News: 2016 Archives
On Tuesday, President-elect Donald Trump named cyber expert Tom Bossert as his homeland security adviser.
Bossert is currently a fellow at the Atlantic Council and was a former national security aide to President George W. Bush.
He says cybersecurity will be a top priority in his new job.
And if the events of 2016 say anything, Bossert will likely have a lot on his plate.
"American Elections Will Be Hacked." That’s the title of a recent article in The New York Times by our next guest, the leading cybersecurity and privacy researcher Bruce Schneier. Schneier warns, "Our newly computerized voting systems are vulnerable to attack by both individual hackers and government-sponsored cyberwarriors. It is only a matter of time before such an attack happens."
As if I haven't said it a million times, IoT security is critical.
But just when I thought I had it all figured out, somebody comes along and sheds new light on this very important topic in a different way.
At a November 16 hearing held by the Congress Committee on Energy and Commerce in light of the devastating October 21 Dyn DDoS attack, famous cryptologist and computer security expert Bruce Schneier offered a new perspective on IoT security, which makes it easier for everyone to understand the criticality of the issue.
After watching it at least three times, I decided to share the main concepts with the readers of TechTalks.
During a House Committee hearing today, Bruce Schneier also asks for the establishment of a new government agency devoted to cybersecurity.
Security experts asked lawmakers for more action, today, during a Congressional hearing on IoT security. On their wishlist: consequences to manufacturers for delivering insecure products, a federally funded independent lab for pre-market cybersecurity testing, and an entirely new federal agency devoted to cybersecurity.
The hearing, "Understanding the Role of Connected Devices in Recent Attacks," was held by the US House Committee on Energy and Commerce, with expert witnesses Dale Drew, senior vice president and chief security officer of Level 3 Communications; Dr. Kevin Fu, CEO of Virta Labs and associate professor of electrical engineering and computer science at the University of Michigan; and Bruce Schneier, fellow of the Berkman Klein Center at Harvard University.
"We are in this sorry and deteriorating state because there is almost no cost to a manufacturer for deploying products with poor cybersecurity to consumers," said Dr. Fu. He later added "also there's no benefit if they deploy something with good security."
"The market can't fix this," said Schneier, because "the buyer and seller don't care ...
Computer security experts on Wednesday pressed for comprehensive federal regulations mandating strong security protocols for the Internet of Things, saying it's not a matter of if but when rules are issued for connected devices.
"The Internet of Things affects the world in a directly physical manner—cars, appliances, thermostat, airplanes," said Bruce Schneier, a computer security expert at Harvard University, during testimony at a hearing held by two House Energy and Commerce subcommittees. "There's real risk to life and property. There's real, catastrophic risks."
With the increasing ubiquity and fundamental vulnerability of IoT technology, Schneier said it's a moot point to argue over whether the federal government will eventually regulate the industry.
The hacking of Democratic Party organizations has made internet security germane to the 2016 presidential election campaign. America's intelligence community has accused high-level Russian officials of backing these cyberattacks in an attempt to influence the election result. Such allegations have helped thrust relations between Washington and Moscow to their lowest point in decades.
Meanwhile, the integrity of America's internet infrastructure was tested on Oct. 21, 2016 with a distributed denial of service (DDoS) attack.
Bruce Schneier joined David Pakman to discuss computer security in relation to politics and election mechanics.
One of the most striking paradoxes of our time resides in our smartphones. Our everyday use of these iconic and progressively factotum apparatuses records at various levels every activity we do in space and time, with the unbelievable outcome that, on a mass scale, we're happy about that and willfully give up our intimate privacy to be allowed to continue using them. It's nothing new, but we're still turning our head to what is behind. There are battles going on to conquer the most strategic parts of the big data we produce, in the huge business called "DaaS" (data as a service).
For writer and cybersecurity and cryptography expert Bruce Schneier, "someone is learning how to take down the Internet," as he titles his latest blog post. The current chief technology officer of Resilient, an IBM company, says that distinctive attacks have been targeting major web players for two years now.
