
Archive for the ‘NSA’ Category

Cybersecurity experts will tell you there are two kinds of organizations: those that have been hit by cybercriminals, and those who do not know they have been hit. This is not a joke. Cyberattacks will continue to grow in volume and sophistication. Anyone or anything that is connected to the Internet is vulnerable. When your customers’ data is compromised, you are responsible. If your physical building is compromised or your IT infrastructure is destroyed, your company may be out of business. No masked man on a white horse nor the Seventh Cavalry will come riding over the ridge to save you.

Why can’t the government do something about this? One would expect that the natural reaction of governments to national security, financial and privacy attacks would be to militarize cyberspace and police the Internet with centralized bureaucracies and secret agencies to protect us and themselves.

That won’t work, and we unfortunately have an example of this: the War on Terror. The United States government vowed in 2001 to destroy the responsible terrorist organization, long before it had a clue what the enemy really was. Other powerful nations have joined the fight. Where are we after more than a dozen years? We have proven that the most powerful military force in the world can clear out terrorists from a specific physical area at unreasonable cost in dollars and lives, only to have the terrorists return as soon as the US forces leave. But they cannot stop an attack in Europe, the Middle East, or the US.

The bottom line: governments have demonstrated that they cannot win the War on Terror. They cannot even define “winning.”

If the US, or UN, tried to apply the same logic to the Internet, they would of necessity fail, but as Keren Elazari’s TED talk and Scientific American article demonstrate, just trying could actually make things worse.

One of the problems with the War on Terror is that there is no single entity that controls “the other side.” There is no geographic definition of a “front line.” The terrorist organizations keep morphing, recombining and dividing, with new ones appearing in the news with disturbing frequency.

Wait, that sounds like the Internet. The Internet is not like a public highway, or even international waters or a wilderness area. It is not even a collection of territories that governments could control, or even locate. Most of the physical components of the Internet are owned and operated by hundreds of multinational for-profit companies. The number of components is growing at an incredible rate. Cisco Systems forecasts that by 2020 over 50,000,000,000 devices will be connected to the Internet. Every one of those devices is a target, and many of these are part of industry, military, and utility operations. The more devices that are interconnected, the more ways there are to gain access. For example, in 2011 an employee at RSA’s parent company EMC opened an innocuous-looking Excel file in an email. The resulting malware compromised RSA systems, enabling hackers to steal Lockheed Martin’s security tokens, thus giving access to the defense contractor’s data including highly sensitive product information. The hackers were part of the Chinese government. RSA has been in the encryption business since 1982, and was acquired by EMC Corporation in 2006. Since 1979, EMC has been a global leader in IT and business transformation. Both of these companies take security very seriously, yet still had a serious breach that impacted one of their customers and sensitive national security data.

Which brings up another reason why governments can’t fix the problem: they are conflicted on whether they should. Organizations like the Department of Homeland Security have a real interest in protecting US companies and individuals from cyber attacks. That part of the government recognizes the serious national threat: a successful attack against the electric grid or the financial infrastructure could be more disastrous than Pearl Harbor and the 9/11 attacks combined. No one on the attacking side even needs to be in the US.

However, other components of the US government, like the National Security Agency and certain other defense organizations, have a vested interest in using the Internet as a weapon, and invest millions of dollars in finding, managing, and perhaps creating flaws that they could use. Remember Stuxnet, a deliberate and successful physical attack against Iran’s nuclear weapon program done entirely with malware? That was a government attack, probably with US assistance if not direction. Governments, including the US government, participate in the worldwide hacker market, buying and selling information about security flaws. Edward Snowden believes the NSA spends more money on offensive cyber research than on defensive cyber research.

To further complicate the problem, new vulnerabilities are introduced every day. Intense market pressures push technology companies to produce new products and new features at an increasing rate. As these products become more intertwined and interdependent, the probability of introducing flaws increases. “Time to market” pressures reduce the testing that companies feel they can afford to do. As one company executive told me, “that’s what beta testers are for.”

Cybersecurity is like public health. The Centers for Disease Control and Prevention have a very important role to play, but they cannot stop the spread of the disease by themselves.

Who can help? According to Ms. Elazari, hackers can help and have been helping. Back in 1995, Netscape Communications created a bug bounty program. It paid independent researchers to report security vulnerabilities. If you are trying to remember why “Netscape” sounds familiar, it was the name of the web browser introduced in 1994 that was giving Microsoft’s Internet Explorer a real run for market share.

Largely spurred by significant leaks like those of Edward Snowden, the technology industry and the hacking community are actively working together. Hundreds of companies now have similar bug bounty programs, and are finding it to be a cost-effective way to reduce security vulnerabilities. In addition, private and public communities of security professionals now share information about malware, threats and vulnerabilities. The goal is to create a distributed immune system for the Internet.

What should you do?

  • Expect things to get worse over the next few years, with more targeted attacks, more breaches, and attacks that do physical damage initiated by other governments or terrorist groups.
  • Demand that companies make the software and hardware products your company depends on more secure. Yes, hardware products, too. There is more processing power in the average new car than in a multi-million dollar computer 20 years ago. As recently demonstrated, most if not all of these systems are vulnerable to cyber attack with the possibility of injury or death to the vehicle occupants and others nearby. I suspect a cyberterrorist attack that took over 100 cars scattered on LA freeways in rush hour would be interesting.
  • Demand that the penalties for failing to report a data breach involving personal or proprietary data are increased substantially, with jail time for executives who fail to consistently use best practices to secure that data.
  • Protect yourself and your company. Wash your hands and get vaccinated. If you don’t take care of yourself, you cannot expect anyone else to be able to help.

The last word:

My wife and I met Jim Murray and his wife on a dance floor in Valparaiso, Chile, in 2008. Since then we have managed to get together on a dance floor somewhere about once a year. Jim Murray writes a blog about the intersection of murder and medicine, which I have referenced before. He has just published Lethal Medicine, a thrilling tale of international intrigue, murder and deceit. The hero, Jon Masters, is a well-established pharmacist in San Antonio with a growing statewide company that provides medicinal injection services for people in their homes as they recover from illness or injury, or are under hospice care. When he discovers that the investigational drug study he is managing is a cleverly disguised scam, he finds himself in trouble with both local and federal authorities. One step ahead of the law, he races to Mexico and China to uncover the international conspiracy that threatens to destroy his business, his reputation, and his life.

Early on, Jim told us a scary story about one rainy night when he worked as the midnight shift pharmacist in a mid-city pharmacy. That story is now a short story “Cuffed” which is available in a collection of short stories Unforeseeable Consequences. The collection includes another story by Jim and a story Jim edited from each of five other authors.

I recommend both books, and they are available in Kindle editions on Amazon at the links with each book title above.

Comments solicited.

Keep your sense of humor.

Walt.


This has been an interesting couple of weeks. The IRS admits to “losing” millions of emails, coincidentally the subject of an ongoing investigation. If your company tried that trick, several of your executives would be in jail and the company would have a huge fine. There are several federal and state laws that require retention of any information relevant to an ongoing investigation. In addition, there are even more stringent laws on data retention specifically for US government entities. In legal terms, “spoliation of evidence” is the intentional or negligent withholding, hiding, altering or destroying of evidence relevant to a legal proceeding. This kind of activity, in addition to being illegal, usually leads to “spoliation inference.” That is, when a party destroys evidence, it is reasonable for a court to infer that the evidence was damaging to that party.

On the flip side, the IRS has inappropriately released protected personal information to third parties. This includes information provided to Congress as part of their inquiry into the lost emails. In reality, it is illegal for Congress to even open the files provided from the IRS because Congress was told that those files contained protected information on individual taxpayers.

On top of this, and in spite of the assurances from NSA, NSA has been collecting the content of emails from US citizens who are not under any suspicion of any connection to terrorism.

The implications to your company’s ability to respond to Discovery Orders could be serious. Even if you have an excellent Life-Cycle Management policy which defines exactly how long you retain different categories of documents, the US government may be working to make those policies ineffective.

When you receive a court order asking for all of the documentation on a particular subject, you must deliver all and only the appropriate documents. These documents may include emails, text messages, tweets, and standard documents, spreadsheets and presentations. Most organizations don’t do a good job of responding to these court orders. The possibility, or in some industries, the high probability of receipt of a discovery order is one of the drivers to implementing a data life-cycle management system. Most organizations give far more than they should, and fail to give everything they must because they don’t know where all of the data is. Like data life-cycle management, if you have existing policies, systems and procedures in place, it is well worth the effort to make sure that your Cloud Service Provider can interface with them.

My recommendation is to make sure you have a well documented life-cycle management policy and that you carefully document a complete audit of those procedures at least once a year. The legality of the government introducing in a court case documents it has illegally obtained has not yet been tested. But if you can show that you made every effort to appropriately destroy information according to your reasonable data life-cycle management policy then the court may look favorably on your attorney’s objection to the introduction of government-obtained data.

Whatever you do, do not emulate the IRS. Do not destroy information after the issuance of a discovery order or the reasonable expectation that one may be issued. And do not include protected privacy information in response to any discovery order unless that information is specifically listed in the discovery order.

The last word:

The Philadelphia Inquirer reported Monday that the Veterans Administration Philadelphia Regional Office had once again demonstrated the importance of management bonuses over providing services to our veterans. In this case they changed the dates on hundreds of thousands of claims, some filed as early as 2011, so that they were no older than 125 days in order to meet guidelines.

The VA is a fine example of federal government bureaucracy, where management works very hard to destroy the reputation of the organization and the thousands of dedicated medical personnel who are working to protect and serve our veterans. What are the implications of Obamacare as it inexorably moves health care under the federal government bureaucracy?

But don’t worry, the IRS is watching over the implementation of the Affordable Care Act. The IRS is even working with the union of IRS employees to rewrite their agreement so that employees who have failed to pay their federal taxes will no longer get bonuses from the IRS. Not funny. Over 1,100 IRS employees received bonuses within a year of substantiated federal tax compliance infractions.

Comments solicited.

Keep your sense of humor.

Walt.


In spite of the significant service and financial advantages of the Cloud, many companies and governments are increasingly reluctant to adopt it for their critical processing. This reluctance is not caused by security considerations regarding the basic technology of the Cloud; those issues have been largely resolved. Companies following best security practices with experienced Cloud Service Providers (CSPs) can have Cloud solutions with security matching or exceeding anything they could do internally.

What is causing this crisis of confidence is the US National Security Agency (NSA). We have seen almost weekly revelations about the unconstitutional collection of personal and corporate data by the NSA, accompanied by their lack of internal security that has allowed thousands of documents to be “lost,” including those released by Ed Snowden.

It is not just NSA. The British GCHQ (Government Communications Headquarters) is also tapping Internet communication. One British MP, Chi Onwurah, is “reluctantly and unhappily moving to the Cloud.” One reason is the US Patriot Act, which essentially means that any data stored in the Cloud that ends up on American servers can be compromised by the US Government at any time without notice. Some countries have privacy laws requiring information be stored within the country. Companies in those countries have a problem with public cloud providers that have servers in multiple countries. That flexibility is great for reliability and business continuance, but a nightmare to establish and verify compliance.

All of this impacts revenue opportunities for American CSPs and the growth of the Cloud in general. But there is more.

from Glenn Greenwald’s “No Place to Hide”

In a letter on May 15, John Chambers, the CEO of Cisco Systems, asked President Obama to restrict the surveillance activities of the NSA. Cisco Systems is one of the major suppliers of the network hardware that creates and manages the infrastructure that is the Internet, with over 50% of the worldwide market by revenue. The cause of this letter was newly released revelations allegedly showing that the NSA intercepted equipment from Cisco and other manufacturers en route to their customers worldwide and installed NSA surveillance software. Mr. Chambers indicated that Cisco did not cooperate with NSA in this activity nor was Cisco aware of NSA interceptions.

If the allegation of NSA interference is true, or even believed to be true, it will impact the ability of Cisco and other US manufacturers to sell their equipment in the US or anywhere in the world.

NSA has been fairly consistent: anytime they have denied doing something it turns out later that they in fact were doing it. I’m not sure how President Obama can convince companies that he has “fixed the problem.”

What should you do? The Cloud still does provide significant value, but you need to control the security of your own data yourself. Use state-of-the-art encryption for both data-in-motion (data moving through the Internet) and data-at-rest (data stored in the Cloud), and make sure you control the encryption keys for the data-at-rest. I discuss one way to get a Secure Public Cloud in an earlier post.
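As an added example (not from the original post), here is what “control the encryption keys for the data-at-rest” can look like in practice: client-side envelope encryption in Go, where each object is encrypted under a fresh data key, that data key is wrapped under a key-encryption key (KEK) the customer keeps, and only the wrapped key plus ciphertext are uploaded. The function names, object IDs and sample text are this example’s own assumptions, not any CSP’s API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what is uploaded to the CSP: the object ciphertext plus the
// per-object data key encrypted under the customer's KEK. The KEK never leaves the customer.
type Envelope struct {
	WrappedDataKey []byte // AES-256-GCM(KEK, dataKey), nonce prepended
	Ciphertext     []byte // AES-256-GCM(dataKey, plaintext), nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext (and aad) under key, prepending
// a fresh random nonce so the same key can protect many blobs.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or any tampering fails the
// GCM authentication check instead of returning garbage.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt runs on the customer side before upload. objectID is bound as
// associated data so a stored envelope cannot be re-labelled as a different object.
func Encrypt(kek, plaintext []byte, objectID string) (*Envelope, error) {
	dataKey := make([]byte, 32) // fresh key per object; limits the blast radius
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dataKey, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt runs on the customer side after download. Whoever holds only the
// envelope (the CSP, or anyone who compels the CSP) cannot complete this step.
func Decrypt(kek []byte, env *Envelope, objectID string) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedDataKey, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32) // in practice: from the customer's HSM or KMS, never stored beside the data
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, []byte("constructed sample: Q3 term sheet"), "contracts/q3.pdf")
	if err != nil {
		panic(err)
	}
	_, err = Decrypt(make([]byte, 32), env, "contracts/q3.pdf") // a guess without the KEK
	fmt.Println("decrypt without KEK fails:", err != nil)
	pt, err := Decrypt(kek, env, "contracts/q3.pdf")
	fmt.Println(string(pt), err)
}
```

A provider-side “bring your own key” feature only gives the same protection if the KEK is held outside the provider’s reach; the point is who can run Decrypt, not where the ciphertext sits.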

The last word:

Depending on which version is more accurate, Abu Bakr al-Baghdadi was in US custody at Camp Bucca, a US-controlled detention facility in Iraq, for most of 2004 or from 2005-2009. In any case, he was given an “unconditional release” into Iraq under President George W. Bush. You may have recently heard of him: he is now the leader of ISIS, the Islamic State in Iraq and Syria, which is running rampant over northern Syria and threatening the existence of Iraq. In hindsight, it was probably a mistake to release him.

More recently, President Obama decided to release five senior Taliban commanders from Guantanamo prison to a life of luxury in Qatar, with full freedom of movement within the country, and able to go anywhere after one year. The manner of the release was in stark violation of a law President Obama signed requiring that he notify Congress at least 30 days prior to any such release; he notified a few members of Congress five hours before the transfer. Noorullah Noori, one of the five, has already vowed to continue fighting Americans.

In return, he obtained the release of Army Sergeant Bowe Bergdahl. As President Obama said, we do have an obligation to not leave our military personnel behind. The controversy, mostly in the press, that Sgt. Bergdahl may have deserted his post back in 2009 is irrelevant to the requirement to bring him home. If there is significant evidence, Sgt. Bergdahl will be court-martialed and, if found guilty, punished. That trial and punishment, if appropriate, must happen under US control, not Taliban control.

In a few years, will we wonder about the wisdom of President Obama’s method of getting Sgt. Bergdahl free?

Comments solicited.

Keep your sense of humor.

Walt.


The world is fair.  It is just not centered on you.  There are serious threats out there, many by governments.  I recently posted about deliberate US government malware, brought to you by the NSA.  But there are additional government attacks on your personal information and privacy.

If you want a reason why the government should not take over healthcare, consider the Obamacare website.  With more than three years to create it, the government sole-sources the development to a Canadian company, CGI Federal, coincidentally with a senior vice president who was Mrs. Obama’s classmate at Princeton.  The government continually provided changes in the requirements, and there seems to have been no one actually in charge.  There were about 55 subcontractors responsible for different pieces and interfaces, but no system testing.  That was left to the American people when the site went live in October.  OK, “live” is not the right word.  I’m guessing that no government official who was responsible for the system even tried to use the web site before thrusting it on the public.  The minor issue of accurately communicating the policy you bought to the insurance company was left for later, as was payment receipt and the ability to get an actual policy in either paper or electronic form.  People were forced to sign up for a policy without ever seeing the policy.

Had this been in the private sector, the web site would have been up in one year and would have performed under load.  There would probably have been some problems, but on day one you could have bought insurance and had confidence that the company whose insurance you bought actually knew that you had purchased a specific plan.  As of December, HHS Secretary Kathleen Sebelius was bragging that the site was up 90% of the time and would work for 80% of the people who signed on.  Those kinds of numbers in the private sector would cause a large number of heads to roll; there would certainly not be any celebrations.

Data security seems to be one of the things missing from Obamacare.  Back in November, Los Angeles-based security researcher Kristian Erik Hermansen found security flaws with the California site.  The California site has seen the most registrations for healthcare in the country.  Two months later the flaws still exist.  The latest admission from the government is that some of the Obamacare website developers were working for the Belarus government.  US intelligence agencies advised the Obama administration to check the software for malware that could be used for cyber terrorism.  Considering that the Obamacare website connects to the IRS database plus more than 300 medical institutions and healthcare providers, this is a huge privacy issue.  Last year, Belarus-controlled networks attacked the U.S., rerouting a massive amount of U.S. Internet traffic to Belarus.  Belarus is a dictatorship located between Russia, Poland and the Ukraine, and not a friend of the U.S.  Last summer, Valery Tsepkalo, director of the Belarus government-backed High-Technology Park (HTP) in Minsk, bragged on Russian radio that the US HHS is one of their clients, and that “we are helping Obama complete his insurance reform.”

My advice:  avoid healthcare.gov.  At most, click on the “See plans before I apply” button.  That information seems to not actually go anywhere while giving you the names of some providers in your area.  Then contact the healthcare providers directly.

If you do use the web site and then discover that you or the website made a mistake, you can’t fix it.  Roughly 22,000 people have filed appeals with the government to try to get mistakes corrected.  You can easily file the appeal.  However, the appeals get filed inside a government server.  No one is looking at them, because there is no software to process or even allow someone to look at the appeal information.  If you get frustrated and call the government health-care marketplace to speak to a person, nothing happens.  Federal workers can’t get into the enrollment records and change them – that part isn’t quite ready yet either.

Planning a trip to Sochi?  Do not turn on your laptop, tablet, or smart phone when you get there.  According to NBC, all visitors to the Olympics are immediately hacked by the Russian government.  The malware installed steals all of the information on your phone (contacts, calendar, documents, pictures, ….) and enables the hackers to tap and record all of your phone calls, even after you leave Russia.

When you come back into the US as a US citizen, the Department of Homeland Security (DHS) is quite willing to detain you, keep you in a cold room for hours with no food or water, confiscate your laptops, tablets and smart phone, and copy their contents.  No warrant.  No reason.  Check out some recent NPR On the Media articles.  There is not much you can do, but do complain to your congressman.  You do have rights, but the DHS (which includes the TSA) is not concerned with those rights.  Your congressman probably won’t do anything, but if enough people contact them they may wake up to these violations of the Fourth Amendment.

The last word:

The trouble with political jokes is that they often get elected.  The current Obama administration has gone far beyond any previous administration in ignoring the Constitution in general and the Bill of Rights in particular.  In some cases it is due to incredible incompetence, but a lot of it seems to be quite deliberate.  Congress is powerless, ignorant, or just afraid to do anything.

There is a congressional election this year.  Contact your representative.  If one of your senators is up for reelection, also contact him or her.  Tell them that the Constitution and Bill of Rights are important to you, and that you vote.  Ask what they intend to do to reverse the abuses of power from the NSA, TSA, FBI, and EOP (Executive Office of the President which includes the cabinet officials).  Help make sure the Senate is not a rubber stamp for President Obama’s awful judicial appointments.

If you watched the January 28, 2014, State of the Union Address, you probably noticed that many members of the House and Senate were standing and applauding President Obama as he told them they were irrelevant and he was going to continue to go around or over them through executive orders.  I’m fairly sure there is no baby in the bath water of Congress.

Comments solicited.

Keep your sense of humor.

Walt.



The biggest lie in 2013 was not “If you like your health care plan, you can keep it.” This was just a politician telling a deliberate lie.  One that anyone who spent one minute contemplating the impact of a 2,700 page health care act on existing insurance policies would have instantly recognized as a lie.  In particular, the “grandfather clause” in the Affordable Care Act allowed existing policies to continue only if they followed all of the new rules.

No, the biggest lie was “No, sir.”  This was General James Clapper, director of National Intelligence, under oath to Congress, in response to a question from Senator Ron Wyden during a Senate Select Committee on Intelligence hearing.  The question:  “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”  The NSA is one of seventeen agencies and organizations under General Clapper’s command.

In reality, the NSA has the ability to record every phone call, text, email and US Postal Service message you send.  They have computer systems that analyze the content of those emails and texts, and probably can do the same with voice messages.  This applies to your company’s communication as well as your personal communication.

Internal NSA documents indicate that the NSA “sometimes” intercepts new computers purchased on-line and installs malware so they can completely monitor and control that computer.  In addition, documents leaked by Edward Snowden show that the NSA infected more than 50,000 computer networks worldwide with malware in 2012, and another NSA program gives the agency full control of Apple’s iPhone.

When asked, some antivirus companies have explicitly stated that they have not received a request from the NSA to “whitelist” (i.e., ignore) state-sponsored malware, and state that they would not comply.  California-based Symantec and McAfee did not respond to the general question, but do detect and repair a number of specific malware products created or used by NSA and other countries.

Keep in mind that some of these government-generated and distributed malware products have flaws in them that enable other parties to piggyback on them, increasing the risk of exposing your corporate data to cybercriminals.

As part of the Patriot Act, the FBI is the police force for the NSA.  The new director, James B. Comey, plans to increase the bureau’s efforts in that area, harking back to the J. Edgar Hoover days.  Any of us around in the 1950s, 1960s or 1970s remembers the FBI’s heavy-handed treatment of protesters of any ilk, illegally monitoring thousands of people simply because they belonged to an organization or spoke out in public with the “wrong” view, in the opinion of Director Hoover.  Consider that the FBI has branded hip hop duo Insane Clown Posse’s entire fan club as gang members because of the unrelated actions of a few of the fan club’s members.  If this isn’t an example of police state activities, I don’t know what is.

With the “procedural changes” in the Senate, the President now has the ability to appoint federal judges that will let him do what he wants to.  The three-legged stool of American government has an ineffective congress and is on its way to a rubber-stamping judiciary.  We now live in a police state that would be the envy of Hitler, Stalin, Mao, or any other of your favorite despots.  The powers of the US government to determine what you or your company is doing or even thinking about are amazing, and the potential for abuse is unprecedented.

You may trust this administration, but will you trust the next one, or the one after that?  There are tens of thousands of employees and contractors with access to your and your company’s information.  I do not recommend trusting every one of them.  The government has a bad security record from individuals like Snowden and many others with less visible breaches, plus almost constant abuse by individuals for personal reasons.  According to the Ponemon Institute, each week over 10,000 laptops are reported lost at just 36 of the largest U.S. airports, and probably most of those are “found” by TSA personnel.

Expect some announcements this year of corporate secrets stolen by one of these employees or contractors for personal financial gain.  The real difference between security at Target or Neiman Marcus and security at the government is that the retailers are required by law to tell you when they abuse you.  The government has no requirement, and feels no obligation.

I hate to end on a sour note, but there are several reports that the Affordable Care Act web site is actually less secure today than it was in October.  All of the changes that were made to make it “work” were made without proper security design or testing.  A cybercriminal’s dream.

The last word:

What should you do?

  1. Read the Bill of Rights.  Read them again, and remember why they were written: to protect the citizens of the new United States from the government of the United States.  If you don’t believe this, go research that first session of the US Congress and why that was the most critical item on the agenda for most of those first representatives.
  2. There is a congressional election this year.  Contact your representative.  If one of your senators is up for reelection, also contact him or her.  Tell them that the Bill of Rights is important to you, and you vote.  Ask what they intend to do to reverse the abuses of power from the NSA, TSA, FBI, and EOP (Executive Office of the President which includes the cabinet officials).  Help make sure the Senate is not a rubber stamp for President Obama’s awful judicial appointments.
  3. Buy your laptops, tablets and smart phone from a brick and mortar store.  Make sure you get something that is in stock at the store, not has to be ordered.  At least until the NSA forces every manufacturer to build their malware into the delivered system, this will help protect your corporate secrets.
  4. Direct your IT security staff to monitor closely all outgoing traffic from your network, and block traffic to unknown sites.
  5. Keep your anti-malware software up-to-date on all of your computers.  Investigate the effort and cost necessary to switch to a non-US company’s anti-malware solution.  I don’t think you need to do it now, but watch the news and be ready.  Even at this point, the Russian government’s malware is probably safer for your company than the US government’s malware.
  6. If you have really sensitive proprietary information to deliver to someone too far away to drive, use FedEx or UPS overnight delivery service.  At least so far, there is no report of NSA trying to intercept those, and no time when your package is not under the physical control of the delivery service.  If NSA were to try, I suspect there would be at least one UPS or FedEx employee brave enough to spill the beans.
  7. Reread George Orwell’s 1984.  Many government organizations and most legislative bills have names that are examples of Newspeak, especially if “Security” or “Patriot” is part of their name.  Mr. Orwell badly underestimated the ability of our government to monitor and eventually control the people.
  8. Consider joining Rand Paul’s class-action lawsuit against the government’s warrantless searches and seizures.
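For item 4, an added example (not the author’s) of the kind of check an IT security staff could run over egress logs: parse each outbound record, treat only allow-listed domains and their subdomains as known, and total the bytes sent to everything else so the largest unexplained flows surface first.  The log format, the allow-listed domains and the sample records are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Allowed destinations as registrable domains; the domain itself or any
// subdomain of it counts as known. Hypothetical values for this example.
var allowList = []string{"example.com", "update.vendor-example.net"}

// Egress is one parsed outbound connection record.
type Egress struct {
	Src, Dst string
	Port     int
	Bytes    int
}

// Constructed sample egress log in a simple space-separated format
// (src dst:port bytes), standing in for whatever the proxy or firewall emits.
const sampleLog = `10.0.1.15 www.example.com:443 18234
10.0.1.22 cdn.example.com:443 99120
10.0.1.15 203.0.113.9:4444 512000
10.0.1.31 update.vendor-example.net:443 4021
10.0.1.31 notexample.com:443 3100
10.0.1.40 203.0.113.9:4444 740000
malformed line`

// ParseLine returns an Egress record, or an error for a line it cannot read.
func ParseLine(line string) (Egress, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Egress{}, fmt.Errorf("expected 3 fields, got %d", len(f))
	}
	host, portStr, err := net.SplitHostPort(f[1])
	if err != nil {
		return Egress{}, err
	}
	port, err := strconv.Atoi(portStr)
	if err != nil {
		return Egress{}, err
	}
	n, err := strconv.Atoi(f[2])
	if err != nil {
		return Egress{}, err
	}
	return Egress{Src: f[0], Dst: strings.ToLower(host), Port: port, Bytes: n}, nil
}

// Known reports whether dst is on the allow list. Bare IP destinations are
// never "known": sanctioned services are reached by name, and a raw IP
// sidesteps DNS-based controls. Matching on ".example.com" (with the dot)
// keeps "notexample.com" from passing as a subdomain of "example.com".
func Known(dst string) bool {
	if net.ParseIP(dst) != nil {
		return false
	}
	for _, d := range allowList {
		if dst == d || strings.HasSuffix(dst, "."+d) {
			return true
		}
	}
	return false
}

// UnknownDestinations sums bytes per unknown host:port and counts lines it
// could not parse, since silently dropped records would hide traffic.
func UnknownDestinations(log string) (totals map[string]int, badLines int) {
	totals = map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		rec, err := ParseLine(line)
		if err != nil {
			badLines++
			continue
		}
		if !Known(rec.Dst) {
			totals[rec.Dst+":"+strconv.Itoa(rec.Port)] += rec.Bytes
		}
	}
	return totals, badLines
}

func main() {
	totals, bad := UnknownDestinations(sampleLog)
	keys := make([]string, 0, len(totals))
	for k := range totals {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool { return totals[keys[i]] > totals[keys[j]] })
	for _, k := range keys {
		fmt.Printf("REVIEW/BLOCK %-28s %d bytes\n", k, totals[k])
	}
	fmt.Println("unparseable lines:", bad)
}
```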

Comments solicited.

Keep your sense of humor.

Walt.

