Tag Archives: CyberSecurity

“A Song for the Deaf” (and the Blind)

Songs for the Deaf, released on August 27 2002, was the third studio album by Queens of the Stone Age. There is a track on there called “A Song for the Deaf” with a line in the lyrics:

No talk will cure what’s lost, or save what’s left

That line does just fine at summing up my attitude to the long term prospects for the privacy of our data and our privacy rights as individuals. The multiplicity of additional data points that will become available with the mainstream adoption of wearables, AR, and VR squares the circle by adding kinematic fingerprinting and emotion detection to the digital surveillance arsenal.

The concerted effort by “authority” to normalise the invasion of our privacy as citizens of democracies will succeed. It is worth noting at this point that the historic permission to look at our (non-US citizens) data is for the most part secretively mandated or just plain illegal.

In the interim I simply see it as my hobby to be a contrarian and frankly I do not give one iota what that looks like to prospective employers, clients, or colleagues. Too many people look at you sideways these days when you seek to insist that we are throwing away our rights in favour of some US manufactured bogey-man fear figure.

But despite the ever increasing powers granted there are far too many people gainfully employed in law enforcement, the intelligence community, and the cottage industries and corporates that serve them to hope that one day their combined efforts might actually result in an improvement in the threat landscape.

Narrowing the Debate

One of the methods often used to divert attention from the overall issues that present themselves with respect to mass surveillance is to seek to narrow the debate. Some people will say that debating each element in isolation is enough. It is not.

The police-intelcom barrier or rather the lack of a barrier between police organizations and intelligence organizations or the illegal overriding of such barriers is one of the reasons why. Too many blurred lines exist. Mass surveillance data acquired for national security purposes now routinely ends up in the hands of local law enforcement investigating matters unrelated to national security.

The opacity of US laws and SIGINT collection methods is potentially an abuse of the rights of every defendant that comes in front of their Courts. Increasingly, that is just about anybody that they can lay their hands on, from anywhere. The US position on most of these matters is ephemeral. [Max Schrems maintains the main protections provided by the US for data privacy rights of EU citizens have no statutory basis and “could be altered tomorrow”]

To suggest that one can compartmentalise each different element of the mass surveillance equation and debate each piece of legislation on its own merits, to the exclusion of the others, is a fallacy.

They all add up to the same thing in the hands of the governments or organisations that possess the resources, access, and “authority” (normally self granted) to mine the data.

This post was prompted by Chris Gebhardt‍ and the article he penned on Peerlyst‍ titled “The US Government Should Have Access to All Encrypted Devices of US Citizens“.

I commented “I utterly disagree with your thesis on every level. I disagree with you on the basis that I do not accept your segmentation of rights and protections in statute that govern legacy personal freedoms, due process, habeas corpus, et al. and the stratagem that you have employed to roll them up into an argument for weakened privacy (encryption). I believe that your reliance on these legacy instruments makes the flawed assumption that they were correct. In my view, they were not.

Chris was keen to keep the debate focussed on the US. So I asked:

Maybe we can circumvent the specifics of either geography and focus the discussion on a universal question which is capable of also addressing the specifics of your argument. The US does not respect digital borders and engages in frequent – and as policyillegal searches and seizures in a clandestine manner for non natsec matters and “ordinary” criminal matters. Now the US having weathered the outrage storm is legislating vigourously for the normalisation of these abnormalities which were in fact illegal under traditional law also.

The debate between us therefore could be something like – to date have existing laws and the application and oversight of the powers granted by those laws served us well and if so are they also suited for export to the digital domain. If not, then why should those who currently enjoy freedoms in the digital domain subject themselves to laws that they disagreed with in the real world context or were shown to have been widely abused, and more specifically how can a body of agencies who gladly engaged in widespread illegal activities expect people to surrender to their request?

Chris replied:

That is fine but I believe it is a separate post. Perhaps you should start one. I started this one to specifically target the US privacy issue under Constitutional authority. International expectations are a completely different matter.

So here it is.

