Tuesday, 1 December 2015

Internet Identity, Threat Intelligence, and a need for cooperation

As I wrote a few weeks ago, a company called Internet Identity based out of Tacoma, WA decided to engage with me by requesting that information be taken down from Canary. I had considered the matter dropped after having written that entry, but it appears that I had hit a nerve with someone at their organization and received a rather patronizing e-mail earlier today:

Subject: Canary.pw - Credential Gathering and Public Distribution
Date: 2015-12-01 8:52
From: Chris Sills <chris.sills@mail.internetidentity.com>
To: Colin Keigher <colin@keigher.ca>

Hello Colin,

My name is Christopher Sills and I’m an Operations Manager over at IID
and I wanted to reach out to you and discuss the various ways your data
from Canary.pw could be abused.

I fully understand that you’re attempting to create some form of 0-day
search engine for compromised credentials and ideally you would want
major corporations signed up for your platform and attempting to recover
data leaked in dumps you present, however, even that doesn’t do much
to protect the innocent users compromised in your data.

Your service, Canary.pw, can be used as a storefront for distributing
stolen credentials. The only thing a criminal would have to do is submit
samples of their stolen credentials to you, wait for you to host them
and then point prospective buyers to you so they may verify.

Your service also contains many lists of e-mail addresses scraped from
various sources that have likely been used at one time or another as
spam lists. Canary.pw makes aggregating that data less costly and more
efficient in regards to volume of valid e-mail addresses likely still in
use and ready for more attacks.

Additionally, anyone can search for employees of major corporations who
have had accounts using their corporate e-mail address as the username
compromised. The information in your data could then be used to either
blackmail those people or obtain legitimate credentials to corporate
resources (It may be bad security practice, but not everyone uses a
unique password for each unique login).

We (IID) have noticed that leaked data pertaining to our clients is
available within your platform and we would like for you to abandon your
current model of public availability. We would feel significantly
different about your Canary service if you forced all users to have an
account in order to get data and had some form of vetting process to
ensure only Threat Intelligence Services or Professionals had access. We
believe what you’re doing is irresponsible and may cause more problems
than it solves.
If you really want to help the community at large I recommend you reach
out to the NCFTA to discuss their Internet Fraud Alert program
(https://www.ncfta.net/internet-fraud-alert.aspx) or the Canadian Cyber
Incident Response Centre (CCIRC
Both have a vetted clearinghouse for compromised credentials and will
distribute found credentials back to the involved parties. Something you
don’t seem to readily do at this time.

If you require any assistance with my recommendations please let me know
and I’ll see what I can do to help put you in contact with someone we

Thank you,

Shift Manager of Service Operations
IID _Security Central_

I don't care to respond to this unnecessary e-mail directly because it's going to work out as effectively as me yelling at my radio when a Tory comes on the air to speak their opinion about some socio-economic matter. Instead I am going to point out what is wrong in Chris' and Internet Identity's position on this matter.

Mr. Sills opens up by completely misunderstanding the purpose of Canary, incorrectly assuming that it's "zero-day" and that I built it with the intention of having corporations using the platform. First of all, I am not sure where "zero-day" comes into play but considering that many security firms like to latch on to such terms (including "APT"), it should come as no surprise that it gets dropped inappropriately. Second of all, Canary is intended to be multi-purpose in both being a research tool to correlate breaches and a tool to determine whether or not a person or organization has been compromised.

He then continues to try to place me in the same bed as the attackers, which is highly inappropriate and erroneous. For one thing, the data stored on the site is not readily indexable for search engines to digest, because by design you cannot simply walk through record IDs (N+1 style) to grab everything from Canary. Additionally, I do in fact keep track of searches (so no, you're not really anonymous when using it) and I would notice if someone started to bombard the server with far too many requests. Really, the work required to fully scrape all of the data from Canary would be better spent on just replicating everything I did.
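One way the "bombarding" described above could be spotted from search logs, as an added example that is not Canary's own code: a sliding-window count of searches per client, run over a constructed log sample. The log format, client addresses, window and threshold are all assumptions made for the example.

```python
"""Sliding-window scraper detection over search-log lines (example, not Canary code)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, one search per line: "<ISO timestamp> <client ip> <query>".
# 198.51.100.9 fires sequential-ID lookups seconds apart; 203.0.113.7 searches at a human pace.
SAMPLE_LOG = """\
2015-12-01T08:52:00 203.0.113.7 search=alice@example.org
2015-12-01T08:52:05 198.51.100.9 search=id=1001
2015-12-01T08:52:06 198.51.100.9 search=id=1002
2015-12-01T08:52:07 198.51.100.9 search=id=1003
2015-12-01T08:52:08 198.51.100.9 search=id=1004
2015-12-01T08:52:09 198.51.100.9 search=id=1005
2015-12-01T08:52:10 198.51.100.9 search=id=1006
2015-12-01T08:52:11 198.51.100.9 search=id=1007
2015-12-01T08:53:30 203.0.113.7 search=bob@example.org
2015-12-01T08:55:00 203.0.113.7 search=carol@example.org
"""

WINDOW_SECONDS = 60   # assumed window length
MAX_PER_WINDOW = 5    # assumed per-client search budget inside one window


def parse_line(line):
    """Split one log line into (timestamp, client ip, query)."""
    ts, ip, query = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, query


def find_scrapers(log_text, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
    """Return {client ip: timestamp of the first search that pushed it over `limit`
    searches within any `window`-second span}. Clients that stay under the limit are absent."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _query = parse_line(line)
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, first_hit in find_scrapers(SAMPLE_LOG).items():
        print(f"{ip} exceeded {MAX_PER_WINDOW} searches/{WINDOW_SECONDS}s at {first_hit.isoformat()}")
```

In a real deployment the same counter would feed a throttle or block rather than a print, and the per-client key could be an account rather than an address.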

What Chris and IID are failing to understand is this: the barn doors have already been opened and their fix is closing them after the horses have long since escaped. If the concern is that the data is now available for everyone to see and they're looking to protect their clients, the solution is not to police the information off of the Internet; instead they need to tell their clients to change passwords and let them know of the risks going forward. Trying to get the Internet to forget things simply does not work.

If we're going to protect users on the Internet, we need to come up with more open systems to alert everyone to what is going on. It simply won't work to contact each user individually, so there needs to be a system in place that anyone can subscribe to. I'll elaborate on what I mean a bit later.

Infuriatingly, they seem to suggest that I should stop allowing anyone to access the data and go through some "vetting process" and to put all data behind a wall. I guess it's only fair that since I called out their seemingly shady business practices that it was acceptable for IID to talk me down further and tell me that I am to make changes on how I operate my service.

This suggestion that I build what is effectively a "walled garden" makes absolutely no sense because I am sourcing the data from services that require no such access to begin with. As I've already pointed out, any person can go on to the sites that I monitor and again start taking the data for themselves and do as they please. Is IID going after other services that publish data it doesn't like to see?

How should I go about vetting people on that note? Besides routinely removing accounts that make use of untrustworthy e-mail services or banning access for those who abuse Canary, I simply cannot determine who's a security or IT professional by asking for them to register. It's time-consuming and is going to do absolutely nothing in terms of preventing whatever problem IID is conjuring.

Of course, when his company is charging money for access to the same data that I am providing, I guess it should come as no surprise that this is the narrative they wish to take, considering that my model is a threat to theirs.

While I cannot speak for IID's prices, I've had other threat intelligence services request over $150,000 USD for a year's worth of services for what appeared to be just a glorified list of IP addresses being sent to us at a regular interval. Given that they cited Chase Bank as a client to me in the original complaint, I can only imagine how much they're worth to them and how much they likely charge their other customers. So when I or anyone else comes on the scene offering a service that effectively undercuts them, I cannot say that I am surprised I'd get this sort of reaction.

And it should be apparent that I am indeed a competitor. Here's an article from Reuters, published this past September where they announced their product "Rapid Insight" (now renamed "Dossier") that seems to do some pretty familiar things:
IID, the source for clear cyberthreat intelligence, today announced the launch of a new threat indicator research tool, Rapid Insight. IID's Rapid Insight allows threat analysts and other security professionals to simultaneously search a dozen or more sources in one place for contextual information about questionable domains, hostnames, URLs, IP addresses, email addresses and more -- providing faster and more accurate responses to cyberthreats.
Rapid Insight allows researchers to simply paste a suspicious threat indicator into the search field found in the Rapid Insight search section of ActiveTrust, IID's big data solution for Internet security. These search strings may be in the form of a domain, hostname, URL, IP address, email address, MD5, SHA1 or SHA256. Rapid Insight checks that information against intelligence found in over a dozen sources, including: Alexa, DNS Lookup, IP Geolocation, Google Custom Search, Google Safe Browsing, IID ActiveTrust, Passive DNS, Reverse DNS, Reverse WHOIS via DomainTools, Virus Total and WHOIS via DomainTools. More sources are scheduled to be added in the near future. 
And this is sort of the problem that companies like IID present to cyber security as a whole: they make their products grotesquely expensive for what is really just stuff they sniffed out on the Internet no differently than say myself, Troy Hunt, and others. Canary does all of these things that "Dossier" does and has an open API, but IID is threatened by it because it offers what they have for free.

One of the things I am interested in doing and have been talking about it in closed circles is forming a working group to deal with breaches and other related data. There are many of us out there who have an interest in approaching this from a sane point-of-view and also doing it in a manner where it doesn't require participants to pay an arm and a leg.

Data breach details should be available in a similar fashion to an RBL. Companies like Google and Facebook do keep track of the same data that I do, but for good reason only focus on their own users. Individuals, small businesses, and NGOs have very few options, and forking out six-figure sums to companies is not going to work.

If you're interested in helping me form this idea, please let me know.