Sunday, May 20, 2007

Latest Plane Reading

I'm on the road again, en route to Gold Coast for AusCERT, followed by a public course on Network Security Monitoring in Sydney on Friday 25 May 2007. There are still seats left -- check it out if you want to attend!

Here are a few thoughts on items I read on my flight from IAD to LAX.


  • The latest Cisco IP Journal article on DNS Infrastructure by Steve Gibbard is awesome. Read it if you really want to understand global DNS in a few pages.

  • The HotBots paper Peer-to-Peer Botnets (.pdf) is awesome. I question the use of PerilEyez for forensic work, but I haven't tried it before. I need to check out Trojan.Peacomm and Kademlia.

  • Baller Herbst has helpful CALEA docs. I also liked the Aqsacom LAWFUL INTERCEPTION FOR IP NETWORKS White Paper (.pdf).

  • Kudos to Matt Blaze for more cool research, specifically his co-authored paper The Eavesdropper's Dilemma. If you think you're doing network forensics, you need to develop a strategy to address his conclusion:

    Internet eavesdropping systems suffer from the eavesdropper’s dilemma. For electronic wiretapping systems to be reliable, they must exhibit correct behavior with regard to both sensitivity and selectivity. Since capturing traffic is a requisite of any monitoring system, considerable research has focused on preventing evasion attacks and otherwise improving sensitivity. However, little attention has been paid to enhancing selectivity or even recognizing the issue in the Internet context. Traditional wisdom has held that eavesdropping is sufficiently reliable as long as the communicating parties do not participate in a bilateral effort to conceal their messages.

    We have demonstrated that even in the absence of cooperation between the communicating endpoints, reliable Internet eavesdropping is more difficult than simply capturing packets. If an eavesdropper cannot definitively and correctly select the pertinent messages from the captured traffic, the validity of the reconstructed conversation can be called into question. By injecting noise into the communication channel, unilateral or third-party confusion can make the selectivity process much more difficult and therefore further diminishes the reliability of electronic eavesdropping.


    Life just got more complicated.

  • We need to take out Hackistan.

  • CIO Magazine has a good article with percentages of companies not in compliance with various rules and regulations. It contains gems like:

    Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science—and it is frequently a matter for negotiation. How to (or, for some CIOs, even whether to) follow regulations is neither a simple question with a simple answer nor a straightforward issue of following instructions. This makes it more an exercise in risk management than governance. Often, doing the right thing means doing what’s right for the bottom line, not necessarily what’s right in terms of the regulation or even what’s right for the customer...

    “We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions: What’re the most important things that are absolutely required by law?”...

    The CISO told Taylor that she had received an e-mail from one of her programmers informing her that the school may have experienced a breach that may have exposed students’ personal information. The programmer was unsure if the law required the school to report the incident and asked the CISO for guidance.

    Taylor asked her what she did. She said she wrote back to the programmer telling him not to do anything. Taylor told the CISO that the university should have reported the breach. The CISO disagreed, saying, essentially, that because very few people review system log files and because only one or two people at the university understood the systems and the data in them, it was probable that the breach would go unremarked and undiscovered...

    The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he suggests...


    All of this rings true to me.

  • Who's Had a Taste of Your Intellectual Property? in Information Security magazine is good.

    According to a 2006 report from the office of the United States Trade Representative (USTR), U.S. businesses are losing approximately $250 billion annually from trade secret theft. Federal law enforcement officials say the most targeted industries include biotechnologies and pharmaceutical research, advanced materials, weapons systems not yet classified, communications and encryption technologies, nanotechnology and quantum computing...

    [I]t can take years until a trade secret theft is detected, says Smith: "You wouldn't even know it [your IP] was missing for five years, when a competitor would suddenly introduce a product that sold for one-third to one-fifth of the price of yours."...

    For organizations that depend heavily on commercializing the product of their R&D activities, trade secrets are particularly important. Patents are equally important, but trade secrets differ from patents in a significant way. They are--as their name implies--secret. Whereas patents represent a set of exclusive rights granted by the government in exchange for the public disclosure of an invention, a trade secret is internal information or knowledge that a company claims it alone knows, and which is a valuable intangible asset.

    While patent owners have certain legal protections from anyone using their patents without permission, companies are responsible for proving they have the right to legal protection of their trade secrets. According to the UTSA, your company must demonstrate that the specific information or knowledge is not generally known to the public, therefore it derives independent economic value; and that you have made reasonable efforts to make sure the knowledge remains secret.

    A trade secret's validity can only be proven via litigation; there's no automatic protection just because your company believes it possesses one. Ironically, a trade secret must be stolen or compromised before you can attempt to demonstrate it is legally a trade secret. Once in litigation, your company must convince the court of three points: secrecy, value and security. Inevitably, the most difficult element to demonstrate is that your company had reasonable controls in place to protect the secrecy of the IP in question...

    John Landwehr, Adobe's director of security solutions and strategy, believes that the best protection of sensitive data happens at the document level: "Given the range of devices that IP can live on--from desktops, to laptops, to PDAs and mobile phones--we think that the only viable way to persistently protect that information is if the protection travels with the document."

    However, a word of caution about some of these products designed to protect confidential data: Because the vast majority are based on rule-set driven engines, the number of false positives they generate can be significant.


    Oh, that last point sounds too much like IDS. It must be bad?
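To make the selectivity problem from the Eavesdropper's Dilemma excerpt above concrete, here is a small added example of my own in Python; it is not code from the paper or from this post. It models one confusion technique in the spirit of Ptacek and Newsham's insertion attacks: a third party injects chaff segments into a TCP stream that the receiving host discards (bad checksum, or a TTL too small to reach it) but that a passive monitor which does not validate them happily reassembles. The packet model, the toy checksum, the hop count and the captured segments are all constructed assumptions, not real traffic.

```python
"""Eavesdropper's selectivity problem: chaff the endpoint drops but a naive monitor keeps.

Added illustration; the packet model, checksum and capture are constructed, not real traffic.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Segment:
    seq: int        # offset of payload[0] in the byte stream
    payload: bytes
    checksum: int   # toy stand-in for the TCP checksum
    ttl: int        # IP TTL as seen at the monitor's tap point


def toy_checksum(payload: bytes) -> int:
    """Stand-in for the real TCP checksum; only whether it validates matters here."""
    return sum(payload) & 0xFFFF


def segment(seq: int, payload: bytes, ttl: int = 64, corrupt: bool = False) -> Segment:
    chk = toy_checksum(payload)
    if corrupt:
        chk ^= 0x1          # chaff with a deliberately bad checksum
    return Segment(seq, payload, chk, ttl)


# Assumption: the receiver sits 5 router hops beyond the tap, so any segment
# whose TTL is 5 or less at the tap expires in transit and never arrives.
HOPS_TAP_TO_RECEIVER = 5


def endpoint_accepts(seg: Segment, hops_to_receiver: int) -> bool:
    """Model of the receiving stack: a bad checksum or an expired TTL means the segment is dropped."""
    if seg.checksum != toy_checksum(seg.payload):
        return False
    return seg.ttl > hops_to_receiver


def reassemble(segments: Iterable[Segment], accept: Callable[[Segment], bool]) -> bytes:
    """First-arrival-wins reassembly by sequence number (one common overlap policy)."""
    stream = {}
    for seg in segments:
        if not accept(seg):
            continue
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, byte)
    if not stream:
        return b""
    return bytes(stream.get(i, ord("?")) for i in range(max(stream) + 1))


# Constructed capture: the client sends "GET /index.html HTTP/1.1"; a third party
# injects two chaff segments at the same sequence numbers, each arriving first.
CAPTURE = [
    segment(0, b"GET /"),
    segment(5, b"secret.txt", ttl=3),              # chaff: TTL expires before the receiver
    segment(5, b"index.html"),
    segment(15, b" HTTP/1.0\r\n", corrupt=True),    # chaff: bad checksum
    segment(15, b" HTTP/1.1\r\n"),
]


def receiver_view(capture, hops_to_receiver: int = HOPS_TAP_TO_RECEIVER) -> bytes:
    """What the endpoint actually received."""
    return reassemble(capture, lambda s: endpoint_accepts(s, hops_to_receiver))


def naive_monitor_view(capture) -> bytes:
    """A sniffer that trusts every segment it sees."""
    return reassemble(capture, lambda s: True)


def monitor_view(capture, hops_to_receiver: int) -> bytes:
    """A monitor that validates checksums and applies a *guessed* path length.

    The checksum test is decisive; the TTL test is only as good as the guess,
    which is exactly the selectivity problem the quoted paper describes.
    """
    return reassemble(capture, lambda s: endpoint_accepts(s, hops_to_receiver))


if __name__ == "__main__":
    print("endpoint   :", receiver_view(CAPTURE))
    print("naive tap  :", naive_monitor_view(CAPTURE))
    print("tap, hops=5:", monitor_view(CAPTURE, 5))
    print("tap, hops=2:", monitor_view(CAPTURE, 2))
```

The naive tap reconstructs "GET /secret.txt HTTP/1.0", the endpoint sees "GET /index.html HTTP/1.1", and a monitor that checks checksums but guesses the wrong hop count gets a third answer. Checksum chaff is cheap to eliminate (tell your sniffer to validate checksums); TTL chaff is only resolvable with knowledge of the path between tap and receiver, which a monitor in the middle of the network usually lacks. That is the practical strategy the excerpt demands: collect as close to the endpoint as possible, validate what can be validated, and record ambiguous segments as ambiguous rather than silently picking one reconstruction.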

5 comments:

Clint Laskowski said...

The first link of the second bullet point ("Peer-to-Peer Botnets") is bad and needs to be fixed.

Anonymous said...

P2P bot paper is here (and very interesting, as Richard says): http://www.usenix.org/events/hotbots07/tech/full_papers/grizzard/grizzard.pdf

PS. Hackistan is a lovely country with friendly locals and excellent beer. I highly recommend a visit.

Anonymous said...

Re: The CIO magazine article. The next paragraph after the quoted text bears further consideration:
"That reasoning is “shortsighted,” argues Ari Schwartz, a privacy expert at the Center for Democracy and Technology. The cost of notification is only a small part of the potential cost to a company. Damage to the corporate brand can be significant. And if the FTC rules that the company was in any way negligent, it could face multimillion-dollar fines. In 2006, the FTC fined information aggregator ChoicePoint $15 million after the company admitted to inadvertently selling more than 163,000 personal financial records to thieves. The FTC ruled ChoicePoint had not taken proper precautions to check the background of customers asking for the information."

LonerVamp said...

It is going to be "risk management" just to determine whether to disclose breaches or not. Is the risk of it being found out slim? If so, may as well just hide it. Of course, this is not new to our culture and is "taught" from childhood. Hide mistakes whenever possible.

And it most certainly is a short-sighted approach, but I think it is an approach that a *huge* majority of companies practice, I have no doubt about that. Not only do we hear only about a very small percentage of breaches, but a very small number of breaches are likely to even be detected at all.

Rob Lewis said...

The most likely cause of intellectual property leaks is probably authorized insiders. Since victim companies must prove both the theft of the IP and show the presence of adequate internal controls, most enterprises are sitting ducks.

User-centric access and audit controls at the data file level are an alternative to having the protection travel with the document, because they make for more intuitive management of business data flows and data access in the first place. In other words, you can make rules about who can access documents and what they can do with them.

This is one area where multilevel security will have value.