Michael Gove is reported to have been using his private email account and won’t reply to emails sent to his official address. There are so many reasons why this is a bad idea. Here is my (almost certainly incomplete) list just in case the Rt. Hon. Michael Gove happens to pass by:
- It’s not based in the UK. In fact, Google pride themselves in not telling you were the data is held (just try finding out);
- Google is a US-headquartered company. As per Microsoft’s announcement, the US PATRIOT Act seemingly trumps EU and UK data protection law, even if the data was in the EU;
- You can’t encrypt the emails at rest;
- There’s no guarantee that the data will be there tomorrow, as this example from Yahoo amply demonstrates;
- While Gmail allows you to turn on HTTPS and a form of two-factor authentication, these are optional and probably turned off;
- The foreign governments are alleged to have already hacked into Gmail;
- On occasion, email accounts have been mixed up, where one person reads someone else’s mail;
- These emails may not be retrievable under the Freedom of Information Act.
You only risk what you don’t value. If Mr. Gove believes the emails he receives and send to be of such low importance to put them at this sort of risk, is he the best person to be a cabinet minister?
The security systems at airports are an interesting example of security “theatre”, where much of what goes on is about re-assurance rather than being particularly effective. I’ve blogged before about this and had some interesting responses, especially around the intrusiveness of current processes versus their effectiveness and where vulnerabilities lie. For obvious reasons, I won’t go in to this.
However, the TSA in the United States is rolling out a new version of their full-body scanner, apparently in response to the criticism that the old-versions were a step too far: the TSA initially denied, for example, that pictures of people’s naked bodies could be stored until several incidents emerged of security staff doing exactly that. Apparently this will be available as a software upgrade. The question is, will the UK do the same?
The new scanner overlays identified potential threats from scans over a generic diagram representing the human form and so masking who the subject is. This has to be a good thing, but like I said in my earlier post, a reliance on technology rather than using intelligence-led investigations will always lead to vulnerabilities while inconveniencing that majority of people.
I’d rather the people who would do me harm never made it to the airport.
So far, this year, hundreds of millions of users of online services have had their accounts compromised or sites taken down. From Sony, Nintendo, the US Senate, SOCA, Gmail to the CIA, the FBI and the US version of X-Factor. Self-inflicted breaches have occurred at Google, DropBox and Facebook. Hackers have formed semi-organised super-groups, such as LulzSec and Anonymous. Are we at the point where information security professionals are starting to say, “I told you so”?
The telling thing about nearly all of these breaches is simple it would have been to limit the impact: passwords have been stored in the clear, known vulnerabilities not patched, corporate secrecy getting in the way of a good PR message and variable controls on sites of the same brand.
The media’s response is often “hire the hackers!”, an idea that is fundamentally flawed. Would you hire a bank robber to develop the security for a bank? No. The fact is that there are tens of thousands of information security professionals, many of whom are working in the organisations recently attacked, who know very well what needs to be done to fix many of the problems being exploited.
Many corporations have decided to prioritise functionality over security to the extent where even basic security fundamentals get lost. There needs to be a re-assessment of every organisation’s priorities as LulzSec and Anonymous will soon realise that there are juicy and easier pickings away from the large corporates and Government sites, who have had the foresight to invest in information security controls.
This may sadly be just the beginning.
While I am not a lawyer and others have said this before, notably Rob Carolina in his talk “The Cyberspace Frontier has Closed“, I thought it worth reviewing some recent developments that demonstrate the fact that the Internet is not lawless and behaviour online may well result in liabilities “in the real world”.
There still seems to be this perception that laws don’t apply to online activity. Take Joanne Fraill, the juror who was jailed for eight months for contempt of court by contacting one of the defendants in the trial she was on. She had received clear guidance from the Judge on the case, as had all of the other jurors, not to research the case online and definitely not to contact anyone related to the trial. I had exactly the same advice when I was a juror at the Old Bailey a couple of years ago.
