I agree with the intent of this proposal, and believe that limiting CybOX
to one locality's legal restrictions would needlessly hamper the intent of
the language.
As Terry recommended, an organization that cannot legally store specific
information should implement a solution that redacts or hashes that data in
an acceptable way. CybOX can already express sensitive account information
in account objects, so transfer of the same sensitive information can
already occur in the current version.
My concern is that the credential array may duplicate functionality of an
array of account objects, which would also duplicate the number of objects
to redact/hash for legal liability. I also support adding
financial-institution-specific information to the current account object, or
the proposed credential object, like credit card numbers, CVV, PIN, etc., as
alluded to in the proposal.
Steven Hilton
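A defender-side illustration of the "redact or hash" and "filter them out" approaches raised in this thread, added here as an example that is not part of any message, of CybOX or of the STIX specification. It treats the proposed `credential-dump` type as a hypothetical top-level object with assumed `entries`/`username`/`password` fields: a consumer that may not store such data drops the object, while a sharer strips passwords and pseudonymizes usernames with a keyed HMAC so a victim organization holding the same key can still find its own accounts in the dump.

```python
import hashlib
import hmac
from copy import deepcopy

# Constructed sample: a minimal STIX-style bundle holding one object of the
# proposed credential-dump type. The entries/username/password fields are assumptions.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'dump-site.example.invalid']"},
        {"type": "credential-dump", "id": "credential-dump--00000000-0000-4000-8000-000000000003",
         "entries": [{"username": "Alice@example.invalid", "password": "hunter2"},
                     {"username": "bob@example.invalid", "password": "correct horse"}]},
    ],
}
SENSITIVE_TYPES = {"credential-dump"}


def drop_sensitive(bundle, sensitive_types=SENSITIVE_TYPES):
    """Consumer-side filter: discard whole objects that local policy forbids storing."""
    out = deepcopy(bundle)
    out["objects"] = [o for o in out["objects"] if o.get("type") not in sensitive_types]
    return out


def _pseudonym(key: bytes, username: str) -> str:
    # Keyed hash: without the key, a digest cannot be guessed back to an address.
    return hmac.new(key, username.strip().lower().encode(), hashlib.sha256).hexdigest()


def redact_credentials(bundle, key: bytes, sensitive_types=SENSITIVE_TYPES):
    """Sharer-side transform: remove passwords, replace usernames with HMAC-SHA256 pseudonyms."""
    out = deepcopy(bundle)
    for obj in out["objects"]:
        if obj.get("type") not in sensitive_types:
            continue
        obj["entries"] = [{"username_hmac": _pseudonym(key, e["username"]),
                           "password_present": "password" in e} for e in obj.get("entries", [])]
        obj["redaction"] = "hmac-sha256-username; password-removed"  # assumed marker field
    return out


def match_local_users(redacted_bundle, local_usernames, key: bytes):
    """Victim-side check: which of our own accounts appear in a redacted dump."""
    seen = {e["username_hmac"] for o in redacted_bundle["objects"]
            if o.get("type") in SENSITIVE_TYPES for e in o.get("entries", [])}
    return {u for u in local_usernames if _pseudonym(key, u) in seen}
```

The key is assumed to be shared only between the sharing party and the breached organization; anyone else receiving the redacted object sees neither addresses nor passwords.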
On Sun, Jan 15, 2017 at 8:43 PM Terry MacDonald <terry.macdonald@cosive.com> wrote:
> I disagree. Why hold off on implementation if we're not sure it's going to
> cause a problem? And why wouldn't vendors implement this functionality if
> it's something that customers want? It's one of the most common things I get
> asked when people want to know what they can share through STIX. If there
> is a need for it, why would we wait on the basis that there is a potential
> issue in some jurisdictions?
>
> Rich, is this something you're able to raise with the DHS lawyers to get
> some guidance on for the US jurisdiction? I'd prefer we got firm advice
> from lawyers before wiping something that I know is wanted (and that
> already is exchanged over email right now).
>
> This is not a complicated object to create, and it's 90% there. This is
> not a significant body of work, and IMHO it's a policy problem not a STIX
> level one.
>
> Cheers
>
> Terry MacDonald
>
> Cheers
>
> *Terry MacDonald *| Chief Product Officer
>
> M: +64 211 918 814
> E: terry.macdonald@cosive.com
> W: www.cosive.com
>
> On Mon, Jan 16, 2017 at 2:31 PM, Bret Jordan <bret_jordan@symantec.com> wrote:
>
> I am not a lawyer but my guess is that a lot of countries, especially in
> Europe, would have an issue with this as well. I also see this as an area
> that vendors will avoid or choose not to implement due to the
> potential legal liability. So if vendors do not implement support for
> it????
>
> I guess at this stage I would argue that we push this topic to 2.2+. Let's
> work on the things we know we need that are not going to be controversial
> and get them done first. As it looks right now, 2.1 will be a significant
> release anyways.
>
> Bret
>
> ------------------------------
> *From:* cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
> *Sent:* Sunday, January 15, 2017 5:49:35 PM
> *To:* Struse, Richard
> *Cc:* Terry MacDonald; Jason Keirstead; Bret Jordan; cti-cybox@lists.oasis-open.org; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
> *Subject:* [cti-stix] Re: [cti-cybox] Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object
>
> I guess my stance would be why arbitrarily restrict people due to what is
> effectively a policy issue? It is only in some jurisdictions this is
> potentially a problem, why stop the rest of the world having a pre-defined
> ability to share this information?
>
> Additionally, by showing value in legitimate sharing of credential dump
> objects for remediation purposes, we may be able to help demonstrate the
> need for various exemptions in law for legitimate credential sharing for
> remediation purposes. We can't do this unless we actually have examples
> where sharing credentials helps speed up remediation.
>
> Implementers could always have a 'US Mode' that they can engage when
> dealing with US based entities that would restrict the use of the
> Credential Dump object in that location. Or maybe at least provide a
> warning saying something like 'Use of this object potentially violates US
> privacy laws. We recommend discussing the use of this object with your
> lawyers before answering. Click 'Yes' to enable the Credential Dump object
> or 'no' to disable the Credential Dump object on this platform'. Maybe
> that's enough?
>
> IMHO custom objects are unlikely to gain traction unless they are defined
> at a community-wide level and that community has a large number of active
> members.
>
> Cheers
> Terry MacDonald
>
> Cheers
>
> *Terry MacDonald *| Chief Product Officer
>
> M: +64 211 918 814
> E: terry.macdonald@cosive.com
> W: www.cosive.com
>
> On Mon, Jan 16, 2017 at 1:19 PM, Struse, Richard <Richard.Struse@hq.dhs.gov> wrote:
>
> One thing we may do well to remember is that it is possible to use STIX to
> convey information that STIX doesn’t standardize the representation
> of. That is, if there is a community of practitioners in incident
> response that wish to exchange credential dump information with each other,
> they can always use STIX 2.0’s ability to define custom object and
> observable types for this purpose. This way the CTI TC and STIX can remain
> somewhat distant from this controversial issue without sacrificing the
> ability for specific communities to exchange such information.
>
>
> *From:* cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] *On Behalf Of *Terry MacDonald
> *Sent:* Sunday, January 15, 2017 4:34 PM
> *To:* Jason Keirstead
> *Cc:* Bret Jordan; cti-cybox@lists.oasis-open.org; cti-stix@lists.oasis-open.org; Terry MacDonald; cti-users@lists.oasis-open.org
> *Subject:* [cti-cybox] Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object
>
> I understand the wariness of people with this, but the fact is that a lot
> of this information is already being shared within trust groups. Not every
> country in the world restricts the sharing of this sort of information for
> remediation purposes, and so we need to think of the world community rather
> than concentrating on restrictions in some of the countries in the globe.
>
>
>
> The issue here is IMHO an implementation-level problem i.e. that
> implementations from vendors need to be able to ignore Credential Dump
> information (or encrypt it, or obfuscate it) if their customers require
> them to. This is at a different level from us adding support for Credential
> Dump object within STIX. I believe we need to provide the ability for
> organizations within jurisdictions that allow the sharing of credential
> information for remediation purposes to actually transmit and receive this
> kind of information so that the good guys and gals can be effective in
> their responses to intrusions. We need to be able to work as a group to
> provide this sort of information back as quickly as possible to the
> organizations that have been breached so that they can respond to the issue
> and minimize the damage to them and their customers.
>
>
>
> Cheers
>
> Terry MacDonald
>
> *Cosive*
>
>
>
> On 16 January 2017 at 05:32, Jason Keirstead <jason.keirstead@ca.ibm.com> wrote:
>
> It's worth investigating most certainly; but I agree with Bret that we
> have to tread carefully.
>
> As an example of why this is dangerous - downloading credential dumps
> (which normally house PII) is essentially illegal for organizations in many
> countries with strong privacy laws (example, Canada), and even when it is
> not illegal it is often blocked by policy (sites blocked by their proxy
> firewalls) in many large organizations for fear of legal repercussions.
> Therefore, if any given TAXII feed has the potential to house credential
> dumps, then it might lock people out of that TAXII server, unless they have
> some way to easily filter them out of their view (which we don't have right
> now in TAXII)
>
> -
> Jason Keirstead
> STSM, Product Architect, Security Intelligence, IBM Security Systems
> www.ibm.com/security | www.securityintelligence.com
>
> Without data, all you are is just another person with an opinion - Unknown
>
>
>
>
> From: Terry MacDonald <terry.macdonald@gmail.com>
> To: Bret Jordan <bret_jordan@symantec.com>
> Cc: cti-cybox@lists.oasis-open.org, cti-stix@lists.oasis-open.org, Terry MacDonald <terry.macdonald@cosive.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
> Date: 01/14/2017 03:25 PM
> Subject: Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object
> Sent by: <cti-users@lists.oasis-open.org>
> ------------------------------
>
>
>
>
> I'm not sure how this could derail everything, as this information is
> already shared via trust group mailing lists. Surely people would already
> be assured of our was that dangerous?
>
> It's also important to realise that sharing happens outside of the US
> legal system, and the rules in other countries may allow for credential
> dump sharing in situations the US does not.
>
> It's at least worth investigating further IMHO...
>
> Cheers
> Terry MacDonald
> Cosive
>
> On 14 Jan. 2017 15:56, "Bret Jordan" <bret_jordan@symantec.com> wrote:
> I really worry about this. CTI is already a concern for privacy groups.
> I know we need to figure this out, but I would like to make sure our ship
> sails and we get positive news/feedback before we try and do something like
> this. We just need to be super careful, something like this could derail
> the entire effort before it actually takes off.
>
> Bret
> ------------------------------
>
> *From:* cti-cybox@lists.oasis-open.org <cti-cybox@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
> *Sent:* Thursday, January 5, 2017 1:51:29 AM
> *To:* OASIS CTI TC CybOX SC list; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
> *Subject:* [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object
>
> Hi All,
>
> In the spirit of gift giving at this time of year, I have yet another
> proposal to offer the group for discussion at the upcoming F2F...
>
> *2.7. Credential Dump Object*
> Type Name: credential-dump
> The Credential Dump Object represents a credential dump containing username
> and password information that attackers have gained access to and dumped
> somewhere on the web in public or traded for money. It is primarily to
> enable the sharing of credential dump information to allow the remediation
> of affected users.
>
>
>
>
> If you wish to comment, please do so as a reply to this email, or leave a
> comment on the Google Doc here:
> https://docs.google.com/document/d/1u9z0XB6A-0q5CZnC9rx0rGfRJpP5u6jS1sio6w1OrJ0/edit?usp=sharing
> PDF version attached for those who prefer those.....
>
> Cheers
>
> *Terry MacDonald *| Chief Product Officer
>
> M: +64 211 918 814
> E: terry.macdonald@cosive.com
> W: www.cosive.com