[Dailydave] 2013 - A New Hope

Dave Aitel dave at immunityinc.com
Tue Dec 24 10:50:04 EST 2013


2013 - A New Hope


So I hesitate to make predictions, but I think it's important to at some
level acknowledge that 2013 was a huge year for information security. A
few things happened... :

o The rebirth of managed security services.

When you don't care about bringing hackers to court, but you DO care
about the security of your IP, you start to evolve a very different
fabric on your network and you need a completely different specialist
set of skills. Managed Security Services used to be the haven of total
technical wash-outs, with IDS monkeys watching screens for alerts nobody
cared about. This has changed, and I think the watershed moment was
February 2013, with Mandiant releasing their APT1 report
<https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators/>. 
We are moving to a much more highly skilled, and expensive, version of
managed security services, with Mandiant, Crowdstrike, Terremark, and
others all competing with similar technologies and methodologies and
price points. This is the pendulum swinging away from offense a bit
more, assuming people can afford these services (which is not at all a
given).

o The Snowden Event

Look, there's very little in the "revelations" Snowden has talked about
that wasn't already highly visible to industry insiders: What can be
done, is being done. And everyone who says Cyber is an asymmetric warfare
should be eating their words now, since you cannot believe the US Intel
Community has succeeded to the level they have in this space and think
it was a game for small players anymore.  My USENIX talk from 2011
<http://www.youtube.com/watch?v=D5ULFP4CgQU> pointed out much of what
has come out. The most obvious angle on the story is the growing
push-back from corporations. Google building certificate pinning into
Chrome by default hurts not just Iran, but also all the allied
governments Google calls home, who are just as happy about how the
global PKI system SSL depends on bends to their whims. The corporations
have been taking huge unbalanced risks on behalf of their governments,
and these chickens are coming home to roost. Or, to be more specific,
vultures, as Huawei demonstrated
<http://venturebeat.com/2013/12/03/everyone-hates-huawei-ceo-says-company-is-giving-up-on-the-us/>
by being thrown out of the largest market for IT gear in the world. But
it's exactly that horrifying prospect that scares Facebook and Google
and every other big US IT company into taking a hard line with the USG,
and no doubt, with one eye on Cisco's revenue sheet
<http://www.reuters.com/article/2013/11/13/us-cisco-results-idUSBRE9AC16F20131113>.

To quote from today's Washington Post article:
<http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html>
"""
Microsoft general counsel Brad Smith took to his company's blog
and called the NSA an "advanced persistent threat
<http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx>"
--- the worst of all fighting words in U.S. cybersecurity circles,
generally reserved for Chinese state-sponsored hackers and sophisticated
criminal enterprises.
"""

What should scare administration officials is that when you talk to big
financials in NY, they feel the exact same way. In my discussions, they
are now MORE invested in securing themselves against the US Government
than the Chinese government!

It is safe to say these battle lines have yet to be completely redrawn,
and when they do the Chinese and US governments will be on the same
side, with Chinese and US corporations allied against them.

And we will then officially exit the "Golden age of SIGINT" and enter
the scrappy Bronze Age of Targeted Access.

o The rise of Bitcoin

The financials (and business in general) are extremely excited about the
useful shared delusion that is Bitcoin. Nobody knows how this pans out,
but it doesn't necessarily pan out well for groups whose root of power
is controlling the flow of commerce
<http://www.nytimes.com/2013/12/06/business/international/china-bars-banks-from-using-bitcoin.html?_r=0>.


o The cementing of Leaks as cyberweapons

Every reporter I talk to now who is starting a new venture has a
foundational element of "some place people can send me leaked
documents". The concept of leaking things into the public eye as a
cyber-weapon has gone from "Assange is a crazy loon" to "This is how
things get done" in a fairly rapid space. It's easy to forget that the
whole reason he started WikiLeaks was that he believed that you could
forever change how government works by draining the ocean of secrecy
they live in (and of course, to get babes). The Russian and Chinese and
Iranians and so forth are snarkily reveling in how the USG is painfully
handling the leaks, but of course, their turn is coming, and they are
far more vulnerable.

Conclusion:

So to sum up, 2013 was a year governments (and in particular the USG)
found their influence sharply contracting, with budget cuts, shutdowns,
and philosophical pressure on all sides. I, with the rest of the hacker
community, look forward to 2014, when the empire can strike back.

-dave
P.S. MERRY CHRISTMAS AND HAPPY NEW YEARS TO ALL DD LIST READERS!
