Feeds:
Posts
Comments

Archive for the ‘Cyberterrorists’ Category

Last time I wrote about how the complexity of the presidential voting process in the US is an important defense against cyber-terrorism, and specifically the risk of a foreign power impacting or invalidating such an election. While security by obscurity is not usually a best practice, it has been successfully used in the past. If you make something complex enough, it becomes very difficult to break.

With each state or sometimes county determining the voting process using multiple vendors’ products, and almost all of it not connected to the Internet, it will be very difficult for a coordinated attack against an American presidential election. But the more than fifty different results of the votes across the country are not the final result.

The Electoral College provides another level of defense. While the ballot may indicate a specific candidate’s name, in a presidential election you are voting not for a candidate but for an elector who may promise to vote for that candidate when they “meet” in mid-December. (Today they don’t actually physically get together, but they vote on the Monday after the second Wednesday in December.) Maine and Nebraska apportion the electors based on the popular vote in the state; the other states are “winner-take-all.”

To win, a candidate must get a majority of the Electoral College votes cast, not the largest number of votes cast. Currently, that means that a candidate must have 270 votes to win. The president and vice president are voted on separately in the Electoral College. In case there is no candidate with a majority, the House of Representatives selects the president and the Senate selects the vice president.

The intent of the Electoral College was that the electors would discuss the various candidates and decide on a candidate, hopefully representing the views of the people who voted for the electors. Today, of course, the electors are expected to vote for the candidate they represented on the ballot. Twenty-four states have laws to punish an elector who does not vote for the candidate they represent, but there are no federal laws covering that situation. In 1952, the Supreme Court ruled that such state laws were constitutional and that each elector is a functionary of the state, not the federal government. In other words, Congress may not pass a law restricting what an elector can do.

In case of the death, serious illness, or withdrawal of a candidate who had a majority of the electors before the Electoral College meets, the electors could choose another candidate, probably of the same party.

If no candidate emerges from the Electoral College meeting with a majority, the House of Representatives goes into an immediate session. For this “election,” each state has one vote, and a candidate must receive 26 of the state votes. A minimum of 34 states must be represented in this vote, and only the top three candidates can be considered. The session continues until the house elects a president. The House has chosen the president in 1801 (Thomas Jefferson) and 1825 (John Quincy Adams).

Similarly, the Senate goes into session and chooses between the top two vote getters for vice president. Each Senator gets one vote, and at least 67 Senators must be present. A candidate must get at least 51 votes to win, and the sitting Vice President does not get a vote. The senate chose the vice president in 1837 (Richard Johnson, VP for Martin van Buren).

It is therefore possible to end up with a president from one party and the vice president from another party, especially if different parties control the House and Senate.

The last word:

The constitutional process for the election means that no third party candidate is likely to become president. If the third party candidate does not get a majority of the Electoral College votes, but gets enough to prevent any other candidate from getting a majority, the election goes to the House. The existing members in their lame duck session are not likely to choose someone who isn’t a member of one of the two major parties.

However, this year there is one realistically possible, although unlikely, scenario where a third party candidate wins. And it is not Gary Johnson; it is unlikely that Johnson can get any electoral votes even if he gets more than 10% of the popular vote. But Evan McMullin could. McMullin is a 40-year old ex-CIA overseas operator with Middle East experience, plus experience as an advisor to the House Committee on Foreign Affairs, was the chief policy director of the House Republican Conference and holds standard Republican Party views on most issues. He is a Mormon, is running for President as an independent in Utah, and is polling just 4 percentage points below Trump in this historically solid Republican state. If Mitt Romney, another Mormon, endorses McMullin, it could push him over the top. If McMullin wins in Utah, he gets six Electoral College votes, possibly enough to prevent Hilary Clinton from getting 270 Electoral College votes. He is also on the ballot in ten other states, but unlikely to win any of them. If so, the election goes to the House. The Republican Party controls 33 of the 50 state caucasus, so Clinton will not win. But Trump has burned enough bridges that he will likely get less than the 26 required state caucus votes. The House keeps voting, and must pick from the top three Electoral College vote getters: Clinton, Trump, or McMullin. At some point, the Republican leadership will realize that having someone with Republican views as President is better than having Trump as President.

The Senate gets to choose from the top two vice president candidates, Pence and Kaine. With 54 Republican Senators, Pence will most likely become the Vice President.

Comments solicited.

Keep your sense of humor.

Walt.

Advertisements

Read Full Post »

With the news of targeted attacks against election systems, should the American voter be concerned that the upcoming presidential election could be manipulated or invalidated by a foreign government or cyber-terrorists?

