Category Archives: Technology and Security

Hacking Back and the Cyber Balance of Power

The Washington Post carried a front page article on October 10th, “Hacked Firms Quietly Talk about Fighting Fire with Fire,” about growing corporate anger over successive cyber attacks.  The new theme: go on the offensive.  Hack back!

They are not alone.  The Pentagon has set up a secretive unit called Plan X which is supposed to fight back against hacking. Its “rules of engagement” are classified, and nobody really knows if Plan X is operational or pie in the sky.

But how would “hacking back” work?  The corporate approach, as reported in the Post, seems to be that one can attack the hackers, send them bogus information, as a way of closing them down.  Would this work?

Most of the really bad hacking, meaning attacks on government computers and networks and on America’s critical infrastructure, is foreign government sponsored.  The latest banking attacks are thought to be Russian-sponsored, Putin’s reaction to American-led sanctions because of the Ukraine crisis.   And the Senate Armed Services Committee has found that American defense companies are being systematically looted by China through cyber espionage.

Well-financed foreign governments do not directly launch attacks on American companies or our government and military. They would be foolish to do so, especially since they have plenty of other options.  The Russians and Chinese have cadres of hackers who can operate on their behalf.  Occasionally these state-sponsored “independent” hackers make a few extra dollars by stealing credit cards and emptying bank accounts.  Sure you can hack them back, but they will just get another computer and do it again.  Living abroad they are beyond American law enforcement.  The FBI may want to investigate; one can expect few results.

Then there is the problem of recognizing that a hack has occurred.  A study by Verizon, which was done with the cooperation of many businesses, security firms and government experts, points out that it often takes a long time to uncover an intrusion. If you don’t know you have been ripped off you may in the end find your coffers empty when it is too late.

The level of angst circulating in business and government circles caused by huge financial losses from cyber intrusions (one study says $300 billion per year goes out America’s cyber “pipeline”) suggests we are rapidly reaching a tipping point. The security model we are trying to apply is a failure.

In fact as I have pointed out elsewhere, the security model we have cannot work for the simple reason that it is impossible to protect computer networks when the networks, fixed and mobile platforms, and transmission equipment are composed of open-source computer code and foreign sourced hardware, predominantly manufactured in China.  The time has come for the government to realize we cannot protect America’s resources or critical systems such as telecommunications, energy, health care and banking if they are running on foreign produced equipment and globalized software.

And there is more.

It makes no sense to go after hackers who are employed by foreign governments.  If we want to be serious when our banks are attacked or our nuclear power plants are damaged we have to respond in kind.  This is the ancient rule of warfare. We need to establish a cyber balance of power.  To do so, we have to act like a grown up superpower that is no longer willing to be picked on by hackers and intruders ad nauseam.  It is doubtful the Pentagon’s Plan X rules of engagement allow it to attack the other guy’s critical infrastructure, but maybe they should. If the White House is timid maybe Congress can put some backbone into our leadership.

Successive administrations have kicked the ball down the hall on cyber security.  Leaders have bought into the idea that there is some nice solution just around the corner and all we needed to do is to be more rigorous, spend more money, and apply the right security safeguards. If anything, as spending on security has increased, so have cyber attacks.  There is no empirical evidence that more spending has produced anything approaching a cure.  While it may get them off the hook by throwing more dollars at the problem, a more serious and comprehensive approach is needed and soon.  That approach is tit for tat for those attacking us, and weaning our computer networks and communications systems off weak, compromised software and Chinese-made hardware.  We would not give our soldiers rifles made in China.  Why do we run our nuclear power plants and government computers on Chinese supplied parts?

The partying going on in Beijing and Moscow will go on until we get serious.  We are still buying the beer.


The “StealthGenie” Complaint May Not Accomplish Anything

[Update: It turns out that police departments around the country have been giving out software so parents can monitor their kids' computers, tablets and phones. This controversial spyware distribution flies in the face of the Justice Department's StealthGenie indictment; in fact it makes Justice likely to lose the case if it is ever adjudicated.  It is indeed strange that the DOJ failed to do its homework and seems to have taken a Don Quixote-like approach to the problem, leaving out most of the really bad stuff to go after one amateur.
See http://www.cnet.com/news/police-boosted-parental-control-app-is-a-privacy-mess-says-report/ for one report on the matter.]

Two Assistant United States Attorneys, Kevin Mikolashek and Jay Prabhu, have filed a civil Complaint (Civil No. 1:14-ev 1273) against Hammad Akbar for selling a spyware product called StealthGenie. StealthGenie is an APP that works on a variety of smartphones. The APP surreptitiously records incoming and outgoing phone calls; allows the purchaser to intercept calls in real time without the knowledge of the smartphone user; allows conversations in a boardroom or bedroom to be recorded without the knowledge of the smartphone user; allows incoming and outgoing email, SMS (text) messages and voicemail to be recorded and read; and steals the user’s contact list, photos, videos and appointments.
 
StealthGenie works through a commercial server. StealthGenie used Amazon Web Services located in Ashburn, Virginia. All the intercepted information from StealthGenie is stored on Amazon’s server.
 
Hammad Akbar and his employees are Pakistani citizens and Akbar lives in Lahore. The chances of catching up with him are precisely zero. Amazon is not a defendant in the case, although clearly Amazon Web services facilitated StealthGenie operations.
 
The US government view is that this kind of APP is an “interception device” under US Code and Federal Rules of Civil Procedure and that the sale, marketing and advertising of mobile spying applications is illegal. The US Attorneys evinced specific concern that the spread of this kind of APP would help stalkers, although as the Complaint says, the product was advertised as a means of dealing with spousal cheating, which according to StealthGenie’s owners, a company called InvoCode Pvt. Ltd., constituted 65% of the purchasers of the APP.
 