Image: Screen grab from the QOTSA video “Go With The Flow

ENDS

PODCAST Panel #1: PeerTalk™ Privacy -vs- National Security

 

Since mid December 2017 our panel was preparing for this first in the series of discussions regarding Privacy -vs- National Security hosted by and drawn from Peerlystcommunity members.

The panel was drawn from a range of disciplines and interests but what united all of the participants was that we are people who are passionate about infosec, civil liberties, and the rule of law.

This series is primarily concerned with how we might align the privacy rights of citizens with the imperatives of predicting, preventing, and reacting to internal & external national security threats.

Our objective was to deliver an opening discussion on the subject matter that would compel further debate and interest, but also attempt to compartmentalise the discrete elements, for discussion on future panels , while at the same time demonstrating the scale of the issues involved with practical real world, non-theoretical examples.

Over the preparation period several pieces were authored on the subject of Privacy -vs- National Security. The links to these associated posts are:

  1. PeerTalk™ Privacy -vs- National Security: One Post To Rule Them All
  2. Video Introduction to Podcast #1 of the PeerTalk™ Privacy -v- National Security Podcast Panel Series
  3. PeerTalk™ Privacy -vs- National Security: Preserve Peace Through (Cyber & Intelligence) Strength
  4. PeerTalk™ Privacy -vs- National Security Sources: In Isolation & Where They Intersect
  5. PeerTalk™ Peerlyst Panel: Privacy vs National Security
  6. PeerTalk™ Privacy -vs- National Security: Gülen FETÖ/PDY, Millî İstihbarat Teşkilatı (MİT) & ByLock
  7. PeerTalk™ Privacy -vs- National Security: You (encryption advocates) are “jerks”, “evil geniuses”, and “pervert facilitators”
  8. PeerTalk™ Privacy -vs- National Security: The Rogues Gallery of Encryption Luddites (Updated 01.16.2018)
  9. Also included below were two essays from panel member Geordie B Stewart MSc CISSP
    1. Polluting the Privacy Debate
    2. Ethical Compromises in the Name of National Security

The questions to the panel in preparation for the discussion were these:

  1. Are recent actions by the Turkish intelligence community reasonable with the backdrop of an alleged serious threat to the security of the state?
  2. Could one ever imagine a similar scenario in the West and if so would it ever be justified?
  3. Does the panel think that while broad brush application of these types of tools and methods by law enforcement and the intelligence community does not happen in the West, does it happen on a case by case basis?
  4. If so, is protecting one person from a miscarriage of justice using illegally obtained surveillance data more important than allowing warrantless mass surveillance and trusting that the intelligence community and political / commercial interests will not abuse the knowledge yielded from the data and rather use it for the national interest?
  5. Finally, does the panel have faith in the oversight and governance mechanism looking to protect citizens of Western nations whose data is acquired by programs such as PRISM and queried using tools such as XKeyscore?”

The panellists were:

Graham Joseph Penrose‍ (Moderator), Interim Manager in a range of Startups, Privacy Advocate, Avid Blogger, and Homeless Activist. I began my career in IT 30 years ago in Banking and in the intervening period I have applied technology and in particular secure communications to assist me in various roles but most aggressively as the owner of a Private MilitarySecurity Company operating in High Risk Areas globally. I am apparently a Thought Leader and Authority in the Privacy space according to various independent third party research organisations and I am member of the IBM Systems Innovators Program.

Kim Crawley‍, Cybersecurity Journalist. A respected and valued contributor to Peerlyst and publications including Cylance,AlienVault, Tripwire, and Venafi.

Emily Crose‍, Network Security Researcher with 10 years experience in both offensive and defensive security roles, 7 of those years were spent in the service of the United States Intelligence Community. She is currently the director of the Nemesis projectand works for a cyber security startup in the Washington DC area.

