Friday, 20 November 2015

Internet Identity and actually being effective with threat intelligence

A few weeks ago, I wrote about my problem with threat intelligence. It's sort of the new hotness in the cyber security sector: instead of actually trying to fix problems, we have new companies emerging that can't help you with much more than screaming that the sky is falling.

Last week, I received a curious e-mail from a company based outside of Seattle called "Internet Identity" or "IID": 
Subject: Requesting assistance: Fraud placed on canary.pw
Date: 2015-11-11 15:24
From: IID SIRT <alert@internetidentity.com>
To: support@canary.pw

Sir or Ma'am,

We are contacting you on behalf of our client Chase Bank to notify 
you that your website, canary.pw, has been compromised and a phishing 
page has been hidden in one or more of its directories.

I work with an Internet security company based in Washington State 
called Internet Identity, and am contracted by our client to assist 
in mitigating the attacks targeting their customers.

The files in question can be found at the following location:

canary [.] pw/view/?item=c1aa76c1226a80bdf050e0d7d14f1ff7

Should you have any questions or concerns, please call our 24/7 
Security Team at the phone number listed below. Simply reference 
the case number and any one of my colleagues will be able to help.

Thank you very much for your time.

Best regards,

Security Incident Response Team
I responded to them with a short, one-sentence e-mail asking if they had bothered to read the "About" page on the website. Clearly the e-mail sent to me indicated that they were under the impression that I had somehow been breached myself. They then sent a clarification e-mail:
Subject: Stolen Credentials
Date: 2015-11-11 15:51
From: IID SIRT <alert@internetidentity.com>
To: support@canary.pw

Team,

We are working on behalf of Chase Bank in order to remove the stolen 
credentials at the following URL:

https://canary.pw/view/?item=c1aa76c1226a80bdf050e0d7d14f1ff7

[...]

The credentials posted here have been fraudulently acquired and need 
to be removed as soon as possible.

Please take action to suspend this account or remove the offending 
webpage.

Please let us know if you need any further information.  We greatly 
appreciate your prompt attention to this issue and request that you 
advise us regarding what actions you take.

Regards,

Security Incident Response Team
To which I replied:
Subject: Re: Stolen Credentials
Date: 2015-11-11 15:57
From: Colin Keigher <colin@keigher.ca>
To: IID SIRT <alert@internetidentity.com>

Hello,

You are contacting another threat intelligence service. Please read the 
"About" page (https://canary.pw/about/):

> Canary is an open-sourced project created for members of the security 
> community to share and distribute information relating to data loss. Data 
> is sourced from a variety of sources through community members. The goal 
> is to allow for researchers and organisations to better understand and 
> react to data loss.
>
> What is collected for this website are documents from various 
> document-sharing websites, Internet forums, and social media that may or may 
> not contain data that is not intended for the general public but otherwise 
> has. The intention is to allow individuals, organisations, and researchers to 
> be able to identify where exposed data is being posted and what history it 
> may or may not have with other leaks. The idea is to ensure data integrity 
> and to dispel any ambiguity about information that is out there.

Please contact the affected individuals in the dump that was posted to change 
their passwords as that is what makes most sense--do you not agree?

This information was retrieved from Pastebin in September 2015 and was not 
"fraudulently acquired" by us. We monitor several websites for information that 
has been posted.

Thanks,
Colin
And then left it at that. There was no response or anything from them. The solution for this company's client was simple: change the password. The cat is already out of the bag, right? How are you going to put that genie back in the bottle?

But nope. It appears that IID is either run by completely inept individuals who don't get the concept of addressing actual threats, or they're attempting to make themselves look like they're worth the amount of money they charge their clients by going and harassing my hosting provider, telling them I am hosting "fraudulently acquired" material. They're not really addressing any sort of "threat" here by trying to scrub the Internet of anything: have they not heard of the "Streisand effect"?

Yes. The data was probably "fraudulently acquired" as someone probably breached some bankers' association website and then dumped the contents on Pastebin for all to see. My software picked up on it, put it up on Canary, and now it's there so we can track future breaches. For a company like IID, the concept of what I am doing should be pretty basic if they're going to make claims like this on their website:
Our Threat Intelligence team continuously validates and processes incoming data, adding classifications and attributes for context, and then pursuing organic intelligence that adds further value to the data. In collaboration with security researchers and experts around the world, our team can turn a whirlwind of incidental blips into a coherent, actionable assessment.

Whenever our investigators find a suspicious event, file or situation, they quickly validate and verify the symptom, identify and analyze malware and malicious campaigns, and conduct background reputation checks on any associated IP, domain and URL. The team can monitor Denial of Service attacks and provide intelligence to affected customer targets, or perform network forensics to identify compromised hosts throughout an organization using DNS log data.
Or maybe how they explain their acquisition of threat intelligence data through their service:
Security analysis depends on compiled and correlated emerging threat data to stay ahead, but investigating threat indicators has been a tedious manual process.

Dossier provides contextual information about a potential threat so you can make informed decisions about defensive actions. And it’s so fast and effective, you end up with lots more time to do your job.
So here's a question for IID: was it your organization that decided that a password posted on the Internet for everyone to see should be removed from wherever you find it to justify how much you charge your clients or was it your client that made the "informed decision" to then tell you to act as Internet police? Based on your Glassdoor reviews, I can safely assume the answer here.

Here's a pro-tip from someone who enjoys working with breach data and actually can provide "informed decisions" you can make based on them: think that the password has been exposed to the Internet for all to see? Change it and don't get upset at seeing it posted elsewhere; instead get pissed off at whoever led to your data being exposed in the first place.

IID demonstrates the problem with threat intelligence: justifying charging your clients for your services. What good is a threat intelligence service like this company if all they're going to do is let you keep your passwords as they are and then go and police the data off of the Internet? It doesn't work that way, and any service provider that tells you they can scrub all instances of any specific data is outright lying.

For the hell of it, I decided to do something with the original data that they complained about.

In the sample, there were 6,147 accounts listed off. Of those accounts, none of the passwords repeated so we're off to a good start. How many of the passwords have existed in previous dumps? Well, if we use our good friend 'rockyou.txt', which contains about 14.3 million unique passwords from a database dump from half-a-decade back, we can determine that 1,484 passwords (24%) had appeared in previous dumps.

Of those 6,147 accounts, 52 of them belonged to IID's client, Chase Bank--or about 1% of the total. If I take the list of the Chase users and compare them to the passwords from the password list that were found in the dump, 24 of them had matches, meaning that almost half (46%) of their affected client's users have used passwords that have been found elsewhere.

This means that IID has completely idiotic policies for handling database breaches, making them more of a threat to their clients than the leaked data itself. They have no clue about breaches and are dealing with matters in a way that cannot scale at all.

As a result of the idiocy displayed by IID, I've gone about doing two things.

Firstly, the data has been reposted to Canary in a redacted form, where the passwords have been replaced with their MD5 equivalents and a notice has been placed at the top of the sample indicating what has happened (this is policy going forward). If they take issue with the e-mails being posted here, then IID is being outright malicious and is in my opinion looking to take out a potential competitor that does their work for free. IID is more than welcome to prove my opinion wrong here however.
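The wordlist comparison from the analysis above and the MD5 redaction just described, as an added Python example that is not Canary's code nor anything from the post; the dump, the rockyou.txt stand-in and the client domain `chase.example` are constructed placeholders:

```python
import hashlib
from collections import Counter

# Constructed sample dump in the "email:password" shape of a typical paste.
# Made-up accounts; "chase.example" is a placeholder for the client's domain.
SAMPLE_DUMP = """\
alice@example-bank.test:Summer2015
bob@chase.example:password1
carol@example-bank.test:qwerty
dave@chase.example:Xk9!vT2q#L
erin@other.test:letmein
"""

# Constructed stand-in for rockyou.txt (one password per line).
KNOWN_PASSWORDS = "password1\nqwerty\nletmein\n123456\n"

REDACTION_NOTICE = "# NOTICE: passwords in this sample have been replaced with their MD5 hashes."


def parse_dump(text):
    """Return (email, password) pairs; split on the first ':' only, as passwords may contain colons."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blanks and lines that are not credential pairs
        email, password = line.split(":", 1)
        accounts.append((email.strip().lower(), password))
    return accounts


def load_wordlist(text):
    """Wordlist as a set so membership tests stay O(1) even for rockyou-sized lists."""
    return {p for p in text.splitlines() if p}


def analyse(accounts, known, client_domain):
    """Overlap statistics in the shape of the post: overall and for one client's domain."""
    counts = Counter(pw for _, pw in accounts)
    reused = [pw for _, pw in accounts if pw in known]
    client = [(e, p) for e, p in accounts if e.endswith("@" + client_domain.lower())]
    client_reused = [p for _, p in client if p in known]

    def pct(part, whole):  # whole-number percentage; 0 when the client has no accounts
        return round(100.0 * part / whole) if whole else 0

    return {
        "accounts": len(accounts),
        "repeated_passwords": sum(1 for c in counts.values() if c > 1),
        "in_wordlist": len(reused),
        "in_wordlist_pct": pct(len(reused), len(accounts)),
        "client_accounts": len(client),
        "client_in_wordlist": len(client_reused),
        "client_in_wordlist_pct": pct(len(client_reused), len(client)),
    }


def redact(accounts):
    """Redacted repost: e-mail kept, password replaced by its MD5 hex digest, notice on top."""
    lines = [REDACTION_NOTICE]
    for email, password in accounts:
        lines.append(f"{email}:{hashlib.md5(password.encode()).hexdigest()}")
    return "\n".join(lines)
```

Running `analyse(parse_dump(SAMPLE_DUMP), load_wordlist(KNOWN_PASSWORDS), "chase.example")` on the constructed data gives 3 of 5 passwords (60%) in the wordlist and 1 of the 2 client accounts (50%).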

Secondly, I am in the midst of migrating my host off of the hosting provider and am placing it elsewhere. I don't have time to waste dealing with inept companies that don't understand the data that they're working with. IID had spent time on my website reading the contents and yet still opted to go down this avenue.

IID is no longer welcome to use Canary going forward. Should the company take exception to this, they're more than welcome to contact me.
