Dan Geer, one of the foremost leaders in the field of security metrics and security economics, recently gave a keynote address at the Source Boston Information Security Conference. Sadly I was not able to attend the conference due to prior commitments; however, I did take the time to read the transcript of the keynote. Now, I'm not generally one for discussing the theoretical merits of the information security field; instead I tend to find myself a bit more grounded in the practical research areas of our particular corner of it. Because of this sentiment I read the keynote with much trepidation. To the average person, Dr. Geer is best known for publishing the paper "Cyberinsecurity: The Cost of Monopoly", which got him fired by his (and, at the time, my) employer. In that paper he discusses the monoculture of today's enterprise computing infrastructures and the dangers of a monoculture, drawing on evidence from biology. The keynote takes a much higher-level point of view than the paper, but many of the same points from his previous work are reinforced.
The keynote contained many quotable moments that make even the most casual reader say "Wow, that's cool".
"On this basis and others, bot-nets are a life form."
"Patching behavior is precisely like radioactive decay -- in each succeeding interval, half of the then unpatched machines are patched and, in any case, 80% of exploits appear within the first half-life of patch-announced vulnerability and wreak 85% of their damage in the first fortnight."
And my favorite of the quotes (that I will most likely use myself in the future):
"defense in depth is simply a referendum on your willingness to spend money for layers; it is rarely, if at all, a research-grade problem."
In this speech, Dr. Geer notes the growth of security as a service, analyzes the virulence of malware using empirical evidence from the last decade, equates computer monocultures to beehives, and indirectly discusses the transition of the attacking class from hobbyists to pay-for-play professionals. Only in a few cases did I disagree with the text, but I'll leave those spots for you to pick out. Now go and read the transcript.
I know that this is old news to most of you, but I finally got around to viewing "The Last Lecture". This was a lecture given by Randy Pausch, a computer science professor at Carnegie Mellon University. Randy is dying from pancreatic cancer and was asked by CMU to give a talk in their Last Lecture series. I had been avoiding it because I generally consider myself a rather non-emotional person and didn't think I would really enjoy a talk such as this. I was completely wrong; this talk is PHENOMENAL. Everyone should watch it at least once and really try to understand the points he is making. Please give it a watch; I'm fairly certain you will enjoy it too.
So I whined in a SILC channel today that I haven't posted on any cool topics in quite a while, and this interesting link was pointed out to me (thanks to Chris for the pointer to the site and to Ben Laurie for writing it up originally). The gist of the post is that it is possible to remotely modify the firmware on some wired network cards and essentially create and deploy firmware-level malware without ever having to take control of the higher layers of the system. This is huge.
Once exploits are written for these issues we could see attacks that never really touch the OS and are not detectable by current anti-virus and OS-level security mechanisms. Detection should be relatively straightforward: take a hash of the NIC's firmware and compare it against known-good hash values. This could be done in hardware or software; however, it isn't being done currently and is a somewhat new line of thinking. The one catch is that the firmware image has to be read through a path the malware cannot influence; if the check simply asks the card for its own firmware, a compromised card can hand back a clean copy.
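As an added example (not code from the original post or from Ben Laurie's write-up), here is a small Python checker for that detection approach: it hashes a firmware dump against an allowlist of known-good digests and, on a mismatch, reports which byte ranges differ from the golden image so the modification can be located. The firmware image, the allowlist entry and the tampered copy are all constructed inline for the demo (the "implant" bytes are illustrative, not a real payload); the real input would be a dump of the card's flash taken through a path the card itself does not control.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a firmware image."""
    return hashlib.sha256(data).hexdigest()


def build_sample_image(size: int = 4096, seed: bytes = b"example-nic-fw-1.0") -> bytes:
    """Construct a deterministic pseudo-firmware image for the demo.

    This stands in for a real flash/EEPROM dump; the content is just
    chained SHA-256 output so the example runs offline.
    """
    out = bytearray()
    block = 0
    while len(out) < size:
        out += hashlib.sha256(seed + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:size])


def tamper(image: bytes, offset: int, payload: bytes) -> bytes:
    """Overwrite part of an image, simulating a firmware implant."""
    return image[:offset] + payload + image[offset + len(payload):]


def check_firmware(image: bytes, allowlist: Dict[str, str]) -> Optional[str]:
    """Return the allowlist label whose digest matches the image, else None."""
    digest = sha256_hex(image)
    for label, known_good in allowlist.items():
        # constant-time compare; cheap, and avoids leaking matched prefix length
        if hmac.compare_digest(digest, known_good):
            return label
    return None


def diff_regions(baseline: bytes, image: bytes, merge_gap: int = 16) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where image differs from baseline.

    Differing bytes whose positions are at most merge_gap apart are merged
    into one region, so a patched stub reports as a single hit instead of
    a run of one-byte differences. A length mismatch counts as a
    difference over the extra bytes.
    """
    regions: List[Tuple[int, int]] = []
    start: Optional[int] = None
    last_diff = -1
    for i in range(max(len(baseline), len(image))):
        a = baseline[i] if i < len(baseline) else None
        b = image[i] if i < len(image) else None
        if a == b:
            continue
        if start is None:
            start = i
        elif i - last_diff > merge_gap:
            regions.append((start, last_diff + 1))
            start = i
        last_diff = i
    if start is not None:
        regions.append((start, last_diff + 1))
    return regions


# Golden image and allowlist, both constructed here. In practice the
# allowlist digests would come from the vendor's signed release or from a
# dump taken before the card ever saw an untrusted network.
GOOD_IMAGE = build_sample_image()
ALLOWLIST = {"example-nic-fw-1.0": sha256_hex(GOOD_IMAGE)}

# A copy with a 13-byte implant at 0x200 (NOP sled plus a jmp-shaped stub;
# illustrative bytes only, not a working exploit).
TAMPERED_IMAGE = tamper(GOOD_IMAGE, 0x200, b"\x90" * 8 + b"\xe9\x00\x01\x00\x00")


def report(name: str, image: bytes) -> str:
    """Human-readable verdict for one dump."""
    label = check_firmware(image, ALLOWLIST)
    if label is not None:
        return f"{name}: matches known-good firmware {label}"
    lines = [f"{name}: NO MATCH against allowlist; regions differing from golden image:"]
    for s, e in diff_regions(GOOD_IMAGE, image):
        lines.append(f"  0x{s:04x}-0x{e:04x} ({e - s} bytes)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("clean dump", GOOD_IMAGE))
    print(report("suspect dump", TAMPERED_IMAGE))
```

Run it as-is and the suspect dump is flagged with a single differing region inside 0x200-0x20d; point `GOOD_IMAGE` at a real golden dump and `TAMPERED_IMAGE` at a dump from the card under test to use it for real. The region merging matters in practice because an implant is usually a contiguous patch, and a list of dozens of single-byte offsets is far harder to act on than one range.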
Using this attack technique, the author of the post quoted there was able to create a "Jedi Packet Trick" that allowed him to bypass CheckPoint FW-1 and Strongwall-based firewall systems. This is really just the tip of the firmware-rootkit iceberg; using similar techniques it should be fairly straightforward to affect higher layers of the system and essentially build a very dangerous subversive system.
I am so behind in my reading at this point that I feel really out of touch with the rest of the information security world. So I'm not going to post anything interesting today, just a picture of me from graduation, mostly because I know how you all love it when I post stupid pictures on my blog!