Obscurity, redux squared
It seems every time I write something about obscurity in TDI, I piss someone off. I guess part of that goes with the territory of being me, but the other part is that it's very hard to be clear and complete in a 100-word snippet each morning.
So Chandler Howell takes me out (here) because I advocated actually being careful about what we disclose to whom relative to potential vulnerabilities in physical door locks. He has a point, that I wasn't exactly clear or complete in my statements, so let me clarify a bit.
First, let me get the religion out of the way. There are times when it makes sense to obscure information about exploits and defenses. I've written about this in the past, and I don't believe there is an absolute right or wrong here. But if you are religious about it, the rest of this post is really going to piss you off. In general, I think more information is better than less information, but I'm not about to make a blanket statement that security by obscurity is bad in all cases.
Chandler's post got me thinking about when obscurity may be a better option. Of course, it does carry a significant amount of risk (and that's what Chandler is steamed about), but it may be worth it. We are security folks, no? Our jobs are to evaluate risk and then decide if it's worth taking.
I'm sure I'm missing something here and the odds are fairly high that I'll kick off some crap-storm. But to me, the key questions are how easy is it to spread the word about a vulnerability and how active a community is there to receive and take advantage of the information? If you can think in 3D, maybe you also add what it will cost (in terms of time and/or money) to fix the problem.
If the answer to either of the first two questions is yes or if the cost to fix it is small, then obscurity is probably not worth the risk.
Let's look at OS-level exploits (Windows, Mac, Linux, etc.) to illuminate the point. In that case, since it's technology-related, there are lots of ways to disseminate that information. Underground newsgroups, blogs, etc. make exploit information spread like wildfire when discovered. And there are certainly lots of hackers to consume the information who have the ability to use it effectively pretty much immediately. And though many will argue about how much it costs to patch, it's really trivial relative to having to replace the machine.
Given the answer to both questions is yes and it doesn't cost a lot to fix the problem, it's a bad idea to obscure information relative to these types of exploits. This has been proven many times in practice. I suspect Apple is now learning this the hard way, given how they've behaved lately.
Now let's look at physical locks. Is there a lock-pickers' newsgroup, or bulletin board? Are there blogs written by lock pickers that share the latest gadgets and techniques? Are folks' RSS readers buzzing with how to break a Schlage F-Series? I honestly don't know. And how many of the lock pickers frequent these information sources and would be able to quickly take advantage of the new information? Again, I don't know.
Let's say both of the answers are no, in that there aren't well built out information dissemination vehicles for lock-pickers and these folks wouldn't know where to look anyway. And what about cost. Replacing physical devices is expensive. And even if the vendor replaces the locks, someone has to do the labor to swap them out. This is non-trivial.
So based on my analysis, obscurity is not out of the question for the physical lock issue. Of course, that turned out to be a bad decision, but we are talking theory here. If you look at the downside, the biggest risk is that the information becomes public. Then we have to clean up the mess.
And it's quite a mess. When an obscured exploit becomes public it becomes a fiasco quickly. Kind of like Chandler relates relative to the Kryptonite/Bic Pen issue of a few years ago. But even that only involved replacing portable locks, not necessarily having to replace every lock in your house (that would be 5 for me).
So to net this out, there are a few factors that need to be considered relative to whether obscurity is a viable option. The religious will say it's never a viable option and I think they are wrong. Clearly obscurity didn't work in the case that Jeff Hayes brought up to kick this discussion off, but how many other issues did we not worry about because we were blissfully unaware. And the lock-pickers were unaware as well.
That's what I have to say about that. Obscurity can and should be looked at on a case-by-case basis, but just keep in mind that it's a tight-rope act. Like the Flying Wallendas, you can certainly get away with it, but probably not forever. If the wind blows in the wrong direction at the wrong time, SPLAT.
Apple stays on message
So Apple ships some iPods with malware. As George Ou points out here, Apple then displays "arrogance and insincerity" in blaming Microsoft. George is absolutely right, Apple's display was disgusting and offensive to those of us that would like companies to accept responsibility when they screw something up.