In my view, the short answer is “no.” The reason is that the US election system is so complex and distributed such that there is no single attack point.

Our founding fathers deliberately set up this complex system because of the reality of the late eighteenth century. At that point, the newly born United States with its thirteen states was larger than any country in Europe, spanning over 1,000 miles as the crow flies. Messages and people could only travel at the speed of a walking horse or a sailboat. Just getting from New York City to Philadelphia would usually take at least three days. A voter in Boston would know very little about a candidate from Virginia. With slow communications in mind, the Constitutional Convention made a series of compromises in the summer of 1787 to balance the rights of the individual states and the power the national government needed to make a strong country. One of those compromises gave us our House of Representatives, representing the people, and the Senate, representing the states. For the current topic, the two important compromises were the creation of the Electoral College and giving each individual states control over the election. The result is that each state is responsible for the number of precincts and the number of polling places in that state, and the manner in which votes are cast and collected. While various voting rights acts have impacted the way precincts and districts are defined, the states still retain control over the voting process. In many states, this responsibility is passed down to the individual counties, so that voters could be using multiple voting mechanisms within the same state. A few states, like Oregon, have switched or are in the process of switching to mail only voting.

In the 2004 election, according to Election Data Services, there were about 186,000 precincts. Each precinct represented between 436 and 2,703 registered voters, with an average of around 1,100 registered voters per precinct.

ABC News reported that Russian hackers have targeted more than twenty state voter registration systems and have been successful in hacking four (Illinois, Arizona, Florida, plus another that I have not be able to identify).   Of course, these are the states that have actually made the effort to determine if they had been hacked. How many others have been attacked?

The US Department of Homeland Security (DHS) has offered to help state election boards stay secure, but as of this posting only eighteen states have expressed any interest in that help. DHS has also offered a more comprehensive on-site risk assessment. While four states have expressed interest, DHS is offering this service so late that it will likely only be able to provide one state this service before Election Day. This is yet another example of how the US government is late and slow to respond to cyber security threats.

These attacks may be more about stealing personal information for future identity theft activities, but it is difficult to determine the real purpose of these attacks if they are from Russia.

The good news is that these voter registration systems are not integrated into the actual voting systems. Even if a registration system is damaged, each state has procedures for a “provisional ballot.” You submit a ballot on Election Day, usually on paper in a sealed envelope, and election officials have time to research and confirm or deny the ballot after Election Day but before the official results announcement. Provisional and absentee ballots are generally only counted if they could possibly make a difference for any ballot position or question. The insertion of the Electoral College process provides a significant time window to deal with absentee and provisional ballots.

We have more than fifty different voting systems from multiple vendors distributed across all fifty states, plus precincts in the District of Columbia, territories like Puerto Rico and foreign locations including some embassies and military bases. Since almost all of these voting systems are not connected to the Internet, it will be very difficult for hackers to make a successful attack that can impact an election.

The last word:

This does not mean that we will have a fraud-free election, but it means that we need to continue to be vigilant for the relatively few cases of voter fraud, voter intimidation by groups or individuals, or “lost” ballot boxes. If you are sleeping too much, search for “lost ballot box” on Google.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

This is the last of a series of four blogs about quantum computing. The first was a quick view into the weird world of quantum physics, followed by a look at was capabilities a quantum computer would have. Last time we looked at the significant implications a quantum computer will have on data security.

Here are some examples of where we are today:

  • MIT has created a five-qubit quantum computer (Science, March 2016).
  • D-WaveThe Canadian company D-Wave Systems shipped its first quantum computer in 2010 with 128 qubits. D-Wave has announced the availability of the D-Wave 2X system with more than 1,000 qubits. On the other hand, there are lots of skeptics about whether what D-Wave is creating is really a quantum computer. It clearly uses some quantum capabilities, but if I understand it correctly (a big “if”), it deliberately avoids using superposition and quantum entanglement. If so, it will limit their quantum computer capabilities. However, they are way ahead of anybody else in actually building a computer based on quantum concepts.
  • The Australian company Shoal created a quantum computer for the Australian Department of Defense in 2014, and then spun off QxBranch as a quantum computing software company working closely with D-Wave.
  • California-based Rigetti Computing is developing fault-tolerant gate-based solid state quantum processors that they claim is highly scalable and low cost.

The largest prime number successfully factored by a quantum computer is 56,153 (241 x 233). At this point, the time to factor that 16-bit number with a quantum computer is longer than the time to factor it on modern classical computer. Today’s modern encryption keys have up to 768 bits.

