NY Attorney General Proposes Not Terrible Cybersecurity Legislation

from the did-he-not-get-the-memo? dept

The state of New York wants to get in on all the cybersecurity fun the kids legislators and intelligence officials are talking about these days. New York Attorney General Eric T. Schneiderman has announced his plan to introduce cybersecurity legislation this year, putting the state in the position to regulate data security and its citizens' privacy.

Most legislation that includes the word "cyber" is nothing more than an excuse to give the government a larger piece of the action -- generally by redefining the term "information sharing" to mean a one-way street of data collection running from private companies (and their customers) to various law enforcement and security agencies.

Schneiderman's proposal seems to be more skewed towards actually increasing protections of companies and customers, rather than simply codifying additional government access. But before we start passing around high fives and popping champagne corks, it must be noted that not a single word of this has been put to paper yet (excluding the press release). At this point, it's just a proposal for legislation. There's no first draft to read and no indication what its interplay (amendments, etc.) with existing laws will entail.

That being said, most of what's delivered in Schneiderman's statement is mostly reasonable. Most of what's being asked for should have already been in place (including additional restrictions on the sharing of medical data). Many companies (coughSONYcough) seem to treat their customers' personal data as an afterthought -- something that only deserves attention after it's been Pastebinned for the world to see.

Expand Definition of Private Information- New York legislators should expand the definition of “private information” to include both the combination of an email address and password, and an email address in combination with a security question and answer, as California already has done. Additionally, the definition of private information should include medical information, including biometric information, and health insurance information.

Legislate Reasonable Data Security Requirement- All entities that collect and/or store private information should be required to have reasonable security measures to protect said information. These measures should include:

Administrative safeguards to assess risks, train employees and maintain safeguards.

Technical safeguards to (i) identify risks in their respective network, software, and information processing, (ii) detect, prevent and respond to attacks and (iii) regularly test and monitor systems controls and procedures.

Physical safeguards to have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored.

Certification- Entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security.

Legislate a Safe Harbor to Provide an Incentive for a Heightened Level of Data Security– New York needs to incentive businesses to implement the most robust data security. To do so, New York should offer a safe harbor if a company adopts a heightened form of security. To comply, entities would be required to categorize their information systems based on the risk a data breach imposes on the information stored. Once information systems are categorized, a data security plan based on a multitude of factors would be implemented and followed. Once this standard is met, the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.

Overall, not terrible, with a couple of caveats. One: the government's ability to protect itself from cyberattacks and other hacking ranges from less-than-adequate to abysmal. Considering its lack of self-awareness, it seems presumptive to put itself in the position of setting standards for data security. Sure, it could bring in actual experts in the field to craft these, but once legislators have had their say, what's been recommended may only bear the faintest resemblance to what's actually implemented.

Two: while the proposal helpfully expands the definition of "private information," it fails to provide specifics about who can or can't access this information. Any company could route around these restrictions with some fine print in its Terms of Service. And there's nothing forbidding the acquisition of medical, biometric and insurance data by the state itself. In fact -- and here's where we head into the "fairly decent BUT" section" -- the proposal lays the groundwork for one-way information sharing in the final paragraph.

Protection for Sharing Forensic Data- Finally, in the event of a data breach, New York should incentivize companies to share forensic reports with law enforcement officials. One way to accomplish this would be to make sure that the disclosure of a forensic report to a relevant law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privilege or protection. This would allow companies to feel comfortable with the free sharing of information while giving authorities a better chance at catching those responsible.

This is more sensible than other proposals as it looks to limit sharing of data to forensic data only. Then again, this is a proposal and, while all intentions are pure, it's a long way from a finished product. When the bill finally hits the legislative floor, it's very likely that this restrictive sharing will be loosened. Considering the panic that surrounds all things cyber-related -- especially once some enterprising do-gooder tosses the word "cyberterrorism" into the mix -- it's going to take a very dedicated and obstinate person to shepherd this through with most of these protections still intact.

And someone's still going to need to sell this additional layer of regulation to the companies it will affect -- many of whom have some pull in the upper reaches of the government. They're not exactly going to welcome the additional expense of implementing solid data security, even if they should have been on top of this since day one. The litigation safe harbor should make the pitch a bit more appealing, but again, it will take someone dedicated and tenacious to ensure the requirements aren't watered down into uselessness on its way to the governor's desk.

Filed Under: cybersecurity, eric schneiderman, new york, security

Leaked Intelligence Document Calls For More, Not Less Encryption To Protect Companies And Citizens From Cybercriminals

from the and-yet,-everyone-seems-to-be-calling-for-less dept

Everyone from FBI Director James Comey to UK Prime Minister David Cameron is calling for an end to encryption. The FBI is afraid it won't be able to catch criminals if it can't immediately access content and communications. David Cameron is afraid it will be nothing but constant terrorist attacks from here on out if authorities don't have access to "every means of communication."

Considering many of these voices decrying encryption presumably have access to top secret briefings and documents otherwise unseen by the general public, it's rather surprising they've ignored previous advice from intelligence officials to the contrary.

