The Challenge Between The Intelligence Community and Privacy

There is an interesting article on the World Economic Forum web site (link below) regarding mass data collection and the world wide intelligence community.  The article, while leaning in the direction of the intelligence community, does endeavor to point out some of the issues on the privacy side.

Very briefly, the intelligence community worldwide is charged with protecting us from bad stuff and that is not an easy task.  While having access to a lot of data does not solve the problem, not having access to data certainly does not help things.

The article points out that the intelligence community will always push at the boundaries and effective, competent oversight is required in  order to make sure that the pendulum doesn’t swing too much in either direction.

I think that most people want to feel safe.  I think fewer people think that massive data collection has significantly improved the odds – whether that is true or not.  Remember, perception is reality.

I also think that the public does not make much of a distinction between Google and Facebook collecting data and some intelligence agency collecting it.

I think the biggest challenge that the intelligence community worldwide faces is that *IF* people, which includes terrorists and sympathizers, think that their communications are not safe, they will go underground and that is a MUCH bigger problem.  Whether the NSA, GCHQ or some other agency can hack into TOR or not, it clearly is a much more time consuming effort to extract data from the dark web than it is from Facebook.  TOR is only one of a thousand different ways to hide relationships and communications.

One thing that works in the intelligence community’s favor is that the bad guys don’t understand this.  I am not sure how much longer that advantage will last.

What social media does for terrorists is give them a mass communication platform that they lose if they go to encrypted point to point traffic.

If the general perception is that governments have overstepped their laws, then people will endeavor to fight back.  Some will do this effectively, others not so much so.

Clearly, as the article does point out, the intelligence community needs to get the public on their side.  In those efforts, I think they score a ‘D’ at best.  For example, while there has been a little arm waving about how effective their current mass data collection has been, there is little substance.  And when there was substance, it has been about as solid as Jello.

For example, after the Snowden leak, President Obama said that we know of at least 50 threats that have been averted .. so lives have been saved.

Rep. Mike Rogers said that 54 times this and other programs stopped and thwarted terrorist attacks, saving lives.  I am sure that if you include “other programs”, there are likely hundreds of attacks, maybe thousands, in some state of viability or other, that have been stopped.  At least I certainly hope so.

When Gen. Alexander spoke at Black Hat last year, he talked about 54 terrorist-related activities, 42 of which were plots.

When Sen. Leahy questioned Gen. Alexander in the Senate Judiciary Committee hearings, Gen. Alexander said that only 13 of those incidents had “some nexus” to the United States.

If I take my privacy hat off and put my economics hat on for a moment, you are telling me that we spent billions, if not tens of billions, of dollars and what we got for that was thirteen incidents with some nexus to the United States.  Incident and some nexus were not defined.  That does not seem like a great return on investment.  Is there a better way to spend that money to keep us safe?

I would be the last person to say that I have the answer to the intelligence problem.  It is likely one of the most difficult problems facing us.  That being said, more discussion and more transparency is likely better than the alternative.  I think this is the “interesting times” that the old proverb talks about.

 

The WE Forum article can be found here.

Some information for this article came from the Huffington Post.

Chrysler Recalls 1.4 Million Cars After Researcher Hacks Jeep

Earlier this week, I wrote about a hack that two security researchers demonstrated for a Wired reporter.  The researchers were able to disable the brakes and the accelerator, along with turning on the radio, wipers and windshield washer, remotely, from miles away.

Chrysler’s response was to put an obscure  notice on their web site that there was a security upgrade for some vehicle owners.

Today, Chrysler issued a voluntary recall on 1.4 million vehicles.  The owners will be sent a flash drive with the patch on it.   For Chrysler, this is a whole lot cheaper than having 1.4 million cars in dealership service bays.

Exactly how owners will know that the flash drive they get in the mail really came from Chrysler and was not tampered with is unclear.

