Tag: Cybersecurity

Categories
Links Writing

Another ‘Victory’ for the Internet of Things

Researchers have found, once again, that sensitive systems have been placed on the Internet without even the most basic of security precautions. The result?

Analyzing a database of a year’s worth of Internet scan results [H.D. Moore]’s assembled known as Critical.io, as well as other data from the 2012 Internet Census, Moore discovered that thousands of devices had no authentication, weak or no encryption, default passwords, or had no automatic “log-off” functionality, leaving them pre-authenticated and ready to access. Although he was careful not to actually tamper with any of the systems he connected to, Moore says he could have in some cases switched off the ability to monitor traffic lights, disabled trucking companies’ gas pumps or faked credentials to get free fuel, sent fake alerts over public safety system alert systems, and changed environmental settings in buildings to burn out equipment or turn off refrigeration, leaving food stores to rot.

Needless to say, Moore’s findings are telling insofar as they reveal that engineers responsible for maintaining our infrastructures are often unable to secure those infrastructures from third-parties. Fortunately, it doesn’t appear that a hostile third-party has significantly taken advantage of poorly-secured and Internet-connected equipment, but it’s really only a matter until someone does attack this infrastructure to advance their own interests, or simply to reap the lulz.

Findings like Moore’s are only going to be more commonly produced as more and more systems are integrated with the Internet as part of the ‘Internet of Things’. It remains to be seen whether vulnerabilities will routinely be promptly resolved, especially with legacy equipment that enjoys significant sunk costs and limited capital for ongoing maintenance. Given the cascading nature of failures in an interconnected and digitized world, failing to secure our infrastructure means that along with natural disasters we may get to ‘enjoy’ cyber disasters that are both harder to positively identify or subsequently remedy when/if appropriately identified.

Categories
Links Writing

Online Voting Continues to Rear Its Ugly Head

From an editorial in the Cape Breton Post:

Elections Nova Scotia also touts “a dozen ways to vote.” But that’s a little misleading. Nine of those “ways” involve a write-in ballot.

Conspicuously, none include electronic voting. The significance of Doiron’s claim that Elections Nova Scotia’s changes will make it easier for people to vote fizzles when we consider the fact that electronic voting allows people to vote from virtually anywhere.

The Cape Breton Regional Municipality successfully implemented e-voting during the last round of municipal elections in 2012, with 26,949 — or 32.8 per cent — of CBRM electors voting electronically.

And as Postmedia News recently reported, Elections Canada has been touting Internet voting since 2008, although budget cuts put the kibosh on plans to introduce online voting in byelections held this year. But at least Elections Canada acknowledges the potential value of e-voting.

So, what are the chances of an elector voting electronically in a provincial election anytime soon?

“The registration and voting and the security — maintaining the integrity of the election — is still a very tricky game,” Doiron told the Globe and Mail. “And that’s one of the reasons that no provincial or federal authority has online voting yet because it’s just not secure enough for the kind of integrity we have to deliver.”

The CBRM had e-voting success. And at the federal level, barriers to implementing electronic voting seem to be more fiscal in nature than about security.

I’m curious as to how the author of this opinion piece concludes that fiscal issues are more significant than security issues. I presume that they are referring to Elections Canada’s decision to scrap an e-vote test, but despite not running the test the federal agency recognized that security was an issue with online voting.

These security challenges have been highlighted repeatedly: a recent election in Nova Scotia used online voting, and officials cannot guarantee that votes were recorded properly based on significant technical deficits. Similarly, voting events during the NDP Leadership election in 2012 suffered from third-party interference, which ultimately caused people to not vote. Moreover, even if the servers that recorded votes in both situations were secured all of the intermediary systems were not; consequently it is functionally impossible to assert that the malware-ridden computers that people vote on or intermediary network points didn’t alter voting outcomes.[1] This isn’t to say that malware or intermediary interference did affect the outcomes, but that the authoritative conclusions of online votes are much, much weaker than those reliant on paper ballots.

Voting matters. A lot. And folks that insist that we can ignore the security and privacy issues either don’t care enough to learn the detailed problems of online voting, or don’t seem to care that most verifiable online voting mechanisms enable the tracking of how people vote. That kind of tracking is something that a large number of people fought hard to excise from our democratic electoral systems. We invite it back in at our peril.

For more on this point, see “Online Voting and Hostile Deployment Environments”  ↩

Categories
Quotations

2013.7.9

Canadian carriers detect over 125 million attacks per hour on Canadians, comprising 80,000 new zero-day exploits identified every day. The vast majority of attacks are undetectable by traditional security software/hardware.

From “The Canadian Cyber Security Situation in 2011
Categories
Aside Links

Don’t Use Linksys Routers

cleverhacks:

multiple remote root exploits for some of Cisco’s latest consumer-grade gear – and remember, if your router is pwned, it doesn’t matter if all your computers are patched and ultra-secure; your traffic can still be silently MITM’d and your connection hijacked for nefarious purposes.

Ah…another set of router exploits. At least all the major routers that run traffic in the core of the networks are secure from these kinds of vulnerabilities because of high degrees of security-first coding, right?

Categories
Aside Quotations

2013.3.30

The determination by Congress and President Barack Obama’s administration to protect networks of critical U.S. industries from hackers and cyberspies is creating an explosive growth opportunity – for lobbyists.

