
Thursday, May 31, 2007

I Have Seen the Future, and It Is Monitored

Today I spoke at the ISS World Spring 2007 conference in Alexandria, VA. ISS stands for Intelligence Support Systems. The speakers, attendees, and vendors are part of or support legal and government agencies that perform Lawful Intercept (LI) and associated monitoring activities. Many attendees appeared to be from county, state, and federal law enforcement agencies (LEAs). Others were wired and wireless service providers who are responsible for fulfilling LI requests.

This was a very different crowd. Even when cops attend security conferences (like Fed, I mean Black, Hat) the vibe is different. At security cons it's seen to be cool if one has mad offensive sk1llz. This group was all about acquiring the information needed to go to court to convict bad guys.

One theme immediately grabbed my attention, and it's going to eventually affect every entity that provides technological services:

Today lawful intercept monitors lines. Tomorrow lawful intercept will monitor services.

I cannot emphasize this enough. What does it mean?

Today (and previously), if I wanted to perform surveillance against a target, I would tap his phone line. In the very old days I would physically attach to phone lines, but these days I work with the telephone company to obtain electronic access. The telco is a service provider and as such is subject to CALEA, which mandates providing various snooping capabilities for LEA use.

Also today, and definitely tomorrow, targets are using VoIP. VoIP can be monitored by watching broadband lines, but "tapping a line" is not sufficient. The classic deficiency is call forwarding. As described at the conference today, assume a LEA is watching all broadband traffic to and from a target. If the target enables call forwarding through his VoIP provider, a LEA watching network traffic will not see a call come in if the VoIP provider forwards it elsewhere.

Therefore, gaining access to that critical information requires monitoring the service, not the line.

Extend the services to be monitored beyond VoIP. Suddenly you can probably imagine many scenarios where LEAs would want to essentially be inside the service, or able to tap data directly from the service. The line to the target is secondary. For example, why try to follow a target from Internet cafe to Internet cafe if you can just watch his chat room, Web forum, or other meeting place directly?

This seems less like Big Brother and more like Embedded Brother. Any application which law enforcement might consider a source of data on a target could be compelled by law to provide a means for LEA to perform lawful intercept. Already we are seeing signs of this through various data retention directives. One of the conference panelists mentioned a story from Germany that makes this point. He said Germany (or at least part of it) has a system that tracks cars paying tolls. When the system was deployed it was forbidden to use such data for tracking car owners, even if crimes were committed. However, a person was run down at a toll booth. After the crime happened, an outcry erupted to use the toll logs to identify the culprit. This is the sort of "emergency thinking" that results in powers being granted to LEAs to reach ever deeper into technology services.

One financial note: consider buying stock in log management and storage vendors. All of this data needs to be managed and stored.

My previous thoughts on this subject appear in posts containing the lines The Revolution Will Be Monitored.

In one of my classes I list the reasons why people monitor, in this progression:

  1. Performance: is our service working well?

  2. Fault: why does our service fail?

  3. Security: is our service compromised?

  4. Compliance: is our service meeting legal and regulatory mandates?


Many companies are still at step 2. Step 3 might be leapfrogged and step 4 might be here sooner than you think. Hopefully data collected for step 4 will inform step 3, thereby serving a non-LEA purpose as well.

Incidentally I did not hear the term encryption mentioned as a challenge for law enforcement. I'll let the conspiracy theorists chew on that one. In a service-oriented lawful intercept world, I would imagine LEAs could access data unencrypted at the service provider if end-to-end encryption were not part of the service. In other words, maybe your VoIP call is encrypted from you to the provider, and from the provider to the recipient, but the LEA can intercept at the hub of the communication.

Update: I want people to understand that me predicting this development does not mean I agree with it. I prefer privacy to what's going to happen.

Wednesday, January 10, 2007

The Revolution Will Be Monitored

I read the following in the latest SANS NewsBites:

Revised Civil Procedure Rules Mean Companies Need to Retain More Digital Data (4 January 2007)

The revised Federal Rules of Civil Procedure, which took effect on December 1, 2006, broaden the types of electronic information that organizations may be asked to produce in court during the discovery phase of a trial. The new types of digital information include voice mail systems, flash drives and IM archives. This will place a burden on organizations to retain the data in the event it is needed in a legal case.

Section V, Depositions and Discovery, Rule 34 of the Federal Rules of Civil Procedure reads, in part,

"Any party may serve on any other party a request to produce and permit the party making the request, or someone acting on the requestor's behalf, to inspect, copy, test or sample any designated documents or electronically stored information - including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained ..."


This ComputerWorld article adds:

According to a 2006 study by the American Management Association and the ePolicy Institute, more than half of those who use free IM software at work say that their employers have no idea what they're up to.

There are two ways to look at this problem. The first involves limiting the amount of data available, i.e., data creation. Brian Honan mentions this in his commentary for SANS:

Make sure to include how to deal with personal electronic devices such as PDAs and pen drives - hint best to prohibit their use in a corporate environment in the first place.

Yeah, right. Everything is going to have USB/Bluetooth/whatever connectivity and a flash drive sooner or later. We're already seeing this with cell phones and integrated cameras. It's almost impossible to buy a new cell phone without a camera. One of my clients is considering banning cell phones with cameras in the office. That absolutely will not work. Who is going to enforce that policy? They don't have guards, and no guard is going to strip-search employees to find cell phones with cameras.

The second way to look at the problem involves limiting data retention. In other words, don't save as much data and therefore have less data available for legal scrutiny. That is absolutely going to fail too. The trend across all sectors is to retain more information. Section 10 of the PCI Security Standard is just one example. Since 2003 the National Association of Securities Dealers (NASD) has required financial firms to retain IM for three years. The Securities and Exchange Commission (SEC) has already fined companies millions of dollars for not retaining email for at least three years.

I would not be surprised to see best practice evolve into requiring network traffic retention systems, perhaps at the session level or maybe even at the full content level. I would also not be surprised to see requirements for intercepting outbound encrypted traffic for inspection and retention purposes. The only reason we don't see those requirements yet is that regulators don't understand how any protocol can be tunneled over any protocol, as long as the endpoints understand the mechanism involved.

Tuesday, November 20, 2007

Network Monitoring: How Far?

In my January post The Revolution Will Be Monitored and elsewhere I discuss how network monitoring is becoming more prevalent, whether we like it or not. When I wrote my first book I clearly said that you should collect as much data as you can, given legal, political, and technical means because that approach gives you the best chance to detect and respond to intrusions. Unfortunately, I did not provide any clear guidance for situations where I think monitoring might not be appropriate. While this is by no means a political blog, I would not want my NSM approach to be taken as justification for monitoring and retaining every electronic transaction, especially beyond the security realm.

In that spirit I would like to point out three recent stories which highlight some of the contemporary problems I see with electronic monitoring.

First is Boeing bosses spy on workers. From the story:

Within its bowels, The Boeing Co. holds volumes of proprietary information deemed so valuable that the company has entire teams dedicated to making sure that private information stays private.

One such team, dubbed "enterprise" investigators, has permission to read the private e-mails of employees, follow them and collect video footage or photos of them. Investigators can also secretly watch employee computer screens in real time and reproduce every keystroke a worker makes, the Seattle P-I has learned...

"Employees should understand that the law generally gives employers broad authority to conduct surveillance, whether through e-mail, video cameras or other forms of tracking, including off the job in many cases."

The law grants companies the right to protect themselves from employees who break the law, such as by embezzling money or using the company warehouse to run a drug-smuggling ring.

The problem, [Ed] Mierzwinski [consumer program director at the federation of Public Interest Research Groups] said, is when companies use the surveillance tactics available to them to root out whistle-blowers.

"We need greater whistle-blower protections," he said. But, "if you're using the company's resources and you think it's protected because you're using Hotmail, think again."


My first point on this story is that I have never advocated NSM as a means to combat fraud, waste, and abuse by employees, let alone whistle-blowers. I have almost exclusively focused on external threats. I say let legal and human resources look for non-security policy violations.

My second point on this story is that I think the operative word here is surveillance. NSM is not a surveillance methodology. NSM does not advocate identifying a person of interest, then examining all traffic generated by or directed at that person. NSM is more channel- and system-centric. If I am going to conduct network surveillance of any type, I expect legal and human resources tasking. I do not engage in network surveillance for my own security purposes. I conduct NSM.

The next story is Cal-Ore Telecommunications on Solera Networks. This is a blog posting advertising the adoption of a packet capture appliance sold by Solera Networks to the Cal-Ore ISP in California. From the story:

Cal-Ore, a rural telephone company and ISP headquartered in Northern California, has been serving customers for more than 55 years. In order to comply with CALEA requirements, Charles Boening, Cal-Ore’s network manager, considered three choices. First, they could do nothing and hope they never received a lawful intercept warrant request. Second, they could contract with a trusted third-party (TTP) that would perform any tapping services and bring them into compliance: at a six-figure price tag with ongoing fees. Or third, they could purchase a Solera DS 1000 from Solera Networks...

“We not only capture traffic that goes to the Internet, we can also use those extra Ethernet ports to capture traffic from other areas of our network,” Boening said...

While not being used to fulfill a warrant, Boening uses the Solera DS 1000 for complete network packet capture and storage. This has become an integral component to network management at Cal-Ore...

“We’ll hear from other providers telling us that we have a customer who is sending out spam,” said Boening. “Before I disconnect that customer, I need to verify it is a legitimate complaint. I use the Solera Networks box to find specific traffic over a period of time and put it into an analyzer, such as WireShark, to determine whether it is junk. If it is, I will then turn off the customer.”


When I read this I thought "This ISP is logging all traffic that customers send to the Internet?" I read their terms of service and found this:

Use of any Cal-Ore Telephone network service constitutes consent to monitoring at all times. If monitoring of any device in the Cal-Ore Telephone network reveals any evidence regarding violation of copyright laws, security regulations or any instance of unauthorized use of any system, this evidence and any other related information, including identification information about the user, can and will be provided to law enforcement officials.

It appears Cal-Ore is relying on the consent exception to the wiretap act to not break Federal law. They could also hope that their activity "is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service" and thereby receive another exception to the wiretap act.

However, California law is a little different. As noted in Applying the Wiretap Act to Online Communications after United States v. Councilman, California is a two-party consent state, meaning that both parties to the communication must give consent in order to make interception of a communication permissible. I am not a lawyer (I may have to rectify that situation at some point), but it sounds like the consent exception is lost when a Cal-Ore user who has not granted consent communicates via IM to any Cal-Ore user.

The third story is actually a set of articles posted by The Baltimore Sun about the National Security Agency and "cyber security." A slightly more recent article called In focus: Targeting Internet terror offers a few items of interest:

President Bush quietly announced yesterday his plans to launch a program targeting terrorists and others who would seek to attack the United States via the Internet, according to lawmakers and budget documents.

Bush requested $154 million in preliminary funding for the initiative, which current and former government officials say is expected to become a seven-year, multibillion-dollar program to track threats in cyberspace on both government and private networks...

At the White House, spokesman Sean Kevelighan would say only that the money would be used for "increased monitoring capabilities, as well as to increase the security of our networks."


I'm interested in this article because it and previous stories hint that the government might monitor private networks for security purposes. This would be quite a step if true.

Monitoring remains a hot topic, so I plan to keep my eye on these issues going forward.

Friday, March 30, 2007

Full Content Monitoring as a Wiretap

I received the following question today:

When installing Sguil, what legal battles have you fought/won about full packet capture and its vulnerability to open records requests from outside parties? I am getting concerns, from various management, regarding the legal ramifications of the installation of a system similar to Sguil in the state government arena. Do you have any advice for easing their worries? I know how important full data capture is to investigating incidents, and I consider it of paramount importance to the security of our state that we do so. Are there any legal precedents that can be cited?

Before I say anything else it is important to realize I am not a lawyer, I don't play one on YouTube, and I recommend you consult your lawyer rather than listen to anything I might say.

With that out of the way, I have written about wiretaps a few times before. Let me get these generic wiretapping issues out of the way before addressing the question specifically.

The pertinent Federal law is 18 U.S.C. §2511.

A great place to look for commentary and precedents on digital security issues is Orin Kerr's Computer Crime Case Updates. This search for wiretap may or may not be helpful.

Finally, for recent commentary by a lawyer (but not your lawyer), I recommend Sysadmins, Network Managers, and Wiretap Law (.pdf slides) by Alex Muentz. These notes from his LISA 2006 talk are helpful too.

I think the key element of the question originally posed was full packet capture and its vulnerability to open records requests from outside parties. It sounds like the question asker is worried about discoverability of full content data. I touched on this briefly in The Revolution Will Be Monitored.

My answer to this problem is what I would consider both practical and technically limiting: do not store more full content data than you need. For any modern production network, capturing and storing days or weeks of full content traffic can be an expensive proposition. For example, in one client location I have about 200 GB of space available for full content storage. That space allows me to save a little more than 10 days of full content, even with fairly draconian BPFs limiting what is stored. If for some reason I needed to produce that data to management or attorneys, I could only provide the last 10 days of information. If the event in question occurred prior to that period, I just don't have it.

I do know of some locations that operate massive storage area networks to save TBs of full content. I do not advocate that for anyone but the most specialized of clients. I do recommend collecting the amount of full content (if possible, legally and technically) that works for your investigative window. For example, if you have a requirement to review your alert and session data such that you are never more than 5 days past an event of interest, you might want to save 7 days of full content. From an investigation point of view, more is always better. From a practical point of view, it might be too costly.

Remember that any network data collection should be considered a wiretap. Full content is the form of network data that most resembles a wiretap.

With respect to session data, I recommend saving as much of that as possible. In practical terms it comes down to the amount of space you're willing to devote to database files. At the same client I am collecting as many sessions as I can, without filters. 30 days of such session data is producing about 20 GB of uncompressed MySQL table files. As you can see I can store many more days of session data as compared to full content data. That means much more session data is discoverable. I might choose to limit storage of that session data to meet whatever guidance corporate legal counsel might provide.

Session data is like pen register/trap and trace data, because it does not reveal content. I still treat it like a wiretap but it probably does not meet the same standards.

Event data, i.e., IDS alerts, takes so little space as to not require any real storage consideration (compared to full content and session data). Therefore, the primary limiting factor is legal and policy, not technical.
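The retention argument above (size the full content store to your investigative window, then let an age cap and a capacity cap bound what is discoverable), as an added example that is not code from the original post or from Sguil. The 200 GB store, the 20 GB per day ingest rate, the 7-day window and the capture file paths are constructed sample figures built from the numbers the post quotes, and `prune_counts` is a hypothetical helper that wraps the planner for a quick run.

```python
"""Retention planner and pruner for full content (pcap) stores.

Added example; not code from the original post or from Sguil. Storage
figures (about 200 GB of space, roughly 20 GB of full content per day,
a 7-day investigative window) are constructed from the post's numbers,
and the capture file paths are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GB = 1024 ** 3


@dataclass(frozen=True)
class CaptureFile:
    """One rotated capture file: path, first-packet time and size on disk."""
    path: str
    start: datetime
    size_bytes: int


def days_retained(capacity_bytes: int, daily_bytes: int) -> float:
    """Days of full content a store of capacity_bytes holds at daily_bytes/day."""
    if daily_bytes <= 0:
        raise ValueError("daily ingest must be positive")
    return capacity_bytes / daily_bytes


def capacity_for_window(window_days: int, daily_bytes: int,
                        headroom_pct: int = 20) -> int:
    """Bytes needed to keep window_days of full content plus headroom for
    bursty days. Integer arithmetic keeps the result exact."""
    return window_days * daily_bytes * (100 + headroom_pct) // 100


def select_for_pruning(files: List[CaptureFile], now: datetime,
                       max_age: timedelta, capacity_bytes: int
                       ) -> Tuple[List[CaptureFile], List[CaptureFile]]:
    """Split files into (keep, delete). Two caps apply and the tighter wins:

    * policy cap: anything older than max_age is deleted, so the store never
      holds more history than the investigative window calls for;
    * technical cap: newest files are kept first, and once the running total
      would exceed capacity_bytes every older file is deleted.
    """
    keep: List[CaptureFile] = []
    delete: List[CaptureFile] = []
    used = 0
    full = False
    for f in sorted(files, key=lambda cf: cf.start, reverse=True):  # newest first
        too_old = now - f.start > max_age
        if not full and used + f.size_bytes > capacity_bytes:
            full = True  # from here on every older file goes
        if too_old or full:
            delete.append(f)
        else:
            keep.append(f)
            used += f.size_bytes
    return keep, delete


def sample_files(now: datetime, n_days: int, daily_bytes: int) -> List[CaptureFile]:
    """Constructed input: one capture file per day, the newest starting at now."""
    return [CaptureFile(path=f"/nsm/dailylogs/day-{i:02d}.pcap",  # hypothetical
                        start=now - timedelta(days=i), size_bytes=daily_bytes)
            for i in range(n_days)]


def prune_counts(n_days: int, daily_bytes: int, window_days: int,
                 capacity_bytes: int, now: Optional[datetime] = None) -> Tuple[int, int]:
    """Run the pruner over a constructed daily set; returns (kept, deleted)."""
    now = now or datetime(2007, 3, 30, 12, 0)  # constructed reference time
    files = sample_files(now, n_days, daily_bytes)
    keep, delete = select_for_pruning(files, now, timedelta(days=window_days),
                                      capacity_bytes)
    return len(keep), len(delete)


if __name__ == "__main__":
    print(f"{days_retained(200 * GB, 20 * GB):.1f} days fit in 200 GB at 20 GB/day")
    print(f"{capacity_for_window(7, 20 * GB) / GB:.0f} GB needed for a 7-day window")
    # 15 daily files, 7-day policy: the age cap binds before the 200 GB cap
    print("7-day policy (kept, deleted):", prune_counts(15, 20 * GB, 7, 200 * GB))
    # same files, 14-day policy: capacity becomes the binding limit
    print("14-day policy (kept, deleted):", prune_counts(15, 20 * GB, 14, 200 * GB))
```
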

I think anyone who really wants a better answer would do well to check out Prof. Kerr's list, and potentially ask him. Alex Muentz would be another good resource.

Wednesday, March 21, 2007

Ubiquitous Monitoring on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Horizon

In January I wrote The Revolution Will Be Monitored. Today I read Careful, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Boss Is Watching:

Recently, software vendor Ascentive LLC installed its new BeAware employee monitoring application on all cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 PCs at one of its new corporate clients. The corporation notified its employees that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir Web surfing habits -- as well as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir email, instant messaging, and application usage -- were now being monitored and recorded.

"Internet usage at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 corporation dropped by 90 percent almost overnight," recalls Adam Schran, CEO of Ascentive. "As soon as employees knew cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y were being monitored, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y changed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir behavior."


Wow, what a bandwidth saver. Who needs to upgrade cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 T-3 when you actually take measures to enforce your stated security policy? The story continues:

While tools for tracking employee network usage have been available for years, emerging products such as BeAware take monitoring to a whole new level. The new BeAware 6.7 lets managers track workers' activity not only on the network or in the browser, but also in email, chatrooms, applications, and shared files. And at any unannounced moment, a manager can capture an employee's screen, read it, and even record it for posterity.

Such exhaustive monitoring may seem a bit draconian to the uninitiated, but analysts and vendors all say the use of such "Big Brother" software can make a drastic impact on productivity and security. In a recent study by AOL and Salary.com, 44.7 percent of workers cited personal Internet use as their top distraction at work. A Gallup poll conducted in 2005 indicated that the average employee spends more than 75 minutes a day using office computers for non-business purposes.

Once employees know their activities are being monitored, however, their personal computer use is quickly curtailed, Schran observes.


This reminds me of an event that happened when I was working the night shift at the AFCERT in 1999. We had witnessed a rash of attacks against vulnerable Microsoft Front Page installations. Around 2 or 3 am I noticed someone altering the Web site of an Air Force base in Florida. Looking at the source IP it looked like it might belong to someone who worked on base. I managed to tie a home telephone number to the IP and I called, asking if so-and-so was currently modifying the af.mil Web site. I remember a surprised lady answering the phone and asking, "So you can see what I'm doing right now?"

I have never been a fan of monitoring network traffic to reduce what .mil and .gov call "fraud, waste, and abuse." You won't read recommendations for using Network Security Monitoring to intercept questionable Web surfing, for example. However, this story is another data point for my prediction that we are moving to a workplace where everything is monitored, all the time.

If you try to implement this sort of activity, you better be sure to have an ironclad policy and support from your legal staff. I would call this level of invasion of privacy a wiretap.

Tuesday, January 16, 2007

Brief Response to Marty's Post

Marty Roesch was kind enough to respond to my recent posts on NSM. We shared a few thoughts in IRC just now, but I thought I would post a few brief ideas here.

My primary concern is this: just because you can't collect full content, session, statistical, and alert data everywhere doesn't mean you should avoid collecting it anywhere. I may not have sensors on the sorts of network Marty describes (high bandwidth, core networks) but I have had (and have) sensors elsewhere that did (and do) support storing decent amounts of NSM data on commodity hardware using open source software. I bet you do too.

I'm not advocating you store full content on the link to your storage area network. I don't expect Sony to store full content of 8 Gbps of traffic entering their gaming servers. I don't advocate storing full content in the core. Shoot, I probably wouldn't try storing session data in the core. Rather, you should develop attack models for the sorts of incidents that worry you and develop monitoring strategies that best meet those needs given your resource constraints.

For example, almost everyone can afford to monitor almost all forms of NSM data at the point where their users exit the intranet and join the Internet. I seldom see these sorts of access links carrying the loads typically thought to cause problems for commodity hardware and software. (ISPs, this does not include you!) This is the place where you can perform extrusion detection by watching for suspicious outbound connections. If you follow defensible network architecture principles, you can augment your monitoring by directing all outbound HTTP (and other supported protocols) through a proxy. You can inspect those proxy logs instead of reviewing NSM data, if you have access.
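The egress-point extrusion check described above, as an added example that is not code from the original post or from Sguil: it walks constructed session records from the Internet access link and flags internal hosts that reach web ports without going through the mandatory proxy, plus any non-web direct outbound connections. The internal range (10.0.0.0/8), the proxy address (10.0.0.5) and the record format are all assumptions.

```python
"""Extrusion detection over session records at the intranet/Internet egress.
Added example; assumes an internal 10.0.0.0/8 network, a mandatory outbound
web proxy at 10.0.0.5, and constructed, SANCP-like session records in the
form 'date time src sport dst dport proto' (all values are made up)."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
PROXY = ipaddress.ip_address("10.0.0.5")        # assumed outbound web proxy
WEB_PORTS = {80, 443}

# Constructed sample session records seen on the egress link.
SESSIONS = """\
2007-01-16 02:11:04 10.0.0.5 51022 198.51.100.20 80 tcp
2007-01-16 02:11:09 10.0.3.17 40112 203.0.113.8 443 tcp
2007-01-16 02:12:30 10.0.3.17 40113 203.0.113.8 6667 tcp
2007-01-16 02:13:01 10.0.0.5 51023 198.51.100.21 443 tcp
2007-01-16 02:14:45 10.0.7.2 33001 192.0.2.77 22 tcp
2007-01-16 02:15:00 198.51.100.20 80 10.0.0.5 51022 tcp
"""

def parse(line):
    """Split one session record into typed fields."""
    date, time, src, sport, dst, dport, proto = line.split()
    return {"ts": f"{date} {time}", "src": ipaddress.ip_address(src),
            "sport": int(sport), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto}

def classify(rec):
    """Label an outbound session, or return None when it matches policy."""
    if rec["src"] not in INTERNAL or rec["dst"] in INTERNAL:
        return None                      # inbound or internal: not extrusion
    if rec["dport"] in WEB_PORTS:
        # Web traffic must leave via the proxy; any other source bypassed it.
        return None if rec["src"] == PROXY else "proxy-bypass"
    if rec["src"] == PROXY:
        return "proxy-nonweb"            # proxy should only speak HTTP(S) out
    return "direct-outbound"             # non-web egress straight from a host

def find_extrusions(text):
    """Return [(timestamp, src, dst, dport, label)] for every flagged session."""
    findings = []
    for line in text.splitlines():
        rec = parse(line)
        label = classify(rec)
        if label:
            findings.append((rec["ts"], str(rec["src"]), str(rec["dst"]),
                             rec["dport"], label))
    return findings
```

On the sample data the proxy's own web sessions and the inbound reply pass, while the direct 443 connection, the IRC-port connection and the outbound SSH session are flagged.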

Marty also emphasizes the problems caused by centralizing NSM data. I do not think centralization is a key aspect, or necessarily a required aspect, of NSM. One of my clients has three sensors. None of them report to a central point. All of them run their own sensor, server, and database components.

The existing Sguil architecture centrally stores alert and session data. Full content data remains on the sensor and is periodically overwritten. I am personally in favor of giving operators the option of storing session data on a database local to the sensor. That would significantly reduce the problems of centralization. I almost never "tune" or "filter" statistical or full content data. I seldom "tune" or "filter" session data, but I always tune alert data. By keeping the session data on the sensor, you can collect records of everything the sensor sees but not waste bandwidth pushing all that information to a central store.

Marty also said this:

Then we've got training. I know what the binary language of moisture vaporators, Rich knows the binary language of moisture vaporators, lots of Sguil users know it too. The majority of people who deploy these technologies do not. Giving them a complete session log of an FTP transfer is within their conceptual grasp; giving them a fully decoded DCERPC session is probably not. Who is going to make use of this data effectively? My personal feeling is that more of the analysis needs to be automated, but that's another topic.

Excellent Star Wars comment. I don't like the alternative, though. As I described here, I'm consulting for a client stuck with a security system they don't understand and for which they don't have the data required to acquire real knowledge of their network. I don't understand how providing less information is supposed to help this situation. As I wrote in Hawke vs the Machine, expertise grows from having the right forms of data available. In other words, it's the data that makes the expert. I don't have any special insights into alerts from an IDS or IPS. I can make sense of them only through investigation, and that requires data to investigate.

Recording everything, everywhere will never scale and isn't feasible. However, the revolution will be monitored, which will help us understand our networks better and hopefully detect and eject more intruders.