Tag Archives: Infosec

“A Song for the Deaf” (and the Blind)

Songs for the Deaf, released on August 27 2002, was the third studio album by Queens of the Stone Age. There is a track on there called “A Song for the Deaf” with a line in the lyrics:

No talk will cure what’s lost, or save what’s left

That line does just fine at summing up my attitude to the long term prospects for the privacy of our data and our privacy rights as individuals. The multiplicity of additional data points that will become available with the mainstream adoption of wearables, AR, and VR squares the circle by adding kinematic fingerprinting and emotion detection to the digital surveillance arsenal.

The concerted effort by “authority” to normalise the invasion of our privacy as citizens of democracies will succeed. It is worth noting at this point that the historic permission to look at our (non-US citizens) data is for the most part secretively mandated or just plain illegal.

In the interim I simply see it as my hobby to be a contrarian and frankly I do not give one iota what that looks like to prospective employers, clients, or colleagues. Too many people look at you sideways these days when you seek to insist that we are throwing away our rights in favour of some US manufactured bogey-man fear figure.

But despite the ever increasing powers granted there are far too many people gainfully employed in law enforcement, the intelligence community, and the cottage industries and corporates that serve them to hope that one day their combined efforts might actually result in an improvement in the threat landscape.

Narrowing the Debate

One of the methods often used to divert attention from the overall issues that present themselves with respect to mass surveillance is to seek to narrow the debate. Some people will say that debating each element in isolation is enough. It is not.

The police-intelcom barrier or rather the lack of a barrier between police organizations and intelligence organizations or the illegal overriding of such barriers is one of the reasons why. Too many blurred lines exist. Mass surveillance data acquired for national security purposes now routinely ends up in the hands of local law enforcement investigating matters unrelated to national security.

The opacity of US laws and SIGINT collection methods is potentially an abuse of the rights of every defendant that comes in front of their Courts. Increasingly, that is just about anybody that they can lay their hands on, from anywhere. The US position on most of these matters is ephemeral. [Max Schrems maintains the main protections provided by the US for data privacy rights of EU citizens have no statutory basis and “could be altered tomorrow”]

To suggest that one can compartmentalise each different element of the mass surveillance equation and debate each piece of legislation on its own merits, to the exclusion of the others, is a fallacy.

They all add up to the same thing in the hands of the governments or organisations that possess the resources, access, and “authority” (normally self granted) to mine the data.

This post was prompted by Chris Gebhardt‍ and the article he penned on Peerlyst‍ titled “The US Government Should Have Access to All Encrypted Devices of US Citizens“.

I commented “I utterly disagree with your thesis on every level. I disagree with you on the basis that I do not accept your segmentation of rights and protections in statute that govern legacy personal freedoms, due process, habeas corpus, et al. and the stratagem that you have employed to roll them up into an argument for weakened privacy (encryption). I believe that your reliance on these legacy instruments makes the flawed assumption that they were correct. In my view, they were not.

Chris was keen to keep the debate focussed on the US. So I asked:

Maybe we can circumvent the specifics of either geography and focus the discussion on a universal question which is capable of also addressing the specifics of your argument. The US does not respect digital borders and engages in frequent – and as policyillegal searches and seizures in a clandestine manner for non natsec matters and “ordinary” criminal matters. Now the US having weathered the outrage storm is legislating vigourously for the normalisation of these abnormalities which were in fact illegal under traditional law also.

The debate between us therefore could be something like – to date have existing laws and the application and oversight of the powers granted by those laws served us well and if so are they also suited for export to the digital domain. If not, then why should those who currently enjoy freedoms in the digital domain subject themselves to laws that they disagreed with in the real world context or were shown to have been widely abused, and more specifically how can a body of agencies who gladly engaged in widespread illegal activities expect people to surrender to their request?

Chris replied:

That is fine but I believe it is a separate post. Perhaps you should start one. I started this one to specifically target the US privacy issue under Constitutional authority. International expectations are a completely different matter.

So here it is.

Image: Screen grab from the QOTSA video “Go With The Flow

ENDS

PODCAST Panel #1: PeerTalk™ Privacy -vs- National Security

 

Since mid December 2017 our panel was preparing for this first in the series of discussions regarding Privacy -vs- National Security hosted by and drawn from Peerlystcommunity members.

The panel was drawn from a range of disciplines and interests but what united all of the participants was that we are people who are passionate about infosec, civil liberties, and the rule of law.

This series is primarily concerned with how we might align the privacy rights of citizens with the imperatives of predicting, preventing, and reacting to internal & external national security threats.

