Wednesday, December 11, 2013

Consumer Antivirus Blogs

OK, I give up, what's up with all the blog sites run by the antivirus vendors - in particular the consumer-level antivirus products? Every day they post essentially the same damned blog entries. What is the purpose of those blogs?

You know the blogs I mean. Day-in, day-out, 20+ antivirus companies post the same mind-numbing blog entries covering their dissection of their latest "interesting" piece of malware or phishing campaign. The names of the malware change, but it's the same blow-by-blow step through of another boring piece of malware, with the same dire warnings that you need new detection signatures and offering up the same recommendations readers should follow to protect themselves.

I guess my question is "after a decade producing essentially the same blogs each day, who the hell do they think they're writing these blogs for?" I'm pretty damned sure that the end user isn't reading them the day they're churned out. I'm guessing that a couple hundred die-hard information security folks around the world have configured their RSS readers to download each day's worth of posting - but I'm pretty sure that all but a tiny fraction of those guys actually read more than a handful of the entries on any day.

I suspect that most of the blog entries are merely mandated responses to some marketing initiative to generate new content for the websites and help maintain a certain SEO presence. The content doesn't really matter. It's not like real people are using the data in a meaningful way... it's for the machines.

I sometimes wonder if half the malware or phishing blog entries are completely made up. They may as well be generated by an automated routine for all the value they contribute to the community - let alone the actions they initiate for the end users of the vendors' products.

I'm sure some marketing weenie or sub-junior malware analyst is prepared to justify the 2 hour investment in writing and posting the blog... and how someday someone will search for that particular piece of malware and the details will be online surrounded with their branded material and links back to the download page for the product... but come on, is the effort worth it? The antivirus vendor blogs would be a thousand times more interesting if they posted a photo of Grumpy Cat every day... it could even be the same photo every day...

Can we stop this farce, this joke, this waste of time that is the daily postings of yet another totally uninteresting piece of malware or phishing email and stop pretending it's news?

Saturday, December 7, 2013

Divvy Up the Data Breach Fines

There are now a bunch of laws that require companies to publicly disclose a data breach and provide guidance to the victims associated with the lost data. In a growing number of cases there are even fines to be paid for very large, or very public, or very egregious data breaches and losses of personal information.

I often wonder what happens to the money once the fines have been paid. I'm sure there's some formula or stipulation as to how the monies are meant to be divided up and to which coffers they're destined to fill. But, apart from paying for the bodies that brought forth the case for a fine, is there any consistency to where the money goes and, more to the point, does that money get applied to correcting the problem?

In some cases I guess the fine(s) are being used to further educate the victims on how to better protect themselves, or to go towards third-party credit monitoring services. But come on, apart from a stinging slap on the wrist for the organization that was breached, do these fines actually make us (or anyone) more secure? In many cases the organization that got breached is treated like the villain - it was their fault that some hackers broke in and stole the data (it reminds me a little of the "she dressed provocatively, so deserved to be raped" arguments). I fail to see how the present "make 'em pay a big fine" culture helps to prevent the next one.

A couple of years ago during some MAAWG conference or other, I remember hearing a tale of how Canada was about to bring out a new law affecting the way fines were actioned against organizations that had suffered a data breach. I have no idea whether these proposals were happening, about to happen, or were merely wishful thinking... but the more I've thought on the topic, the more I'm finding myself advocating their application.

The way I envisage a change in the way organizations are fined for data breaches is very simple. Fine them more heavily than we do today - however half of the fine goes back to the breached company and must be used within 12 months to increase the information security of the company. There... it's as simple as that. Force the breached organizations to spend their money making their systems (and therefore your and my personal data) more secure!

Yes, the devil is in the detail. Someone needs to define precisely what that money can be spent on in terms of bolstering security - but I'm leaning towards investments in technology and the third-party elbow-grease to set up, tune, and make it hum.

I can see some folks saying "this is just a ploy to put more money in the security vendors' pockets!". If it's a ploy, it's hardly very transparent of me, is it? No, these organizations are victims of data breaches because their attackers are better prepared, more knowledgeable, and more sophisticated than their victims. These organizations that are paying the fine would need to be smart about how they (forcibly) spend their money - or they'll suffer again at the hands of their attackers and just have to pay more, and make wiser investments the second time round.

I've dealt with way too many of these breached organizations in my career. The story is the same each time. The IT departments know (mostly) what needs to be done to make their business more secure, but an adequate budget has never been forthcoming. A big data breach occurs, the company spends triple what they would have spent securing it in the first place doing forensics to determine the nature and scope of the data breach, they spend another big chunk of change on legal proceedings trying to protect themselves from lawsuits and limit liabilities and future fines, and then get lumbered with a marginal fine. The IT department gets a dollop of lucre to do the minimum to prevent the same attack from happening again, and they're starved again until the next data breach.

