Tag Archives: Civil Liberties

Cyberintelligence legislation: not just CISPA

Posted on 2012-04-14 | 1 Comment

"thε allεgory oƒ Camεra▲Obscura . ." by jef safiNB: As previously stated, my interest in these bills has nothing to do with partisanship or traditional political ideology. My opinions do not necessarily reflect those of my employers or anyone else and may evolve as I learn more about the issues.

As I’ve continued to look into CISPA in greater detail, I’ve started to understand better the objections raised by its opponents. I should also note that alternatives exist to CISPA: other bills trying to accomplish something similar with slightly more specificity. Anyone interested in this area should almost certainly read The Who, What and Why of Information Sharing in Cybersecurity Legislation on Lawfare by Paul Rosenzweig of the Heritage Foundation. Specifically, he looks at the Lieberman-Collins bill (Cybersecurity Act of 2012) and the McCain bill (SECURE IT Act), each of which cover far more than just intelligence sharing. They also originate in the Senate, while CISPA comes from the House. I really recommend reading his entire post, but I’ll note here some of the points I found most important.

  1. The other two bills contain specific definitions of the sorts of intelligence that the new programs would share. Actually, both of them classify threat indicators in some detail, and the Cybersecurity Act actually specifies that the intelligence should remove PII of other individuals (collateral privacy damage). I suspect that these sorts of definitions can go a long way to ease the minds of those who have concerns about the lack of specificity in CISPA.
  2. The Cybersecurity Act essentially designates the DHS as the lead agency to coordinate information sharing. Actually, it allows the DHS to decide which agency will take the lead, but interdepartmental politics almost guarantee that the DHS will select itself, probably attached to US-CERT in some fashion. On the other hand, the SECURE IT Act essentially lets private organizations choose from any available federal option, including the DHS, NSA, FBI, and others. These both take different approaches from CISPA, which designates the DNI as the coordinating point but doesn’t restrict private-sector organizations from sharing intelligence with any federal agency.
  3. Shared intelligence under the Cybersecurity and SECURE IT Acts can only be used for certain purposes, and they each have some restrictions on what law enforcement can do with the data. CISPA allows broader usages here.

None of these bills include anything like the censorship provisions in SOPA. None of them require any group to share information with the government or anyone else, though only the Cybersecurity Act seems to include major restrictions on sharing data of individuals unrelated to the threat. No federal dollars go to any private organization to fund whatever data collection and analysis systems they use. I think that CISPA opponents have triggered on the “notwithstanding any other provision of law”, but the courts don’t interpret that phrase in the same way you and I might.

From a civil liberties perspective, the intelligence sharing provisions in the Cybersecurity Act seem less controversial than CISPA. The SECURE IT Act is somewhat more nuanced in its approach to law enforcement, but generally takes a broader approach. However, the Cybersecurity Act more or less hands the coordination directly to law enforcement, whereas CISPA hands it to the intelligence community and the SECURE IT Act treats the agencies fairly neutrally.

As previously stated, these other two bills go further than just sharing cyberintelligence, including a broader approach to security in their scope. I haven’t looked at the rest of what they cover. But I think that, if the authors of CISPA continue to focus their legislation on the DNI, they could garner a lot of support by using some of the definitions and restrictions from the other bills. And I don’t know that the SECURE IT Act will do much more for threat intelligence than continue existing confusion because it will almost certainly lead to significant duplication within the government.

→ 1 Comment

Posted in Links

Tagged , , , , ,

Turning the tables with OSINT

Posted on 2012-02-05 | Leave a comment
Baby platypuses with fedoras

You never know who's on the case

The SANS ISC originally started as a place to share threat intelligence and analysis, partly based on DShield data and partly based on near-real-time input from the wider network security community. These days, it principally acts as a network security blog with little connection to active threat intel, though it does highlight patch releases.

Earlier in the week, an ISC post on OSINT tactics grabbed my attention. While we await the imminent release of the new version of Maltego (and CaseFile), other tools can help as well. FOCA (Spanish-language site) handles metadata parsing from local documents and simplifies using Google for finding interesting documents on a site, aka “Google hacking“. Apparently, it can also try some direct connections (like HTTP brute-forcing and DNS enumeration).

On a related note, as seen in the comments on that post, Cryptome released a DHS document this year entitled “Publicly Available Social Media Monitoring and Situational Awareness Initiative Update“. This really just lists a lot of publicly available social media sites, tools, and aggregators. What you need might not exist, though, and it’s worth understanding APIs like what Twitter provides. Unfortunately, the Google Social Graph API will go away this spring. I don’t know of any good replacements, but I’d love to find one.

While I have a few concerns related to civil liberties about DHS trolling through all of these, that doesn’t change the fact that your adversaries, regardless of affiliation or organization, will go about this. So while you should think about monitoring your own organization proactively, also consider the possibility and appropriateness of engaging in OSINT against them. Krypt3ia has explained this use of OSINT, though he’s not teaching you to find jihadists. That doesn’t mean, of course, that an intelligent, motivated analyst can’t research techniques and data on his own.

