Tag Archives: security

11 Cyber Security Suggestions for Political Campaigns

by Stephen Bryen
As we are now in the midst of a Presidential campaign I am offering some free advice on how to keep the playing field as level as possible.  
 
Today we are deeply immersed in social media, email, texting and the widespread use of all kinds of APPS either to share information or carry out tasks.  Every modern political campaign is going to use all these tools and many more.  So here are suggestions on how to protect yourself.
 
Suggestion #1.  Do not use web based email, even encrypted web based email.  All web based email passes through servers controlled by the companies who offer the service, sometimes for free (like Google and Yahoo) and sometimes for a fee.  What really matters is that anything that passes through a third party server is a big risk.  Given that folks get pretty spun up over ideological and political issues, even the most security conscious companies can’t really control their employees.  The insider threat is greatest where sensitive information is exposed.  Web based email lives off revenue that is generated by key words that are “read” by machines and the information passed to advertisers or anyone who wants to buy the information.  Thus if I plug in the word “Liberal” as a key word, I will automatically know who the “Liberal” folks are on the email system.  That’s for starters. Then you come to the problem that someone wants to know what a particular campaign is doing, or planning, and plugs in a key word such as a candidate’s name, and then harvests the information.  From this one can deduce who are the active supporters and what they are up to.  From there lots of trouble starts.
 
Instead of web based email set up your own server and make sure the server is well protected by a firewall and by some form of two step authentication for the users.  Every campaign should have its own server for email and should make sure it is under their full control and carefully monitored.
 
Suggestion #2.  Do not use Skype, Hangouts or any other “free” service for conferencing.  In fact, don’t use any web based conferencing, even if it is paid.  Set up your own conferencing and your own server.  Listening in on Skype, for example, has been a favorite pastime for NSA, but it is also easily hacked by anyone with technological sophistication.  There is sure to be a big secondary market in intercepted Skype calls, with all kinds of juicy bits either offered up at no cost or bought by desperate candidates, probably using cutouts.  Avoid the problem.
 
Suggestion #3. Do not use any APP on your cellphone unless you are sure it is clean and safe, and above all don’t use any APPS you get from the Apple Store or Android Play Store. These APPS often steal your information such as your contacts lists or schedule, or report your location.  It is astonishing how many “permissions” APPS ask for that have nothing to do with their functionality.  This is a tip off that the APP comes with an ulterior motive.  To make matters worse, many of the APPS out there in the public are buggered and have malicious code attached to them in the form of malware and spyware. It is very hard to tell what APPS are clean and which are not. Avoid them all.  If you have designed a special APP for campaign use, it is very important to test its integrity and make sure it is not leaking vital information.  And the APP should not be distributed in a public way.
 
Suggestion #4.  Be careful about cell phone calls, especially if you are in a public area such as an airport, coffee shop, hotel or restaurant.  Today there are lots of cheap IMSI catchers around. An IMSI catcher is a tool that pretends to be a cell tower.  Your cell phone is built to look for the strongest cell phone signal and connect to it.  An IMSI catcher, if it is nearby, will appear to the phone like a strong signal and the phone will connect to that “tower.”  Then the IMSI catcher acts as a man in the middle: it grabs your call and connects you to a legitimate cell tower and then, through the phone company, to the person you are calling. Meanwhile the IMSI catcher can record your entire phone conversation.
 
Suggestion #5.  Avoid public WiFi.  Public WiFi is very dangerous because it is not encrypted in any way.  Whatever you do across a public WiFi connection is easy to intercept. As with the IMSI catcher, it is also common these days for snoops to set up what looks like a public WiFi to snare your connection, even on airplanes or trains.  This means that you are connected through a snooper to the external network and everything you do or say across the WiFi can be picked off. You are far better off using the data connection from the telephone company than using the data connection of a public WiFi.
 
Suggestion #6.  Consider secure smartphones for communications at the top levels of a campaign.  The best secure phones both encrypt the conversation so that if it is intercepted it can’t be listened to, and protect the phone from malware and spyware.  Be aware that most secure phones work through servers, and the people who run the servers, if they are third party, may or may not be reliable.  Be careful here and consider running your own secure phone server.
 
