HD Moore of Metasploit fame publishes a blog post about Universal Plug and Play (UPnP) vulnerabilities and now the Twittersphere is burning with prognostications of doom.
The blog post is based on some very interesting research by Rapid7 which does indeed make for worrying reading. But for me, the part that raises the greatest concern is the appendix. In it, Rapid7 lists previous research on the issue. And the scariest bit of all is the first entry, a link to a denial of service flaw reported by Milo Omega – in 2001!
A hacker/researcher of my acquaintance has been spitting blood on Facebook about the reaction to Moore’s blog post. And well he might, given that he gave a talk about this issue at a security conference nearly a year ago. And he points to the work of Dan Garcia, presented at Defcon 19 in 2011 (PDF), which included a tool to exploit UPnP flaws to mount proxying attacks.
But the fact is that the appendix in Rapid7’s report is long – some 20 entries listed under ‘Prior research’. The fact that Moore’s revelations are getting some traction has to be a good thing because, frankly, the message clearly hasn’t been getting out.
And I think this is an enduring problem in the world of infosec research. It seems difficult to communicate what’s significant.
Part of the problem is that there’s a lot of noise. Ethical hackers and academics frequently find flaws or attack vectors that get written up in technical papers and presented at conferences but which are never going to have an impact on the real world. That’s because they’re too obscure, or require highly specific environments that just aren’t common enough to attract cyber-criminals or hackers.
One of the challenges for me as a journalist with a passion for infosecurity is wading through the reports and presentations (those I actually see, which is only a fraction of what’s out there) and trying to divine what is significant and what is of only academic interest.
I’ve often heard researchers complain that the press don’t get security – and I’d agree that a lot of reporting about infosecurity, even from the IT press, is piss-poor. But the journalists are not solely to blame. Most are generalists with no specific interest in infosecurity. Even those who do specialise rarely have technical skills.
Too often, hackers will have something important to say but will just assume that the world will understand its importance, without them having to make any effort to communicate it.
Perhaps part of the problem is that much of the most interesting information is communicated at security conferences. But cons consist largely of hackers talking to hackers. It’s an inherently insular world – great for getting together and snickering about how dumb non-hacker civilians are. But only rarely is the cause of infosecurity advanced in the world in general.
Getting the message out to the wider world is something that requires communications skills that few hackers possess. Firms like Rapid7 do have those skills and have the ability to raise the profile of an issue and grab the attention of the media, so it’s unfair to give them stick for garnering attention for what some may see as an old problem. The truth is, it remains an unfixed problem, and why is that?
So if you’re a hacker who thinks you’re on to a problem of great importance, think about how you communicate that fact.