Increasing Understanding of Technology and Communication

Investigation into “Open Secret SS7” Smartphone Hack

US congressman calls for investigation into vulnerability that lets hackers spy on every phone.  Vulnerabilities within SS7 mobile phone network brokerage system allow attackers to listen to calls, read messages and track location using just a phone number.

A US congressman who was hacked as part of a demonstration showing that all you need is someone’s phone number to record their calls, texts and location has called for an oversight committee investigation into the “significant vulnerability.”

The security flaws within the system that brokers connections, billing and transfers messages between phone networks – called Signaling System No 7 (SS7), also known as C7 in the UK or CCSS7 in the US – allow remote access to mobile phone users’ data anywhere in the world regardless of the security of their smartphone, using just their phone number.

The Californian congressman Ted Lieu said: “The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials.”

While encrypted messaging services such as WhatsApp are unaffected, SMS messages and calls placed across the mobile phone network can be listened in to, read and recorded, while the location of the phone can be tracked using the mobile network’s location services independent of GPS or other location technologies on the phone.

Lieu said: “The vulnerability has serious ramifications not only for individual privacy, but also for American innovation, competitiveness and national security. Many innovations in digital security – such as multi-factor authentication using text messages – may be rendered useless.”

The hackers who demonstrated the attack in 2014, and again for 60 Minutes, explained that it is an “open secret” that law enforcement and security services, including the US National Security Agency, are aware of the flaw and use it to spy on targets using just their phone number.

(Makes you wonder about the FBI claims about the San Bernardino case, doesn’t it?  Not to mention their continued assault on Apple.)

As the vulnerability is within the mobile phone network infrastructure, there is nothing users can do to protect themselves beyond switching off their phone.

Read Article (Samuel Gibbs | theguardian.com | 04/19/2016)

This should be an eye-opener!  The Europeans got it right in getting tougher on Internet data privacy for individuals with their recent legislation.  If you need to communicate private information, this is ANOTHER example of why NOT to make it mobile.

There’s another practice the US should adopt from the EU and it’s that individuals (members of society) come before businesses.  The first concern after a data breach should always be the individual, businesses come second, and all press statements should reflect this order of precedence.

Master Level High-Tech Webinars

Internet Data Privacy: Europe Getting Tougher

‘Groundbreaking’ changes strengthen EU privacy protections, enshrine right to be forgotten and give regulators wide-reaching powers.  The European parliament has voted through tougher rules on data protection, aimed at boosting privacy and giving authorities greater powers to take action against companies that breach the rules.

The rules, including the much-needed General Data Protection Regulation (GDPR), were four years in the making and form the new backbone of laws for data regulators to pursue companies with heavy fines – as much as 4% of annual turnover for global companies – for incidents such as data breaches, which have become increasingly common.

Viviane Reding, MEP and former vice-president of the European commission who proposed the changes in 2012, said: “This is a historic day for Europe.  This reform will restore trust in digital services today, thereby reigniting the engine for growth tomorrow.

“There can be no freedom without security, and no security without freedom.  Today’s united adoption of these three legislations sends a strong signal that national security and data protection can and must go hand in hand.”

Replacing the patchwork of national rules

The new data privacy laws encompass the GDPR, which governs the use and privacy of EU citizens’ data, and the Data Protection Directive, which governs the use of EU citizens’ data by law enforcement.

Together they aim to create strong data protection law for Europe’s 500 million citizens, streamline legislation between the 28 member states (pushing a digital single market) and boost police and security cooperation.  They are due to replace the outdated patchwork of national rules that have only allowed for small fines in cases of violation.

Phil Lee, a data protection partner at Fieldfisher, said: “Is this law ground-breaking? Absolutely.  Europe has created the notions of a ‘right to be forgotten’ and of ‘data portability’, and created fines for data breaches that are on a scale equivalent to fines for antitrust violations.  No other region has done that before.  (And no other country.)

“Whatever else may be said about it, the simple fact is that the global standard for data protection will now be dictated by European rules.”

