Archive for the ‘FUD’ Category
Fear. Oh, it works…
I came across an interesting thing this morning – over at SANS, there’s a brief one-pager about using fear as a sales tactic. Basically, it’s a cautionary statement about how fear can backfire and it probably isn’t the best way to sell product in the security arena. All of which is absolutely true.
The problem, though, is that it’s so darn effective. It has to be, since so many of the vendors in security use it. It seems to me kinda like spam – if there weren’t some percentage of the population that receive spam and actually buy stuff as a result, then it wouldn’t continue. So, people must be responding to the fear. Everyone in this industry uses it – journalists use it to get eyes, vendors use it to get sales, salespeople use it to get meetings. So, we know it works.
See… take a look at a few of today’s headlines:
The Internet’s Biggest Security Hole
Most IT Staff Would Steal Company Secrets
and so forth. Now, neither of these articles would be things I’d classify as FUD per se. In fact, they’re both interesting and well-written pieces. But the fact of the matter is that there’s a *startle* component that makes us take notice. Does that count as fear? Arguably. And it works.
Should it work? Maybe yes, maybe no. But clearly it does. And we’re into our second decade of continued effectiveness. So I’m not sure I buy that much of a backlash is going to happen soon.
Was Elio Montenegro Right or Wrong?
I’ve been watching with interest the debate going on over at aero-news about the TSA flight inspector that grounded some planes over at O’Hare. It’s kind of a long story, so here’s a brief recap:
A TSA inspector (tasked with inspecting planes) was looking over some planes over at O’Hare. Seeing a metal post jutting out of the front of the plane, he tried to climb it (looking to see if surreptitious entrance could be gained to the cockpit that way). Unbeknownst to him, the post he was climbing was the temperature gauge (which is pretty important, apparently). The gauge broke, the maintenance crew found it, and they grounded the plane. Not a good situation in any light, but here’s where it gets freaky.
Now comes some serious aftermath. Airline personnel flipped out. They called the inspector “bumbling”, “incompetent”, and compared him to Inspector Clouseau. The aero-news article is the most vitriolic (which is, of course, why I selected it), but suffice it to say that there was major backlash.
The TSA responded saying that they encourage inspectors to find issues like this one. This just put more fuel on the fire. Aero-news ran an update to their original story, where they recommended that the TSA be dismantled because they have “the potential to imperil the flying public in myriad ways”. Again – major freaking out.
But, as a security professional reading this, *both* the TSA inspector and the airline response creep me out. OK, so the inspector endangering lives – that’s never good. But the fact that one guy can do something seemingly minor, out of sight of any ground personnel, that could potentially bring down the plane isn’t comforting. Isn’t the TSA ostensibly there to stop just this kind of thing?
Think about that for a minute, and put aside the fact that the temperature probe practically begs someone to slap a climbing carabiner on it. If the TSA’s job is to look for attacks – and the reaction from the airline pros makes me think this is a pretty good one – isn’t this inspector a hero? After all, from a security practitioner’s point of view, the fact that the TSA inspector was thinking outside the box and looking for a useful point of attack on the plane means he’s doing his job.
It comes down, in my opinion, to the fact that there’s a disconnect between the TSA and the folks in the airline industry about what the role of the TSA inspector is supposed to be. If their role is to find “security issues”, they should be encouraged to find problems like this and point them out (so they can get fixed). If their job is something else – well, then they shouldn’t be monkeying around with the probes. At the end of the day, if it’s true that damaging the temperature sensor prior to takeoff is “an extraordinarily dangerous incident”, it seems to me that somebody ought to know about that before somebody else deliberately sabotages one.
Now, some pilots think the role of the TSA should be more limited. According to the article, some pilots “respond that agents are only allowed to check for unlocked cabin doors” in their inspection. That seems bogus to me. Seriously – checking the door? If that’s the role of the TSA, I’d ask what’s the point of having TSA inspectors at all? Get the pilots to check if it’s locked. Seriously – you reach over, jiggle the handle or whatever, and whamo-blamo, Bob’s your uncle (for realz on this one, I do it with my car door all the time.)
Anyway, at the end of the day, I think the fact that this probe can be damaged by a lone person – and that the damage to that probe can jeopardize the lives of the passengers – is a significant threat. Is it the TSA inspector’s job to find this threat? Maybe not. Maybe he was totally in the wrong. But shouldn’t it be somebody’s job to point it out? And how about fixing the issue? Maybe it makes sense to hire TSA inspectors who are also aircraft mechanics so that they know how to look for issues like this; maybe it makes sense to guard the plane when it’s on the ground. But seriously – somebody do something.
It seems to me that the TSA and the airline personnel should be working together on this rather than going after each other. In the gap between the pilots’ outrage and the TSA’s “blue line”, there are issues that clearly aren’t getting fixed.
Defeat – The only thing standing between us and victory
(with apologies to that great orator and statesman Roderick Spode)
So, I came across, via the Spire blog, the followup commentary from Noam Eppel to his Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security article.
In case you don’t remember the original article, the premise was that information security as a discipline has already failed, and the follow-up is more of the same. The argument is predicated on the observation that there are demonstrable failures of security in the world – quite a lot of them, as a matter of fact. In other words, his argument is that security (as the applicable discipline) has failed and that we (as practitioners therein) have also failed because of the vast number of security breaches, security issues, and snafus that occur on a day-to-day basis. Fraud? We’ve failed. Phishing? Failed again. Lost luggage? Depends on who lost it, but if it’s the TSA – probably our fault.
Now the point that I made the first time around was that it’s not productive to define success/failure based on whether or not incidents occur or even by whether or not it’s possible for incidents to happen. For example, traffic accidents occur – does that mean that the traffic laws in this country have categorically failed? Could be… or not, depending. But folks would never get away with saying this (at least with anyone taking them seriously) until/unless you could prove that the laws were directly related to the number of accidents. In other words, that there was a demonstrable cause and effect between these two things *and* that the particular success criteria used to define “success” (in this case, fewer accidents) are both relevant and applicable.
In the traffic safety example, the success criterion might be having a low number of accidents. Once you define what it means to be successful, it’s possible to measure how people stand up to the yardstick. For example, by comparing the percentage increase in accidents in one area vs. another area with different laws, you can extrapolate as to whether or not the laws in area A are more able to satisfy a given goal than the laws in area B (for example, maybe there are fewer accidents). In Eppel’s case, the success criterion is whether or not there are incidents; well, if you take a risk management approach, aren’t incidents unavoidable? In other words, if I’m only going to spend money protecting resources commensurate with the value of the resource, isn’t it implied that there are going to be areas that are less protected than others? For example, if I have ADT in my home, and somebody comes and hits the mailbox with a bat, did ADT fail? *Should* I hire an armed guard to protect the mailbox? Probably not. But if you define success as living in a world where punks can’t hit the mailbox, it’s a failure.
Maybe we should define success or failure based on something provable and something that works within the context of risk management. Well, I’ll stop going down this road, since I covered it all in the original reaction, but I thought it was useful to point out that when you say somebody failed you have to say “at what?” Did the security industry fail at making the world risk free? Unquestionably. Is that the primary goal that we as an industry should be after? Not in this lifetime. How about “reduce the number of incidents to the point that customers are well served, that money spent by the organization protects resources commensurate to their risk and value, and that we spend enough to protect our personal safety in contexts where it’s applicable?” I think that’s a pretty good goal… I’m going with that one.
Our First Annual “Top Grinch” Award
Ah yes, the Grinch. Everybody loves him. After all, how could you not love a green Ebenezer Scrooge with a cute dog and Boris Karloff’s voice, right? He’s cranky, he’s cantankerous, and he don’t take no guff from all those dismal Whos down in Whoville. In fact, everybody loves the Grinch so much that we’re willing to overlook the whole “trying to steal Christmas” thing. Right? I mean, here’s a guy who breaks into people’s houses, steals presents from their kids, steals their food off the table (trying to implicate Santa in the process), and tortures a dog (he does – if you don’t think so, watch it again and pay attention to what he does to Max). What a dirtbag! But we love him anyway – probably because he’s green and eventually apologizes.
In that spirit, we’re naming our first annual “Grinch” award. For context, this is an award presented to someone who tries their best to steal Christmas but who we love anyway despite their “stake of holly through the heart” attitude. This year’s contenders are:
-Sophos for announcing video game-blocking software a week before people receive their new games (note that we’re not dinging Microsoft for their functionally-equivalent “must be administrator to install software” feature because they didn’t actually exploit the holidays to sell it.)
-Panda for their “New vulnerabilities threaten Christmas shoppers” press release.
-CNN for their “Happy new-year, have some cyber-warfare” story.
-Red Orbit for their “Online Shoppers Need to Be More Secure” story.
-ComputerActive for their “New PCs ripe for Christmas hackers” story.
And the winner is (envelope please)…
Panda! Because that mascot of theirs in the system tray is so damn cute and cuddly-looking that we all love them anyway, even though they did try to exploit the holiday by using it as a draw for a press release on vulnerabilities, and telling us all that we’re all going to get some spiffy new fraud for Christmas unless we buckle down (implication: unless we use their product).
Terror Management Theory
Ever hear of Terror Management Theory (TMT)? TMT is a theory in psychology that basically tries to explain the psychological reaction of people to fear of their own death. For example, TMT predicts (and experiments support) that persons reminded of their own death will tend to cling to concepts, leaders, and symbols of “traditional” sociological values; for example, persons reminded of the threat of death by terrorists are more likely to hold to political and social conservatism than if they are not reminded of their own mortality. Al Franken lays out a convincing argument (personal politics aside) for why repeated reminders of terrorist strikes helped sway the 2004 presidential election in his book “The Truth (with Jokes)”.
TMT also says something else; it says (intuitively) that individuals faced with the threat of their own demise will cling to ideas that make death seem less likely or less meaningful. For example, individuals have been shown under experimental conditions to represent themselves as having a stronger belief in religion immediately after being reminded of their own mortality. Makes sense, right? But I don’t think it’s just death; in fact, I think that the same principle probably operates (albeit at a lower level) for individuals who are threatened with events that may not be life-threatening. For example, I think that if threatened with the prospect of emotional anguish – say, the loss of a loved one – most folks would react in a similar way. But that’s just me; no experiments that I know of have explicitly proved this.
So, as always, we have to tie this back to computer security. Which makes me ask the question of why FUD works as a sales tool. Could it be that the same principles are at work here? Is it the case that individuals, when presented with the prospect of the worst-case scenario, become more pliant and susceptible to certain marketing spin that they would otherwise be hardened to? Most folks take their jobs very seriously; is it out of line to speculate that perhaps they would be more likely to cling to “computational conservatism” marketing messages just like TMT predicts with the loss of life? Clearly, I would argue that they are more likely to make decisions that they perceive would make the presented threat seem less likely. But how far does that go? I don’t have any answers here, but boy would I like to see some experiments done in this area…
Forbes Takes FUDmongery to Task
I’m glad that the mainstream press is starting to wake up to the FUD that people like Verisign, Symantec, and McAfee are pumping out. The Forbes article Fraidy Cat Marketing describes in detail how companies use things like the Sober worm, Kama Sutra, and so on (err… phone-borne malware perhaps) to generate product buzz.
Have you ever seen a stronger admission of guilt than this quote from Vincent Weafer over at Symantec:
“To get attention, you pick something new and say the sky’s falling down,”
It’s true… And props to Symantec for admitting that they’re doing it. Now if they could just spin it down for a bit…
Infosec “Prophet of Doom”
Everybody and their brother is blogging about the recent Security Absurdity rant “The Complete, Unquestionable, And Total Failure of Information Security”. Due to the near tidal-wave of interest from the blogosphere, I decided to check it out and see if it was, in fact, all that and a bag of chips. Anyway, in case you haven’t read the article, it’s basically a laundry list of why information security sucks and why infosec practitioners are a group of bumbleheads – or at least that’s my paraphrase, but I don’t think it’s an unfair one.
Basically, the premise is that the security community in toto has failed (in his words, “[failed] ourselves, our community and the people we are meant to protect”) grievously and that we should all be ashamed of ourselves – we’re apparently ignoring the stench of defeat clinging to us because of the fact that “business is booming” in infosec. Quite a condemnation, no? Or at least it would be if it were the case. So is it? Are we all dismal failures? I happen to not think so, but let’s investigate…
Boiling down the content of the paper, the assertion that infosec has failed is predicated on the observation that there are threats, and that there are people taking advantage of those threats. It goes on to relate a laundry list of those threats, and the unfortunate ramifications of those threats being exploited. Where I think the argument breaks down is in the implication – I don’t agree that the exploited threats imply the failure of security as a discipline. Look at this by analogy – if a bank has a bunch of security guards defending the vault, are the security guards always at fault if there’s a theft? Or if a counterfeiter is able to make fake currency, has the Secret Service “completely failed” because of the fact that fraud could take place? I happen not to think so… In the physical world, just as in the digital world, risk management is about balancing threats with countermeasures, and producing a strategy for risk reduction commensurate with the risk. But this paper isn’t about risk management – the cost/benefit of security isn’t even mentioned…
Anyway, I think this paper is worth a read, but I don’t think we should all hang our heads in shame as the author suggests. If you’re going to read it, remember that the best kind of constructive criticism offers suggestions for improvement – in this case the author stops short of presenting anything to make the situation better (that’s apparently for “part two” of the rant.) Dale Carnegie told us that “any fool can criticize, condemn, and complain” – but complaining doesn’t help the situation get better.
Horrific Catastrophe Yousa-People-Gonna-Die TerrorMonger Alert Con
As promised, here are the specifics for the Security Curve “Horrific Catastrophe Yousa-People-Gonna-Die TerrorMonger Alert Con”. First of all, by contrast to the other traffic lights out there, we’re doing more than just malware, or just terrorists, or just what’s probable. Our “con” runs the gamut from the bird-flu pandemic to rampaging armies of the undead. We’re all about preparedness.
To personalize the fear that you’ll experience at each level, we thought it best if the “alert zones” had a mascot. As such, here are the levels of the Security Curve system – what we call affectionately “terror levels”:
Terror Level “Moderate” (Mascot: “Sleepy Kenny”) – Kenny represents the lowest level of terror, “moderate” terror. Here we see Kenny sleeping it off – unaware of the panic that he is about to experience. The alert con is designed to never be at “moderate level” status – it’s not scary enough. We just liked the picture.
Terror Level “Cranked” (Mascot: “Kenny”) – No longer sleepy, Kenny is fully cognizant of the lack of safety in the world around him. Terror sets in as he becomes aware of the truism that what can go wrong will. His terror turns to grim acceptance as he recognizes he cannot change what is.
Terror Level “Heart Attack” (Mascot: “Jenny”) – We see Jenny here with her party hat on. She’s oblivious to all the pain, suffering, and drama going on around her. Hey, Jenny, get that grin off your face – don’t you know that bird flu is coming, that the polar caps are melting, and that Longhorn is almost here?
Terror Level “OH OH OH” (Mascot: “Bunny”) – The bunny is the “most totally in your face” pet ever. As such, he makes a fitting mascot for our new con. Notice his copy of “Building Internet Firewalls” in the background? Yeah – safety bunny.
Terror Level “OMFG” (Mascot: “Angry Bunny”) – Here he is, the bunny again. We think the expression on his face speaks for itself as to why he is the appropriate mascot for the OMFG terror level for maximum fearmongering. Note that this is the default state for the “Horrific Catastrophe Yousa-People-Gonna-Die TerrorMonger Alert Con”.
The Line Between FYI and FUD
Consider the Amir Herzberg Unprotected Login Hall of Shame. More specifically, this is the I-NFL (Inter-Net Fraud League) Hall of Shame, of which Amir Herzberg is “commissioner”. However, as I can find no other references to the I-NFL other than this page (see Google), I’ll just call it the “Amir list.”
Anyway, here’s my beef with this page. An interested party goes to this page, which has pictures of leading banking, payment, and commerce sites such as Amazon, PayPal, Chase, Bank of America, etc. under the heading “unprotected sites.” Plus each site has in big red letters “this page is not protected” written across it (the output of the NetCraft tool). Pretty scary, right? This, coupled with the 24-pt heading “hall of shame” at the top of the page might lead one to infer (sarcasm intentional) that somehow the security of these sites is at issue. Oh my gosh! Time to panic, right? All these major sites! And they all have “shameful” security problems?!?! Holy *&%@!!!
Well, not so fast there, buckarooney. Apparently, the “shame of being unprotected” that these sites bear has nothing to do with privacy of authentication data, authentication of the users, privacy of the account data, auditing features, security of facilities, backups, etc. In fact, the “shame” in question does not apply to anything that the majority of infosec practitioners or auditors would even consider a “security problem” per se. In point of fact, the “shameful” practice is that the login form is not served over SSL – note that the id/password submission is still SSL; it’s just the preliminary form page that’s not.
According to Dr. H and the nebulous “Internet Fraud League,” phishing is facilitated by the lack of SSL on the user ID form submission page. This is true from a certain point of view (and props to a true academic for pointing it out) but I think it totally misses the point of site security. Which is, there’s more to a site’s security than the logon form. CardSystems does not appear in the hall of shame, but Chase does. Which one would I trust with my account data nowadays? “Unprotected Login Hall of Shame” – maybe a qualifying adjective might help out there, Dr. H.
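To make the distinction the Amir list is drawing concrete, here is a small added Python checker (not code from the original post, nor from the I-NFL page or the NetCraft tool) that separates a login form served over plain HTTP but posting to HTTPS from one protected end to end; the bank.example URLs and the HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormScanner(HTMLParser):
    """Collect every <form> as a dict: resolved action URL and password-field flag."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None  # the form whose inputs we are currently inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL, so it
            # inherits the page's (possibly plain-HTTP) scheme.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_login_forms(page_url, html):
    """Return (action_url, verdict) for each form on the page that asks for a password.

    protected          form page and submission both HTTPS
    unprotected-form   HTTP page, HTTPS submission (the Hall of Shame case): the
                       credentials travel encrypted, but anyone on the network path
                       can rewrite the form before the user sees it
    unprotected-submit credentials are posted in the clear
    """
    scanner = LoginFormScanner(page_url)
    scanner.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        action_https = urlparse(form["action"]).scheme == "https"
        if page_https and action_https:
            verdict = "protected"
        elif action_https:
            verdict = "unprotected-form"
        else:
            verdict = "unprotected-submit"
        findings.append((form["action"], verdict))
    return findings


# Constructed sample: a plain-HTTP front page whose login box posts to HTTPS,
# plus a search form that is ignored because it has no password field.
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://bank.example/login">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    print(classify_login_forms("http://bank.example/", SAMPLE_HTML))
```

The same page fetched over HTTPS would classify as "protected", which is exactly the change the Hall of Shame asks the listed sites to make.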
