MI-6 Follows CIA, Just 22 Years Late

Why? Quantum Computing and Artificial Intelligence!

For those of you who are not familiar with MI-6, even via a somewhat romanticized version in James Bond movies, MI-6 is Britain’s spy agency. Working alongside MI-5 and GCHQ, their goal is to protect Britain from the bad guys. MI-6, similar to our NSA (often referred to as No Such Agency), prefers to stay in the shadows. The agency’s existence wasn’t even formally acknowledged until the 1990s.

However, now they are talking very publicly. Richard Moore (AKA “C” in MI-6 speak) talked publicly for the first time since taking over the role of Chief of MI-6. He said that developments in quantum computing and AI are good for society.

Speaking at the International Institute for Strategic Studies, Moore warned that China, Russia and Iran, who could exploit technology to meet their aims, are a threat to the UK (and the rest of the world).

While human intelligence is important (and, I might add, becoming harder by the day because of the digital footprint that every human leaves behind – or if they are a spy, do not leave behind), technology is going to be critical to assessing that intelligence.

He warned that “our adversaries are pouring money and ambition into mastering artificial intelligence, quantum computing and synthetic biology because they know that mastering these technologies will give them leverage”.

However, “C” admitted that they (the UK) will lose the battle if they try to out-do big tech.

So, they are doing what the CIA started to do in 1999 and have started a venture capital fund called the National Security Strategic Investment Fund. The CIA calls theirs In-Q-Tel. While I don’t know NSSIF, I did pitch In-Q-Tel a few years ago. Some super smart people. Likely also true for NSSIF. Both are looking for smart people with even smarter ideas who need money. Of course, they want to use, partner, or own the tech that these investments produce. “C” said that this is a culture change for the organization that is going to be a sea-change. The CIA seems to have figured out how to do it. Perhaps the two organizations should chat. Or maybe they already are.

The key point is that quantum computing and AI are going to be critical to national security and, my guess is, China and the others know that too (read my November 25th blog post if you doubt this). If they can’t develop it themselves, there are other alternatives that they seem to be pretty good at also. Credit: ZDNet

Booz Allen says that the Chinese are already planning for the day when powerful quantum computers are running inside their state-run intelligence service. Booz says that Chinese hackers might soon start trying to steal encrypted data such as encrypted weapons design data, biometric data and spy agency human asset info, with the hope that, with quantum computing, they will be able to decrypt it in the future.

Booz writes:

“In the 2020s, Chinese economic espionage will likely increasingly steal data that could be used to feed quantum simulations,” the analysts write in the report Chinese Threats in the Quantum Era.

Hackers could steal encrypted data now and crack it with quantum computers later, warn analysts | ZDNet

We either need to protect our tech. Or learn Mandarin.

Interpol Arrests 1,000 Cyber Criminals

While arresting 1,000 people in a four-month-long operation is a significant feat, it is likely mostly very low level people that they caught.

They also recovered $27 million in proceeds. Given that the estimate is that Internet crime will cost us $10 trillion a year by 2025, recovering $27 million doesn’t seem like much.

The operation, code named HAECHI-II, involved law enforcement from 20 countries and allowed them to close over 1,600 cases. Again, not to diminish their work, but there are millions of cases every year.

Interpol’s Secretary General said that this operation showed that the surge in online financial crime during the Covid pandemic has not eased.

Not only did they arrest over a thousand crooks, but they also discovered ten new criminal techniques during the operation.

And the crooks are creative. In one attack the hackers got people to download an app based on the hit South Korean Netflix show Squid Game and that app had a trojan that subscribed the victims to paid premium services without their approval.

This is part of a three year anti-crime operation. Phase one, called HAECHI-I, arrested about half as many people but recovered more than three times as much money.