Bruce Schneier is a leading authority on computer security. The author of the legendary book "Applied Cryptography" has since 2004 run a widely read blog on which, this Tuesday, September 13, he published a post with an evocative title: "Someone Is Learning How to Take Down the Internet." As he states, for the past year or two, some major web companies have been subjected to distinctive, precise and calibrated attacks whose purpose is to test their defenses and assess the best ways to bring them down.
"I can't think of any other issue that moved people so quickly." By security expert Bruce Schneier's estimation, more than 700 million people worldwide changed their behavior on the Internet as a direct result of what Edward Snowden's NSA leak revealed about government surveillance. Even more amazing: they all did it within one year.
What motivated so many private citizens to take action? "They did that because of secrets.
Just before the start of the Democratic National Convention, top-secret emails from the Democratic National Committee were published on whistleblower website Wikileaks, in a major operation the FBI attributed to Russian hackers.
Some U.S. officials have raised subsequent questions: Were the hackers deliberately attempting to influence the election in favor of Donald Trump? Did Trump have any influence?
Linda Gray, General Manager of the RSA Conference, speaks with Bruce Schneier on the topic of his keynote, "Security in the World-Sized Web," at RSA Conference 2016 Singapore.
Some people may think the upcoming US presidential election is a Kobayashi Maru, a lose-lose scenario no matter who wins, but which candidate would best deal with a cyberattack that caused people to die?
In an article about how hacking the Internet of Things will result in real world disasters, security guru Bruce Schneier —who is not known for spreading FUD (fear, uncertainty, doubt) —was not talking about hacks against banks or the smart grid that would cause general chaos; oh no, he was describing hacks against devices connected to the internet which would actually result in people dying.
Writing on Motherboard, Schneier suggested:
The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.
IoT and cyber-physical systems, according to Schneier, have "given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete."
Indeed, there are plenty of scary possibilities which range from targeting one person to targeting hundreds of people at the same instant; hacking cars while they are driving down the highway; remotely assassinating a person by hacking their medical device, hacking a plane full of passengers, remotely taking control of weapon systems such as Patriot missile batteries, hacking a water treatment plant and tweaking the chemical mix; the nightmare scenario list of hacks that we all hope never happen goes on and on.
Bruce Schneier on How IoT Changes Everything in Security
Bruce Schneier, CTO at the security firm Resilient Systems, is busy examining how IoT - the name given to the computerization of everything in our lives - is changing the security world.
From sensors that collect data about our environment to databases in the cloud to analytics that help us make use of data, the Internet of Things is capable of changing our physical world.
"We're building an internet that senses, thinks and acts, but doesn't have a body, and that is the textbook definition of a robot," Schneier says. "What I want to propose is that we're building a world-sized robot, and we don't even realize it.
Adam is joined by Bruce Schneier to talk about current problems facing the TSA, gun control, and how data and security intersect.
One of the topics that resonated deeply with last season's Adam Ruins Everything viewers was Bruce Schneier's take on security and "security theater". So we had to bring Bruce on the podcast. Bruce is a brilliant cryptographer and security expert, who's written countless articles and academic papers and published 13 books, including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
Bruce Schneier and attorney David O'Brien discuss the new report issued by the Berkman Center for Internet & Society at Harvard University on the issue of “Going Dark,” and the role of law enforcement and privacy rights under scrutiny, revelations of government spying, and analysis of the Apple iPhone Encryption litigation and its progeny unfolding in the Federal Courts.
This year's Infosecurity Europe conference had so many great places to be and things to do that it was often hard to choose how best to spend one's limited time and harder still for many to identify a single highlight. For myself personally, however, it had to be the opportunity to hear one of my favourite writers for many years speaking on the keynote stage.
Whilst terms like "security guru" or even "thought leader" are often bandied around and diluted to the point of being meaningless, few of us mere security mortals can reasonably dispute the influence, credibility and respect that Bruce Schneier holds as a writer, technologist, cryptographer and entrepreneur. You know that when he speaks at an event like this, it is not an opportunity you're going to get every day.
