Friday, August 26, 2016

The Unintended Consequences of Software Liabilities

"Pacemakers".

People love the idea of holding software companies' feet to the fire when it comes to security. You hear a lot about software liabilities, how "inevitable" they are, for example at CFR meetings or other policy forums. You hear about mandatory FDA-enforced or Commerce-enforced recalls for cars or other IoT devices with software vulnerabilities.

But if you do that, you make it so every hacker in the world can figure out the cost of a disclosed vulnerability, which means shorting stock becomes the best bug bounty in the world. "Why not just control all vulnerability disclosure?" the policy makers then say. Fantastic idea. I wonder if THAT will have any unintended consequences?


Monday, August 22, 2016

Data is not Analysis in Vulnerability Equities

If you haven't read Matt Tait's and my piece on why we think the VEP has severe problems, please do so! We love heckling. :) That said, government 0day policy is the last area we should be focusing on as a control measure. It's insanely complex and we don't have the data to do it right, which is the case I think you'll see me making in the next few months.

I want to point out that in many policy and academic papers I've read (some of which are referenced in the above piece) they've both over-simplified the idea of bug collision (to "sparse" or "dense" - terms which make no real technical sense) and come to the opposite conclusion about vulnerability overlap from every technical person I know, many of whom have decades of experience holding 0day.

Below are some Twitter notes from Stefan Esser, Halvar, Grugq, Argp, and others who point out that while anecdotal evidence of a lack of overlap is not conclusive in any way, it's interesting that everyone in the business seems to have the same basic experience.

To wit, the most common way vulnerabilities get "killed" appears to be because of coincidental code refactor.

And of course, sometimes it's not a vulnerability, but a CLASS of vulnerabilities that you are trying to measure. Most big research firms have new classes of bugs and new exploit techniques that are not seen or used publicly. There are no clear lines here, but at a certain point, what you're trying to measure is math. Why is there no Math Equities Process for the government? It's because MATH is not as sexy as 0day (aka, not as clearly impactful on Microsoft's bottom line and marketing message?).

Even if you had all the data, normalizing it, analyzing it and understanding it would be a complex, difficult endeavor. And beyond that, making a sane policy choice is even harder. But until then, we have to admit that our policy choices are a bit...insane. :)


Tuesday, August 16, 2016

Why EQGRP Leak is Russia

"Cyber Stalingrad Statue has opinions!"

First off, it's not a "hack" of a command and control box that resulted in this leak. Assuming it's real (I cannot confirm or deny anything here - largely because I don't know), it's almost certainly human intelligence - someone walked out of a secure area with a USB key. So let's go down the list of factors that make it "Almost Certainly Russia".

  1. Timing: Seems almost certain to be related to the DNC hacks. High level US political officials seemed quite upset about the DNC hacks, which no doubt resulted in a covert response, which this is then likely a counter-response to. As Snowden put it: Somebody is sending a message that they know about USG efforts to influence elections and governments via cyber.
  2. Mention of corruption and elections in the text of the release feels classically Russian.
  3. Ability to keep something this big quiet for three years (leak is just post-Snowden) is probably limited to only those with operational security expertise or desire to leverage those bugs for themselves
  4. Information results from HUMINT, not a simple hack of a C2 box as suggested (not that even that would be easy). Level of difficulty: Very Experienced Nation State.
    1. Alternate possibility: someone was sitting on a redirector box and the most incompetent person on Earth uploaded this ops disk to it to make their lives easy. Still means someone was hiding on this box who knows what they're doing in an unusually skilled way.
    2. Alternate, believable opinion on this from the Grugq: here.
  5. No team of "hackers" would want to piss off Equation Group this much. That's the kind of cojones that only come from having a nation state protecting you.
  6. Wikileaks also has the data (they claim).
"Conventional Wisdom from Russian Intel!"