Suggestion #7. Train your staff to follow sound cyber security procedures in all their activities.  Training is very important for two reasons: it helps reduce the chance of human error which is one of the biggest sources of security compromise and it makes people alert to intrusions and threats.  Being ready for various threats is very important.  A denial of service attack could close down a campaign because all its messaging and communications could be blocked.  Knowing what to do when that happens and having alternatives in place means your campaign will not be shut down.
 
Suggestion #8. Vet companies you hire to provide cyber services, checking carefully who their customers are and whom they employ.  The first rule is to ask for a list of a cyber security company’s customers and their employees.  Then hire a private investigations firm to check them carefully.  Outsourcing cyber security support may be very necessary, but it is also risky. One ringer in the bunch and your campaign could be badly compromised.
 
Suggestion #9. Make sure that all campaign personnel who have social media accounts clean them before they come on board.  Set rules on what is allowed or not allowed during the campaign. People today are very careless about what they post on social media.  People “tweet” before they think, and post before they consider the consequences.  They also give out too much personal information, location information, even family information that might be used by an adversary.  Rules are very important to help mitigate this risk, and monitoring is not only important but probably mandatory.
 
Suggestion #10.  Keep your most strategic documents, membership lists, and other vital data off line on computers that are not connected to the Internet.  This is the best way to keep your campaign plans safe.  It is also a good idea to encrypt everything, even what is offline.  One of the cottage industries in Washington DC is for cleaning ladies to be accompanied on their late night work by intruders and poachers who download everything they can from office computers.  If the material is encrypted, then it has no value to any intruder.  Be safe; not sorry.
 
Suggestion #11.  Don’t allow cell phones or tablets in any meeting you have.  Cell phones and tablets are walking time bombs.  Their microphones and cameras can be switched on by spyware and can listen in and record your meetings and conversations.  And if there is a computer in the room, unplug it!  Even when not having a conversation make sure your webcam is unplugged (if you can) or covered if you can’t.
 
Above all remember that a political campaign is like any other business or organization in that it must be operated in a responsible way.  If your campaign lacks cyber security you are not only hurting your chances for election but you are hurting your cause and bringing potential harm to colleagues and friends.  Cyber security is not only very important in political campaigns; you can’t succeed without it.

Technology and Security Podcast on Itunes

Washington DC, June 26, 2015
For Immediate Release

Technology and Security has launched a new podcast series by the same name.  Episodes will be available at

https://itunes.apple.com/us/podcast/technology-security/id1012525063

Users will need iTunes to download the new podcast series.

Look for this cover in Itunes

While having an audio version is somewhat of an experiment for us, there have been enough requests for a podcast series that we decided to go ahead and make the programs available.

Some of the podcasts will be based directly on our well-regarded blog, Technology and Security.  Others will be available only in podcast format.

Technology and Security aims to relate the importance of technology to national security and national power. Recent books by the blog’s author, Dr. Stephen Bryen, include: Essays in Technology, Security and Strategy and the forthcoming Technology Security and National Power: Winners and Losers.

America has long enjoyed being the world’s technology leader.  But in some sectors that is starting to change as American technology increasingly has gone off shore, fueling China’s rapid growth and military expansion, and as other countries have closed the technology gap with the United States.  These changes and shifts represent a challenge for the future, and for the most part America’s guard still remains down.  Should this persist, America will find its ability to maintain its standard of living and safeguard its security increasingly difficult.

Technology and Security explores these issues and more.  Part of the blog’s focus is on cyber security, an area where adversaries are having their way harvesting American technological information and undermining governmental and infrastructural functions.  Technology and Security helps to explain why this is happening and proposes ways to cope with the situation or strengthen the protection of vital computer networks.


The Real Cybercrime

by Stephen Bryen

[A version of this article appeared in the Huffington Post with Rebecca Abrahams]

It now seems that the Office of Personnel Management, which had outsourced its data storage to other Federal agencies, has lost an astonishing 18 million personnel records, including most of those involving security clearances.  The information is now in the hands of unknown hackers who almost certainly have bartered the stolen information to willing buyers.  Most experts think that the buyer is most likely China, with Russia running a close second.

