Today went a lot better than yesterday. I felt honest inspiration from the presentations I saw today. However, that does not mean the day was not without some drama.
Cyber War: You’re Doing it Wrong! With Marcus Ranum
RSA 2012 – Wednesday
This was a great presentation. Ranum walked through the realm of cyber war and explained how the different actors have sometimes competing interests and contradictory objectives. But mostly, he made it clear that cyber war is simply not that likely and has too many variables to be a dependable form of attack.
One example I liked was the vaporizing rifle. Imagine if a defense company approached the army with a new rifle. The gun could kill enemies who are miles away and is 100% deadly. But, it has one weakness, it can disappear at any moment and never be useful again. Such is the reality with cyber weapons. They can be highly effective, until some event happens, like the target patches their servers, and then the weapon is completely useless.
This was music to my ears because it mirrors Anitian’s practical, pragmatic approach to security. I have always advised clients that cyber war and cyber terrorism were largely creations of the media. That waging any kind of serious warfare over the Internet was unlikely to happen or be extremely localized.
The most recent and relevant example of cyberwar is Stuxnet. Many researchers believe this was a creation of the Israeli intelligence group Mossad, with assistance from the United States. It was designed to damage centrifuges that are allegedly being used in Iran to make nuclear weapons materials. Regardless of who created it, Stuxnet was designed to hit a very specific target and within a very specific time frame. Once it escaped beyond that attack, the secondary damage was light and relatively contained.
Which underscores the problems with cyberwar, it is not as easy as people think. It takes a lot of coordination, effort and political cover. Moreover, it is not something states are going to engage in without some viable strategic interest. People fret over hackers taking down the power grid, but realistically what would be the benefit? People could not microwave their hot pockets for a few hours? It is not like the power companies are just going to throw up their hands and say “oh well, we’re hacked, pack it in boys, there is no stopping the hackers.” No, they are going to reboot the affected systems, bring the lights back on and then figure out what happened. Moreover, why would a nation-state or terrorist want to knock out the power? There really is no strategic benefit to doing so.
Ranum also made the point that we need to stop obsessing over the Chinese or the terrorists taking information from us. He noted that if the Chinese want data, they can always just ask and they will probably get it. When global players want something, they just bargain for it. They do not need to setup complex espionage efforts. If anything, the Chinese are using hacking efforts to oppress their own people, not steal the recipe to a Mocha Frappuccino. And terrorists do not need or want this information, because it is really not tactically important to them. Terrorists want to cause fear and harm, and if they want information, they can just hang around long enough to get it. Their motivations are long-term and strategic. Again, they do not need to wage a complex hacking campaign.
Ranum was also critical of politicians who keep saying the private sector needs to step up and take security seriously. His point was that the entire security industry, and the thousands of sophisticated security technologies that exist IS the private sector “stepping up.” He noted that basically the entire security industry is a private effort and that many of the technologies that exist provide extremely effective defenses for many types of cyberwar attacks. It is the public sector that needs to step up and start encouraging government and business to invest in security.
Again, I had a huge smile on my face when he said this. He is completely correct. Lost inside the hacking demonstrations at DefCon and Black Hat is the brutal reality that while hacking may be easy, defense is getting easier too. For every “game-changer” attack that is breathlessly released at these conventions, there is an ample set of strong security controls that companies can implement. The real problem is not the hack, it is getting organizations to invest in sound security technologies and practices.
I left that presentation with a positive outlook on the day.
Breaking News! Up to the Minute Hacking Threats
This was a panel discussion with four security guys. Roel Schouwenberg from Kaspersky Labs, David Litchfield from Accuvant, Johnathan Tal from TAL Global, and Kevin Mahaffry from Lookout Security. The panel was moderated by Uri Rivner from RSA.
This was a reasonable, albeit dull discussion about current attacks. Anonymous was getting a lot of attention here. Honestly, all the guys seemed to have fairly decent observations, just not terribly insightful.
This presentation was not too exciting, so I ducked out to check out the session on IPv6 security.
Implementing IPv6 Security
This too was a dull, but useful session. There were basically three take-aways from this session. When you implement IPv6 for Internet use, you need to do three things:
- Mirror IPv4 policies to IPv6. Sensible.
- Scan for rogue routers and DHCP systems.
- Block transition tunnels between IPv4 and IPv6.
Again, all good stuff. I left that session, grabbed a ham sandwich and headed over to Crypto Commons.
Bruce Schneier: Liars and Outliers: Enabling the Trust That Society Needs to Thrive
Bruce Schneier is one of my favorite security luminaries. I read his blog regularly, have read most of his books and generally enjoy his thinking. He can get very arcane at times. He has a very academic, intellectual take on security. And not everything he says is immediately useful to the average practitioner.
However, he does make some excellent points about trust. His main point is that trust is a key component of our society. And we must figure out ways to encourage trust, even if some people are untrustworthy. This was the first time I heard this concept … and it would get repeated later. This concept is interesting, but more on that later.
