Monday, 4 June 2012

a few honest questions about Flame ... answer 'em

While I invited some of the most vocal people on the issue of #flame to our humble podcast tonight, nobody actually stepped up to the opportunity to openly discuss the issue. Too bad, so I'll put out the random questions floating around my head right now that I can't find a good answer to. If you have additional questions, I'm happy to add them to the list.

1) Microsoft, WHAT THE F- HAPPENED THERE ??? You're practically the only vendor I've read sensible documentation from on how to build a reasonably secure PKI infrastructure, and now you come telling me that FOR ALL THESE YEARS any customer with a Terminal Services License was able to sign code, create MITM certs, etc.? If this actually was malware created by a "western intelligence agency" (see question 6 ;-)) you were pretty much thrown under the bus at terminal velocity. Here's a *hug*

2) Infosec community, WHAT THE F- HAPPENED THERE ??? We're there, crying wolf over a forged cert "because that kills people", every time Google updates the certs blocked by Chrome, but we manage to miss a flaw that should be blatantly obvious in a product of a vendor that is probably the most scrutinized in the world? (Obviously, part of that blame is mine. I'm ashamed for the lot of us.)

3) AV companies, WHAT THE F- HAPPENED THERE ??? So yeah, samples dating back to 2010 (unsigned, I've learned by now) didn't trigger any of the automated triage systems you employ. If we had triage systems like that in disaster situations ... WE WOULDN'T NEED TO BE LOOKING FOR SURVIVORS!

4) AV companies, WHAT THE F- HAPPENED THERE ??? Everybody's pushing out Flame-related content front, left and center, but it doesn't even sound like you're all speaking the same language. Is there actually any communication between you guys? Or is it each to their own, with everybody trying to outrun each other?

5) AV companies, WHAT THE F- HAPPENED THERE ??? So, Kaspersky got some major DNS providers to work with them and sinkhole domains identified as related to the Flame malware. Are you guys aware of those actions? Do you guys tip each other off? Wouldn't it make sense TO DO THIS TOGETHER? WTH are y'all spending resources on analyzing that piece of malware while one of you is jokingly redirecting all C&C traffic to their own servers? Seriously, last time I checked you needed a court order, or you needed to be the US government, to sinkhole domains.

6) US gov, Israel, WHAT THE F- HAPPENED THERE ??? Nope, I don't believe you guys are actually behind this one. You're scratching your heads in disbelief and are actually happy that people are crediting you with the leet skills needed to pull this one off ;-)