And, yet, she still did it, no doubt believing that:
It wasn’t so bad, and;
She wouldn’t get caught anyway.
She was wrong. The trial collapsed.
This sort of thinking is rife online, which is exacerbated by the fact that any search will bring back results that confirm every point of view on every subject, thus not really being much help.
Other areas on the Internet that people should consider in terms of consequences, include:
Data protection issues
Some of these apply to corporate organisations in a different way to individuals. For example, a data protection breach has the potential to seriously damage an organisations reputation. Libel may get you a hefty fine.
Just because people have a romantic notion of the Internet where normal laws don’t apply, doesn’t make it reality.
The BBC have an interesting article, entitled “Is cyber-warfare a genuine threat?”, which poses several interesting questions. There is a general consensus that something needs to be done to allow for a consistent approach to
All this relates to the document entitled “[the] First Joint Russian-U.S. report on Cyber Conflict“, created by the EastWest Institute. Some of the things they looked at were:
- Just as a Red Cross designates a protected entity in the physical world, is it feasible to use special markers to designate protected zones in cyberspace?
- Should we reinterpret convention principles in light of the fact that cyber warriors are often non-state actors?
- Are certain cyber weapons analogous to weapons banned by the Geneva Protocol?
- Given the difficulties in coming up with an agreed definition for cyber war, should there be a third, “other-than-war” mode for cyberspace?
One of the things that comes out of this document is the need to provide real-world analogies for issues on the Internet in order to contextualise the issue and come up with an appropriate response. If you sit at a desktop PC as an end-user, you have absolutely no idea what’s going on on the Internet beyond what’s currently displayed on your screen. This opacity has a number of consequences:
- Most people take risks that they wouldn’t do if they understood the threat they faced;
- Hacktivists or casual hackers have no understanding of the damage that they do or the power that they wield, resulting in potentially catastrophic consequences.
In light of my previous post about Hacktivism, is there a danger that if the definition of cyberwar is too strict, that a teenager in his bedroom could start a global conflict? As one comment indicated, the power in the hands of an individual can far outweigh the power they would have in the real world and, therefore, to some extent, everyone is equal. Where are the boundaries? And what should be sacred? The document outlines some ideas about having an agreed set of “neutral” entities, like the Red Cross or Red Crescent, but who is entitled to agree on the list?
Traditionally, only militaries had the capability to wage war and, therefore, it was appropriate for their associated governments to sign treaties that governed the rules of war. Now, however, everyone has the same potential.
While you can control the substances needed to make bombs, you can’t control the creation of code.
This post prompted a lot of discussion offline, summarised thus:
- The biggest problem is determining accurately where an attack comes from in order to respond to it;
- Compromised machines will become the main launch-pad for attacks, as it allows for deniability on the part of the originator of an attack;
- The “super powers” will probably want to have the ability to respond conventionally to a cyber-attack, as online they don’t have the same overwhelming power as they do in the real world;
- “Protected organisations” will quickly find themselves exploited as launch-pads for attacks if their not very well defended.
I had an interesting conversation yesterday about the concept of eliminating risk completely. It seems that the population at large have been conditioned into thinking everything is safe, that nothing can befall them and, if it does, they should sue.
One great example of this is the anti-vaccine movement in the US. There’s a really interesting article in Wired about this. Essentially, a group of people including several well-known, high-profile people are trying to convince parents not to vaccinate their children against particular diseases, citing statistics that show that there is a (very low) risk of their children developing complications as a result. What they fail to understand is that the alternative represents a much higher risk of the same children having complications or dying from the disease they would otherwise be vaccinated against.
The conversation yesterday revolved around airports: as stated in previous posts, I believe that much of the security around airports is misplaced. An awful lot of money is spent on technology to detect very specific threats rather than taking a more holistic approach. The problem with having specific controls for specific threats are those threats you don’t have controls for. That’s not to say that threat-focused controls don’t have a place: of course they do.
