The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

CERIAS Blog

Page Content

Panel #2: Infosec Ethics (Symposium Summary)

Share:

Tuesday, March 30, 2010

Panel Members:

  • Nicolas Christin, Carnegie Mellon University
  • Cassio Goldschmidt, Symantec Corporation
  • Aaron Massey, North Carolina State University
  • Melissa Dark, Purdue University

Summary by Preeti Rao

March 31, 2010, Tuesday afternoon’s panel discussion at the Eleventh Annual CERIAS Symposium was on Information Security Ethics. The panel consisted of four pioneers from academia and industry - Nicolas Christin from Carnegie Mellon University, Cassio Goldschmidt from Symantec Corporation, Aaron Massey from North Carolina State University and Melissa Dark from Purdue University.

Melissa Dark introduced the panel and put forth the thought that Information Security Ethics is a really messy topic because it involves a variety of stakeholders. Identifying all the stakeholders, their competing interests and balancing the competing interests is not an easy trade-off. There are a number of incentives and disincentives to be considered. Information security ethics is interesting when discussed with respect to certain scenarios and the panel chose to do that.

The first presentation was from Nicolas Christin and he presented on Peer-to-Peer Networks, Incentives and Ethics.

He started off by talking about Peer-to-peer (P2P) networks in general, their interdisciplinary nature, their benefits and costs. He quoted that P2P traffic is a very sizable amount of load and that 30 to 70% of internet traffic is from P2P networks. They carry a bad reputation because of copyrighted materials dissemination. But they have numerous benefits too ñ software distributors save on infrastructure by distributing free and proprietary software to legitimate users through P2P networks. Another advantage is in censorship resilience.

Christin identified five stakeholders in P2P networks and discussed about their ethical dilemmas and competing interests. End users, content providers or copyright holders, electronics manufacturers, software developers and internet service providers (ISPs) were the five stakeholders he talked about. While end users tend to download content for free, content providers or copyright holders are worried about unauthorized replication of their content. Electronic manufacturers benefit from digital media portability on P2P networks — electronics like iPods would not have been this successful if people did not get music for free or for very low cost. Software developers potentially benefit from increased P2P use. ISPs have interesting ethical dilemmas. While ISPs benefit due to increased bandwidth usage from users downloading content, a number of users are into copyright infringement — downloading content for free through P2P networks through the bandwidth provided by these ISPs. Sometimes ISPs assist companies of content providers. He quoted a very good example of Comcast. Is it ethical to download TV shows using Comcast’s Internet, or watch the TV shows using Comcast’s cable TV service?

He summarized the competing interests and ethical dilemmas of the stakeholders identified on P2P networks as end users producing and downloading infringing content, content industry poisoning P2P networks, content industry launching Denial of service attacks on P2P hosts, ISPs advertising access to movies, promising users that they will get access to the movies, and then filtering out BitTorrent traffic, electronics manufacturers advertising ripping and copying capabilities of the devices.

He left the audience with a set of intriguing questions. Is downloading content ethical or unethical? How do we decide what is ethical and unethical in Information Security? What are the criteria to be applied to make this decision? Are the decisions ever ethically justified? The bottom line is the unclear set of incentives.

The second presentation was on Responsibility for the Harm and Risk of Software Security Flaws by Cassio Goldschmidt.

He identified five stakeholders in analyzing the situation of software security flaws. The stakeholders were Independent Software Vendors (ISVs), Users, Government, Software Vulnerabilities and Security Researchers.

He quoted Microsoft’s example as an ISV and how users always blame ISVs for faulty software. For software industries, the weakest links are software developers and software testers. ISVs are doing a lot to build secure software they have started training classes to teach how to write secure code and how to secure every stage of SDLC and test life cycle. But, software by nature is vulnerable, no matter what. Users buy software because of its features; when a user is ready to buy software there is no way he can make out whether that software is secure. Goldschmidt argued that managing software security is very difficult when one cannot compare two pieces of software are more secure; hence we cannot expect users to buy and use “secure software”. There are many non-technical users who do not know the importance software or system security. Users definitely have something to do with the software vulnerabilities.