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.

[...]

The document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data.

This document comes from The Guardian's stash of Snowden leaks. What it says runs completely contrary to the panicked assertions of officials. It even runs contrary to the NSA's own actions, like its active attempts to weaken NIST standards. The report recommends strong encryption, coupled with multi-factor authentication, which would make data and communications wholly inaccessible to the NSA (and GCHQ, its steady surveillance partner).

But this recommendation doesn't come from an outside source. It's an intelligence council that reports directly to the head of national intelligence. And yet, the word didn't spread very far. The NSA isn't thrilled with encryption because it keeps what it wants out of reach. Law enforcement has the same "problem." Both have actively worked to undermine encryption for their own aims and both are perfectly willing to open up citizens and companies to outside attacks in order to preserve the status quo.

And it's not just American agencies that have ignored these recommendations. The GCHQ is engaged in the same cognitive dissonance.

Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies’ private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks.

The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”....

The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world.

The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.

GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Again we see agencies charged with protecting nations walking away from this responsibility in order to pursue their own ends. Sure, some safety may have resulted from the collection of unencrypted communications, but both agencies are willing to compromise corporate hardware and consumer software in order to grab just a little more hay for the haystacks.

You can't make a nation safer by destroying its safety features. There's a bigger picture that these agencies refuse to see -- even when internal guidance puts it front and center. If you weaken protections, seek legislation to prevent encryption, collect and stash exploits and install backdoors in hardware and software, you make the nation's cybersecurity that much harder to maintain. The NSA and FBI both want a piece of the cyberwar action but they want to leave everyone that isn't them defenseless. Over on the other side of the pond, the GCHQ is doing the same thing and it has the support of a Prime Minister who feels no communication should be able to escape the agency's notice.

And behind it all, there are documents touting the protective powers of encryption. But that makes intelligence gathering and law enforcement too difficult, so I guess we'll all have to do without.

Filed Under: cybersecurity, encryption, fbi, gchq, nsa, privacy

The DHS Wants To Pitch In With The Cyberwar But Can't Even Be Bothered To Secure Its Own Backyard

from the safe-as-homelands dept

The US government has basically declared war over the Sony hacking, offering full-throated support for the beleaguered embarrassed company. Why this one -- rather than the countless hacks of corporate networks (including those where credit card data and personal information were compromised) -- remains a mystery.

The end result has been a call for more government intrusion and a reanimation of CISPA's lumbering corpse. "Share with us," says the government. "Gird yourself for the cyber Pearl Harbor," say its supporters. "Let us handle it," say those whose desire for expanded government power exceeds their crippling myopia.

Yeah, let's do that. Let's allow the government to set the rules on cybersecurity. Let's give agencies like the DHS -- which can't even be bothered to secure its own assets -- more leeway to investigate and react to cyberthreats. (h/t to NextGov)

DHS lacks a strategy that: (1) defines the problem, (2) identifies the roles and responsibilities, (3) analyzes the resources needed, and (4) identifies a methodology for assessing this cyber risk. A strategy is a starting point in addressing this risk. The absence of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to a lack of action within the Department. For example, no one within DHS is assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014.

That's the Government Accountability Office's assessment of the DHS's qualifications as a potential cybersecurity agency. [pdf link] This is the agency tasked with securing federal assets and ensuring the safety of not only government employees, but Americans in general. And it can't do it. In fact, it can't even begin to do it.

Despite being specifically directed by 2002's Federal Information Security Management Act (FIMSA) to periodically assess risks, report on them and DO SOMETHING ABOUT IT, the agency has managed to blunder into 2015 with no specific plan to tackle cyberthreats to the federal buildings under its protection.

And, while the President and those pushing the revived CISPA seem rather keen on "sharing info," it's a one-way street, apparently. The DHS can't even be bothered to share with other government agencies.

The Interagency Security Committee (ISC), which is housed within DHS and is responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyber threats to building and access control systems in its Design-Basis Threat report that identifies numerous undesirable events.

Whatever the DHS/ISC has managed to glean from situations like 2009's hacking of a Dallas hospital's HVAC system or 2006's hacking of Los Angeles traffic signals hasn't been passed on to other government agencies because the ISC believes "active shooters" and "workplace violence" are bigger threats. Maybe so, in terms of actual physical violence, but that's no excuse for ignoring something the government as a whole considers to be its next battlefield.

So, why is the DHS so bad at this? It would seem to be two things: the DHS is too big to move at the speed the threat mandates and it's always someone else's job. Because it has failed to take charge of the situation (despite a federal mandate and a 2013 presidential policy directive [p. 8-9]), no one seems to know what to do, how to do it or even who should do it.

