Tag Archives: security


by Stephen Bryen*

There is no reason to any longer trust Europe.  Europe is a collection of incompetent and dangerous nation-states with reduced sovereignty that are incapable of defending their borders and inept at ferreting out the terrorists in their midst.  Typically greedy and stupid, Europe’s police and military are all but emasculated, and Europe’s tolerance for domestic and imported terrorism is outright frightening.

With all the refugees pouring in, what are they doing to screen out terrorists?  Nothing.  They have failed to allocate money to buy minimal equipment.  Their security authorities are “detached,” keeping their distance from densely populated Muslim communities and the refugees. Madness?  You bet.

While Europeans amuse themselves by beating up on Israel and practicing snarky antisemitism,  they have voluntarily surrendered their countries (such as they are) to domestic and imported Muslim terrorists who are steadily taking control of key neighborhoods, importing large quantities of weapons and explosives, and building close-knit, difficult to penetrate networks. The fact that most law-enforcement and security members speak no Arabic doesn’t help.

Had the terror cell responsible for the Paris and Brussels attacks delayed the attacks, they might also have been able to carry out their reported plan to attack a nuclear power station.

Most Euro-police forces lack the will and, therefore, the tools to go after suspected Muslim terrorists.  They show up after a terror event and parade around wearing body armor, protective helmets, and rapid fire guns. But they are poorly equipped, uncoordinated, and held in check by political leaders who don’t want to rock the boat of their illusions.

Consider the suicide bomber Ibrahim El Bakraoui.  He was deported twice by the Turks who warned the Belgian authorities he was a terrorist threat.  No matter.  The Belgians who promptly ignored the warnings are now responsible for the killing of at least 31 people, more than 330 wounded and for the short and long term enormous economic cost caused by the recent attacks.  But the Belgians insist it’s not their fault. They claim they are doing their best. The prevalent attitude is, “Once people get it into their minds that they’re going to kill people, you can’t stop them.”

No matter what European bigots say about Israel, and they are always screaming the Israelis are Nazis –  even worse, Jews – the fact remains that Israel has one of the best intelligence operations in the world.  Unlike their incompetent counterparts in Europe, they want and work hard to stop terrorism.  They would also like to protect Jews and Israelis who are all too often the target of terror attacks, as they were recently in Belgium.  One can rightfully ask: how come European intelligence, or the CIA, or Interpol didn’t issue proper warnings?

Europe, in its current condition, is not only living in a terrible threat environment largely of its own making. It also presents a major threat to the United States.

Why?  The lax security conditions and gross incompetence in Europe mean that terrorists can get on a plane and come to the United States.  The risk of hijackings, crashing planes or importing terrorists is very high.  Given the lack of effective European intelligence and monitoring, the U.S. should consider stopping all flights from Europe to the U.S. until the mess is cleaned up.

Many will say such measures are extremist and unjustified.  Really?  The prospect that a flight from Brussels to Dulles Airport, with one or more ISIS terrorists on board, could end up smashing into the White House or the CIA complex, or hitting NSA, south of Baltimore, or a nuclear power station is frightfully real and immensely dangerous.  Such an event would make Fukushima look small by comparison.  Yet we already know that the same terrorists who blew up the Brussels airport and metro had also planned to blow up a nuclear plant there. Do we think that through some heavenly miracle that won’t happen in future?

The European security situation is, at the moment, beyond hopeless.  It is a train wreck with existential implications for America.   Our President’s inability to grasp the danger makes matters that much worse.

America can’t trust Europe right now.  It is urgent that we take measures to protect our homeland.


The terror cell responsible for the Paris and Brussels attacks was planning to attack an unidentified nuclear power station, it has been reported. Pictured is the power plant in Doel, Belgium. Read more: http://www.dailymail.co.uk/news/article-3507417/Brussels-bombers-DID-plan-attack-nuclear-power-station-police-uncover-12-hours-footage-jihadists-filmed-outside-plant-director-s-home.html#ixzz43pbfRWDU



*Dr. Stephen Bryen’s latest book is Technology Security and National Power: Winners and Losers (Transaction Publishers).


Regulating Encryption: Can it be done? Yes.

by Stephen Bryen

NIST Scanner

The Director of the FBI, in a warning to Congress, points out that ISIS is now using encryption to mask messages it is sending to thousands of Americans favorable to the ISIS cause, exhorting them to kill military and police and other hated targets. He, along with others in the Obama administration, is urging “Silicon Valley” to consider building backdoors into encryption products they sell so that law enforcement can tap encrypted phones or computers and properly “do its job.”

But the question is, is there a practical solution?

I have been in the encryption business, or more clearly I have built commercial products that use encryption. In the early 1990’s I founded a company called SECOM (for Secure Communications). We developed a computer chat program that provided a secure, encrypted chat. In those days the Internet was only just getting underway and everyone was using modems (there was no WIFI or data connections except for big business and banks). Nor were there smartphones. The PC, however, was very popular and we built our product to run on PC’s running MSDOS or Windows. And because computers were slow, we built a little plug in computer card which did the actual encryption and decryption work.

