Archive for the ‘Encryption’ Category

Last time I wrote about how the complexity of the presidential voting process in the US is an important defense against cyber-terrorism, and specifically the risk of a foreign power impacting or invalidating such an election. While security by obscurity is not usually a best practice, it has been successfully used in the past. If you make something complex enough, it becomes very difficult to break.

With each state or sometimes county determining the voting process using multiple vendors’ products, and almost all of it not connected to the Internet, it will be very difficult to mount a coordinated attack against an American presidential election. But the more than fifty different results of the votes across the country are not the final result.

The Electoral College provides another level of defense. While the ballot may indicate a specific candidate’s name, in a presidential election you are voting not for a candidate but for an elector who may promise to vote for that candidate when they “meet” in mid-December. (Today they don’t actually physically get together, but they vote on the Monday after the second Wednesday in December.) Maine and Nebraska apportion the electors based on the popular vote in the state; the other states are “winner-take-all.”

To win, a candidate must get a majority of the Electoral College votes cast, not the largest number of votes cast. Currently, that means that a candidate must have 270 votes to win. The president and vice president are voted on separately in the Electoral College. In case there is no candidate with a majority, the House of Representatives selects the president and the Senate selects the vice president.

The intent of the Electoral College was that the electors would discuss the various candidates and decide on a candidate, hopefully representing the views of the people who voted for the electors. Today, of course, the electors are expected to vote for the candidate they represented on the ballot. Twenty-four states have laws to punish an elector who does not vote for the candidate they represent, but there are no federal laws covering that situation. In 1952, the Supreme Court ruled that such state laws were constitutional and that each elector is a functionary of the state, not the federal government. In other words, Congress may not pass a law restricting what an elector can do.

In case of the death, serious illness, or withdrawal of a candidate who had a majority of the electors before the Electoral College meets, the electors could choose another candidate, probably of the same party.

If no candidate emerges from the Electoral College meeting with a majority, the House of Representatives goes into an immediate session. For this “election,” each state has one vote, and a candidate must receive 26 of the state votes. A minimum of 34 states must be represented in this vote, and only the top three candidates can be considered. The session continues until the House elects a president. The House has chosen the president in 1801 (Thomas Jefferson) and 1825 (John Quincy Adams).

Similarly, the Senate goes into session and chooses between the top two vote getters for vice president. Each Senator gets one vote, and at least 67 Senators must be present. A candidate must get at least 51 votes to win, and the sitting Vice President does not get a vote. The Senate chose the vice president in 1837 (Richard Johnson, VP for Martin Van Buren).

It is therefore possible to end up with a president from one party and the vice president from another party, especially if different parties control the House and Senate.

The last word:

The constitutional process for the election means that no third party candidate is likely to become president. If the third party candidate does not get a majority of the Electoral College votes, but gets enough to prevent any other candidate from getting a majority, the election goes to the House. The existing members in their lame duck session are not likely to choose someone who isn’t a member of one of the two major parties.

However, this year there is one realistically possible, although unlikely, scenario where a third party candidate wins. And it is not Gary Johnson; it is unlikely that Johnson can get any electoral votes even if he gets more than 10% of the popular vote. But Evan McMullin could. McMullin is a 40-year-old ex-CIA overseas operator with Middle East experience, plus experience as an advisor to the House Committee on Foreign Affairs; he was the chief policy director of the House Republican Conference and holds standard Republican Party views on most issues. He is a Mormon, is running for President as an independent in Utah, and is polling just 4 percentage points below Trump in this historically solid Republican state. If Mitt Romney, another Mormon, endorses McMullin, it could push him over the top. If McMullin wins in Utah, he gets six Electoral College votes, possibly enough to prevent Hillary Clinton from getting 270 Electoral College votes. He is also on the ballot in ten other states, but unlikely to win any of them. If so, the election goes to the House. The Republican Party controls 33 of the 50 state caucuses, so Clinton will not win. But Trump has burned enough bridges that he will likely get less than the 26 required state caucus votes. The House keeps voting, and must pick from the top three Electoral College vote getters: Clinton, Trump, or McMullin. At some point, the Republican leadership will realize that having someone with Republican views as President is better than having Trump as President.

The Senate gets to choose from the top two vice president candidates, Pence and Kaine. With 54 Republican Senators, Pence will most likely become the Vice President.

Comments solicited.

Keep your sense of humor.



With the news of targeted attacks against election systems, should the American voter be concerned that the upcoming presidential election could be manipulated or invalidated by a foreign government or cyber-terrorists?

In my view, the short answer is “no.” The reason is that the US election system is so complex and distributed that there is no single attack point.

Our founding fathers deliberately set up this complex system because of the reality of the late eighteenth century. At that point, the newly born United States with its thirteen states was larger than any country in Europe, spanning over 1,000 miles as the crow flies. Messages and people could only travel at the speed of a walking horse or a sailboat. Just getting from New York City to Philadelphia would usually take at least three days. A voter in Boston would know very little about a candidate from Virginia. With slow communications in mind, the Constitutional Convention made a series of compromises in the summer of 1787 to balance the rights of the individual states and the power the national government needed to make a strong country. One of those compromises gave us our House of Representatives, representing the people, and the Senate, representing the states. For the current topic, the two important compromises were the creation of the Electoral College and giving each individual state control over the election. The result is that each state is responsible for the number of precincts and the number of polling places in that state, and the manner in which votes are cast and collected. While various voting rights acts have impacted the way precincts and districts are defined, the states still retain control over the voting process. In many states, this responsibility is passed down to the individual counties, so that voters could be using multiple voting mechanisms within the same state. A few states, like Oregon, have switched or are in the process of switching to mail only voting.

In the 2004 election, according to Election Data Services, there were about 186,000 precincts. Each precinct represented between 436 and 2,703 registered voters, with an average of around 1,100 registered voters per precinct.

ABC News reported that Russian hackers have targeted more than twenty state voter registration systems and have been successful in hacking four (Illinois, Arizona, Florida, plus another that I have not been able to identify). Of course, these are the states that have actually made the effort to determine if they had been hacked. How many others have been attacked?

The US Department of Homeland Security (DHS) has offered to help state election boards stay secure, but as of this posting only eighteen states have expressed any interest in that help. DHS has also offered a more comprehensive on-site risk assessment. While four states have expressed interest, DHS is offering this service so late that it will likely only be able to provide one state this service before Election Day. This is yet another example of how the US government is late and slow to respond to cyber security threats.

These attacks may be more about stealing personal information for future identity theft activities, but it is difficult to determine the real purpose of these attacks if they are from Russia.

The good news is that these voter registration systems are not integrated into the actual voting systems. Even if a registration system is damaged, each state has procedures for a “provisional ballot.” You submit a ballot on Election Day, usually on paper in a sealed envelope, and election officials have time to research and confirm or deny the ballot after Election Day but before the official results announcement. Provisional and absentee ballots are generally only counted if they could possibly make a difference for any ballot position or question. The insertion of the Electoral College process provides a significant time window to deal with absentee and provisional ballots.

We have more than fifty different voting systems from multiple vendors distributed across all fifty states, plus precincts in the District of Columbia, territories like Puerto Rico and foreign locations including some embassies and military bases. Since almost all of these voting systems are not connected to the Internet, it will be very difficult for hackers to make a successful attack that can impact an election.

The last word:

This does not mean that we will have a fraud-free election, but it means that we need to continue to be vigilant for the relatively few cases of voter fraud, voter intimidation by groups or individuals, or “lost” ballot boxes. If you are sleeping too much, search for “lost ballot box” on Google.

Comments solicited.

Keep your sense of humor.



This is the last of a series of four blogs about quantum computing. The first was a quick view into the weird world of quantum physics, followed by a look at what capabilities a quantum computer would have. Last time we looked at the significant implications a quantum computer will have on data security.

Here are some examples of where we are today:

  • MIT has created a five-qubit quantum computer (Science, March 2016).
  • The Canadian company D-Wave Systems shipped its first quantum computer in 2010 with 128 qubits. D-Wave has announced the availability of the D-Wave 2X system with more than 1,000 qubits. On the other hand, there are lots of skeptics about whether what D-Wave is creating is really a quantum computer. It clearly uses some quantum capabilities, but if I understand it correctly (a big “if”), it deliberately avoids using superposition and quantum entanglement. If so, it will limit their quantum computer capabilities. However, they are way ahead of anybody else in actually building a computer based on quantum concepts.
  • The Australian company Shoal created a quantum computer for the Australian Department of Defense in 2014, and then spun off QxBranch as a quantum computing software company working closely with D-Wave.
  • California-based Rigetti Computing is developing fault-tolerant gate-based solid state quantum processors that they claim are highly scalable and low cost.

The largest number successfully factored by a quantum computer is 56,153 (241 x 233). At this point, the time to factor that 16-bit number with a quantum computer is longer than the time to factor it on a modern classical computer. Today’s modern encryption keys have up to 768 bits.

How long will it take to have a quantum computer large enough to threaten today’s network security practices? It took 25 years from the first digital computer (ENIAC, 1946) until computers were powerful enough and ubiquitous enough to create the first primitive networks (ARPANET, 1971). It took another 19 years until Tim Berners-Lee created the first web browser in 1990 and the formation of the Internet. It won’t take that long to get real quantum computers, maybe twenty years but more likely closer to ten.

The last word:

You don’t have to worry about a quantum computer cracking your network security and exposing all of your secrets. Yet. You do need to remain vigilant because sometime there will be such a quantum computer. You can bet the first such computers will be deep inside organizations like the US National Security Agency (NSA) and similar organizations in other countries.

For those of us who lived through or even participated in the space race, one of the significant differences between the US and the USSR was openness: the US did everything in public, the USSR did everything in secret and only revealed their successes after the fact. These days, the NSA acts much more like the Soviet model, keeping a tight rein on security products, and with the ability and inclination to prevent technologies from entering the marketplace until the NSA is ready.

Our first indication of the existence of a powerful quantum computer may be the successful attack on a nation’s political, military, financial or physical infrastructure.

Comments solicited.

Keep your sense of humor.



This is the third in my Quantum Computing series. Last time I indicated that the two main areas in which quantum computers will be very much faster than digital computers are searching and factoring. The average individual and almost every company will rarely need the incredible searching capabilities of a large quantum computer, and I suspect that specialized companies will be created in the next twenty years or so to handle the special cases that do come up.

But everyone should be concerned about a quantum computer’s capability to almost instantaneously factor large numbers. To understand why, we have to understand how encryption is actually done in our digital world. There are two main types of encryption: symmetric-key encryption and public-key encryption.

Symmetric-key encryption uses the same key for both encryption and decryption. Both parties must have the same key in order to communicate securely. We use symmetric-key encryption every day: whenever you see https:// (instead of just http://) in an Internet URL, you are using symmetric-key encryption. Symmetric-key encryption algorithms are subject to various attacks based on the process that generates the symmetric key, but the biggest issue is how to securely transmit the key between the two parties. That key sharing usually involves some form of public-key encryption.

Public-key encryption has two keys: a published key that anyone can use to encrypt messages and a private decryption key that only the receiver has. While the process to generate the pair of keys is mathematically amusing, the key component of the process is to multiply two very large prime numbers together. The public key is that product plus another calculated value based on the two primes that form the product. The security of public-key encryption is based on the time it takes with current digital technology to determine the two prime factors that are used to compute the public and private keys. This factoring time goes up exponentially as the key gets larger, so that today by the time some organization could break a code, the data would be of historical interest only.

However, Peter Shor at MIT has shown that a quantum computer could factor large numbers easily, meaning very quickly. Oops.

Quantum computers could end the predominance of public-key encryption algorithms, which would also seriously impact symmetric-key encryption.
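To make the dependence on factoring concrete, here is a toy RSA key pair, added as an example and not taken from the original post. It uses the number 56,153 = 241 x 233 mentioned elsewhere on this page as the modulus; the public exponent 17, the sample message and all function names are assumptions of the example, and trial division stands in for the factoring step that is only practical here because the number is tiny.

```python
"""Toy RSA on 56,153 = 241 x 233 (added example; far too small for real use)."""
from math import gcd, isqrt

P, Q = 241, 233   # the two primes quoted on this page
E = 17            # assumed public exponent, picked for this example


def make_keypair(p, q, e):
    """Return ((n, e), (n, d)): the published key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)      # easy to compute only when p and q are known
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message, public):
    """Anyone holding the published key can do this."""
    n, e = public
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def decrypt(ciphertext, private):
    """Only the holder of d is supposed to be able to do this."""
    n, d = private
    return pow(ciphertext, d, n)


def factor_semiprime(n):
    """Split n into its two primes by trial division.

    This is the step whose cost protects real keys: it is instant for a
    16-bit modulus and hopeless on classical hardware for a modulus of
    thousands of bits.
    """
    if n % 2 == 0:
        return 2, n // 2
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no non-trivial factor found")


def private_key_from_public(public):
    """Rebuild the private key using nothing but the published key."""
    n, e = public
    p, q = factor_semiprime(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def demo():
    public, private = make_keypair(P, Q, E)
    ciphertext = encrypt(4242, public)           # constructed sample message
    rebuilt = private_key_from_public(public)    # no secret input needed
    return public, private, rebuilt, decrypt(ciphertext, rebuilt)


if __name__ == "__main__":
    public, private, rebuilt, plaintext = demo()
    print("published key:     ", public)
    print("private key:       ", private)
    print("rebuilt by factoring:", rebuilt)
    print("recovered message: ", plaintext)
```

Once the modulus is factored, the private exponent follows from one modular inverse, which is why a fast factoring method removes the protection regardless of how the rest of the system is built.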

The ideal cryptographic protocol is the “one-time pad,” first described in 1882. A one-time pad is a random secret key that is only used once. It was originally an actual pad of paper that contained the key, or more likely a set of keys. The pads were then physically carried from one party to the other, often using clandestine methods. The KGB created one-time pads that could fit inside a walnut shell. Today, most symmetric-key algorithms create a one-time use key in real time for short-term use. For example, https security creates a new key for each communication session. If you are communicating with https to multiple sites at the same time from the same browser, each of those communications has a different symmetric key.

Quantum computing to the rescue: Quantum Key Distribution (QKD) allows for the distribution of completely random keys at a distance, solving the biggest security problem with symmetric-key encryption. A key generator creates two entangled qubits (perhaps photons), and sends one to each party. Each party looks at one attribute of the qubit (say polarity), and assigns a bit (0 or 1) based on the attribute value. Due to entanglement, both parties will get the same answer. Repeating this process can generate a symmetric key of any appropriate length, normally no larger than 256 bits.

More importantly, the parties can tell if anyone intercepted their qubit. If someone does intercept the qubit distribution, that interception will disturb the entanglement and the keys will no longer match. Problem solved.
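The exchange and the interception check described above can be simulated classically; this is an added example, not code from the original post. It goes beyond the post's description by having each party pick one of two measurement settings at random, the step that makes an interception show up as mismatched bits; the setting names, the 5% threshold and the function names are assumptions of the example.

```python
"""Classical simulation of entanglement-based key distribution (added example)."""
import random

SETTINGS = ("rectilinear", "diagonal")   # assumed pair of measurement settings


def measure(photon, setting, rng):
    """Measure a photon whose state is (setting, bit).

    The same setting returns the stored bit; the other setting returns a
    coin flip, which is how a mismatched measurement behaves.
    """
    prepared_setting, bit = photon
    return bit if setting == prepared_setting else rng.randint(0, 1)


def distribute(pairs, intercepted, seed):
    """Send `pairs` entangled pairs and return (alice_key, bob_key).

    Only pairs where both parties happened to use the same setting are
    kept; the settings (not the bits) are compared in public afterwards.
    """
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(pairs):
        a_setting = rng.choice(SETTINGS)
        b_setting = rng.choice(SETTINGS)
        if intercepted:
            # The interceptor measures Bob's photon in a guessed setting and
            # forwards a replacement. That measurement fixes the state of
            # both photons, so the entanglement is gone.
            collapsed = (rng.choice(SETTINGS), rng.randint(0, 1))
            a_bit = measure(collapsed, a_setting, rng)
            b_bit = measure(collapsed, b_setting, rng)
        else:
            a_bit = rng.randint(0, 1)                      # random outcome
            b_bit = measure((a_setting, a_bit), b_setting, rng)
        if a_setting == b_setting:
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key


def mismatch_rate(alice_bits, bob_bits):
    """Fraction of positions where the two parties disagree."""
    if not alice_bits:
        raise ValueError("no bits to compare")
    return sum(a != b for a, b in zip(alice_bits, bob_bits)) / len(alice_bits)


def check_channel(alice_key, bob_key, sample_size, seed, threshold=0.05):
    """Reveal a random sample of bits, compare them, and discard them.

    Returns (clean, rate, alice_rest, bob_rest). A rate above `threshold`
    means the keys must be thrown away.
    """
    rng = random.Random(seed)
    size = min(sample_size, len(alice_key))
    revealed = set(rng.sample(range(len(alice_key)), size))
    ordered = sorted(revealed)
    rate = mismatch_rate([alice_key[i] for i in ordered],
                         [bob_key[i] for i in ordered])
    rest = [i for i in range(len(alice_key)) if i not in revealed]
    return (rate <= threshold, rate,
            [alice_key[i] for i in rest], [bob_key[i] for i in rest])


if __name__ == "__main__":
    for label, tapped in (("quiet line", False), ("tapped line", True)):
        a, b = distribute(20000, tapped, seed=7)
        clean, rate, _, _ = check_channel(a, b, 500, seed=11)
        print(f"{label}: sampled mismatch {rate:.3f}, usable={clean}")
```

On an undisturbed line the sampled bits agree exactly; with an intercept-and-resend tap about a quarter of the kept bits disagree, which is the signal the two parties use to discard the key.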

The last word:

Perhaps one of the strangest potential uses of a quantum computer is to simulate quantum systems. This will allow scientists to understand what is really happening at the quantum level, and could perhaps lead to amazing new products in a variety of areas.

We have no idea what the quantum computer will eventually do. Howard Aiken was a pioneer computer engineer and the original conceptual designer behind the IBM Harvard Mark I computer in 1944. In 1952, he said, “Originally one thought that if there were a half dozen large computers in this country, hidden away in research laboratories, this would take care of all requirements we had throughout the country.”

Comments solicited.

Keep your sense of humor.



If you want the full financial and operational value of Cloud Computing, then you want to use a public cloud. The advantages over private clouds include:

  • Low upfront costs.
  • Clear relationship between cost and benefit with pay-for-use model.
  • Easy to try new projects, easy to make changes.
  • Flexible.
  • A wide choice of Service Level Agreements (SLAs).
  • Easy to provide a world-wide presence.

Of course, there are some public cloud disadvantages, the most critical being security, performance and availability. At this point in time, you can easily meet most performance and availability requirements from a variety of CSPs; security is more difficult. In a public cloud environment, you do not control physical access, and you have no control over who is sharing common infrastructure including networks, server hardware, and storage systems. But there is a way to secure your data both between your facility and your public cloud CSP and within the CSP’s infrastructure: combine Unisys Stealth with Amazon Web Services (AWS).

The basic principle behind Stealth is to only allow a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system that is used to authenticate a user when the user signs on.

If you are responsible for protecting your company’s proprietary information or your customers’ private information, or are concerned with compliance, you should at least look at Unisys Stealth. If you are responsible for a government database involving individuals’ information or classified data, you should also be looking at Unisys Stealth.

I have talked about Unisys Stealth before, Amazon Secure Storage Service (Amazon S3), and the combination in “Secure Public Cloud” back in 2013. What has changed are some significant “under the covers” enhancements to Unisys Stealth, the incorporation of Stealth into the AWS Marketplace, and additional operational facilities to enable you to easily extend your datacenter into the AWS cloud to handle expected, or unexpected, sudden increases in resource demand.

The combination protects communication between your AWS virtual servers even within the same physical server, encrypts all communication among the servers in your data center and the servers in the AWS cloud, and controls access based on roles. You control the security access policies that define who and what can communicate, allowing you to isolate applications within your environment for business or compliance reasons.

Stealth subscriptions are sold through the AWS Marketplace; you get one bill from Amazon for everything including Stealth. It is available in every AWS region. Suddenly you can open a presence anywhere quickly and inexpensively, and react to unexpected growth from anywhere.

One of the most important characteristics of Unisys Stealth and AWS is that there is no back door. Unisys, Amazon, and any network component between do not have your encryption keys. Your government cannot force Unisys or Amazon to provide access to your data; they do not have a way to break in. Even if you are OK with your government gaining access to your information at any time without providing notice to you, you should be very concerned. If your government can get in, then so can any other government, cybercriminal or cyberterrorist by using the same back door for access. Another important benefit of Stealth is that even if a cybercriminal is able to insert malware on one of your servers in the AWS cloud, that server would not be able to transmit anything back to the cybercriminals because Stealth will prevent your server from communicating to any device that is not part of a community of interest that you have defined.

The last word:

Unisys has been around since 1886, and is one of the few survivors of the initial computer revolution designing and building commercial and government computers since the 1940s, computer systems that continue to perform “bet the business” functions. Support is a key element of that environment, and no matter how big or small your company is, you still get that enterprise level support from Unisys. Sure, Unisys has the on-line self-help site with all of the technical documentation and discussion you might want, but you can always pick up the phone and talk to a real person who is knowledgeable on the product, and is probably located within one or two time zones of you.

Curious? Check it out with a Unisys AWS test drive.

Comments solicited.

Keep your sense of humor.



Ransomware is like the elementary school bully who steals your lunch and won’t give it back until you give him a quarter. Except in this case, it is all or most of the files on your computer’s hard drive, and the cost to restore your data is hundreds of dollars.

The first known ransomware attack was back in 1989. Widespread ransomware attacks started in Russia in 2005. By 2012 the attacks had spread outside of Russia, especially to Europe and North America. They work by either encrypting your files or locking access to your system via a variety of means, from constantly putting pornographic pictures over everything on your screen to running a fake version of Windows that won’t do anything until you pay.

There are ransomware attacks for Windows, Mac OS, iOS, and Android systems.

Payment is almost always through some form of electronic currency like Bitcoin. These virtual monetary systems are anonymous and it is very difficult for authorities to track the destination of the payments. However, some ransom notes have you call a “toll-free” number to get a key to release your files or system, except the phone number is routed through a country with very high long-distance rates, and the operator “needs” to put you on hold for several minutes before giving you the code. You could end up with a several hundred dollar item on your next phone bill.

Sometimes the pop-up on your screen looks like it came from a law enforcement agency like the FBI in the US, Scotland Yard in the UK, or your local police agency. The notification page claims the agency locked your computer because they detected illegal files on your computer: usually porn or terrorism-related material. Once you get over the official looking notification with all the correct logos and badges and can read it calmly, it looks like a scam. Often the wording is awkward, and, really, is the FBI going to ignore your alleged terrorism-related activities if you Bitcoin them a few hundred dollars?

By the end of 2013, security expert Symantec reported 600,000 ransomware attacks a month, and expects these attacks to increase substantially in 2016 across all platforms.

If you get a ransomware notification on your business or personal computer, tablet or smart phone, do not pay the ransom. They may give you the key, or they may not. These are cybercriminals, not necessarily known for their ethics. Once the malware is loaded, they can bully you again as often as they want until you clean it off of your system. Have a five-minute rant, calm down, reload a fresh copy of the OS and then restore your files from your latest backup.

The solution, of course, is not to be attacked by ransomware. While you can never be completely protected, here are four things that you should already be doing.

  1. Practice safe clicking. Always check the link in an email or on a website that you are not positive is friendly. Check out my last post for how to do that. Most ransomware comes in through a standard malware attack.
  2. Keep your software up-to-date. Cybercriminals and cyberterrorists are always looking for new vulnerabilities, and they are very good at it. Once they find one, they pass the information on to other cyber attackers. Fortunately, the good guys are also looking for vulnerabilities and making updates to their software to close vulnerabilities as they find them. But if you do not have the latest software, you still have those vulnerabilities.
  3. Use a good security software package that is more than just anti-virus.
  4. Back up often. No, even more often than that. Periodically, ask yourself when you or your automated backup mechanism made your last backup. Then ask how much grief it would be to redo everything you had done since then. Macintosh Time Machine and Windows 10 File History back up changed files every hour, but only if you have an external hard drive and the option turned on.

In one recent example, Hollywood Presbyterian Medical Center paid cyber-terrorists 40 bitcoins (about $17,000) to get the key to release the hospital’s data. I call this a cyber-terrorist attack because it put every patient in the hospital at risk of death or serious injury when doctors and nurses can no longer access the patients’ records or get access to diagnostic information from monitoring or diagnostic equipment. Hollywood Presbyterian Medical Center is a private hospital in Los Angeles with 434 beds. The hospital CEO, Allen Stefanek, said that paying the terrorists was the “quickest and most efficient way” to regain control of their data systems. The malware attack was first noticed on February 5, and was fully functioning until 10 days later. Clearly, this hospital IT department was not prepared for any kind of a disaster. I expect they will be attacked again, probably by the same terrorists.

The FBI is investigating, but I would not expect them to catch anybody.

The last word:

Packages like Time Machine and File History are great for automatically backing up in the background while you are working, and in general mean you never have more than one hour’s worth of work to recover. They also make recovery easy, and can give you the file as it was yesterday or last week in case you really messed it up and do throw away the last change effort.

However, they are not very effective in two cases:

  1. If you have a building failure, they are likely to also get destroyed. A building failure is a case where you cannot get back into the building, perhaps because of a fire, earthquake, biological contamination, police or military action, or terrorist act.
  2. Some ransomware not only makes the files on your computer’s hard drive inaccessible, but will also destroy or encrypt the files on any attached hard drives, like your Time Machine or File History drive.

If you are paranoid, like me, you should also have an offsite backup. It is now fairly easy and inexpensive to do this with packages like Microsoft OneDrive, Apple iCloud, Carbonite, and a host of others.

Comments solicited.

Keep your sense of humor.



Google has created contact lenses that can monitor your glucose levels for diabetes control. Fitbit and Jawbone’s Up monitor functions like heart rate, calorie intake and sleep patterns. MC10 created BioStamp, a digital tattoo to collect data on body temperature, hydration levels, UV exposure and more. Proteus has developed a pill with sensors that work with a patch on the skin to measure a range of bodily functions. Or it can tell your doctor that you forgot to take your medicine.

All of this data can be uploaded, hopefully only to someplace you trust.

The next obvious step is already in use in Sweden: a chip implanted under your skin to allow you access to your office building, a cup of coffee, or the copier. Wave a hand to get entry, pick up your phone or tablet to unlock it, wave at your bicycle to unlock it, and soon pay for lunch in the cafeteria.

The implant is an RFID chip the size of a grain of rice. The chip has no battery: it is powered by the radio energy transmitted by the reader. All it contains is a unique number. The building’s servers are told which chips are allowed to open each door, make a copy on a particular copier, or what checking account to debit for lunch.

The Swedish Biohacking Group BioHyfiken manages this particular experiment at the Epicenter building complex in Stockholm. They view this office building as the start of something big. As Hannes Sjoblad, Epicenter’s chief disruption officer and a member of BioHyfiken said, “We want to be able to understand this technology before big corporates and big government come to us and say everyone should get chipped — the tax authority chip, the Google or Facebook chip.”

The Epicenter systems require that the chip be virtually touching the reading device, which sometimes means getting your wrist twisted to just the correct angle. But the range of these passive RFID chips can be up to 12 meters (almost 40 feet). For practical access control and security reasons you probably want to only read chips that are very close to the reader in order to only open a door you are really going to enter, not just because you walk by down the center of the hall. These chips are very inexpensive, currently about US$0.15 each. Expect that price to drop by at least 50% over the next couple of years.

But RFID is the technology that works with E-ZPass, the northeast US gadget that lets you drive under a road sensor at 65 miles per hour to pay road tolls without stopping, or the more complicated transponders used for PrePass to allow trusted truckers to bypass the long lines at weigh stations.

The uses of this kind of technology are as wide as your imagination. I once worked on a school attendance recording and reporting system that had to keep track of students’ attendance down to the tenth of an hour. If each student had an implanted chip, we could have easily captured when he entered and left the room, eliminating a lot of manual and error-prone effort by the teachers or aides. It would also have been difficult for a student to cheat by having someone else attend in his place.

For health care, having an embedded chip would allow any health care provider to immediately access that individual’s health care data even if the patient had no identification and could not respond to questions. This could eliminate the check-in process, whether for a normal office visit or a ride in an ambulance, and help in correct administration of medicine and procedures.

US Passports, along with those of many other countries, now contain a chip that is really a computer with its own storage of biometric and other identification data. A chip-enhanced passport goes by many names, including “biometric passport”, “e-passport” and “digital passport”.

It is reasonable to assume a future where every child is implanted with a chip at birth, and that chip becomes the driver’s license, voter registration, credit card, and health record for the individual until they die.

What do you think of this future? Oh, and by the way that future is probably less than 10 years away.

The last word:

Security is a big issue, especially with simple RFID chips like those used in the Stockholm Epicenter building. It would be trivial to capture the ID number from your chip with a reader hidden in the pocket of someone just walking by on the street. You would never know it happened, until the criminal created a duplicate chip and started using it. Suddenly, you can be placed at the scene of a crime when you were sleeping miles away, or have your bank account drained. It is possible to have fairly good security, comparable with what biometric passports have. But that comes at a higher price, and can still be compromised.
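The difference between the two designs, as an added example that is not from the original post: a reader that trusts a transmitted ID number, next to a reader that checks a keyed answer to a fresh challenge. The HMAC challenge-response scheme, class names, chip ID and door name are assumptions chosen for illustration; this is not the passport protocol or the Epicenter system.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the chip ID and door name are made up.
ACL = {"server-room": {"04A1B2C3"}}

class StaticDoor:
    """Reader that trusts whatever ID number is transmitted to it."""
    def __init__(self, door):
        self.door = door

    def admit(self, transmitted_id):
        return transmitted_id in ACL[self.door]

class KeyedChip:
    """Hypothetical chip: holds a secret key that is never transmitted."""
    def __init__(self, chip_id, key):
        self.chip_id, self._key = chip_id, key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ChallengeDoor:
    """Reader that issues a fresh random challenge for every attempt."""
    def __init__(self, door, keys):
        self.door, self._keys, self._pending = door, keys, None

    def challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def admit(self, chip_id, response):
        challenge, self._pending = self._pending, None  # single use
        key = self._keys.get(chip_id)
        if challenge is None or key is None or chip_id not in ACL[self.door]:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    key = secrets.token_bytes(32)
    chip = KeyedChip("04A1B2C3", key)
    # Static model: the overheard ID is the whole credential.
    static_replay = StaticDoor("server-room").admit(chip.chip_id)
    door = ChallengeDoor("server-room", {chip.chip_id: key})
    overheard = chip.respond(door.challenge())    # one legitimate exchange
    legit = door.admit(chip.chip_id, overheard)
    door.challenge()                              # next attempt, new challenge
    replay = door.admit(chip.chip_id, overheard)  # old answer no longer fits
    return static_replay, legit, replay

if __name__ == "__main__":
    print(demo())
```

The keyed design costs more because the chip must compute and the server must manage a secret per chip, and it fails if that key store is exposed.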

Speaking of passports, if you have a digital passport make sure you keep it in an RFID shielded sleeve except when actually in use. You are already doing that with any smart credit cards you have, right?

Comments solicited.

Keep your sense of humor.



Last time I wrote about The Websense 2015 Threat Report and my key takeaways. One of those takeaways was that cyber attacks are more focused. Attackers are moving from being focused on an industry, like health care, to focus on a specific company, like Anthem. We are starting to see attacks that are aimed specifically at one organization within a company, targeting the people in that organization who are likely to have access to something the cybercriminals want.

Here is one interesting example from last year involving hacktivists. Hacktivists are cyber-criminals who attack a company not to gain monetary value but to impair the operation of the company. In this case, their targets were the few people in the company that managed the building security and environmental controls. From far away, these hacktivists locked the doors to the main server room and disabled the emergency override controls, then turned off the air conditioning and turned up the heat. The end result was a room full of physically destroyed computers.

How is this kind of specific attack done? Websense describes the seven stages of advanced threats.

  • Stage 1: Recon
    The first step is to determine at least one individual who has the access to the information you want. They start by using professional websites (like LinkedIn) to determine who works at the company and might be in the area in which they are interested. Then, through the use of personal and social media sites, determine others who might have the information they seek. They are also looking for the kinds of lures that might work with these selected individuals.
  • Stage 2: Lure
    Using the recon information, the cybercriminals create lures that can fool users into clicking on a link. These lures are dangled in emails and social media posts that appear to be from trustworthy sources.
  • Stage 3: Redirect
    When the lure works and the user clicks on the link, they are redirected to sites with malicious content such as exploit kits.
  • Stage 4: Exploit Kit
    An Exploit Kit will scan the user’s workstation looking for vulnerabilities which allow the delivery of malware including key loggers or other tools to enable further infiltration of the network.
  • Stage 5: Dropper File
    Once the Exploit Kit has discovered a path to deliver malware, the cybercriminal delivers a “dropper file.” The dropper file contains software to start finding and extracting data, and often includes additional capabilities to deliver other malware in the future, even after the existing vulnerabilities have been fixed. The dropper file may remain dormant for a period of time to avoid detection.
  • Stage 6: Call Home
    Once the Dropper File has infected the target system, it “calls home” to the hacker’s command-and-control system. Now the dropper file can download additional programs and tools, and get instructions. Now there is a direct connection between the cybercriminal and the infected system.
  • Stage 7: Data Theft
    At this point, the cybercriminal begins to collect the data. The data could be anything: intellectual property, financial, health or other personally identifiable data, or data that will enable additional attacks.

Not every advanced threat uses all seven stages. These same stages are also used in more general, less focused attacks.

Each of these stages provides a place to stop the attack. A prepared company has a kill chain against these advanced attacks that monitors and defends at every stage.
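To make "monitor and defend at every stage" concrete, here is an added example (not from Websense or the original post) that maps sensor events to the seven stages and reports, per workstation, how far an intrusion got, where a control stopped it, and which stages in between produced no event at all. The log format, event names, host names and the event-to-stage mapping are all assumptions.

```python
import re
from collections import defaultdict

STAGES = ["Recon", "Lure", "Redirect", "Exploit Kit",
          "Dropper File", "Call Home", "Data Theft"]

# Assumed mapping from hypothetical sensor event names to stage numbers.
# Stage 1 (recon on public sites) leaves nothing in internal logs.
EVENT_STAGE = {
    "phish_link_delivered": 2, "redirect_chain": 3,
    "exploit_kit_landing": 4, "unsigned_binary_written": 5,
    "beacon_to_new_domain": 6, "bulk_upload": 7,
}

# Constructed log lines; the format and host names are invented.
LOG = """\
2015-04-02T09:14:03 host=ws-114 sensor=mailgw event=phish_link_delivered action=allowed
2015-04-02T09:15:40 host=ws-114 sensor=proxy event=redirect_chain action=allowed
2015-04-02T09:21:07 host=ws-114 sensor=proxy event=beacon_to_new_domain action=allowed
2015-04-02T10:02:11 host=ws-207 sensor=mailgw event=phish_link_delivered action=allowed
2015-04-02T10:03:30 host=ws-207 sensor=proxy event=exploit_kit_landing action=blocked
"""

LINE = re.compile(r"host=(\S+) sensor=\S+ event=(\S+) action=(\S+)")


def assess(log_text):
    """Per host: furthest stage seen, where it was blocked, silent stages."""
    seen = defaultdict(dict)  # host -> {stage number: action}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group(2) not in EVENT_STAGE:
            continue
        host, event, action = m.groups()
        stage = EVENT_STAGE[event]
        if seen[host].get(stage) != "blocked":  # a block at a stage wins
            seen[host][stage] = action
    report = {}
    for host, stages in seen.items():
        blocked = [s for s, a in stages.items() if a == "blocked"]
        first, furthest = min(stages), max(stages)
        silent = [s for s in range(first, furthest) if s not in stages]
        report[host] = {
            "furthest": STAGES[furthest - 1],
            "stopped_at": STAGES[min(blocked) - 1] if blocked else None,
            "silent_stages": [STAGES[s - 1] for s in silent],
        }
    return report


if __name__ == "__main__":
    for host, result in assess(LOG).items():
        print(host, result)
```

A silent stage is a question to investigate, not proof of a missing control: the attack may have skipped that stage, since not every advanced threat uses all seven.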

These attacks may be directed at the victim’s personal accounts, accounts with less protection and where the victim tends to be less careful. Also, a victim’s personal computer may be more vulnerable to attack than the IT-controlled office workstation, but that personal computer may be used by the victim for work-related activities and thus may contain information useful for breaking in to the office network.

The last word:

Today, you have the ability to use your smart phone to control your home thermostat and lock or unlock your doors. Just like the hacktivist example above, somewhere there is a group of hackers attacking you and the company that manages the communications with these devices. That company might be your Internet Service Provider (Comcast or Verizon, for example), or your home alarm company. If not already available, it will soon be possible to buy the access codes to a house or company or more likely subscribe to a BIaaS (Break-in as a service). For $1,000 the hackers will turn off the alarm, disable the video cameras, and unlock the back door at 2AM, then relock the doors, enable the video cameras and turn on the alarm at 5AM. They will know that you are away that night because they hacked into your newspaper’s database and noted your stop delivery request on your daily newspaper.

Welcome to our brave new world.

Comments solicited.

Keep your sense of humor.



Earlier this year I posted about the cyber attack in which Target allowed at least 40 million credit cards to be compromised, and watched as cyber criminals stole the personal information from about 110 million people. This breach occurred during the year’s biggest shopping season between Thanksgiving and Christmas in 2013.

Last month, Target agreed to a settlement: a maximum of $10 million, or $0.25 per compromised credit card. Individual victims may get up to $10,000 in damages.

This settlement requires final federal court approval, but is, in my view, a settlement favorable only to Target.

In order to claim any damages from Target, victims must prove:

  • That unauthorized charges were made to their credit card.
  • That they invested time in addressing the fraudulent charges.
  • That they incurred actual costs from correcting their credit report, paying higher interest or fees because of the impact to their credit rating, paid fees to replace identification cards, or hired identity protection companies or lawyers.
  • That the Target breach was responsible for their loss.

Matthew Esworthy, a litigation partner at Shapiro Sher Guinot and Sandler, said that many victims would have trouble proving that they lost money because of a specific data breach.

A friend had her purse stolen in a museum. She discovered the theft within a couple of minutes of its occurrence. By the time she got to a phone and called her debit card company, the thief had drained over $5,000 from her bank account, and that money was gone. That debit card was just one of the items in her purse. A maximum benefit of $10,000 may not cover an individual’s loss.

One reason that it took so long to get to this ridiculous settlement is that Target argued in court that consumers lacked standing to sue because they could not establish any injury.

If you have a problem, report it as soon as possible at the web site Target sent you.

Fortunately, this is not the only cost to Target. By the end of January, Target estimated that it had already accrued $252 million in expenses related to the breach, including this settlement. That will be partially offset by up to $90 million in insurance payments to Target. Target also faces claims from three of the four major credit card companies, and probably also from the fourth, as those companies try to recoup their losses due to this data breach. In addition, the Federal Trade Commission, the Securities and Exchange Commission, and several state attorneys general are also investigating and may impose fines.

Target was instrumental in this data breach. Target’s computer security systems alerted IT to suspicious activity after cybercriminals had infiltrated its networks, but Target decided to ignore the alert. The settlement also revealed that Target had no written information security program and no chief information security officer.

They also had a 46% drop in year-over-year profits for the quarter when the breach occurred.

Don’t let this happen to your company.

The last word:

How did the cybercriminals do? Pretty well, probably. Krebs on Security estimated that between one and three million credit cards stolen from Target were sold on the black market and successfully used for fraudulent purchases before the credit card companies managed to cancel the rest. That likely generated over $53 million of income to the cyber-criminals. That number is interestingly close to the $55 million that the ousted CEO Gregg Steinhafel will get in executive compensation and severance benefits from Target.

So the cybercriminals, lawyers, and the shamed CEO win. Meanwhile, Target as a company and millions of its customers lose.

Comments solicited.

Keep your sense of humor.



A writer friend posted a blog about Ancient Remedies Resurrected. He blogs mostly to help other writers use medicine correctly in their fictional murders. This particular post discusses the surprising success of a medieval recipe in killing specific troubling antibiotic resistant bacteria.

  • Who would suspect that a thousand-year-old Anglo-Saxon recipe to vanquish an infected eyelash follicle could do that?
  • Who even tried the recipe on something different than its original documented purpose?
  • Why was the recipe still around?
  • Who could read it?

The first two questions are relatively easy. Some ancient remedies actually work. They were created over hundreds or even thousands of years of experimentation in the real world. Many experiments failed, with the expected unpleasant other results. Some worked and were passed down orally from “doctor” to “doctor,” often from parent to child. Often the “doctor” was closely associated with the local religion. One recipe for curing fever occurring in the brain is on an eighth century BC tablet. The particular poultice is attributed to oral medical lore dating back to around 1860 BC. The tablet itself cites “mythological sages from before the Flood.” It is hard to argue with such authority. Enough of these old recipes work that it is well worth the effort to test them. Government agencies, pharmaceutical companies and universities all spend some effort searching ancient texts and experimenting. Looking at what the recipe does from a scientific viewpoint may point out some other possible uses of the drug.

The last two questions are the really important ones.

The survival of any particular ancient text is more due to luck than good data management. There is so much that can go wrong. The document first of all has to avoid being broken into a thousand pieces, sunk in the middle of the ocean, cleaned and reused, or being damaged by the ravages of nature with floods, fire, mold, or rot. But perhaps the most danger to old documents is man. Opened in the third century BC, the Library of Alexandria was one of the largest and most significant libraries in the world of its time. The library was destroyed, first by Julius Caesar when he conquered Egypt in 30 AD, and finally by Coptic Pope Theophilus in 391. Pope Theophilus was very thorough. Not only did he complete the destruction of the main library, but also a smaller version, the Serapeum, located elsewhere in Alexandria. Perhaps the first recorded case of a backup failure.

Maybe as significant for the preservation of possible ancient medicinal cures was the destruction of all but four of the thousands of Maya codices by Spanish conquistadors and Catholic priests. Why were they destroyed? According to Bishop Diego de Landa in July 1562, because “they contained nothing but … superstition and lies of the devil.”

Unfortunately, this organized destruction of the past continues to this day as the result of conquest and religious fanaticism.

We recently visited one such ancient document, and it was only 800 years old. It was both surprisingly readable and very hard to read, and it was a language we had some rusty familiarity with. Imagine the difficulty of even deciphering an ancient text and then determining its meaning. We do not have a Rosetta Stone for most ancient languages. I am referring to the multi-language stone found in Egypt during Napoleon’s conquest, not the language instruction company – although the statement applies to both. Often even the structure of the language as well as the meaning of individual characters or symbols had to be coaxed out of many documents by many people over many years. Only after that can other researchers begin to search for specific snippets of interest, like medical recipes.

In trying to recreate the recipe that began this post, researchers had to figure out what the ingredients really were, and hope that modern garlic is similar enough to 1,000 year old garlic to actually work. In most cases an ancient text will not describe exactly how hot or long to cook something, or even how much of each component was to be used.

As I discussed earlier, it is perhaps as difficult to keep data for the long term in today’s electronic age as it was in ancient times.

The last word:

Save the data, especially if you have no idea what value it might have in the future. Pictures, movies, personal history stories whether written or currently only oral could be important. Talk to older relatives and friends and get their stories saved. Do it now while you still can.

If you save oral recordings, go back and make transcripts that can also be saved. A hundred years from now there may be no one who can understand what was said.

If your family knows a language that is little used, work to preserve it so its oral and written legacy can be saved.

Even mundane business records can have historical value in a distant future. Kyle Harper used ancient purchase records to reinterpret the end of Roman slavery by determining what slaves were eating in Rome around 300 AD. This kind of information can help fill in the gaps about a civilization and the well-being of its people, whether wealthy citizens or slaves.

As I have said before, keeping data on paper only is not the best idea.

Comments solicited.

Keep your sense of humor.

