This is probably the best journalistic account of how current and past members of the Citizen Lab, in tandem with Lookout (a security company), identified the most significant vulnerability to ever target Apple devices.
Tag: Cyber Security
What’s the big deal about Hillary using her personal email at work?
Christopher Parsons, a Toronto-based cybersecurity expert with the think tank Citizen Lab, explained the security difference between a personal and official government email.
“The core security advantage is that the U.S. government will be attuned to the risk of her communications being deliberately targeted and, as such, would have a chance to maximize protections afforded to her communications,” Parsons said. “Moreover, data sent and received in U.S. government systems could be protected according to the sensitivity of the communications. So when sending classified or secret documents, a higher standard of care could have been provided.”
I would note that I don’t work at a think tank: I work at the University of Toronto, within the Munk School of Global Affairs.
Cyber-security in 2014: What we learned from the Heartbleed bug:
Parsons warned that the fallout from Heartbleed may not be over for web users.
We still don’t know just how much information was stolen or accessed as a result of the bug. Stolen login credentials and user information is likely to be leaked by hackers, putting users at risk for additional hacks.
The problem is hackers could leak this information at any time.
“If logins and passwords were successfully extracted – and I’m willing to say 99.9 per cent of people haven’t changed all of their passwords – people still could be affected,” he said.
…
“Always expect at some point, possibly through no fault of your own, you will be compromised,” Parsons warned.
“Then think, ‘What would I do if my personal information was leaked?’ Thinking before these things happen can help you come up with a recovery strategy.”
Categories
2014.11.26
The debate about cyber-security in political science and international relations has been very visible among policy elites. Policy-makers and their advisers read Foreign Affairs and Foreign Policy. However, political and social scientists often do not appreciate the technical details of network breaches, or security setups in critical infrastructure and industrial plants.
…
Most political scientists also lack the technical skills to call out poor- quality company reports or government documents. Instead, too many scholars seem happy to engage in self-referential theoretical debates of little relevance to anybody else – for instance, on the ‘securitisation’ of cyber-security.
Robert M. Lee and Thomas Rid. (2014). “OMG Cyber!: Thirteen Reasons Why Hype Makes for Bad Policy,” The RUSI Journal 169(5).
I cannot overstate how emphatically I agree with this general assessment of political science analyses of digital security issues.
Canada Bought $50 Million Worth of ‘Secure’ Phone Systems from the NSA:
Technically, the Canadian Prime Minister shouldn’t have to worry about being snooped on. Declassified information on the so-called Five Eyes partnership—an intelligence-sharing agreement between America, Canada, the United Kingdom, Australia, and New Zealand—supposedly forbids the five friendly governments from snooping on each other. But we don’t know what caveats exist in that agreement, because it’s kept top secret. We do know, however, that the NSA was operating in Toronto during the G8 and G20—and that CSE knew about it. That sort of cooperation, Parsons says, is to be expected by the Five Eyes partners.
“There is of course a concern that in the Five Eyes agreement there is an proviso that members of the Five Eyes network can engage in surveillance on other partners if it’s in their sovereign interest,” Parsons said.
It’s certainly interesting (and newsworthy) that Canada is buying cryptographically-secure systems from the NSA, though not necessarily surprising: the NSA is recognized as a leader in this technical space and has economies of scale that could reduce the cost of the equipment. These isn’t, however, any indication whether CSEC examines or tests the devices for backdoors. Presuming that the math hasn’t been compromised, and the phones and faxes aren’t being compromised by our close ally, then there are presumably (relatively) few worries with the Canadian procurement strategy and lots of benefits.
Chris Parsons, a post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs, said that there has been an increased call for outside security audits for OpenSSL, the security system affected by Heartbleed.
“Researchers have been grumbling that OpenSSL and other highly-relied upon security libraries need to be subject to more ‘forensic audits’ by professionals to identify and patch flaws before they are exploited in the wild,” he said.
Heartbleed was discovered by ateam of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.
Missed this when it went up, but posting because I think it touches on something that is important to track as things move forward: despite experts inside and outside of industry recognizing the need for more audits of critical packages like OpenSSL, will resources actually be devoted to enable such work?
Source: Heartbleed may lead to more security audits, advanced security services
The security design of the system as implemented in tests so far will require a national certificate infrastructure much like that used for preventing domain spoofing and securing the Web. It will require a database of certificates—like the X.509 certificates used in public key infrastructure (PKI)—to verify that devices are legitimate and make it possible to rescind permissions to ensure that no one can send out spoofed messages. If a certificate were to become compromised or if a manufacturer misconfigured a batch of V2V systems, the certificate authority would be able to revoke the associated certificate. This prevents spoofing much in the way that DNS SEC prevents the “poisoning” of Internet domain address tables by a rogue Domain Name Service server.
The problem is that no one has ever developed a PKI system large enough to handle every vehicle in the United States—every car, truck, bus, and motorcycle. The revocation table for expired or compromised certificates would have to be distributed constantly to cars to make sure they weren’t victimized by recorded data attacks or other systems that used hacked hardware to spoof traffic.
