A Chapter Closes

When we registered the domain cyber.wtf, G DATA Advanced Analytics (ADAN) was only Marion, Jan, and me. Our sole offer was malware analysis and we were sharing an office that had been vacated by G DATA’s security labs and was scheduled for a thorough workover later that year. That was almost exactly six years ago.

:~$ whois cyber.wtf
Domain Name: cyber.wtf
Creation Date: 2016-02-25T10:00:20Z
Registry Expiry Date: 2022-02-25T10:00:20Z

A few months back, I had accepted the task to build a security service provider under the roof of an AV company. ADAN has grown quite a bit over the years in terms of people and portfolio, and G DATA has changed and grown as well. It’s been quite a ride and I’d like to thank everyone who supported our cause and who lent me and my colleagues their ears, heart, and brain over the years. At the end of February I’ll resign from my role as founding CEO of G DATA ADAN.

All the best,

Security for Sale? – On Security Research Funding in Europe

On Wednesday, Feb. 22. 2017, a collective of 20 journalists from eleven countries published their recherches on the European security industry. The article, Security for Sale, published at The Correspondent, mostly seems to revolve around the question of how the funding several players in the field received from Horizon 2020 (H2020) and FP7 framework programmes are put to use for the European people. H2020 is the European Commission’s current funding initiative for research and innovation. Here is the commission’s own explanation.

Simplified, the authors of Security for Sale conclude that the benefit of funding security research for the Europe as a whole is limited, but that the funding works pretty well as hidden subsidies for the industry itself. Their wording is more lenient than mine, but nevertheless I feel that the picture the authors draw is incomplete and I’d like to add another perspective. I can only assume that the data for this article stems from the Secure Societies line of funding, as its core topics are emphasized in the article and some of the articles it links to refer to that – the article does regrettably not contain any straightforward references to its sources. And in my opinion, the Secure Societies line of funding does indeed sometimes yields research results that are scary to everyone who did not answer the question of ‘how do we want to live?’ with ‘I liked the setting depicted in Minority Report quite a bit, but it’s missing the effectiveness of Judge Dredd’.

The authors describe the landscape in the security sector roughly as 1) the big players, where kinetic and digital technology converge, 2) research organizations, 3) universities, and 4) small and medium enterprises (SMEs). Our sector, of Ze Great Cybers, primarily hides in 4) and to some extent increasingly in 1). The article does not explicitly touch the field of information security and neither do many calls in the Secure Societies context, however, most of the projects need to touch the digital domain at some point or other, making it clear that a division of information security and all the other potential flavors of security is merely artificial, given our current state of technology. As the authors observe, this is also reflected by the upcoming funding opportunities:

“similar programs are being set up for cybersecurity and military research”

The EU and some of it’s member states are late to the game and I’m aware that not everybody hacking at computers likes the notion that InfoSec and defense converge. I also dislike the idea and I somehow liked the Internet better when it was still a lot emptier, or as Halvar Flake once put it:

However, I came to enjoy civilization and as most people, I rely on the critical infrastructures that make our societies tick. I’ve been leading incident response assignments in hospitals more than once in the last year and as a human, who may suddenly require the services of a hospital at some point or another, I am very grateful for the effort and dedication my colleagues and the clients’ staff put into resolving the respective incidents. If this means I’m working in defense now, then I still dislike the notion, but I see that the work is necessary and also that we need to think more on the European scale when we want to protect the integrity of our societies. Packets only stop at borders of oppressive societies and that shouldn’t be us.

Now let’s have a look at where the EU’s security research funds go to, according to the article. The authors state

“Companies received by far the most money. That’s not particularly surprising; these same companies were the ones influencing funding policy.”

and illustrate it with the following figure:

Figure 1: Security research funding distribution. Illustration by The Correspondent.

In 2015, I was directly responsible for four H2020 grant applications and consulted on several other applications for nationally or regionally managed funding opportunities. Security in its various flavors is a tiny part of the picture. I’m happy to state that we had an above the average success rate. The illustration in the article struck me as familiar: to me, Figure 1 simply shows a typical distribution of funding within the majority of grant applications I’ve worked on. So it is hardly surprising that the global distribution of funding within technology sector of the programme looks very similar. There is nothing much sinister to that.

Larger corporations do have more opportunities to influence policy, as they can afford the time/resources to lobby. But the main reason for the distribution is salaries on the one hand and grant policy on the other. An engineer working at a large corporation will be more expensive by factor 1.2 to 2.3 than a PhD student, depending on country and the respective corporation. A factor of ~1.9, as in the figure, does not look unreasonable, given that the figure accounts for accumulated costs, not just personnel and that it is more likely that a corporation or a research institute will take the effort of building a demonstrator or pilot installations of a technology, as universities regrettably tend to lack monetization strategies for research results.

