Category Archives: Rants

Infosec apostasy

I’ve been mulling this one over for a while. And honestly, after a post to an internal global mail list at work putting forward my ideas, I’ve come to realise there are at least two camps in information security:

  • Those who aim via various usual suspects to protect things
  • Those who aim via various often controversial and novel means to protect people 

Think about this for one second. If your compliance program is entirely around protecting critical data assets, you’re protecting things. If your infosec program is about reducing fraud, building resilience, or reducing harmful events, you’re protecting people, often from themselves.

I didn’t think my rather longish post, which brought together the ideas of the information swarm (it’s there, deal with it), information security asymmetry and pets/cattle (I rather like this one), would land with the heavy thud akin to 95 bullet points nailed to the church door.

So I started thinking – why do people still promulgate stupid policies that have no bearing on evidence? Why do people still believe in policies, standards, and spending squillions on edge and end point protection when it is trivial to break it?

Faith.

Faith in our dads and grand dads that their received wisdom is appropriate for today’s conditions.

“Si Dieu n’existait pas, il faudrait l’inventer” (If God did not exist, it would be necessary to invent him) – Voltaire

(Often mis-translated as “if religion did not exist, it would be necessary to create it”, but close enough for my purposes)

I think we’re seeing the beginning of infosec religion, where it is not acceptable to speak up against unthinking enforcement of hand-me-down policies like 30 day password resets or absurd password complexity, and where it is impossible to ask for reasonable alternatives when you attempt to rule out the imbecilic alternatives like basic authentication headers.

We cannot expect everyone using IT to do it right, or to have high levels of operational security. Folks often have a quizzical laugh at my rather large random password collection and use of virtual machines to isolate Java and an icky SOE. But you know what? When LinkedIn got pwned, I had zero fears that my use of LinkedIn would compromise anything else. I had used a longish random password unique to LinkedIn. So I could take my time to reset that password, safe in the knowledge that even with the best GPU crackers in existence, the heat death of the universe would come before my password hash was cracked. Plenty of time. Fantastic … for me, and I finally get a payoff for being so paranoid.

But… I don’t check my main OS every day for malware I didn’t create. I don’t check the insides of my various devices for evil maid MITM or keyloggers. Let’s be honest – no one but the ultra paranoid do this, and they don’t get anything done. But infosec purists expect everyone to have a bleached white pristine machine to do things – or else the user is at fault for not maintaining their systems.

We have to stop protecting things and start protecting humans, by creating human friendly, resilient processes with appropriate checks and balances that do not break as soon as a key logger or network sniffer or more to the point, some skill is brought to bear. Security must be agreeable to humans, transparent (as in plain sight as well as easy to follow), equitable, and the user has to be in charge of their identity and linked personas, and ultimately their preferred level of privacy.

I am nailing my colors to the mast – we need to make information technology work for humans. It is our creature, to do with as we want. This human says “no

Marketing – first against the wall when the revolution comes

A colleague of mine just received one of those awful marketing calls where the vendor rings *you* and demands your personal information “for privacy reasons” before continuing with the phone call.

*Click*

As a consumer, you must hang up to avoid being scammed. End of story. No exceptions.

Even if the business has a relationship with the consumer, asking them to prove who they are is wildly inappropriate. Under no circumstances should a customer be required to provide personal information to an unknown caller. It must be the other way around – the firm must provide positive proof of who they are! And by calling the client, the firm already knows who the client is, so there’s no reason for the client to prove who they are.

As a business, you are directly hurting your bottom line and snatching defeat from the jaws of victory by asking your customers to prove their identity to you.

This is about the dumbest marketing mistake ever – many customers will automatically assume (correctly in my view) that the campaign is a scam, and repeatedly hang up, thus lowering goal completion rates and driving up the cost of sales. Thus this dumb move can cost a company millions in opportunity costs in the form of:

  • wasted marketing (hundreds of dropped customer contacts for every “successful” completed sale),
  • increased fraud against the consumer, and ultimately against the business when customers reject fraudulent transactions,
  • the loss of thousands if not hundreds of thousands of customers, and their ongoing and future revenue, when they lose trust in the firm, or when the firm’s lack of fraud prevention causes them to suffer fraud by letting scammers easily harvest PII from the customer base and misuse it.

Customers hate moving businesses once they have settled on a supplier of choice, but if you keep on hassling them the wrong way, they do up and leave.

So if any of you are in marketing or are facing pressure from the business to start your call script by asking for personally identifying information from your customers, you are training your customers to become victims of phishing attacks, which will cost you millions of dollars and many more lost customers than you’ll ever gain from doing the right thing.

It’s more than just time to change this very, very, very bad habit.

Responsible disclosure failed – Apple ID password reset flaw

Responsible disclosure is a double edged sword. The Faustian bargain is that I keep my mouth shut to give you time to fix the flaws, not that you ignore me. I would humbly suggest that it is very relevant to your interests when a top security researcher submits a business logic flaw to you that is trivially exploitable with just iTunes or a browser, requiring no actual hacking skills.

If anyone knows anyone at Apple, please re-share or forward this post, and ask them to review my rather detailed description of my rather simple method of exploiting the Apple ID password reset system I submitted over six months ago with so far zero response beyond an automated reply. The report tracking number is #221529179 submitted August 12, 2012.

My issue should be fixed along with the other issues before they let password reset back online with my flaw intact.

PTV iPhone app – worst public transport app ever, or just pure evil?

I take the train between Marshall and Southern Cross Station, a terminus station with 14 or 15 platforms and hundreds of V/Line country, suburban and bus services daily. I had an app that worked (the old MetLink app). That wasn’t stellar, but it worked well enough that I didn’t need to get a paper timetable.

So imagine my continuing frustration that the most basic of use cases just doesn’t work in the complete re-write of the new app:

I cannot find my station when standing on the station platform (!) using location search or by searching for the station in the default “Trains” mode the app comes in from the AppStore.

It cannot find the terminus of all V/Line services – Southern Cross Station. I’m serious. In “Train” mode, you cannot search for V/Line services or stations. In “V/Line” mode, Southern Cross is not even a station (!!). You cannot find it by clicking on “Find my location” icon whilst in the station (!), and you cannot choose it from the map, and you cannot search for it. Epic fail of all epic fails. It’s like the PTV app designers chose not to walk the 40 m from their office block to the biggest and busiest station in all of Victoria and test it out.

Modality. It’s nearly impossible to work out that you can change the mode of transport you’re looking up by clicking the word “Trains” at the bottom of the screen. I am catching a “train”, but not the default type of “train”. Who knew? The thought that there are multiple types of trains obviously never entered the minds of PTV’s UX designers. There’s no button shape or indicator; it’s just in a button bar by itself, which usually means that there are no other choices.

Honestly, PTV need to test their apps:

  • You should be able to find all the services within 500 m of where you are standing. Just list them all and let the filter function narrow things down in one or two keytaps.
  • You should be able to find ANY station or service or transport mode via text search. It’s just not that hard. There should be no difference between a regional bus, a metropolitan tram, an intercity V/Line service, or a station or bus stop. List ‘em all, and let the filter work its magic in a few keystrokes.
  • Get rid of modes. I don’t think of modes and I use at least two every day. Free up that wasted screen real estate and replace it with a search function that works across all modes, and services.
  • You should be able to view a line’s entire timetable with no more than two or three clicks. Timetables -> scroll to the timetable or tap in enough to narrow things down -> voila. It’s not rocket science. Allow it to be a favorite.
  • Planning a multi-mode trip is not rocket science. This is just not possible with the current PTV app.
  • The old app had notifications for the services / lines you were interested in. Please bring it back. This feature may actually be in the PTV app – I simply don’t know because I have not been able to find my station or the station at which I get off.

This app is terrible. It must be withdrawn.

Shame, Slashdot, Shame – misogyny and moderation

Our industry suffers from a lack of women – women in senior positions are very rare, women who do what I do I can count on my hands without resorting to binary, and there are so few women coming out of Uni comp sci, developers and engineering courses that I can use and craft into my replacements.

IT needs women, and lots more of them, not only for the perspective they can bring to the table, but simply in the terrible truth that young women deciding on future careers at high school don’t see any future for themselves in our great industry, or any of the Science, Technology, Engineering or Medical research (STEM) subjects as a valid career choice.

There is so much to do to rectify this situation, not least picking the low-hanging fruit, such as eliminating booth babes. I’ve heard lots of excuses, like:

  • “It’s a legal job, I don’t see the problem” (this one makes the least amount of sense)
  • “Everyone does it” (no, they most certainly don’t)

So when /. posts a story on what booth babes really think of us leering at them, you know it’s going to be a stinky disgusting mess, but you have to try to convert the heathens in any case.

I’ve been a Slashdot irregular for years. In 1999, the /. “community” said some disgusting things about Richard Stevens, the author of some of the (still) best Unix and TCP/IP books. I stopped going there every day after that shameful episode. I’ve not posted there since 2010, but I have /. in my RSS feed.

I have removed that feed today and I will be deleting my account shortly.

Why?

Many of you know my very low opinion of IT vendors who use booth babes at trade shows.

Update: I found this comment to a similar post last year just a few minutes ago:

Thanks for making the main point clear, I want to chime in here as a woman and someone who has represented my company from very early on at trade shows (and does to this day). In the telecom industry in particular these booth babes run rampant; they literally provide you with a form when you register to exhibit asking if you want to hire models.

At one event a couple years ago, a guy came over to talk with our CTO (a guy) and I and said point blank to me, “do you have an ownership stake in the company? if not, at least you’ve got one foot in the door to marry this guy?” Never mind that I’m wearing my wedding ring! All I could do was paint a “go F&%$ yourself” smile on my face and wait for him to leave. The things I would have liked to say, but it just wasn’t worth it in that context.

The problem is, most people don’t walk up to me expecting me to know about APIs, building applications, solving problems specific to their industry or use case, how supply chain works, or anything else important to their business. This is perpetuated by booth babes. How do I know? If I dress in a frumpy or slightly less feminine style, instead of my normal stylish heels and a skirt suit, I get a different reaction. If I wear skinny jeans and flats and a tshirt or hoodie, look my age (early 20s) and have a self-effacing air, they think “oh she’s a nerdy girl” and then they ask the real questions. PUH-LEASE.

If you are a vendor, I have a very strict, and very long standing rule – if you use booth babes, I either don’t recommend you to my clients, or I actively campaign against you, and I will never, ever buy from you again. Such vendors have lost more than $1m in recommendations from me alone in the last 10 years, and I doubt I am alone in my opinion of such appalling, women hating sales tactics.

So fast forward to today. I logged in after a few days to see if my romantic idealization of early Slashdot met up with even 1999 Slashdot low life scum. I was saddened and disappointed. I lost my decade long “excellent” karma rating to peer moderation, and it’s no surprise the peers at Slashdot hate women.

One of my posts had to get more than seven negative flamebait downward moderation clicks to get the score it finally received.

So let’s look at the quality gem of a reply that gets +5 moderation (errors in copy and paste I will leave to the troll, can’t even do that right):

“ook at my low user ID, I’ve been here for longer than some of you have been alive.”

No one cares. I’m probably the same age as you but I don’t go around pointing it out as if it somehow adds extra weight to the argument.

“I am literally white hot angry with whomever did it b”

You’ll get over it.

“f you have a daughter, I expect you’ll want her to be a geekgrrl. If you want that outcome, you will join me in boycotting booth babes.”

Actually if I had a daughter I’d let her do whatever she wanted. Unfortunately you obviously don’t realise it but you’re just another one of those self righteous prudish males who seem to think that women should only do the jobs YOU approve of. Newsflash pal – it’s the WOMEN who get to decide whether to do it, not people like you.

I suspect in another century you’d be at the pulpit foaming at the mouth and damning any woman who dared go out with an unmarried man or wear a short skirt or speak before a man gave her permission.

You know what – Fuck you and your kind.

From viol8, a 40-something troll programmer who lives and works somewhere in Europe (if he can be trusted to thump things into the post box), who comes across as an arrogant Australian or English expat. I can’t be arsed working out who he is any longer – he’s exactly like any number of the worthless women hating smegheads that infest Slashdot.

It’s time to put /. out of its misery and terminal decline. It has been an irrelevant community for years, and now the cesspool is dead to me.

ajv (4061, ex-member /. 1997-2012)

Update: RSS feed – deleted. Twitter – unfollowed. Can I find how to delete my /. account, no I can’t. Help appreciated in the box below.

Political expediency

Last week, Julia Gillard listened to Clubs Australia and the few voters out at Rooty Hill RSL rather than do the right thing and fix problem gambling. In her announcement, she used the code word “gaming”, which is industry speak that doesn’t like to be called “gambling”. By using this special phrase, it’s obvious that for-profit gambling is more important to her than the lives of problem gamblers and society’s fabric, particularly those who are close to problem gamblers.

The problem isn’t the little flutters that most of us have from time to time, it’s the problem gamblers who form much of the industry’s profits. The for-profit firms have shown no mercy in their campaign to get rid of gambling reform. They succeeded.

The problem is the ALP now sways in the wind to the tune of vested interests rather than the public good. Whitlam didn’t give up on creating Medicare just because the AMA was against it. Hawke and Keating didn’t give up on monetary reform, such as floating the dollar or removing trade barriers that have made us far richer, just because the unions were against it.

The ALP will be in the wilderness for a very long time after the next election. They can’t rule by themselves for many years because they have given up on traditional ALP values, and abandoned and cast off a good percentage of their party support base to the Greens.

If the ALP wants to govern again, it needs to get some vision aligned with its core values, and do it. Kicking refugees, dropping gambling reform, and working against gay marriage are none of these things. Once Craig Thompson has gone (and although I reckon he will hang on until convicted, he surely will be forced to go), the ALP will feel the full wrath of its core voters.

I hate being proven right – mass pwnage

Seriously. When will people (even security pros) ever learn? This is the IRC log between a few security pros who are involved in w00w00.org and BlackOps.org, from an insanely long tour de force brag post that seemingly showed up folks from the big guns like Google, through security ISVs such as Core Security, through several security pros that I truly admire. I am not perfect, and honestly, I feel for these folks as it could happen to me, but weak passwords? OMG! Passwords seem to have cost one of them a great deal of money and time, irreversible data loss and now involve law enforcement (update – see comments, this log is from the 1990s; I’m so duh that I missed that bit, but it still proves my point that passwords have sucked for a long time):

  [14:41] <@rkl> shit.
  [14:41] <@rkl> whoever broke into blackops.org
  [14:41] <@rkl> when we caught them
  [14:41] <@rkl> they began rm filesystems
  [14:41] <@rkl> and removed my only copy of some photos i had of me and my
          fiance'
  [14:42] <@rkl> that i had up there for like 2 days while i reinstalled my OS
  [14:42] <@rkl> she's going to be sad about that
  [14:44] <@nobody> ur shitting me
  [14:44] <@nobody> who broke in?
  [14:44] <@rkl> we know.
  [14:44] <@rkl> luckily they were incompetent
  [14:44] <@rkl> however
  [14:44] <@nobody> bunch of savages in this town
  [14:44] <@rkl> because they tried to use blackops as a platform to launch
          attacks against a few corporations
  [14:44] <@rkl> now the FBI is involved
  [14:45] <@nobody> wonderful
  [14:45] <@rkl> me and murray couldnt' give a rat's ass
  [14:45] <@rkl> we back up blackops 1 time a month
  [14:45] <@rkl> to cd, now dvd
  [14:45] <@rkl> they got in through a weak user passwd
  [14:45] <@rkl> cause there were near 100 users
  [14:45] <@rkl> just normal users, so they didn't practice good security with their passwds
  [14:45] <@nobody> typical
  [14:46] <@rkl> we've had to turn over everything to the FBI
  [14:46] <@nobody> a system is only as secure as its users

In my previous post, my first item stated unequivocally that passwords are crap and first against the wall when the revolution comes. That revolution starts today.

Everyone’s New Year resolution has to be to change their crappy password (or in the rare case, passwords) for their computer to a passphrase (20 characters or more), install a password manager, and change all those crappy passwords into long (20 characters or more) random passwords for every single service. If your service doesn’t let you use passwords longer than 20 characters, STOP USING IT. There’s something very dumb, wrong and insecure with that service.

I do not have a single password that is the same for any service on the Internet. Changing a password to me is extremely simple because I DO NOT CARE about any of them. I do not type them, I do not remember them. They are all at least 20 characters long, and occasionally way more if I care about the system in question.

Additionally, I have no truthful answers for the weak Q&A security backdoor on any system I use. What is your first pet’s name? Just try to crack fazEha*u@eJAM#!#6DafRatrAm6Q before the universe ends. P.S. I generated that one just for this blog entry. Don’t waste your time trying it out anywhere.

Passwords are insecure, always have been, always will be, and that goes double for the horrifically insecure Q&A backdoor that many sites, who should (and most likely do) know better, insist upon. Passwords are unsuitable even for this blog. Folks who say passwords are free or worse – “the norm” – are idiots and should be ignored whilst the rest of us get on with getting rid of them as Priority #1.
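To put numbers on the claims above (a unique 20+ character random password outlives the universe against a GPU cracker; abc123 does not), here is an added Python example. It is not code from the post or from the author’s own tooling. The guess rate of 1e11 guesses per second against a fast unsalted hash, the 80-bit entropy floor and the tiny common-password deny-list are all assumptions made for the illustration; the entropy figure is an upper bound that only holds for machine-generated passwords, which is exactly why the post wants a password manager rather than human-chosen passwords.

```python
import math
import secrets
import string

# Constructed, illustrative deny-list (the trends post names abc123); a real
# deployment would check against a large corpus of breached passwords.
COMMON_PASSWORDS = {"abc123", "password", "123456", "qwerty", "letmein", "iloveyou"}

# Assumed attacker capability for the estimate: 1e11 guesses per second against
# a fast unsalted hash on a GPU rig. This figure is an assumption, not from the post.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10  # rough figure, used only as a yardstick

MIN_LENGTH = 20        # the post's recommendation: 20 characters or more
MIN_ENTROPY_BITS = 80  # assumed floor, so that 20 digits alone (66 bits) is not enough


def charset_size(password: str) -> int:
    """Size of the smallest mix of standard character classes covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming each character was drawn uniformly.

    Realistic for machine-generated passwords; human-chosen ones are far weaker
    than this number suggests, which is why the deny-list check exists as well.
    """
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every password in the same character space at `rate`."""
    return 2 ** entropy_bits(password) / rate / SECONDS_PER_YEAR


def evaluate(password: str) -> dict:
    """Apply the post's rules: not a known-bad password, long, and high entropy."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if entropy_bits(password) < MIN_ENTROPY_BITS:
        reasons.append(f"fewer than {MIN_ENTROPY_BITS} bits of entropy")
    return {
        "accepted": not reasons,
        "reasons": reasons,
        "entropy_bits": round(entropy_bits(password), 1),
        "outlives_universe": years_to_exhaust(password) > AGE_OF_UNIVERSE_YEARS,
    }


def generate_password(length: int = MIN_LENGTH) -> str:
    """What a password manager does: uniformly random characters from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # abc123 falls in well under a second; the post's 28-character sample and a
    # freshly generated 20-character password both exhaust the heat death budget.
    for pw in ("abc123", "fazEha*u@eJAM#!#6DafRatrAm6Q", generate_password()):
        print(pw, evaluate(pw))
```

Running it shows abc123 at about 31 bits (exhausted in a fraction of a second at the assumed rate) against roughly 183 bits for the post’s sample password, whose search space takes on the order of 10^36 years at the same rate. The deny-list matters because the entropy bound is blind to predictability: a 20-character dictionary phrase scores well on this measure while being trivially guessable.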

CALL TO ACTION!

If you are responsible for passwords on your site or service, the very first thing you must do when you get back to work is to call an urgent meeting with all stakeholders. The very first agenda item must be “We’re getting rid of passwords as of right now. How do we do that?” Don’t stop until you succeed. Your users will love you.

If you are a victim of passwords, you should ask “Why are we still using passwords? When will you get rid of them?”

Just Do it. Do It Now. I’m deadly serious.

Security trends for 2012

  1. Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned.
  2. Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned.
  3. Folks will continue to use apps as administrator or god like privileges. They will then be surprised when they’re completely pwned.
  4. Folks will continue to click shit. They will then be surprised when they’re completely pwned.
  5. van der Stock’s immutable law of gullibility: Folks will continue to be sucked in by incredibly basic scams. They will then be surprised when they’re completely pwned.
  6. Folks, despite extensive and continuous evidence to the contrary for over 25 years, will continue to be sucked in by grandiose vendor claims (“buy X now, and you’ll be protected from X…”) in the unfounded belief that technological solutions can fix people problems. They will then be surprised when they’re completely pwned.
  7. Folks will continue to allow mobile and web apps to transmit their sensitive crap without any form of transport layer encryption. They will then be surprised when they’re completely pwned.
  8. Folks will turn on a firewall and think they’re safe. They will then be surprised when they’re completely pwned. It’s not 1995 any more. Never was.
  9. Folks will continue to run old crap, or allow old crap to connect to them. They will then be surprised when they’re completely pwned.
  10. Folks will continue to think that they will be safe if they just virtualize or cloud enable their crappy apps. They will then be surprised when they’re completely pwned.

If we can’t learn from our most basic of basic mistakes, 2012 will be exactly like 1989 – 2011. And that’s sad.

Because I hate solution free hand waving posts like the above, here are some basic solutions:

  • Adopt strong authentication TODAY – passwords have NEVER been appropriate.
  • Patch your crap.
  • Implement low privilege users and service accounts.
  • Don’t click shit.
  • Learn about basic phishing and scams.
  • Fire folks who post on Twitter or Facebook all day. You know who they are.
  • Don’t buy any product marked “Protects against APT”. If you do, fire yourself as you’re an idiot.
  • Only use products that use SSL. If you don’t know, assume it doesn’t and find something that does.
  • Evaluate your security needs with 2012 in mind – firewalls alone are a few sheep short of a full paddock.
  • Upgrade to the latest OS and apps. Not only will your users love you, it’ll be harder to attack you.
  • Protect data assets no matter where they are. The plumbing is unimportant.

Resurrecting the wife’s laptop – Asus hates you and you and you

At Christmas last year, I bought a new laptop for the wife, an Asus K52DR with 4 GB of RAM and 500 GB hard drive. I quote from then:

[...Asus should...] supply a real copy of Windows 7 installation media, so you can clean install the OS easily instead of wasting hours and hours and hours getting rid of the circusware. Asking folks to sit there for 2.5 hours to create 45 cents worth of DVDs is morally repugnant and evil.

Although I stand behind every word I said above, I’m begrudgingly glad I spent the extra 2.5 hours creating those DVDs as I’m restoring her computer to factory default after she killed the previous HD by cooking it in the bedding. Obviously, not Asus’ fault, but what happens after replacing the HD is most certainly Asus’ fault. This Asus will be our last PC – my life is just too precious to donate to absurd and evil corporate practices.

When I bought the Asus, it took me about three days to get the PC to a default-ish Windows installation, Office 2010, and iTunes with just enough drivers to run “advanced” technical devices like the display or the wireless network. Don’t get me started on the number of reboots or gigabytes of patches required. Copying Tanya’s data, migrating her PST and recovering her calendar was simple by comparison.

I am dreading wasting yet another two to most likely three days of my personal life YET AGAIN to weed out all the circusware from the factory default build. Asus must start providing a fast circusware free method of complete restoration like Apple do. The time I’m going to spend over the next few nights, and probably the next weekend, is like a working week away from my family. Completely unacceptable.

I tried restoring the repair partition I dd’d off, but due to the new 750 GB drive having different sized clusters and alignment than the old 500 GB drive, I struggled to create a bootable recovery partition without spending yet more time than it would take to restore using the DVDs. So I’m using the restore DVDs.

I still don’t have a Time Machine work-a-like that can back up Tanya’s data. This is a serious issue as hers is the most likely computer to die. [...]

And die it did. I tried Windows 7 Backup for months on and off after buying a new 2TB external HD, but as per usual for a Microsoft product, it doesn’t actually work. So, too late, I found Rebit, which is just like Time Machine … but expensive. I’ll be trying that after restoring Tanya’s data. Luckily, I was able to get most if not all of her data off under Linux, all the while the HD was making very high pitched death screams. It’s dead now – all the spare sectors have been used up and the computer wedges hard if you try to do anything with it in read / write mode.

My newish MacBook Air 11.6″ is significantly faster and cheaper than this Asus, and more so every time I have to fix it up. Once I had recovered Tanya’s data to my 2TB dumping ground on my Mac, she was up and running with one of our AppleTV’s in about two minutes.

Tanya’s next computer will be a Mac when this one dies. I will not tolerate the loss of any more of my life to Asus’ insistence on circusware in the default build, and cheaping out by not providing real installation media, or Microsoft’s insistence on a recovery CD and crappy end user experience.

I stand by my recommendation:

Score so far: 2/5. Do not recommend. PCs are only cheaper if your time is worthless. I just don’t get it.

I’m going to reduce the rating to 1/5, and the 1 is only due to the surprisingly resilient Seagate 500 GB drive that survived just long enough to get nearly all of Tanya’s data off it.

On APT

Recently, RSA was attacked by adversaries who targeted their two factor authentication fobs.

These devices have known MITM issues, but folks still used them because there was so little information out there to say that a better choice is required. RSA liked it that way.

RSA chose not to discuss the details of the attack, using the old furphy that disclosure will damage their customers (reality: it would damage RSA’s brand). RSA’s silence allowed

Advanced

Persistent

Threats

to execute the boldest cryptographic information warfare attack since Enigma.

RSA’s (IMHO) cowardly silence has actually damaged their customers in highly spectacular fashion. RSA told us nothing, so we couldn’t ask our clients to change vendors in a staged way, or to disable access, or put in other controls. We could guess, but business decisions are not made that way.

Now the brand damage to RSA will truly begin. This is the end of the simple RSA fob. Even if a better algorithm or fob is used, RSA are toast as no one will trust them any more, particularly in the sort of organizations that buy fobs by the pallet.

APT boosters have said vociferously – “see, it was APT!”. Yep, I agree. It’s one of the few times that truly worthy attacks are out in the open enough for us to get a small glimpse into what’s really going on.

Unfortunately, due to widespread abuse of the term, APT is the laughing stock of the information security world. The folks who routinely use it with knowledge can’t discuss why APT is any different to the other threats out there today. Everyone else has no clue.

I’ve seen CSOs give up, thinking that since these attackers are so advanced, surely we can’t protect against them, or they buy stuff marked “Solves APT TODAY!1!” when in fact, hard work is required. Nothing very hard, just simple stuff like input validating every field and not tolerating insecure software any more.

But for your average CSO, finding out if an application was developed in a secure fashion and that every parameter is validated is impossible. It shouldn’t be. But that’s not the main point of today’s post.

It’s moderately clear in the fog of active disinformation that the weaknesses used in the RSA, Sony, and PBS hacks are well known and easily exploitable. The solution is like losing weight. There is a simple solution that works – albeit slowly. It’s called eating the right amounts of good food for a year or two and exercising hard every day. Anyone who has tried to lose weight, including myself, knows that we really just want an APT strength diet pill.

I think most of us in our industry will acknowledge that penetration testing has become “different” over the last few years, from literally shooting fish in a barrel with the most rudimentary or no tools, to requiring a fair bit of work, and moving up the value chain to find interesting and exploitable issues the business cares about.

In terms of results, I think we’re still finding 10-20 things wrong in every app. Attackers need one. This is the attacker’s advantage. The number of weaknesses, the type of weaknesses, and the severity of the weaknesses are NOT “advanced” in any way shape or form in 95%+ of the code reviews and penetration tests I perform. The other 5% have been working with me for a while, are mature risk managers, and they’re hard to attack as a result.

But because of the hard core mystique surrounding the use of the term “APT”, we’re seeing completely inappropriate uses of the term everywhere from anti-virus scanners through to security appliances that promise data loss protection but forget that the information security triangle is people-process-technology. Putting one in place doesn’t solve the other two, nor negate your responsibilities to put in appropriate controls that PEOPLE can live with to do their JOBS and make the business MONEY.

My twitter icon is the famous drive around control image:

[Image: “Access controls are only for those with easy access”]

This is where folks promoting APT fail. I am not denying that the attackers who have found an end run around a widely known security control are

Advanced

Persistent

Threats

Anyone who targeted a particular firm, utterly broke a long standing crypto system, and did everything else required to circumvent the hardened controls of at least two military industrial giants is worthy of the term APT.

Unfortunately, APT as a term is so brand damaged in the info sec community (try saying it at a public event without being openly laughed at), that we have to choose a better one, one that marketers would never dream of using inappropriately. I don’t know what it is, but surely

Enemy Combatant

or

Soon To Be A Small Pile Of Glowing Ash (STBASPOGA, or the more friendly sounding Strasbourg)

are right up there.

Worse still, the fact that these Strasbourgs really are APTs doesn’t mean that we should forget to do the hard work, but instead demonstrates the paucity of protective information security research. Some of you might remember me saying a year or two ago that too much attention is paid to those who hack, and not enough to those who defend. Strasbourgs should mean more dollars in pro-active research. We need to make it difficult to develop insecure software. We should make it easy to determine if Acme’s latest release of their widgets is insecure. We should have metrics that easily demonstrate insecure software costs more. We should make it legally untenable to ship insecure software, and give redress to consumers when their investments, privacy and intellectual property are violated due to stupid, simple weaknesses that we knew about in 1965.