web application security lab

Odds, Disclosure, Etc…

12 posts left…

While doing some research, I happened across an old post of mine that I had totally forgotten about. It was an old post about betting on the chances of compromise. Specifically, I was asked to give odds against whether I thought Google or would survive a penetration test (ultimately leading to disclosure of data). Given that both Google and are under constant attack, it stands to reason that sitting in the ecosystem is virtually the equivalent of a penetration test every day. I wasn’t counting things like little bugs that are disclosed in our sites; I was specifically counting only data compromise.

There are a few interesting things about this post, looking back 4 years. The first thing is that pretty much everything I predicted came true in regards to Google:

… their corporate intranet is strewn with varying operating systems, with outdated versions of varying browsers. Ouch. Allowing access from the intranet out to the Internet is a recipe for disaster …

So yes, this is damned near how Google was compromised. However, there’s one very important thing, if I want to be completely honest, that I didn’t understand back then. I gave Google a 1:300 (against) odds on being hacked before would be. While I was right, in hindsight, I’d have to change my odds. I should have given it more like 1:30. The important part that I missed was the disclosure piece. Any rational person would assume that Google has had infections before (as has any large corporation that doesn’t retain tight controls over their environment). That’s nothing new - and not what I was talking about anyway. I was talking only about publicly known disclosures of data compromise.

So the part that I didn’t talk to, and the part that is the most interesting is that Google actually disclosed the hack. Now if we were to go back in time and you were to tell me that Google would get hacked into and then disclose that information voluntarily, I would have called BS. Now the cynics might say that Google had no choice - that too many people already knew, and it was either tell the world or have someone out you in a messy way. But that’s irrelevant. I still wouldn’t have predicted it.

So that brings me to the point of the post (as you can hopefully see, this is not a Google bashing post or an I told you so post). I went to Data Loss DB the other day and I noticed an interesting downward trend over the last two years. It could be due to a lot of things. Maybe people are losing their laptops less or maybe hackers have decided to slow down all that hacking they were doing. No, I suspect it’s because in the dawn of social networking and collective thinking, companies fear disclosure more than ever before. They don’t want to have a social uprising against them when people find out their information has been copied off. Since I have no data to back it up, I have a question for all the people who are involved in disclosing or recovering from security events. How many compromises of data security, that you are aware of, have been disclosed to the public as a percentage? You don’t have to post under your own name - I just want to get some idea of what other people are seeing.

If my intuition is correct, this points to the same number of breaches or more than ever before, but less and less public scrutiny and awareness of what happened to the public’s information. Perhaps this points to a lack of good whistle-blower laws against failing to disclose compromises (and monetary incentives for good Samaritans to do so). Or perhaps this points to a scarier reality where the bad guys have all the compromised machines and data that they need for the moment. Either way, it’s a very interesting downward trend in the public stats that seems incongruent with what I hear when I talk to people. Is the industry really seeing fewer successful attacks than a few years ago?

4 Responses to “Odds, Disclosure, Etc…”

  1. stucky Says:

    Have you written one posts left yet?

  2. LonerVamp Says:

    I think your intuition will be correct, even without the informal survey in the comments here. I don’t think there is any security person out there that doesn’t know of one breach and/or disclosure that wasn’t disclosed. Even small incidents like a single waiter swiping cards at a restaurant.

    Even more so in the vein of, “We have no indication of misuse but our balls certainly were exposed.” Or more obfuscated releases like, “something happened,” but then being quiet and letting it blow over…a sort of PR/legal CYA.

    The same with many general net/sys admins. I imagine most know of situations where exposure was possible but unknown.

    Not to open that huge discussion again, but the whole Google disclosure, I feel, definitely had a different agenda driving it. Without the extra agenda, I doubt Google would have said anything as long as the public/media didn’t start getting wind of it. Why would they? There isn’t a lawsuit or fine that would outweigh the attention, I bet. They know it. They know it with their street view and wireless scanning/sniffing actions… And even if it did cost them more, there’s still that whole Big Gamble that everyone plays when it comes to bumping up against ethics/regulations/rules and profits (kinda like current NCAA football investigations…you better believe every organization bends and crosses any rules they can get away with to get an advantage).

  3. buonzz Says:

    the concept is simple:

    “There is no such software that is bug-free”, therefore, there is no such thing as “Secured Software”.

    Neither or Google could say they are not suffering successful hacking attempts.

  4. Alex Says:

    I think that knowing that someone compromised your systems and revealing it to your customers are two very different ideas that should not be mentioned in the same argument. Many companies that have valuable information would not even know that they were compromised. From my personal experience it appears that compromises are most noticeable when someone who doesn’t know how to cover their tracks creates a mess on your network/host. Once a company realizes that they were compromised they begin to reflect internally and start making positive temporary changes whose complexity to maintain is often beyond the scope of what the company’s structure can maintain. The reason I believe that revealing compromises should be put in a different context is because it targets something completely different. A data compromise is nothing really but bad news. Whose data, what data, where did the data go? Does anyone really honestly care in these situations? The business-customer agreement usually does not lay out in any detail about how the business will secure the customer’s information. That is considered minor in comparison to the service that the customer is buying. The average individual/business has a very vague understanding of what a compromise means or what security means in each respective context. The whole announcement only plays to excite speculation and a negative outlook towards those who were compromised. On average few actually look into or even care about what happened.

    I believe that a very large proportion of the large companies are not prepared or equipped to detect a complex security breach. This leads me to conclude that disclosure is not about whether data was extracted or not, but only fuels this negativity around a “state” of known compromise | unknown compromise.

    0% disclosed