But what George is missing is that what Apple did is good marketing. Dare I say it, maybe even great marketing. Huh? Did I say good/great marketing? With the blogosphere in an uproar? With everyone questioning the legitimacy of Apple's security posture? Absolutely, this is a classic example of why Apple is by far the best marketing organization in technology.
Why? Because their target market is not us. We'll buy their stuff anyway because we KNOW it's more secure. We can get pissed off and blow off steam and call them names. But what are you going to do, buy a new XP machine in protest? Not likely. Or maybe you are a Windows bigot (yes, they exist) - you aren't going to buy a Mac anyway - so they aren't talking to you either.
One of the first keys to good marketing is to stay on message. Apple certainly does that. It's all about the "Windows virus" and how Microsoft's OS should be more "hardy" and resistant to malware - like a Mac. Consumers eat this stuff up. And I suspect quite a few (who love their iPods) will certainly consider buying a Mac when their current machine blows up. If they had a Mac, they wouldn't have this problem.
Of course, it's ridiculous given that Apple created the problem. But the mass market is not comprised of the sharpest tools in the shed.
Another key to good marketing is to speak to your target customer. Apple's customers just want things to work (like their iPod) and because this virus only compromised Windows machines, it's another opportunity to poke Microsoft in the eye. Like they did in the original no virus ad here. See, they always stay on message and they never miss an opportunity to make the competition look bad.
So as much as I'm with George in being disgusted by Apple's actions, sometimes the best marketing makes you want to puke. And this is one of those times.
Symantec and Juniper: A Tale of Two Drunks
One of my most treasured memories from college was the time my buddy Alex and I went to a fraternity rush event where they were serving Tom Collins. Lots of Tom Collins. Neither one of us could make it back to the dorm on our own, so we basically leaned on each other, took one ginger step at a time, and made it back in one piece. We were literally two drunks holding each other up and remain very close friends 20 years later. To this day I cannot drink gin.
I get the same feeling looking at the Symantec/Juniper announcement this morning (here). I can imagine Scott Kriens of Juniper and John Thompson of Symantec meeting at one of those cocktail parties where your personal net worth needs to be in the 9 figure range to get in, and one goes to the other: "Hey, you're not Cisco! We should do something together."
I'm not sure how much wine they each had at that fateful party, but this is clearly two vendors who are not Cisco trying to prop each other up.
On the surface, I'm not as negative as Stiennon on this deal (here), but I think the impact will be largely at the product level and transparent to customers. Juniper gets to build in some of Symantec's "intelligence" into their perimeter network security gear. Symantec gets to reference sell a legitimate perimeter platform.
I do agree with Richard that this is clearly a reactive deal driven by the fact that Cisco has a better story, bigger channels, and more momentum in the security space. Neither could do an outright acquisition, so this is what they are left with. I concur that the channel stuff is going to be hard to navigate, especially for the Juniper folks - that don't really understand the enterprise and don't really understand security either (many of their Netscreen folks have left).
But adding Symantec's anti-spam, IPS signatures, and vulnerability research to Juniper's products will make them better and I think it will actually happen. Why wouldn't Juniper do this, given they are pretty much irrelevant in the IPS space and don't really have a compelling UTM platform? They've got nothing to lose.
And Symantec gets access to a legitimate perimeter security platform. After killing their own platform a few months back, this is the other piece of the puzzle they couldn't answer back then. Clearly they couldn't abandon the market, but they also didn't want to continue investing in a non-competitive platform. This solves those problems IF (and that is a huge IF) they can execute, which certainly hasn't been Symantec's forte of late.
So I would be positive on this deal if it involved money changing hands. Or an asset transfer (like SYMC bought the Netscreen business). Or anything besides a press release in a purple suit. But it doesn't, so I'm negative and skeptical.
But clearly both Kriens and Thompson now can proudly display their ABC (anyone but Cisco) membership cards. That's what this is all about.
Comment Watch: The role of vulnerability research
For a change, the Matasano guys are adding value to the discussion. Thomas's comment:

