I spent a lot of time trying to think about what to write for a BlueHat pre-conference blog entry and had a pretty hard time focusing on one topic. To handle this, I decided to comment on the state of security.
While I’ve found plenty of things to be excited about with security, including improved awareness, ~~~~enhanced vendor responsiveness to issues (although some still lag behind), increasing global awareness of security concerns, etc., I’ve still found plenty of things to be concerned about.
Security problems of our past rarely disappear for good. You have new progress all the time… new types of bugs, new ways of combating old problems… but you also have old problems coming back into play.
See the GIFAR/Content Ownership stuff, multiple blended threats, hypervisor-based attacks, Clickjacking, Dowd’s null pointer exploit, etc., as new attack vectors. ASLR/DEP (whatever else you want to call it) memory protections as a new defense (and of course, Dowd and Sotirov’s mad hotness to bypass these mitigations).
See Dan’s nasty DNS vulnerability, the SNMP vulnerability, IP stack flaw, etc., as examples of old concerns coming back into play (in dramatic fashion as well). Shoot, there was even a directory traversal flaw recently on Apache Tomcat that reminded me of the old Unicode IIS flaw.
It’s concerning that we can’t get passed the vulnerabilities of our past. Of course, things keep moving on as well. New technologies have created a wider threat landscape than ever before. Mobile devices, virtualization, and technologies of the future will provide us new challenges. I recently had a client plead with me about virtualized environments saying, “If we can’t even secure our physical machines that we can see and touch, how the heck are we going to secure a virtual one that could actually be removed from our company via the network?” A great question, to which I had little in the way of answers.
I will say that while I’m concerned about the cyclical nature of security vulnerability and the potential for even greater vulnerabilities in new technology, I won’t be the one to stop innovation, and I’m excited about all of these new technologies. As security researchers/professionals/consultants/whatever, we have to remain vigilant and strive to find vulnerabilities before those who would use them against us. I’m very excited about what I see with security research from a global aspect. I was fortunate enough to speak at Black Hat Japan in Tokyo this year. Beyond the wonderful hospitality of the people of Tokyo, I was also impressed by a few of the native Japanese speakers and what they brought to the table. Some of the discussion around Japanese-based character encoding brought up some interesting research thoughts for myself.
I doubt that research and new defense technologies will ever outpace the growth of new technology and new threats. I also doubt that we’ll be able to prevent old concerns from coming back to life, but we’re on the verge of making major strides here. Security is, as always, an arms race… it’s one we might never win completely, but maybe we can catch up a good deal if we stay vigilant.
-Nate Mcfeters, Ernst & Young