Bill Gertz, one of the leading national security reporters in the United States, broke the story that the Obamacare web software was developed in part in Belarus. Belarus became an independent country in 1991. While on paper the country is supposedly democratic, in fact it operates as a kind of dictatorship where the military, police, government and media are controlled. The OECD calls the country “un-free. The U.S. relationship to Belarus is somewhat strained, but Belarus has been a way-point for supplies to the ISAF in Afghanistan.
Gertz raised the issue of possible backdoors planted in the software for the Obamacare system. A backdoor would make it possible for personal information stored on an Obamacare site to be secretly collected by an intruder or hacker. No one has yet determined whether the software provided has been corrupted, but as Gertz reported, U.S. intelligence agencies warned DHS of the potential risk and news reports say that DHS is investigating the HealthCare.gov web software. In addition to the government web site, the same software is also being used by all American medical insurance companies and most medical facilities in the U.S.
There have been numerous reports and complaints that the Obamacare websites lacked security. The lack of security is a major design flaw. On top of the design problem, the system has been plagued with technical problems. Sloppily made software can account for many errors, but clumsy backdoors inserted into otherwise operable software can also cause multiple points of failure when the system operates.
Why would software development be outsourced to a foreign country? The reason is cost. Belarus is a low cost provider of software services, with prices that are far below costs in the United States.
The U.S. government when it writes a contract agrees in advance to how services are priced. Usually the standard is provided by the GSA.
Below you will find a comparison of costs for software programming in Belarus and U.S. GSA pricing:
Average software development rates for Belarus in 2010 were:
29 USD/hour – Project Manager
26 USD/hour – Senior developer
22 USD/hour – Middle developer
18 USD/hour – Junior developer
GSA Hourly Rates
Applications Software Subject Matter Expert
Business Systems Analyst
Database Admin (DBA)
Desktop Support Engineer
ERP Software Subject Matter Expert
Help Desk Support
Junior SQA Engineer / Software Quality Assurance
Principal Software Engineer
Senior Business Systems Analyst
Senior Database Admin (DBA)
Senior Network Engineer
Senior Project Manager
Senior Software Engineer
Senior SQA Engineer
Clearly there is a huge difference between U.S. prices and those in Belarus.
The Obamacare website, developed by the company CGI, cost $630 million. This is a staggering price, and could be one of the largest expenditures ever for any health insurance system.
The CGI contract was a sole source contract. After much controversy, CGI was fired and another contractor, Accenture, was hired for one year at $91 million. In all these contracts there was no competition and little or no visibility on the contract parameters. Thus, for example, we don’t know if the contract permitted subcontracting outside of the United States, and we don’t know if foreign contracting was allowed, whether the contractor was still able to charge DHS at GSA rate levels.
One would think that the Justice Department, as well the the DHS Inspector General, should be examining the CGI contract and considering how charges were made for contract performance.
Don’t hold your breath on any investigation, though. There is no sunshine in Obamacare.
Samsung is offering a special version of its Samsung IV Galaxy smartphone called Knox. Knox is targeted on the high end financial, business and government communities. Does Knox solve the problem of smartphone insecurity and significantly reduce risk for its users?
What is Knox: Knox is a partitioned mobile platform running two operating systems, one for personal use and one for enterprise use –the enterprise (private) side being within a “container.”
There are other Knox-like partitioned mobile platforms either in the market or entering the market coming from other vendors such as LG, Blackberry, etc. None of them have been around long enough to know how well they are engineered in relationship to multiple Android vulnerabilities and OS/Kernel weaknesses.
The Knox container has its own separate home screen, launcher, applications and widgets. All the data and applications stored in the container are said to be isolated. It is claimed that no application or process inside the container can interact or communicate with any process outside of it and vice-versa.
All files within the container are encrypted using the Advanced Encryption Standard (AES) cipher algorithm with a 256-bit key.
