Insights For Success

Strategy, Innovation, Leadership and Security

Is the Internet built for spying?

InfoSec | Edward Kiledjian

The one and only internet

Edward Snowden is the (now famous) NSA leaker who exposed many of the US intelligence community's most secretive tools to the world. As expected, the public reacted (some would say over-reacted).

There is one internet

I believe the Internet will be recorded in history as one of the great evolutionary drivers, with the global availability of human knowledge and the ability to create brand-new beneficial services (like the Scanadu home health monitor).

Society has become so dependent on the fragile but powerful internet that it is inconceivable to cut oneself off from it completely (unless you want to live in a log cabin in the woods).

The Internet is a reflection of humanity

The internet is a mirror of our world. There are good people doing fantastic things with it to help every living being on our blue marble. On the other extreme are the thieves, scammers and "bad people".

Just like the internet amplifies the good, it amplifies the bad.

Is the internet a tool for spying?

A great many readers are upset about the scope of NSA spying revealed by Edward Snowden. Some say that you shouldn't worry if you have nothing to hide, but I disagree. Whether you believe these leaks are good or bad, they are forcing us to have an educated dialog about what we think is acceptable and what isn't.

Everyone working in security always assumed that governments were conducting these kinds of activities and these revelations upset us less because we were mentally prepared for them.

There is no tool or technique that makes you 100% safe and spy-proof on the internet. Even encryption leaves powerful traces of activity that we call metadata:

  • who you emailed
  • how often you emailed them
  • where your email originated from
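To make the metadata point concrete, here is an added example (not code from the original post) that reads only the cleartext headers of PGP-encrypted messages and rebuilds who emailed whom, how often, and from where. The messages, addresses and IP addresses are constructed samples using reserved example domains and documentation ranges.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

ARMOR = "-----BEGIN PGP MESSAGE-----"

def make_message(sender, recipient, date, origin_ip):
    """Build a constructed sample: cleartext headers, PGP-armored body."""
    return (
        f"Received: from client.example ([{origin_ip}]) by mx.example.net; {date}\n"
        f"From: {sender}\n"
        f"To: {recipient}\n"
        f"Date: {date}\n"
        "Subject: (encrypted)\n"
        "\n"
        f"{ARMOR}\n(constructed placeholder, not real ciphertext)\n"
        "-----END PGP MESSAGE-----\n"
    )

# Constructed traffic (assumption): three messages from one sender.
SAMPLES = [
    make_message("alice@example.org", "bob@example.com",
                 "Mon, 02 Sep 2013 09:15:00 +0000", "192.0.2.10"),
    make_message("alice@example.org", "bob@example.com",
                 "Tue, 03 Sep 2013 21:40:00 +0000", "192.0.2.10"),
    make_message("alice@example.org", "carol@example.net",
                 "Wed, 04 Sep 2013 07:05:00 +0000", "198.51.100.7"),
]

def extract_metadata(raw):
    """Return what any system handling the message can read without a key."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received") or []
    # The last Received header is the earliest hop, closest to the sender.
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    return {
        "sender": parseaddr(msg["From"])[1],
        "recipient": parseaddr(msg["To"])[1],
        "sent": parsedate_to_datetime(msg["Date"]),
        "origin_ip": ip.group(1) if ip else None,
        "body_encrypted": msg.get_payload().lstrip().startswith(ARMOR),
    }

def contact_graph(raw_messages):
    """Count messages per (sender, recipient) and collect origin IPs per sender."""
    pairs, origins = Counter(), {}
    for meta in map(extract_metadata, raw_messages):
        pairs[(meta["sender"], meta["recipient"])] += 1
        origins.setdefault(meta["sender"], set()).add(meta["origin_ip"])
    return pairs, origins
```

Every body in the sample stays unreadable, yet `contact_graph(SAMPLES)` still yields the three items in the list above.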

Investigative journalists also discovered that the US Postal Service was recording metadata from letters (same as the above but for real-world physical letters and packages).

The internet amplified business and allowed companies like Amazon to create new consumer-benefiting models. The internet amplifies espionage capabilities by allowing governments to slurp up an incredibly large amount of data quickly and easily.

The difference between government espionage and economic espionage

"But we stole stuff to keep you free and ... safe. We didn't steal stuff to make you rich, which is really the nub of the issue between ourselves and the Chinese." - Retired Gen. Michael Hayden, a former director of the Central Intelligence Agency and former head of the National Security Agency, from CNBC

I think the more important question is related to economic espionage. Economic espionage means a foreign country (other than the one that owns an innovation) will benefit from the hard work of another without having incurred the costs and risks of R&D. This could lead to an incredible strategic advantage that sometimes becomes irrecoverable (think of Nortel).

People are quick to point the finger at China but I want to burst your bubble and say we simply don't know. The intelligence communities around the world keep tabs on foreign espionage but the general public rarely gets unbiased information. 

As part of our national discussions about government espionage, we need to debate economic espionage policy and determine if this is something we (as the population) want our own countries doing. 

Spying for protection

The reality is that government espionage is used to keep the population safe by foiling terrorism plots early. This is a tool that we (the population) can't take away from our agencies since it benefits us (without the general population realizing).

I hope the debate also leads to discussions about how (and if) this information is used to ensure a level economic playing field between countries. I want to ensure that my government is helping to protect the economic value of the R&D performed by our companies. I want our G20 countries to adopt much clearer cooperation pacts to help protect against economic espionage and to provide helpful guidance to Chief Information Security Officers working at these targeted companies.

Discussions about "Should the government be doing this" aren't useful since that ship has sailed. Discuss how the information can be used and how it should be leveraged to protect the economic engine of our countries (company innovation).

 

Move your email service to Switzerland

InfoSec | Edward Kiledjian

Since the PRISM revelations, we have seen a handful of "secure" email services shutter their doors or close their email services (Silent Circle, Lavabit, etc). Then came the shutdown of websites dependent on anonymity of sources (Groklaw).

With all the turmoil, you may be looking for an email service less likely to bend to the will of the NSA (or other national security agency). I can't think of a better country than Switzerland. The email service recommended by the founder of Groklaw is now offering a less expensive lite version of its email service.

MyKolab's lite version offers a simple email service with no additional add-ons (calendar, tasks, etc) for $5.25US per month. The assumption is that a Swiss company can remain more independent and isn't subject to pressure from foreign intelligence agencies. 

This sounds great, but remember that the US and UK are slurping up internet information at the carrier level, so even if Kolab doesn't provide a backdoor, the agencies can still take in the data as it makes its way through the internet. We also know that all encrypted emails are saved for later analysis and email leaves a trail of metadata (who you emailed, when and how many times).

I understand why people are upset but it's important to remember that nothing revealed so far touches pre-crime and shouldn't cause a panic for the average user. I don't think using this type of service makes you more secure. If you want absolute security, nothing beats a secret face-to-face meeting.

TrueCaller database stolen (millions of telephone numbers)

InfoSec | Edward Kiledjian

Another day brings news of another popular web service getting hacked and having its data stolen. The victim this time is a popular mobile app called TrueCaller. The Syrian Electronic Army claims to have breached TrueCaller's security by exploiting a WordPress flaw and stealing 7 databases.

The Syrian Electronic Army claims to have gained access to 1 million social networking accounts (Facebook, LinkedIn, Twitter and Google) through this exploit. The company itself acknowledged the hack on its website but provided this clarification:

“Our investigation into the matter indicates the attackers were able to access ‘tokens’, which was immediately reset. Metaphorically speaking, a ‘token’ is a unique lock for each user, but what the attackers did not acquire is the needed key, which has also been reset,”

Unfortunately, the truth probably lies somewhere in between both extreme statements.

The SEA also provided this database screenshot as "proof":

After they had harvested the information they needed, they added insult to injury by publishing the login credentials and database name:

The moral of the story? We need to start demanding better security from cloud services and we need to be more judicious about what we store in the cloud.

Washington Post claims Chinese accessed defense information

InfoSec | Edward Kiledjian

The Washington Post claims to have gained access to classified documents stating that Chinese hackers compromised systems containing information about the USA's highly classified cutting-edge defense products (like the F-35 and PAC-3 Patriot missiles).

The report goes on to list other critical defense systems like the Aegis ballistic-missile defense system, F/A-18, V-22, etc. Could this report be the reason the US Government has started to take a much stronger and much more public stance against Chinese hackers?