March 27, 2009

Hoff on Cloudastrophes

Chris Hoff has a very interesting post on the hype revolving around recent Cloud failures, but, reading the post, I couldn't find answers to a few small but important issues:

The Cloud model of business depends on highly available infrastructure running software and hardware covered by limited liability warranties. Carbonite may try to sue Promise, but anyone who reads the Limited Warranty offered by the vendor knows that Carbonite will have trouble getting any compensation for its losses beyond hardware costs. It is in fact a funny situation: Carbonite's SLA with its customers governs service availability, while its contract with its technology providers offers no warranty of that sort.

BTW: The Carbonite lawsuit against Promise is a perfect example of why bugs are negative externalities (and why the "No more free bugs" initiative is indeed a positive shift.)

Another interesting point is the reference to the IBM Cloud Certification Program; certainly one of the weirdest ideas I've ever heard, but probably a great marketing opportunity... Let's start with the basic question: who would hire IBM, the Cloud customer or the Cloud provider? And, hey, it is an IT service provider auditing others…

If the customer is responsible for the hire, it would be incurring expenses that would later be used as marketing by the cloud provider. Not to mention the issue of having an ITO provider auditing its competitors. I can tell you from my own experience that it is possible to audit your competitor on behalf of a common customer, but it is a hell of a weird situation where results are below optimal, not to mention the clear conflict of interest…

So, the most probable outcome will be the Cloud provider hiring the certification agent, as currently happens with ISO standards such as 27001, 9000, etc. Oh gosh, so after the PCI conundrum are we set for the "ISO/IEC XTC for Cloud Computing Quality Management System"? Freaky! VERY freaky! Think PCI! Now think Heartland! And now think RBS! Now try to go to sleep…



March 25, 2009

To be or not to be… an information security “professional”

What makes a professional? Is it the income one earns? The knowledge one holds? The code of ethics one subscribes to? Maybe a title one holds?

Most of us "security professionals" are members of, and subscribers to the "Code of Ethics" of, at least one information security related body, such as the ISC2, ISACA or the ISSA; as such, we commit to being "professionals", but curiously enough one question is seldom raised: what does it mean to be a professional?

Looking at the CISSP Prep Guide Golden Edition or similar material, you notice the cookie-cutter approach so common in certification preparation material, but surprisingly enough discussions about the subject are still rare, and few of the certified practitioners seem to understand the implications of being a "professional".

But if the definitions of profession and professional are already concerning, even more concerning is the lack of debate on what professionalization means to the information security market. In fact, most certified practitioners believe professionalization will lead to higher quality standards for the work conducted by their peers. Still, the current market situation seems to prove the opposite.

The market we are part of is almost a circus, where one can easily find heralds of fear, compliance preachers, soldiers of fortune, marketers, über-hackers obsessed with the latest vulnerability research and risk gurus who know absolutely nothing about threats.

But what if the circus is actually healthy? Perhaps it is, especially because I can't shake the impression that information security isn't a science but an art, where creativity is vital.

Sadly, during the process of professionalization and occupational closure, the definition of a core body of knowledge and learning path is built at the expense of a greater range of experiences and opinions. The suppression of diversity creates a more cohesive labor force, but also creates professionals with less experience from areas other than IT, or, as William Barrett points out, the more specialized a professional, the sharper the focus and the shorter the sight.

So instead of pushing towards professionalization, we should seek exactly the opposite: looking into other fields, promoting new ideas.

We depend more on the ingenuity of the criminal than on the resourcefulness of the security specialist, but we can still try to forecast the troubles.



PS: It is important to point out that this is not a critique of the certification industry itself, but of the aspiration of certain professionals in the industry to frame it within certain parameters. As an unconventional friend of mine once said (in Portuguese), certifications are a useful way of setting learning targets (as much as a degree is).

March 24, 2009

Charge, charge all you can, save some bucks and be happy.

Let's put it clearly: I am a supporter of full disclosure; after all, criminals have the motivation to find bugs and keep them to themselves.

But I must also say that I fully support the point defended by Dino Dai Zovi and some of our peers when they say that researching security bugs should be a paid job.

As Camp and Wolfram noted, bugs can be considered negative externalities, in this case a situation where the producer's weak quality control has negative "economic consequences for others for which there is no compensation". At the same time, economists agree that the originator of a negative externality will not take it into consideration unless prevented or discouraged, therefore producing more faulty software than it would had it had to pay the cost of testing it.

The problem isn't Dino Dai Zovi's belief that he should be paid; he should. If he doesn't charge, companies will keep doing wrong and shipping improperly coded software under the cloak of "innovation". It is also not about greed; after all, competition tends to reduce Dino's profit, no wonder the brilliant researcher is chasing after other subjects.

The problem is the lack of transparency on the vulnerability exchange markets.

Who buys the vulnerabilities? For what purpose?

Well… I'm not sure we want the answers.

March 22, 2009

I want to be a security futurologist; does anyone have a job to offer me?

In the future there will be two different types of illiteracy: those who are unable to read and those who are unable to use computers.

Do you agree? Well, nowadays the sentence is a cliché, but imagine yourself spending your childhood hearing this exact sentence. No, I wasn't raised by Arthur Luehrmann; I guess the issue is that my mom quickly realized that, despite the modest adoption of computers in South America before the 90s, computing was the future and LOGO was the first step... (oh gosh, better change the subject).

Back in 2000, at CFSEC Security Architects, I noticed the rise of Windows-based Automated Teller Machines and speculated that the creation of ATM-specific worms would follow. My assumption was that although ATMs are usually deployed on separate networks, criminals would be able to bypass the segregation by collusion or by attacking fragile elements of the network, such as the communication facilities used by standalone lobby cash dispensers. The idealized concept was a worm able to instruct De La Rue Talaris cash dispensers to "spit money" out of the ATM cash cassettes or to dynamically reassign the denominations of the cassettes in the ATM system.

The first feature was clearly influenced by the movies, while the second originated from a Brazilian student tale about an incident where an ATM started dispensing bills incorrectly and customers formed a long queue to withdraw $20 and instead receive two $50 bills. The ATM was said to be located at UFRJ's Computer Science building.

The concept led to a series of interesting off-the-record discussions with people from the banking industry but failed to go mainstream until... last week, when The Register reported on the discovery by Sophos of malware targeting ATMs, and another of my bizarre ideas became reality.

Sadly enough, the malware failed to achieve cinematographic status, relying instead on an effective but still boring strategy:

The malware just recorded the details of cards used on the ATM.

Blah... :-)

March 15, 2009

The PCI DSS saga

The polemical Ayn Rand once wrote:

"If there is any one way to confess one's own mediocrity, it is the willingness to place one's work in the absolute power of a group, particularly a group of one's professional colleagues. Of any form of tyranny, this is the worst: it is directed against a single human attribute: the mind – and against a single enemy: the innovator. The innovator, by definition, is the man who challenges the established practices of his profession. To grant a professional monopoly to any group is to sacrifice human ability and abolish progress; to advocate such a monopoly is to confess that one has nothing to sacrifice."

Those who want PCI DSS to be more prescriptive should reflect on what they want.

The same applies to those who think PCI DSS is fine as it is.

More about Rand's words soon.

March 11, 2009

The Cloud and the security buzzwords

Since the beginning of the industrial revolution, industrial society has passed through a huge number of changes, from the limitation of child labor in Western societies to the introduction of the production line by Ford, passing by the popularization and ongoing decline of the mass newspaper industry. I wonder whether the buzzword malady was also a reality for the early workers and capitalists. Probably yes.

At the moment few buzzwords are more shocking to me than the idea that SaaS and Cloud security are anything other than plain old security. I confess I try, but every time I stop to read the general discussion about the three subjects I notice a gigantic amount of… well… nothing.

I really try, but I can't read Chris Hoff's idea of Economic Denial of Sustainability and see it as something new. In fact, the model Hoff uses to present his concept is a clear and very smart case of DoS done the right way, but calling it by other names may sound brilliant to some and silly to others.

Those who are old enough in the industry will remember that Cray supercomputers were an idealized target for hackers seeking to crack passwords, but once the hacker succeeded in getting an account, he would face the challenge of dealing with a large number of users totally obsessed with their CPU quota consumption. And if this is not convincing enough, I remind you that even Gus Gorman discovered how to achieve "death by 1000 cuts" long before Chris would craft the EDoS term!

And since Chris talks about economics, we had better start with Microeconomics 101 and remember that scarcity is one of the bases of current economic thinking; so in fact every DDoS attack is an attack on scarce resources. The point is that people in our industry focus on the link and the CPU, but business-wise the question is one and only one: does the hassle (of being online) cost less than the benefit achieved?

Would you call a company's attempt to take over human capital from a competitor EDoS? I guess most of us would call it business as usual, in the same way that keeping control of the CPU quota was business as usual for the supercomputer users.

But Hoff's EDoS concept is also a very good attempt to think outside the box. My problem with his idea emerges not from the concept itself but from the attempt to create a new class of attacks within the scope of "cloud security", a classic buzzwording attempt.

My impression is that things like cloud security come from the industry's habit of seeing security problems with too much focus on technology, and of projecting our own cultural perspectives onto the interpretation of the circumstances. These are people inventing magical solutions to fix models that are confused from inception and may not survive the next decades.

It is sad to say, but I have a feeling that the "professionalization" of the security practice is starting to show the disadvantages of specialization, or, as put by William Barrett, "the more specialized… the more nearly total the blind spot toward all things that lie on the periphery of this focus". No wonder a large part of the industry fails to identify the cloud and SaaS as new names for a business model that has come and gone in the IT industry several times over the previous years.

Buzzwords are becoming more and more deep-rooted in the information security leadership, and this is concerning; after all, even students of Microeconomics 101 learn that when advertising leads to increased monopoly power or is self-canceling, the consequence is good old economic inefficiency.

March 10, 2009

We told you so… AGAIN?! (x 2!)

We realized it, we submitted it and we presented it; still, the antivirus provider market proved once again why it is frequently spotted lagging behind the creativity of malware creators. Conficker seems to be the first botnet engineered with the PRNG idea we (Barros, Fucs & Pereira) presented at Black Hat Europe 2007. This isn't all; at the bottom of the Symantec Security Response Blog post, they explain:

"As we have said previously, the authors of Downadup are not beginners and they may have the feeling that someone—sooner or later—would break their domain prediction algorithm. So, to avoid losing their botnet, they put a secondary (strong) protection into the threat, which makes it impossible for anyone (other than the original authors) to upload new malicious components onto compromised machines."

Symantec still has not released details, but I guess that Conficker also introduced the use of digital signatures to ensure the integrity of, and, why not, authenticate, the content downloaded by the bot.

The idea did not come out of the blue, and I hate to sound smug, but it was also presented by us… :-)

Botnets – and P2P if that matters – lacked security features to ensure their longevity. We presented 4 main concepts that would emerge as solutions to existing issues in botnet design:

  • Modularity, including the use of XML based commands;
  • Peer 2 Peer communications;
  • Public key encryption, including support for digitally signed command messages;
  • One time tokens used to identify command pages scattered over the network.

Still, despite our alert, the antivirus emergency teams were quite surprised by the emergence of the new generation of the Conficker malware.

It may sound obvious, but I have reasons to believe that the use of pseudo-random C&C tends to replace the now highly ineffective IRC channel control; however, unlike the Conficker approach of using domain names, the C&C centre will rely on some other form of reasonably unrestricted traffic channel.

It is hard to guess with precision, but I would not be surprised by an attempt to use Google Apps, SSL or another DNS approach using alternative DNS root servers in the near future. Each of these approaches has its own limitations, and I'm sure the botnet designers will soon get to the point where only a hybrid multigenerational P2P botnet[*] will be able to circumvent these limitations.

One possibility that flashes in my mind is that the Conficker designers preferred DNS domains for three main reasons: the first is that DNS traffic is largely unrestricted; the second was an expectation that ICANN would not be able to react quickly to the issue; and the third the simple flexibility of the DNS protocol.
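The flip side of the pseudo-random domain design above is what it leaves in the resolver logs: a bot walking its predicted domain list mostly gets NXDOMAIN answers for names no human would type. The following is an added example written for this page, not code from the post or from the Black Hat talk; the log format, addresses and names are constructed, and the lexical heuristic is a triage rule of my own, not a Conficker signature.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the post): timestamp,
# client, queried name, response code. Client 10.1.2.7 walks a list of
# random-looking names that do not resolve, as a bot probing its
# predicted rendezvous domains would.
SAMPLE_DNS_LOG = """\
2009-03-10T09:36:01 10.1.2.3 www.example.com NOERROR
2009-03-10T09:36:02 10.1.2.3 mail.example.com NOERROR
2009-03-10T09:36:05 10.1.2.7 qwpzjxkvtb.net NXDOMAIN
2009-03-10T09:36:05 10.1.2.7 hzvmqlrpwk.org NXDOMAIN
2009-03-10T09:36:06 10.1.2.7 xkqjzvbpt.com NXDOMAIN
2009-03-10T09:36:06 10.1.2.7 rwplzqvkdm.biz NXDOMAIN
2009-03-10T09:36:07 10.1.2.7 vjzkqxwbfp.info NXDOMAIN
2009-03-10T09:36:08 10.1.2.9 blog.example.org NOERROR
2009-03-10T09:36:09 10.1.2.9 typo-examplee.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")
VOWELS = set("aeiouy")

def second_level_label(name):
    """Label directly under the TLD: 'example' for 'www.example.com'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label):
    """Lexical triage for generated labels (letters only, vowel-poor, long
    consonant runs); misfires on some real words, so pair it with volume."""
    if not label.isalpha() or len(label) < 6:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    runs = re.findall(r"[^aeiouy]+", label)
    longest_run = max((len(r) for r in runs), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5

def flag_clients(log_text, threshold=3):
    """Per client, count NXDOMAIN answers for generated-looking names and
    return those at or above the threshold with the names they tried."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _, client, name, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(second_level_label(name)):
            hits[client].append(name)
    return {c: names for c, names in hits.items() if len(names) >= threshold}
```

Run against the sample, `flag_clients(SAMPLE_DNS_LOG)` reports only 10.1.2.7 with its five failed lookups; the single typo from 10.1.2.9 stays below the threshold and contains a hyphen, so it is never counted.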

Fact is that we all know where botnet design is moving to, but a question remains: are the antivirus development teams already working on it?

Only God knows…


[*] What a hell of a long name for a P2P botnet that still lightly relies on seeding SPoFs to wake up, but is able to continue talking with previous generations of the botnet on a P2P basis... exactly like... Conficker! :)

Update I: A post from SRI confirms the use of signed binaries by the Conficker bot to check downloaded executables. (10 Mar 2009 @ 9:36 GMT)