Past, Present, and Future of Security and the Security Community

So just wanted to paste a few links to various views on the security community I have come across lately.

The Extinction of Hackers by FX
http://www.phenoelit.net/extinction.html

The established community and its rules have the effect of distracting young hackers from their own, personal goals. You are not accepted as a hacker if you run Windows (there are very few exceptions). If you are not an established and respected person, you must run at least Linux, but never one of the large distributions like RedHat or Suse, even if your goal is hacking in the Microsoft .NET environment.

There is no doubt that working with Linux, FreeBSD, OpenBSD and MacOS X will teach you a lot. But if that's not what you are interested in, why bother? It just wastes a lot of valuable time, during which you could have read another book or two about the Windows architecture.

...

The community, the industry and the society as a whole need smart, aggressive, young blood taking over the hacker's banner. It's time the role models realise what their task and their responsibility is, namely to encourage young hackers to do their own thing and stop telling them how something should be done. This is not science; this is hacking, where reinventing the wheel is not necessarily a bad thing. The task is to help (re)invent, not to show them your wheel from five years ago; it's rotten anyway.

Not Kind, Not Gentle. The turn of the decade in security. by Greg Hoglund
http://fasthorizon.blogspot.com/2009/11/not-kind-not-gentle-turn-of-deca...

The decade in review: The most painful thing we learned is that computer security hasn’t worked. We are, at this very moment, MORE insecure than we were in the year 2000. Billions of dollars were wasted on security technology that isn't working. In the last ten years, true cybercrime was born. Maybe we were just naïve about the coming storm. At the turn of the century, it was hard to get past the romantic idea of a university student hacker who prowled systems harmlessly for fun. Blocking ports and preventing network based buffer overflow attacks seemed so important. None of this technology prevented true criminals from pulling off the biggest heist in computer history – the massive theft of identity and subsequent banking fraud of the last few years. The traditional hacker is dead. Hackers are now called terrorists. The Russian mafia pays developers six figure salaries to write rootkits and malware. Independent researchers can and will sell a reliable working exploit of Internet Explorer for more than $50,000 USD. It began to hurt so bad that even Microsoft had to jump on the secure coding bandwagon, declaring a massive effort to make their code more secure. But this isn’t working either. You see, we are adopting technology at a rate far faster than we can secure it. By the time we have secured something, the landscape has changed and the attackers have moved on. In fact, that is why desktop exploitation has become the dominant attack vector. Over the last few years, malicious documents and media, especially “rich content” that contains embedded logic, parse-able metacode or script, and other logical constructs that can be malformed, emerged as the dominant method of exploitation. The APIs, COM objects, and other hoo-hah piled sky high on your windows workstation is a garden of carnal delights to a skilled attacker. Exploits of this nature have been mostly delivered via Internet Explorer and email.
In fact, Internet Explorer is quite possibly the largest software disaster ever. As a software program, it has probably caused over a hundred billion dollars in damages since its release. This isn't about blame - if IE wasn't there, someone else's browser would have been the target. The browser is the portal into the Enterprise, so it's going to be where the bad guys focus. Finally, even before all this was going on, every nation state on the planet was standing in the shadows scared out of their britches. Smart people in high (low?) places could see the writing on the wall. It is TRULY AMAZING that a terrorist hasn’t hacked into the SCADA systems of a municipal power utility, started a cascade failure, and shut down half a state in the dead of winter. It’s because of this that I think [most of] those so-called terrorists aren’t very bright. As we close out the first decade, we must realize we have just entered one of the biggest arms races in the history of warfare. In fact, one can easily say that true cyber warfare was birthed in the last ten years.

ZFO5
http://seclists.org/dailydave/2009/q3/47

The security scene is fucked. You have Dan Kaminsky lecturing you on how DNS
poisoning will destroy life as we know it. You have Matasano harvesting talent
and critiquing everyone, and then Ptacek can only announce the release of....a
graphical firewall management client. There's kingcope killing bugs and
dropping weaponized exploits while making no other contribution except putting
a smile on the face of kiddies. There's iDefense and their competitors selling
exploits and only doing research in how to make more exploits. There's Jeff
Moss running a conference under the hideous misnomer "Blackhat Briefings" where
the same researchers search for glory and present the same shit year after
year. There are people who just live press release by press release. And on top
of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry
cares about virtualization one year and iPhones the next, every year forgetting
the lessons it should have picked up in the last.

If you are just someone looking to pay a fair price to not get owned, you find
out quickly that none of these people exist to help you. Very few people in
this industry have their income model based around actually making you more
secure. At best, some of them have it based around convincing you that you are
better off.


The very concept of "penetration testing" is fundamentally flawed. The problem
with it is that the penetration tester has a limited set of targets they're
allowed to attack, while a real attacker can attack anything in order to gain
access to the site/box. So if a site on a shared host is being tested, just
because site1.com is "secure" that does NOT in any way mean that the server is
secure, because site2.com could easily be vulnerable to all sorts of simple
attacks. The time constraint is another problem. A professional pentester with
a week or two to spend on a client's network may or may not get into
everything. A real dedicated hacker making the slog who spends a month of
eight hour days WILL get into anything they target. You're lucky if it even
takes him that long, really.