While these efforts are useful, the only way to make a real dent in cybercrime is to get people to be more aware and take more responsibility for protecting themselves. This is hard because many of the attacks are very sophisticated and hard for people to understand. Part of the challenge is to get people to do things that they don’t want to do. Google, for example, says that only about 10 percent of its users have turned on two factor authentication, which makes compromising a user’s Google (or bank) account much harder. Google has decided to force the issue and is planning to make two factor authentication mandatory on a hundred fifty million accounts this year in phase 1 of getting all accounts 2FA enabled. But other companies do not want to take the heat from unhappy consumers. For example, most banks do not require 2FA for online banking and consumers don’t care because the bank takes the loss from the fraud.

Maybe companies need to do what cyber insurance companies are starting to do. If you don’t have good cyber hygiene, they just won’t pay your claim – you are on your own, good luck.

Credit: The Hacker News

Security News for the Week Ending November 26, 2021

Tesla Locks Owners Out of Cars – On Accident

Hundreds of Tesla owners got locked out of their cars when a server that powers the Tesla app crashed due to load. Apparently those owners forgot there is such a thing as a car key. The outage lasted about 5 hours and Elon Musk later tweeted that they would work to avoid this in the future. This doesn’t happen often; just a reminder that no tech is perfect. Credit: The Guardian

The Zelle Fraud Scam – Don’t Fall Victim

The Zelle fraud scam starts with a fake text message that asks if you made a Zelle payment in the amount of $X. If you respond to the text with anything, you will get a call from the scammer pretending to be your bank. The scammer asks for your online banking USER NAME (not password) and the hacker then does a password reset, asking you for the PIN that your bank sends to do the password reset. And then empties your bank account. For more details, see the Brian Krebs account of the attack.

Microsoft Says Attackers Don’t Bother to Brute Force Long Passwords

A Microsoft engineer analyzed over 25 million password attempts against a honeypot of SSH servers and discovered that 77% of the attempts to brute force a password used passwords of 7 characters or less and only 6% used passwords of over 10 characters. Also, only 7% of the attempts used a special character. This gives users some parameters for constructing passwords. Credit: The Record

US Sanctions 28 Quantum Computing Companies in China, Russia, Pakistan and Japan

The US continues to work on protecting our technology from foreign bad actors. The Commerce Department added 28 companies in multiple countries as a risk to the US. These sanctions prohibit US companies from dealing with these organizations. Given that quantum computing is a strategic technology for everyone, we do not want to accidentally be helping the bad guys. For a list of these companies, check out this article.

Israel Bans Sales of Hacking Tools to 65 Countries

In the wake of all of the negative press that Israeli hacking tools company NSO Group is getting, including being banned in the US, Israel reduced the list of countries that companies like NSO can sell to from 102 to just 37 countries. See the list here.

India to Ban Almost All Private Cryptocurrencies

India is about to ban almost all private cryptocurrencies. A new bill will create a framework for an official digital currency, to be issued by the Reserve Bank of India. Included in the ban would be Bitcoin and Ethereum. Effectively, if this bill becomes law, non-fiat cryptocurrency would cease to exist in one of the world’s most populous countries. Credit: Euronews

China Charts Plan for Tech Self-Sufficiency

China’s policymaking body, the Central Comprehensively Deepening Reforms Commission (I did not make up this name) approved a plan yesterday for developing home grown science and technology with an eye toward self-sufficiency.

According to a press release by the state run news agency, Xi said that while China has made substantial progress in trying to develop its science and technology sectors, they are still struggling. Which means that stealing intellectual property from the west is still critical.

And what are they trying to focus on?

Artificial intelligence and quantum computing.

This comes as Biden continues to tighten the screws on the Chinese tech sector, adding another dozen Chinese companies to the entities list, banning US companies from selling to them.

China’s vice premier wrote an article for the People’s Daily yesterday saying, using a lot of words, that innovation is critical and since Xi said that they were still challenged at doing that, it is pretty clear what the alternative is.

China, of course, is not pleased that more companies have been blacklisted, but my guess is that asking us to un-blacklist them will not produce results for them.

Based on this, expect more espionage – both by breaking into US company networks and by planting insiders inside targeted companies. Also expect them to continue to expand the Thousand Talents program.

All in all, this means that US companies with critical tech need to stay on their toes. If you think your tech is important, so does China and they are very motivated to steal it. Likely they will do it very quietly so that you don’t even know that you have been hacked.

