
Thursday, August 06, 2009

BlackHat 2009 Inspired – On Media Whoring

There is “security theater” and then there is BlackHat/DEFCON. If it were a vendor glossy, I’d have called BH/DC “the latest version of an ultimate, next-generation, paradigm-shifting, integrated theatrical experience.” :-)

As a result, seeing a few of the speakers [and being in, you know, Las Vegas, Nevada :-)] made me think about whoring; media whoring, to be exact. Obviously, security industry is unthinkable or maybe even provably impossible without some media slutting, but at this year’s show I realized “I ain’t seen nut’n yet.” Some folks are just sooooooooooooooooooooooooooooo good at it.

In any case, my thinking converged into the following over-simplified model (or “muddle”?) which analyzes the intersection of media whoring and subject matter (in this case, security) knowledge:

Security knowledge vs seeking media attention | Media attention not sought                       | Media attention sought
Knowledge of subject matter present           | Knows his shit + nobody knows about it (case I)  | Knows his shit + makes everybody know it (case III)
Knowledge of subject matter lacking           | Knows nothing + nobody knows about it (case II)  | Knows nothing + makes everybody think that he knows everything (case IV)

What does this teach us?

  1. Case I gets respect, but not enough of it. There is nothing we can do about it, however. People, if you are cool, speak up, the world needs you! Get a blog or something…
  2. Case II gets nothing, which is coincidentally what it deserves. Stay there :-)
  3. Case III gets a non-trivial amount of disdain and some respect (especially when it involves MD2 crypto :-)). However, is such disdain truly justified? While there is no metric to compare the value of one’s contribution with the effort needed to get the media to spread his message, common sense criteria definitely apply (“Internet is DEAD! Press conference at 5PM. Live Twitter coverage!” :-))
  4. Case IV gets a non-trivial amount of hatred and disdain, but IMHO – and this is my MAIN POINT! – nowhere near enough disdain compared to what they actually deserve!

So, action item: take all your disdain, antipathy, hatred and annoyance that you now spread between cases III and IV, “double it! double it!! – then double it again!!!” and focus it in the direction of case IV people.


Wednesday, August 05, 2009

BlackHat 2009 Day 2 – Bruce “Reconceptualizing”

At the very end of BlackHat 2009, Day 2, I went to Bruce Schneier’s talk called “Reconceptualizing Security.” And, let me tell you, I was surprised that his talk was actually really fun, especially the Q&A in the end.

It seems like on his ‘security journey,’ Bruce is moving from security economics (which is still pretty “hot”, BTW, as most problems are unresolved) to security psychology. That was the main theme for his talk: being secure vs feeling secure. BTW, this post is an inseparable mix of what I’ve heard there at his talk and what I thought as a result :-)

He started from saying that ancient humans in African savannah used to have a complete match between “being” and “feeling” secure (scary=risky), but today this is out of sync AND, when it comes to computers, it is heavily out of sync (“tiger at the other end of the wire is not that scary”). So, while “evolution favors good security tradeoff”, we still evolved to today with an ever-decreasing correlation of being and feeling secure. To top it off, humans now make decisions on feeling, not being secure. Thus the whole mess :-)

This, BTW, drove the final coffin (for me, at least) into “market will drive infosecurity.” No it won’t!! Think about it:

  People make bad risk decisions, since they are based on feeling secure, not becoming secure
+ Market drives security
+ Market is a bunch of people making purchase decisions
= Overall result is folks feeling more secure and no advance in security aka “the whole mess.”

He also quoted some paper (this?) which analyzed the perception of risks and feeling secure (I think I’ve seen it before, but summary was useful):

  • unknown risk > (=is perceived as higher than) known risk (example: new disease vs flu variant)
  • rare > common (example: swine flu vs regular flu)
  • personal > anonymous (example: Osama vs terrorism)
  • involuntary > voluntary (example: smoking vs other medical problem)

One of the things I loved the most was Bruce’s final acknowledgement that “security theater” is actually beneficial: specifically, if PERCEIVED risk is higher than the REAL risk, what one needs is to be reassured and feel good. Guess what? Security theater provides it! Air travel is pretty darn safe, but a lot of folks are afraid: thus, we have TSA, the ultimate in “security theater.” This argument actually makes sense, as long as the false boost to feeling secure does not overshoot the actual state of being secure – you need to get them to feel as secure as they are secure, but not more. Get it? :-) Same logic applies to such “key” technologies as “anti-baby kidnapping RFID” or drug safety seals, which add a perception of safety to something already pretty safe.

His answer to closing that gap: metrics, of course. We need to observe the reality of security, not the perception. He had this fun warning about metrics though: “my elephant-trample protection device has been perfect for 10 years” (=did nothing bad happen because of the security measure, or would nothing have happened anyway?)

Next he went into models and at times sounded positively “Bandlerian” (actually, I think he quoted Bandler once when he said that ‘sometimes a “model” becomes a “muddle”’). My fave quote: neocortex is “kinda still in beta” :-)

Another very fun point was that he walked a fine line about infosecurity becoming more scientific or at least more rational. He said that “experiment, theory, science leads to good, useful models”, while “religion, faith, myth [or voodoo cult of infosec :-)] leads to bad models.” At the same time, when I asked whether security will become predominantly scientific, he countered with “not in our lifetime, maybe someday.”

So, his idea of “short term fix” for the whole mess is to sync the “feeling” and “being” secure, by reassuring (moves feeling up - hopefully not to “false sense of security”, leave security in place), FUD (moves feeling down – hopefully not too much to paranoia, leaves security in place) and securing (leaves feeling secure in place, increases security as needed). His idea of “long term fix” – “change the model” (which IMHO was not entirely clear to me or probably to anybody else in the audience for that matter :-)) BTW, he also reminded that maybe the reality now changes faster than we can adjust our models and so, as a result, maybe our models will never catch up (and we will be forever doing incident response on 0wned boxes :-), whether on-site or in the cloud…)

At one point, he also kicked infosec risk management in the balls, by reminding that you never really “manage” risk, sometimes it just hits you :-) This somehow reminded me about my sad experience at a Russian security conference a few years ago when I realized that a proper translation of the words “risk management” into Russian literally means “control of risk”…

Q&A was good. After the mandatory AES question, which proved that Bruce is still a cryptographer :-), there were a lot of interesting questions.

I loved these the most:

Q: Checkbox auditing vs value-based auditing, which is better? A: “Use AND” – both are useful.

Q: Is compliance beneficial? A: Security improves two ways: fear (negative) and greed (positive). The first is harder! “ROI nonsense; security is NOT a greed sell.” Thus, fear, but we need the right one :-) Compliance (=audit fail fear) sells security: Bruce noted that it is an “expensive way to sell security; a lot of stuff sold does not add to security at all – documentation, etc.” Still, his summary was that it is “INEFFICIENT BUT THE BEST we have!” and “has improved security at the cost of some extra spending.”

Conclusion: there is only one Bruce! :-) Despite all the jokes (and here), I still think that his security thinking contributions by far overshadow his contributions to media whoring (this will, BTW, be a subject of a dedicated BlackHat-inspired post soon…)

Now onto DEFCON 17th!

UPDATE: very timely link from Bruce's blog called "Risk Intuition."


Tuesday, August 04, 2009

Monthly Blog Round-Up – July 2009

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are my attempt to remind people of useful content from the past month! If you are “too busy to read the blogs,” at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

  1. Every blogger has had that experience: his most loved, deep, insightful post gets little traffic, while something fun and stupid gets loads of it. The example this month is my “Nobody Is That Dumb ... Oh, Wait XII” about the evils of honeypots in Norway…
  2. I am no longer surprised that “Why No Open Source SIEM, EVER?” “rules the seas”, taking #2 spot this month, just as last month. The older inspiration for this post is “On Open Source in SIEM and Log Management.”
  3. My review and coverage of the book “Beautiful Security” (“Best Chapter From “Beautiful Security” Downloadable!” and “Book Review “Beautiful Security””) is popular due to a lot of linking to it.
  4. “Vulnerability Scanning and Clouds/SaaS/IaaS/PaaS” post, which is basically a “link and quote” post to this, was in the Top 5. It helps to continue the discussion about vulnerability assessment of cloud infrastructure (a topic which will be featured in a few posts soon…)
  5. “BlackHat 2009 Day 1 – Laws of Vulnerabilities Panel” is next. I have three more very fun BlackHat/DEFCON posts in the queue; I never had a chance to write them since I was finishing that PCI DSS book last week.

See you in July. Also see my annual “Top Posts” (2007, 2008)


Monday, August 03, 2009

BlackHat 2009 Day 2 – Fun Cloud Stuff

BlackHat 2009 is over, but sharing impressions from it is certainly not.

So, for the remainder of day 1 I went to “Weaponizing the Web” (which had good ideas on CSRF, see their tool here) and “Psychotronica” (which was great content totally killed by a sleep-inducing speaker – I left mid-talk. In fact, I am yawning even as I write about it…). And then I had a chance of seeing Linus get his pwnie.

Then I started Day 2 at Jeremiah and Trey’s talk, which was a lot of fun. Moreover, it was so much fun as to reach 100% entertainment, which is another way of saying that it was not useful for any practical purpose (apart from the entertainment purpose mentioned above, of course :-)). In brief, it covered a whole bunch of fun “non-hacking hacking” cases (such as compromise of a system to issue licenses to do logging in the Brazilian jungle, which supposedly netted somebody a cool $800m). They touched (but, sadly, didn’t analyze) a few things such as what is a better focus: “super hacker strategy” (against an advanced targeted attacker on key systems) vs basic baseline (against an opportunist strategy on all systems) [“both” is what they hinted at, of course]. BTW, their deck is posted here, check it out!

Next was my cloud talk #1, “Clobbering the Cloud.” (UPDATE: full slide deck here) A lot of fun and useful things were discussed – and some impressive cloud “0wnage” was shown too. It started from a useful reminder that the whole permission for “testing the cloud” (whether via scanning or manual pentesting) issue is not resolved. Moreover, PaaS/IaaS made it that much worse, since you might have a permission from the cloud application vendor, but not from Amazon and then end up blacklisted (“Never allowed to buy from Amazon again” :-)). In addition, even issues like “Which version of the application/OS/environment are you testing?” are frequent, since SaaS provider might update their application at any time.

They briefly touched on “cloud compliance”, focusing on transparency of the cloud. Somehow they had an impression that nobody is putting regulated data in the cloud…mmmm… right :-) They also mentioned the subpoena risks of having your data obtained by this or that government without you even knowing. Their point was that trust matters A LOT in the cloud, but at the same time the “verify” part of ‘trust but verify’ often fails.

Here is a set of fun things discussed:

  • Cool method for password brute-forcing with password reset links; after all, most if not all cloud apps use some password recovery (email- or secret questions-based)
  • A very interesting sifto tool (SaaS nikto) written as a Salesforce.com app, which then runs off a high-bandwidth link for free (the story also features a CAPTCHA with its text left in the same web page…)
  • Also, a bunch of good ways to steal cloud resources: Amazon cloud instance of Windows license stealing, paid application theft (via DevPay), etc.
  • Fun “cloud DoS” with exponential, virus-like growth of VM instances and users.
  • Impressive use of trojaned images combined with a tool to make them popular and have them show up at the top of the list. Instant mass cloud 0wnage!

Overall, amazing Amazon IaaS rampage! Also, they showed some fun Apple MobileMe 0wnage as well.

What are my thoughts on this?

First, I’d bet that offensive cloud use (either using stolen benign cloud resources or native “built for evil by evil” clouds :-)) will beat defensive cloud use (like Mark Curphey’s security data analysis ideas) by a long shot. Before we harness cloud resources for security (such as for analytics, etc – we do harness them for scanning already), somebody will turn it against us in a big way. But then again, botnet use for password cracking (which is more “distributed computing” than “cloud computing”) is already there so, “evil cloud” stuff is starting to be a reality…

Second, something made me think that, personally, I’d always keep an offline backup (for BOTH data and processing capability!) for anything I’d put in the cloud. Notice how it compares to the past paranoid mantra “don’t store anything truly private on an Internet-connected PC” – nowadays it is “don’t store it ON the Internet” :-( What’s next, don’t announce it on Twitter? :-)

Third, people talk a lot about software liability and how hard/controversial it is. I had this thought that maybe cloud computing will be where it will start?

Finally, how’s that for a paradox?

a) Many folks say that: “cloud security" (loosely defined here) can be and needs to be awesome.

b) Everybody agrees that: web app security is horrible and will be horrible for a long time.

c) Obviously: cloud computing today is mostly web apps.

Huh? Isn’t the whole cloud security fun (now I know why some folks are so excited about it)?

Next, I went to Kostya’s “Cloudburst” talk; I didn’t follow VMWare security closely enough, but seeing another reliable Guest->Host escape is pretty cool. Sadly, too many people chose this room to catch up on some much needed sleep after a rough night, it seems.

Finally, Bruce Schneier did a very fun talk (yes, really!), which deserves its own post tomorrow.


Wednesday, July 29, 2009

BlackHat 2009 Day 1 – Laws of Vulnerabilities Panel

Since I am press (got my ridiculous pink badge tag already), I will write :-) After catching part of the keynote (the Google guy was pretty interesting with his security thinking – however, I suspect when he says “users”, he means much better people than a typical organization), I am at the Qualys-led (Wolfgang) panel with GE (Richard), Orbitz CSO (Ed), Heartland Payment Systems CSO (Kris), Goldman Sachs (Paul) and State of CA (Mark).

Wolfgang showed the updated Laws of Vulnerabilities (all details here); some good insights to take away are (if you were not here – there was a lot more of great insights than that!):

  • Half-lives of vulnerabilities (=time in which half of the vulnerable boxes get patched) didn’t change much since 2004 (same as the research revealed at RSA 2009 showed)
  • No matter how old, many vulnerabilities stay forever on some systems (or new systems with old vulns are being connected). 8-10% of machines which were vulnerable stay vulnerable for as long as the research covers, and likely forever. Think about it! Even old critical – “Insta-0wn”-type – vulnerabilities stay forever on some – likely compromised – systems.
  • If you limit the scope of half-life analysis to core OS vulnerabilities, the half-life drops to 15 days (which means that people patch those quickly!) On the other hand, if you limit it to Adobe and MS Office flaws, the half-life sharply rises to 60 days (which means people just don’t care – and the current dramatic “0wnage” will continue)
  • The “Speed up patching!” call is still needed, despite it being made for years and years. Looks like people do pay attention to OS flaws, but not to client issues.
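To make the half-life metric above concrete, here is an added example (my own, not Qualys’ code or data) that computes it from scanner observations: each (host, vuln) pair has a first-seen scan day and a day it was no longer detected, or None if it stayed vulnerable. The sample data, categories “core-os” and “client-app” and all host names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Observation:
    """One (host, vulnerability) pair tracked across scans (constructed data)."""
    host: str
    vuln: str
    category: str             # hypothetical label: "core-os" or "client-app"
    first_seen: int           # scan day on which the flaw was first detected
    fixed_on: Optional[int]   # scan day on which it was gone; None = still vulnerable

def half_life(obs: List[Observation]) -> Optional[int]:
    """Days until half of the initially vulnerable pairs have been fixed.
    Pairs still vulnerable at the end of the window never get a fix age, so if
    fewer than half were ever fixed the half-life is undefined and None is returned."""
    if not obs:
        return None
    fix_ages = sorted(o.fixed_on - o.first_seen for o in obs if o.fixed_on is not None)
    needed = -(-len(obs) // 2)          # ceil(n/2): fix that brings remaining share to <= 50%
    if len(fix_ages) < needed:
        return None
    return fix_ages[needed - 1]

def persistent_share(obs: List[Observation]) -> float:
    """Fraction of pairs never fixed inside the window (the 'stay forever' population)."""
    if not obs:
        return 0.0
    return sum(1 for o in obs if o.fixed_on is None) / len(obs)

def half_life_by_category(obs: List[Observation]) -> Dict[str, Tuple[Optional[int], float]]:
    """Per-category (half-life, persistent share), e.g. core OS vs client-app flaws."""
    groups: Dict[str, List[Observation]] = defaultdict(list)
    for o in obs:
        groups[o.category].append(o)
    return {cat: (half_life(g), persistent_share(g)) for cat, g in groups.items()}

def _make(category: str, fix_ages: List[int], unfixed: int) -> List[Observation]:
    """Build constructed observations; first_seen varies so ages, not absolute days, matter."""
    out = []
    for i, age in enumerate(fix_ages):
        day = 100 + i
        out.append(Observation(f"{category}-host{i}", f"{category}-vuln", category, day, day + age))
    for j in range(unfixed):
        idx = len(fix_ages) + j
        out.append(Observation(f"{category}-host{idx}", f"{category}-vuln", category, 100 + idx, None))
    return out

# Constructed sample: OS flaws get fixed fast, client-app flaws slowly, a few never.
SAMPLE = _make("core-os", [3, 5, 9, 12, 15, 18, 22, 30, 45], 1) + \
         _make("client-app", [20, 33, 48, 55, 60, 75, 90, 110], 2)

if __name__ == "__main__":
    print("overall half-life:", half_life(SAMPLE), "days")
    for cat, (hl, stuck) in half_life_by_category(SAMPLE).items():
        print(f"{cat}: half-life={hl} days, never fixed={stuck:.0%}")
```

Mixing the two populations hides the gap: the overall half-life lands between the two per-category values, which is why the panel’s split into core OS vs client flaws is the more useful view.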

The panel then discussed that doing “single day” patching (the holy grail for many organizations) is doable even in large companies, but that is not the end of it – by far. For example, Ed from Orbitz’s comments reminded folks that “deploy patch” becomes “write patches” for custom apps. The problem thus becomes worse and worse if you happen to have a “build, not buy” culture: the percentage of systems that you can quickly patch becomes lower and lower.

A lot of interesting comments were made by the Heartland CISO (who, BTW, joined 2 weeks before the now-infamous election breach disclosure) about how a breach motivated a change in their patching process. He said that they used to focus most resources on the payment processing environment, but then their non-CDE corporate network was breached first and analyzed for 7 months (!) by the attacker, who then broke thru the developer access to the CDE. Patching client flaws on the corporate (non-CDE) side is now a priority as well.

Richard’s comments come from the IR/IH side. For example, in case of a particular Adobe flaw, they saw exploitation activity on the 15th, were informed about the issue on the 21st, and then the patch came on the 28th (timeline approximate). Thus, even if you patch really well, finding 0days becomes key since 0-day 0wnage is rampant if you are the “right target.” In-house research is the only choice in this case, I suspect.

Afterwards, Kris from Heartland made a few comments on DLP: they use it for discovery and data auditing, not for data leak prevention (which is definitely very reasonable). Another interesting theme (brought up by Ed) was not just awareness of what is going on on your network (which is hard), but also on all the supplier networks that connect to it. This is a curious mix of technical security and legal, contractual stuff.

Finally, an interesting insight came to me from listening to this panel: evidence of different focuses of security management was clearly heard – some organizations focus on patching the right segment, some on faster patching, some on limiting access, some on network visibility. To me this spells the end of the quest for “security best practices” since your “best” might be doomed to be forever different from others’ “best” …

Overall, this was a very fun panel to attend!

Now, on to the “Weaponizing the Web” talk.

Tuesday, July 28, 2009

Dr Anton Chuvakin