Knox features are (1) Customizable Secure Boot, (2) TrustZone-based Integrity Measurement Architecture (TIMA), and (3) Security Enhancements for Android. Secure boot, the company claims, is the Knox-enabled device’s first line of defense, ensuring that only verified and authorized software can run on the device bootup. TIMA monitors the kernel.
Knox depends on the user to carefully delineate use between partitions. Knox does not protect the public partition. Knox runs an APP store for the private side that provides safe APPS for Knox.
Problems with Knox
Ben Gurion University of Israel is located in Be’er Sheba, Israel
In the past two months there have been reports of vulnerabilities and flaws in the Knox system.
The latest report comes from the Ben Gurion University Cyber Security Laboratory in Israel. There two researchers Mordechai Guri and Dudu Mimran (the Security Laboratory Chief Technical Officer) claim that a hacker can easily intercept any data on the secure side of the Knox platform. The researchers also believe that professional hackers could actually modify the Knox platform, effectively compromising it by planting malware or spyware on the platform. In response a Samsung spokesperson said “Rest assured the core Knox architecture cannot be compromised or infiltrated by such malware.”
Until now, no one has explained how spyware, planted on the public side of the Knox platform, won’t seriously compromise the Knox user.
Researchers should look into two security problems that arise in a dual platform device.
The first problem is what happens if spyware is planted on the public side of the smartphone. This is the “open” platform that is generally unprotected. Spyware, or what is called a spy phone, can intercept literally any conversation and any transaction (email, text, video, photo) on the public side of the smartphone. Professional spy phones can activate a phone’s microphones and cameras without the knowledge of the user and even if the phone is switched off. Since among the data normally targeted by spy phones are calendars, the intruder knows when to activate the spy phone. When the intruder does this, either he can immediately stream the information secretly back to his web address, or alternatively he can store it in a hidden folder and stream it back later. In short, the user remains entirely vulnerable on the public side to spy phones and other malware.
The second problem revolves around the question of the use of hardware on Knox. A smartphone consists of numerous sensors and transmitting systems including cameras, microphones, Bluetooth, WIFI, voice and data radios, etc. When a Knox user is booted up on the private side of the phone, are the sensors and radios fully and securely controlled by the Knox platform? If not, then a spy phone or other malware on the public side can take information from these same sensors being used on the private side of the platform. This would facilitate spying on the private side as well as on the public side of the platform.
APPS for the private side of the Knox platform are controlled through a store run by Samsung. Experience with attempts to block malware on Android platforms by auditing APPS in places such as Google Store, have been less than successful. One anti-virus company reported this past summer that some 1,200 APPS on the Google store over a 7 month period were malware. And these are the easy ones to detect. Really sophisticated malware is often embedded in legitimate programs. Because of the plethora of APPS available today, and the diversity of sources (APP production is truly a global enterprise), finding the “bad” ones is a challenge. If we learned anything from anti-virus software, the “bad” stuff is usually found after many computers are already infected. When you think of the small universe of enterprise and government users of a product like Samsung, the risk is exponential if a “bad” APP or “bad” modified APP infects the smartphone.
No one really knows if Samsung will be any more successful than Google in protecting APPS, yet this protection is critical under the Knox scheme. If history shows us anything, one should not be optimistic or confident in the result.
The Knox system offers an effort at a serious security system for an Android platform. Other companies, such as LG and Blackberry, are working on the same thing. While the jury is still out on Knox, there is no doubt there are many problems. It is unlikely either the U.S. government or enterprise customers will, as Samsung says, “rest assured” that Knox is safe.
They didn’t tell us, and we did not ask, out of being polite we can assure you. But we can certainly guess how it was done.
There are both internal and external vulnerabilities in smartphones. Let’s look at them.