This is the first case brought in a Federal court against spyware APPS. It is unlikely to ever be successfully prosecuted, so the civil Complaint really amounts to a warning to others who make similar products.
 
Today there are hundreds of companies in all parts of the world producing products that resemble StealthGenie. These products are available on the Internet. Some of them are free; others can be purchased. The simplest of them require physical access to the target’s phone to install the malicious APP. More sophisticated stealthy spyware can get downloaded on a phone without the need for physical access. One way is to embed the spyware into a legitimate product and offer it to the user. Another is to plant a Trojan or other bug in the hardware of the device. Recently some Chinese phones have been found to have built in spyware. There are plenty of other techniques available for professional spies. StealthGenie was meant for amateurs.
 
Whether the government’s legal argument is sound is less than clear. There are many cases where intercept software can be sold where its use is legal. Two examples come to mind: the sale of intercept software to law enforcement and government; the sale of intercept software to business. Business has a right to monitor its employees, and this right has been generally supported in US courts. This right extends to smartphones, computers and other electronics (such as GPS trackers). It would seem, therefore, that if StealthGenie advertised its APPS for certain business spying, there would not have been any grounds for an indictment.
 
Another use of spyware APPS is for parents monitoring children. The US Government Complaint does not address this point. But, again, if an APP is advertised for this purpose, is it legal?
 
Spyware is also extensively used by companies spying on their competitors. Certainly this is not legal, but the government has not bothered to act on such spying. Why?
 
One thing is certain, the government’s action, no matter how well-intentioned, misses the mark in important ways. The widespread spying going on in our society, some of it easily accomplished by monitoring social APPS like Facebook and Twitter, is a real scourge. So too is the monetization of personal information by many of the tech-giants, who are making a fortune exploiting our privacy. We have a very long way to go before any of this is brought to a halt.

What Dura Europos Means to Jews and Christians

The ancient city sits ninety meters above the Euphrates river.  Known in ancient times as Dura Europos, its history spans the most important time for change and strife for Jews and the formative period of Christianity.  Dura Europos (the nearest Syrian village is Salhiyé) is now under ISIS control.  ISIS has put diggers there who are pick pocketing the artifacts of the city and selling them to brokers on the spot.

Dura Europos has three sanctuaries, a synagogue, an early Christian church and a Roman temple.  The city was founded by the Seleucids in 303 BC.  It would be captured by the Romans in 165 AD  who held it until 256 or 257 AD. Established as a trade hub for caravans and river traffic, Dura Europos also was a melting pot of culture and a place of religious ferment.

The period from 303 BC to 250 AD marks a time of great change in Judaism and Christianity.  It is the period of struggle between the Roman occupiers and Jewish zealots who believed the Romans were polluting the Temple and undermining religion.  It is a period where notions of a savior took hold in both the Jewish and Christian communities and where it was not always possible to distinguish between Christians and Jews.  In the finds at Qumran (popularly known as the site where the Dead Sea scrolls were discovered) we can get an extraordinary insight into the religious fervor, the striving for purity, the anticipation of a messiah, that became the core idea of Christianity.

Of particular importance is the work of the prophet Ezekiel. He was Ezekiel ben-Buzi, who lived in exile in Babylonia between 593 and 571 BC.  Ezekiel’s writings were modified and added to many times, so it is uncertain what truly belongs to him and what his successors added over the years.

Chapter 37 by Ezekiel is most famously known as “dry bones.”

The hand of the Lord was on me, and he brought me out by the Spirit of the Lord and set me in the middle of a valley; it was full of bones.  He led me back and forth among them, and I saw a great many bones on the floor of the valley, bones that were very dry. He asked me, “Son of man, can these bones live?”

I said, “Sovereign Lord, you alone know.”

Then he said to me, “Prophesy to these bones and say to them, ‘Dry bones, hear the word of the Lord! This is what the Sovereign Lord says to these bones: I will make breath enter you, and you will come to life.  I will attach tendons to you and make flesh come upon you and cover you with skin; I will put breath in you, and you will come to life. Then you will know that I am the Lord.’”

So I prophesied as I was commanded. And as I was prophesying, there was a noise, a rattling sound, and the bones came together, bone to bone.  I looked, and tendons and flesh appeared on them and skin covered them, but there was no breath in them.

Then he said to me, “Prophesy to the breath; prophesy, son of man, and say to it, ‘This is what the Sovereign Lord says: Come, breath, from the four winds and breathe into these slain, that they may live.’”  So I prophesied as he commanded me, and breath entered them; they came to life and stood up on their feet—a vast army.

Then he said to me: “Son of man, these bones are the people of Israel. They say, ‘Our bones are dried up and our hope is gone; we are cut off.’  Therefore prophesy and say to them: ‘This is what the Sovereign Lord says: My people, I am going to open your graves and bring you up from them; I will bring you back to the land of Israel. Then you, my people, will know that I am the Lord, when I open your graves and bring you up from them.  I will put my Spirit in you and you will live, and I will settle you in your own land. Then you will know that I the Lord have spoken, and I have done it, declares the Lord.’”

These verses speak for themselves and it is this vision that takes hold and dominates Qumran and early Christianity.

Remains of the Dura Europos Synagogue

The incredible Dry Bones mural from Dura Europos

Civilization is possible thanks to historical memory, and the artifacts of the past intensify and validate the integrity of our culture and give proof that our beliefs grow out of the struggles of our forebears.  We cannot describe in words what we owe to them, but when they leave behind remnants of their vision it moves us spiritually and emotionally.

The Dura Europos synagogue is now threatened as never before by ISIS.  What a tragedy for all of us if we lose this precious symbol of our religious heritage.

