The problem with 'pumpkin spice' security bugs


Bad Password is a hacking and security column by Violet Blue. Every week she'll be exploring the trendy new cyberhysteria, the state of the infosec community and the ever-eroding thing that used to be called "privacy." Bad Password cuts through the greed, fear mongering and jargon with expertise, a friendly voice and a little levelheaded perspective.

When asked, "Why give a vulnerability a website, logo and brand image?" many infosec professionals will confidently answer that flamboyant bugs raise awareness toward fixes. Fixing and patching, we're led to believe, is almost as fun as a trip to the dentist. Which is true. Heartbleed, Shellshock, Stagefright, Sandworm, Rootpipe, Winshock and the truly terror-inducing nom-de-sploit POODLE are not, in fact, a list of situational phobias. These were named with intent to become PR markers -- although looking at the way some of these vulns (vulnerabilities) got their names and brands, it seems like the focus was more on the credit for naming them, rather than the actual usefulness of trying to "pumpkin spice" a bug.

The problem is, it's widely understood that a seasonally branded latte is a simple sugary gimmick that the public finds both irresistible and strangely offensive. Heartbleed -- birth name CVE-2014-0160 -- was the first seriously branded bug. It was not the worst of all those other names I rattled off in the previous paragraph. It was also not in any way widely understood. While everyone heard of it, few outside infosec could really explain what it was. Mostly, the media didn't really know what Heartbleed was either, but its logo was on major news outlets spanning local to global in a matter of days after the bug's... launch.

Heartbleed was branded like an overpriced startup on purpose, and its branding was as divisive within infosec communities as pumpkin pie spice Pringles are to normal people. Many information security professionals were above-normal suspicious about the intentions behind giving the vuln a branding package and website before most affected companies had even heard of it. And for infosec, where paranoia is more than just a way of life, that's saying something. The CEO of Codenomicon, Heartbleed's branding origin, told The Guardian, "I think that the fact that it had a name, had a catchy logo that people remember, really helped fuel the speed with which people became aware of this."

This being true, then so was the inverse: Heartbleed's viral branding most likely helped fuel the speed with which attackers learned about it, too. Heartbleed attacks appeared within days.

My first trip down the infosec rabbit hole of naming conventions came from endpoint security firm CrowdStrike's 2014 Global Threat Intel Report. I had pitched a piece on the report for an enterprise security news outlet, and it seemed like a really good idea at the time. The report was my first real experience with the practice of information security companies "discovering" things that were already there, and naming each discovery to assert ownership -- the infosec version of manifest destiny, but as I was about to discover, way weirder.

No one had warned me that CrowdStrike named its discoveries, in this instance, criminal attack groups, in such a manic way as to suggest someone there is desperately trying to fight the advance of Alzheimer's. Or perhaps they just have better drug connections than me. Possibly both. I found myself totally freaked out by Goblin Panda, CrowdStrike's name for a cyberattack group primarily targeting Vietnam. The visuals I got from seeing Vixen Panda and Deep Panda's names together put me on an internet porn fast for about a week. Predator Panda was surely going to hunt me for sport in the jungles of Guatemala. Pale Panda may have appeared in a nightmare after reading the report, telling me to put the lotion on its skin. Keyhole Panda didn't help my standard level of hacker-grade paranoia.

All of these names had me wondering if someone somewhere wasn't telegraphing a tortured cry for help from the same basement (painted over to hide the bloodstains) in which seasonally branded lattes are created.

I didn't end up filing my analysis of the CrowdStrike report, and I never got behind all the reporting on Heartbleed. It all felt too much like I'd be selling some company's product. And I worried that the cutesy, bizarre little names are only raising public awareness of my infosec colleagues' prurient interest in its situational phobias. I mean, what kind of anxious pervert names a privilege escalation "Rootpipe"?

[Image credit: JeepersMedia/Flickr]