The Effect of Snake Oil Security

By Robert HansenI’ve talked about this a few times over the years during various
presentations but I wanted to document it here as well. It’s a concept
that I’ve been wrestling with for 7+ years and I don’t think I’ve made
any headway in convincing anyone, beyond a few head nods. Bad security
isn’t just bad because it allows you to be exploited. It’s also a long
term cost center. But more interestingly, even the most worthless
security tools can be proven to “work” if you look at the numbers.
Here’s how.

I’ve talked about this a few times over the years during various
presentations but I wanted to document it here as well. It’s a concept
that I’ve been wrestling with for 7+ years and I don’t think I’ve made
any headway in convincing anyone, beyond a few head nods. Bad security
isn’t just bad because it allows you to be exploited. It’s also a long
term cost center. But more interestingly, even the most worthless
security tools can be proven to “work” if you look at the numbers.
Here’s how.

Let’s say hypothetically that you have only two banks in the entire
world: banka.com and bankb.com. Let’s say Snakoil salesman goes up to
banka.com and convinces banka.com to try their product. Banka.com is
thinking that they are seeing increased fraud (as is the whole
industry), and they’re willing to try anything for a few months. Worst
case they can always get rid of it if it doesn’t do anything. So they
implement Snakeoil into their site. The bad guy takes one look at the
Snakeoil and shrugs. Is it worth bothering to figure out how banka.com
security works and potentially having to modify their code? Nah, why
not just focus on bankb.com double up the fraud, and continue doing the
exact same thing they were doing before?

Suddenly banka.com is free of fraud. Snakeoil works, they find!
They happily let the Snakeoil salesman use them as a use case. So our
Snakeoil salesman goes across the street to bankb.com. Bankb.com has
seen a two fold increase in fraud over the last few months (all of
banka.com’s fraud plus their own), strangely and they’re desperate to do
something about it. Snakeoil salesman is happy to show them how much
banka.com has decreased their fraud just by buying their shoddy product.
Bankb.com is desperate so they say fine and hand over the cash.

Suddenly the bad guy is presented with a problem. He’s got to find a
way around this whole Snakeoil software or he’ll be out of business.
So he invests a few hours, finds an easy way around it and voila. Back
in business. So the bad guy again diversifies his fraud across both
banks again. Banka.com sees an increase in fraud back to the old days,
which can’t be correlated to anything having to do with the Snakeoil
product. Bankb.com sees their fraud drop immediately after having
installed the Snakeoil therefore proving that it works twice if you just
look at the numbers.

Meanwhile what has happened? Are the users safer? No, and in fact, in some cases it may even make the users less safe
(incidentally, we did manage to finally stop AcuTrust as the company is
completely gone now). Has this stopped the attacker? Only long enough
to work around it. What’s the net effect? The two banks are now
spending money on a product that does nothing but they are now convinced
that it is saving them from huge amounts of fraud. They have the
numbers to back it up – although the numbers are only half the story.
Now there’s less money to spend on real security measures. Of course,
if you look at it from either bank’s perspective the product did save
them and they’ll vehemently disagree that the product doesn’t work, but
it also created the problem that it solved in the case of bankb.com
(double the fraud).

This goes back to the bear in the woods analogy that I personally
hate. The story goes that you don’t have to run faster than the bear,
you just have to run faster than the guy next to you. While that’s a
funny story, that only works if there are two people and you only
encounter one bear. In a true ecosystem you have many many people in
the same business, and you have many attackers. If you leave your
competitor(s) out to dry that may seem good for you in the short term,
but in reality you’re feeding your attacker(s). Ultimately you are
allowing the attacker ecosystem to thrive by not reducing the total
amount of fraud globally. Yes, this means if you really care about
fixing your own problem you have to help your competitors. Think about
the bear analogy again. If you feed the guy next to you to the bear,
now the bear is satiated. That’s great for a while, and you’re safe.
But when the bear is hungry again, guess who he’s going after? You’re
much better off working together to kill or scare off the bear in that
analogy.

