Category Archives: Opinion

Security News for the Week Ending April 29, 2022

Sungard Files for Chapter 11 Bankruptcy Protection – Again

Sungard, the king of disaster recovery and business continuity, needs to figure out a new business. They previously filed for Chapter 11 in 2019 and shed $800 million in debt, but they have a fundamental problem. As businesses move from private data centers to the cloud and from offices to work-from-home, they just don’t need Sungard anymore. And likely never will. They REALLY need to reinvent themselves. Credit: Tech Target

Any Sign of the Supply Chain Returning to ‘Normal’?

One of the lists I am on asked this question and the answer seems to still be no time soon. Lead times for high-end network and server gear are still 6-12 months, or simply ‘unknown’. Manufacturers are reducing their chip and system product range to focus limited supply on the more important products, and some customers are getting priority based on performance penalties in long-term contracts. The NY Times has an extensive piece on all of the problems, none of which are easy to fix in the short term. Credit: NY Times

AWS Locks Up NSA Cloud Deal

Years ago Amazon (AWS) locked up a deal worth up to $10 billion to provide a secure, classified cloud to the CIA. That was before the days of contract protests over the cloud. Years later, the DoD tried the same thing, called JEDI. It died due to contract protests. DoD is still trying to build a classified cloud, now called JWCC. However, now the NSA has joined the CIA and awarded AWS a $10 billion contract to build them a classified cloud. The rest of the DoD is still waiting. Credit: Meritalk

Brazil Senate Passes Bill to Regulate Cryptocurrency

The Brazilian Senate has passed a bill that regulates the cryptocurrency market in an effort to protect consumers. Crypto exchanges would fall under the regulation of Brazil’s Central Bank. As one of the leaders in the crypto market, Brazil is also set to release a cryptocurrency pegged to the real, Brazil’s currency. It is not clear to me what the value of a cryptocurrency pegged to any country’s currency is, but the good news (bad news?) is that since it is based on software, all of these new cryptocurrencies will likely be hacked and the hackers will make billions. At least someone will get rich. Credit: ZDNet

China, Russia and India Do Not Agree Not to Undermine Future Elections Using Misinformation

The United States, European Union, United Kingdom and 32 other nations have committed to not interfere with future elections by running online misinformation campaigns or illegally spying on people. On the other hand, Russia, China and India, unlike these 60 other countries, did not agree to the declaration. Not really a big surprise. Credit: ZDNet

China Charts Plan for Tech Self-Sufficiency

China’s policymaking body, the Central Comprehensively Deepening Reforms Commission (I did not make up this name) approved a plan yesterday for developing home grown science and technology with an eye toward self-sufficiency.

According to a press release by the state run news agency, Xi said that while China has made substantial progress in trying to develop its science and technology sectors, they are still struggling. Which means that stealing intellectual property from the west is still critical.

And what are they trying to focus on?

Artificial intelligence and quantum computing.

This comes as Biden continues to tighten the screws on the Chinese tech sector, adding another dozen Chinese companies to the entities list, banning US companies from selling to them.

China’s vice premier wrote an article for the People’s Daily yesterday saying, using a lot of words, that innovation is critical and since Xi said that they were still challenged at doing that, it is pretty clear what the alternative is.

China, of course, is not pleased that more companies have been blacklisted, but my guess is that asking us to un-blacklist them will not produce results for them.

Based on this, expect more espionage – both by breaking into US company networks and by planting insiders inside targeted companies. Also expect them to continue to expand the Thousand Talents program.

All in all, this means that US companies with critical tech need to stay on their toes. If you think your tech is important, so does China and they are very motivated to steal it. Likely they will do it very quietly so that you don’t even know that you have been hacked.

Credit: The Record

US Wired Broadband Ranks Right Behind Moldova

I often say that the US Internet access ranks right up there with many third world countries. Now I have the data to prove it.

Ookla, the company that makes and runs the SPEEDTEST software, reports every month on Internet speed around the world.

This year, in the wired category (the kind you likely have at home and in the office) we rank 14th, right behind Moldova. And behind Hungary. And behind Romania.

By the way, I had to look up Moldova. It is between Romania and Ukraine.