The new laws have already proved controversial with companies wishing to operate with EU citizens’ data, placing an administrative burden on some, including those based outside of Europe. (Facebook)

William Long, a partner at Sidley Austin, said: “Organizations should be under no doubt that now is the time to start the process for ensuring privacy compliance with the regulations.  Importantly, companies outside of Europe, such as those in the US who offer goods and services to Europeans, will fall under the scope of this legislation and will face the same penalties for non-compliance.”

ePrivacy Directive next

The next step in strengthening data regulation across the EU is an overhaul of the ePrivacy Directive, which will now commence in earnest, to bring it in line with the changes laid out in the GDPR.

The European parliament also voted through the EU Passenger Name Record (PNR), which aims to aid law enforcement in tracking people’s movement across Europe.

EC’s first vice-president Frans Timmermans, vice-president of the Digital Single Market Andrus Ansip, and commissioner for justice, consumers and gender equality Věra Jourová, said: “These new rules come at a time when improved cooperation in the fight against terrorism and other serious crime is more necessary than ever, as shown by the recent terrorist attacks in Paris and Brussels.”

Reding added: “Faced with the transnational nature of the digital revolution and the fight against terror, EU-wide rules are the only solution to our problems.

“PNR is an important tool to track terrorists flying in and out of Europe in a much wider toolkit, which should also include the systematic sharing of information in all EU databases.”

Read Article (Samuel Gibbs | theguardian.com | 04/14/2016)

There are normally two victims in the event of a data breach, the business and the consumer.  In the US, media and government agencies seem to treat business as the primary victim but in the EU, they definitely treat the consumer as the primary victim.

Which would you select as the primary victim in the event of a data breach, the business or the consumer?

Cyberwarfare is Anonymous and Here to Stay

Last week, The New York Times revealed that the Obama administration had prepared a cyberattack plan to be carried out against Iran in the event diplomatic negotiations failed to limit that country’s nuclear weapons development.

The plan, code-named Nitro Zeus, was said to be capable of disabling Iran’s air defenses, communications system and parts of its electrical grid.  An option was also included to introduce a computer worm into the Iranian uranium enrichment facility at Fordow, to disrupt the creation of nuclear weapons.  In anticipation of the need, U.S. Cyber Command placed hidden computer code in Iranian computer networks.  According to The New York Times, President Obama saw Nitro Zeus as an option for confronting Iran that was “short of a full-scale war.”

The report, if true (unconfirmed), reflects a growing trend in the use of computers and networks to conduct military activity.

The United States is, of course, not the only practitioner of this digital methodology.  One notable example from recent history involves the apparent Russian assault on the transportation and electrical grid in Ukraine.  That attack, which happened late in 2015, was a “first of its kind” cyber-assault that severely disrupted Ukraine’s power system, affecting many innocent Ukrainian civilians.  It bears noting that the vulnerabilities in Ukraine’s power system are not unique – they exist in power grids across the globe, including the U.S. and other major industrial countries.

Built-in vulnerabilities

The vulnerabilities of digital networks are, in many ways, an inevitable consequence of how the Internet was built.  As then-Deputy Secretary of Defense William Lynn put it in a 2011 speech announcing our military strategy for operating in cyberspace: “The Internet was designed to be open, transparent and interoperable.  Security and identity management were secondary objectives in system design.  This lower emphasis on security … gives attackers a built-in advantage.”

Among the factors that give attackers this built-in advantage, two in particular contribute to the growing sense of unease.

One is the problem of anonymity.  Those who seek to do harm can easily do so at a distance, cloaked in the veil of anonymity behind false or shielded identities in the vastness of the web.  With no built-in identity verification, pretending to be someone else is as easy as getting a new email address or registering a pseudonymous Facebook account.

Unmasking attackers is possible, but requires a significant investment of time and resources.  It also often requires the “good guys” to use “bad guy” techniques to track the wrongdoers, because they need to hack the hackers to find out who they are.  It took a Canadian company, using hacker techniques, more than a year to find out who hacked the Dalai Lama’s official computers – it was the Chinese.

