Subject: Re: [cti-users] Re: [cti-stix] Re: [cti-cybox] Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object


Indeed. This is actually a much larger issue outside of the US than inside it from my knowledge.
 
In Canada and the EU you're in very shady legal territory if you're accessing credential dumps on behalf of a company - it could be seen as collecting PII without the owner's consent, which is prohibited by law.
 
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
 
 
----- Original message -----
From: Bret Jordan <Bret_Jordan@symantec.com>
Sent by: <cti-users@lists.oasis-open.org>
To: Terry MacDonald <terry.macdonald@cosive.com>, "Struse, Richard" <Richard.Struse@HQ.DHS.GOV>
Cc: Terry MacDonald <terry.macdonald@gmail.com>, Jason Keirstead/CanEast/IBM@IBMCA, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-users] Re: [cti-stix] Re: [cti-cybox] Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object
Date: Sun, Jan 15, 2017 8:32 PM
 
I am not a lawyer but my guess is that a lot of countries, especially in Europe, would have an issue with this as well. I also see this as an area that vendors will avoid or choose not to implement due to the potential legal liability.  So if vendors do not implement support for it????  
 
I guess at this stage I would argue that we push this topic to 2.2+.  Let's work on the things we know we need that are not going to be controversial and get them done first. As it looks right now, 2.1 will be a significant release anyways. 
 
Bret
 

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Sent: Sunday, January 15, 2017 5:49:35 PM
To: Struse, Richard
Cc: Terry MacDonald; Jason Keirstead; Bret Jordan; cti-cybox@lists.oasis-open.org; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
Subject: [cti-stix] Re: [cti-cybox] Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object
 
I guess my stance would be why arbitrarily restrict people due to what is effectively a policy issue? It is only in some jurisdictions this is potentially a problem, why stop the rest of the world having a pre-defined ability to share this information? 
 
Additionally, by showing value in legitimate sharing of credential dump objects for remediation purposes, we may be able to help demonstrate the need for various exemptions in law for legitimate credential sharing for remediation purposes. We can't do this unless we actually have examples where sharing credentials help speed up remediation.
 
Implementers could always have a 'US Mode' that they can engage when dealing with US based entities that would restrict the use of the Credential Dump object in that location. Or maybe at least provide a warning saying something like 'Use of this object potentially violates US privacy laws. We recommend discussing the use of this object with your lawyers before answering. Click 'Yes' to enable the Credential Dump object or 'no' to disable the Credential Dump object on this platform'. Maybe that's enough?
 
IMHO custom objects are unlikely to gain traction unless they are defined at a community-wide level and that community has a large number of active members.
 
Cheers
Terry MacDonald | Chief Product Officer
 
On Mon, Jan 16, 2017 at 1:19 PM, Struse, Richard <Richard.Struse@hq.dhs.gov> wrote:

One thing we may do well to remember is that it is possible to use STIX to convey information that STIX doesn't standardize the representation of.   That is, if there is a community of practitioners in incident response that wish to exchange credential dump information with each other, they can always use STIX 2.0's ability to define custom object and observable types for this purpose.  This way the CTI TC and STIX can remain somewhat distant from this controversial issue without sacrificing the ability for specific communities to exchange such information. 

 

From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: Sunday, January 15, 2017 4:34 PM
To: Jason Keirstead
Cc: Bret Jordan; cti-cybox@lists.oasis-open.org; cti-stix@lists.oasis-open.org; Terry MacDonald; cti-users@lists.oasis-open.org
Subject: [cti-cybox] Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object

 

I understand the wariness of people with this, but the fact is that a lot of this information is already being shared within trust groups. Not every country in the world restricts the sharing of this sort of information for remediation purposes, and so we need to think of the world community rather than concentrating on restrictions in some of the countries in the globe. 

 

The issue here is IMHO an implementation-level problem, i.e. that implementations from vendors need to be able to ignore Credential Dump information (or encrypt it, or obfuscate it) if their customers require them to. This is at a different level from us adding support for a Credential Dump object within STIX. I believe we need to provide the ability for organizations within jurisdictions that allow the sharing of credential information for remediation purposes to actually transmit and receive this kind of information so that the good guys and gals can be effective in their responses to intrusions. We need to be able to work as a group to provide this sort of information back as quickly as possible to the organizations that have been breached so that they can respond to the issue and minimize the damage to them and their customers. 

 

Cheers

Terry MacDonald

Cosive

 

On 16 January 2017 at 05:32, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

It's worth investigating most certainly; but I agree with Bret that we have to tread carefully.

As an example of why this is dangerous - downloading credential dumps (which normally house PII) is essentially illegal for organizations in many countries with strong privacy laws (example, Canada), and even when it is not illegal it is often blocked by policy (sites blocked by their proxy firewalls) in many large organizations for fear of legal repercussions. Therefore, if any given TAXII feed has the potential to house credential dumps, then it might lock people out of that TAXII server, unless they have some way to easily filter them out of their view (which we don't have right now in TAXII).

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems

www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown




From:        Terry MacDonald <terry.macdonald@gmail.com>
To:        Bret Jordan <Bret_Jordan@symantec.com>
Cc:        cti-cybox@lists.oasis-open.org, cti-stix@lists.oasis-open.org, Terry MacDonald <terry.macdonald@cosive.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Date:        01/14/2017 03:25 PM
Subject:        Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object
Sent by:        <cti-users@lists.oasis-open.org>





I'm not sure how this could derail everything, as this information is already shared via trust group mailing lists. Surely people would already be assured of our was that dangerous?

It's also important to realise that sharing happens outside of the US legal system, and the rules in other countries may allow for credential dump sharing in situations the US does not.

It's at least worth investigating further IMHO...

Cheers
Terry MacDonald
Cosive

On 14 Jan. 2017 15:56, "Bret Jordan" <Bret_Jordan@symantec.com> wrote:
I really worry about this.  CTI is already a concern for privacy groups.  I know we need to figure this out, but I would like to make sure our ship sails and we get positive news/feedback before we try and do something like this.  We just need to be super careful, something like this could derail the entire effort before it actually takes off.

Bret



From: cti-cybox@lists.oasis-open.org<cti-cybox@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Sent: Thursday, January 5, 2017 1:51:29 AM
To: OASIS CTI TC CybOX SC list;
cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
Subject: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object
 
Hi All,

In the spirit of gift giving at this time of year, I have yet another proposal to offer the group for discussion at the upcoming F2F...

2.7. Credential Dump Object
Type Name: credential-dump
The Credential Dump Object represents a credential dump containing username and password information that attackers have gained access to and dumped somewhere on the web in public or traded for money. It is primarily to enable the sharing of credential dump information to allow the remediation of affected users.
If you wish to comment, please do so as a reply to this email, or leave a comment on the Google Doc here: https://docs.google.com/document/d/1u9z0XB6A-0q5CZnC9rx0rGfRJpP5u6jS1sio6w1OrJ0/edit?usp=sharing

PDF version attached for those who prefer those.....

Cheers

Terry MacDonald | Chief Product Officer



M: +64 211 918 814
E: terry.macdonald@cosive.com
W: www.cosive.com
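The thread above raises two mechanisms without showing either: carrying credential-dump data as a STIX 2.0 custom object so the core spec need not standardize it (Richard's point), and letting a receiving implementation ignore, strip or drop that data when the jurisdiction it operates in requires it (Terry's and Jason's points). The following is an added example in Python that is not part of this thread, the TC's proposal, or any vendor's product. It relies only on the STIX 2.0 naming rule that custom object types start with "x-" and custom properties with "x_"; the type name `x-credential-dump`, the property names `x_dump_source`, `x_entries` and `x_redacted`, the policy names, and the sample bundle contents are all assumptions constructed for illustration.

```python
"""Added example (not from this thread, the CTI TC, or any vendor): a STIX 2.0
custom credential-dump object plus a receiving-side policy filter.

STIX 2.0 requires custom object type names to start with "x-" and custom
property names to start with "x_"; every concrete name used below is an
assumption made for this illustration, not the TC's proposal.
"""
import copy
import re

CUSTOM_TYPE = "x-credential-dump"  # assumed custom type name

# STIX 2.0 custom naming: lowercase letters, digits, and "-" (types) or "_" (properties).
_CUSTOM_TYPE_RE = re.compile(r"^x-[a-z0-9-]+$")
_CUSTOM_PROP_RE = re.compile(r"^x_[a-z0-9_]+$")

# STIX 2.0 common properties that any object, custom or not, may carry.
_COMMON_PROPS = {"type", "id", "created_by_ref", "created", "modified", "revoked",
                 "labels", "external_references", "object_marking_refs",
                 "granular_markings"}

# Constructed sample bundle: one identity plus one custom credential-dump object.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "identity",
            "id": "identity--22222222-2222-4222-8222-222222222222",
            "created": "2017-01-15T00:00:00.000Z",
            "modified": "2017-01-15T00:00:00.000Z",
            "name": "Example Trust Group",
            "identity_class": "organization",
        },
        {
            "type": CUSTOM_TYPE,
            "id": CUSTOM_TYPE + "--33333333-3333-4333-8333-333333333333",
            "created": "2017-01-15T00:00:00.000Z",
            "modified": "2017-01-15T00:00:00.000Z",
            "x_dump_source": "paste site (constructed value)",
            "x_entries": [  # constructed, not real credentials
                {"username": "alice@example.com", "password": "hunter2"},
                {"username": "bob@example.com", "password": "correct-horse"},
            ],
        },
    ],
}

# Policies a receiving implementation can apply per jurisdiction/customer.
POLICIES = ("allow", "redact", "drop")


def validate_custom_object(obj):
    """Return True if obj follows STIX 2.0 custom type and property naming."""
    if not _CUSTOM_TYPE_RE.match(obj.get("type", "")):
        return False
    return all(k in _COMMON_PROPS or _CUSTOM_PROP_RE.match(k) for k in obj)


def redact_entries(entries):
    """Drop every secret but keep the account identifier needed to notify the user."""
    return [{"username": e["username"]} for e in entries]


def apply_policy(bundle, policy):
    """Return a new bundle with credential-dump objects handled per policy.

    The input is never modified, so one feed can be served to consumers in
    different jurisdictions, each with its own policy.
    """
    if policy not in POLICIES:
        raise ValueError("unknown policy: %r" % (policy,))
    out = copy.deepcopy(bundle)
    kept = []
    for obj in out["objects"]:
        if obj.get("type") != CUSTOM_TYPE or policy == "allow":
            kept.append(obj)
        elif policy == "redact":
            obj["x_entries"] = redact_entries(obj.get("x_entries", []))
            obj["x_redacted"] = True
            kept.append(obj)
        # policy == "drop": the object never reaches the analyst view
    out["objects"] = kept
    return out


if __name__ == "__main__":
    import json
    for p in POLICIES:
        print(p, json.dumps(apply_policy(SAMPLE_BUNDLE, p)["objects"], indent=1))
```

The "redact" policy keeps only the account identifier, which is what a breached organization needs to notify its users, so the secret itself never has to be stored by a consumer whose policy forbids it; "drop" is the TAXII-side view filter Jason describes, applied here at ingestion because TAXII itself offers none.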
