Insights For Success

Strategy, Innovation, Leadership and Security


Want to be a cyber super spy, try the Shin Bet intelligence challenge

GeneralEdward KiledjianComment

Shin Bet (also known as Shabak) is the Israeli Security Agency, and they are looking for technologically savvy intelligence agents. To discover these rough diamonds, they have created a new online challenge website called the "Shabak Challenge."

You can access this challenge website here. Visitors are challenged to identify a group of terrorists known as “White September”. The introduction on the page says

White September (WS) is a group of arch-terrorists. They are connected to the global Jihadist movement, and are funded by Iran and Hezbollah. Several weeks ago, they used the darknet to declare their intentions of carrying out a mega terror attack in Israel. They nicknamed the operation “Israeli September 11th”. These people are highly sophisticated and utterly merciless.

According to Channel 2, 150,000 would be analysts (from Russia, France, USA, the UK, Turkey, Iraq, etc) have already visited the site but only 2 have successfully completed the challenge. The challenge requires familiarity with advanced hardware and software technologies.

Here is a Youtube ad for the Security Service

Chinese developer charged with espionage

GeneralEdward KiledjianComment
Image by  Katy Levinson  used under Creative Commons License

Image by Katy Levinson used under Creative Commons License

American federal authorities have charged a Chinese developer (believed to be an ex-IBM employee) with stealing source code from big blue. The defendant, Xu Jianqiang was arrested by the FBI in December and since they have raised the indictment to 6 charges (from the original one):  3 x economic espionage and 3 x theft of trade secrets. 

The prosecutor claims the source code was stolen to benefit Chinese authorities and are "a product of decades of work". He was caught while trying to sell his stollen assets to 2 undercover law enforcement agents. The american claim is that he also intended to sell it to  the National Health and Planning Commission of the People's Republic of China.

If he is found guilty of all charges, he could end up in prison for 75 years. 

The internet's bad security is YOUR fault

technologyEdward KiledjianComment
Image by  Nick Carter  used under Creative Commons License

Image by Nick Carter used under Creative Commons License

As a security expert, my biggest security risk (in the corporate world) is people. I can buy the best technology and write the most efficient processes but if people get sloppy, everything falls apart.

Security and convenience (simplicity) are on opposing ends of the spectrum. Ultimate security means no convenience and ultimate convenience means no security. Did I mentioned that only through good security can you get good privacy?

We make decisions about relative importance of security over functionality everyday. If you use an Android smartphone and have enabled GoogleNOW, you understand how practical it can be for the Google hivemind to process everything about you and give you the information you need, when you need it, all without having to do anything. Go to the airport your boarding pass magically shows up on your lock screen or smart watch. Go to a foreign country, get the currency conversion. Go to a new city and see all of the important sights to visit right then and there. We love convenience.  

It is this convenience or simplicity that has caused the explosion of everything-must-connect-to-the-internet syndrome. When connecting to the internet meant you had to be a tech expert, buy $3000 of equipment, then setup complicated dialup services, only the brave wanted in. Now that all of the technical underpinnings are hidden, everyone wants to be on the net. 

But most users forget that the internet is not magic. There are companies and people working in the background to make all of this possible. None of these people or companies are non-profit charities. Our Internet Service Provider (ISP) sees all of our internet traffic. Our email provider knows who we message, why and how often. Our DNS provider knows what sites we visit and how often. SmugMug or Flickr see all of your photos. If you use a Chromebook (and I own one), you want someone to even manage your endpoint device.

Every Time you interact with an internet connected device, remember that it is logging and tracking almost everything you do. Some companies call it telemetry, usage information, meta-data but know it exists. They use it to improve their product and figure out whats popular and whats not. They want to know when something crashed, why and how. Often sending debug information along with the crash report, which could include personal data.

It is these companies, who have access to this treasure trove of personal and sometimes private information, that we are tasking with the  protection of our security and privacy. It is also failures in these companies that can lead to a violation of our privacy. Sometimes these violations are because of lax security controls inside the company. Sometimes these violations are performed by well funded, highly skilled, cyber-spies on behalf of national governments. Sometimes this information is stolen for fun and profit by "bad actors" (organized crime, competitors or the kid next-door).