Lewis De Payne‍, Board Member, Vice President & CTO/CISO of medical diagnostics company aiHEALTH, LLC. CTO/CIIO of a social commerce startup and a founding shareholder in Keynetics responsible for the patented online fraud control tools known as Kount. Lewis has had some adversarial contacts with the FBI that are documented in several of Kevin Mitnick’s (and other writers’) books. Lewis electronically wiretapped the FBI and other law enforcement bureaus, and recorded some of their activities (which included having informants perform illegal wiretaps, so they could gain probable cause to obtain search warrants). In his younger days, Lewis took the US government to court several times In one case his proceedings set legalprecedent when the 9th Circuit Court of Appeals heard his Jencks Action and ruled in his favour causing the FBI to have to return all seized property (and computers) to him, and others.

Geordie B Stewart MSc CISSP‍, Director at Risk Intelligence which company provides a range of specialist infosec services to organisations including risk analysis, policy development, security auditing and compliance, education, training, and continuity planning. Geordie writes and speaks frequently on the topics of Privacy, Ethics and National Security. Partly because he thinks they are important topics, but partly to increase his embarrassment when his web history eventually leaks. Geordie also writes the security awareness column for the ISSA Journal and works in senior security leadership roles for large organisations.

Dean Webb‍, Network Security Specialist. Dean has 12 years of experience in IT and IT Security, as well as over two decades as an instructor and journalist with particular focus on national security issues, espionage, and civil rights.

We enjoyed a wide ranging and informative discussion over the course of the 90 minutes and while we were not in a position to cover all of the material it was a very acceptable starting point and a stake in the ground with respect to what the community can expect from this series of panels.

I opened the discussion with the question:

“Where do the panellists believe that the line should be drawn between what are personal privacy rights versus the needs of national security and do the panellists think that in recent years the public in an atmosphere of “fear” has too easily surrendered a range of privacy rights in favour of national security?”

Please enjoy the recording below which we hope you will find compelling enough to share with your community. We are looking forward to your feedback and we would be very pleased to have your comments, suggestions, and questions. (Don’t forget to subscribe to the Peerlyst YouTube channel so as not to miss the next in our series and also recordings of all of the other panels coming out of the PeerTalk™ initiative.)

ENDS

Top Cybersecurity Threats in Sport (2025)

On October 10th, 2017 at a panel discussion about “Cybersecurity of the Olympic Games” at the University Club, California Memorial Stadium – Missy Franklin, (five-time Olympic medalist) said “We constantly get new technology thrown at us. It’s crazy, but that’s where sports are going.”

Extract:Digital technologies pose an increasingly diverse set of threats to Olympic events, and the newer forms of threat are likely to have more serious consequences. While most hacks today focus on sports stadium IT systems and ticket operations, future risks will include hacks that cut to the integrity of the sporting event results, as well as to core stadiums operations.”

The study The Cybersecurity of Olympic Sports: New Opportunities, New Risks identifies eight key areas of risk for future sporting events:

  1. Stadium system hacks
  2. Scoring system hacks
  3. Photo and video replay hacks
  4. Athlete care hacks
  5. Entry manipulation
  6. Transportation hacks
  7. Hacks to facilitate terrorism or kidnapping
  8. Panic-inducing hacks

Key Olympic sports technology trends that represent several vectors of additional risk:

  1. Gymnastics
    1. Artificial intelligence in scoring
    2. Possible Surprises: Embedded tracking in gymnastics equipment
  2. Swimming
    1. Automated start/finish technology
    2. Possible Surprises: Biometrics in swimsuits
  3. Rowing
    1. Drones above race
    2. GPS tracking of boats
    3. Possible Surprises: Virtual reality real-time viewing
  4. Track & Field
    1. Automatic field event measurement
    2. Possible Surprises: 3D images for track finishes

Selected known cybersecurity incidents from the last three summer Olympic Games include:

BEIJING:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure

LONDON OLYMPICS:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure
  3. False alarm threat to the electrical grid

RIO OLYMPICS:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure
  3. Athlete data hack

END

Focus on Kaspersky hides facts of another NSA contractor theft

The Wall Street Journal based their story on the fact that another NSA contractor took classified documents home with him. Yet another Russian intelligence operation stole copies of those documents. The twist this time is that the Russians identified the documents because the contractor had Kaspersky Labs anti-virus installed on his home computer.