Then the fun began. NSA did not like our solution because it was too hard to crack, so they “recommended” reducing the key size. It got to the point where the key size was too small to assure security, and after thinking it over (and investing a lot of development money), we decided we could not sell a product that failed in its critical mission: to protect the users from intercepts. We closed the company.

It was a bad outcome for us. And, as we pointed out at the time, because we used hardware and software we could have controlled who the end users were and assured that only bona fide users, not criminals or terrorists, would have access to the product.

What we went through was nothing new. A few years before IBM had proposed building encryption into all PCs so that all the data stored by them would be secure. NSA again objected, and despite IBM bringing rather heavy guns to bear on the problem, in the person of a direct appeal from the chairman of IBM to the head of the NSA, IBM had to stand down. No encryption chips would live on the IBM circuit board.

NSA and its counterpart the National Institute of Science and Technology (NIST) wear two different hats: on the one hand NSA is charged with carrying out spying in support of its US government “customers”; on the other NSA and NIST produce guidelines for security and even sponsor encryption solutions such as the Advanced Encryption Standard (AES) which has replaced the old Data Encryption Standard (or DES). These sponsored products can be used without any licenses and can be exported abroad.

It may seem odd, therefore, that the government is worried about encryption if it is also facilitating its development and export.

We can add to that the known effort by NIST to publish a random number generator for so-called elliptical curve encryption, which was found to be buggered. The buggered product found its way into corporate security systems in the US and around the world.

The latest alarm in our government is more a consequence of the embarrassing and dangerous leaks by Edward Snowden than anything directly to do with ISIS. Terrorists have been using encryption for a number of years, and they easily get it on the open market. The Russians, Chinese, Europeans, Israelis as well as many companies in the United States develop and sell a wide range of security products that use encryption. And the “Dark Web” on the Internet is also a source of supply for covert type programs and applications.

My own thought is that the government is trying very hard to cut a deal with Snowden so that he will serve a little jail time and then shut up. It seems he still has a large bagful of information that exposes US spying activities. In fact that is the only logical way to interpret statements by our former attorney general Eric Holder who says a deal is possible with Snowden. He should know.

Whatever the case, the availability of encryption on a global scale seems to suggest that trying to control it is a futile exercise. But that is what the government is saying. So the question is what can the government actually do to mitigate the situation?

Many in Silicon Valley (and here we are talking about most of the really big high tech computer and mobile players in the United States) worry that the government will insist on putting a back door into their encryption schemes, or some other way where the government can get into encrypted communications and data transfers. Clearly this is a scheme the government has pursued for a long time, but it brings with it two risks: either the “security” is so weak as to be meaningless, pushing users to outside solutions, or the backdoor or hole in the system is uncovered, as Snowden has already proven. But there is even a third risk: that the backdoor or hole is uncovered by a professional adversary such as China or Russia, meaning that everything you thought was safe is out the window. Given the plethora of exponentially escalating cyber attacks on our government and on corporate America, this “solution” is far more dangerous than abandoning encryption altogether, largely because it creates a false expectation of security.

An alternative solution the government could pursue is simply to make the use of encryption in the United States illegal. Such a thing would be very hard to enforce, but in the mobile world it can be done basically by shutting down any encrypted communication that is unauthorized. The technology for this certainly exists today in the form of network sniffers and scanners.

A modified form of the no encryption approach is to allow encryption only on authorized devices that US industry and licensed political and social organizations can use. To me this makes a lot of sense, and in fact I proposed an alternative idea back in the 1980’s when I dealt with export controls.

The idea propounded then was a sort of Gold Card for industry allowing them to get around the red tape and delays that hurt their business performance.

The idea has merit. We are using it today at American airports, either to have more rapid treatment in security processing (the so called “PRE” benefit) or as part of the Global Access Program to allow Americans who travel a lot to get past long lines at border crossings, especially airports.

Such a scheme would make sense in protecting America and allowing us to secure our communications and data. Naturally it would not stop terrorists from using encryption, but they would not be able to use it with their clients and wannabes in the United States. Such communications would be taken down by scanners.

I think this is an excellent solution for law enforcement because it forces the bad guys out into the open. Then it is law enforcement’s job to put them out of business here. And it is the job of the DOD and CIA to shut them down beyond our borders.

Above all else it is vastly important to make America safe, and it is vital that our communications can be secure and our data repositories free from exploitation. This the government itself should understand from its gross mishandling of sensitive but unclassified information, like the millions of non-encrypted records recently stolen by the Chinese.

Let’s hope we can arrive at a sensible solution to security for America.


