cybersecurity – Page 2 – Digital Dark Matter

January 29, 2018

Meet the plot to the next Speed sequel…..

With the Amazon Echo set to launch in Australia next month it is a good time to take stock of how much integration is really a good thing. The article doesn’t really provide any revelations that would surprise anyone familiar with cyber security, but a cyber attack while sitting at your desk will have a less kinetic effect than a cyber attack while you are travelling at 80km/h on a busy highway.

I don’t think that security should be a reason to never consider a technology, but a real security by design approach should always be the focus in today’s environment.

https://www.nytimes.com/2018/01/25/business/amazon-alexa-car.html

January 14, 2018January 15, 2018

The cost of security

An interesting article describing the direct (and not what you would necessarily expect) business cost of cyber security in relation to these new bugs.

Not sure if litigation is necessarily and answer that will help anyone with these problems.

https://www.economist.com/news/business/21734482-even-if-hackers-do-not-exploit-two-new-chip-flaws-there-will-be-economic-consequences-spectre

January 12, 2018

A master key for all

The topic of law enforcement access to encrypted devices has again reached the media (http://www.smh.com.au/world/fbi-chief-calls-phone-encryption-a-major-public-safety-issue-20180109-h0fwz1.html). Something that seems to appear with increasing regularity.

The ironic thing here is that if the various calls from different governments were successful in implementing some form of backdoor to encryption, they would be in just as much trouble as the public who are railing against such changes. Probably more. I am certain the inevitable vulnerabilities and flaws introduced by such changes would be targeted to government information with more devastating impact than that of the average Joe/Jane Citizen.

This is a complex issue and unfortunately one that gets sidelined by emotive arguments from both camps. The ‘for’ camp usually cite the issues of terrorism and child protection (the two most unassailable arguments and rarely addressed directly by opponents). The ‘against’ camp usually cite privacy and government overreach into the lives of its citizens (a valid argument of course, but not one that addresses the mains issues).

I don’t disagree that there realistically needs to be something done. Information is becoming predominately digital and law enforcement does have a job to do which at times is hindered by the ubiquity of strongly encrypted devices.

However, the calls to implement a form of backdoor into existing crypto technology will only weaken the foundation of strong and secure Internet communications and transactions. The very communications and transactions that underpin the function of a lot of contemporary society.

The creation of backdoors or ‘master keys’ will create a weakness that will need to be strongly controlled and highly protected. Any compromise of this mechanism would have the impact of potentially destroying the confidentiality of all data/devices/systems protected by that crypto system. As we have seen over recent years, the ability of organisations or governments to protect their most valuable information is never assured. All this approach would do is create a crown jewel target that would the sort after prize of cyber criminals and foreign intelligence services alike (if only we had some way to securely encrypt such a target…. oh wait!).

This current article raises some details trying to support its argument. The FBI was unable to gain access to the content of 7,775 devices in fiscal year 2017. This certainly represents an element of frustration I would suspect for investigators who are pursuing their cases. The article does fail to address a couple of points however.

Of those 7,775 devices that were inaccessible and their associated investigations, how many of those investigations failed due to that lack of ability to access the data. Namely, how many criminals avoided conviction because of the encryption on the devices? A device is an element of an investigation and I would suspect in very few cases the only avenue of approach to the investigation. While access to the data is likely critical in a number of those cases, the raw figure being presented as a ‘public safety issue’ is not really a valid argument.

Ever since encryption was first used by nation states for communications there has been attempts to break the various codes that have been used. Where it hasn’t been possible to read the information being transmitted there have been other methods developed to gain as much insight as possible. The analysis of signals transmission itself can elicit useful information. Basically, the presence of communication and the recipient can also be used to further the cause of an investigation without necessarily knowing the content of the message.

Moves by law enforcement and governments to state their case for this in an emotive and urgent nature will not lead to a rational discussion of viable solutions. There is risk here that in their pursuit of capability a great damage may be done to the underlying confidentiality mechanism that the world relies heavily on.

Certainly, I would agree there is a need for this capability, but it is not solely a technical discussion. It requires equal parts engagement of stakeholders involving strong legislative protections as well as support from relevant technology stakeholders.

There are solutions to this problem. And I do hope that we reach the one that is right for all.

January 8, 2018

Meet the new threat same as the old threat

One of the many prediction articles I suspect we will see in coming days.

http://www.smh.com.au/technology/innovation/swarm-cyber-attacks-crypto-currency-stealing-malware-predicted-for-2018-20180107-p4yyaz.html

The main message we can take away from this is that those wanting to attack systems will use new technology to help them do that, just as those that are wanting to defend systems from attack will use new technology to prevent those attacks. Nothing that startling revealed here, just the continuation of the arms race that has been going on for some years now.

Certainly a concerning future, but not a surprising one.

Original source for the article can be found here: https://blog.fortinet.com/2017/11/14/fortinet-fortiguard-2018-threat-landscape-predictions

January 8, 2018

More Regulation Please?

An interesting op-ed piece. While I wouldn’t necessarily say that regulation (government or otherwise) is always the answer (other than to bolster the compliance industry), there is a point to be made here.

Are we reaching a tipping point like that experienced after the Enron fallout where a more holistic and measure approach to this problem needs to be mandated?

A data breach today is less likely to be an annoyance and more likely to have potentially significant and devastating real world consequences. The hit list of recent events in this regard identified in the article clear demonstrates that the problem is just getting bigger.

https://www.nytimes.com/2018/01/08/opinion/cybersecurity-breach-spectre-meltdown.html

January 4, 2018

Happy New Year, Happy New Devastating Vulnerabilities

Another year and another critical vulnerability (ies) that impact the very infrastructure we live upon. Spectre and Meltdown have hit the press today . The NY Times has written a fairly well balanced article (https://www.nytimes.com/2018/01/03/business/computer-flaws.html) and hopefully other media will give it the same responsible attention, but somehow I doubt it.

Giving vulnerabilities catchy names and logos is a little bit of a double-edged sword I think. It certainly raises serious issues and gives them the attention they need, but it also creates a bit of link-bait fodder which doesn’t help things that much when the issue needs a serious and rational approach to a solution. But it is the world we live in I guess.

For those interested, the papers relating to the two vulnerabilities can be found under their own registered domain (!) https://meltdownattack.com/

December 23, 2017December 21, 2017

The New World Order of Privacy

I suspect we will be seeing more of these types of articles in coming months and years. This is essentially the same type of problem that impacts other areas of security from secure software development to encryption; we develop an assurance method and then research (legitimate or otherwise) finds the flaws. The problem I see is that unlike secure software development and encryption, de-identification methods don’t have the same level of maturity. With the current environment of data (especially personal data) being of high value, we are going to need to mature these methods very quickly

http://www.smh.com.au/technology/innovation/australians-health-records-unwittingly-exposed-20171218-p4yxt2.html

December 22, 2017December 21, 2017

The Infosec Hits of 2017

Looking back at the year that was. Certainly some things that I don’t think we would have conceived in 2016. Let’s see what surprises 2018 will bring. Fairly certain that things won’t necessarily improve!

https://www.wired.com/story/2017-biggest-hacks-so-far/