Government entities, as the next in line, tend to have very limited personnel resources for research projects and do not have a lot of wiggle room when in comes to contributions.  With a funding scope that aims at technological advances, funding for advisories is often politically limited, and rightly so. As the figures are very much aggregated, I can only assume that the complete sum also contains Coordination and Support Actions (CSAs), which are rather limited funding schemes, financially speaking, that aim at connecting related projects and generally at the systematization of knowledge to avoid arriving at one insight at twice of thrice the funding. This work is sometimes done by entities that could classify as advisories. ‘Other’ can be translated to network and dissemination partners, or dedicated project management (which makes a lot of sense, H2020 projects can be large in terms of the number of partners).

Now let’s not talk militarizing corporations enriching themselves, as the article’s authors suggest, let’s talk research funding effectiveness. I my conversations with the granting side of research funding, it is a constant pain that there is a significant amount of research projects being funded that do not amount to a product. I have seen quite a few projects where I would judge without hesitation that the project was a WoMBaT (i.e., Waste of Money, Brains, and Time) and did primarily serve to compensate for the lack of public funding towards universities.

But that is only a small part of the picture. Another part is that there is a very expensive zone between ‘things you can publish’ and ‘things you can actually use’. Simplifying, technological progress has a tendency to increase complexity. To specify their expectations regarding the results of a funding measure, the European Commission adopted NASA’s Technology Readiness Levels (TRL). In the rather broad field of engineering, we often see the requirement for a validation under lab conditions (TRL 4), to the extent of a working prototype under field conditions (TRL 7), depending on the class of funding action. The funding of a given project often ends at that point.

Using my terminology from above, in the best case you then have something you can publish and/or show off, i.e., an interesting approach that has been shown to be feasible. Between that and monetization are the roughly two to seven years you’ll often need in engineering to go from a prototype to a product. And strictly speaking, research funding ends here, because research ends here. There are almost no publicly funded actions that will allow you to go towards product development, although piloting of a technology in the field can be funded (TRL 9). Nevertheless, either a company is now able to fund the continued development towards a product, or not. This is still a limited view, as I don’t need a new product to monetize research results. It is just as desirable to to improve an existing set of products and services, based on new research results. It is, however, by far not as visible.

Now why more so much funding for the big players? Research grants tends to have a bias towards those applicants, who were able to successfully complete a project, presented impressively in the past and are generally held in good standing. Sounds familiar? Yep,sounds like selecting talks for Black Hat or any other non-academic security conference, where the process is single-blind and the committee needs to judge based only on an abstract, not a full paper with a proper evaluation section and extensive related work. If the data is relatively poor, judgment needs to rely on the applicants reputation and previous work to some extend. And in comparison to a well-backed research paper, grant applications are in their nature always speculative, although very much more detailed than the abstract of a conference submission. If one knew how something was done in the first place, there’d be no need to call it research and there’d be no reason for a grant. The important point is not to fail, if one wants to continue receiving grants (cf. bias, above).

And that still does not fully account for the observation that big players are doing very well in grant applications. A H2020 application is a lot of work, it’s often a hundred pages just for sections 1 to 3, which can easily amount to 100 person days for the coordinator until everything is properly polished. The acceptance rate for Research and Innovation Actions can be as low as 6%. Academic Tier-1 conferences are relaxed in comparison. A small company may simply be unable to compete, economically, i.e., it cannot accept the realistic risk of putting a lot of effort into naught. It’s not as hard in other types of actions, but the risk is still significant and acceptance rates have been getting worse, not better.

“Our investigation reveals that EU security policy emphasizes technology: a high-tech solution is being sought for a societal problem.”

From an outside position I feel that I’m unable to judge the intention and the mindset of the various individuals responsible for the actual wording of the H2020 calls. The persons from this context I’ve met in the past did, however, not leave an impression of exceptional naivety. I genuinely believe that it is in the best interest of European countries and the EU to fund security research, without denying that there may be recipients of funds with a questionable ethical standard. As Europeans, we need to address these issues. I do not want to live in a militarized society and I don’t believe in solving societal problems purely through technology. However, I see a significant amount of opportunities, where usable, efficient technology can enable solutions for societal problems. Given my socialization, I may have a bias towards the security spectrum of research, but that said, I see quite a few things that can and should be done to positively impact the security of our societies. In a changing political climate, Europe needs to step up its security game, also and especially in the digital domain.

And now excuse me, I need to continue that research grant proposal. I’m not doing that for kicks and neither in pure self-interest.

G DATA ADAN at WKÖ eDay:16 in Vienna

Yesterday, G DATA Advanced Analytics was present at the WKO eDAY:16 in Vienna; a magnificent event, gathering Austrian economists and security professionals. Talks and panels were centered around the question, how to level up on Austrian corporate security in times where the internet is a hostile place.

Live on stage that day was our own Marion Marschalek, who was invited to hold the afternoon keynote. The keynote topic, translated to English, would be “The good, the bad, and the clueless”, a title potentially covering so much that’s happening on today’s internet. There are a lot of WTFs in the cyber, right? On that specific occasion, the focus of ‘cyber’ was all on the wild, wild west of the internet. Just like Clint Eastwood and Lee Van Cleef in the prairie back in the days, we now all have fictional roles and lots of pretentions while hunting for the lost treasure. In reality, roles and intentions aren’t super clear anymore on the cybersinterwebs.