In regard to internal vulnerabilities, commercial smartphones (the majority of them manufactured in Asia) contain hardware, firmware and software combined with lots of sensors and radios. The operating systems of smartphones (such as iPhone, Android-phones, Windows phones, Blackberry and the others) are designed to link up the phone’s hardware, its sensors, and its radios together. Most of the computer “code” is written to get the job done, but for the most part security plays second or third fiddle on commercial platforms. Indeed, there is so much social networking and connectivity demanded by smartphone users, that the idea of putting in any kind of security perimeter for the smartphone platform is all but verboten. This makes it easy for intruders, thieves, private eyes, lawyers and governments to spy to their heart’s content. All these need to do is to exploit some social APP (the technique is called ‘Phishing’), plant some malware, or install a spy phone on the mobile device.
What is a Spy Phone
A spy phone is specialized spying software that lives “in the background” on a smartphone. An intruder or hacker controls the smartphone remotely meaning the phone itself can be switched on at any time without the screen lighting up, conversations can be recorded and surreptitiously broadcast, and virtually all the information on the phone can be hijacked. This means contact lists, emails, text messages, photos, videos and files can be grabbed at will.
Spy phones vary in level of sophistication, but if you want to buy one you can find a commercial spy phone for every type of mobile phone and smartphone. It is, of course, illegal to listen to someone’s conversations without their permission, but professional spy phone users, and a fair number of amateur sleuths, don’t worry about the legal nicety. That’s why in the U.K. there is a major phone hacking scandal which has to do with stealing text messages, emails, photos and voice mail messages.
More than 100 major UK firms, not counting a number of newspapers, are said to have engaged in smartphone spying activities, usually working through cutouts (in the main private investigators). This kind of spying either was for economic gain, efforts to compromise a person by learning about their private life, or for salacious reasons. The fact that it was widespread and virtually out of control in the UK should forewarn us that the same is true in the United States.
Chancellor Merkel’s Phone
German Chancellor holds her mobile phone during the plenary session of the European Parliament in Brussels, 27 June 2007.
Angela Merkel has a smartphone, and she likely has APPS installed that please her. So one avenue of attack for an intruder is to plant spy phone software on her mobile. Is this what the German counter-intelligence services (probably the BND or Bundesnachrichendienst) found? While totally speculation, if they did then they probably could “sanbdbox” Mrs. Merkel’s phone and pretty quickly figure out who was doing the listening. We don’t know that this is what happened, but some event certainly triggered Merkel to pick up the phone and complain directly to President Obama. These things, as one knows, just are not done. Gentlemen don’t read the mail of other gentlemen or women, to paraphrase Henry L. Stimson, former U.S. Secretary of War (before we decided we should only be for Defense and not for War).
External Spying and Intercepts
The second way to break into a smartphone is external –that is, to intercept conversations. There are a number of ways to do this. One can create a false cell phone tower and intercept calls that way. This method, called IMSI Catching after the International Mobile Subscribe Number that is in every phone, is how you can grab calls from a near proximity to the caller.
In our initial review we thought that “It is unlikely the U.S. used IMSI Catching. ” Now De Spiegel is reporting that the spying on the Chancellors phone, which may have gone on for more than 10 years, may have been run out of a U.S. installation in the German capital, a spying operation that was not legally registered with the German government. The location is about one mile from the offices of the Chancellor. This would put it in range for an IMSI catcher. Therefore the use of the IMSI catcher cannot be ruled out.
Another way is to get the cooperation of the telephone company or mobile phone company. This works in your home country (as the NSA has proven by downloading all the metadata of the phones of U.S. citizens, and who knows what else) but it is not likely to have worked in Germany because the NSA is not in a position to twist the arms of German cell phone and telephone companies. But it is possible, as an alternative strategy, to tap into trunk lines that carry calls over fiber optic lines. It seems this is a major shared industry between the NSA and their UK counterparts in GCHQ. While they might not get all of Merkel’s calls that way, they could get some of them.
Most Likely Spying Method
In short, NSA had plenty of options. We would think the most likely one was to plant a spy phone on Chancellor Merkel’s phone, but it could also have been through an IMSI catcher.
