April 2017 Volume 15 Issue 4

In this issue:
There’s No Going It Alone: Disrupting Major Cybercrime Rings
Every Move You Make, I’ll Be Watching You Watching Me Watching You
HSTS and New Trends for Secure Browsing
Security Assurance of Docker Containers: Part 1
The Whys and Wherefores of Innovation in the World of Cybersecurity

Table of Contents

New Technologies in Security
Developing and Connecting Cybersecurity Leaders Globally

Feature

16 The Whys and Wherefores of Innovation in the World of Cybersecurity
By Avani Desai
Fifteen years ago the security market was much smaller with an eclectic mix of commercial and open source tools. Now we have a tidal wave of security vendors offering a staggering number of options. The author looks at the driving forces behind the vanguard in security and the new technologies that make up second-generation security solutions.

Articles

20 There’s No Going It Alone: Disrupting Major Cybercrime Rings (a Case Study)
By John Garris
The identification and eventual disruption of a sophisticated criminal enterprise, requiring on-the-fly problem solving and groundbreaking international collaboration, offers a model of how an international cooperative effort can succeed. This article documents the efforts that ultimately brought down Rove Digital, an Estonian-based criminal operation that compromised millions of computers.

26 Every Move You Make, I’ll Be Watching You Watching Me Watching You
By Tanya Forsheit and Daniel Goldberg
Smart TVs, like other Internet-connected devices, come with their fair share of privacy and data security risks. This article explores a few noteworthy recent and high-profile developments that cast some doubt on the security of smart TVs and suggests that device manufacturers may not be sharing complete information about the data collected and used by those devices.

30 HSTS and New Trends for Secure Browsing
By Marcelo Carvalho – ISSA member, Brasil Chapter
This article discusses insecure behavior between browsers and servers and potential risks associated with recent opt-in HTTP Strict Transport Security (HSTS) suggested by RFC 6797, heavily discussed at recent security conferences such as OWASP AppSec Europe, CNASI Brasil, InfoSecurity Europe, and OWASP APPSEC Latin America. It also briefly describes new trends regarding web browsing security.

35 Security Assurance of Docker Containers: Part 1
By Stefan Winkel
The Notary project, recently introduced in Docker, is built upon the assumption that the software distribution pipeline can no longer be trusted. In this article, the Notary service will be explored with regards to an in-depth look at security testing of Docker containers.

Also in this Issue

3 From the President
4 [email protected]
5 Sabett’s Brief – This Time, It Really Is a Game Changer
6 Herding Cats – My Machine Learns
7 Gray Hat – It’s the Technology, Stupid
8 Open Forum – It Is Time for New Thinking and Different Approaches to Cybersecurity
9 Perspective: Women in Security SIG – Security Technology Market, Predictions, and Future Cyber Focus
10 Security in the News
11 Howard A. Schmidt Tribute
14 Association News

©2017 Information Systems Security Association, Inc. (ISSA)
The ISSA Journal (1949-0550) is published monthly by Information Systems Security Association, 11130 Sunrise Valley Drive, Suite 350, Reston, Virginia 20191. 703.234.4095 (Direct) • +1 703.437.4377 (National/International)

ISSA Journal | April 2017

From the President

Greetings ISSA Members

As we enter the second quarter of the year, we are seeing security and privacy challenges from threats and growing vulnerabilities, as predicted, blossoming like spring flowers. So how do we combat what is now upon us? This month I am excited to see emerging technologies being addressed.

As a CISO, I’ve found that watching Gartner’s “Hype Cycle of Emerging Technologies” gives business a competitive advantage and insight into projects, but to a CISO it is the ability to align organizational strategic planning of where our infosecurity program should be aligned as to the technology businesses are predicted to engage in the near future.

We see how well our technology encryption protocols have assisted those using ransomware to encrypt and hold hostage data. It’s now time for us to learn different ways to protect, detect, and recover from the unidentified threats that our current controls can’t combat. There is so much dynamic collaboration and information sharing that is expected in business and our lives these days that we cannot just depend on our perimeter defenses. Application wrappers are trending as we see more services delivered in the cloud. Our ISSA Journal has looked at mobile, BYOD, IoT; we know that new approaches are critical to data protection and privacy.

Emerging technology that looks at the DNA of our systems, determining our normal baseline, identifies anomalies that may be potential viruses or bacteria trying to harm us; artificial intelligence monitoring our systems needs to be what our new security controls provide to protect us. The thought of self-protecting data is an idea whose time has come. New security solutions still must help us meet compliance issues, reaching down to the data level for protection of our clients’ and employees’ privacy, governance, and audit. We need to identify better means for protecting data. In many places we are seeing that data breach notification laws now include the loss of data keys.

What if through emerging technologies we could eliminate complex protection schemas or external encryption key stores? I’ve already seen one product that is addressing this, and I believe 2017 will see these emerging technologies embraced by security.

On a personal note, in this issue we honor Howard Schmidt, a key ISSA leader and leading light in security. For Howard, “making it better” was his sole agenda in the many security causes he championed—it was never about him, but always about bettering the security landscape for all. He made our community better. He made us better people.

I still remember our first meeting during a SANS training in New Orleans, both of us sitting on the floor talking about the changing dynamics of rules on routers and firewalls. Even then, I could tell he was a true thought leader. I will miss our thought-provoking conversations on any and all topics. And at RSA he would always ask to “save a dance for him” at the end of the day to relieve the stress of continuous learning and networking. He never stopped loving his family while still finding time for giving to his ISSA family. He will be greatly missed.

At the end of one’s life, it is neither possessions, nor accolades, nor “things” that matter. It is about the lives you have touched. Howard not only touched many lives; he enriched those lives in a way that few have, and in a way that inspires us all to be more like him.

Andrea Hoy, International President

International Board Officers
President: Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow
Vice President: Justin White
Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow
Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

Board of Directors
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Rhonda Farrell, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow
DJ McArthur, CISSP, HiTrust CCSFP, EnCE, GCIH, CEH, CPT
Shawn Murray, C|CISO, CISSP, CRISC, FITSP-A, C|EI, Senior Member
Alex Wood, Senior Member
Keyaan Williams, Fellow
Stefano Zanero, PhD, Fellow

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government. The ISSA International Board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

[email protected]

New Technologies in Security
Thom Barrie – Editor, the ISSA Journal

I first got to know Howard Schmidt shortly after I came on board at the Journal. Dave Cullinane was finishing up his term as president and Howard was about to begin his second tenure leading the association.

As you’ll see in the tribute section, Howard was gracious, affable, and friendly in addition to the range of attributes folks describe. I finally met him face-to-face at the Anaheim Conference in 2012, but we got together monthly throughout his tenure as we worked on his President’s Letter. I initially approached the task with a bit of fear and trepidation as I was new to this and he was a major industry figure.

Turns out I had nothing to fear. We would talk through what he wanted to say, and he immediately put me at ease. Our monthly 40 or so minute conversations would always start with five to ten minutes of just chatting about life here in the Pacific Northwest, motorcycles, and trying to get his wife, Raemarie, as excited with riding as he was. But we never had a set time to talk as he was always on the way somewhere, so typically we talked by phone while he was racing to an airport or some other such destination, other times Skyping from Europe and once, I believe, from Singapore or on his way there. I once actually did catch him at home, but only that one time; he was always on the move.

During one of our final talks Howard intimated that he was on the short list to go to the White House. Sometime the following month or so Kevin Richards, ISSA Vice President, stepped up to take the vacated spot as Howard headed off to be President Obama’s White House Cybersecurity Coordinator. And that’s the last I spoke with Howard until the Anaheim conference. I did, however, follow him in the news, as I’m sure many of us did.

Oh, we did have one interaction after he went to the White House. I know we get inundated with requests to connect on social media, and they’re no big deal, but I was pleasantly surprised—and I, of course, accepted—when the Special Assistant to the President, Cybersecurity Coordinator at the Executive Office of the President, White House, asked to connect with me on LinkedIn.

~ Thom

Editor: Thom Barrie, [email protected]
Advertising: [email protected]
866 349 5818 • +1 206 388 4584

Editorial Advisory Board
Richard Abbott
James Adamson
Phillip Griffin, Fellow
Michael Grimaila, Fellow
Yvette Johnson
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Jean Pawluk, Distinguished Fellow
Kris Tanaka
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow

Services Directory (866 349 5818 • +1 206 388 4584)
Website: [email protected]
Chapter Relations: [email protected]
Member Relations: [email protected]
Executive Director: [email protected]
Advertising and Sponsorships: [email protected]

The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and the editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components.

The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

Sabett’s Brief

This Time, It Really Is a Game Changer

By Randy V. Sabett – ISSA Senior Member, Northern Virginia Chapter

So I’ve finally reached that dreaded point in life where my son thinks he knows more than me (which is abundantly evident when he explains all of the new social networking platforms). Of course, he is quite pleased with himself on these occasions. I still have it, however, when it comes to cyber, which became clear the other day when I explained to him that artificial intelligence (AI) was becoming the next big thing in cybersecurity. Let’s take a look at why.

First, let’s review some basic concepts so we’re all on the same page. From a definitional perspective, general AI represents the classic view of this technology (think “Data” from Star Trek: The Next Generation or “Sonny” from iRobot). General AI typically manifests itself as a machine that replicates at least the functionality of the human brain, as envisioned by many futurists since about the 1940s. In contrast, narrow AI involves a machine that does a specific task that traditionally has been done by humans. Think here of things like speech recognition, self-driving cars, and automated vacuum cleaners that learn about their environment. Lastly, there is machine learning, which refers to algorithms that can learn and adapt from information to solve future problems more efficiently.

With those definitions as the foundation, let’s now examine an interesting trend showing how and when the terms “cybersecurity” and “artificial intelligence” (or “machine learning” (ML)) have been appearing together in popular literature. According to CB Insights, discussions of cybersecurity and AI combined increased significantly in 2016, showing that they have become increasingly linked in media chatter1 (figure 1). Co-mentions for cybersecurity and ML also rose in 2016.

Historically, cybersecurity and AI developed independently from one another, in relatively separate tracks. Figure 1 indicates that no longer appears to be the case. For a variety of reasons, the intersection of cybersecurity and AI now represents one of the most promising avenues toward improved overall cyber health. In light of the continuing and escalating levels of breaches, the results of that intersection cannot come soon enough.

Figure 1 – Trends analysis: cybersecurity, AI, and ML in the same conversation

AI and machine learning have the potential to be among the most (if not the most) effective defenses available for critical systems. While the list of possible uses of AI and ML is extensive, the ability to provide real-time pattern-finding and anomaly-seeking capabilities remains at the top. In particular, the ability to utilize machine learning algorithms to efficiently and instantaneously respond to potential network threats would be a major improvement over many of today’s solutions. It’s important to note here that “network” can be any type of network (e.g., it could be referring to the CAN bus that exists in automotive applications).

One outstanding question, however, is who makes the decision to take a certain action? The human-based approach might look something like this:

• AI performs anomaly detection
• Human notified
• IT analysis
• Human response

while the machine-based approach might look something like this:

• AI performs anomaly detection
• AI performs analysis
• AI decides best method of response

From a liability perspective, a completely machine-based approach has some interesting characteristics. On one hand, as AI-based cybersecurity becomes a best practice, more reliance on the AI portion will be the default. On the other hand, the AI may make decisions that lead to harm to others. For example, if the decision made by the AI is to engage in some sort of active action, one view is that AI becomes an autonomous cyber weapon engaging in questionable activity.

In any event, artificial intelligence and machine learning have a firm seat at the cybersecurity table. Numerous security vendors and service providers are building this technology into their products and actively advertising their capabilities. A few have even started to boast about their results (at least in broad

Continued on page 42

1 Blog, “Cybersecurity’s Next Step: Artificial Intelligence Is Helping Predict, Prevent, and Defeat Attacks,” CB Insights, November 2, 2016 – https://www.cbinsights.com/blog/cybersecurity-artificial-intelligence/.

Herding Cats

My Machine Learns

By Branden R. Williams – ISSA Distinguished Fellow, North Texas Chapter

This year at RSA Conference there didn’t seem to be one big over-arching theme like we’ve seen in previous years. It was as if all of our popular themes were sitting in the White House press room, all begging to be singled out. Perhaps the most common themes I saw across multiple products were commentary on supporting DevOps in security and machine learning. DevOps may be the best over-arching, unifying theme that brings together the cloud, agile, rapid prototyping, and security communities. I was actually bummed that machine learning didn’t play a more prominent role, but perhaps that is an indicator that the technology’s status is so early in the emerging phase that the marketing people don’t know how to talk about it without looking like charlatans.

Of all the new tech out there, I believe machine learning has the most promising future. It will be able to replace some tools while augmenting others. If we can figure out how to balance the capabilities while at the same time preventing SkyNet, machine learning will be a critical contributor and layer in our security stack.

The technology is not new by any means, but it’s made a resurgence in the vendor space now that data science is much more prominent due to distributed computing power that was previously unavailable. Now that we can leverage some of these algorithms to build real-time scoring, it allows us to make better decisions about activity we see. New(ish) companies like Cylance and Invincea are poised to completely change how we think about endpoints, due in large part to the way we can leverage these models. If anyone remembers the behavior-based intrusion prevention systems from the days of yore, those were some of the earlier implementations of machine learning to be deployed in the information security field.

I do not consider myself a data scientist, but more of a data enthusiast. Some of my favorite research recently was debunking the widely held myth that customers will defect when a company suffers a breach.1 You could say I know enough to be dangerous, but I’m the kind of dangerous where I wouldn’t make a recommendation based on data analysis without really understanding how the algorithm works. This is something you don’t tend to see in the ways the solutions are marketed.

There is no doubt that you have seen a product come across your desk that claims to leverage machine learning in a way to make your life better. Sifting through the marketing noise to get to the meat of what is actually happening can be challenging as well. Data science’s explosion in recent years reminds me of the explosion of HTML and Web technologies in the mid 1990s. Everyone had a neighbor, brother-in-law, whiz kid in college, or Tom that could do great things with websites. Now that extremely powerful platforms such as Python and R are mature and freely available, anyone can be an armchair data scientist. I’ve gotten so used to it nowadays that my first inclination is to pull data into R instead of Excel because of the power of the tool (and its propensity to be stable with large data sets).

As you evaluate these technologies, remember that we’re all operating with limited but expanding budgets and that one new tool in could equal anywhere from one to three tools out. Perhaps one of the greatest benefits of new tooling like this is that the diversity between environments will continue to grow, making life as an attacker increasingly difficult.

Perhaps machine learning could also be used as a defensive mechanism when combined with software-defined networking. If certain behavior looks like an attacker, it could dynamically change systems around to confuse a bad actor who is working within the system while alerting those who operate the network to a potential intrusion. If the machine learning capabilities stretched far enough, it could even automatically adjust control points to block further action from the attacker.

Smart deployment of security resources is what wins the daily battle with people inside and outside your organization. It’s easy for me to write that, but it’s much more difficult to execute. It requires deep understanding of the tools you deploy, the threats you face, and the business strategy your company uses to compete in the open market—the latter part perhaps being the most critical to your success.

About the Author
Branden R. Williams, DBA, CISSP, CISM, is a seasoned infosec and payments executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his books, or reach him directly at http://www.brandenwilliams.com/.

1 You can see that here: http://brando.ws/2016Consumer.

Gray Hat

It’s the Technology, Stupid

By Mark Anderson – ISSA member, Australia Chapter

I’m going to break with conventional thought processes here to reveal in a most politically incorrect manner one of the many elephants in the infosec room.

We are always being told that if only we had strong passwords (some practices now call for 13 plus random characters) that we don’t write down and are different for all of our accounts, and we are suspicious of emails we can’t recognize, along with a huge set of other procedures, things would be OK. We are told that if only there is more education and awareness and caution on the part of the “unwashed masses,” the secure nirvana is within reach.

But what about when you follow all these rules and you still get hacked like a hot knife through butter? During my time in defense, at any one time I had to remember 29 different passwords and safe combinations, change them every 90 days (some needed changing every 30 days), not write any of them down, along with a massive number of other rules and procedures. Well, I wasn’t blessed with a photographic memory so I did write them down but avoided censure by locking the paper list up in a safe accredited for extremely sensitive material. And yet, my organization-supplied machine (for very low-level work only) for which I was forced to follow all these rules including rapid patching was still hacked. I found out since there were two hackers inside that started a little war between them to try and eject the other. Their fight caused a range of symptoms in the machine, and I had one of my engineers rather than the rule-book-waving network administrator do the analysis with me to get to the bottom of it using my own “special sauce” forensics. For my sensitive stuff I used my own air-gapped accredited networks of course.

For me, the two items that really bring home the issue are firstly, why can’t I read an email, whatever it is, and not have my computer totally trashed; I just want to read it! Is it really that hard to design and implement a system so that you don’t have to wonder whether you should open an email and get the cyber equivalent of anthrax? In some of my research, under controlled conditions my team used a project technology to demonstrate the automatic construction of a spear phishing email regarding an invoice expected by a user and containing an automatically selected exploit designed for the user’s machine. This was done by analyzing open source data. The user didn’t have a chance by inspecting the email header, or even its contents, and saying, hey, this is suspicious, no matter how much training he or she had. My team and I worked out that training and awareness wasn’t going to cut it in the long run for phishing.

Secondly, why can’t I just disable JavaScript, which is the vector of choice for 99 percent of malware coming in via web attacks? I don’t need to see the flying logos, so why can’t the server detect this declaration and serve up a nice simple static webpage alternative, given my more conservative security posture? But you know as well as I do you can’t operate anymore without JavaScript. Oh, I forgot, this would also disable the vendors’ own.

Having had the temerity to point out the issue, I now seemingly backflip and say that education, awareness, and good practice are absolutely essential and require significant ongoing investment for infosec. There is little excuse for a laissez faire approach to your practice and procedures or the presence of negligence. But for it to work, really work, and deliver the goods, it needs proper technologies that minimize reliance on a requirement for robotic perfection of humans. You can try and educate humans to the nth degree, but without being equipped with friendly, genuinely functional security technology, it’s not going to work; the first-order problem really lies with our security architectures and how we construct networks and the technology mix. Let’s stop pretending that current patching along with everyone becoming masterful cyber detectives are realistic priorities to secure the net and its endpoints. We need genuinely functional, properly implemented security architectures and clear guidelines where providers know quickly what to expect from your computer’s posture and how to deliver their web data according to your appetite for risk; not the other way around where you have to drop your defenses to the lowest common denominator otherwise nothing works.

Secure systems equals good practice plus good technology. Guess which variable is really underdone, causing a massive compensation of constraining practice and procedure that the vast majority of users cannot be expected to follow slavishly to make up the shortfall. It’s the Technology, Stupid.

About the Author
Gray Hat is an ACM Distinguished Engineer and principal inventor for several patented devices and major systems that have entered operational service with the US Armed Forces, as well as other national governments for high-grade information security purposes. He can be contacted at [email protected].

Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author’s and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.

It Is Time for New Thinking and Different Approaches to Cybersecurity

By Zuly Gonzalez

Humor can be a great way to communicate with people about serious subjects. One good example of this is the series of TV ads currently being run by a big identity theft-protection company.

We have all seen these ads. One shows a guard in a bank during a robbery. One of the customers lying on the floor says to him, “Do something.” His response: “Oh, I’m not a security guard; I’m a security monitor. I only notify people when there’s a robbery. There’s a robbery.”

Besides being clever and funny, the company’s ad captures a shortcoming in traditional security products and communicates it very clearly. Then the narrator asks the question: “Why monitor a problem if you don’t fix it?” Perhaps the more important question to ask is “Why monitor a problem, when it makes more sense to prevent it?”

This is the very same question that we in information security should be asking today, especially cybersecurity. It’s time to start thinking differently about new ways to solve these classic problems.

Why now? Do we not have a decent handle on cyber threats and attacks? The answer is a resounding “No!” as is made clear by even a cursory look at recent industry statistics and trends. Security spending is already substantial and continuing to grow rapidly, yet attacks are growing at an even faster pace and succeeding quite often. The reality is that traditional, detection-based security approaches are not working well.

Today’s pervasive detection-based approaches are largely reactive. That is to say, they provide solid protection against yesterday’s known attacks, but they are essentially useless against the new attacks of today and tomorrow. Reactive, detection-based approaches can only protect you from what they already know is bad. Additionally, taking a reactive approach means that malware is detected only after it has already penetrated an organization. At that point it is too late.

That is why we need some “the-world-is-round” type of thinking around cybersecurity. To put it another way, it is time we recognize the obvious and irrefutable fact that we need new and more effective ways to combat new and unrecognized attacks.

This is especially true in the web browsing realm, which is the source of around 85 percent of all malware today.1 Trying to discern which websites are good or bad, or which parts of those websites are safe, is an endless game of catch-up that the good guys just cannot win.

Isolation: A new approach to an old problem

Instead of focusing on hunting down the possible evil, a better approach is to prevent ALL web code from ever reaching a user’s computer. That is the idea behind isolation-based security, specifically browser isolation.

Browser isolation essentially creates a terminal point that is the end of the line for all website content. It is a place safely removed from the network being protected. None of the web content goes any farther than that terminal point, which is an isolated virtual machine either hosted in the cloud or in an on-premise server. What does continue on to the final destination – the users’ computers – are graphic representations of that content. To the end user, those representations look, act, and respond exactly like the actual website does, but no website content ever reaches the user’s computer. When a user’s browsing session ends, the entire virtual machine, and any malware it may have encountered, is completely destroyed.

The elegance of this approach is that it eliminates the need to try to determine whether a website or specific web content poses any threat. Browser isolation treats all sites and all content as potentially dangerous, and stops any of it from reaching the user’s computer. With this approach, users can view and interact with web content as they normally do – without the potential risk of compromising endpoints.

Why detect threats when you can stop them?

Browser isolation is a radically different but highly effective way to mitigate the significant web-based malware threat. To gain this protection for their organizations, leaders need to be open-minded about new, innovative approaches to classic problems that have been plaguing the security industry for decades. As the bank customers in that TV ad might say, “Don’t just recognize the problem. Fix it.” With browser isolation, organizations can do just that.

About the Author
Zuly Gonzalez is co-founder and CEO at Light Point Security. Previously, she was a program manager at the NSA. She has decades of experience in cybersecurity and national security as both a practitioner and a manager. She may be reached at zuly.gonzalez@lightpointsecurity.com.

1 Chris McCormack, “The Four Rules of Complete Web Protection,” Sophos, Dec. 11, 2011 – https://www.sophos.com/en-us/medialibrary/Gated Assets/white papers/sophos4rulescompletewebprotectionwpna.pdf.

8 – ISSA Journal | April 2017

Perspective: Women in Security SIG
WIS SIG Mission: Connecting the World, One Cybersecurity Practitioner at a Time

Security Technology Market, Predictions, and Future Cyber Focus

By Rhonda Farrell – ISSA Fellow, Baltimore, National Capital, and Northern Virginia Chapters

Multiple recent studies have placed cybersecurity market forecasts at a low of $3.5B in 2004 to a high of $120B in 2017, a more than thirtyfold increase over thirteen years. Additional growth is expected to fall into the twelve-to-fifteen-percent range through 2021, while further trending depicts a $1 trillion market by 2025. The president’s FY 2017 budget alone includes $19B, a 35 percent increase over 2016 levels of $14B [1].

Industry prognosticators indicate that likely future expenditures in security technologies are due to (1) rising levels of cybercrime, including data damage or destruction, intellectual property theft, personal and financial asset and data theft, operational disruption, and reputational harm; (2) mobile malware; (3) destructive DDoS attacks via vulnerable (industry) IoT architectures and devices; (4) ransomware gains; (5) cyber propaganda; (6) drone-jacking; (7) insider threat; (8) voice-activated AI; and (9) the first official act of cyberwar [1][2][3][4].

A brief analysis of the technological capabilities being focused on by industry giants includes:

• Adaptive security architectures
• Cloud security advances
• Drones
• Hardware
• Internet of Things
• IPv6 buildouts
• Mobile security
• Security analytics (artificial intelligence and machine learning)
• Software-defined networking and WANs
• Threat intelligence sharing
• Utilization of non-traditional security workforce personnel [1][2][3][4][5]

For the last decade plus, the cyber focus has been on creating value for the business and stronger alignment to the mission through the intelligent implementation and operation of a multi-faceted cybersecurity program focused on driving workforce efficiencies, deepening cyber expertise, strengthening defensive capabilities, and increasing operational resiliency [6][7][8]. However, focusing on these disparate programmatic elements individually usually results in sub-optimal results in each area, unless the initiatives are tightly coupled to strategic intent and supported by more than the likely largely over-burdened chief information security officer.

If we look at these security technologies as part of a bigger governance, risk, and compliance puzzle, we see that the collection, assessment, selection, and implementation of new security technologies is really a global change management opportunity.

There are a plethora of change models for enterprises to integrate into cohesive and effective change-management programs, including ADKAR, Kotter’s 8-step, McKinsey 7-S, Lewin’s force-field analysis, management of organizational change (MOC), and other approaches [11]. Contrary to popular belief, the model selected does not have to be elaborate. Two industry resources advocate for a workforce-centric (employee) change focus that not only helps to reduce change fatigue but can increase the firm’s bottom line via productivity enhancements along the service-profit chain. CEB, Inc. Global identifies the core building blocks of a change-capable workforce as (1) comprehension (information and training), (2) agility (learning and practicing new approaches), (3) network (strong relationships), (4) direction (performance directions), and (5) outcome expectations (predictive outcomes and implications), while HP Enterprise focuses on the following three in its MOC approach: (1) lead by example (walk the talk); (2) use communication and engagement to drive awareness and understanding; and (3) focus on change internalization opportunities [10][11].

Additionally, both non-technical and technical considerations need to be taken into account when undertaking cyber changes. Advocates of this approach, much like the above, speak to incorporating a multi-disciplinary approach, which focuses on people, processes, and technologies across every level of an organization. Previously successful security technology change implementations have utilized a program that includes integration with domain-specific stakeholders, high levels of communication, cost/benefit analysis, and cross-functional impact analysis to reduce risk and keep the enterprise’s stock value high (if applicable) [9]. Recent research has shown that for most executives cybersecurity-related change drivers include macroeconomic influences (policy and regulations, political environment, competitive landscape), organizational changes, and a plethora of technological changes, thus making change a continuous and ongoing activity rather than discrete periodic events. The rate of acceleration is causing problems for the workforce and enterprise as a whole, oftentimes further inducing declining productivity, project failures,

Continued on page 34

Security in the News
News That You Can Use…

Compiled by Joel Weise – ISSA Distinguished Fellow, Vancouver, BC, Chapter and Kris Tanaka – ISSA member, Portland Chapter

House Republicans Would Let Employers Demand Workers’ Genetic Test Results
http://www.msn.com/en-us/money/careersandeducation/house-republicans-would-let-employers-demand-workers’-genetic-test-results/ar-AAo5Qb1?li=BBnb7Kz ; http://www.natlawreview.com/article/house-committee-passes-hr-1313-allowing-employers-to-collect-genetic-information
From a privacy standpoint—I’m speechless. Even if genetic tests were only used for their intended purpose, which is suspicious at best, where are the protocols and measures for protecting such information? Who owns it? What rights does an individual have to correct erroneous results? And the list goes on. As the National Law Review states, “If H.R. 1313 passes…employers will still need to meet the requirements of…state laws regarding storage of sensitive personal information.” Why do I not feel better reading that?

Lessons from the CIA Hacking Leak: How to Keep Your Data Secure
https://www.bloomberg.com/news/articles/2017-03-08/lessons-from-the-cia-hacking-leak-how-to-keep-your-data-secure
Here’s a reasonable perspective on the latest WikiLeaks release of CIA hacking tools. In short, don’t panic! The tools that are used, such as Signal and WhatsApp, are secure in and of themselves. It appears that the tools the CIA has employed fall into the usual categories of zero-day exploits and good old-fashioned man-in-the-middle attacks. Therefore one of the best things you can do to protect yourself is to refrain from downloading untrusted apps or falling for clickbait.

Federal Criminal Probe Being Opened into WikiLeaks’ Publication of CIA Documents
http://www.cnn.com/2017/03/08/politics/wikileaks-cia-investigation/index.html
To leak or not to leak, that is the question. On one hand, watchdog reporting is important when it comes to government organizations. On the other hand, what happens when those disclosures equip attackers with tools and information that could do us harm?

How to Keep Messages Secure
http://www.teenvogue.com/story/how-to-keep-messages-secure
You know that message security is going mainstream when an article like this one appears in Teen Vogue. When it comes to apps, I’m a fan of Signal and Facebook Messenger since both platforms are well designed and contain the type of tools that I would recommend. Overall, the article offers good advice for readers of all ages.

Google Invites Open Source Devs to Give E2Email Encryption a Go
http://www.technewsworld.com/story/84351.html
In related news, Google has released the E2Email encryption code to open source. Currently, the code apparently only supports text and PGP/MIME, but I guess you have to start someplace. Let’s see where this goes.

Apple iPhone and Android Phones Hacked by CIA: WikiLeaks
http://www.siliconbeat.com/2017/03/07/apple-iphone-and-android-phones-hacked-by-cia-wikileaks/
You might not be paranoid after all, thanks to the latest WikiLeaks reveal. It turns out that the CIA does have the power to spy on you from your mobile phone. This is another good reason for end-to-end encryption.

Google Voice Search Records and Keeps Conversations People Have around Their Phones – But the Files Can Be Deleted
http://www.independent.co.uk/life-style/gadgets-and-tech/news/google-voice-search-records-stores-conversation-people-have-around-their-phones-but-files-can-be-a7059376.html
Apparently the CIA is not the only one listening to us. Google, in order to improve its language recognition functionality, has been quietly recording our conversations for years.

Proposed Bill Would Legally Allow Cyber Crime Victims to Hack Back
http://thehackernews.com/2017/03/hacking-back-hackers.html
There could be a real debate on this topic, but let’s keep the politicians out of it. The retributivist in me would like to see something like this become a reality. But, when thinking more rationally, it’s not really a good idea. The article provides some good insights into the different scenarios that politicians may not have considered. For example, what happens when a DDoS attack occurs using millions of innocent victims’ computers, which then in turn get attacked? A possibility for unintended consequences?

IBM’s Quantum Leap Could Redefine “Magic”
http://www.technewsworld.com/story/84349.html
Is quantum computing revolutionary or evolutionary? I, for one, am not sure, but the author seems to think it is revolutionary. Certainly there is some potential here. And from an information security perspective, it is something we should keep an eye on. Imagine what a quantum brute-force-based crypto-attack would look like.

US Senate Votes to Let Broadband ISPs Sell Your Browser Histories
http://www.theregister.co.uk/2017/03/23/senate_votes_to_let_isps_sell_browser_histories/
It’s back. In a nutshell, “The US Senate has voted to kill privacy rules that would have prevented ISPs from selling your browser history, under the fantastic logic that mobile operators aren’t under the same restriction.” Seriously?

Tribute
Howard A. Schmidt: ISSA Legend and Industry Lion Lost at 67

The ISSA family lost a friend, a mentor, and a leader.

On Thursday, March 2, 2017, at the age of 67, Howard A. Schmidt lost a long battle with brain cancer.

He is survived by his wife, Raemarie J. Schmidt, a computer forensic scientist, and his four children and eight grandchildren.

Howard was a key ISSA leader. He served as the ISSA International President from 1999-2002 and again from 2006-2010. He was also the most decorated member of ISSA, having achieved all of the highest honors bestowed to an ISSA member: Distinguished Fellow, Hall of Fame, Honor Roll, and the President’s Award for Public Service. He was a true friend and mentor.

We will miss him greatly.

~ Andrea Hoy, ISSA International President

From the Beginning, He Served Others…

Howard started his decorated military career by enlisting in the US Air Force in 1967. He completed three tours of duty in Southeast Asia during the Vietnam War, earning three Bronze Stars. He was a Chief of Transportation and Deputy Director of Resource Management until 1982. He served in the Arizona Air National Guard with the 161st Communications Squadron from 1989 until 1998, when he transferred to the US Army Reserves as a Special Agent, Criminal Investigation Division (CID), where he served until his military retirement.

Howard was a police officer for the Chandler Police Department in Arizona from 1983 to 1994. He served on the SWAT team and the Organized Crime and Drug Enforcement Unit, and formed and led the Special Enforcement Team. In 1994, he accepted a position with the FBI’s National Drug Intelligence Center, where he headed the Computer Exploitation Team. He then joined the Air Force Office of Special Investigations (AFOSI) as a Supervisory Special Agent and Director of the Computer Crime and Information Warfare Division. In 1996, while serving in that position, he established the first dedicated computer forensic lab in the federal government, which was the basis for the formation of the Defense Computer Forensic Laboratory (DCFL).

In 1997, Howard joined Microsoft as the Director of Information Security, Chief Information Security Officer, and later Chief Security Officer. In December 2001, shortly after 9/11, Howard was appointed by President George W. Bush as the vice chair of the President’s Critical Infrastructure Protection Board (CIPB) and as the Special Adviser for Cyberspace Security for the White House. While there, he assisted in the creation of the National Strategy to Secure Cyberspace and later assumed the role of chair of the CIPB. In May 2003, he joined eBay as a Vice President and Chief Information Security Officer.

In December 2009, Howard was named Cybersecurity Coordinator and Special Assistant to the President for National Security Affairs by President Barack Obama. He retired from the White House and government service in May of 2012.

Howard was a board member of (ISC)², a professor of practice at the Georgia Institute of Technology, Professor of Research at Idaho State University, adjunct distinguished fellow with Carnegie Mellon’s CyLab, and a distinguished fellow with the Ponemon Institute [1].

He Left His Mark As an Industry Leader and Mentor

Howard’s diverse interest in a wide array of topics made him a highly effective information security industry leader and mentor. He was always interested in leading others to solve some of the most complex problems. His gift was to understand the capabilities of the individual and bring them together as a team. He was generous with his time, which he gave extensively to ISSA members and the industry as a whole. Upon his passing, many came forward with remembrances of how he touched them personally and professionally.

A Renaissance Man Through and Through

Howard had a passion for life and wide interest in many worldly pursuits. He was an avid outdoorsman, a ham radio operator (W7HAS), a private pilot, and an avid Harley-Davidson motorcycle rider. He was an “early adopter” who was always eager to realize the full potential of the latest technology. He loved to travel with his wife and spend time with his grandchildren.

Howard A. Schmidt Scholarship (www.ISSAEF.org)

In honor of Howard’s leadership, industry accomplishments, and mentorship, the ISSA Education Foundation has established the Howard A. Schmidt Scholarship in his name. You can make donations by visiting www.issaef.org/donate.

Remembrances

MANY OF YOU KNEW HOWARD as a president of ISSA, a speaker at your local ISSA events, an inspiration to your career, a mentor, and a friend. Howard was a consummate professional, a dedicated patriot, and a champion of ongoing learning. On a personal note, Howard was the one who first gave me the moniker the Godmother of ISSA, which we both smiled about over the years, and a title I regard fondly, remembering him.
~ Sandra M. Lambert, ISSA founder and Past President 1984-1985, chair of the ISSA Education Foundation.

HOWARD WAS SUCH A GOOD person who served our country, served the information security community, and served ISSA International so well for a very long time. Thank you, Howard, for who you were, what you did, and how you lived your life.
~ Bill Danigelis, former ISSA International Board Member and ISSA Silicon Valley Chapter President.

HOWARD AND I SERVED on committees and boards together in ISSA and (ISC)². He lent his gravitas to both organizations, and when he became a political figure at the White House, he gave our entire profession a boost. We will miss him.
~ Ralph Spencer Poore, ISSA Distinguished Fellow.

INTEGRITY AND HONESTY were of the utmost importance to Howard…he was such a stand-up guy. SecureWorld wouldn’t be SecureWorld today without Howard.
~ Michael O’Gara, ISSA member, founder and President of SecureWorld [2]

HE QUICKLY BECAME a dear friend and confidante. Over the years, he has been a caring mentor and friend to so many of us who play different roles in this space. He quite simply was a pioneer who helped shape this industry. I will miss him. We all will.
~ Illena Armstrong, Vice President of Editorial, SC Media [5]

AS THE AUTHOR of this tribute article I would like to say, I will miss Howard as an industry giant and generous mentor. However, I will miss his friendship the most. It was my honor to serve with him on the ISSA International Board and the (ISC)² North American Advisory Board. During our meetings Howard would always find a moment to vigorously debate the latest cyber challenge, always looking for a better solution. While he deeply loved his profession, he valued his family most and offered me meaningful sage advice: Brian, make sure you spend quality time with your family. What we do is important, but nothing is more important than family. Howard always sought justice, insisted on excellence, and vigorously exercised integrity in everything he did. I will miss him greatly. His impact on our industry, our association, and us personally will endure.
~ Brian Schultz, ISSA Distinguished Fellow, former ISSA International Board Member and NOVA Chapter President

I CAN STATE CATEGORICALLY that much of my professional success I owe to Howard’s drawing me into things, like the National Strategy to Secure Cyberspace. That said, what I remember most and will miss the most is that Howard had one of the biggest hearts of anybody I know. He radiated kindness. When you talked to him, his involvement was such that you felt like the most important person in the world to him. The loss we are all feeling is not merely a “leading light” in security—he was all of that—but the loss of someone we all knew and treasured, because he treasured each of us as individuals and as friends. A dear soul: he will be so dearly and dreadfully missed.
~ Mary Ann Davidson, ISSA International Board Member and CSO, Oracle.

AFTER MEETING HOWARD, I recognized instantly his leadership skills….having a winning smile and warm personality. Howard was perhaps one of the single, most-recognized information security personalities since the inception of the practice. He is famous and known worldwide simply as Howard.
~ Patricia A. Myers, ISSA Past President, ’97-’99

HE WAS GENUINE and approachable and truly wanted to hear everyone’s thoughts and concerns. His friendship meant a lot to me. He will be truly missed—by me personally, and by our industry. Howard was one of the greats.
~ Kevin Richards, ISSA Past President 2010-2012

HOWARD WAS A LONGTIME leader of ISSA. He served because of his love of the profession and his duty to help the association.
~ Ira Winkler, ISSA Past President 2012-2015

HOWARD WAS A MENTOR to me as well as many others. It was he who encouraged me to stand for the International Board. He was an amazing inspiration to us all!
~ Geoff Harris, ISSA International Board Member and former ISSA UK Chapter President.

IN MY ROLE AS CEO of (ISC)², I had the opportunity to travel and work closely with Howard. He was always someone I found easy to admire professionally, but the opportunity to get to know him personally is something I will always cherish. We’ve not only lost an incredible person, we’ve lost a long-standing contributor to the global security community.
~ David Shearer, CEO, (ISC)² [3]

HOWARD WAS A KEY FIGURE in many of the industry’s seminal milestones, from the launch of Trustworthy Computing at Microsoft to the establishment of a cybersecurity capability in the federal government in the wake of 9/11. Howard was a bundle of energy that was fueled by intense patriotism and a great sense of humor. He had a friend in every port, and although he is gone too soon, he accomplished more in his time than any of us can dream to match. Godspeed, Howard, and thank you for your wisdom and friendship.
~ Jim Reavis, Former ISSA Executive Director and CEO, Cloud Security Alliance [4]

[1] http://www.beckerritter.com/memsol.cgi?user_id=1930466.
[2] https://www.secureworldexpo.com/industry-news/in-remembrance-of-howard-schmidt-cyber-legend.
[3] https://www.isc2.org/longtime-isc2-volunteer-professor-howard-schmidt-leaves-lasting-legacy-on-information-security-industry.aspx.
[4] http://www.csoonline.com/article/3176764/techology-business/infosec-mourns-over-howard-schmidt-who-helped-make-the-country-a-safer-place.html.
[5] https://www.scmagazine.com/howard-schmidt-leaves-indelible-influence-on-cybersecurity/article/641746/.

Association News

CISO Executive Forum
ISSA.org => Learn => CISO Executive Forum

The CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a peer-only environment. Membership is by invitation only and subject to approval. Membership criteria will act as a guideline for approval.

Washington, DC – April 20-21, 2017: Information Security, Privacy, and Legal Collaboration
Las Vegas, NV – July 23-24, 2017: Security Awareness and Training—Enlisting Your Entire Workforce into Your Security Team
San Diego, CA – October 11-12, 2017: Payment Strategies: The Game Has Changed

For information on sponsorship opportunities, contact Joe Cavarretta, [email protected].

Chapter Events
ISSA.org => Learn => Event Calendar

• April 3-7, 2017: Austin, Texas. “Computer Hacking Forensic Investigator (CHFI v9) Training and Certification.” For details and registration: www.issa.org/events/EventDetails.aspx?id=923857&group=
• April 9-11, 2017: Dubai, UAE. “2nd Annual - GCC ICS Cyber Security Forum Dubai 2017.” For details and registration: www.issa.org/events/EventDetails.aspx?id=894790&group=
• April 19, 2017: Denver, Colorado. “Denver Chapter Women in Security Kick Off Event.” For details and registration: www.issa.org/events/EventDetails.aspx?id=941558&group=
• April 20-21, 2017: Columbus, Ohio. “10th Annual Central Ohio InfoSec Summit.” For details and registration: www.issa.org/events/EventDetails.aspx?id=946797&group=

Get your events published in the ISSA Journal and E-News. You will build chapter activities, and your sponsors will appreciate the extra publicity. Send your events with the following information in this exact format: Date, Chapter Name, Time, Location, Title, Speaker, Sponsor, and a hyperlink to Details and Registration. Email to [email protected]. For more ISSA and industry events, visit the ISSA Calendar.

CSCL Pre-Professional Virtual Meet-Ups

So, you think you want to work in cybersecurity? Not sure which way to go? Not sure if you’re doing all you need to do to be successful? Check out Pre-Professional Virtual Meet-Ups to help guide you through the maze of cybersecurity.

ISSA.org => Learn => Web Events => CSCL Meet-Ups

April 27, 2017: 11am – 12:30pm ET. Navigating Different Career Paths into the Profession.
Many wonder how to get started in information security. This meetup will talk about the various paths into the profession and the different types of roles within the profession. It’s not just hacking anymore. Information security requires a vast variety of skills to perform all of the functions of the profession. From pen tester to security program manager, learn about the different skillsets needed, and what the job is really like.

ISSA CISO Virtual Mentoring Series

LEARN FROM THE EXPERTS! If you’re seeking a career in cybersecurity and are on the path to becoming a CISO, check out the following as well as the 20 webinars from April 2015 through January 2017!

ISSA.org => Learn => Web Events => CISO Mentoring Webinar Series

April 13, 2017 - 1:00 pm - 2:00 pm Eastern. So You’re in Charge of a Security Program, Now What?

Elevate Your Career with Writing Experience

As a security professional, you have unique and valuable experiences, insights, and information that could positively impact infosec practitioners around the world. Exchanging that wealth of knowledge in our ever-evolving field is vital in helping us all do our jobs better and achieve our individual career goals. Effective writing is an essential skill for achieving your career goals. Yet very few of us are published authors. Do you have an article in mind? Would you find it helpful to bounce your ideas off of other members who have been published, and get their feedback on your drafts?

The Journal’s Editorial Advisory Board will match you with an experienced author as a resource to help you practice and refine your skills, communicate your knowledge, and raise your visibility and stature.

Join Friends of Authors today: ISSA.org => Learn => Members => Author Support

Looking to Begin or Advance Your Career?
ISSA.org => Career => Career Center

The ISSA Career Center offers a listing of current job openings in the infosec, assurance, privacy, and risk fields. Visit the Career Center to look for a new opportunity, post your resume, or post an opening. There are 1059 job opportunities as of 3/30/17. Questions? Email Monique dela Cruz at mdelacruz@issa.org.

Special Interest Group Webinars
ISSA.org => Learn => Special Interest Groups

Want to hear more from ISSA’s Special Interest Groups? Join free.

Women in Security SIG – April 10, 2017: 4:00-5:00 pm Eastern. Technology Leadership Series - Part II
Healthcare SIG – April 6, 2017: 12:00-1:00 pm Eastern. Open Healthcare SIG Meeting

Strategic Partners

ISSA International has entered into strategic partnerships with a number of organizations that include cross-promotion of our mutual activities.

ISSA, MindEdge Bring Online Education to ISSA Members

ISSA members now have access to state-of-the-art online learning under an alliance with MindEdge Learning. The alliance provides a special discount for MindEdge’s catalog of courses, which includes cybersecurity and business courses including CISSP exam prep, project management, six sigma, business communication, sustainability, finance, creativity and innovation, entrepreneurship, and others.

“This new alliance with MindEdge is an excellent tool to increase the value of ISSA membership,” stated Keyaan Williams, international director and chairperson for the Strategic Alliances Committee.

Founded in 1998 by Harvard and MIT educators, MindEdge specializes in higher education and professional development content and technology solutions and continues to innovate in the rapidly changing landscape of online education. “We’re delighted to join with ISSA in offering online learning that is both convenient and effective for its members,” said Jefferson Flanders, CEO and president of MindEdge.

All of the courses are mobile-enabled, meaning that ISSA members will have the option to access information via a desktop, laptop, tablet, or smartphone.

Visit ISSA.org => Learn => Mind Edge Courses to peruse the catalog of over one hundred courses.

Evolution of Cryptography
2-Hour Live Event: Tuesday, April 25, 2017, 9 am US-Pacific / 12 pm US-Eastern / 5 pm London

Encryption: the ultimate protection for individuals, or a weapon of mass destruction for terrorists? This debate has been going on since the early ’90s; has anything really changed? This webinar will frame the debate and provide the background for the next round of these discussions. As the password dies and the Internet of Things rises, cryptography is destined to become the backbone of data protection and access control. And yet cryptography remains a niche in most organizations, and many harbor concerns over “back doors,” quantum threats, reliance on out-of-date standards (FIPS), poor key management, lack of security training, and limited innovation. So, can cryptography take the heat? Is cryptography ready for prime time?

For more information on this or other webinars: ISSA.org => Learn => Web Events => International Web Conferences

The Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. Open Forum articles are not intended for reporting news; they must provide insight, opinion, or commentary to initiate a dialog, as would be expected from an editorial. Articles should be 700-800 words and include a short bio and photo. Please submit to [email protected]. Note that accepted articles may be eligible for CPE credits.

Feature: The Whys and Wherefores of Innovation in the World of Cybersecurity

By Avani Desai Fifteen years ago the security market was much smaller with an eclectic mix of commercial and open source tools. Now we have a tidal wave of security vendors offering a staggering number of options. The article looks at the driving forces behind the vanguard in security and the new technologies that make up second-generation security solutions.

Here we are in 2017, and it seems as if there is at least one new security firm filing papers in Delaware almost every day. Cybersecurity is a hot topic, with security threats and attacks increasing at a rate never seen before. This is creating a demand for fixes, and cybersecurity is big business, with CIO magazine placing cybersecurity as one of its eight hottest startup trends of 2017.1

Fifteen years ago the security market was much smaller, with an eclectic mix of commercial and open source tools. Now we have a tidal wave of security vendors offering a staggering number of options. This leaves security practitioners with a real problem: how do we balance the best of the new with the risks that our organizations face when we must consider legacy tools and infrastructure?

Fortunately, the security industry is helping us to solve this conundrum by bringing out new technologies. These technologies have been developed to replace first-generation security tools that relied on more closed infrastructures and a less distributed attack surface. These new-generation tools offer a more intelligent approach toward dealing with a modern cybersecurity threat profile. Many of these new tools bridge the gap between modern working methods and legacy systems.

This article looks at the driving forces behind the vanguard in security and the new technologies that make up second-generation security solutions.

Opportunities driving cybersecurity technologies

The explosion in security technologies is a reaction to the explosion in security threats. This is driving the market, with vendors and investors alike wanting a piece of the cybersecurity pie, which has resulted in an increase in security spending: Gartner puts worldwide spending on information security in 2016 at around the $82 billion mark.2 And this spend is expected to increase markedly, with the analysts Cybersecurity Ventures forecasting that cumulative cybersecurity spending will exceed $1 trillion between 2017 and 2021.3 These sorts of figures attract investment, and the first ever Cyber Investing Summit4 was held last year in New York.

This is translating into vendors focusing in on certain trends and areas of technology to build products that meet the changing security needs of commerce. The eyes of software designers and developers are not only on openings created by new technology paradigms, such as the Internet of Things, but also on new ways of working. This combination of technology and human ecology is bringing with it new cybersecurity attack vectors too, creating a circle of supply and demand. The security ducks are lining up to create a perfect landscape for cybersecurity good guys to take on cybersecurity bad guys with new and effective products.

The areas that are driving innovation in cybersecurity include the following.

The complete deperimeterization of the enterprise: The last 10 years have seen major changes in the way we work. Global Workplace Analytics5 found that since 2005, non-self-employed, regular “at-home” working has increased by 103 percent. In other words, more of us work remotely. This change in the way we work brings with it technology challenges. How

ing solutions in the form of new security tools that can handle more complex policy challenges.

Everything connected: The Internet of Things (IoT) has taken off like a proverbial rocket. Industry sectors as different as agriculture and health are embracing the IoT and finding novel ways to increase productivity and lower costs. The downside to the IoT, however, is that some IoT vendors ignore accumulated security knowledge and crank out shovelware that’s vintage 1994. A second factor is the effect of creating a massively distributed attack surface for cybercriminals to take advantage of. The amount of data, and the complex life cycle of data being shared across multiple, disparate endpoints, is a massive opportunity for cybersecurity vendors. In addition, the IoT is proving to be a perfect medium for DDoS attacks against commercial sites, as the Mirai botnet attack against the Dyn servers late last year testifies.6

1 James A. Martin, “8 Tech Startup Trends to Watch in 2017,” CIO, Nov. 30, 2016 – http://www.cio.com/article/3145457/startups/8-tech-startup-trends-to-watch-in-2017.html.
2 Gartner, “Gartner Says Worldwide Information Security Spending Will Grow 7.9 Percent to Reach $81.6 Billion in 2016,” Gartner Newsroom, August 9, 2016 – http://www.gartner.com/newsroom/id/3404817.
3 Cybersecurity Ventures, “Cybersecurity Ventures Predicts Global Cybersecurity Spending Will Exceed $1 Trillion from 2017 to 2021,” Cybersecurity Ventures – http://cybersecurityventures.com/cybersecurity-market-report/.
4 2017 Cyber Investing Summit – http://cyberinvestingsummit.com/.
do you access your enterprise network remotely, being one Compromise for an easy living: Once upon a time, being a such challenge. And when you do pop back into the office, do cybercriminal was hard work. You had to have a reasonable you use the same laptop you did at home? This has had the level of technical competence, and you usually had to know effect of breaking down the security walls previously used to how to program. Now, cybercrime has entered the world of keep the bad guys out. This area alone has opened enormous automation and is accessible to all. One of the greatest chal- challenges: how to identify and authenticate a person across lenges of the security industry is the proliferation of “cyber- multiple domains, being just one example. This has opened crime-as-a-service” tools. The cybercrime “tools of the trade” market opportunities for security vendors who are develop- have never been easier to use, with rental models springing

5 “Latest Telecommuting Statistics,” Global Workplace Analytics – http:// 6 Scott Hilton, “Dyn Analysis Summary of Friday October 21 Attack,” DYN, Oct 26, globalworkplaceanalytics.com/telecommuting-statistics. 2016 – http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/.

Manage Risk. Build Trust. Embrace Change. Key benefits • Reinvent your approach to security and risk for the digital age • Embrace new ways of protecting vital assets without slowing interactions • Learn how to shift to more adaptive, dynamic, people-centric approaches to security • Build a trusted, resilient environment for digital business

For more information and to register, visit gartner.com/us/securityrisk. Use promotion code GARTMP1 to save $300 on the standard registration rate.

Gartner Security & Risk Management Summit 2017

June 12 – 15 / National Harbor, MD / gartner.com/us/securityrisk

© 2017 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a Jeffrey Wheatman registered trademark of Gartner, Inc. or its affiliates. For more information, email [email protected] or visit gartner.com. Director, Gartner Research

April 2017 | ISSA Journal – 17 The Whys and Wherefores of Innovation in the World of Cybersecurity | Avani Desai up across the dark Web. And with 2016 and 2017 seeing great- nology. Below are some of the key technological innovations er numbers of malware appear than ever before,7 cybercrime working towards cybersecurity threat resolution. really does seem to pay. This onslaught of attack models with fluid and obfuscated malware signatures is yet another driv- Machine learning technologies/behavioral analytics ing force for security firms to innovate in cybersecurity solu- Machine learning algorithms are being deployed in several tions. ways in the fight against cybercrime. One of the main ap- Extended supply chain: A mix of globalization and Internet plications of machine learning in cybersecurity is in event connectedness, including the IoT and , has monitoring. Detecting events that are anomalies is often a led to the supply chain becoming increasingly complex. Risk way of spotting something untoward happening on a system. factors across the chain are forcing innovation to manage the This may be malware becoming active on the system, or per- wide scope of cybersecurity threats that can travel across the haps an insider threat coming to fruition. Without machine chain, impacting all members. learning a human being must be skilled enough—and have enough time—to wade through the plethora of data to spot Security policy updates: As our working environment chang- those anomalies. Machine learning algorithms, trained to es, the policies and legislation that cover the wider security identify unusual behaviors, are now being increasingly used arena are updating to accommodate those changes. Over the to do this job. last two years several policy updates affecting privacy and se- curity have been made. 
These include the NISTCybersecurity One of the complaints about machine learning applied to cy- Framework8 updated in January 2017 and the executive order bersecurity is that it tends to throw up false positives. MIT 10 from the Trump administration on “Strengthening US Cy- has come up with a solution to this using a mix of artificial bersecurity and Capabilities.”9 This executive order sets out intelligence (AI) and human interaction. The system, called the intention to look at ways of incentivizing private industry AI2, uses machine learning to look through masses of data to to adopt cybersecurity measures stating that: find patterns, which it then presents to human operators who analyze those patterns. It has shown to be effective in spotting “All agencies shall comply with any request of the co- 85 percent of security breaches. chairs to identify those economic policies and incentives capable of accelerating investments in cybersecurity tools, In the case of an insider threat, anomaly detection and trend services, and software. “ spotting are even more subtle as it is often entitled users who are perpetrating the attack—being able to tease out legitimate Which cybersecurity technologies are advancing events from illegitimate ones requires a layer of behavioral these opportunities? analytics. The opportunities set out above are driving innovation in There are a lot of companies working in machine learning several key areas in cybersecurity. Product designers and de- and behavioral analytics as applied to cybersecurity. The velopers, as well as security consultancies, are focusing in on companies are integrating AI and machine learning products several of those areas, hoping to resolve the issues generated directly into their commercial computers to offer advanced by the changes we are seeing in our work practices and tech- malware detection. Deception technologies 7 AV Test, “Malware” – https://www.av-test.org/en/statistics/malware/. 
8 NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” National As struggles to keep up with the increas- Institute of Standards and Technology, January 10, 2017 – https://www.nist.gov/ sites/default/files/documents/2017/01/30/draft-cybersecurity-framework-v1.1-with- ing numbers of malware types, the new vanguard in malware markup.pdf. prevention—deception techniques—is being used to fight 9 “Read the Trump Administration's Draft of the Executive Order on Cybersecurity,” Washington Post – https://apps.washingtonpost.com/g/documents/world/read-the- “fire with fire” in the world of cybercrime. These are traps trump-administrations-draft-of-the-executive-order-on-cybersecurity/2306/. to catch a cybercriminal in the act. They are usually small pieces of code, or fake assets, left on a system that are stra- tegically placed to entice and catch a hacker, sending alerts once tripped. Several companies are offering this type of new approach to preventing malware infection. Cloud access security brokers Evolution of Cryptography In our new world cybersecurity order, we have two challeng- 2-Hour Live Event: Tuesday, April 25, 2017 es that are compounding problems: one is the movement of 9 am US-Pacific/ 12 pm US-Eastern/ 5 pm. London services into the cloud, and the other is the lack of security Click HERE to register. talent. This is opening new solutions via security-as-a-ser- vice. Gartner predicts that by 2020 85 percent of enterprises For more information on this or other webinars: will be using a cloud access security broker (CASB), but just ISSA.org => Learn => Web Events => International Web Conferences 10 Adam Conner-Simons, “System predicts 85 percent of cyber-attacks using input from human experts,” MIT News, April 18, 2016 – http://news.mit.edu/2016/ai- system-predicts-85-percent-cyber-attacks-using-input-human-experts-0418.

18 – ISSA Journal | April 2017 The Whys and Wherefores of Innovation in the World of Cybersecurity | Avani Desai what does this technology offer? A CASB is a software ap- browser session within a virtual machine, isolating it from plication or “middle-man” that ensures your security policies the rest of the network. Even if a worker goes to a malicious are applied across the divide between on-premise devices and site, any malware on the site will not affect him nor the rest your cloud provider. A CASB will enforce policies around au- of the network. thentication, encryption, single sign-on, and tokenization to protect the security and privacy of data, following the NIST Let battle commence 11 Cybersecurity Framework protocols. The past three years in the world of cybersecurity have been disturbing. According to an IBM/Ponemon Institute study13 Evolving alternatives to signature-based malware detection the average cost of a data breach for a US company in 2016 Malware detection is becoming difficult because cybercrim- was just over $7 million, a seven percent increase over 2015— inals are becoming ever more aware of methods of avoiding 12 also a bad year for data breaches. Ransomware costs have also detection. The recent Stegoloader malware, which uses an spiraled in 2016 with an estimated $1 billion paid out.14 With obfuscation method known as steganography, is a case in cost levels of this magnitude hanging over our heads, we have point. To counter this, new technologies to detect malware are little choice in turning to security vendors to help us. Thank- being developed. 
Solutions such as anti-exploit software can fully, the industry is taking this seriously and building fit- protect against the harm of online exploit kits, which are typ- for-purpose second-generation toolkits that will give us the ically behind the drive-by-download phenomena of automat- means to take on the cybercriminals and win them at their ed malware infection through browser-based vulnerabilities. own game. The mix of intelligent solutions, with an aware- Firms offer protection against malware infection through a ness and understanding of the tricks of the cybercriminals community approach: endpoint detection being based on the trade, will give us the ability to not be so many steps behind. output from security intelligence gathered across millions of endpoints. This is a very responsive approach compared to About the Author the older signature-based antivirus solutions. As it is, the pro- Avani Desai is a principal and the Executive tection of endpoints from malware is likely to be an ongoing Vice President at Schellman. She has more and multi-layered approach, using machine learning, decep- than 15 years of experience in IT attestation, tion techniques, and alternatives like anti-exploit products. risk management, compliance, and privacy. Browser isolation/remote browsing Avani’s primary focus is on emerging health- With many of our security attacks entering through the win- care issues and privacy concerns for organi- dow of the browser, this then seems a natural point to apply zations. She may be reached at [email protected]. protection. Browser isolation, or remote browsing, places a

13 “Cost of Data Breach Study,” IBM Security – http://www-03.ibm.com/security/data- 11 “Cybersecurity Framework,” NIST – https://www.nist.gov/cyberframework. breach/. 12 Lordian Mosuela, ”How It Works: Steganography Hides Malware in Image Files,” 14 Danny Palmer, “The Cost of Ransomware Attacks: $1 Billion This Year,”ZDNet , Virus Bulletin – https://www.virusbulletin.com/virusbulletin/2016/04/how-it-works- September 8, 2016 – http://www.zdnet.com/article/the-cost-of-ransomware-attacks- steganography-hides-malware-image-files/. 1-billion-this-year/.
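The per-user anomaly scoring and analyst feedback loop described in the machine learning/behavioral analytics section above, as an added example that is not code from the article, from MIT's AI2 system or from any vendor. Every user name and event count below is constructed, and the median/MAD "modified z-score" with its 3.5 threshold is one common statistic chosen for illustration, not the method any product named in the article uses.

```python
"""Per-user behavioural anomaly scoring with an analyst feedback loop.

Added illustration for the machine learning / behavioral analytics section;
not code from the article, from MIT's AI2 or from any vendor. All user names
and event counts are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed sample telemetry: (user, day, number of file-share downloads).
# alice has a sudden spike on day 7, carol a one-off spike on day 5, and bob
# is noisy but steady at a level that would look like a spike for carol.
EVENTS = [
    ("alice", 1, 12), ("alice", 2, 9), ("alice", 3, 14), ("alice", 4, 11),
    ("alice", 5, 10), ("alice", 6, 13), ("alice", 7, 240),
    ("bob", 1, 30), ("bob", 2, 28), ("bob", 3, 35), ("bob", 4, 31),
    ("bob", 5, 29), ("bob", 6, 33), ("bob", 7, 34),
    ("carol", 1, 2), ("carol", 2, 3), ("carol", 3, 1), ("carol", 4, 2),
    ("carol", 5, 40), ("carol", 6, 2), ("carol", 7, 3),
]


def modified_zscore(history, value):
    """Score `value` against a user's own history with the median/MAD
    ("modified z-score") statistic. Median and MAD are used instead of mean
    and standard deviation so that one earlier outlier (carol's day 5) does
    not inflate the baseline and mask later anomalies."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        mad = 1.0  # perfectly flat history: fall back to unit scale
    return 0.6745 * (value - med) / mad  # 0.6745 puts MAD on a std-dev scale


def score_events(events, min_history=4):
    """Return {(user, day): score} for every observation that has at least
    `min_history` earlier observations from the same user. Each user is
    compared only with their own past, which is what behavioral analytics
    adds over one global threshold: bob's usual 30/day is not an alert,
    but the same volume from carol would be."""
    by_user = defaultdict(list)
    for user, day, count in sorted(events, key=lambda e: (e[0], e[1])):
        by_user[user].append((day, count))
    scores = {}
    for user, series in by_user.items():
        for i, (day, count) in enumerate(series):
            history = [c for _, c in series[:i]]
            if len(history) >= min_history:
                scores[(user, day)] = modified_zscore(history, count)
    return scores


def triage(scores, threshold=3.5, top_k=5, confirmed_benign=frozenset()):
    """Rank observations above `threshold` (3.5 is the usual rule of thumb
    for the modified z-score) for human review, most anomalous first, and
    drop anything an analyst has already labelled benign. Feeding those
    labels back is the human-in-the-loop step the article credits with
    cutting false positives: the next run does not re-raise a known spike."""
    flagged = [(key, s) for key, s in scores.items()
               if s >= threshold and key not in confirmed_benign]
    flagged.sort(key=lambda kv: -kv[1])
    return flagged[:top_k]


if __name__ == "__main__":
    scores = score_events(EVENTS)
    for (user, day), s in triage(scores):
        print(f"review: {user} day {day} score {s:.1f}")
    # After an analyst marks carol's spike as an approved bulk export:
    for (user, day), s in triage(scores, confirmed_benign={("carol", 5)}):
        print(f"still open: {user} day {day} score {s:.1f}")
```

Run stand-alone it lists alice's day 7 and carol's day 5 for review, then only alice's once carol's spike has been labelled benign. The per-user baseline is the point: bob's counts never score above the threshold even though every one of them exceeds carol's anomalous day.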


anywhere, anytime… April 2017 | ISSA Journal – 19 DEVELOPING AND CONNECTING ISSA CYBERSECURITY LEADERS GLOBALLY There’s No Going It Alone: Disrupting Major Cybercrime Rings (a Case Study)

Foto: Erakogu, Eesti Ekspress By John Garris

The identification and eventual disruption of a sophisticated criminal enterprise, requiring on- the-fly problem solving and groundbreaking international collaboration, offers a model of how an international cooperative effort can succeed. This article documents the efforts that ultimately brought down Rove Digital, an Estonian-based criminal operation that compromised millions of computers.

Abstract The telling of this law enforcement success story would be en- tirely deficient, however, if the central role played by a large The identification and eventual disruption of a sophisticat- number of cybersecurity researchers and IT security organi- ed criminal enterprise, requiring on-the-fly problem solving zations were not adequately noted. The partnerships amongst and groundbreaking international collaboration, offers a private sector individuals and organizations, alongside the model of how an international cooperative effort can succeed. efforts of law enforcement agencies from several countries, The efforts that ultimately brought down Rove Digital, an Es- were critical in assessing and identifying this complex fraud tonian-based criminal operation that compromised millions scheme and bringing about its eventual demise. Not only did of computers, provides just such an example. The approach this effort require a significant amount of skill and commit- taken by law enforcement from several countries, coupled ted willingness to work cooperatively, a multi-disciplinary with the important roles played by security researchers, can approach was vital in formulating and executing a strategy to be built upon to address burgeoning threats that can only be minimize the disruption to more than four million victims of tackled cooperatively. these crimes (the number of victims was much higher when measured over the lifespan of this criminal operation) [15]. n July 8, 2015, Vladimir Tsastsin pled guilty to One particularly impressive aspect of this coalition is that it charges relating to his development and long-term worked cooperatively for approximately five years. 
This large- management of a criminal enterprise that conduct- ly informal coalition was central to developing the informa- Oed a complex, highly profitable Internet fraud scheme in- tion needed to successfully execute arrest and search warrants volving millions of compromised computers located in over simultaneously in Estonia and the United States. In his press 100 countries. Tsastsin’s guilty plea helps conclude the Unit- conference announcing the arrests of the six Estonians, Mr. ed States’ prosecution of six Estonian nationals, including Preet Bharara, United States Attorney for the Southern Dis- Tsastsin, who had been extradited to the United States from trict of New York, noted the critical investigative work of the Estonia following extensive coordination and notable coop- NASA Office of Inspector General (OIG), FBI, and the Esto- eration between the two governments. A seventh individual nian Police and Border Guard Board, as well as the National indicted by the US government, Andre Taame, remains at- High Tech Crime Unit of the Dutch National Police Agency. large [3]. Mr. Bharara made a point of highlighting the many private

20 – ISSA Journal | April 2017 There’s No Going It Alone: Disrupting Major Cybercrime Rings | John Garris sector partners that were part of the overall effort, includ- These operations were vital to the rapid growth of a global ing Georgia Tech University, Internet Systems Consortium, network of infected personal computers primarily through Mandiant, National Cyber-Forensics and Training Alliance, tricking individuals into downloading and installing fake Neustar, Spamhaus, Team Cymru, Trend Micro, Universi- antivirus software, as well as fake video codec software. The ty of Alabama at Birmingham, and members of a group of infection of personal computers was a significant source subject matter experts known as the DNS Changer Working of revenue for Rove Digital, but more importantly it was a Group (DCWG) [23]. means to build what would become an extensive network of An accurate recounting of the many contributions by the compromised systems. Those infected systems would become specific cybersecurity organizations recognized by Mr. Bha- central to a highly lucrative fraud scheme to hijack advertis- rara in his 2011 press conference is constrained by the lim- ing revenue [1]. ited amount of publicly available reporting produced by Rove Digital – clear some of these participants. However, viewed in a different warning signs The fact that the light, the limited information published by these individu- majority of cybersecurity als and groups is noteworthy in itself. 
The fact that such a As noted earlier, Rove large grouping of participants, many with commercial prof- Digital (Rove) grew out organizations conduct it-making pressures, either published little with regards to of a wide range of crim- themselves so responsibly inal activities supported their involvement, or fastidiously withheld key information may oftentimes be lost at critical junctures in the investigation, is evidence that par- by the various services ticipants placed larger community concerns above self-inter- hosted under Esthost, amidst the clatter over the est. Given the growing torrent of reporting on a wide range of EstDomains, and relat- most recent high-profile cybersecurity events over the course of the past several years, ed front companies. Al- the fact that the majority of cybersecurity organizations con- though Rove did not ap- intrusion event. duct themselves so responsibly may oftentimes be lost amidst pear to be actively used the clatter over the most recent high-profile intrusion event. as a corporate entity re- lating to Internet-based criminal activity until around 2005, Background Ravelli’s [17] earlier research found that the formal incorpo- ration of Rove originated in Tartu, Estonia, in 2002. The doc- The IT security firm, Trend Micro, reported a significant umentation of incorporation notes that Rove’s business would number of malware infections that involved the systematic center on software development, and the initial capitalization altering of the DNS resolutions of infected systems staring claimed at the time of incorporation was 10,000,000 EEK in 2005. Over the subsequent five years, Trend Micro worked (Note: the Euro replaced the Estonia Kroon (EEK) in 2011). cooperatively with several public and private organizations investigating these activities. 
Trend Micro’s Forward-Look- Before Rove’s illegal activities were widely revealed, its ing Threat Team was able to piece together a fairly compre- growth and financial success were noted publicly in Estonian hensive picture of the mechanisms and key organizational news outlets. For one, Äripäev Business Daily, an Estonian structures comprising the larger criminal enterprise behind news service specializing in reporting on Estonian business these activities [15]. According to their research paper on the topics, listed Rove as the “Estonian IT company of the year matter, Trend Micro found that a collection of companies, in 2007” [17]. Despite this designation, clear indications that primarily registered in Estonia, were central to the larger Rove’s founder had a proclivity for criminal activity was evi- criminal activities responsible for infecting approximately 10 dent in Tsastsin’s 2008 criminal conviction by Estonian crim- million systems over several years. inal courts. This conviction stemmed from an earlier arrest of Tsastsin by Estonian authorities for a credit card fraud The principal company, or at least the one chosen as the mon- and money laundering scheme where fictitious refunds were iker for the overall criminal efforts, was Rove Digital. Rove made to credit cards and those refunds were withdrawn via Digital’s roots have been traced back to many other compa- ATMs. Ultimately, Tsastsin was found guilty by an Estonian nies, notably Esthost, EstDomain, and Cernel. While fully court of committing these crimes and was sentenced to time active, these accredited domain registrars directly support- he had already served since his initial arrest [20]. ed “bulletproof” hosting services via data centers largely based in New York, San Francisco, and Estonia. 
In addition Looking at this setback from Tsastsin’s perspective, it is like- to domain registration, Esthost’s customers used their host- ly that the more troubling aspect of his conviction was the ing services to run any number of criminal activities, such temporary disruption dealt to Rove’s burgeoning operations. as command-and-control servers for botnets, phishing sites, As noted in their July 25, 2013, pre-sentencing brief to the malware dump-sites, and DNS changer Trojans. As Esthost’s US Circuit judge overseeing the trial of the Rove defendants, hosting services gained popularity with various criminal a lead Southern District of New York Assistant US Attorney elements, their infrastructure and overall operations grew prosecuting this case noted that based on Tsastsin’s 2008 con- significantly [15]. This growth in activity was along several viction, the Internet Corporation for Assigned Names and fronts that include DNS registrations and a growing wave of Numbers (“ICANN”) “…revoked EstDomains’ accreditation malicious activities via various ISPs. as a registrar, meaning that any IP address or domain name

April 2017 | ISSA Journal – 21 There’s No Going It Alone: Disrupting Major Cybercrime Rings | John Garris

for their click-fraud operations can be seen in figure 1, devel- oped by Trend Micro. Atrivo, also known as “Inter- cage,” eventually became infa- mous within the cybersecuri- ty community for hosting all manner of malicious activities. In its earlier years of operation, one of its largest customers was the “Russian Business Net- work” (RBN), known for being a preferred hub for many cyber criminals. As Atrivo drew more unwanted attention from cybersecurity practitioners and law enforcement, RBN began to disperse its operations to other ISPs in an apparent risk-reduction move [6]. In his article on Atrivo, Brian Krebs reported that dif- ferent portions of Atrivo’s business operations spe- Figure 1 – Rove Digital’s infrastructure for hijacking the search results of its victims. (Source: Trend Micro’s whitepaper “Operation Ghost Click – Rove Digital’s Takedown) cialized in particular services for their highly sus- pect customer base. For example, Atrivo’s “Hostfresh” registered through EstDomains, for all practical purposes, provided routing through Hong Kong and China. With the would not exist on the Internet” [9]. departure of RBN, it appears Atrivo became increasingly dependent on Rove’s business, as even around the time RBN Although Rove would experience an additional setback in was migrating their business operations elsewhere the secu- 2008 through the loss of a US-based ISP, these events proved rity firm iDefense identified Atrivo as being one of the single only temporary impediments for Tsastsin. Once the US and largest hosts of malicious activity on the Internet [6]. Estonian criminal investigation was underway, it became clear Tsastsin had been busy working to overcome the dam- The hue and cry of the cybersecurity community continued age of his conviction by shifting Rove’s assets under a newly to build to the point that Atrivo’s upstream service providers formed corporate body. 
As related in the Southern District of took notice and began to distance themselves from Atrivo. New York US Attorney’s request to Estonian authorities for Shortly after the security company HostExploit published assistance, “Rove Digital” was acquired by Tamme Areudus detailed evidence that approximately 78 percent of Atrivo’s OÜ (Incorporated) on September 19, 2008. This acquisition hosted services where clearly of the malicious variety, the was obviously a method to paper-over the true ownership of upstream providers of Global Networks, Bandcon, and WV- Rove, as Tamme Areudus lists the address of “Lai 6, Tartu, Fiber ceased business with Atrivo [6]. At this point, Atrivo’s Estonia,” as their headquarters—the same address as Rove. only remaining upstream provider was Pacific Internet Ex- If the timing of the transfer and location of the new business change (PIE). Spamhaus, a non-profit cybersecurity compa- entity were not proof enough this was all a sham orchestrat- ny specializing in subscription-based anti-spam data feeds, ed by Tsastsin in light of his 2008 conviction, all the major had been collecting extensive information on Atrivo for some board members of Tamme Areudus Inc. were Tsastsin’s close time as well and continued to observe hostile activity emanat- relatives [14]. ing from Atrivo after PIE was the only remaining upstream provider. Spamhaus’ engagement, benefiting from the heft Continued adaptation and sleights of hand of its reputation in the cybersecurity community, appears By way of framing the major architectural features of the en- to have been the knock-out blow for Atrivo. Not long after terprise, it’s useful to understand Rove’s key touch points for Spamhaus placed PIE on its blocklist in 2008, PIE dropped Internet access. Through their extensive research of Rove and Atrivo, essentially causing Atrivo to go dark [5]. 
its related companies, Trend Micro was able to stitch together Despite 2008 being a challenging year for Rove operations an impressively detailed overview of the key infrastructure with Tsastsin’s conviction, ICANN’s revocation of EstDo- used to further and grow Rove’s profitable criminal activities. main’s listings, and loss of Altivo’s services, Tsastsin and his According to Trend Micro, one of Rove’s key Internet Service staff displayed the ability to adapt and innovate. Now that Providers (ISP) included Atrivo, located at the time in San Rove’s Pilosoft-based operations were elevated in relative Francisco, CA. Another important ISP for Rove was Pilosoft, importance, Tsastsin had to work to preserve this critical as- located in New York, NY. Rove’s principal Estonia-based ISP set. Apparently learning from their experiences via Altivo’s was Elion [15]. A very helpful overview of Rove’s framework closure, Rove developed methods to help them lower their

22 – ISSA Journal | April 2017 There’s No Going It Alone: Disrupting Major Cybercrime Rings | John Garris profile while still growing their highly profitable illicit click- is clear is that Rove’s early revenue generation efforts were di- fraud business. According to Trend Micro’s reporting [15], versified and included the infection of millions of personal Rove’s principal approach to lowering their profile and help- computers with DNS Changer malware (Note: DNS Changer ing obfuscate the importance of their command and control allows attackers the ability to alter the routing of traffic to (C&C) servers and DNS infrastructure hosted at Pilosoft was and from a victimized system). Rove’s to use VPN tunneling. Rove used VPNs within their net- diversified operations shifted steadily works to tunnel their suspect traffic away from Pilosoft before towards more specialization, namely According to it went to Pilosoft’s upstream providers, thus avoiding one fa- towards click-fraud operations [1]. Trend Micro’s tal flaw in Rove and RBN’s earlier use of Altivo. It should also Spamhaus took note of the DNS be pointed out that Trend Micro’s study of Rove developed Changer malware-related activity of research, Rove evidence that Elion, Rove’s Estonia-based ISP, had rebuked Rove at least as early as 2007 when had, at one time Rove earlier, so Rove’s options for reliable ISP access were not one of Rove’s spoofed Google Ads sites at least, the limitless [15]. appeared on Spamhaus’ list of sites to Through Rove’s extensive use of VPN tunneling, Pilosoft ap- block. This site proved to be just one largest botnet pears to have received few complaints associated with Rove’s small piece of an extensive DNS infra- in existence for malicious DNS infrastructure. Thus, Rove was able to buy structure that was constructed and ma- themselves additional time as security researchers attempted nipulated to steal advertisement rev- several years. 
to identify the critical nodes controlling a growing amount enues by directing unwitting victims of DNS Changer-related activity. Perhaps more importantly, to ads Rove controlled [18]. As noted this sleight-of-hand provided Rove access to a vital veneer of in Trend Micro’s assessment of Rove’s evolving operations legitimacy by giving them the flexibility to contract with oth- [15], Rove very quickly shifted much of their core operations, er mainstream providers, such as Level-3 Communications. most significantly the C&C servers used to manage their These sources of dependable bandwidth were needed to reli- click-fraud efforts, to Pilosoft-hosted services not long after ably leverage the millions of infected systems Tsastsin manip- Altivo’s demise. By leveraging the extensive botnet they had ulated via Rove C&C servers physically hosted at Pilosoft [15]. developed through the infection of millions of systems with True of most any relatively young company, Rove’s financial the DNS Changer malware, they had the means for generat- success was largely dependent on growing market share and ing large volumes of online fraudulent advertisement activity. establishing viable avenues for revenue generation. With the This botnet also provided a very effective approach for avoid- disruption of his Atrivo-based operations, Tsastsin appears ing detection by the major online advertisement companies to have been forced to take note of the pitfalls associated with [15]. After all, given that the victims whose systems com- the unwanted attention inherent in being the proprietor of prised Rove’s botnet were unwitting to the fact their traffic bulletproof hosting services. It is unclear precisely what Rove was being hijacked, their day-to-day Internet activities would Digital’s long-term strategic business plans were, or whether be very difficult to distinguish from legitimate user-generated or not Tsastsin seriously used such management tools. What advertisement activity.


Rove’s click-hijacking – a windshield tour

According to Trend Micro’s research, Rove had, at one time at least, the largest botnet in existence for several years. This network, controlled principally via the C&C structure hosted at Pilosoft, was reasonably well-engineered. The thoughtfulness of the architects of Rove’s C&C systems is evident in their apparent ability to manage all their rogue DNS servers through one or two configuration files. This span of control allowed Rove to serve up altered traffic to systems infected with DNS Changer so that they could redirect the results for major search engines such as Google, Yahoo, and Bing. Impressively, Rove was believed to have been able to manipulate the millions of infected systems they controlled so they could serve up altered search results and DNS resolutions for approximately 14,000 unique domains [15]. The results of the multinational investigation revealed Rove’s capabilities to have been even greater than what could be discerned without the insight and accesses law enforcement authorities can provide.

In order to more fully understand Rove’s click-fraud operations, it is useful to view the activity from the perspective of one of the millions of victims whose system was infected with DNS Changer malware. In the indictment of Tsastsin and six of his crew filed in US Circuit Court, the Assistant US Attorney describes several examples of how a victimized user’s online activities were hijacked via Rove’s DNS Changer malware. Broadly, the fraud involved the hijacking of selected portions of a user’s Internet activities, notably, search results. When an infected user searched for a particular word or phrase using a major online search engine, such as Yahoo.com, the results presented to the victim would be altered so as to provide results that when clicked on would generate revenue for Rove through one or more of its advertising contracts. This hijacking activity encompassed both user-generated searches as well as sponsored links [12].

Another example in the indictment also included advertisement replacement fraud, which required a more sophisticated approach than simply substituting legitimate search results for those crafted by Rove. In this subtler approach, Rove would render the majority of a requested webpage to a victim accurately, but replace specific advertisements found on that webpage with their own. For example, when a DNS Changer victim requested the Wall Street Journal on May 31, 2010, the majority of the Wall Street Journal webpage would be rendered accurately. In actuality, the legitimate website would be presenting an American Express advertisement for their “Plum Card.” The altered results received by an individual using a system infected with DNS Changer, at least on May 31, 2010, would display an advertisement for “Fashion Girl LA” where the “Plum Card” advertisement was intended to appear [9]. Even simple views of this altered page, referred to as “impressions” in on-line advertisement parlance, would generate revenue for Rove. More revenue would be generated when users actually clicked on content for advertisements that Rove controlled. Individually, these impressions and clicks on links and images sponsored by various advertisers were frequently only fractions of pennies. However, as seen through the lens of law enforcement’s eventual insight into Rove’s financials, those pennies and fractions of pennies certainly added up.

Where’s a cop when you need one?

To quickly recap, the collective efforts of an informal alliance of cybersecurity professionals had succeeded in amassing a fairly detailed picture of much of Rove’s evolving network of criminal activities. These efforts eventually succeeded in temporarily disrupting Rove’s operations, most notably through the shuttering of Atrivo. However, Rove quickly adapted and their subsequent illegal activities only grew. It became clear to many of these security professionals that the active involvement of law enforcement was becoming increasingly important as a potential avenue for targeting Rove’s ever more expansive and sophisticated operations.

The affidavit submitted on March 1st, 2010, to the US District Court of the Southern District of New York (USDC-SDNY) [12] in support of a search warrant to be executed on the premises of Pilosoft for specific Rove servers offers interesting insight into US law enforcement’s formal engagement in this matter. The affidavit notes the central role of “numerous private-sector researchers” and a “NASA agent” in the development of the facts used to support the application for the search of Pilosoft [12]. Interestingly, the involvement of NASA can be found in the earliest court filings supporting the investigation and eventual conviction of Tsastsin and his crew.

Affidavits submitted to support applications for several search warrants filed in the USDC-SDNY during the US law enforcement’s investigation of Rove point to October 14, 2009, as the date when US federal law enforcement’s efforts started in earnest. Regularly noted in most of the affidavits submitted by the FBI agents investigating Rove is the foundational statement, “I have discussed this investigation in detail with a Special Agent of the Office of the Inspector General of the National Aeronautics and Space Administration (the “NASA agent”), and have learned the following....” [12]. The active involvement of the FBI in the investigation of such significance seems obvious. Why then is a NASA agent playing such a prominent role in kicking-off and pushing forward US law enforcement’s investigation of a criminal enterprise that, at least at that time, controlled the largest malicious botnet in existence?

A review of the many filings with the US Circuit Court in support of the US government’s case reveals the prominent role played by the NASA Office of the Inspector General that appears to have stemmed from two aspects of the case. First, the NASA agent so widely referenced in court documents obviously played a significant role in conducting the nuts and bolts of the investigation. This can be seen in how frequently he personally submitted affidavits in support of search warrant applications and protective orders, or was referenced in the affidavits of others. A holistic view of the court docu-

Please continue on page 43

Every Move You Make, I’ll Be Watching You Watching Me Watching You

By Tanya Forsheit and Daniel Goldberg

Smart TVs, like other Internet-connected devices, come with their fair share of privacy and data security risks. This article explores a few noteworthy recent and high-profile developments that cast some doubt on the security of smart TVs and suggests that device manufacturers may not be sharing complete information about the data collected and used by those devices.

When we were kids, the notion of a smart TV with which we could interact was an unimaginable dream. You can’t talk to a TV; that’s crazy! But how cool would that be? SO cool. Today that fantasy is reality. Smart TVs are widely available and relatively inexpensive. In November 2015, Gartner forecasted that there will be more than 20 billion appliances, TVs, and other devices connected to the Internet by 2020.1 Not surprisingly, smart TVs, like other Internet-connected devices, come with their fair share of privacy and data security risks.

This article explores a few noteworthy recent and high-profile developments, including news stories and regulatory enforcement, that cast some doubt on the security of smart TVs and suggests that device manufacturers may not be sharing complete information about the data collected and used by those devices. The article will also provide some key takeaways for how information security and privacy professionals can take a proactive role in helping their organizations that are building and marketing smart devices, including smart TVs, to build better safeguards, transparency, and consumer choices into these and all things that make up the “Internet of Things.”

Privacy concerns

What exactly are “Smart TVs”? The United States Judicial Panel on Multidistrict Litigation defined them in one recent case as “televisions that have integrated Internet capability that supports direct streaming of movies and other programs from content providers such as Netflix, Hulu, and Amazon.”2 Smart TVs necessarily raise issues related to their enhanced capacity for the collection, use, and sharing of sensitive consumer information. There are few laws that directly regulate such data processing. One notable exception is California’s Business and Professions Code sections 22948.20-22948.25, which took effect January 1, 2016. It is one of a kind but limited in its application. The California law prohibits the operation of a voice recognition feature in an Internet-connected television without first prominently informing the user of the feature. It also prohibits the use or sale for advertising purposes of recordings of spoken words and conversations captured by a connected television for improving its voice recognition feature.

Although legislation is not there yet, the Federal Trade Commission’s (FTC) recent settlement with smart TV manufacturer Vizio, Inc. (Vizio),3 opens up a more in-depth discussion of the many privacy issues raised by smart TVs going beyond voice recognition data. As part of its recent focus on the Internet of Things (IoT) and smart devices, on February 6, 2017, the FTC in conjunction with the Office of the New Jersey Attorney General announced a settlement with Vizio, including payment of $1.5 million to the FTC and $1 million to the New Jersey Division of Consumer Affairs, with $300,000 of that

1 Nathan Eddy, “Gartner: 21 Billion IoT Devices to Invade By 2020,” InformationWeek, November 10, 2015, available at http://www.informationweek.com/mobile/mobile-devices/gartner-21-billion-iot-devices-to-invade-by-2020/d/d-id/1323081.
2 In re: Vizio, Inc., Consumer Privacy Litig., 176 F. Supp. 3d 1374, 1376 (U.S. Jud. Pan. Mult. Lit. 2016).
3 “VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent,” FTC press release, available at https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it.

amount suspended, over claims that Vizio’s smart TVs collected information about consumers’ video-viewing behavior and shared that data with third parties without sufficient notice or consent.

The FTC’s allegations (and pending class action litigation against Vizio involving similar issues) revolved around the “Smart Interactivity” feature found on Vizio’s smart TVs.

According to the FTC, starting in 2014, Vizio pre-installed its Smart Interactivity feature on new smart TVs and automatically installed the feature on older models. According to the complaint, only older models of the devices included a pop-up making consumers aware that the feature had been installed. The FTC alleged that Vizio described the feature as enabling “program offers and suggestions,” which could be turned off through the smart TV settings.

The FTC’s complaint went on to allege that the Smart Interactivity feature did not actually enable program offers or suggestions, but rather collected “highly-specific, second-by-second information” about consumers’ video-viewing behaviors, including what content they watched, when they watched it, and the length of their views. Vizio allegedly determined what consumers watched by matching pixels from consumers’ television screens with publicly available pixels from movies, shows, and commercials. Vizio then allegedly shared this viewing data, along with persistent identifiers it collected from consumers, with third-party data brokers in order to license that data to still other third parties for purposes of measuring audience viewership, determining advertising effectiveness, and serving targeted advertisements to specific consumers on their various devices. In its contracts with the data brokers, Vizio allegedly prohibited the data brokers from re-identifying consumers by name but allowed the data brokers to append data from their own internal databases such as sex, age, and income (thereby building a more robust consumer profile).

The FTC claimed that Vizio’s actions violated Section 5 of the FTC Act4 in three ways. First, the FTC alleged that Vizio acted unfairly by collecting and sharing sensitive information (i.e., video viewership information) without consumers’ consent and through a medium consumers would not expect to be used for tracking. Second, the FTC alleged that Vizio deceived consumers by failing to adequately disclose that the Smart Interactivity feature collected and shared consumers’ video viewership information. Finally, the FTC maintained that Vizio deceived consumers by falsely representing that the Smart Interactivity feature enabled program offers and suggestions when it actually collected and shared consumers’ video viewership information.

It is worth noting the nature and status of the similar class action litigation as well. The television owners have contended that Vizio violates both the federal Video Privacy Protection Act (“VPPA”)5 and Wiretap Act6 by tracking what consumers watch and selling that information to third-party data brokers and advertisers, exposing their personally identifiable information. In March 2017, a federal judge allowed the claims for violation of the VPPA, invasion of privacy, and intrusion upon seclusion to survive a motion to dismiss and granted plaintiffs leave to amend their allegations as to the Wiretap Act. The judge also allowed claims for fraudulent omission to move forward based on allegations that Vizio fraudulently hid its data practices by failing to mention the software it uses to collect data and how to disable the software or that the data is sold, despite a “very small font” privacy policy that claims the company collects anonymous and non-personal data.7

Privacy takeaways

What are the privacy takeaways for developers of smart TVs and other connected devices that are part of the Internet of Things?

• Make accurate disclosures and do not omit material facts. The FTC’s primary concern with respect to Vizio appears to be that the company allegedly collected and

4 15 U.S.C. § 45, available at https://www.law.cornell.edu/uscode/text/15/45.
5 18 U.S. Code § 2710, available at https://www.law.cornell.edu/uscode/text/18/2710.
6 18 U.S. Code § 2511, available at https://www.law.cornell.edu/uscode/text/18/2511.
7 In Re: Vizio, Inc., Consumer Privacy Litigation, CASE NO. 8:16-ml-02693-JLS-KES (C.D. Cal. March 2, 2017).


shared video viewership information without accurately and fully disclosing its practices. Two of the three counts against Vizio involved deceptive acts or practices. According to the FTC, the alleged description of the Smart Interactivity feature was misleading and the pop-up, without further information, insufficient. Companies should carefully review the representations they make, including those made outside of their privacy policies.

• Make sure your practices align with consumer expectations. The FTC also voiced concern that Vizio’s alleged practices of collecting and sharing video viewership information did not align with consumer expectations. Per the FTC, when using a television, consumers do not expect the television manufacturer to figure out exactly what they are watching and share that data with third parties for retargeting purposes. Manufacturers should understand that, even if a practice does not violate a specific statute, it may carry a “creepiness factor” that could attract regulatory scrutiny or impact a company’s public perception and bottom line. To the extent companies intend to engage in such practices, companies should clearly and prominently alert consumers of their practices.

• Get opt-in consent prior to sharing video viewership information. In the Vizio settlement, the FTC refers to video viewership information as sensitive information that requires opt-in consent and potentially a separate video policy, prior to collection and sharing. Interestingly, acting Chairman Maureen Ohlhausen issued a concurring statement to the settlement questioning whether video viewership information should be treated as sensitive information. While there may be some disagreement over the sensitivity of video viewership information, legislators have taken the position that such data warrants greater scrutiny than many other forms of data (as evidenced by the federal VPPA and similar state laws). Under the VPPA, companies are prohibited from knowingly disclosing “personally identifiable information” concerning a consumer to any person unless an exception applies. There is currently a circuit split as to what constitutes personally identifiable information under the VPPA with some courts finding that video viewership information in conjunction with a static identifier (e.g., an IP address) is sufficient to plead a case. The VPPA and similar state laws provide consumers with a private right of action with an accompanying right to statutory damages even in the absence of a showing of harm.

• Be creative with respect to your disclosures. As part of the settlement, the FTC required Vizio to prominently disclose its practices. The FTC emphasized that Vizio must provide unavoidable visual disclosures, and, more relevant for the IoT space, audible disclosures delivered in “a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand.” Companies should view the audible disclosure requirement as a signal that the FTC expects IoT devices to provide conspicuous disclosures in a manner that is more aggressive than traditional small-print privacy policies linked to the bottom of web pages.

• The $2.2 million payment does not tell the whole story. Vizio allegedly collected video viewership information from more than 10 million televisions prior to entering into the settlement. So companies might think that the risk of a $2.2 million settlement seems minuscule in comparison to the potential upside. However, the settlement also requires Vizio to destroy all video viewing information collected without opt-in consent prior to March 1, 2016, establish a mandatory privacy program, have an independent third party routinely assess its data practices, keep extensive records and report to the FTC, and create new policies among other things. Thus, the real cost is significantly higher than $2.2 million.

• Dealing with data brokers attracts scrutiny. The FTC has shown consistent interest in regulating data brokers. For example, the FTC issued the report “Data Brokers: A Call for Transparency and Accountability” in May 2014 and the report “Big Data: A Tool for Inclusion or Exclusion” in January 2016. In the settlement with Vizio, the FTC specifically cited Vizio’s contract prohibiting data brokers from re-identifying consumers yet allowing them to append certain forms of data. Smart device manufacturers should therefore be extra careful with regard to their practices when dealing with data brokers.

Data security issues

The hackability of connected devices, and smart TVs in particular, has been the subject of discussion for several years. There is something very intimate about the relationship between consumers and their televisions that makes this security vulnerability particularly compelling to the media and consumer advocates. And yet, it does not appear that much has changed with respect to the security (or lack thereof) in smart TVs since their emergence several years ago.

In December 2012, Ars Technica published a piece entitled “How an Internet-connected Samsung TV can spill your deepest secrets.”8 The story discussed the findings of a researcher who claimed at the time he had uncovered a vulnerability in most Samsung models that made it easy for him to locate their IP address on the Internet. Armed with this information, he claimed he could remotely access the device and exercise the same control someone in the same room would have, including gaining root access and installing malicious software.

“At this point the attacker has complete control over the device,” he wrote in an email to Ars Technica. “So we are talking about applying custom firmwares, spying on the victim if camera and microphone are available, stealing any credential and account stored...on the device, using his own certificates when accessing HTTPS websites, and

8 Dan Goodin, “How an Internet-Connected Samsung TV Can Spill Your Deepest Secrets,” Ars Technica, 12/12/2012, https://arstechnica.com/security/2012/12/how-an-internet-connected-samsung-tv-can-spill-your-deepest-secrets/.


tracking any activity of the victim (movies, photos, music, and websites seen) and so on. You become the TV.”9

More than four years later, Wikileaks released a cache of documents in March 2017 purporting to show that the Central Intelligence Agency (CIA) hacked into smart TVs (and other smart devices) and that “[d]evelopers used vulnerabilities in Samsung TVs to ensure the products would capture conversations even when they appeared to be switched off…The CIA’s engineering development group had a ‘to do’ list for the smart TV that included the ability to record video and break into its browser and apps.”10 There are even reports of smart TVs being hijacked by ransomware.11

Attacks on connected devices have consequences for the larger Internet as a whole. In October 2016, it was discovered that a major distributed denial of service (DDoS) attack was caused by a botnet largely made up of connected IoT devices.12

The law is not well equipped to incentivize device manufacturers to build in more robust security controls or design with privacy in mind. Existing state and federal data breach notification laws generally cover only certain narrow categories of information such as name with Social Security number, driver’s license number, payment card information, health or medical information, but a few state laws have been expanded to require notification when usernames and/or email addresses together with passwords and/or security questions and answers are exfiltrated. However, a security breach involving a smart TV is more likely to involve information about a user’s viewing habits or movements as opposed to these more traditional categories of personally identifying information.

It seems somewhat more likely that continued enforcement from the FTC and European regulators, and private class action litigation, will serve as an instigator. The $2.2 million fine, order to delete previously collected data, and years of oversight imposed on Vizio is not nothing, not to mention what must be extraordinary legal fees to negotiate with the FTC and defend dozens of class actions that are now before the United States Judicial Panel on Multidistrict Litigation in the Central District of California. Further, when the EU General Data Protection Regulation takes effect in May 2018, even US companies that process personal data (broadly defined to include device identifiers for smart TVs and similar devices) of EU data subjects will be forced to comply with more significant privacy and data security obligations or face penalties of up to four percent of global turnover or €20 million.

But we all know that the law is ultimately incapable of keeping up with technology, which will continue to advance at breakneck speed. Industry self-regulatory efforts in the smart device world are likely to be a much more effective and practical solution to meet the concerns of regulators and consumers alike and to take steps, if only modest, to beat back bad actors who would seek to hack into the majority of American living rooms and bedrooms. There is already such industry action in a number of IoT sectors, including connected cars. In 2014, the Alliance of Automobile Manufacturers and the Association of Global Automakers proposed a set of privacy principles for vehicle technologies and services.13 It does not appear that the Consumer Technology Association has yet taken similar steps vis-à-vis smart TVs or other connected home devices.

Information security professionals can play a critical role by bringing these issues to the attention of other relevant stakeholders within the organization, particularly those involved in design and marketing, legal, and compliance. Information security professionals are ideally situated to help develop products with better security in mind, right from the start. They should have a seat at the table during the product development stage.

Conclusion

Smart TVs and other connected home devices are here to stay. As with so many other technology verticals, it would behoove the consumer electronics industry, policy makers, and consumer advocates alike to work together to put forth a set of appropriate, risk-based, self-regulatory principles to help ensure that privacy interests are protected and information security advanced without stifling innovation.

About the Authors

Tanya Forsheit is co-chair of Frankfurt Kurnit Klein + Selz’s Privacy & Data Security Group, and a partner in the Technology & Digital Media, Litigation, and Advertising, Marketing & Public Relations groups. She represents multi-national and emerging companies in the media, entertainment, consumer products, health care, technology, and professional services industries, and serves as outside privacy counsel for numerous organizations. She may be reached at [email protected].

Daniel M. Goldberg is an associate in Frankfurt Kurnit Klein + Selz’s Privacy & Data Security Group focusing on advertising, branded entertainment, interactive entertainment, technology, digital media and privacy, and intellectual property matters. He represents multi-national and emerging companies in a wide range of privacy and data security-related matters involving the collection, use, storage, and monetization of confidential data. He may be reached at [email protected].

9 Ibid.
10 Hannah Kuchler, “The Internet of Things: Home Is Where the Hackers Are,” Financial Times, March 10, 2017, available at https://www.ft.com/content/cb880bc2-057c-11e7-ace0-1ce02ef0def9.
11 Ibid.
12 Nicky Woolf, “DDoS Attack That Disrupted Internet was Largest of Its Kind in History, Experts Say,” The Guardian, October 26, 2016, available at https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet.
13 Jules Polonetsky, “Connected cars are accelerating consumer benefits and driving privacy issues,” The Hill, November 21, 2014, available at http://thehill.com/blogs/pundits-blog/technology/224954-connected-cars-are-accelerating-consumer-benefits-and-driving.

HSTS and New Trends for Secure Browsing

By Marcelo Carvalho – ISSA member, Brasil Chapter

This article discusses insecure behavior between browsers and servers and potential risks associated with recent opt-in HTTP Strict Transport Security (HSTS) suggested by RFC 6797, heavily discussed at recent security conferences such as OWASP AppSec Europe, CNASI Brasil, InfoSecurity Europe, and OWASP AppSec Latin America. It also briefly describes new trends regarding web browsing security.

Old and well known web security issues

Protecting network participants during web communications is not a new task, and you can easily find multiple solutions using cryptography for that purpose. A general scenario is a client requesting page content from a webserver that will send it via default protocol or a mutually agreed upon (and hopefully more secure) encrypted channel.

HTTP traffic sent by default is in plaintext format and allows attackers to read or modify the traffic through man-in-the-middle (MITM) attacks. These include phishing, session hijacking, and sensitive-data modification. As an HTTP connection cannot authenticate peers, some attacks will try to downgrade encrypted protocols negotiated by the client-server down to a plaintext vulnerable state (Moxie Marlinspike’s SSLstrip1 for instance [1]). This downgrade is most likely invisible to the client side: a regular user cannot visually attest to cryptography being applied to the communication. Still, to date no consistent user interface (UI) icon has been agreed upon to easily identify encrypted channels.

When it comes to the web environment, the most prevalent encryption solutions apply SSL/TLS. Despite the many developed attacks and different flaws discovered over time (see the ISSA Journal, August 2011 – “SSL/TLS Revisited” and March 2013 – “PKI under Attack”; CRIME,2 BEAST,3 MD5 collisions, and other more recent attacks described at SSL/TLS specialized security forums such as the Crypto Forum Research Group,4 CA/Browser Forum,5 and Qualys SSL Labs6), we can say it is pretty straightforward to achieve OSI Fourth Layer7 protection using these protocols. But when it comes to the upper OSI layers and integration on compatible clients (i.e., browsers), then it’s a different story.

The main security problems may be summarized as a twofold aspect of the implementation:

1. Low-level crypto implementation: Presenting the lower-layer protocol-control mechanism (i.e., SSL certificate validation process errors) for needed interaction/decision upwards through the user and user interface, for instance, the validity check of the presented digital certificate from parties negotiating SSL/TLS. At this point, FQDN,8 expiration dates, anchor bounds, CRL/OCSP checking among others is performed, but due to the “operational focus” embraced by clients/browsers (ability to keep browsing even when facing an error) the outcome will most likely be passed up to the user’s discretion in order to proceed or cancel the process. This scenario may vary among browser vendors, some more dramatically emphasizing the potential damage if choosing to continue than others; this is ultimately a user decision. An end user may choose to proceed even when nasty errors are shown, such as a revoked certificate or a different domain message.

1 SSLstrip - Tool applying a MITM technique to remove encryption from client's browser (more at: https://moxie.org/software/sslstrip/).
2 CRIME - A security exploit against secret web cookies over connections using the HTTPS (more at: https://www.ekoparty.org/archive/2012/CRIME_ekoparty2012.pdf).
3 BEAST - Browser Exploit Against SSL/TLS explores CBC type of crypto implementation on TLS 1.0 and SSL 3.0 (more at: https://www.owasp.org/images/1/10/Taming_the_B.E.A.S.T..pdf).
4 Crypto Forum Research Group – https://irtf.org/cfrg.
5 CA/Browser Forum – https://cabforum.org.
6 Qualys SSL Labs – https://www.ssllabs.com/.
7 OSI Model – https://en.wikipedia.org/wiki/OSI_model.
8 FQDN - Fully Qualified Domain Name used to distinguish domain-based application service Identity within Internet (more at: https://tools.ietf.org/html/rfc6125).

30 – ISSA Journal | April 2017 HSTS and New Trends for Secure Browsing | Marcelo Carvalho

B. Uncontrolled page content: Protecting sensitive browser content against unauthorized access or tampering via MITM attacks; for example, the ability to use HTML tags (iframe or include, for instance) to load external data into an originally served and trusted page (even embedding insecure HTTP data, calling it explicitly in cleartext mode, or relying on the assumption that the main page is securely running HTTPS) (see figure 1). Googleapi,9 jQuery,10 and other external content/code are popular these days and most likely embedded using the "SRC" (source) external reference tag. As stated by Sivakorn et al. [2], a great number of Chrome extensions allow connections over unprotected HTTP to Google sites. Partners, advertisements, and other uncontrolled content are also examples of this scenario. Locally stored values and data (cookies, DOM,11 and other local/session storage containing sensitive information) are an attacker's target that falls into this fold. Any authentication-related credential can lead to later impersonation attacks.

Figure 1 – Content trust issue on HTML page

Regarding expected trust by the client's implementation, "A" is clearly more concerned with the mechanisms that prove a party's identity and embedded authentication, while "B" is more about protecting already loaded content.

As depicted in figure 1, a plausible vulnerable scenario is the user having secure and non-secure content both carried on the same web page. If the insecure part of the page is susceptible to attacks like XML-RPC requests,12 XSS,13 XST,14 or other covert channels, an attacker could use client-side code like JavaScript15 (embedded from a non-trusted source) to snoop and access cookies or other locally cached valuable information. Thanks to the Same Origin Policy (SOP)16 and process separation on browsers, these types of vulnerable HTTP pages being opened within multiple tabs on a browser could exploit local variables only in very specific scenarios such as relaxed or misconfigured Cross-Origin Resource Sharing (CORS)17 and old or unpatched plugins running on the page.

All these discussions were part of seminars and security presentations I attended last year. HTTP headers are now back as a hot topic in discussion. The OWASP Secure Headers Project,18 for instance, is discussing and promoting header configuration awareness, balancing security and functionality aimed at reducing this attack surface.

Usual protection examples and their limitations

HTTPsec

Although not so popular and rarely used, it's worth mentioning that an old possible protection can be achieved by using HTTPsec. It's performed using HTTP headers and can protect the page head and body content as well as URL integrity (see figure 2). As in HTTPS, it uses digital certificates to identify peers. Diffie-Hellman exchanges establish the secret key protecting PUT, POST, etc., HTTP request methods and body message confidentiality. Different from HTTPS though, this non-negotiable HTTP scheme is deployed over the default web port 80 as opposed to 443 and relies on very few crypto-aware algorithms to allow mutual authentication with the webserver.

Figure 2 – HTTPsec initialization header representation

HTTPS

The HTTPS protocol is the most widely used security implementation and plays an important role in protecting content confidentiality and integrity by loading data only from authenticated sources. However, returning to the mixing of HTTP and HTTPS elements on a page, the cookie retrieval vulnerability can be significantly diminished by applying the secure tag. As insecure flagged or unmarked cookie information can serve both HTTP and HTTPS requests, this opens room for the uncontrolled page content problem aforementioned. We can thus explicitly mark sensitive cookie data to ensure it will be visible only from the SSL/TLS trusted server over an HTTPS channel. Spicing the scenario a bit, we can imagine an HTTP-embedded content site that contains malicious code allowing attackers control and cookie stealing. After grabbing the unflagged cookies available (if any) from that page, the attacker then redirects it to HTTPS, pointing also to a webserver under his control, and now continues to capture the secure flagged cookies as well.

Addressing also the low-level crypto implementation problem, more and more HTTPS-aware implementations are providing different secure icons and alerts, showing untrusted sources or insecure content being loaded on the page, leaving less room for users to mistakenly accept or proceed when prompted with error messages.

ForceHTTPS

ForceHTTPS, first described by Collin Jackson and Adam Barth back in 2008 [3], takes this error-prone scenario a lot more seriously. This project states three different features:

1. Only HTTPS allowed (automatic redirect)
2. Insecure content along with the encrypted page is not allowed
3. All SSL/TLS error messages happening at the lower OSI layer are fatal and will not be sent to the user for any decision.

This means no content will be displayed if the connection(s) are not fully encrypted or if any of the X.50919 field validations made during the server's certificate authentication fails during the communication process. The project was later incorporated into browser specs as HTTP Strict Transport Security (HSTS). This specification defines a mechanism enabling websites to declare themselves accessible only via secure connections.

HSTS is an opt-in type protocol: a compatible web application needs to state the capability via server headers in order to achieve the three mentioned security features. This advisable instruction (see figure 3) declares the protocol and sets parameters for time and include subdomains for protection.

Figure 3 – HSTS initialization over HTTP

As with other header-based options, HSTS relies on untrusted HTTP traffic to set the initialization values and only then makes use of HSTS benefits. This is a vulnerable stage that may allow an MITM attacker to even strip out those parameters, keeping the browsing in cleartext. One proposal to circumvent the MITM attack is to preload a set of sites on the browser (inner list), pretty much like we do for PKI trusted anchors; but this cannot reach the extent of worldwide websites to be included. Perhaps we will see DNSSEC20 playing a role to cover this gap in the near future, as we did to ensure more secure SMTP senders binding authorized IPs and those constraints referred to by RFC 7672. There's still some debate whether one should set a larger time interval parameter, resulting in the site's HSTS enrollment for a longer period, and therefore long-lived cookies and browsing history-related info being kept as well [4]. The other way, a short value will result in new arrangements being frequently needed, perhaps protecting against long exposure of a not-so-trusted initialization.

New trends using cryptographic protection

As mentioned, once we define a more trustworthy header negotiation scheme for HSTS, we may see a much wider implementation. The HTTP connection may be seen only in URLs presenting public-tagged information, as we expect a significant increase of encrypted protocols used on sensitive content pages. In that scenario, because of scalability and performance issues, we will also see a considerable effort aimed at encryption compression solutions. The CRIME attack launched by Rizzo and Duong explored the DEFLATE operations of HTTP compression [5]. Acting as a side-channel approach for cryptanalysis, the length of the ciphertext reveals information about the amount of compression in the plaintext before encryption stages. As a result, mitigation would

19 X.509 - X.509 is a standard that defines the format of public key certificates (more at: https://www.ietf.org/rfc/rfc3161.txt).
20 DNSSEC - Domain Name System Security Extensions (DNSSEC) is a suite of security for DNS over IP protocol (more at: https://tools.ietf.org/html/rfc4035).

have compression disabled on servers (TLS configuration). Contributions advising new techniques using a fixed dictionary for HTTP compression and decompression (on both browser and server sides accordingly) instead of the default DEFLATE are being discussed to allow us to resume some bandwidth saving while encrypting web browsing content by enabling compression again.

The browser itself represents a huge limitation for effective protection though. While covered by the World Wide Web Consortium (W3C), browser implementation diversity is huge, making protection effectiveness vary from vendor to vendor, even using compatible and publicly available cryptography. Even the security options within different browsers in the web ecosystem are inconsistent. This not only makes it difficult to select a single protection for browsers as a whole but also makes them prone to misconfigurations. Actually, Conte published findings that browser configurations from different vendors are very alike from the user's perspective, making it more difficult to disseminate the security awareness needed [6]. After assessing more than a thousand browser configurations (in three major browser vendors: Mozilla, Chrome, and Internet Explorer), they found that only 17 had common names with common semantics at the user interface.

Recently, some banks have started offering a more controlled app so they won't have to rely on the user's browser for secure transactions. More trivial web services can still accept the browser as a client, offering the app only as an option. By using specialized apps for specific communication purposes, we might end up overwhelmed by a collection of program shortcuts on our computers and phones. Of course, this leaves room for internal and privately held security solutions and consequently raises the old discussion regarding law enforcement's right to access communications for investigative purposes. At the 2016 RSA Conference, Marlinspike discussed that Signal Private Messenger21 is being integrated into well-known and widely used messaging and social network apps. As opposed to the "browser world," apps have fewer compatibility concerns and can overcome security flaws their own way.

Back to the browser world, we can see a few interesting security trends being published recently. One that caught my attention was an add-on capability (available for Chrome, Firefox, and Opera) that rewrites HTTP requests to HTTPS for configured sites. Named "HTTPS Everywhere,"22 it states its main advantage is the fact of not being web designer dependent, as it overwrites any calls from iframes or inner content carried originally using the cleartext protocol (similarly to ForceHTTPS' first property). As a side effect of not having HSTS robust enough to be used widely, we should tend to see several client-side options like this piling up additional crypto layers for secure web browsing.

"Diverting Modern Web Browsers to Build Unique Browser Fingerprints" [7] is another interesting recent article. It explores the validity of browser fingerprinting in today's web environment and the extensive use of plugins (Flash, progressively disappearing; Silverlight; QuickTime; Java; and others). Actually, the study reported 2,458 distinct plugins collected as a fingerprint sample.

Originally meant to provide compatibility, the browser fingerprint gathers a collection of end user browser configurations: browser version, platform, primary language, content encoding, time zones, and coded IDs are fingerprint examples. "A major source of information for browser fingerprinting comes from application and system developers that add arbitrary information in headers by either modifying existing headers (e.g., the user-agent) or by adding new ones." As this can also be used to identify users, it may pose a threat to private information. Google and other large-scale websites are adopting this type of identification nowadays.

The HTML5 canvas element and WebGL API were used by the authors [7] to demonstrate how to access the fingerprint information collected during proof-of-concept tests. As described, the collection of data is likely unique per user and can be positively used for tracking purposes. Also, the study pointed out that this vulnerability occurs not only in desktop apps but on mobile as well. The use of generic headers is advocated as a possible mitigation along with discretion in using browser plugins. You can find more about fingerprinting, its use, statistics, and exploitations at Am I Unique.23

Conclusion

The HTTPS protocol is the most prevalent protection implementation for web connections these days. Yet, current versions of browsers rely on user discretion over UI messages to deal with unexpected protocol behaviors or certificate errors. It allows for insecure content to be embedded on secure pages, allowing for cookie hijacking even if the web developer follows the good practice of flagging it secure.

HSTS circumvents both situations, but as an opt-in protocol it is vulnerable to having initialization instructions stripped off by an attacker at the website's first access.

New trends point to the use of apps in reducing the need for relying on client-browser security in some specific industries such as banking. Also, new techniques for hardening encrypted communications and a balance between functionality and privacy issues while using browser plugins are advised to restrict the ability to generate trackable fingerprints.

References

1. Davanian A, Kumar GA, Helge Wolf J. Man in the Middle Attacks Demos the Scenario. Lab – Univ Trento. 2016.
2. Sivakorn S, Polakis I, Keromytis AD. The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information. Proc - 2016 IEEE Symp Secur Privacy, SP 2016. 2016; 724–42 – https://www.cs.columbia.edu/~angelos/Papers/2016/cookiejar.pdf.

21 Signal Private Messenger - An encrypted communications application for mobile (Android and iOS) (more at https://whispersystems.org/).
22 The Electronic Frontier Foundation – https://www.eff.org/pt-br/https-everywhere.
23 Am I Unique – https://amiunique.org.


3. Jackson C, Barth A. ForceHTTPS: Protecting High-Security Web Sites from Network Attacks. Comput Soc [Internet]. 2008;525–33. Available from http://portal.acm.org/citation.cfm?id=1367569.
4. Dabrowski A, Merzdovnik G, Kommenda N, Weippl E. Browser History Stealing with Captive Wi-Fi Portals. 2016 – https://www.sba-research.org/wp-content/uploads/publications/Dabrowski2016Browser.pdf.
5. Sankalpa I, Dhanushka T, Amarasinghe N, Alawathugoda J, Ragel R. On Implementing a Client-Server Setting to Prevent the Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) Attacks. 2016 (October) – http://ieeexplore.ieee.org/document/7780263/.
6. Conte D de L, Bhandari VA, Jillepalli A. Using a Knowledge-Based Security Orchestration Tool to Reduce the Risk of Browser Compromise. Computational Intelligence (SSCI), 2016 IEEE Symposium Series on. 2016; (December) – http://ieeexplore.ieee.org/document/7849910/.
7. Laperdrix P, Rudametkin W, Baudry B. Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. Proc - 2016 IEEE Symp Secur Privacy, SP 2016. 2016;878–94 – http://ieeexplore.ieee.org/document/7546540/.

About the Author

Marcelo Carvalho, CISSP, CISA, CRISC, has 17 years of information security experience at telecom and digital certificate companies and is currently an IS auditor for information assurance security and an IT/IS professor at various universities. He may be contacted at [email protected].
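The two header-based protections the article discusses, the Secure cookie attribute (HTTPS section) and the Strict-Transport-Security header (ForceHTTPS and HSTS sections), as an added example; this is not code from the article, from RFC 6797, or from any browser or server project. It parses an HSTS header value with the RFC's directive rules, models the browser-side host cache that honours the header only when it arrived over HTTPS (the first-visit window the article says an attacker can strip), applies includeSubDomains to superdomains, upgrades http:// URLs for known hosts, and lists which Set-Cookie headers a browser would still send over plaintext. All header values, hostnames and the class and function names are constructed for the example.

```python
"""Added example: Strict-Transport-Security (RFC 6797) parsing, a minimal
browser HSTS host cache, and a Secure-attribute audit of Set-Cookie headers.
Every header value and hostname below is a constructed sample."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class HstsPolicy(NamedTuple):
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if it is malformed
    (missing or non-numeric max-age, or a directive given twice)."""
    max_age, include_sub, preload = None, False, False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:            # RFC 6797 forbids repeating a directive
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


class HstsCache:
    """Model of a browser's HSTS cache: host -> (expiry time, includeSubDomains).
    Preloaded hosts never expire, mirroring a built-in preload list."""

    def __init__(self, preloaded: Tuple[str, ...] = ()) -> None:
        self.hosts: Dict[str, Tuple[float, bool]] = {
            h: (float("inf"), True) for h in preloaded}

    def observe(self, host: str, scheme: str, hsts: Optional[str], now: float) -> bool:
        """Apply a response's header. It is honoured only over HTTPS; on plain
        HTTP (the first visit) it is ignored, which is why stripping it works."""
        if scheme != "https" or hsts is None:
            return False
        policy = parse_hsts(hsts)
        if policy is None:
            return False
        if policy.max_age == 0:         # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (now + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """True if host or, with includeSubDomains, one of its superdomains is cached."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue                # absent or expired
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        m = re.match(r"http://([^/:]+)(?::80)?(/.*)?$", url)
        if m and self.is_known(m.group(1), now):
            return "https://" + m.group(1) + (m.group(2) or "/")
        return url


def cookies_exposed_over_http(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies lacking the Secure attribute: a browser attaches them
    to any plaintext request for the host, e.g. an http:// subresource."""
    exposed = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed sample response from a site that flags only its session cookie.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
    "tracking=xyz; Path=/; HttpOnly",
]

if __name__ == "__main__":
    cache = HstsCache(preloaded=("preloaded.example",))
    cache.observe("example.com", "https",
                  "max-age=31536000; includeSubDomains", now=1000.0)
    print(cache.rewrite("http://login.example.com/account", now=2000.0))
    print(cookies_exposed_over_http(SAMPLE_SET_COOKIE))
```

The cache deliberately returns False for a header seen over http://, so a site that only ever sends Strict-Transport-Security on its plaintext redirect page never gets enrolled, which is the gap the article's preload-list discussion addresses; the cookie audit shows that, on the same origin, every cookie without Secure is what the mixed-content scenario of figure 1 can expose.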
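A way to quantify what the fingerprinting study [7] and sites such as Am I Unique report, added here as an example that is not from the article or from either of those sources: Shannon entropy per attribute over a population of browser configurations, the share of fingerprints that are unique, and the mitigation the article mentions (generic headers, discretion with plugins) modelled as a browser that exposes neither a canvas rendering nor a plugin list. The eight-browser population, the attribute names and the function names are all constructed for the example.

```python
"""Added example: how identifying each fingerprint attribute is, measured as
Shannon entropy (bits) over an observed population, plus the fraction of
fully unique fingerprints before and after generalising the fingerprint.
The population below is constructed, not measured data."""
import math
from collections import Counter
from typing import Dict, List, Tuple

Fingerprint = Dict[str, str]

# Constructed population of eight browsers. "canvas" stands for the hash of a
# rendered HTML5 canvas, "plugins" for the enumerated plugin list.
SAMPLE_FINGERPRINTS: List[Fingerprint] = [
    {"user_agent": "UA-A", "language": "en-US", "timezone": "-300", "plugins": "flash,java", "canvas": "c1"},
    {"user_agent": "UA-A", "language": "en-US", "timezone": "-300", "plugins": "flash", "canvas": "c2"},
    {"user_agent": "UA-B", "language": "en-US", "timezone": "0", "plugins": "", "canvas": "c3"},
    {"user_agent": "UA-B", "language": "pt-BR", "timezone": "180", "plugins": "flash,quicktime", "canvas": "c4"},
    {"user_agent": "UA-A", "language": "en-US", "timezone": "-300", "plugins": "flash,java", "canvas": "c1"},
    {"user_agent": "UA-C", "language": "en-US", "timezone": "0", "plugins": "silverlight", "canvas": "c5"},
    {"user_agent": "UA-A", "language": "fr", "timezone": "60", "plugins": "flash", "canvas": "c6"},
    {"user_agent": "UA-B", "language": "en-US", "timezone": "0", "plugins": "", "canvas": "c3"},
]


def attribute_entropy(population: List[Fingerprint], attribute: str) -> float:
    """Shannon entropy in bits of one attribute's value distribution.
    log2(N) bits would mean the attribute alone identifies every browser."""
    counts = Counter(fp.get(attribute, "") for fp in population)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def rank_attributes(population: List[Fingerprint]) -> List[Tuple[str, float]]:
    """Attributes ordered from most to least identifying."""
    names = sorted({k for fp in population for k in fp})
    return sorted(((n, attribute_entropy(population, n)) for n in names),
                  key=lambda item: item[1], reverse=True)


def uniqueness(population: List[Fingerprint]) -> float:
    """Fraction of browsers whose complete fingerprint occurs only once."""
    counts = Counter(tuple(sorted(fp.items())) for fp in population)
    return sum(1 for c in counts.values() if c == 1) / len(population)


def generalize(fp: Fingerprint) -> Fingerprint:
    """Mitigation modelled here: a browser that refuses canvas readback and
    does not enumerate its plugins. The remaining attributes are unchanged."""
    return {k: v for k, v in fp.items() if k not in ("canvas", "plugins")}


if __name__ == "__main__":
    for name, bits in rank_attributes(SAMPLE_FINGERPRINTS):
        print(f"{name:12s} {bits:.2f} bits")
    print("unique before:", uniqueness(SAMPLE_FINGERPRINTS))
    print("unique after: ", uniqueness([generalize(fp) for fp in SAMPLE_FINGERPRINTS]))
```

On this sample the canvas hash carries the most bits, as the study's use of canvas and WebGL would predict, and removing canvas and plugins lowers the unique share from half of the population to three eighths; the remaining attributes (user agent, language, time zone) are the "generic headers" the article says should be kept generic.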

Security Technology Market, Predictions, and Future Cyber Focus (continued from page 9)

low return on change investment, and change fatigue, thus exponentially compounding the negative effects [10].

So, embrace the constant change that is the cybersecurity world we live in and prepare to be engaged and amazed at what is possible to achieve, given implementation of these performance-enhancing change elements. They are innovative, success-oriented, and just may be the perfect thing that helps CISOs foil the next big cyber attack.

References

1. Morgan, Steve. Cybersecurity Market Report, Cybersecurity Ventures (February 17, 2017), http://cybersecurityventures.com/cybersecurity-market-report/.
2. Hogg, Scott. A Look Ahead at 2017, 6 Network and Security Trends you can expect in 2017, Network World (December 09, 2016), http://www.networkworld.com/article/3148871/internet-of-things/scott-hogg-s-2017-technology-predictions.html.
3. Mello, John. 5 Emerging Security Technologies Set to Level the Battlefield, TechBeacon (2017), https://techbeacon.com/5-emerging-security-technologies-set-level-battlefield.
4. Lohrmann, Dan. The Top 17 Security Predictions for 2017, Government Technology (January 08, 2017), http://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-top-17-security-predictions-for-2017.html.
5. Panetta, Kasey. Gartner's Top 10 Strategic Technology Trends for 2017, Gartner (October 18, 2016), http://www.gartner.com/smarterwithgartner/gartners-top-10-technology-trends-2017/.
6. Department of Defense. (August 11, 2015). Cyberspace Workforce Management (DOD Directive 8140.01), http://www.dtic.mil/whs/directives/corres/pdf/814001_2015_dodd.pdf.
7. Carter, Ashton. The DOD cyber strategy. Department of Defense: Washington, DC (2015), https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf.
8. Newhouse, B., Keith, S., Scribner, B., & Witte, G., NIST SP 800-181: National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) (November 2016), http://csrc.nist.gov/publications/drafts/800-181/sp800_181_draft.pdf.
9. Powers, Larry. Cybersecurity and Organizational Change Management: Communication, Boxley Group (December 11, 2016), http://boxleygroup.com/cybersecurity-and-organizational-change-management-communication/.
10. CEB Inc. Executive Guidance – Boosting Corporate Performance During Change Initiatives, https://www.cebglobal.com/content/dam/cebglobal/us/EN/top-insights/executive-guidance/pdfs/eg2016q1-boosting-corporate-performance-during-change-initiatives.pdf.
11. Brusse, Joshua. 3 Elements for Management of Organizational Change, Hewlett Packard Enterprise Digital Transformation Community (January 03, 2012), https://community.hpe.com/t5/Digital-Transformation/3-elements-for-management-of-organizational-change/ba-p/5437447#.WNby-4jvys2w.

About the Author

Dr. Rhonda Farrell, J.D., CISSP, CSSLP, CCMP, CSQE, is an Associate at Booz Allen Hamilton (BAH) and a member of the Board of Directors at ISSA Intl and ISSA-NOVA. She also holds a regional committee position within IEEE and a chair position within ASQ. She is the global SIG chair, co-founder of the Women in Security Special Interest Group (WIS SIG), and works cross-organizationally to actively enhance cybersecurity-oriented programs internationally. She can be reached at [email protected].


Security Assurance of Docker Containers: Part 1

By Stefan Winkel

The Notary project, recently introduced in Docker, is built upon the assumption that the pipeline can no longer be trusted. In this article, the Notary service will be explored with regards to an in-depth look at security testing of Docker containers.

Abstract

With recent movements like DevOps and the conversion towards , the IT industry is in the middle of a set of substantial changes to how software is developed and deployed. In the infrastructure space, software developers have seen the uptake of lightweight container technology, while application technologies are moving towards distributed microservices. There is a recent explosion in popularity of package managers and distributors like OneGet, NPM, RubyGems, and PyPI. Amid this process, application container technologies like Docker, LXC, and Rocket used to compartmentalize software components are getting immensely popular. More and more software development becomes dependent on small, reusable components developed by many different developers and is often distributed by infrastructures outside the control of development. As a result, the threat landscape is changing. Because of these changes the risk of introducing vulnerabilities in the development cycle has increased manifold. The Notary project, recently introduced in Docker, is built upon the assumption that the software distribution pipeline can no longer be trusted. Notary attempts to protect against attacks on the software distribution pipeline by association of trust and separation of duty to Docker containers. In this article, the Notary service will be explored with regards to an in-depth look at security testing of Docker containers.

DevOps, SecDevOps, and DevSecOps

With recent growth of software and services delivered through cloud computing, information security is playing a catch-up game with rapid continuous development. One of the latest trends is around DevSecOps and/or SecDevOps. Jim Bird, author of DevOpsSec: Securing Software through Continuous Delivery, explains in his book the contrasting perspectives of the growth of DevOps when he states "Some people see DevOps as another innovation, the newest thing over-hyped by Silicon Valley and by enterprise vendors trying to stay relevant. Others believe it is an authentically disruptive force that is radically changing the way that we design, deliver, and operate systems." [4] No matter what one believes, you cannot ignore that many companies, from small startups to Fortune 500 companies including Google, Netflix, Etsy, and Amazon, are having real success with DevOps at scale. In 2014, Amazon deployed 50 million changes: that is more than one change every second of every day [5]. Google, well known for various cloud services like Gmail, Google Maps, etc., has also embraced DevOps technologies. Joe Beda, a senior staff engineer at Google, recently stated at a conference that "Google spins up more than two billion containers per week, more than 3,300 containers per second." [3]

The various recent DevOps technologies that are being developed catalyze the speed of software development even further when used in conjunction. Victor Farcic, a senior consultant at CloudBees, explains in his book DevOps 2.0 Toolkit the relation between cloud services and containers. "On the first look, continuous deployment (CD), microservices (MS), and containers might seem like three unrelated subjects. After all, DevOps movement does not stipulate that microservices are necessary for continuous deployment, nor microservices need to be packaged into containers." [18] But he goes on to explain that when these three concepts are bundled together, they are very powerful. Combining these concepts allows for split-second deployments, which decreases the time to market, while at the same time the combination improves the quality of the services by providing a continuous quality feedback loop and hence benefiting both worlds. Farcic explains that "MS are used to create complex systems composed of small and


Figure 1 – VMs and containers resource utilization comparison (VMs: App and Bin/Libs on a Guest OS per VM, over a hypervisor on the host OS and server; containers: App and Bin/Libs per container, over LXC on the host OS and server)

Figure 2 – The Three Ways of DevOps [36] (The First Way: Systems Thinking, from Business to Customer; The Second Way: Amplify Feedback Loops; The Third Way: Culture of Continual Experimentation and Learning)

autonomous services that exchange data through their APIs and limit their scope to a specific bounded context." These services provide us with more freedom to make better decisions, faster development, and easier scaling of our services. Finally, "containers provide the solution to many deployment problems, in general, and especially when working with microservices. They also increase reliability due to their immutability." [18] To summarize, microservices are abstracting software problems while the use of containers solves issues related to deployment scenarios of software updates.

One major benefit of using containers over virtual machines (VMs) is that containers have less overhead associated with server density as they are typically 1/10th to 1/100th the size of a similar application packaged within a VM. A technology called Linux Containers (LXC) achieves this reduced server density. In LXC, a Linux kernel is shared to manage the underlying Operating System (OS). If, for example, a physical server would be running four VMs, this would require four OSes in addition to a hypervisor. But with containers, the server could share the same OS, binaries, and libraries as shown in figure 1.

Though containers share the same Linux kernel, they are platform agnostic, which makes them portable to any environment. Other benefits of using containers include encapsulation and scalability. Encapsulation packages everything needed by the application (e.g., dependencies, environment variables) within the container. The containers are also scalable, which means that they can be dynamically reduced or expanded in size. "Scalability can be applied to either one or multiple instances through centralized orchestration." [4] These powerful container concepts explain why there has been an immense growth in container usage in DevOps environments in the past few years.

Furthermore, combining containers with microservices makes it possible to support micro-segmentation; each microservice is running in a separate runtime environment. This is the catalyst for container technologies like LXC, Rocket, and especially Docker.

Introduction to Docker

Docker is a platform that combines applications and all their dependent components (e.g., libraries, tools) into an archive called a Docker image. A Docker image can be run on many different platforms like PCs, data centers, VMs, or clouds. As a Docker image compartmentalizes the application(s) and all its dependencies, it provides various benefits over bare metal such as portability and scalability. These features, combined with the reduced footprint that Docker images have over virtual images, result in deployments of Docker images in many different environments such as data centers and cloud solutions.

Started in 2013, Docker is an open source project and was released under the Apache 2.0 license, which efficiently allows for the creation, shipment, and running of containers within a single Linux instance. Docker was initiated as a project to build single-application Linux containers (LXC) and introduced numerous improvements to LXC that made containers more flexible and portable to use than LXC, as well as some other older container technologies like FreeBSD Jails and Solaris Zones.

LXC, based on a user-space, lightweight virtualization mechanism that implements namespaces and control groups (cgroups), manages resource isolation. Chenxi Wang, strategy officer at container security firm Twistlock, describes this isolation: "Namespaces deal with resource isolation for a single process, while cgroups, originally developed by Google, manage resources for a group of processes." [35] Cgroups isolate and limit a given resource over a collection of processes to control performance and security.

Portability is probably amongst the biggest advantages of Docker over LXC [35]. Portability allows the container to run on different OS distributions and hardware configurations without any changes to the image itself. This makes it very attractive to be used in a multitude of different architectures suitable in cloud environments.

36 – ISSA Journal | April 2017 Security Assurance of Docker Containers: Part 1 | Stefan Winkel

Role of Docker in DevOps

John Willis, an evangelist at Docker, explains the concepts of DevOps discussed above in something that he calls “The Three Ways of DevOps,” which are systems thinking, amplifying and shortening feedback loops, and continuous learning [36]. All other DevOps patterns use these three principles. Figure 2 describes these development patterns and visualizes the continuous feedback loops in the third drawing. In this model, “the way of continual experimentation and learning,” development and operations teams adjust production environments on the fly, based upon customer feedback. Through features like portability and micro-segmentation, Docker amplifies this third way of continual experimentation and learning, which leads to “faster innovation, higher quality, and a feedback loop of continuous learning, advancing to a higher rate of success” [36]. The fact that Docker has been embraced by large software powerhouses like Red Hat, IBM, , Huawei, Google, and Cisco, who are also the top contributors to the Docker project [14], indicates that Willis might be right when he states that Docker is a great adjunct to the third way of DevOps. The embrace by these software powerhouses has led to a quick adoption rate and to extensive investments being made in Docker. Jack Dougal, author at Banking.com, confirms this when stating that Docker has been adopted in the financial industry by firms like Goldman Sachs and Bank of America [17].

The faulty software distribution pipeline

As many organizations are starting to integrate Docker into their continuous integration (CI) and continuous delivery (CD) practices to help speed up system provisioning, reduce job time, and improve overall infrastructure utilization, they are becoming more dependent on small, reusable components developed by many different developers and often distributed by infrastructures outside the control of development. Because of these changes, the risk of introducing vulnerabilities in the development cycle has increased manifold, and the threat landscape is shifting. The Notary project, recently introduced in Docker, is built upon the assumption that the software distribution pipeline can no longer be trusted.

Changed security life cycle

One disadvantage/shortcoming of Docker is the impact of security on the software development cycle. As companies are adopting continuous deployment workflows, implementing microservices, and embracing containers, security needs to adapt to this rate of change, where there is no time to do pen testing or audits [4]. Figure 3 shows how in a traditional waterfall development cycle security is often part of the hardening phase—at the end of the release cycle, just before putting the code base in production. Bird states that “Security must ‘shift left’ earlier into design and coding and into automated test cycles instead of waiting until the system is designed and built and then trying to fit some security checks just before release” [4]. By shifting left, he means that security needs to be integrated earlier in the development stage. As the second image shows, in a pure DevOps environment security needs to be integrated from the design phase and not implemented as an afterthought. In other words, security becomes an integral part of the software development life cycle (SDLC) in a pure DevOps environment. This is aligned with the Third Way of DevOps as explained above (i.e., only when integrated with the development cycle through continuous security can code be securely deployed in a DevOps world).

Figure 3 – Waterfall versus DevOps development cycle

Separation of duties and other critical controls

One of the most difficult challenges in DevOps is separation of duties (SoD). Breaking down silos and sharing responsibilities between developers and operations seem to be in direct conflict with SoD [4]. In the continuous development model the developer cannot hand over code to the next phase, as there are continuous adjustments being made. The developer becomes part of the end product, and closer interaction with customers is crucial to streamline efficiency. The roles of the developer and the operator are merging. In an interview for ACM Queue, Amazon’s CTO Werner Vogels explains why Amazon promotes this development model: “You build it; you run it” [34]. Similar to Amazon, John Allspaw, CTO at Etsy, explained why at Flickr they promoted giving developers access, or at least limited access, to production environments [2]. But this also raises concerns. Giving developers access to managed systems, even read-only access, raises questions and problems for regulators, compliance, infosec, and customers. To address such concerns, you will need to put strong compensating controls in place [4][29]. Such controls can only come from automation (e.g., security tools).

Are security tools ready for DevOps?

With continuous learning through experimentation, we have seen that the DevOps model not only changes the development phases but also shifts responsibilities, as developers become directly responsible for the end product. Use of security tools in this changed model is key to success. “CIS critical security controls (CSCs) describe a set of specific actions designed to improve an organization’s ability to resist or recover from information security incidents” [11]. Use of automated tools is an effective way to enforce policies associated with CSCs. Tools will help to continuously measure, test, and validate the effectiveness of an organization’s current security measures. Tool usage is even more important in a DevOps environment, where the approach to change management is reversed (i.e., optimize for small and frequent changes). Robinson concludes in her paper, “Continuous Security: Implementing the Critical Controls in a DevOps Environment,” that “we can expect increased maturity for new security tools developed for DevOps as the shift towards DevOps continues” [29]. The question remains whether security tools are currently on par with the DevOps landscape.

Container integrity: Docker Notary

Who do you trust?

As applications become more dependent on external components, having secure software update systems becomes increasingly important. Diogo Monica, a security architect at Docker, argues that software developers and publishers should start to include in their risk analysis the possibility that the distribution infrastructure itself is actively malicious. He explains, “They should start following best practices concerning role responsibility separation, off-line storage of signing keys, and routine rotation of signing keys” [27]. So, to securely deliver updates, checks and balances need to be put in place during the delivery phase itself. No longer can one assume that the content can be trusted blindly.

Diogo blames the ease of package installation as a root cause of the distribution infrastructure potentially becoming malicious. “More and more our infrastructures are depending on external sources of content like NPM and package managers such as RPM. The funny part is that these things are all being managed by thousands of developers that we don’t know in infrastructures that are totally outside of our control, while the number of package managers keeps on increasing” [27]. Figure 4, a comic from xkcd.com, shows how a modern install script calls the many different package managers to install packages from many different locations.

Figure 4 – Universal install script, from http://xkcd.com/1654/

Another example that the distribution infrastructure might be tainted comes from a recent security analysis of OEM updates by Duo Security, which indicated that “all OEM vendors had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM” [6]. Whether it is through different package managers or through automatically applied updates in an OEM environment, it is obvious there are many different attack vectors on the distribution pipeline.

There are many known attacks on software update systems, from arbitrary software installation and mix-and-match attacks to fast-forward attacks. See an overview of many known attacks on these update systems at tuf/SECURITY.md [30].

Diogo explains in a Docker blog that HTTPS and GPG by themselves are not sufficient to trust the content. GPG is not a framework but a message format in which one applies a signature to an application and then verifies the signature, which leaves the system open to, for example, downgrade attacks. Such attacks mean that if there is a man in the middle, or someone has control over the actual cloud, the adversary can serve the victim an old (vulnerable) version of the content, as there is no revocation scheme.

The update framework

Software update systems that do not authenticate updates have received increased scrutiny in recent years. Unfortunately, due to this attention many of these systems have implemented simple authentication mechanisms that cannot survive key compromise [15][16]. The Update Framework (TUF) is a flexible, comprehensive security framework used for securing software update systems, and it mitigates such attacks. “TUF allows both new and existing systems to benefit from a design that leverages responsibility separation, multi-signature trust, trust revocation, and low-risk roles” [15][16]. There are many different update systems in use today, but TUF is different in the sense that it is built upon a specification and library that can be used universally to secure update systems.

Notary

To securely publish Docker images with content that is verifiable, Docker introduced the Notary utility. “Notary is a Docker utility built upon the TUF framework for securely publishing and verifying content, distributed over any insecure network” [27]. Notary has a few important objectives:

• Survivable key compromise
• Freshness guarantee
• Configurable trust thresholds
• Signing delegation
• Use of existing distribution
• Untrusted mirrors and transport

The TUF specification outlines these and other implementation directives [31].

Notary implements various recommendations from the TUF framework. For example, through signed collections it supports software with relations where versions depend on other versions. With survivable key compromise and

signing delegation, Notary allows for key delegation. Best practice would be to store the most crucial key (GPG master key) offline. Other keys that are less sensitive and should have a short expiration could live in the cloud. Such keys could, for example, be keys that sign certain portions of the software development life cycle. Transparent key rotation is another feature that allows keys to be rotated at different intervals. In case the root key is the source key of trust, the administrator cannot rotate it without taking the system offline. By using trust delegation, the root key can be taken offline. New keys can be signed and sent to the user. Adversaries cannot compromise the trust chain, as the root key was offline. Trust delegation allows for key rotation multiple times a week/day. One could, for example, rotate CI keys every month.

Notary threshold signing

One of the advantages of Notary from a security assurance perspective is that it allows users to sign packages with multiple keys, unlike GPG key signing, where there is only one key. For example, a software package needs to be built and signed by the CI system, and then later the security team needs to rubber-stamp it. A second example could be where different stages of the assurance process each add a signature, such as a unit test, integration test, security test, etc. Clients should be able to verify all keys that signed. Packages can get as many signatures as desired. This feature also protects against non-technical attacks like subpoenas by nation states. For example, multiple keys could be hosted in different countries (e.g., Russia, China, US). So, US companies would need approval from a security team in China.

Deploying and testing Docker Notary

The Notary and registry services have very different scaling and security requirements, so decoupling them has many benefits. Notary has both a server and a client component. In the section below a sandbox will be set up to demonstrate trust operations locally without impacting production images. The sandbox will be used to test the Notary service and look at the various security tools for testing Docker images. To use Notary, the user must be familiar with the command-line environment [19]. Note that this sandbox is just for development purposes. When moving from development to production, there are various considerations like high availability, databases, and certificates to ensure security and scalability. See the online Docker documentation for how to run the Notary service in production [15][16].

Setting up a Docker content trust sandbox

In this section, the example shows various containers and how to set up a sandbox to demonstrate the functionality of Docker Notary. A container called Trustsandbox will be generated, which has the latest version of the Docker engine with some preconfigured certificates. In the example the sandbox is used to test the Docker client in order to test various trust operations. The registry server container is a local registry service where Docker images can be stored. The Notary server container is the service that does all the heavy lifting of managing trust. The Notary signer service ensures that the keys are secure, while the MySQL container has the database that stores all the trust information. Docker Hub has these components already built in, so one would not need them if working exclusively with Docker Hub.

The commands below, with minor modifications, are obtained from Docker’s website [15][16]. See Appendix Section A “Prerequisites Docker Content Trust Sandbox” for prerequisites and Appendix Section B “Setting up Docker Content Trust Sandbox” for setting up the trust sandbox. Appendix files are available for download at: ISSA.org => Learn => Journal => Article Resources Button

Testing Notary trust operations

When the content trust sandbox is up and running, various trust operations will be executed to demonstrate the Notary functionality. These operations are as follows:

# Test Trust Operations
# Download a Docker test image
$ docker pull docker/trusttest
# Tag it to be pushed to sandbox registry
$ docker tag docker/trusttest sandboxregistry:5000/test/trusttest:latest
# Enable content trust
$ export DOCKER_CONTENT_TRUST=1
# Identify the trust server
$ export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443
# Pull the test image
$ docker pull sandboxregistry:5000/test/trusttest

You will get an error with the pull command, as shown in figure 5, because the content does not exist in the sandbox registry yet.

Figure 5 – Pull trusted Docker container from local registry fails

# Push and sign the trusted image
$ docker push sandboxregistry:5000/test/trusttest:latest
# Pull the pushed image
$ docker pull sandboxregistry:5000/test/trusttest

Once the image is signed correctly, the pull is successful, as shown in figure 6.

# Test with a malicious image
# Open terminal into sandboxregistry
$ docker exec -it sandboxregistry sh


Figure 6 – Notary signing and pulling of the signed image

# Change into registry storage
# cd /var/lib/registry/docker/registry/v2/blobs/sha256/aa/
# Add malicious data to one of the trusted layers
$ echo "Malicious data" > data
# Return to sandbox terminal and list the trusted image
$ docker images | grep trusttest
# Remove the trusttest:latest image
$ docker rmi -f a9539b34a6ab
# Pull the image again
$ docker pull sandboxregistry:5000/test/trusttest

Figure 7 shows that the pull operation did not complete because the trust system could not verify the image. The user will get an error similar to the one listed in figure 7. This error validates that Notary works as expected.

# Bring down services
$ docker-compose down -v

Figure 7 – Docker pull fails on corrupt image

This section illustrates how Docker Notary can be used to implement various basic trust operations on Docker containers. By using Notary one can start securing the distribution infrastructure with simple operations such as the ones above.

Notary integration with third-party repositories

The section above shows how to use Notary with a private Docker registry as a repository. Instead of using a private Docker registry, the same also works with cloud repositories like Docker Hub as well as with third-party repositories like Nexus and Artifactory. See, for example, JFrog’s Artifactory User Guide on how to set up Notary with Artifactory [25].
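As an added example, not code from the article or from the Notary project, the following Go program models the checks that decide whether the trusted pull above succeeds: a signature threshold over distinct trusted keys (the CI key plus the security-team key from the threshold signing section), an expiry that gives the freshness guarantee, and a content digest that catches an altered layer such as the "Malicious data" blob written into the registry; it also adds a version check against rollback, which the sandbox does not exercise. The metadata layout, the key-ID scheme, and all function names are assumptions made for this example, not Notary's format or API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TargetsMeta is a simplified stand-in for a TUF-style "targets" file (assumed layout,
// not Notary's wire format): each image tag maps to the SHA-256 of its content; the
// version and expiry let a client enforce freshness and refuse rollbacks.
type TargetsMeta struct {
	Version int               `json:"version"`
	Expires time.Time         `json:"expires"`
	Targets map[string]string `json:"targets"` // tag -> hex SHA-256
}
// SignedTargets is the metadata plus the Ed25519 signatures gathered for it, keyed by
// signer key ID, so one key can never count twice towards a threshold.
type SignedTargets struct {
	Signed     TargetsMeta       `json:"signed"`
	Signatures map[string][]byte `json:"signatures"`
}
// Role lists the trusted signing keys and how many distinct ones must sign.
type Role struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// HashHex returns the hex SHA-256 of data; used for layer digests and as key ID.
func HashHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}
// NewKey generates an Ed25519 key pair (stand-in for Notary's own key generation).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// NewRole trusts the given public keys and requires threshold distinct signers.
func NewRole(threshold int, pubs ...ed25519.PublicKey) Role {
	r := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: threshold}
	for _, p := range pubs {
		r.Keys[HashHex(p)] = p
	}
	return r
}

// canonical serialises the metadata; encoding/json sorts map keys, so signer and
// verifier hash identical bytes. Marshalling these fixed field types cannot fail.
func canonical(m TargetsMeta) []byte {
	b, _ := json.Marshal(m)
	return b
}

// Sign records priv's signature over st.Signed under the signer's key ID.
func Sign(st *SignedTargets, priv ed25519.PrivateKey) {
	if st.Signatures == nil {
		st.Signatures = map[string][]byte{}
	}
	pub := priv.Public().(ed25519.PublicKey)
	st.Signatures[HashHex(pub)] = ed25519.Sign(priv, canonical(st.Signed))
}

// VerifyTargets enforces the threshold over distinct trusted keys, the expiry (the
// freshness guarantee against stale metadata), and that the version did not go
// backwards since lastSeen (rollback protection).
func VerifyTargets(st SignedTargets, role Role, lastSeen int, now time.Time) error {
	msg := canonical(st.Signed)
	valid := 0
	for id, sig := range st.Signatures {
		if pub, ok := role.Keys[id]; ok && ed25519.Verify(pub, msg, sig) {
			valid++
		}
	}
	switch {
	case valid < role.Threshold:
		return fmt.Errorf("threshold not met: %d of %d trusted signatures", valid, role.Threshold)
	case !now.Before(st.Signed.Expires):
		return errors.New("targets metadata expired")
	case st.Signed.Version < lastSeen:
		return errors.New("version rollback detected")
	}
	return nil
}

// VerifyLayer is the check behind the failed pull once a layer blob was altered in
// the registry: the trusted digest no longer matches the bytes served.
func VerifyLayer(meta TargetsMeta, tag string, content []byte) error {
	if want, ok := meta.Targets[tag]; !ok || HashHex(content) != want {
		return errors.New("tag not trusted or layer digest mismatch")
	}
	return nil
}
```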


Google Container Registry

In early 2015, Google introduced Google Container Registry for managing private Docker images. Its functions are described by the company as follows: “The Google service, which runs on Google’s cloud platform, stores, shields, encrypts, and controls access to a customer’s Docker containers, offering a higher level of security for containers than has been available in the past” [20]. While the Google registry has Docker V2 API registry support, it is not clear at the time of this writing if this includes Notary functionality as well. But it shows that containers cannot be trusted as is and a verification service is needed to secure the distribution pipeline.

Conclusion

As explained, the software distribution pipeline can no longer be trusted. Notary protects against attacks on the software distribution pipeline by associating trust and separation of duty with Docker containers. This article describes how to use Notary to sign Docker images by setting up a Docker content trust sandbox. In part two we will explore some commercial solutions as well as various other aspects of using Notary in a CD/CI environment.

References

1. Alfresco. (2015, December 3). Docker Security Tools: Audit and Vulnerability Assessment | Alfresco DevOps Blog [Web log post]. Retrieved from https://www.alfresco.com/blogs/devops/2015/12/03/docker-security-tools-audit-and-vulnerability-assessment/.
2. Allspaw, J. (2009, June). 10+ Deploys per Day: Dev and Ops Cooperation at Flickr. Paper presented at Velocity, San Jose, CA. Retrieved from http://www.kitchensoap.com/2009/06/23/slides-for-velocity-talk-2009/.
3. Beda, J. (n.d.). Containers at Scale. Paper presented at GlueCon 2014, Denver, Colorado.
4. Bird, J. (2016). DevOpsSec, Securing Software through Continuous Delivery. O’Reilly. Retrieved from http://www.oreilly.com/webops-perf/free/devopssec.csp.
5. Brigham, R., & Liguori, C. (n.d.). AWS re:Invent 2015 | (DVO202) DevOps at Amazon: A Look at Our Tools and Processes [Video file]. Retrieved from https://www.youtube.com/watch?v=esEFaY0FDKc.
6. Camp, D., Czub, C., & Dadidov, M. (n.d.). Out-of-Box Exploitation - A Security Analysis of OEM Updaters. Retrieved from https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf.
7. Cappos, J. (2008). A Look in the Mirror: Attacks on Package Manager (Doctoral dissertation, University of Arizona). Retrieved from https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf.
8. Cappos, J., Samuel, J., Baker, S., & Hartman, J. H. (2008). A Look in the Mirror. Proceedings of the 15th ACM conference on Computer and communications security - CCS ‘08. doi:10.1145/1455770.1455841.
9. Center for Internet Security. (2015, April 22). CIS Docker 1.6 Benchmark. Retrieved from https://benchmarks.cisecurity.org/tools2/docker/cis_docker_1.6_benchmark_v1.0.0.pdf.
10. Center for Internet Security. (2016, April 12). CIS Docker 1.11.0 Benchmark. Retrieved from https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf.
11. CIS Critical Security Controls. (n.d.). Retrieved October 1, 2016, from https://www.cisecurity.org/critical-controls.cfm.
12. Cole, E., & Tarala, J. (2016). Implementing and Auditing the Critical Security Controls – In Depth. The SANS Institute.
13. Conjur, Inc. (2016, June 18). Securing Docker with Secrets and Dynamic Traffic Authorization [Web log post]. Retrieved from https://blog.conjur.net/securing-docker-with-secrets-and-dynamic-traffic-authorization.
14. Docker - Updated Project Statistics · GitHub. (n.d.). Retrieved October 2, 2016, from https://gist.github.com/icecrime/18d72202f4569a0cab1ee60f7583425f.
15. Docker Inc. (2016). Play in a Content Trust Sandbox. Retrieved October 15, 2016, from https://docs.docker.com/engine/security/trust/trust_sandbox/.
16. Docker Inc. (2016, October). Content Trust in Docker. Retrieved October 18, 2016, from https://docs.docker.com/engine/security/trust/content_trust/.
17. Dougal, J. (2015, December 19). The Container Factor | Banking.com [Web log post]. Retrieved from http://banking.com/analysis/the-container-factor/.
18. Farcic, V. (2016). The DevOps 2.0 Toolkit: Automating the Continuous Deployment Pipeline with Containerized Microservices. CreateSpace Independent Publishing Platform.
19. Gallagher, S. (2016). Securing Docker: Learn How to Secure Your Docker Environment and Keep Your Environments Secure Irrespective of the Threats out There. Birmingham, UK: Packt Publishing.
20. Google Inc. (2015, January 1). Blog: Secure Hosting of Private Docker Repositories in Google Cloud Platform [Web log post]. Retrieved from https://cloudplatform.googleblog.com/2015/01/secure-hosting-of-private-Docker-repositories-in-Google-Cloud-Platform.html.
21. Grattafiori, A. (2016). Understanding and Hardening Linux Containers. Retrieved from https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf/.
22. Gummaraju, J., Desikan, T., & Turner, Y. (2015, May 1). BanyanOps Analyzing DockerHub. Retrieved from https://banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf.
23. Gurkok, C., & Falko, A. (2016, June 27). Usage of Notary [Digital image]. Retrieved November 3, 2016, from http://image.slidesharecdn.com/dockercon-2016-cg-securingthecontainerpipelineatsalesforce-sf-6-23-2016-public-160627171137/95/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-14-638.jpg?cb=1467047655.
24. Humble, J., & Farley, D. (2011). Continuous Delivery. Upper Saddle River, NJ: Addison-Wesley.
25. JFrog. (2016, October 5). Working with Docker Content Trust: JFrog Artifactory User Guide [Web log post]. Retrieved from https://www.jfrog.com/confluence/display/RTF/Working+with+Docker+Content+Trust.
26. Microsoft Corporation. (2016, September 26). Microsoft Previews Project Springfield, a Cloud-Based Bug Detector - Next at Microsoft [Web log post]. Retrieved from https://blogs.microsoft.com/next/2016/09/26/microsoft-previews-project-springfield-cloud-based-bug-detector/.
27. Monica, D. (2015, August 1). Introducing Docker Content Trust - Docker Blog. Retrieved from https://blog.docker.com/2015/08/content-trust-docker-1-8/.
28. Red Hat Corporation. (2016, June). A Security State of Mind: Container Security. Paper presented at Usenix, Austin, Texas.
29. Robinson, A. (2016, December 20). Continuous Security: Implementing the Critical Controls in a DevOps Environment. Retrieved from https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552.
30. tuf/SECURITY.md at develop · theupdateframework/tuf · GitHub. (n.d.). Retrieved October 4, 2016, from https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md.
31. tuf/tuf-spec.txt at develop · theupdatefram ework/tuf · GitHub. (n.d.). Retrieved from https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt.
32. Virdi, K., Kalyan, R., & Kaur, N. (2015). Software Testing as a Service (STaaS) Using Cloud Computing. IJECS, 4(1), 7. Retrieved from http://docplayer.net/12543741-Software-testing-as-a-service-staas-using-cloud-computing.html.
33. Vliet, J., & Paganelli, F. (2011). Programming Amazon EC2. Sebastopol, CA: O’Reilly Media.
34. Vogels, W. (2006, June 30). Learning from the Amazon Technology Platform. Association for Computing Machinery (ACM), 4(4), 8. Retrieved from http://queue.acm.org/detail.cfm?id=1142065.
35. Wang, C. (2016, May 6). Containers 101: Linux Containers and Docker Explained | InfoWorld. Retrieved from http://www.infoworld.com/article/3072929/linux/containers-101-linux-containers-and-docker-explained.html.
36. Willis, J. (2015, July 31). Docker and the Three Ways of DevOps. Retrieved from https://www.docker.com/sites/default/files/WP_Docker and the 3 ways devops_07.31.2015 (1).pdf.

About the Author

Stefan Winkel, CISSP, GSEC, GNFA, GCIA, GREM, GPEN, GWAPT, GCIH, GCPM, has 15+ years’ experience of security, business, and software development and assurance in the high-tech industry, working for Oracle Corp, Symantec Corp, VERITAS Corp, Ordina Integrity, and Philips Electronics. Stefan holds an MBA degree from St. Mary’s, California, and a BSc degree from Saxion University, The Netherlands. He may be reached at [email protected].

This Time, It Really Is a Game Changer (continued from page 5)

terms of faster time to detect and respond to malicious activity).

Whether AI radically changes our approach to cybersecurity remains to be seen, but initial indications are looking pretty good. In light of that, I’m headed off to use my Google Home to start up the Roomba, then query the fridge about any attacks that were repelled overnight, and finally fire up my NS-5 so it can take the dogs out for a walk.

About the Author

Randy V. Sabett, J.D., CISSP, is vice chair of the Privacy & Data Protection Practice at Cooley LLP, and a member of the advisory boards of MissionLink and the Georgetown Cybersecurity Law Institute, along with being the immediate past senior VP of ISSA NOVA. He was a member of the Commission on Cybersecurity for the 44th Presidency, was named the ISSA Professional of the Year for 2013, and can be reached at [email protected].

42 – ISSA Journal | April 2017 There’s No Going It Alone: Disrupting Major Cybercrime Rings | John Garris

There’s No Going It Alone: Disrupting Major Cybercrime Rings (continued from page 24)

ments within the context of other related reporting also show that without the rich competencies and extensive capabilities of the FBI, as well as the support of cybersecurity researchers, the US case would have likely never succeeded.

Law enforcement’s involvement brought to bear important authorities to the longer-standing efforts of security researchers, such as the ability to seek and execute search and arrest warrants. Law enforcement’s involvement also provided previously unavailable tools to gain insight regarding the money flows into and out of Rove and its many front companies. These uniquely governmental authorities and tools, including subpoenas and letters rogatory,1 were also very important in developing a clearer picture of Rove’s various assets. Although the true origin of the catchphrase “follow the money,” popularized in the motion picture All the President’s Men, is questioned by scholars [19], that catchphrase has been widely embraced by law enforcement as a tried and true method for zeroing in on even the most complex of fraud schemes. Armed with subpoenas, warrants, and assistance from Estonian and Dutch law enforcement, the growing cadre working the Rove case was now equipped to truly “follow the money.”

Referenced earlier, the previously sealed 43-page indictment filed by the US Attorney’s Office for the Southern District of New York is a rich source for understanding the key aspects of the US government’s case against Tsastsin et al. Understandably, the indictment was originally sealed at the request of the US Attorney’s Office as a precautionary step to help preclude alerting the targets before they could be arrested in Estonia. Given that the targets were all located overseas, another key aspect of the indictment is that it would serve as an important foundation for subsequent requests for assistance to Estonian authorities. Without an indictment, important aspects of the Multilateral Assistance Treaty between the US and Estonia would be unavailable to US law enforcement [7]. Most noteworthy is the sheer amount of information in the indictment, as it foreshadowed the strong merits of the US government’s case.

An indictment must be written in a clear and concise manner so as to provide only the essential information necessary to address the individual charges being brought by the prosecutor [22].

Tsastsin apparently just did not appreciate the risk that this entailed at the time. Actually, given the size and dynamic nature of his operations, neither he nor his staff likely even took notice.

The second reason for NASA’s prominence in the facts of the investigation is potentially much more relevant to public-private cybersecurity efforts in the future. It appears NASA, at least very early on in the investigation, was the only source of solid information regarding the adverse effects of Rove’s DNS Changer infections. In the application to execute the search warrant at Pilosoft, NASA is offered as the only clear victim, including estimates of monetary loss, of Rove’s deliberately diffused and obfuscated activities. In his affidavit requesting court approval for the warrant, the FBI agent reports that on October 26, 2009, the NASA agent conducted searches of NASA’s database for computer security incidents and found at the time 65 NASA systems that were infected with malicious software controlled from Rove’s C&Cs hosted at Pilosoft [12].

In order to better understand the triggers for law enforcement’s engagement in this matter, it’s useful to appreciate how complaints and information are typically triaged by investigative agencies and US Attorney offices as a means to prioritize the use of limited resources. This prioritization, as logic would lead most to assume, attempts to factor in traditional measures of significance such as losses incurred by victims and broader societal effects. In fact, this recurring triage of complaints and issues is so central to day-to-day law enforcement operations that methodologies have been memorialized. The core methodology for US Attorneys to assess whether to accept or decline cases is found in the Department of Justice US Attorneys’ Manual [21]. As the investigation of Rove continued to build upon the earlier work of computer security researchers, the scale and impact of Rove operations would have eventually met the threshold of nearly any US Attorney’s office. However, the initial evidence of NASA’s victimization seems to have provided a very useful foundation for US law enforcement to justify the initial resource investments needed to aggressively pursue this case.

Perhaps the more telling evidence of NASA’s role in law enforcement’s efforts to target Rove comes from Tsastsin himself. As he was fighting both Estonian criminal charges and extradition to the US from his Estonian jail cell, Tsastsin went on something of a public relations push. During an interview by a reporter from the Estonian daily Pealinn, Tsastsin said he could trace his plight back to the fact that his software, which he was arguing caused no true harm, had been found on NASA systems. He told the reporter, when referring to the genesis of his current predicament, “the initiative came from NASA” [20]. Ironically, Tsastsin’s extensive efforts to avoid detection through VPN tunneling and other obfuscation techniques began to unravel when just 65 NASA systems were hijacked into Rove’s botnet of over four million systems.

1 Letters rogatory: “Letters rogatory are the customary means of obtaining judicial assistance from overseas in the absence of a treaty or other agreement. Letters rogatory are requests from courts in one country to the courts of another country requesting the performance of an act which, if done without the sanction of the foreign court, could constitute a violation of that country's sovereignty. Letters rogatory may be used to effect service of process or to obtain evidence if permitted by the laws of the foreign country.” US Department of State – https://travel.state.gov/content/travel/en/legal-considerations/judicial/obtaining-evidence/preparation-letters-rogatory.html.

ed on Rove’s Pilosoft assets was overly broad, the US government’s attorney framed her argument, in part, by referencing an interesting assertion made by the defense, “…whereas the affidavit alleged approximately $25 million in fraud, the agents seized documents relating to all $1.2 billion of assets managed by the target company.” [13]. In this case, of course, Rove is “the target company.”

The takedown

The cooperative efforts of Estonian, US, and Dutch law enforcement continued to build upon the work of the security researchers who had brought forward their concerns regarding Rove’s extensive criminal activities. The investigation not only developed a growing understanding of the contours of Rove’s financials, but the tentacles of Rove’s business operations, previously obscured by their use of VPN tunneling and numerous front companies, also came into much clearer view.

Figure 2 – A glimpse into Rove’s financials: spreadsheet used in Nov. 1, 2011, (then sealed) indictment of Tsastsin et al. (Source: US District Court Southern District of New York)

Guided by a key discovery uncovered through Trend Micro’s earlier research, the FBI executed a search warrant on Pilosoft, targeting records associated with IP address 69.31.87.98. This IP address was leased at the time to a company called SBP Group, which was found to be yet another front company used by Tsastsin. However, this server proved to be critical in expanding law enforcement’s understanding of Rove’s operation [10]. This server was found to be the primary mechanism used by Rove to control traffic to the immense number of domains Rove was regularly hijacking [15]. As outlined in the US government’s request for assistance from Estonian
Thus, despite its length and the large number of authorities, the subsequent analysis of this server showed it charges outlined therein, the prosecutor’s indictment essen- hosted a program used to re-route the traffic of millions of tially represents short summaries of the information deemed infected users to approximately 19,900 domains. Convenient- necessary for a judge to meaningfully assess the charges list- ly, at least from the perspective of building the case against ed. With that in mind, figure 2 offers an eye-opening sam- Tsastsin et al., was the email traffic found on the server. These pling of Rove’s financial transactions during 2009 and 2010. emails reflected back-and-forth conversations between the Extracted from the indictment, it represents how the gov- defendants regarding how they regularly handled the day-to- ernment supported several of its charges, specifically counts day challenges of managing such a large global operation [9]. 7 through 27. These transactions provide a keyhole view of Rove’s impressive revenue stream, as well as a sense of the In preparation for the takedown of the Rove enterprise, US size of its operation through some of the payments Tsastsin law enforcement laid the groundwork by obtaining court or- made to ISPs. ders to freeze Rove’s many assets, including numerous sys- tems required to operate that enterprise. As seen in a request The Rove accounts referenced include those provided by for a protective order filed by the Southern District of New JP Morgan Chase, New York (“The Manhattan Data Cen- York’s US Attorney’s office leading up to the take down opera- ter-Chase Account”); the Furox-USD account in Denmark tions, Rove’s overall operations had demonstrated impressive to the “Chicago ”; and a corporate account for growth and complexity. In addition to listing a few thousand Onwa held in Cyprus, another of Tsastsin’s front companies. 
IP addresses owned by Rove at the time, the post-indictment After viewing this snapshot of financial transactions, there protective order listed Rove’s forfeitable property maintained is little wonder how the US government was able to assert a by the following providers: Colosecure, Chicago, IL; The- minimum figure of $14 million in illicit gains and assets that Planet, Houston, TX; Multacom Corp, Canyon, CA; Layered would be subject to seizure and forfeiture in the case against Technologies, Plano, TX; GlobalNet Access, Atlanta, GA; as Tsastsin et al. [11][12]. In all probability, the illicit wealth well as seven other locations [8]. amassed by Tsastsin far exceeded $14 million. A strong in- dicator of that can be found in the Assistant US Attorney’s On November 8, 2011, US and Estonian law enforcement per- memorandum to the court in opposition to pretrial motions sonnel executed coordinated search and arrest operations at filed by the attorneys for several of the Rove defendants. In multiple locations within the US and Estonia. Six of the seven countering the defense’s argument that the search conduct- indicted defendants, Vladimir Tsastsin, age 31, Timur Ger-

44 – ISSA Journal | April 2017 There’s No Going It Alone: Disrupting Major Cybercrime Rings | John Garris

March 2016 May 2016 Volume 14 Issue 3 Volume 14 Issue 5 assimenko, age 31, Dmitri Jegorov, age 33, Valari Aleksejev, Do Data Breaches Matter? Crypto Wars II A Review of Breach Data and What to Do Next Fragmentation in Mobile Devices FedRAMP’s Database Scanning Requirement: Mobile Application Security The Letter and Spirit Mobile App Testing for the Enterprise Smart Practices in Managing an Identity Auditing Project On the Costs of Bitcoin Connectivity age 31, Konstantin Poltev, age 28, and Aanton Ivanov, age 26, MOBILE APPS were arrested and taken into custody in Estonia by the Esto- Do Data nian Police and Border Guard [23]. Breaches Matter? A Review of Breach Data The extensive international coordination and successful si- and What to Do Next

BREACH REPORTS: multaneous execution of numerous search and arrest war- Crypto Wars II COMPARE/CONTRAST rants in multiple time zones and international jurisdictions ★ ★ ★ ISSA ★ ★ ELECTION ★ ★ 2016 ★ ★ ★ was an impressive accomplishment by any measure. Howev- ISSA Journal 2017 Calendar er, the groundbreaking cooperation and creativity demon- strated in this particular case to minimize the impact on mil- JANUARY lions of victims, whose Internet access would effectively cease when the takedown occurred, was quite impressive as well. Best of 2016 Initiated largely through the initiative of a supervisory FBI FEBRUARY agent, the DNS Changer Working Group (DCWG) was Legal, Privacy, Regulation, Ethics formed through the participation of an ad hoc group of cy- bersecurity professionals who were familiar with the wide- MARCH spread impact Rove’s DNS Changer malware infections were Internet of Things having. The DCWG was formed primarily to try to mitigate and remediate the adverse effects the takedown of Rove’s APRIL DNS servers would have on the approximately four million New Technologies in Security systems infected at the time of the planned law enforcement operations [16]. As described in the DCWG website, it is an MAY ad hoc group of subject matter experts that includes mem- The Cloud bers from organizations such as Georgia Tech, Internet Sys- tems Consortium, Mandiant, National Cyber-Forensics and JUNE Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Big Data/Machine Learning/Adaptive Systems Micro, and the University of Alabama at Birmingham [2]. 
Editorial Deadline 4/22/17 The court order transferring temporary control of the core JULY Rove infrastructure seized at Pilosoft, NY, and Colosecure, IL, to the Internet Systems Consortium (ISC) provides useful Cybersecurity in World Politics insight into the legal framework used to grant ISC tempo- Editorial Deadline 5/22/17 rary authority to take any and all steps reasonably necessary AUGUST to administer the “replacement DNS servers.” In crafting the Disruptive Technologies order approved by the judge, the US Attorney’s Office of the Editorial Deadline 6/22/17 Southern District of New York, took care to request ICS be granted the authorities necessary to, “…identify computers SEPTEMBER that are infected with malicious DNS Changer software (the Health Care DNS Changer malware) by collecting the IP addresses that Editorial Deadline 7/22/17 query the replacement DNS servers, the network ports as- OCTOBER sociated with those requests, and the date and time of those requests…” [11]. Of note, the court order also set important Addressing Malware limitations in that ICS could not capture any content of the Editorial Deadline 8/22/17 victims’ communications. Another important constraint was NOVEMBER that the receivership and its underlying authorities had a fi- Cryptography and Quantum Computing nite lifespan. In the case of ICS’ receivership, it was ultimately Editorial Deadline 9/22/17 set to expire on July 9, 2012 [11]. Shortly after the Rove take- down and arrest of Tsastsin et al., the DCWG took over the DECEMBER day-to-day monitoring of the replacement DNS servers oper- Social Media, Gaming, and Security ated by ICS under authority of the court order [2]. Editorial Deadline 10/22/17 DCWG members regularly assessed the traffic related to the millions of DNS Changer infections and provided input for You are invited to share your expertise with the association possible mitigation strategies. The DCWG’s efforts com- and submit an article. 
Published authors are eligible plemented a media campaign the FBI launched to increase for CPE credits. For theme descriptions, visit www.issa.org/?CallforArticles. awareness of DNS Changer infections to include informa- tion on how to remediate those infections [16]. Using the [email protected] • WWW.ISSA.ORG

April 2017 | ISSA Journal – 45 There’s No Going It Alone: Disrupting Major Cybercrime Rings | John Garris approximate baseline of four million systems infected with cyberthreats and incidents. The Rove takedown effort suc- DNS Changer at the time of Rove’s demise and the last set of cessfully overcame at least three of these traditional barriers. data reported by DCWG, these remediation efforts appear to The shear duration and ultimate success of the collaborative have been largely successful. According to the DCWG web- efforts to extinguish Rove’s activities speaks volumes with site’s daily count of unique IP addresses of systems infected regards to the trust that clearly existed among the large and with DNS Changer, the count was down to 303,867 by June, diverse mix of participants. The fact that law enforcement was 11, 2012 [2]. Viewed less optimistically, the fact that over 300 a recipient of much of the early information developed by se- thousand systems remained infected despite all these efforts curity professionals may have helped, as it side-stepped many highlights the challenges of pushing proper computer securi- of the restrictions to sharing information derived from search ty hygiene to individual users. warrants and other legal process. Trust was likely enhanced Conclusion in the eyes of law enforcement by the fact security researchers were responsibly restrained with regards to what they pub- This case study demonstrates how, faced with a persistent and lished through critical phases of the criminal investigation. consequential cybersecurity challenge, a coalition of individ- Also, the FBI’s innovative and open approach to mitigating uals and organizations from the public and private sectors down-stream effects that would occur after the takedown of can successfully navigate past the challenges that often serve Rove’s DNS network likely helped continue to engender trust as impediments for such efforts to succeed. with private sector participants. 
In her analysis of public-private collaboration in cybersecu- In addition to the favorable conditions noted above, a fre- rity partnerships, Judith Germano [4] found that public-pri- quent impediment to meaningful sharing of information re- vate partnerships were essential in addressing national and garding cybersecurity events was largely avoided in this col- global cybersecurity threats. Germano’s examination of this laborative effort. Traditional disclosure concerns associated issue identified five primary barriers to successful partner- with victimized corporations wrestling with both remedia- ships necessary to address these threats. Those barriers in- tion of the incident and considerations of adverse publicity clude (1) issues surrounding trust and control of incident re- were largely absent in Rove. Helpfully, the losses NASA OIG sponse, (2) questions about obligations regarding disclosure was able to tally with regards to DNS Changer infections after and exposure, (3) the evolving liability and regulatory land- being approached by cybersecurity researchers was very use- scape, (4) challenges faced in the cross-border investigation ful in moving past loss thresholds applied when assessing the of cybercrime, and (5) cross-border data transfer restrictions potential value of law enforcement’s engagement. As noted that impede the ability of companies to respond nimbly to by Germano [4], cyber investigations are inherently complex, and some of that complexity often stems from the need to navigate international jurisdictional considerations. Fortu- nately for US law enforcement, Tsastsin and his crew physi- Easy and cally resided in Estonia, a country with a ratified Multi-Lat- Convenient! eral Assistance Treaty with the US. That is not to imply the coordination and negotiation with Estonia was not delibera- tive and procedurally involved. 
However, the fact that a rati- www.issa.org/store/default.asp fied treaty between the US and Estonia existed was extremely helpful. Contrast the successful outcome of the Rove investi- gation with so many other criminal investigations where the subjects are believed to be residing in Russia, China, or other countries with whom the US has no such treaty. As a final point to support the preceding observation, Andre Taame, a Russian citizen, is the only member of Rove indicted by the US who remains at-large. References 1. A Cybercrime Hub. (2009). Trend Micro Inc. threat re- search white paper. Retrieved from http://www.trendmicro. Computer Bags • Short-Sleeve Shirt co.uk/media/wp/cybercrime-hub-whitepaper-en.pdf/. 2. DNS Changer Working Group – About/Contact Informa- Long-Sleeve Shirt • Padfolio tion (n.d.). Retrieved from http://www.dcwg.org/aboutcon- Travel Mug • Baseball Cap • Fleece Blanket tact/. Proud Member Ribbon 3. Estonian National Pleads Guilty in Manhattan Federal Court to Charges Arising From Massive Cyber Fraud Place Your Order Today: ISSA Store! Scheme That Infected Millions of Computers Worldwide. USAO-SDNY. Department of Justice. (2015). Retrieved

46 – ISSA Journal | April 2017 There’s No Going It Alone: Disrupting Major Cybercrime Rings | John Garris

from http://www.justice.gov/usao-sdny/pr/estonian-nation- 15. Operation Ghost Click – The Rove Digital Takedown. al-pleads-guilty-manhattan-federal-court-charges-aris- (2012). Trend Micro Inc. Research Paper. Retrieved from ing-massive-cyber. http://www.trendmicro.com/cloud-content/us/pdfs/secu- 4. Germano, Judith. (2014). Cybersecurity Partnerships: rity-intelligence/white-papers/wp_the_rove_digital_take- A New Era of Public-Private Collaboration. The Center down.pdf. on Law and Security. New York University School of Law. 16. Public-private effort against cyberattacks could become Retrieved from http://www.lawandsecurity.org/Portals/0/ a model for online safety. Pittsburgh Post-Gazette. (Nov Documents/Cybersecurity.Partnerships.pdf. 18, 2012). Retrieved from http://www.post-gazette.com/ 5. Hruska, Joel. (Sep 23, 2008). Bad Seed ISP Atrivo Cut Off businessnews/2012/11/18/Public-private-effort-against- from Rest of the Internet. Ars Technica. Retrieved from cyberattacks-could-become-a-model-for-online-safety/ http://arstechnica.com/security/2008/09/bad-seed-isp-atri- stories/201211180217. vo-cut-off-from-rest-of-the-internet/. 17. Ravelli, Erich. “Rove Digital - Finally Gone?” InfoSecurity. 6. Krebs, Brian. (Aug 28, 2008). Report Slams US Host as N.p., 6 Sept. 2009. Retrieved from http://www.arvutikaitse. Major Source of Badware. Washington Post. Retrieved from ee/rove-digital-kas-loplikult-lainud/. http://voices.washingtonpost.com/securityfix/2008/08/re- 18. Jenkins, Quenten. Ghost Click/DNSChanger: Could ISPs port_slams_us_host_as_major.html. Have Stopped It?” Spamhaus.org, 15 Nov. 2011. Retrieved 7. Mutual Legal Assistance – Treaty between the United from https://www.spamhaus.org/news/article/676/ghost- States of America and Estonia. Signed April 2nd, 1998; click-dnschanger-could-isps-have-stopped-it. ratified Oct 20th, 2000. 19. Safire, William. “Follow the Proffering Duck.” New York 8. New York Southern District Court. Re: US v. Tsastsin et al. Times. 
3 Aug 1997. Retrieved from http://www.nytimes. Case No. 1:11-cr-00878. SDNY USAO Briefing Memo to the com/1997/08/03/magazine/follow-the-proffering-duck. Court “Re: United States v. Valeri Aleksejev, S2 11 Cr. 878 html. (LAK),” dtd: July 25, 2013. Retrieved via Public Access to 20. US Case against International Clickjacking Defendant Court Electronic Records (PACER). May Be Compromised. Estonian Public Broadcasting. 9. New York Southern District Court. Re: US v. Tsastsin et (2014, April 25). Retrieved from http://news.err.ee/v/sci- al. Case No. 1:11-cr-00878. Indictment. “United States v. tech/1a7eb606-eedd-47d1-83b6-d7c67b54e232. Vladimir Tsastsin, Andre Taame,…” dtd: Nov 1st, 2011. 21. US Department of Justice. (n.d.). United States Attor- Retrieved via Public Access to Court Electronic Records neys’ Manual. Section 9-27.230 –Initiating and Declining (PACER). Charges—Substantial Federal Interest. Retrieved from 10. New York Southern District Court. Re: US v. Tsastsin et al. http://www.justice.gov/usam/usam-9-27000-principles-fed- Case No. 1:11-cr-00878. Request for Assistance to the Cen- eral-prosecution - 9-27.230. tral Authority of Estonia in the Investigation of Computer 22. US Department of Justice. (n.d.). United States Attor- Intrusion Activity in the United States by Rove. dtd: Dec neys’ Manual – Criminal Resource Manual. Section 214 6th, 2010. Retrieved via Public Access to Court Electronic – Drafting Indictments and Informations. Retrieved from Records (PACER). http://www.justice.gov/usam/criminal-resource-manu- 11. New York Southern District Court. Re: US v. Tsastsin et al. al-214-drafting-indictments-and-informations. Case No. 1:11-cr-00878. Post-Indictment Protective Order. 23. United States Attorney’s Office – Southern District of “Re: United States v. John Doe 1, et a;” dtd: Nov 3rd, 2011. New York. (2011). 
Manhattan US Attorney Charges Seven Retrieved via Public Access to Court Electronic Records Individuals with Engineering Sophisticated Internet Fraud (PACER). Scheme That Infected Millions of Computers Worldwide 12. New York Southern District Court. Re: US v. Tsastsin et and Manipulated Internet Advertising Business [Press al. Case No. 1:11-cr-00878. Affidavit in support of a search release]. Retrieved from http://oig.nasa.gov/press/pr2012-A. warrant for the premises of Pilosoft, 55 Broad St., New pdf. York, New York, as it pertains to IP Address 69.31.87.98, dtd: March 1st, 2010. Retrieved via Public Access to Court About the Author Electronic Records (PACER). John Garris, CISSP, GSEC, CCE, GCIH, is 13. New York Southern District Court. Re: US v. Tsastsin et al. the Deputy Assistant Inspector General for Case No. 1:11-cr-00878. “Government’s Memorandum of Investigations within NASA’s Office of -In Law in Opposition to the Pretrial Motions of Defendants spector General (OIG). He previously direct- Timur Gerassimenko, Dmitri Jegorov and Konstantin ed NASA OIG’s Computer Crimes Division, Poltev,” filed: Feb 4th, 2015. Retrieved via Public Access to one of the most successful computer crimes Court Electronic Records (PACER). organizations within the US federal govern- 14. New York Southern District Court. Re: US v. Tsastsin et ment inspector general community, as evidenced by numerous al. Case No. 1:11-cr-00878. Letter Rogatory from the US successful investigations leading to arrests and prosecutions Department of Justice to the Central Authority of Estonia. Subject: “Request for Assistance in the Investigation of of Portuguese, American, Nigerian, Romanian, Venezuelan, Computer Intrusion Activity in the United States by ROVE Turkish, Estonian, Slovenian, Italian, and Chinese computer DIGITAL, TAMME ARENDUS OÜ…”. dtd: December hackers responsible for breaches of NASA networks. He can be 6th, 2010. 
Retrieved via Public Access to Court Electronic reached at [email protected]. Records (PACER).