Losing the Cyber War: How to Get Out of the Box and Win

by Stephen Bryen

The United States is losing the cyber war.  Despite hugely increased expenditures on cyber security, every day the situation worsens and we continue to fall behind.  As I write there is no government or military website that has not been hacked and vital information stolen. It is not just the government – banks, health care systems, financial transactions, credit card data, identity theft, social security numbers, legal briefs, strategy documents, corporate secrets, intellectual property – the list is nearly endless.

When you are in a war you look for metrics to understand just how well you are doing and what the conflict outcome will be. An Army general surveys the battlefield, estimates his resources, evaluates his technology, and decides on his strategy.  If the general believes he will lose the war, he tells his political leaders and waits for guidance.

There are four possible outcomes in a war: fight to win; fight to a stalemate of some kind; negotiate with the enemy; surrender.

Looking at the current state of affairs in the ongoing cyber war, we can reach some conclusions.

Firstly, right now we cannot fight to win because we do not have either the troops or the technology to win.  No one has figured out a satisfactory offensive strategy other than to convert cyber war into a traditional war.  This is impractical and no one is really willing to go down this path (other than to threaten some sort of offensive cyber warfare).

Secondly, there is no stalemate in cyber warfare available to the United States.  One of the most serious potential threats, China, is too important economically and politically to be seriously challenged. Beyond China there are plenty of other cyber war makers, as in Russia, Iran, Syria and even hackers embedded in countries around the world.   While the US and some of our friends have tried to prosecute some hackers, the triumphs are few and far between.  None of the threats are under sufficient pressure to stop hacking; in fact they are more emboldened than ever.

Thirdly, there is no one to negotiate with today.  Attempts have been made to talk to the Chinese; they deny everything and blame the US for spying on them.

This leaves the surrender option, but unlike territorial war, there is no one to surrender to so we face the prospect of going on losing.  Our critical infrastructure is exposed, our government is losing control of its systems, and our military is watching as its command and control and its vital technology spills out through the back end of its networked systems or through its industrial partners.

Throwing more money at “the problem” is not a panacea.  Our government, military, and critical infrastructure cannot continue running around like chickens with their heads cut off.  That is the sum of what is happening today.

The entire infrastructure of information technology is based mostly on an open architecture approach to computer systems and network infrastructure.  That is conducive to a fairly rapid spiral development of new commercial technology. Unfortunately, the downside of the commercial approach is that security plays second or third fiddle to the push for bagging commercial dollars from investors and customers alike.

It is very well known that spending money on security does not “produce” anything, so putting money and resources into security systems is resented by investors and corporations, even by individual users who often chafe under security restrictions and operational limitations.

The commercial computer space is heavily tilted toward entertainment and not to business or industry. Nowhere has the entertainment element enjoyed more success than in mobile devices such as smartphones and tablets; for the most part there is not even a pretense of security in these systems.

We have to recognize that the entertainment function of computer systems and networks, mobile and fixed, is a fact of life. Where we go wrong is to use the same operating systems and network support for entertainment as we do for government, business, and the military.  Adding to that, the same underbelly developmental system, a global collection of non-vetted persons and risky manufacturing locations, adds to the conundrum.

A great indicator of the collective mindset today is shifting everything over to so-called cloud systems, even where we don’t have the slightest idea of how these clouds are managed or how easily they can be compromised.  The Pentagon, which obviously knows better, is today endorsing cloud systems that are a big risk, just as they are supporting mobile platforms that have been hacked to death.

It is time to break free from the open source globalized approach when it comes to government, military and critical infrastructure mobile and fixed computers and networks.  Wasting billions on hopeless security “solutions” while we continue to fall behind in the cyber war battle is senseless, wasteful and frustrating, and demonstrates bad leadership and hopeless management.  Let’s stop.

What we need is an American secure operating system and an American secure network environment built in a trusted environment by reliable people in safe manufacturing locations.  Not in China.  Not offshore.  Here.

The talent to do this surely exists, it is just being wasted today on “other” projects.

A Strategic Plan would look like this:

1. Replace all critical infrastructure operating systems and networks with a US developed secure operating system in three to five years.

2. Assure that connectivity outside of the secure environment is carried out separately from vital secure computing.

3. Impose the massive use of encryption and truly protected authentication on the new secure operating system.

4. Make sure all OS and Secure Network users are properly cleared and vetted.

5. Put in place a compartmentalization system based on need to know and create a series of decentralized and regulated security centers to make sure the thresholds on need to know and a permission based environment are carefully maintained.

6. Do not use any equipment made outside the United States in the critical infrastructure.

7. Create a T&E center to check all hardware, firmware, software with independent auditors and engineers.

8. Create a Red Team to constantly try and break the system, point out vulnerabilities, and fix them immediately.  The Red Team should be large and heavily incentivized to find problems.

9. Never, ever, share the US system with anyone outside the US.  Make sure that the technology is controlled fully by the US government.  And design the system so that if a piece is lost, it can be deactivated remotely and never be useful to an adversary or enemy.

10. Make sure the intellectual property, the technology developers, the Red Teams, and the system of compartmentalization are secret.

Clearly we cannot continue to run our country when there is global knowledge parity of computer systems, hardware and software we use and where most of our critical products are produced outside the US, especially in China.  Nor can we sit around and wait for the inevitable collapse of our military command and control, electrical grid, transportation network, banking services or our health care system.

The above proposal sets a direction for a solution.  We can win the cyber war.


Give Me $46 Billion and I will Build a Safe Computer System

ABI Research estimates that cyber security spending on the critical infrastructure was $46 billion last year. The largest part of these dollars was spent in the United States.


Meanwhile, in the United States, Federal government agencies have stepped up their efforts to improve cyber security protection. The Pentagon is tripling its staffing of cyber security professionals even while critical defense programs are being cancelled or curtailed. By 2016, the Pentagon should have 6,000 cyber professionals at work. In a boastful speech describing the Defense Department’s investment in cyber, Defense Secretary Hagel says they are on the way to building “a modern cyberforce.” To back up his words, the Pentagon announced last June that by 2018 the Pentagon planned to spend $23 billion on cyber security.

