SSL and internet security news

Monthly Archive: August 2018

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

  • I’m giving a book talk on Click Here to Kill Everybody at the Ford Foundation in New York City, on September 5, 2018.

  • The Aspen Institute’s Cybersecurity & Technology Program is holding a book launch for Click Here to Kill Everybody on September 10, 2018 in Washington, DC.

  • I’m speaking about my book Click Here to Kill Everybody: Security and Survival in a Hyper-connected World at the Harvard Book Store in Cambridge, Massachusetts on September 11, 2018.

  • I’m giving a keynote on supply chain security at Tehama’s “De-Risking Your Global Workforce” event in New York City on September 12, 2018.

  • I’ll be appearing at an Atlantic event on Protecting Privacy in Washington, DC on September 13, 2018.

  • I’ll be speaking at the 2018 TTI/Vanguard Conference in Washington, DC on September 13, 2018.

  • I’m giving a book talk at Fordham Law School in New York City on September 17, 2018.

  • I’m giving an InfoGuard Talk in Zug, Switzerland on September 19, 2018.

  • I’m speaking at the IBM Security Summit in Stockholm on September 20, 2018.

  • I’m giving a talk on “Securing a World of Physically Capable Computers” at the University of Rochester in Rochester, New York on October 5, 2018.

  • I’m keynoting at SpiceWorld in Austin, Texas on October 9, 2018.

  • I’m speaking at Cyber Security Nordic in Helsinki on October 10, 2018.

  • I’m speaking at the Cyber Security Summit in Minneapolis, Minnesota on October 24, 2018.

  • I’m speaking at ISF’s 29th Annual World Congress in Las Vegas, Nevada on October 30, 2018.

  • I’m speaking at Kiwicon in Wellington, New Zealand on November 16, 2018.

  • I’m speaking at the The Digital Society Conference 2018: Empowering Ecosystems on December 11, 2018.

  • I’m speaking at the Hyperledger Forum in Basel, Switzerland on December 13, 2018.

The list is maintained on this page.

Powered by WPeMatico

Cheating in Bird Racing

I’ve previously written about people cheating in marathon racing by driving — or otherwise getting near the end of the race by faster means than running. In China, two people were convicted of cheating in a pigeon race:

The essence of the plan involved training the pigeons to believe they had two homes. The birds had been secretly raised not just in Shanghai but also in Shangqiu.

When the race was held in the spring of last year, the Shanghai Pigeon Association took all the entrants from Shanghai to Shangqiu and released them. Most of the pigeons started flying back to Shanghai.

But the four specially raised pigeons flew instead to their second home in Shangqiu. According to the court, the two men caught the birds there and then carried them on a bullet train back to Shanghai, concealed in milk cartons. (China prohibits live animals on bullet trains.)

When the men arrived in Shanghai, they released the pigeons, which quickly fluttered to their Shanghai loft, seemingly winning the race.

Powered by WPeMatico

CIA Network Exposed through Insecure Communications System

Interesting story of a CIA intelligence network in China that was exposed partly because of a computer security failure:

Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In theory, if the interim system were discovered or turned over to Chinese intelligence, people using the main system would still be protected — and there would be no way to trace the communication back to the CIA. But the CIA’s interim system contained a technical error: It connected back architecturally to the CIA’s main covert communications platform. When the compromise was suspected, the FBI and NSA both ran “penetration tests” to determine the security of the interim system. They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the former officials.

In the words of one of the former officials, the CIA had “fucked up the firewall” between the two systems.

U.S. intelligence officers were also able to identify digital links between the covert communications system and the U.S. government itself, according to one former official — links the Chinese agencies almost certainly found as well. These digital links would have made it relatively easy for China to deduce that the covert communications system was being used by the CIA. In fact, some of these links pointed back to parts of the CIA’s own website, according to the former official.

People died because of that mistake.

The moral — which is to go back to pre-computer systems in these high-risk sophisticated-adversary circumstances — is the right one, I think.

