Wednesday, July 31, 2013

We still fail at log analysis

Recently I've been working a couple of data analysis projects, and writing
some software in support of that. Much of it has direct application to
automated log analysis, alerting, and decision-support. While I am still tweaking,
I have been pleased with the results.

Which is a Good Thing, because we need to be a lot better at it than the data
suggests we currently are. Good data are scarce, but the Verizon Data Breach
Investigations Reports do provide some. Exactly what is reported each year, and the format
in which it is reported, changes each year. To some extent it has to; the
landscape changes rapidly.

Back in 2010

  • 86% of victims had evidence of the breach in their log files
  • 3% of breaches were discovered by log analysis or review
  • 4% were detected by the combination of event monitoring and log analysis (This is a drop from the 6% of 2009)
  • 30% were in compliance with PCI Requirement 10: "Track and monitor all access to network resources and cardholder data." A better number than the abysmal 5% in 2009

Fast forward to the report for 2012 (published in 2013), where the data
are again presented in a slightly different way. Detection via logs was
1% overall, broken out by organization size, with no definition given of the size classes: Small (nothing reported), Large (4%), and Overall (1%).

There was no figure for how many victims had evidence of the breach in their logs,
but there is no reason to believe it is substantially different from the 86%
reported in 2010. So it would appear that there is significant room for
improvement in log analysis.

I think we can all agree that the worst-case scenario is to not only suffer a 
breach, but to have it discovered by an external party. Anyone doing incident 
response is (or should be) aware that the clock is ticking. If it's public, 
there could be a lot of people watching it tick.

Perhaps it's time to look at your log analysis systems again, including a check
to ensure that the system is inclusive enough. It's common for organizations to
not even know where all the logs are. The causes vary: logs written by
unfamiliar or misconfigured software, or by systems that were installed
incorrectly or surreptitiously.

If any of that is found, the problems are obviously more extensive than just logs.
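One concrete form of the inclusiveness check above is to compare what the collector actually receives against what it should receive. The following is an added example, not code from the original post: it parses a constructed sample of BSD-style syslog lines (a simplified parser, not a full RFC 3164 implementation), compares the hosts seen against a hypothetical asset inventory, and reports hosts that are expected but silent, hosts that are logging but unknown (a candidate for the "installed surreptitiously" case), hosts whose last message is stale, and lines the parser cannot make sense of (the "unfamiliar or misconfigured software" case). The hostnames, lines and thresholds are all made up for illustration.

```python
"""Log-source coverage check (added example; all data below are constructed)."""
import re
from datetime import datetime, timedelta, timezone

# Hypothetical asset inventory: hostnames that are expected to ship logs.
INVENTORY = {"web01", "web02", "db01", "vpn01", "hr-app01"}

# Constructed sample of what the collector received in the window under review.
SAMPLE_LINES = """\
<34>Jul 31 09:00:01 web01 sshd[1201]: Accepted publickey for deploy from 10.0.4.12 port 51022
<38>Jul 31 09:00:05 web02 nginx: 10.0.4.12 - - "GET /health HTTP/1.1" 200
<34>Jul 31 03:12:40 db01 postgres[881]: LOG: connection authorized: user=app database=orders
<34>Jul 31 09:01:17 lab-build7 sshd[77]: Accepted password for root from 192.0.2.9 port 4444
<30>Jul 31 09:01:30 web01 cron[2000]: (root) CMD (/usr/local/bin/backup.sh)
this is not a syslog line at all
""".splitlines()

# Simplified BSD syslog shape: <PRI>Mon DD HH:MM:SS host prog[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[\w.-]+) (?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line, year):
    """Return a dict for a well-formed line, or None if it does not parse.

    BSD syslog timestamps carry no year, so the caller supplies one.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "host": m["host"],
        "prog": m["prog"],
        "ts": ts.replace(tzinfo=timezone.utc),
        "msg": m["msg"],
    }


def coverage_report(lines, inventory, now, stale_after):
    """Compare received log sources against the inventory.

    Returns a dict with:
      silent   - inventoried hosts from which nothing was received
      unknown  - hosts that sent logs but are not in the inventory
      stale    - inventoried hosts whose newest message is older than stale_after
      unparsed - lines the parser rejected (unfamiliar or misconfigured emitters)
    """
    last_seen = {}
    unparsed = []
    for line in lines:
        rec = parse_line(line, now.year)
        if rec is None:
            unparsed.append(line)
            continue
        host, ts = rec["host"], rec["ts"]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    seen = set(last_seen)
    return {
        "silent": sorted(inventory - seen),
        "unknown": sorted(seen - inventory),
        "stale": sorted(h for h, t in last_seen.items()
                        if h in inventory and now - t > stale_after),
        "unparsed": unparsed,
    }


def run_example():
    """Run the check over the constructed sample at a fixed 'now'."""
    now = datetime(2013, 7, 31, 9, 2, 0, tzinfo=timezone.utc)
    return coverage_report(SAMPLE_LINES, INVENTORY, now, timedelta(hours=1))


if __name__ == "__main__":
    report = run_example()
    for key in ("silent", "unknown", "stale"):
        print(f"{key:8s}: {', '.join(report[key]) or '-'}")
    print(f"unparsed: {len(report['unparsed'])} line(s)")
```

On the sample above the check reports vpn01 and hr-app01 as silent, lab-build7 (root password login from an unexpected address, and not in the inventory) as unknown, db01 as stale, and one unparsable line. Each of those is a question for someone outside the log pipeline: a silent host may have had its forwarder broken or removed, an unknown host may be the surreptitious install the paragraph warns about, and the unparsable line may be a misconfigured emitter that the analysis layer has been quietly dropping.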

Thursday, July 4, 2013

First Actionable Item From Snowden NSA Leaks

Here it is, the Fourth of July, and I am putting up a post. That is dedication!

Actually, the barbeque is going, and the spud salad and the rest of it is done. Even though the recent Oregon heat wave has broken, I don't want to be sitting next to that barbeque, since I cleverly placed it in the hottest, most uncomfortable place available. I really need to take care of that. I just spent a couple of hours at a state park, I'll be outside most of the afternoon and evening, and I managed to get a bit of sunburn standing in the river behind my house yesterday, which I do not want to make any worse. So I'm good with being in a nice cool office for a bit, and I'll probably finish up sometime later today.

On June 7, I posted 
NSA overreach: is it actionable, or just random news? in which I intimated that there is little that is actionable from the perspective of a security practitioner.

Since then, the revelations have continued, and NSA are about as FUBARed as it is possible to be. The popular press is where much of this is coming from, and this issue is not going away. I may talk about why in another post. I do keep up with this stuff, out of professional interest. Still, you might roughly classify news organizations into members of the

generic mass media,
generic IT media,
pop security media,
technical security media,

though the lines occasionally wander. I use many news sources, which I divide into tiers based on accuracy, level of detail (these are not the same thing), frequency of update, political skew, etc. Efficiently keeping up with security news (and it must be done efficiently, lest it become a full-time job) is difficult to do well. Note that this does not include research papers, or what corporate white papers have become over recent years. Those have to be read too, but I don't regard them as media, in the same sense as the above list.

Here is something you do not see every day. Another piece from The Guardian, New NSA leaks show how US is bugging its European allies, the UK newspaper (generic mass media) which was one of the first to take this whole thing public, reveals information on attacks against diplomatic embassies and missions of the EU and member nations.

The generic IT media and pop security media have already begun to lump this entire thing into PRISM. It's easy to remember and search for, which is an advertising revenue win, without which they do not exist. Meanwhile, the generic mass media Guardian is more accurate than generic IT media or pop security media in their code names for attacks (NSA will have changed all these the moment they were revealed, but they may become useful search terms, if only for students of history).

BLACKFOOT: French diplomatic mission to the UN
WABASH: French embassy in Washington
BRUNEAU, HEMLOCK: Italian embassy in Washington
POWELL: Greek UN diplomatic mission
KLONDYKE: Greek embassy in Washington
PERDIDO: EU UN diplomatic mission

Crucially, they also provide a graphic related to DROPMIRE, an attack against secure FAX. Specifically against Cryptofax, a product of the Swiss firm Crypto AG. As an aside, there have been rumors and accusations (since confirmed to my satisfaction) since the 1980s of collusion between Crypto AG and NSA. I am surprised that The Guardian didn't pick up on that.

This is where things get actionable, in two areas. The first depends on how technically well-resourced your likely adversaries may be, in a pure security context.

That image was enough for Dr. Markus Kuhn, of the Computer Laboratory, University of Cambridge, to go on. In a post to Light Blue Touchpaper (technical security media published by the Computer Lab) he convinced me that this was a TEMPEST attack. TEMPEST is another codename, referring most commonly to compromising radio emanations; in this case, to monitoring the radio-frequency energy emitted as the FAX machine's laser was switched on and off. That may be very much actionable.

TEMPEST attacks have a long history, and the countermeasures are well understood. I am actually a bit disappointed in the EU, and EU member states, for allowing a TEMPEST attack to succeed; note that the home of the University of Cambridge is the UK, an EU member state.

The second area that might be actionable depends on whether you are in the midst of, for instance, sensitive negotiations with German counterparts.

In the real world, even friendly or allied governments spy on one another. Despite the public expressions of shock and dismay that you can expect to hear from members of EU governments, they almost have to. At the nation-state level, even friendly or allied governments do not have completely aligned interests (it's almost as if they are different countries or something), and you need to know if a friendly or allied government is about to stop being friendly or allied. Even if it is limited to a single issue, if that issue is important enough. An intelligence agency that gets this wrong will be said to have suffered an intelligence failure (Google that), and will be barbequed. 

In this case, the other guys have a bit of egg on their faces, as the expertise to prevent this was available to them, but wasn't effectively used. Of course, politicians being much the same in any Western nation, they will hope it blows over, and attempt to cover with indignation if it does not. Or cover with the 'hackers on steroids' defense that was used by so many US organizations who were hacked to the bone by the script-kiddies of Anonymous. This is entirely predictable.

Make no mistake: this is not going away soon, even if the leaks stopped immediately. The politicians, and NSA, will be disappointed. It is not going to blow over, and they will feel the need to be perceived as Doing Something, even if it is The Wrong Something. Repercussions seem likely to be large and long-lived -- consider that a federal election will occur September 22 in Germany. Germany is a NATO ally, the leading economic power of the EU, and a justifiably privacy-sensitive nation, particularly given what came out about the East German Ministry for State Security (Stasi) before reunification. It has been revealed that NSA collected against Germany, and has classified them as a valid target.

Nor is Germany the only trouble spot that lies ahead.

On a final note, I am not defending all that NSA have done; their surveillance of US citizens, and lying to all and sundry to cover it up, are heinous. NSA have a history of doing things that are either dubious or simply illegal, and they need to be reined in periodically. I am not defending the politicians who failed to do what they were elected to do, though at least Senators Ron Wyden and Mark Udall of the Senate Select Committee on Intelligence tried.

There is a far greater likelihood of a whistleblower going to prison than an NSA official who breaks the law. We need to fix that if we intend to become a more just society. Possibly some of the more damaging leaks may have been intended to find a sympathetic ear; to find a safe haven after the hue and cry went up from the US government. If that is the case, a trustworthy whistleblower program would have prevented the majority of the damage to our foreign relations that has so far occurred. 

Whether the service that he has undoubtedly rendered to his fellow citizens by revealing the latest NSA overreach event is outweighed by the damage that he has done to foreign relations is for history, and more practically, a jury of his peers to determine.

Wednesday, August 28, 2013 Update

And the NSA has indeed become an election issue in Germany. According to Der Spiegel, Peer Steinbrück, Chancellor Angela Merkel's challenger in Germany's September general election, called for a suspension of trans-Atlantic free trade talks.