Archive for the ‘cybersecurity’ Category

BTC –  NSTIC or the National Strategy for Trusted Identity in Cyberspace will be discussed at Stanford University this Friday.   The program will be crossing into considerations of the Department of Commerce.  Oversight and execution of the program’s cybersecurity and identity perameters is currently under the Department of Homeland Security.  The project is due to be signed by President Obama in the next few weeks.

One of the major security issues with the Web is the emphasis on anonymity in the original design, making it extremely difficult to verify a user’s real identity. The NSTIC calls for the creation of an “identity ecosystem,” where individuals and organizations can conduct online transactions confident in the real identities of each other and the security of the infrastructure the transactions run on.   

– Hillicon Valley,  Obama Administration officials to discuss trusted IDs online

Related News:  NSTIC amid Identity trends for 2011 


BTC – This blog’s hosting technology goes through Google. This lead came in from friend of the blog, JP of NCard who sends us stuff all the time. He’s a long time, sure footed opponent of the National ID card.

“The hackers got access to the coding in the password system that controls millions of users’ access to many Google services.”

A vast amount of info in one place

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in one place, a single breach can lead to disastrous losses.

The theft began with a single instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition he not be identified. ::: MORE HERE:::

c/o TechDirt , Mike Masnick

With health care reform out of the way, lots of politicians are pushing out new legislative ideas, hoping that Congress can now focus on other issues — so we’re seeing lots of bad legislation proposed. Let’s do a two for one post, highlighting two questionable bills that many of you have been submitting. The first, proposed by Senators Schumer and Graham, is technically about immigration reform, which is needed, but what’s scary is that the plan includes yet another plan for a national ID card. Didn’t we just go through this with Real ID, which was rejected by the states? Jim Harper, who follows this particular issue more than just about anyone, has an excellent breakdown of the proposal, questioning what good a national ID does, while also pointing to the potential harm of such a plan.

Then we have the big cybercrime bill put forth by.. Senators Rockefeller and Snowe (updated, since there are two separate cybersecurity bills, and its the Rockefeller/Snowe one that has people scared), that tries to deal with the “serious threat of cybercrime.” But, of course, it already has tech companies worried about the unintended consequences, especially when it requires complying with gov’t-issued security practices that likely won’t keep up with what’s actually needed:

“Despite all [the] best efforts, we do have concerns regarding whether government can rapidly recognize best practices without defaulting to a one-size-fits all approach,” they wrote.

“The NIST-based requirements framework in the bill, coupled with government procurement requirements, if not clarified, could have the unintended effect of hindering the development and use of cutting-edge technologies, products, and services, even for those that would protect our critical information infrastructure.”

They added the bill might impose a bureaucratic employee-certification program on companies or give the president the authority to mandate security practices.

This is one of those bills that sounds good for the headlines (cybercrime is bad, we need to stop it), but has the opposite effect in reality: setting up needless “standards” that actually prevent good security practices. It’s bills like both of these that remind us that technologically illiterate politicians making technology policy will do funky things, assuming that technology works with some sort of magic.

c/o HuffPo‘s Jay Stanley

So the U.S. security establishment is salivating at the prospect of a new cybersecurity “Cold War.” In an over-the-top op-ed in Tuesday’s Washington Post, Mike McConnell issues a declaration that we are “fighting a cyber war today” and compares it to the nuclear showdown with the Soviets. McConnell exemplifies the security establishment as much as anyone — former director of the National Security Agency (NSA), former Director of National Intelligence, and currently executive vice president at Booz Allen Hamilton, a private-sector refuge for former U.S. intelligence officials (and a company that stands to make large sums from consulting on cybersecurity).

The Cold War was, among many other things, a bonanza for the military and for security agencies from the NSA to the CIA to the FBI, which saw their budgets skyrocket and their power and reach expand in ways that were unprecedented in a country that had always held a deep suspicion of “standing armies” and government power. With the end of the Soviet Union and talk of a “peace dividend,” these institutions faced sharp cutbacks and a loss of mission. In the 1990s there was suddenly a lot of attention paid to China and the threat it was said to pose. Then came 9/11 and — although the nature of the threat was far, far different from the Soviet Union — the security establishment nevertheless had a new raison d’être, and a rationale for not only maintaining all the institutions it had built up against the Soviets, but expanding its powers. Proposals such as the Patriot Act, which Congress had rejected in the 1990s, now sailed through without any examination of whether they actually addressed any of the problems responsible for 9/11 (mostly they did not).