So far, there hasn’t been any agreement yet on how this PKI would distribute its certificates. Proposals have included having roadside systems issue certificates as vehicles drive by and having certificates sent to vehicles out-of-band over cellular connections. The latter would mean that every car in the country would have to have its own integrated cellular phone or that drivers would have to connect their phones regularly to the systems to ensure they didn’t get shut out of the network.
Oh yes, please: let’s build a mass communications network dependent on a (largely) creaky Certificate system, deploy the devices to the attackers (i.e. car owners), and just trust that no one’s gonna hack a mass, nation-wide, Vehicle-to-Vehicle communications network.
Also: taking bets on it being an escrowed certificate system. For public safety and all that good stuff.
Researchers have found, once again, that sensitive systems have been placed on the Internet without even the most basic of security precautions. The result?
Analyzing a database of a year’s worth of Internet scan results [H.D. Moore]’s assembled known as Critical.io, as well as other data from the 2012 Internet Census, Moore discovered that thousands of devices had no authentication, weak or no encryption, default passwords, or had no automatic “log-off” functionality, leaving them pre-authenticated and ready to access. Although he was careful not to actually tamper with any of the systems he connected to, Moore says he could have in some cases switched off the ability to monitor traffic lights, disabled trucking companies’ gas pumps or faked credentials to get free fuel, sent fake alerts over public safety system alert systems, and changed environmental settings in buildings to burn out equipment or turn off refrigeration, leaving food stores to rot.
Needless to say, Moore’s findings are telling insofar as they reveal that engineers responsible for maintaining our infrastructures are often unable to secure those infrastructures from third-parties. Fortunately, it doesn’t appear that a hostile third-party has significantly taken advantage of poorly-secured and Internet-connected equipment, but it’s really only a matter until someone does attack this infrastructure to advance their own interests, or simply to reap the lulz.
Findings like Moore’s are only going to be more commonly produced as more and more systems are integrated with the Internet as part of the ‘Internet of Things’. It remains to be seen whether vulnerabilities will routinely be promptly resolved, especially with legacy equipment that enjoys significant sunk costs and limited capital for ongoing maintenance. Given the cascading nature of failures in an interconnected and digitized world, failing to secure our infrastructure means that along with natural disasters we may get to ‘enjoy’ cyber disasters that are both harder to positively identify or subsequently remedy when/if appropriately identified.
From an editorial in the Cape Breton Post:
Elections Nova Scotia also touts “a dozen ways to vote.” But that’s a little misleading. Nine of those “ways” involve a write-in ballot.
Conspicuously, none include electronic voting. The significance of Doiron’s claim that Elections Nova Scotia’s changes will make it easier for people to vote fizzles when we consider the fact that electronic voting allows people to vote from virtually anywhere.
The Cape Breton Regional Municipality successfully implemented e-voting during the last round of municipal elections in 2012, with 26,949 — or 32.8 per cent — of CBRM electors voting electronically.
And as Postmedia News recently reported, Elections Canada has been touting Internet voting since 2008, although budget cuts put the kibosh on plans to introduce online voting in byelections held this year. But at least Elections Canada acknowledges the potential value of e-voting.
So, what are the chances of an elector voting electronically in a provincial election anytime soon?
“The registration and voting and the security — maintaining the integrity of the election — is still a very tricky game,” Doiron told the Globe and Mail. “And that’s one of the reasons that no provincial or federal authority has online voting yet because it’s just not secure enough for the kind of integrity we have to deliver.”
The CBRM had e-voting success. And at the federal level, barriers to implementing electronic voting seem to be more fiscal in nature than about security.
I’m curious as to how the author of this opinion piece concludes that fiscal issues are more significant than security issues. I presume that they are referring to Elections Canada’s decision to scrap an e-vote test, but despite not running the test the federal agency recognized that security was an issue with online voting.
These security challenges have been highlighted repeatedly: a recent election in Nova Scotia used online voting, and officials cannot guarantee that votes were recorded properly based on significant technical deficits. Similarly, voting events during the NDP Leadership election in 2012 suffered from third-party interference, which ultimately caused people to not vote. Moreover, even if the servers that recorded votes in both situations were secured all of the intermediary systems were not; consequently it is functionally impossible to assert that the malware-ridden computers that people vote on or intermediary network points didn’t alter voting outcomes.[1] This isn’t to say that malware or intermediary interference did affect the outcomes, but that the authoritative conclusions of online votes are much, much weaker than those reliant on paper ballots.
Voting matters. A lot. And folks that insist that we can ignore the security and privacy issues either don’t care enough to learn the detailed problems of online voting, or don’t seem to care that most verifiable online voting mechanisms enable the tracking of how people vote. That kind of tracking is something that a large number of people fought hard to excise from our democratic electoral systems. We invite it back in at our peril.
For more on this point, see “Online Voting and Hostile Deployment Environments” ↩
Categories
2013.7.9
Canadian carriers detect over 125 million attacks per hour on Canadians, comprising 80,000 new zero-day exploits identified every day. The vast majority of attacks are undetectable by traditional security software/hardware.
From “The Canadian Cyber Security Situation in 2011”
Excited Pixels 