In Germany there are many that think Merkel should have taken sterner action when the first Snowden revelations about tapping German phones became public. They say Merkel is, in fact, now also a victim because she did not act.
The security company Secusmart and the mobile phone producer Blackberry presented their new secure smartphone – with the German eagle – to the Chancellor.
The plain truth is, of course, that the BND and other German security services were either sleeping at the switch or did not care. Otherwise they would not have let their chancellor’s phone get compromised by NSA or by anyone else.
The United States has been shaken up by the news of pervasive U.S. government spying that touches millions of American citizens. The first swing of the bat was news that Verizon Business Services was providing on a daily basis a dump of all its land line and mobile metadata to the NSA as a result of a secret type of court order. While the Verizon story was a leak, it is easy to figure that all the other Verizon phone services, and their competitors such as AT&T, Spring and T-Mobile (and the lesser players) are also coughing up their meta data.
Just as the Verizon story was peaking, another story hit the wires, also originating from the London Guardian. This, much bigger story, said that pursuant to another court order, all the social media including VOIP favorites such as Skype, were being mass downloaded by the government. All the stories about these channels being encrypted, turn out to be only partly the truth. The encryption is not a problem, it seems, if you are inside the servers at Microsoft or Google or Amazon or any of the other players. And NSA, according to its PRISM program (which was revealed by the Guardian) was clearly inside the servers. Of course all the “biggies” immediately denied this: but the truth is that they are under a legal obligation to give such denials.
How does this come about? Public officials, to the extent they will tell, say that the Patriot Act is the authority under which they are authorized to conduct surveillance “suspected terrorists, those suspected of engaging in computer fraud or abuse, and agents of a foreign power who are engaged in clandestine activities.” While terrorism is the explanation most often given, the mandate is much broader than that, and it is highly subjective.
In fact, the U.S. government has made a decision that to effectively maintain coherence in government and protect national security, the full-blown Patriot Act is an essential component. We live in an age of rapidly proliferating Internet connectivity, social media, and communications globalization. In this exponentially growing sector, nation states survival may be threatened as never before.
Consider, first of all, the security of leaders in government and industry. They live in a fishbowl environment where their every move can be tracked and every sentence they write or speak intercepted. Not only, but the actions of leaders can open important information doors for cyber thieves by outlining connections such as relationships and alliances that can be exploited. On top of all this, leaders can be represented fraudulently by impostors fakers, and “mal-verts.” This can lead to significant mistakes, errors, frauds and disasters.
Consider also the security of technology and the protection of intellectual property. There are credible studies that show that U.S. technology is being stolen of huge value, estimated as some $300 billion annually. The U.S. spends roughly $645 billion annually on defense, which includes all war spending and personnel costs. About $128 billion is spent on procurement each year. So the cyber thefts of defense designs are double what is spent on what is being purchased. When you add what is being sucked out of the private sector, it is clear that trying to prevent these crimes is, and must be, a priority if the country’s prosperity is to continue, its social compact preserved, and its security safeguarded.
Finally physical threats to America and American citizens also is a major worry. The Patriot Act is concerned in the first instance with terrorism. There is broad agreement that the United States is engaged in what is called sometimes the “long war” against terrorism threats. It should not surprise that a significant part of the “long war” originates in radical Islam, which sees the United States as the Great Satan. Attacks on Americans, and American allies, is considered a religious duty. Western values are off the table. Attacks on churches, synagogues, airlines, communities, public places, is part of the long war. And the long war is on the verge of getting far worse, not better. By setting a standard for viciousness and ferocity, the long war is being taken up outside Islam by other radicals and anarchists, right and left. Fascism is again starting to spread in Europe, and anarchism is rising again in America. Trying to get a handle on these threats and deal with the broadening threat is a critical duty of government. The Patriot Act sets the framework for this.
What we don’t know is whether the Patriot Act is being used fairly and honorably. As it is set up today, there is no satisfactory way to prevent abuses, and it is fairly likely there have been more than some. If you can go looking for “foreign agents” and “spies” you have a free hand to use these means for intimidating people and for ruining reputations and careers. There have been enough examples in recent years to make us more than wonder how often this occurs.