11 Cyber Security Suggestions for Political Campaigns

by Stephen Bryen
As we are now in the midst of a Presidential campaign I am offering some free advice on how to keep the playing field as level as possible.  
Today we are deeply immersed in social media, email, texting and the widespread use of all kinds of APPS either to share information or carry out tasks.  Every modern political campaign is going to use all these tools and many more.  So here are suggestions on how to protect yourself.
Suggestion #1.  Do not use web based email, even encrypted web based email.  All web based email passes through servers controlled by the companies who offer the service, sometimes for free (like Google and Yahoo) and sometimes for a fee.  What really matters is that anything that passes through a third party server is a big risk.  Given that folks get pretty spun up over ideological and political issues, even the most security conscious companies can’t really control their employees.  The insider threat is greatest where sensitive information is exposed.  Web based email lives off revenue that is generated by key words that are “read” by machines and the information passed to advertisers or anyone who wants to buy the information.  Thus if I plug in the word “Liberal” as a key word, I will automatically know who the “Liberal” folks are on the email system.  That’s for starters. Then you come to the problem that someone wants to know what a particular campaign is doing, or planning, and plugs in a key word such as a candidate’s name, and then harvests the information.  From this one can deduce who are the active supporters and what they are up to.  From there lots of trouble starts.
Instead of web based email set up your own server and make sure the server is well protected by a firewall and by some form of two step authentication for the users.  Every campaign should have its own server for email and should make sure it is under their full control and carefully monitored.
Suggestion #2.  Do not use Skype, Hangouts or any other “free” service for conferencing.  In fact, don’t use any web based conferencing, even if it is paid.  Set up your own conferencing and your own server.  Listening in on Skype, for example, has been a favorite pastime for NSA, but it is also easily hacked by anyone with technological sophistication.  There is sure to be a big secondary market in intercepted Skype calls, with all kinds of juicy bits either offered up at no cost or bought by desperate candidates, probably using cutouts.  Avoid the problem.
Suggestion #3. Do not use any APP on your cellphone unless you are sure it is clean and safe, and above all don’t use any APPS you get from the Apple Store or Android Play Store. These APPS often steal your information such as your contacts lists or schedule, or report your location.  It is astonishing how many “permissions” APPS ask for that have nothing to do with their functionality.  This is a tip off that the APP comes with an ulterior motive.  To make matters worse, many of the APPS out there in the public are buggered and have malicious code attached to them in the form of malware and spyware. It is very hard to tell what APPS are clean and which are not. Avoid them all.  If you have designed a special APP for campaign use, it is very important to test its integrity and make sure it is not leaking vital information.  And the APP should not be distributed in a public way.
Suggestion #4.  Be careful about cell phone calls, especially if you are in a public area such as an airport, coffee shop, hotel or restaurant.  Today there are lots of cheap IMSI catchers around. An IMSI catcher is a tool that pretends to be a cell tower.  Your cell phone is built to look for the strongest cell phone signal and connect to it.  An IMSI catcher, if it is nearby, will appear to the phone like a strong signal and it will connect to that “tower.”  Then the IMSI catcher acts as a man in the middle: it grabs your call and connects you to a legitimate cell tower and then to the person you are connected with through the phone company. Meanwhile the IMSI catcher can record your entire phone conversation.
Suggestion #5.  Avoid public WiFi.  Public WiFi is very dangerous because it is not encrypted in any way.  Whatever you do across a public WiFi connection is easy to intercept. Like the IMSI catcher, it is also common these days for snoops to set up what looks like a public WiFi to snare your connection, even on airplanes or trains.  This means that you are connected through a snooper to the external network and everything you do or say across the WiFi can be picked off. You are far better off using the data connection from the telephone company than using the data connection of a public WiFi.
Suggestion #6.  Consider secure smartphones for communications at the top levels of a campaign.  The best secure phones both encrypt the conversation so that if it is intercepted it can’t be listened to, and protect the phone from malware and spyware.  Be aware that most secure phones work through servers, and the people who run the servers, if they are third party, may or may not be reliable.  Be careful here and consider running your own secure phone server.
Suggestion #7. Train your staff to follow sound cyber security procedures in all their activities.  Training is very important for two reasons: it helps reduce the chance of human error which is one of the biggest sources of security compromise and it makes people alert to intrusions and threats.  Being ready for various threats is very important.  A denial of service attack could close down a campaign because all its messaging and communications could be blocked.  Knowing what to do when that happens and having alternatives in place means your campaign will not be shut down.
Suggestion #8. Vet companies you hire to provide cyber services, checking carefully who their customers are and whom they employ.  The first rule is to ask for a list of a cyber security company’s customers and their employees.  Then hire a private investigations firm to check them carefully.  Outsourcing cyber security support may be very necessary, but it is also risky. One ringer in the bunch and your campaign could be badly compromised.
Suggestion #9. Make sure that all campaign personnel who have social media accounts clean them before they come on board.  Set rules on what is allowed or not allowed during the campaign. People today are very careless about what they post on social media.  People “tweet” before they think, and post before they consider the consequences.  They also give out too much personal information, location information, even family information that might be used by an adversary.  Rules are very important to help mitigate this risk, and monitoring is not only important but probably mandatory.
Suggestion #10.  Keep your most strategic documents, membership lists, and other vital data off line on computers that are not connected to the Internet.  This is the best way to keep your campaign plans safe.  It is also a good idea to encrypt everything, even what is offline.  One of the cottage industries in Washington DC is for cleaning ladies to be accompanied on their late night work by intruders and poachers who download everything they can from office computers.  If the material is encrypted, then it has no value to any intruder.  Be safe; not sorry.
Suggestion #11.  Don’t allow cell phones or tablets in any meeting you have.  Cell phones and tablets are walking time bombs.  Their microphones and cameras can be switched on by spyware and can listen in and record your meetings and conversations.  And if there is a computer in the room, unplug it!  Even when not having a conversation make sure your webcam is unplugged (if you can) or covered if you can’t.
Above all remember that a political campaign is like any other business or organization in that it must be operated in a responsible way.  If your campaign lacks cyber security you are not only hurting your chances for election but you are hurting your cause and bringing potential harm to colleagues and friends.  Cyber security is not only very important in political campaigns: you can’t succeed without it.