However, where there is money that can be spent on lowering the risk, spending it on devices like the 3D body scanner may not be the most useful (which, incidentally, apparently could raise the risk of you getting cancer more than it lowers the risk of you dying in a terrorist incident) but drawing a line and saving the money isn’t the solution either.
I truly believe that we have a responsibility for lowering the likelihood of incidents happening where we can, effectively and not intrusively. And this is the perennial security problem: where do you draw the line?
Like everyone else, I’ve been following the WikiLeaks story over the past few weeks, waiting for some juicy titbit to be revealed. I’ve also been wondering: whose fault is it?
This particular question seems to be at the heart of the frenzied arguments relating to Julian Assange: that he should be assassinated, hunted down like Osama Bin Laden, that he be tried for treason. But does the blame really lie with him?
WikiLeaks publishes content that it gets sent by third parties. In the case of the recent US diplomatic cables, these were apparently supplied by Private First Class Bradley E. Manning, who is currently awaiting trial.
This begs the question: how did a Private manage to get access to over a quarter of a million diplomatic cables, discussing issues as sensitive as various Middle Eastern countries’ attitudes towards Iran?
One of the most basic tenets of information security is that of compartmentalisation, i.e. the basis of “need to know”. It is incredible that any one person, at the level of a Private, could access all of this information.
I would suggest that Private Manning was naïve and broke the law if he did what he is accused of. It would be a gross misuse of trust. But it must be acknowledged that there are serious issues within the security framework of the US Government if this could happen at all.
As we know, the new 3D airport scanners in use across the United States and being introduced in the UK are designed to show reveal whether there are any concealed weapons on a person’s body. As discussed in an earlier post, the principle is somewhat flawed, as there are so many ways around this system, especially around the concept of a sterile airport environment, post-security. This is analogous to having a simple network-perimeter security model in an IT-context.
However, the other big problem is the fact that these things take pictures of people’s naked bodies and people are in charge of selecting passengers and reviewing the images. There’s a great article on Gizmodo entitled “TSA Says Body Scanners Saving Images ‘Impossible'” with a saved image from a body scanner in the article. The difficulty here is that this whole area is ripe for abuse.
I do want to make it clear that those performing security checks at airports are doing a decent job. As with any large group of people, especially with a certain level of temptation, there will be the odd bad apple. It needs to be made clear that leering at people is not appropriate and is not just “a bit of fun”. Take the case of Donna D’Errico, a former Baywatch star. She has been singled out numerous times for the 3D scanner treatment and she accuses the security personnel of voyeurism.
So, given that they can be easily circumvented, is it appropriate to put a system in that can so easily be abused, where there is little chance of redress? Many clubs and companies use x-ray scanners to scan personal possessions prior to entry: would we be happy for 3D scanners to be widely deployed in the same way?
One of the course books I had way back when I was doing my MSc in Information Security at Royal Holloway was entitled “Information Warfare and Security“, and written by Dorothy Denning. It was an interesting book and got me thinking about the use of the Internet for military purposes and how the pervasiveness of the Internet could impact society if it were to be attacked.
The book was written in 1998 and a lot has changed since then; I was still using a 28kbps dialup modem and the communications course on my Computer Science degree focused a lot on ATM packet transmission. But the fundamental issues were already there.
The film WarGames was the first that addressed the issue of the possibility of hacking military systems but the most vulnerable networks now are civilian, those run by organisations that provide utilities and services to the general population, power and water for example. Given that private companies generally don’t spend as much on information security as governments, there is a risk that they haven’t spent enough. And people are being targeted with sophisticated Trojans whose purpose is unclear.
So, as a country whose critical infrastructure is under attack, how do you:
- Determine where the attack is coming from
- Determine whether it is state-sponsored or the work of “hacktivists”
- Decide what to do in retaliation, if anything
At what point does a cyber-war escalate into a physical one?
I realise that there are plenty of studies around the globe looking at these issues. I am not sure that there has been any final agreement about the implications of declaring Internet war nor under what circumstances. I do know, however, that many countries are developing their cyber warfare capabilities.