Category Archives: Security

Edison of Rootkits

A CFO.com interview with Mark Russinovich is funny. Mark’s done a lot of really stellar work on technical issues but the interview reveals more about his social and economic philosophy. They introduce him by comparing him to Edison. They probably meant this as a compliment.

Russinovich is to rootkits as Edison was to electricity

Edison was a ruthless marketing hack who publicly electrocuted animals to death to falsely convince people of the risks from his competitors’ products.

In order to make sure that [the elephant] emerged from this spectacle more than just singed and angry, she was fed cyanide-laced carrots moments before a 6,600-volt AC charge slammed through her body. Officials needn’t have worried. [The elephant] was killed instantly and Edison, in his mind anyway, had proved his point.

Edison proved that power can be dangerous in the hands of the wrong man. And I’m not even going to rant here about how he copied others’ ideas and tried to patent them as his own.

If I were Mark I’d be insulted. They should have used Westinghouse, Tesla or some other more notable engineer and inventor. Anyone but Edison.

The bottom line is that unless Mark is going to start launching rootkits on Apple computers to convince people to buy Microsoft, he shouldn’t be compared to Edison. Now to the interview:

Does the Internet make the world a more dangerous place?
It’s the complete dependence on the Internet. Even small businesses. Think about it. You go to your doctor or your dentist. What would happen if their computer wasn’t working? What would happen if their data was destroyed? They’d be out of business.

Scary. But strangely enough I have been in doctor and dentist offices when their computer is not working and they do not seem panicked about going out of business. If anything they seem content to say something like “damn Microsoft systems are always broken”.

Where is this complete dependence Mark speaks about? Maybe my experience is behind the times and he goes to a more modern clinic with robots and all. Does Roomba make a dental unit yet? He certainly is not speaking about “the world” of doctors and dentists I know. They embrace technology while keeping it at arm’s length.

Next example:

How much damage can a virus realistically do?
It’s pretty well accepted that the Stuxnet virus, which was spread by USB keys, was created by Israel and the U.S. for the sole purpose of destroying the Iranian centrifuges that enriched uranium for its nuclear program.

Pretty well accepted? That sounds like he’s not convinced. I know I’m not convinced. The world was pretty well accepted as flat. Very different from saying that it has been proven.

Mark, who is known for providing tools that are meant to offer hard evidence, is offering us a vague and unconfirmed statement when it comes to Stuxnet authors and purpose. Why does he lower the bar? Imagine if Sysinternals released a tool that said “this virtual memory region is pretty well accepted to be unusable”.

And how much damage did Stuxnet really do? The report I read from nuclear investigators who know the risk/threat model says the centrifuges were already expected to fail at a high rate. Rust is said to have been a major source of centrifuge problems for the Iranian program. Oxidation is apparently causing more failures than Stuxnet, so the answer is…?

I could go on about his answers on the cloud and a bank versus house model of risk but I’ll skip to the conclusion.

What’s the endgame?
We’re not going to take cybersecurity seriously enough until something real bad happens, and then we’ll overreact. That’s the way things usually happen, isn’t it? When something real bad happens, the government will step in and say now we’ve got to do something, and they’ll put in all these bizarre regulations that won’t really do much and will result in a big loss of productivity.

That’s like describing a doctor who treats you after you break your legs as the cause of your mobility loss. The doctor will regulate your ability to get up and walk around to protect your body from further harm — increasing your chance of long-term recovery and regaining productivity. What is so bizarre about that?

After the “something real bad happens” (e.g. breaking your legs) a loss of productivity is already in play, long before any regulator shows up to help. In other words, a huge gain in productivity from regulations is also conceivable if we’re just going to talk theory. Basel II comes to mind… Now, if Mark wants to mention a specific “bizarre” regulation and how it hurts productivity, then we can really talk about technical details instead of just some socioeconomic philosophy.

The End of the Economist

I admit I used to be a huge fan of the Economist. There were days when I would sit in the library and pore over editions from the early 1940s and marvel at the lengths they would go to offer analysis without bias. If you ever have a chance to do it I recommend it highly. It was spooky to see how accurate their writers were in predicting the future.

Things have changed a lot for them in the past twenty years, let alone over sixty. I find their writing less compelling and less informed as time goes on, as if they are looking at the world through a shrinking scope. They seem to just be lazily writing their opinion, without any bother to research or read the data available. Take the recent article “Coming Full Circle”, for example.

They make a fair point about the impact of big media and industrialization in the West, but they also give a lopsided history of print and social networks from a pseudo-Western lens:

Until the early 19th century there was no technology for disseminating news to large numbers of people in a short space of time. It travelled as people chatted in marketplaces and taverns or exchanged letters with their friends. This phenomenon can be traced back to Roman times, when members of the elite kept each other informed with a torrent of letters, transcriptions of speeches and copies of the acta diurna, the official gazette that was posted in the forum each day. News travelled along social networks because there was no other conduit.
[…]
In early 1518 Martin Luther’s writings spread around Germany in two weeks as they were carried from one town to the next. As Luther and his supporters argued with his opponents over the following decade, more than 6m religious pamphlets were sold in Germany.

Uh, ok, a timeline from the Romans to the Germans?

That does not sound like a proper student of British education. Perhaps it is an American writer, unfamiliar with the Schoyen collection in London. I mean how ironic and strange for a British publication to glorify the technology of the Romans and the Germans!

Moreover, they completely miss the obvious fact that Song dynasty (960-1279) China was widely distributing inexpensive printed books made with movable type. This, of course, was possible due to the block printing used previously during the Tang dynasty (618-906), when printing cloth shifted to making Buddhist scrolls.

How do these fit the Economist’s “there was no technology” claim for information dissemination until the 19th century? Perhaps they are using a very specific and narrow definition of “dissemination” and a very specific and narrow definition of “short space of time”? Yes, Twitter did not exist until Twitter existed. Great analysis of “little distinction between producers and consumers of information” — social media.

The Economist missed a great opportunity to reference the “Diamond Sutra” (“stolen” by the British), which was printed on the 11th May 868 AD according to the British Library and starts with the words

“Reverently made for universal free distribution…”

They also missed the opportunity to explain the rapid transition in technology from elite use to common use, such as the period soon after Empress Shotoku of Japan in 764 AD printed a million scrolls of the Hyakumanto Darani and distributed them to celebrate the suppression of the rebellion led by Emi no Oshikatsu.

I guess I also could go on and bring up pre-historic fire/smoke non-elite communication systems (that influenced Bronze Age relics still evident in Ireland and England), or birds like the Pigeon Post, or the hydraulic semaphore system used in Britain by Francis Whishaw in the 1800s, not to mention the talking drum…but I guess for the time being I’ll just have to seek other sources of news to find an informed and introspective analysis.

COBIT 5 Open for Review

ISACA has released what they call an “exposure draft” of COBIT 5 and is asking for public comment.

The primary objective of this exposure is to obtain public input and comment regarding the completeness, quality and value of the development work undertaken. Please complete the short survey questionnaire below to provide your feedback on the work completed to extend, improve and advance ISACA guidance in this area. This online questionnaire will remain open until 31 July 2011.

The primary differences from COBIT 4.1 seem to be twofold:

1) A move to pull all the ISACA frameworks and guidance together under COBIT as well as synchronize better with external standards

– Board Briefing on IT Governance, 2nd Edition
– Business Model for Information Security™ (BMIS™)
– IT Assurance Framework™ (ITAF™)
– Risk IT Framework
– Taking Governance Forward
– Val IT™ Framework
– Connect to other major frameworks and standards in the marketplace (ITIL, ISO standards, etc.)

Most notable is the integration with a capability maturity model to measure progress (e.g. ISO/IEC 15504 Based Capability Levels). This helps COBIT audits work on a more standardized measurement system.

2) Streamlined guideline process. Version 4.1, for example, had 36 processes to follow while version 5 is trying to organize them into just 7 slices (21 total — no bullseye). I heard it originally had 8 slices but “Where do you want to go today” ran into some kind of legal issue. The following graphic also has the advantage of being easily converted into a fortune wheel of audit that IT managers can spin or throw darts at…

COBIT 5 Wheel

10 Days of Rain Mistakes: McAfee Whitepaper

McAfee Labs has released an interesting analysis of recent DoS attacks that targeted South Korea. They criticize the code for numerous mistakes, and they speculate the mistakes were caused by multiple teams working together and failing to develop a cohesive product. Here are a few examples of the criticisms.

Short-term objectives

While highly destructive code like this was common with early malware, it has long since given way to bots that allow for long-term command and control. Cybercriminals realized that compromised computers under their full control are much more valuable to them for sending spam, proliferating malware, and for harvesting valuable data from the compromised device.

Lack of flexibility

Unlike many other botnets, the malware installed as these C&C clients lacked command interpreter functionality. This results in very limited flexibility in how the bots are used.

Inconsistent use of encryption

While the C&C application also decrypts the configuration’s filename with 128-bit AES, the initial dropper contains this filename in plain text. This design hints at multiple authors that were not all aware of this filename being encrypted in other parts of this attack.

Typos from cut/paste in the code

The code to check file extensions suffers from some mistakes due to copy and paste; for example, not only .java but .javanything files will be deleted.
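One way such an over-match arises is a bounded prefix comparison against the extension list (an assumption here; the whitepaper does not show the code). The following is an added illustration, not code from McAfee or from the sample, with a constructed extension list: the first function reproduces the prefix comparison that treats “.javanything” as “.java”, the second compares the whole extension, which is what any filter or scanner exclusion list needs.

```c
#include <stddef.h>
#include <string.h>

/* Constructed extension list for illustration only; the real sample's
 * list is not reproduced here. */
static const char *const EXT_LIST[] = { ".doc", ".java", ".txt" };
#define EXT_COUNT (sizeof EXT_LIST / sizeof EXT_LIST[0])

/* Return a pointer to the extension (including the '.') of the final
 * path component, or NULL when there is none. A leading dot alone
 * (".bashrc") is not treated as an extension. */
static const char *extension_of(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    const char *dot = strrchr(base, '.');
    return (dot && dot != base) ? dot : NULL;
}

/* Prefix comparison bounded by the pattern length: any extension that
 * merely starts with ".java" is accepted, so ".javanything" matches.
 * This reproduces the class of over-match described above. */
int matches_ext_prefix(const char *path)
{
    const char *ext = extension_of(path);
    if (!ext) return 0;
    for (size_t i = 0; i < EXT_COUNT; i++)
        if (strncmp(ext, EXT_LIST[i], strlen(EXT_LIST[i])) == 0)
            return 1;
    return 0;
}

/* Whole-extension comparison: ".javanything" no longer matches ".java". */
int matches_ext_exact(const char *path)
{
    const char *ext = extension_of(path);
    if (!ext) return 0;
    for (size_t i = 0; i < EXT_COUNT; i++)
        if (strcmp(ext, EXT_LIST[i]) == 0)
            return 1;
    return 0;
}
```

Case-insensitive filesystems need a case-folding comparison on top of this, which the block deliberately leaves out.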

Inconsistent execution

…the code then utilizes a huge C++ CAB file implementation to create a new CAB file per overwritten file and adds the already zeroed-out file to the CAB. This is another indicator of multiple engineers working on this codebase without everyone understanding the entirety of the code.

Despite all the criticism, McAfee analysis still rates this as “sophisticated”.

The level of technical sophistication behind Ten Days of Rain, being used for the relatively simplistic act of a DDoS attack, doesn’t track.

What are those levels of sophistication? They don’t say, but they give us this simile.

DDoS, malware-leveraging encryption, and multitier botnet architectures are not new. Nor are attacks against South Korea that suspiciously align with North Korea’s agenda. However, the combination of technical sophistication juxtaposed with relatively limited execution and myopic outcome is analogous to bringing a Lamborghini to a go-cart race.

On the one hand their analysis pushes us to consider the engineering flaws and disconnected “myopic” work, while on the other hand it concludes with the imagery of a Lamborghini.

I suspect they do not mean bringing a Lamborghini hat to a go-cart race. They must mean the car, and a modern one at that.

Lambo Hat

Ooops, I meant the other imagery of a Lamborghini.

Lambo Shoes

Ah, well, maybe they are making a more subtle point. If you see someone show up to a go-cart race wearing a pair of shiny red suede Lamborghini slippers…

It also is worth noting that although almost 20% of the command and control servers they tracked were in the US, far more than the next country, McAfee steps away completely from any mention of motives tied to national interests.

Beyond the threat mitigation, the questions of how, who, and why still remain.

They did a very nice job in this whitepaper on the how, and they admit to speculation (based on an odd assumption about collaboration instead of plagiarism) about the why, but they basically don’t touch the question of who.

Too bad they did not go for the who too; I had fun writing Operation Sloppy Night Dragon.