When a prospective employee applies for a job that requires a security clearance, he or she fills out a form called the SF-86, the Questionnaire for National Security Positions. The Questionnaire is extensive and demanding and requires so much information to be handed over to the government that there is virtually nothing left one could dream of adding to it.  Your friends, colleagues, bosses and neighbors are all included along with all your personal information. In the wrong hands this document at minimum guarantees easy identity theft. Worse, in the hands of a determined adversary, a person’s vulnerabilities can be exploited, including tracking the employee and making sophisticated “phishing” operations possible.  Phishing is a technique where a false email or message can be sent to an employee that, when opened, puts spyware on the employee’s computer.

You would think given the explosive importance of the SF-86 form that the government would take strong steps to protect the information.  Perish the thought.  Nothing like that has been done: in fact, the government passes around these forms to other agencies (such as the FBI) and gives them to contractors for “processing.”

Our government has consistently failed at computer security from the beginning. The first Computer Security Act was passed in 1988, and there have been many subsequent legislative initiatives since then along with Executive Orders and pronouncements from agencies including NSA and the National Institute of Science and Technology (NIST), the latest one just this week.

None of them understand the problem or demonstrate any real willingness to solve it.  All of them have the wrong cart in front of the wrong horse.

The truth is that unless special steps are taken to protect sensitive unclassified information the game is lost from the start.

What are those steps?  Most fundamentally there are two: compartmenting information and encrypting it.   For unclassified information which is what the SF-86 is considered to be, the government neither compartments nor encrypts. NSA won’t let them because the information is not classified: our government security experts keep thinking they can do it another way.  No they can’t.

NIST has just put out a new directive for contractors.  It is worthless.  Why?  Because it does not require either compartmentalization or encryption.

Compartmentalization means that not everyone can access everything.  It is as simple as that.  It can be made weightier by adding a “need to know” requirement, meaning that you are only entitled to look at what is absolutely necessary for your job.  Properly administered, need to know and compartmentalization protect against any major theft of information, particularly if the data itself is stored in an encrypted format.

081203-N-2147L-390 NORFOLK, Va. (Dec. 3, 2008) Sailors on the watch-floor of the Navy Cyber Defense Operations Command monitor, analyze, detect and defensively respond to unauthorized activity within U.S. Navy information systems and computer networks. (U.S. Navy photo by Mass Communications Specialist 1st Class Corey Lewis/Released)

The real crime is the failure of both the administration and the Congress to put in place a higher standard of information protection applying these known and effective tools.  While everyone is running around thinking about firing the head of the Office of Personnel Management, perhaps they should think about firing themselves for the crimes against privacy they have perpetrated.


Attacks on Religious Institutions is a Global Problem: Is there a solution?

by Stephen Bryen

Church attack in New Delhi

Attacks on religious institutions (churches, schools, community centers and offices) are far from only an American problem, although the United States has had plenty of them.

In our country churches, synagogues, mosques and temples have been attacked and worshippers going to and from these places have been murdered. Whether we are speaking about Christian churches, Catholic churches, Sikh Temples, Mosques or Synagogues, all of them have been hit by terrorists. I strongly prefer the term “terrorist” to racist or anti-Semite because it best describes what we are up against.

Around the world terrorism against religious institutions is rampant. Whether we talk about Pakistan where religious school children are wantonly murdered, or India, or Iraq and Syria we find such atrocities. In Europe there have been attacks on synagogues and churches and murders of citizens for example in France, Belgium and Denmark among many others.

While some of the attacks are clearly by radicalized individuals, others involve state backing or state complicity. In the bombing of the Asociación Mutual Israelita Argentina, which killed 85 people in the building and wounded more than 100 others, there is little doubt, outside of the corrupt politicians of Argentina, that the bombing and murder was accomplished by Iranian operatives, perhaps in a conspiracy with Argentinian politicians or police.

State sponsored attacks are a growing threat. Outfits like al-Qaeda, the Taliban, ISIS and Boko Haram can operate because they are sponsored and supported by nation-states, providing them with equipment, intelligence and even naming targets. Coptic Christians would not be murdered in Egypt without the help of the Moslem Brotherhood, which the Obama administration befriended. Chechen terrorists in Russia have got backing from Saudi Arabia either directly or through religious cutouts.