Technology and Security Podcast on iTunes

Washington DC, June 26, 2015
For Immediate Release

Technology and Security has launched a new podcast series by the same name.  Episodes will be available at


Users will need iTunes to download the new podcast series.

Look for this cover in iTunes


While having an audio version is somewhat of an experiment for us, there have been enough requests for a podcast series that we decided to go ahead and make the programs available.

Some of the podcasts will be based directly on our well-regarded blog, Technology and Security.  Others will be available only in podcast format.

Technology and Security aims to relate the importance of technology to national security and national power. Recent books by the blog’s author, Dr. Stephen Bryen, include: Essays in Technology, Security and Strategy and the forthcoming Technology Security and National Power: Winners and Losers.

America has long enjoyed being the world’s technology leader.  But in some sectors that is starting to change as American technology increasingly has gone off shore, fueling China’s rapid growth and military expansion, and as other countries have closed the technology gap with the United States.  These changes and shifts represent a challenge for the future, and for the most part America’s guard still remains down.  Should this persist, America will find its ability to maintain its standard of living and safeguard its security increasingly difficult.

Technology and Security explores these issues and more.  Part of the blog’s focus is on cyber security, an area where adversaries are having their way harvesting American technological information and undermining governmental and infrastructural functions.  Technology and Security helps to explain why this is happening and proposes ways to cope with the situation or strengthen the protection of vital computer networks.


The Real Cybercrime

by Stephen Bryen

[A version of this article appeared in the Huffington Post with Rebecca Abrahams]

It now seems that the Office of Personnel Management, which had outsourced its data storage to other Federal agencies, has lost an astonishing 18 million personnel records, including most of those involving security clearances.  The information is now in the hands of unknown hackers who almost certainly have bartered the stolen information to willing buyers.  Most experts think that the buyer is most likely China, with Russia running a close second.

When a prospective employee applies for a job that requires a security clearance he or she fills out a form called an SF-86 which is called a Questionnaire for National Security Positions. The Questionnaire is extensive and demanding and requires so much information to be handed over to the government that there is virtually nothing left one could dream of adding to it.  Your friends, colleagues, bosses, neighbors are all included along with all your personal information. In the wrong hands this document at minimum guarantees easy identity theft. Worse, in the hands of a determined adversary, a person’s vulnerabilities can be exploited including tracking the employee and making sophisticated “phishing” operations possible.  Phishing is a technique where a false email or message can be sent to an employee that, when opened, puts spyware on the employee’s computer.

You would think given the explosive importance of the SF-86 form that the government would take strong steps to protect the information.  Perish the thought.  Nothing like that has been done: in fact, the government passes around these forms to other agencies (such as the FBI) and gives them to contractors for “processing.”

Our government has consistently failed at computer security from the beginning. The first Computer Security Act was passed in 1988, and there have been many subsequent legislative initiatives since then along with Executive Orders and pronouncements from agencies including NSA and the National Institute of Science and Technology (NIST), the latest one just this week.

None of them understand the problem or demonstrate any real willingness to solve it.  All of them have the wrong cart in front of the wrong horse.

The truth is that unless special steps are taken to protect sensitive unclassified information the game is lost from the start.

What are those steps?  Most fundamentally there are two: compartmenting information and encrypting it.   For unclassified information which is what the SF-86 is considered to be, the government neither compartments nor encrypts. NSA won’t let them because the information is not classified: our government security experts keep thinking they can do it another way.  No they can’t.

NIST has just put out a new directive for contractors.  It is worthless.  Why?  Because it does not require either compartmentalization or encryption.

Compartmentalization means that not everyone can access everything.  It is as simple as that.  It can be made weightier by adding a “need to know” requirement, meaning that you are only entitled to look at what is absolutely necessary for your job.  Properly administered, need to know and compartmentalization protect against any major theft of information, particularly if the data itself is stored in an encrypted format.