Governments have a crucial role to play in tackling what he sees as the next big security challenge, he told Infosecurity Europe 2016 in London.
One of the biggest challenges, according to Schneier, is that there is no good regulatory structure for IoT which connects finance, health, energy and transport information.
"We don't know how to do this, so we are going to need government solutions that are holistic that will deal with IoT devices no matter what they are doing," he said.
Systems "too critical to allow programmers to do as they want"
Government regulation of the Internet of Things will become inevitable as connected kit in arenas as varied as healthcare and power distribution becomes more commonplace, according to security guru Bruce Schneier.
"Governments are going to get involved regardless because the risks are too great. When people start dying and property starts getting destroyed, governments are going to have to do something," Schneier said during a keynote speech at the Infosecurity Europe trade show in London.
The choice is between smart (well-informed) or stupid government regulations with the possibility of non-interference getting taken off the table.
"The Internet of Things (IoT) is our next big security challenge and I think it's the way we are going to be colliding with the real world in interesting ways."
Speaking at Infosecurity Europe 2016 Bruce Schneier said that securing the IoT is a lot about what we already know, and some of what we don't know.
"It's one big inter-connected system of systems with threats, attackers, effects; the IoT is everything we've seen now, just turned up to 11 and in a way we can't turn it off."
As the IoT becomes more connected it also becomes more physical, invading our lives on an unprecedented scale with more real-world consequences when a breach occurs, and it's something that we can't afford to fail to secure, Schneier explained.
"I think this is going to hit a tipping point. We're getting into the world of catastrophic risks as our computers become more physical.
Schneier also sees more government meddling in IoT security as ‘inevitable’
Schneier explained how IoT-connected devices such as medical devices, which are almost impossible to keep up to date with the latest security defenses, will go at odds against attackers who are continually improving their attack methods, with "catastrophic" consequences.
"As we move to the Internet of Things, where things are less patchable and less high-end, we're going to have problems," said Schneier, addressing a keynote audience at InfoSec 2016 in London.
"Right now, how you patch your home router is to throw it away and buy a new one.
But government involvement in IoT policies is inevitable, says security expert
Governments lack the expertise to define security policy when it comes to the rapidly growing Internet of Things (IoT), according to Bruce Schneier, security technologist and a member of the Infosecurity Europe Hall of Fame.
Schneier explained that governments approach topics such as the IoT and cyber security without the technical knowledge to understand the challenges.
"It's surprising how stark the lack of expertise in tech is in these debates," he said at Infosecurity Europe in London.
"Expertise in large correlation data bases, algorithmic decision making, IoT, cloud storage and computing, robotics, autonomous agents; these are all things that the government is going to run headlong into and needs to make decisions about.
The Internet of Things (IoT) is ushering in a new age of hyperconnectivity – and new cyber security challenges.
In this video, Resilient CTO Bruce Schneier explains how the Internet of Things raises the stakes in cyber security, and explores how organizations will need to battle these new challenges.
Security expert Bruce Schneier discusses security from the perspectives of both the National Security Agency and the National Institution of Standards and Technology.
Since the 1930s at Bletchley Park, there has been a continuous arms race to both improve and break cryptography. The files leaked by National Security Agency (NSA) contractor Edward Snowden made it clear that governments regularly gather data on average citizens, which makes us wonder if privacy is even possible. Do our carefully designed cryptographic systems protect our information as we expect them to, or are they just thin veils that can easily be pierced by the government? I posed these questions to leading security expert Bruce Schneier.
Threatpost Editor in Chief Mike Mimoso talks to crypto pioneer and security expert Bruce Schneier of Resilient Systems about the early days of the RSA Conference, the integration of privacy and security, and the current FBI-Apple debate over encryption and surveillance.
An IT security expert has some dire warnings about our brave new world
Either we start to disconnect our increasingly networked world or we risk daunting social, safety, security and privacy consequences, a leading computer security expert and author has warned.