Cybersecurity is many things. It is a genuine problem. It is a threat to civil liberties, especially online privacy and anonymity. And, it is also being pushed as the latest reason to keep shoveling new tax dollars and new powers to the NSA and other security agencies — sometimes with almost comical eagerness, as in McConnell’s piece. His op-ed is almost a perfect exhibit in leveraging current events as part of a security-bureaucracy bid for power:

Overdramatic description of the situation as a world-historic “war?” Check.

Focus on centralized, top-down, command-and-control solutions to a problem that is largely a matter of distributed rather than centralized vulnerabilities? Check.

Call for highly ambitious military “grand projects” of dubious attainability but no doubt never-ending budgets? Check. McConnell: “We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds.” A proposal to “monitor cyberspace” could mean different things, but when it comes from a former NSA director and intelligence chief, Americans should be afraid.

Ominous desire to gain some control over the Internet and erase Internet anonymity? Check. McConnell: “We need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable.”

The Internet has been an amazing engine of freedom, innovation and economic growth precisely because it is not under anyone’s control. Its radical decentralized design has permitted it to flourish through the actions of millions of people acting independently and not under anyone’s control.

But this kind of decentralized, out-of-control freedom could not be more at odds with the traditional, military, bureaucratic, control-everything security mindset. Sure enough, Mike McConnell, who seems to exemplify this mindset, wants to make “attribution” more “manageable” — seemingly an endorsement of radical calls to end the possibility of anonymity online in the name of cybersecurity. Anonymous speech is recognized as part of our First Amendment rights and is an old American tradition that goes back to the Federalist Papers, which were written anonymously by (we now know) James Madison, Alexander Hamilton, and John Jay. :::MORE HERE:::

BTC – Fox guarding henhouse? Sure thing. The corporations’ idea of regarding privacy looks and sounds like this.

c/o ABA Journal

As malicious cyber attacks apparently are occurring more frequently and with more sophistication than ever before, a search engine giant has turned to a United States spy agency for help in dealing with a major suspected China-based hacking effort in December.

But the move by Google Inc. to work with the National Security Agency to address the claimed intrusion into its computer network–as well as those of some 30 other companies–has raised concerns about unwanted government knowledge of individual users’ personal information, according to the New York Times.

“Google and NSA are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world,” says executive director Marc Rotenberg of the Electronic Privacy Information Center. His Washington-based policy group sued the NSA today, seeking information about the agency’s role in cybersecurity-related surveillance.

The pact between Google and NSA was earlier reported by the Washington Post. The Post says the agreement, which is still being negotiated, calls for the NSA to help analyze what happened with the goal of successfully defending against future cyber attacks.

Senior counsel Greg Nojeim of the Center for Democracy & Technology tells the Post there is statutory authority for companies to share information with the United States government in order to protect their property rights.

According to the Times, the cooperative research and development agreement between Google and the NSA is authorized by the Federal Technology Transfer Act of 1986. It permits the government to enter into a written agreement to work with a private company on a specific project intended to promote the commercialization of government-developed technology.

c/o Julian Sanchez for The Nation

In a major speech on Internet freedom last week, Secretary of State Hillary Clinton urged American tech companies to “take a proactive role in challenging foreign governments’ demands for censorship and surveillance.” Her call to action followed a series of dazzlingly sophisticated cyberattacks against online giant Google and more than thirty other major technology companies, believed to originate in the People’s Republic of China. Few observers have found the Chinese government’s staunch denials of involvement persuasive–but the attacks should also spur our own government to review the ways our burgeoning surveillance state has made us more vulnerable.

The Google hackers appear to have been interested in, among other things, gathering information about Chinese dissidents and human rights activists–and they evidently succeeded in obtaining account information and e-mail subject lines for a number of Gmail users. While Google is understandably reluctant to go into detail about the mechanics of the breach, a source at the company told ComputerWorld “they apparently were able to access a system used to help Google comply with [US] search warrants by providing data on Google users.” In other words, a portal set up to help the American government catch criminals may have proved just as handy at helping the Chinese government find dissidents.
In a way, the hackers’ strategy makes perfect sense. Communications networks are generally designed to restrict outside access to their users’ private information. But the goal of government surveillance is to create a breach-by-design, a deliberate backdoor into otherwise carefully secured systems. The appeal to an intruder is obvious: Why waste time with retail hacking of many individual targets when you can break into the network itself and spy wholesale?

