Hack in the Box – DNS expert swings a punch

I’m currently in Kuala Lumpur, capital of Malaysia, for HITB – the 8th Hack in the Box conference.

HITB prides itself on being a “deep knowledge” security event – no commercial speeches from vendors and no way to buy a speaking slot. You know you are in a techie conference when two or more of the official Conference Crew have digits in their names. At HITB, that’s at least three people.

It looks as though the conference is going to produce some serious controversy, at least with me.

In one of the opening keynotes, for example, Paul Vixie, of the BIND DNS server fame, summed up and dismissed the anti-malware industry in just a few seconds, with words to this effect: “I understand the anti-virus industry pretty well. It’s dud. It’s reactive.”

Fighting words.

Interestingly, Vixie went on to describe Passive DNS, a technique for mapping IP numbers onto all possible hostnames. (DNS lookups only let you discover the name-to-IP mapping in use at any instant in time. They don’t tell you which hostnames might have resolved to that IP yesterday, nor do they advise you which names might be in use tomorrow.)

Mapping the bad guys using Passive DNS works by accumulating historical DNS lookups. Useful, indeed, but it only answers the question of which names resolved to which IPs yesterday.

So Vixie dismissed the whole anti-virus industry – which he seems to imagine is signature based, an approach we stopped relying on back in the late 1980s when the first polymorphic, self-mutating viruses came out – for being reactive, whilst promoting his own technology for mapping the Bad Guys which is itself based entirely on aggregated historical data. In a word, reactive.

The truth is that no-one in computer security, except perhaps the crooks themselves, can predict what tomorrow’s malware, tomorrow’s dodgy domain names, tomorrow’s bot command and control servers, or tomorrow’s illegal money-making scams are going to be.

But we can guess what tomorrow’s cybercriminality will be like, if we are well-informed about what has happened so far. (The fancy name for this is “heuristics”.) And, indeed, the anti-malware industry is getting better and better at proactivity all the time.

This, paradoxically, is why the rate of appearance of new malware is increasing. Not because the crooks are getting smarter, but because we are making life harder for them. Trust me. The cybersecurity glass is not half-empty, as some might like to to think. It is at least half-full, and filling.

We’ll fill the glass even faster if the various subsects of the computer security industry stop pointing fingers at each other, and calling each others’ technologies “dud” without fair cause. We have a common enemy, and we know that.

We really need to learn to love each other a bit more – and I intend to use the rest of my time at HITB to promote that message.

Nevertheless, watch for some fireworks in tomorrow’s panel session! I’m on the panel, and so is my long-time friend-but-competitor Mikko Hyppönen. Neither of us likes being called “dud”, and in both of our opinions (I just asked Mikko), we genuinely don’t deserve it.

Watch this space for further news.