Page 393
In yet another example of what happens when you build an insecure communications infrastructure, fake cell phone towers have been found in Oslo. No one knows who has been using them to eavesdrop.
This is happening in the US, too. Remember the rule: we’re all using the same infrastructure, so we can either keep it insecure so we—and everyone else—can use it to spy, or we can secure it so that no one can use it to spy.
Matthew Green has a good primer.
There’s a new international survey on Internet security and trust, of “23,376 Internet users in 24 countries,” including “Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.” Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those “have taken steps to protect their online privacy and security as a result of his revelations.”
The press is mostly spinning this as evidence that Snowden has not had an effect: “merely 39%,” “only 39%,” and so on. (Note that these articles are completely misunderstanding the data. It’s not 39% of people who are taking steps to protect their privacy post-Snowden, it’s 39% of the 60% of Internet users—which is not everybody—who have heard of him. So it’s much less than 39%.)
Even so, I disagree with the “Edward Snowden Revelations Not Having Much Impact on Internet Users” headline. He’s having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)
Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that’s an additional 46 million people around the world.
It’s probably true that most of those people took steps that didn’t make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It’s probably even true that some of those people didn’t take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.
Name another news story that has caused over ten percent of the world’s population to change their behavior in the past year? Cory Doctorow is right: we have reached “peak indifference to surveillance.” From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.
Related: a recent Pew Research Internet Project survey on Americans’ perceptions of privacy, commented on by Ben Wittes.
This essay previously appeared on Lawfare.
EDITED TO ADD (12/15): Reddit thread.
EDITED TO ADD (12/16): Slashdot thread.
EDITED TO ADD (1/23): This essay has been translated into German.
There is year-round recreational squid fishing from the Strait of Juan de Fuca to south Puget Sound.
A nighttime sport that requires simple, inexpensive fishing tackle, squid fishing-or jigging-typically takes place on the many piers and docks throughout the Puget Sound region
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
On 12/18 I’ll be part of a Co3 webinar where we examine incident-response trends of 2014 and look ahead to 2015. I tend not to do these, but this is an exception. Please sign up if you’re interested.
Remember last winter when President Obama called for an end to the NSA’s telephone metadata collection program? He didn’t actually call for an end to it; he just wanted it moved from an NSA database to some commercial database. (I still think this is a bad idea, and that having the companies store it is worse than having the government store it.)
Anyway, the Director of National Intelligence solicited companies who might be interested and capable of storing all this data. Here’s the list of companies that expressed interest. Note that Oracle is on the list—the only company I’ve heard of. Also note that many of these companies are just intermediaries that register for all sorts of things.
I don’t have a lot to say about the Sony hack, which seems to still be ongoing. I want to highlight a few points, though.
The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It’s an email about trying to get pregnant. It’s shit-talking coworkers behind their backs, and people’s credit card log-ins. It’s literally thousands of Social Security numbers laid bare. It’s even the harmless, mundane, trivial stuff that makes up any day’s email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack.
These people didn’t have anything to hide. They aren’t public figures. Their details aren’t going to be news anywhere in the world. But their privacy has been violated, and there are literally thousands of personal tragedies unfolding right now as these people deal with their friends and relatives who have searched and read this stuff.
These are people who did nothing wrong. They didn’t click on phishing links, or use dumb passwords (or even if they did, they didn’t cause this). They just showed up. They sent the same banal workplace emails you send every day, some personal, some not, some thoughtful, some dumb. Even if they didn’t have the expectation of full privacy, at most they may have assumed that an IT creeper might flip through their inbox, or that it was being crunched in an NSA server somewhere. For better or worse, we’ve become inured to small, anonymous violations. What happened to Sony Pictures employees, though, is public. And it is total.
Gizmodo got this 100% correct. And this is why privacy is so important for everyone.
I’m sure there’ll be more information as this continues to unfold.
EDITED TO ADD (12/12): There are two comment threads on this post: Reddit and Hacker News.
This article is reporting that the demand for Chief Information Security Officers far exceeds supply:
Sony and every other company that realizes the need for a strong, senior-level security officer are scrambling to find talent, said Kris Lovejoy, general manager of IBM’s security service and former IBM chief security officer.
CISOs are “almost impossible to find these days,” she said. “It’s a bit like musical chairs; there’s a finite number of CISOs and they tend to go from job to job in similar industries.”
I’m not surprised, really. This is a tough job: never enough budget, and you’re the one blamed when the inevitable attacks occur. And it’s a tough skill set: enough technical ability to understand cybersecurity, and sufficient management skill to navigate senior management. I would never want a job like that in a million years.
Here’s a tip: if you want to make your CISO happy, here’s her holiday wish list.
“My first wish is for companies to thoroughly test software releases before release to customers….”
Can we get that gift wrapped?
