New York Times gets Pwned, Responds all New School

So there’s a New York Times front page story on how “Hackers in China Attacked The Times for Last 4 Months.”

I just listened to the NPR story with Nicole Perlroth, who closed out saying:

“Of course, no company wants to come forward and voluntarily say ‘hey we were hacked by China, here’s how it happened, here’s what they took’ because they’re probably scared of what it will do to their stock price or their reputation. In this case, what was interesting was that it was my own employer that had been hacked. We felt that it was very important to come out with this and say ‘this is how easy it is for them to break into any US company and here’s how they’re doing it.’” [Link added.]

On Twitter, Pete Lindstrom suggested that “seems they are highlighting successes, not woes.” Zooko suggested several things including “perhaps since it is news, the NYT is happy to print it, because *any* news sells papers?” and “Or is this a cultural change, where people stop trying to secure their perimeter and hiding their failure to do so?”

Me, I believe it’s culture change, but am aware of the risk of confirmation bias. When I think back to 2008, I think the peanut gallery would have been pointing and giggling, and I think we’re over that.


Breach Analysis: Data Source biases

Bob Rudis has a fascinating and important post “Once More Into The [PRC Aggregated] Breaches.” In it, he delves into the various data sources that the Privacy Rights Clearinghouse is tracking.

In doing so, he makes a strong case that data source matters, or as Obi-Wan said, “Luke, you’re going to find that many of the truths we cling to depend greatly on our own point of view:”

[Figure: breach count by metatype and year]

I don’t want to detract from the work Bob’s done. He shows pretty clearly that human and accidental factors are exceeding technical ones as a source of incidents that reveal PII. Without detracting from that important result, I do want to add two points.

First, I reported a similar result in work released in Microsoft SIR v11, “Zeroing in on Malware Propagation Methods.” Of course, I was analyzing malware, rather than PII incidents. We need to get away from the idea that security is a purely technical problem.

Second, it’s time to extend our reporting regimes so that there’s a single source for data. The work done by non-profits like the Open Security Foundation and the Privacy Rights Clearinghouse has been awesome. But these folks are spending a massive amount of energy to collect data that ought to be available from a single source.

As we talk about mandatory breach disclosure and reporting, new laws should create and fund a single place where those reports must go. I’m not asking for additional data here (although additional data would be great). I’m asking that the reports we have now all go to one additional place, where an authoritative record will be published.

Of course, anyone who studies statistics knows that there are often different collections, and competition between resources. You can get your aircraft accident data from the NTSB or the FAA. You can get your crime statistics from the FBI’s Uniform Crime Reports or the National Crime Victimization Survey, and each has advantages and disadvantages. But each is produced because we consider the data an important part of overcoming the problem.

Many nations consider cyber-security to be an important problem, and it’s an area where new laws are being proposed all the time. These new laws really must make the data easier for more people to access.

Happy Data Privacy Day! Go check out PrivacyFix

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and checking your settings regularly is a drain.

Enter PrivacyFix.

PrivacyFix is a Firefox & Chrome plugin that you might want to check out. It looks at your Facebook and G+ settings, and helps you fix things. It also helps you send opt-out email to web site privacy addresses, which is awesome.

Not having a Facebook or G+ account, I can’t really test it. I do find the model of a plugin that works when you’re on their site (versus local UI) to be confusing. But maybe I’m not their target audience. Anyway, I did want to refer back to my Lessons from Facebook’s Stock Slide, in which I talked about intent versus identity.

[Images: PrivacyFix screenshots, “Facebook tracks” and “Google tracks”]

I don’t know if PrivacyFix’s estimates of revenue are accurate. But unless they’re off by 2 orders of magnitude for each of Facebook (under-estimating) and Google (over-estimating), then wow.

Why the Star Wars Prequels Sucked

It is a truism that the Star Wars prequels sucked. (Elsewhere, I’ve commented that the franchise being sold to Disney means someone can finally tell the tragic story of Anakin Skywalker’s seduction by the dark side.)