He talked about security researchers and vulnerability disclosures. There are conflicting interests and possible risks in security researchers disclosing software vulnerabilities. Before one does a full disclosure of vulnerabilities, one needs to think about how people and media would take advantage of it. He quoted an example of the concept of Microsoft’s “Patch Tuesday” and the following “Exploit Wednesday”. Sometimes software industries buy products from companies because of strategic partnerships, long term relations, money, etc. The decision is not always based on security.

Government has a role to play in promoting software security. But if the government enacts laws to enforce software security, there will be serious financial issues for the ISVs. For example, software development process would become very expensive for start-ups. He concluded that enacting laws for software security can be hard.

He summarized — software is dynamic. People have yet to understand the meaning of software. Some call it a product. Some call it a service. Some even call it free speech because it has a language and associated grammar. The problem of software security is very complex. It needs attention and awareness.

The third presentation was from Aaron Massey on Behavioral Advertising Ethics.

Behavioral advertising which targets custom-made advertisements to users based on their behavior profiles uses technologies like cookies, web bugs and deep packet inspection. Massey opined that Behavioral Advertising Ethics is interesting and overlaps with Advertising, Privacy and Technology domains. He quoted examples of some ethical dilemmas associated with these domains:

  • Advertising: Is it ethical to target ads based on user’s profile/history For Example: a door salesman posing questions to customer to know more about their preferences and suggesting products based on gathered information.

  • Privacy: For example, a Facebook program which tracked user A’s online shopping history and displayed ads on user B’s (friend of user A) homepage suggesting to buy the product bought by user A. Is this a probable privacy breach for user A?

  • Technology: Where does the ethical value lie? And, is it in the technology itself? Is it in the use of technology, or is it in the design? As an example, take a hammer. It can be used in a constructive or destructive way and the design does not restrict the purpose of usage.

Considering these questions when building a behavioral advertising technology, is there a way we can make it secure without compromising the utility of the technology?

Melissa Dark summed up the panel presentations considering the three keys for information security ethics: the stakeholders, their competing interests and tradeoffs, the incentives and disincentives. She mentioned that incentives and disincentives have been long standing norms and expectations. We need to think about how these norms and expectations affect ethics, how our mindsets affect the larger ethical debate. She opened the floor for questions.

Questions and Discussions

Question 1: Often with online shopping and ethics, users usually do not have many options. Either you buy the product or leave it. For example, the Facebook scenario discussed earlier. In such situations, if you disagree with the ethics then how can you affect the changes? Usually most companies just have ethics externally posed on them.

Aaron Massey: There are privacy policies that are in place and FTC enforces these privacy policies. If a company violates its privacy policy, though as an individual you cannot sue the company, you can file a complaint to the FTC. FTC would review company’s business practices and take necessary actions. Companies like Facebook, Google work with FTC right from the beginning to get everything right.

Melissa Dark: Masses can make use of consumerism and market forces. She mentioned that there are 45 Data Breach Disclosure state laws, but no single federal law in the US for handling data breach disclosures. The usage of right language to talk about information security is very important.

Victor Raskin: Supported Melissa on that and said the language, the framework used to talk about information security is very important.

Eugene Spafford: Awareness is equally important for software security. Our current mission should be to make security visible.

Audience: Informal collective action (example - blogosphere) is very powerful, can be used as a weapon against unethical actions.

Aaron Massey: Danger and the slippery slope is the connotation in ethics.

Question 2: What are the roles of users, government in realizing information security? In Australia, ISPs are now restricting access to end users on certain resources because a recent law put liability on the ISPs to take corrective action; the end users are just notified.

Nicolas Christin: There are similar laws on P2P networks. But again, managing the tradeoff between ISPs and users is critical. Users can easily conceal their actions and ISPs have to make a decision on restricting their users. Ethical and legal dilemmas are happening because the legal scholars who usually write the laws usually have no technology background.

Eugene Spafford: It is hard to strike the right balance and create good laws.

Question 3: Educational institutions are not doing a good job teaching how to write secure software. What should an institution do to give good security education?

Melissa Dark: Public institutions have a lot of masters to serve. They take tax payer money and are under many obligations. Yet security education curriculum is being modified and improved constantly. There has been tremendous growth in the past decade. There is still a lot more to be done for security education.