In the mobile wireless category (like you get on your phone), we are curiously also ranked 14th. That puts us behind countries like Bulgaria and Cyprus.

Contrary to those commercials that you see on TV, our average wireless speed was 91 megabits. That is a little different from those gigabit speeds that they claim in TV ads.

On the wired side, our average speed was 195 megabits, or about double the wireless speed.

In the US, we haven’t invested much in fixed broadband infrastructure, which is why we rank behind Moldova. It is also because we have very little competition for Internet service, which means providers don’t have to invest in improving service. After decades of being asleep at the wheel, the FCC is starting to wake up about regulating telecom, but you have to remember that the last FCC chairman used to be a lobbyist for one of the large telecoms (the one that starts with a V).

Likely, these numbers are going to get worse.

Overall, the global mobile download speed jumped 60% since last year and the fixed download speed jumped 32%. Did your Internet speed increase by 1/3 or 2/3 last year? Mine did not jump by anything.

We say that we want to compete with countries like China, but China ranked #4 in wireless speed. Their push is all wireless; their wired speed was #17.

I am fine if the US wants to push wireless but that is going to take a huge investment. It probably makes sense for the US to have a hybrid approach where we mix wired and wireless.

Millions of Americans have no access to broadband Internet. I live just outside of Denver and the fastest Internet that is available to me just barely qualifies as broadband Internet under the FCC definition and if they raise the standard then I will have no access to broadband.

83 million Americans have only a single option such as Comcast.

Still millions more only have access to slow DSL-based Internet.

Carriers such as AT&T are abandoning their DSL based Internet service and not replacing it with anything, leaving those users, usually in poor neighborhoods, without Internet.

How does that work in a world of remote learning and work from home?

It is possible that people are not buying the fastest service the carriers offer and that is affecting the result, but that brings us to price where the US is really expensive compared to the rest of the world.

If you really want to get depressed, the US ranked 21st out of 26 countries tracked BY THE FCC in both standalone fixed broadband price and in mobile broadband price. That is, apparently, normal for us. Credit: Vice

DoD Contractor Hit by Ransomware Infection

Electronic Warfare Associates (EWA), a well-known defense contractor in DC, was hit by a ransomware attack. The tagline on the homepage of their website says that they are enabling a more secure future.

A Google search last week for the company brought up these results:

[Screenshot: ewa-ransomware.png]

The researcher who discovered the problem said it seems to have affected, at least, EWA Government Systems Inc., EWA Technologies Inc., Simplickey and Homeland Protection Institute.

EWA has not made any public announcement of the issue.  As I write this, the EWATech web site does not respond.

The current information suggests this is the Ryuk ransomware.  It is used for high value targets and is known to exfiltrate data.  Exfiltrate is a big word for steal.  Source: ZDNet

One more thing we know.  When ZDNet called the company and spoke to their spokesperson asking for a comment on the story, he or she hung up on the reporter.

So what might we speculate?

You may remember that another Navy contractor lost over 600 gigabytes of very sensitive electronic warfare data (from project Seadragon) to the Chinese in 2018.  Were the Chinese looking for more EW data?  Certainly could be.  That data is very valuable in building better offensive weapons (figuring out how to defeat our weapons) and building better defensive weapons (it is cheaper to steal it than to invent it).

The Navy went crazy after the Seadragon breach.  This makes them look even more incompetent.

DoD contractors are required to notify the Pentagon within 72 hours of a breach.  Assuming they followed the law, the Pentagon’s people (NSA, for example) could be all over this.

Much of the information that the government eventually classifies starts out as commercial research and isn’t classified until later.  Which COULD mean that whoever hacked them was after high value, not-yet classified information.

All of this is speculation, but reasonable speculation.

Which brings us up to the Pentagon’s efforts to require defense contractors to get an independent, third party cybersecurity certification called CMMC.  Would a certifier have discovered a problem which allowed this to happen?   Assuming the Pentagon is in the middle of this investigation, we may never hear.  But I bet folks are looking at the forensics right now.

But this certainly bolsters the logic behind the CMMC certification requirement.  And it is on track for starting later this year.

For those of you who sell to the government – both civilian and military, this is just one more warning to protect your ass.ets.