So if it is agreed we need a Patriot Act, we should also put in place some independent safeguards. Without them, there is a great risk that the system will run a muck, out of control, sucking up information that will wind up being used nefariously. This can’t be 100% prevented, but Congress and the Administration need to figure out a way to put serious controls in place to stop abuse in its tracks and punish those who do that.
The alternative could be public revulsion so great that the Patriot Act and the agencies it feeds will be changed significantly and our security the worse off.
No matter what President Obama and China’s President Xi Jinping agree this week, China will not stop cyber espionage.
China may decide, as a result of the upcoming summit meeting, to crack down on hackers who operate independently, or who moonlight for profit in the hours they are not working for either China’s government or China’s military. That will be a bone to try and lower the tension that has been building between China and the U.S. on the issue of cyber theft. But it won’t really make a big difference.
The first is based on vicarious hacking by groups of computer geeks who want to show off their prowess and gain bragging rights for successfully attacking important institutions and organizations. The “thrill” involved is to show how smart they are, how brilliantly they can defeat the CIA or the Pentagon.
The second group grows out of the first but it has become ideological. Ideological hacking is hacking for a political purpose. Many of the ideological hackers are really anarchists in modern dress. This kind of hacking has been growing and is illustrated by phenomena such as Wikileaks and its leader Julian Asange, currently holed up in the Ecuadorian Embassy in London while wanted by Sweden where he has been charged with rape.
The third type of hacking is “For Profit.” Information is stolen, bank accounts and money machines are pilfered, sometimes blackmail is used. For Profit hacking is not always separable from ideological hacking or from vicarious hacking.
Fourth is cyber crime against individuals and political groups carried out by governments. Sometimes this is pursuant to law and follows a legal process, but not always (even in the U.S. where phones can be tapped and computers can be invaded without a warrant or clearance by a court).
Fifth is cyber crime for national security reasons. This is a specialty of China. Recent information says that China is annually stealing $300 billion worth of national security information, much of which is weapons designs.
Why? There are essentially three reasons why China is doing this.
The first is that stealing the information is easy to do. There are hardly any credible barriers to scooping up defense information, government data, and the proprietary information of private companies.
The second reason is that there are not any consequences. This is crime without punishment. And because China owns a large part of the U.S. Treasury, the enthusiasm by U.S. government leaders to crack down is tempered by concern that our own economy would unravel if we push too hard. On top of that, a lot of our top industry people are making money on China.
And the third reason is that China cannot be a superpower without U.S. technology. There is very little innovation in China, despite large investments, the presence of foreign companies, a strong electronics industry, and a huge number of Chinese nationals educated abroad (subsidizing plenty of American graduate schools of engineering, science and cyber studies).
Taken together this put the U.S. in a bind. Lacking a credible strategy to confront the losses, the U.S. defense posture is at risk thanks to the China thieves. And more and more companies will also feel the heat as China’s clones of their products swamp the U.S. market.
Meanwhile, one thing Xi Jinping will not do is allow China to be anything less than a superpower, so he must continue robbing the U.S. blind. And he will.
Instead of new draconian gun laws of dubious effect, consider the ubiquitous E-Z pass.
Like millions of other Americans, I pay a small monthly fee for my handy E-Z Pass transponder. It gets me through toll booths on highways, bridges and tunnels quickly and efficiently; it crosses State lines without interruption. For the most part, the E-Z Pass billing system is accurate and gives you a helpful record of your travels.
The E-Z Pass is a passive sensor, actually a transceiver activated by a radio signal from the toll booth or toll lane. The transceiver operates at 915 mhz and transmits information at 500 kilobits per second. No battery or other power source is needed. The specific E-Z Pass technology is proprietary, but transceivers for other applications have already been built. Today, RFID (radio frequency identification) devices are inserted into credit cards, building passes, garage gate openers, and Metro fare cards, to name just a few applications.