In effect, this anonymity prevents targets from retaliating against attackers.  Though most observers think Russia is behind the Ukrainian assault, there is no truly conclusive proof.  It is very difficult to deter an unknown attacker.  In addition, international coordination to respond to attacks that threaten global stability can be stymied without solid proof of the source of an assault.

A new definition of war

Second, and perhaps more significant, the online world changes the boundaries of war. President Obama seems to think that cyberattacks are less than full-scale war (or so the Times reports).  Is that realistic?  Consider the following hypotheticals – all of which are reasonably plausible.

An adversary of the United States (known or unknown):

  • Disrupts the stock exchanges for two days, preventing any trading;
  • Uses a digital attack to take offline a radar system intended to provide early warning of an aerial attack on America;
  • Steals the plans to the F-35 fighter;
  • Disrupts the Pentagon’s communication system;
  • Introduces a latent piece of malware (a piece of malicious software that can be activated at a later date, sometimes called a “logic bomb”) into a radar station that can disable the station when triggered, but doesn’t trigger it just yet;
  • Makes a nuclear centrifuge run poorly in a nuclear production plant, eventually causing physical damage to the centrifuge; or
  • Implants a worm that slowly corrupts and degrades data on which certain military applications rely (such as GPS location data).

Some acts, like stealing plans for a new jet fighter, won’t be considered an act of war.  Others, like disrupting our military command and control systems, look just like what has been thought of as an act of war.

Introducing uncertainty

But what about the middle ground?  Is leaving a logic bomb behind in a radar station like espionage, or is it similar to planting a mine in another country’s harbor as a preparation for war?  What about the computer code Nitro Zeus allegedly placed in the Iranian electric grid?  And what if that code is still there?

Those who want both ubiquity and security are asking to have their cake and eat it, too.  So long as this Internet is “The Internet,” vulnerability is here to stay.  It can be managed, but it can’t be eliminated.  And that means that those who bear responsibility for defending the network have a persistent challenge of great complexity.

Read Article (Paul Rosenzweig | theconversation.com | 02/24/2016)

The online world does change the boundaries of war, but at least to date there hasn’t been loss of life.  That’s realistic, and it is why the president, like most of us, understands that cyberattacks are less than full-scale war.

Also, today Nitro Zeus is not an option (whether it existed or not), otherwise we would not be reading about it.

Invitation to Legally Hack the U.S. Pentagon

Ok, everyone just calm down, this is an invitation-only event.  On Wednesday the Pentagon invited outside hackers, who have been vetted, to test the cyber security of some public U.S. Defense Department websites as part of a pilot project next month, the first such program ever by the federal government.

“Hack the Pentagon” is modeled after similar competitions known as “bug bounties” conducted by many large U.S. companies, including United Continental Holdings Inc (UAL.N), to discover security gaps in their networks.

Such programs allow cyber experts to find and identify problems before malicious hackers can exploit them, saving money and time in the event of damaging network breaches.  “I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” said Defense Secretary Ash Carter in a statement unveiling the pilot program.

He told reporters it was time for the Pentagon to learn from best practices across industry, especially since the military was “not getting good grades across the enterprise” for its level of cyber security.

“We can’t just keep doing what we’re doing.  The world changes too fast; our competitors change too fast,” he said during a public discussion at the RSA conference.

DJ Patil, the White House’s chief data scientist and a former executive with eBay and LinkedIn, said bounties had become the fastest and most efficient way of securing networks at a time when software was becoming increasingly complex and more difficult to test.  He went on to say that other federal agencies were watching the Pentagon project and could follow suit, which would further enhance collaboration and result in greater economies of scale.

“When people hear ‘bug bounty,’ they think we are just opening ourselves to attack, but what people forget is, we are always under attack these days,” he said.  “By bringing crowds to the problem … you’re getting a jump on the curve.”

