Two weeks ago, someone created a website that became viral very fast. The site was primarily just some text that referred to two potential new attacks dubbed Skyfall and Solace. A few days later, the creator of the site revealed that it was a hoax and relaunched the old but not old-fashioned debate about naming vulnerabilities. Is branding good or bad for security industry?
Skyfall and Solace hoax
After the Meltdown and Specter attacks, the computer and security community was still shocked and began to wonder if some people would find new issues related to the architecture of modern microprocessors. In this context, further theoretical attacks were announced simultaneously in two websites skyfallattack.com and solaceattack.com1.
Both vulnerabilities had a James Bond movie-inspired name (like Spectre), and both had fancy logos based on the Intel and Solaris logos. According to the site, these vulnerabilities made use of the speculative and out-of-order execution, but full details remained confidential due to an embargo.
The website had made some controversy until its creator revealed his purpose:
That made me think: Is branding good or bad for security industry?
The age of naming vulnerabilities
For years, researchers had to classify vulnerabilities with plain old CVE numbers, but everything changed in 2014 when Heartbleed2 took the Internet by surprise and captured all the attention. After that, a trend had emerged: giving vulnerabilities catchy names, fancy logos and dedicated websites.
Branding a security threat isn’t new, but the practice has evolved over the time. Flashy names were used to nick worms and viruses (like Morris worm, Michelangelo, ILoveYou or Zeus) a long time ago.
In the beginning, this kind of marketing was supported by the community because it made it easier for the general public to understand a security problem and arguably led to higher rates of remediation. This idea was transposed to the C-Level guys who didn’t know much about security and would take an interest in the patching of vulnerabilities and raise its rates.
I think that the fact that it had a name, had a catchy logo that people remember, really helped fuel the speed with which people became aware of this, said David Chartier, the CEO of Codenomicon, the security testing firm which found Heartbleed3.
While some believed branding helped to promote awareness among those who wouldn’t usually concern themselves with software flaws and bugs, others thought that it was just a marketing ploy and a way for researchers to promote themselves. Also, detractors argued that this publicity helped weak vulnerabilities to get all the attention over those most critical and contributed cybercriminals to gain more knowledge to carry out their attacks.
Get a balance
Named vulnerabilities are addressed faster in most of the organizations because executives hear something on the news about them and want them fixed straight away. People are overwhelmed by the news and begin to become aware of cybersecurity. Finally, researchers obtain professional recognition. A WIN-WIN-WIN scenario.
Going back to the Heartbleed example, the underlying marketing campaign -with a fresh logo and a website- helped to make noise and generate headlines around the world. Although the vulnerability itself was severe, without branding, it’s hard to imagine the same amount of media coverage.
A name and a logo do not imply any severity. Dozens of vulnerabilities named by their creators have disappeared, and we stopped to talk about it. However, we will continue talking about Heartbleed, Meltdown, and Spectre for a long time due to its higher importance (despite its bright colours).
So, you guys continue naming vulnerabilities!
Footnotes
1. Actually the websites are down – A cache version is available here.
2. The Matter of Heartbleed – Durumeric, Zakir (2014).
3. Heartbleed: why did a computer bug have a name and a logo? – The Guardian.