Bruce was also critical of all the attention Anonymous gets. While he does not doubt that some of the group is very skillful, he said they are more like a brand than a group. And while they have done some good, we only really see their successes. Nobody talks about Anonymous when they fail miserably. And they have likely had more failures than successes.
Bruce also discussed how complex trust systems are breaking down, because of technology and our inability to adapt to the changes. Part of that is because we tend to focus on the failures, and not the success. He used the global credit systems as an example. There are billions of transactions and successful uses of credit, but we only tend to focus on the failures, of which there are relatively few.
One concept that he also brought up was that technology is allowing us to become more moral. That idea made me stop and ponder. He cited events in Syria and Egypt as examples of how people are leveraging technology to affect social change and demand rights and freedoms we consider moral. He also cited the Occupy movement as a similar force, pushing for societal change and social justice.
I liked this idea a lot and it did not feel exploitative. One thing that has really annoyed me about this conference is when CEOs and executives try to exploit the “Arab Spring” movement in the Middle East as a reason why security (and of course their products) are so important. I am sorry, but the struggles of BYOD is not an equivalent problem to the Syrian regime shelling civilians. I think it is inappropriate to equate those two struggles. One is irritating and unproductive, the other is killing innocent people who want their freedom. It is not the same.
I left that presentation feeling inspired. But honestly, the inspiration had only just started. The next few hours would be some of the most inspiring hours of my life.
Live Forensics of a Malware Infection
This was an absolutely fascinating analysis of a malware infection on a host. The presenters, Antti Tikkanen and Paolo Palumbo from F-Secure did a great job of stepping through the intricate details of how they analyze a malware infection. We have done this similar forensics work at Anitian, so it is interesting to see others do it.
While I am familiar with the tactics and techniques of malware analysis, it was still engrossing and interesting. The sample they used was rather sophisticated, showing the various ways attackers can obfuscate their efforts.
Security Debate – Marcus Ranum and Bruce Schneier debate Software Liability
This event brought together two of my favorite guys to discuss an interesting, albeit arcane, concept. The question posed was: should there be software liability laws? In other words, should people or companies have the ability or right to exert liability claims when software fails and causes loss. Currently, there are no such laws and for the most part you cannot sue for damages when software fails.
Schneier was for liability laws, Ranum was against them.
Schneiers point was that we need a level playing field and an economic incentive to make software companies produce better software. Companies should be allowed to sue for damages when a weakness in software is shown to have allowed an attack. He felt this would force those firms to implement more effective security controls. His prime example was the credit card industry. Which up until the 1970s, the individual was liable for credit card theft or misuse, which meant the credit card companies had no incentive to make the system safer. Once Congress passed a law saying that the maximum liability an individual could have was $50, the credit card companies went berserk with security controls. I should note that PCI compliance ultimately grew out of that.
Okay, good point. I cannot disagree with that, considering I am a PCI QSA.
But, Ranum made the point that liability laws will inevitably favor only the big guys, since they can wage liability battles with consumers longer. Smaller companies will simply be wiped out. Moreover, this will stifle innovation. Ranum took a classic laissez-faire capitalism stance that we should let the markets decide. If software is bad, people will stop using it. Ranum also said that if consumers and companies keep picking mediocre or low-cost solutions over more expensive or more robust technologies, then frankly they got what they paid for.
I admit I am decidedly on Ranum’s side on this issue. I do not think we need regulation in this area. I think rapidly evolving and innovative markets need the freedom to self-regulate where possible. Provided people are not harmed, I think the government and the lawyers need to stay out of the picture. When lawyers get involved, everybody (except the lawyers) loses.
I also firmly believe the notion of “you get what you pay for.” If you cut corners and buy cheap software or inexperienced consultants, you get poor quality. Inherent in the system is the fact that quality not only costs more it also takes longer and requires more experience to produce. People unwilling or unable to pay for that should not be empowered to get compensated for their poor decision making. Leaving the system alone forces the buyer to more carefully consider the software they are buying and make informed choices.
Weak providers who offer an inferior product will naturally decline and lose market share. Moral hazard, as was popularized during the financial crisis of 2008, is a critical component of capitalism. The weak should fail. Moreover, we should not reward or protect irresponsible spending.
However the crowd disagreed with me. A non-scientific poll at the end of the debate chose Schneier’s position favoring liability laws. Eh, so much for capitalism.
The Key Notes
The Rise of Hacktivism
This was a panel discussion between Grady Summaers, VP of Mandiant, Eric Strom, from the FBI and Misha Glenny, an author and journalist. It was moderated by Jeffry Brown, a senior correspondent for the NewsHour on PBS. This was a lively and interesting discussion, mostly about Anonymous. It underscored the problems of “catching” people in Anonymous, since they have no real central control.