The Pentagon has long tested its own networks using internal “red teams,” but this initiative would open at least some of its vast network of computer systems to cyber challenges from across industry and academia.

Participants must be U.S. citizens and will have to submit to a background check (and marijuana test) before being turned loose on a predetermined public-facing computer system. The Pentagon said other more sensitive networks or key weapons programs would not be included, at least initially.

The initiative is being led by the Pentagon’s Defense Digital Service, set up last November to bring experts from the tech sector into the military for short stints.

Read Article (Andrea Shalal | huffingtonpost.com | 03/02/2016)

I truly hope the system enhancements are a success.  But enhancements to federal computer systems alone do not appear to be enough to meet the challenges of our world class competitors’ hackers.

The Digital Era is all pervasive, affecting Cultural, National & International laws as well as the General Public, Governments, Government Officials and even Law Enforcement.  It’s up to each individual to get a little Tech-savvy for their own wellbeing and that of their loved ones.

We provide assistance in this endeavor, but need your funding support to do so.

Public Supports Apple Over The FBI – or Does It?

There were two polls released this week and they show different results!  Oh yes my friends, “the game is afoot”.  These findings reflect a divisive debate between Apple and the U.S. government over the iPhone 5c that belonged to one of the San Bernardino attackers.

Fifty-one percent of respondents to a Pew Research Center poll, released Monday, said Apple should unlock the iPhone in order to help the FBI.  Thirty-eight percent said Apple should not and 11% had no opinion.  The telephone survey of 1,002 adults conducted February 18-21 had a margin of error of plus or minus 3.7%.

The Pew report leads one to believe that a majority of the public – or close to it – wants Apple to unlock the phone – they agree with the FBI’s position.

But wait, according to the results of a national online poll released Wednesday by Reuters/Ipsos, forty-six percent said they agreed with Apple’s position, thirty-five percent said they disagreed, and 20% had no opinion.  The poll of 1,576 adults was conducted February 19-23 and had a margin of error of 3.2%.

There was one notable difference between the two polls: wording of the question posed to the respondents.

Pew Research Center asked:

As you may know, [the FBI has said that accessing the iPhone is an important part of their ongoing investigation into the San Bernardino attacks] while [Apple has said that unlocking the iPhone could compromise the security of other users’ information]. Do you think Apple:

  • Should unlock the iPhone
  • Should NOT unlock the iPhone
  • Don’t know/Refused

The Reuters/Ipsos poll asked:

Apple is opposing a court order to unlock a smart phone that was used by one of the shooters in the San Bernardino attack. Apple is concerned that if it helps the FBI this time, it will be forced to help the government in future cases that may not be linked to national security, opening the door for hackers and potential future data breaches for smartphone users. Do you agree or disagree with Apple’s decision to oppose the court order?

The way in which a poll question is phrased is known to have a significant effect on polling results (similar to “leading the witness”).  The Pew question, which mentioned what the FBI wants and provided less information about Apple’s concerns, could have played a role in how respondents answered that question.

Responses to both polls differed broadly by age group and political affiliation.

The password on the phone in question was accidentally reset soon after the government took possession of it, rendering its information inaccessible.  An auto-erase feature is enabled on iPhones if the password is incorrectly entered 10 times.  Apple says the FBI wants the ability to unlock the phone using multiple password attempts – a method known as brute-forcing.  And last week, a judge ordered Apple to cooperate with the FBI so they could gain access to Farook’s device.

James Comey, the FBI chief, wrote this week the litigation against Apple “is about victims and justice.”  He appeared to have support from the CIA.

Apple’s lawyers, who are expected to file the company’s formal response to the judge’s order by Friday, are reportedly considering using its First Amendment rights to decline cooperating with the FBI.

Read Article (Krishnadev Calamur | theatlantic.com | 02/24/2016)

It should be noted that public opinion should have no bearing on this case.  But it does provide interesting information for the curious.  Also, poll questions should be clear, brief, complete and not leading in any way.  Pew should know better.