[B]ecause DHS has not developed a strategy, several components within DHS have made different assertions about their roles and responsibilities. For example, FPS’s Deputy Director for Policy and Programs said that FPS’s authority includes cybersecurity. However, FPS is not assessing cyber risk because, according to this official, it does not have the expertise. Furthermore, although ICS-CERT has developed a tool to assess cyber risk, it also is not assessing cyber risk to building and access control systems at federal facilities. Moreover, NPPD’s Federal Network Resilience is to, among other things, identify common cybersecurity requirements across the federal government, but it also is not working on issues regarding the cyber risk of building and access control systems in the federal government.

An official from the Office of the Under Secretary of NPPD acknowledged that NPPD has not yet determined roles and responsibilities, including what entity should conduct cyber risk assessments of FPS-protected facilities or what assessment tool should be used. This official said that the Department has not developed a strategy, in part, because cyber threats involving building and access control systems are an emerging issue.

Somehow, despite being well-financed and incredibly large, the DHS can't find the time to properly assess the facilities it's supposed to be "securing."

Moreover, GSA [General Services Administration -- reports to the DHS] has not conducted security control assessments for all of its systems that are in about 1,500 FPS- protected facilities. In November 2014, GSA information technology officials said that from 2009 to 2014, the agency conducted 110 security assessments of the building control systems that are in about 500 of its 1,500 facilities. GSA has not yet assessed the security of control systems with network or Internet connections in about 200 buildings. GSA officials stated that they plan to assess these systems during fiscal year 2015.

The GSA isn't just being outpaced by hackers. It's being outpaced by the government's own slow stagger into the connected future. 800 systems are expected to switch from "standalone" to networked in the near future. The GSA plans to re-assess these systems' security after the changeover, but it's still working its way through the last half-decade's backlog. With its parent agency unable to provide guidance and its other agencies unwilling to share information, the GSA becomes the third prong in this triumvirate of failure.

And what it does actually get around to assessing isn't much help, either. Being crossed off the GSA's to-do list means being no more safe than you were before the agency finally strolled through the door.

Further, our review of 20 of 110 of GSA’s security assessment reports (between 2010 and 2014) show that they were not comprehensive and not fully consistent with NIST guidelines. For example, in 5 of the 20 reports we reviewed, GSA assessed the building control device to determine if a user’s identity and password were required for login but did not assess the device to determine if password complexity rules were enforced. This could potentially lead to weak or insecure passwords being used to secure building control devices.

GSA also conducted its assessments of building control systems in a laboratory setting which allowed it to test components and to identify weaknesses in their default configuration. However, GSA does not conduct further assessments after installation when configuration settings may no longer reflect their default values. As a result, GSA has limited assurance that the configurations assessed reflect the configurations implemented in the facility, thereby increasing the risk that vulnerabilities in building control systems may not be detected.

This is the government that wants the nation's companies to "partner up" against cyberthreats and cyberterrorism: the same government that can't even ensure its own infrastructure is protected. And no one cares because compromising control systems doesn't make for very sexy copy or hawkish soundbites about being "tough on cybercrime."

If you need a solid argument against the government's desire to play the part of (cyber)security guard to the nation's companies, look no further than the GAO's list of "Related GAO Products" (p. 34) that follows this report.

Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity. GAO-14-459. Washington, D.C.: June 5, 2014.

Information Security: Agencies Need to Improve Cyber Incident Response Practices. GAO-14-354. Washington, D.C.: April 30, 2014.

Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness. GAO-13-776. Washington, D.C.: September 26, 2013.

Cybersecurity: National Strategy, Roles, and Responsibilities Need to BeBetter Defined and More Effectively Implemented. GAO-13-187. Washington, D.C.: February 14, 2013.

Cybersecurity: Threats Impacting the Nation. GAO-12-666T. April 24, 2012.

Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011.

Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008.

Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain. GAO-07-1036. Washington, D.C.: September 10, 2007.

The government doesn't have the skills necessary to ply its wares in the cybersecurity business. If it can't lock down its own assets -- despite seemingly limitless funding and manpower -- it has nothing to offer the private sector but intrusiveness and harmful regulation.

Now, if you're a fan of bad news, you're going to love the worse news. The fight over who should head up the government's War on All Things Cyber doesn't put the DHS at the front of the list -- but it's not because the agency clearly can't handle the job. It's because agencies that are even more intrusive than the DHS want a piece of the action, namely the FBI and the NSA. If either of these two end up in that position, expect to find domestic surveillance rules relaxed. The latter agency defines cybersecurity as "peeking in at everyone," which is at odds with those on the receiving end (US companies) who believe being secure means removing backdoors or otherwise locking everyone out, not just the "bad guys." That isn't going to sit well with the FBI and NSA -- one of which believes no one should be able to "lock out" law enforcement and one that intercepts hardware and inserts backdoors when not deploying malware for the same purpose. So, the DHS may be the lesser of three evils, if only because its incompetence exceeds its reach.

Filed Under: cispa, cybersecurity, dhs

President Obama's Plan For 'Securing Cyberspace' Has A Lot Of Problems

from the not-the-public's dept

On Monday, President Obama gave a speech kicking off his big push on cybersecurity, with many of the details being released on Tuesday, and they don't look very good. There are a lot of different pieces, but we'll just highlight the two that concern us the most.

