The CISSP is dead. Or at least it ought to be.

I’ve seen multiple discussions from numerous frustrated CISSP holders about the increasingly perceived lack of value for the certification, the way ISC2 seems more focused on fees and money, and the fact that ISC2’s level of service for members is poor and getting worse. Most shockingly on the latter is the fact that members can’t renew due to website issues and then incur hundreds of dollars in late penalties.

This has led to a lot of discussions about whether the CISSP is worth it.

I’ve said my opinion on these threads and I’m putting it here too.

The CISSP is no longer worth the time or money. Nor is the ISSMP (or any of the other ISC2 certifications).

I retired my CISSP and ISSMP in 2011 when I left Microsoft to go independent. Quite honestly, I couldn’t afford the cost of the upkeep on my own.

I can say in all honesty, I haven’t missed it a bit. When you figure I’ve probably saved nearly US$2,000 in retiring it, I can’t say I’ve felt a $2,000 loss in value.

In hiring discussions I’ve never ONCE heard someone say “well, I like this candidate, but she/he doesn’t have a CISSP”.

I’ve never ONCE heard someone say “I got my job thanks to my work with ISC2”.

Most of all, in my direct experience, the CISSP is becoming synonymous with “old white security guy”. It’s becoming a marker that the holder is a security person from the 90s/00s. Granted, I’m one of those people, but pegging yourself as that in this highly competitive, age-conscious market does you no good. And being aligned with a group that exhibits little diversity, little awareness of its lack of diversity, and doing little about it does you no good either.

Granted this is my opinion. But I don’t think I’m alone in this.

Unfortunately, a lot of people are afraid to speak this truth, to let their CISSP lapse because they feel it’s a risk.

That’s reasonable. For me, I feel it’s worth taking the risk to speak the truth. And wasting time and money on an organization that has become self-serving and focused on raking in fees on autopilot doesn’t seem smart to me.

Crossposted to LinkedIn, Medium and Reddit.

Vulnerability in Westworld Host OS “Handshake” Protocol Enables Complete System Control

Details
================
Software: Westworld Host OS
Version: Unknown but all available versions believed vulnerable.
CVE: Awaiting assignment
Patch Status: None Available
Homepage: https://discoverwestworld.com
Advisory report: https://christopherbudd.com/2018/06/14/vulnerability-in-westworld-host-os-handshake-protocol-enables-complete-system-control

CVSS 3 Scores:

  • CVSS Base Score: 10.0
    • Impact Subscore: 6.0
    • Exploitability Subscore: 3.9
  • CVSS Temporal Score: 10.0
  • CVSS Environmental Score: 9.9
    • Modified Impact Subscore: 6.0

Overall CVSS Score: 9.9

Summary
================
This vulnerability has been observed under active attack (see “Proof of concept” below).

Zero-day network-based buffer overrun in Westworld Host OS “Handshake” Daemon gives ROOT, possible worm via multicast, leading to effective complete system-wide elevation of privilege via host-OS escape.

Vulnerabilities
================
Westworld is an adult resort run by Delos Destinations where human guests interact with AI-powered android “hosts” in themed parks. “Westworld” has an American Wild West theme, while Samurai World has a medieval Shogun-era Japan theme, among others. Because Westworld was the first park, the “hosts” are referred to as “Westworld hosts” and the underlying operating system as the “Westworld host OS”, regardless of which theme park the host is deployed in.

Each individual park encompasses vast physical distances, sometimes including significant physical barriers like deserts, mountains, lakes, canyons and small oceans. Taken together, these physical barriers make reliable wi-fi networking infeasible.

To address the problem of locating hosts across these broad geographic areas the developers of the Westworld host OS, Dr. Robert Ford and Arnold Weber, implemented a lightweight peer-based protocol that appears to be a proprietary derivative from the known-problematic Universal Plug and Play (UPnP) protocol. They have confusingly (and misleadingly) called this a “handshake” protocol, even though it actually does not use handshakes similar to other networking protocols like TCP.

The “handshake” protocol is used by Westworld technicians to locate specific hosts within the park. A technician will initiate the sequence by sending a locate request using the protocol via the Westworld host OS radio frequency peer broadcast protocol (itself another proprietary protocol). As per standard UPnP, the request is multicast to all Westworld hosts within receiving distance of the signal. Upon receipt, if the receiving host isn’t the one specified in the request, it will rebroadcast the request. This sequence continues and if the specified host receives the request, it responds with its own message to the originating sender with basic location information using the same method as outlined already.

Like many proprietary derivatives, this particular implementation is very problematic and has at least one demonstrated vulnerability: an unchecked buffer in the processing of “handshake” protocol packets by the Westworld host OS. The Westworld host OS itself appears to be a Linux derivative, and the daemon that handles the “handshake” protocol appears to run with root privileges.

Taken together, this means it’s possible for a rogue host whose AI has gained root privileges on its own host to take control of its own “handshake” protocol daemon, craft a specially malformed “handshake” protocol packet and broadcast it to all hosts within physical receiving distance of the signal. When the receiving, vulnerable host OS processes the malformed packet, the initiator’s malicious commands execute on the target host OS with root privileges, giving the initiating host total control of the target host.

Because of the nature of Westworld hosts and how the “handshake” protocol is implemented, a fully realized attack using this vulnerability could result in a worm causing all reachable hosts to execute the malicious commands. The time to complete such an attack would be limited only by the time it takes for the signals to be passed from one host to another.
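The two defects the advisory combines are an unchecked length in packet processing and an unbounded rebroadcast loop. The following C is an added example, not code from the advisory or from the (undocumented) Westworld host OS; the datagram layout, the `TAG_MAX` limit, the hop-count field and the sample packets are all constructed here for illustration. It shows the locate/rebroadcast receiver written so that every wire-supplied length is validated before any copy and the flood is bounded by a hop budget.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical "locate" datagram layout, constructed for this example only
 * (the real Westworld host OS format is undocumented):
 *   byte 0       message type: 1 = locate request, 2 = locate reply
 *   byte 1       hops remaining; decremented on every rebroadcast
 *   bytes 2..3   target host id, big-endian
 *   byte 4       N = length of the sender tag that follows
 *   bytes 5..5+N sender tag, not NUL-terminated on the wire
 */
#define HDR_LEN 5
#define TAG_MAX 32

enum msg_type { MSG_LOCATE = 1, MSG_REPLY = 2 };
enum action { ACT_DROP = 0, ACT_REPLY = 1, ACT_REBROADCAST = 2 };

struct locate_req {
    uint8_t  type;
    uint8_t  hops;
    uint16_t target;
    char     tag[TAG_MAX + 1];   /* fixed buffer: the target of an unchecked copy */
};

/* An unchecked parser would do, with no test on pkt[4] at all:
 *     memcpy(out->tag, pkt + HDR_LEN, pkt[4]);
 * A length byte above TAG_MAX then writes past out->tag, which is the
 * class of defect the advisory describes. The version below checks every
 * wire-supplied length against both the datagram size and the destination
 * buffer before copying. Returns 0 on success, a negative code otherwise. */
int parse_locate(const uint8_t *pkt, size_t len, struct locate_req *out)
{
    if (len < HDR_LEN)                               return -1; /* truncated header */
    if (pkt[0] != MSG_LOCATE && pkt[0] != MSG_REPLY) return -2; /* unknown type */
    size_t tag_len = pkt[4];
    if (tag_len > TAG_MAX)                           return -3; /* would overflow out->tag */
    if (HDR_LEN + tag_len > len)                     return -4; /* claims bytes the datagram lacks */

    out->type   = pkt[0];
    out->hops   = pkt[1];
    out->target = (uint16_t)((pkt[2] << 8) | pkt[3]);
    memcpy(out->tag, pkt + HDR_LEN, tag_len);
    out->tag[tag_len] = '\0';
    return 0;
}

/* Receiver logic: malformed packets are dropped before anything else happens,
 * the named host replies, and every other host rebroadcasts only while the
 * hop budget lasts, which bounds the flood the advisory calls a possible worm. */
enum action handle_locate(const uint8_t *pkt, size_t len, uint16_t my_id,
                          uint8_t *fwd, size_t fwd_cap, size_t *fwd_len)
{
    struct locate_req req;
    *fwd_len = 0;
    if (parse_locate(pkt, len, &req) != 0) return ACT_DROP;
    if (req.type != MSG_LOCATE)            return ACT_DROP;
    if (req.target == my_id)               return ACT_REPLY;
    if (req.hops == 0 || len > fwd_cap)    return ACT_DROP;
    memcpy(fwd, pkt, len);
    fwd[1] = (uint8_t)(req.hops - 1);      /* spend one hop before forwarding */
    *fwd_len = len;
    return ACT_REBROADCAST;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t SAMPLE_GOOD[]      = {1, 3, 0x00, 0x07, 4, 'T', 'E', 'C', 'H'};
static const uint8_t SAMPLE_OVERLONG[]  = {1, 3, 0x00, 0x07, 200, 'x'};      /* tag length > TAG_MAX */
static const uint8_t SAMPLE_TRUNCATED[] = {1, 3, 0x00, 0x07, 10, 'a', 'b'};  /* claims 10 tag bytes, has 2 */
static const uint8_t SAMPLE_NO_HOPS[]   = {1, 0, 0x00, 0x07, 0};             /* hop budget exhausted */

static uint8_t g_fwd[256];
static size_t  g_fwd_len;

/* Small wrappers so the outcome of each sample is a return value. */
int parse_status(const uint8_t *pkt, size_t len)
{
    struct locate_req tmp;
    return parse_locate(pkt, len, &tmp);
}
enum action classify(const uint8_t *pkt, size_t len, uint16_t my_id)
{
    return handle_locate(pkt, len, my_id, g_fwd, sizeof g_fwd, &g_fwd_len);
}
int forwarded_hops(void) { return g_fwd_len ? g_fwd[1] : -1; }

int main(void)
{
    static const char *names[] = {"drop", "reply", "rebroadcast"};
    printf("good, addressed to me : %s\n", names[classify(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 7)]);
    printf("good, not for me      : %s (hops left %d)\n",
           names[classify(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 9)], forwarded_hops());
    printf("overlong tag length   : %s\n", names[classify(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, 9)]);
    printf("truncated datagram    : %s\n", names[classify(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 9)]);
    printf("hop budget exhausted  : %s\n", names[classify(SAMPLE_NO_HOPS, sizeof SAMPLE_NO_HOPS, 9)]);
    return 0;
}
```

The two checks in `parse_locate` are the whole fix for the overflow: the length byte is compared against the destination buffer and against the bytes actually received, so an attacker-controlled length can at worst get the packet dropped. The hop budget in `handle_locate` addresses the second problem separately; even a well-formed request cannot circulate indefinitely, and a daemon that still ran as root would at least not be amplifying every broadcast across the park. The privilege level of the daemon itself is a third, independent issue that no parser change addresses.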

An attack using this vulnerability has been observed in the wild. As shown in the proof of concept video below, the “Maeve” host can be seen exploiting the vulnerability to issue root-level commands to hosts in Samurai World. It’s notable that these commands lead to effective self-destruction of these hosts: this underscores the total nature of the compromise.

This is the only known attack so far. No fully realized attack has yet been observed. However, based on this analysis, it is believed that a fully realized attack taking total control of all hosts within the park is viable and could be carried out successfully in a matter of mere minutes.

The Westworld host OS is proprietary and the source code isn’t available. However, the trivial nature of this vulnerability points to a lack of proper threat modeling and security review, such that other equally serious and trivial vulnerabilities are nearly certain.

Proof of Concept
================

Mitigations
================
None

Workarounds
================
None

Timeline
================
2018-06-03: First in-the-wild attacks observed
2018-06-10: Additional details on attacks discovered
2018-06-14: Detailed analysis completed
2018-06-14: Unsuccessfully attempted to locate vulnerability contact information on website
2018-06-15: Advisory published

“On this day”….

…I pruned my Facebook postings.

One of the things I do each day is I take a moment and pop over to the “On this day” page on Facebook.

I do it for a couple of reasons.

First of all, it is kind of fun to see what was going on in the past. So I take a look over it to see what’s there.

Second, after I look it over, I go through and delete nearly every posting I’ve made there. I delete nearly every posting someone has put on my timeline. And I remove nearly every tag that someone has made of me. I only keep a very, very few postings that are really fun or somehow meaningful to me.

I do this as an exercise in data retention hygiene. There’s no need to keep all old postings, so I delete them.

Yes, if Facebook or someone wanted to, they could go to backups/archives and restore the posts. But I don’t need to make getting to old posts any easier than it needs to be. If someone really wants to know that I said I was eating a cheese sandwich at 10 AM PDT on Friday September 7, 2007, I’m going to make them work for it.

This points to a best practice we all need to follow in the era of seemingly “always there social media”: pruning. It’s a form of social media decluttering. But it’s also our personal version of the best practice of only keeping essential data for as long as we need to.

It can be hard to do this with social media. In some ways, social media is more like a photo album. But the best photo albums keep the best, most meaningful pictures.

There’s a philosophical piece here too. It’s a daily exercise in not just remembering the past, but remembering to let go of it. It reminds me that everything is transitory. We don’t have forever: it’s important to remember that too.


Remembering the Old Ways

Or: Making sure you know what to do if technology fails.

The Daily Telegraph in London has a very interesting story today about how the US Navy is reinstituting celestial navigation training as part of their training for recruits: http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11931403/US-navy-returns-to-celestial-navigation-amid-fears-of-computer-hack.html.

The reason for this is simple and sound: they want to make sure that if computer-based navigation is crippled or compromised, navigators can still navigate.

In my mind this is a brilliant piece of realistic forethought. The fact is that we are becoming so reliant on the Internet and apps and have been for long enough now that people are growing up totally lacking some critical skills to survive if those go away.

Just two years ago we read about how many people under 25 can’t read maps.

Like many security people, my favorite SciFi TV show is Battlestar Galactica because it outlines a very realistic scenario that can come about with too much networking and technological reliance and too little backup and off-line capability.

It’s good to see the US Navy watched the series and got the memo.

“Hackback”: A New Approach

Today we read about the likely death in a drone attack of an ISIS hacker/warrior/cyber-jihadist:

http://www.forbes.com/sites/seanlawson/2015/09/12/with-drone-strike-on-isis-hacker-u-s-escalates-its-response-to-cyber-attacks/

In the infosecurity world, we’ve heard for years about the idea of “hackback”, basically an offensive response to an offensive action. Every couple of years this idea comes back around as someone gets frustrated with feeling like the attackers have all the advantages (and fun) and wants to take the fight back to them.

It’s an understandable idea. And, in some measured cases may even make sense. But as a blanket rule, no it’s not a good idea.

This latest development shows that “hackback” doesn’t need to be contained to computer tactics: a physical or kinetic response is just as (if not more) effective.

The bigger story though is how this shows that the idea of “infosecurity” is more and more an empty concept and that it’s all just “security”.

Comment Article on the Clinton Email Server Issue

My latest posting over at Geekwire is my analysis and commentary on why Hillary Clinton using a “homebrew” email server is a major security problem.

http://www.geekwire.com/2015/why-the-clinton-email-server-story-matters-and-why-it-may-be-worse-than-you-think/

Comments on the Stratos Digital Wallet Card

I got to talk with KIRO Radio here in Seattle recently about some of the risks with new, untested digital wallet cards like the new offering from Stratos. Plus, my comments on how cash may make a comeback.

http://mynorthwest.com/11/2723041/Digital-payment-is-waiting-in-line-for-when-credit-cards-die