Those things should all be very obvious, but whitehats still make the mistake
of discounting them. Look at Mitnick. Every time he gets owned he blames his
host or his DNS provider. If he's getting owned through them, that's still his
fault. Choosing a host is a security decision, it's just like choosing a
password. If you choose a weak one you expose yourself. It's still your fault.

It's the same with outsourcing the development of your security-critical code.
Mitnick could get someone else to make him a flashy website, and then blame
them when it is full of file include vulnerabilities. People do this all the
time, indirectly, by using ridiculous CMS or blog software. As an easy example,
look at Wordpress. Even easier, look at Wordpress in 2007. Horrid. When
considering Wordpress, a blackhat starts reading the PHP, shudders and giggles,
and then laughs at the idea of ever using it on one of their servers. A
whitehat never gets that far apparently, they just install it and get owned. I
simply fail to see how leading security researchers run all kinds of code that
is blatantly dangerous. Are they really that bad at reading code? Or do they
just not care much if their passwords end up on Full Disclosure? If it's the
second option, why is that? Why can these people make a living selling
security when they make such bad choices? How do they maintain legitimacy? They
take less responsibility for getting owned than do the people who they sell
services to.

There's a popular term for people who don't read code. We call them script
kiddies.

You cannot outsource blame. You HAVE to take responsibility for your mistakes,
whether they are mistakes in your code, mistakes in code you are using,
mistakes by your host, or mistakes in who you trust. These are all security
choices. Learn to control this shit. Learn how to read code. A lot of the time
it only takes a very shallow audit to realise that the code is crap and is
bound to have bugs. In a smarter world, security professionals get paid to stop
people from getting owned. End of. There is no limit to the scope of an audit.


Are you professional types really this out of touch? I see all these papers
about how to protect yourself from these super-fucking-advanced techniques and
exploits that very few people can actually develop, and most hackers will NEVER
USE. It's the simple stuff that works now, and will continue to work years into
the future. Not only is it way easier to dev for simple mistakes, but they are
easier to find and are more plentiful.

The whole concept of full-disclosure has backfired. It will never work. It's
some slashdot hippie pipe dream. Even you dumbass corporate types should
recognize this. If you're constantly giving away all the vulnerabilities you
find, for *FREE* mind you (and what other industry does that?), and the
vulnerabilities get harder and harder to find and exploit, it will get harder
and harder for you all to do your "job". Frankly, I'm surprised that the
non-disclosure movement didn't start in the security industry in the first
place. In a way it did, by default. With full-disclosure, the security
industry is all about show and gloat, it is not about fixing anything. A lot of
bugs have been fixed from it, but it comes with the price of an industry that
likes to cripple itself. Projects run by teams of trained monkeys are always
eager to add more bugs to replace those that have been fixed.

We hate the industry because it is full of shit. There are so many trolls like
Kaminsky who just desperately search for anything new, to get attention. So
many talentless buffoons trying to scam the planet. A lot of the actual talent
out there is severely misapplied. It's an industry tied to news and not
results, because very few of you can even attain results. When you can't, who's
the wiser? Your customers can hardly tell if you have really made them more
secure or not. Sometimes there are superficial benefits, sometimes there
aren't. How do you convince the customer that they are more ZF0-safe than
before, if they were never targeted and probably never will be? And you all
lack the legitimacy to really do the job you should anyways. We can only expose
so many frauds, the rest of you can pretend you have changed something.

Very few whitehats actually go out there and provide a service where they make
people more secure. Not just for a day or a month. Are you genuinely fixing the
underlying design and logic flaws that generate security problems for your
clients or customers? If you actually clean up every exposed security flaw they
have, will they still be "secure" in six months or a year?

We could go on. Just in general, the industry is failing. Flat out failing.

You cannot even protect yourselves.

Powerful things to think about as we move forward into 2010.


Comments

Good read. I'm a young hacker

Good read. I'm a young hacker myself, and I take this as inspiration to keep working on what I want to do instead of being pushed to follow the old paths of others. I appreciate the words, and being part of a small community I will continue to do what I love most. Maybe, one day you'll be reading an exploit I posted on the net. Until then,

Peace.

truth

1) Code doubles every 6 months
2) Bugs recidivate at a rate of 15%
3) Security-related bugs, especially in the highly targeted ones, are fixed years after reported/discovered

We must move away from the Exploitability Trap. We must reduce all copy-paste and unnecessary code, hopefully by using IDE and Continuous Integration Server plugins along with Test-first Development and Refactoring software engineering practices.

We must purchase multiple varieties of very expensive services from the small camp of security boutiques providing application security consulting. All risk management and information security budget must come from a single source, preferably a Board of Directors, CFO/CIO/CISO/CSO, or similar. IT/Network Managers/Administrators/Engineers cannot be responsible for security.

OEM and ISVs should not install software on brand-new computers without some sort of rating system for security (as determined by some sort of collective similar to ZERT). Organizations should not enumerate/discover applications across their workspaces, but instead should eliminate, minimize, and harden according to CIS, NIST, NSA, or DISA STIG guidelines.

