Tuesday, October 29, 2013

what would AV's complicity in government spying look like?

as you may well have heard, the EFF and a bunch of security experts have written an open letter to the AV industry asking about any possible involvement by them in the mass spying scandal that has been in the headlines for much of this year. at first i thought this was old news for AV, since the issue of government trojans has actually been around a lot longer than the current spying revelations. i thought these people had simply failed to do their homework but, as time passed, the wheels began to turn and i started thinking differently. now i think the question we should all be asking ourselves is, what would AV's complicity look like?

some background, first. the subject of government trojans have been around for over a decade. magic lantern, for example, dates back to 2001 (or at least public awareness of it does). so it should come as little surprise that the question of whether the AV industry looks the other way has come up before. in 2007 cnet ran a story where 13 different vendors were asked about this very thing. they all more or less denied being a party to such shenanigans, but i suggest you read the article and pay careful attention to the answers.

now earlier this year one of the first controversial spying revelations to come about was about a program called PRISM which a whole bunch of well known, big name internet companies (including google, microsoft, yahoo, facebook, etc) were apparently involved with. the companies all denied it of course, and it turns out they may be legally required to do so.

that adds an interesting wrinkle to the question now being put towards the AV industry; would they be allowed to admit to any complicity that might be going on? they say actions speek louder than words, so maybe we should look for something other than the carefully crafted assurances of multi-million dollar corporations. maybe what we should be looking for is the same thing that alerted us to the mass spying in the first place - a leak. maybe then we can get a glimpse of their actions.

back in early 2011 a rather spectacular breach occurred. security firm hbgary was breached by some members of anonymous, and one of the things that leaked out was the fact that hbgary wrote malware for the government. in fact, it doesn't take much imagination to suppose that this would be the very type of malware the EFF et al are concerned the AV industry may have been asked to ignore.

it's unknown whether any AV vendor actually did field such a request. i have my doubts since traditional commercial malware writers seem to be perfectly capable of creating undetected malware without making such requests. that being said, one fact that became rather suspicious in light of the revelations about hbgary was the fact that they were partners with mcafee, one of the biggest AV vendors around and certainly one of the best known names in AV. i wrote about this apparent ethical conflict back in february of 2011, and then again in march of 2011 to note the tremendous non-reaction from the industry. i even went so far as to create a blog specifically for keeping an eye on the industry (though as an outsider myself there was little i could do on my own).

the EFF and others want to know if the AV industry has been complicit in the government's spying. well, one AV vendor was notably evasive when asked by cnet in 2007 about their handling of governmental trojans/police spyware. that same AV vendor was and still is partnered with a company that wrote government malware (in all likelihood for very purpose in question).  furthermore, in the intervening years, nothing has come of it. no other vendor has said anything or done anything to call attention to or raise awareness of this partnership. even after the mass surveillance controversy started earlier this year, not a one bothered to raise the alarm and suggest that mcafee might at least in principle be compromised by that partnership, even though they certainly could have benefited from disrupting mcafee's market share. no one thought they could profit from it? no one thought it was their duty to warn people of a potential problem? to raise concerns that the protection mcafee's customers receive may suffer in some way because of their close ties with government malware writers? to give voice to the doubts this partnership creates even after publicly wringing their hands over how wrong what the government themselves were doing was?

AV vendors may or may not have been asked to turn a blind eye to government malware - we may never know, and it's impossible to prove a negative. but they've done a heck of a job turning a blind eye to the people who make government malware and to those in their own ranks who got in bed with government malware writers. i asked at the beginning what AV complicity would look like and i think when it comes to those whose job it is to raise an alarm, complicity would probably have to look like silence (and something about silence makes me sick).

(2013-10-29 13:21 - updated to change the open letter link to point to the blog post that includes the list of intended recipients as well as a link to the letter itself)

Wednesday, October 16, 2013

my experiences at #sectorca in 2013

well, another year, another sector conference. i almost got another of my colleagues at work to go too (an actual security operations sort of guy at that) but in the end it didn't happen. i'm going to have to see if there's anything more i can do to make it happen next year. in fact, i'm pretty sure some of the folks at work would have preferred if i hadn't gone either (just so much to do) but it was already paid for, so...

the first thing that struck me this year (aside from the great big gaping hole where the street around union station used to be) was that the staff at the metro toronto convention center could accurately guess where i was trying to go just by looking at me. i guess that must mean i look like i belong with the crowd of other sector attendees, even if i've never really felt like i do (what with not being an information security professional and all).

the second thing that stuck me was the badge redesign. more space was dedicated to the QR code than to the human readable name. almost as if my interactions with machines are more important than my interactions with people.

the first keynote of day one was "how the west was pwned" by g. mark hardy. i suppose it was a kind of cyberwar talk (that's certainly how it was introduced), but really focused more on economic/industrial espionage, theft of trade secrets and intellectual property and that sort of thing. there were some interesting bits of trivia, like china's cyber warrior contingent having a comparable number of people to the entire united states marine corps. also an interesting observation about the global form of government (that being the system that governs us on a global scope rather than simply within our own nations) being anarchy. i'd never thought of it that way before, but there really isn't anyone governing over how how nations interact with each other or how people interact with foreign nations.

