The first by Eugene Kaspersky. Well known name, quite interesting title:
The Dark Side of Cybercrime: Details on the Latest Hacker Tactics from Around the World. What would you expect when reading this? I myself expected to actually learn about attack vectors etc since this guy must be exposed to them on a daily basis.
Well, Mr. Kaspersky didn't think so. He spent the first 40-45 minutes on recounting the history of attacks, viruses, worms, trojans, etc. Some statistics thrown in, some pictures of authors. Then in the last 5-10 minutes he talks about attacks going on today but still only at the level of
there will be phishing attacks, and data theft, and .... And suddenly it was all over?
If the title promises the
latesttactics, why waste time on ancient history? When promising
details, why only scratch the surface and throw out a few buzzwords? This was probably one of the most wasteful hour I've spent in a long time. Heck, I might have enjoyed an HR seminar more than this baloney.
Still not time to leave, so I go into the podium discussion about
Virtualization and Security. I was skeptical from the get go. A panel without anyone who actually works on virtualization technology. Only
security professionals, i.e., the people who benefit from security problems. Turns out this discussion is really meant as a big fright fest. It was an enumeration of additional problems in security, monitoring, auditing when you deploy virtualization. Close to the end one of the panelists actually asked (I paraphrase)
And who in the audience still considers deploying virtualization after what you heard here today?
I'm always willing to accept that there are some new problems. They are mostly concerning the introduction of a new code base (hypervisor or the hardware emulation like KQEMU) and the interfaces between it an the VMs. But many (most?) of the problems they mentioned are home made or are simply problems which exist without virtualization. For instance, they were complaining about VLANs which are created between the domains so that a single NIC is sufficient for all domains. Dah! If this is a problem for you, don't do it. Use separate network cards for each domain. PCI forwarding is there and by the time people actually start deploying Intel will have VT-d in their chips (and AMD whatever they need). We'll soon enough have NICs with virtualization supoprt built in (Infiniband already can do this today). Once this is true I hear them shout
but who audits the firmware which implements this(it'll indeed something mostly implemented in firmware). The answer here is again: do you audit the firmware of the NIC today? I don't think so and still it can very well be a security risk.
I took away from this that the security industry sees virtualization as yet another source of money and full employment. Yes, you'll have problems if you do stupid things when deploying virtualization. But the same is true without virtualization. I fail to see the difference. And the panel constantly reminded everybody that no company out there has a person who understands all the problems, front to back, from technical details about virtualization to specific problems of SOA deployments in virtualized environments. That's most probably true. But how is this difference from non-virtual deployments. I dare a
security professionalto step forward and prove s/he knows all this. Heck, I can think of a gazillion security-relevant details at low levels which are not known except to people who actually work on that code.
The organizers claim that they try to keep the sessions clear from being marketing sessions. Mr Kaspersky certainly didn't manage to do this, my podium discussion obviously couldn't (it was after all about three specific implementations), and this virtualization session was a big
see, we are more than ever relevantsession byt the security professions (with special plugs of the Center for Internet Security).
What was is there are sessions which actual practical advice for programmers, i.e., to cure the root of all the evil. My Thursday session is probably one of the very few exceptions. And the funny thing is: during my podium session people actually made it known that one of the things they like to hear about at conference is specifically this.
My opinion thus far: if you are a security professional, CSO, etc, run to San Francisco, don't walk. You'll get plenty of stories you can tell your boss to frighten her/him and give you a large budget and many underlings to have fun with. You'll also find people who want to sell you piece of mind and that should be well worth it to you. After all, you somehow have to spend the money your scared boss throws at you.
If you actually are interested in fixing the problem, don't bother. The organizers don't either.