The Google hackers are scarcely the first to exploit such security holes. In the summer of 2004, unknown intruders managed to activate wiretapping software embedded in the systems of Greece’s largest cellular carrier. For ten months, the hackers eavesdropped on the cellphone calls of more than 100 prominent citizens–including the prime minister, opposition members of parliament, and high cabinet officials.

It’s hard to know just how many other such instances there are, because Google’s decision to go public is quite unusual: companies typically have no incentive to spook customers (or invite hackers) by announcing a security breach. But the little we know about the existing surveillance infrastructure does not inspire great confidence.

Consider the FBI’s Digital Collection System Network, or DCSNet. Via a set of dedicated, encrypted lines plugged directly into the nation’s telecom hubs, DCSNet is designed to allow authorized law enforcement agents to initiate a wiretap or gather information with point-and-click simplicity. Yet a 2003 internal audit, released several years later under a freedom-of-information request, found a slew of problems in the system’s setup that appalled security experts. Designed with external threats in mind, it had few safeguards against an attack assisted by a Robert Hanssen-style accomplice on the inside. We can hope those problems have been resolved by now. But if new vulnerabilities are routinely discovered in programs used by millions, there’s little reason to hope that bespoke spying software can be rendered airtight.

Of even greater concern, though, are the ways the government has encouraged myriad private telecoms and Internet providers to design for breach.

The most obvious means by which this is happening is direct legal pressure. State-sanctioned eavesdroppers have always been able to demand access to existing telecommunications infrastructure. But the Communications Assistance for Law Enforcement Act of 1994 went further, requiring telephone providers to begin building networks ready-made for easy and automatic wiretapping. Federal regulators recently expanded that requirement to cover broadband and many voice-over-Internet providers. The proposed SAFETY Act of 2009 would compound the security risk by requiring Internet providers to retain users’ traffic logs for at least two years, just in case law enforcement should need to browse through them.

A less obvious, but perhaps more serious factor is the sheer volume of surveillance the government now engages in. If government data caches contain vast quantities of information unrelated to narrow criminal investigations–routinely gathered in the early phases of an investigation to identify likely targets–attackers will have much greater incentive to expend time and resources on compromising them. The FBI’s database now contains billions of records from a plethora of public and private sources, much of it gathered in the course of broad, preliminary efforts to determine who merits further investigation. The sweeping, programmatic NSA surveillance authorized by the FISA Amendments Act of 2008 has reportedly captured e-mails from the likes of former President Bill Clinton.

The volume of requests from both federal and state law enforcement has also put pressure on telecoms to automate their processes for complying with government information requests. In a leaked recording from the secretive ISS World surveillance conference held back in October, Sprint/Nextel’s head of surveillance described how the company’s L-Site portal was making it possible to deal with the ballooning demand for information:

“My major concern is the volume of requests. We have a lot of things that are automated, but that’s just scratching the surface…. Like with our GPS tool. We turned it on–the web interface for law enforcement–about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the [L-Site portal] has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests…. They anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.”
Behold the vicious cycle. Weakened statutory standards have made it easier and more attractive for intelligence and law enforcement agencies to seek information from providers. On top of the thousands of wiretap and so-called “pen/trap” orders approved each year, there are tens of thousands of National Security Letters and subpoenas. At the ISS World conference, a representative of Cricket, one of the smaller wireless providers, estimated that her company gets 200 law enforcement requests per day, all told; giants like Verizon have said they receive “tens of thousands” annually. (Those represent distinct legal demands for information; Sprint’s “8 million” refers to individual electronic requests for updates on a target’s location.)

Telecoms respond to the crush of requests by building a faster, more seamless, more user-friendly process for dealing with those requests–further increasing the appeal of such tools to law enforcement. Unfortunately, insecurity loves company: more information flowing to more legitimate users is that much more difficult to lock down effectively. Later in his conference, the Sprint representative at ISS World speculated that someone who mocked up a phony legal request and faxed it to a random telecom would have a good chance of getting it answered. The recipients just can’t thoroughly vet every request they get.

