Tuesday, November 20, 2007

Network Monitoring: How Far?

In my January post The Revolution Will Be Monitored and elsewhere I discuss how network monitoring is becoming more prevalent, whether we like it or not. When I wrote my first book I clearly said that you should collect as much data as you can, given legal, political, and technical means because that approach gives you the best chance to detect and respond to intrusions. Unfortunately, I did not provide any clear guidance for situations where I think monitoring might not be appropriate. While this is by no means a political blog, I would not want my NSM approach to be taken as justification for monitoring and retaining every electronic transaction, especially beyond the security realm.

In that spirit I would like to point out three recent stories which highlight some of the contemporary problems I see with electronic monitoring.

First is Boeing bosses spy on workers. From the story:

Within its bowels, The Boeing Co. holds volumes of proprietary information deemed so valuable that the company has entire teams dedicated to making sure that private information stays private.

One such team, dubbed "enterprise" investigators, has permission to read the private e-mails of employees, follow them and collect video footage or photos of them. Investigators can also secretly watch employee computer screens in real time and reproduce every keystroke a worker makes, the Seattle P-I has learned...

"Employees should understand that the law generally gives employers broad authority to conduct surveillance, whether through e-mail, video cameras or other forms of tracking, including off the job in many cases."

The law grants companies the right to protect themselves from employees who break the law, such as by embezzling money or using the company warehouse to run a drug-smuggling ring.

The problem, [Ed] Mierzwinski [consumer program director at the federation of Public Interest Research Groups] said, is when companies use the surveillance tactics available to them to root out whistle-blowers.

"We need greater whistle-blower protections," he said. But, "if you're using the company's resources and you think it's protected because you're using Hotmail, think again."


My first point on this story is that I have never advocated NSM as a means to combat fraud, waste, and abuse by employees, let alone whistle-blowers. I have almost exclusively focused on external threats. I say let legal and human resources look for non-security policy violations.

My second point on this story is that I think the operative word here is surveillance. NSM is not a surveillance methodology. NSM does not advocate identifying a person of interest, then examining all traffic generated by or directed at that person. NSM is more channel- and system-centric. If I am going to conduct network surveillance of any type, I expect legal and human resources tasking. I do not engage in network surveillance for my own security purposes. I conduct NSM.

The next story is Cal-Ore Telecommunications on Solera Networks. This is a blog posting advertising the adoption of a packet capture appliance sold by Solera Networks to the Cal-Ore ISP in California. From the story:

Cal-Ore, a rural telephone company and ISP headquartered in Northern California, has been serving customers for more than 55 years. In order to comply with CALEA requirements, Charles Boening, Cal-Ore’s network manager considered three choices. First, they could do nothing and hope they never received a lawful intercept warrant request. Second, they could contract with a trusted third-party (TTP) that would perform any tapping services and bring them into compliance: at a six-figure price tag with ongoing fees. Or third, they could purchase a Solera DS 1000 from Solera Networks...

“We not only capture traffic that goes to the Internet, we can also use those extra Ethernet ports to capture traffic from other areas of our network,” Boening said...

While not being used to fulfill a warrant, Boening uses the Solera DS 1000 for complete network packet capture and storage. This has become an integral component to network management at Cal-Ore...

“We’ll hear from other providers telling us that we have a customer who is sending out spam,” said Boening. “Before I disconnect that customer, I need to verify it is a legitimate complaint. I use the Solera Networks box to find specific traffic over a period of time and put it into an analyzer, such as Wireshark, to determine whether it is junk. If it is, I will then turn off the customer.”


When I read this I thought "This ISP is logging all traffic that customers send to the Internet?" I read their terms of service and found this:

Use of any Cal-Ore Telephone network service constitutes consent to monitoring at all times. If monitoring of any device in the Cal-Ore Telephone network reveals any evidence regarding violation of copyright laws, security regulations or any instance of unauthorized use of any system, this evidence and any other related information, including identification information about the user, can and will be provided to law enforcement officials.

It appears Cal-Ore is relying on the consent exception to the Wiretap Act to stay within federal law. They could also argue that their capture "is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service," which is the Act's separate provider exception.

However, California law is a little different. As noted in Applying the Wiretap Act to Online Communications after United States v. Councilman, California is a two-party consent state, meaning that both parties to the communication must consent before interception is permissible. I am not a lawyer (I may have to rectify that situation at some point), but it sounds like the consent exception is lost as soon as someone who is not a Cal-Ore customer, and so has never agreed to that terms-of-service clause, communicates via IM with a Cal-Ore user.

The third story is actually a set of articles posted by The Baltimore Sun about the National Security Agency and "cyber security." A slightly more recent article called In focus: Targeting Internet terror offers a few items of interest:

President Bush quietly announced yesterday his plans to launch a program targeting terrorists and others who would seek to attack the United States via the Internet, according to lawmakers and budget documents.

Bush requested $154 million in preliminary funding for the initiative, which current and former government officials say is expected to become a seven-year, multibillion-dollar program to track threats in cyberspace on both government and private networks...

At the White House, spokesman Sean Kevelighan would say only that the money would be used for "increased monitoring capabilities, as well as to increase the security of our networks."


I'm interested in this article because it and previous stories hint that the government might monitor private networks for security purposes. This would be quite a step if true.

Monitoring remains a hot topic, so I plan to keep my eye on these issues going forward.

8 comments:

Alex Raitz said...

Re: hinting at the government monitoring of networks for security purposes, I recall getting that same hint at Black Hat this year listening to the "Traffic Analysis" talk by Jon Callas, Raven Alder, Ricardo Bettati, and Nick Matthewson.

I had the chance to talk to Mr. Bettati at lunch one day, and we discussed NSM as it related to his research. The whole table was involved and had a lot to say when it came to the potential privacy concerns when collecting all possible data, even if for "research" purposes.

jbmoore said...

NSM captures data. Data is amoral. It can be used for good or bad. How it is used is up to the people who have it. You have to train your people to be responsible.

Anonymous said...

"NSM does not advocate identifying a person of interest, then examining all traffic generated by or directed at that person. NSM is more channel- and system-centric."

I'm glad you clarified that.
I often notice a tendency to overshoot the objective as soon as monitoring "is able to" provide the necessary data.
I don't know how to translate it correctly, but the term "anticipated obedience" is something I learned to be very wary of.
It describes an attitude of losing sight of the initial motives due to fear, unawareness or the need to suit a belief, often resulting in very high total costs.
Recently I had the chance to compare our approach to other colleagues'. I was able to measure a significant difference in terms of expenses, motivation and legal implications.
It was amazing how management by fact made a difference.

Richard Bejtlich said...

jbmoore,

Part of my point is that the act of capturing the data can be illegal. That's a big issue.

Anonymous said...

This reminds me of "In God We Trust, All Others We Monitor" the old Intelligence field adage (attributed to NSA and many others over the years).

At what point does collecting and monitoring ALL activity become more than a "defending the enterprise" and turn into true Intelligence gathering by corporations?

It would be nice to see legislation protecting the rights of US citizens. Even the NSA used to follow USSID 18 Annex J, which required AG authorization to monitor US citizens. Simple checks and balances. Of course the Patriot Act and other Presidential Directives have eroded those checks and balances in the last few years.

Off the politics soapbox....

I do think enterprises have a right to protect their intellectual property. Surely there are more effective means of providing such protection. I can't imagine the resources it would take to accomplish what is seemingly being done at an organization the size of Boeing. Wouldn't Boeing benefit by putting resources (time, people, tech, etc.) into creating a work environment that lessens the risk of malicious activity? I'm not saying for a moment that anything is 100% effective, but implementing correct role-based privileges (physical/data) and putting effort into collection and analysis of deviations goes a lot further, is more reliable and less prone to abuse, and in the end is more palatable to high-end employees than a "1984" work and living environment.

If it turns into a case where the employee needs additional monitoring because of corporate espionage or other illegal, illicit activities, involve the appropriate authorities, who can conduct the investigation from a more independent perspective. Require a judge to sign off on the monitoring and get the company's resources out of the way; that way you reduce the likelihood of abuse and let the experts do what they do best.

Anonymous said...

It would seem to me that what really needs to get tossed is the two-party consent laws. Companies and individuals who monitor traffic for security and other reasons would have an impossible time complying with the law, and states would have an equally impossible time enforcing it.

Alex Muentz said...

The waiver is probably a belt and suspenders approach implemented by nervous lawyers.

18 USC 2511(2)(a)(i) allows a 'provider' to intercept traffic to render service or protect the rights & property of the provider.

If spam affects the rights/property of the provider, I'm not sure.

If Cal-Ore wanted to be safer, they'd just sniff the mail metadata without the content to get the broader 18 USC 2511(2)(h)(ii) protection, which only requires that they're acting to protect their users (or connected networks) from abusive/illegal/fraudulent uses.
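The metadata-only approach Alex describes, and the spam-complaint check Cal-Ore's network manager describes in the quoted story above, are the two places on this page where a worked example helps. The following Python script is an added example for this page; it is not code from the original post, from Solera Networks, or from Cal-Ore. It assumes a capture tool has already reassembled each SMTP session into per-line records (timestamp, source IP, destination IP, direction, line); the IP addresses, domains, mailbox names and transcripts are constructed for the example, and the summary keys are my own naming. The parser keeps the envelope (MAIL FROM, accepted and rejected RCPT TO, which relay was contacted, whether the relay accepted the message) and counts but discards DATA lines, so the record an abuse desk keeps for a complaint never contains message content.

```python
"""Metadata-only SMTP accounting for checking a spam complaint.

Added example, not from the original post nor Solera's or Cal-Ore's code. It
keeps envelope facts per message attempt (sender, recipients, relay, accepted
or not) and drops the DATA body. Records are (ts, src_ip, dst_ip, direction,
line), direction 'C' client-to-server or 'S' server-to-client; real ones would
come from reassembled TCP streams, the ones below are constructed.
"""
from datetime import datetime, timedelta

def _addr(arg):
    """'FROM:<a@example.net>' -> 'a@example.net'; tolerates missing brackets."""
    lo, hi = arg.find('<'), arg.find('>')
    return arg[lo + 1:hi].lower() if 0 <= lo < hi else arg.split(':', 1)[-1].strip().lower()

def parse_smtp_envelopes(records):
    """One dict per message attempt; body lines are counted, their text never stored."""
    flows, out = {}, []
    for ts, src, dst, direction, line in records:
        st = flows.setdefault((src, dst), {'cur': None, 'in_data': False, 'last': None})
        cur = st['cur']
        if direction == 'C':
            if st['in_data']:
                if line == '.':                 # end of DATA; verdict comes from the server
                    st['in_data'], st['last'] = False, 'END'
                else:
                    cur['body_lines'] += 1      # content is counted and dropped right here
                continue
            verb, _, arg = line.partition(' ')
            st['last'] = verb = verb.upper()
            if verb == 'MAIL':
                st['cur'] = {'ts': ts, 'src': src, 'dst': dst, 'mail_from': _addr(arg),
                             'rcpt_to': [], 'rcpt_rejected': 0, 'body_lines': 0,
                             'accepted': False}
            elif verb == 'RCPT' and cur is not None:
                cur['rcpt_to'].append(_addr(arg))
            elif verb == 'DATA' and cur is not None:
                st['in_data'] = True
            continue
        if cur is None:                          # server chatter outside a transaction
            continue
        code = line[:3]                          # only the reply code matters
        failed = code.startswith(('4', '5'))
        if st['last'] == 'MAIL' and failed:      # sender refused; attempt stays not accepted
            out.append(cur)
            st['cur'] = None
        elif st['last'] == 'RCPT' and failed:
            cur['rcpt_to'].pop()
            cur['rcpt_rejected'] += 1
        elif st['last'] == 'DATA' and not code.startswith('354'):
            out.append(cur)                      # DATA refused
            st['cur'], st['in_data'] = None, False
        elif st['last'] == 'END':
            cur['accepted'] = code.startswith('2')
            out.append(cur)
            st['cur'] = None
        st['last'] = None
    return out

def sender_summary(envelopes, customer_ip, start, end):
    """Aggregate what a complaint check needs for one customer in a time window."""
    sel = [e for e in envelopes if e['src'] == customer_ip and start <= e['ts'] < end]
    return {'attempts': len(sel),
            'accepted': sum(1 for e in sel if e['accepted']),
            'rcpt_rejected': sum(e['rcpt_rejected'] for e in sel),
            'distinct_rcpt': len({r for e in sel for r in e['rcpt_to']}),
            'distinct_dst_mta': len({e['dst'] for e in sel}),
            'distinct_mail_from': len({e['mail_from'] for e in sel})}

def _session(t0, src, dst, lines):
    """Constructed sample: one transcript line per second (greeting and HELO omitted)."""
    return [(t0 + timedelta(seconds=i), src, dst, d, l) for i, (d, l) in enumerate(lines)]

T0 = datetime(2007, 11, 20, 9, 0, 0)
WINDOW_END = T0 + timedelta(hours=1)
CUSTOMER_A, CUSTOMER_B = '192.0.2.10', '192.0.2.20'   # constructed documentation addresses
SAMPLE = (
    _session(T0, CUSTOMER_A, '198.51.100.1', [
        ('C', 'MAIL FROM:<promo1@a.example>'), ('S', '250 OK'),
        ('C', 'RCPT TO:<alice@example.net>'), ('S', '250 OK'),
        ('C', 'RCPT TO:<bob@example.net>'), ('S', '250 OK'),
        ('C', 'RCPT TO:<nobody@example.net>'), ('S', '550 No such user'),
        ('C', 'DATA'), ('S', '354 Go ahead'), ('C', 'Subject: CHEAP PILLS'),
        ('C', ''), ('C', 'Click here'), ('C', '.'), ('S', '250 Queued')])
    + _session(T0 + timedelta(seconds=30), CUSTOMER_A, '203.0.113.5', [
        ('C', 'MAIL FROM:<promo2@a.example>'), ('S', '250 OK'),
        ('C', 'RCPT TO:<carol@example.org>'), ('S', '250 OK'),
        ('C', 'RCPT TO:<dave@example.org>'), ('S', '250 OK'), ('C', 'DATA'),
        ('S', '354 Go ahead'), ('C', 'Subject: CHEAP PILLS'), ('C', '.'), ('S', '250 Queued')])
    + _session(T0 + timedelta(seconds=60), CUSTOMER_B, '198.51.100.1', [
        ('C', 'MAIL FROM:<jane@b.example>'), ('S', '250 OK'),
        ('C', 'RCPT TO:<alice@example.net>'), ('S', '250 OK'), ('C', 'DATA'),
        ('S', '354 Go ahead'), ('C', 'Subject: lunch?'), ('C', '.'), ('S', '250 Queued')])
)

def run_example():
    """Parse the constructed capture; return envelopes plus a summary per customer."""
    env = parse_smtp_envelopes(SAMPLE)
    return (env, sender_summary(env, CUSTOMER_A, T0, WINDOW_END),
            sender_summary(env, CUSTOMER_B, T0, WINDOW_END))
```

Calling run_example() gives customer A two attempts in the window, with two different sender addresses, two relays contacted, four distinct recipients and one rejected recipient, while customer B shows one message to one recipient. That is enough to corroborate or dismiss a complaint of the kind Boening describes without opening a single message body in an analyzer; what it cannot tell you is whether the content itself was junk, which is exactly the trade-off Alex's comment points at.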

Richard Bejtlich said...

Bush Order Expands Network Monitoring