Audience: College education is just once, but industry education and training needs to be constantly revised.

Nicolas Christin: Security education: should it be industry driven or college education driven? In college education, the main goal is to train students to get good jobs. University respond to market demands. Selling security and security education is hard. Knowing how to write secure code needs lot of training and experience. For a new graduate the most important thing is to secure a job, need not necessarily be a secure software coding job.

Aaron Massey: Even before security education: what is security? How do you measure security? Should you concentrate on secure programming, testing or design?

Eugene Spafford: Purdue CERIAS is doing a great job in giving security education. But still, lot of awareness is needed.

Question 4: What is ethical software or ethical coding? Does the society have a role to play in making the society ethical?

Aaron Massey: Society is addressing ethical questions. For example, the FTC is holding workshops on how to treat privacy online. There is no single solution yet.

Question 5: What are the best practices from other disciplines that can be adopted into Infosec ethics? Do other disciplines have a generic framework? Aaron Massey: Healthcare legislations, HIPAA are evolving. Generic framework is a good domain to look at. Investigations are on in this regard. Professional code of ethics is as applied to a profession. But Information security profession, its demands and roles are not yet clearly defined.

Question 6: How does ethics depend on the perception of truth? How can advertising be a win-win situation, if advertising is just informational and not manipulative? Does anyone read the privacy policies where information is there, but not consumable?

Aaron Massey: Research is being done and people are coming up with Nutritional labels for privacy policies ñ an alternative way of understanding privacy policies instead of reading a lot of privacy policy text.

Audience: An idea based on agricultural domain: suppose companies identify themselves as data-collection free companies and certify themselves as ones who do not collect information about people, would that help?

Nicolas Christin: There are companies that produce privacy practices in machine readable form so that you do not have to read the whole document. Companies are trying different methods for privacy policy reading.

Panel #1: Visualization of Security (Symposium Summary)

Share:

Tuesday, March 30, 2010

Panel Members:

  • Steve Dill, Lockheed Martin
  • Donald Robinson, Northrop Grumman
  • Ross Maciejewski, Purdue
  • Alok Chaturvedi, Purdue

Summary by Ryan Poyar

The first panel of the 2010 annual security symposium kicked things off to a great start and an interesting discussion. The topic was the Visualization of Security. The focus of the panel was to address the issue of how to use the vast amounts of data that is available in a way that can help predict and protect systems from future threats. Alok Chaturvedi, a professor at Purdue, initiated the discussion by describing how using visualization could potentially make it possible to display large amounts of data in a meaningful way. Donald Robinson from Northrop Grumman rationalized the use of using visualization with his argument that as humans we are naturally very good at recognizing patterns and making sense of visualizations as opposed to dealing with raw data. Currently, this technique is being researched through the project VACCINE (Visual Analytics for Command, Control, and Interoperability Environments) which is primarily focused on helping the mission of the Department of Homeland Security. As one of the researchers working on VACCINE, Ross Maciejewski described that the goal of the project was to be able to determine potential threats from an abundance of streaming real-time data sources and then further to provide real-time targeted counter measures against each threat. While all of this sounds very good in theory, getting it to work in practice requires many hurdles to be overcome. The discussion for the remainder of the panel was a debate on who should be responsible for making the threat determination from the data and then who should determine the correct response. Even in a non-real-time environment with only humans this is a very tricky endeavor. It seems that it is necessary for a specific expert in each field to analyze the data from their perspective and look for threats based on their expertise only. If a threat is found, it is then very difficult to determine who has the right background and is the best choice to mitigate it. Further, who has the ability to foresee threats that cross multiple disciplines? If we have a difficult time answering these questions in a detailed, comprehensive, non-real-time environment how will we be able to design a system a priori that can answer future questions in real-time?

Opening Keynote: Mike McConnell (Symposium Summary)

Share:

Tuesday, March 30, 2010

Summary by Jason Ortiz

Mike McConnell, retired Admiral of the Navy, former Director of NSA and former Director of National Intelligence delivered the opening keynote speech for the eleventh annual CERIAS Security Symposium. The majority of this keynote was devoted to recounting his experiences and efforts to move forward national cyber capabilities. The following is a summary of those efforts.