081203-N-2147L-390 NORFOLK, Va. (Dec. 3, 2008) Sailors on the watch-floor of the Navy Cyber Defense Operations Command monitor, analyze, detect and defensively respond to unauthorized activity within U.S. Navy information systems and computer networks. (U.S. Navy photo by Mass Communications Specialist 1st Class Corey Lewis/Released)


The real crime is the failure of both the administration and the Congress to put in place a higher standard of information protection applying these known and effective tools.  While everyone is running around thinking about firing the head of the Office of Personnel Management, perhaps they should think about firing themselves for the crimes against privacy they have perpetrated.


Attacks on Religious Institutions is a Global Problem: Is there a solution?

by Stephen Bryen

Church attack in New Delhi


Attacks on religious institutions, churches, schools, community centers and offices are far from only an American problem, although the United States has had plenty of them.

In our country churches, synagogues, mosques and temples have been attacked and worshippers going to and from these places have been murdered. Whether we are speaking about Christian churches, Catholic churches, Sikh Temples, Mosques or Synagogues, all of them have been hit by terrorists. I strongly prefer the term “terrorist” to racist or anti-Semite because it best describes what we are up against.

Around the world terrorism against religious institutions is rampant. Whether we talk about Pakistan where religious school children are wantonly murdered, or India, or Iraq and Syria we find such atrocities. In Europe there have been attacks on synagogues and churches and murders of citizens for example in France, Belgium and Denmark among many others.

While some of the attacks are clearly by radicalized individuals, others involve state backing or state complicity. In the bombing of the Asociación Mutual Israelita Argentina, which killed 85 people in the building and wounded more than 100 others, there is little doubt, outside of the corrupt politicians of Argentina, that the bombing and murder was accomplished by Iranian operatives, perhaps in a conspiracy with Argentinian politicians or police.

State sponsored attacks are a growing threat. Outfits like al-Qaeda, the Taliban, ISIS and Boko Haram can operate because they are sponsored and supported by nation-states, providing them with equipment, intelligence and even naming targets. Coptic Christians would not be murdered in Egypt without the help of the Moslem Brotherhood, which the Obama administration befriended. Chechen terrorists in Russia have got backing from Saudi Arabia either directly or through religious cutouts.

For Americans the question is how to confront the problem. It is one thing to try and build community support against terrorism and racism, but at the end of the day there isn’t any empirical evidence that this is a sufficient strategy to combat such crimes. In fact it may act as a deterrent to hard headed preventive strategies that are badly needed. But there is one thing the community writ large can be encouraged to do: when they see a threat either because someone says something or writes something or threatens someone, people do need to respond and bring it to the attention of the larger community and make law enforcement aware. Here we can talk about the importance of social responsibility and the need to act against terrorists, racists and anti-Semites.

Most religious institutions in the United States are unprotected. The same is true in other countries. Their doors are open to terrorists and externally their perimeters are easily penetrated by bombers, either on foot or in vehicles. Few have active surveillance or even passive barriers to prevent such attacks.

There is no single technology that can guarantee complete protection against a fanatic or group of fanatics, and particularly against professional killers like the ones in Buenos Aires. Even so, protection helps reduce the frequency of successful attacks, helps to identify the perpetrators, and can save lives.

The most important first step is to understand the nature of the threat and to have critical intelligence if the risk level is high. More importantly, real time intelligence may help identify the person or persons who plan an attack.

It is no secret that a lot of this information can be found on social media. Dylann Roof, the 21-year-old man charged with the murders at the Emanuel A.M.E. Church in Charleston, had a Web page with his outrageous rantings posted since last February. No one paid any attention. Law enforcement can easily track social media, but they need to be more proactive and not only warn about risk but also confront those threatening the community. Had information on Dylann Roof been distributed to churches and synagogues (he hated Blacks and Jews and many others), they would have been on the lookout for him and maybe the tragedy could have been prevented. Just distributing his photos (from his web site) could have alerted the folks at the A.M.E. Church.

This is a far better strategy than opining about gun control. Gun control is not going to stop a fanatic any more than it is going to stop a determined criminal.

Once you have information that is useful, you must implement a proper organization to aid in protecting a religious institution. Technology can help, but without a good organization and equally vital good training, the risk remains.

While some synagogues have put in place perimeter protection because of their exposure to constant threats, and some have hired guards, there is not much in the way of organization or training of lay people. There is even less at churches.

The Department of Homeland Security has provided funds here and there to buy defensive equipment such as surveillance cameras or alarm systems, but the Department has not thought to provide organizational training. Some police departments do make an effort to help, but usually they have to be asked to do so and often they themselves are not trained to provide perimeter protection services.

Unfortunately the ball has mostly been dropped, which is why alleged terrorists like Dylann Roof can operate and why the greater threat of state sponsored terrorist attacks on religious institutions in the United States is not far from us.

Surely we can do better.


