Master iPhone hacker Charlie Miller will be giving the keynote speech, which will be about why the bad guys are winning, at NATO's International Conference on Cyber Conflict.
Security
researcher Charlie Miller will deliver the keynote speech June 9 at the International
Conference on Cyber Conflict. The conference, in its third year, is sponsored
by the NATO Cooperative Cyber Defence Center of Excellence and will take place
in Estonia.
Miller's
keynote, entitled "Why the Bad Guys are Winning the InfoSec War," will use the
recent security breaches at PBS.org, RSA Security and
HBGary Federal as examples, Miller told
eWEEK. Miller analyzed recent events and
determined that the common denominator across all the incidents was unknown
vulnerabilities and zero-day exploits.
"You are doing
everything right, but the bad guys are coming in because they know about
vulnerabilities no one else does," Miller said.
Enterprises
and governments for the most part have been doing security long enough that
they know they have to keep their systems patched. But when most attacks involve
a zero-day exploit, no patch is available. Organizations don't even know they
are vulnerable, Miller said.
In the case of
PBS.org, Lulz Security, a group of
cyber-pranksters usually out for laughs (or lolz) did not like the way
whistleblower site WikiLeaks was portrayed in the Frontline documentary
WikiSecrets. They uncovered a zero-day vulnerability in Movable Type 4, the
content-management system used by PBS, and broke in, defacing the site and
posting a fake news story about Tupac Shakur supposedly being alive.
Miller blamed
the software vendors for the situation. Companies are shipping products with bugs
and issues they haven't fixed, and the ones suffering for it are the customers
and end users, Miller said. The malicious Excel spreadsheet that attackers used
to exploit a zero-day vulnerability in Flash did not affect Microsoft or Adobe,
but instead,
RSA Security, back in March, Miller said.
The company
that actually makes the software has little incentive to make the investment to
ship bug-free code, according to Miller. It's difficult and expensive to write
secure code. As long as companies don't see a direct benefit to being secure,
they won't spend the extra time, resources and money to address bugs.
Companies like
Microsoft and Apple should be focusing on better coding practices and check for
bugs during development. Before the product ships, they should have a security
team or outside researchers come in as consultants to help look for bugs in the
code, according to Miller.
Miller also
suggested that the software industry and its customers have to give some
incentive for researchers and security consultants to devote their time and
effort to looking for security holes and then reporting them to the vendors.
"Researchers can report to the company and get their names on a Website when
the patch comes out, or they can sell it to a bad guy on the black market and
make some money," Miller said. "We shouldn't be putting people in that position
to have to choose in the first place," said Miller.
Miller said a
bounty program like the one Google has for its Chrome Web browser is a step in
the right direction because it gives researchers incentive to look for and
report issues.
The battle is
harder for the software vendors to fight, since they have to ensure every bug
is addressed, while the attackers just have to find one, according to Miller.
Attackers
aren't using all the exploits they find at once, either. Many of them hold
zero-day vulnerabilities in reserve so that they always have a backup attack
method to fall back on after the company fixes the flaws that come to light.
Miller cited
some statistics from an organization that does penetration testing. The average
lifespan of a zero-day vulnerability is 348 days, Miller said. That is, it
takes nearly a year for a zero-day to be patched from the day it is reported.
The fastest a zero-day that an organization reported got fixed was 99 days, and
the slowest was over three years, according to Miller.
If companies
were doing a better job testing and fixing bugs before shipping each new
version, it would be "harder to hang onto the zero-day," Miller said.
Miller is
currently a principal research consultant for Accuvant Labs, a company that
specializes in penetration testing, application and enterprise security
assessments, and vulnerability research. Miller is also well-known for hacking
Apple products. He co-wrote The Mac Hacker's Handbook with Dai Zovi and has won
three
Pwn2Own contests at CanSecWest for successfully
compromising up-to-date, fully patched MacOS X systems and iPhones.
Email
Print