For Americans the question is how to confront the problem. It is one thing to try and build community support against terrorism and racism, but at the end of the day there isn’t any empirical evidence that this is a sufficient strategy to combat such crimes. In fact it may act as a deterrent to hard headed preventive strategies that are badly needed. But there is one thing the community writ large can be encouraged to do: when they see a threat either because someone says something or writes something or threatens someone, people do need to respond and bring it to the attention of the larger community and make law enforcement aware. Here we can talk about the importance of social responsibility and the need to act against terrorists, racists and anti-Semites.

Most religious institutions in the United States are unprotected. The same is true in other countries. Their doors are open to terrorists and externally their perimeters are easily penetrated by bombers, either on foot or in vehicles. Few have active surveillance or even passive barriers to prevent such attacks.

There is no single technology that can guarantee complete protection against a fanatic or group of fanatics, and particularly against professional killers like the ones in Buenos Aires. Even so, protection helps reduce the frequency of successful attacks, helps to identify the perpetrators, and can save lives.

The most important first step is to understand the nature of the threat and to have critical intelligence if the risk level is high. More importantly, real time intelligence may help identify the person or persons who plan an attack.

It is no secret that a lot of this information can be found on social media. Dylann Roof, the 21-year-old man charged with the murders at the Emanuel A.M.E. Church in Charleston, had a Web page with his outrageous rantings posted since last February. No one paid any attention. Law enforcement can easily track social media, but they need to be more proactive and not only warn about risk but also confront those threatening the community. Had information on Dylann Roof been distributed to churches and synagogues (he hated Blacks and Jews and many others), they would have been on the lookout for him and maybe the tragedy could have been prevented. Just distributing his photos (from his web site) could have alerted the folks at the A.M.E. Church.

This is a far better strategy than opining about gun control. Gun control is not going to stop a fanatic any more than it is going to stop a determined criminal.

Once you have information that is useful, you must implement a proper organization to aid in protecting a religious institution. Technology can help, but without a good organization and equally vital good training, the risk remains.

While some synagogues have put in place perimeter protection because of their exposure to constant threats, and some have hired guards, there is not much in the way of organization or training of lay people. There is even less at churches.

The Department of Homeland Security has provided funds here and there to buy defensive equipment such as surveillance cameras or alarm systems, but the Department has not thought to provide organizational training. Some police departments do make an effort to help, but usually they have to be asked to do so and often they themselves are not trained to provide perimeter protection services.

Unfortunately the ball has mostly been dropped, which is why alleged terrorists like Dylann Roof can operate and why the greater threat of state sponsored terrorist attacks on religious institutions in the United States is not far from us.

Surely we can do better.


Hillary’s Phone and the True Security Risk to the United States

By Stephen Bryen

Larry Klayman’s Judicial Watch has filed a lawsuit in the U.S. District Court for the District of Columbia to obtain the release of documents regarding Hillary Clinton’s efforts to gain approval for use of an iPhone or iPad to conduct official business while she was secretary of state (Judicial Watch, Inc. v. U.S. Department of State (No. 1:15-cv-00646)).  The notion is that no such documents exist; that is, during the time she was Secretary of State Ms. Clinton was allegedly using an iPhone, iPad or both and allegedly never asked for clearance.

Unfortunately there is widespread use of smartphones and tablets by US officials, mostly without permission.  While these are supposedly for private use and not official business (the latter would entail getting an approval), not much has been made of the use of these devices.  But the truth is they constitute a huge security risk for two important reasons: smartphones and tablets are unsafe; officials conduct business on them notwithstanding the risks and in spite of regulations that would require approval to use them.