Powered by WPeMatico

Future Cyberwar

A report for the Center for Strategic and International Studies looks at surprise and war. One of the report’s cyberwar scenarios is particularly compelling. It doesn’t just map cyber onto today’s tactics, but completely reimagines future tactics that include a cyber component (quote starts on page 110).

The U.S. secretary of defense had wondered this past week when the other shoe would drop. Finally, it had, though the U.S. military would be unable to respond effectively for a while.

The scope and detail of the attack, not to mention its sheer audacity, had earned the grudging respect of the secretary. Years of worry about a possible Chinese “Assassin’s Mace” — a silver bullet super-weapon capable of disabling key parts of the American military — turned out to be focused on the wrong thing.

The cyber attacks varied. Sailors stationed at the 7th Fleet’ s homeport in Japan awoke one day to find their financial accounts, and those of their dependents, empty. Checking, savings, retirement funds: simply gone. The Marines based on Okinawa were under virtual siege by the populace, whose simmering resentment at their presence had boiled over after a YouTube video posted under the account of a Marine stationed there had gone viral. The video featured a dozen Marines drunkenly gang-raping two teenaged Okinawan girls. The video was vivid, the girls’ cries heart-wrenching the cheers of Marines sickening And all of it fake. The National Security Agency’s initial analysis of the video had uncovered digital fingerprints showing that it was a computer-assisted lie, and could prove that the Marine’s account under which it had been posted was hacked. But the damage had been done.

There was the commanding officer of Edwards Air Force Base whose Internet browser history had been posted on the squadron’s Facebook page. His command turned on him as a pervert; his weak protestations that he had not visited most of the posted links could not counter his admission that he had, in fact, trafficked some of them. Lies mixed with the truth. Soldiers at Fort Sill were at each other’s throats thanks to a series of text messages that allegedly unearthed an adultery ring on base.

The variations elsewhere were endless. Marines suddenly owed hundreds of thousands of dollars on credit lines they had never opened; sailors received death threats on their Twitter feeds; spouses and female service members had private pictures of themselves plastered across the Internet; older service members received notifications about cancerous conditions discovered in their latest physical.

Leadership was not exempt. Under the hashtag # PACOMMUSTGO a dozen women allegedly described harassment by the commander of Pacific command. Editorial writers demanded that, under the administration’s “zero tolerance” policy, he step aside while Congress held hearings.

There was not an American service member or dependent whose life had not been digitally turned upside down. In response, the secretary had declared “an operational pause,” directing units to stand down until things were sorted out.

Then, China had made its move, flooding the South China Sea with its conventional forces, enforcing a sea and air identification zone there, and blockading Taiwan. But the secretary could only respond weakly with a few air patrols and diversions of ships already at sea. Word was coming in through back channels that the Taiwanese government, suddenly stripped of its most ardent defender, was already considering capitulation.

I found this excerpt here. The author is Mark Cancian.

Powered by WPeMatico

John Mueller and Mark Stewart on the Risks of Terrorism

Another excellent paper by the Mueller/Stewart team: “Terrorism and Bathtubs: Comparing and Assessing the Risks“:

Abstract: The likelihood that anyone outside a war zone will be killed by an Islamist extremist terrorist is extremely small. In the United States, for example, some six people have perished each year since 9/11 at the hands of such terrorists — vastly smaller than the number of people who die in bathtub drownings. Some argue, however, that the incidence of terrorist destruction is low because counterterrorism measures are so effective. They also contend that terrorism may well become more frequent and destructive in the future as terrorists plot and plan and learn from experience, and that terrorism, unlike bathtubs, provides no benefit and exacts costs far beyond those in the event itself by damagingly sowing fear and anxiety and by requiring policy makers to adopt countermeasures that are costly and excessive. This paper finds these arguments to be wanting. In the process, it concludes that terrorism is rare outside war zones because, to a substantial degree, terrorists don’t exist there. In general, as with rare diseases that kill few, it makes more policy sense to expend limited funds on hazards that inflict far more damage. It also discusses the issue of risk communication for this hazard.

Powered by WPeMatico