Of course if you’re a short-timer CSO who just wants to have a quick
win, guess which option you’ll be going for? Jeremiah had a good
insight about why better security is rarely implemented and/or sweeping
security changes are rare inside big companies. CSOs are typically only
around for a few years. They want to go in, make a big win, and get
out before anything big breaks or they get hacked into. After a few
years they can no longer blame their predecessor either. They have no
incentive to make things right, or go for huge wins. Those wins come
with too much risk, and they don’t want their name attached to a fiasco.
No, they’re better off doing little to nothing, with a few minor wins
that they can put on their resume. It’s a little disheartening, but you
can probably tell which CSOs are which by how long they’ve stayed put
and by the scale of what they’ve accomplished.

Robert Hansen is the CEO of SecTheory. This essay originally appeared on ha.ckers.org.

Home page image via oreillyconf‘s Flickr photostream.

Suggested articles

Discussion

  • Mark on

    Nice analysis.

  • Trevor on

    Interesting article.

  • Ed on

    Nice, incidentally typo para 2, line 2, word 2. IMHO the dig at CSOs in the final para doesn't add to the post and may even detract.

  • Anonymous on

    Businesses don't like IT and don't trust them.  The ONLY security they feel good about is outsourcing and holding thier hand over the big red "You're fired!" button.  That's as much decision making as they can be bothered with.

  • Ivan Pavlov on

    Some simple experimental designs will allow any good customer to correct their flawed causal analysis. A simple reversal design (banka(condition A - no snakeoil))=fraudsub1, then implement trial (banka(condition B - with snakeoil) = fraudsub2, then reimplement A then B. If snakeoil is having an effect it will reverse. If the attacker is responding to the "perception" of the security (i.e. a fake security sign in front of your home) then, in fact, it does 'work' - perhaps not in the way described. Second, if banka has more than one bank, or several computer centers, it can distribute the roll out in phases and determine, perhaps statistically, any variance in fraud across the units as a function of the roll out. This is an A-B design essentially but rolled out unevenly across multiple sites A-B(bank1), then A-B(bank2), then A-B(bank3) some level of causal analysis can be had. If there is a "perception" question - rather than causal - the experimental modification itself should be hidden. If it cannot be hidden then a non-causal element ("a placebo") should be implement across all conditions to create the perception of a bank wide roll out when, in fact, only one bank unit has been changed. A placebo element would see the drop off across all units - thus exposing the 'perception effect' and not the actual causal relationship. The term "snakeoil" is highly prejudicial and for the sake of simple discussions of causal relationships you tend to want to at least give the impression of neutrality.
  • Paul on

    Snakeoil???

    Trusteer.com

    Trusteer works with more than 60 leading banks around the world to keep your online bank account safe from online fraudsters. Trusteer Rapport has been downloaded by more than 11 million customers. It picks up where anti-virus and firewalls leave off, preventing new, sophisticated attacks that anti-virus and firewalls are not always updated to protect you from. To download Rapport now, click here

  • Anonymous on

    Interesting article, but really you can apply your analogy to all security improvements. To summarize your article until perfect security is invented, the only net result a security improvement will bring is too redirect attackers to less secure systems which are equally lucrative. Once the improvement is circumvented then new technologies will need to be developed. This investment in your "snake oil" technology funds the next generation of security technologies. It is a cat an mouse game. Your article implies that banks simple don't care about perfect security, that is not true, they just realize that security is far from perfect and never will be (while being usable). To do sweeping changes, doesn't guarantee improvement, and usually will do more harm than good. It is not surprising that nobody listens too you.
  • Jeff Martin on

    Since as you say the real world has many attackers, wouldn't at least some of them crack Snakeoil just to avoid having to compete with all the others over bankB?

  • Brian on

    BankB are a bunch of jerks.  I had a savings account with them and they started charging me $14 per month and the account had only $64 in it!!  I hope BankB has fun dealing with their viruses, I clicked some popups once and had to get my computer cleaned out good.  Thankfully all my important pictures were safe at Facebook.