We’ve gotten so used to the “privacy/security tradeoff” that it’s worth reminding ourselves, every now and again, that surrendering privacy does not automatically make us more secure–that systems of surveillance can themselves be a major source of insecurity. Hillary Clinton is absolutely right that tech companies seeking to protect Internet freedom should begin “challenging foreign governments’ demands for censorship and surveillance.” But her entreaty contains precisely one word too many.

About Julian Sanchez
Julian Sanchez is a research fellow at the Cato Institute and a contributing editor for Reason magazine.

c/o CNET

BTC – Jeff Moss. Defcon man gone HSGAC. PASS ID is still a Real ID. Someone tell Moss…

Q: So, how’s it going on the Homeland Security Advisory Council?

Moss: It’s going pretty well, it’s pretty exciting actually. Recently we did a recommendation, I’m sure you read about it, the homeland security color codes. There are the five color codes. Normally the country is on like yellow or orange. I think we’ve only been to red once. But we’ve never been to the two lowest, blue and green. So the system was up for review. It turns out that the color codes work really well for industry and government. They have procedures in place. They do things automatically when the color codes are changed. It is actually successful for them but for the third group that uses them, civilians, it actually doesn’t work well at all.

Right. We don’t understand it. We’re like, what does it mean? Is it real?

Moss: How does it give us any actionable information? How should we change our behavior based on it? That’s what came out of the report was that it’s very hard for civilians to do anything with it and it causes confusion, and it’s the No. 1 source of ridicule. The system needs to stay because it’s valuable for the other two groups, but it needs to change was the conclusion of the report. So they had a couple of recommendations and one was to just get rid of the two lowest colors because honestly we’ve never been at them; make the new normal orange. Three levels is probably more realistic than having five. The U.K. doesn’t have five either, I think they have three.

The other big thing was if something is happening in New York, you don’t need to raise it for the whole country, so make them more applicable for a geographic location. Localize it more. And then some other recommendations I thought were reasonable were make it a default where the level is automatically lowered if nothing affirmative happens. So the onus is on the officials to constantly justify why it needs to stay at a higher level. They had some other really common-sensical recommendations. You should tell people without revealing any sensitive security information or sources why did it get raised? Why did it get lowered? Is the threat over or is this an ongoing threat that we just now think is less important?

Two (reports) before that we were dealing with the Real ID versus Pass ID debate. (The Bush administration was) trying to create basically a national identity card and when that didn’t happen they created this Real ID standard that would cause all the states to have standardized features on their driver’s licenses. That’s different from an enhanced driver’s license which is used in place of your passport when crossing into Canada or Mexico.They want make it all much more transparent to the public. So if they say we intercepted these people trying to board a plane with these liquids so we’re going to go got a higher level around airports…something like that, instead of a blanket generalization that’s applied to the whole country without explaining when the threat goes away or is mitigated. I know some members of Congress agreed with the report and it was generally really well received. Now the Advisory Council, we all unanimously agreed with it, and now it’s off to the secretary (of Homeland Security). I was expecting a lot more bureaucrat-ese but that report I couldn’t find anything to nitpick with because it make a lot of sense.

You need biometrics (and to) verify the information through approved two other sources. It’s an attempt by the feds to make sure information getting into the DMVs is actually valid and there’s a paper trail there and the information from one state can be easily shared with another state. It seemed fairly reasonable. But then you started looking at some of the provisions and it turns into another one of these giant unfunded mandates from the feds. A lot of the civil libertarians got up in arms over it and I’m not really pleased either. States started to rebel.

The DHS was saying if you don’t have one of these driver’s licenses that is approved you’re not going to be able to fly. So these governors got together and came up with an alternative plan called Pass ID. It removed it from being a state unfunded mandate, reduced the database requirements, reduced some of the ID requirements, made it much more feasible and reasonable, phased in on not such an immediate time table, didn’t seem to have Big Brother issues. DHS is not going to want to go to war with these states. I think there’s a realization you have to come to some compromise and Pass ID seems like a good compromise, but now you’ve got to convince Congress. ::: ENTIRE INTERVIEW HERE:::