Ebay, Attribution and Digital Forensics
Ebay’s announcement today is fascinating to read:
“After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats.”
Here’s our question: How exactly do they know? Can they prove it to their stakeholders?
Despite all the advances in technology over the last 40 years, somehow it feels that digital forensics hasn’t advanced much since the 1980s. The status quo for forensics is still for an investigator to use imaging tools and try to figure out what happened after the fact.
To quote another 80s phenomenon: “You cannot be serious”.
The most fundamental flaw with forensics today is the ex post facto nature of evidence collection. Because electronic data is volatile, any hacker worth his salt knows how to delete logs or, worse, manipulate logs to cover his tracks and attribute his activity to an innocent party. That is why attribution of crimes on the Internet is so hard, whether it is a 16 year-old manipulating school records, a nation-state attack on critical infrastructure or cybercriminals hacking into Ebay’s network.
KSI: a universal standard for digital evidence.
When the inventors of KSI set out they weren’t thinking of digital evidence – simply a new signature scheme that uses only hash functions. The application to digital evidence, however, is clear.
“The key feature that attracts my interest is the “keyless” inside the KSI name. If there is no key, an attacker can obviously not compromise it.” – Rainer Gerhards, author of rsyslog
By eliminating the need for keys, and with them key management, the benefits for digital evidence are clear.
By integrating KSI into Cloud, Networks and Big Data Governance platforms there is no need to conduct a forensic examination after an incident has occurred – the forensic auditability is built in as a part of the data lifecycle.
Portability of Evidence
Evidence that can cross organizational and service provider boundaries – there is no trusted party that needs to be referred back to.
Independent verification is probably the most important innovation in KSI. It means that an event in cyberspace can be verified without reliance on the correct implementation of a procedure, the security of keys or any trusted human. As a practical example, consider the implications of a connected car involved in a collision. Who is liable: the driver, the vehicle manufacturer, the software vendor, the network hardware manufacturer, or the service provider? With independent verification there is no dispute as to exactly what happened, because it can be verified without the need to trust any of the parties involved.
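To make the hash-only, independently verifiable idea concrete, here is an added example that is not Guardtime’s code but a simplified version of the hash-tree aggregation that KSI is built on: log records are aggregated into a hash tree, only the root is published, and anyone holding a record plus its sibling hashes can check it without keys or a trusted party. The sample log lines and all function names are constructed for this illustration; a modified or deleted record no longer reproduces the published root.

```python
import hashlib
from typing import List, Tuple

# Constructed sample log records (not from any real system).
LOG_RECORDS = [
    b"2014-05-21T10:00:01Z sshd: accepted publickey for admin from 10.0.0.5",
    b"2014-05-21T10:00:07Z sudo: admin : COMMAND=/bin/cat /etc/shadow",
    b"2014-05-21T10:00:09Z sshd: accepted password for guest from 10.0.0.9",
    b"2014-05-21T10:01:30Z kernel: eth0 link down",
    b"2014-05-21T10:02:00Z sshd: session closed for admin",
]

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(record: bytes) -> bytes:
    return h(b"\x00" + record)          # domain-separate leaves from inner nodes

def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def _pad(level: List[bytes]) -> List[bytes]:
    return level + [level[-1]] if len(level) % 2 else level   # duplicate last node

def build_tree(records: List[bytes]) -> List[List[bytes]]:
    """All tree levels: levels[0] are the leaf hashes, levels[-1] is [root]."""
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def root_of(records: List[bytes]) -> bytes:
    return build_tree(records)[-1][0]   # the only value that must be published

def inclusion_proof(records: List[bytes], index: int) -> List[Tuple[str, bytes]]:
    """Sibling hashes from leaf to root; 'L'/'R' says which side the sibling is on."""
    proof = []
    for level in build_tree(records)[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify(record: bytes, proof: List[Tuple[str, bytes]], root: bytes) -> bool:
    """Recompute the root from one record and its proof; needs no key and no trusted party."""
    acc = leaf_hash(record)
    for side, sib in proof:
        acc = node_hash(sib, acc) if side == "L" else node_hash(acc, sib)
    return acc == root
```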
The entire world’s dataset, even at an exabyte a second, can automatically and naturally come with a KSI signature with close to zero network, storage and compute overhead.
The long term vision of Guardtime is to create the Attributed Internet: tag, track and locate functionality for the world’s electronic data. Modern security solutions such as firewalls and sandboxing search for vulnerabilities, but they can’t guarantee their absence. KSI allows for different assumptions – by monitoring the integrity of your network in real time you can assume compromise and mitigate in real time when malware acts.
A universal standard for digital evidence may be just a side-effect of the Attributed Internet but it sure looks like a powerful one from where we are sitting.