The Defense Department also created a United States Cyber Command (originated in 2009) which is located at Ft. Meade, Maryland, the home of the National Security Agency. The Cyber Command (officially USCYBERCOM) is headed by a Navy Admiral, Michael S. Rogers, and is subordinate to the US Strategic Command. Strategic Command involves space operations (such as military satellites), information operations (such as information warfare), missile defense, global command and control, intelligence, surveillance, and reconnaissance, global strike and strategic deterrence (the United States nuclear arsenal), and combating weapons of mass destruction. Thus USCYBERCOM is part of the Defense Department’s most sensitive organization that includes control over America’s strategic nuclear missiles.

But despite this massive spending and the hiring of thousands of security professionals, the United States has thus far failed to protect government agencies, the rest of the critical infrastructure of the United States, regular businesses, and personal security. Despite the billions sunk into the effort each year, none of the investment has stopped the Russians, the Chinese, the Iranians, the Syrians, or the tens of thousands of hackers from pounding America’s computer networks. To date there have been massive hits against government computer systems, health care systems, banking and finance, power companies including nuclear facilities and energy companies, and defense companies. Vast amounts of information have been either stolen, overwritten or mutilated by hackers. Today no one can be sure whether our communications are safe, whether the lights will stay on, whether our early warning systems will function. Instead of curtailing the threat, every evidence points to its escalating out of control.

Has anyone bothered to ask why this is so? Now, our leaders, bureaucrats and their academic and industry advisers keep telling us they need to spend more, and like Pavlov’s dogs, when the bell rings, they appropriate more money to fight the threat.

If you have a spare $46 billion lying around there is an answer to computer security. But the answer will not be found in any Federal government plan. All of them are, like Hans Brinker, trying to stick their finger in the leaking dyke.

The reason is easy to discern. All computers, including all mobile devices, operate on open systems that were developed by countless software engineers worldwide. The computer industry and its allied software development is a global industry that is totally insecure. You don’t know who writes the code, the level of competency, the degree of security training, the level of auditing and internal testing for vulnerabilities, or whether some of the engineers are owned by foreign intelligence services or are promoting various ideological causes. Even in the United States, major companies such as Microsoft, Apple, or Google are run by nameless developers who come from a plethora of places (including lots of foreigners). These companies have no ability to properly vet their employees, nor do they have any real incentive to do so.

What makes matters even worse is that we have grown a security industry, already embedded in government and in corporate America, that feeds off the vast amounts of money being thrown at the computer hacking problem. To be frank, these folks have a vested interest in insecurity, because insecurity fuels their budgets. And even if the majority of them are sincere and want to help, their efforts will always fail.

The brilliant Pentagon, which is supposed to know what it is doing in cyber matters, has hired Amazon to provide “cloud” services for Pentagon information and data. The Pentagon has also cleared Samsung (a Korean company), Apple (an American company) and Blackberry (a Canadian company) to provide mobile phones for top Pentagon employees. These Pentagon decisions are intellectually defective and demonstrate that throwing billions of dollars at a problem may only compound the issue. Who clears the people at Samsung, or Blackberry, Apple or Amazon? A lot of folks in Hollywood right now, who stupidly “trusted” Apple’s cloud service, now find their naked bodies (and more) posted on the Internet.

The truth of the matter is that public systems and “open source” software are the real danger. Give us $46 billion and we can fix the problem, at least for the Pentagon and the critical infrastructure by building a truly secure, totally encrypted system that is self contained and invulnerable to hacking. To be safe you must eliminate all open source, public systems for government and critical business enterprises.

Right now you cannot buy a safe operating system because no one has invested in one. That investment is absolutely necessary for our survival and our security, not to mention the protection of our freedom and democracy. Open source public systems will always trample on human rights. They are sources of constant abuse by our enemies.

Let’s face it. The US government made a huge mistake when it decided to rely on public systems for critical communications and data storage. When you think that almost all the hardware is made in China and the folks producing these systems are everywhere around the world, you can see the enormity of the security disaster before us.

Given the destabilizing events around the world, the risks to American vital defense systems and critical infrastructure are reaching the tipping point. It is urgent for our leaders to recognize the nature of the threat and implement a radical change in our computer networks and systems. The Pentagon, DARPA, CYBERCOM, NSA and everyone else involved have a responsibility to figure it out and not just play dumb.

PLEASE NOTE: This article, written by Stephen Bryen and Rebecca Abrahams was published on September 5, 2014 in the Huffington Post.  

http://www.huffingtonpost.com/rebecca-abrahams/give-me-46-billion-and-i_b_5773316.html 

 

 


Is China’s New Computer Operating System a Threat?

by Stephen Bryen and Rebecca Abrahams

Originally appeared in the Huffington Post at http://www.huffingtonpost.com/rebecca-abrahams/is-chinas-new-computer-op_b_5738068.html

China has announced it will introduce a new computer operating system in October to replace Windows. Already deeply embarrassed and unhappy over alleged spying on its computers by the US Government, China has vowed to take action.

Its first step was to stop government agencies from using Microsoft’s most recent Windows 8 on their machines. But its latest project, to replace Windows altogether, puts China into a new category as a challenger to US dominance in the ultra-sensitive computer operating system league. Controlling computers today is part and parcel of political power, and China understands this. That’s why China is not only replacing Windows, but it wants to get rid of Apple’s iOS and Google’s Android too.

China has three related opportunities and can be expected to exploit all of them.
The first involves better controlling China’s domestic computers and mobile devices by regulating through the operating system what users can, or cannot, do. China is likely to achieve this through a strongly controlled computer software registration system managed not by Microsoft, Google or Apple but by the Chinese government.

