The cyber security industry talks a big game. There is a certain amount of truth to the notion that security companies' marketing departments play up viruses, Trojans or known vulnerabilities to draw attention to their products. Security is a $16 billion, hyper-competitive industry. Yet, with exploits, big hacks and viruses constantly in the news, one has to ask: are the security companies really doing their jobs?
That is up for debate. A Google security researcher (acting independently of Google) named Tavis Ormandy reverse engineered part of security firm Sophos's security products and published his research (PDF). He presented his findings at the Black Hat security conference in Las Vegas yesterday and had some hearty criticism not just for Sophos, but for the security industry in general. The issue, in part, is how open security companies are with the code and algorithms they use to protect users' computers. How open do security companies need to be to have the most effective product?
Ormandy starts the abstract of his paper with a fairly simple declaration:
"Antivirus vendors often assert they must be protected from scrutiny and criticism, claiming that public understanding of their work would assist bad actors. However, it is the opinion of the author that Kerckhoffs's principle applies to all security systems, not just cryptosystems. Therefore, if close inspection of a security product weakens it, then the product is flawed."
The notion is that security companies hide their algorithms, code and practices so that bad actors will not be able to study them and easily sidestep them. Kerckhoffs's principle (from the 19th century cryptographer Auguste Kerckhoffs) states: "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." Applied to an antivirus product, the argument is that a protection mechanism whose strength depends on nobody knowing how it works is not really a protection mechanism at all, since the product itself ships to every customer and can be reverse engineered by anyone who buys a copy.
What Ormandy did with Sophos was pick apart a couple of different subsections of the overall security product, including parts of the cryptography and obfuscation practices it uses to protect data. Specifically, Ormandy looked at Sophos's buffer overflow protection, its signature matching and cryptography (SPMAA, proprietary to Sophos) and its "genes and genotypes" feature that detects the behavior of malicious programs.
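To make Kerckhoffs's argument concrete, here is an added example that is not from Ormandy's paper and is not Sophos's actual scheme: a hypothetical signature store "protected" by a fixed-key XOR transform whose key is baked into the product. The only thing standing between an attacker and the signature database is ignorance of the algorithm. Once the algorithm is known (the situation a reverse engineer creates), a single record with known plaintext recovers the key and every record decrypts. The key bytes, record format and sample signatures below are all constructed for illustration.

```python
"""Added illustration of Kerckhoffs's principle applied to a shipped product.

A hypothetical signature store obfuscated with a fixed-key repeating XOR.
This is NOT Sophos's scheme; the key, record layout and signatures are all
made up for the example. The point: a key that ships inside the product is
not a key in Kerckhoffs's sense, so the scheme's security rests entirely
on the algorithm staying secret, which reverse engineering defeats.
"""
from itertools import cycle

# Hypothetical product secret: an 8-byte key compiled into the binary.
EMBEDDED_KEY = bytes.fromhex("5a3c9e17a0d4428b")


def obfuscate(record: bytes, key: bytes = EMBEDDED_KEY) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key decrypts."""
    return bytes(b ^ k for b, k in zip(record, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, max_key_len: int = 32) -> bytes:
    """Known-plaintext attack against repeating-key XOR.

    The attacker knows the algorithm but not the key or its length. For each
    candidate length, derive the key from the first key_len bytes and keep the
    shortest candidate that correctly decrypts the whole known prefix.
    """
    n = len(known_plaintext)
    for key_len in range(1, min(max_key_len, n) + 1):
        key = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))
        if obfuscate(ciphertext[:n], key) == known_plaintext:
            return key
    raise ValueError("no repeating key of length <= max_key_len fits the known plaintext")


# Constructed sample records ("name|pattern"); not real AV signatures.
SIGNATURES = [
    b"EICAR-Test-File|X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    b"Trojan.Hypothetical.A|55 8b ec 83 ec 20 e8",
    b"Worm.Hypothetical.B|GET /cgi-bin/evil.pl?cmd=",
]


def build_store() -> list:
    """What the product ships: every signature record obfuscated with the embedded key."""
    return [obfuscate(s) for s in SIGNATURES]


def attack(store: list) -> list:
    """Attacker's view: the algorithm is known (reverse engineered) and one record's
    plaintext prefix is guessable (the EICAR test entry is public knowledge).
    """
    key = recover_key(store[0], b"EICAR-Test-File|")
    return [obfuscate(c, key) for c in store]


if __name__ == "__main__":
    store = build_store()
    recovered = attack(store)
    print("key recovered:", recover_key(store[0], b"EICAR-Test-File|").hex())
    for rec in recovered:
        print(rec.decode())
```

The practitioner's check is the one Ormandy's abstract implies: ask what an attacker gains from reading the product's code. If the answer is "the whole signature database and a map of what is and is not detected", the obfuscation was never doing security work, and the vendor's objection to scrutiny is an objection to finding that out.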
Only A Piece Of The Puzzle
Sophos researcher and blogger Graham Cluley said that Ormandy is not an ordinary security engineer or computer user.
"No doubt he is a very bright chap," Cluley said in a call to ReadWriteWeb. "I think he comes at this problem from a very unusual angle. I imagine he is the type of fellow who analyzes every piece of code that he puts on his computer ... That is not something that scales. Tavis's mom could not do that."
Yet, Cluley notes that while what Ormandy did was helpful and informative for Sophos, it covered only a piece of the company's larger security product. Ormandy did not actually test the product against malware, Cluley says, and if he had, he would have found it quite capable of blocking malicious programs.
Still, Ormandy does have some pertinent points and Sophos is right to acknowledge them. The security vs. cyber-criminal battle is a two-step, a dance in which each actor tries to stay a step ahead of the other. If a hacker has specific knowledge of how the company detects malware and encrypts data, they have the advantage. A Sophos researcher who attended Ormandy's talk downplayed that aspect.
"Malware writers have to be very generic in terms of what they write," Sophos researcher Vanja Svajcer said, according to Forbes. "They don't have time to investigate forty or fifty vendors to circumvent their products."
In general, that is true. Malware writers are interested in the richest targets available with the lowest barrier to success. Yet, that does not preclude a particular attacker from studying the weaknesses of a particular security product and finding ways around it. Spear phishing, attacks designed to exploit specific targets (typically through some type of social engineering such as email), is on the rise, and as we have seen with the attacks against Sony, Booz Allen Hamilton and the state of Arizona by LulzSec and Anonymous, dedicated attacks can be successful. As much as the security industry likes to tout its own products (which are effective for the most part), they are not perfect. Part of what Ormandy is doing with Sophos is pointing that out. At the same time, even the best security products cannot protect against employees not following best practices and poorly implemented security policies, which is often the case in large-scale hacks, such as those against Sony or HBGary.
Not Cluley v. Ormandy: Round 2
Cluley wanted to point out that Ormandy's latest criticism of Sophos products was not another case of "Ormandy v. Cluley." Last year Ormandy publicly disclosed zero-day vulnerabilities in Microsoft's code that were subsequently exploited in attacks. Cluley slammed Ormandy for not giving Microsoft or the security industry enough time to respond to the vulnerability before disclosing it. Cluley says that is not the case this time around.
"This is not some Ormandy v. Cluley feud," Cluley said. "One of the things about this is that Tavis and Sophos have been working really closely together. It has been a friendly and open process."
Cluley responded to Ormandy's findings in a blog post at Naked Security, stating that the cryptographic algorithm Ormandy found to be "weak" was already being phased out and that the company was working to fix the other vulnerabilities in the next version of its product.
Yes, You Can Trust Your Security Companies
Yet, the question remains: can the security companies be trusted? In short, yes. For the most part, security products are an effective way to detect and eliminate malware. Some products are better than others. That does not excuse the industry from, at times, creating hype or fear (as an industry, not specifically Sophos) around certain exploits. It is decent business sense: scare people into buying your product. Cluley says that security companies have been guilty of that in the past and he hopes the industry has become more responsible.
"I think industry has gotten better and more responsible. The thing that fascinates me is that you are stuck between a rock and a hard place," Cluley said. "You want people to wake up and stop clicking on naked pictures of Angelina Jolie. Still, we have to get the message out there."