Credit: The Record

Get Ready for NIST’s Software Supply Chain Security Guidance

As part of the Executive Order on Improving the Nation’s Cybersecurity (EO 14028), NIST is required to do several things. Among those are guides and standards for improving supply chain security, and they have already released a number of draft documents related to their tasks.

IF you sell to the executive branch, these will become mandatory. In some cases they can bypass the FAR process, although there will be some FARs created, and just implement the EO as directives to the branch agencies to do this or do that.

The first thing that they did is create a definition of what is critical software. You can see this document here. It provides both specific criteria for attributes of software that meet their definition and then it provides a list of software types (like, for example, endpoint security tools) that meet these definitions.

Earlier this month, NIST released preliminary guidelines for enhancing software supply chain security. This document, called NIST Special Publication 800-161 Rev 1 was released in draft form for comment. A light weight bedtime read of over 300 pages, it is open for comments until December 3rd. It provides a very rich cybersecurity supply chain risk management (C-SCRM) process and it will only get better with comments.

After releasing this, NIST held a workshop to go over the guidance, which is due to be finalized by February 6, 2022.

NIST has also created a new document titled Secure Software Development Framework Version 1.1, also known as NIST Special Publication 800-218, which is available here. Unlike SP 800-161, this one is only 31 pages.

Perhaps I don’t understand all of this, but here is my take.

IF you develop software you want it to be secure.

IF you sell software to the government, you will be required to follow this NIST process.

If you don’t sell to the government, but your customers sell to the government, you may be required to follow this process anyway.

So, you basically have three choices:

  1. Do nothing and see what happens
  2. Create your own secure software development framework
  3. Leverage all the work that NIST has already done and will continue to do, follow their guidance, and improve your software’s security.

Which one do you think is the best strategy?

I thought so.

2020 Election Audits Costing Millions but Not in the Way You Think

Arizona’s Republican led state Senate hired Cyber Ninjas to review the election results for Maricopa County. Unfortunately, these ninjas had no experience doing election audits and, apparently, not much experience doing any kind of forensic investigating. They did not maintain custody of the equipment, they did not maintain surveillance on the equipment and they allowed unauthorized people to access the equipment.

The result? The state decertified the equipment which means that the County needs to replace all of it. Since it was leased, they have to buy out the lease from Dominion. And then destroy it. In a deal with the state, which threatened to withhold $700 million in state funding if the county didn’t turn over their routers, the state Senate agreed not to do that if the county agreed to pay the $3 million to replace the election equipment. Credit: AZCentral

In Pennsylvania, another fight broke out when the state started a similar audit. The Pennsylvania Department of State said that they would decertify all voting equipment in all 67 counties in the state if the chain of custody was broken. The state says that could cost up to $40 million. Credit: Reuters

The FBI is investigating a situation in Lake County, Ohio, where a private laptop was connected to the state network in the office of the Board of Commissioners Chairman John Hamercheck, allowing this person to capture network traffic. This is similar to the investigation going on in Mesa County, Colorado. Credit: Washington Post. This data was given to the MyPillow guy and used at his August non-cyber-symposium event where he was supposed to show us how the election was hacked and did not.

As I reported the other day, in the Mesa County investigation, images of the hard drives of the county’s election counting equipment were uploaded to the Internet. Images of all of the county’s passwords were also posted on the Internet.

The Wall Street Journal is reporting that Iranian Hackers breached the network of newspaper chain Lee Enterprises to test modifying and creating content in the chain’s newspapers. The Justice Department recently indicted these hackers.

All of these, along with other similar events, are costing governments across the country millions of dollars in investigation costs, added labor including overtime, additional security expenses, legal expenses, replaced equipment, downtime and other costs.

All of this money is coming out of taxpayers’ pockets.

While this may be justified, if this was done within channels – which the people wanting the audits don’t trust – the cost would be dramatically less.

This is just the tip of the iceberg. All of the recounts, all of the audits, even if they are done within channels still cost tens of millions – probably hundreds of millions.

Of course there is no tally of all of these costs. But you and I get to pay for them.