More Deep Than DPI*

Once upon a time, the Internet was a friendly, happy, flourishing place populated by academics and scientists. Like all idylls, this attracted predators and parasites, and soon the Internet was overrun by the confederates of our appetite-satisfying service economy: commercial advertisers, pornographers, and money. And this attracted criminals, which in turn attracted venture capitalists, who lent money to the displaced academics and scientists (and some mediocre criminals) to create a new industry: network security. Below is a quick recap of the past 25 years of the network traffic inspection subset of that industry, and its major (and interim) stages of development, but before we dive in, a quick riddle: What do ants, cars, and neurons have in common? If you answered, “they all have some form of antenna,” you score points for good abstract association, but it’s not the answer we’re looking for. We’ll come back to this.

1 – The Packet Age

Packet Filters – Started in the late 1980s as an outgrowth of access-control lists (ACLs) on routers. Inspection and policy focused entirely on L2-L4, and treated each packet discretely, lacking any notion of a connection or a flow.

2 – The Flow Age

Stateful/Flow Inspection – Stateful firewalls and flow tracking technologies (such as NetFlow) were introduced in the early-to-mid 1990s. This advanced the inspection capabilities of packet filters by adding state-tables or connection-caches for tracking flows, moving the primary unit of inspection from the packet to the L4 flow. The result was improved throughput and defense against an emerging class of TCP-level attacks that exploited the naïve header-focus of packet filters.
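
To make the difference concrete, here is a minimal sketch (in Python, with invented names; not any vendor's actual implementation) contrasting a stateless header filter with a stateful firewall's connection table keyed by the 5-tuple:

from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport proto syn ack")

# Stateless packet filter: every packet is judged on its L3/L4 headers alone.
def packet_filter(pkt, allowed):
    return "allow" if (pkt.dst, pkt.dport, pkt.proto) in allowed else "drop"

# Stateful inspection: the unit of policy becomes the flow, tracked in a state table.
class StatefulFirewall:
    def __init__(self, allowed):
        self.allowed = set(allowed)   # permitted (dst, dport, proto) services
        self.state = set()            # established 5-tuple flows

    def inspect(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if flow in self.state or reply in self.state:
            return "allow"            # belongs to a tracked connection
        if pkt.syn and not pkt.ack and (pkt.dst, pkt.dport, pkt.proto) in self.allowed:
            self.state.add(flow)      # new connection permitted by policy
            return "allow"
        return "drop"                 # e.g. an unsolicited ACK that a naive
                                      # header-only filter might have passed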

3 – The Application Age

Proxies and Deep Packet Inspection (DPI) – In the early 2000s, attackers, thwarted by stateful firewalls, moved to the next layer in the network stack, the application layer. In response, network security vendors developed two approaches to application layer inspection, the proxy and DPI. Proxies were an early effort to inspect what was happening within common applications such as HTTP, FTP, SMTP, POP3, and DNS. They worked by brokering the client/server connections with their own “secure” version of the application, so an HTTP connection went from “Client<->Server” to “Client<->[Proxy(Server)—Proxy(Client)]<->Server”. This approach worked acceptably well for a while, but then network speeds jumped from megabits to gigabits, and network applications grew from the tens to the thousands.

To solve the limitations of early proxies came Deep Packet Inspection. DPI is a stream (or flow) based scanning technology with the ability to statefully inspect the content of every byte in every packet in every flow. Its reassembly and transformation engines allow it to process fragments, out-of-order packets, and all common encoding/presentation formats so that it can always reliably match patterns (or signatures) within flows.
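
As an illustration of the idea only (not Solera's or any other vendor's engine), the sketch below reassembles a flow's segments into an ordered byte stream, undoes one common presentation encoding, and matches signatures against the stream rather than against individual packets; the signatures shown are hypothetical.

import re
import zlib

# Hypothetical signature set, matched against reassembled flow content.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./\.\./"),
    "cmd-exec": re.compile(rb"cmd\.exe\s+/c", re.IGNORECASE),
}

def reassemble(segments):
    """Order segments by sequence number and concatenate their payloads so
    that matching happens on the stream, not on packet boundaries."""
    return b"".join(payload for seq, payload in sorted(segments))

def normalize(stream, content_encoding=None):
    """Undo a presentation-layer encoding (gzip here) before matching."""
    if content_encoding == "gzip":
        return zlib.decompress(stream, 16 + zlib.MAX_WBITS)
    return stream

def scan_flow(segments, content_encoding=None):
    data = normalize(reassemble(segments), content_encoding)
    return [name for name, sig in SIGNATURES.items() if sig.search(data)]

# A pattern split across two out-of-order packets is still caught:
print(scan_flow([(2, b"/../etc/passwd HTTP/1.1"), (1, b"GET /..%2F../..")]))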

With DPI-powered next-generation firewalls (NGFW) and a new breed of application proxies (in the form of Web-Application and Database Firewalls) fairly effectively blocking known application attacks and exploits, attackers and data thieves again had to change their tactics. And so began the epidemic of polymorphic multi-platform malware (PMPM).

[Chart: new malware samples per year; source: AV-Test]

Whereas novel malware and exploits capable of evading signature-based detection engines such as DPI or application proxies used to be rare, requiring the manual effort of someone highly skilled in the art, producing them is now trivially simple thanks to automation. Exploit kits, packers, and obfuscators allow anyone with little more than malicious intent and a few hundred dollars to create and distribute PMPM virtually undetectable by signature or norms-based inspection or proxy engines. As the chart above indicates, 2010 saw about 17.5 million new pieces of malware (AV-Test), but 286 million unique variants (Source: Symantec ISTR 2011). One might, if one were so inclined, interpret this as “16 detected variations of each strain”. 2011 saw 18 million new pieces with 403 million variants, or 22 variations of each strain, for a 37.5% increase in variation over 2010. Following that trend, and considering that we are at 12.5 million new pieces of malware at the start of July, we might expect to see 25 million new pieces in 2012, with 30 variations (a flat 37.5% increase on 22) for a projected total of 750 million variants. And these numbers barely account for alternative/mobile computing platforms such as smartphones, tablets, and Internet-enabled consumer electronics, which—unlike PCs that have been under attack for decades—have somewhere between “alarmingly immature” and “totally non-existent” host-based security options.
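
The back-of-envelope projection above can be reproduced in a few lines of Python; the 2012 figures are, of course, extrapolations rather than measurements.

# Reproducing the rough variant-growth arithmetic from the paragraph above.
new_2010, variants_2010 = 17.5e6, 286e6     # 2010: AV-Test / Symantec ISTR figures
new_2011, variants_2011 = 18.0e6, 403e6     # 2011

per_strain_2010 = round(variants_2010 / new_2010)   # ~16 variants per strain
per_strain_2011 = round(variants_2011 / new_2011)   # ~22 variants per strain
growth = per_strain_2011 / per_strain_2010 - 1      # 37.5% increase in variation

# 12.5M new samples by the start of July suggests ~25M for all of 2012;
# holding the 37.5% growth in variation flat gives ~30 variants per strain.
new_2012 = 12.5e6 * 2
per_strain_2012 = round(per_strain_2011 * (1 + growth))   # 30
variants_2012 = new_2012 * per_strain_2012                # 750 million
print(per_strain_2010, per_strain_2011, f"{growth:.1%}", f"{variants_2012:,.0f}")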

So what do ants, cars, and neurons have in common? They are all often-cited examples of emergence. The concept of emergence is broadly multidisciplinary, but in virtually all forms it states, at its simplest, that the whole is greater than the sum of its parts, or, more specifically, that the whole is a novel entity that emerges irreducibly from assemblages of its component parts. Ants form colonies with complex social organizations that cannot be understood simply by studying the seemingly programmatic behavior of ants. Cars form traffic whose dynamics remain frustratingly unintuitive (particularly on the Beltway in D.C.) despite the intuitive “follow-the-leader” model that most individual drivers employ. Neurons collect to form brains from which emerges consciousness, yet despite our comprehensive microscopic-level understanding of neuroscience, we still often find each other’s behavior puzzlingly mercurial or irrational. In other words, macro-level behaviors of complex systems cannot be predicted through micro-level analysis.

Files, created by adaptive authors and processed by applications or run by operating systems, constitute such complex systems. Trying to understand their emergent qualities and effects (such as process, file-system, network, and API activity) is impossible through even the deepest packet or flow inspection. Understanding what emerges from collections of packets and flows can only happen through inspection at the macro level: the interaction between the files they convey and their diverse operating environments.

Recognizing this, a small but growing number of security vendors such as FireEye, Norman, and GFI have recently started offering virtualization and sandboxing platforms capable of “detonating” or dynamically analyzing executables and other files typically associated with PMPM. Their approach to date has the following characteristics:

  • Either a stand-alone analyzer that must have files delivered to it, or a mediating gateway model with:
    • Limited transport application support, typically only HTTP and SMTP, and often without DPI classification for non-standard ports of operation.
    • <1Gbps throughput, and with no simple model for deployment scalability.
    • A focus on Windows malware (in particular Win32) with limited or no ability to analyze files for or on other platforms, e.g. an Android .apk file, or a Java archive or PDF run on a Mac.
  • Detonation is a very computationally expensive operation, yet it is largely undiscriminating:
    • It is commonly employed such that all payloads are detonated and evaluated irrespective of their likelihood of being malicious (i.e. reputation, point of origin, signature characteristics, etc.).
    • A payload that is determined to be malicious by a Windows sandbox will likely generate false-positives when downloaded by a non-vulnerable, non-Windows client. The inverse (attack against non-vulnerable sandbox, vulnerable client) will result in a false-negative.
    • A payload that can successfully exploit an older version of an application (e.g. Java) will likely generate false-positives when downloaded by a non-vulnerable client that has updated the application. The inverse (newer version on sandbox, older version on client) will result in a false-negative.

While these detonation platforms offer clear advantages over signature or norms-based security devices, they are too limited in their scalability, and in their support for the necessary diversity of file formats, operating systems, and transport/application protocols, to effectively defend against the full scope of PMPM. They have advanced beyond the application age but, given their shortcomings, haven’t fully made it to the next stage. History might remember them as the missing link. The time has come for the fourth stage.

4 – The File Age

Having briefly recounted the industry’s evolution from packets, to flows, to applications, to an intermediate stage of limited detonation, the trajectory should be clear: in order to deal more competently with the PMPM threat, we need a platform that can efficiently and adaptably handle the current and future diversity of protocols, platforms, and file-formats.

RTE (Real-Time Extractor) is a system within the Solera DeepSee Threat Profiler platform that is designed to provide generalized file-level analysis across a broad and extensible set of protocols, platforms, and file-formats. It effectively does for files what DPI does for packets and flows. RTE builds on the DeepSee Extractor platform, advancing Extractor’s capability to reconstruct packets and flows into files from an operator-driven, on-demand process to a fully programmable part of an automated analysis workflow. To accomplish this, RTE encompasses the following components (a rough sketch of how they fit together follows the list):

  1. Detection – The rules identifying files within flows that warrant further analysis. Detection policies (Rules) can incorporate any Filters or Favorites that can be used in the DeepSee path bar, including network attributes, application context, application metadata, user context, geo-IP information, or any combination thereof. It’s simple, for example, to set a detection policy that triggers extraction on “all executables, PDFs, and Java Archives coming from servers other than ‘Trusted Servers’ delivered over HTTP or SMTP” and to submit them for analysis via a configurable Action.
  2. Extraction – The process of extracting the target file from a network flow across a set of common network applications and transport protocols, and across a set of common file types.
  3. Action – A configurable and extensible set of analysis options including hash calculations and lookups against a variety of reputation services, interpretation of JavaScript content, quick scanning of portable executable (PE) files for indicators of maliciousness, file transfers for archival or indexing purposes, or submission to a variety of multiplatform malware analysis tools and services. Further, if the target of an Action provides verdict information (e.g. goodware, malware, unknown, etc.), that information will be presented through the DeepSee interface.
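
The names and interfaces below are hypothetical (the DeepSee/RTE APIs aren't public); this is only a minimal sketch of how a detection rule, an extraction step, and a set of actions can compose into the kind of automated workflow described above.

import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class ExtractedFile:            # hypothetical stand-in for a file reconstructed from a flow
    name: str
    file_type: str              # e.g. "pe", "pdf", "jar", "apk"
    app: str                    # transport application, e.g. "http", "smtp"
    src_ip: str
    data: bytes

# 1. Detection: a rule selects which extracted files warrant further analysis.
TRUSTED_SERVERS = {"10.0.0.5", "10.0.0.6"}          # example "Favorites"-style group

def detection_rule(f: ExtractedFile) -> bool:
    return (f.file_type in {"pe", "pdf", "jar"}
            and f.app in {"http", "smtp"}
            and f.src_ip not in TRUSTED_SERVERS)

# 2. Extraction is assumed to have happened upstream (the Extractor role);
#    this sketch simply receives ExtractedFile objects.

# 3. Actions: each analysis option returns a verdict for the file.
def hash_lookup(f: ExtractedFile) -> str:
    digest = hashlib.sha256(f.data).hexdigest()
    return "unknown"            # placeholder: a real Action would query a reputation service with digest

def sandbox_submit(f: ExtractedFile) -> str:
    return "unknown"            # placeholder: a real Action would submit to a malware analysis service

ACTIONS: List[Callable[[ExtractedFile], str]] = [hash_lookup, sandbox_submit]

def process(files: List[ExtractedFile]) -> Dict[str, List[str]]:
    verdicts: Dict[str, List[str]] = {}
    for f in files:
        if detection_rule(f):                                # Detection
            verdicts[f.name] = [act(f) for act in ACTIONS]   # Actions on the extracted file
    return verdicts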

The result today is a platform that projects network analysis into the file age while simultaneously providing some of the industry’s most robust packet, flow, and application analyzers, arming security professionals with a highly competent network visibility, analysis, and reporting platform. In the near future the RTE platform will be the engine that powers automated workflows that will:

  • Dynamically discover novel malware transported on any known protocol, and targeting any replicable operating environment
  • Update file, IP, URL, and domain reputation databases
  • Assess relatedness to past and future file activity to more efficiently discover polymorphism
  • Inform control points on networks for automatic rule updates and enforcement
  • Fingerprint discoveries to create defensive signatures for deployment to a site, an enterprise, or an entire subscriber-base

 

* – with apologies to the Tyrell Corporation and White Zombie

Chapcrack and CloudCracker

Some of the biggest news that came out of DEFCON 20 was coverage of Moxie Marlinspike’s latest evisceration of MS-CHAPv2. There are papers dating back to 1999 describing weaknesses in MS-CHAPv2, Microsoft’s “updated” version of their original challenge/response system for authentication. The scheme’s weakness described briefly: a Server sends a Client a 16 byte challenge, from which the client cryptographically derives an 8 byte value. The Client then transforms this value into the 24 byte response by padding its 16 byte password hash to 21 bytes with zeros, splitting those 21 bytes into three DES keys of 7 bytes each, and encrypting the 8 byte value. The last key (the “K3” reference inside the chapcrack code) really only has 2 bytes of key material, significantly reducing the key space, and simplifying attacks like this one.
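
For readers who want to see the construction, here is a minimal sketch of the response derivation described above (using PyCryptodome for DES; an illustration, not a reimplementation of chapcrack). The comments note why the third DES key, K3, leaves only 2^16 possibilities.

import hashlib
from Crypto.Cipher import DES   # pip install pycryptodome

def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits across 8 bytes (7 bits per byte); parity bits left as 0."""
    bits = int.from_bytes(key7, "big")
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    # The 8-byte value the client derives from the challenge material.
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]

def mschapv2_response(nt_hash: bytes, chal8: bytes) -> bytes:
    padded = nt_hash + b"\x00" * 5                    # 16-byte NT hash padded to 21 bytes
    k1, k2, k3 = padded[0:7], padded[7:14], padded[14:21]
    # k3 is the last 2 bytes of the NT hash plus 5 zero bytes: only 2**16 candidates,
    # which is why chapcrack recovers it instantly; k1 and k2 each require the full
    # 2**56 DES search that CloudCracker performs.
    return b"".join(
        DES.new(expand_des_key(k), DES.MODE_ECB).encrypt(chal8) for k in (k1, k2, k3)
    )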

But this has been known for a long time, so this is not news. The news is in part Moxie’s python tool that automates the extraction of the readily available cipher text, plain text, and key material from an MS-CHAPv2 exchange. For example, running a PPTP packet capture containing successful authentication against chapcrack produces the following:

Got completed handshake [192.168.1.2 –> 84.45.76.99]
Cracking K3………
User = joelevy@gmail.com
C1 = f8e699cbcc6ca0d5
C2 = 534f2da52b977b26
C3 = d1194e961cf2c996
P = 7daffd76455abb44
K3 = 74670000000000
CloudCracker Submission = $99$fa/9dkVau0T45pnLzGyg1VNPLaUrl3smdGc=

That last line can be submitted to CloudCracker, and $200 and less than 24 hours later, the entirety of DES space (7.2 * 10^16) will be walked, and a key will be provided that can be fed to chapcrack to decrypt the source packet capture file.

The second part of the news is the attention brought to CloudCracker, a years-old Cracker-as-a-Service platform that makes perfectly affordable what was practically infeasible a decade ago. Consider this now comically shortsighted description of the weakness offered by Microsoft in 2002:

“If the password is strong enough, it will take a single 200 MHz Pentium Pro computer an average of 2,200 years to find the keys derived from it and 5,500 years to find the password itself (or 2.2 years and 5.5 years with 1,000 such computers, and so forth).” – Source

But the biggest news is the unmistakable demonstration of how truly numbered are the days of weak crypto systems hiding behind perceived economic impracticabilities. Vendors need to learn to stop ignoring weaknesses and attacks as “theoretical” simply because they seem out of reach by today’s standards. Multi-core, cloud, and (someday) quantum computing totally invalidate such an irresponsible posture. Broken things need to be fixed upon discovery because sooner or later exploitation will become affordable, and the longer they are allowed to remain in use, the more expensive they tend to become to replace.

How big of a problem is the announcement? Big for anyone still using PPTP for their VPN solution despite a decade of awareness of the problem. But if someone is still using PPTP instead of some form of SSL-VPN or IPsec, that’s a signal of generally questionable IT competence, which means there are likely other problems that can more easily be exploited. As for the possibility of using this attack to crack WPA/WPA2 Enterprise traffic, that seems unlikely to happen on any sort of meaningful scale given how rare WPA/WPA2-EAP (extensible authentication protocol) using MS-CHAPv2 without TLS is in practice. By far the most common form using MS-CHAPv2 is WPA/WPA2-PEAP, which uses TLS to protect the MS-CHAPv2 exchange. Only if the attacker manages to gain access to the TLS private key for decryption of the outer layer (which is a far greater problem) could the inner layer be attacked with chapcrack. The other WPA/WPA2 cracking option that’s been available on CloudCracker (and Moxie’s wpacracker.com before it) attacks passwords in WPA/WPA2-PSK (pre-shared key), not EAP, and is unrelated to chapcrack. The fact that they are both present on CloudCracker might be confusing, and unnecessarily alarming to some, but most properly designed enterprise wireless systems should be safe from this method of attack.

Hunting the Chimera

Whatever side you’re on, an undeniable effect of the ongoing debate over the reality of cyberwarfare is the infiltration of the term “cyberwar” into our vernacular. We have all gradually come to accept “cyber” as the fifth present or potential domain of warfare after land, sea, air, and space. We are becoming increasingly aware of such previously arcane terms as ‘SCADA’ (Supervisory Control and Data Acquisition systems), and what these computer systems monitor and control, namely, our ‘critical infrastructure’, defined ominously by the Department of Homeland Security as the collection of assets that “our society depends upon such that if it were damaged or destroyed, it would have a significant impact on our ability to function. Think of the nation’s power grid or banking system. The Internet. Water treatment facilities. Nuclear power plants. Transportation. Our food supply chain and agriculture.” And whatever side you’re on, we are wondering at the costs—economic, political, and not least of all, social—of abstaining or engaging in such a war.

Both sides of the debate are replete with pundits and other outspoken personalities from intelligence, defense, legal, and information security backgrounds, and both sides make cogent, albeit familiar arguments. Cyberwar deniers argue that while there is certainly rampant cyber crime, it is a far stretch from qualifying as warfare; after all – if it is war, where are the casualties? More injuriously, they claim that the hype is plain scaremongering with thinly veiled financial and power ambitions. Financial beneficiaries would be the defense-industrial base players (Lockheed Martin, Northrop Grumman, Raytheon, Boeing, General Dynamics, Booz Allen Hamilton, etc.) with their mushrooming cyber services divisions, as well as commercial information security vendors. Power beneficiaries, far more worryingly, would be governments, as they legislatively wrest Internet freedoms away from the public, coercing people to trade civil liberties and what little online privacy is left for the promise of increased security. Substantiating these warnings are programs such as the NSA’s recently announced “Perfect Citizen”, a surveillance program intended to protect primarily privately owned critical infrastructure systems, and the 40 pieces of cyber-legislation currently circulating on the Hill.

Apologists warn of public ignorance of the commonness and frequency of ongoing attacks, and a gross underestimation of the consequences of the looming “electronic Pearl Harbor.” They offer vividly traumatizing movie-plot examples from collapsing water treatment facilities, oil pipelines, air-traffic control systems, and electrical grids to financial armageddon scenarios such as the one presented at an Intelligence Squared cyberwar debate on June 8, 2010 by former Director of National Intelligence and of the NSA, Mike McConnell:

“Let me give you just a way to think about it. The United States economy is $14 trillion a year. Two banks in New York City move $7 trillion a day. On a good day, they do eight trillion. Now think about that. Our economy is $14 trillion. Two banks are moving $7 trillion to $8 trillion a day. There is no gold; they’re not even printed dollar bills. All of those transactions, all those transactions are massive reconciliation and accounting. If those who wish us ill, if someone with a different world view was successful in attacking that information and destroying the data, it could have a devastating impact, not only on the nation, but the globe. And that’s the issue that we’re really debating.”

Despite the nightmarish portrayals, and in dismissal of the denier’s “where are the casualties?” cry, exponents generally acknowledge that while we are not in the midst of a cyberwar, if a real war were to erupt, cyber is certain to be a theater, and that we are currently ill prepared for such engagement, both defensively and offensively. One thing all parties can agree on is that we’re facing colossal levels of cyber threats and cyber crime, and that something must be done to mitigate the epidemic. And here emerges the fundamental difference between the two camps: whether or not any degree of governmental surveillance or militarization of the Internet is necessary to accomplish this. At its core, the debate is about openness, transparency, anonymity, and privacy; it is a question of trust.

When considering the issue of privacy versus security on the Internet, technologies such as DPI (deep-packet inspection, capable of scanning and performing pattern-matching on all the content of all network traffic, a centerpiece of the EINSTEIN 3 program) and trusted identity systems (such as the recently proposed NSTIC – National Strategy for Trusted Identities in Cyberspace blueprint) immediately spring to mind. Skeletons of earlier Big Brother initiatives, such as Clipper, Carnivore, Total Information Awareness, and Echelon, are dragged out of the closet by the ACLU, EFF, and EPIC, a ritual that some claim is little more than eye-for-an-eye scaremongering disguised as education. Bandwagon accusations of everything from government incompetence to outright evil are made, and emotional terms like “fascist” and “mark of the beast” are flung by many who clearly never bothered commenting on or even reading any of the proposals.

Take, for example, NSTIC, which was drafted in collaboration with civil liberties and privacy communities. NSTIC’s Identity Ecosystem proposal is voluntary, and among its guiding principles is adherence to the eight Fair Information Practice Principles (FIPPs): transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing. Regardless, the din of accusations of a government power grab has smothered this evolving and open program’s well-deserved positive reviews. Much to our detriment, facts are among the most recent casualties of popular distrust of government.

Have there been bad government actors throughout history who have betrayed the public’s trust? Yes, but despite such past events and our deeply engrained negativity bias, it is neither reasonable nor in our best interest to mechanically and uncritically distrust all government. Instead, we should seek to restore trust. Only actions and their effects can achieve this, so we should endeavor to collaboratively move forward rather than to filibuster and stifle, after all “any jackass can kick down a barn, but it takes a good carpenter to build one.” Cyber legislation is new terrain, and we owe ourselves participation as co-navigators. By taking the time to evaluate government initiatives, we can assess whether or not they have in sufficient degree the requisite ingredients of trust: political process, oversight, and public accountability.

Further, we must be reasonable in accepting that governments must operate with a certain level of secrecy as a means of ensuring national security. McConnell illustrates this point well:

“The equivalent of the National Security Agency was breaking Nazi Germany’s code in World War II. Historians argue that that probably shortened the war by 18 months to two years, saved countless lives and incredible resources. Did the American people have the right to know that NSA was breaking Nazi Germany code in World War II? Because if they had known, the Germans would have known, and all they had to do was take it away by changing the rotors. Secrecy gets a very bad name in our society. American citizens don’t like spies in spite of the fact that the first spy master was George Washington. Secrecy is a necessity.”

What are the government’s goals in proposing such controversial technologies as identity systems, data collection, and DPI? To spy on its citizens? To foment public discontent? To squander taxpayer dollars? To implement a stopgap until fMRIs are finally embedded in all of our smartphones?

No. The goal of these technologies is to hunt a chimera, a mythical creature composed of multiple parts: one part “Attribution” and one part “Situational Awareness”.

Attribution, the accurate identification of an actor or agent, is an elusive beast in the cyber domain. In the real-world, sources of actions can generally be traced because few of us have mastered the arts of astral projection or telekinesis. The Internet, however, provides the perfect environment for virtualization, abstraction, and indirection. IP addresses are not trustworthy as traffic can be tunneled through proxy servers and onion routers, either to conceal identities and location, or to maliciously implicate other parties in an act. Worse, even if hosts can be identified, there is no reliable connection between actor and host, whether due to the attacker employing a botnet, or simply because of our inability to know who was really at the keyboard.

Situational awareness (SA) may be defined as an attempt to develop a comprehensive and intelligible common operating picture of complex, dynamic, multivariate systems across multiple commands. Or it may be defined, more tersely, as omniscience. It is the military equivalent of Laplace’s Demon, described by its 19th century inventor, Marquis Pierre Simon de Laplace, as follows:

“We may regard the present state of the universe as the effect of its past and the cause of its future. An intellect which at any given moment knew all of the forces that animate nature and the mutual positions of the beings that compose it, if this intellect were vast enough to submit the data to analysis, could condense into a single formula the movement of the greatest bodies of the universe and that of the lightest atom; for such an intellect nothing could be uncertain and the future just like the past would be present before its eyes.”

The thought experiment is an interesting one, but its conjectured strain of determinism has been largely refuted by such discoveries as quantum mechanics and psychopathology. Reality, it turns out, is simply not that predictable.

While not as evasive as attribution, SA is the more formidable quarry. We pursue it through combinations of DPI and log, netflow, and statistical analysis. But these methods are as imperfect as Laplace’s Demon, at once empowered and thwarted by determinism. We identify events of interest with finite automata, heuristics, and algorithms, but these all rely on signatures, rules, pre-classification, and prediction. So long as we can describe events, we can detect and prevent them, but the moment they escape the realm of the predictable (as the more highly evolved adversarial attacks are wont to do) they become invisible.

A good way to illustrate the shortcoming of such purely predictive security models, and of omniscient SA aspirations in general, is to contrast the seemingly similar terms “no sign of infection” and “sign of no infection”. The first term, “no sign of infection”, means that our current methods of classifying and detecting an infection have returned negative results (no infection). The second term, “sign of no infection”, means that there is unequivocal evidence of negative results (no infection). No doctor in his right mind would ever use the second term. Why? Malpractice aside, because that sort of certainty is unattainable. At best, we can hope for “no sign of infection” where, to the best of our predictive abilities, we can be confident that results are negative, but we know that this might be a false negative (infection). This is how all situational awareness initiatives work, by saying “we are as confident as we can be that infection results are negative, but don’t get too comfortable because it might be a false negative.”

And it is for this reason—that we cannot predict everything—that situational awareness must also have a retrospective component. This allows us to concede that we are not omniscient and that we cannot know everything in advance, but to have the ability to go back and reexamine the past once we have the benefit of future knowledge. This is why data collection, and the persistence of surveillance information, is critical to any serious security program.

Are perfect attribution and situational awareness achievable? No, they are lofty illusions. But there are valuable incremental gains to be had here, so neither should we allow the perfect to be the enemy of the good, nor should we allow an irrational fear of government to deny us the potential of improved defenses. On the contrary, we should instead do what might, in our imperfect awareness, seem counterintuitive and support the hunt for the chimera. Rabid privacy advocates, minarchists, and those who would commit the all-too-common informal fallacy of making a slippery-slope argument about the perils of ceding rights to the government are advised to steel themselves by referring to the part in the Constitution’s preamble about “provide for the common defence”, and apply it to the 21st century. Government does not consider us the enemy, but we must accept that in our virtualized, interconnected, malware infested cyber-dependent world, the enemy is among us, and it is government’s charter to defend us.

The Singularity Is Not All That Near

By now, no one with electricity hasn’t heard about the NSA data center that is planned for Utah. First mention of it was seen in the wild as far back as May 2009 in H.R. 2346 (“Making Supplemental Appropriations for the Fiscal Year Ending September 30, 2009, and for Other Purposes”; search for ‘Utah’). Digging just a bit deeper takes the timeline back as far as April in a supplemental White House document that included Department of Defense appropriations (see page 66) for “site preparation in advance of data center facilities construction projects to be constructed at the Utah National Guard site at Camp Williams, Utah”. The same document also provides some evidence of the seriousness of our nation’s posture on cyberwarfare, as page 67 explains: “The FY 2009 Defense Appropriations Act funded a National Security Agency project in the Operation and Maintenance, Defense-wide account. It has been determined that the project is more properly funded through the Military Construction, Defense-wide account. This provision would realign these funds from Operations and Maintenance, Defense-Wide to Military Construction, Defense-Wide.”

Understandably, Utah has been abuzz about the NSA data center for some time. Performing a search for “NSA” on the Salt Lake Tribune site yields a number of variably interesting results, each shedding bits of light on the plan and its progress. The earliest piece, dating back to July 1st, does a good job rationalizing the decision to build the massive data center in Utah, opening with: “Hoping to protect its top-secret operations by decentralizing its massive computer hubs…” and later explaining that: “The NSA’s heavily automated computerized operations have for years been based at Fort Meade, Maryland, but the agency began looking to decentralize its efforts following the terrorist attacks of Sept. 11, 2001. Propelling that desire was the insatiable energy appetite of the agency’s computers. In 2006, the Baltimore Sun reported that the NSA — Baltimore Gas & Electric’s biggest customer — had maxed out the local grid and could not bring online several supercomputers it needed to expand its operations.” Environmentalists will both mourn and be fueled by the juicy tidbit from this same piece that the data center “will also require at least 65 megawatts of power — about the same amount used by every home in Salt Lake City combined.”

Curiously, an additional piece of historical information the article fails to mention as possible site-selection rationalization is that Utah was previously selected by the NSA, back in February of 2006, for the linguistic capabilities of its returned missionaries. It would not be at all surprising if this was a factor in Utah’s being the place for what’s been described as a “collection point for surveillance of domestic and international telecommunications“.
So as they say: السلام عليكم, 企鹅性骚扰, יישר כח, etc., Utah.

The piece from July 2 provides some more information on the purpose, cost, and composition of the data center: “The supercomputers in the center will be part of the NSA’s signal intelligence program, which seeks to ‘gain a decisive information advantage for the nation and our allies under all circumstances'” and “President Barack Obama last week signed a spending bill that included $181 million for preparatory construction of the Camp Williams facility and tentatively agreed to two future phases of construction that could cost $800 million each” and “About $70 million has been budgeted for security, including vehicle inspection facilities, fencing, surveillance and separate visitor control centers for construction and technical personnel.”

I can’t yet say anything about the collection of supercomputers, but the eyewitness commentary I can provide as a commuter who drives past the planned construction site everyday is that it seems they’ve already spent more than $70 million on fencing alone, and it’s mostly resulted in heaping piles of deer roadkill. Inexplicably, the rutting deer seem to excel at finding their way through the fence to get onto the road, but can’t seem (literally, to save their own lives) to find their way back through to get off the road. Perhaps experimentation on bloated stinking mangled deer is somehow part of the grand government conspiracy.

July 7 offers up two pieces. The first objectively treats the data center as little more than fiscal stimulus (construction is planned to employ 4,000 to 5,000 people), while the second seems its calculated social counterbalance, offering up the obligatorily banal “we’ll follow orders and won’t ask any pesky questions about civil rights” shtick. At least the comments prove to be far more entertaining than the articles themselves.

The piece from October 23 was the first “mainstream” report in the Tribune on the event, getting somewhat lost in the echo chamber of reports and blogs and tweets that hit at about the same time, triggered by the Office of the Director of National Intelligence press conference (video and transcript). Win-win-win!

It’s an excerpt from this piece that is among the most important of all the coverage offered, noting the crucially irreplaceable role of people in the technologically-driven field of cybersecurity, and citing a report that is recommended reading for anyone in the information security field or the Intelligence Community:

But only a very small slice of the information stored at the center in southern Salt Lake County will ever be scanned by human eyes. And that’s the reality for most of what is collected by the nation’s other spy agencies as well.  In a report commissioned by the Department of Defense last year, the Jason defense advisory group warned that the millions of terabytes of data coming into U.S. spy agencies through ever-improving sensors are being wasted. … It cited Massachusetts Institute of technology defense expert Pete Rustan, who complained that “70 percent of the data we collect is falling on the floor” [because sensor data was failing to be captured and processed].

“We have been blessed with a lot more sensor-type capabilities,” [said George Eanes, vice president of business development at Modus Operandi, a Florida software company that serves the defense intelligence community.] “That can be a big advantage to have in the theater, but it’s just data. You still got to have the humans in the loop before you make any decisions.”

Data Analysis Challenges

The same report cited above was also recently referenced by FAS (Federation of American Scientists) through their Secrecy News project (“Through research, advocacy, and public education, the FAS Project on Government Secrecy works to challenge excessive government secrecy and to promote public oversight”) in a post on the challenges of dealing with large data sets. The December 2008 JASON (not an acronym) report titled “Data Analysis Challenges” is a must read. Seriously – read it. Notable concepts from this “study commissioned by the Department of Defense (DOD) and the Intelligence Community (IC) on the emerging challenges of data analysis in the face of increasing capability of DOD/IC sensors”:

As the amount of data captured by these sensors grows, the difficulty in storing, analyzing, and fusing the sensor data becomes increasingly significant with the challenge being further complicated by the growing ubiquity of these sensors.  (page 1)

The JASON report opens by summarily describing the challenges facing the Intelligence Community as storing, analyzing and fusing the ever-increasing amounts of data. Storing the data, obviously, should be recognized as foundational to anything but the most cursory analysis, the kind of superficial examination that the report describes as “rapid time scale” (more on this later). Yet despite storage being an unmistakable prerequisite to any kind of deeper, longer time scale analysis, there are today technology vendors hawking data-analysis wares that fail to meet this basic requirement. Because they haven’t figured out how to solve the technical challenge, they attempt to dismiss their critical deficiency with one of two arguments from ignorance: either that high-speed data capture is not possible, or that it’s not necessary.

No one would disagree that in intelligence work, data analysis is more productive than raw data capture, but likewise, no one should suggest that meaningful data analysis is possible today without having all of the data to analyze. As the report states on page 3: “the notion of fully automated analysis is today at best a distant reality.” Companies making a claim that effectively amounts to “we analyze 100% of the data that we don’t fail to capture” do nothing but betray their lack of understanding of the requirements of the Intelligence Community. Best-effort approaches can make sense when coping with current real limitations of computation or storage, but only when employed sensibly; failing to store all relevant data means never being able to analyze that un-captured data, whereas failing to analyze captured data in real time still leaves it available for deeper analysis after capture.

But storage should really only be considered table stakes. The practical utility of any storage system comes from the combination of efficient capture *and* efficient retrieval. The capture of the data should be considered the relatively easy part, and the report correctly makes clear that “the main issues in managing this volume of data are not rooted in hardware but in software” (page 23). It goes on to offer an example from the Pan-STARRS project of how commodity-off-the-shelf (COTS) hardware can be used to “serve 3 Petabytes for roughly $1M”. (The Pan-STARRS “Distilling Science from Petabytes” presentation itself is cited in the report’s end notes. A web search by name will turn up a link to the presentation, which is also worth a glance. It’s worth noting the bullet on slide 10, which advises: “Science goals require all the data to be accessible and useful: waste no photons”.) Further, the JASON report describes some of the greater challenges when dealing with these quantities of data, namely, those of managing large data sets:

These include dealing with the complexity in the name-space that is introduced by the enormous capacity of these high performance file systems, and managing the vast archives of data that are produced by both simulation and data collection systems. Old paradigms for locating data based on a simple file path name break down when the number of files exceeds 10^9 as they now frequently do. Users have expressed the desire to locate data based on other properties of the data beyond its file name, including but not limited to its contents, its type and other semantic properties. Such a location service will require new indexing techniques that are currently subjects of academic research. (page 28)

In addition to limitations of conventional filesystems, the report also describes frustrations with commercially available databases, focusing on the paradigmatic experiences of the scientific community:

Broadly speaking the segment of the scientific community that is pushing the forefront of large-data science has been disappointed with the capability and the performance of existing databases. Most projects have either resorted to partitioned smaller databases, or to a hybrid scheme where metadata are stored in the database, along with pointers to the data files. In this hybrid scheme the actual data are not stored in the database, and SQL queries are run on either the metadata or on some aggregated statistical quantities. (page 61)

The authors of the report were astute to make this connection, acknowledging in the executive summary (page 1) that “it is of value to consider the evolution of data storage requirements arising from data-intensive work in scientific fields such as high energy physics or astronomy.” This perspective strongly validates some of Solera Networks’ inventions in the areas of massively scalable (DSFS) and attribute-based (GaugeFS) filesystems and databases (SoleraDB) (details available under NDA); it also helps illuminate the unique value of having a Chief Scientist (Matt Wood) who is hours from completing his Theoretical Physics PhD work in the Telescope Array Physics group at the University of Utah.

As a quick exercise to appreciate the value of real solutions to the problems encountered with traditional filesystems and databases when attempting to capture and use large sets of network traffic, consider the following (a rough sketch follows the lists below):

So you’ve captured just over 3 days of traffic on your generally 1/3 utilized 10Gbps network:

  • That’s about 100TB of data
  • For around 183 billion “average” sized packets (600 bytes)
  • At an average of 650,000 packets per second

And now you want to find all the packets from IP address 71.213.89.177:

  • Do you read through 50 x 2TB or 50,000 x 2GB files?
  • Wouldn’t it be helpful to have an index?
  • Which databases efficiently handle 650,000 inserts per second?
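
As a rough answer to the questions above (and an illustration only; the designs of DSFS, GaugeFS, and SoleraDB are not public), an attribute index changes the problem from scanning ~100TB of capture files to seeking directly to the packets of interest:

from collections import defaultdict

# Back-of-envelope figures from the exercise above.
SECONDS = 3.25 * 24 * 3600             # "just over 3 days"
PPS = 650_000                          # average packets per second
PACKETS = int(SECONDS * PPS)           # ~183 billion packets
CAPTURE_BYTES = PACKETS * 600          # ~100 TB at 600-byte average packets

# A toy attribute index: for each source IP, remember where its packets live.
# A production system would have to sustain ~650,000 index inserts per second.
index = defaultdict(list)              # src_ip -> [(capture_file, byte_offset), ...]

def on_packet(src_ip, capture_file, offset):
    index[src_ip].append((capture_file, offset))

def packets_from(src_ip):
    # Seek straight to the matching packets instead of reading 50 x 2TB files.
    return index[src_ip]

on_packet("71.213.89.177", "capture-0001.pcap", 1_234_567)
print(packets_from("71.213.89.177"))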

Time Scales

As mentioned earlier, there are different time scales on which data analysis can be performed. Sensitivity to different time scales is important, and the report notes this in the executive summary: “The key challenge is to empower the analyst by ensuring that results requiring rapid response are made available as quickly as possible while also insuring that more long term activities such as forensic analysis are adequately supported.” In greater detail, it broadly distinguishes three cases (page 51):

Long time scale Here there is no critical timeliness requirement and one may want to establish results on a time scale of perhaps days. Applications which match well include retrospective analysis of multiple data sources, fusing of new data to update existing models such as geographic information systems or to establish correlations among events recorded through different information gathering modalities.

Medium time scale Such a time scale corresponds to activities like online analysis with well structured data. Typically this is accomplished in an interactive way using a client-server or “pull based” approach.

Rapid time scale In this scenario, one wants to be cued immediately for the occurrence of critical events. The time scale here may be very near real time. We will argue that a “push based” or event driven architecture is appropriate here.

The long time scale section makes cloud-computing recommendations such as MapReduce/Hadoop, and also makes the wise suggestion “to move computation close to the data rather than move the data to a central point where computation takes place. This minimizes congestion and is more scalable in that there are fewer load imbalance bottlenecks due to data motion or computation” (page 59). With regard to network forensics, it would be reasonable to consider such tasks as cryptanalysis, steganalysis, and statistical data mining as likely long time scale candidates.

The medium time scale section recommends the use of a service oriented architecture (SOA – the fundable version of RPC), noting its attractiveness in “applications where large data stores need to interoperate and where fusion of their data is required at a higher level.” It covers IARPA’s open-source Blackbook 2 project (“a graph analytic processing platform for semantic web”), which appears to be a non-commercial alternative to the impressively scalable and extensible Palantir data analysis platform (you can get a feel for it by playing an online game they provide, or using it to work with data from data.gov). In the spirit of the JASON report’s recommendations on modularity and sharing, and consistent with Solera Networks’ practice on platform collaboration, Palantir avers a “fundamental belief that this openness will lead to long-term customer success over inflexible, closed, and proprietary solutions.” Most sorts of collaborative data analysis could fit into the medium time scale, and scalable, high-performing, intuitive platforms will make it easier for human analysts to find interesting and valuable results in the data.

The rapid time scale is also described by the report as an “event driven architecture” (EDA) where an event is “simply a significant change of state associated with some data that is being constantly monitored.” The report differentiates an EDA from an SOA by explaining

EDA applications use a publish/subscribe model where loosely coupled software components subscribe to event streams and then either react by actuating some response or by emitting subsequent events to other components. The key idea behind this approach is asynchronous broadcasting or “push” of events.

This fairly accurately describes the sort of integration that exists between Solera Networks platforms and other event generating platforms such as SonicWALL and ArcSight, where pre-classified security events are detected on a rapid time scale through DPI pattern-matching, or security information/log aggregation. Since the platforms generating these sorts of events (either directly, or indirectly, e.g. through a SIEM) are generally in-line traffic-processing devices, their classification of events must occur in real-time (i.e. with latencies imperceptible to users), and cannot today be compared to the deeper sorts of data mining analyses that are possible in medium to long time scales. That is not to say that longer time scales are better than rapid time scales, but rather that both are necessary. I am simply recognizing the difference that exists today between a necessarily fast-twitch intrusion detection/prevention system, and a necessarily more persistent data analysis platform. Rapid time scale, event driven architectures are very good at detecting and preventing reconnaissance attempts, denial of service attacks, and known-exploit attacks easily identifiable by machines, and this type of defense is essential to protecting the day-to-day operation of information systems against tools the like of those found on milw0rm or exploit-db. But it requires longer time scales and the neocortex of a human analyst to detect the unique and unpredictable actions executed by a competent and determined criminal or terrorist agent.
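
For readers who want the publish/subscribe idea in code, here is a minimal, generic sketch (not ArcSight's or SonicWALL's actual integration API): loosely coupled subscribers register for event types, and the publisher pushes events to them as they occur.

from collections import defaultdict
from typing import Callable

class EventBus:
    """A toy event-driven architecture: publishers push, subscribers react."""
    def __init__(self):
        self.subscribers = defaultdict(list)   # event type -> list of handlers

    def subscribe(self, event_type: str, handler: Callable[[dict], None]):
        self.subscribers[event_type].append(handler)

    def publish(self, event_type: str, event: dict):
        for handler in self.subscribers[event_type]:
            handler(event)                     # "push": no one polls for events

# Example: a rapid-time-scale detector publishes an alert; a capture platform
# subscribes and preserves the surrounding traffic for longer-time-scale analysis.
bus = EventBus()
bus.subscribe("ids.alert", lambda e: print("preserve flows around", e["src"], e["time"]))
bus.publish("ids.alert", {"src": "192.0.2.10", "time": "2009-11-20T10:31:00Z"})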

That’s A Very Expensive Cat

I don’t take the fact that Utah’s NSA data center is expected to include more than 1 million square feet of space staffed by only 200 people as an indication that the NSA believes computers provide more value than analysts. Instead, I see these numbers as acknowledgment of a recognized shortage of qualified analysts. Whether it’s a DHS initiative to hire 1,000 cybersecurity experts over the next 3 years, or a Booz Allen Hamilton study stating that “There is a radical shortage of people who can fight in cyber space—penetration testers, aggressors and vulnerability analysts… My sense is it is an order of magnitude short, a factor of 10 short”, there’s no shortage of evidence that we need more human analysts. Today’s silicon and algorithms—fast and clever as they are—get ever-better at assisting humans, but they are still far from being up to the task of understanding or analyzing the behaviors and actions (particularly the pathological behaviors and actions) of other humans.

For perspective on where state-of-the-art computing is relative to human analytic capabilities, I’ll close with one of the more interesting announcements that just came out of SC09:

Scientists, at IBM Research-Almaden, in collaboration with colleagues from Lawrence Berkeley National Lab, have performed the first near real-time cortical simulation of the brain that exceeds the scale of a cat cortex and contains 1 billion spiking neurons and 10 trillion individual learning synapses.

The simulation was performed using the cortical simulator on Lawrence Livermore National Lab’s Dawn Blue Gene/P supercomputer with 147,456 CPUs and 144 terabytes of main memory.

We need more human analysts, and they need the government, academic, and private sectors to understand their needs well enough to provide them genuinely functional, constantly evolving tools. Kurzweil (either unfortunately or fortunately) was off by a few years. We still have quite a while to go before the singularity.

National Breach Notification Laws

As a follow-up to a post from February 2009, I’m mostly happy to comment on the recent progress that’s been made toward the establishment of National breach notification laws. As reported on November 5, 2009 by GovInfoSecurity.com, “the Senate Judiciary Committee Thursday approved two companion bills that would require businesses and government agencies to notify individuals of security breaches involving sensitive personally identifiable information. Both bills go to the Senate for consideration.”

The first, S.139 “Data Breach Notification Act”, is a short and fairly high-level bill “to require Federal agencies, and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information.” Strangely, while a bill titled “Data Breach Notification Act” would seem to be a generalized proposal for full disclosure and transparency in the event of a data breach, rather than a measure specifically aimed at protecting individuals against identity theft, S.139 focuses almost neurotically on personally identifiable information. The Definitions section reasonably describes “Sensitive Personally Identifiable Information” (PII) as the usual set of some combination of name, social security #, passport #, address, birth date, biometric data, or account information. Puzzlingly, however, it perfunctorily defines “Security Breach” as:

(6) SECURITY BREACH
(A) IN GENERAL- The term ‘security breach’ means compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, acquisition of or access to sensitive personally identifiable information that is unauthorized or in excess of authorization.

The second, S.1490 “Personal Data Privacy and Security Act of 2009” is a toothier and far more detailed proposal “to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.” Title I introduces penalties both for the perpetration of identity-theft crimes, and also for the intentional concealment of data breaches. Title II sets transparency requirements and enforcement for data brokers. Title III and its subtitles define the requirements and enforcements for a Personal Data Privacy and Security Program and security breach notifications, and establishes within the FTC the Office of Federal Identity Protection to help victims of identity theft. Finally, Title IV sets compliance standards for awarding contracts to data brokers, requires Federal agencies to complete privacy impact assessments before obtaining from data brokers any PII on US citizens, and amends the duties and responsibilities of the Chief Privacy Officer, reporting to the Deputy Attorney General.

Why the mixed feelings? The good: These bills offer a single national standard rather than the mélange of (sometimes completely nonexistent) state data breach laws, they seem to take the stance of “expenses be damned, we’re going to start doing the right things,” and they establish some pretty stiff enforcements and penalties. The bad (this is going to take a bit longer): First, S.139 greatly neuters the potential effectiveness of a national law by limiting itself to a delineated bag containing only personally identifiable information. What about breaches involving such losses as corporate information whose disclosure might be of interest to shareholders, or client-attorney data, or redacted medical records, etc.? Was this confinement really necessary considering the single-minded focus S.1490 has on identity-theft?

Second, the “Exemptions” sections in both S.139 and S.1490 both basically say parties are exempt from the notification requirements if they have encrypted the data or otherwise rendered the data indecipherable. Makes perfect sense given that we also accept that encryption is unbreakable, and that the ultimate utility of stolen data is something that can be assessed prior to the occurrence of a data breach.

Third, and most importantly, the surprisingly prescriptive Section 302 of S.1490 does well enough with some conventionally safe and wise words about risk assessment, training, vulnerability testing, the iterative nature of security, and a nod to the great and powerful cloud, but it falls short in the area of risk management and control. Section 302 4B basically says “control access”, “detect breaches”, “protect data at rest, in use, and in transit”, “employ data destruction”, “trace access to records”, and “ensure access entitlement”.

So what’s the failing? That this is a bill concerned primarily with breach notification–essentially a prescription for what should be done when security controls fail–but its “risk management” section is single-mindedly and conceitedly preventative. Rather than offering guidance for being better able to “determine the scope of a breach,” it basically says “don’t have a breach”. The “trace access to records” entry is the only bit that comes close to forensics, but myopically perpetuates the unfortunate industry fallacy that such information as netflows and access logs are sufficient for this task. When will we acknowledge that flows only show that a communication session took place, not what was communicated, or that logs are good at recording access that goes through conventional channels, but not so good at recording unsanctioned access that was intentionally subversive or exploitative?

Despite the obligatory criticisms, these bills are steps in the right direction. Both are good signs that our political leadership seems to be on the right track in the pursuit of information security.

Fooled by Information Asymmetry

On July 24, 2009, Trina Thompson sued her alma mater, Monroe College, for the full cost of her tuition after graduating with a bachelor of business administration degree in information technology. Why? Because she couldn’t find a job. Before sympathizing with Thompson’s claim that “they [the counselors] have not tried hard enough to help me,” consider this other quote from that article:

“As Thompson sees it, any reasonable employer would pounce on an applicant with her academic credentials, which include a 2.7 grade-point average and a solid attendance record.”

You mean, not only did she have a superlatively covetable 2.7 GPA, but she also showed up? “She showed up, your honor! She… showed… up. How derelict in their duty must those counselors have been to not find her a job?”

The article further states “she suggested that Monroe’s Office of Career Advancement shows preferential treatment to students with excellent grades. ‘They favor more toward students that got a 4.0. They help them more out with the job placement,’ she said.”

Some will read this and say: “another American with a distorted sense of entitlement and fairness playing the legal system like the lottery” or simply “how ridiculous!” Others will read it and say: “why didn’t I think of that?” Among those in this second camp, there will be the expected lot of ambulance chasers and compensation culturists, but there will likely also be another class… paranoid, attribution-biased, epiphenomenalists. In other words, most CEOs.

In fact, one CEO in particular comes to mind: Robert Carr, CEO of Heartland Payment Systems. In a recent interview following the HPS data breach, possibly the largest breach to date, Mr. Carr made the statement “the audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever”. While I tend to largely agree with him (based on my personal experience with certain of these unfortunately ironically named service providers), it is not a long stretch from “no value whatsoever” to litigation. After all, when your strategy consists of one part transference of responsibility + one part don’t waste my very important 15-second attention span with details + one part blind faith in soothsayers, soapbox orators, or snake-oil salesmen, you are very likely the sort of person who takes all the credit for your occasional random successes, and shifts all the blame to other agents for your collection of failures. But if you are among those prone to take umbrage at that – wait. Instead, let me first distract you with this, and then a stoking of your paranoia and egotism: you are being watched.

Gina Moore, a portfolio manager at Aronson + Johnson + Ortiz, a Philadelphia investment firm with $17 billion under management, says she doesn’t talk with executives of companies she’s considering investing in, but instead monitors their levels of insider trading. This, she explains, provides her with more accurate information about where executives “think their company is going without the corporate spin.” This is just an example of signalling, a term that describes the ways in which principals (uninformed parties) try to gain information on agents (informed parties) in asymmetric information scenarios. It is analogous to the Trina Thompson situation above – in one case it’s insider (agent) activity signalling the portfolio manager (principal), and in the other it’s Trina’s (agent) 2.7 GPA signalling prospective employers (principals). But there is a difference: While the GPA is an enduring fait accompli (and probably not high enough to enable Trina to change it), insider trading is ongoing, so it is subject to manipulation.

So perhaps Gina Moore should not have done that interview with Business Week… Platitudinous as it is, few would disagree, in general, that “power corrupts”, and that executives gravitate to the stereotypic. Armed with the knowledge that their trading activity is being monitored for signals by investors attempting to counterbalance information asymmetry, executives are either:

  1. Already engaged in such signal manipulations, or
  2. Ashamed of themselves for not yet having concocted an appropriate set of such manipulative schemes.

Investors might be inclined to worry more about this were it not for the fact that an executive’s predisposition toward corruption is rivaled by his predilection for exec-speak, sports and war metaphors, and unintelligible references to Sun Tzu, all of which add up to almost guaranteed failure of a reverse Turing test. As Nassim Taleb describes:

What is a Turing test? The brilliant British Mathematician, eccentric, and computer pioneer Alan Turing came up with the following test: A computer can be said to be intelligent if it can (on average) fool a human into mistaking it for another human. The converse should be true. A human can be said to be unintelligent if we can replicate his speech by a computer, which we know is unintelligent, and fool a human into believing it was written by a human.

Taleb then goes on to provide some postmodernist examples created with Andrew C. Bulhak’s recursive grammar Dada Engine. And these engines are easily adapted to other grammars, such as the highly entertaining brag generator, or the just plain sad Corporate Gibberish Generator.
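
For the curious, the core trick behind these generators is nothing more exotic than the recursive expansion of a phrase-structure grammar. Below is a minimal Python sketch of the idea; the grammar rules are invented for illustration and bear no relation to the productions in Bulhak’s actual Dada Engine.

    import random

    # A toy phrase-structure grammar: each non-terminal (in <brackets>) expands to
    # one of several alternatives, which may themselves contain further non-terminals.
    GRAMMAR = {
        "<pitch>": [
            "Our <adjective> platform <verb> <buzzword> across the extended enterprise.",
            "This initiative <verb> <buzzword> to deliver <adjective> shareholder value.",
        ],
        "<adjective>": ["synergistic", "best-of-breed", "mission-critical", "frictionless"],
        "<verb>": ["leverages", "operationalizes", "incentivizes", "harmonizes"],
        "<buzzword>": ["paradigm shifts", "core competencies", "thought leadership"],
    }

    def expand(symbol):
        """Recursively expand a symbol into corporate gibberish."""
        if symbol not in GRAMMAR:
            return symbol  # terminal word: return it unchanged
        production = random.choice(GRAMMAR[symbol])
        return " ".join(expand(token) for token in production.split())

    print(expand("<pitch>"))

A dozen lines of recursion and a fistful of buzzwords are all it takes to pass for a keynote.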

After reading some of the output from the Corporate Gibberish Generator, it’s worthwhile to keep in mind (even in today’s climate) Taleb’s closing in that section:

If this bears too close a resemblance to the speech you just heard from the boss of your company, then I suggest looking for a new job.

So while we might not need to worry much about information warfare adversaries who can be replaced by a python script, we should worry about adversaries who could write such scripts, or worse. For example, a friend of mine recently had a rather valuable domain hijacked by a cyberthief who managed to crack a certain registrar’s account authentication system. After doing so, the thief changed the registrant password and pointed the domain contact information at a different email address. This action, of course, sent a notification to my friend, who, unable to log in to his account at the registrar, immediately reported the matter to them. To this point, the attack was similar to the DomainZ hack described in this ICANN report titled “Measures to Protect Registration Services Against Misuse”. But then it turned; rather than exploiting the theft to redirect visitors to a malicious site, the thief produced a very convincing set of fraudulent identification and supporting legal documentation so as to sell the domain for a large sum of money through a well-known domain marketplace. Fortunately, said marketplace flagged the offer as suspicious, and their (not your typical) CEO contacted the registrar. The registrar, having already been notified, was monitoring all activity around the domain, and immediately contacted my friend with a “get a load of this” email. This situation is still in progress, so more details will have to wait until it is resolved, but I mention it to make a point:

Counterintuitively, sometimes it is better to allow certain types of attacks or illicit activities to continue even if you can stop them. Why? So that you might gain information on your adversary. For any effort more targeted and deliberate than a simple recon scan or scripted attack, outright prevention, termination, or other detectable intervention signals to the attacker that they have been discovered. And while in some cases this may thwart the attack and prevent or limit damage, there is also the chance that it will prompt the attacker to adopt more cryptic tactics. Even worse is the chance that the damage has already been done, and that by scaring off the attacker prematurely, you lose all hope of discovering either the full scope of the damage or your attacker’s identity. Signal with care.


Forensic Soundness

While Solera Networks’ technology is commonly used in network forensic examinations for the purposes of incident review and response, we are also often asked if our platform can produce “court admissible” evidence. Before this can be addressed, a distinction must first be made between the two main classes of electronic information currently recognized by courts:

  • Human generated – Records that are created by humans, such as emails, IM conversations, word processing documents, spreadsheets, digital photos/audio/video, etc., that are transmitted or stored electronically. These sorts of records fall under the hearsay rules and must comply with them for admissibility.
  • Computer generated – Records that are produced programmatically by a computing device, such as logs, netflow output, content analysis, packet captures, reconstructed artifacts, etc. Since some, if not most, computer data and network traffic content originates with humans, this class may be inclusive of the former, but its admissibility is unrelated to the reliability and trustworthiness of the statements in any human-generated content; its admissibility depends entirely upon its own authenticity.

Therefore, as becomes the concern with any computer generated electronically stored information, the question of admissibility is fundamentally a question of whether or not the information was acquired, retained, retrieved and delivered in a “forensically sound” fashion. For the purposes of this article, evidence may be considered “forensically sound” when it remains “complete and materially unaltered.”

In that respect, the Solera Networks platform does employ forensically sound methods: the network capture (unless otherwise configured or indicated) is a complete and lossless record of all network transmissions; the patented DSFS file system in which the captured packets are stored is of an opaque, proprietary design, and does not allow data to be written by any means other than the capture system itself; all data retrieval is access-controlled, and all access is logged for documentation purposes; and artifacts reconstructed by DeepSee are MD5 and SHA1 hashed. These methods will continue to evolve as additional layers of hashing, encryption, and access controls are developed and added.
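
To make the artifact-hashing step concrete (this is an illustrative sketch, not DeepSee’s actual implementation, whose internals are proprietary), the following Python fragment fingerprints a reconstructed artifact with both MD5 and SHA-1 so the digests can be recorded alongside the evidence and later used to demonstrate that it remains unaltered; the filename is a placeholder.

    import hashlib

    def fingerprint(path, chunk_size=65536):
        """Compute MD5 and SHA-1 digests of a file without reading it all into memory."""
        md5, sha1 = hashlib.md5(), hashlib.sha1()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
        return md5.hexdigest(), sha1.hexdigest()

    # e.g. record both digests in the case notes at the moment of reconstruction
    # md5_hex, sha1_hex = fingerprint("reconstructed_artifact.bin")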

But what about court admissibility of computer generated electronic evidence? The good news is that this topic is very well defined by the (relatively terse) Federal Rules of Evidence, which provide guidelines for the authentication and identification of evidence for admissibility under section 901 and (somewhat less directly for electronic evidence) section 902, and by the more detailed “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations” (digest here).

The bad news? June 2009. Two events occurred this past June that are likely to make the topic of “the admissibility of evidence” just a little murkier.

The first is the much-publicized paper in the journal “Forensic Science International: Genetics” describing how DNA, the gold standard of forensic evidence, can be faked:

“Nucleix scientists have demonstrated the viability of creating artificial DNA and ‘biological identity theft.’ Using basic equipment and know-how, DNA with any desired profile can be fabricated in the lab, and this artificial DNA can then be planted in crime scenes as fake evidence.”

This is rather alarming since, as the article rightly states “we’re creating a criminal justice system that is increasingly relying on this [DNA] technology.” But just when things seem darkest, there appears hope:

“Until recently, there has been no way to distinguish between genetic profiles obtained from falsified DNA samples, which can appear identical to real biological profiles based on current analytical protocols and technologies.  Nucleix’s proprietary assays can distinguish between “fake” (in-vitro synthesized) DNA, and “real” (in-vivo generated) DNA.  The company is committed to developing state-of-the-art “DNA authentication” assays that can be integrated into the standard forensic procedure, in order to maintain the high credibility of DNA evidence in the courtroom and other uses.  For additional information on Nucleix, please visit the company’s website at http://www.nucleix.com.”

Wait a minute. Nucleix both developed the “DNA Authentication” technology as well as the methods of falsifying DNA? Brilliant! That’s like an IPS vendor developing and launching attacks concurrent with their zero-day signatures, or George Went Hensley holding the patent on anti-venom. To be fair, if Nucleix hadn’t devised the falsification methods, someone else would have, but it’s irresistible to consider the pharmaceutical industry conspiracy theory implications.

The second is the recent Supreme Court decision in Melendez-Diaz v. Massachusetts (07-591) which extends the Confrontation Clause (“…the accused shall enjoy the right … to be confronted with the witnesses against him;”) of the Sixth Amendment to include forensic analyst reports as “testimonial” evidence rather than “business records”. The chief repercussion to the forensic sciences, should this stand, is that any forensic evidence presented in a case could require the investigating analyst to provide in-court testimony about the findings, or that the defense be allowed to cross-examine the analyst on the findings.

Never mind that it overturns over 200 years of understanding of the Sixth Amendment. Never mind that it begs for abuse by unscrupulous defense attorneys. Never mind that it is rationally incomprehensible. The economic implications of Melendez-Diaz v. Massachusetts alone would suggest that its days are numbered, but the two cited events nonetheless intensify the need for understanding and emphasizing the distinction between human-generated and computer-generated evidence, as well as for maintaining the strongest “forensic soundness” of evidence practicable.


Rumors and Preparedness

There are rumors circulating around SANS and full-disclosure circles that there is a 0day SSH exploit in the wild that might be announced sometime around the upcoming Black Hat event. Whether or not it is true remains to be seen, but beyond the question of “is it or isn’t it,” it’s interesting to consider how a rumor’s details evolve, and how you choose to respond. Do you believe that recent versions of SSH are not susceptible and feel safe if you only use recent versions? Do you upgrade any older versions you have and feel somewhat safe that you’ve minimized your window of exposure? Just how recent is recent? Do you think that this could be a sensitized reaction primed by all the reports of cyberwar that we’ve been hearing lately? Do you think it could be a well-timed vehicle to garner support for the Cybersecurity Act of 2009? Do you think it’s a publicity stunt for BH?

Keep in mind that rumors love a vacuum, and details will be invented to fill a void of information – but don’t let that stop you from reasonable and affordable precautions:

  • If you haven’t already done so, it would probably be a good idea, in any event, to upgrade to the latest version of SSH (a quick banner-inventory sketch for finding stragglers follows this list).
  • If you have no publicly accessible SSH servers, don’t assume that you are totally safe – it is possible that other systems on your network are compromised and can serve as launch points for internal attacks.
  • If you can disable SSH on some servers, set up additional IP-level access controls, or even change the listening port to make systems less discoverable, you might consider doing so, provided such a reaction is not too expensive relative to the value of your systems.
  • Examine your highest-risk SSH systems for anything unusual (e.g. strange processes or network activity, anti-forensics, file or log tampering, rootkits, etc.)
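
Here is that banner-inventory sketch in Python: it simply grabs the version string each SSH server announces on connect, so you can spot old or unexpected daemons on hosts you own. The host list, port, and timeout are placeholders, and this is no substitute for a real inventory or patch-management process.

    import socket

    HOSTS = ["10.0.0.5", "10.0.0.12"]  # placeholder: hosts you own and are authorized to probe
    PORT = 22                          # adjust if you have moved the listener

    def ssh_banner(host, port=PORT, timeout=3.0):
        """Return the identification string an SSH server sends on connect, or None."""
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                return s.recv(256).decode("ascii", "replace").strip()
        except OSError:
            return None

    for host in HOSTS:
        print(host, ssh_banner(host) or "no response")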


Am I suggesting these to foment fear? Hardly. These are just some of the ways in which we might choose to respond to such rumors. Another way would be to bury our heads in the sand. Or we might learn to expect the unexpected, invest in preparedness, and sleep somewhat more soundly.

If the rumor turns out to be a hoax or a stunt, then this will fade into the history of other rumors. If, however, it (or its ilk) turns out to be true, then what? The updated packages that will be provided by vendors and distros won’t help after the fact. Neither will the “zero day” signatures that will be pushed by your IPS provider, at least not directly. But there is a way that you can use those signatures, ex post facto, to know if any of your systems might have been affected, and to precisely determine the scope of any breach.

With a full historical capture of network traffic, you could simply play back the entirety of your SSH traffic within your capture window to your recently enlightened IPS, enabling it to retrospectively determine whether any of your systems were compromised in the past (obviously, the same method could be used for any “known only after the fact” event, be it an exploit, attack, data leakage, etc.) Presuming a sufficiently large capture window, a signature positive would provide a map for targeted response, and a negative would provide peace of mind. How large is sufficiently large? That question can only be answered with the same particularity as its twin, “how much insurance do I need?”
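
As a rough sketch of the mechanics (assuming your capture platform can export standard pcap and your IPS has a monitoring interface you control), the playback can be as simple as filtering the SSH traffic out of the capture and re-transmitting it past the sensor. The filename and interface name below are placeholders.

    # Requires scapy (pip install scapy) and sufficient privileges to transmit packets.
    from scapy.all import rdpcap, sendp, TCP

    packets = rdpcap("capture_window.pcap")        # placeholder: exported capture file

    # Keep only SSH traffic (TCP port 22) to reduce the replay volume.
    ssh_traffic = [p for p in packets
                   if p.haslayer(TCP) and 22 in (p[TCP].sport, p[TCP].dport)]

    # Re-transmit the historical packets out an interface the updated IPS monitors.
    sendp(ssh_traffic, iface="eth1", verbose=False)  # placeholder interface name

Any alerts the sensor raises against the replayed flows can then be correlated back to the original sessions in the capture.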

By the way, did you hear that eating fish might cause Mad Cow Disease? Fish eaters might want to look into more life insurance.


On the Cybersecurity Act of 2009

Making predictions is hard, especially about the future. In descending order, when predictions come true, it is likely because of: 1) some undisclosed foreknowledge of the event; 2) discernible writings on walls, patterns, trajectories, trends, or nigh inevitabilities; 3) pure random luck; 4) voices, visions, and other sorts of esoteric transmissions. The recent introduction of S.773, better known as the Cybersecurity Act of 2009, would suggest that last December’s article Quackery was the result of one or more of the above causes. I won’t say which, but I will admit that my neighbors have a black Labrador retriever.

The body of the Cybersecurity Act opens with 14 findings about how important and vulnerable our government and critical infrastructure (i.e. SCADA) information systems are, and how we lack “a coherent national strategy” for dealing with threats and incidents. That this is largely the same material we’ve been hearing and saying for as long as we’ve been in infosec should not dilute the message. What follows is not entirely the same toothless posturing that we’ve seen in the past… much of what is proposed is more than simply a new cause at which civil-liberties advocates (largely idle since the end of the Bush administration) will be able to disgorge their vitriolic righteous indignation; it will likely cause concern among productive people, as well.

Section 3 begins the proposals, starting with the President appointing a Cybersecurity Advisory Panel comprising members from industry, academia, government, and interest groups, whose overarching duty will be to advise the President on “matters relating to the national cybersecurity program and strategy” and to write reports at least every two years. It also offers up taxpayer dollars to cover non-Federal members’ travel expenses, ensuring that participants will always get to fly first-class.

Section 4 has the Secretary of Commerce working with the Office of Management and Budget to create a security dashboard (something like a cross between this and one of these or this) for all Federal Government and Department of Commerce information systems. As long as it’s not done by the same visualization virtuosos who brought us this, then mandating the mythical single pane of glass will likely provide some benefit, so long as those who gaze upon it don’t tragically believe it to have the power to confer omniscience.

Section 5 proposes the Secretary of Commerce create Regional Cybersecurity Centers to “enhance the cybersecurity of small and medium sized businesses in United States” by disseminating “cybersecurity strategies, best practices, standards, and technologies” developed by the National Institute of Standards and Technology (NIST). Great idea, but as written, this section is trouble. First, it uses the term “best practices” which is immediately at least partially invalidating because “best practices,” in practice, are usually little more than tokenistic fantasies of the ill-informed or lazy. We should be encouraging understanding and critical thinking, not oblivious rote mimicry or distorted reinterpretations.

Next, since it doesn’t indicate that the training would be mandatory, it must be optional, and with “firefighting” being the normative mode of operation for most infosec people, it is likely that attendance will be low for non-mandatory training. Further, since there is no mention of a measurement of the effectiveness of the training (i.e. testing), it would be fair to assume that many of the people who do attend will merely be doing so either because their boss made them, or because they prefer a day in a classroom (or a vendor seminar, or a trade show, etc.) to a day at the office; not ideal conditions for learning.

In addition to training companies and enterprises, another of the activities of these funded, non-profit Centers is to “make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures to small businesses with less than 100 employees.” Huh? Like a public library full of firewalls instead of books? What objective criteria will they use to select the gear that they will stock? Will they decline to stock the gear of those foolishly paranoid vendors who fecklessly try to avoid selling product to their competition? Will they offer both hardware and software? Will they offer technical support, or will the repeated burden (but only the one-time revenue) fall to the vendor? Will they charge late fees?

While not entirely analogous, this section does bring to mind the controversy stirring over the Obama administration’s recent move to reintroduce the “comparative effectiveness” method of evaluating medical treatments (as part of the American Recovery and Reinvestment Act of 2009). Looking at the debate between proponents (who say “such studies are essential to curbing the widespread use of ineffective treatments and to helping control health care costs”) and opponents (who invoke the tritely lame slippery-slope warning that the “movement could lead to inadequate treatment for some patients and even the rationing of health care”), it’s reasonable to expect that this section will similarly elicit accusations of “socialist cybersecurity”. Despite the fact that this section forces nothing upon anyone, we should be prepared for some such melodramatic rhetoric.

Section 6 charges NIST with creating a research program to develop metrics and “automated tools” for measuring the economics of cybersecurity, including the measurement of risk and the cost of defense. I imagine the good people at NIST will look at this and say “You want what? Why don’t you just ask us to calculate how much Thursday weighs while you’re at it.” Not to say that measuring risk is not possible (e.g. risk = threat * (vulnerabilities – countermeasures) * impact), but making the transition from this abstract to the concrete (i.e. a representation that people expect… dollars) is painstakingly particular, and nearly impossible to make simultaneously accurate and automated.
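
To make the gap between the abstract and the concrete visible, here is a toy Python rendering of that formula; the 0-to-10 scales are invented for illustration, which is precisely the problem: nothing in the sketch tells you how to turn its output into dollars.

    def risk_score(threat, vulnerabilities, countermeasures, impact):
        """Toy risk metric: threat * (vulnerabilities - countermeasures) * impact.

        All inputs are subjective 0-10 ratings; residual vulnerability is floored at
        zero so that over-investment in countermeasures cannot yield negative risk.
        """
        residual = max(vulnerabilities - countermeasures, 0)
        return threat * residual * impact

    # e.g. a high threat against a partially mitigated, high-impact system
    print(risk_score(threat=8, vulnerabilities=6, countermeasures=4, impact=9))  # 144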

It’s easy to ask questions such as “how many servers do you have?”, “what is the estimated daily value of your Internet connection?”, and “do your workstations run up-to-date anti-virus software?” and for many, it will provide a better measurement of their assets and risks than they have ever before had. But what about the less-easy, ponderously imponderable considerations like “do you run any software written by a company who had one or more lazy, incompetent, disgruntled, or sleep-deprived-because-they-were-driven-by-their-capitalist-boss-to-meet-a-deadline employees on the development team, and/or that employed inadequate code-review procedures?“ or something like “do you employ any servers whose CPUs have undocumented or otherwise unprotected interfaces to microcode or System Management Mode code updates that might be catastrophically re-written by an attacker sending a maliciously crafted packet over the network exploiting the interaction of simultaneous vulnerabilities in your network card driver and your operating system’s System Management Interrupt handler?” Really, can you blame China for developing Kylin or Loongson?

NIST is also asked to “establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.” It’s laudable that they had the sense to say “known attacks”, and while there is certainly value in preventing known attacks (e.g. even though it’s about 7 months old, given the number of unpatched systems it is still reasonable to block Conficker), it ignores a natural, thoroughly neutering sequence:

  1. A vulnerability is discovered, and an attack is created. At this stage, there is no way to ensure detection or defensibility. Encouragingly, even some preventative security vendors get this, and are working to expose the problem.
  2. Once the attack becomes known, the specific attack becomes preventable, and the underlying vulnerability becomes remediable.
  3. Countermeasures will be created. As they are circulated over time, exploitation begins to drop.
  4. When sufficiently ineffective as to no longer provide adequate utility to its employers, the attack will be superseded (by variants and/or entirely new attacks).
  5. Variant species of the attack will be manufactured. Systems on which the underlying vulnerability has been remedied will not be exploitable, but systems merely protected by some form of prevention will likely again become exploitable. These systems will be condemned to a loop between step 2 and step 5 until the vulnerability is remedied, or until the attackers stop creating variants.
  6. The reentrant cycle starts over at step 1.

Further, it asks that the Institute establish standards for “measuring the software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities” (such as CWE (Common Weakness Enumeration) and maybe CVE (Common Vulnerabilities and Exposures)); for a “…computer-readable language for completely specifying the configuration of software…” and “…security settings for operating system software and software utilities…” (like NIST’s FDCC (Federal Desktop Core Configuration), SCAP (Security Content Automation Protocol), or MITRE’s CCE (Common Configuration Enumeration), which attempts to map overlapping guidelines from NIST, NSA, and DISA); and for a “…computer-readable language for specifying vulnerabilities in software…” (OVAL (Open Vulnerability Assessment Language), or something akin to CVSS (Common Vulnerability Scoring System), CWSS (Common Weakness Scoring System), or Microsoft’s Exploitability Index).
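
Since CVSS comes up here, a small illustration of why “computer-readable” matters: once a vulnerability is described as a CVSS vector, scoring it becomes purely mechanical. The sketch below follows the CVSS version 2 base-score arithmetic (weights as published in the v2 specification; later versions differ), so treat it as illustrative rather than authoritative.

    # CVSS v2 base score from a vector string such as "AV:N/AC:L/Au:N/C:P/I:P/A:P".
    WEIGHTS = {
        "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # access vector
        "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # access complexity
        "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # authentication
        "C":  {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
        "I":  {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
        "A":  {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
    }

    def cvss2_base(vector):
        """Compute the CVSS v2 base score for a base-metric vector string."""
        metrics = dict(part.split(":") for part in vector.split("/"))
        w = {name: WEIGHTS[name][metrics[name]] for name in WEIGHTS}
        impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
        exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
        f_impact = 0.0 if impact == 0 else 1.176
        return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

    print(cvss2_base("AV:N/AC:L/Au:N/C:P/I:P/A:P"))  # 7.5: remotely exploitable, partial C/I/A impact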

Surprisingly absent from section 6a is an area that is at least as practically essential as the rest. Allow me to correctively propose 6a (8):

“INCIDENT RESPONSE METHODS AND PROCEDURES – The Institute shall establish standards for technological and procedural preparedness in response to the inevitable security events that will occur even on the best defended networks, ensuring the ability to effectively determine the scope and detail of the breach.”

Cynics might say this seems a bit self-serving, a forensics company suggesting that forensics provisions be incorporated into law. Some might even invoke the poetically censorious words of U.S. Supreme Court Justice Oliver Wendell Holmes (from Abrams v. United States):

“If you have no doubt of your premises or your power and want a certain result with all your heart you naturally express your wishes in law and sweep away all opposition.”

Holmes then exposes the folly of mandating ideas into law by explaining that:

“…the ultimate good desired is better reached by free trade in ideas — that the best test of truth is the power of the thought to get itself accepted in the competition of the market…”

I do not agree that the free market for ideas is always the most effective or beneficial; for proof, simply ask the typical 5-year-old if he’d rather have cotton candy or broccoli for dinner, or even the typical 35-year-old if he’d rather have potato chips or broccoli as a snack. Left to our own devices, we don’t always make the best decisions. Sometimes we need guidance, and there is no shame, freedom-robbing conspiracy, or overtly oppressive statism in such an admission. Yes, the suggestion might boost the sales of forensic technology vendors, but it (along with my recommendation to choose the broccoli) is entirely altruistic.

Section 6 next offers a prescription to achieve “representation in all international standards development related to cybersecurity“ and compliance with “standards based on risk profiles.” These read as conspicuous endorsements for a broader adoption of Common Criteria, while the focus on risk profiles seems a foreshadowing of the imminent transition from Evaluation Assurance Levels (EAL ratings) to Robustness assessments. This should, at the very least, be encouraging to the folks at Corsec and Infogard.

The final item in section 6 refers to section 6001(k) of the American Recovery and Reinvestment Act, which calls for a national broadband plan. It asks that the FCC “report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.” Of course, the immediate concern here will be that this stretches the scope of the act from Federal and critical infrastructure into the private sector, but before anyone starts yelling about “nationalization” or “privacy invasion” or “economic or innovative suffocation”, consider that this simply calls for a report and recommendations, not regulations. There is nothing wrong with the government helping to make private sector information systems more secure, so long as it doesn’t mandate security measures. Steering is good, rowing is bad, and this seems like some much needed steering.

Section 7 is one of the more controversial bits. It asks that the Secretary of Commerce institute “national licensing, certification, and periodic recertification program for cybersecurity professionals”. It goes on to mandate that within three years “it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.”

This is not as oppressive or Machiavellian as some might make it out to be. Suffice it to say, we expect licensure in most professions that require any skill, or wherein malicious or supremely incompetent practitioners have the ability to kill their patronage.

Section 8 calls for a review of the NTIA (National Telecommunications and Information Administration) IANA (Internet Assigned Numbers Authority) contracts. Not too surprising, considering recent issues with ICANN and unrestricted generic top-level domains, as well as Senators Snowe’s (R-Maine) and Nelson’s (D-Fla.) concerns that “much of the progress ICANN has made could be jeopardized if its historic link to the United States is diminished” (yes, the same Snowe and Nelson who co-authored S.773).

Section 9 charges the Assistant Secretary of Commerce for Communications and Information with securing the foundationally critical DNS infrastructure against attacks, clearly a reference to DNSSEC. This is a much needed move, and at first glance the three-year timeline might seem a little lax (especially considering that Verisign and ccTLDs such as Puerto Rico, Mexico, and the Czech Republic are already in pilots); but considering that DNSSEC sits at the intersection of PKI, crypto, national interests, and commercial interests, all at a global level, three years might not be enough time for resolution.
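
For readers who want to see what DNSSEC adoption looks like from the outside, here is a small Python sketch (assuming a recent dnspython is installed) that checks whether a zone publishes DNSKEY records, the most basic outward sign that it is signed; it does not perform full signature validation, and the zone names are only examples.

    # pip install dnspython
    import dns.resolver

    def publishes_dnskey(zone):
        """Return True if the zone answers with at least one DNSKEY record."""
        try:
            answer = dns.resolver.resolve(zone, "DNSKEY")
            return len(answer) > 0
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            return False

    for zone in ("cz", "mx", "example.com"):
        print(zone, "signed" if publishes_dnskey(zone) else "no DNSKEY found")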

Section 10 calls for the Secretary of Commerce to develop cybersecurity public awareness campaigns. No firm direction or dates. I’m imagining 1970’s-style public service announcements. Maybe they can get Bob Dorough to do the music.

Section 11 (particularly 11a) attempts to boil the ocean. Followed by freezing it into ice cubes, sublimating them, condensing the vapor, electrolyzing it with palladium, and then powering Navy vessels with the output. In other words, this one is biting off a bit much. In essence: Section 11a proposes that the NSF (National Science Foundation) research ways to build near-perfect software and protocols, guarantee privacy of data-at-rest and data-in-motion, provide attribution for internet communications, and thwart insider threats. Wow.

Section 11b and 11c more realistically call for secure coding research and education. 11d asks that grants be awarded for academic innovations in the area of modeling cyber attacks and defenses, and 11e-11l make some modifications to the CyberSecurity Research and Development Act.

Section 12 allocates some tens of millions of dollars to scholarship programs “to recruit and train the next generation of Federal information technology workers and security managers”, with preferential treatment for those who’ve participated in the challenge described in section 13.

Section 13 asks the Director of NIST to establish cybersecurity competitions to “attract, identify, evaluate, and recruit talented individuals for the Federal information technology workforce” and to stimulate innovation of technologies “that have the potential for application to the Federal information technology activities of the Federal Government.” Although not stated explicitly, one would expect that such competitions would include both offensive and defensive components, with offense (i.e. “hack this”) being somewhat easier to measure and judge, but with defense being of greater value to the initiative. However, it’s worthwhile to recognize recent reports indicating the emerging value of offensive operations, and to consider the effect such positions might have on the nature of such competitions (and on cybersecurity technologies, in general):

“We are not comfortable discussing the question of offensive cyberoperations, but we consider cyberspace a war-fighting domain,” said Bryan Whitman, a Pentagon spokesman as reported by the New York Times. “We need to be able to operate within that domain just like on any battlefield, which includes protecting our freedom of movement and preserving our capability to perform in that environment.”

Section 14 designates the Department of Commerce to “serve as the clearinghouse of cybersecurity threat and vulnerability information.” Section 14c seems the most functionally interesting piece of 14, stating that “within 90 days after the date of enactment of this Act, the Secretary shall publish in the Federal Register a draft description of rules and procedures on how the Federal Government will share cybersecurity threat and vulnerability information.” Assigning this role to Commerce (rather than NIST or DHS (via NCSD or US-CERT)) seems designed to reinforce the idea that cybersecurity will not come at some economic expense that might threaten our non-negotiable American way of life.

But it is section 14b (1) that is the most concerning component of this section. It states that the Secretary of Commerce “shall have access to all relevant data concerning such networks [Federal Government and private sector owned critical infrastructure information systems and networks] without regard to any provision of law, regulation, rule, or policy restricting such access.” That “without regard” bit might be more than merely irresistibly delicious fodder for conspiracy theorist nutcases; in this case they might have a point. This should probably be toned down.

Section 15 calls for a risk management report, including a feasibility study on “(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and (2) requiring cybersecurity to be a factor in all bond ratings.” I’ve talked about the potential role of insurance in infosec before, so it’s good to see (1), but the foreseeable difficulty of assessing and enforcing (2) is likely to limit its adoption and effectiveness.

Section 16 calls for a review and report on “the Federal statutory and legal framework applicable to cyber-related activities in the United States.” In other words, an exhaustive review of any acts or orders directly or indirectly cyber-related. Just one year?

Section 17 asks for a report “on the feasibility of an identity management and authentication program.” Yes, it’s the mark-of-the-beast law… the “with the appropriate civil liberties and privacy protections” verbiage fools no one.

Section 18 is, by far, the most troublesome section of the act. This is the one that has patriots issuing warnings that “Rockefeller is shutting down the Internet”. Section 18 gives the President certain powers and obligations, including that he “(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network” and that he “(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security.” First, even though it is inclusive of private-sector “critical infrastructure information system[s],” it is clear that this is not “the whole Internet”. Second, and more importantly, since this is not really feasible today on anything but the smallest of scales, it seems that this is more a provisional tool in the event of a worst-case cyber-scenario than it is a potentially practicable commandeering of the Internet. Section 18 also says some other stuff, but no one notices.

Section 19 calls for a cyber-review every four years, starting in the year 2013, involving the Advisory Panel designated in section 3. This is not an agricultural report; this is a cybersecurity report… Quite a lot can happen in four years.

Section 20 calls for the Director of National Intelligence and the Secretary of Commerce to submit an annual cybersecurity report to Congress. Much better than quadrennial.

Section 21 encourages the President to work with foreign governments to create more cyber-bureaucracy, and to report on the initiatives to Congress.

Section 22 calls for the establishment of a Secure Products and Services Acquisition Board to work in conjunction with NIST and the OMB on devising standards for the “review and approval of high value products and services”. Of importance to software-vendors (and static and dynamic code analysis tool vendors) is the piece that says “[the] Board may consider independent secure software validation and verification as key factor for approval [of software].” It further says that “any proposal submitted in response to a request for proposals issued by a Federal agency shall demonstrate compliance” with the published standards.

Section 23 provides a definition of terms, including some disturbingly circular reasoning that basically says “critical infrastructure information systems are whatever the President says critical infrastructure information systems are.”

Will it pass? I won’t make a prediction on that one, but I will advise preparing for it.


“Experts Warn of Epidemic of Swine Flu Warnings”

Experts have issued a warning of an impending epidemic of swine flu warnings. The number of victims of these thinly disguised, commercially-motivated warnings is expected to exceed the number of victims of the actual swine flu by many orders of magnitude. “Be leery of anyone using the phrase ‘orders of magnitude’ in casual conversation,” cautioned Larry McWhortle, spokesperson for the Consortium of Industry Experts Consortium (CIEC), “it’s the third most overused credibility-enhancement term in the industry today, just after ‘heuristic’ and ‘statistically significant’.” People are being urged to be on the lookout for vendors shamelessly hawking their wares under the guise of helpful advice.

The CIEC’s undercover watchdog division spoke with representatives from several security and telepresence companies, collecting such candid comments as: “It sure was tough building a convincing ROI model for a quarter of a million dollar video conferencing system,” explained Louis Zephyr, General Manager of NimbusGear, “so being able to add ‘and it will help you not die’ has been quite a boon.” Larry Pawarpointe, Director of Product Management at security vendor MiasmaShield said “we predict a deluge of email spam campaigns, news and social media-linked phishing sites, and questionable pharmaceutical suppliers attempting to foment and capitalize on the swine flu scare.” He then added “And we just don’t think that’s fair. I mean, shouldn’t we get to capitalize on it, too?” Pawarpointe went on to explain that their AngeleDei N95 and N99 appliances can block all spam, phishing URLs, intrusions and malware “better than your box can”. Mark Atingei, a spokesperson from content-management vendor ProtectoBox said “to be honest, their box sucks… our technology has been proven to be at least 58% more effective at twice the speed and half the price.” Baited with questions about their technology’s effectiveness against polymorphic H1N1 variants, he offered, “oh yeah, our next firmware release will protect against all variants, H1N1, H-1B, all of them.”

McWhortle said that, in addition to ignoring unabashedly self-interested pseudo-advice, the CIEC also recommends avoiding the grip of panic-mongering mob broadcasts. “As much as you want to avoid unnecessary exposure to Mexico, confined places, and eschatologists, you should also avoid the seductive allure of misinformative chatter. Stick to reputable and trustworthy sources for your information, and don’t feed on or into the frenzy.” He added that the CIEC will be releasing more complete information on the phenomenon next month in the opaquely titled report “On the social and intellectual decay and morbid delectation of budgerigarish narcissism”.

Clear and Present Danger
It’s intriguing to watch this first significant intersection of an imminent pandemic and broadcast social networks. For all the heat that Twitter is taking for its role in inciting uninformed hysteria, there is a balancing number of accusations that the torrent of tweets is merely filling the void created by outdated and irrelevant methods of traditional government and media communications. While both sides can be argued cogently, a bigger concern is the potential for this new medium to be used not just as a channel for terrorism, but also as its actual weapon. For example, it’s not difficult to imagine concerted psy-ops efforts of terror-inclined human and botnet cohorts tweeting and retweeting messages about water supplies being poisoned, governments waging chemical warfare on their own citizens, or just asking supporters to bring all traffic to a debilitating crawl.

But it would be wrong to blame Twitter for the problem. To borrow a familiar rhetorical structure: “Twitter doesn’t cause stupidity, stupidity causes stupidity.” Twitter is just the latest form of mob broadcast, an easy way to quickly disseminate information, for good or bad. So given the potential for damage that any form of misused mob communications might have, it might not be unreasonable to look to a real-world precedent for handling this sort of propagation of fear: 1919’s Schenck v. United States. Presided over by Supreme Court Justice Oliver Wendell Holmes, Jr., this case is perhaps best known for giving us the phrase “(falsely) shouting fire in a crowded theater”. In effect, it and its descendants criminalize the act of inciting “imminent lawless action” (e.g. a riot) through speech designed to cause a panic; such speech is not protected under the (unfortunately frequently abused) First Amendment of the US Constitution. In other words, there’s hope that it could squelch some of the mindless nitwittery by making the worst offenses a misdemeanor. As a means of defense against the sizable potential for this most-recent method of mob communication to incite widespread panics, I expect such rulings to be inevitable. The lesson: Freedom remains more defensible when not abused.

Macrolife Imitates Microlife
One of the more interesting aspects of this hybridized, triple-reassortant H1N1 flu cocktail is the possibility that it can induce a cytokine storm. In oversimplified terms, this is a broadcast-storm-like feedback loop in a healthy immune system that causes exaggerated lung and systemic inflammatory reactions that can prove to be more harmful than the causal virus itself.

The potential for launching an indirect attack against a target by inciting its own immune system to do the bulk of the damage has long fascinated me… The human innate immune system developed over a long period of time in response to non-specific threats to which we’ve been chronically and protractedly exposed. It evolved to non-adaptively defend against certain pathogen-associated molecular patterns (think signatures), as well as against injury or trauma. This comes in handy when you are gored by a wild boar – the site of the injury becomes inflamed, blood flow is slowed, and you hopefully do not bleed to death. In fact, inflammation is one of the innate immune system’s favorite tactics. Unfortunately, modern life does not present many wild boar encounters, but our immune systems haven’t figured that out yet, so they still like to be inflammatory. Add to that the fact that our average modern diets contain anywhere from 2-5 times more inflammation-inducing sodium than we really need, and it’s little wonder that we have a spate of auto-immune and inflammatory conditions and “syndromes.”

Just another natural fractal phenomenon, where the parts resemble the whole: virus incapacitates its target by overexciting the targets’ immune system, and news of virus incapacitates informative communication by overexciting the communication channels.

Advice: Afford important matters more than 140 characters. Eat less sodium. Buy stock in Roche.


Determine the scope? How?

Not a month after the Heartland breach, we now have reports of another malware-driven payment system breach of as-yet unknown proportions. Despite the proliferation of anti-threat devices and well-intentioned compliance programs such as PCI, we continue to see an increase in the number and cost of reported data breaches. The ITRC reported 656 breaches in 2008, an increase of 47% over 2007’s total of 446. As of today, Feb. 25, 2009, Privacyrights.org reports 57 data breaches, and DataLossDB reports 92 breaches, just 56 days into 2009. And Ponemon’s recent study shows that the average cost per compromised record is now $202, with the greatest cost coming from lost business.
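
To put Ponemon’s per-record figure in rough perspective, a back-of-the-envelope sketch follows; the record count is an invented placeholder, and the $202 average obviously hides enormous variance across industries and incident types.

    PONEMON_COST_PER_RECORD = 202  # 2008 average cost per compromised record, USD

    def estimated_breach_cost(records_exposed, cost_per_record=PONEMON_COST_PER_RECORD):
        """Naive breach-cost estimate: records exposed times average cost per record."""
        return records_exposed * cost_per_record

    # e.g. a mid-sized incident exposing 50,000 records
    print("${:,}".format(estimated_breach_cost(50000)))  # $10,100,000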

These statistics should come as a surprise to no one, given the increasing organization, motivation, and sophistication of criminals. What should come as a surprise is the common public response to reports of such events: “How were they breached? They just passed a PCI audit!” – this is as sane and erudite as asking “How did she get spyware? She has a firewall!” or “How did he get cancer? He takes vitamins!”

But instead of an understanding that “compliance does not equal security”, we should expect an inevitable backlash against PCI and other such efforts, questioning their potency, bemoaning their expense, and demanding their reform. It’s the same sort of pathological reasoning that has some people lamenting “ever since Obama’s been in office the economy has gotten much worse”. Despite the popular perception that all problems are easy to solve as long as they are someone else’s, complex systemic problems cannot be solved overnight, unless wholesale system replacement is an option. Of course, it generally isn’t, either for reasons of cost, or experiential immunity to Pollyannaism.

Some will argue that trying to regulate security is ineffectual at best and injuriously protectionist at worst. Yes, over-regulation and over-protection can be harmful, but employing such a one-size-fits-all perspective is simplistic and parochial. In reality, some things need protection. Saying that, I must also say that any good Darwinist should be opposed to the phenomenon of nanny statism. The intentional creation of dependency (whether well-intentioned, demagogic, or despotic) debilitates, whereas reasonable adversity, independence, and self-accountability fortify. But even compassionless, godless Darwinists know that some things need protection. Putting our more-moral-than-thou, feel-good pretense aside for a moment: protecting something makes sense when it is temporarily infirm or in its infancy, but on the course to recovery or maturity. Examples of this would be protecting an emerging government or economy, or protecting an infant child. However, protecting the terminally weak does not make sense because there is no benefit (accepting that virtue is not a benefit, but rather is its own reward), only cost. Examples of this would be protecting irrecoverably diseased banks or businesses, or kind-heartedly administering chicken soup to someone with Marburg fever. Clearly, the effect of such misguided behavior is not only unproductive, but actually destructive, as it prolongs suffering and imperils the healthy.

The point is not mercilessness, but rather that we are in the infancy of the information age, and to achieve information security at this vulnerable stage requires well-designed protection. Imperfect as the situation seems, the collection of regulatory and compliance programs designed to protect us as we move toward maturity were not divinely engineered, so they, themselves, must also evolve. And for all its incompatibility with our livelocked postmodern attention spans, we need to have patience as they go through their necessary iterations.

So what is the current state of regulation to defend against data breaches? The National Conference of State Legislators provides a set of breach notification laws that have been enacted by 44 U.S. States, DC, Puerto Rico, and the Virgin Islands (caveat emptor et creditor if doing business with companies in AL, KY, MS, MO, NM, or SD). Looking a little more closely at some of the states’ laws (a sample selected below for their incorporation popularity and proximity), it seems that government editions of Microsoft Word might include a “Data Breach Law” template:

Delaware:

12B-102. Disclosure of breach of security of computerized personal information by an individual or a commercial entity.
… Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

Nevada:

NRS 603A.220  Disclosure of breach of security of system data; methods of disclosure.
… The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.

Utah:

(2) A person required to provide notification under Subsection (1) shall provide the notification in the most expedient time possible without unreasonable delay:
(a) considering legitimate investigative needs of law enforcement, as provided in Subsection (4)(a);
(b) after determining the scope of the breach of system security; and
(c) after restoring the reasonable integrity of the system.

California:

… The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

But how? How does the victim of a data breach determine the scope of the breach? By going back through logs – logs that likely contain information no more specific or telling than the IP addresses that accessed the affected web-server? IP addresses that were most likely, based on the malicious intent of the activity, obscured by Tor or proxies? Audit trails whose recording facilities rely on proper methods and paths of user access, but whose invocation is never triggered when the method of access is premeditated circumvention or vulnerability exploitation? Logs that were generated by the IPS, SIEM, or DLP platforms that have demonstrated blindness to the threat, having failed to detect or prevent it in the first place? This is reality. It will not be possible to rely on your firewall’s olfactory sense to help you determine how many records were affected in a breach that occurred last month when it detected nothing out of the ordinary.

Despite the well-intentioned constant reminders that traditional security tools will inevitably fail, I am not suggesting a decrease in risk mitigation efforts. Instead, the reminders should reinforce that we can’t expect technology to save us both from our adversaries and from our own doltishness; we need more effort to get the “people” and “process” components of mitigation caught up and working with the technology, not against it. Further, we should remember that risk can be managed in other ways, too, including avoidance (“I’m afraid of having my credit card stolen, so I won’t use credit cards”), acceptance (“I will drive in the HOV lane because the fine is only $35, and it saves me six hours of commute time”) and transference (“I will pay an insurance premium so that when a bad thing happens, my insurer will cover my expense”). Typically, as an industry we eschew (often justifiably) avoidance and acceptance, spend far too much time and money on technology-as-savior mitigation, and lack awareness of transference – frequently even erroneously classifying a mitigator like a firewall as “insurance”. But as we mature, there are real forms of transference that we need to more seriously consider.

Some insurance companies, such as InsureTrust, are providing “cyber risk management” products. While the concept might seem strange to those with an appliance-centric view of security, insurance is one of the most effective and common ways of managing risk in our adult lives. If it’s not obvious why I say “adult lives”, consider that the question “how will you deal with costly medical expenses?” is generally answered differently by a 10 year old (“I just won’t get sick”) than by a 40 year old (“I will select my employer based on the health insurance package they offer”).

The Professional Liability Underwriting Society quotes Stephen Haase, CEO of InsureTrust, who cautions that when responding to a data breach: “’One of the biggest struggles for companies is to determine the scope of the breach. So often the leadership of a company will rush to try to get out the notification on a breach,’ … However, Haase explained that making an announcement before the magnitude of the breach is clear can be a mistake. ‘You should not rush to notify. Going out too early without more of the concrete factors in place can do more harm than good.’”

This message is reiterated by the Executive Director of the Identity Theft Resource Center (“Preventing the Unpreventable: Best Practices to Minimize Exposure to Information Losses”) who says “the companies that are sued are not those that quickly disclose a breach but, rather, those that do so poorly.”

Observing trends in information security and antecedent paradigms, it’s reasonable to extrapolate that information security insurance will soon become more popular, first voluntarily, and later mandatorily. Initially, we should see increased adoption among a small set of business-savvy IT practitioners and analysts. This will be followed by mandates from financially interested consortia (think PCIv3), and finally by mandates at various levels of government. At that point, much as we get discounts on our home and auto insurance for having smoke-alarms, fire-extinguishers, anti-lock brakes, and clean driving records, we can expect similar discounts (or conversely, increases) for every statistically material step we take to reduce (or magnify) our insurance company’s exposure.

Not to put too fine a point on it, but economics dictates that if “one of the biggest struggles for companies is to determine the scope of the breach” then most-favored insuree status should be granted not only to those with the most effective preventative measures, but also to those with the most effective forensic measures.

Quackery

The 1980’s marked the beginning of what many consider to be the Information Age. A quarter of a century into it, my waning hope that science might someday have a fighting chance against superstition is somewhat renewed by the fact that President-elect Obama is planning to appoint the first Chief Technology Officer for the United States. Beyond the immediate heartening we should feel from this gesture, I am further encouraged by a certain historical “coming of age” analogue: the regulation of the practice of medicine in the Industrial Age. Although past performance is no indication of future returns, history tends to repeat itself, mostly because human nature doesn’t change, at least not all that quickly.

In particular, I am reminded of the history of “nostrum remedium” (Latin for “our remedies”), better known as “patent medicines”, which were prominent from the 17th to 19th centuries. Patent medicines were the pile of liniments, tonics, tinctures, and salves that collectively came to be characterized as “snake oil”. More broadly, patent medicines fell into the general realm of “Quackery” (a pejorative labeling of unscientific claims to certain knowledge, skills, capabilities, or attributes), short for “quacksalver”, one who “quacks” or boasts about his salves.

The long and infamous history of quackery is morbidly fascinating. Perusing the chronicles of some of the more egregious, and shameful, and grievous offenses, it is common to wonder how people could be so gullible as to fall for such chicanery. But consider the combined effect of such elements as:

  • The unavailability or expense of honest medical practitioners, practices, and goods relative to the availability and affordability of quackery (which doesn’t require such expenses as years of schooling, research and development, or testing)
  • The desperation of those suffering from some disorder to identify a treatment or remedy, particularly when conventional and scientific methods continue to produce ostensibly trivial, profit-obsessed commercial advances but have yet to provide cures for real maladies
  • The tendency for people to try to find shortcuts – it is much easier to take a pill or even undergo a surgical procedure than it is to exercise a degree of self-discipline. This is intensified by phenomena such as mass cultural “syndromization” (which dissolves that vestigial psychological nuisance, personal accountability) and insurance co-pays for semi-cosmetic procedures and fad drugs (which have the economic effect of making vital medical practice, treatment, and insurance even more expensive)
  • The extent, irrespective of intent, to which pseudoscience goes to simulate adherence to the scientific method (i.e. observable, testable, measurable, repeatable, modifiable, verifiable)
  • The “exceptionality of correctness” delusion – Typified by the culturally rampant concept of “I’m on a diet,” which is essentially as silly as saying “my network is on security”. You either have a nutritionally well-balanced diet or you don’t. Your information systems are either securely designed or they’re not. You can’t bolt on some piece of technology in pursuit of legitimate security any more than you can engage in some symbolic temporary deviation from an unhealthful diet in pursuit of fitness. Fitness is an ongoing process, a lifestyle. Security is also an ongoing process. But, alas, these systems are complex
  • The fact that complex systems are, well… complex – You couldn’t describe this to a goldfish, but you could tweet “Bacon good, bread bad” with 119 characters to spare.

So what could protect a quarry that well-nigh demands to be preyed upon from unscrupulous predators endowed with unlimited supplies of elixirs and avarice? Only the bane of every system of supply and demand: government regulation. The first efforts to regulate the quack industry began in the early 19th century with the formation of the U.S. Pharmacopeia in 1820, followed by the Drug Import Act of 1848 to stop the flow of adulterated medicines coming in from Europe. But it wasn’t until Abraham Lincoln established the US Department of Agriculture that there was a foundation for real improvement.

Irresistible Digression
Those who are “so scientifically illiterate” as to be inclined to indulge the supernatural might see auspiciously presaging similarities between President-elect Obama and Abraham Lincoln. But even though (much like divination) “Lincoln is a Rorschach test… Everybody finds themselves in Lincoln… Everybody finds what they want to find in Lincoln” it’s still worth noting that just as Obama is planning to appoint our Nation’s first CTO, Lincoln in 1862 appointed the first national chemist to what became the Bureau of Chemistry, the precursor to the FDA. Coincidence? Hardly. Using some tannaic period numerology, a simple gematria calculator, and far more time than I should have wasted, it’s simple to prove that this is no mere coincidence:

  • בראק הוסינ אובמה – Transliteration of “Barack Hussein Obama”. Gematria value 488
  • אברהמ לנכולנ – Transliteration of “Abraham Lincoln”. Gematria value 434
  • טכנולוגיה – The modern Hebrew word for “Technology”. Gematria value 139
  • כימיה – The modern Hebrew word for “Chemistry”. Gematria value 85
  • 488 – 434 = 54
  • 139 – 85 = 54
  • חמאה – The Biblical Hebrew word for “butter”. Gematria value 54
  • Proof!

Okay, so I took some liberties with the calculations… Partly because “chemistry” and “technology” weren’t big topics in the Bible, although they were probably there in the way that microbes were. And if that seemed a strange illustrative detour, try this for perspective.
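
For anyone inclined to re-check the arithmetic, here is a minimal sketch of the sort of “simple gematria calculator” used above – standard letter values, with final forms counted the same as their base letters (an assumption; the transliterations above avoid finals anyway):

GEMATRIA = {
    "א": 1, "ב": 2, "ג": 3, "ד": 4, "ה": 5, "ו": 6, "ז": 7, "ח": 8, "ט": 9,
    "י": 10, "כ": 20, "ך": 20, "ל": 30, "מ": 40, "ם": 40, "נ": 50, "ן": 50,
    "ס": 60, "ע": 70, "פ": 80, "ף": 80, "צ": 90, "ץ": 90, "ק": 100,
    "ר": 200, "ש": 300, "ת": 400,
}

def gematria(text: str) -> int:
    """Sum standard letter values, ignoring spaces and anything non-Hebrew."""
    return sum(GEMATRIA.get(ch, 0) for ch in text)

# Re-checking the arithmetic from the list above:
assert gematria("בראק הוסינ אובמה") == 488   # "Barack Hussein Obama"
assert gematria("אברהמ לנכולנ") == 434       # "Abraham Lincoln"
assert gematria("טכנולוגיה") == 139          # "technology"
assert gematria("כימיה") == 85               # "chemistry"
assert 488 - 434 == 139 - 85 == gematria("חמאה") == 54   # "butter" -- proof!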

I’m from the government and I’m here to help
Anyhow, with Lincoln having set the ball in motion, a sequence of other milestones followed, frequently in response to what tends to be our greatest incitement to legislation: some sort of scare, outrage, or tragedy. For example:

  • In response to contaminated vaccines that caused the deaths of 22 children, the Biologics Control Act was passed in 1902; it went on to establish the Center for Biologics Evaluation and Research (CBER), which oversees biological, as contrasted with chemical, drugs.
  • In 1910, “Dr. Johnson’s Mild Combination Treatment for Cancer” made false curative claims, and even shamelessly attacked the effectiveness of legitimate treatments (a common ploy of pseudoscience). When brought to court, the “treatment” was found to not be in violation of the Pure Food Act since it was not misbranded. In response to this loophole, Congress in 1912 enacted the Sherley Amendment to the Pure Food and Drug Act making a drug illegal “…if its package or label shall bear or contain any statement, design, or device regarding the curative or therapeutic effect of such article or any of the ingredients or substances contained therein, which is false and fraudulent.”
  • Following the death of more than 100 patients caused by a treatment for infection distributed in a solvent that turned out to be toxic, the Federal Food, Drug, and Cosmetic Act was passed by Congress in 1938, giving authority to the Food and Drug Administration (FDA). It required that companies perform safety testing on their proposed drugs and submit the data to the FDA for review and approval before the drug could be brought to market. It also served as the foundation upon which a significant number of additional protective amendments stand.
  • In response to the 1950’s Thalidomide tragedy that caused more than 10,000 birth-defects worldwide, Congress passed the Kefauver-Harris Amendment in 1962, requiring drug manufacturers to prove the effectiveness of their products before marketing them.

Conspicuously absent from the partial chronicling above is an event that deserves special attention: 1906’s Pure Food Act, which mandated that all food and drugs clearly and accurately list their contents. The Pure Food Act was the culmination of years of work by legislative, journalistic, and medical professionals who crusaded to expose the fraud and danger of patent medicines. Of particular interest was a scathing piece of muckraking journalism by Samuel Hopkins Adams titled “The Great American Fraud”, which exposed hundreds of dangerous patent medicines, products and their hucksters, documented the deaths of hundreds of their victims, and revealed that they contained mostly valueless inert ingredients, alcohol, and various toxic and addictive compounds. This multipart series from 1905 opened with the line “Gullible America will spend this year some seventy-five millions of dollars in the purchase of patent medicines.” (For reference, by today’s standards, $75 million would just barely pay for 90 minutes of interest on our national debt, but according to this Consumer Price Index calculator, $75 million in the year 1905 has the same “purchase power” as $1.8 billion in the year 2007. Still, this number is a fraction of analysts’ estimates of worldwide network security spending.)

Leaving no stone within the ecosystem unturned, the Great American Fraud also described the “selectivity” of advertising, and the corrupt nature of the relationship between the advertisers and publications:

“We see recorded only the favorable results:  the unfavorable lie silent.  How could it be otherwise when the only avenues of publicity are controlled by the heavy advertisers?  So while many of the printed testimonials are genuine enough, they represent not the average evidence, but the most glowing opinions which the nostrum vender can obtain, and generally they are the expression of a low order of intelligence.”

“If there is no limit to the gullibility of the public on the one hand, there is apparently none to the cupidity of the newspapers on the other… Pin a newspaper owner down to the issue of fraud in the matter, and he will take refuge in the plea that his advertisers and not himself are responsible for what appears in the advertising columns. Caveat emptor is the implied superscription above this department. The more shame to those publications which prostitute their news and editorial departments to their greed.”

Suffice it to say, the practical implications of such ethical considerations are not only timeless but even more relevant given today’s overabundance of, and overdependence on, the media for edification.

Regulate? Why?
While most legitimate practitioners and scientists in the medical industry presumably appreciate that regulation serves to separate the qualified from the unfit, sparing them the need to compete directly against the (often more attractive, and still, unfortunately, partly on the loose) riff-raff, the grass remains greener on the other side for some. In response to the general “regulation is bad” argument, I offer that this is not about regulation for the sake of bigger government; it’s about injecting some much-needed science into an increasingly critical system. There are instances where bad things happen because of calculated villainy (Enron), and our knee-jerk response is to suffocatingly over-regulate, and there are unintended tragedies, such as the 1937 Elixir Sulfanilamide incident, whose diethylene glycol poisonings catalyzed 1938’s Federal Food, Drug, and Cosmetic Act, that make regulation seem indispensable. The difference? Regulation designed to protect against premeditated bad guys will fail to thwart the devious and lawless, affecting only the good and law-abiding, whereas regulation designed to protect against accidental harm caused by ignorance, incompetence, negligence, or superstition can prevent misfortune.

Some might be inclined to say that it’s not fair to compare medicine to information security – one is a matter of life and death while the other is simply a matter of bits and bytes. But as we move further into the information age, and become more, and more, and more, and more dependent on our information systems, we’ve “optimized” ourselves into a position where our military, our public transportation, our communication systems, our hospitals, our power plants, and our emergency services are all susceptible to attacks against our overstretched, outstripped information systems; information systems that are inherently crippled with outdated protocols and a capitalist-driven mandate for backward compatibility; designed at a time when systems weren’t critical and everyone was friendly; held hostage by rapacious commercial interests who chant “openness”, “transparent connectivity”, and “ease-of-use” just so as not to clog the pipes through which the money flows; and abetted by mountebanks and supernaturalists with a disdain for any scientific motions toward security. And unlike conventional warfare, these attacks can be launched remotely, anonymously, and with zero expense incurred by the attacker – in other words, an enemy that is both invisible and inexhaustible. When faced with actual threats from a foe with mythical potency, how do we respond? By employing whatever parlor tricks and panaceas we can that will create the illusion of security, just as long as it doesn’t hamper profitability. Regrettably, given current economic conditions and outlooks, we can probably expect the effect to worsen. <ahem>

Some say that regulation is not well-defined, thorough, or effective enough, and that too much continues to fall through the cracks, so that it’s not only an expense and hindrance, but inadequate, to boot. However, considering this as a condemnation of regulation would be akin to asserting that “there are still crimes being committed on the streets, so since the police can’t stop them all, we’d better get rid of the police.” On the contrary, this is a call for better standards, and as history shows, ongoing relevance requires adaptability and evolution. But it does raise the important question: “how much testing is enough?” There are still plenty of instances of drugs being approved and later recalled because of insufficient testing. Why? Simply, because not all conditions can be known in advance, and testing cannot be perfectly exhaustive or it will never be completed, meaning the product will never be brought to market, thus denying potential beneficial treatment to those who need it. Like the FDA, Quality Assurance (QA) departments in every information technology developer deal daily with this conundrum. To further complicate the task are such paradoxes as “customers demand more features, which increases complexity, which increases test-cases, test-time, and the overall potential for product failure” and “increasing economic pressures demand that we bring products to market sooner and more cost-effectively than the competition, which tempts cutting development corners, QA resources, and test-time.” For the software development lifecycle itself, there are an overwhelming number of standards and frameworks available, and for the finished products there are better-recognized industry certifications like FIPS and Common Criteria to help ensure cryptographic integrity, to protect against attacks targeting development environments and supply-chains, and to weed out fraudulent vendor claims. But the effectiveness of these methodologies and certifications is crippled by the fact that they are not universally understood or applied.

For the QA testing process itself, there is no answer to the question “how much testing is enough?” because there will always be unknown unknowns. Even if we defined some set of sane minimally acceptable QA practices (e.g. peer code-reviews, static code-analysis, validation/sanitization testing, input-output comparison testing, stress/load testing, mutation testing), how could we ensure that vendors adhere to them unless regulated? Sure, economics suggests that those vendors who went to the expense of voluntarily producing and distributing such reports would earn a competitive advantage through the enhancement to consumer confidence that the practice would offer, but this naively presupposes that consumers know and care about such disclosures. Not to mention that as a strictly voluntary, unregulated practice, there would be no assurance of the legitimacy of the claims. Imagine the value of Common Criteria evaluation assurances if self-certification were permitted rather than evaluation by a licensed testing lab.
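
To make just one of those practices concrete, here is a minimal, hypothetical sketch of table-driven validation/sanitization testing in Python. The sanitize_username() function and its rules are invented for illustration; the point is simply that expected behavior for hostile input gets written down and checked mechanically rather than assumed:

import re
import unittest

def sanitize_username(raw: str) -> str:
    """Hypothetical sanitizer: keep word characters, dots, and dashes; cap the length."""
    return re.sub(r"[^\w.\-]", "", raw)[:32]

class SanitizationTests(unittest.TestCase):
    """Table-driven checks: expected output for benign and hostile input alike."""
    CASES = [
        ("alice", "alice"),                                     # benign input passes through
        ("bob'; DROP TABLE users;--", "bobDROPTABLEusers--"),   # SQL metacharacters stripped
        ("<script>x</script>", "scriptxscript"),                # markup stripped
        ("a" * 100, "a" * 32),                                  # length capped
    ]

    def test_cases(self):
        for raw, expected in self.CASES:
            with self.subTest(raw=raw):
                self.assertEqual(sanitize_username(raw), expected)

if __name__ == "__main__":
    unittest.main()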

Economics of regulation
Of course, there will be costs to properly fund such a regulatory effort, both direct and indirect. There is also the Economics 101 “law of unintended consequences” argument against any form of regulation which basically states: more regulation = greater development/operating costs = decreased company profits = less incentive to innovate = fewer breakthroughs/advances brought to market = anti-capitalists kill babies. True as it may be that “sometimes interference with a system committed to protect a victim only makes that victim weaker” (e.g. the illusion of security), this argument is typically only invoked when convenient to the rhetorician, and only to the extent that it serves his agenda, for example, against affirmative action, rent controls, minimum wage, and equal opportunity employment. Certain economists have even gone so far as to argue against child-labor laws, asking “If child labor were legalized tomorrow, would you send your eight-year-old to the factories to bring home an extra $200 or so a month?” Absurdly, this asks the question only of an audience who, predictably, does not need the extra $200 a month – what about people for whom the $200 would mean the difference between paying the rent and eviction, feeding the family or going hungry? This sort of demagogic, one-dimensional logic would also suggest that “practicing moderate caloric intake could result in hunger, which could lead to binge eating and weight gain, therefore no one should eat in moderation lest they risk obesity.” And if that’s not ridiculously myopic enough, why not invite this law’s pretend disciples to apply it to the administration of antibiotics when they or their loved ones contract strep or some other life-threatening infection? After all, a well-known unintended consequence of antibiotics is that they create stronger, antibiotic-resistant pathogens. In other words, complex, multivariate systems are not black and white – sometimes applying this principle makes sense, sometimes it doesn’t.

It would be rationally and morally satisfying to see the discontinuation of the willy-nilly application of the “law of unintended consequences” to vital consumables. Consider what the state of medicine would be today without regulation… True, innovative new drugs might make it to market much more quickly and inexpensively, but then the average citizen would have to be a chemist to know what drugs, services, and procedures are safe and effective to use. Anti-regulationists will argue that no rational free-market enterprise would go to the lengths necessary to develop, manufacture, and distribute a product for financial gain only to then lose their market to the ill-effects of an inferior product, such as reputational defamation, customer migration, or manslaughter. But this line of reasoning, relying on economics in a vacuum, presupposes that it would be prohibitively expensive to enter into the purveyance of said product. This is why these economists’ examples often use industries or products where there are obvious, practical barriers to entry, such as automobiles or airplanes. What they ignore is that today, but for the aegis of regulation, there are no such barriers to medicine or information technology. Anyone with little more than an exam-cram style education can mix herbs, vitamins or legal chemicals, can administer electrical stimulation or therapeutic massage (to be fair, cracking your bones does require 4,500+ classroom hours), can configure your mission-critical ESX server or router, and can use a melange of iptables, iproute2, spamassassin, and clamav to create a “UTM appliance.” But are these sufficiently safe and effective?

Buying anything on which critical systems depend (e.g. drugs, medical services, information technology goods and services) is not the same as buying a pair of jeans. While we can certainly expect free-market forces to eventually filter out a particularly poorly made or ugly pair of jeans, the difference is that at worst, the fashion-illiterate might be ridiculed, but they will surely not suffer real harm, such as having their identity stolen, their database breached, or their health or lives compromised or taken as a result of their illiteracy. Anti-regulationists will then further argue that there is plenty of information available today to allow consumers to educate themselves, and that anything short of this sort of freedom is tantamount to a nanny state. Seriously, even with the Internet, do most people have the resources, namely, time and expertise, to diagnose themselves? To decide on the correct treatment? To select the most appropriate and effective network protection? Intentionally or unintentionally, through advertising or testimonials, deception or ignorance, unmoderated forums will invariably at times contain bad, biased, or incomplete information. And for perspective on the cost of the protection offered by regulation, the FDA has an FY09 budget of $2.4 billion, the same figure as the cost of waging one week of the war in Iraq (the benchmark for downplaying the cost of anything we’d rather not pay for… The “B” word is reserved for monetary comparisons of 11 digits or more).

Finally, every process has its byproducts, so we could expect variations of the inevitable lobby backlash, scandals (real and alleged), pursuit by ambulance-chasers, and every other idiosyncratically human form of corruption and parasitism. But we’re used to this, mostly because human nature doesn’t change, at least not all that quickly.

Science cures
“There are none so credulous as sufferers from disease. The need is urgent for legislation which will prevent the raising of false hopes of speedy cures of serious ailments by misstatement of facts as to worthless mixtures on which the sick will rely while their disease progresses unchecked.” (William Taft, 1911, on the need for greater protection against patent medicines)

Is it really a stretch to liken the current state of information technology to a disease sufferer, desperate for a cure? Our quest for remedies and palliatives has spawned a new generation of quacksalvers making exaggerated, jargon-laden claims, and hawking goods and services of questionable worth. They are supported by symbiotic relationships of dubious ethicality with analysts and trade rags, overhyping by the media, and flagrant touting in commissioned reviews that present themselves as objective analyses. In some respects, many information security products are “real” just like snake oil is “real”; there might be some underlying validity at the component or principle level, but only thinly, and with limited practical value. And unlike medicine, information systems seem to derive little benefit from the placebo effect.

There are many legitimate and potentially beneficial instances of information security technologies, just as there are many legitimate and potentially beneficial drugs, but the safety and effectiveness of either cannot be measured in isolation because they act on complex, dynamic, multivariate systems. The actual effects of many of the compounds taken as drugs are not known until they are metabolized by the various systems in the human body. Even then it is an iterative process as the “output” from one system (e.g. the liver) is circulated back to all other systems, where the process repeats until metabolism completes. And that does not even account for the subtle bioactive variances from one person to the next. To better understand this, technological advances are being developed to enhance our abilities to realistically model these systems, much the same way that HPC/supercomputing clusters are being employed to create “network situational awareness” models and visualizations in pursuit of network security. To some extent, the same recursive variability that exists in biological systems also exists in information technology systems, so without operative insertion into a live environment, it is no more possible to claim that “this firewall (or NAC, or DLP, etc.) will make me secure” than it is to say that “this drug will make me well”. At best, we can attempt to reduce the risks of harm or ineffectiveness, first by scientifically proving the remedy to be safe and effective according to some generally agreed-upon standard, and second, by ensuring that it is “used only as directed.”

Indeed, information technology is a profit-seeking, commercial enterprise, but as the lifeblood of the information age, isn’t it time we start taking information technology a little more seriously? Scientific rigor and discipline are not the nemeses of the free-market, and while not many relish the costs or ministrations of bureaucracy, the rational and objective monitoring, inspection, and supervision of critical systems can help to ensure the service and safety of those who depend upon them.

Negative Day Threat Detection

Announcements of exploitable OS and application vulnerabilities are so commonplace that we’re perhaps even more inured to them than we are to a perpetually ‘Elevated’ Homeland Security threat level. While the severity of the first threat is far outweighed by that of the second, the former is far more likely to be attempted or exercised, so much so that incidents of its occurrence should be considered inevitabilities. Despite this, there continue to be examples of failures to patch systems against newly announced vulnerabilities even when updates are made available very near the zero hour. Even days later, failures to patch leave systems vulnerable, and allow attackers to devise even more methods of concomitant exploitation.

But as the article states: “Microsoft patched the vulnerability with an out-of-sequence patch on 23 October. Trojans exploiting the flaw were spotted the day afterwards. Analysis of these strains suggested they may have been in circulation before Microsoft issued its patch.” What protection is there against exploits that are launched against a vulnerability before the vulnerability is remedied by the vendor? Fortunately, there are some extremely agile, automated defensive services, such as SonicWALL’s dynamically updated Unified Threat Management technology. For MS08-067,  SonicWALL published a Gateway AV update concurrent with the Microsoft announcement, meaning that subscribers to the SonicWALL service were protected against this exploit even before applying the Microsoft patch. Other security vendors provided similar updates with varying degrees of timeliness and automation, including the open-source community.

It’s that one point from the quote above, “[that strains of the malware] may have been in circulation before Microsoft issued its patch”, that is cause for concern. While zero day protection is effective against considerate attackers who wait until after the zero day patch or pattern-update has been released, what about exploitations or events that occur prior to that? At that point it becomes an issue of incident response, step 1 of which is generally “contain the damage” – but other than hoping there are detectable traces of infection, how is it possible to identify something that occurred in the past?

In homage to this prescient NSFW Onion piece, it’s time for someone in the information security space to say “Zero Day Threat Detection? A whole lot of good that does when something happened yesterday… Good luck detecting bits and bytes after they’ve faded into the ether. Well, we’ve just turned the Ethernet into the Perma-net: Let’s see someone try to evade Negative Day Threat Detection.”

In seriousness, efficient prevention is still usually far more useful than detection, but since failure is inevitable, why shouldn’t we employ tools to aid in incident response? With the elements of storage getting bigger and cheaper all the time, why not put the ever-increasing capacity and decreasing cost to just that use? Then, when it’s discovered that something of interest (any “unknown unknown” such as data-leakage, a database breach, a network outage, or a malware event) has occurred in the past, it becomes possible to retrospectively detect it and determine its severity and scope.

For the MS08-067 example, it would be possible to determine whether any systems were affected prior to October 23rd by using the Emerging Threats pattern and issuing a simple DeepSee query like “within:2w filetype:exe hex:C84F324B7016D30112785A47BF6EE188” to search for instances of the offensive executable that might have traversed the network over the past two weeks.
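
Lacking a DeepSee appliance, the same “negative day” idea can be sketched in a few lines of Python. Everything below is an assumption made for illustration: that executables extracted from captured flows are archived to disk under a hypothetical /var/captures as they traverse the network, and that the query’s hex value is an MD5 indicator rather than a raw byte pattern.

import hashlib
import os
import time

CAPTURE_DIR = "/var/captures"                       # hypothetical archive of extracted payloads
INDICATOR_MD5 = "c84f324b7016d30112785a47bf6ee188"  # the hex value from the published pattern
WINDOW_SECONDS = 14 * 24 * 3600                     # the "within:2w" part of the query

def retrospective_hits(capture_dir: str) -> list:
    """Return archived .exe payloads from the last two weeks whose MD5 matches the indicator."""
    cutoff = time.time() - WINDOW_SECONDS
    hits = []
    for root, _dirs, files in os.walk(capture_dir):
        for name in files:
            path = os.path.join(root, name)
            if not name.endswith(".exe") or os.path.getmtime(path) < cutoff:
                continue                            # not "filetype:exe", or outside the window
            with open(path, "rb") as fh:
                if hashlib.md5(fh.read()).hexdigest() == INDICATOR_MD5:
                    hits.append(path)               # this executable crossed the wire pre-patch
    return hits

if __name__ == "__main__":
    for hit in retrospective_hits(CAPTURE_DIR):
        print("possible pre-patch exposure:", hit)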

Yes... it's real.

Negative Day Event Detection – Take information security up to 11

Nothing new under the sun

The first thing that comes to my mind when reading all the “Twitter Terrorists” news headlines this week is that one of the investors in one of the 250 Twitter clones is friends with someone in the US Army’s 304th Military Intelligence Battalion, or at the Federation of American Scientists. Or maybe it was just a part of an “all publicity is good publicity” campaign. I guess it all depends on your level of cynicism.

The now highly publicized For Official Use Only Red Teaming perspective report on “Potential for Terrorist Use of Twitter” opens with an overview on page 1 that states: “this paper briefly covers a few examples of terrorist use and potential use of mobile to web and web to mobile technologies and tactics…”, as well as a series of five additional caveats, but clearly these were either not RTFAd, or <gasp> perhaps intentionally ignored by newshounds.

So for reasons other than “it’s really popular today, so chances are our superiors will have heard of it, thus increasing our chances of relevancy” why pick on Twitter? There are plenty of other specific examples of technology named in the report, from voice changing software, to Google Earth, to Vonage, to Skype. But since voice transformers have been around for a while, and VoIP is almost equally old-news, and Skype already got the terrorist treatment, we needed our next fix of histrionics so it was only reasonable to shift our short attention spans to Twitter.

Irresistible early 2009 prediction: Expect headlines reading “Terrorists can use Ponoko to manufacture coffee-tables of mass destruction!”

This isn’t about Twitter, or about SMS linked micro-blogs, or about social networks. It’s about the following general characteristics of posting on the Internet:

Yes, flowcharts should contain essays

So reading the MI report and considering the flowchart above, there are a few general points:

  1. Technology makes instant communications simple
  2. Communications can be private, and sometimes private communications communicate bad things
  3. Communications can be public, and sometimes public communications can reveal too much information

Is this really anything new?

  • Instant or relatively instant communications have been around for a while.
  • Cryptography is old, encryption and terrorism concerns actually existed before 9/11, and while there’s no firm date reference for “evil,” it’s been around for at least 5769 years.
  • Information insecurity existed before the web, IM, SMS, microblogging, and social networks.

Advice?

  • Continue Red Team exercises; they’re good. But as a member of the media, don’t use them to irresponsibly sell copy or frighten people.
  • If you are expecting a visit from your Mom, but have to run to the market for eggs, don’t leave a note on the front door to your house that reads: “Mom – I have to run to the store for eggs. Be back in 45 minutes. The back door is open, let yourself in.” Obviously, not smart. For reference, it’s effectively how Sarah Palin’s private email account was recently compromised.
  • Data is becoming less private and more persistent, so unless you want it to eventually be retrieved by someone else, do not reveal private information.
  • Whenever possible, try to devalue the data, e.g. use full-disk encryption and database encryption so that when a loss or breach occurs the data becomes inaccessible (or at least very expensive) to the thief; use unique passwords (with a password manager) so that if one is compromised the others aren’t; use “one-time” data instances such as one-time passwords or one-time credit card numbers (a minimal sketch follows this list).
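
As a concrete instance of “one-time” data, below is a minimal HOTP (RFC 4226) sketch – the counter-based one-time-password construction behind many OTP tokens – showing why an intercepted code is worthless on replay. Secret storage, counter synchronization, and verification policy are deliberately left out.

import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over an 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

if __name__ == "__main__":
    secret = b"12345678901234567890"            # the RFC 4226 test secret
    for counter in range(3):
        print(counter, hotp(secret, counter))   # 755224, 287082, 359152 per the RFC test vectors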

If I knew then what I know now

The eternal recursive human lament. If you’re a post-adolescent with a functional left-brain, the thought has surely occupied your mind. And it goes through stages, progressing from incompetent ignorance (“I know it all, so don’t you try to teach me anything”), to personal agnosticism (“I know enough to know that there’s a lot I don’t know”) to acceptance of inherent epistemological limitations (“not only can we never know everything there is to know, but there will always be unknown unknowns”). Call it an ironic effect of cognitive maturation, but the more we know, the more we realize we don’t know; to assert otherwise generally serves to do nothing but betray one’s own obstinacy, unconsciousness, or naiveté.

Despite this, we’ve all known people who pretend to omniscience. We expect this from the inexperience of youth, and we counsel the young to learn to appreciate the value of experience. But we’ve also known people who’ve grown beyond their youth but who persist in the pretense. And it’s toward these people that we wag our fingers, shake our heads, and with all the certainty of the imperfection of our knowledge caution “mark my words” or “just you wait and see”. Further, when such a disorder of critical faculties is exposed, the credibility of these obstinate omniscients begins to erode. The more they betray their poor judgment and inadequacies of understanding, the more they irredeemably mar their own reputations. Simply, it is ill-advised to take advice from the pathologically unenlightened, intransigent, or delusional.

But ill-advised as such misplacement of trust may seem, oddly it endures in worship to certain conventions. Specifically, I am referring to the community of thriving information technology purveyors who purport to deliver comprehensive security in the form of a piece of software or an appliance. Indeed, the forces of economics and natural selection work to eliminate the inferior, unaffordable, or ineffectual, leaving the market with the most fit. But there is often an ironic consequence to this: the more fit a security product is perceived to be, the more likely it is to recklessly embolden those whom it is employed to protect, having the paradoxical effect of instilling a deleterious illusion of security. Yet this is but a small problem compared with the fact that attacks evolve according to the same forces driving the advancement of defensive countermeasures. The fittest attacks adapt to their adversaries, becoming increasingly stealthy and subtle, both in their delivery and the perceptibility of their payload. Detection at the time of occurrence relies on intrusion detection/prevention systems that have ever-reduced visibility into increasingly covert attacks. Security Event/Information Management (SIEM) platforms can only report on and respond to the specific events they have been configured for. Log aggregation, analysis, and correlation tools can only act on the specific meta-information about the set of events that they have been configured to recognize. Application layer gateways, proxies, and their derivatives can only operate on the well-known protocols, procedures, and methods they were written to handle. Deterministic (pattern or signature based) methods of detection have mounting difficulty dealing not only with intentional obfuscations, but also with the inevitable window of exposure that exists between the introduction of an attack and the development and deployment of antidotal signatures. In response, some defensive systems are moving—often in unequal measures of practice and marketing—toward a cocktail of deterministic and non-deterministic (behavioral/anomaly based) methods of detection; unfortunately, the latter, because of its deficient certitude relative to the former, cannot currently be employed with sufficient aggressiveness to achieve comparably material effectiveness, lest it introduce insufferable false-positives. But these technologies will, of course, mature. And naturally, once these hybrid systems become sufficiently pervasive, the survival of the attacks will depend on their fitness at simultaneously impersonating “normal” behavior while minimizing detectability.
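
To illustrate that deterministic/non-deterministic cocktail and its tuning dilemma, here is a toy sketch in Python; every name, signature, and number is hypothetical. A signature match blocks outright, while the behavioral path only alerts when an event rate strays some number of standard deviations from its baseline – and lowering that threshold in the name of aggressiveness is exactly how the insufferable false positives arrive.

from typing import List, Optional
import statistics

KNOWN_BAD_SIGNATURES = {"sql-slammer-376", "ms08-067-netapi"}   # hypothetical deterministic patterns

def anomaly_score(history: List[float], observed: float) -> float:
    """Z-score of the observed event rate against its recent history."""
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history) or 1.0
    return (observed - mean) / stdev

def verdict(signature: Optional[str], history: List[float], observed: float,
            threshold: float = 3.0) -> str:
    if signature in KNOWN_BAD_SIGNATURES:
        return "block (signature)"          # high certitude, low cost
    if anomaly_score(history, observed) > threshold:
        return "alert (anomalous)"          # lower certitude: a lower threshold buys false positives
    return "allow"

if __name__ == "__main__":
    baseline = [40.0, 42.0, 38.0, 41.0, 39.0]           # e.g. connections per minute from one host
    print(verdict(None, baseline, 43.0))                # allow -- within normal variation
    print(verdict(None, baseline, 90.0))                # alert -- well outside the baseline
    print(verdict("ms08-067-netapi", baseline, 40.0))   # block -- deterministic match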

On accepting this scenario of reciprocally adaptive, coevolutionary equilibrium (the Red Queen hypothesis), instantly exposed is the unfortunate tendency of the infosec industry to consider foremost currently manifest (i.e. un-adapted) threats, barely acknowledging the inevitability of the unknown. More regrettable is that the victims of such imperfect criteria are IT buyers and implementers, who largely depend on the guidance of these head-in-the-sand, static assessments when building their defenses. For all the fervor the industry has for the term “arms race”, why does this seemingly willful deception persist? The phenomenon is understandable considering the psychological implications of the alternative. Active countermeasures (firewalls, UTMs, IPSs, SIEMs, etc.) regardless of their actual effectiveness or ineffectiveness, also create an illusion of control, much the same way taking our shoes off at the airport is intended to create an illusion of control. This is best described by Bruce Schneier’s concept of “Security Theater”. The benefits are not entirely illusory – the firewall will stop known attacks, just like the TSA will prevent the next Richard Reid. In effect, this is defense by deterrence: we expect that the competent attacker knows what the defender is looking for, and will therefore not waste resources on that particular form of attack. But there is a big difference. The cost to an airline attacker trying the old shoe bomber attack is a plane ticket and life in prison (or worse), while the cost to an anonymous internet attacker trying the old SQL Slammer attack is virtually nil. Economically, the internet attacker has an effectively limitless resource with which to launch attacks, so he can launch it a million times at no cost, and even if only effective .001% of the time, it still hits 10 victims. The notion of deterrence does not apply when there is no cost. And as mentioned earlier, unlike certain instances of real-world security where the illusion of security is potentially beneficial (e.g. to minimize panic, or to keep shoppers shopping) this sort of illusion is entirely detrimental in the case of information security.

Other simple principles of game theory also apply. It is obvious that once a well-informed, rational attacker knows what the defender is looking for, his method of attack will evolve. It is a repetitive, sequential game where the attacker has a clear second-mover advantage for a number of reasons: The attacker chooses both who and when to engage in a round of play, allocating resources only when perfectly advantageous, and maintaining the element of surprise, while his opponent is obligated to participate in every round (i.e. attempt to defend against all known attacks from all attackers). The attacker has full access to study the systems of defense (his opponent’s move) for as much time as is needed to mount an effective attack, while his opponent lacks all visibility into the attacker’s operation. The attacker does not have quality control standards or other impediments to moving quickly (i.e. expeditious “product” deployment), whereas his opponent must methodically abide by company, market, and regulatory standards for product releases. It can seem unbalanced almost to the point of futility.

OK, let’s pull ourselves together. We need to take some action, don’t we? Psychologically, not employing active countermeasures (imperfect as they might be) in our own defense would be an admission of defeat, an exhibition of learned helplessness… merely planning to fail. Of course we need active defenses to the extent that we’ve assessed our risk and have identified appropriately practicable (effective and affordable in terms of direct, indirect and opportunity costs) countermeasures. But at the same time, we need to consider that security is composed not only of technology, but also of people and processes; that these components of security are each, on their own, imperfect; that we rely on these imperfect pieces to try to compensate for the others’ imperfections; that our adversaries’ technologies evolve as quickly as our defensive technologies; and that the very rules of the game are unfair. In short, even after mounting our best defense, we must still expect failure. As the unattributable (yet oddly Sphinx-like) saying goes: “he who fails to plan, plans to fail” – but it could be extended with “and he who fails to factor failure into that plan, plans to epic fail”.

We humans have a very difficult time with the concept of failure. We can regard its occurrence as an almost unbearable indignity, and any inadequacy in planning to avoid it as a tragic character flaw (that is, unless we have the strength to persevere, learn, and transcend – then it becomes a positive thing, at least until the next time). Failure is a very emotional experience. Fortunately, automata do not yet have quite the same response to failure, so when today’s firewall inevitably fails to defend against tomorrow’s attack, it doesn’t slip into a funk. We should aspire to such pragmatism, and embrace failure. We should accept that our emotions are at odds with our rationality, and work to correct such human emotional maladaptations as blindly ignoring the potentiality of failure, focusing disproportionate resources on often illusory active defenses, and building system after system without failure as an inherent component of design.

Ultimately, failure is not a matter of “if”, it is a matter of “when”. Pride should not prevent us from building this certainty into our systems, and we should question the faith we have in those who commit such a sin against us.
