Brazil Exploring Ways to Reduce Dependence on US Internet Services

In response to the revelations about the breadth and scope of NSA surveillance and data collection, Brazilian President Dilma Rousseff is taking measures to reduce the influence of US Internet services in the country, and examining ways to transport data so that it does not pass through the US and become subject to collection there. This development may herald what many internet watchers have feared of late: that the great “open internet” of past years may give way to increasingly segregated national intranets, with access controls, censorship, and protectionism stifling the development and innovation that a global net has enabled. That the impetus for movement towards a fractured internet has been the NSA’s behavior should give policy-makers of all stripes pause. It should also raise concerns for the predominantly US-based providers of Internet services about their international business prospects now that their close cooperation with the surveillance regime has been documented in the PRISM revelations. Indeed, Mark Zuckerberg, Facebook’s CEO, who conducts polling of user trust for his company and other US-based giants such as Google and Twitter, reported that “the trust metrics for all of [us] went down” in response to the NSA leaks.

 

Dan Gifford – MCySec Media Manager

Stealth Hardware Trojans Able to Defeat Encryption Systems

Four researchers from the United States, the Netherlands, Switzerland and Germany have published a paper establishing the feasibility of creating difficult-to-detect hardware trojans. The trojan is made during the manufacturing process by failing to properly dope a portion of the semiconductor chip used to generate random numbers for cryptography. Unlike previously understood hardware trojans, whose insertion is known colloquially as “Chipping”, this one requires no extra hardware to be added to the computer chip for the exploit to work. This means that visual inspection of the chip will not be an effective countermeasure in these cases. Additionally, the chips that the researchers altered in this way still passed operational standards, meaning that detection of an affected system will be very difficult.

The result of the exploit is that the encryption codes generated by the hardware are trivially easy for an adversary to crack, potentially exposing sensitive data. This development poses major problems for organizations and nations that rely on distributed and international supply chains to construct their sensitive electronic devices. Much like Project BULLRUN, this research demonstrates that the creation of sufficiently random numbers remains a central problem of encryption, and a major area of exposure to outside attack.
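An added illustration, not taken from the researchers' paper or from this post, of why a weakened generator can still pass routine output checks and what a fleet-level audit can catch instead. It assumes the defect can be modelled as a 128-bit seed in which only 16 bits still vary (the post gives no figure); the toy SHA-256 generator and all function names are hypothetical.

```python
import hashlib
import random
from collections import Counter

FIXED_BITS = bytes(14)  # constructed: 112 seed bits the modelled defect pins to a constant

def drbg(seed: bytes, nbytes: int) -> bytes:
    """Toy hash-counter generator, for illustration only (not a vetted DRBG)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]

def healthy_seed(rng: random.Random) -> bytes:
    # All 128 seed bits vary.
    return rng.getrandbits(128).to_bytes(16, "big")

def degraded_seed(rng: random.Random) -> bytes:
    # Assumed model of the defect: only 16 of the 128 seed bits still vary.
    return FIXED_BITS + rng.getrandbits(16).to_bytes(2, "big")

def monobit_ok(data: bytes, tolerance: float = 0.01) -> bool:
    """Frequency check: the share of 1 bits must be within tolerance of 0.5."""
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones / (len(data) * 8) - 0.5) < tolerance

def duplicate_keys(keys) -> int:
    """Fleet-level audit: how many keys repeat one already seen."""
    return sum(n - 1 for n in Counter(keys).values() if n > 1)

def audit(seed_fn, devices: int = 2000, sim_seed: int = 2013):
    """Return (output stream passes monobit check, duplicate keys across devices)."""
    rng = random.Random(sim_seed)  # simulation randomness, fixed for repeatability
    seeds = [seed_fn(rng) for _ in range(devices)]
    stream_passes = monobit_ok(drbg(seeds[0], 32768))
    keys = [drbg(s, 16) for s in seeds]  # one 128-bit key per simulated device
    return stream_passes, duplicate_keys(keys)

if __name__ == "__main__":
    print("healthy :", audit(healthy_seed))
    print("degraded:", audit(degraded_seed))
```

Both generators pass the per-device frequency check because the output is hashed; only comparing keys across many devices exposes the collapsed seed space.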

Dan Gifford- MCySec Media Manager

Germany’s CCC Hacks iPhone 5s TouchID

The Chaos Computer Club (CCC) of Germany, founded in 1981 and one of the most visible global hacking collectives, has published the details of their successful hack of the new iPhone 5s biometric security fingerprint scanner (a system called TouchID). A member of the club’s biometric hacking team, nicknamed “Starbug”, documented the successful hack in a video posted to YouTube. The method used to conduct the hack is apparently no different from the method Starbug has used in the past to defeat fingerprint readers, except that cracking the TouchID system requires making a fake latex fingerprint of a higher resolution than that used with other systems (however, at 1200 dpi it is still well within the capabilities of a desktop printer). The ease of the method described by the CCC should put a pin in the claims of revolutionary technological developments made so breathlessly in the press in recent days in regard to Apple’s new TouchID feature.

Frank Rieger, spokesperson for the group, stated that: “We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”

In 2008, the CCC acquired and then published 4000 copies of German Interior Minister Wolfgang Schäuble’s fingerprint in an issue of their magazine. The fingerprint was included on a piece of film that would allow users to impersonate the Minister when using biometric devices. This was done in protest of the Minister’s public advocacy which led to the inclusion of fingerprint data on German passports.

 

 

Dan Gifford- MCySec Media Manager

 

“Hidden Lynx” Revealed

Internet security researchers at Symantec have just published an analysis of one of the leading hacking groups that have been classified as “Advanced Persistent Threats”. The “Hidden Lynx” group has been credited with the mass break-in on tech companies such as Google and Adobe that occurred in 2009. Since 2011, the group has targeted hundreds of organizations, primarily in the United States, but with a significant fraction directed against organizations in Taiwan.

The Symantec report suggests that in contrast to such groups as the Comment Crew, also known as APT1 and as “Byzantine Candor” within the intelligence community (and widely suspected to be PLA Unit 61398, based in Shanghai, China), the Hidden Lynx teams are hackers for hire. Their primary target has been the financial services industry, but they have devoted considerable attention to government and military contractors. In their campaigns, the Hidden Lynx group has attacked so-called “Watering Holes”, which are often locally focused websites with weak security that may be used or visited by users from the organizations they are targeting. In their attack on Bit9, they subverted the company’s trust-based anti-virus model, signing their trojans with the company’s certificates to give them an edge against other targets who were relying on Bit9’s trust architecture for protection.

“Hidden Lynx” runs multiple attack campaigns at any given time, and their level of sophistication, combined with the ability to construct and run their own tools against this many targets, led the Symantec researchers to assess that the group has at least 50-100 members.

-Dan Gifford MCySec Media Manager/ Graduate Research Assistant.

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf

 

 

 

New Approaches to Cyber Deterrence: Initial Thoughts on a New Framework (Jeffrey Cooper 2009)

Jeffrey Cooper’s 2009 “New Approaches to Cyber Deterrence: Initial Thoughts on a New Framework,” contract number N65236-08-D-6805, U.S. Under Secretary of Defense for Intelligence, presented to U.S. General Keith Alexander at Highlands Forum, “Cyber Commons, Engagement and Deterrence” moderated by Dr. Itamara Lochard, 10 February 2010 in a closed session at the Center for Strategic and International Studies.

Please also see The Bulletin of the Atomic Scientists.

The Bulletin of the Atomic Scientists, September/October 2013

The Bulletin of the Atomic Scientists has published a special Cyber Issue, concentrating specifically on cyber security challenges. In light of the recent governmental emphasis on the national security priorities of cyber security, this publication is quite timely.

All of the articles are relevant areas of discussion, though the article by Nazli Choucri and David Clark, “Who Controls Cyberspace?” is especially salient given its focus on incorporating the debate into existing international relations theory.

http://bos.sagepub.com/content/69/5

MIIS students and staff should be able to get access to the articles digitally through the library.

Please also see Jeffrey Cooper’s 2009 “New Approaches to Cyber Deterrence: Initial Thoughts on a New Framework,” contract number N65236-08-D-6805, U.S. Under Secretary of Defense for Intelligence, presented to U.S. General Keith Alexander at Highlands Forum, “Cyber Commons, Engagement and Deterrence” moderated by Dr. Itamara Lochard, 10 February 2010 in a closed session at the Center for Strategic and International Studies.

 

The Running of the Cyber-Bulls

Recent documents released by NSA leaker Edward Snowden have revealed the existence of a classified NSA program, codenamed Bullrun, which purports to be able to defeat the encryption standards, such as SSL, that underlie commerce and confidentiality on the World Wide Web. The exact methods of the program remain unclear, though there are tantalizing indicators that the root problems may lie with the methods used to generate random numbers for cryptographic keys; specifically, an algorithm known as Dual_EC_DRBG which was inserted into the standard at the insistence of the NSA. Bullrun, and the related GCHQ program Edgehill, appear to have operated by ensuring through government pressure that vulnerabilities were inserted into the standards used to develop cryptographic systems.

Somewhat disturbingly, the programs are both named for the first battles in their respective nations’ civil wars. The irony here is that these programs have almost certainly permanently damaged the relationship between government security agencies and government and civilian groups responsible for creating technology standards. And while we are not yet at the point of brother fighting against brother, it is obvious that any future cyber-security recommendations made by the NSA will be regarded as highly suspect.

– Dan Gifford, MCySec Media Manager/ Graduate Research Assistant

http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html

http://arstechnica.com/security/2013/09/new-york-times-provides-new-details-about-nsa-backdoor-in-crypto-spec/

A more technical analysis:

http://blog.cryptographyengineering.com/2013/09/on-nsa.html

Bruce Schneier’s advice on maintaining security in light of these developments:

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

 

“Defending an Open, Global, Secure, and Resilient Internet”, Council on Foreign Relations, June 2013

http://www.cfr.org/cybersecurity/defending-open-global-secure-resilient-internet/p30836

“Defending an Open, Global, Secure, and Resilient Internet”, the June publication of an independent task force organized by the Council on Foreign Relations, is a compelling account of the current status of national and international policy within the field of Cyber Security. The report spends a significant amount of time addressing the many urgent risks that the open internet currently faces. Chief among them are fragmentation into state-controlled intranets through censorship and firewalls, and the proliferation in recent years of military- and government-designed cyber weapons alongside new postures towards cyber warfare as a form of state conflict.

Many of the recommendations are sound, such as pursuing more focused Cyber Security policies and laws that avoid the Intellectual Property focus which has led to the failure of a number of previous legislative efforts. Some other stances—such as discouraging aggressive export controls on software and hardware that can be used to monitor and stifle civic dissent online—seem less defensible. This is especially salient given the focus on the risks and costs of a more divided and censored global internet.

On the policy side, a number of concerns are voiced about the future trajectory of the internet and who will ultimately be responsible for regulating it. In the debate between the Internet Corporation for Assigned Names and Numbers (ICANN) and the nascent International Telecommunication Union (ITU), this report comes down squarely on the side of ICANN and views the movement through the United Nations and the ITU to post ground rules on the internet as an attempt by authoritarian states to limit dissent.

The report is not all doom and gloom, however. One bright spot for potential job seekers is that “80 percent of the federal Cyber Security workforce is over 40 years old.” Impending retirements in the field lead the report to cite estimates that there will be “future shortfalls at between twenty and forty thousand people for many years out”. Cyber Security, at least, remains a seller’s market for professionals, who can expect stiff competition for their services.

by Dan Gifford, Media Manager/Graduate Research Assistant – MCySec