Can this technology be applied to guns and how would it work?
Putting RFID sensors into manufactured guns and tagging them to the owner is in fact simpler than the E-Z Pass system, because the sensor can be embedded at the time of manufacture or, for guns already in circulation, can be added at a very small cost. Putting antennas around schools, colleges, hospitals, sports stadiums (for example) and public buildings is not complex. Linking the sensors to existing security systems also is reasonably straightforward and not expensive.
Consider this. A person with a gun approaches an elementary school. If the school perimeter contained RFID antennas, they could detect the gun, automatically lock down the school, and warn school personnel that there is a potential threat.
Consider this. At the entrance of the State Department there is a security check that includes an RFID antenna to find a gun. Even if the gun is hidden or the magnetometer cannot not find it, it is likely the RFID antenna will detect it.
Consider this. At the entrances to the Cherry Hill Mall in New Jersey, there are RFID antennas. If someone enters the mall with a gun, the security guards are immediately alerted. The detectors are linked to PTZ (pan tilt zoom) cameras that can track the likely gun holder.
RFID technology can buy a lot of protection. It can be implemented quickly in new guns and existing registered guns. It is low cost.
In fact an Italian company called Chiappa Firearms has already introduced RFID chips in all its new guns. While their press release is in Italian (http://www.tiropratico.com/Cinzia_Pinzoni/RFID_chiappa.pdf) they say that the chips are virtually indestructible and that they can be read by remote detectors in microseconds.
Putting protection around schools, for example, compliments existing security systems and procedures and can be done quickly and probably within existing security and infrastructure budgets.
But isn’t the problem illegal guns? Illegal guns are a major crime problem, but — as we just saw tragically in Newtown — legal guns are often the ones used in incidents such as school shootings, work places attacks, and shootings in public access places or events. For the most part, schools, colleges, malls, work places, and public buildings have only limited, or no defenses against legal or illegal guns, with the preponderance of crime they experience coming from legal guns.
Thirty years ago, I served as Deputy Under Secretary of Defense for Trade and Security Policy, and Director of the Defense Technology Security Administration. Our offices became concerned with Glock pistols that were being made of synthetic polymers (a type of plastic). The problem was that the “plastic” Glock might not be recognized by metal detectors or X-Ray machines in airports or in secure buildings. The answer, which the Glock people accepted, was to add some metal powder to the plastic so the gun shape could be seen in an X-Ray machine and picked up by a metal detector.
The RFID tag is a modern evolution of the Glock idea, but with the advantage that it can provide early warning of danger.
In the coming months, the President and Congress are poised to consider new gun laws in response to the multi-victim tragedies of our recent past. Many of the ideas currently advanced sound draconian, may violate the Second Amendment, and are unlikely to reduce violence committed with legally registered weapons. An E-Z Pass-type solution wouldn’t reduce the likelihood of a violent attempt being undertaken by a mentally unbalanced or otherwise disturbed person, but it could very well protect innocent people from victimhood.
Dr. Stephen Bryen is President of SDB Partners, LLC based in Washington, DC
It will be a different world if the United States achieves energy independence. And now predictions are that this will happen sooner rather than later, probably by 2020. But becoming energy independent is starting to happen even now, and organizations will try and take advantage of large surpluses, especially natural gas.
Becoming energy independent has huge foreign policy and national defense implications.
Today the Great Risk Point (GRP) is the supply of oil through the Persian Gulf. An adversary could create havoc in the shipping lanes, blow up supply depots, or even set oil fields on fire.
GRP is such a big problem that the current administration is petrified that a rogue Iran will inflame the Gulf, and if not them, then al-Qaeda or the Muslim Brotherhood or their analogues. Take your pick. So the idea is to embrace them and try and redirect them away from precipitous action.
