Can Infosec get ahead of the Blackhats?

It is described at times as an arms race. Information Security always seems to be behind the bad guys. Can this ever change?

We all know the routine by now. New exploit, new signatures, new patches, new updates, new exploits. Rinse, lather, and repeat. We hear of the next big thing to be adaptive. Heuristic scanning, signature scanning, IDS, IPS, all to mitigate the threats. We are always fighting the good fight from behind. Unfortunately, this will always be the case. Yes, we get faster, not as far behind, and better. Yes, we have people on our side actively looking for the latest exploits. It is a neck and neck race in this day and age, but the fact remains, the bad guys will always find something we haven’t. We do our best to mitigate. We know that people are the weakest link. We try to educate, but even the best education, following the best practices will not stop exploitable scenarios, be they human or code. Why? Because we are human and are flawed.

Now don’t think that I am all doom and gloom. We have made great strides forward, and will continue to do so. Truth be told though, their are only a few ways to even have a chance of truly stopping the situation, and they are either super extreme or extremely improbable.

First idea I have is to have, as was a tag line from the movie Sneakers, “No More Secrets.” If everyone from corporations, to governments were wide open about everything, then what is there left to steal? Just money which brings me to the second thought. Go back to the bartering system. This gets rid of the money issue, and actually makes sense. Trading goods and services for other goods and services. Now you don’t need credit cards, Money, bank accounts, etc… The other big one that gets brought up in my mind is of course getting rid of technology all together.

None of these ideas are practical of course, so we are back to the original thought here. Can we ever get ahead. More thank likely not, but we keep getting closer to being even. So keep training, keep educating others, and keep your wits about you. We are in for a bumpy ride.

Meanwhile, away from Las Vegas

Yep, Hacker or Security Summer Camp time is here. For those of us not out in Las Vegas at Blackhat, B-Sides, and Defcon, The world continues on. As it goes, the U.S. Army has a lot to learn about the world of hacking.

The Register put out a story on how the US Cyber Army got its rear whooped by reservists. This article should be scary, and for good reason. If the full time Cyber Army didn’t even know how they had been attacked, how do we expect them to defend our country, let alone attack aggressors? The simple answer is they won’t be able to, but why? Well it is actually a matter of a few things.

The military is a great institution. As such they have a great regiment, and are highly organized. Follow orders, follow procedures, be a good soldier. The higher up you are the more planning you are able to do, but still the open thinking is still limited unless under true fire. This goes against the idea of being a hacker, someone who can go out and keep directly up to date with the infosec world. the world of Zero Days, backdoors, malware and the like is ever evolving and at a breakneck pace. The amount of “Eureka” moments compared to normal military strategy “Eureka” moments is astronomical. Yes the ideas put for in The Art of War by Sun Tzu still apply but the pace of shifts, adjustments and new “weapons” one talks about is daily.

Now while both the full timer Cyber Army members and the reservists both might have an interest or passion for the world of hacking and security, the reservists have a huge advantage. According to the article a good majority of the work in the infosec field full time. Imagine how more up to date, be it from looking at darknet forums, to researching zero days, penetration testing all different sorts of systems, they are. Add on that they have gone through the training and regiment that the full time Army has. This is where the full time military failed. think about it, we all have heard of former hackers recruited by the government, and for good reason. It is straight out of Art of War, “Know thyself and know thy enemy and never in 1000 battles will you lose.” The full time Cyber Army needs that adaptation. they need to be more loose on regulations, need to be able to constantly think outside the box and be able to expand their skills and knowledge outside of a regimented system. Until that time, I hope those reservists are ready to defend the country cause the full timers are a liability.

.

Security – Open Source vs. Closed: It’s a matter of eyes

For years there has been the whole what is more secure, Open or Closed source? Microsoft has and still takes a beating over this. Truth, though, is a different thing.

We all have heard of Heartbleed by now. The 2 year old security gap in OpenSSL has been all over the news. During all of this, a hole in the much loved Chrome browser that will allow websites to turn on your microphone and record what you are saying was announced. Another bug that had been around for a while (August 2013). Meanwhile, the hated entity known as Microsoft has been pretty much unaffected by these issues. Maybe it is time to remove our preconceived and ancient thought over security in the Open vs. Closed Source world.

The argument has been, from what I have heard and can tell, that Open Source is more secure because you have more eyes looking at it. The code is open and out there so people can find the issues faster and with the collaborative nature of Open Source, will be patched faster. Truth of the matter, as has been shown over the past week, is that it is not the case, and security holes can get past this set of checks and balances just as they can in any Closed Source system. The surprising thing is how long it has taken to find Heartbleed. One would think, with all those eyes looking at the code, that it would have been found much sooner. Of course this has led to the theories of the bug being an NSA backdoor. True or not, the code was still out there for everyone to see.

Chrome is a slightly different issue. Here is a bug that was found over 6 months ago, that still hasn’t been patched. It was brought to Google’s attention and they sat on it. Could this be another NSA (or insert your favorite Government agency here) backdoor? A way to spy on you without warrants? We will never know for sure, but it does show one major hole. Our thinking of Open Source and security is not completely correct. It is not the be all end all.

What has been lost in this is that Microsoft, and its Closed Source implementations of SSL have been free and clear of the Heartbleed problem. Microsoft at one time was awful with security. In this day and age though, it has gotten a lot better. It is responsive to holes, and the amount of out-of-band patches and workarounds for Zero Days is quite speedy. In fact the biggest security holes in Microsoft systems, is usually Java and/or Flash. Flash is still Closed Source, but Java was at one point more open. Java also is embedded in the web very deep. Try using NoScript at it’s tightest levels and see how much of websites get blocked, and how many websites complain about Java not being turned on. Yet through all of this, Microsoft is the one that still takes the blame, especially in the public’s eye. That is because we, the ones in the know, have done little to reeducate the public, and ourselves.

Do not get me wrong. I have nothing but love for the Open Source community. Collaborative efforts are awesome, and the community puts out some fantastic software, and alternatives to Closed Source (and overpriced) programs. It just has to be realized that it is no more secure than Closed Source. In the end it is all about the eyes on the code and the people looking for the holes. Remember Security is a process, not a destination.