The best comment was “Anonymous holds up a mirror to our neglect.” This was good, since most of Anonymous’ attacks have used well known vulnerabilities and exploits. Anonymous is not on the cutting edge of hacking. They use very common, well known tactics which are, for the most part, easy to remedy. The fact that they have been successful shows that there is a lot of neglect of basic security practices and controls.
This mirrors what Anitian sees. I see company after company that cannot handle the basic operational components of security. Things like patching, firewall management, log management, and even antivirus.
Another good comment came from Mr. Summers who reiterated the need for good incident response planning. I was very happy to hear that, since it echoes something we have been saying at Anitian for years. All these “advance persistent threats” sound scary, but good IR is what can defeat them. IR planning and testing should be a priority for all companies.
Lock It Down or Free It Up, Christopher Young, Senior VP Cisco
Mr. Young spent his first 10 minutes on stage explaining why he went to work for Cisco and how great Cisco is. I found that to be a phenomenal waste of time and decided I did not want to hear any more. I do not take Cisco very seriously when it comes to security, and Mr. Young reinforced that opinion.
Securing the Unsecurable, Stuart McClure, CTO McAfee
Mr. McClure started out good, with some fun commentary about movies and how insightful they have been about hacking. Mr. McClure even referenced Star Trek II: The Wrath of Kahn, which is my favorite movie. So, this presentation was looking up.
Then it became FUD – unrelenting FUD. I’ll give McClure credit for having the guts to do a live hacking demo of an insulin pump. He showed how using some special software (that McAfee designed) they can hack the pump and get it to release insulin. The implication is that hackers could go around killing diabetes patients.
Buy why? Why would anybody do that? There is no reason for hackers to go around killing people in hospitals who have insulin pumps. It would be absolutely psychotic. And nobody with the skills to hack an insulin machine is going to use them to kill people – they would just get a job at McAfee and make good money.
This is sensationalist hacking at its worst. It is manipulating our fears with sensationalism. First off, this hack has never been reported in the wild. Second, we have no idea what system is being used, its state, its vulnerabilities, and so forth. All we see is Mr. McClure holding up an antenna and then making the pump spit out fluid. This reminds me of that ridiculous ATM hack from a few months back, which had similar characteristics.
It came as no surprise then when McClure was wrapping up he thanked his team of researchers, namely one Barnaby Jack, the same guy behind the ATM hacking. Seems Jack is now a McAfee employee.
Don’t get me wrong, I think Mr. Jack’s work is very, very useful. But these kinds of sensationalist demonstrations are merely designed to ratchet up the drama. They do not provide useful context. And it is is especially disingenuous when the person doing the attack, is sure to note how his company sells the answers.
I’ve met Mr. McClure and I think he is a smart and decent guy. I like McAfee and I think they make some good security products (they also make a few stinkers.) But I do not like sensationalism. And this lowered my opinion of both of them.
If Mr. McClure has simply said “embedded systems are vulnerable and we need tools and methods to protect them” I would have taken that at face value as being an accurate statement. He could have then used the time he spent playing hacker to discuss strategies, concepts and technologies that provide these protections. I would have enjoyed that and would want more McAfee in my life.
Mr. McClure did touch upon some of the things McAfee and Intel are doing to bring better forms of isolation and protection to systems using embedded security components in chips. That is interesting. I wanted to hear more about that. But, all we got were some flashy slides and limited details. I suspect that is all still in the development stage.
With that sensationalist demonstration I see another security firm falling victim to the FUD. I implore you McAfee, don’t do that demo again. Resist the urge to go for drama and instead start talking about ways to make things better. Show us what you are doing to improve security. Do not use fear to sell. It is beneath you as an organization.
The Social Animal, David Brooks, Columnist New York Times, PBS Commentator, Author
I have never seen Mr. Brooks speak nor am I very familiar with his work. However, at the end of this presentation, I can safely say I am a David Brooks fan.
His presentation was one of the most inspiring, thought provoking and fascinating things I have heard. I simply cannot do his points justice, so I won’t even try. I will say that if you read this far in my blog post – then stop here and go watch the video of his presentation. It is about 45 minutes long, but it is worth it. http://www.youtube.com/watch?v=Xnxsp6bL12Q
There are so many things I could say about this presentation. But it reinforced what I tell every single customer – your greatest weakness is and always will be the people around you at work. Building trust among co-workers, partners, vendors and the community is a critical foundation to any security program.
I stayed after to see an ongoing discussion with Mr. Brooks. He is a fascinating person with some truly profound insights into the human condition and social connections.
Aside from Mr. McClure’s presentation, today was great. I walked out of the show at 6:30 inspired and emotionally drained. I was supposed to go to a party for Rapid7, which I heard is quite wild. I simply could not make it. I was just too tired and wanted to write up this blog entry.
Tomorrow is a light day. I am only attending a few break-outs and keynotes. I feel at this point I have really gotten my money’s worth at RSA.