First up: information sharing/"cybersecurity." The key issue here: is it the return of CISPA? CISPA, of course, is the cybersecurity "information sharing" bill that is introduced each year, but which is really about giving the NSA a tool to pressure companies into sharing their information (by granting immunity from liability to those companies). In 2012, President Obama rejected the CISPA approach as not having enough protections for privacy and civil liberties. And, indeed, contrary to what some have said, the official proposal is not "endorsing CISPA." The approach is definitely more limited and the most major concern is addressed. Rather than giving the information to the NSA (or the FBI), Homeland Security gets it. DHS isn't wonderful, but it's better than the other two alternatives. Companies can still give the info to the NSA or FBI (or others), but won't get full immunity from lawsuits if they do.

But, where the new proposal falls woefully short is in its lack of privacy protections. It basically handwaves its way through the privacy question, saying there will be guidelines, but the guidelines aren't written yet, and they're fairly important here. Instead, there's just a plan to make them:

The Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the Chief Privacy and Civil Liberties Officers at the Department of Homeland Security and Department of Justice, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Defense, the Director of the Office of Management and Budget, the heads of sector-specific agencies and other appropriate agencies, and the Privacy and Civil Liberties Oversight Board, shall develop and periodically review policies and procedures governing the receipt, retention, use, and disclosure of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act.

Yes, it promises that those guidelines will limit the "acquisition, interception, retention, use and disclosure" of information, but it's still not entirely clear what the final guidelines will be. The second problem, still not addressed in all of this, is explaining why this is needed. People keep saying that we need "information sharing" because of "cyberthreats," but no one argues why that information sharing can't happen today, or points out what regulations today get in the way. That's because they don't. Companies can share information today, but the focus of this bill is to try to grant them broad immunity in case they share the wrong (private) info and it gets out.

The second concerning proposal is with the update to the CFAA (the Computer Fraud and Abuse Act). The CFAA, of course, is the widely misused "anti-hacking" law that has been stretched and twisted by law enforcement and prosecutors over time to argue that merely disobeying a terms of service could be seen as "hacking." While some courts have limited that ridiculous interpretation, the changes here seem fairly messy and could bring back that possibility. The language involves a lot of careful picking through to interpret it, and it appears that it may fix some small issues with the CFAA, but opens up other massive holes that are seriously problematic. The White House claims this fix would "enhance [the CFAA's] effectiveness against attacks on computers and computer networks."

But that's not the problem with the CFAA. The problem is that it's already seriously overbroad and used in dangerous ways. That's barely addressed. The main "fix" is that if you "intentionally exceed authorized access," there are conditions necessary to meet to trip the CFAA wire -- and a key one is that the value of the information obtained must "exceed $5,000." But, of course, with the way the gov't inflates the value of information... that seems like a pretty small hurdle. The really big problem, though, comes in section (e)(6) which adds in a troubling definitional change to "exceeds authorized access." This is the whole bit that's been used as evidence of "terms of service" violations. The key case that rejected this theory is the Nosal case and that seems to be completely wiped out with this little addition to exceeding authorized access:

for a purpose that the accesser knows is not authorized by the computer owner;

This is likely to be interpreted to mean that if a terms of service bans a certain type of use, they have "knowledge" and thus violating that kind of use is back to being a problem under the CFAA. As Orrin Kerr argues, this could be read to mean that if your employer says you can only use a computer for work reasons, and you surf for personal reasons, you've broken the law. It is also possible to read this section to mean that using someone else's Netflix or HBO GO password... could violate the law. Yikes!

Of course, one hopes that law enforcement wouldn't go after those types of violations, but a more serious concern may be the impact on security research. Finding a hole in a website online, allowing you to access data that was publicly exposed could be seen as exceeding access, on the basis that whoever finds it "knows [it] is not authorized by the computer owner." Basically, it requires the government to argue that whoever they're going after should have known that the computer owner "wouldn't like" it. That... opens up a big can of worms that the DOJ will abuse like crazy.

The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it's an "organized crime group." It also ups the penalties for things that might be considered "actual hacking" (i.e., getting around technological barriers to access a computer) -- making it automatically a felony with up to 10 years in jail (rather than the existing law, under which it could be a misdemeanor or a felony and the limit is 5 years in jail). And, of course, it expands civil forfeiture procedures so that law enforcement can seize (and likely keep) all your computer equipment if it thinks you're violating the CFAA. Looks like law enforcement can now go "shopping" for computers.

Once again, we seem to be facing a situation where the administration is more focused on what law enforcement wants, while paying lip service to the protections of the public from likely law enforcement and intelligence community abuse.

That's really unfortunate. A massive missed opportunity to actually do something productive here.