The mistake you're making with the Symantec report is believing that the work was driven by top-down strategy inside the company. It isn't.

I've known Oliver Friedrichs, the manager of what SYMC calls "Advanced Threat Research", since 1995. I worked directly alongside him at Secure Networks, where he co-founded the industry's first professional vulnerability research lab, along with Tim Newsham, Dave Sacerdote, and Ivan Arce.

Oliver Friedrichs is not f***ing [MSR edit] around. SYMC has the resources and the talent to build a top-calibre security research team. If there's any top-down decision-making at SYMC, I'm sure it's simply to go do that. "Oliver, kick Cisco and ISS's ass and seize the mindshare around research that Symantec has ceded over the past 6 years."

Once you get to that point, the Vista study is pretty obvious. You've got access to some of the best vulnerability research talent in the industry. What are you going to aim it at? I don't think the board, John Thompson, or even Oliver's immediate manager had to be involved in the decision to spend some resources poking the Vista TCP/IP stack.

I don't mind the accusation that you're leveling at Symantec. They're in business to win and they're not all nice people. But I don't think you make yourself look more credible when you cast Oliver's group in this light; people who know vuln research will scratch their heads at your assertion.

Thanks for noticing us, though! =)

Here is my response:

Thomas,

I hear your point and that's more good perspective. But I also don't think that Oliver was out there humping his work in the press this week. That would be uncharacteristic given what I know about "most" vulnerability researchers. It's plausible that Oliver has free rein over what gets researched, but I highly doubt he has much to say about what Symantec's PR machine decides to push.

If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game. Maybe he knows this, maybe he doesn't. Since I don't know him I can't say. But when his group finds something of interest (like they did this week), the Big Yellow PR machine will try to bend it to their own devices.

I'm not doubting that the research was genuine. But I'm very comfortable in my assessment of what their PR aims were.

And this is where it gets interesting. Clearly there is something here and now we need to figure it out. Thomas weighs in a final time:

You say, "If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game". I say, THAT's the interesting discussion to have about this.

Write something explaining the point you're making; I want to hear more about it. What's the "high profile game" around vulnerability research?

Your point about PR vs. research calendar is well taken. I can split the difference. Oliver's group owns their calendar, bottom-up. SYMC PR is probably top-down.

So let's dig a bit deeper here. What is the value of vulnerability research? Clearly in the early stages it was mostly for PR purposes. Folks like RipTech (which was subsequently bought by Symantec) had reams of data and they did some interesting analysis on it. Their real innovation was packaging it up in a report and starting the media frenzy about the increasing vulnerability landscape. They got very broad media coverage for the report and it really put RipTech on the map.

But now it seems that every vendor has its own version of the report. Every big one anyway. ISS and VRSN have gotten their research groups a lot of ink driven by these quarterly reports. So it's not really differentiating anymore, is it?
At the same time, you see security vendors being attacked and vulnerabilities in their code being disclosed pretty regularly. Some patch things and forget to tell folks (ahem, McAfee) and it seems every month or so you hear about Symantec and Cisco patching things as well. So now the cottage industry seems to be finding the holes in other folks' stuff.
This is both a PR strategy - pioneered very effectively by eEye (3rd-party patching, anyone?) and new entrants like Mu Security that have boxes designed to find holes - as well as a competitive lever. Security is about credibility at the end of the day. If you have really smart guys that can find stuff broken in other people's software - then they must do a good job of protecting their own, no?
Well, not exactly. But close enough - especially to a customer that is looking at 3 products that are totally undifferentiated. I'm talking about pretty much every security market, by the way. Who do they pick? Maybe the one from the guys that seem the smartest. That's one plausible scenario anyway.
But, back to the topic. As Thomas speculates above, it's unlikely that anyone in Symantec specifically told their vulnerability research team to go find something broken in Vista. It could have happened, but I agree with Thomas - it's more likely bottom-up. But once they found that data, I believe the Big Yellow PR team smelled a big opportunity to poke Microsoft in the eye. And they took it. And many of us bit. At least I can say I questioned their motives, as opposed to questioning their findings. Again, kudos to Dave G for doing the derivative analysis.
So what? Basically, I figure we are going to see vulnerability researchers let loose on competitors' security software. The Symantec-Microsoft deal may have been bottom-up, but in a market this competitive, with folks looking for literally ANY advantage - it's just a matter of time before this becomes a big part of competitive analysis moving forward. And the PR teams will be orchestrating, on one hand working to seem on the up and up - just doing a service to the community - don't cha know. But on the other hand trying to stick it to the competition when they can. That's a high wire act for sure.
But it puts the researcher in the precarious position of trying to do the right thing, but more often than not becoming the finger poking some competitor. As I mentioned in my response, some will be cool with that and others...not so much. Interesting times to be a vulnerability researcher, that's for sure.