Shan Yu had a point.

BOOK: Have you ever read the works of Shan Yu?
SIMON: Shan Yu, the psychotic dictator?
BOOK: Yep. Fancied himself quite the warrior poet. Wrote volumes on war, torture… the limits of human endurance.
SIMON: That’s nice…
BOOK: He said “live with a man 40 years, share his house, his meals, speak on every subject. Then tie him up and hold him over the volcano’s edge. And on that day you will finally meet the man.”
SIMON: What if you don’t live near a volcano?
BOOK: I expect he was being poetical.

I am a sucker for a movie or TV show that presents a compelling scene or story, that conveys a complicated topic most humans will never experience, or likely never fully grasp with any bit of reality. I am a bigger sucker when such a scene or story starts taking on a small shred of reality, in a different context, that I can piece together.

While I can’t compare my point to being held over a volcano’s edge, I feel that slowly meeting and getting to know someone over 20 years and watching a variety of mental toils take effect, may come in a distant second. In addition to compassion fatigue, spending decades in an industry you believe in that keeps failing, no matter how hard you try to improve, wears a person down in many ways. Some of them often destructive to themselves and those around them.

We’ve reached a point in InfoSec where there are hundreds, maybe thousands of veterans that are reaching a critical mass. The number of disillusioned professionals that cannot tolerate their beloved industry is incredible. Some I know have sworn off the industry, vowing to work outside their niche market, and forsake the rest of the industry. This is great for them, bad for the industry who could desperately use their experience and knowledge, and absolutely fair to both. I won’t get into the debate of “oh but there is a next generation“, and just say that a community who loses a significant portion of their elders will suffer tremendously, even if they don’t realize it until many decades later.

if Shan Yu were on social media, I think he would be fascinated watching the story unfold, and amazed at how much he could learn about people during their industry-induced downward spirals.

Studies, articles, and social media activism are just a start.

I would imagine everyone reading this, who partakes of social media to any degree, is getting worn down with the social media activists. Like everything, there are some that are effecting change and doing great work. They use the media to spread the message while helping to enact change in other ways. Basically, doing more than just ‘awareness‘. You can Tweet and Facebook and Tumblr all day long about “help our vets”, and the sentiment is great. But until you turn that effort toward people who can effect change (e.g. politicians), it’s not likely to actually help a veteran. Oh, and you do occasionally promote charities that help the veterans and donate yourself… right?

Yesterday, “Spouse-gate” happened at the ASIS / ISC2 Congress event. In a nutshell, a female InfoSec professional is a speaker at the conference, and her InfoSec professional husband joined her as a regular attendee, but via her “plus one” that the conference provides for. Each “plus one” in the eyes of ISC2 is the spouse, which by definition is the husband or wife. So imagine his surprise when he goes to the registration desk and finds the staff “utterly confused how [he] could be a spouse and asks [him] four times how [he’s] a spouse“. Did the meaning of spouse change sufficiently in the past years, that it is only applied to females? He explains several times that his wife is speaking, and he is her “plus one”, and they finally understand. Next, they give him a con swag bag and information regarding ‘spouse events’ which include shopping trips. The bag included two bottles of hand lotion, an empty photo album, shopping coupons, a magazine, and the business card for Jay Claxton, the Director of Loss Prevention at Marriott Vacation Club International.

I think it safe to say that the conference bag for spouses is a clear case of misogyny. Now, why am I posting about this? Peruse the bag contents and scroll down…

isc2-bag

I have been an outspoken critic of ISC2 for many years. In the last couple of years, I have toned down that criticism considerably, for various reasons. The biggest reason is that one of the board members, Wim Remes reached out to me and prompted many discussions over a year. He made an effort to get my feedback on how ISC2 could improve in their process, public perception, and get back on track (my words) with their intended purpose of making the security industry better. When someone in a position to effect change reaches out and demonstrates they want to make things better, it is time to help them rather than continue to criticize the organization. In that time, Wim has done an incredible job working to change the organization from the inside. Sorry for the diversion, but I feel it is important to give credit to those working very hard toward bettering our industry.