While the practice no doubt has led to the compromise of sensitive information, most of the time we don’t hear about it.  A foreign intelligence service with access to a senior official’s phone would not want to disclose they were listening in, because that would give away an intelligence gold mine.  We do know, of course, following disclosures by Edward Snowden, that the US on its own and in cooperation with foreign intelligence services such as GCHQ in the United Kingdom and the BND in Germany, routinely spy on the smartphones and tablets of foreign officials.  Indeed, it appears the BND cooperated with NSA in spying even on Chancellor Merkel’s smartphones (over the years at least five of her smartphones were compromised in this way).  Even so, anxious not to come up against her own intelligence services or to lose American support on issues of paramount importance to Germany, Mrs. Merkel has defended the BND and tempered her anger over NSA-led spying in Germany aimed at German officials and corporations.

Nuland’s Phone

With Ukraine in an uproar in 2013, violent protests in the street, Victoria Nuland called Geoffrey Pyatt, the US Ambassador in Kiev. A full transcript of their conversation was leaked to the press.  Here is just one small part of what Nuland and Pyatt had to say:

“Voice thought to be Pyatt’s: I think we’re in play. The Klitschko [Vitaly Klitschko, one of three main opposition leaders] piece is obviously the complicated electron here. Especially the announcement of him as deputy prime minister and you’ve seen some of my notes on the troubles in the marriage right now so we’re trying to get a read really fast on where he is on this stuff. But I think your argument to him, which you’ll need to make, I think that’s the next phone call you want to set up, is exactly the one you made to Yats [Arseniy Yatseniuk, another opposition leader]. And I’m glad you sort of put him on the spot on where he fits in this scenario. And I’m very glad that he said what he said in response.

“Nuland: Good. I don’t think Klitsch should go into the government. I don’t think it’s necessary, I don’t think it’s a good idea.”[1]

Our two genius diplomats, working on an open line, spoke in uncomplimentary terms about Ukrainian leaders.  Nuland and Ambassador Pyatt made it even worse by acting as if they were the decision makers on who would take over leadership in the Ukraine.

It isn’t clear what type of phone, landline or cellular, Pyatt was using, but Nuland’s call seems to have been made on a mobile phone.  Had she called from her office and had Pyatt been in his, they would have used a secure telephone.

As for the wiretap, that was the easiest part.  The Ukrainian telephone system was put there by the Russians before Ukraine became independent.  Its trunk lines pass through Moscow.  While Nuland’s phone conversation could have been leaked by anyone, the Moscow connection seems the most likely source.  The Russians would surely gain from embarrassing the United States.[2]

A Danger to State Department Employees

State Department officials posted overseas are at significant risk using commercial smartphones and tablets.  Most of the time they are on diplomatic assignments with their families, meaning that the already blurry line between “official” business and personal affairs dissolves into nothingness, especially if the host country is unwelcoming or dangerous.  Even assignments to posts in such “safe” places as European capitals are a risk, because there are moles in the local intelligence services and police and because terrorists today use sophisticated intercept tools as part of their arsenal of weapons to track targets. A good example is France, where Islamic radicals exploited social media connections, especially Facebook, to identify targets in the Jewish community. When you think about the families of diplomats using smartphones equipped with accurate GPS, their personal vulnerability is easy to understand.

Who is Responsible?

It is easy to say that public officials are responsible for their behavior, and if they are using smartphones and tablets without government approval, they create a security risk.  But what if they got approval to use these devices from their agency?  Does that make it acceptable?[3]

The truth is that using commercial smartphones by government officials is extraordinarily risky and dangerous.  It means, as already noted, that conversations can be intercepted, contacts identified, and locations pinpointed.

While convenient to say that officials are acting improperly, or agencies have given approval thoughtlessly, it is even more the case that proper security policy is lacking, not just in the State Department, but throughout the US government. The Pentagon, for example, or the military are no better than State, neither is the White House any safer than the Department of Homeland Security.

We are bombarded these days by different cyber plans concocted by the US government, most of which are unmitigated garbage that achieve nothing. If our government just got smart about smartphones it would be a significant achievement.  That our government security experts have failed, and failed dismally, should tell you more than you may want to know about our lack of security and preparedness.

________________________________________

[1] http://www.bbc.com/news/world-europe-26079957

[2] Excerpted from my forthcoming book, Technology Security and National Power: Winners and Losers (Transaction Publishers, 2016).

[3] The Defense Department has recently “approved” three smartphones as “secure,” which is a reckless and unjustified step that enhances the danger of using smartphones and tablets in official business.