Hillary’s Phone and the True Security Risk to the United States

By Stephen Bryen

Larry Klayman’s Judicial Watch has filed a lawsuit in the U.S. District Court for the District of Columbia to obtain the release of documents regarding Hillary Clinton’s efforts to gain approval for use of an iPhone or iPad to conduct official business while she was secretary of state (Judicial Watch, Inc. v. U.S. Department of State (No. 1:15-cv-00646)). The notion is that no such documents exist; that is, during the time she was Secretary of State Ms. Clinton was allegedly using an iPhone, iPad or both and allegedly never asked for clearance.

Unfortunately there is widespread use of smartphones and tablets by US officials, mostly without permission. While these are supposedly for private use and not official business (the latter would entail getting an approval), not much has been made of the use of these devices. But the truth is they constitute a huge security risk for two important reasons: smartphones and tablets are unsafe, and officials conduct business on them notwithstanding the risks and in spite of regulations that would require approval to use them.

While the practice no doubt has led to the compromise of sensitive information, most of the time we don’t hear about it. A foreign intelligence service with access to a senior official’s phone would not want to disclose they were listening in, because that would give away an intelligence gold mine. We do know, of course, following disclosures by Edward Snowden, that the US, on its own and in cooperation with foreign intelligence services such as GCHQ in the United Kingdom and the BND in Germany, routinely spies on the smartphones and tablets of foreign officials. Indeed, it appears the BND cooperated with NSA in spying even on Chancellor Merkel’s smartphones (over the years at least five of her smartphones were compromised in this way). Even so, anxious not to come up against her own intelligence services or to lose American support on issues of paramount importance to Germany, Mrs. Merkel has defended the BND and tempered her anger over NSA-led spying in Germany aimed at German officials and corporations.

Nuland’s Phone

With Ukraine in an uproar in 2013 and violent protests in the street, Victoria Nuland called Geoffrey Pyatt, the US Ambassador in Kiev. A full transcript of their conversation was leaked to the press. Here is just one small part of what Nuland and Pyatt had to say:

“Voice thought to be Pyatt’s: I think we’re in play. The Klitschko [Vitaly Klitschko, one of three main opposition leaders] piece is obviously the complicated electron here. Especially the announcement of him as deputy prime minister and you’ve seen some of my notes on the troubles in the marriage right now so we’re trying to get a read really fast on where he is on this stuff. But I think your argument to him, which you’ll need to make, I think that’s the next phone call you want to set up, is exactly the one you made to Yats [Arseniy Yatseniuk, another opposition leader]. And I’m glad you sort of put him on the spot on where he fits in this scenario. And I’m very glad that he said what he said in response.

“Nuland: Good. I don’t think Klitsch should go into the government. I don’t think it’s necessary, I don’t think it’s a good idea.”[1]

Our two genius diplomats, working on an open line, spoke in uncomplimentary terms about Ukrainian leaders.  Nuland and Ambassador Pyatt made it even worse by acting as if they were the decision makers on who would take over leadership in the Ukraine.

It isn’t clear what type of phone, landline or cellular, Pyatt was using, but Nuland’s call seems to have been made on a mobile phone.  Had she called from her office and had Pyatt been in his, they would have used a secure telephone.

As for the wiretap, that was the easiest part. The Ukrainian telephone system was put there by the Russians before Ukraine became independent. Its trunk lines pass through Moscow. While Nuland’s phone conversation could have been leaked by anyone, the Moscow connection seems the most likely source. The Russians would surely gain from embarrassing the United States.[2]

A Danger to State Department Employees

State Department officials posted overseas are at significant risk using commercial smartphones and tablets. Most of the time they are on diplomatic assignments with their families, meaning that the already blurry line between “official” business and personal affairs dissolves into nothingness, especially if the host country is unwelcoming or dangerous. Even assignments to posts in such “safe” places as European capitals are a risk, because there are moles in the local intelligence services and police and because terrorists today use sophisticated intercept tools as part of their arsenal of weapons to track targets. A good example is France, where Islamic radicals exploited social media connections, especially Facebook, to identify targets in the Jewish community. When you think about the families of diplomats using smartphones equipped with accurate GPS, their personal vulnerability is easy to understand.

Who is Responsible?

It is easy to say that public officials are responsible for their behavior, and if they are using smartphones and tablets without government approval, they create a security risk.  But what if they got approval to use these devices from their agency?  Does that make it acceptable?[3]

The truth is that using commercial smartphones by government officials is extraordinarily risky and dangerous.  It means, as already noted, that conversations can be intercepted, contacts identified, and locations pinpointed.

While it is convenient to say that officials are acting improperly, or that agencies have given approval thoughtlessly, it is even more the case that proper security policy is lacking, not just in the State Department, but throughout the US government. The Pentagon and the military, for example, are no better than State, nor is the White House any safer than the Department of Homeland Security.