Interesting article: “How terrorism fears are transforming America’s public space.”
I am reminded of my essay from four years ago: “Close the Washington Monument.”
The Intercept has published an article—based on the Snowden documents—about AURORAGOLD, an NSA surveillance operation against cell phone network operators and standards bodies worldwide. This is not a typical NSA surveillance operation where agents identify the bad guys and spy on them. This is an operation where the NSA spies on people designing and building a general communications infrastructure, looking for weaknesses and vulnerabilities that will allow it to spy on the bad guys at some later date.
In that way, AURORAGOLD is similar to the NSA’s program to hack sysadmins around the world, just in case that access will be useful at some later date; and to the GCHQ’s hacking of the Belgian phone company Belgacom. In both cases, the NSA/GCHQ is finding general vulnerabilities in systems that are protecting many innocent people, and exploiting them instead of fixing them.
It is unclear from the documents exactly what cell phone vulnerabilities the NSA is exploiting. Remember that cell phone calls go through the regular phone network, and are as vulnerable there as non-cell calls. (GSM encryption only protects calls from the handset to the tower, not within the phone operators’ networks.) For the NSA to target cell phone networks particularly rather than phone networks in general means that it is interested in information specific to the cell phone network: location is the most obvious. We already know that the NSA can eavesdrop on most of the world’s cell phone networks, and that it tracks location data.
I’m not sure what to make of the NSA’s cryptanalysis efforts against GSM encryption. The GSM cellular network uses three different encryption schemes: A5/1, which has been badly broken in the academic world for over a decade (a previous Snowden document said the NSA could process A5/1 in real time—and so can everyone else); A5/2, which was designed deliberately weak and is even more easily broken; and A5/3 (aka KASUMI), which is generally believed to be secure. There are additional attacks against all A5 ciphers as they are used in the GSM system known in the academic world. Almost certainly the NSA has operationalized all of these attacks, and probably others as well. Two documents published by the Intercept mention attacks against A5/3—OPULENT PUP and WOLFRAMITE—although there is no detail, and thus no way to know how much of these attacks consist of cryptanalysis of A5/3, attacks against the GSM protocols, or attacks based on exfiltrating keys. For example, GSM carriers know their users’ A5 keys and store them in databases. It would be much easier for the NSA’s TAO group to steal those keys and use them for real-time decryption than it would be to apply mathematics and computing resources against the encrypted traffic.
The Intercept points to these documents as an example of the NSA deliberately introducing flaws into global communications standards, but I don’t really see the evidence here. Yes, the NSA is spying on industry organizations like the GSM Association in an effort to learn about new GSM standards as early as possible, but I don’t see evidence of it influencing those standards. The one relevant sentence is in a presentation about the “SIGINT Planning Cycle”: “How do we introduce vulnerabilities where they do not yet exist?” That’s pretty damning in general, but it feels more aspirational than a statement of practical intent. Already there are lots of pressures on the GSM Association to allow for “lawful surveillance” on users from countries around the world. That surveillance is generally with the assistance of the cell phone companies, which is why hacking them is such a priority. My guess is that the NSA just sits back and lets other countries weaken cell phone standards, then exploits those weaknesses.
Other countries do as well. There are many vulnerabilities in the cell phone system, and it’s folly to believe that only the NSA and GCHQ exploits them. And countries that can’t afford their own research and development organization can buy the capability from cyberweapons arms manufacturers. And remember that technology flows downhill: today’s top-secret NSA programs become tomorrow’s PhD theses and the next day’s hacker tools.
For example, the US company Verint sells cell phone tracking systems to both corporations and governments worldwide. The company’s website says that it’s “a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance,” with clients in “more than 10,000 organizations in over 180 countries.” The UK company Cobham sells a system that allows someone to send a “blind” call to a phone—one that doesn’t ring, and isn’t detectable. The blind call forces the phone to transmit on a certain frequency, allowing the sender to track that phone to within one meter. The company boasts government customers in Algeria, Brunei, Ghana, Pakistan, Saudi Arabia, Singapore, and the United States. Defentek, a company mysteriously registered in Panama, sells a system that can “locate and track any phone number in the world…undetected and unknown by the network, carrier, or the target.” It’s not an idle boast; telecommunications researcher Tobias Engel demonstrated the same capability at a hacker conference in 2008. Criminals can purchase illicit products to let them do the same today.
As I keep saying, we no longer live in a world where technology allows us to separate communications we want to protect from communications we want to exploit. Assume that anything we learn about what the NSA does today is a preview of what cybercriminals are going to do in six months to two years. That the NSA chooses to exploit the vulnerabilities it finds, rather than fix them, puts us all at risk.
This essay has previously appeared on the Lawfare blog.
Sidebar photo of Bruce Schneier by Joe MacInnis.