Category Archives: Privacy

Governments Struggle to Deliver Secure Online Services to Citizens

As times change and as a function of the pandemic response, governments are trying to deliver more services online. Unfortunately, governments rarely get to hire the best or the brightest software developers or security architects because they cannot match what the private sector can offer.

Auth0 recently released the findings of its Public Sector Identity Index. Here are some of their findings.

The first question is how do citizens authenticate themselves to your digital services.

[Chart: online citizen services]

Not surprisingly, the overwhelming answer was userid and password, probably the least secure method possible other than no authentication at all.

While the report says that a little more than 60% use two-factor authentication, it is less clear to me whether that means that the site OFFERS 2FA or the site REQUIRES 2FA. Google, for example, offers it but, at the moment and for the most part, does not require it. The results include responses not only from U.S. IT and business leaders but also from those in the U.K., Australia and New Zealand. Different countries probably have different adoption rates.

So what are some of the key findings?

  1. Less than one in five are extremely confident in the security of their current authentication solution.
  2. Four in ten are building their own identity authentication solution. I am sure they will do that perfectly and securely. NOT!
  3. Most (75%) plan to expand their digital offerings over the next couple of years and almost the same number are concerned about citizens’ privacy as well.

If we just look at U.S. responses, ensuring that citizens trust their government’s digital services comes in at 71%, but only 56% of those same people have confidence in their ability to deliver it.

Forrester says that what the public sector does is hugely important because it makes up 30% of the global GDP. Credit: Helpnet Security

It’s To Protect The Children

Law enforcement has been trying to put the encryption genie back in the bottle since at least the 1990s, when it jailed and tried to convict Phil Zimmermann for creating an open source encryption program called PGP.

The problem is that encryption is math and math doesn’t care about politics.

If some governments were to ban encryption, there would be other countries where people who really wanted encryption could get it. And, while the math is hard, there are enough books published, enough algorithms available, that smart hackers could write their own.

Governments have been trying for decades to get software developers to create new math – math that allows for strong encryption but also gives law enforcement a master key to look at whatever they want to look at.

After all, if the TSA can’t even secure the physical keys that they use to open people’s suitcases at the airport, how likely is it that they can secure a master encryption key or keys?

So the solution is to scare people – or at least try to scare them.

Fear is a common tactic. Car makers who don’t want people to be able to repair their own cars said that allowing people to do that would embolden sexual predators (Massachusetts, 2017).

They are counting on people being fearful and not knowledgeable. Occasionally it works.

Britain is trying to scare people into giving up their right to privacy. At this point, we do not know whether it will work or not.

Rolling Stone is reporting that the UK government, at taxpayer expense, has hired the world famous advertising agency M&C Saatchi to create a major scare campaign.

According to documents reviewed by Rolling Stone, one of the activities considered as part of the publicity offensive is a striking stunt — placing an adult and child (both actors) in a glass box, with the adult looking “knowingly” at the child as the glass fades to black.

The UK Home Office said that they hired Saatchi to bring together organizations that “share our concerns about the impact end-to-end encryption would have on our ability to keep children safe”.

It is fair to say that encryption does make bulk data surveillance harder, but there is already a lot of end-to-end encryption in place. Open source software like Telegram and Signal and commercial software like WhatsApp are just a couple of examples.

The government says that the plan is to create this media blitz “to make the public uneasy”. In other words, scare them into accepting even more surveillance than they are already under.

One slide from a campaign deck says that most of the public has never heard of end-to-end encryption, adding that “this means that people can be easily swayed”.

They also said that the campaign must not start a privacy vs safety debate, but I don’t think that objective is possible.

The opening phase of the government’s scare campaign is expected to start within days.

However, privacy advocates plan to start their own campaign too.

This battle is not going to end anytime soon, but the best defense is an educated public.

If you have questions, please reach out to us.

The Latest Supply Chain Risk – Your Desk Phone

Senator Chris Van Hollen (Maryland) wrote a letter to Commerce Secretary Raimondo asking what she planned to do about this security vulnerability, which is the first we are hearing about it. Raimondo could ban the equipment, just like equipment made by Huawei and others.

Chinese electronics maker Yealink is not a household word like Huawei, but it may soon be.

Yealink’s phones are, apparently, popular in the United States, including at government agencies – federal, state and local, but they might have just a few security concerns.

Van Hollen’s letter references a report by Virginia-based Chain Security that scopes out hardware risk for a living.

The report says that Yealink’s Device Management Platform or DMP is what allows users to make calls and administrators to manage the phones.

HOWEVER, it also allows Yealink to secretly record those calls and also, for computer based phones, to track which websites users are visiting.

Concerned yet?

It turns out that even if you are using a physical phone, if the computer gets to the network through the phone, the phone can still track what websites you are visiting. Actually, not CAN track you; it IS tracking you.

While it is not confirmed, it is suspected that Yealink is a sysadmin for the DMP and hence has the power to do anything that any other admin can do.

Yealink’s service agreement requires users (like US Government employees with one of their phones on their desk) to accept China’s laws, including a term that allows for the active monitoring of users when required by the ‘national interest’ of China.

The phone also does not digitally sign software updates, so if someone can convince the phone to accept an update, it has no way of knowing whether that update is legitimate or not.
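As an added example (not Yealink’s or Chain Security’s code), here is the kind of check a phone should make before installing an update; it assumes an Ed25519 vendor public key pinned in the device and a constructed container layout of version, payload and signature, and it also rejects downgrades to older signed images:

```go
// Added example, not vendor code. Assumes an Ed25519 vendor public key is
// pinned in the device; the update container layout below is constructed.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const sigLen = ed25519.SignatureSize

// BuildUpdate mimics the vendor build server. Container layout:
// 4-byte big-endian version || payload || Ed25519 signature over the
// first two fields.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4, 4+len(payload)+sigLen)
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyUpdate is the device-side gate: anything not signed by the pinned
// vendor key is rejected, as is a downgrade below the installed version
// (replaying an old, legitimately signed image with known bugs).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, update []byte) ([]byte, error) {
	if len(update) < 4+sigLen {
		return nil, errors.New("update too short to contain header and signature")
	}
	body, sig := update[:len(update)-sigLen], update[len(update)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature does not verify under the vendor key")
	}
	if v := binary.BigEndian.Uint32(body[:4]); v < installed {
		return nil, fmt.Errorf("rollback rejected: version %d < installed %d", v, installed)
	}
	return body[4:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := BuildUpdate(priv, 2, []byte("constructed firmware payload v2"))
	_, err := VerifyUpdate(pub, 1, good)
	fmt.Println("genuine update accepted:", err == nil)
	tampered := append([]byte(nil), good...)
	tampered[8] ^= 0xff // flip one payload byte: the signature no longer matches
	_, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered update rejected:", err != nil)
	_, err = VerifyUpdate(pub, 3, good) // device already runs version 3
	fmt.Println("downgrade rejected:", err != nil)
}
```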

Even scarier is Verizon’s response to this revelation: A Verizon spokesperson said Yealink’s DMP “has been built to meet the custom requirements of Verizon” and that the customization was related to “security; feature management exposure to the devices through the DMP; firmware management and remote diagnostics.”

Does that mean that Verizon is in cahoots with China?

If all of this wasn’t bad enough, the phone sends encrypted messages to China three times a day.

The Commerce Department responded to the Senator saying that they take this stuff seriously.

Whatever the hell that means.

My guess is that this is probably not a lot different than other tech that may be in your office or home – which means that you might want to be more aggressive in reviewing the security of those tech toys.

Credit: Defense One

Security News for the Week Ending December 24, 2021

Russian Hackers Make Millions by Stealing SEC Earnings Reports

A Russian hacker working for a cybersecurity company has been extradited to the U.S. for hacking into the computer networks of two SEC filing agents used by multiple companies to file their quarterly and annual SEC reports. Using that insider information, the hacker traded stock in advance of the earnings being made public and earned millions. The hacker made the mistake of visiting Switzerland. I guess he figured that the U.S. did not know who he was. He was wrong. Credit: Bleeping Computer

Security Flaw Found in Popular Hotel Guest WiFi System

I always tell people not to use hotel guest WiFi systems because they are not secure. A researcher says that an Internet gateway used by hundreds of hotels for guest WiFi is not secure and could put guests’ personal information at risk. The gateway, from Airangel, uses extremely easy-to-guess, hardcoded passwords. You can pretty much guess the rest. Credit: Tech Crunch

Feds Recover $154 Million in Bitcoin Stolen by Sony Employee

The U.S. has taken legal action to seize and recover $154 million stolen from Sony Life Insurance by an employee in a very basic business email compromise attack. The funds were supposed to be transferred between company accounts but were diverted. The hacker was not very smart, was in a country friendly to the U.S. (Japan), used a U.S. bank account and a Coinbase Bitcoin account, making it pretty easy to recover once found. The FBI managed, somehow, to obtain the private key for the hacker’s Bitcoin wallet, which made recovering the funds even easier. What the FBI has not disclosed is how they were able to recover the private key, probably because they do not want to disclose methods. Score one for the good guys. Credit: Bleeping Computer

Former Uber CSO Faces New Charges for Breach Cover-Up

Here is a tip about covering up a breach. Joe Sullivan, Uber’s Chief Security Officer between 2015 and 2017, faces more charges of covering up Uber’s breach. This time it is deliberately covering up a felony, which could bring him 8 years in prison and a $500,000 fine. Knowing Uber, they are probably not paying his legal costs. Moral: don’t lie. Credit: Data Breach Today

Russia Surging Both Tanks and Cyberattacks on Ukraine

In addition to moving 175,000 soldiers to the Ukraine border as Ukraine plans to join NATO, Russia is also stepping up cyberattacks on Ukraine’s financial system and critical infrastructure. In response, the US, UK and other friendly (NATO) countries have sent cyber experts to Ukraine to help defend their digital frontier. What war looks like now. Credit: Data Breach Today

The Information War Takes to the Air

The Chinese drone maker DJI controls nearly 70% of the commercial drone market (Credit: Hindustan Times). DroneXL says that they control 54% of the total drone market and that this number is down 15% from last year (which could match the 70% number). In any case, their next nearest competitors are Autel at 7% and Parrot at 3%.

As you can see, they are a major player, no matter the number.

In 2020 the Department of the Interior grounded its fleet of 800 DJI drones, except in cases of emergency.

Why? Because the government is concerned that DJI is routing information back to China. China is in the mode of collecting data now and figuring out how to use it later.

Most Americans don’t seem to care. After all, the drones work and they don’t understand national security – and that is someone else’s job, right?

If the data is going back to China, it is likely going back to the government – specifically the intelligence community.

Last week the feds blocked American investment in DJI. Last year the administration blocked US companies from selling it parts. There is a bill in the Congressional sausage maker that would ban the feds from buying DJI drones and the FCC wants it banned in the US period.

For a decade now, the occupants of the White House have been sounding the warning bell about China’s voracious appetite for US data, while China stops foreign companies from doing the same thing to Chinese citizens. That is why many US companies are leaving China. Some, like Apple, find the market too lucrative to leave. Instead, they give in to the Chinese government’s demands for access to all of their users’ data while coming up with a bogus spin story so that they can pretend that they care about users’ privacy. Others, like Microsoft’s LinkedIn and Yahoo, are telling the Chinese to get lost and are pulling out of the market.

Since everything from toilets to yoga mats now transmits data (and is probably made in China) and no one really knows what data is being collected and for what purpose, some folks are getting nervous.

One possible use for all the data? As training material for artificial intelligence and machine learning.

Many countries are starting to think about protecting their citizens’ data. Not surprisingly, the US is far behind other countries because big tech lives on using your data. China, on the other hand, just issued a new edict seriously locking down what big tech companies, especially US ones, can do with consumers’ data. They are also mandating government controlled cybersecurity reviews (AKA let me see and steal your source code) and China even mandated a review of the source code of Chinese companies that want to list their stock on foreign stock exchanges. This is just a not so covert way to get those Chinese companies to delist from foreign capital markets.

The former US administration attempted to ban TikTok (of all of the data sources, is this the most risky?) and also to get our allies to build a clean telecom network, free of Chinese gear. That went somewhere in the US, but did not catch on elsewhere.

The FCC says that DJI sells about 95% of the drones priced between $350 and $2,000. That is market dominance. If the FCC decides to ban DJI (by refusing to review the radio frequency emanations, making them illegal to sell here), it is likely that China would retaliate in some way. What way? Not clear. While China says it is unfair to block DJI here, they do their best to block US companies in China.

DJI has released versions of its drones that it claims allow users to control where the data goes. If you believe them.

Remember that Chinese companies are required to assist the Chinese government if asked and keep that fact quiet. Based on that, what foreign government is going to trust any privacy statements made by DJI?

All of this is affecting DJI’s share of the corporate market. After all, what publicly traded company wants to be known for buying Chinese drones? But DJI is trying to fight back by offering quality and features at a way below cost price. After all, the Chinese government will help them if needed.

Stay tuned to see what Congress and the FCC do. Credit: Yahoo

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS’s CISA and formerly at NSA and a professor at the US Military Academy at West Point says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who’s who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15, didn’t close the hole and now there is a new release, 2.16. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks looking for the Log4J vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month-Total Haul is Over $400 Mil

Vulcan Forge is the next cryptocurrency company to get hit by hackers. Hackers stole about $135 million from them. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In Vulcan Forge’s case, since it is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple AirTags Make a Wonderful Stalking Tool

Stalkers are using Apple AirTags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an AirTag was following her. She found the tag on her trunk. If a stalker tried to hide it, say under her car somewhere, it would be more difficult to find. Apple says that Android users can detect a rogue AirTag because it will beep if it is separated from its owner for more than three days (assuming that is the case).

Credit: Apple Insider and Daily Kos. Apple has released an Android app to detect rogue trackers, but how many Android users are going to even think of downloading an Apple app? Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom has allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency’s systems. Security firm Avast discovered the intrusion in May, spoke to the agency’s executive director and even talked to CISA. After getting no follow-up for months, Avast published their findings. Avast says that due to lack of communications from the Agency, they don’t know if they fixed the problem. They have since reached out to other agencies and NGOs focused on international rights to warn them. Maybe they fixed the problem right away? Who knows? Credit: Data Breach Today