We are bombarded these days by different cyber plans concocted by the US government, most of which are unmitigated garbage that achieve nothing. If our government just got smart about smartphones it would be a significant achievement.  That our government security experts have failed, and failed dismally, should tell you more than you may want to know about our lack of security and preparedness.


[1] http://www.bbc.com/news/world-europe-26079957

[2] Excerpted from my forthcoming book, Technology Security and National Power: Winners and Losers (Transaction Publishers, 2016).

[3] The Defense Department has recently “approved” three smartphones as “secure,” which is a reckless and unjustified step that enhances the danger of using smartphones and tablets in official business.


Is Hollywood Going Back to Flip Phones?

Hollywood stars, producers and writers are so worried by hacks at Sony and the compromise of “selfie” nude photos that many are saying they are going back to Flip Phones to protect themselves. Are Flip Phones safer than today’s smartphones?
A Flip Phone is called a “Feature Phone” in the trade.  It is not a “smart” phone, but it can do some of the things a smartphone can do.  For example a typical Flip Phone can receive email, SMS (text) messages, send photos, keep a calendar and use Bluetooth.  The big difference is in the Operating System and the fact that Feature Phones typically don’t use high speed data connections such as 3G or 4G or WiFi.
Feature Phones also don’t have operating systems like iPhone, Android or Windows, although some of them might have cut down versions of these systems. Mostly they have semi-programmable software sets that support the phone’s functions.  
But Flip Phones are certainly not “safer” than smartphones.
For example, Flip Phones have GPS chips and your location can be tracked on a Flip just as well as you can be tracked on a smartphone.
And SMS, Email and pictures can be easily intercepted by government organizations as well as by hackers.
There is even pretty good spyware that can be installed on some Flip Phones.
What Feature Phones or Flips generally don’t have is much access to social media such as Facebook which needs a data connection. Nor can you use programs like Skype for communications.  But you can access the Internet, although the connection is very slow.
If the Hollywood types can live without high quality nudie photos and the social media, maybe the Flip Phone will work for them. But it won’t make them much more secure.
Communications on a Flip or Feature Phone are just as vulnerable to intercept as they are on a smartphone. In fact, maybe even more so, because you can’t put your own encryption on a Flip or Feature Phone and many Flip Phones have only rudimentary scrambling that can easily be turned off by any hacker.
The truth is there is neither much protection nor much future in Flip Phones, which is why they are increasingly losing market share.
The big problem for everyone, as far as smartphones and Flip Phones are concerned, is that we are living in the “wild West” in the sense that there are few security standards, lots of spaghetti code, too much foreign manufacturing and tampering, and a home government that exploits all these vulnerabilities, meaning that our government is compromised and won’t do much to help the average citizen, or even the above average citizen (assuming such a citizen exists). This leaves American business at risk and it violates most of the freedoms we are supposed to enjoy. Folks in Hollywood are rightfully offended, but the big picture is even more challenging.

Saving the Critical Infrastructure

by Stephen Bryen

founder and former head of the Defense Technology Security Administration

I have been writing about cyber security for many years.  I believe I have some credibility in this field.  I headed and ran the Defense Department’s program for technology security as the Director of the Defense Technology Security Administration and as a Deputy Under Secretary of Defense.  I also started and ran two cyber security companies, one in the 1990’s called SECOM which was the world’s first secure chat program, and currently Ziklag Systems which markets secure mobile smartphones.  Over the years I have been increasingly concerned about the vulnerability of our critical infrastructure and the risk to America.  My concern has escalated along with growing and successful cyber intrusions into our power, energy, transportation and government grids and networks.  And I have found it shocking that no one seems to  know what to do about the menace.

Somehow our leaders in the administration and Congress, even Admiral Mike Rogers who heads NSA and the US Cyber Command, all of whom clearly understand the threat and risk, seem clueless on how to fix the problem.

Meanwhile China, Russia, Iran, Syria and plenty of rogue operations are increasing the pressure on us by attacking our computer networks.  Nothing is safe.  Not our defense Command and Control systems, our missile defenses, our energy grid, our refineries, our nuclear power plants, not even our telecommunications, transportation, water supply or health care systems are secure.

The reason for that is easy to see. All our computer networks rely on computer operating systems, hardware and software that have been distributed all over the world. Since almost everything about those systems is public, it is easy for attackers with sufficient resources to take them apart. It should surprise no one that virtually all of our hardware is made in China, introducing a massive vulnerability into our critical infrastructure.

Add to this tremendous weakness the problem of SCADA systems. SCADA is the supervisory control and data acquisition system used by nuclear and conventional power plants, heating and cooling systems, manufacturing centers, refineries and lots of other automated systems. There are only two or three SCADA systems in the market with wide acceptance, and they are used worldwide. Once again, both the hardware and software for SCADA are accessible to foreign regimes and terrorists as well as other rogue actors. It is the SCADA that was the center of the attack on Iran’s uranium enrichment centrifuges, where the US and Israel hoped to slow Iran’s acquisition of an atomic bomb. What was done with the Stuxnet worm to damage Iran’s nuclear program likewise can happen to us.