Our objective was to deliver an opening discussion on the subject matter that would compel further debate and interest, but also attempt to compartmentalise the discrete elements, for discussion on future panels , while at the same time demonstrating the scale of the issues involved with practical real world, non-theoretical examples.

Over the preparation period several pieces were authored on the subject of Privacy -vs- National Security. The links to these associated posts are:

  1. PeerTalk™ Privacy -vs- National Security: One Post To Rule Them All
  2. Video Introduction to Podcast #1 of the PeerTalk™ Privacy -v- National Security Podcast Panel Series
  3. PeerTalk™ Privacy -vs- National Security: Preserve Peace Through (Cyber & Intelligence) Strength
  4. PeerTalk™ Privacy -vs- National Security Sources: In Isolation & Where They Intersect
  5. PeerTalk™ Peerlyst Panel: Privacy vs National Security
  6. PeerTalk™ Privacy -vs- National Security: Gülen FETÖ/PDY, Millî İstihbarat Teşkilatı (MİT) & ByLock
  7. PeerTalk™ Privacy -vs- National Security: You (encryption advocates) are “jerks”, “evil geniuses”, and “pervert facilitators”
  8. PeerTalk™ Privacy -vs- National Security: The Rogues Gallery of Encryption Luddites (Updated 01.16.2018)
  9. Also included below were two essays from panel member Geordie B Stewart MSc CISSP
    1. Polluting the Privacy Debate
    2. Ethical Compromises in the Name of National Security

The questions to the panel in preparation for the discussion were these:

  1. Are recent actions by the Turkish intelligence community reasonable with the backdrop of an alleged serious threat to the security of the state?
  2. Could one ever imagine a similar scenario in the West and if so would it ever be justified?
  3. Does the panel think that while broad brush application of these types of tools and methods by law enforcement and the intelligence community does not happen in the West, does it happen on a case by case basis?
  4. If so, is protecting one person from a miscarriage of justice using illegally obtained surveillance data more important than allowing warrantless mass surveillance and trusting that the intelligence community and political / commercial interests will not abuse the knowledge yielded from the data and rather use it for the national interest?
  5. Finally, does the panel have faith in the oversight and governance mechanism looking to protect citizens of Western nations whose data is acquired by programs such as PRISM and queried using tools such as XKeyscore?”

The panellists were:

Graham Joseph Penrose‍ (Moderator), Interim Manager in a range of Startups, Privacy Advocate, Avid Blogger, and Homeless Activist. I began my career in IT 30 years ago in Banking and in the intervening period I have applied technology and in particular secure communications to assist me in various roles but most aggressively as the owner of a Private MilitarySecurity Company operating in High Risk Areas globally. I am apparently a Thought Leader and Authority in the Privacy space according to various independent third party research organisations and I am member of the IBM Systems Innovators Program.

Kim Crawley‍, Cybersecurity Journalist. A respected and valued contributor to Peerlyst and publications including Cylance,AlienVault, Tripwire, and Venafi.

Emily Crose‍, Network Security Researcher with 10 years experience in both offensive and defensive security roles, 7 of those years were spent in the service of the United States Intelligence Community. She is currently the director of the Nemesis projectand works for a cyber security startup in the Washington DC area.

Lewis De Payne‍, Board Member, Vice President & CTO/CISO of medical diagnostics company aiHEALTH, LLC. CTO/CIIO of a social commerce startup and a founding shareholder in Keynetics responsible for the patented online fraud control tools known as Kount. Lewis has had some adversarial contacts with the FBI that are documented in several of Kevin Mitnick’s (and other writers’) books. Lewis electronically wiretapped the FBI and other law enforcement bureaus, and recorded some of their activities (which included having informants perform illegal wiretaps, so they could gain probable cause to obtain search warrants). In his younger days, Lewis took the US government to court several times In one case his proceedings set legalprecedent when the 9th Circuit Court of Appeals heard his Jencks Action and ruled in his favour causing the FBI to have to return all seized property (and computers) to him, and others.

Geordie B Stewart MSc CISSP‍, Director at Risk Intelligence which company provides a range of specialist infosec services to organisations including risk analysis, policy development, security auditing and compliance, education, training, and continuity planning. Geordie writes and speaks frequently on the topics of Privacy, Ethics and National Security. Partly because he thinks they are important topics, but partly to increase his embarrassment when his web history eventually leaks. Geordie also writes the security awareness column for the ISSA Journal and works in senior security leadership roles for large organisations.

Dean Webb‍, Network Security Specialist. Dean has 12 years of experience in IT and IT Security, as well as over two decades as an instructor and journalist with particular focus on national security issues, espionage, and civil rights.