Applications should have extensive architectural risk analysis performed, especially in co-ordination with the Refactoring and other Application Lifecycle Management processes.

Compliance reporting and audits should be aggregated internally as much as possible, using UCP and BITS FISAP. Existing compliance standards such as COBIT should be replaced by COSO; ISO 27002 replaced by Visible Ops Security; ITIL/ISO 20000 replaced by Visible Ops.

Follow NIST (if you're gov't) or follow CISecurity+ITPI (if you're not). Become a CIS member and utilize CIS-CAT. Become an OWASP member and utilize ESAPI.

Write a formal appsec policy if you produce, have produced, or intend to produce software in any line-of-business. It should, at the very least, mention the Microsoft SDL and/or the OWASP ASVS standard.

Application Security Assessment and Protection suites, such as the Microsoft A&P Suite, should be built into the default installs, making all development/testing and operational configuration secure-by-default.

We must figure out and understand our true adversaries. Is it Russia? China? Romania? Can we identify our adversaries more specifically than by country? Can we shut them down? Can we give them mis-information? Can we get moles/spies inside their organizations? Can we perform actual information warfare against them?

Alas you are mostly right

I find it sad to say that most of the things you say are right. I have been doing the security thing for 12 years now, and it seems like we stumble over the same problems over and over. People develop something for internal 'trusted' users, then move this out into 'untrusted' internet as a new 'product' and wonder why it gets owned in ten seconds.

Buffer overflows continue to plague us, Universities teach people stupid stuff like java, and don't train the young'ens the concept of bounding variables, looking for known GOODNESS rather than unknown "BADNESS".

Attacks have gone from thousands of ports to 4 or 5 (DNS, HTTP, HTTPS (the best!), SMTP, and Bittorrent). So we have just as many attacks just on fewer ports.

OSes continue to be designed to train the user to say 'yes' because they bother us with unnecessary prompts, and passwords are so annoying that even the best of us have to write them down because every site requires a UID and pw now.

Text, once an unimaginable vector for attack, is now a primary vector for attack. Whoever decided to mix content and programming languages should have been shot.

We see a profusion of useless certifications, endless bodies certifying the work of equally shoddy other bodies, and snake oil being sold by the hogshead.

Simplicity: If you want it to be secure, keep it simple, disconnected, and users few. There's nothing wrong with security through obscurity so long as it isn't your ONLY line of defense.

Avoid OS monoculture, keep your operating systems diverse, well patched, and minimize open services. Run SSH on non standard ports, and why can the whole world scan your SSH port anyway?

I could go on. But simply knowing what you have, ensuring your patch schedule is well attended to, good vetting of employees (good employee screening). And the practice of hiring convicted criminals as today's 'security experts' could also be called into question.

And I agree on the defcon thing. Same old Crap, Different Day. There is a ray of sunshine in HITB which has some interesting stuff, as well as Cansecwest.

RSA conference is a joke, as is SANS. I kind of like OWASP though, a lot of good stuff there.

agreed

Can't agree more!

Evolution of penetration testing

While penetration testing is certainly just a portion of what should be done, the expansion of the penetration test to include multiple modes of successful attack and the corresponding awareness that an organization then receives can be a big help, as far as actually securing organizations. But the economic realities of global capitalism, which includes the security industry, are not often going to allow for this sort of comprehensive testing unless there is enough motivation (or compliance regulation that goes into *detail*) on the behalf of the client.

Regarding your first paragraph about "no client sides, no social engineering, no custom built backdoors that won't flag on AV" I refer you to my blog post (that you Chris have already read) that goes into my thoughts on this subject - "Penetration testing, targeted malware attacks and the future"

http://perpetualhorizon.blogspot.com/2009/10/penetration-testing-targete...

-cw

thoughts

Personal thoughts (even though I don't even remotely rank with the people above)...most of the people I have encountered still don't get it. We ask for "black box" pentests of 100 IPs out of 10,000 with nothing useful running on them and call things secure... oh but no client sides, no social engineering, no custom built backdoors that won't flag on AV...bad guys don't do any of that.

We ask our pentesters for the cheapest pentest we can get for PCI compliance (and pentest shops line up and salivate to do it), and most companies couldn't even put their finger on the thing that makes them money or the why/how they are trying to protect it so we can test those controls.

We still look at security as a bunch of boxes on the network and not the data or resources those networks contain, and we have people who just now think that pentesting with a "goal" in mind is new, it's not new, it's what we should have been doing all along. How that is late breaking news I don't understand. How automating core impact to pop 50 shells on 08-067 helps get someone secure I'll never understand. Yea...you've emulated the laziest and crappiest of all attackers you'll ever get and you never even tested if you could catch them...blah.

See Chris Nickerson for the rest.

Thoughts?

Comment

I've had the "it's all about the dollar bill" and "vendor dictated cons" debate with a very popular "security expert" (if you're reading this you know who you are) and was told "we all gotta eat". Pretty much, 'nuff said.