But the issue of exactly why they sucked is complex and layered, and most of us prefer not to consider it too deeply. Fortunately, you no longer have to. You can simply get “Why the Star Wars Prequels Sucked, and Why It Matters,” a short “Polemic on Aesthetics, Ethics and Politics. With Lightsabers.”

Really, what else do you need to know?

An example? Ok, the diner scene, and how it compares to the cantina scene. The cantina exudes otherness and menace. The diner looks like it was filmed in the 1950s and then had a few weird things ‘shopped in. The scene undercuts the world which Star Wars established. Or the casual tossing in that Anakin was a virgin birth, and how after tying it to one of the most enduring stories in western culture, the subject is then never referred to again.

Or the utter lack of consequence of anything in the stories, since we already know how they’ll come out, and how, by focusing on characters whose fates we know, Lucas drains any dramatic tension out of the story. The list goes on and on, and if you want to know why you hated the prequels so much, this is a short and easy read, and highly worthwhile.

Oh, and you’ll learn how Lando Calrissian is Faust. So go buy it already.

One last thing. Delano Lopez? That’s a name I hadn’t heard in a very long time. But he and I went to school together.

Privacy and Health Care

In my post on gun control and schools, I asserted that “I worry that reducing privacy around mental health care is going to deter people who need health care from getting it.”

However, I didn’t offer up any evidence for that claim. So I’d like to follow up with some details from a report that talks about this in great detail, “The Case for Informed Consent” by Patient Privacy Rights.

So let me quote two related numbers from that report.

First, between 13 and 17% of Americans admit in surveys to hiding health information in the current system. That’s probably a lower bound, as we can expect some of the privacy-sensitive population will decline to be surveyed, and some fraction of those who are surveyed may hide their information hiding. (It’s information-hiding all the way down.)

Secondly, 1 in 8 Americans (12.5%) put their health at risk because of privacy concerns, including avoiding their regular doctor, asking their doctor to record a different diagnosis, or avoiding tests.

I’ll also note that these numbers relate to general health care, and the numbers may be higher for often-stigmatized mental health issues.

"Cyber" Insurance and an Opportunity

There’s a fascinating article on PropertyCasualty360, “As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that caught my eye:

Parisi observes that pricing has also become more consistent over the past 12 months. “The delta of the pricing on an individual risk has gotten smaller. We used to see pricing differences that would range anywhere from 50-100 percent among competing carriers in prior years,” he says.

I’m not quite sure how that pricing claim lines up with this:

“The guys that have been in the business the longest—for example, Ace, Beazley, Hiscox and AIG—their books are now so large that they handle several claims a week,” says Mark Greisiger, president of NetDiligence. Their claims-handling history presumably means these veteran players can now apply a lot of data intelligence to their risk selection and pricing.

but the claim that there’s several breaches a week impacting individual insurers gives us a way to put a lower bound on breaches that are occurring. It’s somewhat dependent on what you mean by several, but generally, I put “several” above “a couple”, which means 3 breaches per week, or 150 per insurer per year, which is 600 between Ace, Beazley, Hiscox and AIG.

Then there’s this:

Despite a competitive market and significant capacity, underwriting appetite for high-risk classes varies widely. For instance, schools have significant PII exposure and are frequent targets of attacks, such as the October 2012 “ProjectWestWind” action by “hacktivist” group Anonymous to release personal records from more than 100 top universities.

So schools can be hard risks to place. While some U.S. carriers—such as Ace, Chartis and CNA—report being a market for this business class, Kiln currently has no appetite for educational institutions, with Randles citing factors such as schools’ lack of technology controls across multiple campuses, lack of IT budgets and extensive population of users who regularly access data.