We enjoyed a wide ranging and informative discussion over the course of the 90 minutes and while we were not in a position to cover all of the material it was a very acceptable starting point and a stake in the ground with respect to what the community can expect from this series of panels.

I opened the discussion with the question:

“Where do the panellists believe that the line should be drawn between what are personal privacy rights versus the needs of national security and do the panellists think that in recent years the public in an atmosphere of “fear” has too easily surrendered a range of privacy rights in favour of national security?”

Please enjoy the recording below which we hope you will find compelling enough to share with your community. We are looking forward to your feedback and we would be very pleased to have your comments, suggestions, and questions. (Don’t forget to subscribe to the Peerlyst YouTube channel so as not to miss the next in our series and also recordings of all of the other panels coming out of the PeerTalk™ initiative.)

ENDS

Top Cybersecurity Threats in Sport (2025)

On October 10th, 2017 at a panel discussion about “Cybersecurity of the Olympic Games” at the University Club, California Memorial Stadium – Missy Franklin, (five-time Olympic medalist) said “We constantly get new technology thrown at us. It’s crazy, but that’s where sports are going.”

Extract:Digital technologies pose an increasingly diverse set of threats to Olympic events, and the newer forms of threat are likely to have more serious consequences. While most hacks today focus on sports stadium IT systems and ticket operations, future risks will include hacks that cut to the integrity of the sporting event results, as well as to core stadiums operations.”

The study The Cybersecurity of Olympic Sports: New Opportunities, New Risks identifies eight key areas of risk for future sporting events:

  1. Stadium system hacks
  2. Scoring system hacks
  3. Photo and video replay hacks
  4. Athlete care hacks
  5. Entry manipulation
  6. Transportation hacks
  7. Hacks to facilitate terrorism or kidnapping
  8. Panic-inducing hacks

Key Olympic sports technology trends that represent several vectors of additional risk:

  1. Gymnastics
    1. Artificial intelligence in scoring
    2. Possible Surprises: Embedded tracking in gymnastics equipment
  2. Swimming
    1. Automated start/finish technology
    2. Possible Surprises: Biometrics in swimsuits
  3. Rowing
    1. Drones above race
    2. GPS tracking of boats
    3. Possible Surprises: Virtual reality real-time viewing
  4. Track & Field
    1. Automatic field event measurement
    2. Possible Surprises: 3D images for track finishes

Selected known cybersecurity incidents from the last three summer Olympic Games include:

BEIJING:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure

LONDON OLYMPICS:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure
  3. False alarm threat to the electrical grid

RIO OLYMPICS:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure
  3. Athlete data hack

END

The Holistic Z: Selective Encryption gives way to “At-Rest” & “In-Flight” Data Protection with Pervasive Encryption

IBM Z encryption moves the market from a selective encryption model to one that is pervasive. This represents a significant modification in the basic structure of computing and its effect on security will, in my opinion, have a major disruptive effect.

The overall concept is to not introduce a decision layer that says what will or will not be encrypted. Instead, it will be possible to have encryption be part of normal processing. The removal of the decision for selective encryption is a further saving in the overall cost and a reduction in the difficulty in using encryption in the current market.

The Holistic Z

The new IBM Z provides a bullet-proof platform for digital transformation, a base for strong cloud infrastructure (fortified clouds, which can be open, private, public, and hybrid), and allows back-end services to be securely exposed through secure APIs.

IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

The Z is arguably more powerful, more open, and more secure than any other commercial offering and makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain.

Positive Disruption with Pervasive Encryption 

But for me the focus of my interest comes back to Pervasive Encryption. The Z (“Zero Downtime“) appeals to many, on many different levels but for me it is Pervasive Encryption that piques my interest.

It is a seismic shift and legitimately makes the z14 the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot. The z14 mainframe has a tried-and-true architecture and excels with security features that are built into the hardware, firmware, and operating systems.

PervasiveEncryption3

True Cost & Performance Mitigation 

The largest barrier to doing full-scale encryption has been the cost of the encryption and the performance load that such activity puts on the computing platform.

Bolted-on solutions that are being deployed have caused system capacity to grow such that there are loads of up to 61% of the system load that is being consumed by security processes. This translates into significant infrastructure costs and performance drags.

Even without the newest advances the Z architecture delivered encryption (selective encryption) more efficiently and with a lower resource expenditure than other platforms.

It delivers over 8.5 times the security protection, at 93% less cost in overall expenditure, and with 81% less effort. The full impact of the faster encryption engine and the ability to encrypt information in bulk on the z14 creates a fully pervasive solution that runs more than 18.4 times faster and at only 5% of the cost of other solutions.