At some point in the last year or two, ISC2 has taken on a very public “pro-woman” stance (scroll through their Twitter feed). They have collectively called for more equality in the workforce in our industry. In fact, within one hour of ‘Spouse-gate’ starting, ISC2 was Tweeting about women remaining underrepresented in InfoSec. It’s hard to understand how an organization can promote a great cause while also devolving to the base levels of misogyny that are a root cause of the inequality.

isc2-tweet

Social media activism can do great things. But many of the great things that can be done get lost in the noise of people blindly re-posting feel-good messages that ultimately do very little to do actual good, and concretely support the cause. If organizations like ISC2 want to help effect real change, they need to “be the change that [they] wish to see in the world.” In short, more doing and less grandstanding.

Compassion Fatigue in an industry largely devoid of compassion.

A few days ago, Bruce Schneier actually wrote a slightly interesting piece for Fusion. I say that with surprise because most of his articles are engaging and well-written, but he rarely shares new ideas or concepts. Most of my professional circle is already very familiar with a given topic, and Schneier largely enjoys a reputation for his insight because he has a considerable following and they read about it there first. In this case, it wasn’t so much that Schneier’s piece was new information (he did quote and cite a 1989 reference on the topic that was new to me), it was that he flirted with a much more interesting topic that is somewhat aligned with his point.

In ‘Living in Code Yellow’, Schneier quotes a handgun expert who described a specific mind-set. From his article:

In 1989, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the “combat mind-set.” Here is his summary:
[..]
In Yellow you bring yourself to the understanding that your life may be in danger and that you may have to do something about it.

Reading on, Schneier brings up the psychological toll that such a mindset can have, and that concept should not be new to anyone that has been in InfoSec for a few years.

Cooper talked about remaining in Code Yellow over time, but he didn’t write about its psychological toll. It’s significant. Our brains can’t be on that alert level constantly. We need downtime.

While not new a concept, this one flirts with another type of psychological toll that some in the industry are not familiar with, based on my conversations over the last year. It only took a few minutes of Twitter discussion for others to recognize the same thing. While the point I want to bring up is similar to a degree, I want to stress that is also significantly different based on profession. I am not comparing InfoSec people to the people that typically face this condition. That said, quoting Wikipedia’s entry on ‘Compassion Fatigue‘:

Compassion fatigue, also known as secondary traumatic stress (STS), is a condition characterized by a gradual lessening of compassion over time. It is common among individuals that work directly with trauma victims such as, therapists (paid and unpaid) nurses, psychologists, first responders, health unit coordinators and anyone who helps out others.

This is another important aspect for some InfoSec professionals, but clearly not all (or most?) of them. Personally, I feel this is a condition that can manifest in people who truly care about their work, and as the article says, people who “help out others”. Many in our industry technically help, to some degree, but are driven by profit and fame. I do not think they suffer from, or will ever suffer from such a condition. On the other hand, there are certainly many InfoSec professionals who strive to help their clients, the public, and anyone they can. Money is a nice perk, but they are likely the ones that would do it even if it meant a paltry salary. Unfortunately, I think that many of them are newer to the industry as it speaks directly to compassion fatigue and the effects it can have on an individual. From Wikipedia again:

Sufferers can exhibit several symptoms including hopelessness, a decrease in experiences of pleasure, constant stress and anxiety, sleeplessness or nightmares, and a pervasive negative attitude. This can have detrimental effects on individuals, both professionally and personally, including a decrease in productivity, the inability to focus, and the development of new feelings of incompetency and self-doubt.

First, I don’t think our industry suffers from the last detrimental effect. It is brimming with egotistical idiots that never have those feelings, even if they should. Second, while I doubt anyone in our industry will suffer nightmares, the rest can and likely hold true to varying degrees. More specifically, hopelessness and a negative attitude. I will be the first to admit that I fall into this category when it comes to InfoSec. I have a serious level of apathy and disillusionment with the effectiveness of our industry. I have several draft blog posts on this topic and may finish one some day. All of the evidence is right there, showing we fail over and over in the bigger picture. Those who argue otherwise are idealists or new to the industry. Either they haven’t seen the evidence, or they refuse to believe it. It is easy to miss when you live the life. But there is a steady level of ‘systematic desensitization’ as @VRHax calls it, and that is spot on. For anecdotal comparison, think back to the frog in boiling water story, even if not true. It happens to us all, even if we aren’t fully cognizant of it.

While compassion fatigue can have a much more serious toll on some of the professions listed above, I believe that it likely has an interesting way to manifest for our industry. Rather than lose the desire to help, or feel it is hopeless, I think that it slowly wears down an individual in a different way. They lose that desire to help out of a truly noble cause, and inch toward doing it only for the salary and lifestyle that many of us enjoy. As such, they become hopeless as far as original intent, don’t enjoy their work as much, develop a base level of stress, and grow an increasingly negative attitude, yet do it because it pays well.

