28 posts categorized "In the News"

Scanning for pcAnywhere

Note -- this blog was updated on Feb 2, 2012 to highlight detection of the Symantec advisory SYM12-002 as well as new additional Nessus local checks to audit pcAnywhere installations.

With the recent news from Symantec that their source code theft has left pcAnywhere open to attack, it makes sense to audit your network for instances of this desktop sharing software. 

Nessus has many checks that identify the presence of pcAnywhere, the type of network access it supports, and some vulnerabilities in the application. A current list is shown below for reference:

  • 10006   Symantec pcAnywhere Status Service Detection (UDP)
  • 10794   Symantec pcAnywhere Detection (TCP)
  • 10798   Symantec pcAnywhere Service Unrestricted Access
  • 20743   Symantec pcAnywhere Launch with Windows Caller Properties Local Privilege Escalation
  • 32133   Symantec pcAnywhere Access Server Detection Service
  • 35976   Symantec pcAnywhere CHF File Pathname Format String Denial of Service
  • 57795   Symantec pcAnywhere Installed (local check)
  • 57796   Symantec pcAnywhere Multiple Vulnerabilities (SYM12-002)

In addition, running a credentialed scan with Nessus plugin 20811 provides the ability to detect installed software on Windows computers, which can be useful to find instances of pcAnywhere that may be installed, but not actively running. Note that strings and versions vary from release to release. An example string as reported by a recent Nessus scan is “Symantec pcAnywhere [version 11.5.0]”.
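As an added example (not part of the original post or of Tenable's tooling), the following Python script shows how installed-software strings from a credentialed scan can be sifted for pcAnywhere entries and their versions, matching on the vendor/product prefix because the exact string varies between releases. The hosts, product names and versions in the sample are constructed, and the line format is an assumption rather than the exact plugin 20811 output; only "Symantec pcAnywhere [version 11.5.0]" mirrors the string quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the style of a credentialed installed-software
# enumeration, keyed by host. Hosts, products and versions are made up for this
# example; the line format is assumed, not the real plugin 20811 format.
SAMPLE_SCAN: Dict[str, str] = {
    "10.0.0.5": (
        "Microsoft Office Professional Plus 2010  [version 14.0.4763.1000]\n"
        "Symantec pcAnywhere  [version 11.5.0]\n"
        "Adobe Reader 9.3  [version 9.3.0]\n"
    ),
    "10.0.0.9": (
        "7-Zip 9.20  [version 9.20.00.0]\n"
        "Symantec pcAnywhere Host  [version 12.5.0.442]\n"
    ),
    "10.0.0.12": "Mozilla Firefox 9.0.1  [version 9.0.1]\n",
}

# Product strings vary from release to release ("Symantec pcAnywhere",
# "Symantec pcAnywhere Host", ...), so match the vendor/product prefix and
# capture whatever follows it up to the version tag, then the version itself.
PRODUCT_RE = re.compile(
    r"^\s*(symantec\s+pcanywhere[^\[]*?)\s*\[version\s+([0-9][0-9.]*)\]",
    re.IGNORECASE | re.MULTILINE,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.5.0.442' into (12, 5, 0, 442) so versions compare numerically."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def find_pcanywhere(plugin_output: str) -> List[Tuple[str, str]]:
    """Return (product, version) pairs for every pcAnywhere entry in one host's output."""
    return [(m.group(1).strip(), m.group(2)) for m in PRODUCT_RE.finditer(plugin_output)]


def audit_hosts(scan: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each host that has pcAnywhere installed to its detected entries."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for host, output in scan.items():
        hits = find_pcanywhere(output)
        if hits:
            findings[host] = hits
    return findings


def oldest_version(findings: Dict[str, List[Tuple[str, str]]]) -> Tuple[int, ...]:
    """Lowest pcAnywhere version seen across all hosts, a simple triage aid."""
    return min(parse_version(v) for hits in findings.values() for _, v in hits)


if __name__ == "__main__":
    for host, hits in sorted(audit_hosts(SAMPLE_SCAN).items()):
        for product, version in hits:
            print(f"{host}: {product} {version}")
```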

Network traffic can also be monitored with the Passive Vulnerability Scanner to identify instances of pcAnywhere on the network. A current list of passive plugins to detect pcAnywhere is shown below. 

  • 03306 Symantec pcAnywhere Detection
  • 06087 Symantec pcAnywhere Detected

Finally, Tenable’s Log Correlation Engine will normalize logs from the PVS for observed pcAnywhere sessions in real time, with an event name of “PVS-PCAnywhere_Detected”. These sessions are automatically detected and analyzed for anomalies and for connections from known botnets.

External Nessus scans can be performed to determine if your network has any Internet facing instances of pcAnywhere. The Nessus PerimeterService is ideal for this type of scanning as it can scan an unlimited number of Internet-facing IP addresses very rapidly. Users of the Passive Vulnerability Scanner have automatic detection of any Internet-facing service, including pcAnywhere.

An in-depth Nessus Discussions Forum post details how SecurityCenter, Passive Vulnerability Scanner and Log Correlation Engine users can track pcAnywhere vulnerabilities and usage in real time.

Risky Business #198 - Tenable CEO Interview on Cybercrime Insurance

In this week's Risky Business podcast, Patrick Gray and I chatted about the recent rise in cyber insurance. Insurance companies have been working on a variety of insurance packages for years and the recent rash of RSA, Sony and other high-profile attacks have raised the interest level and demand for this. The key point here is that if an insurance company can offer this type of coverage, they need to understand the risk much better than the customers buying the service.

Sony: Compliance Lessons Learned

The Now "Infamous" Sony Hack

It was reported late last month that attackers had penetrated Sony's PSN (PlayStation Network) platform. It has been rumored that reverse engineering of the PlayStation firmware, coupled with vulnerabilities in Linux servers and unencrypted data traversing the network, led to the exposure of over 77 million users’ information, possibly including 2.2 million credit card numbers.

Sony reportedly may have lost so many credit card numbers that there is speculation it could devalue all stolen cards on the black market.

Continue reading "Sony: Compliance Lessons Learned" »

Preventing & Detecting Malware: A Multifaceted Approach

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center.

From LizaMoon SQL Injection Attack Hits Websites

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses them to place redirects on the web site that take users to a site which installs malware. This is not a new form of attack; however, the "LizaMoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to note about these infection numbers is that "pages" does not refer to sites, as a single site can have multiple infected pages. This type of attack typically works as follows:

Continue reading "Preventing & Detecting Malware: A Multifaceted Approach" »

APT - There.. I Said It.

Recently I attended the Secure World Boston conference to sit in on a panel with industry experts about APT (Advanced Persistent Threat, for a great write-up on the definition see Richard Bejtlich's article titled, "What Is APT and What Does It Want?"). Following are some of my thoughts on the topic:

  • Is APT something that everyone should be worrying about and planning for (is APT pervasive or just hype)? – APT is a new buzzword, but of course such threats have been around as long as there have been computer networks. It makes me think back to Clifford Stoll’s book titled “The Cuckoo’s Egg”. I love Cliff’s analogy of “jiggling” the keys over the communications lines to disrupt the attackers just enough, but still give them enough access to keep an eye on them.

  • Explain how APT works (reconnaissance, phishing, infection, exfiltration)? – The recon phase is the toughest to defend against and the most important phase to an attacker. Pre-texting is so important, yet much of the information has to be public and it’s tough to detect when someone is doing recon. This may turn into targeted phishing attacks, which are increasingly successful. No matter how hard we try, we can’t educate all our users and expect them to catch 100% of the attacks - we have to rely on technology and training to ward off these attacks. Inevitably, people get into our systems and we need to have measures to detect unauthorized access to our systems. It’s presumptuous to think that your organization will never have a breach.

Continue reading "APT - There.. I Said It." »

Mid-Atlantic CCDC - Lessons Learned in Communication

The CCDC 2011

The Collegiate Cyber Defense Competition (CCDC) is always a fantastic and educational event, and this year was no exception. Hundreds of people converged to share ideas, learn how to hack, learn how to defend and talk about security. Below is a brief summary of the happenings at the event:

  • The Attackers - Many of the same people as previous years filled the role of the "hackers". They did a great job this year and showed how much they've learned over the years. The big takeaway from the Red Team is sharing. Using a new tool called "Armitage", they were able to share shell access to the Blue Team hosts, proving that sharing truly is caring.
  • The Defenders - By design, the Blue teams are put at a disadvantage. This is meant to emulate the real world, where attackers have vast resources and often stay a step ahead. However, the Blue teams were very creative, employing reverse sabotage by leaving pieces of paper around the event with usernames and passwords written on them, which were completely fake.

The Red Team was able to re-configure the Blue Team's phones and leave them messages on the display, a digital "love note" if you will. Phones for the Blue Team were ringing throughout the event, playing random WAV files from a server as well.

Continue reading "Mid-Atlantic CCDC - Lessons Learned in Communication" »

Risky Business Episode 181 - Interview with Paul Asadoorian

I appeared on Risky Business episode 181 for the "sponsor interview" segment of the show. I really enjoy talking to Patrick Gray - he asks great questions and we always have a great chat. This time around I discussed some topics regarding defensive measures that actually work, including:

  • Creating listening services that "trap" web spiders
  • Putting intelligence inside your documents to detect attackers
  • Monitoring various services and including the results in your SIEM

These topics, and more, will be the topic of my upcoming talk debuting at SOURCE Boston titled "Bringing Sexy Back: Defensive Measures That Actually Work".

Shmoocon 2011 Conference Wrap-Up

Getting to ShmooCon each year is always challenging (as is trying to get home). Mother Nature seems to enjoy disrupting the travel to and from the conference, which is held in Washington, D.C., in January or February of each year. Despite the weather issues, I've always found it to be a conference worth attending. It features quality talks, leading security researchers sharing thoughts and ideas, and several extra events such as "Firetalks" and "Hacker Karaoke".

From Printer to Domain Admin

I've always been fascinated with the concept of attacking printers. The common misconception of "oh, it’s only a printer" makes them a prime target for attackers because people believe that printers pose little to no security risk. This mindset typically translates to the following conditions, which help to fuel my fascination:

Continue reading "Shmoocon 2011 Conference Wrap-Up" »

Microsoft Patch Tuesday Roundup - December 2010 - "Bad Santa" Edition

Attackers have been very naughty, IT departments have been mostly nice and Microsoft has fulfilled the role of “Bad Santa”. This holiday season, Microsoft has filled your stockings with 17 security bulletins fixing 40 vulnerabilities. But where does that leave us?

What Else Could You Say?

Note: The word "could" appears in the title of all 17 security bulletins this month

I could say a lot of things about this month's Microsoft Patch Tuesday release. I could say that you should apply patches (except that my boss hates the word “should”). I could say that despite all of the patches released, there are still most likely to be 0-day exploits for several unpublished vulnerabilities. I could also say that your organization needs a solid patch management program. I could say, well, you get the point. After more than a year of writing up each one of the Microsoft Security bulletins, there's a lot I could say. The fact remains that several trends continue in the Microsoft "Black Tuesday" madness:

Continue reading "Microsoft Patch Tuesday Roundup - December 2010 - "Bad Santa" Edition" »

Microsoft Patch Tuesday Roundup - November 2010 - "Stuck In The Mud" Edition

Balancing Risk

Security continues to be a balance between providing users with features and mitigating risk. Client-side vulnerabilities seem to be the hole that many of us are stuck spinning our wheels in.

Continue reading "Microsoft Patch Tuesday Roundup - November 2010 - "Stuck In The Mud" Edition" »

Deloitte Names Tenable as one of America’s Fastest Growing Companies - Again!

Tenable Network Security was ranked 251st on the Deloitte 2010 Technology Fast 500™ program (15th in Greater Washington DC area). This program ranks the fastest growing companies in technology, media, telecommunications, life sciences and clean technology in North America. Rankings are based on the percentage of fiscal year revenue growth during the past five years. Tenable’s revenue grew 363% during this period.

This is the second year in a row that Tenable Network Security has been named on this list!

Microsoft Patch Tuesday Roundup - September 2010 - "Silent but deadly" Edition

"Silent" Worms: Stuxnet

The vulnerability patched with MS10-061 is perhaps one of the most interesting we've covered in a "Patch Tuesday" post this year. The vulnerability was discovered when antivirus researchers at Kaspersky Lab analyzed malware called "Stuxnet". The malware was one of the first worms to use the LNK vulnerability, and it contained code to exploit three other vulnerabilities: the print spooler vulnerability patched by MS10-061 and two other unnamed privilege escalation vulnerabilities that have yet to be patched. It's not every day that we hear of malware in the wild exploiting four 0-day vulnerabilities.

I am not easily impressed (in fact, I am even less than impressed) with the capabilities of most malware in the wild. However, there are some facts about the "Stuxnet" malware that do impress me:

  • Stuxnet also contains an exploit for a vulnerability from 2008. It will only execute this exploit if it determines it is inside an organization using SCADA systems and not a typical corporation.
  • Stuxnet was written specifically to attack control systems, and is the first publicly known malware to contain a rootkit for PLCs, devices that control SCADA systems. The rootkit silently waits for commands.
  • Stuxnet gains access to control systems using default passwords and is rumored to have compromised 14 different control systems-based organizations.
  • Stuxnet was first thought to primarily use USB devices to propagate (likely to get around "air gapped" security measures).

There was an interesting quote from Symantec that stated, "Symantec gained control of the domain used to send commands to infected machines shortly after Stuxnet was discovered". Apparently, this turned over control of Stuxnet-infected systems to Symantec. I just don't understand the logic behind the malware authors; if they had used fast flux, they may still have control over the botnet they seemed to have worked so hard to implement.

There are actually 6 ninjas in the above picture… can you spot them all?

Continue reading "Microsoft Patch Tuesday Roundup - September 2010 - "Silent but deadly" Edition" »

Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition

This month's Patch Tuesday has been described by some as a "hot mess of vulnerabilities". This record-breaking Patch Tuesday contains 15 security bulletins that fix 34 vulnerabilities. While many people have been quick to classify which of these are "critical", I believe that criticality and risk are best determined by the affected organization, not third parties. However, I do recommend that everyone review the information presented, especially the resources prepared by the Internet Storm Center and the Open Source Vulnerability Database. Both of these sources pull in all of the relevant information about each security bulletin, providing a more complete picture to help evaluate your own prioritization efforts. The bulletins prepared by Microsoft are still not exploring the various aspects of each vulnerability and specifically do not always specify whether or not vulnerabilities can be exploited.

The "Mitigating Factors"

In the MS10-047 and MS10-048 security bulletins, which cover eight separate vulnerabilities, Microsoft states the following as a mitigating factor:

"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

I don't like to point fingers or call people out, but Microsoft’s statement is not true. The statement that an attacker "must have" valid logon credentials is a bit concerning. If "logon credentials" are something that you have in your possession, such as a pen or a mouse, then the attacker does not need them. An attacker can certainly convince an already logged in user to execute the code to perform the privilege escalation. In this scenario, the attacker does not "have" the logon credentials. They are currently able to execute code as a non-privileged user, which is a completely different situation. The vulnerability can be executed remotely, provided you have already exploited a vulnerability that has granted you permissions to execute code as a non-privileged user. This is a very common method of attack, as users can be tricked into running all sorts of programs, code from a web site, email attachments and more. There are certain advantages to being logged in to a system as an administrator or with SYSTEM privileges, such as accessing files, installing keystroke loggers and sniffing the network.

Continue reading "Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition" »

Blackhat 2010 Round Up

Tenable was in attendance for Black Hat 2010 in Las Vegas last week. In addition to having a vendor’s booth, we presented four days of Nessus training, our very own Carole Fennelly organized Hacker Court and we hosted a party at Margaritaville. Below are some pictures and more details on the events:

Continue reading "Blackhat 2010 Round Up" »

10 Devices Attackers May Think About Attacking

Cars, Cell Phone, GPS, and Blenders.... Oh My!

I recently read an article titled, 10 Everyday Items Hackers Are Targeting Right Now. It was quite the list, and while possibly a bit far-fetched, it made me think about security in the context of these devices as they relate to enterprise security:

  1. Your Car - Your company may have vehicles, and certainly a good percentage of your employees drive to work every day. The security implications surrounding company vehicles are not something you need to lose sleep over now, but you may want to keep an eye on this for the future. I had some fun with injecting audio into Bluetooth systems on cars some time ago. While this is a neat “party trick”, there is no immediate security threat to your organization's data via audio injection attacks. However, what if I told you I was able to listen to conversations happening in the car? This might be a threat, especially if your executives like to have conversations on the way to work with clients, potential customers or each other. If we take this a step further, what if Wi-Fi systems inside cars could be compromised and used as a trojan horse to get within wireless proximity of a secure building? I don't think this is something that most organizations need to take proactive steps to prevent today, but high security facilities could possibly be infiltrated this way some time in the near future (of course, you could also attach a device to the car that is authorized to enter the secure facility).

I guess "Kitt" was a "Smart Car"?

Continue reading "10 Devices Attackers May Think About Attacking" »

Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"

Which Vulnerabilities Are You Looking For?

When Microsoft releases their patches each month, I find it interesting to review the criticality of each vulnerability. Microsoft has, in their typical fashion, used some very interesting wording to describe the latest batch of vulnerabilities. When reading each security bulletin, I try to imagine the worst-case scenario and look at the glass as half empty. Microsoft seems to paint a picture and believes the glass to be half full by using phrases such as:

In MS10-042: "The vulnerability cannot be exploited automatically through e-mail." - I believe what they are stating here is that the user can't just open up an email to have the exploit trigger. Instead, the user has to either open an attachment or click on a link. I can tell you from first-hand experience that it’s not difficult to get someone to click on a link. Typically, you just need to tell them that they've qualified for a free iPad. Getting the user to open an attachment is a little bit trickier, and usually requires more research about the target audience and/or organization. However, this does not mean the attack can't scale to trick thousands of people, as did an email appearing to come from the World Cup with an Excel document attached. The Excel document posed as a schedule for the World Cup, but really contained malware that attempted to infect the end-user's computer.

"These aren't the vulnerabilities you're looking for. You can go about your business."

Continue reading "Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"" »

Microsoft Patch Tuesday Roundup - May 2010 - Language Barrier Edition

Microsoft's Language

No, I'm not talking about C# or Visual Basic, I'm referring to Microsoft's very own version of the English language ("Minglish"?). An example of the Microsoft variation on the English language is shown here:

"The vulnerability could allow remote code execution if a user visits a malicious e-mail server."

We've addressed the "could allow" statement in a previous post (for example, changing your shoes “could allow” you to win the lottery). We've also addressed the "remote code" execution and dug into what that really means. In this case, it takes on a slightly different meaning from the traditional remote buffer overflow or client-side attacks. The part that is brand new to the "Minglish" language is "if a user visits a malicious e-mail server". Let me get this straight: you not only have to be running the vulnerable software but must also think to yourself, "Gee, I wonder what a malicious e-mail server looks like? I think I will re-configure my email client to connect to pop3.evilbadguy.com and find out".

I think what they are trying to say is that "Some digging may have occurred, which could allow a person to fall in a hole. No public falling has occurred."

Continue reading "Microsoft Patch Tuesday Roundup - May 2010 - Language Barrier Edition" »

Afterbytes: The "Cyberwar Battlefield"

Article Title: Navy Fleet Cyber Command Expected to Have Predictive Capabilities Within Two Years

Date: April 6, 2010

Vice Admiral Bernard McCullough, commander of the Navy Fleet Cyber Command, estimates that the command will establish a proactive defense posture by October 2010. Speaking at the Center for Strategic and International Studies, McCullough said that the military is traditionally reactive and static, but we need to be proactive, dynamic and predictive. He noted that we have to start seeing the network as a weapons system, and the domain as the battlefield. McCullough acknowledged that transforming perceptions will take time but believes the command will have predictive capabilities within two years...

Reference: Navy cyber leader expects proactive capabilities this year

I like "proactive" - it's a good dynamic buzzword, if you're the kind of person who is impressed by action-y sounding verbs. But "predictive"?

Continue reading "Afterbytes: The "Cyberwar Battlefield"" »

Microsoft Patch Tuesday Roundup - April 2010 - Superman Edition

It’s A Bird, It’s a DoS, It’s Remote Code Execution!

I've always cautioned people about the danger of disregarding vulnerabilities that are labeled as "Denial of Service" (such as MS10-014 from February) for a couple of reasons. First, when a bug exists in the code that allows something to "crash", there is usually a potential that the "crash" could somehow allow for code execution (remember that a buffer overflow is just a controlled crash). Second, when code is being analyzed so that the bug can be fixed, the surrounding code is often analyzed to be certain there are no other bugs or vulnerabilities. This analysis could lead to the disclosure of other vulnerabilities or a new way to turn a DoS into remote code execution. This appears to be the case with MS10-20, which was first publicly disclosed as a DoS bug in the SMB client. Microsoft is now reporting it as a vulnerability that "could" allow remote code execution. Upon further inspection, the security bulletin reports five vulnerabilities related to the SMB client that are patched in MS10-20. The first is the original DoS bug reported by Laurent Gaffie to the Full Disclosure mailing list on November 11, 2009. The general consensus was to dismiss this bug because it was "just a DoS".

Continue reading "Microsoft Patch Tuesday Roundup - April 2010 - Superman Edition" »

"Cloud" Security Recommendations

Security In The Cloud Is Still Just Security

A recent paper published in the International Journal of Services and Standards titled "A 'cloud-free' security model for cloud computing", written by Manal M. Yunis, outlines six security considerations for cloud computing. Upon reading the six considerations, I can't help but think that they do not present new challenges but merely rehash old ones. Let’s take a look at each of the six common cloud computing security considerations in more detail:

1. Resource Sharing

"On shared services, there is the possibility that another user on the same system may gain access inadvertently or deliberately to one's data, with potential for identity theft, fraud, or industrial sabotage."

The real problem with resource sharing in the context of cloud computing is that software logically separates one system from the next, but not physically. You can think of it as a "virtual server rack": traditionally you would have a physically separate server from your neighbor, but in the "cloud", software is used to separate systems. Unfortunately, software is prone to vulnerabilities that could be exploited and in this case lead to complete access to your server or system. A great example of this in action is the "Cloudburst" exploit from the researchers at Immunity, Inc. that allows an attacker in a guest operating system to break out and gain access to the host operating system.

The resource sharing via software problem is similar to VLANs on switches that are controlled by software, requiring you to carefully design a network and be certain your most critical assets are not on the same switch as something less critical. This is a risk-based decision, and must be constantly evaluated whether you are using a "cloud" provider or designing VLANs on a switch.

Continue reading ""Cloud" Security Recommendations" »

Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition

Attacks Happen

There are many reasons why attackers may target your organization: they could be after your intellectual property, they may have political reasons or there may be financial motivations (if you have credit card data stored on your network). I've often heard people say, "Why would someone want to attack us?" The question should really be phrased, "Why would someone need to attack us?" Often you are targeted not because of who you are, but what you have. Google hosts email accounts that are interesting to certain parties. You may be a university with plenty of bandwidth or a business partner with a company who makes electronics that the attacker is after. The point is that you can't limit the reasons why you are going to be attacked. You have to secure your network with the mindset that someone will eventually come after you.

This brings us to this month's "Patch Tuesday". Two bulletins have been released by Microsoft, and I've included some examples of how they can be used for targeted attacks:

Continue reading "Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition" »

Implementing "Perimeter Intrusion Detection"

It's important to get the funds to support a security initiative - but even more important that these funds are well spent. In the article titled "$90M err-ports" from the New York Post Murray Weiss writes:

A nearly $90 million security system designed to thwart terrorists trying to get onto runways at the metro area's four major airports still isn't up and running four years after it was purchased by the Port Authority -- and it may never work, officials told The Post.

The safety network -- dubbed the Perimeter Intrusion Detection System, or PIDS -- was supposed to provide state-of-the-art electronic fencing complete with sensors and closed-circuit cameras that would immediately pinpoint someone trying to get on a runway to attack a plane at JFK, La Guardia, Newark and Teterboro airports.

Sources: Questions about a new airport security system, $90M err-ports, Raytheon Wins $100 Million Contract for Airport Perimeter Security

This story came to my attention while watching the news the other day. The term "Perimeter Intrusion Detection System" sounded familiar and triggered further investigation on my part. The New York Port Authority signed a more than $100 million contract with Raytheon to build and install perimeter fencing, sensors and cameras around the four major airports in New York (John F. Kennedy International and LaGuardia) and New Jersey (Newark Liberty International and Teterboro). The system is designed to prevent a potential terrorist from accessing a runway to attack a plane. The article states:

"provide state-of-the-art electronic fencing complete with sensors and closed-circuit cameras that would immediately pinpoint someone trying to get on a runway to attack a plane"

Continue reading "Implementing "Perimeter Intrusion Detection"" »

Shmoocon 2010 Security Conference

ShmooCon has always been one of my favorite conferences. It is very well run and provides a small, intimate environment to discuss all things related to hacking and information security. You truly feel a part of this conference in every way. For example, you are encouraged to throw small stress balls called "Shmooballs" at any speaker you disagree with. The conference founders felt that many conferences had talks that were complete nonsense yet no one would stand up to say anything in opposition. As a speaker at ShmooCon you may literally find yourself running for cover. This year there was even a "Shmooball Launcher" contest that scored the homemade launchers in several different categories.

Larry Pesce participating in the Shmooball launcher contest at ShmooCon 2010 in Washington, DC. Larry's Shmooball launcher proudly displayed the Nessus banner throughout the conference and received a lot of attention from curious conference attendees.

This year's ShmooCon had some excellent presentations and workshops, including one that reportedly used Nessus to find a directory traversal vulnerability in VMware (more to follow on that one). Some of the other highlights include:

Continue reading "Shmoocon 2010 Security Conference" »

Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition

Patch Tuesday Gives Birth to "Zombie Wednesday"

The Tenable research team spent the night writing 14 new plugins to check for the latest round of Microsoft patches. While many will have to schedule patch installations, those who run with full automatic updates enabled are theoretically all patched by now. However, it doesn't hurt to check with a quick Nessus patch audit.

Microsoft is in Love With the Word "Could"

There are several terms used by Microsoft throughout their advisories that spread uncertainty about the risk of the vulnerabilities presented. The excessive use of the world "could" is one such example. In the MS10-002 bulletin Microsoft states:

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

I “could” also win the lottery, inherit millions of dollars and walk on water. In the case of this exploit, "could" is an exceptionally bad word choice, as there are several example videos showcasing the exploit in action using open-source software. The other issue with the above statement is the obligatory "users with fewer rights on the system will be less impacted". Someone should tell the Microsoft PR team that there are two privilege escalation exploits on the list this month, and one has been widely publicized for almost a month. On that note, let’s take a closer look at the 14 bulletins and 26 vulnerabilities that were patched this month.

Continue reading "Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition" »


Being Pro-Active Against the "0-Day" Threat

Recent investigations into the Google "Aurora" incident uncovered evidence that Chinese attackers used a 0-day exploit for Internet Explorer to gain access to Google employees’ computer systems. This event sparked the release of Microsoft Security Bulletin MS10-002 - Critical, and a public exploit for the vulnerability. To mitigate this vulnerability, Microsoft originally recommended that customers upgrade to Internet Explorer 8 and enable DEP (Data Execution Prevention). On January 21, 2010 Microsoft released an "out-of-band" patch for the vulnerability, which fixes the problem on Internet Explorer versions 6, 7 and 8. Methods exist to reliably exploit Internet Explorer versions 6 & 7, and there are several people who have working exploits for IE version 8, including Dino Dai Zovi, a well-respected vulnerability researcher. (A concise list of the details surrounding this issue can be found in this article).

Being Proactive

Many organizations are likely to implement the patch released by Microsoft since the issue has been receiving a lot of media attention. Patching because of a media event is an all-too-common mistake made by many organizations that cannot be convinced to implement new security measures until exploits make the news. Patching systems needs to be part of an organization’s overall strategy – not just a reaction to a media event. When new technologies become available as upgrades to your existing systems, put a plan in place to test and migrate to them, especially if they offer increased security. The organizations doing this today are looking at the latest exploit and implementing their patch strategy as part of the standard operating procedure.

Continue reading "Being Pro-Active Against the "0-Day" Threat" »


Afterbytes: Thoughts on "Cyber Warfare"

The story:

US and Russia Discussing Cyber Warfare and Cyber Security

Officials from the US and Russia are meeting to discuss improving Internet security and establishing cyber warfare policy. The Russians would like to see a cyber warfare disarmament treaty between the two countries. The talks are a step forward for the US, as the previous administration refused to engage in cyber warfare discussions with Russia.

Date: December 13 & 14, 2009

Sources: In Shift, U.S. Talks to Russia on Internet Security & U.S. and Russian officials talk cyberissues

I see this as a positive step toward acknowledging that "cyberwarfare" between superpowers is stupid, unless it's done in the context of full-on conflict. We'd all rather avoid that, thank you!!

Continue reading "Afterbytes: Thoughts on "Cyber Warfare"" »


Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication

Afterbites is a blog segment in which Marcus Ranum provides more in-depth coverage and analysis of the SANS NewsBites newsletter. This week Marcus will be commenting on the following article:

Gartner Report Says Two-Factor Authentication Isn't Enough
(December 14, 2009)

A report from Gartner says that two-factor authentication is not providing adequate security against fraud and online attacks. Specifically, Trojan-based, man-in-the-middle browser attacks manage to bypass strong two-factor authentication. The problem resides in authentication methods that rely on browser communications. The report predicts that while bank accounts have been the primary target of such attacks, they are likely to spread "to other sectors and applications that contain sensitive valuable information and data." Gartner analyst Avivah Litan recommends "server-based fraud detection and out-of-band transaction verification" to help mitigate the problem.

References: 2-Factor Authentication Falling Short for Security, Gartner Says & Strong Authentication Not Strong Enough

I found this article interesting because it typifies, for me, the end result of the "whack-a-mole" approach to computer security. Certain technologies are sold as "security enablers" but customers don't seem to understand (and/or aren't informed) of the reality: security is a top-to-bottom problem that doesn't have any single place where you can add a widget that'll magically make you safe.

Continue reading "Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication" »


Marcus Ranum Named "Industry Pioneer" By SC Magazine

Tenable's CSO Marcus Ranum was quoted in an article from SC Magazine titled "Industry pioneers". In it, Marcus gives us some insight into how he perceives his accomplishments:

“I like to think of myself as a filter for good ideas.”

We also get some insight as to how he came up with the idea for building the world's first firewall:

The firewall was really born on a day in 1986 when Ranum, then a network administrator at Johns Hopkins University, noticed something strange: Someone was able to gain access to an MRI machine via a Sun Workstation default configuration. Nothing malicious happened, but Ranum knew right then that big problems weren't far off. “People were connecting to the internet and they had no idea what they were doing,” he recalls. Not long after, he built the first commercial-grade firewall for Digital Equipment Corp. and later, the White House. A few years later, he was among the first to market intrusion detection systems. “A lot of my career has consisted of moving ideas from the research world into the commercial world,” says Ranum, who turns 47 this month. “I like to think of myself as a filter for good ideas.” But don't count on any new inventions from him. Today's development tools lead to too many bugs: “I'm still using coding models from the early 80s,” he says.

Marcus is in good company, too; others highlighted in the article include Bruce Schneier, Dan Geer, Whitfield Diffie and Martin Hellman.