China will gain many benefits. It will have tens of millions of users virtually on launch, and it will control all access by being able to directly regulate software and applications that run on its approved operating system. Likewise, China will likely build in some sort of encryption system linking computers to the Internet, which will create problems for any outside organization to penetrate. And China will stimulate development of domestic software alternatives to Western software products. China will also gain vast experience in how to manage an operating system evolution, how to fix vulnerabilities, how to add features, and how to support software in the field. This will grow a domestic industry that will rapidly mature and will benefit the Chinese state.

Beyond its domestic market, China will be able to look to introducing its software in the global market. China can find a number of opportunities to spread its operating system in many parts of the world. For example, it could potentially challenge both Microsoft and Android computer laptop platforms by offering a cheaper and stronger operating system to users. Price is a big factor in low end laptops and netbooks. China controls most computer manufacturing today. Put an operating system on top, especially one that is open enough to support popular software and social networking products and China could well have a winner. Of course, China’s commercial OS will be different from the one it promotes internally, but this can easily be handled especially if registration and OS downloads are managed by a location-sensitive server.

A third and even bigger opportunity for China is to team with a non-American foreign company to offer an “independent” operating system to customers. This may prove to be attractive to a European partner because the Europeans are quite unhappy with American spying, and they have far less concern, if any, about China than America has. There are plenty of large European companies who are, in the IT world, always playing second fiddle to the U.S. Here is a great chance for them to get ahead. And they can do it on the cheap, since the software investment will be heavily China’s operational and financial responsibility.

Where does this leave US companies? Certainly China will emerge as a heavyweight challenger to the likes of Microsoft, Google and Apple. But it is not just US companies that matter here. The loss of control over where operating systems come from could pose a security challenge for America’s intelligence agencies that will be formidable and hard to overcome. While that is still in the future, it would be foolish not to prepare ourselves for the problems on the road ahead.


Deep Panda: Chinese Leaders Want to Reap the Benefits of Cyber Spying But They Will End Up Depressed

by Stephen Bryen

China shifted its focus from spying on the countries around it to spying on Iraq, according to cyber experts who follow Chinese hacking. In the effort, called “Deep Panda,” it appears China’s leaders were trying to figure out what the United States was going to do about the Iraqi situation after ISIS seized over a third of Iraqi territory. To get answers, the Chinese Deep Panda folks targeted the top strategic think tanks in Washington.

It has long been the case that China’s “official” hackers targeted U.S. government organizations and institutions. But focusing on Think Tanks is something that is, apparently, new.

One presumes that the Chinese wanted to read the emails, texts and opinion pieces of the experts to try and estimate America’s strategic posture to Iraq. While we don’t know the Think Tanks the Chinese targeted, it is likely they chose the ones they feel are most closely aligned with the current administration because their experts would have close ties to Obama’s National Security Council, Pentagon, CIA, State Department and, possibly, to other “insiders” who use the Think Tanks as sounding boards.

Foreign governments with representation in Washington generally devote a lot of effort to gleaning policy information, and it is easier for them to talk to outsiders in Think Tanks than to get appointments with actual decision makers. China, like Russia, and all the friendlier countries (UK, Japan, Israel and many others) collect information and send it home.

But China opted for collecting information by hacking, rather than by meeting Think Tank specialists. Why?

By relying on a secret operation to steal information China’s leaders probably thought they might find out much more than Think Tank specialists were willing to tell them. China is not in good odor today, even with the liberal Think Tanks that support Obama. That is because China is a growing power and increasingly a threat to American interests, of course. But the bigger reason is that China’s increasingly poor track record on human rights and freedom is offensive both to liberal and conservative thinkers in Washington. A Chinese official seeking information, even one who approaches a Think Tank as an ostensibly independent academic, is likely to find himself or herself accosted with complaints about China’s behavior against dissidents and minorities. From China’s perspective, this means low productivity in garnering needed information. Thus there is good reason to believe that China needs to steal information because it cannot get it through “normal” channels.

China almost certainly has been following the contacts of Think Tank experts with administration officials for years. China maintains a sophisticated cyber-hacking capability with all the latest technology. The incorrigible sloppiness of Americans toward their own security is certainly well known to the Chinese, and it goes without saying they exploit it. The blabbermouths on cellphones, Twitter, Facebook, LinkedIn and everywhere else not only provide timely information on specific policy subjects to the Chinese, but also let them very easily connect the dots and figure out who is connected to whom and which relationships are the most productive ones to follow. A Think Tank leader, therefore, will be known by much more than what he or she says; the Chinese will know his best connections, his reliability as a source, and his influence in decision making circles. The rapid shift of operational hacking resources to find out about Iraq, therefore, was quite easy for the Chinese, because they had already mapped the network and only needed to probe more deeply and urgently to get answers to specific questions they had.

China is a relatively big industrial player in Iraq. Iraq is China’s fifth-largest overseas oil supplier, behind top producer Saudi Arabia, and China as an imported oil consumer is larger than the United States. Unlike the United States, however, China has no military capability of any significance in the Middle East and can neither assure the stability of oil-supplying regimes nor protect the sea lines of communication (SLOC) that bring the oil to China’s refineries. Ironically, while China is in the midst of a significant military buildup challenging U.S. interests in Asia, China is depending entirely on the U.S. for its vital oil supplies. While Americans don’t recognize it, a big part of our defense budget directly benefits China in this way while, at the same time, China is assiduously stealing American defense secrets in an unparalleled, brazen manner.

While China could live without Iraq’s oil, and can afford even to lose the $3 billion or so it has invested in Iraqi oil projects, the main Chinese interest is the risk that an out of control Iraq will lead to a general political collapse even beyond Iraq’s borders. A blow up in Saudi Arabia, for example, would create chaos in China and might well spell the end of China’s neo-Communist government.

