Narrowly Constructing National Surveillance Law

Orin Kerr has a new article that argues for narrowly constructing national security law:

This Essay argues that Congress should adopt a rule of narrow construction of the national security surveillance statutes. Under this interpretive rule, which the Essay calls a "rule of lenity," ambiguity in the powers granted to the executive branch in the sections of the United States Code on national security surveillance should trigger a narrow judicial interpretation in favor of the individual and against the State. A rule of lenity would push Congress to be the primary decision maker to balance privacy and security when technology changes, limiting the rulemaking power of the secret Foreign Intelligence Surveillance Court. A rule of lenity would help restore the power over national security surveillance law to where it belongs: The People.

This is certainly not a panacea. As Jack Goldsmith rightly points out, more Congressional oversight over NSA surveillance during the last decade would have gained us more NSA surveillance. But it's certainly better than having secret courts make the rules after only hearing one side of the argument.

Posted on November 11, 2014 at 2:13 PM14 Comments

Hacking Internet Voting from Wireless Routers

Good paper, and layman's explanation.

Internet voting scares me. It gives hackers the potential to seriously disrupt our democratic processes.

Posted on November 11, 2014 at 6:37 AM28 Comments

Sophisticated Targeted Attack Via Hotel Networks

Kaspersky Labs is reporting (detailed report here, technical details here) on a sophisticated hacker group that is targeting specific individuals around the world. "Darkhotel" is the name the group and its techniques has been given.

This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.

Good article. This seems pretty obviously a nation-state attack. It's anyone's guess which country is behind it, though.

Targets in the spear -- phishing attacks include high-profile executives -- among them a media executive from Asia­as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. "All nuclear nations in Asia," Raiu notes. "Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments." Recently there has been a spike in the attacks against the U.S. defense industry.

We usually infer the attackers from the target list. This one isn't that helpful. Pakistan? China? South Korea? I'm just guessing.

Posted on November 10, 2014 at 2:34 PM36 Comments

The Future of Incident Response

Security is a combination of protection, detection, and response. It's taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network. By 2000, we realized that detection needed to be formalized as well, and the industry was full of detection products and services.

This decade is one of response. Over the past few years, we've started seeing incident response (IR) products and services. Security teams are incorporating them into their arsenal because of three trends in computing. One, we've lost control of our computing environment. More of our data is held in the cloud by other companies, and more of our actual networks are outsourced. This makes response more complicated, because we might not have visibility into parts of our critical network infrastructures.

Two, attacks are getting more sophisticated. The rise of APT (advanced persistent threat)--attacks that specifically target for reasons other than simple financial theft--brings with it a new sort of attacker, which requires a new threat model. Also, as hacking becomes a more integral part of geopolitics, unrelated networks are increasingly collateral damage in nation-state fights.

And three, companies continue to under-invest in protection and detection, both of which are imperfect even under the best of circumstances, obliging response to pick up the slack.

Way back in the 1990s, I used to say that "security is a process, not a product." That was a strategic statement about the fallacy of thinking you could ever be done with security; you need to continually reassess your security posture in the face of an ever-changing threat landscape.

At a tactical level, security is both a product and a process. Really, it's a combination of people, process, and technology. What changes are the ratios. Protection systems are almost technology, with some assistance from people and process. Detection requires more-or-less equal proportions of people, process, and technology. Response is mostly done by people, with critical assistance from process and technology.

Usability guru Lorrie Faith Cranor once wrote, "Whenever possible, secure system designers should find ways of keeping humans out of the loop." That's sage advice, but you can't automate IR. Everyone's network is different. All attacks are different. Everyone's security environments are different. The regulatory environments are different. All organizations are different, and political and economic considerations are often more important than technical considerations. IR needs people, because successful IR requires thinking.

This is new for the security industry, and it means that response products and services will look different. For most of its life, the security industry has been plagued with the problems of a lemons market. That's a term from economics that refers to a market where buyers can't tell the difference between good products and bad. In these markets, mediocre products drive good ones out of the market; price is the driver, because there's no good way to test for quality. It's been true in anti-virus, it's been true in firewalls, it's been true in IDSs, and it's been true elsewhere. But because IR is people-focused in ways protection and detection are not, it won't be true here. Better products will do better because buyers will quickly be able to determine that they're better.

The key to successful IR is found in Cranor's next sentence: "However, there are some tasks for which feasible, or cost effective, alternatives to humans are not available. In these cases, system designers should engineer their systems to support the humans in the loop, and maximize their chances of performing their security-critical functions successfully." What we need is technology that aids people, not technology that supplants them.