Lastly, I’ll add that an insurance company that wants to market itself could easily leap to the front of mind for their prospective customers the way Verizon did. Think back 5 years, to when Verizon launched their DBIR. Then, I wrote:

Sharing data gets your voice out there. Verizon has just catapulted themselves into position as a player who can shape security.

That’s because of their willingness to provide data. I was going to say give away, but they’re really not giving the data away. They’re trading it for respect and credibility. (“Can You Hear Me Now?“)

I look forward to seeing which of the big insurance companies, the folks who are handling “several claims a week”, is first to market with good analysis.

Thoughts on the Tragedies of December 14th

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. I went to a tiny school, Simon’s Rock, and on December 14, 1992, Wayne Lo murdered my friend Galen Gibson and Professor Ñacuñán Sáez. He also shot my friend Tom McElderry. I can still remember the phone call from my friend Chi, telling me that Tommy had been shot and was in the hospital. I remember being up all night, spreading what little information we had by phone, and wondering what the hell was going on. I remember that weeks later, I’d get emails from co-workers whose local papers in places like Japan finally carried the story. For years after, I took December 14th as a day off, because it was hard to handle life with that weighing on you.

It’s a sad reality that we now have enough school shootings that one of them was going to fall on an anniversary of another. (Statisticians call this the birthday problem.) It’s also a sad reality that we have enough of them that schools, police and emergency responders have plans for them.

What a fucking world.

Some people like to say things like “time heals all wounds,” but you know? Greg Gibson isn’t going to get his son back. Ñacuñán’s family isn’t going to get him back. And twenty or more families in Sandy Hook will never again be the same. I’m having trouble editing this more than a month later because of how the memories flood back.

All that to say that I have some understanding of these events, and I think I can talk about them differently than a random observer.

A lot of people are using this tragedy to say we need gun control. I understand where they’re coming from, and I disagree. We’ve had a lifetime of marijuana control, and it didn’t work. We suffered under crypto controls, and they didn’t work. Assholes who want a gun will likely be able to get a gun whatever regime we put in place. There’s some truth to the claim that if guns are outlawed, only outlaws will have guns. Maybe we’d gain some ability to catch these nuts early, but maybe not. Those who say that easy availability of guns drives murder rates must do better than simply cherry picking data. What makes the US worse than Switzerland or Israel?

Yesterday, the President outlined a set of proposals including expanded background checks, and signed executive actions including one to “encourage federal agencies and state governments to share more information.” And now I find it hard to speak, and hard to remain silent.

Infringing privacy would not have stopped the events at Sandy Hook, and I worry that reducing privacy around mental health care is going to deter people who need health care from getting it. That may mean that more people will end up hurt or dead. I’m confident that no one wants that, and we need to rationally consider the tradeoff.

I also see a lot of people who are worried about gun control being so strident that they’re undercutting their own case. I agree that gun control is a poor response, and I think the NRA are coming off like a bunch of idiots. I’m trying not to be strident, just add a voice to say that even from a position of grief, it’s possible to see that what’s proposed probably will not meet the goals.

I don’t know what we should do. I do think that taking the entire TSA budget and moving it to mental health care would be a fine start.

Another fine way to proceed would be to threat model and try to judge the efficacy of the mitigation techniques. (For those who don’t know me, I spent a few years designing threat modeling tools and techniques which you can read about here.) Perhaps that starts from data on how people who use guns to hurt themselves or others get them. There’s an easy trope of “buys a gun and shoots someone.” Is that because it’s common, or because the stories are highly “available” and spring to mind? I don’t know, and in that vein, more studies of gun ownership and gun violence are probably going to help. Whatever approach to threat modeling we take should also include the hundreds of millions of guns owned by hundreds of millions of people and not misused.

We can and should do better than bringing back ideas that didn’t pass muster in calmer times. We should be cautious about trading a little liberty for a little safety. And whatever we do, we should do so respectful of the victims.


“The Phoenix Project” may be uncomfortable

The Phoenix Project is an important new novel, and it’s worth reading if you work in technology. As I read it, I was awfully uncomfortable with one of the characters, John. John is the information security officer in the company, and, to be frank, John does not come off well at the start of the book.