Is Hollywood Going Back to Flip Phones?

Hollywood stars, producers and writers are so worried by hacks at Sony and the compromise of “selfie” nude photos, many are saying they are going back to Flip Phones to protect themselves.  Are Flip Phones safer than today’s smartphones?
 
A Flip Phone is called a “Feature Phone” in the trade.  It is not a “smart” phone, but it can do some of the things a smartphone can do.  For example a typical Flip Phone can receive email, SMS (text) messages, send photos, keep a calendar and use Bluetooth.  The big difference is in the Operating System and the fact that Feature Phones typically don’t use high speed data connections such as 3G or 4G or WiFi.
 
Feature Phones also don’t have operating systems like iPhone, Android or Windows, although some of them might have cut down versions of these systems. Mostly they have semi-programmable software sets that support the phone’s functions.  
 
But Flip Phones are certainly not “safer” than smartphones.
 
For example, Flip Phones have GPS chips and your location can be tracked on a Flip just as well as you can be tracked on a smartphone.
 
And SMS, Email and pictures can be easily intercepted by government organizations as well as by hackers.
 
There is even pretty good spyware that can be installed on some Flip Phones.
 
What Feature Phones or Flips generally don’t have is much access to social media such as Facebook which needs a data connection. Nor can you use programs like Skype for communications.  But you can access the Internet, although the connection is very slow.
 
If the Hollywood types can live without high quality nudie photos and the social media, maybe the Flip Phone will work for them. But it won’t make them much more secure.
 
Communications on a Flip or Feature Phone are just as vulnerable to intercept as they are on a smartphone.  In fact, maybe even more so because you can’t put your own encryption on a Flip or Feature Phone and many Flip Phones have only rudimentary scrambling that can easily be turned off by any hacker.
 
The truth is there is neither much protection nor much future in Flip Phones, which is why they are increasingly losing market share.
 
The big problem for everyone, as far as smartphones and Flip Phones are concerned, is that we are living in the “wild West” in the sense that there are few security standards, lots of spaghetti code, too much foreign manufacturing and tampering, and a home government that exploits all these vulnerabilities, meaning that our government is compromised and won’t do much to help the average citizen, or even the above average citizen (assuming such a citizen exists).  This leaves American business at risk and it violates most of the freedoms we are supposed to enjoy. Folks in Hollywood are rightfully offended, but the big picture is even more challenging.

Saving the Critical Infrastructure

by Stephen Bryen

founder and former head of the Defense Technology Security Administration

I have been writing about cyber security for many years.  I believe I have some credibility in this field.  I headed and ran the Defense Department’s program for technology security as the Director of the Defense Technology Security Administration and as a Deputy Under Secretary of Defense.  I also started and ran two cyber security companies, one in the 1990s called SECOM which was the world’s first secure chat program, and currently Ziklag Systems which markets secure mobile smartphones.  Over the years I have been increasingly concerned about the vulnerability of our critical infrastructure and the risk to America.  My concern has escalated along with growing and successful cyber intrusions into our power, energy, transportation and government grids and networks.  And I have found it shocking that no one seems to know what to do about the menace.

Somehow our leaders in the administration and Congress, even Admiral Mike Rogers who heads NSA and the US Cyber Command, all of whom clearly understand the threat and risk, seem clueless on how to fix the problem.

Meanwhile China, Russia, Iran, Syria and plenty of rogue operations are increasing the pressure on us by attacking our computer networks.  Nothing is safe.  Not our defense Command and Control systems, our missile defenses, our energy grid, our refineries, our nuclear power plants, not even our telecommunications, transportation, water supply or health care systems are secure.

The reason for that is easy to see.  All our computer networks rely on computer operating systems, hardware and software that have been distributed all over the world.  Since almost everything about those systems is public, it is easy for attackers with sufficient resources to take them apart.  It should surprise no one that virtually all of our hardware is made in China, introducing a massive vulnerability into our critical infrastructure.