How long will it take to have a quantum computer large enough to threaten today’s network security practices? It took 25 years from the first digital computer (Eniac, 1946) until computers were powerful enough and ubiquitous enough to create the first primitive networks (ARPANET, 1971). It took another 19 years until Tim Berners-Lee created the first web browser in 1990 and the formation of the Internet. It won’t take that long to get real quantum computers, maybe twenty years but more likely closer to ten.

The last word:

You don’t have to worry about a quantum computer cracking your network security and exposing all of your secrets. Yet. You do need to remain vigilant because sometime there will be such a quantum computer. You can bet the first such computers will be deep inside organizations like the US National Security Agency (NSA) and similar organizations in other countries.

For those of us who lived through or even participated in the space race, one of the significant differences between the US and the USSR was openness: the US did everything in public, the USSR did everything in secret and only revealed their successes after the fact. These days, the NSA acts much more like the Soviet model, keeping a tight rein on security products, and with the ability and inclination to prevent technologies from entering the marketplace until the NSA is ready.

Our first indication of the existence of a powerful quantum computer may be the successful attack on a nation’s political, military, financial or physical infrastructure.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

This is the third in my Quantum Computing series. Last time I indicated that the two main areas in which quantum computers will be very much faster than digital computers are searching and factoring. The average individual and almost every company will rarely need the incredible searching capabilities of a large quantum computer, and I suspect that specialized companies will be created in the next twenty years or so to handle the special cases that do come up.

But everyone should be concerned about a quantum computer’s capability to almost instantaneously factor large numbers. To understand why, we have to understand how encryption is actually done in our digital world. There are two main types of encryption: symmetric-key encryption and public-key encryption.

Symmetric-key encryption uses the same key for both encryption and decryption. Both parties must have the same key in order to communicate securely. We use symmetric-key encryption every day: whenever you see https:// (instead of just http://) in an Internet URL, you are using symmetric-key encryption. Symmetric-key encryption algorithms are subject to various attacks based on the process that generates the symmetric key, but the biggest issue is how to securely transmit the key between the two parties. That key sharing usually involves some form of public-key encryption.

Public-key encryption has two keys: a published key that anyone can use to encrypt messages and a private decryption key that only the receiver has. While the process to generate the pair of keys is mathematically amusing, the key component of the process is to multiply two very large prime numbers together. The public key is that product plus another calculated value based on the two primes that form the product. The security of public-key encryption is based on the time it takes with current digital technology to determine the two prime factors that are used to compute the public and private keys. This factoring time goes up exponentially as the key gets larger, so that today by the time some organization could break a code, the data would be of historical interest only.

However, Peter Shor at MIT has shown that a quantum computer could factor large numbers easily, meaning very quickly. Oops.

Quantum computers could end the predominance of public-key encryption algorithms, which would also seriously impact symmetric-key encryption.

The ideal cryptographic protocol is the “one-time pad,” first described in 1882. A one-time pad is a random secret key that is only used once. It was original an actual pad of paper that contained the key, or more likely a set of keys. The pads were then physically carried from one party to the other, often using clandestine methods. The KGB created one-time pads that could fit inside a walnut shell. Today, most symmetric-key algorithms create a one-time use key in real time for short-term use. For example, https security creates a new key for each communication session. If you are communicating with https to multiple sites at the same time from the same browser, each of those communications has a different symmetric key.

Quantum computing to the rescue: Quantum Key Distribution (QKD) allows for the distribution of completely random keys at a distance solving the biggest security problem with symmetric-key encryption. A key generator creates two entangled qubits (perhaps a photon), and sends one to each party. Each party looks at one attribute of the qubit (say polarity), and assigns a bit (0 or 1) based on the attribute value. Due to entanglement, both parties will get the same answer. Repeating this process can generate a symmetric key of any appropriate length, normally no larger than 256 bits.

More importantly, the parties can tell if anyone intercepted their qubit. If someone does intercept the qubit distribution, that interception will disturb the entanglement and the keys will no longer match. Problem solved.

The last word:

Perhaps one of the strangest potential uses of a quantum computer is to simulate quantum systems. This will allow scientists to understand what is really happen at the quantum level, and could perhaps lead to amazing new products in a variety of areas.

We have no idea what the quantum computer will eventually do. Howard Aiken was a pioneer computer engineer and the original conceptual designer behind the IBM Harvard Mark I computer in 1944. In 1952, he said, “Originally one thought that if there were a half dozen large computers in this country, hidden away in research laboratories, this would take care of all requirements we had throughout the country.”

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

I feel a little lazy this week. We just got back from a very busy spring with two cruises: one from Vancouver around Hawaii and back to Vancouver on Holland America and the other from Amsterdam to Budapest on a Viking Longboat. I strongly recommend both cruises. Between the trips we attended a family wedding at the other end of the state.

