Essays: 2014 Archives
Those of you unfamiliar with hacker culture might need an explanation of “doxing.”
The word refers to the practice of publishing personal information about people without their consent. Usually it’s things like an address and phone number, but it can also be credit card details, medical information, private e-mails—pretty much anything an assailant can get his hands on.
Doxing is not new; the term dates back to 2001 and the hacker group Anonymous. But it can be incredibly offensive. In 2014, several women were doxed by male gamers trying to intimidate them into keeping silent about sexism in computer games.
It's too early to take the U.S. government at its word.
I am deeply skeptical of the FBI's announcement on Friday that North Korea was behind last month's Sony hack. The agency's evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the U.S. government would make the accusation this formally if officials didn't believe it.
A focused, skillful cyber attacker will always get in, warns a security expert.
Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment's computer systems and began revealing many of the Hollywood studio's best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama's presumed movie-watching preferences) to the personnel data of employees, including salaries and performance reviews. The Federal Bureau of Investigation now says it has evidence that North Korea was behind the attack, and Sony Pictures pulled its planned release of "The Interview," a satire targeting that country's dictator, after the hackers made some ridiculous threats about terrorist violence.
Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen.
First we thought North Korea was behind the Sony cyberattacks. Then we thought it was a couple of hacker guys with an axe to grind. Now we think North Korea is behind it again, but the connection is still tenuous. There have been accusations of cyberterrorism, and even cyberwar.
A warrantless FBI search in Las Vegas sets a troubling precedent.
The next time you call for assistance because the Internet service in your home is not working, the 'technician' who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and—when he shows up at your door, impersonating a technician—let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside.
German translation by Yuri Samoilov
There's a new international survey on Internet security and trust, of '23,376 Internet users in 24 countries,' including 'Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.' Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those 'have taken steps to protect their online privacy and security as a result of his revelations.'
The press is mostly spinning this as evidence that Snowden has not had an effect: 'merely 39%,' 'only 39%,' and so on. (Note that these articles are completely misunderstanding the data. It's not 39% of people who are taking steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet users—which is not everybody—who have heard of him. So it's much less than 39%.)
Even so, I disagree with the 'Edward Snowden Revelations Not Having Much Impact on Internet Users' headline.
The Intercept has published an article—based on the Snowden documents—about AURORAGOLD, an NSA surveillance operation against cell phone network operators and standards bodies worldwide. This is not a typical NSA surveillance operation where agents identify the bad guys and spy on them. This is an operation where the NSA spies on people designing and building a general communications infrastructure, looking for weaknesses and vulnerabilities that will allow it to spy on the bad guys at some later date.
In that way, AURORAGOLD is similar to the NSA's program to hack sysadmins around the world, just in case that access will be useful at some later date; and to the GCHQ's hacking of the Belgian phone company Belgacom.
Antivirus companies had tracked the sophisticated—and likely U.S.-backed—Regin malware for years. But they kept what they learned to themselves.
Last week we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It's more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there's substantial evidence that it was built and operated by the United States.
This isn't the first government malware discovered.
In the Internet age, we have no choice but to entrust our data with private companies: e-mail providers, service providers, retailers, and so on.
We realize that this data is at risk from hackers. But there's another risk as well: the employees of the companies who are holding our data for us.
In the early years of Facebook, employees had a master password that enabled them to view anything they wanted in any account.
Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone's encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.
From now on, all the phone's data is protected. It can no longer be accessed by criminals, governments, or rogue employees.
View or Download in Acrobat Format
Security is a combination of protection, detection, and response. It’s taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network.
Chinese hacking of American computer networks is old news. For years we've known about their attacks against U.S. government and corporate targets. We've seen detailed reports of how they hacked The New York Times.
There's a debate going on about whether the U.S. government—specifically, the NSA and United States Cyber Command—should stockpile Internet vulnerabilities or disclose and fix them. It's a complicated problem, and one that starkly illustrates the difficulty of separating attack and defense in cyberspace.
A software vulnerability is a programming mistake that allows an adversary access into that system.
The Heartbleed bug that was reported in April allowed hackers to steal private online information. Cyber-security analyst Bruce Schneier argues that such technical vulnerabilities always arise from human errors.
The announcement on April 7 was alarming. A new internet vulnerability called Heartbleed could allow hackers to steal your logins and passwords. It affected a piece of security software that is used on half a million websites worldwide. Fixing it would be hard: It would strain our security infrastructure and the patience of users everywhere.