And more ammunition for Katie Arrington (who runs the CMMC project).

Oh.  One last thing.

The spokesperson who hung up on the media.  That is a GREAT way to get even more media attention on the worst day of your career.

There is something called an Incident Response Plan.  Part of an IRP is a Crisis Communications Plan.

Perhaps they should think about writing one.  And training people.

PS – It is probably required by CMMC.


Survey Says: Americans Concerned About Data Collection Practices

Well maybe not concerned enough to change their practices, but concerned.

When asked if their data is more secure, less secure or about the same as compared to five years ago, 70 percent said their data was less secure.  6 percent said it was more secure.

On the side of “gee, you mean I have to do something about it?”, 97 percent say they are asked to approve privacy policy notices, but only 9 percent say that they always read them and another 13 percent say they often read them. That means that three-quarters of the users don’t read what they are agreeing to. 38 percent say they sometimes read the policies and 36 percent say they never read them.

Of those people who say that they at least sometimes read the privacy policies, only 22 percent say they read them to the end.

On top of that 63 percent said that they know very little or nothing about the privacy laws that protect them.

When it comes to being tracked, 72 percent said that all, almost all, or most of what they do on their phone is being tracked with an additional 19% saying that some of what they do is being tracked.  That leaves 9 percent who think that they are not being tracked. Hmm?

47 percent think the government is tracking them.

69 percent feel that their offline behavior including where they are and whom they are talking with – OFFLINE – is being tracked by the government.

84 percent say that they feel that they have little to no control over the information that the government collects and 81 percent feel the same way about information companies collect about them.

81 percent of the people think that the risks of data collection about them outweigh the benefits and 66 percent say the same thing about government data collection.

72 percent say they personally benefit very little or not at all from the collection of their data by companies and, even more surprisingly, 76 percent say that they don’t get much benefit from government data collection.

Certainly an interesting set of information, which could explain why there was so much support for privacy legislation in a variety of states.

You can find more information about the Pew report here.


The Security Implications of the Federal Shutdown

O P I N I O N

The President says that the shutdown is about security and I think he is right, but not in the way he is thinking.

We have to take this agency by agency, but just look at the numbers.  The EPA, probably no one’s favorite agency for different reasons, says it is furloughing 13,000 out of its 14,000 employees.  Is it likely that some of those employees serve cybersecurity (or even physical security) functions?  Maybe the 1,000 people are all of the folks managing cybersecurity, but I doubt it.

TSA screeners are considered essential, so they are supposed to work even though they are not being paid.  Some number of them (TSA isn’t saying how many) have been calling in sick.  Given the horrible stats regarding TSA agents detecting contraband and the fact that TSA turnover is 80% or more a year in some cities, there is no way that this is not negatively impacting your security.  It is affecting my security less because I haven’t had to fly lately, but if I did, it would affect my security too.

Even if the TSA attrition rate is not climbing during the shutdown, they are not hiring anyone right now. That alone puts security at a disadvantage. The TSA has 50,000 agents. If you assume they have to replace only 25,000 every year, then even if the attrition stats don’t go up, a month-long shutdown means they will have to replace about 2,000 people. How easy will that be given that the government is/was shut down? The TSA says that standards won’t suffer, but you can do your own math.

Many so called government employees are actually contractors.  It is possible that some companies are choosing to pay their employees to work at federal jobs even though they are not and likely will not be paid (historically, federal employees got back pay after they returned to work but contractors did not), but some companies do not have the resources to do that.  Combine that with the government issuing what they call “stop work” orders to contractors and you have to believe that there is an impact.  One stat I read tonight said that 40% of the federal labor force is contractors.  Assuming that is close to true, surely some of those people are not working as a result of the shutdown and probably some of them perform security functions.

Other parts of Homeland Security include 187 departments and several hundred thousand employees. At least some of them have been furloughed; others are working without pay, while still others are looking for other jobs.

Who are the most likely to find other jobs?   Certainly it is not those with the least skills.  When it comes to cybersecurity, it is the ones with the most skills and likely, if they leave, they will get a pay raise.  And, they won’t come back.

So while the government will never admit how much the shutdown affected security, the longer it goes on, the greater the effect is.

Just my two cents.