This is either an example of the Russians subverting a perfectly reasonable security feature in Kaspersky’s products, or Kaspersky adding a plausible feature at the request of Russian intelligence. In the latter case, it’s a nicely deniable Russian information operation. In either case, it’s an impressive Russian information operation.

This is a huge deal, both for the NSA and Kaspersky. The Wall Street Journal article contains no evidence, only unnamed sources. But I am having trouble seeing how the already embattled Kaspersky Labs survives this.

What’s getting a lot less press is yet another NSA contractor stealing top-secret cyberattack software. What is it with the NSA’s inability to keep anything secret anymore?

And it seems that Israeli intelligence penetrated the Kaspersky network and noticed the operation.

Full story on CRYPTO-GRAM October 15, 2017 by Bruce Schneier CTO, IBM Resilient schneier@schneier.com https://www.schneier.com

END

Does anyone have experience of “KAYMERA MOBILE THREAT DEFENSE SUITE”

We are looking at this platform in parallel with the SaltDNA app which I previously posted about.

Kaymera has a pre-installed secured Android OS with integrated high-end security components to detect, prevent and protect against all mobile security threats without compromising on functionality or usability. A contextual, risk-based app uses a range of indicators to identify a risk in real-time and apply the right security measure so mitigation is performed only when needed and appropriate. Their Cyber Command Centre framework manages and enforces organization-specific permissions, security protocols and device policies. Monitors risk level, threat activities and security posture per device and deploys countermeasures.

Any thoughts welcome.

ENDS.

Hacking EirGrid: NCSC MiA, GCHQ Inertia, US Data Centres, & Creating Backdoors to UK/EU Grid

This post was first published by me on Peerlyst on 7th August 2017.

This hack took place last April (2017) but the details are only emerging now. Hackers compromised EirGrid’s routers at Vodafone’s Direct Internet Access (DIA) service at Shotton, Wales. The MITM “virtual wire tap” then intercepted unencrypted messages between EirGrid and SONI (EirGrid NI). Firmware and files were copied from the compromised router devices but there is no estimate as to the scale of the breach or the magnitude of the data that was stolen.

The Role of NCSC & GCHQ

An informed source has confirmed to AirGap Anonymity Collective that this hack was going on for some time before it was “detected” and before EirGrid were informed – that was already reported.

However, the same source is also of the opinion that the UK’s National Cyber Security Centre – part of GCHQ – instructed Vodafone not to tell EirGrid of the breach – while they tried to ascertain who the perpetrators were (understandable) but that this was for an unreasonably extended period of time.

The source is not clear on what portion of the estimated nine weeks of the hack overlapped with GCHQ’s attempts to identify the hackers.

Where was Ireland’s National Cyber Security Centre while all of this was going on?

The Irish National Cyber Security Centre (NCSC) & Computer Security Incident Response Team (CSIRT)

Formally established in 2015. Together with the (CSIRT), they have responsibility for Ireland’s national cyber security defences. They say:

“The global cybersecurity threat landscape continues to pose an immense challenge. As part of wider efforts to address these security threats, the Directive on Security of Network and Information Systems (NIS Directive) was approved in July 2016. Member States have until May 2018 to implement the NIS Directive, with both the NCSC and CSIRT playing a critical role in this regard.”

Seán Kyne – Minister of State for Community Development, Natural Resources & Digital Development – discussed the NCSC’s objectives, and offered his thoughts on the nature of the digital security threat to the public and private sector alike in a press conference last month.

INCSC

EirGrid & UK Energy Policy

The UK has become increasingly reliant on off-shore wind farms and it’s power needs are augmented by the purchase of power generated in the Irish Midlands. Irish supplied power is key to the UK meeting its projected 2020 energy needs. The Irish supply is seeking to generate circa 3GW for the UK market.

The Irish national grid is managed by a company called EirGrid. They took over the Irish national grid in 2006 from ESB (the Electricity Supply Board). They own all of the physical electricity transmission assets in the country (about 7000kms of cable (fact check)).

