2009-07-09

Dear Information Security Industry,

Stop exploiting current events by making dubious or outright false statements in order to advance your own agenda. You do nothing more than devalue yourselves and the credibility of the rest of us when you do so.

Case in point #1: Allen Paller's statements on the recent (and long overdue) analysis of the predictability of SSN's. To wit,
"I don't think this is a high priority, because it doesn't deliver a big enough payoff" for hackers, he said. "You do identify theft so you can steal money, but it's easier to steal money by taking over someone's computer."
Are you serious? One compromises a computer to impersonate another. If you have an SSN, name, and other basic information like birthday, etc (that's often publicly available on social networking sites), it's Game Over - impersonation can be achieved at a much deeper level than simply userid/password - nevermind that more and more sites are implementing some sort of 2-factor authentication. This reeks of "look over here where I can make money," ignoring reality. SANS has a lot to offer the information security community, but when its leaders make such questionably accurate and profit-driven comments, it hurts all of our credibility (what professional doesn't have a cache of SANS certs these days) and devalues the institution as a whole.

Case in point #2: The questionably accurate stories floating around about this alleged North Korean-sourced DDoS against a completely random set of targets. I don't know for sure, but it seems the source of this attributional rumor is the Korea Communications Commission. Here's a sample of one of their statements:
“An aggressive distribution of vaccine programs against the attack has helped fight back,” the official, Shin Hwa-soo, said. “But we are not keeping our guard down. We are distributing the vaccine programs as widely as possible and monitoring the situations closely because there might be a new attack.”
A vaccine? Really? Please tell me we're not taking these people seriously. It seems to be a fact that some sort of DDoS attempt took place, but keep in mind the attribution to DPRK is hinging on people who distribute "vaccine programs" against a DDoS - whatever the hell that means. Initially, the attacks were downplayed - until 24/7 news got a hold of it and realized that CNA can be sexy. Then the "cyber security professionals" realized there was a platform for advancing an agenda and poured fuel on the hype fire. There are plenty of examples. Below are a few.

Google hosted news:
"Just from looking at footprint, it was Bigfoot, not Bambi," said Charles Dodd, founder and chief technology officer for Nicor Cyber Security.

What started off as "Cyber Attacks" on the east coast became "massive" by the time they got to San Francisco.
The US sites experienced a “massive outage”, according to Keynote Systems, a company which monitors 40 government sites in America.

Even Ron Beckstrom, whose comments were mostly well tuned, eventually fell victim to the hype cycle in a most spectacular way:
"[It's] a little bit like launching some Scud missiles towards the U.S.," noted Beckstrom. "These are cyber-scuds, very low-tech, but a lot of them, and kind of annoying."
No, Ron, it is nothing like this.
All of this hype, yet when you ask the victims, they tell you that the impact was negligible [source: ABC World News Tonight, 7/8/2009]. This underscores the classic properties of CNA that makes it much less effective in terms of real economic impact than CNE:
  1. Its effectiveness is often limited to the period over which it can be sustained - except when machine or software destruction is involved, in which case it simply becomes a DR exercise,
  2. It is difficult to sustain,
  3. It is open conflict and identifiable immediately, and
  4. It rarely maps to the intended strategic or tactical goals of the executor (what, for instance, was achieved here?)
So, can we please stop participating in the hype and lend some credibility to our young and rapidly emerging field by focusing on factual and rigorous investigation? Exaggeration and misrepresentation in the media is inevitable, but we encourage it when we reinforce it with expert opinion.

No comments: