Tag Archives: Twitter

Chinese government attacking American journalism?

What a week: disclosure of compromises at the New York Times, Wall Street Journal, and Washington Post. A Java update released on a Friday evening 18 days early due to active exploitation. Twitter compromised affecting 250k users, including me. I may have more to say about the Twitter compromise later.

Journalists in China

If they don’t respect them there, they won’t respect them here.

I’ve assumed for some time that state-sponsored attackers have long targeted major media outlets, especially those who regularly report on national security issues. While we don’t need to start putting on tinfoil hats, the ill-fated Wikileaks partnership with the NYT should have provided a pretty obvious starting point for people to think about these issues. Even more obviously, at least to me, journalists have had to take OPSEC seriously for a very long time, whether due to drug cartels or US presidents unhappy with political and legal revelations. I wouldn’t characterize these incidents as an assault on our way of life, exactly, because the Fourth Estate has always had conflicts with power. We should become far more suspicious when governments don’t concern themselves with the press, because that says something about their relationships with it or, perhaps, their views of popular opinion.

An extraordinary claim requires extraordinary proof.

Others have criticized the reporting and the completeness of the stories. For what it’s worth, as noted above, I certainly don’t think claiming that governments have tried to attack journalists really presents an extraordinary claim. And I have seen enough evidence first-hand to believe that Chinese-based actors actively exploit networks around the world. Combining the two, we know how the Chinese government regards free speech and a free press.

But if you want us to believe that this represents the greatest transfer of wealth in history and all the other hyperbole that surrounds discussion of “the APT” and “China” and “cyberwar”, you need to present evidence. Declassify it, make it public, show it to the American people. If you’re a news outlet dedicated to informing the public, give us the facts. When the government wants to make a case for war, it discusses specific incidents and presents intelligence. If we face such a great threat, don’t just assert the threat, prove it. (Note: I don’t actually expect any of this to happen.)

Whether the intelligence will amount to proof, however, remains to be seen.

Twitter review: 2012-03-23

While I’m dissecting the Verizon DBIR and the Mandiant M-Trends report, plus preparing for my talk to the NAISG Dallas chapter next week (“Evolution of an IRT”), I thought I’d take a look at some relevant Twitter data.

Storification

First, I assembled a Storify to document a conversation on Twitter today related to those two reports. Take a look at DBIR and M-Trends: Different Perspectives. Credit to @bond_alexander for kicking it off.

Twitter dataviz

I also generated the below visualization using xefer. It shows activity by hour of the day, by day of the week, and the ratios of tweets / replies / retweets, all in US Central time (GMT-6 or -5 during DST).


A few things jumped out at me:

  • I usually go offline around 11pm and don’t get going again until 7 or 8am the next day. Typical sleep cycle.
  • Twitter activity declines during the noon (lunch) hour.
  • During the 5pm hour, I have very little to say. This represents the time I wrap up my daily work, drive home, and see my family.
  • Activity drops off during the weekend, when I spend time with the family or generally relax (e.g. gaming).
  • Thursday and Friday evenings slow down considerably compared to Monday through Wednesday evenings. I know why that happens on Friday (going out), but not Thursday.
  • Wow, I chat a lot. But if you follow me, you probably knew that already.

Blocking Trending Topics

Lots of us can’t stand to read the “trending topics” on Twitter. They usually revolve around celebrity “news” and other useless bits. If you have Adblock Plus for Chrome or Firefox, though, just add the following two lines to your filter list:

twitter.com##.trends-inner
twitter.com##.wide-trends

Other tweets this week

A few relevant Twitter postings:

Next time, I’m doing that in Storify.

OSINT monitoring with scripts

"Moleskine Concept Diagram 1" by Josh DiMauro

My last post mentioned briefly the difference between “high level” and “low level” threat intelligence.

High level intelligence includes human-understandable information that we can’t immediately parse into specific data, like a warning that “hacktivists” have targeted an organization. In contrast, low level intelligence usually consists of atomic data (network addresses, malware indicators, payment card information, etc.).

However, we should see this as a spectrum rather than a dichotomy: continuous, not discrete. As an example of this, what about monitoring social media from within your SIEM? For example, many analysts have noted the value of Pastebin as an OSINT source. So Xavier Garcia wrote a post on monitoring Pastebin leaks. This served as a basis for Xavier Mertens to post on monitoring Pastebin.com within your SIEM. Maybe you can use this to look for compromised logins on your domain, then correlate against login attempts for those accounts?

This has grown, of course, and so now we have examples of monitoring RSS feeds and tracking tweets from within a SIEM environment. If you tie this to case management (which many of us do within the SIEM, e.g. using ArcSight), then you’ve got a head start on OSINT monitoring. I suspect you could combine this with Yahoo! Pipes to monitor all sorts of loosely-structured data, whether for correlation or integration into your workflow.
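As an added example (my own illustration, not code from Xavier Garcia’s or Xavier Mertens’ posts), here is the kind of script the idea above implies: pull accounts on your own domain out of a paste, then correlate them against login attempts in the window after the leak was seen. The paste body, the auth log lines and the domain `example.com` are all constructed sample data; the log format is a hypothetical one, so adjust the regex for your gateway.

```python
"""Correlate a credential dump against login attempts for our own domain.
Constructed sample data throughout; the auth log layout is hypothetical."""
import re
from datetime import datetime, timedelta

OUR_DOMAIN = "example.com"  # hypothetical monitored domain

# Constructed paste body in the usual "email:password" dump layout.
PASTE = """\
alice@example.com:Summer2012!
bob@example.com:hunter2
carol@otherdomain.net:letmein
dave@EXAMPLE.com:qwerty
"""

# Constructed login events from a hypothetical auth gateway (one per line).
AUTH_LOG = """\
2012-03-23T09:12:01 auth login user=alice@example.com result=success src=203.0.113.7
2012-03-23T09:14:33 auth login user=bob@example.com result=failure src=198.51.100.9
2012-03-23T10:02:10 auth login user=erin@example.com result=success src=203.0.113.8
2012-03-23T23:40:00 auth login user=bob@example.com result=success src=198.51.100.9
"""

# Credential line: address, then a separator; the password itself is never kept.
CRED_RE = re.compile(r"^([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+))[:;|]", re.M)
LOGIN_RE = re.compile(r"^(\S+) auth login user=(\S+) result=(\w+) src=(\S+)", re.M)


def leaked_accounts(paste, domain=OUR_DOMAIN):
    """Lower-cased accounts in the paste whose domain is ours (the indicator to feed the SIEM)."""
    return {m.group(1).lower() for m in CRED_RE.finditer(paste)
            if m.group(2).lower() == domain}


def correlate(paste, auth_log, leak_seen, window_hours=24):
    """Login attempts by leaked accounts within window_hours after leak_seen (ISO 8601 string)."""
    accounts = leaked_accounts(paste)
    start = datetime.fromisoformat(leak_seen)
    deadline = start + timedelta(hours=window_hours)
    hits = []
    for m in LOGIN_RE.finditer(auth_log):
        ts = datetime.fromisoformat(m.group(1))
        user = m.group(2).lower()
        if user in accounts and start <= ts <= deadline:
            hits.append({"time": m.group(1), "user": user,
                         "result": m.group(3), "src": m.group(4)})
    return hits
```

Both successful and failed attempts are reported on purpose: a failure against a freshly leaked account is as useful a signal as a success when deciding which accounts to reset first.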

Evernote as memory extension

"photo.jpg" by {Guerrilla Futures | Jason Tester}

Several months ago, I mused about mining my own personal data for various purposes. Several areas that interested me had to do with what I read, especially online. So having recently discovered Evernote, I think this will work perfectly. For the last couple of weeks, I literally clip every single article I read online. Well, except for the ones that bore me so much that I bail after the first paragraph or two.

Yes, this means that if I read your blog post, or a news story, or anything else from Hacker News or Paper.li or Twitter, I clip it. Usually, I’ll do this with the Clearly extension for Chrome, unless I find it when using my phone. Later, I go through whatever is in my inbox notebook and tag it before moving it to an archive notebook. This has the effect of building up data for a decent tag cloud, although I haven’t built one yet. And if I can even remember a snippet of an article, I can go back to find it.

Of course, Evernote has other use cases, but so far using web clipping as a sort of external memory has stood out as the primary one for me.

What I want out of an RSS reader

I’ve nearly reached the breaking point with Google Reader and its devolution. The simplified interface and reduced functionality have me seeking out a new RSS reader. If you have any pointers, please let me know. Here are the things that matter to me:

Must-Haves:

  • Web access: Not living purely in the client, although syncing is possibly okay
  • Mobile access: Android access best but I can live with mobile web.
  • Evernote integration: This has become my archival tool for everything I read.
  • Stats: Help me understand what I read, what I’m ignoring, what’s happening with my feeds, etc. Alternately, an API I can mine may suffice.
  • HTTPS support: I must encrypt my login and traffic with the site. This is not negotiable and I cannot accept any substitute. (You should feel the same, dear reader…)

Nice-to-Haves:

  • Twitter integration: I don’t always share links, but when I do, I prefer Twitter.
  • Podcast client: Would like to use podcasts from the same reader if possible.
  • Delicious integration: Good for tagging and link blogging. If I can do a link blog with the site, I may consider it.

Scope expansion for data science

"Connecting to the Interweb Tubes" by Nick Wheeler

I’ve discussed my interest in data science and big data quite a bit on Twitter. This partly has to do with my contention that good SIEM and log analysis work should overlap significantly with data science, among other fields. It also has to do with my ongoing search for fulfillment in finding ways to work on stuff that matters (i.e. not pure infosec).

So then today I just asked the question straight out:

I got a bit of feedback from some of my usual Twitter crowd, encouraging me to simply grow the scope of this site. I have two concerns: one, will the (relatively small) existing reader base get frustrated with posts that have, at best, a tangential relationship to security? Two, will any new readers pigeonhole the blog – or me – as an information security blog, passing over the data content?

The sorts of things I intend to start including, whether here or elsewhere, include technical discussion of data analysis, walkthroughs of techniques as I’m exploring them myself, and applications in other fields. As an example, right now I have some processes running to analyze refugee trends based on data provided by the United Nations High Commissioner for Refugees.

Any thoughts, suggestions, or other pointers?

Musings on personal data mining

"Can House at Nettleton's First Shaft" by Garry

Unless you live in a Montana shack, you’ve heard concerns about governments and corporations mining your personal data for various purposes, not all of which you may like. Surveillance and marketing probably top that list. But, as in most other cases, we can use the basic approach and technology for good instead of evil.

If a pervasive culture of data gathering and access has already started to exist, what insights could we glean from collecting and mining our own personal data? Some obvious answers include health, social connections, news, purchases, locations, and more. So as a first pass, I’d like to look at doing something like the following:

  • Social media (Twitter, Google+, Delicious, blogging): What am I reading? What am I missing that might be more relevant than some things I read now? Who do I talk to? Where can my expertise be more useful?
  • Email: Am I handling it efficiently? What slips through the cracks? How can I process it more effectively?
  • Browser: Where is that article I read last week? Have there been any follow-ups to that story? Have I missed some relevant data sources? Do I waste too much time on some sites without getting enough value in return?
  • Transactions: Where do I spend my money? Which vendors get most of my money? Where should I cut expenses? Can I make my expense reporting for work more efficient?
  • Location: How much time do I spend in my commute? Would alternate routes be more effective? Could I improve my gas mileage?
  • Productivity: What sorts of tasks in my personal kanban get the most attention? Am I estimating task size properly? What keeps getting left behind? What have I not tracked but should?
  • Health data: Besides the obvious things like vital signs (weight, BP, etc.), how do my various choices correlate with my mental state? What times of the day work best for exercise and increased activity? What affects the quality of my sleep?

The really big value comes when you correlate this stuff. At least two dimensions make immediate sense here: time (maybe via an annotated, filtered timeline) and location (plotting social activity, purchases, etc. on a map). We could find more, of course, but those make good starting points.

Of course, the core idea itself has been around for a while, but we’d want to approach it with security in mind. After all, if you gather all that information in one place, it needs good protection, both at rest and while processing it. This gets even more important when you consider financial data, location over time, and perhaps reading material. Privacy matters, and this entire project focuses on getting the benefits of our own data for ourselves rather than for others.

I have a few ideas of things I want to test over the long weekend, so I should report back next week on early results.

Data flow for personal consumption

This post is mostly for my benefit as I’m sorting out my information flow and consumption. But in addition to the meta-cognition of thinking about what I’m thinking about, I thought I might get some ideas from people. If this seems boring or overly pedantic, feel free to skip it, but I enjoy these sorts of things from time to time.

Input

So, like almost everybody else, I have a surplus of incoming data. The firehose unleashes as soon as I wake up:

  • Work email
  • Personal email
  • Twitter
  • Google+
  • Blogs
  • Reddit / Hacker News / occasional forum usage

Meatspace interactions should probably count here as well, but talking with my wife and kids, or the friendly barista who brews my soy latte, doesn’t need the same sort of management process. Depending on how much time I spend on the items in that list, or rather how much energy I choose to devote to them, that can become overwhelming. Some of them offer more value or take higher priority. For example, work email gets much more of my attention than Reddit (most days).

Tools

In order to handle that flow, I have several tools with which I’ve grown comfortable (and a few others that I use for experimentation).

This lets me filter and organize diverse inputs, possibly collating them into several tools (e.g. blogs -> RSS feeds -> Google Reader) or even structuring data that may not be presented as such. Yahoo! Pipes in particular may need replacement soon, as I haven’t set up any new projects with it in a while.

Outputs

Sometimes, I want to share what I’ve come across. This might be for fun or it might be due to work needs. Other times, I end up producing something as I integrate and synthesize this information (like in a blog post or internal analysis).

  • Work email
  • Personal email (rare)
  • Blog post
  • Internal document or other work product
  • Sharing (Google+, Twitter)
  • Link blog / social bookmarking

I notice that nothing here really comes from Reddit and Hacker News. That stuff mostly just goes straight to internal consumption; I certainly don’t share back there much except for the occasional comment and really occasional link submission.

Process

I really need to stay focused on continual improvement here, because the real bang for the buck comes from focusing on things that matter. The best example of this? Eliminating almost all Internet fora (message boards) has helped, not just in terms of time spent but also in my general mental state.

However, I make a point of starring things in Twitter or Reader that deserve more attention than I can give at the moment. Emails get flagged for attention so that they show up in my Outlook Tasks, or perhaps get added to my personal kanban. If I’ve read it and think it might be worth someone else’s time, I’ll share it via Delicious. If I think I’d like to invite some discussion on it or find it particularly awesome, I’ll share on Twitter or Google+ (rarely both as I don’t have much intersection between my networks).

When I notice that some class of input seems to require more manual processing than it should, I look for ways to streamline it. That might mean a rule in Outlook or assigning an OIB label, or finding an appropriate method to automate its processing. Like any other optimization process, this usually involves looking for the best bang for the buck — including possibly dropping the input altogether if it doesn’t give enough value.

As part of my job, I often handle incoming threat (or risk) intelligence, including via internal methods like an FS-ISAC alert or via my own open source monitoring. That’s a special case and one I’ll tackle in a future article due to its sensitive and specialized nature.