The Golden Age of Surveillance

November 1, 2019

Back in 2016, then-FBI general counsel Jim Baker famously fought tooth and nail to force Apple to unlock an encrypted iPhone following the terrorist attack in San Bernardino. (The FBI eventually found another way to access the data, so the legal issue was sidestepped.) Now we learn Baker has changed his mind, per the write-up, “Former FBI General Counsel who Fought Apple Has Now ‘Rethought’ Encryption” at 9To5Mac. Writer Ben Lovejoy pulls highlights from a lengthy piece Baker wrote for the Lawfare blog describing his current position on encryption. While he stands by his actions in the San Bernardino case, he now sees the need to balance law enforcement’s need for information against the rest of society’s need to protect valuable data from bad actors. Lovejoy writes:

“Baker says that strong encryption still poses a substantial problem for law enforcement, but he now recognizes that there is no way to square the circle of protecting both personal and government data on the one hand, and allowing law enforcement to access data on the other.

‘A solution that focuses solely on law enforcement’s concerns will have profound negative implications for the nation across many dimensions. I am unaware of a technical solution that will effectively and simultaneously reconcile all of the societal interests at stake in the encryption debate, such as public safety, cybersecurity and privacy as well as simultaneously fostering innovation and the economic competitiveness of American companies in a global marketplace.’

“He says that forcing US companies to create compromised systems would simply shift demand to foreign-made products that remain secure. Additionally, a lot can be done with metadata, that is, records of who contacted whom, rather than what was said.

‘Further, the situation for law enforcement may not actually be as bad as some claim. In fact, some argue that society is in a “golden age of surveillance” as substantially more data, especially metadata, than ever before is available for collection and analysis by law enforcement.’”

“Golden age of surveillance” indeed—the man has a point. He stresses, in particular, the importance of avoiding potential spyware in Chinese-made equipment. He urges government officials to embrace encryption as necessary or, if they refuse to do that, find another way to guard against existential cyber threats. He observes they have yet to do so effectively.

Cynthia Murrell, November 1, 2019

Another Cyber Firm Reports about Impending Doom

October 29, 2019

Identity intelligence firm 4iQ summarizes the results of its recent research in the write-up, “Identity Protection & Data Breach Survey.” The company polled 2,300 participants about data breaches and identity protection issues; a slide show linked from the write-up presents the results in graph form.

Researchers found that fewer than half the respondents had been notified they were victims of a breach. Most of those who were notified were offered identity protection services, but about half of them felt the offer fell short of adequately addressing the problem. We also learn:

“*Nearly 40% of respondents believe they have already suffered identity theft and more than half of respondents, 55%, believe that it’s likely their personally identifiable information (PII) is already in the hands of criminals. As a result, 62% of respondents are concerned that their PII could be used by someone to commit fraud.

*More than half, 52%, of respondents said they would expect their own online security error to negatively or very negatively affect their standing with their employer—an additional stress for working Americans—so it’s not surprising then, that 60% of respondents believe there’s a ‘blame-the-victim’ problem with cybercrime.

*A strong majority, 63%, are concerned that prior breaches could lead to future identity fraud, and 37% believe they have already been a victim of fraud as a result of a cybercrime incident.”

As for protecting personally identifiable information, 75% feel their employers are doing a fair to excellent job, but only 42% feel the government is doing so effectively. They feel even less confident about their personal efforts, with only 15% calling themselves “very effective” (23% rated their employers as “very effective”).

On that last point, 4iQ states it demonstrates that “everyday consumers may feel unprepared to contend with the threats presented by cybercrime,” which is not surprising from a company that sells solutions to that problem. We know there are free and low-cost measures individuals can take to boost their own security, but some will be willing to pay for extra reassurance on top of those precautions. Based in Los Altos, California, 4iQ was founded in 2016.

Cynthia Murrell, October 29, 2019

Security Industry Blind Spot: Homogeneity

October 24, 2019

Push aside the mewlings about Facebook. Ignore Google’s efforts to quash employee meetings about unionization. Sidestep the phrase “intelligent cloud revenue.”

A possibly more significant item appeared in “Information Security Industry at Risk from Lack of Diversity.” The write up states:

The Chartered Institute of Information Security (CIISec) finds that 89 percent of respondents to its survey are male, and 89 percent over 35, suggesting the profession is still very much in the hands of older men.

Furthermore, the security industry is wallowing in venture funding. That easy money has translated into a welter of security solutions. At cyber security conferences, one can license smart monitoring, intelligent and proactive systems, and automated responses.

The problem is that this security country club may be fooling itself and its customers.

The write up quotes from the CIISec report, presenting this segment:

“If the industry starts to attract a more diverse range of people whilst spreading awareness of the opportunity available, we could be well on the way to truly modernizing the industry,” adds Finch. “Key to all this will be both organizations and individuals having a framework that can show exactly what skills are necessary to fulfill what roles. This will not only help hire the right people. It will also mean that the routes to progress through an individual’s career are clearly marked, ensuring that individuals who enthusiastically join the industry don’t over time become jaded or burn out due to a lack of opportunity.”

Partially correct, opines DarkCyber. The security on offer is a me-too approach. Companies find themselves struggling to implement and make use of today’s solutions. The result? Less security, and vendors who talk security but deliver confusion.

Meanwhile, those bad actors continue to diversify, gain state support, and exploit what are, at the end of a long day, vulnerable organizational systems.

Stephen E Arnold, October 24, 2019

NordVPN: An Insecure Security Service?

October 22, 2019

In 2016, one of the DarkCyber research team signed up for NordVPN. We wanted to test several of the companies offering enhanced security products. After we filled out the form in April 2016, the service did not activate. We heard from a person calling herself “Christina.” She was a floundering professional. We explained the misfire. Then we heard from Zack in 2017, who wanted us to renew a service which had never been available to the DarkCyber professionals. We concluded that NordVPN was more trouble than it was worth: the company could take money via a credit card, fail to deliver the service, yet spam DarkCyber for a renewal. Now that’s more than floundering. That’s either clumsy, misguided, or what the Wall Street crowd calls Black Edge behavior.

We thought about Christina and Zack when we read “NordVPN Confirms It Was Hacked.” If the write up is accurate, the security company NordVPN is not completely secure. The write up reports:

NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked. The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

We are fascinated with VPN services. Some are free; some, like NordVPN, seem to collect money and leave their systems vulnerable.

What’s our recommendation? DarkCyber thinks ignoring NordVPN might be a pre-installation step to consider.

Oh, Christina, when you take money, you should deliver the product. And, Zack, no, DarkCyber will not renew.

Why?

Read the articles about NordVPN finding itself in what may be the digital equivalent of a security soup from a questionable cafeteria.

Stephen E Arnold, October 22, 2019

Supremely Secure?

October 19, 2019

Suprema is a South Korean company that specializes in cyber security. One of Suprema’s products is a line of fingerprint readers. The BBC reports on a leak at the company in “Biostar 2: Suprema Plays Down Fingerprint Leak Report.” A cyber security research group gained access to customer data in Suprema’s Biostar 2, then alerted Suprema to the leak.

The research group’s action was benign, but it did point to a flaw in the system, and Suprema was not happy. Suprema assured its clients that none of the information had been breached and that the number of customers affected was very small. A South Korean police force worried it was among the potential victims, but apparently none of its biometric systems were exposed.

“The dispute over how big the leak was can be explained by the fact the researchers say they did not, for ethical reasons, attempt to download all the fingerprint files. Rather, they had taken “hundreds” of samples of data, said Mr Rotem. And these appeared to encode fingerprint patterns from a random selection of accounts in the Biostar 2 dataset. They then used Suprema’s software to convert about half a dozen examples into visible fingerprint patterns. From this, they estimated the dataset contained “at least over a million” fingerprint patterns in total. “We have evidence that biometric data was leaked,” Mr Rotem told BBC News.”

The full data sets were not downloaded, for ethical reasons. The research team actually did Suprema a favor by pointing out the crack before bad actors accessed the system, but Suprema would apparently have preferred that one of its own system regulators had discovered the issue. It should not matter who found the leak, because customers were at stake. Suprema sells security but does not practice it.

Whitney Grace, October 19, 2019

Project Zero Targets Who? What? Why?

October 18, 2019

Google is not one to keep its eyes on its own work, as the effective Project Zero demonstrates. That initiative’s researchers (a.k.a. hackers) seek out zero-day vulnerabilities in software created by Google and many other companies. Vice examines Project Zero in its article, “How Google Changed the Secretive Market for the Most Dangerous Hacks in the World.”

Since its launch in 2014, Project Zero reports it has found and helped fix more than 1,500 vulnerabilities. More than 300 of these were in Apple products, over 500 in Microsoft’s, and more than 200 in Adobe Flash, to give just a few examples. One of these researchers was part of the team that found the Intel chips’ Spectre and Meltdown vulnerabilities. The project has also influenced the cybersecurity industry in more general ways. Reporter Lorenzo Franceschi-Bicchierai writes:

“For one, Project Zero has normalized something that years ago was more controversial: a strict 90-day deadline for companies that receive its bug reports to patch the vulnerabilities. If they don’t patch in that time frame, Google drops the bugs itself. Microsoft, in particular, was not a fan of this policy at the beginning. Today, most companies that interact with Project Zero respect that 90-day deadline as an industry standard, a tidal change in the always controversial debate on the so-called ‘responsible disclosure’—the idea that security researchers who find vulnerabilities should first disclose them to the affected company, so that it can fix them before the bugs are exploited by hackers. According to its own tally, around 95 percent of bugs reported by Project Zero get patched within that deadline.”

Then there is the effect on what the article calls the “insecurity industry,” companies like Azimuth Security and NSO Group that also seek out zero-day vulnerabilities, but for a different reason. We’re told:

“Instead of reporting the vulnerabilities to the companies who own the software, these companies sell them to governments who turn them into tools to hack and surveil targets. ‘F— those guys,’ said a researcher who works for a company that does offensive security, referring to Project Zero. ‘They don’t make the world safer.’ The researcher … said that zero-day vulnerabilities are sometimes used to go after terrorists or dangerous criminals. So when Project Zero kills those bugs, it may be killing tools used by intelligence agencies to go after the bad guys, according to the researcher.”

That is one perspective, but one with which many security experts disagree. See the article for more on that dispute. There is no doubt companies the world over have benefited from Project Zero’s work, but what does Google get out of the effort? Good press is one thing, of course, but Franceschi-Bicchierai suggests another motive—the excuse to poke around in its competitors’ software and reveal their weaknesses. Whatever the motivations, Project Zero now seems entrenched in the cybersecurity landscape.

Now what about the timing of the announcement about the Apple iPhone vulnerabilities and the downplaying of Android phone issues?

Minor issue, right?

Cynthia Murrell, October 18, 2019

Cyber Security: Hand Waving Instead of Results?

October 9, 2019

Beta News published what DarkCyber views as a bit of an exposé. “Security Professionals Struggle to Measure Success within the Business” recycles information which appears to come from a services firm called Thycotic. (DarkCyber has not been able to locate the referenced report.)

Among the statements in the write up, DarkCyber noted these as particularly thought provoking:

  • “Nearly half (44 percent) [of those in the Thycotic sample] say their organization struggles to align security initiatives with the business’s overall goals”
  • “More [than] 35 percent aren’t clear what the business goals are”
  • “The most commonly used metric is to count the number of security breaches (56 percent) followed by the time taken to resolve a breach (51 percent). It appears, however, that these criteria may not be terribly useful.”
  • “Around two in five (39 percent) say they have no way of measuring what difference past security initiatives have made to the business.”
  • “36 percent agree it’s not a priority for them to measure security success once initiatives have been rolled out.”

These are interesting results. If an information unit cannot demonstrate that its security efforts are useful, budgets will be cut or staff rotated. Vendors will be sucked into this negative atmosphere.

Are cyber security vendors delivering solutions which work? Are customers able to use these products? Will executives lose confidence in their staff and vendors because security challenges continue to bedevil the organization?

The big question, however, remains:

Do the hundreds of vendors have solutions that are useful?

Paying invoices for hand waving can be an issue in some organizations. Well-funded cyber security start-ups might run into choppy waters after several years of smooth sailing and the support of investors who believe that nothing can derail new cyber security solutions.

Stephen E Arnold, October 9, 2019

Encryption: Change May Be Imposed

October 8, 2019

In our DarkCyber videos we reported on Australia’s efforts to obtain access to encrypted communications. We noted that other Five Eyes partners would pick up the idea and move it forward. “The Open Letter from the Governments of US, UK, and Australia to Facebook is An All-Out Attack on Encryption” from the Electronic Frontier Foundation explains that several countries have demanded access to secure messages. The EFF states:

This is a staggering attempt to undermine the security and privacy of communications tools used by billions of people. Facebook should not comply. The letter comes in concert with the signing of a new agreement between the US and UK to provide access to allow law enforcement in one jurisdiction to more easily obtain electronic data stored in the other jurisdiction. But the letter to Facebook goes much further: law enforcement and national security agencies in these three countries are asking for nothing less than access to every conversation that crosses every digital device.

The EFF states:

What’s more, the backdoors into encrypted communications sought by these governments would be available not just to governments with a supposedly functional rule of law. Facebook and others would face immense pressure to also provide them to authoritarian regimes, who might seek to spy on dissidents in the name of combatting terrorism or civil unrest, for example. The Department of Justice and its partners in the UK and Australia claim to support “strong encryption,” but the unfettered access to encrypted data described in this letter is incompatible with how encryption actually works.

DarkCyber wants to point out that flows of digital information work like sandblasters; that is, the data flows erode existing structures. When societal conventions are blasted by bits, the darker side of human nature has a new greenhouse in which to flourish.

DarkCyber believes that a new context exists in the digital environment. We understand what EFF says, but it seems clear that access to encrypted content is just one facet of other changes; for example, cutting off Internet access, censorship, and similar actions.

New world. Old arguments may not gain traction.

Stephen E Arnold, October 8, 2019

A Snowden Fave Has a Quirk

October 7, 2019

If you use Signal, a fave of Edward Snowden, be aware of a possible security flaw. The messaging app has a charming “feature” if “Signal: Incoming Call Can Be Connected without User Interaction” is on the money. The write up asserts:

Using a modified client, it is possible to send the “connect” message to a callee device when an incoming call is in progress, but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device. The connected call will only be an audio call, as the user needs to manually enable video in all calls. The iOS client has a similar logical problem, but the call is not completed due to an error in the UI caused by the unexpected sequence of states. I would recommend improving the logic in both clients, as it is possible the UI problem doesn’t occur in all situations.

The article provides technical information about this issue.
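To make the logic error concrete, here is an added example, not Signal’s code and not from the bug report: a toy model of the callee side of call setup. CalleeVulnerable treats the remote peer’s “connect” message as authoritative, so a modified caller can open the audio path while the phone is still ringing; CalleeHardened only honours “connect” once the local user has actually answered. The state names, message names and event scripts are assumptions made for this example.

```python
"""
Added example (not Signal's code): a toy model of the callee side of the
call-setup logic the bug report describes. CalleeVulnerable treats a
remote "connect" message as authoritative, so a modified caller can open
the audio path while the phone is still ringing. CalleeHardened only
honours "connect" once the local user has accepted. State and message
names are assumptions made for this example.
"""
from enum import Enum, auto
from typing import List, Tuple


class State(Enum):
    IDLE = auto()        # no call in progress
    RINGING = auto()     # offer received, user has not touched the device
    ACCEPTING = auto()   # user pressed answer, waiting for remote "connect"
    CONNECTED = auto()   # audio path open
    ENDED = auto()


class CalleeVulnerable:
    """Mirrors the defect: the remote peer alone can complete the call."""

    def __init__(self) -> None:
        self.state = State.IDLE
        self.audio_open = False
        self.rejected: List[str] = []   # remote messages that were ignored

    def on_offer(self) -> None:
        if self.state is State.IDLE:
            self.state = State.RINGING

    def on_user_answer(self) -> None:
        if self.state is State.RINGING:
            self.state = State.ACCEPTING

    def on_remote_message(self, msg: str) -> None:
        if msg == "hangup" and self.state is not State.IDLE:
            self.state = State.ENDED
            self.audio_open = False
        elif msg == "connect" and self.state in (State.RINGING, State.ACCEPTING):
            # Bug: "connect" is honoured while still RINGING, i.e. before
            # any local user interaction, so the microphone goes live.
            self.state = State.CONNECTED
            self.audio_open = True
        else:
            self.rejected.append(msg)


class CalleeHardened(CalleeVulnerable):
    """Same machine, but "connect" is only valid after local acceptance."""

    def on_remote_message(self, msg: str) -> None:
        if msg == "connect" and self.state is not State.ACCEPTING:
            # Out-of-order signalling from the peer: ignore it and keep
            # ringing. A stricter client could end the call here instead.
            self.rejected.append(msg)
            return
        super().on_remote_message(msg)


def run(client: CalleeVulnerable, events: List[str]) -> Tuple[State, bool]:
    """Drive a client with a script of local events and remote messages."""
    for ev in events:
        if ev == "offer":
            client.on_offer()
        elif ev == "user_answer":
            client.on_user_answer()
        elif ev.startswith("remote:"):
            client.on_remote_message(ev.split(":", 1)[1])
        else:
            raise ValueError(f"unknown event {ev!r}")
    return client.state, client.audio_open


# Constructed scripts: a modified caller sends "connect" before the callee
# answers, versus a normal call where the user answers first.
ATTACK = ["offer", "remote:connect"]
NORMAL = ["offer", "user_answer", "remote:connect"]

if __name__ == "__main__":
    print("vulnerable, attack:", run(CalleeVulnerable(), ATTACK))
    print("hardened,   attack:", run(CalleeHardened(), ATTACK))
    print("hardened,   normal:", run(CalleeHardened(), NORMAL))
```

The design point is that the transition into CONNECTED is gated on local state the peer cannot influence, not on the order in which signalling messages happen to arrive.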

DarkCyber hopes Mr. Snowden has adjusted his secure messaging opsec when he is not seeking life in France or preparing for a for-fee lecture.

Stephen E Arnold, October 5, 2019

Cyber Security: Not for Cloud Misconfigurations

September 25, 2019

DarkCyber has been discussing the apparent ineffectiveness of the cyber defense technology offered by dozens of vendors. Despite the escalation in marketing hype, security issues are like exhaust fumes — everywhere. “99 Percent of All Misconfigurations in the Public Cloud Go Unreported” flashes credibility lights with its “99 percent” and “all” headline.

The write up asserts:

The surge in adoption of cloud-based technologies and Infrastructure-as-a-Service (IaaS) has added a new facet to cyber threats — the loss of information caused by misconfigurations and weak credentials in the public cloud space.

That statement sounds plausible.

The write up adds:

The report says that the top ten most commonly-misconfigured settings in AWS, the most popular IaaS provider for enterprise firms alongside Microsoft Azure, are as below:

  • EBS Data Encryption
  • Unrestricted Outbound Access
  • EC2 Security Group Port Config
  • Provisioning Access to Resources using IAM Roles
  • Unrestricted Access to Non-Http/Https ports
  • Unrestricted Inbound Access on Uncommon Ports
  • Unused Security Groups
  • Unrestricted ICMP Access
  • EC2 Security Group Inbound Access Configuration
  • EC2 Instance Belongs to a VPC
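Most of the items on that list can be checked from API responses a customer already has. The following is an added example, not code from the report or from Amazon: an offline audit over records shaped like the output of boto3’s describe_security_groups(), describe_instances() and describe_volumes(), flagging the unrestricted inbound, outbound and ICMP rules, unused security groups, non-VPC instances and unencrypted EBS volumes named above. The account snapshot is constructed for the example, and the finding strings are this example’s own rather than any vendor’s rule names.

```python
"""
Added example, not code from the report or from Amazon: an offline audit
over records shaped like the output of boto3's describe_security_groups(),
describe_instances() and describe_volumes(). It flags several of the
misconfiguration categories listed above. The account snapshot at the
bottom is constructed for this example and the finding strings are its own.
"""
from typing import Dict, List

WORLD = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}  # a public listener on these is expected to be world-reachable


def _open_to_world(perm: dict) -> bool:
    """True if an IpPermission entry grants access to any address."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD)


def audit_security_group(sg: dict) -> List[str]:
    """Unrestricted inbound on non-web ports, unrestricted ICMP, unrestricted egress."""
    gid = sg["GroupId"]
    findings: List[str] = []
    for perm in sg.get("IpPermissions", []):
        if not _open_to_world(perm):
            continue
        proto = perm.get("IpProtocol")
        if proto == "icmp":
            findings.append(f"{gid}: unrestricted ICMP access")
        elif proto == "-1":  # EC2's "all protocols, all ports"
            findings.append(f"{gid}: unrestricted inbound access on all ports")
        else:
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo == hi and lo in WEB_PORTS:
                continue
            findings.append(
                f"{gid}: unrestricted inbound access to non-HTTP/HTTPS port(s) {proto} {lo}-{hi}"
            )
    if any(_open_to_world(p) for p in sg.get("IpPermissionsEgress", [])):
        findings.append(f"{gid}: unrestricted outbound access")
    return findings


def audit_account(account: Dict[str, list]) -> List[str]:
    """Run every check over an account snapshot and return sorted findings."""
    findings: List[str] = []
    instances = account.get("Instances", [])
    attached = {g["GroupId"] for inst in instances for g in inst.get("SecurityGroups", [])}

    for sg in account.get("SecurityGroups", []):
        findings.extend(audit_security_group(sg))
        if sg["GroupId"] not in attached:
            findings.append(f"{sg['GroupId']}: unused security group")

    for inst in instances:
        if not inst.get("VpcId"):  # EC2-Classic or missing VPC placement
            findings.append(f"{inst['InstanceId']}: EC2 instance does not belong to a VPC")

    for vol in account.get("Volumes", []):
        if not vol.get("Encrypted", False):
            findings.append(f"{vol['VolumeId']}: EBS volume not encrypted")

    return sorted(findings)


# Constructed snapshot (not real account data) in the shape boto3 returns.
SAMPLE_ACCOUNT = {
    "SecurityGroups": [
        {   # world-reachable SSH and ICMP plus open egress: three findings
            "GroupId": "sg-0aaa",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
        },
        {   # database group restricted to the corporate range: clean
            "GroupId": "sg-0bbb",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            ],
        },
        {"GroupId": "sg-0ccc", "IpPermissions": [], "IpPermissionsEgress": []},  # unused
    ],
    "Instances": [
        {"InstanceId": "i-0123", "VpcId": "vpc-0abc",
         "SecurityGroups": [{"GroupId": "sg-0aaa"}, {"GroupId": "sg-0bbb"}]},
    ],
    "Volumes": [
        {"VolumeId": "vol-0enc", "Encrypted": True},
        {"VolumeId": "vol-0plain", "Encrypted": False},
    ],
}

if __name__ == "__main__":
    for line in audit_account(SAMPLE_ACCOUNT):
        print(line)
```

Against a live account the same functions can be fed the dictionaries returned by the boto3 calls named in the lead-in; the point is that none of these checks needs a paid product, only the data the customer already controls.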

If the data are accurate, Amazon is a security “challenge.”

Has Amazon done enough to make certain that its customers are not creating risks for others? If Amazon is a security problem, are the vendors of pricey cyber security systems providing tools and solutions that shore up known weak spots?

Two questions. Answers?

Stephen E Arnold, September 25, 2019