Filed Under: cfaa, cispa, cybersecurity, obama administration

Hey Everyone, CISPA Is Back... Because Of The Sony Hack, Which It Wouldn't Have Prevented

from the because-bad-ideas-never-die dept

This isn't a huge surprise, but Rep. Dutch Ruppersberger, the NSA's personal Rep in Congress (NSA HQ is in his district), has announced that he's bringing back CISPA, the cybersecurity bill designed to make it easier for the NSA to access data from tech companies (that's not how the bill's supporters frame it, but that's the core issue in the bill). In the past, Ruppersberger had a teammate in this effort, Rep. Mike Rogers, but Rogers has moved onto his new career as a radio and TV pundit (CNN just proudly announced hiring him), so Ruppersberger is going it alone this time around.

Not surprisingly, he's using the Sony Hack as a reason for why this bill is needed:

“The reason I’m putting bill in now is I want to keep the momentum going on what’s happening out there in the world,” Rep. Dutch Ruppersberger... told The Hill in an interview, referring to the recent Sony hack, which the FBI blamed on North Korea.

Fair enough, then perhaps Ruppersberger could explain how CISPA would have prevented the Sony Hack? Of course, he can't, because it wouldn't have helped. CISPA is focused on getting companies to share more information with the government (including the NSA and DHS), but there's no indication that Sony would have actually opened up its network for the NSA to snoop through and find these hackers (wherever they might have come from). Even if Sony had opened up its system to the government, it seems unlikely that the NSA would have magically spotted this hack and done anything about it.

Instead, using the Sony Hack as a hook is a cynical political ploy for a losing idea that is designed to harm the public and take away their privacy.

Filed Under: cispa, cybersecurity, dutch ruppersberger, sony hack

James Clapper Claims That Sony Hack 'The Most Serious Cyberattack On The US Yet'; Which Suggests No Serious Cyberattacks

from the go-on-with-your-day dept

At a cybersecurity conference at Fordham university, Director of National Intelligence James Clapper apparently claimed that the Sony Hack was "the most serious cyberattack" made to date against the US. If that's true (and it's likely not), then that really kind of undermines all the claims about just how "serious" cyberattacks are to national security. Yes, the Sony Hack was incredibly embarrassing to Sony and some individuals and partners. Yes, it may cost Sony a significant amount of money in cleaning up the mess. But no one died. No serious long-term problems were created by it. No one has to "rebuild" a city. The actual impact of the hack on the day-to-day lives of most people is next to nothing. For years, people like Clapper have been warning of the pending "cyber Pearl Harbor," and if this is the best they've got so far... sorry, but that's just not that serious.

At the same event, Clapper apparently insisted not only that he was sure North Korea was behind the hack, but that he knew who ordered it. He also revealed some more info on the (little known) fact that he had traveled to North Korea two weeks before the hack, where he met with the guy he now says is responsible. Marcy Wheeler raises some questions about whether Clapper's trip had something to do with the hack (if it really was done by North Korea).

Speaking of which, at the very same event, FBI director James Comey, once again, insisted that North Korea was responsible and claimed that the hackers "got sloppy" and revealed their own IP addresses. It could be that. Or whoever did it could have been slightly more sophisticated, leaving false markers pointing to North Korea. But, as of right now the FBI is sure that sloppiness is a better excuse.

Either way, it still seems like much more is being made of the Sony Hack than it deserves. Yes, it was a big hack, and yes, it revealed a ton of private documents that clearly has embarrassed Sony quite a bit. But if the future of war involves embarrassing big companies, rather than killing thousands of people -- I think I'd make that trade off.

Filed Under: cybersecurity, james clapper, odni, sony hack
Companies: sony

Sharyl Attkisson Sues Justice Department For Hacking Her CBS Laptop Over Benghazi Reports Even Though That Didn't Happen

from the crazypants! dept

Let's dispense with the formalities and get right to the heart of this matter: Sharyl Attkisson, former CNN and CBS journalist, appears to be losing control. Sharyl, purportedly a human, thinking person, has filed a lawsuit against Eric Holder and the justice department for hacking into her computer a few years back, ostensibly because she was reporting on the Benghazi attacks.

Investigative Journalist Sharyl Attkisson has filed administrative claims under the Federal Tort Claims Act against the U.S. Department of Justice, the U.S. Postal Service, and certain unnamed employees and/or agents of the federal government. Attkisson has also filed a lawsuit in the District of Columbia alleging certain violations of her constitutional rights based on information implicating the federal government in illegal electronic monitoring and surveillance of her home and business computers and phones from 2011 to 2013.

Now, look, the United States government's horrific domestic surveillance policies have done it no favors in this instance. After all, the trust the average American places in our DC-based overlords has fallen measurably over the past few years. That said, the evidence Attkisson has been offering up these past several years, first in a book she wrote and now in a lawsuit, isn't so much evidence of government surveillance as it is jumping at technological shadows. First, the claims in her book make no sense. Robert Graham from Errata Security broke them down to demonstrate the problems:

Attkisson says "My television is misbehaving. It spontaneously jitters, mutes, and freeze-frames". This is not a symptom of hackers. Instead, it's a common consumer complaint caused by the fact that cables leading to homes (and inside the home) are often bad. My TV behaves like this on certain channels.