  • OrugTor on

    Good article. The bit about CSOs is relevant but if the CSO's only option is better snake oil can we really blame them? You avoided the inevitable solution: put a bullet through the bear's brain. I'm not advocating executing criminal hackers (I wish, but impractical) but putting a few away for draconian sentences may be more effective than giving a 5-year sentence, out in three and hiring the "reformed" bad guy as a security consultant. If the resources devoted to all those CERTs were used to hunt down and neutralize the bad guys we might see real gains ...eventually.
  • Anonymous on

    Dude, gross oversimplifications. Give up!

  • Ralph Dratman on

    In evolutionary terms, your CSOs (??) are parasites, not real participants. They don't contribute to the long-term health of a host company. Just the opposite: they cause a company to consume more, and raise metabolic levels. to create a short period of high growth, but when the parasites eventually drop off (think of ticks) the companies are worse off than before.

    The long-term result is that not only the affected companies, but also the parasite community eventually die off. They end up among evolution's failures.

  • WNight on

    This article is spot on. Even total snake-oil can appear effective and thus when evaluating security products you need to go on more than their claims. Even though they may be true they may not mean what either party thinks they do. As to working on proper security, no level of snake-oil is ever going to add up to anything useful. A single error can ruin an otherwise great security system. The idea that buying worthless product now funds a worthwhile one later is like expecting Homeopathic "research" to lead to real medical advancement. Garbage in, garbage out. My (insecure) bank currently asks me four different things plus my account number when I login. Some of these things they prompt me for with pictures or phrases. None of it adds any more security than one good password but instead of one password I'm left remembering twelve different pass words, numbers, and phrases, all of which must be identical down to the capitalization and spacing. But a bad-guy would capture that key-for-key plus screenshots and in watching a maximum of four logins would have all this extra information and be able to login without a single problem. They could text my prearranged cell-phone with a login code when I attempted to login, or something. There are a lot of ways to actually add some extra security but they keep increasing the hoops instead of the security because it's easier and looks about the same. The CSO might be the specific position in charge of this, but where they're rewarded on false metrics you really need to blame the board and investors as well.
  • Lewis on

    This is the same behavior exhibited in the Auto Security Industry. The Club does not keep anyone from stealing a car, most joy riders just get annoyed by it so they'll break your window and move on to one without. In the late 80's Chevy introduced the VAT system to supposedly keep your Corvette safe. It didn't. Most Chevy's could be started with a screwdriver well into the 90's. Most foreign cars had the same weakness. The fact is that the car manufacterers were glad to have their cars stolen and hoped the customers would come back to them for replacements. I'm sure most people have seen cars on the back of a tow truck or flatbed with the alarm going off. I for one have yet to see a cop stop one. I've heard enough stories of cops seeing an active LoJack and not bothering to go after it, because it's a pain in the ass. Like he said, the hacker/thief will go after the easier prey, it doesn't mean that they can't take down the big dogs with a little more effort, and they eventually will when they're done with the rest or they feel up to a challenge.

  • Joe McDonagh on

    This article is horrid, except for maybe the last third or so which I mostly agree with. But that would never even be gotten to IRL because crackers would just break into $nameless_software for bankA, then loot and plunder both banks A & B. I really think you're mis-representing the psyche of hackers and crackers by this first part of the article. These guys (whatever your label is, I don't really care) like to break shit for the sake of breaking shit (even worse if they are true criminals and just want money they're more determined!). if you think an unknown piece of software is going to scare them away then I have trouble believing this was even written by you?? So, what is with this article?

  • Sehrwood Botsford on

    While this is an oversimplification, it's valid. Problem is that it valid for non-snake-oil advances too. The difference between them would show up in the amount of time it takes the Black Hats to circumvent the new protocol. Due diligence by a bank CSO would see them form a consortium about bank security, splitting the costs of developing real security. Indeed the best technique may be to hire two teams of such people -- one to invent new security protocols, and another to test them.
  • Seataka on

    heh, good one, - Just goes to show that George Carlin was right when he said:

    It IS all #ullXhit AND it's BAD for you.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.