Before I get to the details, I want to talk about Gene Kim, the lead author. Gene got his start in security, having written the first free Tripwire program. Since then, he’s done key research in control effectiveness. He also accidentally demonstrated how far the complianciness industry has to go, as the COBIT standard hasn’t been updated based on his work, nor have they attempted to replicate it or refute it. Regardless, Gene gets operational information security very deeply.

So let’s talk frankly about John. John is a shrill jerk who thinks it’s a good idea to hold up business because he sees risk. He thinks of his job as risk prevention and compliance, and damn the cost to the business.

I’ve been there. Perhaps you have too. And if you’ve been there, John is an uncomfortable archetype to watch. Perhaps John is even treated too harshly. But as I said to Gene, pride goeth before the fall, and the fall cometh before redemption.

Me, I went through a lot of learning when Zero-Knowledge Systems pivoted. We had an amazing team, great technology, influencers and supporters out the wazoo, and we didn’t deliver on the goals. I spent a lot of time wallowing in what sells in security, what value propositions motivate people to buy, and how security is often a feature, not a value proposition.

Understanding where security fits in a business proposition gives me not only understanding but even sympathy for business leaders who listen to someone claim that if only the CSO reported to the CEO, they’d have a voice. That’s backwards. If the CSO has an understanding of the business, they’ll have a voice, and won’t need to report to the CEO. Also, the CEO is not the person with cycles to mentor a CSO to that understanding.

So if you’re outraged by how John is portrayed, I want to encourage you to ask yourself, are you outraged because it’s wrong, or outraged because it hurts?

The alcoholics say, the first step is admitting you have a problem. If you’re not there, maybe the first step is to go read the Phoenix Project and see if it hurts.

On Disclosure of Intrusion Events in a Cyberwar

[This guest article is by thegrugq. I’ve taken the liberty of HTML-ifying it from his original.]

On Disclosure of Intrusion Events in a Cyberwar

The Nation State’s guide to STFU

In a cyberwar (such as the ongoing events on the Internet), all actors are motivated to remain silent about incidents that they detect. However, on some occasions, strategic and political considerations will be more powerful motivators. These rare disclosure events don’t negate the primary motivations for remaining silent, they simply demonstrate that sometimes there are better reasons for speaking out.

TL;DR: actors in a cyberwar are motivated not to disclose incidents, but sometimes strategic and/or political realities take precedence.

I discussed this briefly with Adam Shostack over Twitter, but the constraints of the medium limited the depth of the discussion. Recently Adam posted a blog post that more deeply explored his position. He believes that actors in a cyberwar are not (always) motivated to remain silent. He also proposes a methodology for selecting incidents to disclose, and then lays out several benefits that he believes such disclosure provides. I still think he is wrong. Rather, he got the right answer for the wrong reason.

Rather than addressing his arguments in detail (because I don’t find fault with his logic, it is his premise that is incorrect), I will lay out the reasoning behind my position. This will provide a more comprehensive understanding of an important aspect of cyberwar, one frequently ignored in the discussions — Counter Intelligence (COINTEL). I’ll briefly outline some core COINTEL concepts, then apply them to the current cyberwar, and then finally agree with Adam’s conclusion anyway.

Firstly, yes, my understanding of the motivations of the actors in the cyberwar is partially informed by discussions I’ve had with active participants. However, more importantly, I’ve spent the last year studying counter intelligence and looking at how to apply it to cyberwar. Part of that research was presented in my [OPSEC for Hackers] talk. The following arguments are therefore from the point of view of someone who views the ongoing cyberwar as primarily a series of espionage operations and activities.

NOTE: I must emphasize that what I outline here is pure speculation. I have no security clearance with any country, so I have no secret knowledge. My opinions are informed only by open source materials (re: I read books and stuff).