She says "I call home from my mobile phone and it rings on my end, but not at the house", implying that her phone call is being redirected elsewhere. This is a common problem with VoIP technologies. Old analog phones echoed back the ring signal, so the other side had to actually ring for you to hear it. New VoIP technologies can't do that. The ringing is therefore simulated and has nothing to do with whether it's ringing on the other end. This is a common consumer complaint with VoIP systems, and is not a symptom of hacking.

It goes on like that. What most of this appears to amount to is the everyday technological hiccups that most of us recognize as "that machine acting funky, so I'll just reboot or try again", unless we're the type to don a hat made of stuff that is supposed to keep the meat fresh in the fridge. Like so many of these types of conspiracy claims, the entire thing rests on a logical criss-cross: the goverment is so all-powerful that they have managed to get into all my tech and are personally screwing with me because I'm so important, but they're also so completely terrible at it that I can see all the signs of their nefarious deeds around me. You can actually see this fallacy at work within her book, as she goes on to quote the "experts" she's "consulted" but won't name.

Attkisson quotes one expert as saying intrusions of this caliber are "far beyond the the abilities of even the best nongovernment hackers", while at the same time quoting another expert saying the "ISP address" is a smoking gun pointing to a government computer.

Both can't be true. Hiding ones IP address is the first step in any hack. You can't simultaneously believe that these are the most expert hackers ever for deleting log files, but that they make the rookie mistake of using their own IP address rather than anonymizing it through Tor or a VPN. It's almost always the other way around: everyone (except those like the Chinese who don't care) hides their IP address first, and some forget to delete the log files.

Notable as well are the lack of technical details within the book's claims. Also notable was the awesomeness of this video that Attkisson released. Oooooh, spooky! What could possibly explain this if not MiB h4x0rs?

Computer security experts who reviewed the video suggested to Media Matters that it seemed to show the results of a stuck backspace key rather than hacking, and said the government and other sophisticated hacking enterprises were unlikely to use such methods.

Matthew Brothers-McGrew, a senior specialist at Interhack Corp. in Columbus, Ohio, said that sometimes computers "malfunction, a key can get stuck, sometimes dirt can get under a keyboard and a key will inadvertently be held down." He explained that sometimes there can be software issues "where the computer will think a key is held down in fact it is not," and said that his firm tested holding down the backspace key on a computer in their offices, and found "if you have Word open it will continually backspace text at about the same rate we are seeing in the video."

Not that any of this has slowed Attkisson down, of course. She has since moved forward with her lawsuit against the government, in which she would like $35 million dollars, please. Most everyone covering the story are equally as unimpressed with the lawsuit as they were with the book. Here's one nice summary.

Let’s break this down. Attkisson supplied her laptop to an unnamed “government forensics computer expert in the intelligence community”—via an unnamed “contact”—who later asserted “clear evidence” of an “intrusion” from “sources” that appeared to be “state-supported” because of the “the nature of the technology used.” Later, Attkisson received her laptop and the expert’s report through another unnamed “intermediary.” Believing that any of this is true, or even slightly true, requires faith in the judgment and ability of three individuals that Attkisson refuses to name—one of whom she apparently has never met in person.

Seems legit. Actually, no, no it doesn't. What this seems like is a sensational lawsuit aimed at self-aggrandization. Now, I know what you're thinking: But, Tim, all this means is that you're part of the lizard-people Benghazi-death conspiracy, too! Maybe I am and maybe I ain't, but that doesn't change the fact that Sharyl Attkisson's lawsuit is a big bucket of unsubstantiated nonsense.

Filed Under: benghazi, cybersecurity, doj, eric holder, hacking, sharyl attkisson

FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks

from the dangerous-ideas dept

It's no secret that some in the computer security world like the idea of being able to "hack back" against online attacks. The simplest form of this idea is that if you're a company under a denial-of-service attack, should you be able to "hack" a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such "hack backs" because, among other things, CISPA would grant immunity to companies "for decisions made based on cyber threat information." Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker.

A new article from Bloomberg suggests that companies are still quite eager to get involved in hacking back, and the FBI (which supported CISPA) is investigating some such cases where it may have happened. However, companies like JP Morgan still love the idea:

In February 2013, U.S officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.

The article notes, of course, that such attacks likely violate the CFAA (Computer Fraud and Abuse Act) (which is why some want immunity for hack backs). But, it's a bad idea not just because it likely breaks the law, but because it's stupid and dangerous. First, accurately determining who is behind a hack is quite difficult -- as we're seeing lately with all the recent skepticism about the FBI's claim that North Korea was responsible for the Sony Hack. Launching a counterattack against the wrong party can have serious consequences -- even more so when those counterattacks might target actual nation states, rather than just a group of script kiddies.

On top of that, the article notes, the hack back attempt could make the situation even worse:

Efforts to retaliate can make things worse, [Kevin Mandia] said, because attackers who aren’t purged from the network could escalate the assault or ramp up attacks on other companies targeted by the same group.