Admiral McConnell opened the address with a simple statement: “The nation is at significant risk.” He pointed out that the United States’ economy and livelihood is in information streams. If those streams are interrupted or tampered with, the United States could lose trillions of dollars almost instantly.

McConnell continued the keynote by making three predictions. The first of those was the idea that the United States will continue to talk about cyber defenses but not really do anything until after a catastrophic cyber event. The Admiral supported this idea by pointing out that if extremist groups were to focus their efforts on cyber attacks, they could disrupt transportation and the economy. As evidenced by attacks last spring in California (criminals cut fiber optic cables), they could also disrupt services such as 9-11 service, internet connectivity, and cellular phone service.

McConnell’s second prediction was that after a catastrophic event, the government of the United States would suddenly lurch into action. They will pass laws, appropriate money and work to prevent the same sort of catastrophe from reoccurring. After all, Washington D.C. responds to four things: crisis, the ballot box, money and law. A catastrophic cyber attack would generate changes or problems in all four of these areas.

McConnell then proceeded to explain the most important aspects of cyber security as he learned as Director of the NSA. The first most important aspect is authentication. The second most important aspect is data integrity. The third aspect is non-repudiation. The fourth is availability, and the least important aspect is the ciphertext itself (encryption).

Finally, the third prediction made by Admiral McConnell was that the United States would reengineer the internet. He explained how the military uses the internet and predicts that the entire national network will be implemented in a similar manner in the future. Concerning the government, it is McConnell’s belief that the government can help to implement the redesigned and more secure network.

Making the CWE Top 25, 2010 Edition

Share:
As last year, I was glad to be able to participate in the making of the CWE Top 25. The 2010 Edition has been more systematically and methodically produced than last year's. We adjusted the level of abstraction of the entries to be more consistent, precise and actionable. For that purpose, new CWE entries were created, so that we didn't have to include a high-level entry because there was no other way to discuss a particular variation of a weakness. There was a formal vote with metrics, with a debate about which metrics to use, how to vote, and how to calculate a final score. We moved the high-level CWE entries which could be described as "Didn't perform good practice X" or "Didn't follow principle Y" into a mitigations section which specifically addresses what X and Y are and why you should care about them. Those mitigations were then mapped against the top-25 CWE entries that they affected.

For the metrics, CWE entries were ranked by prevalence and importance. We used P X I to calculate scores. That makes sense to me because risk is defined as Potential loss x Probability of occurrence, so by this formula the CWE rankings are related to the risk those weaknesses pose to your software and business. Last year, the CWEs were not ranked; they instead had "champions" who argued for their inclusion in the Top-25.

I worked on creating an educational profile, with its own metrics (of course not alone; it wouldn't have happened without Steve Christey, his team at MITRE, and other CWE participants). The Top-25 now has profiles; so depending on your application and concerns, you may select a profile that ranks entries differently and appropriately. The educational profile used prevalence, importance but also emphasis. Emphasis relates to how difficult a concept is to explain and understand. Easy concepts can be learned in homeworks, labs, or are perhaps so trivial that they can be learned in the students own reading time. Harder concepts deserve more class time, provided that they are important enough. Another factor for emphasis was how much a particular CWE is helpful in learning others, and its general applicability. So, the educational profile tended to include higher-level weaknesses. Also, it considered all historical time periods for prevalence, whereas the Top-25 is more focused on data for the last 2 years. This is similar to the concept of regression testing -- we don't want problems that have been solved to reappear.

Overall, I have a good feeling about this year's work, and I hope that it will prove useful and practical. I will be looking for examples of its use and experiences with it, and of course I'd love to hear what you think of it. Tell us both the good and the bad -- I'm aware that it's not perfect, and it has some subjective elements, but perhaps comments will be useful for next year's iteration.

