Tuesday, July 14, 2009

[Rant] Pulling Back

"There are 2 kinds of InfoSec people out there... those who still believe we can build secure environments/apps and those that know it wouldn't matter anyway."
--Rafal (me)

Hi everyone, first off this is going to be an ugly one because over the course of the last 2 days I've had conversations with many of you that have started out very constructive but then quickly devolved into the "oh crap, we're fu**ed" variety. Most of this is thanks to "anonymous" (I'll let him remain nameless until he cares to step out of the shadows) who has given us (and more importantly, me) some very not-so-subtle clues on why my job grows more meaningless with every tick of the clock.

If you haven't read it yet, read the mass-spam article, and pay special attention to the comments section... this is where things went downhill... rant follows

When I wake up in the morning, what gets me energized and going is knowing that I can make a positive impact on the world I live and work in. For me that means InfoSecurity has to make progress. Progress, since I like to use Medieval metaphors, is pushing the kingdom out further and further into the wild country beyondn the castle walls. This of course means one of two things - you can either build a bigger army and spread them ever-more thin, OR you can arm the redidents of your kingdom for self-defense against the hordes that lie beyond the edge of the kingdom. Translated into 2009-speak that roughly means we're tryingn to protect people from themselves... and since we can't keep spreading our already strained InfoSec resources ever-more thin... we have to teach people to defend themselves. This is where sh** really starts to break down quickly.

The problem is people just don't give a damn. They're sheeple. Like sheep... they're herded rather easily but they have things others (the "bad guys") want like social security numbers, credit card information and passwords. It wouldn't be so bad if we could just charge them the idiot tax and move on but banks and credit cards and even our government have been passing their stupidity to the rest of us who are smart enough to figure this out. How you ask? Have you seen your bank fees lately? They're skyrocketing because of the rising costs of fraud, and banks continue to "put your money back if you get your (virtual) pocket picked)" - even if it's your own fault?!

I can make my peace with people being careless with their own property but unfortunately this is a social commune - where your stupidity translates into higher interest rates, fees, and less services for me. So naturally sentiment for this is turned against the evil hackers who are out to steal our lives because they're bad. Well... what most of you that make this argument miss is that these types of things have existed in real-life for centuries and they haven't bankrupted society (yet) beacuse people eventually got wise to the schemes... usually. What's mind-boggling is that in the digital world people still fail to see how "security" matters.

How can this be any worse? The fact that companies have adopted this same moronic mentality. I can't take it anymore, I want to smash my head into a wall every time someone at a major Fortune 1,000 company tells me that they don't need to do Web App Sec because they "don't take payments over the web"... how is that the only way that security has stuck in people's minds? Forget the network security ... we've had that figured out and are now reaping diminishing returns... have been for the last ~2-3 years... web apps are the main target now, I don't need Gartner or IDC to tell me that, do you?

Then there's the PCI-DSS... and while I love all my friends who are gurus in this space (you know who you are) this has become the absolute minimum requirement now... "do you do everything on this PCI-DSS checklist?"... which is bullsh** and we all know it but it keeps the lawyers on their leashes and makes the risk people happy until something catastrophic happens (ahem... you twits at Heartland Payment Systems) and then you sue the people who audited you? Really? You shop around for the cheapest, least-intrusive PCI auditor who will give you a passing grade with the least amount of effort and you wonder why you're making headlines? Can we stop and think for just one stupid second?

Then there's the whole point of why I'm at this stage of delerium... with the best-effort I make every day (and many of you are in the same boat)... bailing water as fast as possible - saving people and companies from their own ignorance and stupidity - everything I do to protect you has already been beaten like a red-headed step-child. Twice. Except now there are scripts for beating any security measures we may have... and the basic concepts and premises we base our careers on are shot. We're bailing water from a sinking boat when the boat is already under water.

What do you do when you've forced (beaten...) your users into compliance with security policy, you have anti-malware on every desktop, locked-down admin rights, carefully filtered web ingress/egress traffic, tight firewall rules and network security devices (IPS/WAF/what_ever) and everything is fully patched... then one of your users visits a legitimate web site and within 30 seconds is trojaned with a ring-0 trojan that completely and utterly devastates the machine. Sucking down passwords, critical data and setting up cover channels into your network without even tripping Vista's built-in protective measures. Yes... I know it's possible, for a fact. Quote me.

