[Dailydave] The monetization of information insecurity

J. Oquendo joquendo at e-fensive.net
Tue Sep 9 09:28:34 EDT 2014

On Mon, 08 Sep 2014, Brad Spengler wrote:

> Hi Dave,
> How to avoid repeating the mistake of AV: this is a difficult problem.
> I don't have much experience in defense, so if I were to ponder a
> solution to this problem, I would look toward the paradigm-shifters in
> the infosec industry.  Being an avid reader of Wired and other such
> online magazines, my immediate thought was Google's Project Zero.
> We've learned from the failure of AV that ex post facto detection
> and remediation of single pieces of malware is a losing battle given
> the ever increasing number of malware samples in the wild.  It seems
> like for every malware detected, two more take its place.

This is/was one of the main reasons why I choose to avoid
doing static malware analysis. Once upon a 4-6 years ago, I
was tasked to analyze a sample (Qakbot/Qbot/YourNameHere).
Initially, I was able to pick this little needle out of
a haystack pretty easy. As time went on, those responsible
for it made some heavy duty modifications. To the point
where, every 15 minutes of so, another iteration was sent
(via C&C) and the whole structure changed. Waste of time.

> That's why I really admire Project Zero's approach -- it took these
> lessons to heart, producing a real game-changer.  They're focused
> on ex post facto detection and remediation of single bugs, a highly
> effective approach given the ever increasing number of bugs in the
> software today.

Software bugs are one thing however, malware makes use of
other bugs (network related misconfigurations, human error)
so patching/finding all bugs is not going to solve the
problem either.

> What's really unique about Project Zero's approach though, is that
> unlike AV, Project Zero pairs its work with copious quantities of
> self-advertisement -- because when one's goal is making the world
> a safer place, one needs to make sure everyone knows it.
> We need to change course.  Let's resolve to put the monetary focus
> of the industry to where it really belongs: bug bounties.  Let's
> ensure fuzzers are employed for the next decade while we reap the
> bountiful rewards of their endless trickle of bugs.  If we make
> sure this strategy dominates, we can be sure we don't hamstring
> the industry by focusing efforts on what produces real improvement.
> We know bug bounties work because their associated monetary offerings
> continue to increase -- the market has spoken.

With all due respect, you're looking at a single segment of
security. Fix all the bugs you want: "You can't fix stupid."
Where stupid is arrogant me calling someone horrible names.
One of the things I love doing when doing red teaming, is
shoving java into flash, then shoving flash into a PDF,
then controlling what I send, via mod_security to a target.
There is NO bug that is exploited with the attack and I have
a HIGH exploit ratio. This is due to human error (opening
a file) not any 0day (exploitation of a browser, IE, office).

> If we take our cues from such visionaries, I think we can avoid the
> parasitic growth of the infosec industry and break the chain of
> strategies that haven't worked for their entire reign.
> Respectfully submitted for your consideration,
> -Brad

I believe based on experience that the solution lies in the
network PERIOD. A while back, I watched a show about the
precious metals at West Point Military Academy. They got
into a brief discussion about the security there. Getting
in, involved typical show your ID, walk through the metal
detector, etc. What I found kick ass cool was when it was
time for the employees to go home. The entire facility was
locked down. EVERY SINGLE ounce of precious metal was then
accounted for, weighed, etc., before ANYTHING was to leave
the building.

What is the one thing you CAN CONTROL in your network?
What leaves. Whether you're implementing firewalling, or
filtering, analyzing. I believe the proper way to tackle
the problem is figuring out a way to do so before traffic
LEAVES. Because of the fact malware works (iterations, etc)
it's a waste of time analying (only to find out 5 mins
later things changed), OR... you go bug hunting only to
have someone stupidly fall for something that I do with
PDFs (where no exploit is involved)... The ULTIMATE common
core with ANY virus, or malware writer, or even Joe Blow
APT (or is that Wang Chung APT?) is... They all need to
get data OUT of the network.

An extrusion mitigation/filter/doo-hickey is what I opine
is the best bet. However that too becomes cumbersome since
it would HAVE to be IP based, EVERYONE would have to run it
(in the world) otherwise it wouldn't work based on any kind
of blacklisting. The reason it wouldn't work unless everyone
used it is simple... If I owned say Microsoft, and you went
and trusted Microsoft, I could just xfer to MS, and take it
from there.

I have the ultimate answer but I'm not telling unless
In-Q-Tel offers me a billion for the solution.

J. Oquendo

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF

More information about the Dailydave mailing list