As such, they run a monopoly and nearly all of the large independent generators (Airtricity, Synergen (70% EirGrid) Viridian and others) connect to the transmission system and utilise it to transport their power to all regions and abroad. They also operate the wholesale power market and operate (and own) the 500 MW East–West Interconnector, linking the Irish power system to Great Britain’s grid.

Last month the operator was awarded over €20 million by the EU to fund research into the deployment of renewable energy. Ireland’s own target, set out by the European Union, is to secure 40% of its electricity from renewable sources by 2020.

“We won’t have enough renewable energy left over to export to the UK without completing some specific projects, such as the proposed Midlands development,” according to Fintan Slye (EirGrid CEO). “There are sufficient renewable projects in train to meet the 2020 targets, but it’ll still be challenging. There are 2,000MW connected across the island – we need to get that to over 4,000MW by 2020.”

The EU is also funding a France-Ireland power link (that bypasses the UK) via an undersea cable as an “obvious solution” to Ireland’s energy reliance on a post-Brexit United Kingdom.

Motives – All Those Data Centres in Ireland & A BackDoor to the EU/UK Grids 

IE DCs

Extract from EirGrid Group All-Island Generation Capacity Statement 2016-2025:

“2.2(d) Data Centres in IrelandA key driver for electricity demand in Ireland for the next number of years is the connection of large data centres.Whether connecting directly to the transmission system or to the distribution network, there is presently about 250 MVA of installed data centres in Ireland. Furthermore, there are connection offers in place (or in the connection process) for approximately a further 600 MVA. At present, there are enquires for another 1,100 MVA. This possibility of an additional 1700 MVA of demand is significant in the context of a system with a peak demand in 2014/15 of about 4700 MW (where it would add 35%). In forecasting future demand, we need to appreciate that data centres normally have a flat demand profile.”

Culprits

Lots but the most likely candidate for this hack is Russia – why? Because I cast lots, sacrificed a chicken, and got my Tarot cards read. And also …

Irish energy networks being targeted by hackers – Hackers have targeted Irish energy networks amid warnings over the potential impact of intensifying cyber attacks on crucial infrastructure. Senior engineers at the Electricity Supply Board (ESB), which supplies both Northern Ireland and the Republic, were sent personalised emails containing malicious software by a group linked to Russia’s GRU intelligence agency, reported.
Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid – It was 3:30 p.m. last December 23, and residents of the Ivano-Frankivsk region of Western Ukraine were preparing to end their workday and head home through the cold winter streets. Inside the Prykarpattyaoblenergo control center, which distributes power to the region’s residents, operators too were nearing the end of their shift.
Ukraine power cut ‘was cyber-attack’ – BBC News – A power cut that hit part of the Ukrainian capital, Kiev, in December has been judged a cyber-attack by researchers investigating the incident. The blackout lasted just over an hour and started just before midnight on 17 December. The cyber-security company Information Systems Security Partners (ISSP) has linked the incident to a hack and blackout in 2015 that affected 225,000.
Hackers targeting UK energy grid, GCHQ warns – Hackers may have compromised Britain’s energy grid, GCHQ has said as it warned that cyber criminals are targeting the country’s energy sector. The security agency said industrial control systems may have already been the victim of attacks by nation state hackers.

 

ENDS

Cynic Modelling for Legacy Energy Infrastructure

A brief synopsis of my findings in “Legacy Energy Infrastructure Attack Surface Assessment, Threat Count, & Risk Profile” using my “cynic modeller”:

  1. Adversaries who are attracted to the contained assets: Everyone (hobbyists, criminals, state actors, your gran)
  2. Attack surface: As far as the eye can see
  3. Attackers who are capable of acquiring the assets starting from the attack surface: Lots
  4. Therefore the attacker population size is: Computer literate population of earth
  5. Threat count: Np-Complete;
  6. Emerging threats: IIoT and non-cybersec savvy devops rushing intodigital transformation projects
  7. Risk level: Orbital
  8. Impact of realized threat: Expansive (yes, expansive not expensive, but that too)

Assessment: Buy gas lamps, work on your natural night vision, learn to skin rabbits, move far far away from nuclear reactors, buy shares in candle companies.

ENDS