Does it matter that there are educational programs, open-source OWASP security tools, projects and pre-built reasonably secure code modules? Does it matter that InfoSecurity is finally making headway within the corporate world? No... why?
  1. users are still apathetic and choose to remain that way
  2. companies still would rather spend precious money on upgrading firewalls and IPSes than building secure web apps
  3. security is not simple and usable and therefore failing the user-friendly test
  4. arogant developers still try to re-invent the wheel every single time
  5. even if we succeed... we fail because the "bad guys" are 2 steps ahead, always
So what? I'm feeling a little jaded after doing the research and the follow-ups on that last article (can you tell?). Who cares if CAPTCHAs are everywhere when the bad guys are paying people in India $0.01/CAPTCHA they manually break? So rather than the "security kingdom" expanding and pushing further into the darkness we're left retreating within the realm of the kingdom...then fall back to the castle walls... then fall back inside the castle... then fall back to the inner-castle wall and now we're being over-run again and the only place left to hide and fall back to is the inner-keep. There is no falling back further... the game is over at that point. There has to be a line in the sand drawn or else this game is over boys and girls.

We're not at any particular cross-roads in IT history...but this is as good a time as any to get off our complacent asses and make a hell of a lot of noise. Reach out to those in positions to make a difference and make your case like everything depends on it. Hey, believe me when I say I understand this situation isn't bad for business - because as crappy as the world of security gets we will all have job security forever - but at what cost?

We need to stop the advancement, we need to stop pulling back. Continuing to build better anti-automation into our social-networking sites is stupid and a waste of time. No more free bugs? Who cares... it doesn't make a damn bit of difference in the end result. Here's an idea... how about you pick a side and work towards that goal. If you're a white-hat then understand you're not doing it to make yourself rich but for the betterment and the "greater good". It's time to get over ourselves and quit acting like divas because we are clearly getting our asses handed to us out there folks...

Wake up and smell the fire burning under your feet.


Sorry it had to be said.


Dave Hull said...

Another day, another ocean to boil.

Anonymous said...

Hi Rafal,

As long as we're using medieval/castle analogies then I'll throw in mine as well: "conquer and divide". There won't be any one silver bullet but many smaller bullets.... and even then we may not slay *every* dragon. We'll take some casualities but the other side will take more. Right now they've got the upper hand - the castle is asleep from last nights drinking binge (e.g. massive building of insecure applications). The King didn't listen to our warnings because his cost-benefit calculations told him the costs weren't worth the risks.

One by one castles are starting to fall, at some point the value of the King's risk variable will change overnight (even though the attacks are EXACTLY the same) - probably when the Kings brothers castle falls - then the result of his cost-benefit calculation will also suddenly change and then he'll suddenly devote his resources to the task.


Rafal Los said...



I'm waiting for that day... because I'm going to bring out every risk assessment I've done over the last 2 years that CIO/CISO's ignored.

... tick, tick, tick, tick...

Jabra said...

Everyone in the industry needs to raise the bar. We can't settle for good enough... This is the reason I don't sleep much, because I'm helping to push my customers and everyone around me in the right direction.

Anton Chuvakin said...

Reading posts like this makes me want to go into cybercrime :-)

Brian Honan said...

I have been mulling over your excellent post for the past few days and thinking about some of the points you raise.

Part of the problems we face is that as infosec professionals most of us come from a technical background where everything is logical and is either 1 or 0. There is no in between and that is the way a lot of technologist like to view the world.

However, most users of computer systems, both individuals and businesses, are not from a technical background and do not want or care about logic or the technicalities of the systems they are using and the risks posed to them by cybercrime. And what is more they feel they should not have to care.

But what we see happening in the cyber world is the same that we are seeing in the real world.

How many people die in car accidents each year? This keeps happening despite the driver education, law enforcement drives and new technologies (air bags & seat belts). And yet each year new drivers come onto the road with their basic driver education, an understanding of the rules of the road and maybe an apprecitation of how their car works (in reality though most won't even know how to change the oil). I am sure there are road safety professionals (if that is the correct term) who are equally frustrated and disheartened each time they hear of a fatal road crash.

Real world crime is another good example of where society does not learn from its past mistakes or those of others. Crime is still with us despite the best efforts of us all.

The above is also compounded that humans are not good at perceiving risk, be that in cyber space, on the roads or indeed in real epidemics such as swine flu. How many people will still go against all medical advice regarding swine flu and spread the virus further simply because they thought it would not happen to them?

So I think as infosec professionals we should;
(a) Continue to fight the good fight and help people understand the issues so they can better protect themselves and ultimately the community
(b) Focus our efforts on our own organisations and families to make them better prepared than everyone else to deal with the online threats (remember its survival of the fittest)
(c) be prepared for when despite our best efforts something happens outside our control to undermine our defences
(d) Accept that we do not live in a digital world where everything is true or false and that we cannot have cyber crime = 0.
(e) Accept that, just like real crime, online crime will always be an issue and cannot be eliminated. What we have to learn to do is to control the levels of crime and ensure that we do not become a victim.

So it is not about creating the most secure castle and kingdom in the world but making it secure enough that criminals move to a weaker target. Ultimately if you cannot convince your King of this then maybe it is time for you to start a revolution.