And, of course, the very real possibility that the wrong party is targeted in the hack back can create all sorts of collateral damage. Remember when Microsoft took down many thousands of sites by mistargeting a court order? Imagine that without any court even being involved.

Finally, think through the obvious consequences of this. If you're a malicious hacker, it suddenly becomes a great opportunity. Pick two separate targets you want to harm -- then attack one and make it appear like the attack is coming from the other. Then sit back and watch the two of them duke it out while you laugh away.

Hacking back is a vigilante Hollywood movie-style idea that pays no attention to the realities of the technology or the consequences of the actions. Hopefully companies are smart enough not to follow through -- and lawmakers prevent it from being protected by law.

Filed Under: cybersecurity, fbi, hack back, hackback, vigilantes
Companies: jp morgan

New Book Reveals Significant Cybersecurity Information Sharing Between Tech Companies And NSA; So Why Do We Need A New Law?

from the big-questions dept

Salon has published an excerpt from Shane Harris' new book (which looks excellent), @War: The Rise of the Military-Internet Complex. The specific excerpt is called: Google's secret NSA alliance: The terrifying deals between Silicon Valley and the security state, and it's an absolute must read. Frankly, Salon's title overstates the story. The article reveals more details about a ton of existing information sharing that goes on between the NSA and various tech companies to try to prevent malicious attacks from foreign threats (with the vast majority of them coming from China). The article focuses on some of the details behind Google's public admission that hackers in China had broken into Google's systems (as well as a number of other companies'). Harris' story reveals that Google's own tech team had effectively traced the hack back to some servers in Taiwan and had gotten into those servers themselves, discovering more information about what the Chinese hackers were up to (and that they'd hacked many other companies).

However, it also notes that this resulted in Google agreeing to work with the NSA on preventing such attacks in the future:

On the day that Google’s lawyer wrote the blog post, the NSA’s general counsel began drafting a “cooperative research and development agreement,” a legal pact that was originally devised under a 1980 law to speed up the commercial development of new technologies that are of mutual interest to companies and the government. The agreement’s purpose is to build something — a device or a technique, for instance. The participating company isn’t paid, but it can rely on the government to front the research and development costs, and it can use government personnel and facilities for the research. Each side gets to keep the products of the collaboration private until they choose to disclose them. In the end, the company has the exclusive patent rights to build whatever was designed, and the government can use any information that was generated during the collaboration.

It’s not clear what the NSA and Google built after the China hack. But a spokeswoman at the agency gave hints at the time the agreement was written. “As a general matter, as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers,” she said. It was the phrase “tailored solutions” that was so intriguing. That implied something custom built for the agency, so that it could perform its intelligence-gathering mission. According to officials who were privy to the details of Google’s arrangements with the NSA, the company agreed to provide information about traffic on its networks in exchange for intelligence from the NSA about what it knew of foreign hackers. It was a quid pro quo, information for information.

There's much more in there, including that this isn't a program, like PRISM, that gives the NSA access to emails or other such information, but rather is focused on helping detect potential holes and security risks within Google's hardware and software:

...it lets the NSA evaluate Google hardware and software for vulnerabilities that hackers might exploit. Considering that the NSA is the single biggest collector of zero day vulnerabilities, that information would help make Google more secure than others that don’t get access to such prized secrets. The agreement also lets the agency analyze intrusions that have already occurred, so it can help trace them back to their source.

As the article notes, this is a pretty big concern -- because of what else the NSA might eventually do with this information. It raises serious questions about the tradeoffs here. Yes, it's good if the NSA can better protect online services from foreign attacks, but many people certainly consider the NSA a big risk as well. As the article also makes clear, the NSA likes to hoard certain security holes for its own use -- and these kinds of information sharing arrangements are a pretty big concern on that front.

The NSA helps the companies find weaknesses in their products. But it also pays the companies not to fix some of them. Those weak spots give the agency an entry point for spying or attacking foreign governments that install the products in their intelligence agencies, their militaries, and their critical infrastructure. Microsoft, for instance, shares zero day vulnerabilities in its products with the NSA before releasing a public alert or a software patch, according to the company and U.S. officials. Cisco, one of the world’s top network equipment makers, leaves backdoors in its routers so they can be monitored by U.S. agencies, according to a cyber security professional who trains NSA employees in defensive techniques. And McAfee, the Internet security company, provides the NSA, the CIA, and the FBI with network traffic flows, analysis of malware, and information about hacking trends.

Companies that promise to disclose holes in their products only to the spy agencies are paid for their silence, say experts and officials who are familiar with the arrangements. To an extent, these openings for government surveillance are required by law. Telecommunications companies in particular must build their equipment in such a way that it can be tapped by a law enforcement agency presenting a court order, like for a wiretap. But when the NSA is gathering intelligence abroad, it is not bound by the same laws. Indeed, the surveillance it conducts via backdoors and secret flaws in hardware and software would be illegal in most of the countries where it occurs.

The excerpt notes, however, that the NSA has gotten really good at scaring the living daylights out of tech execs with special classified briefings, driving them into relationships with the NSA, separate from those kinds of paid relationships.

