IEEE Cipher --- Items from security-related news (E137)
NewsBits, IEEE Cipher E137, E137.Mar-2017
Please note that the deadline for IEEE Security & Privacy magazine Editor in Chief applicants is 1 June 2017.
Prospective candidates are asked to provide a PDF file containing a complete curriculum vitae, a brief plan for the publication's future, and a letter of support from their institution or employer.
For complete information, please visit: https://www.computer.org/web/pressroom/eic-for-2018-2020.
Questions and submission materials can be sent to Christine Anthony (firstname.lastname@example.org).
The strange case of Harold Thomas Martin III has resulted in an indictment of 20 counts of "willful retention of national defense information," but not the espionage charges that seemed a possibility when the case was first revealed. Although Martin stole 50 terabytes of NSA information, he seems to have been a compulsive "data hoarder" rather than a spy. He was a contractor for Booz Allen Hamilton.
NSO Group is a company with the motto "Make the World a Safer Place", but activists in Mexico have reason to doubt that their products do that. The company sells cyberarms, and they assert that they sell only to governments. Their spyware shows up in messages sent to the phones of Mexican activists, those with the rather non-terroristic agenda of increasing the tax on soft drinks. The spyware is capable of sending every phone interaction to remote observers, and it is a very intrusive form of surveillance. Apparently these tools are cats that just won't stay in their bags.
The Trojan Horse may well be a toy doll. A cute talking doll manufactured by United States-based Genesis Toys and distributed by the Vivid Toy group is a real tattle-tale because it records ambient voices and sends the voice prints of children to Nuance Communications, a computer-software company. Germans have taken a very dim view of the technology, calling the toy the "Stasi-Barbie". With toys like this, who needs NSO software (see previous article)?
Pity the poor software engineers at Cloudflare. They were simply "changing over from older code to newer code" but didn't realize that "Running both at the same time created an unforeseen issue that ... caused a data leak." Unfortunately, that data leak may have exposed personal information, including passwords, for millions of users who never heard of Cloudflare. Their technology is trusted by banks, retailers, and messaging services, and the extent of the exposure is unknown. Just to be safe, change your passwords. My fingertips are calloused from following that kind of advice.
Thirty businesses took one giant step for "smart contracts" with the announcement of the Enterprise Ethereum Alliance. They will use blockchain technology from Ethereum (https://www.ethereum.org) which has "applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference" (you can watch blockchain activity at https://etherscan.io/).
In doing so, they are adding to a handful of similar ventures all hoping to become the center of the distributed trust universe. Blockchain technology underlies the digital currency BitCoin, and Ethereum uses the same "mining" technology for adding transactions to a verifiable database. Ethereum allows transactions to include conditional payments of the form "if A then B pays C the amount M." By some estimates, large banks could save 30% of their infrastructure costs by using smart contracts.
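To make the "if A then B pays C the amount M" form concrete, here is an added illustration in Solidity; it is not code from the Enterprise Ethereum Alliance or the Ethereum project. The contract, its name, and the roles payer (B), payee (C), and a judge who attests that A has happened are all assumptions made for this example. B deposits M when the contract is created; C can collect only after the judge records that A occurred; B can reclaim the deposit if the deadline passes without A.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical conditional payment: "if A then B pays C the amount M".
// Added example, not the project's own code.
contract ConditionalPayment {
    address public immutable payer;     // B: funds the payment at deployment
    address public immutable payee;     // C: receives M once A is attested
    address public immutable judge;     // the only party allowed to attest that A happened
    uint256 public immutable amount;    // M, in wei (equals the deposit)
    uint256 public immutable deadline;  // unix time after which B may reclaim if A never happened
    bool public conditionMet;           // records "A happened"
    bool public settled;                // prevents paying out twice

    constructor(address _payee, address _judge, uint256 _deadline) payable {
        require(msg.value > 0, "deposit M with the deployment");
        payer = msg.sender;
        payee = _payee;
        judge = _judge;
        amount = msg.value;
        deadline = _deadline;
    }

    // Only the judge can assert A; anyone else is rejected.
    function markConditionMet() external {
        require(msg.sender == judge, "only the judge may attest A");
        require(!settled, "already settled");
        conditionMet = true;
    }

    // "then B pays C the amount M": releasable by anyone once A is recorded.
    function release() external {
        require(conditionMet && !settled, "condition not met or already settled");
        settled = true;                        // update state before sending (checks-effects-interactions)
        (bool ok, ) = payee.call{value: amount}("");
        require(ok, "transfer to payee failed");
    }

    // If A never happens by the deadline, B gets the deposit back.
    function refund() external {
        require(!conditionMet && !settled, "cannot refund");
        require(block.timestamp > deadline, "deadline not reached");
        settled = true;
        (bool ok, ) = payer.call{value: amount}("");
        require(ok, "refund to payer failed");
    }
}
```

Two points a practitioner would check in a contract like this: the chain cannot observe an off-chain event A on its own, so some explicit party (here the judge) has to attest it, and that party becomes a trust point; and the `settled` flag is set before any ether is sent, so a malicious payee or payer contract cannot re-enter `release` or `refund` and drain more than M.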
Is the CIA in your TV? According to documents released by WikiLeaks, they could be lurking there, or in almost anything that connects to the Internet. Security experts who have been looking at the documents believe that someone with access to a Top Secret CIA development system copied them about a year ago. There was no release of source code, but the documents show how the CIA's internal organizations feed their voracious appetite for compromising personal devices. Their goal is often to conduct surveillance, but in one case, they considered the possibility of assassination by invading the control systems of cars. Some researchers have questioned the risk/benefit trade-off of such tools, noting that they seem to inevitably, and quickly, escape from "responsible" hands (see NSO software article above).
Those who have read the WikiLeaks documents about CIA hacking have gleaned some major and minor insights into the secret digital hacking division known as the Directorate of Digital Innovation. With dozens of subordinate branches, it seems to be distributed around the world and covers all kinds of hacking and surveillance. Instructions to its youngest employees include advice on getting free alcohol from airlines and admonishments to have their cover stories well-rehearsed before entering airport security.
Although the disclosure of their activities may cause some targets to ditch their current smartphones or TVs (or even toys, see article above about the Stasi Barbie), security experts feel that the CIA will rebound quickly with new technology. The vulnerabilities that they depend on come and go, and they are always looking for the next security flaw; it's just business as usual.
You might be thinking that this is a political article and that "DNS" is some kind of Democratic organization, but this is a network traffic mystery involving the Internet's Domain Name System. This was first reported last year (see this), and although it was not much noted at the time, it seems that the FBI has been looking into it. You cannot learn much from DNS traffic, and that is the only thing underlying the original reports of peculiar lookups. What is known is that a machine belonging to Alfa Bank in Russia (suspected of having ties to the Russian government) made thousands of DNS lookups to an obscure email server belonging to the Trump organization. The question is "why?" and the answer is unknown. Explanations range from "because some hacker issued fake queries in order to implicate the Trump organization" to "because there was a secret messaging application used to communicate between the two camps." The DNS lookups themselves are not even a smoking gun, but the investigation may (or may not) yield correlated information.
If you ever met Becky Bace, you'd remember her vibrant personality, and we are sad to report the passing of a longtime presence in the intrusion detection profession. She was leader of the pioneering Computer Misuse and Anomaly Detection (CMAD) Research Program at the National Security Agency from 1989 to 1995. She went on to other positions, including Los Alamos Labs and her own firm Infidel, Inc., and was a consultant for Trident Capital.
An oral history from 2012 is here: http://conservancy.umn.edu/bitstream/handle/11299/144022/oh410rgb.pdf?sequence=1&isAllowed=y.
More information about remembrances can be found at http://infidel.net.