the first normal talk of day one that i attended was a so-called APT building talk. specifically it was "exploiting the zero'th hour: developing your advanced persistent threat to pwn the network" given by solomon sonya and nick kulesza. i kinda knew going in that this wasn't going to be the best quality APT talk just by the title. they clearly believe APT is simply a kind of advanced malware rather than realizing that APT is people. i can't say references to "the internet cloud" improved my opinion any. add to that the fact that anyone who took an undergrad systems programming course would have recognized most of the concepts they were talking about and i was pretty "meh" about the talk. the rest of the audience, however, was clearly very impressed based on the applause. all but one, that is. he called them out on their amateurish malware (about the only part of the APT acronym they got right was persistent, and even that is debatable). he also called them out on their releasing of malware (i swear he wasn't me, even though it probably seems like something i would do) that really wouldn't help anyone defend but certainly would help arm the shallower end of the attacker gene pool. i quite agreed with his opposition, but the applause again from the rest of the audience when one of the speakers said he could sleep quite well at night made it clear who the community was siding with here.

that all left a bad taste in my mouth so i decided to skip the next round of talks. that wasn't a difficult decision to make since the entire time-slot was filled with sponsored talks which i've long found to be a disappointment. so instead i took the time to look around and see what and who i could see.

i happened to luck out and stumble across chris hoff. i'm not entirely sure he remembered/recognized me but that doesn't come as a huge surprise since i'm not the most memorable person in the world and my appearance has changed significantly since the days when he did remember/recognize me. also, and perhaps more to the point, someone like chris has got to get approached by so many people that there'd be no way he could remember them all. that's part of being a "security rock star". anyway, we chatted briefly and he asked me if i was a speaker or listener. i'm definitely not a speaker and i told him i've sorta been down the speaking path before and it didn't work out so well (part of being on a panel involves speaking, right?). he shared an anecdote of his own which frankly put my bad experience to shame. still, if i went to the effort to develop that skill, what would i do a talk about? "everything you know about anti-virus is wrong"? i expect that would go over about as well as a lead balloon. my specialty is in something that has little or no respect in the information security community, so even if i did by some miracle make it past the CFP stage, i can't imagine there'd be much of a turn-out.

after that i saw a familiar face i never would have expected. an old colleague from work, joel campbell, who i gather now works at trustwave and was manning their booth on the expo floor. we chatted a bit about work of course, but also about security conferences like sector and how they compare with some of the ones in the states. sector is apparently small, which rationally i knew since i did once attend RSA, but i guess with little else to compare it to in more recent times, sector seems big to me.

the lunch keynote given by gene kim about DevOps interested me in a "i know someone who'd probably be interested in this" sort of way. i can't wait for the video to become available so i can share it with some of my higher-ups in the dev department at work (we do have an ops guy sort of embedded with us devs, i wonder what DevOps would say about that). there was also a very interesting observation about human nature; apparently when we break promises we compensate by making more promises that are even bolder and less likely to be kept. i think i've seen that play out on more than one occasion.

after lunch i attended kelly lum's talk ".net reversing: the framework, the myth, the legend", which was pretty good despite the original recipe bugs that kept her distracted at the beginning. i actually saw a .net hacking talk last year as well (i'm a .net developer, it stands to reason i'd be interested in knowing how people can attack my work) but this one spent less time talking about all the various gadgets you could use to attack .net programs and more time talking about the format such that one could possible use it as a starting point for creating one's own .net reverse engineering tools. that'll certainly be filed away for future reference.

following that i attended leigh honeywell's talk "threat modeling 101", only it wasn't really a talk. this was one of the more inventive uses of the time-slots speakers are given, as she actually had us break up into groups to play a card game called elevation of privilege. it's quite an interesting approach to teaching people to think about various types of attacks and i've already talked about the game at work and shared some links. hopefully i can get some of my coworkers to play.

for the last talk of day 1 i attended "return of the half schwartz fail panel" with james arlen, mike rothman, dave lewis, and ben shapiro. this was apparently a follow-up of a previous fail panel that i never saw but that didn't seem to matter because it didn't seem to reference it at all. i didn't find it particularly cohesive, i guess because the only common theme it was designed to have running throughout was failure, but one interesting thing i took away was the notion of venture altruism. it's a different way of looking at things than i'm used to as i tend to frame things more as 'noblese oblige', but it certainly appears as though quite a few people really do have their hearts in the right place in that they're trying to make the world a better place in their own particular, security-centric way.