In an expansive talk directly challenging widely held assumptions about the benefits of computing, networks and the internet, Bruce Schneier told a large audience at this year's RSA Security Conference in San Francisco that we were moving towards a networked world so complex that we would be unable to safely manage it or adequately grapple with inevitable disasters.
Schneier, who is always one of the most popular speakers at the event, which drew nearly 40,000 people this year, pinpoints what he calls vast "socio-technical systems" as the critical issue. He describes these as complex, interconnected social and technical systems.
"Companies go to the cloud not because the security person tells them to. They go to the cloud because the business person tells them to. Because the economics of doing it is so compelling and the security person has to manage," said Bruce Schneier (@schneierblog), CTO, Resilient Systems, in our conversation at the RSA 2016 Conference in San Francisco.
Computing is embedded in everything we do, such as cars and planes, said Schneier.
A shortage of skilled cyber security employees is one of the most significant challenges organizations face today.
In this video, Resilient CTO Bruce Schneier explains the cyber security skills gap, and outlines steps to help organizations overcome it.
It's going to get worse before it gets better
Security guru Bruce Schneier is a regular at shows like RSA and his talks are usually standing-room-only affairs.
Schneier has written some of the definitive texts for modern cryptography teaching and his current book, Data and Goliath, examines the perils and solutions to government and corporate surveillance of internet users. The Register sat down with him to talk over the news of the day, and to get an idea of where the security industry is going.
Q: First things first—you're the CTO of Resilient Systems, which IBM is in the process of buying.
Coders and tech bros playing chance with the future
Security guru Bruce Schneier has issued a stark warning to the RSA 2016 conference—get smart or face a whole world of trouble.
The level of interconnectedness of the world's technology is increasing daily, he said, and is becoming a world-sized web—which he acknowledged was a horrible term—made up of sensors, distributed computers, cloud systems, mobile, and autonomous data processing units. And no one is quite sure where it is all heading.
"The world-sized web will change everything," he said.
Bruce Schneier chats with SearchSecurity during lunch at RSAC about IBM's plans to acquire Resilient Systems to complete their security offering.
RSA Conference is a place to meet and greet anyone involved in security these days, proved by a chance encounter with Bruce Schneier during lunch on Tuesday in the press room. And few individuals had news as big as Schneier, with the announcement yesterday that IBM would acquire Resilient Systems, the company where he serves as CTO.
"For the company, it's fantastic; they have this whole big security strategy and you can see a big hole where we belong, and they see that," Schneier told SearchSecurity while we waited for lunch to be rolled out.
Business leaders and IT security professionals don't always see eye to eye—and that creates risk.
In this video, Resilient Systems CTO Bruce Schneier outlines ways for business and security leaders to build trust and create a security-focused organizational culture.
Without proper controls, minor—yet insecure—behaviors can become accepted habits at organizations. And that can lead to major security risks.
In this video, Resilient CTO Bruce Schneier explains how security leaders can spot insecure practices, and stop them from taking hold at their organization.
A new report shows that anti-crypto laws wouldn't change a thing, as criminals would simply look globally
In response to attempts to put restrictions on encryption technology, a new report surveys 546 encryption products in 54 countries outside the United States, out of 865 hardware and software products total.
The report demonstrates that encryption technology is very international in nature and that it is impossible for local regulations to have any effect on it, said Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard University,
"The cat is out of the bag," he said. "It is an international world. All the research is international and has been for decades.
Anyone seeking to keep their data hidden could use hundreds of encryption services offered by companies outside the US if Washington compels tech companies to decrypt communications.
If Washington forces American tech companies to give law enforcement access to encrypted communication, it might not provide the advantage investigators want when tracking terrorists or criminals.
Companies outside the US are responsible for nearly two-thirds of tech products that offer some form of encryption, according to a study released Thursday from renowned cryptographer Bruce Schneier. Because those firms are beyond the reach of US laws, he said, anyone who wants to avoid American intelligence agencies or police eavesdropping could simply switch to another secure platform.
