It's time for me to don my grumpy old man pants and have a whinge about how the attention of the mainstream media is like a kitten with a glittery bauble: running all over the place chasing the flashy and the new instead of focusing on the real issues. This is by no means an issue confined to computer security, it happens in all fields, but computer security is what I'm going to focus on.
I'd like to run through a few examples, each pairing an incident that got a lot of media coverage with a comparable one that got almost none.
Ashley Madison Vs Office of Personnel Management
Both were disclosed about a month apart. The OPM breach sort of made it into the mainstream press (in Australia at least) but was treated as a non-event, despite the fact that a significant amount of very personal information was leaked about tens of millions of people. It was not just information about personnel that leaked, but details of their friends, family and even neighbours. There was a recent update that over 5 million fingerprints were lost; in a world where we are using our fingerprints to unlock smartphones, this is a serious issue[1].
Meanwhile the Ashley Madison breach was announced and it was a media frenzy. Stories were running wild because of the saucy nature of the site. There were announcers[2] on the mainstream TV and radio stations giving the story a good run in peak times.
Heartbleed Vs CVE-2015-0093
The odds are pretty good you won't even know what CVE-2015-0093 is unless you look it up, and that's completely understandable. Unlike Heartbleed it did not have its own fancy name, logo, dedicated website and PR campaign. I heard ridiculous terms bandied about with Heartbleed, even from reputable names like Bruce Schneier, who said:
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Yet if I were to read the two CVEs cold, having never seen any of the hype at all:
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093.
I wonder which I'd be more worried about: the remote code execution as root from simply viewing[3] a font that could be embedded in a web page or PDF (regardless of the browser or PDF viewer used), or the information disclosure bug that could leak any data (including private keys) that was in memory. The Adobe Font Driver bug just got a CVE and a patch without making headlines, although there was an incredibly in-depth write-up over at Project Zero if you're interested.
Now I want to be clear here: Heartbleed was a very serious bug. It affected a huge percentage of internet-facing infrastructure, will show up in unexpected (and hard to patch) locations for years to come, was very easy to exploit and had fairly serious ramifications. But I don't think it would have got even a tenth of the media coverage it did without the massive PR campaign behind it.
The "Unhackable Kernel" Vs WordPress 3.7+ Background Updates
The "Unhackable Kernel" was the thing that triggered this whole rant. I turned on the radio the other day and a pop science show came on with a couple of guys talking about how the University of New South Wales had developed an "unhackable operating system[4]", how all our security problems would be solved in the next couple of years as this thing gets rolled out, and wouldn't it have been great if Ashley Madison had been using it, it could have stopped that breach. Now I want to be careful not to rip into the wrong people here. The seL4 project is very interesting research that is just starting to have some real-world practical applications. It's done by some very smart and reasonable people who genuinely understand security. From their FAQ:
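The CVE text above describes Heartbleed as a buffer over-read triggered by crafted Heartbeat packets. The following is an added illustration, written for this page and not code from OpenSSL or from the author, of why that one missing length check mattered and what the fix looks like. It uses a constructed heartbeat request laid out in a small simulated memory arena with a constructed "secret" placed after the bytes that actually arrived; the arena, the secret string and the handler names are all assumptions for the demonstration, and every read stays inside the arena so the program is well-defined C rather than a real out-of-bounds read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout of a TLS heartbeat message body (after the record header):
 *   byte 0    : HeartbeatMessageType (1 = request)
 *   bytes 1-2 : payload_length, big-endian, taken straight from the peer
 *   bytes 3.. : payload, followed by at least 16 bytes of padding
 * The record layer separately tells the handler how many bytes really arrived. */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Simulated process memory: the request sits at the start, and a constructed
 * secret follows it, standing in for whatever happened to be adjacent on the
 * heap. RESP_MAX keeps even the unchecked copy inside this arena. */
#define ARENA_SIZE 64
#define RESP_MAX (ARENA_SIZE - 3)
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----"; /* constructed */

/* Build a request carrying a 3-byte payload "abc" but a claimed payload_length
 * of `claimed`. Returns the number of bytes that actually arrived on the wire. */
static size_t build_request(uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(&arena[3], "abc", 3);
    size_t wire_len = 1 + 2 + 3 + HB_PADDING;   /* padding bytes are already zero */
    memcpy(&arena[wire_len], secret, sizeof secret); /* "adjacent heap" contents */
    return wire_len;
}

/* Vulnerable shape: trust payload_length from the packet and echo that many
 * bytes back, regardless of how many arrived. */
static size_t respond_unchecked(size_t wire_len, unsigned char *out, size_t out_cap) {
    (void)wire_len;                                /* never consulted: that is the bug */
    size_t payload_len = (size_t)((arena[1] << 8) | arena[2]);
    if (payload_len > out_cap) payload_len = out_cap; /* demo-only clamp, stays in arena */
    memcpy(out, &arena[3], payload_len);
    return payload_len;
}

/* Fixed shape: reject any request whose claimed payload plus header and
 * padding exceeds what actually arrived, and return nothing at all. */
static size_t respond_checked(size_t wire_len, unsigned char *out, size_t out_cap) {
    if (wire_len < 1 + 2 + HB_PADDING) return 0;  /* too short to be a valid message */
    size_t payload_len = (size_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + payload_len + HB_PADDING > wire_len) return 0; /* discard silently */
    if (payload_len > out_cap) return 0;
    memcpy(out, &arena[3], payload_len);
    return payload_len;
}

/* Returns 1 if the response bytes contain the constructed secret. */
static int leaks_secret(const unsigned char *resp, size_t n) {
    size_t slen = strlen(secret);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

/* Run one handler on a request claiming `claimed` payload bytes and report
 * whether the secret ended up in the response. */
static int leaks_for(uint16_t claimed, int use_check) {
    unsigned char resp[RESP_MAX];
    size_t wire = build_request(claimed);
    size_t n = use_check ? respond_checked(wire, resp, sizeof resp)
                         : respond_unchecked(wire, resp, sizeof resp);
    return leaks_secret(resp, n);
}

int main(void) {
    printf("claimed 60, unchecked handler leaks secret: %d\n", leaks_for(60, 0));
    printf("claimed 60, checked handler leaks secret:   %d\n", leaks_for(60, 1));
    printf("honest 3-byte request, checked handler:     %d\n", leaks_for(3, 1));
    return 0;
}
```

The only difference between the two handlers is the comparison of the peer-supplied length against the length the record layer actually delivered; an honest request (claimed length 3) passes the check and is echoed normally, while an over-long claim is dropped. Nothing about the demonstration depends on TLS itself, which is why the same pattern shows up in any parser that trusts a length field.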
If I run seL4, is my system secure?
Not automatically, no. Security is a question that spans the whole system, including its human parts. An OS kernel, verified or not, does not automatically make a system secure. In fact, any system, no matter how secure, can be used in insecure ways.
I'm not sure what happened, whether it was an over-enthusiastic press release or a media group's misunderstanding, but it's been getting a fair bit of traction.
Meanwhile, many great wins for security happen every day with real-world effects, like when WordPress switched on automatic security updates in 3.7. They removed one of the top causes of websites getting hacked and defaced, and there was hardly a peep from the media. In fact, from their release notes:
"You might not notice a thing, and we’re okay with that."
Charlie Miller and Chris Valasek 2013 Vs Charlie Miller and Chris Valasek 2015
In 2013 Charlie Miller and Chris Valasek presented at DEF CON 21, and then again at DEF CON 23. Now admittedly the bugs they were talking about at DEF CON 23 were more interesting, but the underlying vulnerability (that you can get to the CAN bus and reflash chips from the entertainment system) didn't really change. The first response could largely be summed up as "Meh, you need physical access to do any of that stuff, and if you had physical access you could just slash the tires or whatever... Come back when you have something real to show us." It was referred to as "Junk Hacking". Then, before DEF CON 23, they disabled the brakes on Andy Greenberg while he was driving a Jeep down the highway. They got an amazing write-up, and suddenly the response could be summed up with the headline "Patch your Chrysler vehicle before hackers kill you".
There is now a class action lawsuit about this, but the real vulnerability (or at least the one addressed by the suit), that the CAN bus should never have been physically connected to the entertainment system, is not something new. The new part is the PR drama.
Now I understand that journalists write what people want to read. I understand that a big PR splash can help get bugs fixed. But that doesn't mean I have to like it.
[1] Unlike passwords, you can't just reset your fingerprint after it gets leaked.
[2] With an almost comical lack of understanding of even basic IT.
[3] I believe you don't even need to "view" the font, just load it into memory, to trigger this vulnerability. So potentially it could affect a headless box that was parsing PDFs.
[4] Not just a kernel any more but a full-blown OS; it's amazing how these rumours grow.