2006-11-29

Security Absurdity

File this under the "blogging about blogging" category:

A recent Slashdot article turned me on to the Security Absurdity blog, highlighting, as the author puts it, "The Complete, Unquestionable, and Total Failure of Information Security." While not typically a great source for nuggets of highly valuable InfoSec news, the old geek standby comes through once again.

In essence, this is a series of editorials about how information security has, as a profession, been a miserable failure. Looking back at my posts, I suppose the author of Security Absurdity managed to articulate the heart of a lot of my, and the community's, complaints all along. Pity the user of a computer, nowadays.

However, I want to make perfectly clear my view that the Information Security community is not the one responsible for these problems. The root cause, by and large, is in the design and implementation of software: software producers have created this mess of a situation that we in the InfoSec community are trying so hard to fix. They failed to build reliable, secure products, and failed to educate users in those products' proper use at the point of purchase, period.

Moving on to our role, I agree with the author: we have also failed. We have failed to properly articulate the universe of problems created by bad software or bad software implementation, and furthermore, we have failed to educate those who need to know, and to build technological protections for those who shouldn't have to worry about it. We've taken too narrow a focus, setting our sights on specific problems and dedicating huge amounts of resources to designing fantastic solutions, while turning a blind eye to the bigger problem.
Case in point: firewalls.
Problem solved: applying principle of least privilege to network-based, inter-computer communication.
Bigger problem narrowly addressed: Principle of least privilege.
Illusion: bigger problem nearly solved by narrow solution.

Security product vendors share as much of the blame as we analysts do: overstating the effectiveness of their products, while helpful to their bottom line, does the industry real harm. People unfamiliar with the scope of information security challenges believe that the product they bought to solve a narrow set of problems is a silver bullet, or something near to it. These individuals shouldn't have to worry about the gory details of security to browse the web. After all, my DVD player plays DVDs; why should my computer be any different?

I don't have the solutions, but clear and concise communication from the InfoSec community to the rest of the computer-using world would be a really great start. Bravo to the SA blogger(s). Their commentary is long overdue, and the community would do well to heed some of the advice therein.

2006-11-25

Malware trend worth watching

Malware that can detect VM or sandboxed environments and react accordingly is not a new concept. However, seeing it in the wild with any sort of frequency is big news. In a little-reported SANS ISC update, Lenny Zeltser comments: "3 out of 12 malware specimens recently captured in our honeypot refused to run in VMware."

This is a trend analysts knew was going to come around eventually. While the tactic's use by malware authors is still in its infancy, this represents a major development: every malware analyst uses VMware at some point in their analysis. It appears the "bad guys" have figured out how to get another leg up in the constant arms race we engage in. This will be yet another aspect of the back-and-forth between authors and analysts that has been going on for years. Someone will find a way to beat the VMware detection, then better detection will be developed, and so on. However, this is one of the biggest leaps in anti-analysis from the black hats since the emergence of executable packing. Better keep an eye on this one, folks.
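To make the arms race concrete, here is an added example (not code from the specimens Zeltser describes, whose checks are not given above) of the kind of cheap, well-documented VMware fingerprints a sample can key on, and therefore what an analyst has to normalize in a sandbox image before a "refuses to run in VMware" specimen will execute. The OUIs 00:05:69, 00:0C:29, 00:1C:14 and 00:50:56 are VMware's publicly registered MAC prefixes, and "VMware Virtual Platform" is the SMBIOS product string a stock guest exposes (via /sys/class/dmi/id/product_name on Linux or Win32_ComputerSystem.Model on Windows). The host data is passed in as arguments, and the sample values are constructed, so the block runs offline.

```python
"""Illustrative VMware-guest fingerprint check (added example).

Not the logic of any real specimen; it shows the class of artifacts such
malware typically tests so an analyst knows what to change in the VM config
(e.g. assign a non-VMware MAC, override SMBIOS strings) to get it to run.
"""
import re
from typing import Iterable, List, Optional

# Publicly registered VMware OUIs: first three bytes of a virtual NIC's MAC.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Substrings found in a stock VMware guest's DMI/SMBIOS product and vendor fields.
VMWARE_DMI_MARKERS = ("vmware virtual platform", "vmware, inc.")

# Accept aa:bb:cc:... or aa-bb-cc-... forms; only the OUI part matters here.
_MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})", re.I)


def mac_oui(mac: str) -> Optional[str]:
    """Return the lower-cased OUI ('aa:bb:cc') of a MAC, or None if malformed."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        return None
    return ":".join(g.lower() for g in m.groups())


def vmware_indicators(macs: Iterable[str], dmi_strings: Iterable[str]) -> List[str]:
    """Return the reasons the environment looks like a VMware guest.

    An empty list means nothing fired. Returning the reasons, rather than a
    bare bool, tells the analyst exactly which artifact to patch in the image.
    """
    reasons = []
    for mac in macs:
        oui = mac_oui(mac)
        if oui in VMWARE_OUIS:
            reasons.append(f"NIC OUI {oui} is registered to VMware ({mac.strip()})")
    for s in dmi_strings:
        low = s.lower()
        if any(marker in low for marker in VMWARE_DMI_MARKERS):
            reasons.append(f"DMI/SMBIOS string mentions VMware: {s!r}")
    return reasons


def should_run(macs: Iterable[str], dmi_strings: Iterable[str]) -> bool:
    """Mimic the evasive decision: execute only when no VMware indicator fires."""
    return not vmware_indicators(macs, dmi_strings)


if __name__ == "__main__":
    # Constructed sample data, not captured from a real host.
    stock_vm = (["00:0C:29:3A:7F:11"], ["VMware Virtual Platform", "VMware, Inc."])
    hardened_vm = (["52:54:00:12:34:56"], ["Standard PC", "ACME Corp"])
    print("stock VM    ->", vmware_indicators(*stock_vm))
    print("hardened VM ->", vmware_indicators(*hardened_vm))
    print("runs in hardened VM:", should_run(*hardened_vm))
```

The analyst's counter is visible in the function's output: each reason names one artifact, and once the MAC prefix and SMBIOS strings are changed the same specimen sees nothing to refuse. The next round, of course, is a specimen that checks something harder to fake, such as timing of privileged instructions or the presence of guest tools.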

2006-11-21

InfoSec Laws, Pt. 1, and 2007 predictions

Newton's First Law applied to IT: An administrator at rest tends to stay at rest, unless acted upon by a force.
How many times have we had to pester system or network administrators to do something involving security? How many times do we have to keep asking them to do the same thing? Unfortunately, many of those outside of the security community tend to put all other priorities and notions above even the most immediate security needs. I've even seen this in the midst of a compromise or crisis. While this situation has certainly improved in the past 10 years, it has a long way to go. In that time, I've been trying to find a way to sum up all of these problems simply, and I think I have finally found the answer in Newton. Thanks, Isaac!

The Jesus Principle of Intrusions: Seek, and ye shall find.
The past 8 months have been a watershed for me professionally, insofar as Incident Response is concerned. Through all of the digital trauma witnessed, most of which I cannot discuss here, I have come to conclude that the only reason any security analyst is not working on IR at any given time is simply that he or she has not found the security breach, not that there are no intrusions happening on the network. For a brief period of time, perhaps in 2004, the good guys had the advantage - finally. That has been followed by a dramatic reversal ever since. Our adversaries are far more skilled than in the late '90s and early 2000s, when the world first began to sincerely appreciate the problems of poor information security. Fortunately, we are too, but I feel the gap is just as large, if not bigger. They have new tools. We have the same old tools, in new, shiny packaging and perhaps an easier GUI. The result has been the constant compromise, to one degree or another, for a variety of reasons, of nearly every network of any significant size.

As 2007 rapidly approaches, I feel that next year we as a society will begin to feel the repercussions of the security problems facing IT in a very different and much more serious way: in terms of the national security of industrialized countries, the financial stability of big companies suffering from widespread, difficult-to-identify compromises, and measurable economic impact stemming from this and from the large number of identity thefts happening recently. We've already seen the beginnings of this - media reports of foreign nation-states targeting military and contractor computer networks, ChoicePoint facing major problems as the result of its breach, and the recent revelation that 50 million US citizens have had their identities stolen. I feel a failure to properly address this as a society (or the industry's failure to effectively warn of it) will lead to serious consequences in 2007. Perhaps by the end of the year, after enough problems have surfaced, we will begin to debate reform and change perceptions. I think 2007 is the year to turn this corner, but only because of the large problems we will face that have long been predicted by security pundits.

As much as I hate to be a doom-sayer, my eyes were opened in 2006 to many of these problems simmering just below the surface. In a silver lining moment, I will say this: The worst that can happen is that we as a country continue to turn a blind eye to economic and national security problems related to Information Security, allowing them to undermine our economic well-being and defense posture. A watershed moment is just what we need, but it will be a painful path to walk when it comes.