Such is the new world that we are getting into.  Our parents did not have to worry about hackers disabling their brakes on their cars or manufacturers releasing unsecured patches for those hacks.

The interesting part of the news release is that Chrysler has worked with Sprint, the vendor who Chrysler uses for their UConnect system, to block the traffic that allows the hack to work over the Internet.  The researchers tested that and found that it did effectively block the attack.  This is a much better solution because it is effective immediately and is not dependent on almost 1.5 million people not throwing a flash drive that they got in the mail into the junk pile.

As Chrysler tried to spin the story, they said that, to their knowledge, the attack was never used outside the Wired demonstration.  While it is likely true that they are unaware, I am not sure how they would know if the attack had been tried – successfully or not.

Chrysler also said that no defect was found.  I am not sure what you would call something that allows an unauthorized user to disable your brakes from miles away.  Maybe that is a feature?

In any case, I am quite certain that because of the attention the Wired article and TV coverage of that article got, Chrysler actually paid attention to this problem.

What we don’t know is how many more of these non-defects exist in other connected vehicles.

The earlier post can be found here.

Information for this article came from Wired.

Shorts: Neiman Marcus, UCLA Healthcare, OPM, USPS Breach, National Breach Law

The Seventh Circuit Appeals Court, normally pro-business, has reversed a lower court ruling and said that the class action lawsuit against Neiman Marcus can go forward.  Often, these suits are dismissed saying that plaintiffs haven’t experienced any harm since fraudulent credit card charges have been removed.   This decision means that businesses hopes that class action suits will get dismissed as long as they reverse customer’s fraudulent charges is an argument that is holding less weight.  One interesting point that came out was that even though Neimans discovered the breach during the Christmas shopping season, they waiting until after New Years to disclose it so as to not hurt Christmas sales.  The court did not rule on the merits of the case, so stay tuned.

Source: IAPP

 

A UCLA Healthcare patient has filed a class action lawsuit against the hospital system in light of their recently announced breach.  While this is not a surprise, they are suing under the concept of breach of contract.  Part of the reasoning is that medical ID theft, unlike credit card theft, cannot be resolved by issuing a new piece of plastic, but instead can last for decades.  On the black market, a credit card might sell for $5, while a medical file might sell for $60+ based on that theory.

Under California law, patients could be awarded  up to $1,000 in statutory damages and $3,000 in punitive dames for each violation.  If each record is a violation, 4.5 million records could generate a large invoice.

Source: Consumer Affairs

 

The Senate appropriations committee voted to fund at least 10 years of credit monitoring plus a $5 million fund for reparations for the 22 million victims of the OPM breach, but no funding of OPM itself.

This ensures that the lax security and antiquated software will continue to run the country’s largest personnel department, leaving it vulnerable to the next group of hackers.  I have no question that Congress was and continues to be responsible for the OPM breach.

Source: Rollcall

 

The Postal Service Inspector General released a report blaming the USPS breach last year on poor training (their fault), lack of accountability for risk acceptance decisions (shared fault) and continued use of antiquated, unsupported systems (Congress’ fault).

The IG said that the Postal Service cannot attract qualified cyber security personal because they offer salaries of about HALF of what industry offers.  The blame for this lies with Congress, who sets government salaries.

As a result of this and other reasons, the IG says that the Postal Service was unable to prevent, detect or respond to threats.

Until Congress decides that cyber security is important government wide and passes laws that force agencies to treat cyber security seriously, we will continue to see more government breaches.  Given that Federal, state and local governments are not treating cyber security with any urgency, they are likely to be a popular target for years.

Source: Fierce Government IT

 

Just in case you have any doubt that I totally blame Congress for this cyber security mess….

It appears that hopes for any kind of national cyber breach bill are pretty dim after Republicans watered down the bills in committee to to pointing of meaningless to attempt to get something passed, which the Democrats rebelled against.