Patching computer operating systems and fixing SCADA software won’t work. This is proven empirically by the growing frequency of successful attacks on critical infrastructure systems. If patches worked, they would save us from attack. But the plain fact is that they may help a little but not enough to stop a determined and resourceful adversary.

China, one of the countries known to be tampering with our critical infrastructure and helping to finance its growth by stealing defense designs and technology from our leading companies, is already taking steps to keep us out of their networks by producing their own computer operating systems they won’t share with us. We should take a clue from China. For critical infrastructure security we need secure operating systems and a new secure SCADA that replaces all the commercial equipment and software we have been using.

Changing over to a government proprietary secure system is a vital step in locking down our networks and management systems.  It requires a bold and determined initiative by the US government, and it needs to be accompanied by security measures that are well drawn and deeply monitored to provide an additional layer of protection.

Above all we need a policy based on “win win,” not on hopes and fictions that we can make what we have work. It is foolish to wait for the worst to happen, as it surely will.


The “StealthGenie” Complaint May Not Accomplish Anything

[Update: It turns out that police departments around the country have been giving out software so parents can monitor their kids’ computers, tablets and phones. This controversial spyware distribution flies in the face of the Justice Department’s StealthGenie indictment; in fact, it makes Justice likely to lose the case if it is ever adjudicated. It is indeed strange that the DOJ failed to do its homework and seems to have taken a Don Quixote-like approach to the problem, leaving out most of the really bad stuff to go after one amateur.
See http://www.cnet.com/news/police-boosted-parental-control-app-is-a-privacy-mess-says-report/ for one report on the matter.]

Two Assistant United States Attorneys, Kevin Mikolashek and Jay Prabhu, have filed a civil Complaint (Civil No. 1:14-ev 1273) against Hammad Akbar for selling a spyware product called StealthGenie. StealthGenie is an APP that works on a variety of smartphones. The APP surreptitiously records incoming and outgoing phone calls; allows the purchaser to intercept calls in real time without the knowledge of the smartphone user; allows conversations in a boardroom or bedroom to be recorded without the knowledge of the smartphone user; allows incoming and outgoing email, SMS (text) messages and voicemail to be recorded and read; and steals the user’s contact list, photos, videos and appointments.
StealthGenie works through a commercial server. StealthGenie used Amazon Web Services located in Ashburn, Virginia. All the intercepted information from StealthGenie is stored on Amazon’s server.
Hammad Akbar and his employees are Pakistani citizens and Akbar lives in Lahore. The chances of catching up with him are precisely zero. Amazon is not a defendant in the case, although clearly Amazon Web services facilitated StealthGenie operations.
The US government view is that this kind of APP is an “interception device” under US Code and Federal Rules of Civil Procedure and that the sale, marketing and advertising of mobile spying applications is illegal. The US Attorneys evinced specific concern that the spread of this kind of APP would help stalkers, although as the Complaint says, the product was advertised as a means of dealing with spousal cheating, which, according to StealthGenie’s owners, a company called InvoCode Pvt. Ltd., constituted 65% of the purchasers of the APP.
This is the first case brought in a Federal court against spyware APPS. It is unlikely to ever be successfully prosecuted, so the civil Complaint really amounts to a warning to others who make similar products.
Today there are hundreds of companies in all parts of the world producing products that resemble StealthGenie. These products are available on the Internet. Some of them are free; others can be purchased. The simplest of them require physical access to the target’s phone to install the malicious APP. More sophisticated stealthy spyware can get downloaded on a phone without the need for physical access. One way is to embed the spyware into a legitimate product and offer it to the user. Another is to plant a Trojan or other bug in the hardware of the device. Recently some Chinese phones have been found to have built-in spyware. There are plenty of other techniques available for professional spies. StealthGenie was meant for amateurs.
Whether the government’s legal argument is sound is less than clear. There are many cases where intercept software can be sold where its use is legal. Two examples come to mind: the sale of intercept software to law enforcement and government; the sale of intercept software to business. Business has a right to monitor its employees, and this right has been generally supported in US courts. This right extends to smartphones, computers and other electronics (such as GPS trackers). It would seem, therefore, that if StealthGenie advertised its APPS for certain business spying, there would not have been any grounds for an indictment.
Another use of spyware APPS is for parents monitoring children. The US Government Complaint does not address this point. But, again, if an APP is advertised for this purpose, is it legal?
Spyware is also extensively used by companies spying on their competitors. Certainly this is not legal, but the government has not bothered to act on such spying. Why?
One thing is certain: the government’s action, no matter how well-intentioned, misses the mark in important ways. The widespread spying going on in our society, some of it easily accomplished by monitoring social APPS like Facebook and Twitter, is a real scourge. So too is the monetization of personal information by many of the tech-giants, who are making a fortune exploiting our privacy. We have a very long way to go before any of this is brought to a halt.