Unfortunately, when you join the industry, you aren’t warned about this to any degree.

If you volunteer at an animal rescue / rehabilitation shop, you are likely to be warned of this during your orientation on day one. And for good reason! When you spend your time trying to help a sick or wounded animal, do everything in your power to help it, and it doesn’t make it… it is devastating. That warning is what prompted me to read more on the topic originally, and it took Schneier’s blog to make me realize just how true it was in our industry, one that largely helps out of selfish gain rather than altruistic desire. So I am grateful for his blog missing the mark as usual, but doing so in a way that prompted this blog and discussion. Is there a solution to this, for InfoSec professionals? Not that I can figure out. Many that see the problem still operate under this assumption that we can magically fix things, if only we could figure out! They rarely give merit to the possibility we are in an untenable position and there is no way to win. Perhaps they should watch Star Trek again and consider the value of the Kabayashi Maru challenge. In the mean time, I will offer you a simple but slightly twisted way to help deal with compassion fatigue in our industry; by going outside of it. Dare to face it in another world while you help others unrelated to technology. I’ve found great reward in doing it every week, even if I may ultimately face the same problem.

2015-06-07-151123-Chip20150712_154604

Ruminations on David Weinstein’s “Ruminations on App CVEs”

[This was originally published on the OSVDB blog.]

David Weinstein, a researcher at NowSecure, has posted a blog titled “Ruminations on App CVEs“. Thanks to Will Dormann’s Tweet it came to our attention, and he is correct! We have opinions on this. Quoted material below is from Weinstein’s blog unless otherwise attributed.

CVE is well-positioned to play a critical role in tracking the risk level of mobile computing.

This is trivially to debate and counter in 2015. Until last year, CVE maintained a public list of sources that was virtually unchanged since its inception in 1999. After pressure from the public and the CVE Editorial Board, compromised of non-MITRE industry “advisors”, CVE revised their coverage policy and shifted to a new system of ‘full’ or ‘partial’ coverage based on the vendor, product, and/or vulnerability source. On the surface, this list looks promising, but upon any significant scrutiny, it is utterly lacking in adequate coverage. In order to head off complaints, their webpage even qualifies ‘full coverage’ sources by using the phrasing “nearly all issues disclosed” to “allow the flexibility to potentially postpone coverage of minor issues”.

In fact, Steve Christey may disagree with your assertion. In 2013, he posted to the VIM list saying:

Unfortunately, CVE can no longer guarantee full coverage of all public vulnerabilities… we are not well-prepared to handle the full volume of CVEs for all publicly-disclosed vulnerabilities… – Steve Christey, Editor of CVE

Given the 39,280 vulnerabilities we track that do not have a CVE assignment, assignment volume is specifically a problem for them. Further, the current state of CVE assignments is a disaster, and I have been in mails with CVE staff actively encouraging them to figure out the problem, as my now 27 day wait for three different CVE assignments is getting ridiculous.

However, CVEs have largely focused on tracking server-side and related flaws and yet the security community has evolved to track client-side vulnerabilities as a critical aspect of dealing with risk.

While I can’t offer you a set of handy statistics to back this claim, know that CVE, or their CNAs, assign identifiers to a considerable number of client applications. In fact, with the release of Apple iOS 9 yesterday, the public learned of 91 _new_ vulnerabilities affecting the platform, many of them client-side. I do not believe this statement to be a fair criticism of CVE’s assignment history and policy.

While CVE has worked well for tracking system flaws in mobile operating systems, there remain quirks with regard to mobile app flaws.

There are around 90 vulnerabilities in Google Android alone, that do not have CVE assignments, and that represents a fairly significant percentage overall. However, in this case we can’t blame CVE at all for this shortcoming, as the fault lies entirely with Google instead.

It seems like using CVE is the “right thing” here but MITRE has been very cryptic (in my opinion) about what qualifies as something that gets a CVE and what doesn’t. These discussions should not happen in some closed door meeting in my opinion, or at least should not end there…

First, please factor in that CVE and every other vulnerability database has gone through a world of headache, dealing with researchers who do not fully understand the concept of ‘crossing privilege boundaries’. The number of “not-a-vuln” vulnerability reports we see has skyrocketed this year. Further, even from individuals that are very technical, don’t always convey their information in terms that are easily understood. They clearly see a vulnerability, the report they send doesn’t show it to our eyes. It requires back-and-forth to figure it out and better understand the exact vulnerability. Bottom line, some are clear-cut cases and typically get a quick assignment. Other cases are murky at best.

