The problem with 'pumpkin spice' security bugs
Bad Password is a hacking and security column by Violet Blue. Each week she'll be exploring the fashionable new cyberhysteria, the state of the infosec community and the ever-eroding thing that used to be called "privacy." Bad Password cuts through the greed, fear mongering and jargon with experience, a friendly voice and a slightly levelheaded perspective.
When asked, "Why give a vulnerability a website, logo and brand image?" many infosec professionals will confidently answer that flamboyant bugs raise awareness and drive fixes. Fixing and patching, we're led to believe, is about as much fun as a trip to the dentist. Which is true. Heartbleed, Shellshock, Stagefright, Sandworm, Rootpipe, Winshock and the truly terror-inducing nom-de-sploit POODLE are not, in fact, a list of situational phobias. These were named with the intent of becoming PR markers — though looking at the way some of these vulns (vulnerabilities) got their names and brands, it seems the focus was more on the credit for naming them than on the actual usefulness of trying to "pumpkin spice" a bug.
The problem is, it is widely understood that a seasonally branded latte is a simple sugary gimmick that the public finds both irresistible and strangely offensive. Heartbleed — birth name CVE-2014-0160 — was the first seriously branded bug. It was not the worst of all those other names I rattled off in the previous paragraph. It was also not in any way widely understood. While everyone heard of it, few outside infosec could really explain what it was (a missing bounds check in OpenSSL's TLS heartbeat handling that let a remote peer read up to 64 KB of a server's memory per request, private keys and session data included). Mostly, the media didn't really know what Heartbleed was either, but its logo was on major news outlets from local to global within days of the bug's... launch.
Heartbleed was branded like an overpriced startup on purpose, and its branding was as divisive within infosec communities as pumpkin pie spice Pringles are to normal people. Many information security professionals were above-average suspicious about the intentions behind giving the vuln a branding package and website before most affected companies had even heard of it. And for infosec, where paranoia is more than just a lifestyle, that's saying something. The CEO of Codenomicon, the origin of Heartbleed's branding, told The Guardian, "I think that the fact that it had a name, had a catchy logo that people remember, really helped fuel the speed with which people became aware of this."
If that is true, then so is the inverse: Heartbleed's viral branding almost certainly helped fuel the speed with which attackers learned about it, too. Heartbleed attacks appeared within days, well before many affected sites had patched and rotated the keys the bug could have exposed.
My first trip down the infosec rabbit hole of naming conventions came from endpoint security firm CrowdStrike's 2014 Global Threat Intel Report. I had pitched a piece on the report for an enterprise security news outlet, and it seemed like a good idea at the time. The report was my first real experience with the practice of information security companies "discovering" things that were already there, and naming each discovery to claim ownership — the infosec version of manifest destiny, but, as I was about to find out, way weirder.
Nobody had warned me that CrowdStrike named its discoveries, in this case criminal attack groups, in such a manic way as to suggest someone there is desperately trying to fight off the advance of Alzheimer's. Or maybe they just have better drug connections than me. Possibly both. I found myself thoroughly freaked out by Goblin Panda, CrowdStrike's name for a cyberattack group primarily targeting Vietnam. The visuals I got from seeing Vixen Panda's and Deep Panda's names together put me on an internet porn fast for about a week. Predator Panda was surely going to hunt me for sport in the jungles of Guatemala. Pale Panda may have appeared in a nightmare after I read the report, telling me to put the lotion on its skin. Keyhole Panda did not help my standard level of hacker-grade paranoia.
All of these names had me wondering if someone somewhere wasn't telegraphing a tortured cry for help from the same basement (painted over to hide the bloodstains) in which seasonally branded lattes are created.
I didn't end up filing my analysis of the CrowdStrike report, and I never got behind all the reporting on Heartbleed. It all felt too much like I'd be selling some company's product. And I worried that the cutesy, weird little names are only raising public awareness of my infosec colleagues' prurient interest in their own situational phobias. I mean, what kind of anxious pervert names a privilege escalation "Rootpipe"?
[Image credit: JeepersMedia/Flickr]