But this can include areas other than getting involved in geopolitical controversy. Perhaps you’re working on an investigation where you have at least some information on the attacker. In some cases, you may choose to take the additional step of gathering further data. (You also might want to consult with your legal counsel, depending on what you choose to do.) I have worked in the past on situations where we identified the attacker in great detail before notifying law enforcement. And because his OPSEC frankly sucked, we could do this through entirely legal and open methods. This distinguishes itself from “hacking back” by restraining itself to gathering information through public data sources only, rather than engaging in any vulnerability exploitation or accessing unauthorized systems and data.

Alternately, consider the uses for other types of investigations. Perhaps you’ve taken an interest in suspicions of local corruption, or you have some reason to believe that somebody on the Internet (e.g. a site, company, or charlatan^W evangelist / expert) has some dirty laundry that needs washing in the open air.

The world has changed, and we can either change with it or hide from it. If you’re already working in network security, only one choice makes any sense.

→ Leave a comment

Posted in Links

Tagged , , , , , , , ,

Analysis failures in .IL.US SCADA incident

Posted on 2011-12-02 | Leave a comment

"Blue sky" by BousureThe infosec community this week has buzzed with news of an embarrassing non-incident at an Illinois water plant. You can get the whole story at Threat Level, but the gist goes something like this: a water treatment plant experienced a failure in one of its pumps. The staff initially treated it as another common mechanical failure, but at some point someone saw logs that indicated a remote login from a Russian IP address and decided that one event caused the other. Subsequent investigation by a government terrorism and intelligence fusion center revealed that the two events had no relation and we can all flush our toilets relatively free of anxiety. The story has much more detail, all of which will cause moments of extreme facepalm.

Others have addressed the ongoing questions around SCADA security and vendor FUD. But I want to discuss some common failures in threat analysis and incident response that this particular case has highlighted.

Someone at some point jumped to the conclusion that a security incident had occurred. Before I even read the article, the precise phrasing “out of an abundance of caution” seemed like the cliché of the moment, and sure enough, a water district trustee had used those precise words. Apparently, the sight of a .ru address led to fantasies of a “digital Red Dawn” scenario and thus escalation to the intelligence and counter-terrorism community. But equipment failures occur much more frequently than SCADA intrusions by any measure – by many orders of magnitude. As doctors know, when you hear hooves, you should look for a horse, not a zebra.

Additionally, no one validated the login with the user.In this case, a contractor had logged in from an unusual location, and investigating that could make sense for a small water treatment plant in the Midwestern United States. But an anomalous event may have a good explanation; a quick phone call or email to the user would have straightened this out quickly.

No other corroborating evidence appears to have existed. If an attacker had logged in with stolen credentials five months earlier and somehow caused one pump to fail many months later, additional artifacts should have existed: perhaps some exploratory probing inside the network, or other logins, or (one might think) greater damage. In other words: if an investigator has a hypothesis to explain one data point, then he should seek other data that could confirm it. The lack of that data should cause him to re-examine his hypothesis. In particular, the timeline alone should have given pause based on critical thinking (the core of good troubleshooting).

I have no particular knowledge of this specific incident. Therefore, while I will talk about possible root causes for the analysis failure, I can only base it on my experience in similar situations across a number of organizations.

  • Undertrained analysts: I don’t mean the tech who originally noted the address, although as noted above, he should have thought about the timeline. But the analysts at the fusion center clearly lacked the training, judgment, and experience for even this simple scenario.
  • Poor validation workflow: Once the center received the report and, I assume, a first-level analyst looked at it, more senior analysts should have validated it. Either those senior analysts never saw the analysis before it got out to the public, or they have even less qualification for their roles than front-line analysts.
  • Institutional culture: In many such centers (whether private or public sector), the culture rewards analysts who find “things”. After all, if the center receives enough data, then many organizations will assume the data contain lots of evil. This can happen when the management does not construct their metrics with care, for example. But human nature also plays a part: finding evil is fun and sexy; finding banality is not.

I’d draw two core lessons here. First, train analysts in analysis, not just technology. Many organizations focus on spending huge amounts on systems and possibly data feeds, trusting in “smart people” who understand the tech to know how to analyze it. Certainly, analysts must have domain-specific technical qualifications, but the mental toolbox matters every bit as much. As an example, one of the best texts ever for analysts of any stripe is Turning Numbers into Knowledge by Dr. Jonathan G. Koomey. The book doesn’t focus on statistics or any particular methodology. Instead, it  discusses the mindset of an analyst and the sorts of thinking required to do this successfully. Organizations need to focus on this kind of training to help analysts sift through data to find useful information.

Second, government doesn’t have special powers to find and understand threats. While clearly this problem has existed for a long time, it bears repeating at a time when the drive to suck up greater and greater amounts of data for mining and analysis threatens to infringe on core civil liberties. Seeking out evil, whether online or on the streets, doesn’t (necessarily) mean lots of data.

It means getting relevant data and knowing what to do with it. And clearly, we still have a long way to go.

→ Leave a comment

Posted in Notes

Tagged , , , , , , , , , , ,

Aside

Here are some articles worth reading, but which I didn’t get to discuss in more detail due to time constraints. Hopefully I’ll get around to some of the themes later. Reflections on the Oral Argument in United States v. Jones, … Continue reading

→ Leave a comment

Posted on 2011-11-09