There were 513 filings by consultants and companies to press Congress on cybersecurity by the end of 2012, up 85 percent from 2011 and almost three times as many as in 2010, according to U.S. Senate filings. Twelve firms have submitted new registrations this year on behalf of companies including Google Inc. (GOOG)’s Motorola Mobility unit, Symantec Corp. (SYMC), United Parcel Service Inc. (UPS) and Ericsson Inc., the U.S. subsidiary of Stockholm-based Telefonaktiebolaget LM Ericsson.

Eric Engleman & Jonathan D. Salant, “Cybersecurity Lobby Surges as Congress Considers New Laws

I’m sure the lobbyists are only there as good patriotic Americans, aiming to best ensure that Americans are kept safe and Congresspeople and Senators (and their associated staff) just get the best information possible. No way that, in the wake of US scaremongering, lobbyists are looking to massively expand ‘security’ projects to the detriment of Americans’ privacy and (almost comically) security interest. Right?

Categories
Quotations

2013.3.8

An often-overlooked dimension of cyber espionage is the targeting of civil society actors. NGOs, exile organizations, political movements, and other public interest coalitions have for many years encountered serious and persistent cyber assaults. Such threats — politically motivated and often with strong links to authoritarian regimes — include website defacements, denial-of-service attacks, targeted malware attacks, and cyber espionage. For every Fortune 500 company that’s breached, for every blueprint or confidential trade secret stolen, it’s a safe bet that at least one NGO or activist has been compromised in a similar fashion, with highly sensitive information such as networks of contacts exfiltrated. Yet civil society entities typically lack the resources of large industry players to defend against or mitigate such threats; you won’t see them hiring information security companies like Mandiant to conduct expensive investigations. Nor will you likely see Mandiant paying much attention to their concerns, either: if antivirus companies do encounter attacks related to civil society groups, they may simply discard that information as there is no revenue in it.

Rob Deibert and Sarah McKune, “Civil Society Hung Out To Dry in Global Cyber Espionage
Categories
Links

What Sophisticated Security Tests Should Look Like

Facebook and a few other large corporations understand just how serious contemporary data intrusions and exfiltrations are. They spend a lot of money preparing for attacks. Why, if private companies, are taking collected data so seriously do our governments seem to remain so cavalier with their data collection, retention, and security practices?

Categories
Links

Packets of Death

cleverhacks:

very nice detective work, in which we discover that a single ill-favored packet can completely kill certain Intel gigabit NICs (to the point that a power cycle is required to resurrect them). Excellent writeup (and I discovered a new tool: open source packet generation suite Ostinato, which aims to be “wireshark in reverse”).

The significance, via Slashdot: “With a modified HTTP server configured to generate the data at byte value (based on headers, host, etc) you could easily configure an HTTP 200 response to contain the packet of death and kill client machines behind firewalls!”

Categories
Quotations

2013.1.19

It’s not good to be on Power’s bad side, however. When you are on that side, Power piles on charges rather than shrugging off felonies as simple mistakes. Especially if what you do falls into the gray area of enforcing the letter as opposed to the principles of the law.

You can file all the petitions you like with the powers that be. You can try to make Power –whether in the form of wiretapping without warrants or violating international conventions against torture — follow its own laws. But Power is, as you might suspect, on the side of Power. Which is to say, Power never pleads guilty.

Ryan Singel, “Aaron Swartz and the Two Faces of Power
Categories
Writing

Could Email Undermine the 2012 American Election?

In the aftermath of Hurricane Sandy, some of the polling stations that would have been used by Americans to cast ballots are gone. Moreover, some citizens in New Jersey are unlikely to either find their new polling station or take the time to find a station and vote. Quite simply, they’re rebuilding their lives: presidential politics aren’t necessarily centre of mind at the moment.

In the wake of the disaster, New Jersey will let some voters cast their ballots by fax and email. One American expert has identified a range of possible attack vectors that could be used to compromise people’s votes. He’s quoted as saying,

Those are just some of the more obvious and potentially catastrophic ways a direct security failure could affect this election … The email voting scheme has so many ways it can fail or that doubt can be cast on the integrity of the results, that if a race somewhere in New Jersey is decided by email ballots, it seems almost guaranteed that we’re going to have a bunch of mini-2000-in-Floridas all over the state.

In addition to basic security concerns around voting, it’s critical to understand that voting by email (effectively) removes secrecy provisions. Messages will not have to be encrypted, meaning that if employees cast their ballots at work then their employer(s) could ascertain how their employees are voting. This is an incredibly serious issue.

In the best of worlds, the New Jersey elections won’t rely or depend on the emailed votes to determine a winner. This said, even if the votes don’t change the local results – if individuals win seats by sufficient margins that the emailed ‘ballots’ wouldn’t affect who won – the national vote could the endangered if the New Jersey voting system is connected to the national system. The risk, here, is that if an attacker could compromise the New Jersey voting infrastructure (perhaps by sending an infected attachment to an email message) then the rest of the infrastructure could also be compromised. Such an attack, were it to occur, could compromise not just the New Jersey results but, potentially, races across the United States.

While it’s evident why the government decided to let people vote by email – to ensure that Americans could cast their ballot despite the horrific natural disaster – these good intentions could result in very, very bad results. Worse, it could encourage trust and confidence in online voting systems more generally, systems that simply cannot be adequately secured (for more as to why, see this and this). While paper ballets are infuriating for many they remain an ideal means of confidently expressing voting intentions. While alternate approaches certainly need to be considered to let people vote, especially in times of crisis, voting by email is not an idea that should have been contemplated, let alone adopted, as a solution to the Sandy-related voting problems.