This is the same threat that, naturally, concerns the U.S. and its European allies. But, if the Chinese have been listening carefully, as they have, they won’t be very happy with what they are hearing through their hacking channels. Right now any effective military response by the United States seems rather unlikely, and it is complicated even further by the foolish moves by the administration to try and use the Iranians and Syrians as proxies (along with Hezbollah) to bail them out of the ISIS onslaught. All this moronic move will achieve is to further frighten Saudi Arabia and push them into ISIS’s outstretched but wicked arms.

In short, China’s leaders have good reason to be depressed. America is not coming to their rescue on a white horse. And China has made almost all the wrong bets in the Middle East.


Is the Supreme Court Cellphone Decision A Bad Decision?

By Stephen Bryen
 
The Supreme Court decision on cellphones, Riley versus California, may seem like an open and shut case because the Court unanimously found that when a person is arrested a cellphone may not be searched without a warrant. But the seemingly unanimous decision may have more fissures and cracks than most people think, and it is far from certain that in the long run the much touted “victory” for privacy will, in fact, be sustained either by the Court itself or by Congress and State legislatures.
 
The essence of Riley versus California, and a companion case, U.S. versus Brima Wurie, is that an arresting officer or officers cannot search a person’s cellular phone without obtaining a warrant. Riley was stopped by a police officer while driving with expired number tags. During the stop, the officer found that Riley also had a suspended driver’s license. The car was impounded and searched and guns were found hidden under the car’s hood. A search of the cell phone turned up a connection between Riley and a street gang and photographs of Riley standing in front of a car that was involved in a shooting a few weeks earlier. Riley was charged, among other things, with attempted murder and was convicted with a 15 years to life sentence. His appeal was based on the claim that the search of his cell phone violated his Fourth Amendment rights.
 
Wurie was picked up in a routine surveillance where the arresting officer thought that a drug sale was taking place.  Wurie had two cell phones that were searched and this led to a location and photos.  The search of the location, an apartment, yielded crack cocaine, weapons and drug paraphernalia.   Wurie was convicted of distributing drugs.  The search of the apartment was covered by an appropriate warrant.  Wurie got 262 months in prison but appealed that the information improperly taken from his cell phones should have been suppressed.
 
The Court needed to consider whether, in fact, the Constitutional rights of the two litigants were violated.  In the Riley case, the decision by the Supreme Court probably frees Riley from a 15 year to life sentence.  In the case of Wurie, he could not be convicted of selling drugs because of lack of proof and would need to be released.
 
It follows, therefore, that the Supreme Court decision in these two cases has a profound impact on law enforcement, and even though the Court reached a unanimous decision, there are a host of problems embedded in the decision, including the danger to society of releasing criminals from jail.
 
The Court did not say that cellphones cannot be searched.  What the Court said is that you need a warrant, in most (but not all) cases before a phone can be searched.
 
Warrants are issued based on probable cause. The arresting officer or his superiors need to convince a judge to issue a warrant. Warrant requests are rarely denied, although a judge may try and narrow the scope of the warrant in certain ways or ask questions before a warrant is issued. In a Texas case last year Federal Magistrate Judge Stephen Smith in Houston denied a request by the FBI to remotely hack a computer by planting spy software on it. His action did not completely block the FBI, but it created a legal problem because the Judge wanted to know how to supervise the collecting of information obtained in this way to make sure it was pertinent to a case said to involve alleged bank fraud and identity theft. Among other things the FBI wanted to remotely control the computer’s webcam.
 
The Supreme Court, in its unanimous decision, also recognized that there were circumstances when a warrant might not be needed at all when a phone was seized. For example, the Court noted that if there could be information on a phone that would warn officers of impending danger from associates of the person arrested, the phone could be searched. This “concession” is a mess for law enforcement. If they search a phone without a warrant feeling there is an impending danger and find nothing, are they guilty of an illegal search? What is to be done with evidence they may find of criminal activity, but not anything threatening to law enforcement officers? What if the threat was to the public, e.g., a terrorist attack or other plot against either individuals or groups or sensitive locations? Must the officers abandon this information? And finally, if they find evidence of criminal activity but not of impending threat to the officers, have they conducted an illegal search and must they abandon any prosecution based on such evidence?
 
In respect to certain categories of crime (murder, terrorism, kidnapping, rape), the Court needs to revisit its decision. When serious threats are involved, law enforcement should not have to wait for a warrant. This, it seems, is what Justice Samuel Alito was trying to get at in partially concurring with the other Supreme Court Justices in deciding these cases. There is little doubt that Justice Alito was uncomfortable and he urged (State) legislatures to enact legislation that draws reasonable distinctions “based on categories of information or perhaps other variables” because, as he says, cell phones pose “new and difficult enforcement problems.” Justice Alito warns against “using the blunt instrument of the Fourth Amendment” in deciding these matters and points out that the Supreme Court “is poorly positioned to understand and evaluate” these matters.
 
Justice Alito, unfortunately, did not follow through on his logic and reach suitable conclusions that properly protect our society. In fact, one can argue that the unanimous decision of the Supreme Court may create immense risks by creating confusion within law enforcement and in the courts which undermines civil protection and homeland security.
 
The truth is that the Supreme Court’s decision in these cases leads to less safety for citizens, even though its intent was to protect privacy.  The Courts need to recognize that there is a difference between privacy and criminality, and the level and type of threat needs to be part of any Court decision.  At the end of the day, these Supreme Court decisions, universally hailed as a good thing, are probably the reverse.

Bergdahl and Alan Gross, the One Who Did Not Walk Away

I have been trying to stay away from the story of Army Sgt. Bowe Bergdahl, the chap who we traded Taliban murderers for, and who knows what else.

