
Crims share vulns but vendors don't. This needs fixing

Centrify's strategy man says attack re-use is an opportunity for better security

Interview Attackers like to re-use code, but vendors don't find out because they don't share, according to Centrify's David McNeely.

In Sydney for Gartner's Security and Risk Management Summit, McNeely – the company's veep of product strategy – said that realisation was driven home to him during the recent Black Hat conference in Las Vegas.

Just like anybody working with software, black-hats prefer the tried-and-true to creating something new.

This year's point-of-sale horrors are a good example: “Attackers tend to re-use their technologies,” McNeely said. “If they work out something in a point-of-sale system, they try it again and again.

“The industry needs to share information about what happens, how the attack worked, how to prevent it.”

That means overcoming the all-too-common shyness and shame: vendors dislike being “outed”, dislike outing themselves even more, and are fearful of going public in case knowledge enables more attacks.

“People are shy about how they secure things, in case they give away too much information about how a breach happened,” he added.

The Register also took the chance to sound out McNeely about the National Institute of Standards and Technology (NIST) recommendation that its community (US federal government IT) deprecate the use of SMS for two-factor authentication.

While the recommendation has been controversial, criticism mostly misses NIST's role – its recommendation is not, for example, something that influences other bodies like PCI (which regulates security of payment cards).

McNeely said the NIST publication is “good news – people are talking about it, and working through a lot of the different use cases. In some cases, SMS might be a satisfactory way to identify a person.”

Centrify said the document made it take a look at its own identity and access management products.

The decision they came to, he said, was that SMS should be separated from the act of identifying the user. “That means going from SMS as carrying the token, to SMS delivering a link to something else.”

While the user has an additional action – somehow approving or following the link sent to their phone – the validation “feels much the same to the user, but it's a much stronger authentication”. ®
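To make the distinction concrete, here is an added example in Python (not Centrify's code and not from the interview) of the second pattern: the SMS carries only a single-use, short-lived link, and the login started in the browser completes only after that link is approved out of band. The enrolled-device check, the placeholder hostname and the timeout are assumptions standing in for whatever the link hands off to.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory state. ENROLLED_DEVICE is an assumption: it models the
# "something else" the link leads to, e.g. an app session bound to the user's phone.
ENROLLED_DEVICE = {"alice": "device-abc"}
PENDING = {}        # login_id -> pending login record
NONCE_TTL = 300     # seconds a link stays valid (constructed value)


def _h(nonce):
    # Store only a digest of the link nonce so a leaked table cannot be replayed.
    return hashlib.sha256(nonce.encode()).hexdigest()


def start_login(user, now=None):
    """Browser session starts a login; returns (login_id, sms_text).
    The SMS carries a link to the approval step, not the second factor itself."""
    now = now or time.time()
    login_id, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    PENDING[login_id] = {"user": user, "nonce_h": _h(nonce),
                         "expires": now + NONCE_TTL, "approved": False}
    # example.invalid is a placeholder for the real approval service
    return login_id, f"Approve your sign-in: https://example.invalid/approve?n={nonce}"


def approve_from_phone(nonce, device_id, now=None):
    """Runs when the link is followed. Approval succeeds only once, only before
    expiry, and only from the user's enrolled device (assumption, see above)."""
    now = now or time.time()
    h = _h(nonce)
    for rec in PENDING.values():
        if rec["nonce_h"] and hmac.compare_digest(rec["nonce_h"], h):
            if rec["approved"] or now >= rec["expires"]:
                return False
            if ENROLLED_DEVICE.get(rec["user"]) != device_id:
                return False          # possessing the SMS text alone is not enough
            rec["approved"] = True
            rec["nonce_h"] = None     # single use: the link is consumed
            return True
    return False


def complete_login(login_id, now=None):
    """The original browser session finishes only after out-of-band approval."""
    now = now or time.time()
    rec = PENDING.get(login_id)
    if not rec or not rec["approved"] or now >= rec["expires"]:
        return False
    del PENDING[login_id]
    return True
```

Contrast this with an SMS one-time code, where whoever reads the message can type it into the waiting browser: here the message content on its own never completes the login.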