The Threat Landscape & GDPR Compliance 

IBM Z pervasive encryption provides the comprehensive data protection that organizations, customers, and the threat landscape demand.

Here are some stats on that threat landscape:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source:https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

By placing the security controls on the data itself, the IBM solution creates an envelope of protection around the data on Z.

ENDS

Extracts, Source Material, References, & Acknowledgements to IBM Z Systems, IBM Security, IBM Systems, IBM Systems Social Program, and Solitaire Interglobal Limited.  

Cynic Modelling for Legacy Energy Infrastructure

A brief synopsis of my findings in “Legacy Energy Infrastructure Attack Surface Assessment, Threat Count, & Risk Profile” using my “cynic modeller”:

  1. Adversaries who are attracted to the contained assets: Everyone (hobbyists, criminals, state actors, your gran)
  2. Attack surface: As far as the eye can see
  3. Attackers who are capable of acquiring the assets starting from the attack surface: Lots
  4. Therefore the attacker population size is: Computer literate population of earth
  5. Threat count: Np-Complete;
  6. Emerging threats: IIoT and non-cybersec savvy devops rushing intodigital transformation projects
  7. Risk level: Orbital
  8. Impact of realized threat: Expansive (yes, expansive not expensive, but that too)

Assessment: Buy gas lamps, work on your natural night vision, learn to skin rabbits, move far far away from nuclear reactors, buy shares in candle companies.

ENDS

Boiling Privacy Frogs

I really wish that I understood more about psychology and the human condition. The behaviour that puzzles me over and over again and for which I have no explanation is our ability to observe something happening that is detrimental to us in every way and yet do nothing.

It is the “Boiling Frog Phenomenon” which was allegedly a 19th century science experiment where a frog was placed in a pan of boiling water, the frog quickly jumped out. However, when the frog was put in cold water and the water slowly boiled over time, the frog did not perceive the danger and just boiled to death. The hypothesis being that the change in temperature was so gradual that the frog did not realize it was boiling to death.

To demonstrate the same effect in terms of the privacy, surveillance, unwarranted government intrusion debate just trace the evolving public attitude to the J. Edgar Hoover’s Subversive Files, COINTELPRO, The Iraq WMD Lie, Snowden & PRISM, and WikiLeaks Vault 7.

I have come to the conclusion that in relation to our right to privacy that we are all frogs in tepid water, the temperature of which is starting to rise rapidly, and we have no intention of jumping out.

ENDS

People That Like To Throw Grenades Into Your Privacy

For good or for bad I have a tattoo that reads “Fidarsi è bene non fidarsi è meglio” which literally translated is “To trust is good but to not trust is better.” or colloquially “Better safe than sorry”. At least that’s what Google translate told me. I have to trust it. But Veritas Language Solutions have previously reported on the perils of foreign language tats. Like the man who wanted the Chinese symbols for “Live and let live” on his arm but ended up with the Mandarin for “Sweet and Sour Chicken”. I like sweet and sour chicken.

Your “Mass Surveillance” Reality 

In case you have forgotten the reality of the world that you live in right now (in terms of your Privacy), here is a reminder, before it gets exponentially worse:

“The attitude of these politicians (Trump, May, Valls & Co.) and their intelligence organisations and the new “laws” – in the form of the revised Patriot Act and the Investigatory Powers Act – means that’s the vast majority of the worlds English speaking population now live under governments who can – legally – invade their privacy at will – whether at home, at work or at leisure – store the information and use it for any purpose, at any time, at any point in the future – for any reason.”

But that is not good enough. Now they want all of your encrypted data too. Just in case.

Pop Quiz

With that as a backdrop here is a pop quiz and my answers to same (Note: I am a paranoid git, and grumpy):

  1. Do I trust Theresa May? – No;
  2. Do I trust Malcolm Turnbull – No;
  3. Do I trust Donald Trump – F**k No;
  4. Do I trust the Five Eyes Intelligence Alliance – No;
  5. Do I trust the Nine Eyes, the Fourteen Eyes, NSA, GCHQ, MI6, ASD, GCSB, CIA, or CSEC – No;
  6. Do I trust the government of the country of my birth or their national security credentials – No;
  7. Do I think that politicians are concerned with striking an appropriate balance between the right to privacy, freedom of speech, and the preservation of civil liberties with the need to maintain the rule of law – No;
  8. Do I trust any bugger who asks me to trust them with the infinite power to snoop on my personal, professional, online, offline, awake, asleep life – Eh, No.

Do you?

ENDS