The spin doctors tried to put out a story that the Sergeant’s health was rapidly declining and that freeing him was an urgent matter for the administration. They also characterized, and continue to say, that Bergdahl fell into the hands of the enemy while he was on patrol, leaving open the suggestion that either he was in the front or at the rear of a line of soldiers on patrol in the wilderness of Afghanistan.

But it seems that story was false. The truth is that Bergdahl was not on patrol. He had been on guard duty around a FOB, or Forward Operating Base, and seems to have disappeared shortly after completing his guard assignment. According to what his comrades at the outpost say, Bergdahl left behind his weapon and his body armor, all arranged in a neat stack, and walked off, taking with him only his compass. Where would he have been going in the middle of the night?

It would seem likely that either Bergdahl knew more or less where the “enemy” was, or he had some prior contact perhaps through a third party to give him instructions on what to do and where to go and who to meet. We don’t know that any of this is the case, but it seems bizarre to just wander off and take your chances, since the perimeter of this FOB was far from secure and all the soldiers on the base knew that they were in harm’s way.

So too does the story seem false that the trade was made for Bergdahl because he was ill.  The administration has suggested that he lost a lot of weight, or that he was suffering some incurable illness.

The Associated Press reports as follows on the health issue: “ ‘Had we waited and lost him,’ said national security adviser Susan Rice, ‘I don’t think anybody would have forgiven the United States government.’ She said he had lost considerable weight and faced an ‘acute’ situation. Yet she also said he appeared to be ‘in good physical condition.’ ”

If he was in good physical condition, then we are to suppose he had a mental problem?  How could that be diagnosed in conversations with a kid who in talking to his father only spoke in Pashto, claiming he had “forgotten” English, his native language?

The AP also reports that  two administration officials said that the Taliban may have been concerned about his health, as well, since the U.S. had sent the message that it would respond harshly if any harm befell him in captivity.

There is a serious problem with what the unidentified administration officials are saying.  Bergdahl was not a prisoner of the Taliban.  He was a “prisoner” of the Haqqani Network.  While the Taliban and the Haqqani Network sometimes work together, the Haqqani is also closely linked to al-Qaeda and is probably the organization that facilitated Osama bin Laden’s transfer from Afghanistan to Pakistan.   So it is fair to ask, what did the Haqqani network get out of the deal with Washington?  Certainly not the release of five Taliban terrorists.  Was it money?  Or something else?

Finally, the AP reports that in 2010 the Defense Department concluded that Bergdahl walked away from his post, and this led to a decision to call off the active hunt for him.  Instead of rescuing him, says the AP, the Defense Department would use only diplomatic means to get him released if at all possible.

The release of terrorists in exchange for a U.S. soldier paints a target on the back of every American soldier. The Taliban, well aware of their great victory over the United States and the American military, are making their success loud and clear. Every tinhorn terrorist now knows that he (or she) can benefit by snagging an American soldier.

Today there are Americans who are incarcerated where, it seems, the administration has done nothing.  The case of Alan Gross, who worked for the State Department, is a case in point.  He was “convicted” and thrown into a Cuban prison in 2009.  It would be easy to get him back if we traded some jailed Cuban spies in the U.S. for him.  But the administration, despite the pleas of the Gross family and many in the Jewish community who worked with Alan trying to aid Jews in Cuba,  has not brought Alan home.  He was working for them and he did not walk away.

 

Addendum: I want to call readers’ attention to a devastating story carried in the London Daily Mail newspaper. The story tells of an Army officer who died trying to “rescue” Bergdahl from his captors in 2009. http://www.dailymail.co.uk/news/article-2646345/EXCLUSIVE-Outraged-parents-officer-died-searching-deserter-Bergdahl-hit-Obama-cover-just-like-Benghazi-claiming-told-LIES-hero-son-died.html

Also please visit http://www.bringalanhome.org, the website to help free Alan Gross. He deserves to be free.

There is one further point that needs to be made. The “freeing” of Bergdahl is obviously a cover for something else. Bergdahl is a little fish in a much bigger pond. What the administration is actually doing is negotiating a deal with the Taliban to take over Afghanistan. I feel really certain this is the case. The Bergdahl father had a channel to the Taliban, and I think the administration wanted to use this “innocent” seeming channel to negotiate something far bigger. All the rest is simply noise, but the noise is unfortunately terribly harmful to the families who have suffered over the Bergdahl matter, and the prisoners who remain prisoners, because the administration has no interest in them, the most obvious case being Alan Gross.

The State Department has rejected any exchange for Alan Gross.  See http://www.timesofisrael.com/us-state-dept-no-bergdahl-like-swap-for-alan-gross/

YOUR CAMERA IS ON, BEWARE!

Facebook says that it will be turning on the microphone on your smartphone. For what reason, we have no idea but can guess. Turning on cameras and microphones is becoming a huge problem.

Szymon Sidor is a Polish-born software engineering genius currently working for Dropbox as an intern; before that he served two internships with Google working on Google Chrome® and Google Analytics®. Now he is working on his PhD at MIT and he writes a blog called “Snacks for Your Mind.” Sidor’s latest “snack” is a demonstration of how the cameras on your Android® smartphone can be turned on without you knowing it, and sequential photos sent to a third party over the Internet. Along with the photos, data on your location is displayed in the intercept so you can be easily tracked. All this happens without any awareness by the phone user; the screen can either be turned off or on, it does not matter. Szymon has gotten around the Android requirement to display any photo preview on the screen by reducing the preview to only one pixel, which you won’t notice even when your screen is on. On top of this, his solution has gone around Android’s notification that an app is running, so you cannot even check to see if this brilliant piece of software “mal-engineering” is running.