Starting in 2008, the agency began offering executives temporary security clearances, some good for only one day, so they could sit in on classified threat briefings.

“They indoctrinate someone for a day, and show them lots of juicy intelligence about threats facing businesses in the United States,” says a telecommunications company executive who has attended several of the briefings, which are held about three times a year. The CEOs are required to sign an agreement pledging not to disclose anything they learn in the briefings. “They tell them, in so many words, if you violate this agreement, you will be tried, convicted, and spend the rest of your life in prison,” says the executive.

[....]

But the NSA doesn’t have to threaten the executives to get their attention. The agency’s revelations about stolen data and hostile intrusions are frightening in their own right, and deliberately so. “We scare the bejeezus out of them,” a government official told National Public Radio in 2012. Some of those executives have stepped out of their threat briefings meeting feeling like the defense contractor CEOs who, back in the summer of 2007, left the Pentagon with “white hair.”

This, in turn, leads them to team up with various private security companies, leading to a rather "symbiotic" relationship:

Unsure how to protect themselves, some CEOs will call private security companies such as Mandiant. “I personally know of one CEO for whom [a private NSA threat briefing] was a life-changing experience,” Richard Bejtlich, Mandiant’s chief security officer, told NPR. “General Alexander sat him down and told him what was going on. This particular CEO, in my opinion, should have known about [threats to his company] but did not, and now it has colored everything about the way he thinks about this problem.”

The NSA and private security companies have a symbiotic relationship. The government scares the CEOs and they run for help to experts such as Mandiant. Those companies, in turn, share what they learn during their investigations with the government, as Mandiant did after the Google breach in 2010. The NSA has also used the classified threat briefings to spur companies to strengthen their defenses.

In one 2010 session, agency officials said they’d discovered a flaw in personal computer firmware — the onboard memory and codes that tell the machine how to work — that could allow a hacker to turn the computer “into a brick,” rendering it useless. The CEOs of computer manufacturers who attended the meeting, and who were previously aware of the design flaw, ordered it fixed.

That's an example where this kind of information sharing has been helpful in protecting the security of the public. And that's a good thing. But there are concerns about the costs on the other end, and really how trustworthy the NSA is on its end of these arrangements.

But reading this excerpt, I kept going back to a key point in the big debates over the various cybersecurity bills that Congress has put forth in the past couple of years, mainly CISPA and CISA. In both of those bills, the key point that supporters kept making is that such bills were needed to facilitate "voluntary information sharing" between tech companies involved in "critical infrastructure" and the government (including the NSA -- though some of the bills have put Homeland Security in place as a filter rather than having it go directly to the NSA).

But Harris' book seems to confirm exactly what many of us have been arguing for years: that there doesn't seem to be anything stopping companies from doing this sort of "voluntary" information sharing today, so why do they suddenly need new laws? The answer, of course, is one of liability. The new laws don't really knock down any regulatory barriers to sharing information: they just make sure that the companies can't be sued for those arrangements. Right now, it's not clear that companies would really be legally liable for these info sharing programs, but it can lead to lawsuits (and it wouldn't surprise me to see some class action suits being filed using Harris' book as evidence). The point of the cybersecurity bills is to put a blanket immunity on companies, which would then encourage them to do more of this kind of sharing, with the NSA providing "incentives" by scaring companies as described above.

As for the promise of supporters of these bills that it's only focused on "critical infrastructure" and not the rest of the web? Harris tackles that issue as well:

To obtain the information, a company must meet the government’s definition of a critical infrastructure: “assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” That may seem like a narrow definition, but the categories of critical infrastructure are numerous and vast, encompassing thousands of businesses. Officially, there are sixteen sectors: chemical; commercial facilities, to include shopping centers, sports venues, casinos, and theme parks; communications; critical manufacturing; dams; the defense industrial base; emergency services, such as first responders and search and rescue; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

It’s inconceivable that every company on such a list could be considered “so vital to the United States” that its damage or loss would harm national security and public safety. And yet, in the years since the 9/11 attacks, the government has cast such a wide protective net that practically any company could claim to be a critical infrastructure.

There's a lot more in the excerpt, and I assume a lot more in the book itself, which seems worth reading. It delves deeply into these relationships and how the NSA gets access to lots of information from telcos and tech companies. Again, actually protecting US infrastructure seems like an important goal, but from all of this, it's not clear how clearly the tradeoffs are recognized. More specifically, it seems quite troubling that this is being done by the NSA.

It is abundantly clear that the dual functions of the NSA absolutely must be split. The "cyber" protections side and the surveillance side need to be separated. Having the online protection side is important in protecting infrastructure, but tying it to the same organization looking for holes to spy on others just makes us all less safe. Furthermore, it makes it abundantly clear that no new cybersecurity laws are needed, since these companies are already quite free to share information with the government for the sake of cybersecurity.

Filed Under: cisa, cispa, cybersecurity, information sharing, nsa, shane harris, surveillance
Companies: google