Passing a useless bill would allow politicians to say “see how wonderful we are” while not requiring big campaign donors to do anything meaningful.  Credit card fraud is no longer the big problem as the banks, for the most part, are doing a much better job of catching it.  Unlike Congress, the banks are worried about losing their own money,  Below is an example of a text that I got from the bank the other day:

Chase

Source: Rollcall

Fallout From OPM Breach Continues

Not surprisingly, the fallout from the OPM breach continues.  Here are a few new items in the news after OPM Director Archuletta was basically fired.

  • The OPM has changed it’s privacy policy to allow investigators to probe it’s databases.  This happened after the discovery of “significant entryways” for hackers in at least 3 more databases.  The change allows external agencies, contractors and any “appropriate persons and entities” to access OPM systems.  This could be worse than the attack because I don’t have a lot of confidence that the OPM will manage this well.
  • While the OPM picked a contractor to help them manage the first breach in a day, under the table, with no bids (and took a lot of heat over it), they put out an RFI last week for this breach.  One of the potential bidders is LifeLock, although they may be low on the list due to their new problems with the FTC.  Preliminarily, they want to pick a vendor on August 14th, with notices going out starting the next week.  This points to how hard it is to get ahead of the breach steamroller if you did not plan ahead.
  • Lawmakers are asking the GAO to review how effective credit monitoring is in this situation.  Also, how adequate it is.  I have said before it is mostly useless and totally inadequate.  We will see what the GAO says.  Unfortunately, I am not aware of any product on the market that would work well in this case.  They are also asking if these services make you more vulnerable in the future (as I suggested yesterday with LifeLock).
  • Questions are being asked if the hackers might have been able to change security clearance information – either questionnaires or status.  The OPM would not say, meaning that they cannot assure us that the hackers could not do that.  If the integrity of that information is suspect, that is a BIG problem.
  • Valerie Plame, former CIA operative and now author, who herself was outed by President George Bush’s staff as retaliation for comments her husband Joe Wilson made, said that the attackers “are going to be able to exploit this information for decades.”.  Unfortunately, that is an understatement.
  • Some people have blasted the White House for not identifying the Chinese as the source.  Here is the reasoning.   The NSA does exactly the same thing.  Hopefully, they don’t get caught.  If we start indicting the Chinese for this, they will likely point out that we do it to – probably with some evidence.  We don’t want another Snowden.
  • Lastly, the OPM is telling agencies that they are going to share in the OPM’s pain.  In particular, they are going to pay for the cost of dealing with the breach.  Given this breach will likely cost the OPM hundreds of millions and the government does not buy insurance, someone has to pay for it.  The agencies are not happy, but also not surprised that they will have to write some big checks.

It’s gonna get even messier before we clean this stuff up.

 

 

 

Information for this post came from IAPP, the International Association Of Privacy Professionals.

FTC Takes Against Life Lock – Again

In documents filed in district court today, the FTC said that LifeLock failed to live up to it’s 2010 settlement with the FTC and asked the court to order full redress to all consumers affected.

The 2010 settlement stemmed from the FTC complaining that LifeLock used false claims to sell it’s services (remember when their CEO used to put his social security number on billboards?  Not any more).

Disclosure:  I am not a big fan of LifeLock and never have been.  In order to make the service work, you have to give them access to all your accounts.  That makes them a weak spot and a target for hackers.  The FTC claims, in this most recent court document that even though LifeLock was ordered in the 2010 settlement to create a comprehensive information security program, at least through March 2014 they did not have such a program.  It is not clear if they have one now.

The FTC also says that they falsely claim that they protected your information with the same high level safeguards as banks.  If that means that they use SSL on their web site, I would be concerned.

They also failed to meet the 2010 order’s requirement for record keeping.

Finally, the FTC said that LifeLock falsely claimed that it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem.

While the details of the FTC’s action were sealed, the vote against LifeLock was 4-1.  I am sure that LifeLock will say they did nothing wrong and more information will come out during court proceedings, so stay tuned.