Spying through cameras on smartphones and webcams on computers and laptops, as well as tablets, is widespread today. GCHQ, Britain’s NSA, ran a program called “Optic Nerve.” Optic Nerve scanned live online webcam chats on Yahoo and probably other chat services between 2008 and 2012. Many of these images were very personal ones, and could be used to either embarrass or blackmail users. Reports in the UK say that NSA engineers helped GCHQ develop the Optic Nerve program. Many have either claimed or speculated that one way the NSA and other U.S. spy agencies got around the prohibition of spying on Americans was to let a third party do it for them. In a recent case, a U.S. law firm representing Indonesian interests was bugged by the Australian Signals Directorate. Special intelligence cooperation occurs under the “Five Eyes” program. The cooperating countries are the U.S., U.K., Australia, New Zealand and Canada.

News reports, based on the leaks of NSA information by Edward Snowden, say that GCHQ stored millions of images gleaned from its webcam surveillance. These images can be retrieved in various ways, including the use of advanced face recognition systems, so seemingly unrelated video chats from different computers and with different names or web addresses can be linked together. Obviously, when used correctly and legally, this is an important counter-terrorism tool. But when it is used as a political tool to harass or blackmail people, the consequences are different and corrosive. A problem the U.S. government still has, new legislation notwithstanding, is how to assure the proper use of information that can be very personal and completely unrelated to any counter terrorism or criminal activity.

It is not only the NSA or GCHQ that can spy on webcams. Marcus Thomas, a former assistant director of the FBI’s Operational Technology Division in Quantico, Virginia, told the Washington Post that the FBI could spy on anyone’s webcam without turning on the camera’s indicator light. While not all webcams have indicator lights, and many laptops do not have them at all, the indicator light is a nice security feature that tells you when the camera is active. Webcam spying is part of a suite of so-called Remote Access Tools or RATs. Thomas told the Post that the FBI has had these tools for years but uses “Rattingly” (the webcam spying tool) sparingly.

But camera spying is not at all limited to governments or official spy agencies and organizations. It is so widespread today that it has even spread to schools. Just this year Lower Merion Township, a classy suburb of Philadelphia, settled a lawsuit, brought by two students, paying them $610,000 in compensation. The crime? The school provided 2,300 MacBooks® to their students and installed spy software on them that snapped pictures of the students. Photos of the students included snaps of them at home, in bed, sometimes partially clothed. In one case the school claimed a student was “popping” pills: in fact he was eating candy.

“Sextortion” is a growing problem. What is Sextortion? Sextortion is the secret control of webcams or smartphone cameras to run extortion rackets against people. A major case gained notoriety in California where the now-20-year-old Jared Abrahams “illegally hacked into the laptops of several young women in the U.S. and abroad, then took control of their webcams in order to film and photograph them while they undressed,” according to the FBI. The scam included webcam pictures of Miss Teen USA Cassidy Wolf, who was a classmate of Abrahams. “Abrahams threatened to post the images to the victim’s social media accounts unless the women provided additional nude photos/videos or obeyed his commands during a five-minute Skype session.” Abrahams was convicted and got an 18 month jail sentence. In another case, a Glendale, California man was sentenced to five years in federal prison Monday after pleading guilty in a sextortion case that targeted hundreds of women. Interpol announced the arrest of 58 persons in the Philippines for sextortion, including one case where a 17-year-old victim committed suicide in July last year following blackmailing by the group. In fact, “The scale of these sextortion networks is massive, and run with just one goal in mind: to make money regardless of the terrible emotional damage they inflict on their victims,” says Sanjay Virmani, director of the Interpol Digital Crime Center.

Webcams and phone cams are also an important source for corporate spying. This works in two ways: companies and organizations spying on their own employees, and competitors and thieves spying on corporations. By being able to activate either a webcam or microphone on a PC, laptop or smartphone, intruders can listen in on sensitive meetings and conversations and even know where the meetings are held, who attended, and everything about what was discussed.

There are plenty of vendors selling spy software, some designed for “professional” business use and marketed as a way to track employees, such as a product for employee monitoring made by InterGuard. Such spying falls into a gray legal area, but once it goes onto a mobile device such as a smartphone or tablet it clearly intrudes on privacy outside of the work space. Even so, this is an unsettled area in U.S. law.  It is of course illegal to record a conversation without getting the permission of the person or persons being recorded, but keep in mind even web conferencing software allows for proceedings to be recorded and no permission is asked. These days there are hundreds of spying products to choose from, and the best of them facilitate surreptitious webcam and mobile cam spying.

Corporate spying can facilitate “insider” trading, where the “insider” is sitting outside but has privileged access to your webcam or mobile camera and microphone. No one knows the extent of financial manipulation and computer and smartphone spying going on that facilitates insider trading, stock exchange manipulation, and trading of sensitive investment and competitive information.

It is legal to sell spy software, just illegal to use it without permission outside the workplace, unless it is used to spy by parents on their minor children. Even this “permission” is fraught with difficulty, since other kids who are not related to the parents may well be captured while the parents spy on their children.

In short, there is an epidemic of webcam and smartphone camera monitoring and spying and such spying affects everyone. Our laws have a long way to go to catch up to the reality of this powerful attack on personal privacy.

What can you do? One “solution” often proposed is to cover up the webcam on your PC or laptop. This does stop the camera but does nothing about the microphone, so it is only a partial answer, and only if you remember to do it religiously. With the number of devices in homes and offices, it is not simple to manage. And tablets and smartphones often have two cameras, one in front and one on the back. Covering both is awkward and probably unrealistic.

A second solution is to get positive control over cameras and microphones so malware and intruders can’t switch them on. One product for Android is Office Anti-Spy. It makes sure the cameras and microphones are turned off and nothing can be recorded. This solution trumps Szymon Sidor’s brilliant Android hack, and other RAT tools that try to control your device.

Most important of all is to realize that the world is seething with snoops, provocateurs and criminals. No one, whether school children, teenagers, adults, corporate tycoons or government officials, can escape them or live in this world unnoticed.