Second, I fully agree that such a discussion should not be behind closed doors. At the very least, it should include the CVE editorial board, and ideally should include anyone in the industry who has an interest in it. If you want to bring up the discussion on the VIM mail list, which has over one hundred members, including at least one person from each of the major public vulnerability databases, please do.

Is MITRE consistently responding to other researchers’ requests for CVEs?

No. The turnaround time for requesting a CVE has gone up considerably. As mentioned above, I have been waiting for three assignments for almost one month now, while CVE assigned two others filed on the same day within hours. They are not currently consistent with the same researcher, even one familiar with CVE and their abstraction and assignment policy.

Attaching a CVE to a vulnerable app, even if it’s an old version, is actually a big part of tracking the reputation of the developer as well!

Just quoting to signal-boost this, as it is a very important comment, and absolutely true.

Who acts as a certified numbering authority (CNA) on behalf of all the app developers on the market?

Based on the current list of CNAs, there is no CNA that covers third-party apps really, regardless of platform. Also note that many CNAs are not currently fulfilling their duties properly, and I have been trying to address this with MITRE for months. There is no current policy on filing a complaint against a CNA, there is no method for warning or revoking CNA status, and MITRE has dropped the ball replying to me on several different threads on this topic.

Should Google step in here as a formal body to assist with coordinating CVEs etc for these apps?

Absolutely not. While they are positioned to be the ideal CNA, their history in CVE assignments has been dismal. Further, they have so many diverse products, each with their own mechanism for bug reporting (if one exists), own disclosure policy (if one exists), and disclosure method (which doesn’t exist for many). We can’t rely on Google to disclose the vulnerabilities, let alone act as a CNA for standardized and formalized ID assignment. Could Google fix this? Absolutely. They are obviously overflowing with brilliant individuals. However, this would require a central security body in the company that crosses all departments, and fulfills such a duty. Due to the volume of software and vulnerabilities they deal with, it would require a small team. The same kind that IBM, Cisco, and other large companies already stand up and have used for years.

Is the process MITRE established designed and prepared to handle the mountain of bugs that will be thrown at it when the community really focuses on this problem as we have?

No, as covered above. CVE is already backpedaling on coverage, and has been for a couple years. That does not give any level of comfort that they would be willing to, or even could handle such a workload.

Can the community better crowd source this effort with confirmation of vulnerability reporting in a more scalable and distributed manner that doesn’t place a single entity in a potentially critical path?

Possibly. However, in the context of mobile, Google is a better choice than crowd-sourcing via the community. The community largely doesn’t understand the standards and abstraction policy that helps define CVE and the value. Many CNAs do not either unfortunately, despite them being in the best position to handle such assignments. Moving to a model that relies on more trusted CNAs has merit, but it would also require better documentation and training from MITRE to ensure the CNA follows the standards.

Every vendor distributing an app on the Play Store should be required to provide a security related contact e.g., security@yourdomain.com

Except, statistically, I bet that not even half of them have a domain! The app stores are full of a wide variety of applications that are little more than a hobby of one person. They don’t get a web page or a formal anything. Given the raw number of apps, that is also a tall order. Maybe apps that enjoy a certain amount of success (via download count?) would then be subjected to such rules?

Google could be a little clearer about when security@android.com should be used for organized disclosure of bugs and consider taking a stronger position in the process.

Little clearer” is being more than generous. Remember, until a month or two ago, they had no formal place or process to make announcements of security updates. Disclosures related to Android have been all over the board and it is clear that Google has no process around it.

MITRE and/or whoever runs CVE these days should clarify what is appropriate for CVEs so that we know where we should be investing our efforts

Absolutely, and CVE’s documentation the last decade or more has not been properly updated. Having such documentation would also potentially cut down on their headache, as requests are made for issues clearly not a vulnerability. But newcomers to security research don’t have a well-written guide that explain it.

Should we pursue a decentralized CVE request process based on crowdsourcing and reputation?

I cannot begin to imagine what this would entail or what you have in mind. On the surface, won’t happen, won’t work.

Hopefully others in the industry chime in on this discussion, and again, I encourage you to take it to the CVE Editorial Board and the VIM list, to solicit feedback from more. I appreciate you bringing this topic up and getting it attention.