[Cryptography] Blogpost: CITAS, a new FBI security program proposal

Ray Dillinger bear at sonic.net
Mon Nov 24 23:16:44 EST 2014



On 11/24/2014 07:11 PM, Tom Mitchell wrote:
> On Mon, Nov 24, 2014 at 5:24 PM, Ray Dillinger <bear at sonic.net> wrote:
> 
>> Note to list participants: check the CC line of the original message
>> before responding.
>> ....
>>> Brief: The FBI is proposing a security service to assist American
>>> companies in achieving network security. It is called CITAS, for
>>> "Computer Intrusion Threat Assessment System."
>> ......
>>> Less briefly:
>>> http://dillingers.com/blog/2014/11/24/citas-threat-assessment-system/
> In the new IPv6 world I see this as a great idea for a while.
> 
> But there is always the halting problem -- how to make these
> boxes go away.   They consume: space, bandwidth, power, cooling.
> They demand access for installation upgrade etc...  unfunded
> and unpaid for it is a hidden tax.

Space, power, cooling == tax dollars at work.  I share your
concern for reducing gov't waste, but I don't think this is
particularly wasteful, nor does it lean heavily on any small
set of taxpayers. The FBI has to pay for a datacenter to run
the honeypots.  Access is just a matter of the FBI datacenter
being inside a government-owned building, yes?  The system
as described doesn't require FBI access to assets owned by
the networks the honeypots are pretending to be on, aside
from an IP address and having routers configured to let them
send and receive packets in the first place, and that is really
minimal.

> Another problem is how to let the device discover enough about
> the world around it to be effective.   That process could result
> in many quietly owned machines.  If the honeypot signature
> was discovered by the bad guys that quietly already own many
> machines for some future purpose "badder" things might happen.

That is a good point.  In buying machines for an FBI datacenter,
it's likely that they'd get a lot of very similar machines (same
processor, same speed, same disk, same network interfaces etc)
and keep them on the same software (same OS, same servers, etc)
just to keep the admin expense controllable.  It could become
a signature set (or a few sets) of hardware known to/identifiable
by sophisticated intruders and markedly different from that run
by the company whose address space the honeypot was using.

I would not be worried about the device discovering enough
about attacks to be effective.  I see hundreds of attacks per
hour on any DMZ box, and I don't have time to figure out more
than a couple a day, let alone try to track them down. The
idea that somebody could devote the time and effort to
correlating the evolution and spread of those attacks across
a baseline created by honeypots listening in many places
would be a richer information source about attackers than
any single actor is now bringing to bear.

You are right that these machines could, and inevitably would,
serve as the source for attacks as easily as they could serve
as honeypots, and I'm concerned about that too.  The FBI will
attack Tor, Bittorrent, etc in a heartbeat, and as often as
the FBI itself has a security breach these machines will also
be the base for attacks against the companies whose network
address space they're using.

But in that regard the FBI is probably more accountable than
some random for-profit business in India. The random for-profit
in India wields just as much trust with a correctly configured
firewall as an FBI honeypot pretending to be on the firewall's
network. So I'm not seeing any added problem as far as that
goes.

That's actually one of the things I like about this; it DOESN'T
require the company to trust anything that, if misused, would
make breaking its security easier. There is no need for a
honeypot to have any trust relationship with the rest of the
network.

> A better program is to go back to operating system design and
> build a better foundation (including hardware).    One pressure is
> the industry that provides virus protection.   If M$ eliminates the need
> litigation might follow.

Hah!  That one ought to get laughed out of court, I should hope.

But you're right that if MS were to make secure operating systems
they'd also make enemies in the current security industry -- as well
as making enemies of crooks across the world and making our own
three-letter agencies angry at them for depriving them of intel
sources.  Never mind that it would also deprive all their enemies
of intel sources and avenues of attack, they'd be angry anyway.
It's a problem.

But it would be so worth it - to the whole world - in increased
economic output if it didn't cost so damn much to keep MS boxes
secure, and if the expense of security failures could be reduced at
the same time, that would be nothing short of great.  So, yeah, I
share your dream.

Bear