Add to this tremendous weakness the problem of SCADA systems.  SCADA is the supervisory control and data acquisition system used by nuclear and conventional power plants, heating and cooling systems, manufacturing centers, refineries and lots of other automated systems.  There are only two or three SCADA systems in the market with wide acceptance, and they are used worldwide.  Once again, both the hardware and software for SCADA are accessible to foreign regimes and terrorists as well as other rogue actors.  SCADA was at the center of the attack on Iran’s uranium enrichment centrifuges, where the US and Israel hoped to slow Iran’s acquisition of an atomic bomb.  What was done with the Stuxnet worm to damage Iran’s nuclear program can likewise happen to us.

Patching computer operating systems and fixing SCADA software won’t work.  This is proven empirically by the growing frequency of successful attacks on critical infrastructure systems.  If patches worked, they would save us from attack.  But the plain fact is that they may help a little but not enough to stop a determined and resourceful adversary.

China, one of the countries known to be tampering with our critical infrastructure and helping to finance its growth by stealing defense designs and technology from our leading companies, is already taking steps to keep us out of their networks by producing their own computer operating systems they won’t share with us.  We should take a cue from China. For critical infrastructure security we need secure operating systems and a new secure SCADA that replaces all the commercial equipment and software we have been using.

Changing over to a government proprietary secure system is a vital step in locking down our networks and management systems.  It requires a bold and determined initiative by the US government, and it needs to be accompanied by security measures that are well drawn and deeply monitored to provide an additional layer of protection.

Above all we need a policy based on “win win”, not on hopes and fictions that we can make what we have work. It is foolish to wait for the worst to happen, as it surely will.


The “StealthGenie” Complaint May Not Accomplish Anything

[Update: It turns out that police departments around the country have been giving out software so parents can monitor their kids’ computers, tablets and phones. This controversial spyware distribution flies in the face of the Justice Department’s StealthGenie indictment; in fact, it makes Justice likely to lose the case if it is ever adjudicated.  It is indeed strange that the DOJ failed to do its homework and seems to have taken a Don Quixote-like approach to the problem, leaving out most of the really bad stuff to go after one amateur.
See http://www.cnet.com/news/police-boosted-parental-control-app-is-a-privacy-mess-says-report/ for one report on the matter.]

Two Assistant United States Attorneys, Kevin Mikolashek and Jay Prabhu, have filed a civil Complaint (Civil No. 1:14-ev 1273) against Hammad Akbar for selling a spyware product called StealthGenie. StealthGenie is an APP that works on a variety of smartphones. The APP surreptitiously records incoming and outgoing phone calls; allows the purchaser to intercept calls in real time without the knowledge of the smartphone user; allows conversations in a boardroom or bedroom to be recorded without the knowledge of the smartphone user; allows incoming and outgoing email, SMS (text) messages and voicemail to be recorded and read; and steals the user’s contact list, photos, videos and appointments.
 
StealthGenie works through a commercial server. StealthGenie used Amazon Web Services located in Ashburn, Virginia. All the intercepted information from StealthGenie is stored on Amazon’s server.
 
Hammad Akbar and his employees are Pakistani citizens and Akbar lives in Lahore. The chances of catching up with him are precisely zero. Amazon is not a defendant in the case, although clearly Amazon Web Services facilitated StealthGenie operations.
 
The US government view is that this kind of APP is an “interception device” under US Code and Federal Rules of Civil Procedure and that the sale, marketing and advertising of mobile spying applications is illegal. The US Attorneys evinced specific concern that the spread of this kind of APP would help stalkers, although as the Complaint says, the product was advertised as a means of dealing with spousal cheating, which according to StealthGenie’s owners, a company called InvoCode Pvt. Ltd., constituted 65% of the purchasers of the APP.
 
This is the first case brought in a Federal court against spyware APPS. It is unlikely to ever be successfully prosecuted, so the civil Complaint really amounts to a warning to others who make similar products.
 
Today there are hundreds of companies in all parts of the world producing products that resemble StealthGenie. These products are available on the Internet. Some of them are free; others can be purchased. The simplest of them require physical access to the target’s phone to install the malicious APP. More sophisticated stealthy spyware can get downloaded on a phone without the need for physical access. One way is to embed the spyware into a legitimate product and offer it to the user. Another is to plant a Trojan or other bug in the hardware of the device. Recently some Chinese phones have been found to have built-in spyware. There are plenty of other techniques available for professional spies. StealthGenie was meant for amateurs.
 