The best way I've found to think about this is OODA loops. OODA stands for "observe, orient, decide, act," and it's a way of thinking about real-time adversarial situations developed by US Air Force military strategist John Boyd. He was thinking about fighter jets, but the general idea has been applied to everything from contract negotiations to boxing--and computer and network IR.

Speed is essential. People in these situations are constantly going through OODA loops in their head. And if you can do yours faster than the other guy--if you can "get inside his OODA loop"--then you have an enormous advantage.

We need tools to facilitate all of these steps:



  • Observe, which means knowing what's happening on our networks in real time. This includes real-time threat detection information from IDSs, log monitoring and analysis data, network and system performance data, standard network management data, and even physical security information--and then tools knowing which tools to use to synthesize and present it in useful formats. Incidents aren't standardized; they're all different. The more an IR team can observe what's happening on the network, the more they can understand the attack. This means that an IR team needs to be able to operate across the entire organization.

  • Orient, which means understanding what it means in context, both in the context of the organization and the context of the greater Internet community. It's not enough to know about the attack; IR teams need to know what it means. Is there a new malware being used by cybercriminals? Is the organization rolling out a new software package or planning layoffs? Has the organization seen attacks form this particular IP address before? Has the network been opened to a new strategic partner? Answering these questions means tying data from the network to information from the news, network intelligence feeds, and other information from the organization. What's going on in an organization often matters more in IR than the attack's technical details.

  • Decide, which means figuring out what to do at that moment. This is actually difficult because it involves knowing who has the authority to decide and giving them the information to decide quickly. IR decisions often involve executive input, so it's important to be able to get those people the information they need quickly and efficiently. All decisions need to be defensible after the fact and documented. Both the regulatory and litigation environments have gotten very complex, and decisions need to be made with defensibility in mind.

  • Act, which means being able to make changes quickly and effectively on our networks. IR teams need access to the organization's network--all of the organization's network. Again, incidents differ, and it's impossible to know in advance what sort of access an IR team will need. But ultimately, they need broad access; security will come from audit rather than access control. And they need to train repeatedly, because nothing improves someone's ability to act more than practice.

Pulling all of these tools together under a unified framework will make IR work. And making IR work is the ultimate key to making security work. The goal here is to bring people, process and, technology together in a way we haven't seen before in network security. It's something we need to do to continue to defend against the threats.

This essay originally appeared in IEEE Security & Privacy.

Posted on November 10, 2014 at 6:51 AM11 Comments

Friday Squid Blogging: Dried Squid Sold in Korean Baseball Stadiums

I'm not sure why this is news, except that it makes for a startling headline. (Is the New York Times now into clickbait?) It's not as if people are throwing squid onto the field, as Detroit hockey fans do with octopus.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 7, 2014 at 4:11 PM120 Comments

Testing for Explosives in the Chicago Subway

Chicago is doing random explosives screenings at random L stops in the Chicago area. Compliance is voluntary:

Police made no arrests but one rider refused to submit to the screening and left the station without incident, Maloney said.

[...]

Passengers can decline the screening, but will not be allowed to board a train at that station. Riders can leave that station and board a train at a different station.

I have to wonder what would happen if someone who looks Arab refused to be screened. And what possible value this procedure has. Anyone who has a bomb in their bag would see the screening point well before approaching it, and be able to walk to the next stop without potentially arousing suspicion.

Posted on November 7, 2014 at 9:59 AM51 Comments

Why Hyping Cyber Threats is Counterproductive

Robert Lee and Thomas Rid have a new paper: "OMG Cyber! Thirteen Reasons Why Hype Makes for Bad Policy."

Posted on November 6, 2014 at 2:54 PM12 Comments

How the Internet Affects National Sovereignty

Interesting paper by Melissa Hathaway: "Connected Choices: How the Internet Is Challenging Sovereign Decisions."

Abstract: Modern societies are in the middle of a strategic, multidimensional competition for money, power, and control over all aspects of the Internet and the Internet economy. This article discusses the increasing pace of discord and the competing interests that are unfolding in the current debate concerning the control and governance of the Internet and its infrastructure. Some countries are more prepared for and committed to winning tactical battles than are others on the road to asserting themselves as an Internet power. Some are acutely aware of what is at stake; the question is whether they will be the master or the victim of these multilayered power struggles as subtle and not-so-subtle connected choices are being made. Understanding this debate requires an appreciation of the entangled economic, technical, regulatory, political, and social interests implicated by the Internet. Those states that are prepared for and understand the many facets of the Internet will likely end up on top.

Posted on November 6, 2014 at 6:46 AM10 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..