GCHQ cyber-chief slams security outfits peddling 'medieval witchcraft'

It's not Advanced Persistent Threats, it's Adequate Pernicious Toerags

witch

Usenix Enigma 2017 The chief technical director of GCHQ's National Cyber Security Centre has rebuked infosec companies for spreading fear, uncertainty and doubt about hackers to sell products.

At the Enigma 2017 conference this week, Dr Ian Levy said world-plus-dog were trying to flog security defenses to tackle "advanced persistent threats," usually using photos of hoodie-cloaked blokes poised over a keyboard with Matrix-style green lettering in the background. But such figures – seen as untouchable, unbeatable, and untraceable – are chimeras, and it’s just “adequate pernicious toe-rags” who are doing the hacking, he argued.

“We are allowing massively incentivised companies to define the public perception of the problem,” he said.

“If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you – buy my magic amulet and you’ll be fine.’ It’s medieval witchcraft, it’s genuinely medieval witchcraft.”

He pointed out that a UK telco had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it. That’s not advanced by any stretch of the imagination, he said.

Part of the job of the NCSC is to take action against these very threats, he noted. The agency is the merger between six different government departments and wants to develop security systems that work, and offer them to companies for real-world deployment.

In November, the agency published its National Cyber Security Strategy 2016 to 2021 detailing these plans, and Levy suggested people take a read because “for a government strategy review it’s not completely crap.” The NCSC wants to promote “active security” – not active as in attacking but active as in “getting off your arse and doing something.”

One aspect of this was instituting a domain-based message authentication, reporting and conformance (DMARC) system for a gov.uk department that shunted spoofed emails into a discard folder. On the first day this system slurped up 50,000 emails and identified the domains they were coming from, enabling the agency to block them.

Within four days, the supply of spoofed emails had dried up and the system is now going to be rolled out for the Inland Revenue service and other UK government departments that ask for it. It’s also going to be offered to ISPs in the UK and those operators, like BT, who have foreign business arms can use it there too.

The agency also now acts as a central hub for getting rid of malware or phishing that’s being hosted on domains. By working with ISPs, it has cut the average time to take down general phishing sites from 27 hours in March to one hour this past month.

Over the same time period, the takedown time for sites hosting malware has been cut from 525 hours to 48 hours, and domains hosting UK government-branded phishing sites now remove the pages in around five hours, down from 45.

Levy’s talk was interrupted by a rather irate conference attendee who accused the agency of setting up a system that could possibly be used for censorship, similar to the UK’s infamous anti-porn firewall.

Levy said any such system would be voluntary, just like the anti-smut systems. But the attendee disputed this, saying that several of his friends have tried to turn off the anti-porn filter with no joy. Levy offered to have a chat with him afterwards and see if he could lend a hand. ®


Biting the hand that feeds IT © 1998–2017