Marion Marschalek during her keynote (CC-BY Paul Landl/wkoe)

To sum it up: Today, you could be chatting with a fridge on IRC. Also, your network could be nuked by a DDoS attack, carried out by an army of… home routers. Yes, indeed there are DDoS botnets operating on CPUs of routers. Furthermore, there are botnets being operated by criminals. And then, there are botnets being operated by spooks. One of those was used by the GCHQ to nuke Anonymous [1]. Now go back home to check up on your router, will you? Scary.

Just like “Hello Barbie”, Mattel’s latest Barbie doll, pretty as ever, and, since recently, extravagantly smart. Because “Hello Barbie” can now listen, understand, and answer things your kid tells her [2]. Or you. Or anyone else who is around, for that matter.

The keynote then moved on to critical infrastructures: lights in Ukraine went out early this year and the BlackEnergy malware was found to be the root cause of trouble [3, 4]. The world was shocked for this attack on critical infrastructure being the first of its kind on such large scale. Security pros on the other hand may be impressed the effort that went into the attack and its minute coordination [5], but aren’t really surprised by the attack itself, silently whistling told ya, told ya, told ya so.

Meanwhile, on the cybercomputerycrime venue — the mere continuation of longstanding objectives with the more or less novel means of information technology [6] — incident responders have taken a step back from the general “It’s China”-attribution to accept that other nationals might also be occasionally involved. Nation states have done their share of espionage on corporations too [7-9], but we don’t quite know yet what that is all about.

What we do know is that nation states have done their share on espionage in general; not only in the Snowden era but naturally since the invention of secret services. The issue now with that particular wild, wild west at hand, is now that espionage has gotten a whole lot easier for nations with offensive capabilities in the information, computer, and network domain (commonly sold as cyber*) [10].

So it happened that some of this planet’s nations turned on to their own citizens with digital weapons. Countries like Bahrain and the UAE put political figures and activists to prison under the pretext of national security, based on information gathered on the cybers. The arms traders in that game are plenty, the two most nefarious are likely HackingTeam, and Gamma Group with their FinFisher product [11]. Those companies operate on the lawful interception market and sell digital surveillance gear to those countries who opted to not develop their own [12].

If, in the end, you do want our advice on how to weapon up for the prairie: keep your eyes open and watch your data carefully, but don’t go crazy. It isn’t your fault wild west has turned upon us, but we all need to deal with it. A vast part of crime on the one side and privacy loss by surveillance on the other side are political concerns rather than technological ones. Meanwhile, ‘cyber’ has entered the agendas of parliaments and roundtables, on some occasions even us normal cowboys and -girls are asked for an opinion. Don’t be shy if that comes to you, Clint Eastwood wouldn’t be either.

Event website: https://www.wko.at/Content.Node/kampagnen/E-Day/index.html

[1] UK Government Used ‘Rolling Thunder’ DDoS Attacks Against Anonymous, LulzSec and Syrian Electronic Army, IBTimes
[2] About Hello Barbie, Mattel
[3] BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents, SecureList
[4] First on CNN: U.S. investigators find proof of cyberattack on Ukraine power grid, CNN
[5] Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid
[6] Russian hackers used Windows bug to target Nato, BBC
[7] Brazil-Canada espionage: Which countries are we spying on?, CBC News
[8] Snowden Documents Show U.S. Spied on Petrobras, Globo TV Reports, Bloomberg
[9] French Said to Spy on U.S. Computer Companies, New York Times
[10] Long-Term Strategy Needed When Analyzing APTs: Researcher, Security Week
[11] Schrodinger‘s cat video and the death of clear text, CitizenLab
[12] Here are all the sketchy goverment agencies buying HackinTeam‘s spy tech, Motherboard

Cyber? WTF!

“The only real difficulties in programming are cache invalidation and naming things.” — Phil Karlton

Everything needs a name to go by, right? So did this blog. When we scrolled through the seemingly endless list of new TLDs, we stumbled upon .wtf and while it is all a bit of a blur looking back, our fingers must have developed a dynamic of their own and out came ‘whois cyber.wtf’, which was unregistered for whatever reason¹. During the several days of juggling alternative names – actually spending quite a few thoughts on ‘we probably shouldn’t do this’, anticipating what corporate communications and marketing might think of it – we kept returning to cyber.wtf. When you hear or read people prefixing ordinary, proper, and once actually useful nouns with ‘cyber’, what are your thoughts? We think that ‘WTF?’ might actually be the only appropriate letters to follow on ‘cyber‘. Anyway, this will be our home for the time being. Don’t expect a fixed post frequency, we don’t intend to post for the general sake of creating more bytes on the internet. Expect a post whenever there is both content and time for posting. Expect content that is mostly malware- and/or security-centric, the occasional nifty thing we find mixed in, and where we happen to give a talk. We’ll probably start out with the latter. Judge us by our content, naming is hard.

¹ which at that time actually resulted in

No whois server is known for this kind of object

because whois is pleasantly old-fashioned in its default. -h whois.donuts.co or the line

\.wtf$ whois.donuts.co

in your whois.conf catapults it into a part of the modern age of completely unnecessary but partially wonderful TLDs.