According to NSA documents published in Glenn Greenwald's new book "No Place to Hide," we now know that the NSA spies on embassies and missions all over the world, including those of Brazil, Bulgaria, Colombia, the European Union, France, Georgia, Greece, India, Italy, Japan, Mexico, Slovakia, South Africa, South Korea, Taiwan, Venezuela and Vietnam.
This will certainly strain international relations, as happened when it was revealed that the United States is eavesdropping on German Chancellor Angela Merkel's cell phone—but is anyone really surprised? Spying on foreign governments is what the NSA is supposed to do. Much more problematic, and dangerous, is that the NSA spies on entire populations.
In addition to turning the Internet into a worldwide surveillance platform, the NSA has surreptitiously weakened the products, protocols, and standards we all use to protect ourselves. By doing so, it has destroyed the trust that underlies the Internet. We need that trust back.
Trust is inherently social.
Ephemeral messaging apps such as Snapchat, Wickr and Frankly, all of which advertise that your photo, message or update will only be accessible for a short period, are on the rise. Snapchat and Frankly, for example, claim they permanently delete messages, photos and videos after 10 seconds. After that, there's no record.
This notion is especially popular with young people, and these apps are an antidote to sites such as Facebook where everything you post lasts forever unless you take it down—and taking it down is no guarantee that it isn't still available.
Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong
And real corporate security is still impossible.
If you've been reading the news recently, you might think that corporate America is doing its best to thwart NSA surveillance.
Google just announced that it is encrypting Gmail when you access it from your computer or phone, and between data centers. Last week, Mark Zuckerberg personally called President Obama to complain about the NSA using Facebook as a means to hack computers, and Facebook's Chief Security Officer explained to reporters that the attack technique has not worked since last summer. Yahoo, Google, Microsoft, and others are now regularly publishing "transparency reports," listing approximately how many government data requests the companies have received and complied with.
Back when we first started getting reports of the Chinese breaking into U.S. computer networks for espionage purposes, we described it in some very strong language. We called the Chinese actions cyber-attacks. We sometimes even invoked the word cyberwar, and declared that a cyber-attack was an act of war.
Ever since reporters began publishing stories about NSA activities, based on documents provided by Edward Snowden, we've been repeatedly assured by government officials that it's "only metadata." This might fool the average person, but it shouldn't fool those of us in the security field. Metadata equals surveillance data, and collecting metadata on people means putting them under surveillance.
An easy thought experiment demonstrates this. Imagine that you hired a private detective to eavesdrop on a subject.
Increasingly, we are watched not by people but by algorithms. Amazon and Netflix track the books we buy and the movies we stream, and suggest other books and movies based on our habits. Google and Facebook watch what we do and what we say, and show us advertisements based on our behavior. Google even modifies our web search results based on our previous behavior.
As insecure as passwords generally are, they're not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy.
The best way to explain how to choose a good password is to explain how they're broken.
The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission—protecting the security of U.S. communications and eavesdropping on the communications of our enemies—has become unbalanced in the post-Cold War, all-terrorism-all-the-time era.
Putting the U.S.
Giving it to private companies will only make privacy intrusion worse.
One of the recommendations by the president's Review Group on Intelligence and Communications Technologies on reforming the National Security Agency—No. 5, if you're counting—is that the government should not collect and store telephone metadata. Instead, a private company—either the phone companies themselves or some other third party—should store the metadata and provide it to the government only upon a court order.
This isn't a new idea. Over the past decade, several countries have enacted mandatory data retention laws, in which companies are required to save Internet or telephony data about customers for a specified period of time, in case the government needs it for an investigation.
Glenn Greenwald is back reporting about the NSA, now with Pierre Omidyar's news organization FirstLook and its introductory publication, The Intercept. Writing with national security reporter Jeremy Scahill, his first article covers how the NSA helps target individuals for assassination by drone.
Leaving aside the extensive political implications of the story, the article and the NSA source documents reveal additional information about how the agency's programs work. From this and other articles, we can now piece together how the NSA tracks individuals in the real world through their actions in cyberspace.
We're at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself—as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there's no good way to patch them.
It's not unlike what happened in the mid-1990s, when the insecurity of personal computers was reaching crisis levels. Software and operating systems were riddled with security vulnerabilities, and there was no good way to patch them.
Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President's Review Group has just released its report and recommendations.
With all this going on, it's easy to become inured to the breadth and depth of the NSA's activities.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.