Pork Explosion? I couldn’t help but laugh at the name of a recent security vulnerability.
The name wasn’t a nod to an all-you-can-eat pork buffet. No, Pork Explosion is the name of an Android device backdoor that had the potential to sabotage all security measures of the operating system.
Pork Explosion was no laughing matter when it was discovered in October 2016, but how the heck did it get such a sidesplitting name? For that matter, why do many cyberattacks have cute or sometimes unusual names, who names them, and most importantly, why? In a break from the usual doom and gloom of the cybersecurity industry, here’s a look at who names the vulnerabilities and why these security risks usually don’t deserve the names they get.
Heartbleed Started it All
While Heartbleed wasn’t the first vulnerability to earn a name, it was the first one to earn widespread recognition because of its catchy label. Discovered by Google Security in March 2014, Heartbleed allowed anyone on the Internet to read the memory of systems protected by vulnerable versions of the popular OpenSSL cryptographic software library.
Heartbleed was marketed almost like a consumer product, and the name and the concept stuck. Codenomicon purchased the domain Heartbleed.com and designed a bleeding heart logo. For the first time ever, a cybersecurity risk had a whole package of it’s very own brand assets. Heartbleed T-shirts and hats sold like hotcakes, and before you knew it, a marketing phenomenon was born.
Before marketers took over, security experts (as you probably know) usually named vulnerabilities through the Common Vulnerabilities and Exposures (CVE) numbering system. But as Heartbleed demonstrated, it’s a lot easier to spread the word about a vulnerability with a memorable name than it is to refer to a CVE. Heartbleed’s CVE is 2014-0160, but who could possibly remember that?
Bolstered by how the Heartbleed name raised awareness, security experts now give a name, along with a CVE, to many critical flaws and vulnerabilities. Names used to be reserved only for worms and viruses – Code Red and Melissa, for example – but now vulnerabilities are branded with succinct names that try to explain how they work. I say “try” because of the half-successes and flat-out failures of some branded vulnerabilities that followed Heartbleed. Here are just some examples of unfortunate names:
POODLE: This might be the dog of all vulnerability names. POODLE is the acronym for Padding Oracle On Downgraded Legacy Encryption. Its bark was heard in October 2014, when Google researchers warned of the POODLE’s ability to circumvent SSL protections. Because it followed the same protocol as Heartbleed, this was also known as POODLE Bleed. Most stories covering the bug couldn’t resist including photos of poodles. The jury’s out on whether the name inspired caution.
Sandworm: Also from October, 2014, here’s an instance in which the name doesn’t match the threat. Named after an indestructible worm-like creature from the science fiction movie Dune, Sandworm was said to have been used in a Russian cyber-espionage campaign targeting NATO and the European Union. Well, Sandworm wasn’t exactly like a typical malware worm and it was hardly indestructible.
VENOM: CVE-2015-3456 had already existed for a decade before making headlines in May 2015. Venom (Virtualized Environment Neglected Operations Manipulation) could have allowed an attacker to escape from a guest virtual machine and gain control of the operating system hosting the VM. Trying to replicate the marketing success of Heartbleed, a security company slapped an ominous name on the 10-year-old bug, even though the vulnerability itself didn’t cause as much damage as Heartbleed. The hype didn’t match the actual threat.
Badlock: Word about Badlock started spreading in March 2016. It affects Security Account Manager and Local Security Authority remote protocols supported by Samba and Windows servers. By most accounts, Badlock was a middle-of-the-road vulnerability, something to worry about, but not a sleepless night-type of worry.
As cybersecurity companies try to popularize security threats by giving them cute, funny or flat-out bizarre names, they also give cyber criminals an advantage. With each adorably-named or ominous-sounding threat,the mainstream press tends to pick up the story, which in turn fuels the sense of urgency created by the cybersecurity firm. The media is perhaps unwittingly contributing to a marketing spin.
As the above examples show, not every vulnerability matches its hype. A relentless drumbeat of coverage on “dangerous” vulnerabilities desensitizes people, and could lead many companies to prioritize the marketed threats at the expense of paying attention to the threats that are actually much more dangerous, despite the lack of marketable names.
There’s already a backlash in the cybersecurity industry to the naming game. Take Badlock, which was publicized three weeks before patches were available, prompting debate about marketing trumping reasonable disclosure. Publicizing a vulnerability that users can’t immediately fix gives cyber criminals time to pounce. The backlash was also seen in the naming of Pork Explosion, which was a tongue-in-cheek jab at the explosion of silly marketing names.
But there are advantages to naming cybersecurity threats. People are made aware of not just specific threats, but of the dangers of connectivity in general, serving as a reminder of why security matters. Even if a particular vulnerability doesn’t have teeth, the next one could.
Attackers won’t be deterred by names; in fact, they prefer less publicized vulnerabilities. But they’ll have a harder time if the cute names prompt wide-scale cybersecurity measures.
At Cyberint, we specialize in identifying, nicknaming and of course crushing security threats, while they are still living beyond the perimeter. Are you a naming guru? Maybe you can help us name the next threat we identify. Got any juicy names in mind? Don’t hesitate to give us a shout, share or the old fashioned, drop us a line!