But cyber attacks continue unabated. Some of the more recent “highlights:”

  • On top of the 191 million voter registration records stolen in December 2015, another 56 million records were captured and exposed, probably by a Christian right-wing organization. While a lot of information in your voter registration file is public, it does include name, address, birth date, and party affiliation. Organizations can use that information to correlate other non-public information including voting history, religious affiliation, charity donations, work place, income level, political leaning, and some really strange information like whether you like auto racing.
  • State Farm had information on 77,000 customers stolen by a hack into DAC Group, a large advertising agency in the US and Canada. While it currently seems that no financial information was stolen; it is likely that these customers had their email addresses stolen. What is instructive, however, is that this information was stolen from a development server at DAC. Security on development systems is often not as comprehensive as on a production system, and one of the reasons to have a development system is to confirm that any enhancements have not impacted data security before the software moves to the production environment. You should never use production data in a development environment. DAC should have known better.
  • A Japanese travel agency, JTB Corp, had personal information for almost 8 million people. One of JTB group companies experienced a targeted email attack, and an employee opened an attached file, which infected their server.
  • On the lighter side, the Cowboys Casino in Calgary, Canada, was attacked and personal information on less than 2,000 customers and staff were stolen. You parents told you not to gamble.

These are just a few of dozens of attacks in June 2016. If you are not having trouble sleeping, check out Norse real-time threat intelligence. This shows a small sub-set in real-time of network attacks based on their service and port. This does not include email or other application-level or OS-level attacks.

The last word:

For those of you in the United States, enjoy the Fourth of July and think about the freedoms we have here.

A number of people we met on the European cruise were from the UK, and this cruise was just before the BREXIT election. Most of them were concerned that the UK might vote to leave. From my perspective, it is past time for the UK to leave the EU. The EU bureaucrats control far too much of what each individual country and company must do, down to specifying the size and shape of wine bottles. These bureaucrats all seem to be socialists. As a result, the growth of the European economy is in last place compared to Africa, Asia, North and South America. However, the European economy is growing faster than the economy of Antarctica.

In 1992, “everyone” predicted dire consequences for the UK economy when it refused to abandon the Pound and move to the Euro. In 1990, the UK entered the European Exchange Rate Mechanism, a prerequisite for adopting the Euro. The UK spent over £6 billion pounds trying to keep its currency within the narrow limits prescribed by the EU, but, led by Prime Minister Tony Blair and his successor Gordon Brown, finally ruled out conversion to the Euro in 2007. One of the best moves in recent UK history.

Before the BREXIT vote, the UK was the fifth largest economy in the world. Do you really think a European company will cease to trade with a UK company because they are no longer in the EU?

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

Over half of the emails I get are spam and potentially contain malware. A few CIO’s have told me that up to 80% of the email that is sent to their company’s email server is spam. Email is the most popular way for cybercriminals and cyber terrorists to get malware into your company’s IT infrastructure or your own personal computers.

MetLifeI recently received an email apparently from MetLife Insurance, complete with Snoopy and the same copyright notices and disclaimers that you would expect to see on a legitimate offer from the company. But it was from Romania.

How did I know it from Romania? The “from” field in the email said “MetLife – Life Insurance”, but when I checked, the actual email address ended in “.ro”, the Internet country code for Romania. Unless you know someone in Romania or do business in Romania, never open an email from there. Romania has many quaint villages and towns, among them Râmnicu Vâlcea. The economy of the 120,000 people who live there is centered around cybercrime, specializing in ecommerce scams (like this MetLife email) or malware attacks on businesses, like yours. The economy is good: lots of expensive BMWs, Audis, and Mercedes, new apartments buildings, gated bungalows, new nightclubs and shopping centers. The US Embassy in Bucharest estimates that Romanian cybercriminals steal US$1 billion from Americans each year.

emailaddressIt is easy to see the actual origin of an email. In most email programs, simply click on the “from” name. Usually to the right of the name will be a triangle symbol. Click on that and you should see something like this, showing the actual email address and giving you options like “Copy Address.” In this case, the email address belongs to linkedin.com so the probability of it being legit is very high. The Met-Life email I received ended with “.ro”.

Another automatically suspect country is The Netherlands (.nl). At least 75% of my spam emails come from either .ro or .nl. If you are curious about an Internet country code, just enter it with the leading period in Wikipedia (e.g., “.no”).