Cowed Through DNS

Share:
May 2010 will mark the 4th aniversary of our collective cowing by spammers, malware authors and botnet operators. In 2006, spammers squashed Blue Frog. They made the vendor of this service, Blue Security, into lepers, as everyone became afraid of being contaminated by association and becoming a casualty of the spamming war. Blue Frog hit spammers were it counted -- in the revenue stream, simply by posting complaints to spamvertized web sites. It was effective enough to warrant retaliation. DNS was battered into making Blue Security unreachable. The then paying commercial clients of Blue Security were targetted, destroying the business model; so Blue Security folded [1]. I was stunned that the "bad guys" won by brute force and terror, and the security community either was powerless or let it go. Blue Security was even blamed for some of their actions and their approach. Blaming the victims for daring to organize and attempt to defend people, err, I mean for provoking the aggressor further, isn't new. An open-source project attempting to revive the Blue Frog technology evaporated within the year. The absence of interest and progress has since been scary (or scared) silence.

According to most sources, 90-95% of our email traffic has been spam for years now. Not content with this, they subject us to blog spam, friendme spam, IM spam, and XSS (cross-site scripting) spam. That spam or browser abuse through XSS convinces more people to visit links and install malware, thus enrolling computers into botnets. Botnets then enforce our submission by defeating Blue Security type efforts, and extort money from web-based businesses. We can then smugly blame "those idiots" who unknowingly handed over the control over their computers, with a slight air of exasperation. It may also be argued that there's more money to be made selling somewhat effective spam-fighting solutions than by emulating a doomed business model. But in reality, we've been cowed.

I had been hoping that the open source project could make it through the lack of a business model; after all, the open source movement seems like a liberating miracle. However, the DNS problem remained. So, even though I didn't use Blue Frog at the time, I have been hoping for almost 4 years now that DNS would be improved to resist the denial of service attacks that took Blue Security offline. I have been hoping that someone else would take up the challenge. However, all we have is modest success at (temporarily?) disabling particular botnets, semi-effective filtering, and mostly ineffective reporting. Since then, spammers have ruled the field practically uncontested.

Did you hear about Comcast's deployment of DNSSEC [2]? It sounds like a worthy improvement; it's DNS with security extensions, or "secure DNS". However, Denial-of-service (DoS) prevention is out-of-scope of DNSSEC! It has no DoS protections, and moreover there are reports of DoS "amplification attacks" exploiting the larger DNSSEC-aware response size [3]. Hum. Integrity is not the only problem with DNS! A search of IEEE Explore and the ACM digital library for "DNS DoS" reveals several relevant papers [4-7], including a DoS-resistant backwards compatible replacement for the current DNS from 2004. Another alternative, DNSCurve has protection for confidentiality, integrity and availability (DoS) [8], has just been deployed by OpenDNS [9] and is being proposed to the IETF DNSEXT working group [10]. This example of leadership suggests possibilities for meaningful challenges to organized internet crime. I will be eagerly watching for signs of progress in this area. We've kept our head low long enough.

References
1. Robert Lemos (2006) Blue Security folds under spammer's wrath. SecurityFocus. Accessed at http://www.securityfocus.com/news/11392
2. Comcast DNSSEC Information Center Accessed at http://www.dnssec.comcast.net/
3. Bernstein DJ (2009) High-speed cryptography, DNSSEC, and DNSCurve. Accessed at: http://cr.yp.to/talks/2009.08.11/slides.pdf
4. Fanglu Guo, Jiawu Chen, Tzi-cker Chiueh (2006) Spoof Detection for Preventing DoS Attacks against DNS Servers. 26th IEEE International Conference on Distributed Computing Systems.
5. Kambourakis G, Moschos T, Geneiatakis D, Gritzalis S (2007) A Fair Solution to DNS Amplification Attacks. Second International Workshop on Digital Forensics and Incident Analysis.
6. Hitesh Ballani, Paul Francis (2008) Mitigating DNS DoS attacks. Proceedings of the 15th ACM conference on Computer and communications security
7. Venugopalan Ramasubramanian, Emin Gün Sirer (2004) The design and implementation of a next generation name service for the internet. Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
8. DNSCurve: Usable security for DNS (2009). Accessed at http://dnscurve.org/
9. Matthew Dempsky (2010) OpenDNS adopts DNSCurve. Accessed at http://blog.opendns.com/2010/02/23/opendns-dnscurve/
10. Matthew Dempsky (2010) [dnsext] DNSCurve Internet-Draft. Accessed at http://www.ops.ietf.org/lists/namedroppers/namedroppers.2010/msg00535.html