But an energy independent America no longer faces GRP. And there are developments that may also save Europe arising from oil discoveries from Israel, to Cyprus and probably to Greece that, if they can be moved quickly enough, can make up the difference from the Gulf. The money is starting to come into these alternatives and this is shifting the geopolitical stage.
OPEC will try and fight the trend by lowering energy prices. But lowering energy prices a lot means less money that can be used at home to buy off adversaries, especially the local kind. So if prices dip, which may already be starting to happen, revolution rises. The trouble in Bahrain is a harbinger, not an oddity.
The U.S., depending on the timing of all this, is in fat city. But the loser are not only the Gulf States (including Iran), but also the outliers who do not have enough oil of their own. China could get into staggering trouble if oil supplies are interrupted. Same for Japan, Korea and many others. And Europe –already heading for its own self-made depression- could collapse. Euro-socialism will go, but what will remain could be a fierce civil war in Europe between have’s and have not’s, and between ethnic groups such as Euro-Arabs, Gypsies, Jews –some new suspects, some the usual ones.
U.S. foreign policy is built around defense of the Persian Gulf and safeguarding the flow of oil. The first Gulf war started for the United States when Saddam’s Army crossed into Saudi territory. Then the threat was clear and unambiguous. The second Gulf war also was alarm about Saddam’s intentions and his ability to blackmail the region thanks to arsenals of chemical and biological agents. (How much he had, what happened to it, remains a matter of dispute, but policy makers believed he had WMD, which is all that is really important.)
But as local oil replaces imported oil, and natural gas replaces diesel and, eventually gasoline, we enter a period of enhanced ambiguity, not clarity. Voices will ask why the U.S. should make the supply of oil safe for Europe, or safe for China? Others will explain that we cannot roll-back revolution in the region, that we lack credibility to do that, and a political upheaval is not easy to solve with military force, especially the diminished forces we now have. As we learned in Iraq and Afghanistan, the war costs probably exceed our ability to pay, at least for the next five to ten years.
Certainly there will be renewed emphasis on the southern Mediterranean, and NATO may try and strengthen its role in protecting the emerging supplies of oil. But to do that Israel will have to become either a de facto or de jure member of NATO, and the Euro-politics of that are really formidable. Other solutions may have to be found, such as new localized collective security agreements. These are in the future, but not very far.
Meanwhile we are on the precipice of a huge transformation. American domestic and foreign policy may never be the same.
Ying Ma hosts the radio program and blog Friends and Foes of Liberty. The program features in-depth discussions with thinkers and leaders about freedom, geopolitics, the global marketplace and U.S. foreign policy. Ying Ma (馬穎) writes regularly about China, international affairs and the free market. Much of her research explores the nexus between political and economic freedom with respect to China’s rising influence on the global stage. Her articles have covered issues such as the Internet revolution, democratization, climate change, state capitalism and market liberalization, and have appeared in The Wall Street Journal Asia, the International Herald Tribune, the Los Angeles Times, National Review Online, The Weekly Standard, Policy Review and other publications. She is the author of Chinese Girl in the Ghetto, which she completed as a visiting fellow at the Hoover Institution at Stanford University.
In this program, Ying Ma asks: Should the United States refuse massive amounts of money from China? Listen to the lively interview with Dr. Stephen Bryen about the national security implications of Chinese foreign direct investment in this country. Find out why Dr. Bryen opposes Chinese acquisition of U.S. telecom networks but supports a Chinese wind farm company that may have fallen victim to the Obama administration’s election-year politics.
Dr. Bryen is the President and CEO of Ziklag Systems and the President and CEO of SDB Partners. He has 40 years of experience working in national security and industry, and has previously served as a senior staff director of the U.S. Senate Foreign Relations Committee, as an Under Secretary of Defense for Trade Security Policy in the Reagan administration, and as the President of the North America operations of Finmeccanica, one of the world’s top ten global players in aerospace, defense and security.
