Showing posts with label research.

QOTD on Disclosure

Thinking that there's no one else out there who knows the details of a given zero-day flaw is one of the things that leads to ridiculously long gaps between disclosure and the release of a patch. Even in the case of a vulnerability for which all of the details aren't public, a bit of information combined with a short window of time before a patch is available can give attackers the head start they need to launch mass exploits.
-- Dennis Fisher, Editor at ThreatPost

Src: Why Vulnerability Research Matters | threatpost

QOTD on Malware

They’ll [i.e. hackers will] use the headlines of the day as bait. The malware will install itself on the user’s desktop or laptop, then dial out to another machine and say, ‘I’ve infected this organization, come do something.’

-- Wade Baker, director of risk intelligence for Verizon Business

Src: How hackers use the World Cup and Chelsea Clinton to steal your data -- Washington Technology

QOTD - Economics of Targeted Attacks

The cost of non-scalable attacks is such that very few users are targeted. It further suggests a security investment strategy for Internet users: all scalable [i.e. non-targeted] attacks should be addressed first. Consider the case where Alice’s [a potential victim] email account can be harvested for value $200 by a non-scalable attacker [i.e. a targeted attack]. Alice’s avoidance of harm depends not so much on her security investments, but on the relative worthlessness of other email accounts, from which hers cannot be distinguished.
-- Cormac Herley of Microsoft Research, who presented a paper entitled "The Plight of the Targeted Attacker in a World of Scale" at the 2010 Workshop on the Economics of Information Security.

Src: Ninth Workshop on the Economics of Information Security (WEIS 2010) program (PDF)

QOTD - Shostack on Infosec & Oil Platform Engineering

Replying to a series of posts on the Security Metrics mailing list about whether information security is (or can aspire to become) an art, a science, or an engineering discipline, Adam Shostack, author of The New School of Information Security, wrote:
I think we're more like oil platform engineers than bridge engineers. Our mistakes are hidden, hard to estimate, and residue is turning up in unexpected places.
Note: posted with author's permission

QOTD - Spaf on InfoSec R&D Funding

Security is an ongoing effort against those who make continuing attacks against us, in a domain where innovation and change have been accelerating. We cannot hope to succeed if we take small steps, fail to provide continuous emphasis, and focus solely on finding cheap solutions to problems in 60-90 days; our adversaries are not acting this way, and we are already behind in several important areas.
[...]
It has been repeatedly noted in reports, testimony, and community gatherings that current cyber-security research is largely incremental. This evolutionary rather than revolutionary approach has prevented true leaps ahead in the technology. Thus, we continue to deal with legacy issues such as computer viruses and buffer overflows on a seemingly endless basis.
-- Dr. Eugene Spafford, Two Proposals on Cyber Security Research
Src: http://transfer.spaf.us/is-prop.pdf

QOTD on Cyberspace

Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states. -- Major-General Amos Yadlin, chief of military intelligence for Israel
Src: Spymaster sees Israel as world cyberwar leader | Reuters

Playing 'Whac-A-Mole' with personal data

According to this article, the current legal approach to protecting Personally Identifiable Information (PII) can be compared to playing "Whac-A-Mole" with personal data. Dr. Paul Ohm, law professor at the University of Colorado Law School, writes:
Data can either be useful or perfectly anonymous but never both.
...
For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical 'database of ruin,' the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Reidentification has formed the database of ruin and given access to it to our worst enemies.
...
The trouble is that PII is an ever-expanding category. Ten years ago, almost nobody would have categorized movie ratings and search queries as PII, and as a result, no law or regulation did either.
Src: "Anonymized" data really isn't—and here's why not - Ars Technica

When BIOS updates become malware attacks

You get the call - a computer is acting strange, malware is the likely suspect. After recording appropriate activity logs and ensuring data is safe, you proceed with the disinfection: wipe the OS and reinstall from a clean image.

If you stopped at the procedure above, the machine may still be infected. The reason? The malware may have embedded itself in the firmware, the BIOS, rather than merely residing on the drive, and a disk wipe never touches the flash chip.

This is an active and developing area of research (by hackers and by security researchers, such as those at Core Security) and one that every information security professional should be aware of.

Next time a machine is acting strange, wipe the OS and reinstall, but only after you have also reflashed the BIOS from a known-good vendor image obtained out of band. Do the reflash before the rebuild, not from inside the compromised OS, and verify the result: a flash tool running on an infected system cannot be trusted to write what you expect.
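The verification step that the procedure above glosses over, as an added example (this is not code from the original post or from Core Security): dump the installed firmware, hash it against a known-good vendor image, and only treat the machine as clean when the two match. It assumes `flashrom` is installed with a supported chipset for the dump and write steps, that the vendor image was obtained out of band, and that the dump is run from a trusted boot medium rather than the suspect OS; all of these are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies a dumped BIOS image
# against a known-good vendor image before a rebuilt machine is trusted.
# Assumptions: flashrom is installed and supports this board (internal
# programmer, needs root); KNOWN_GOOD is a vendor image obtained out of band.

# Dump the currently installed firmware to the file named in $1.
# Returns flashrom's exit status (non-zero if the chip is unsupported).
dump_firmware() {
    out="$1"
    flashrom -p internal -r "$out"
}

# Compare two firmware images by SHA-256.
# Returns 0 when identical, 1 when they differ, 2 when a file is missing.
# Hashing (rather than cmp) yields a value you can record in the incident
# notes and check against the vendor's published hash.
compare_firmware_dump() {
    known_good="$1"
    dump="$2"
    [ -f "$known_good" ] && [ -f "$dump" ] || return 2
    h1=$(sha256sum "$known_good" | cut -d' ' -f1)
    h2=$(sha256sum "$dump" | cut -d' ' -f1)
    if [ "$h1" = "$h2" ]; then
        echo "firmware matches known-good image ($h1)"
        return 0
    fi
    echo "firmware DIFFERS from known-good image" >&2
    echo "  known-good: $h1" >&2
    echo "  dumped:     $h2" >&2
    return 1
}

# The post's workflow with the check made explicit:
#   1. dump the current BIOS and keep it as evidence,
#   2. compare it with the vendor image; a mismatch means the firmware,
#      not just the disk, has to be rebuilt,
#   3. reflash from the vendor image, dump again and confirm the match,
#   4. only then wipe and reinstall the OS.
# Returns 0 when the installed firmware matches the vendor image at the end,
# 1 if it still differs, 3 if flashrom itself failed.
verify_and_reflash() {
    known_good="$1"
    evidence="${2:-bios-before.bin}"
    dump_firmware "$evidence" || return 3
    if compare_firmware_dump "$known_good" "$evidence"; then
        return 0
    fi
    flashrom -p internal -w "$known_good" || return 3
    dump_firmware bios-after.bin || return 3
    compare_firmware_dump "$known_good" bios-after.bin
}

# Usage (from a trusted boot medium, as root):
#   . ./verify_bios.sh && verify_and_reflash /mnt/vendor/bios-v1.23.bin
```

Keep the "before" dump: if the hashes differ, that image is the artifact to hand to whoever does the firmware analysis, and it is the only copy of the suspect code once the chip has been rewritten.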

Src: When BIOS updates become malware attacks | SearchSecurity.com

The End of the University as We Know It

Graduate education is the Detroit of higher learning. Most graduate programs in American universities produce a product for which there is no market (candidates for teaching positions that do not exist) and develop skills for which there is diminishing demand (research in subfields within subfields and publication in journals read by no one other than a few like-minded colleagues), all at a rapidly rising cost (sometimes well over $100,000 in student loans).
I agree wholeheartedly. Traditional academia is a dinosaur on its way towards extinction. If you were to look around various institutions, you would find that most faculty are incapable of functioning outside of the bubble of the ivory tower as they often lack "real-world skills" that the marketplace requires.

What does this have to do with Information Security, you may ask? In areas such as Computer Science and Information Technology, faculty often teach classes without spending much time (if any) discussing the implications of writing insecure code. How could they, since they themselves often lack the interest and/or motivation to embrace information security?
Once tenure has been granted, there is no leverage to encourage a professor to continue to develop professionally or to require him or her to assume responsibilities like administration and student advising...
Colleges and universities should be able to reward researchers, scholars and teachers who continue to evolve and remain productive while also making room for young people with new ideas and skills.
My own career path has been markedly different from that of the traditional faculty. I consider myself a hybrid, one equally at ease talking with ivory-tower colleagues, but also very much at ease interacting with fellow information security practitioners or business executives. I do not view my Ph.D. as a "terminal degree." Instead, I view it as a lifelong commitment to learning, as evidenced by my later accomplishments including several leading certifications and engagements within the field of InfoSec.

Src: Op-Ed Contributor - End the University as We Know It | NYTimes.com [tx to the other Dr. Veltsos for this link]

Sniffing keystrokes via laser and keyboard power

This news article reports on a recent CanSecWest presentation by researchers from a company called InversePath on two different methods of sniffing keystrokes from about 50 ft away: one bounces a laser off a laptop (and so needs line of sight), the other picks up the signals that a PS/2 keyboard leaks onto the power line through the PC's grounded outlet.

Src: Sniffing keystrokes via laser and keyboard power | CNET News [tx @the_ryebread]

No User Action Required In Newly Discovered PDF Attack

I've had the good fortune of following Didier Stevens on Twitter for a few months and his research into various software flaws is nothing short of amazing. Didier has managed to demonstrate without a doubt that the latest Adobe PDF zero-day flaw can trigger an attack even without user intervention. The culprit is one of the many things that your machine does in the background, in this case the Windows Indexing Service (WIS). In order to index the contents of a PDF file, WIS has to parse it, and the code it uses to parse the PDF is itself vulnerable to this latest attack. The result is a compromise of a process running with Local System privileges, with no click or open required from the user.

Src: No User Action Required In Newly Discovered PDF Attack | DarkReading [tx to @gattaca]

Time to Take the Theoretical Seriously

Chris Wysopal, CTO of Veracode, has an article on the double-edged sword of vulnerability research and disclosure. Here are a few quotes:
The hope that no one is willing, or no one is able, to implement an attack is not a security strategy.
[...]
Yet, the necessity of demonstrating such attacks before the vulnerabilities are fixed is dangerous, both for Internet users and for researchers. By raising the amount of work required for researchers to get their voices heard it makes it all the more likely attackers will build the tools first.
Src: Time to Take the Theoretical Seriously | SecurityFocus [Tx @ioerror]

Rethinking computing insanity, practice and research

Gene Spafford provides a historical perspective and commentary about the state of cyber-security research.
The current cyber security landscape is a major battlefield. We are under constant attack from criminals, vandals, and professional agents of governments.
Src: Rethinking computing insanity, practice and research | CERIAS | Purdue