IEEE Cipher --- Items from security-related news (E137)
News Bits
NewsBits, IEEE Cipher E137, E137.Mar-2017
Please note that the deadline for IEEE Security & Privacy magazine Editor in Chief applicants is 1 June 2017.
Prospective candidates are asked to provide a PDF file containing a complete curriculum vitae, a brief plan for the publication's future, and a letter of support from their institution or employer.
For complete information, please visit: https://www.computer.org/web/pressroom/eic-for-2018-2020.
Questions and submission materials can be sent to Christine Anthony (canthony@computer.org).
Summary:
The strange case of Harold Thomas Martin III has resulted in an indictment of
20 counts of "willful retention of national defense information," but not
the espionage charges that seemed a possibility when the case was first
revealed. Although Martin stole 50 terabytes of NSA information, he seems to
have been a compulsive "data hoarder" rather than a spy. He was a contractor
for Booz Allen Hamilton.
Summary:
NSO Group is a company with the motto "Make the World a Safer Place",
but activists in Mexico have reason to doubt that their products do
that. The company sells cyberarms, and they assert that they sell
only to governments. Their spyware shows up in messages sent to the
phones of Mexican activists, those with the rather non-terroristic agenda of
increasing the tax on soft drinks. The spyware is capable of sending every
phone interaction to remote observers, and it is a very intrusive form
of surveillance. Apparently these tools are cats that just won't stay
in their bags.
Summary:
The Trojan Horse may well be a toy doll. A cute talking doll
manufactured by United States-based Genesis Toys and distributed by
the Vivid Toy group is a real tattle-tale because it records ambient
voices and sends the voice prints of children to Nuance
Communications, a computer-software company. Germans have taken
a very dim view of the technology, calling the toy the "Stasi-Barbie".
With toys like this, who needs NSO software (see previous article)?
Summary:
Pity the poor software engineers at Cloudflare. They were simply
"changing over from older code to newer code" but didn't realize that
"Running both at the same time created an unforeseen issue that
... caused a data leak." Unfortunately, that data leak may have
exposed personal information, including passwords, for millions of
users who never heard of Cloudflare. Their technology is trusted by
banks, retailers, and messaging services, and the extent of the
exposure is unknown. Just to be safe, change your passwords. My
fingertips are calloused from following that kind of advice.
Summary:
Thirty businesses took one giant step for "smart contracts" with the
announcement of the Enterprise Ethereum Alliance. They will use
blockchain technology from Ethereum (https://www.ethereum.org) which
has "applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference" (you can watch
blockchain activity at https://etherscan.io/).
In doing so, they are adding to a handful of similar ventures all hoping to become the center of the distributed trust universe. Blockchain technology underlies the digital currency Bitcoin, and Ethereum uses the same "mining" technology for adding transactions to a verifiable database. Ethereum allows transactions to include conditional payments of the form "if A then B pays C the amount M." By some estimates, large banks could save 30% of their infrastructure costs by using smart contracts.
Summary:
Is the CIA in your TV? According to documents released by WikiLeaks,
they could be lurking there, or in almost anything that connects to
the Internet. Security experts who have been looking at the documents
believe that someone with access to a Top Secret CIA development
system copied them about a year ago. There was no release of source
code, but the documents show how the CIA's internal organizations feed
their voracious appetite for compromising personal devices. Their
goal is often to conduct surveillance, but in one case, they
considered the possibility of assassination by invading the control
systems of cars. Some researchers have questioned the risk/benefit
trade-off of such tools, noting that they seem to inevitably, and
quickly, escape from "responsible" hands (see NSO software article
above).
Those who have read the WikiLeaks documents about CIA hacking have gleaned some major and minor insights into the secret digital hacking division known as the Directorate of Digital Innovation. With dozens of subordinate branches, it seems to be distributed around the world and covers all kinds of hacking and surveillance. Instructions to its youngest employees include advice on getting free alcohol from airlines and admonishments to have their cover stories well-rehearsed before entering airport security.
Although the disclosure of their activities may cause some targets to ditch their current smartphones or TVs (or even toys, see article above about the Stasi Barbie), security experts feel that the CIA will rebound quickly with new technology. The vulnerabilities that they depend on come and go, and they are always looking for the next security flaw; it's just business as usual.
Summary:
You might think that this is a political article and that "DNS" is
some kind of Democratic organization, but this is a network traffic
mystery involving the Internet's Domain Name System. This was first
reported last year,
and although it was not much noted at the time, it seems that the FBI
has been looking into it. You cannot learn much from DNS traffic, and
that is the only thing underlying the original reports of peculiar
lookups. What is known is that a machine belonging to Alfa Bank in
Russia (suspected of having ties to the Russian government) made
thousands of DNS lookups to an obscure email server belonging to the
Trump organization. The question is "why?" and the answer is unknown.
Explanations range from "because some hacker issued fake queries in
order to implicate the Trump organization" to "because there was a
secret messaging application used to communicate between the two
camps." The DNS lookups themselves are not even a smoking gun, but the
investigation may (or may not) yield correlated information.
Summary:
If you ever met Becky Bace, you'd remember her vibrant personality,
and we are sad to report the passing of a longtime presence in the
intrusion detection profession. She was leader of the pioneering
Computer Misuse and Anomaly Detection (CMAD) Research Program at the
National Security Agency from 1989 to 1995. She went on to other
positions, including at Los Alamos Labs and at her own firm, Infidel, Inc.,
and was a consultant for Trident Capital.
An oral history from 2012 is here: http://conservancy.umn.edu/bitstream/handle/11299/144022/oh410rgb.pdf?sequence=1&isAllowed=y.
More information about remembrances can be found at http://infidel.net.