Whether the government’s legal argument is sound is less than clear. There are many cases where intercept software can be sold where its use is legal. Two examples come to mind: the sale of intercept software to law enforcement and government; the sale of intercept software to business. Business has a right to monitor its employees, and this right has been generally supported in US courts. This right extends to smartphones, computers and other electronics (such as GPS trackers). It would seem, therefore, that if StealthGenie advertised its APPS for certain business spying, there would not have been any grounds for an indictment.
 
Another use of spyware APPS is for parents monitoring children. The US Government Complaint does not address this point. But, again, if an APP is advertised for this purpose, is it legal?
 
Spyware is also extensively used by companies spying on their competitors. Certainly this is not legal, but the government has not bothered to act on such spying. Why?
 
One thing is certain: the government’s action, no matter how well-intentioned, misses the mark in important ways. The widespread spying going on in our society, some of it easily accomplished by monitoring social APPS like Facebook and Twitter, is a real scourge. So too is the monetization of personal information by many of the tech giants, who are making a fortune exploiting our privacy. We have a very long way to go before any of this is brought to a halt.

Is China’s New Computer Operating System a Threat?

by Stephen Bryen and Rebecca Abrahams

Originally appeared in the Huffington Post at http://www.huffingtonpost.com/rebecca-abrahams/is-chinas-new-computer-op_b_5738068.html

China has announced it will introduce a new computer operating system in October to replace Windows. Already deeply embarrassed and unhappy over alleged spying on its computers by the US Government, China has vowed to take action.

Its first step was to stop government agencies from using Microsoft’s most recent Windows 8 on their machines. But its latest project, to replace Windows altogether, puts China into a new category, challenging US dominance in the ultra-sensitive computer operating system league. Controlling computers today is part and parcel of political power, and China understands this. That’s why China is not only replacing Windows, but it wants to get rid of Apple’s iOS and Google’s Android too.

China has three related opportunities and can be expected to exploit all of them.
The first involves better controlling China’s domestic computers and mobile devices by regulating through the operating system what users can, or cannot, do. China is likely to achieve this through a strongly controlled computer software registration system managed not by Microsoft, Google or Apple but by the Chinese government.

China will gain many benefits. It will have tens of millions of users virtually on launch, and it will control all access by being able to directly regulate software and applications that run on its approved operating system. Likewise, China will likely build in some sort of encryption system linking computers to the Internet, which will create problems for any outside organization to penetrate. And China will stimulate development of domestic software alternatives to Western software products. China will also gain vast experience in how to manage an operating system evolution, how to fix vulnerabilities, how to add features, and how to support software in the field. This will grow a domestic industry that will rapidly mature and will benefit the Chinese state.

Beyond its domestic market, China will be able to look to introducing its software in the global market. China can find a number of opportunities to spread its operating system in many parts of the world. For example, it could potentially challenge both Microsoft and Android laptop platforms by offering a cheaper and stronger operating system to users. Price is a big factor in low end laptops and netbooks. China controls most computer manufacturing today. Put an operating system on top, especially one that is open enough to support popular software and social networking products, and China could well have a winner. Of course, China’s commercial OS will be different from the one it promotes internally, but this can easily be handled, especially if registration and OS downloads are managed by a location-sensitive server.

A third and even bigger opportunity for China is to team with a non-American foreign company to offer an “independent” operating system to customers. This may prove to be attractive to a European partner because the Europeans are quite unhappy with American spying, and they have far less concern, if any, about China than America has. There are plenty of large European companies who are, in the IT world, always playing second fiddle to the U.S. Here is a great chance for them to get ahead. And they can do it on the cheap, since the software investment will be heavily China’s operational and financial responsibility.

Where does this leave US companies? Certainly China will emerge as a heavyweight challenger to the likes of Microsoft, Google and Apple. But it is not just US companies that matter here. The loss of control over where operating systems come from could pose a security challenge for America’s intelligence agencies that will be formidable and hard to overcome. While that is still in the future, it would be foolish not to prepare ourselves for the problems on the road ahead.
