Home page logo

dailydave logo Dailydave mailing list archives

Re: Security Paleontology - The Jurassic Park rule
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 17 Jul 2014 09:51:52 -0400

I got a bunch of replies that said this:
Dave, enjoyed reading your rant, but I don't understand your punchline
on securing data --"but in fact, just to make it less valuable" - how do
you do make data less valuable?

So to bring us back to how you do this, let 's take a quick look at
credit cards and Target, which are the best example of an "If you
collect it, hackers will come" information security strategy. What
Target really wants is not Chip and Pin (or worse, Chip and Sign), but a
transactional system that is only good ONE TIME and to ONE PERSON. What
they want is something where I say "On this day please pay Target 11.50
USD" and then cryptographically sign it. This is actually not that hard
to do in the age of smart phones and Google wallet.

If you steal a bunch of those signed blobs, NOBODY CARES. They are
useful only to Target and only for that one day. I guess you could
datamine them and find out I bought a toothbrush that rotates because
I'm a sucker for such things, but that's it.  We don't as a society have
to fund a giant team of FBI and SS agents to hunt down teenagers in
Eastern Europe (those headlines where we crow about arresting some
teenager are embarrassing to everyone involved).

In RSA's case you have to wonder why they have the key material for
their SecureID tokens in a DB of any kind at all? Just delete that stuff
as you create it. Instead of collecting data, how about NOT collecting
data? Wysopal likes to go on about "security technical debt", which is
essentially when you are building a system and you don't consider
security and later you have assess, retrofit, or junk the entire system
(this is the credit card system from A to Z in a nutshell). Honestly,
this is something M&A people really should take into consideration a lot
earlier in their valuation process.

But there is also a technical debt associated with collecting any kind
of large database of information. This is counter-intuitive because
having lots of information is a very valuable thing for a corporation or
Government agency! But it is also a huge liability, and so building
these databases should be undertaken with caution. If you haven't asked
"How can I make this database valueless to anyone but me?" then you have
already failed at information security and you are left to worry about
IT security instead.


On 7/16/2014 4:29 PM, Dave Aitel wrote:
Like many of you, I went to the theater with a child much too young
and re-watched new and more awesome 3D-Jurrassic Park until they cried
loudly enough to annoy the other theater-goers and wanted to leave.
Because in 3D, those big dinosaur things are scary. And also that dude
gets eaten while on the toilet.

And, honestly, looking at a lot of the security problems my friends
are dealing with  on the defensive side makes me re-iterate that I'd
rather be eaten, while on the toilet if necessary, by a large reptile
than ever try to convince someone that "cloud security" was possible.
How are you going to do anything securely in the cloud, when the core
problem of performance isolation is basically just a lot of hands
waving over a lot of CPU's in the basic architecture of perfidy that
Seymore Cray would have cried to have even dreamed about.

I know you all feel the same way about sitting through any
presentations on Internet Scale Performance - except all your IO is
going over a cleartext leased line through both China and Russia
before coming back to you, on machines whose hypervisors are all
corrupted by malware that "can't possibly exist".

And, of course, what my friends often want to know about is "the root
cause".  You can probably see the
former-Saudi-contruction-project-managers that make up a lot of Al
Quada's command structure thinking the same thing. "Maybe if we just
stop using cell phones so much we'll stop getting eating by the giant
beasts that are hunting us?" And you can see Target's new team using
that same tone of voice except in a much nicer cave somewhere in
suburbia. "Hey, if we switch to whitelisting our point of sales
systems, will that prevent hackers from stealing all the credit cards
that people still use to buy their kids giant book bags that can
double as Go Karts?"

And the answer, is of course, that if you put lots of sugar in a bowl,
flies will find a way to eat it.  Life will find a way! It's the
Jurassic Park rule, and it applies equally to credit card numbers, 
RSA token key information and State Department cables. The way to
secure your data is not to add layers of encryption and whitelisting,
but in fact, just to make it less valuable. You can see Archer
<https://www.youtube.com/watch?v=8KAVZEiIjk8&feature=kp>saying "This
is why we get Ants" right here, and it's not a coincidence that
INNUENDO <https://www.immunitysec.com/products-innuendo.shtml>'s logo
is a big ant head.


Dailydave mailing list
Dailydave () lists immunityinc com

Attachment: signature.asc
Description: OpenPGP digital signature

Dailydave mailing list
Dailydave () lists immunityinc com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]