White House Lures Mudge From Google To Launch Cyber UL
chicksdaddy writes: The Obama White House has tapped famed hacker Peiter Zatko (aka "Mudge") to head up a new project aimed at developing an "underwriters' lab" for cyber security. The new organization would function as an independent, non-profit entity designed to assess the security strengths and weaknesses of products and publish the results of its tests.
Zatko is a famed hacker and security luminary, who cut his teeth with the Boston-based hacker collective The L0pht in the 1990s before moving on to work in private industry and, then, to become a program manager at DARPA in 2010. Though known for keeping a low profile, his scruffy visage (circa 1998) graced the pages of the Washington Post in a recent piece that remembered testimony that Mudge and other L0pht members gave to Congress about the dangers posed by insecure software.
Publishing results? (Score:1)
I don't think so, not without very heavy handed censorship, which the 'industry' will demand, and will turn this into a paper tiger, saying nothing more than, *We take security very seriously, and the perpetrators will be caught* in their press releases.
Good luck with that... (Score:2)
Re:Good luck with that... (Score:4, Insightful)
I wish them luck. Security is less of a "can't" thing as opposed to a "not worth the trouble" item.
The fundamentals are widely known, and were in place for ages -- use private WANs (although settling for Private IP MPLS networks is better than nothing) for traffic that should not be on the Net, use basic firewalling, run an IDS/IPS.
On the system level, SIEM is a big thing. Had Sony had AD policies that alerted if passwords were being guessed and locked accounts (even if the lockout time is just 1-5 minutes), the intrusion would have been mitigated.
Yes, the enterprise stuff is costly, but on the SOHO/SMB level, one can easily use a PC as a decent firewall, either using Windows Server 2012 and RRAS or a UNIX and its innate routing capabilities. There are open source tools (snort, nagios) for IDS/IPS work, and for logs, Splunk, SolarWinds, or GrayLog.
Next to will, there is the fact that competent computer security people are rare. For every clued person, there are at least ten suit wearing chatter monkeys who are willing to sell some "solution".
I still wonder if the answer is something similar to the Great Firewall of China, but this is a double-edged technology. However, the good side is that it could be used to break international botnets as well as block known malware origination sites via IP until the IP owner cleans their mess. This way, there are far fewer attacks actually hitting sites inside the US, and it would force intruders to compromise domestic machines. Of course, the bad thing is that it could easily be a censorship tool, just like China's version.
Even a UL stamp for sites that do parameterized SQL injection would be an improvement over today's utter lack of standards. Add to that a browser-based warning for sites without a UL stamp and you've reduced XSS attacks.
Security is so bad that small improvements can make big differences.
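An added example, not code from the thread or any commenter, of the alert-and-lock logic the comment above describes: it runs over constructed logon records in an assumed "timestamp user result source" format, raises an alert when one account accumulates five failures inside a five-minute window, and locks the account for five minutes, during which even a correct password is refused.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the page): a password-guessing burst
# against jsmith that finally succeeds, then two isolated failures for mlee.
SAMPLE_LOG = """\
2014-11-20T02:00:01 jsmith FAIL 10.0.0.8
2014-11-20T02:00:03 jsmith FAIL 10.0.0.8
2014-11-20T02:00:05 jsmith FAIL 10.0.0.8
2014-11-20T02:00:07 jsmith FAIL 10.0.0.8
2014-11-20T02:00:09 jsmith FAIL 10.0.0.8
2014-11-20T02:00:11 jsmith SUCCESS 10.0.0.8
2014-11-20T02:05:30 jsmith SUCCESS 10.0.0.8
2014-11-20T02:10:00 mlee FAIL 10.0.0.9
2014-11-20T02:40:00 mlee FAIL 10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|SUCCESS) (\S+)$")


def process_log(text, threshold=5, window=timedelta(minutes=5),
                lockout=timedelta(minutes=5)):
    """Replay logon records in order. Returns (alerts, denied):
    alerts: (timestamp, user, source, failure_count) when the threshold trips;
    denied: (timestamp, user, result) for attempts refused during a lockout."""
    fails = defaultdict(deque)   # per-user failure timestamps inside the window
    locked_until = {}            # per-user lockout expiry
    alerts, denied = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        user, result, src = m.group(2), m.group(3), m.group(4)
        # An active lockout refuses every attempt, correct password or not.
        if user in locked_until and ts < locked_until[user]:
            denied.append((ts.isoformat(), user, result))
            continue
        if result == "SUCCESS":
            fails[user].clear()  # a legitimate logon resets the counter
            continue
        q = fails[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked_until[user] = ts + lockout
            alerts.append((ts.isoformat(), user, src, len(q)))
            q.clear()
    return alerts, denied
```

The guessed password on the sixth jsmith line is rejected because the lockout is still in force, which is the point the comment makes about even a short lockout blunting a guessing run.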
Re: (Score:3)
True. Right now, -anything- is better than what we have now, as it is hard to fall off the floor.
The only real way I see security improving is if insurance companies start mandating some security guidelines. May not be PCI-DSS3 strict, but with some semblance of auditing and accountability. Businesses have basic guidelines for physical asset protection (alarm on building, sprinklers, locks on the door, deposit safe), and if insurance demands they have computer and network protection, it would be one of t
Difficulties... (Score:2)
Well one, it's bad enough for a single company to have their 'security' teams meaningfully assess the security beyond the obvious. Good security really has to be ingrained throughout the process.
The obvious security issues that something like a 'CyberUL' would catch are generally not the issues. The problem is that once a new issue is discovered, the existing install base is not updated. Either because updates are available but IT teams are slack, or because everyone has jumped on the bandwagon of usi
Products not organizations (Score:2)
This organization would just be responsible for verifying that software is secure, not than an organization is secure. Just like you can still electrocute yourself with a UL listed device if you insist on using it in an unsafe manner, it will be entirely possible for organizations to use CyberUL software in horribly insecure ways. The point of the listing is just to verify that the software can be used securely, if you keep it patched and use it correctly.
Re: (Score:2)
This organization would just be responsible for verifying that software is secure
That was my assumption going in. I'm saying that 'verifying that software is secure' is a complex beast that I don't think is such a trivial undertaking. I was thinking of a company that has a 'development' team and a 'security' team, which I have experience in. The security team generally devolves into effectively black box testing of a system without understanding the real purpose and potentially fishy stuff going on internally that will pave the way to future vulnerabilities. CyberUL would be in thos
key based auth (Score:2)
Why not use key based auth instead of password based?
Probably for the same reasons that crypto email never worked out, but I wish it were an option on things like banking websites.
I'm now using a password manager, so I can use pretty hard passwords without having to try to remember them. But using signed certs would be much much stronger still.
"The L0pht"? (Score:1)
I thought it was "L0pht Heavy Industries"? Good times, good times.
No comparison to UL (Score:2)
There is an important difference between any government agency and UL. UL's product safety standards are developed in partnership with those who produce the products and with other safety agencies, notably IEC and CSA. This brings credibility, skill, and independence into play.
For government officials the desire to be seen "doing something" favors haste and visibility rather than long term effectiveness. UL's primary focus is product safety, not favorable media coverage.