For the most part, LifeLock does not do anything that you cannot do yourself, so your trade off is your time vs. $9 to $26 a month.  And if their security is not so good, that is a big problem.

Information for this post came from the FTC web site.

Jeep Hacked By Remote Control

The media has been reporting the demonstration done by two security researchers  and a Wired magazine reporter where they completely controlled a Jeep, including the brakes and accelerator.  To quote Wired:

I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.
Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.

There have been a number of reports of hacking of cars through their online cellular connection, called telematics in the trade.

In this case, Chrysler’s UConnect is the culprit and it is pretty amazing what the hackers can do.

If they can find the IP address of the car,  through the UConnect cellular connection, they can completely control the car remotely from anywhere in the world.

In this case, they were able to disable both the brakes and the accelerator,  among a number of other things.

Due to a vulnerability, the hackers are able to rewrite the firmware in the car’s entertainment system.  From there, they are able to send commands on the CANBus and take over the car.

Part of the problem, as I have written before, is that the CANBus architecture has been described as the best car network we could design in 1980.  It has not changed much since.

Quietly, Chrysler has issued a patch – since the researchers are good guys and have been sharing their data with Chrysler for 9 months.  What if they were bad guys.  It is an interesting way for a nation state actor to kill people that they want to get rid of.  Likely, no accident investigator is going to examine the firmware in the car’s entertainment system for symptoms of an attack.

This is all due to the fact that cars are no  longer hardware.  True, there still is some metal and plastic in the frame and body, but more and more, cars are a rolling computer.  Or, more accurately, tens of computers.  High end cars might have 50 computers or more.  Those computers contain millions of lines of software.

And, just like your iPhone or Android phone, which you patch regularly, often behind the scenes, cars need to be patched too.  Unfortunately, for the most part, that does not happen unless researchers like these guys plan to make a big splash at the security convention Black Hat in Las Vegas next month.

Senator Markey, who has been a big critic of auto safety (see post), has introduced the SPY Car Act (Safety and Privacy in Your CAR).  The bill, which was just introduced this week aims to both set standards and rate cars numerically on their cyber security.  While no one knows how this legislative sausage will wind up, you can count on the fact that no car manufacturer wants their rating to be at the bottom of the heap.  Unfortunately, if it is anything like the government’s miles per gallon numbers, it may wind up being mostly a myth.  No matter what, it will likely take years.

Oh, I forgot, If you have a 2013-2015 Chrysler vehicle with UConnect, you should patch it.  You can do that via a USB stick with a patch downloaded from the Chrysler web site (details in the Wired article below) or take it to your dealer.

Unlike the BMW patch from a few months ago (see post) where they could patch it over the air (which adds even more security concerns), the Chrysler patch requires physical contact.

Earlier this month Range Rover issued a patch that allowed a hacker to unlock the car.

So now, just like with your phone and your laptop, you may need to plan on patching your car every month.  in car makers’ defense, their software has generally been pretty reliable.  In part this is due to the fact that unlike your iPhone, there are no standards when it comes to your car’s computers.  Not only won’t a hack designed for your 2013 Chrysler work on a 2013 Ford, it likely won’t work on your 2012 Chrysler.

Chrysler, while happy that the researchers told them about the problem, are unhappy that they told the world.  They would have been much happier if they could have quietly released a software update with no one the wiser.

Consumers, on the other hand, need to understand how much software exists in their car and the fact that likely it is no less buggy than any other software in the world.

As car manufacturers continue to add computers and software to new vehicles, this is likely to continue to be a problem.

And for those people who said, after the Toyota accelerator pedal crashes a few years ago “why didn’t they just turn off the car?”, in many cars turning off the key is just software and does not really turn off anything.  Unlike you old desktop computer, where unplugging it would really turn it off, you cannot do that in many cars any more.  A brave new world.

 

Information for this post came from Wired Magazine.