"There's this weird belief that if the US law makes a change, that it affects things," said Schneier, chief technology officer of the security firm Resilient Systems and a fellow at Harvard University's Berkman Center for Internet and Society.
In recent months, the FBI has been pushing for stronger US restrictions on encryption — but a new report from Harvard's Berkman Center suggests such laws reach only a small portion of the relevant products. Taking a census of 865 different encryption products from around the world, the report finds that roughly two-thirds are produced and distributed overseas, outside the jurisdiction of US law. Germany was the biggest source of non-US crypto, with 112 separate products either for sale or available free. Just over a third of the foreign products make their code available as open source.
Just today, security technologist and author Bruce Schneier, along with Kathleen Seidel and Saranya Vijayakumar, unveiled a new international survey of encryption products compiled as part of his fellowship at the Berkman Center for Internet and Society at Harvard University. The survey found a total of 865 hardware or software products incorporating encryption from 55 different countries, 546 (around two-thirds) of which were from outside the US. The products included voice encryption, file encryption, email encryption, and text message encryption products, as well as 61 VPNs.
The worldwide survey shows that encryption products are widely available internationally, indicating that any US restrictions on unbreakable crypto are far less likely to thwart terrorists and criminals (who can switch to more secure foreign alternatives) as much as they will negatively impact US companies' bottom line and the safety and security of everyday internet users who typically don't spend a lot of time worrying about encryption.
Like playing a frustrating game of whack-a-mole
In 1999, when a fierce crypto war was raging between governments and developers, researchers undertook a global survey of available encryption products.
Now security guru Bruce Schneier and other experts have repeated the exercise, and it spells bad news for those demanding backdoors in today's cryptography.
The latest study analyzed 865 hardware and software products incorporating encryption from 55 countries, with a third of them coming from the US. That's up from 805 in 35 countries in 1999.
If the US government tries to strong-arm American companies into ending the sale of products or applications with unbreakable encryption, the technology won't disappear, a group of researchers conclude in a new report. It would still be widely available elsewhere.
Some US law enforcement officials argue that unbreakable encryption is interfering with legal surveillance of suspected criminals and terrorists. And some members of Congress are pushing for a nationwide requirement that encryption allow for law-enforcement access.
An estimated 63 percent of the encryption products available today are developed outside US borders, according to a new report that takes a firm stance against the kinds of mandated backdoors some federal officials have contended are crucial to ensuring national security.
The report, prepared by researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, identified 865 hardware or software products from 55 countries that incorporate encryption. Of them, 546 originated from outside the US. The most common non-US country was Germany, a country that has publicly disavowed the kinds of backdoors advocated by FBI Director James Comey and other US officials.
Findings point to negative impact on US Companies and Internet users
A newly completed international survey of encryption products found 546 different products from 54 different countries outside the US. This survey was headed by Bruce Schneier, as part of his Fellowship at the Berkman Center for Internet and Society at Harvard University.
The findings of this survey identified 619 entities that sell encryption products. Of those, 412, or two-thirds, are outside the U.S., calling into question the efficacy of any US mandates forcing backdoors for law-enforcement access.
Organizations are overwhelmed with security alerts—far more than they can reasonably manage. Incident response orchestration and automation can go a long way in helping teams resolve security events faster and more effectively.
Networked technology increasingly touches all aspects of our lives. When essential systems are connected to a networked environment, it becomes important to make sure that they're protected from attack. We continue improving the mathematics and algorithms used to secure these systems, but attackers tend to exploit weaknesses in how the mathematics and technologies are used.
As effective security becomes more vital, many computer science students are becoming interested in making security part of their education.
Bruce Schneier, the well-known cryptographer, author, and security expert, is today's guest on the On the Wire podcast. Dennis Fisher talks with Schneier about the pervasiveness of commercial and government surveillance and tracking, the emerging problem of IoT security, and what can be done to address the technical and policy issues all of this entails. They also discuss the ideas in Schneier's latest book, Data and Goliath, and what might be the theme for Schneier's next one.