Google is building what it calls a “Privacy Red Team.” The company is rapidly recruiting qualified engineers for the job. In its advertisement for team members, Google says: ”Top candidates will have an intimate knowledge of the inner workings of modern web browsers and computer networks, enjoy analyzing software designs and implementations from both a privacy and security perspective, and will be recognized experts at discovering and prioritizing subtle, unusual, and emergent security flaws.”
Google’s Red Team is a good idea –in fact every technology company should consider having security expertise at the engineering level.
But the security issue is bigger than the technical elements.
Today, not only personal privacy but also personal security are at risk because of the security weaknesses of computer and mobile phone operating systems and related software applications.
In thinking about security it is not only the risk of crime or the loss of sensitive information. As we can see in places such as Iran, the risk also is to the lives of those who oppose the Iranian regime. As I wrote recently in the magazine InFocus Quarterly, Iran is buying spy gear from the West and using it against their own people. With this equipment Iran can easily spy on the mobile phones of the regime’s opponents, entrap them, and jail them, sometimes leading to executions.
Companies legally trying to do business in certain countries either tend to look the other way, don’t “officially” want to know where their technology goes or how it is used, or actively cooperate with governments trying to suppress their own people.
So in fact modern technology has created a conundrum for technology-based companies working in the computer and telecommunications fields.
I believe we can expect tougher U.S. laws in future to not only protect privacy but to deal with spy technology sold to rogue regimes.
Many of the big companies have Boards of Directors that should, with management, be addressing such issues. But if one looks at many technology companies one finds a lack of qualified Board Members that can champion privacy and security from the inside.
Today’s world is in upheaval. Modern technology has dramatically changed the game and is redefining the global political landscape. While American companies are, by far, not the only force in the technology space, as companies that live in the world’s greatest democracy U.S. companies have a responsibility to do more to make sure that our technology does not create victims domestically or internationally.
Google is moving in the right direction with its privacy red team. The next step for Google and other high tech companies is for them to enhance their Boards of Directors with security and privacy advocates and create either security committees or Security Advisory Boards.
The great majority of mobile attacks, and their malware, stem from and attack third-party markets, particularly in China and Russia. In most cases, we do not find this malware in the official Android market.
Google’s app store has suffered from some incidents, but so far those counts are moderate. McAfee Labs advises customers to use “install software” only from the official market. That step should greatly reduce the risk of compromising your Android device.
This quarter we saw significant amounts of new adware and mobile backdoor malware, along with some very simple premium-rate SMS-sending malware.
Mobile adware displays ads on a victim’s phone without permission. (This does not include ad-supported games or apps.) Adware ranges from wallpaper with added sales pitches (Android/Nyearleaker.A) to fake versions of games that send visitors to advertising sites (Android/Steek.A). Adware doesn’t necessarily reduce users’ security, but it does subject them to unwanted ads.
Backdoor Trojans on Android have gotten a bit more sophisticated. Instead of performing just one action, they use root exploits and launch additional malware.
Android/FoncyDropper.A, for example, uses a root exploit to gain control of the phone and launch an IRC bot that receives commands from the attacker. It also sends premium-rate SMS messages based on the country of the SIM card.
In a similar vein, Android/Rootsmart.A uses a root exploit to download Android/DrdLive.A, a backdoor Trojan that sends premium-rate SMS messages and takes commands from a control server.
Android/Stiniter.A uses a root exploit to download additional malware and sends information from the phone to sites under the control of the attacker. It also sends text messages to premium-rate numbers. The attacker’s control server updates the message body and the number the hijacked phone sends to.
This quarter, malware writers created one of the first destructive Android Trojans, Android/Moghava.A. Instead of damaging apps or other executables this malware goes after photos. Moghava.A searches for photos stored on the SD card, and adds the image of the Ayatollah Khomeini to each picture. The malware is also a bit buggy, so it will continue to add to the pictures until there is no more space on the card.
The writing is clearly on the wall– We must protect all devices, mobile or otherwise, that have valuable data. If not, today’s cybercriminals will be happy to handle it for us.