The Effect of Snake Oil Security
By Robert Hansen
I’ve talked about this a few times over the years during various presentations, but I wanted to document it here as well. It’s a concept that I’ve been wrestling with for 7+ years, and I don’t think I’ve made any headway in convincing anyone beyond a few head nods. Bad security isn’t just bad because it allows you to be exploited. It’s also a long-term cost center. More interestingly, even the most worthless security tool can be “proven” to work if you look at one company’s numbers in isolation. Here’s how.
Let’s say hypothetically that there are only two banks in the entire world: banka.com and bankb.com. A Snakeoil salesman goes up to banka.com and convinces them to try his product. Banka.com is seeing increased fraud (as is the whole industry), and they’re willing to try anything for a few months. Worst case, they can always get rid of it if it doesn’t do anything. So they deploy Snakeoil on their site. The bad guy takes one look at Snakeoil and shrugs. Is it worth bothering to figure out how banka.com’s new security works and potentially having to modify his code? Nah. Why not just focus on bankb.com, double up the fraud there, and continue doing exactly what he was doing before?
Suddenly banka.com is free of fraud. Snakeoil works, they conclude! They happily let the Snakeoil salesman use them as a case study. So our Snakeoil salesman goes across the street to bankb.com. Bankb.com, strangely, has seen a twofold increase in fraud over the last few months (all of banka.com’s fraud plus their own), and they’re desperate to do something about it. The Snakeoil salesman is happy to show them how much banka.com decreased their fraud just by buying his shoddy product. Bankb.com is desperate, so they say fine and hand over the cash.
Suddenly the bad guy is presented with a problem. He has to find a way around this whole Snakeoil product or he’ll be out of business. So he invests a few hours, finds an easy way around it, and voila: back in business. He spreads his fraud across both banks again. Banka.com sees fraud climb back to the old level, and nothing about that rise points at Snakeoil, because nothing on their side changed. Bankb.com sees its fraud drop immediately after installing Snakeoil, which “proves” that it works for the second time, if you only look at each bank’s own numbers.
Meanwhile, what has actually happened? Are the users safer? No, and in some cases it may even make the users less safe (incidentally, we did manage to finally stop AcuTrust, as the company is completely gone now). Has this stopped the attacker? Only long enough for him to work around it. What’s the net effect? The two banks are now spending money on a product that does nothing, yet they are convinced it is saving them from huge amounts of fraud. They have the numbers to back it up, although the numbers are only half the story: each bank measured its own fraud before and after, and neither measured the total. Now there’s less money to spend on real security measures. Of course, from either bank’s perspective the product did save them, and they’ll vehemently disagree that it doesn’t work. But in bankb.com’s case the product also created the very problem it then solved (the doubled fraud).
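The displacement described in the paragraphs above can be made concrete with a small model. What follows is an added example written for this page, not code from the essay, from the site it appeared on, or from any vendor. The bank names follow the essay; the attacker’s fixed fraud capacity per period, the even split of that capacity across whichever banks are currently easy targets, and the rule that the attacker only bothers to bypass a product once no easy target is left are all constructed assumptions, as are the period numbers and the name “Snakeoil” for the product.

```python
"""Toy fraud-displacement model for the two-bank Snakeoil story.

This is an added illustration, not code from the essay or from any vendor.
Every number and rule in it is constructed for the example:
  * the attacker has a fixed fraud capacity per period (TOTAL_FRAUD) and
    spreads it evenly across every bank that is currently "open";
  * a bank is open if it runs no control, or runs one the attacker has
    already bypassed;
  * the attacker only spends effort on a bypass when no bank is open, and
    a bypass of a product works at every bank running that product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOTAL_FRAUD = 100.0  # constructed: attacker's fraud capacity per period


@dataclass
class Bank:
    name: str
    product: Optional[str] = None                        # deployed control, if any
    history: List[float] = field(default_factory=list)   # fraud observed per period


def _is_open(bank: Bank, bypassed: Dict[str, bool]) -> bool:
    """A bank is an easy target if it has no control or a bypassed one."""
    return bank.product is None or bypassed[bank.product]


def run_model(banks: List[Bank], deployments: Dict[int, Dict[str, str]],
              periods: int) -> Dict[str, int]:
    """Simulate `periods` rounds.  deployments[p] maps bank name -> product
    installed at the start of period p.  Returns, per product, how many
    times the attacker had to do real work to get around it."""
    by_name = {b.name: b for b in banks}
    bypassed: Dict[str, bool] = {}
    effort: Dict[str, int] = {}
    for p in range(periods):
        for bank_name, product in deployments.get(p, {}).items():
            by_name[bank_name].product = product
            bypassed.setdefault(product, False)
        targets = [b for b in banks if _is_open(b, bypassed)]
        if not targets:
            # Every bank is behind some control, so the easy option is gone.
            # The attacker defeats the product shielding the most banks once,
            # and it is defeated everywhere it is installed.
            product = max((pr for pr, done in bypassed.items() if not done),
                          key=lambda pr: sum(b.product == pr for b in banks))
            bypassed[product] = True
            effort[product] = effort.get(product, 0) + 1
            targets = [b for b in banks if _is_open(b, bypassed)]
        share = TOTAL_FRAUD / len(targets)
        open_names = {b.name for b in targets}
        for b in banks:
            b.history.append(share if b.name in open_names else 0.0)
    return effort


def vendor_view(bank: Bank, deploy_period: int) -> float:
    """Percent drop in one bank's fraud from the period before it deployed a
    product to the period after: the chart the salesman shows the next bank."""
    before = bank.history[deploy_period - 1]
    after = bank.history[deploy_period]
    return 100.0 * (before - after) / before if before else 0.0


def global_view(banks: List[Bank]) -> List[float]:
    """Total fraud across all banks in each period: the number that says
    whether any user is actually safer."""
    n = len(banks[0].history)
    return [sum(b.history[p] for b in banks) for p in range(n)]


def snakeoil_scenario():
    """The essay's sequence: banka.com deploys in period 1, bankb.com in 2."""
    banks = [Bank("banka.com"), Bank("bankb.com")]
    deployments = {1: {"banka.com": "Snakeoil"}, 2: {"bankb.com": "Snakeoil"}}
    effort = run_model(banks, deployments, periods=4)
    return banks, effort


if __name__ == "__main__":
    banks, effort = snakeoil_scenario()
    for b in banks:
        print(f"{b.name}: {b.history}")
    print(f"banka.com's before/after: {vendor_view(banks[0], 1):.0f}% drop")
    print(f"bankb.com's before/after: {vendor_view(banks[1], 2):.0f}% drop")
    print(f"global fraud per period: {global_view(banks)}")
    print(f"attacker bypass effort: {effort}")
```

Run it and each bank’s own before-and-after comparison shows a drop (100% for banka.com, 50% for bankb.com) while the global total sits at 100 in every period and the attacker paid the bypass cost exactly once. The practical check, if you are the one buying, is to insist on an industry-wide baseline, or at least a control group of untreated accounts, rather than your own pre/post numbers, because the pre/post view cannot tell displacement from prevention.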
This goes back to the bear-in-the-woods analogy, which I personally hate. The story goes that you don’t have to run faster than the bear, you just have to run faster than the guy next to you. While that’s a funny story, it only works if there are two people and you only encounter one bear. In a real ecosystem you have many, many companies in the same business, and you have many attackers. If you leave your competitor(s) out to dry, that may seem good for you in the short term, but in reality you’re feeding your attacker(s). Ultimately you are allowing the attacker ecosystem to thrive by not reducing the total amount of fraud globally. Yes, this means that if you really care about fixing your own problem, you have to help your competitors. Think about the bear analogy again. If you feed the guy next to you to the bear, the bear is satiated. That’s great for a while, and you’re safe. But when the bear is hungry again, guess who he’s going after? In that analogy you’re much better off working together to kill or scare off the bear.
Of course, if you’re a short-timer CSO who just wants a quick win, guess which option you’ll go for? Jeremiah had a good insight about why better security is rarely implemented and why sweeping security changes are rare inside big companies. CSOs are typically only around for a few years. They want to go in, make a big win, and get out before anything big breaks or they get hacked. After a few years they can no longer blame their predecessor either. They have no incentive to make things right or go for huge wins; those wins come with too much risk, and they don’t want their name attached to a fiasco. No, they’re better off doing little to nothing, with a few minor wins they can put on their resume. It’s a little disheartening, but you can probably tell which CSOs are which by how long they’ve stayed put and by the scale of what they’ve accomplished.
Robert Hansen is the CEO of SecTheory. This essay originally appeared on ha.ckers.org.
Home page image via oreillyconf's Flickr photostream.
Comments
Nice analysis.
Interesting article.
Nice, incidentally typo para 2, line 2, word 2. IMHO the dig at CSOs in the final para doesn't add to the post and may even detract.
Businesses don't like IT and don't trust them. The ONLY security they feel good about is outsourcing and holding their hand over the big red "You're fired!" button. That's as much decision making as they can be bothered with.
Snakeoil???
Trusteer.com
Trusteer works with more than 60 leading banks around the world to keep your online bank account safe from online fraudsters. Trusteer Rapport has been downloaded by more than 11 million customers. It picks up where anti-virus and firewalls leave off, preventing new, sophisticated attacks that anti-virus and firewalls are not always updated to protect you from. To download Rapport now, click here
Since as you say the real world has many attackers, wouldn't at least some of them crack Snakeoil just to avoid having to compete with all the others over bankB?
BankB are a bunch of jerks. I had a savings account with them and they started charging me $14 per month and the account had only $64 in it!! I hope BankB has fun dealing with their viruses, I clicked some popups once and had to get my computer cleaned out good. Thankfully all my important pictures were safe at Facebook.
Dude, gross oversimplifications. Give up!
In evolutionary terms, your CSOs (??) are parasites, not real participants. They don't contribute to the long-term health of a host company. Just the opposite: they cause a company to consume more and raise metabolic levels to create a short period of high growth, but when the parasites eventually drop off (think of ticks) the companies are worse off than before.
The long-term result is that not only the affected companies, but also the parasite community eventually die off. They end up among evolution's failures.
This is the same behavior exhibited in the Auto Security Industry. The Club does not keep anyone from stealing a car; most joy riders just get annoyed by it, so they'll break your window and move on to one without. In the late '80s Chevy introduced the VAT system to supposedly keep your Corvette safe. It didn't. Most Chevys could be started with a screwdriver well into the '90s. Most foreign cars had the same weakness. The fact is that the car manufacturers were glad to have their cars stolen and hoped the customers would come back to them for replacements. I'm sure most people have seen cars on the back of a tow truck or flatbed with the alarm going off. I for one have yet to see a cop stop one. I've heard enough stories of cops seeing an active LoJack and not bothering to go after it, because it's a pain in the ass. Like he said, the hacker/thief will go after the easier prey; it doesn't mean that they can't take down the big dogs with a little more effort, and they eventually will when they're done with the rest or they feel up to a challenge.
This article is horrid, except for maybe the last third or so, which I mostly agree with. But that would never even be gotten to IRL because crackers would just break into $nameless_software for bankA, then loot and plunder both banks A & B. I really think you're misrepresenting the psyche of hackers and crackers by this first part of the article. These guys (whatever your label is, I don't really care) like to break shit for the sake of breaking shit (even worse if they are true criminals and just want money; they're more determined!). If you think an unknown piece of software is going to scare them away then I have trouble believing this was even written by you?? So, what is with this article?
heh, good one, - Just goes to show that George Carlin was right when he said:
It IS all #ullXhit AND it's BAD for you.