i decided to opt out of the reception afterwards. i felt guilty about it because i know i really ought to have gone but the truth is that in all the times i've gone before i've never really felt comfortable among all those strangers in a purely social environment. plus there was last year's (and possibly other years as well, but definitely last year) shenanigans where your badge would get scanned in order for you to get drink tickets, and then the company doing the scanning would send you email as though you had actually shown interest in them and visited their booth. i know the conference is an important tool for generating leads for sales, but over drink tickets? really? i suppose if they're paying for the drinks then it's hard to argue against them getting your contact info in return, but at least when facebook asks you to trade your privacy for some reward you have some kind of idea that that's what's going on. it made participating in the reception feel like bad OpSec; and you know, if you add enough disincentives together you're eventually going to inhibit behaviour.

the day 2 morning keynote was another panel, and if i'd gotten the impression from the fail panel that panels lacked cohesion, this one dispelled it. "crossing the line; career building in the IT security industry" with brian bourne, leigh honeywell, gord taylor, james arlen, and bruce cowper as moderator focused very strongly on the issue of crossing legal, ethical, and moral lines and whether that was necessary to get ahead and be taken seriously in security. i came into the keynote thinking it would be more about career building (which hasn't been that interesting to me in the past since i'm perfectly happy not being in InfoSec) but the focus on the law, ethics, and morals is much more interesting to me as the frequent mentions of ethics on this blog could probably attest to. i was pleased to see both leigh and gord take the position that crossing those lines is not necessary and holding themselves up as examples. james was careful to point out that those lines are not set in stone (they're "rubber" as he put it, though he also made a point that that doesn't mean they aren't well defined), and certainly theres a point there at least with the relevancy of the law as there are some really poorly written laws as well as some badly abused laws (as the prosecution of aaron schwartz certainly highlights). of course as the amateurish malware distributors from day 1 demonstrated, crossing ethical and moral lines is still widely accepted and embraced in the information security community. one might want to draw a comparison between that and lock pick village which teaches people how to breach physical security, but the lock picking at least has a dual use (beyond simple education) in that it allows you to regain access to things that you have a legal right to but would otherwise be unable to access because you lost a key, for example. the AV community was historically much more stringent about not crossing those lines, and much closer to having (or at least implicitly obeying) a kind of hippocratic oath; and having literally grown up with that influence i'm certainly in favour of it, though when leigh mentioned the hippocratic oath it did not seem that well received. james pointed out that ISC^2 has a rule against consorting with hackers and yet gives credits for attending hacker conferences - which to me just makes them seem like they're either hypocrites or toothless. i could probably write an entire post about this topic alone, or rather another entire post about this topic since i already did once years ago that's kind of begging for a follow-up.

the first regular talk i attended the second day was schuyler towne's "how they get in and how they get caught", which turned out to be a lock picking forensics talk (in the security fundamentals track, no less). after having seen a number of talks about lock picking over the years, seeing one on detecting that lock picking has occurred rounded things out really nicely. the information density for the talk was high, there was even a guy in front of my taking picture after picture of the diagrams being shown on the screen, but schuyler is really passionate about the subject matter and did a good job of keeping the audience's interest in spite of all the details and photos of lock parts under high magnification.

after that talk i finally relented and attended one of the sponsored talks, specifically "the threat landscape" by ross barrett and ryan poppa of rapid7. i suppose it's only fitting that a vendor would hand out buzzword bingo sheets. certainly it's good that they acknowledge that as vendors they're expected to throw out a lot of buzzwords. but i think it kind of backfired for the talk because rather than paying attention to what they were saying i found myself paying attention to what buzzwords i could cross off my sheet. buzzword bingo is a funny joke, but if you make it real i think you wind up sabotaging your talk. on the other hand, perhaps that acts as a proxy for actual engagement of the audience, so that people will come away feeling better about the talk than they otherwise might have.

the lunch keynote by marc saltzman was really more entertainment than information. flying cars? robots? virtual reality? ok. lunch was good, though.

after lunch i attended an application security talk given by gillis jones. this one wasn't in the schedule so i can't look up the actual name of the talk. it replaced james arlen's "the message and the messenger" which i've already seen on youtube. i guess whenever they say app sec they must be talking about web application security, because i can't say i've seen much in the way of winform application security talks (unless .net reversing counts). i'm not a web guy, i don't do web application development (yet) so i sometimes find myself out of my depth, but (perhaps because it was in the security fundamentals track) gillis approached the topic in a way that would help beginners understand, and i certainly feel like i have a better handle on some of the topics he covered. in fact, i started trying to find XSS vulnerabilities at work the very next day.

for the final talk of the conference i attended todd dow's "cryptogeddon" which was a walk-through of a cyber wargame exercise. it had a very class-room like approach to working through a set of clues in order to gain access to an enemy's resources. that format works well, i think, and i can see why educators would want to use todd's materials for their classes.

and that was pretty much my experience of sector 2013. it's taken me several days to write this up - certainly enough time for me to come down with the infamous "con-flu", but i never do. i'm not certain, but i have a feeling that my less social nature makes me less likely to contract it somehow. i don't shake as many hands, or collect as many cards, or stand face to coughing/sniffling/sneezing face with as many people as some of the more gregarious attendees do.