<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>So I assume most people skim any news reports of big breaches in
the same way these days. Was this predictable? Was it preventable?
Do we know who did it? Did they do anything new to attack or
defend?</p>
<p>In Equifax's case, the reportable information clearly is the
alleged trading anomalies, rather than the hack itself. But the
third question is interesting to a point. I've been trying to
write a keynote for T2 for the past few weeks, and while my muse
is clearly on an extended vacation, there are some interesting
generational changes afoot with regard to these questions.</p>
<p>At some level, in a world where vulnerabilities are super rare,
governments dominate the discussion of malicious actors. I think
there's a lot of news chaff about every little 20-something hacker
or aspiring malware businessman who gets caught. Filtering those
out, there are relatively few reports of hacking groups with high
skill levels. And because of our assumptions that "Governments"
are behind everything now, I think we naturally err towards
flinching at boogeymen who...wield SQLi and Phishing with .jar
files. <br>
</p>
<p>But when you look at the accomplishments of truly skilled
hackers, they're amazing. And the environment we live in is not
one where major vulnerabilities are rare. The environment is such
that any specialized <a moz-do-not-send="true"
href="https://en.wikipedia.org/wiki/Extremophile#/media/File:Grand_prismatic_spring.jpg">extremophile</a>
can penetrate and persist all of cyberspace. In a sense, the
entire bug bounty market is a breeding ground for a species that
can collect extremely low-impact web vulnerabilities into a
life-sustaining nutrient cycle, like the crabs on volcanic plumes in
the depths of the Pacific. Likewise, learning everything about RMI
is enough to be everywhere, or .NET serialization, or CCleaner. In
cyber, where there's a way there's a will. <br>
</p>
<p>It used to be we would be more afraid if it was China or Russia
or Iran or whoever. But these days I like to annoy people by
asking what if it's not? <br>
</p>
<p>Also, does anyone know how often Equifax did their penetration
testing? My new rule is that if you only do it in Q4 you are
unlikely to have a mature security program. :)<br>
</p>
<p>-dave</p>
</body>
</html>