One country has legitimately cashed in on its country code. Tuvalu is a Polynesian island nation midway between Hawaii and Australia that gained independence from the United Kingdom in 1978.   It’s population is less than 11,000. It’s Internet country code is .TV. The domain is currently operated by dotTV, a subsidiary of Verisign. The Tuvalu government owns 20% of dotTV. The net result is that every quarter, the Tuvalu government receives US$1 million for use of the .tv domain. Verisign has been marketing the .tv top-level domain name for rich media content.

What does a very small relatively poor ($3,400 per capital GDP) country do with this predictable income? With its first quarterly payment, it paid the $100,000 it takes to join the United Nations.

But you can receive dangerous emails that look like they are from a friend and actually has your friend’s email address. If you get an email apparently from a friend that has just a link and something like “check this out” do not open it. Check first with your friend to verify that he or she really sent it.

If you are tired of receiving dozens of these emails every week, resist the temptation to respond or click on its “unsubscribe” link. If you respond you simply verify that your email address is valid, and the sender will give or sell that information to other cybercriminals. The “unsubscribe” link is likely to also be a malware installer, immediately infecting your computer. The only thing you should do with a suspect email is to delete it.

Be especially wary of business-like emails that come from generic email addresses like aol, Comcast, gmail, Verizon, or yahoo. For Verizon and Comcast, emails from the companies themselves come from Verizon.com and Comcast.com; emails from subscribers come from Verizon.net and Comcast.net.

If you get an unexpected email that seems to be from someone in your company or a partner that is asking for customer or employee personal information, financial information, or any proprietary information, verify who actually sent it. At a minimum, check the email address and make sure it came from a company email address. I recommend that you call or text the person to make sure the request is bona fide. No one will be unhappy that you “bothered” them to make sure you were not about to cause the company a serious and possibly very expensive problem.

The last word:

Remember that the IRS or Social Security will never ask you for any personal information in an email or over the phone. Unless you initiated the call, do not give Social Security numbers, account numbers, or any other personal or financially sensitive information over the phone. Never put them in an email. And never give passwords to anyone over the phone or in an email.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

The US Internal Revenue Service (IRS) is having a bad year. On top of a serious breach in 2015 that affected at least 330,000 and led to a class action lawsuit against the IRS, 2016 may turn out to be an even worse year for the agency. The lawsuit claims that the IRS knew its website was vulnerable to security breaches but did nothing to mitigate the problem. This is important, because the same systems are responsible for at least some of the 2016 breaches.

So far in 2016:

  • In January cybercriminals used malware to use 464,000 stolen Social Security Numbers to generate over 100,000 e-file personal identification numbers. These numbers along with your Social Security Number enable a cybercriminal to file a fraudulent tax form and generate a refund.
  • In early February, the IRS could not accept electronic filings (e-file) tax forms for at least one day. The IRS claims this failure was not related to the January attack.
  • In early March, the IRS revealed yet another problem: the system the IRS put in to protect those who were victims of the 2015 hack was itself hacked. What would be funny if this was some movie is that the same IRS online identity verification mechanism that was exploited in 2015 was used to verify the online identify of those who were supposedly protected by the new system. The IRS knew that this verification mechanism was the cause of the 2015 breach, and the pending class action suit alleges that the IRS knew of the problem even earlier. Yet, somehow, the IT security people at the IRS thought it would be a good idea to use it again. As of this writing, the IRS claims that this latest attack has resulted in less than 200 fraudulent filings.

If you are a victim of any of these cyber attacks do not expect a lot of help from the IRS. You should receive a letter in the mail indicating that you were potentially a victim. You might first find out when the IRS tells you that you have already filed your return. In any case, expect that it will delay any refund by weeks and will involve several phone calls with the IRS. It may even require that you go to an IRS office and file in person. If a fraudulent refund has already been sent out, the IRS is likely to claim they have already paid you.

The last word:

In fiscal year 2014 the IRS collected $3.1 trillion in revenue and processed 240 million tax returns. You should expect the IRS to be very careful with the information they keep on every taxpaying individual and corporation in the US. You will be very disappointed. The IRS used to take pride in its ability to protect taxpayer information, but that is clearly not even on their priority list. The 2015 hack enabled cybercriminals to steal $50 million of your tax dollars by using identity theft to file for bogus tax refunds. While $50 million is a very small percentage of $3.1 trillion, each fraudulent tax filing has a serious impact on an individual or company. Also, the stolen information can and has been used in other identity theft exploits.

Even if the IRS has not yet told you it has exposed your information, check your free credit reports periodically looking for new accounts or other fraudulent activity. You can check each of the three agencies (Equifax, Experian, and TransUnion) once a year for free. I recommend that you spread them out over the year, checking one every four months.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

Older Posts »