No, I'd much sooner see the companies being fined more heavily, but with half of that wrist-slapping money being forcibly applied to securing the organization from future attacks and limiting the scope for subsequent data breaches. I defy anyone to come up with a better way of making these organizations focus on their security problems and reduce the likelihood of future data breaches.

-- Gunter Ollmann

Friday, December 6, 2013

The CISSP Badge of Security Competency

It can be a security conference anywhere around the world and, after a few beers with the attendees, you can guarantee the topic of CISSP will come up. Very rarely will it be positive. You see, CISSP has become the cockroach of the security community and it just won't die. They say that cockroaches could survive a nuclear winter... I'm pretty sure CISSP is just as resilient.

Personally, I think CISSP gets an unfair hearing. I don't see CISSP as a security competency certification (regardless of those folks who sell it or perceive it as such), rather I interpret it like a badge on a Girl Scout's sash that signifies completion of a rote task... like learning how to deliver CPR. It's a certification that reflects an understanding of the raw concepts and vocabulary, not a measure of competency. Just like the Girl Scout with the CPR badge has the potential to be a competent medic in the future, for now it's a "well done, you understand the concepts" kind of deal.

If that's the case, then why, as a security professional, would practitioners not be lining up to have their own CISSP accreditation? In a large way, it's a bit like requiring that aforementioned (and accomplished) professional medic to sit the Girl Scout CPR exam and to proudly show off her new badge afterwards. To many folks, both scenarios are likely to be interpreted as an insult. I think this is one of the reasons why the professional security practitioner community is so against CISSP (and other security accreditations) - and causes the resultant backlash. The fact that many businesses are now asking for CISSP qualification as part of their recruitment vetting processes just adds salt to the wounds.

I see the CISSP certification as a great program for IT professionals (web developers, system administrators, backup operators, etc.) in order to gain the minimum level of understanding of what security means for them to do their jobs.

Drawing once again from the CPR badge analogy, I think that everyone who works in an office should do a first aid course and be competent in CPR. It just makes sense to have that basic understanding available in a time of need. However, the purpose of gaining those skills is to keep the patient alive until a professional can arrive and take over. This is exactly how I see CISSP operating in modern IT departments.

I think that if CISSP were positioned more appropriately as an "IT health" badge of minimum competency, then much of the backlash from the security community would die down.

-- Gunter Ollmann

Monday, March 25, 2013

Tales of SQLi

Last week I came across an amusing picture that depicted a scenario for an SQL Injection attempt. At the time I just tweeted about it, but over the weekend I wrote a longer blog entry on the topic of SQLi and included a few examples of where I've encountered similar "real world" vulnerable scenarios.

You can find the full blog over on the IOActive site - "SQL Injection in the Wild".

Monday, February 4, 2013

Vulnerability Disclosures in 2012

A new blog post by me is up on the IOActive site - 2012 Vulnerability Disclosure Retrospective. It follows from a review of the new analyst briefing document from NSS Labs about the statistics of vulnerabilities throughout last year and their increase.

Friday, December 21, 2012

How much is a zero-day exploit worth?

It's a pretty common question asked by both bug hunters and journalists alike - "How much is a zero-day vulnerability worth?"

There's no simple answer as I discuss the topic in my first blog posting with IOActive. You can find the discussion "Exploits, Curdled Milk and Nukes (Oh my!)" on the IOActive Labs Blog site.

Monday, December 17, 2012

Now at IOActive

For those that haven't seen the exchanges on Twitter or LinkedIn, I'm no longer with Damballa...

The last 3.5 years with Damballa were a wild ride. My first 3 years with the company saw much innovation and cutting-edge technology making its way to the market, but as things slowed down and the business doubled down on the features that make a product more "channel friendly", it was becoming less interesting to me. Don't get me wrong though, the research coming from Damballa Labs still can't be beat, and I hope it makes it into the product sometime soon.

So, with that all said, I wanted to get back into consulting. I love the constant flux of new problems, logistics and cutting-edge technology.

Last week I joined IOActive, Inc., as their CTO.

As some of you may be aware, I've been working with the company for a number of years - including being a member of their Advisory Board. As their CTO my initial focus will be on helping to develop the long-term service strategy - bringing new boutique and cutting-edge services to market to address the latest onslaught of technology threats and preempt many upcoming security problems for large and sophisticated organizations.

IOActive is a fantastic company. It's at the forefront of advanced security consultancy and has been growing at an amazing rate.

So, with all that said, you can now find me at IOActive, and I'd be pleased to offer you my new business card. I'm sure IOActive will be able to help! :-)

Sunday, November 25, 2012

Exploit Development for Fun & Profit

Last week I pulled together a posting for DarkReading covering the commercial aspects of exploit development - "The Business of Commercial Exploit Development". I hope you find it interesting... it sheds some light into a side of the security business that few understand or operate within, but which has a huge impact on what the threat landscape looks like in reality.