An article in The Intercept (link) talks about a Snowden leak that claim's GCHQ and NSA operatives stolle the SIM encryption keys from Gemalto. You've never heard of Gemalto but they probably made the SIM card sitting on your cell phone right now. It's moto is "Security to be free". 

Once you have the keys, decrypting traffic is trivial
— Christopher Soghoian, the principal technologist for the American Civil Liberties Union

So it is a bad thing. We didn't want to (or wouldn't) implement security ourselves on our devices so we expect our carrier to do it.  They did, using Gemalto and it is now claimed that the keys uses to protect billions of smartphones has been hacked by national intelligence agencies. 

Secure Instant messaging is a good example. I use the common tools (because everyone is on them) but when I try to convince people to adopt the more secure Threema, they refuse. They want the security but don't want to create and manage keys. Securely exchange keys with the other party, etc. They want someone else to handle everything for them.

In the corporate world we employ expensive highly skilled specialists to manage these security controls because we understand the risks of losing control over our protection mechanisms. We understand the value of what it is we are protecting, but do you? 

Every time you give up some privacy in exchange for convenience (or a free service), do it consciously . Ask yourself what’s in it for the other party and is the trade really worth it?
— Edward N Kiledjian

You are your own security's worst enemy.

The long term solution is

  • more stringent government regulation forcing clearer explanations of what data is collected, how, when, by whom and for what purpose. 
  • more intelligent consumers that are aware "nothing is free" and better equipped to make decisions regarding their personal privacy and security. 

Now go on about your day and be secure

Google's Project Zero wants to protect the internet from evil

technologyEdward KiledjianComment
Image by  Kris Krug  under creative commons license

Image by Kris Krug under creative commons license

Google has created a new initiative called Project Zero where it aims to hire superstar hackers and use them to improve intent security. Their goal will be to use their expertise and Google's resources to find security issues with foundational internet technologies.

Zero-day back market

Newly discovered security issues (bugs, vulnerabilities or anything exploitable) that have not yet been announced are called zero day vulnerabilities. there is a healthy black market buying and selling these vulnerabilities (typical buyers are organized crime, criminals or intelligence agencies). The fact that these are unknown by the manufacturers or general population is what makes these more easily exploitable vulnerabilities worth so much.

In the blog post announcing Project Zero, Google says

You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of “zero-day” vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.

Google is committed to responsible handling of discoveries which means they will first notify affected vendors, give them time to patch the security vulnerabilities before announcing it to the world. 

Google Blog post announcing Project Zero (link)

Database where vulnerabilities will be made public for the general public and academic research (link)

Chinese media demand sanctions against US tech companies

technologyEdward KiledjianComment
Photo by  Rene Mensen  under Creative Commons License

Photo by Rene Mensen under Creative Commons License

3 things we know governments will always do are:

  1. Tax
  2. Spend
  3. Spy

The last point, fueled by the Ed Snowden leaks, seems to be keeping the media busy. Now the China-run state-owned media is calling on the Chinese government to sanction the major US technology companies who are "pawns of the US Government".

China Daily and People's Daily have called upon their leaders to "severely punish" the companies mentioned in the Edward Snowden leaks.

U.S. companies including Apple, Microsoft, Google, Facebook, etc. are all coordinating with the PRISM program to monitor China,
— Peoples Daily Microblog site

Most companies have openly and vehemently denied working with the NSA. One such spokesperson is Google Chief Legal Officer David Drummond

We cannot say this more clearly - the (U.S.) government does not have access to Google servers - not directly, or via a back door, or a so-called drop box

I believe the next few month will be interesting. Let's see how (and if) China takes an official position. It is important to remember that Chinese telcom equipment manufacturers were disqualified from bidding on US government contracts because of concerns about spying. Now that the Snowden leaks show the US may be intercepting Cisco equipment to implant its own hidden tools, could other countries start boycotting US telecom equipment manufacturers?

Source : Reuters