Cyber Cease-Fire: US v. China


As published on Norse on October 6th, 2015

Interesting times indeed, now that the outcome of Chinese president Xi Jinping’s two-day visit to the White House last week has been made public. According to the White House press release, this is what was agreed:

  • The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities.  Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.  Both sides also agree to provide updates on the status and results of those investigations to the other side, as appropriate.
  • The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
  • Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community.  The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security, which addresses norms of behavior and other crucial issues for international security in cyberspace.  The two sides also agree to create a senior experts group for further discussions on this topic.
  • The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.  China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue.  The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States.  This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side.  As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests.  Finally, both sides agree that the first meeting of this dialogue will be held by the end of 2015, and will occur twice per year thereafter.

 

Second-guessing

At first glance this sounds wonderful, but it didn’t take long before the second-guessing started, with Barack Obama himself making statements such as “What I’ve said to President Xi, and what I say to the American people, [is] the question now is: ‘Are words followed by actions?’”

It’s important to look at this meeting in the context in which it was held. As most people are aware, the US has been experiencing cyber-attacks almost non-stop for years now, on multiple fronts. The US criticizes China not only for attacking US government infrastructure, but also for the massive theft of intellectual property that commercial enterprises in almost every industry are suffering. The widely publicized OPM hack was only the most recent event that made the American cup ‘runneth over’.

But the US is hardly the innocent victim that it portrays itself to be. Well-known whistleblower Edward Snowden revealed that the US has actively been attacking Chinese infrastructure as well, in order to ‘prepare the battlefield’ for any potential physical conflict. The US has admitted doing so, but claims that no intelligence from the large cyber intelligence gathering ‘driftnet’ known mostly by its moniker PRISM is fed to American enterprises for their commercial benefit. Whether that is true, of course, remains to be seen. After all, accusations of unfair commercial advantages through government espionage have been shown to contain some substance in the past.

 

Limiting cyber-attacks

In this regard, it is not surprising that it is the US calling for an agreement on limiting the cyber-attacks between the two nations. When taking the theft of intellectual property into account, the US simply has more to lose. It should also not be forgotten that not long ago China signed a treaty with Russia that, among other things, contained a pledge that they would not hack each other. This same treaty also further solidified their efforts to influence global internet governance, about which I commented in an earlier article, giving the US all the more reason to try to calm the waters with China.

 

So what does this treaty mean?

Of the four points covered under Cybersecurity, only the first two have some meat to them. As also mentioned in my previous article, the Chinese are very unlikely to sign any treaty on internet norms of behavior that includes a reference to the UN’s definition of human rights. The entire third bullet point might as well not have been there: it is window dressing, and was probably only agreed upon because it shows a willingness to ‘get along’, whether real or imagined. The last point, about the ‘cyber hotline’, doesn’t actually say a whole lot at all, so let’s move on to the more salient points.

It should be noted that the US is trying to stop the attacks against American businesses while trying to keep the option of ‘battlefield preparation’ on the table. This isn’t guesswork, it’s public record; just look at what American politicians are saying on the subject. In other words, both countries now seemingly agree that attacks on government networks are more-or-less allowed, but commercial enterprises are considered off-limits. In the unlikely event that both parties actually honor the agreement, this would be a clear win for the US.

 

An unlikely agreement

And that the agreement will be honored does seem very unlikely. For one, the Chinese government has never acknowledged any involvement in cyber-attacks against commercial enterprises, and it is highly unlikely that it ever will. If those attacks were now to suddenly cease, it would be a tacit admission that it had such control in the first place, and would put the lie to every official statement the Chinese government has ever issued on this topic. Another important factor is the simple question of “Cui bono?”: who benefits? The Chinese would lose a very effective method for national advancement in many areas, and the only cost thus far has been (relatively light) international criticism. They would gain nothing, whereas the US would gain a stopgap in the massive IP drain.

In short: the agreement seems a bit one-sided, and that does not bode well. It may well be that China agreed only to stave off the sanctions that the US has been casually dropping to the press recently. Whether China takes these sanctions seriously is debatable, because China remains the largest foreign holder of US debt, which means it can push back considerably. Then again, China not honoring the agreement is probably expected. Despite what some critics may say, the people involved in drafting this treaty are not fools. With this agreement on the table, the American case becomes much stronger if China does violate it, as Jason Healey points out.

As always, time will tell.

 

Missing in Action: Cyber Dictionary?


As published on Norse on September 22nd, 2015.

I recently stumbled over an old issue that has shown no signs of being resolved: the lack of a normalized lexicon for cyber security. We can’t seem to start agreeing on terminology, even though the cyber security industry is rapidly professionalizing globally and the need for a universally understood set of concepts is beginning to show. The best example of this problem is that there are at this moment roughly 28 definitions for the concept we know as “cyberspace”, with the most recent draft definition apparently being:

Cyberspace defined

Cyberspace is a global and dynamic domain (subject to constant change) characterized by the combined use of electrons and electromagnetic spectrum, whose purpose is to create, store, modify, exchange, share and extract, use, eliminate information and disrupt physical resources. Cyberspace includes: a) physical infrastructures and telecommunications devices that allow for the connection of technological and communication system networks, understood in the broadest sense (SCADA devices, smartphones/tablets, computers, servers, etc.); b) computer systems (see point a) and the related (sometimes embedded) software that guarantee the domain’s basic operational functioning and connectivity; c) networks between computer systems; d) networks of networks that connect computer systems (the distinction between networks and networks of networks is mainly organizational); e) the access nodes of users and intermediaries routing nodes; f) constituent data (or resident data). Often, in common parlance, and sometimes in commercial language, networks of networks are called Internet (with a lowercase i), while networks between computers are called intranet. Internet (with a capital I, in journalistic language sometimes called the Net) can be considered a part of the system a). A distinctive and constitutive feature of cyberspace is that no central entity exercises control over all the networks that make up this new domain. – Mayer, Martino, Mazurier & Tzvetkova (2014)

This is a considerable problem for the eventual advancement of the practice, because ‘cyberspace’ is the root term from which the entire “cyber-everything!” craze stems, and we can’t even seem to agree on what that is, exactly. How can we properly define derivative terms from a core concept that we don’t universally agree on? What is Cyber Security if nobody agrees on what Cyber is?

Cyber-anything

The result is that cyber-anything is, essentially, a rough approximation of what we mean to say. Developments in the industry haven’t yet reached the point where this is a problem for real scientific advance, because there is still so much to discover. But in the long run, if the profession is to mature and advance beyond the initial growth spurt we are currently experiencing, people will have to perform research. Thanks to that same ill-defined cyberspace, desktop research is often largely based on searching for keywords in existing research (thank you, Google Scholar!). And herein lies the rub: you cannot reliably search for a concept whose name nobody agrees on.

As said, it’s not just cyberspace that we can’t conceptually agree on. We also can’t seem to agree on the use of other terms. For instance, the terms ‘cyber security’, ‘information security’ and ‘cyber defense’ are used liberally, and generally to refer to the same set of concepts, but not always. The terms ‘defense’ (singular), ‘security measure’ and ‘security control’ are likewise all used to describe roughly the same concept.

Cybersecurity strategy

Give yourself the challenge of figuring out what ‘cyber security strategy’ means. Some quick research will show that some authors use the term to describe “security one-liners”, such as the security principle ‘Reduce Attack Surface’, whereas others use it to describe entire frameworks. There are also authors who do not use the term “strategy” where it would have made good sense to do so.

To answer any research question on the subject of cyber security strategies, it is necessary to first be clear on which interpretation is used. We need to know where we are now to determine where we want to go. As an industry, we have an obligation to the rest of the world to be clear about what we mean by the words that we use. Many people complain about the use of the term ‘cyber warfare’. The most commonly heard complaint is that talk about war incites war, and that the resulting ‘militarization’ of the internet is an undesirable state. Blaming the lack of a universal lexicon for this is almost certainly overstating it, but it doesn’t help either. The press loves ‘sexy’ language, and military lingo sounds very impressive. It sells. It makes for bad reporting, but considering that we, as an industry, haven’t provided them with anything better to use, maybe they are not the only ones to blame here.

The future

If the Internet has proven anything, it is that there can be cooperation on a global scale. Perhaps one of the custodian organizations of the Internet, such as the IETF, can be used as a vehicle for the development of a universal set of concepts, who knows? But it certainly is high time we get started, before the future catches up with us.

 

The Right to Strike Back

As published on Norse on June 26, 2015.

Last week, at the HiP Conference in Paris, there was a debate on whether or not it should be allowed to strike back when you are being hacked. Currently, criminal law in most countries does not allow it. But is this tenable in today’s highly digitized society, rife with cybercrime?

My position in this matter is that we should create a legal recognition of the fact that we are in a social gray area where it concerns the Internet, even if it is only a temporary recognition, and allow for some capability to strike back at cyber criminals. As I’ve said before, humanity is only now scratching the surface of what it means, socially and culturally, to have (largely) unrestricted access to the collective knowledge of Man at our fingertips, (almost) everywhere and (almost) anytime we desire.

In virtually every aspect of the human experience, it has made its impact felt. The number of human lives that remain completely untouched by some kind of information technology is rapidly dwindling to zero as technology advances and our adoption of it continues to rise.

Under the umbrella term “Cyber”, which is revered and reviled in equal measure, we are inching our way through the various aspects of our daily lives to adapt our old notions of how we ‘did things’ to the new realities we face in the Information Age. Crime, international politics and armed conflict are among the most hotly debated topics in this regard. What I am getting at is that, in a social and cultural sense, Cyberspace can (and in my opinion should) be considered terrain in the early stages of colonization. Think of it as the New Frontier or the Wild West, if you will.

We recognize that there is this huge new area that can be explored, colonized and exploited, but exactly because it is new and untamed, there should be only a limited expectation of Law and Order. Certainly, in most countries the national laws have been revised to incorporate the new realities of Cyberspace. But often these amendments or new laws are only rough first drafts, because very few (if any) people understand exactly what Cyberspace means, culturally and socially.

What doesn’t help is the fact that as our technology continues to advance, our uses of it, and in turn the consequences, change with it. In other words: even if we manage to define proper laws for the circumstances right now, there is a good chance that they will be outdated by technological advances in short order. But that is not really the core issue. Having properly defined, applicable and reasonable laws is only the first step. You have to be able to enforce a law if you expect people to follow it; otherwise it becomes little more than an advisory note, a cute bauble that the criminally inclined can have a chuckle over while they continue making money off the exact crimes you’re trying to prevent. And that, unfortunately, is largely where we are now.

Despite being a horrible analogy in every other sense, Cyberspace is the Wild West. Law and Order is reasonably established in some areas, but for the most part you can only depend on the occasional sheriff or Ranger. As was the case in the early years of the Wild West, there is, on the whole, not a whole lot of coordination between law enforcement, the government and the citizenry. This can easily be verified by looking at the figures. The number of successfully prosecuted cybercrime cases is very small indeed when compared to the number of reported incidents. Also consider that we don’t see every incident, and even when incidents are discovered, they are not always reported. Please don’t misunderstand what I am trying to say: this is not intended as a snipe at law enforcement or the government. They are trying to get a handle on these cases. But the fact of the matter is that we have a serious lack of expertise and experience across the board. There just aren’t enough people skilled and experienced enough to make a serious dent in the numbers, or, for that matter, to more quickly develop an underlying framework that makes law enforcement of cybercrime any easier.

Frameworks containing (and hinging on) effective international agreements, laws and political policy to address cybercrime are also still being developed. The often-heard argument for forbidding people from striking back at cyber criminals is that to do so is an offensive act, and not a defensive one. In other words, striking back should be considered a weapon and not a shield. In the strictest sense of the definition this is indeed correct. However, just looking at the success rate of cyber-attacks alone will dissuade anyone from the notion that a “good defense” is enough to stave off a cyber-attacker.

Even the US military, with the highest defense budget in the world, can’t prevent some attacks from being successful. In very practical terms this tells us that we cannot count on being secure when we are only allowed to defend ourselves; something is clearly missing. Perhaps that missing element is the right to strike back. To stick with the earlier analogy of the Wild West, we are unarmed and the criminals are not. Essentially we are telling people not to act when they are being attacked: to trust the Police to protect us against predators, to sit still and pray that the criminals don’t find the valuables we’ve buried in the proverbial shed. But clearly the Police are not capable of doing so right now, as can easily be deduced from the figures mentioned earlier.

In my opinion this is untenable, and quite frankly I find it unconscionable to leave the average citizen as such an easy prey. During the debate I therefore argued for at least a temporary recognition that allows for striking back at our assailants, with the express goal of halting an attack. It will be interesting to see how the other panelists view it, and I look forward to hearing if perhaps there is another solution to the problems we face today.

The Problem with the Universal Right to Online Privacy

As published on Norse on April 15, 2015.

A landmark decision was made by the UN Human Rights Council on March 26th to address privacy issues arising from the pervasive monitoring by the UK and the US, in an attempt to establish that freedom from excessive (online) surveillance is a basic human right.

The resolution was spearheaded by Germany and Brazil, where public debate about online surveillance has been most intense. Naturally, German Chancellor Angela Merkel has not yet forgotten the fact that her mobile phone was tapped, and even went as far as expelling the CIA station chief in Berlin.

Brazil’s President Dilma Rousseff cancelled a trip to the US in protest of the surveillance on Brazil’s political leaders. Given that it is prime US policy to keep tabs (well, and taps) on all political leaders in the entire continent of South America, there is little doubt that the sentiment is shared amongst all South American nations.

It was expected that the resolution would be blocked by the US and the UK, but it was adopted by consensus, and the UN will be appointing a Special Rapporteur in June. This Rapporteur will have a “remit to monitor, investigate and report on privacy issues and offer advice to governments about compliance. They will also look into alleged violations.”

The initiative, which contains the phrase, “the rapid pace of technological development enables individuals all over the world to use new information and communications technology and at the same time enhances the capacity of governments, companies and individuals to undertake surveillance, interception and data collection, which may violate or abuse human rights,” sounds very compelling and a worthy cause.

However, those who are skeptical of such an initiative have much reason to be.

To start, the UN has over the years steadily ignored both Article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights (where the Right to Privacy is mentioned).

This is hardly surprising, since quite a number of UN member states have a rather uncomfortable record on Human Rights as a whole, and there has so far been little appetite for a clash on this subject.

Another major reason to remain skeptical is the equally uncomfortable fact that virtually 100% of all the UN member states are involved with pervasive online surveillance programs in one way or another.

In that respect there is plenty of negative sentiment to go around when it comes to online surveillance, and rightly not all of it is directed towards the US and the UK.

Even Germany, which is taking the lead in setting up this initiative, has been caught with its proverbial pants down when it was discovered that its own foreign intelligence service, the BND, was sharing data on German citizens with the NSA.

They are hardly alone in this: the number of European countries that haven’t been subject to news in that area can be counted on one hand. To put forth an act that limits their own intelligence gathering operations seems counterproductive at best.

Lastly, it can be argued that the “Universal Right to Privacy” does not translate equally to “Universal Right to Online Privacy.”

However foolish it may seem, we have had a number of examples where such a translation proved much more difficult than it appeared. And these were not small topics: The laws surrounding warfare, for instance, or cybercrime.

Taking all these facts into account, it seems reasonable that this new initiative has some credibility issues. It will be very interesting to see if it develops some teeth moving forward.

Enterprise Security vs. Nation State Threat Actors

The recently published Snowden/NSA/GCHQ slides regarding the Gemalto hack have caused quite a stir amongst security practitioners, board members and politicians alike. But the uproar is minor when considering that it is now more than clear that it is not only non-allied nations such as China, Russia and Iran that are attacking commercial entities. Nation states that we are on good terms with are apparently equally willing and able to attack their allies, just to get ahead in the Intelligence and Battlefield Preparation game. Good friend and excellent analyst Richard Stiennon already acknowledged (allied) nation states as a threat actor for the commercial industry in his 2013 article “NSA Surveillance Extends the Threat”. He asserted that the NSA was leading the threat hierarchy and advocated a global re-evaluation of one’s security stance. From what has been unveiled recently this is due for a revision yet again, as it is clear that British GCHQ is following the same playbook. Given that both are core members of the “Five Eyes” community, it is increasingly safe to assume that Australia, Canada and New Zealand follow the same methodology, but that is beside the point of this article.

What does this mean?

When comparing the slides and modus operandi concerning Gemalto with what was disclosed about the Belgacom hack, useful observations can be made regarding the tactics employed by GCHQ and the NSA. And that MO demonstrates quite clearly what the real problems for commercial entities are when faced with a nation state as an adversary.

First off, they are difficult to expect. That’s right: expect, not detect (although that is probably equally true). Nation states have considerably different motives, and these may not always be obvious. Gemalto and Belgacom were targeted because they were gatekeepers to communication networks, in this case telecommunications. They in turn contained what the NSA and GCHQ were actually after: the communications (potentially) running over those networks. It seems like arguing semantics when we differentiate between targeting the communications networks and the communications themselves, but it is quite relevant: both the NSA and GCHQ have other, legal recourses to obtain the communications they are looking for, but are actively and purposely choosing other avenues. In short, it is not usually obvious what governments are interested in, and even if they have other (legal) means to obtain their target, they might still attack you if that proves to be more useful or less of a hassle.

Second, they are nearly impossible to deter. Cyber criminals generally tend to pick the low-hanging fruit. This will probably remain true as long as there remains so much of it available. The other major category popular with cyber criminals is the ‘big score’, where the spoils of a successful heist are so rich that attackers consider their time and resources a good investment. Naturally this last group has more staying power than the first group, but both will eventually bug out if the operation is found to be too difficult or risky. Corporate espionage can potentially stay in the game where a cyber criminal would have given up, but that is very dependent on the level of resources and risk that a firm is willing to commit. You can deter criminals and corporate spies by securing your infrastructure to such a degree that the reward of breaking in is not worth the effort. Governments have deeper pockets and thus far seem to be more-or-less immune to criminal prosecution. This significantly alters the equation for such parties. The local social environment of the attacker also plays a role. Corporate spies or criminals basically get told[1] “Get in there if you can”, while soldiers get told “Get in there [period]”. Government operatives don’t get deterred by tedious work or lack of funds. To keep them out, breaking in has to be made impossible and, provided that can be done at all, the task will be Herculean and costly.

It should also be pointed out that governmental espionage is not solely about national security. Many intelligence services are tasked not only with security, but also with so-called ‘Economic Intelligence’. To put it bluntly, they are also looking for anything that might give their national corporations an edge against foreign competitors. The reason is simple: successful corporations are a boon to any nation. Not just for the additional tax income they generate, but also for the additional jobs and innovation power they bring. Some intelligence agencies focus more on this than others, but most do it to some degree. We have seen evidence of this before, during the Echelon program. Several high-stakes deals were won by American firms due to the intelligence provided to them by the American intelligence apparatus. We can only guess at what intelligence the NSA is currently feeding to American firms. Perhaps the tech firms that are under the NSA yoke are being rewarded sub rosa as compensation for the multi-billion dollar loss they have incurred (or will incur) over lost trust.

Third, they have capabilities unique to this category of attacker. When looking at the Belgacom and Gemalto hacks, it is clear that one major new factor in their approach is Intelligence. Highly trained government intelligence agents are tasked with scoping out the target. They will find key target personnel in short order. It is their job to do so, and even in small nations these operatives are trained and experienced to a degree that will never be matched by a corporate entity. This might be the most effective tool in their arsenal, and next to impossible to defend against. The average person working for a corporate entity will be completely unarmed against people professionally trained in disciplines such as surveillance and interrogation. Would they spot a tail when walking or driving? Would they realize they are being interrogated during a seemingly innocuous conversation with a stranger? Would their family? What is worse is that nothing private is off-limits when gathering intelligence. Private emails, browsing history, social media, cellphone conversations and text messages are all scrutinized in the hope of finding a way inside the target organization. They are not above infecting a staff member with a piece of custom-made malware if it furthers their goal. The more staff a company has, the bigger this attack vector is. The problem is exacerbated when dealing with technologically advanced nations, due to the higher degree of technological refinement in their attacks.

Fourth, that we know of their operations does not mean they have stopped. It sounds strange, but for some reason many people seem to think the threat is over now that we are aware of it. It is stating the obvious, but that is not the case. All that has really changed is that we now have some measure of tangible proof to something that was strongly suspected for a long time. The repeated wake-up calls are working to force a long overdue focus on security, but it still has to be acted upon and followed through on. The security industry finally has the clout to address the serious issues, and it can be done without overhyping the matter. Throw away old disparaging sayings such as “if they want to get in, they’ll get in” and do what can be done.

 

Naturally there is more to this issue than the points described above. What is clear is that the corporate world is faced with a potential adversarial class that it is not equipped to deal with. In this regard the world is not that different from the Dutch Golden Age in the 17th century. The Dutch East India Company (VOC) had a large fleet of merchant ships that were regularly attacked by foreign ships of war belonging to nations that the Netherlands was at war with at the time. The naval frigates outclassed the often cumbersome trading vessels, and defending themselves to a sufficient degree simply wasn’t economically feasible. This problem grew to such an extent that valuable VOC convoys eventually received Dutch naval escorts for protection, even though the company did have to help pay for them. What is worth wondering about is whether we can find a similar common ground with Government and truly co-defend in a meaningful manner.

 

[1] Or conceive the notion themselves, naturally.

Data Mining Protection: Taking A Privacy Roadtrip with IRMA

If you have ever clicked “I Agree” on Facebook or an Apple device without really going through it, it might be worth your while to go back and read up. Do you know where your data is going?

A few months ago I went to get a haircut at my local barber shop. The work was done and I walked to the register to pay. The kind lady who had done my hair asked me something I had somehow never seen coming: “Would you like to fill out this customer loyalty card?”

My barbershop, a place that had always remained unchanging, the last bastion of complete digital disconnection, had entered the digital age of nonsensical data gathering and targeted marketing. I regretted it instantly.

A casual look at the contents of one’s wallet now tells you exactly how far the broad-spectrum gathering has already gone. All the credit card-shaped slots in my wallet are full, and I have a stack of at least 40 similar cards at home that I don’t use.

All those customer loyalty cards are there for one key reason: data mining. Many organizations are trying to get to know as much about you as they possibly can. Very often this includes things about you that they have no purpose for.

Whether they want to be better at targeting their sales efforts at you, or to resell that information to third parties, the endgame is almost always about profit.

And the reselling of such data doesn’t just happen occasionally – it’s big business. According to a McKinsey Global Institute study from 2012, data is a $300 billion a year business that employs 3 million people in the US alone.

You’ve probably never heard of companies like Acxiom, but you can be sure that they know all about you. Information that you gave one company is happily sold to another company without your knowledge and, in most cases, with consent you never knowingly gave.

With the ever increasing digitalization of our society, it’s becoming more and more obvious that all that information gathering and sharing comes at a great cost: our privacy. Fortunately, there are some great initiatives on the horizon that help combat the broad-spectrum data mining that is going largely unchecked.

IRMA is one of those initiatives that can help a great deal. IRMA stands for I Reveal My Attributes, and it essentially comprises a whole new way of approaching identity, authorization and authentication.

It is a project of the Privacy & Identity Lab, which is a collaborative union between research-oriented institutes in the Netherlands such as the Radboud University Nijmegen, the Tilburg Institute of Law, Technology and Society (TILT) and TNO.

Using the underlying technologies of Idemix (IBM) and U-Prove (now Microsoft), IRMA is essentially a new form of identity smartcard that can be ‘loaded’ with various sets of ‘credentials’ from different sources, such as the local authorities.

Information such as Date of Birth, Nationality or Place of Residence can be stored on the card and you can use those attributes in transactions both online and offline in a variety of scenarios.

For instance, in local elections: you must show that you are a resident, and you currently have to show some proof of ID before you are allowed to vote. In theory, this means you are no longer anonymous.

With the IRMA card, this is a thing of the past. You’d simply present your card and they would only see that Yes, you are a resident of that town. They would also see who issued that credential to you (such as the government), but nothing that compromises your identity.

The same scenario plays out when purchasing liquor. In the Netherlands the minimum age for purchasing alcohol is 18 and shop owners are legally required to ask for ID. All they really need to verify is whether the buyer is over 18.

This attribute is stored on the IRMA card, and that is all it will tell the shop owner: “Yes, this person is over 18”. Neither your age nor your date of birth is transmitted, just the indicator of whether you are over 18 or not. Again, nothing but this attribute and the source of the attribute is shared.
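To make the “reveal only what is needed” idea concrete, here is an added example of my own; it is not IRMA or Idemix code (those use zero-knowledge proofs, not this hash-based scheme). It assumes an issuer that commits to each attribute with a salted SHA-256 hash and signs the list of commitments with a Lamport one-time signature, built from the standard library only. The holder then opens only the `over18` commitment; the verifier learns that value and that this issuer signed it, but never sees the date of birth. All attribute values are constructed for the example.

```python
"""Selective disclosure of signed attributes: a simplified stand-in for IRMA.

Assumed scheme (not the IRMA/Idemix protocol): the issuer signs a list of
salted hash commitments with a Lamport one-time signature; the holder opens
only the commitments it chooses to reveal.
"""
import hashlib
import secrets

HASH_BYTES = 32
HASH_BITS = HASH_BYTES * 8


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Lamport one-time signature: the issuer's signing key (one credential per key) ----
def lamport_keygen():
    sk = [(secrets.token_bytes(HASH_BYTES), secrets.token_bytes(HASH_BYTES))
          for _ in range(HASH_BITS)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bit(digest: int, i: int) -> int:
    return (digest >> (HASH_BITS - 1 - i)) & 1


def lamport_sign(sk, message: bytes):
    digest = int.from_bytes(sha256(message), "big")
    # Reveal one of the two secret preimages for every bit of the message digest.
    return [sk[i][_bit(digest, i)] for i in range(HASH_BITS)]


def lamport_verify(pk, message: bytes, sig) -> bool:
    if len(sig) != HASH_BITS:
        return False
    digest = int.from_bytes(sha256(message), "big")
    return all(sha256(sig[i]) == pk[i][_bit(digest, i)] for i in range(HASH_BITS))


# ---- Attribute commitments and the credential ----
def commit(salt: bytes, name: str, value: str) -> bytes:
    # The random salt stops a verifier brute-forcing low-entropy values
    # (a date of birth has only a few tens of thousands of possibilities).
    return sha256(salt + name.encode() + b"\x00" + value.encode())


def credential_root(commitments) -> bytes:
    return sha256(b"".join(commitments))


def issue_credential(issuer_sk, attributes: dict):
    """Issuer: commit to every attribute and sign the ordered commitment list."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    names = sorted(attributes)
    commitments = [commit(salts[n], n, attributes[n]) for n in names]
    signature = lamport_sign(issuer_sk, credential_root(commitments))
    # Salts and attribute values stay with the holder; only commitments are public.
    return {"commitments": commitments, "signature": signature,
            "salts": salts, "attributes": dict(attributes)}


def present(credential, reveal):
    """Holder: disclose only the named attributes (value plus salt to open them)."""
    return {
        "commitments": credential["commitments"],
        "signature": credential["signature"],
        "disclosed": {n: (credential["salts"][n], credential["attributes"][n]) for n in reveal},
    }


def verify_presentation(issuer_pk, presentation, required: dict) -> bool:
    """Verifier: check the issuer signature, then that every required attribute
    opens one of the signed commitments with the expected value."""
    root = credential_root(presentation["commitments"])
    if not lamport_verify(issuer_pk, root, presentation["signature"]):
        return False
    for name, expected in required.items():
        if name not in presentation["disclosed"]:
            return False
        salt, value = presentation["disclosed"][name]
        if value != expected or commit(salt, name, value) not in presentation["commitments"]:
            return False
    return True


def demo():
    """Liquor-store scenario: reveal only over18, keep the date of birth private."""
    sk, pk = lamport_keygen()
    cred = issue_credential(sk, {"date_of_birth": "1980-05-17",   # constructed sample values
                                 "over18": "yes", "resident_of": "Nijmegen"})
    shown = present(cred, ["over18"])
    accepted = verify_presentation(pk, shown, {"over18": "yes"})
    leaked_dob = "date_of_birth" in shown["disclosed"]
    return accepted, leaked_dob


if __name__ == "__main__":
    print(demo())  # (True, False): accepted, and no date of birth disclosed
```

Two properties this does not give you, and which are the reason IRMA builds on Idemix and U-Prove instead: the commitment list acts as a fixed identifier, so two presentations of the same card are linkable, and the verifier must know each issuer's public key for one credential only (a Lamport key is one-time). It does show the core property the post describes: the issuer's signature still verifies while the undisclosed attributes stay hidden, and a holder cannot change a disclosed value without the commitment check failing.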

The project is still under development, so it is hard to say exactly how it will eventually turn out. But the concept is very promising. If users are indeed capable of choosing additional attributes to store on the card, which is currently the direction it is heading, it can theoretically replace virtually every card in your wallet today.

Naturally users can only load attributes up to a point; some information must always come from highly trustworthy sources, but there should be plenty of room for user freedom.

Imagine just having to carry one single card. Driving license? Passport? Customer loyalty cards?

Every one of these items has attributes that are just as easily stored on an IRMA card. Provided the physical and cryptographic properties are secure enough, we may even be able to replace our bank cards with the same single IRMA card.

If you’d like to learn more, visit the project site. One of the lead scientists, professor Bart Jacobs, explains the whole project much more eloquently than I ever could. Find it here:

GCCS2015 Part II: Government Influence is the Key Issue

(As published on Norse: Feb 5th, 2015)

As we noted in Part I, GCCS2015: Battlefield for the Internet’s Multi-stakeholder Coup, the next iteration of the Global Conference on CyberSpace (GCCS2015) will be held on April 16th and 17th in The Hague, the Netherlands this year. It is the world’s premier political conference on cyberspace.

The Internet was founded on, and has ever since been based on, the multi-stakeholder principle. That is to say: the Internet does not belong to any government, it belongs to everyone equally.

In fact, aside from lending material support, governments have had precious little to do with the development, implementation and administration of the Internet. The brunt of the work has been done by civilian institutions such as the IETF, ICANN, IANA and a whole slew of similar civilian non-profit organizations.

But as time progressed and the significance of the Internet grew, so too did the urge of the world’s governments to control it. This is signified most clearly by the continued attempts of the UN to move this piece of internet governance away from the US-based ICANN to the International Telecommunication Union (ITU).

At first glance, the ITU seems innocuous enough. It has a membership of over 193 countries and over 700 commercial entities such as Apple and Cisco. However, the ITU is an agency of the UN and therein lies the rub.

The ITU is ultimately subject to the will of the UN charter members. It will face considerable pressure from many UN nations, such as Russia, China and Iran, that are staunch supporters of ‘cyber sovereignty’.

The ‘cyber sovereignty’ camp considers the current state of affairs to be a direct threat to their national security, primarily because they have no easy way to censor content. They will no doubt push for measures stifling internal dissent and perhaps even for measures to censor content disagreeable to them.

In fact, they’ve pretty much said so.

Several blows have already been dealt to advance the power shift towards the ITU during the 2012 World Conference on International Telecommunications (WCIT), as excellently commented on by Alexander Klimburg in his article “The Internet Yalta”.

In his article he describes how China and Russia managed to sway most of the developing nations to support ‘cyber sovereignty’, and how the whole issue devolved into essentially a two-camp affair in which the developing nations aim for governmental control of the Internet and the Western nations prefer to keep the status quo.

There does not appear to be a middle ground. WCIT was, in this respect, a political cloak-and-dagger event of almost Machiavellian proportions.

It had it all: the polarization of the voters, sudden ‘midnight votes’ that most parties were left uninformed about, and attempts at tricking voters into voting on articles that were thought to contain something other than they did.

Both the ‘code of conduct’ and the battle for the internet’s multi-stakeholder principle shine through in the Seoul Framework for and Commitment to Open and Secure Cyberspace that was drafted for the 2013 conference in South Korea.

It is this framework that will be the key talking point in The Hague this year. The Netherlands has already stated that it would support further work on this framework, but given its democratic nature and strong culture of international trade, this is hardly surprising.

In an earlier published flyer the official statement was made that the ‘self-organization of the Internet should be supported and is preferred to regulation imposed by states’.

It can only be hoped that all sides remain cordial and that political sleight-of-hand doesn’t catch anyone off guard. The result of such an event could very well mean the end of the Internet as we know it.

GCCS 2015: Battlefield for the Internet’s Multi-Stakeholder Coup (Part I)

Published on Norse Corp on Jan 21st, 2015

As you may already be aware, the next iteration of the Global Conference on CyberSpace will be held on April 16th and 17th in The Hague, the Netherlands this year. It is the world’s premier political conference on cyberspace and this is its fourth edition.

Earlier conferences took place in London (2011), Budapest (2012) and Seoul (2013). During these events the world’s political elite gathered to discuss pressing matters concerning cyberspace, a subject that inches ever higher on political agendas worldwide.

No countries are excluded by default, making it a truly global event aimed at creating dialogue between nations that are like-minded as well as between political opposites.

One of the key goals is the creation of a globally accepted baseline of online behaviors. It’s a tough issue to crack because each nation has different notions on what constitutes undesired behavior online, and even more hotly debated is what each behavior warrants as a response.

Because there are so many underlying political motivations, nothing has thus far been universally agreed upon. Rumor has it that not even the fight against the utterly reprehensible crime of child pornography turned out to be common ground.

The reason for this was more political than emotional; some nations considered a global ban on these practices to set a precedent that would later back them into a corner. This illustrates a considerable amount of distrust, and underscores exactly how difficult it will be to reach any truly substantial agreement.

The differences in culture, political environment and, more to the point, the views on human rights in countries such as China, Russia and Iran compared to Western nations explain quite well why they would be opposed to any treaty that directly or indirectly influences (or condemns) practices that are commonplace there.

For instance, the right to uncensored internet access for citizens, that we take for granted in the Netherlands, is virtually unthinkable in China.

And that is hardly the only example. China and Russia both have a considerable history of co-opting or coercing ‘uncontrolled’ organizations such as organized crime to execute politically motivated attacks.

Totalitarian regimes generally have much greater control over their populace than democratic societies, and this also extends to criminal elements inside their borders. Co-opting or coercing them into performing tasks that a government cannot be seen doing has the benefit of plausible deniability.

After all, an entire nation cannot be held accountable for its rogue elements, can it?

But that is far from the only hot topic on the table. Perhaps the most critical issue discussed there is the ongoing struggle for high-level control of the Internet. From a technical standpoint, part of that control currently lies with ICANN, the nonprofit (civilian) organization responsible for the management of Assigned Names and Numbers (or rather: DNS and global Top Level Domains such as .org, .com and .gov).

ICANN also steers IANA, which is responsible for assigning numbers (IP addresses) to names (DNS). Both of these organizations are American, though not formally controlled by the US government. So far, and with a few notable exceptions, they have been doing their work seemingly without undue governmental influence.

But, no doubt due to political pressure on the subject, the US government has relinquished stewardship of ICANN. As of this year, another steward will take the wheel.

And Governmental Influence is exactly the key issue. More on that in the next installment…

Using the Cyber Kill Chain to Map Cyber Defenses with Practical Reality

In an effort to better understand the structure and approach of “APT attacks”, which was at the time virtually a euphemism for cyber-attacks coming from China, researchers investigated hundreds of successful incursions into networks. The professional character of the attacks, long suspected, was confirmed: all of them followed the same 7-step procedure of Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control and finally Actions on Objectives. It was dubbed the ‘Cyber Kill Chain’, and it has since been all the rage.


Figure 1: The Cyber Kill Chain

As an interesting side-note: Defense contractor Lockheed Martin claims it as their own work, first presented in 2011, but this claim is demonstrably incorrect. Jeffrey Carr, well known for running OSINT project Grey Goose, which gathered intelligence on the cyber-attacks against Georgia in 2008 and provided strong evidence of Russian involvement, coined the phrase in that same year. I personally attended a lecture at Hacker Halted in Miami around that same time where the Cyber Kill Chain was explained in great detail. While the contact details of the speaker in question have sadly faded from my memory, I can in fact confirm that both the term and the content of that term existed well before 2011, as claimed by Lockheed Martin.


The 7 phases, or steps, cover the following procedures:

Reconnaissance
During the Reconnaissance phase, the attacker (or attacking team) collects as much information on the target as possible. Some of this gathering is passive, meaning the target defender cannot detect the collection of data, but some is active and may be detected by someone looking for such signs. Passive gathering includes collecting any valid email address belonging to the targeted organization, looking up which IP address blocks are registered to the target, what domains are registered by the target, who works for the company (through social media such as LinkedIn) et cetera. Active reconnaissance may include exploring weaknesses in the public-facing websites such as SQL injection, or port scanning various systems (very cautiously, so as not to trip sensors) to obtain banner information that gives away exactly what kind of system is answering.


Weaponization
In this stage the information gathered earlier is turned into specialized weaponry: malware that is effective against the target’s systems is wrapped in files that the unsuspecting target is most likely to open, such as PDF or Word files.


Delivery
The customized weaponry is then sent to the target by the most practical and effective means. This can include sending it by email, placing it on a USB stick that is then dropped near a target employee who is likely to insert it into his or her system, or luring target employees to a specially prepared malicious website from which they are infected.


Exploitation
Once delivered and opened by the victim, the malware is executed. This exploits one or more weaknesses in the user’s system, through which the malware’s ‘payload’ is deployed. Most commonly the exploit used yields the attacker the highest privileges on the system (Administrator or root access) and clears the way to install various malicious tools.


Installation
The malware ‘payload’ can consist of a variety of malicious applications; what is installed on the target system is at the discretion of the attacker. Most commonly deployed is a variant of a Remote Administration Tool (RAT), which gives the attacker the opportunity to take complete control of the target system. Also popular are keyloggers, which log everything the user types, and ‘downloaders’, which go on to download more elaborate malware onto the target system. Almost all attackers make use of ‘rootkits’, whose express task is to burrow permanently into the target system and hide its presence from defensive applications such as antivirus products. Once this is done it is especially difficult to discover whether a system has been compromised, and the only reliable way to ensure removal is a complete reinstall of the target system.


Command & Control
Once a foothold has been created in the target network via the initial attack, the attacker uses that system to further explore the network around it. Because the compromised system is generally assumed to be ‘trusted’, the defenses inside the network tend to be much less stringent, and such exploration can yield an incredible amount of information. The attacker carefully selects other systems to compromise and ‘pivots’ through the target network from one compromised system to the next, until a solid Command & Control network is established through which the attacker can enter the network at will.


Actions on Objectives
At this final stage the attacker executes whatever actions are required to reach their objectives. This can be stealing data, corrupting systems or even simply listening in on what is going on in the network. It continues at the sole discretion of the attacker until the compromise is detected; in many recorded cases this has taken anywhere between 6 months and 1.5 years.


Aside from being useful in gaining insight into how structured cyber-attacks generally work, the Cyber Kill Chain is also quite a useful tool for hammering patchwork security defenses into a sensible and practically effective whole. This becomes clear once we put the steps on a timeline and show where the first point of active contact with the target network is, shown in Figure 2 as t0. Also shown is where defenders have reactive defenses, indicated by the marked area to the right.


Figure 2: The Cyber Kill Chain on a timeline

With this information we can map out which countermeasures are most effective against each of the 7 phases. Each phase can be taken as one layer of defenses. When done this way, the countermeasures that are most effective against the actions undertaken by the attacker become part of a cohesive defensive strategy with very little overlap. It is also an excellent way to estimate whether a new defensive measure will add value to one’s overall strategy. The strategy would then look like Figure 3 shown below.


Figure 3: Defensive layers per phase

Per phase in the Cyber Kill Chain the following defenses can be undertaken. Please note that this list is by no means exhaustive; the intent is to illustrate how countermeasures address the steps of the attack methodology.

Reconnaissance
Because this phase is all about gathering information about the target network, good countermeasures revolve around denying the attacker information, or providing false information.

  • Applying “cyber hygiene” to websites (limit the number of email addresses on external websites, etc.);
  • Obfuscating banner information of externally reachable servers and services so that attackers receive no, or false, information when probing;
  • ‘Anonymizing’ information on IP ranges owned by the company;
  • Running awareness programs to limit sensitive information posted on social media by the staff;
  • Asking any running (or planned) penetration testing program to look specifically for system-identifying information that can be gained; the systems broadcasting this information can then be modified to provide different (or no) information.


Weaponization
Large portions of this phase are passive, meaning they are executed on systems belonging to the attacker. This makes it difficult to influence directly, let alone counteract. The countermeasures that are most effective for this phase are also part of the Delivery phase.


Delivery
Delivery is only successful when the recipient accepts. Successful countermeasures in this layer interrupt this process.

  • Security awareness training for the staff, focusing on not picking up USB devices they found, not blindly opening documents they did not expect, and not clicking links in emails or text messages (including WhatsApp or other mobile messaging);
  • Malware scanning on email;
  • Next-generation firewalls protecting access to the network;
  • Use of security-hardened applications for popular malware delivery vehicles, such as Foxit Reader for PDF files or, for internet browsing, secure browsers such as Google Chrome or its security-minded offspring Aviator;
  • Next-generation malware protection software;
  • Blocking the use of USB drives on user systems (physically, logically or both);
  • Proactively blocking user access to identified malicious URLs.


Exploitation

  • Systematic security updates and patch management to minimize the attack surface;
  • System hardening by reducing the number of running services, again to reduce the attack surface;
  • Next-generation anti-virus or anti-malware software that runs applications in a secure sandbox before executing them on the actual user system, such as Palo Alto WildFire or FireEye.


Installation

  • System hardening in the area of privilege escalation prevention, which may include modifying settings in the system back-end infrastructure such as Microsoft Active Directory;
  • Specialized software to prevent further damage after a malware infection, such as Microsoft EMET;
  • System configuration change detection (file integrity monitoring) such as Tripwire;
  • Application whitelisting to block installation of non-approved software;
  • Removal of local administrator rights for users.


Command & Control

Establishing Command & Control inside a network essentially involves repeating the previous steps until all useful systems are equally compromised and backdoor access can be guaranteed. This means that the above countermeasures should be implemented across the board, not just on edge systems. On top of that, the following countermeasures provide additional value:

  • Internal network monitoring with anomaly detection, or internal next-generation firewalls with DPI capability and a measure of network intelligence;
  • Network segmentation between security levels (VRF-like technology is preferred over VLAN tagging);
  • 802.1X Network Access Control (preferably certificate-based) on all systems;
  • End-to-end encryption between all systems to prevent network sniffing (where performance allows).


Action on Objectives
Because every adversary has its own agenda, the countermeasures here must be tailored to the nature of the defending party. R&D-oriented firms are generally concerned with theft of intellectual property, whereas enterprises in the critical infrastructure sector tend to be concerned with service interruptions. Their countermeasures should be tuned to fit the defender’s business concerns.

  • Scanning of outbound network traffic to detect data exfiltration and other anomalous traffic patterns;
  • Four-eyes principle programs embedded in critical operations;
  • Identity & access management tooling with approval flows;
  • Data-at-rest encryption schemes;
  • Data vaults for storing critical data.
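Two of the listed measures, internal network monitoring with anomaly detection (Command & Control) and scanning outbound traffic for exfiltration (Actions on Objectives), can be illustrated with the same small piece of detection logic. The following is an added example of my own, not code from any product named above. It assumes flow records in a simple whitespace-separated form (timestamp, source, destination, destination port, bytes out) and applies two checks: per-host outbound volume to external addresses, and near-constant connection intervals to one external destination, which is the beaconing pattern of a Command & Control channel. The flow records and thresholds are constructed for the example.

```python
"""Outbound-traffic anomaly checks over flow records.

Added illustration (not any product's detection logic): two simple detectors
over constructed flow records. Thresholds are assumptions; in practice they
come from a measured baseline per host or per network segment.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample records (timestamp src dst dport bytes_out); not real traffic.
# Documentation address ranges (203.0.113/24, 198.51.100/24) stand in for the Internet.
FLOWS = """\
2015-09-28T09:00:00 10.1.2.15 203.0.113.10 443 18500
2015-09-28T09:03:12 10.1.2.15 203.0.113.11 80 4200
2015-09-28T09:07:45 10.1.2.15 203.0.113.10 443 9100
2015-09-28T09:10:00 10.1.2.77 198.51.100.5 443 412
2015-09-28T09:11:00 10.1.2.77 198.51.100.5 443 410
2015-09-28T09:12:00 10.1.2.77 198.51.100.5 443 415
2015-09-28T09:13:00 10.1.2.77 198.51.100.5 443 409
2015-09-28T09:14:00 10.1.2.77 198.51.100.5 443 413
2015-09-28T09:15:00 10.1.2.77 198.51.100.5 443 411
2015-09-28T09:20:00 10.1.2.42 203.0.113.50 22 95000000
2015-09-28T09:26:30 10.1.2.42 203.0.113.50 22 88000000
2015-09-28T09:33:10 10.1.2.42 203.0.113.50 22 91000000
2015-09-28T09:40:00 10.1.2.15 10.1.5.8 445 52000000
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                      "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def outbound_flows(flows):
    # Only internal -> external traffic can carry data out of the network;
    # the large internal file-share transfer in the sample is deliberately ignored.
    return [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def exfil_suspects(flows, max_bytes_per_host: int):
    """Internal hosts whose total outbound volume exceeds the threshold."""
    totals = defaultdict(int)
    for f in outbound_flows(flows):
        totals[f["src"]] += f["bytes"]
    return {host: total for host, total in totals.items() if total > max_bytes_per_host}


def beacon_suspects(flows, min_conns: int = 5, max_cv: float = 0.1):
    """(src, dst, dport, mean_interval_s) for connections whose inter-arrival
    times are nearly constant: coefficient of variation <= max_cv."""
    by_conn = defaultdict(list)
    for f in outbound_flows(flows):
        by_conn[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    suspects = []
    for key, stamps in by_conn.items():
        if len(stamps) < min_conns:
            continue  # too few samples to call the pattern periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            suspects.append((*key, avg))
    return suspects


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("exfiltration suspects:", exfil_suspects(flows, 100_000_000))
    print("beacon suspects:", beacon_suspects(flows))
```

On the sample data the volume check flags only the host pushing roughly 274 MB to an external SSH server, not the host copying a larger file to an internal share, and the interval check flags the host that contacts one external address every 60 seconds with a few hundred bytes each time. Real implants add jitter to their beacon interval, so the `max_cv` tolerance matters; both checks are cheap enough to run continuously on flow exports from the segmentation boundaries the list above recommends.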

The list of countermeasures is already considerable in these examples, but many more can be found at each phase. Some are overlapping and some will provide added security to multiple phases; naturally it is up to the security strategist or architect to determine what set of security measures provides the most value to the organization.

Dutch Police Hacking Back – A Privacy Violation Waiting To Happen?

Here in the Netherlands, we’ve seen a proposal for new legislation regarding cybercrime pop up occasionally for well over a year now. It is coming up for a formal vote by the Senate (Eerste Kamer) on October 7th and was the topic of debate on the 24th of September.

The proposed law, “Wet Computercriminaliteit III” in Dutch, which translates to the Law on Computer Crime III, appears to carry some kind of personal significance for the Dutch Minister of Security & Justice, Ivo Opstelten.

That is, if you consider that many regard it as an ill-defined law full of poorly understood ideas that can have severe unintended consequences (most notably violating the privacy of innocent civilians), and that it has been bashed by virtually all sides except law enforcement yet keeps making its reappearance. Even though the general opinion was negative, it was amended slightly before stealthily being put up for a vote of Congress just before this year’s summer recess.

This method is sometimes used by Dutch politicians when they wish to slip something through unnoticed. Whether that is the case here, or whether it has indeed worked towards easing the political path, remains to be seen. Regardless, this topic has drawn much attention in the Netherlands.

The computer crime law in question covers a relatively broad spectrum. In broad strokes, the law enables the police to:

  • Remotely investigate computers belonging to criminals, allowing them to copy data or make it inaccessible;
  • Hack into a system if it is unknown where a targeted system is located, while taking notice of international law (please note that this is not the same as ADHERING to international law);
  • Tap or observe communications, but this requires a judge to sign off;
  • Listen in on Skype calls;
  • Prosecute people for providing access to stolen data, equivalent to fencing stolen property;
  • Force a suspect to decrypt encrypted data – refusal to decrypt can lead to a prison sentence of no more than 3 years.

Though translated, these bullet points reflect, in my opinion, the way the proposal was worded. Immediately I had some questions. Here are a few:

  • Remotely investigate systems belonging to criminals – Does this mean that if you’ve ever been convicted, they can access your system whenever they like? Or do they mean SUSPECTS? Also, see my later point on having a judge signing off.
  • Hacking into systems of unknown location while taking notice of international law – Aren’t we required to ADHERE to international law instead of simply taking notice? I should try this excuse to get out of a speeding ticket!
  • Tap or observe communications – This is the only point that specifically mentions needing a judge to sign off. That is strange. It seems to me that tapping and/or observing is, when compared to actually breaking and entering into a system, the lesser power.
    Why is it not stated that hacking into a system requires a judge to sign off? Given the generally careful wording of articles of law, I can only surmise that this absence means that the actual hacking into a system does NOT require a judge to sign off first.
  • Listen in on Skype calls – How about any other kind of sort-of-encrypted voice communication application? Skype is popular now, but which application will be popular in the future? This point seems to limit itself unnecessarily. Also, does this fall under tapping or observing communications, which means it requires a judge to sign off?
  • Equating fencing with providing access to stolen data – This might be (mis)used to criminally prosecute people who share ‘warez’ with their torrent client. Given the almost erratic behavior we have been seeing from BREIN (the Dutch equivalent of the RIAA / MPAA) and its head honcho Tim Kuik, we already know their lobbyists will be foaming at the mouth over this item.

    Bad news for the warez community, to be sure. But with all the already controversial items, why was this put in? It would be nice if at least one plausible case (preferably more!) were given where this item is useful and NOT linked to the Netherlands becoming a stooge for the (largely American) music and video industry.

  • Forcing suspects to decrypt encrypted data – This is in special response to several child pornography cases where suspects had strongly encrypted content on their systems that Law Enforcement officers could not break. Looking at it from that perspective, it is understandable that this is to be desired.

    However, child pornography is NOT the only reason why anyone would want an encrypted folder. I personally use encrypted containers to store my company’s valuable data in, and I would certainly recommend it for anyone. Under what circumstances will this item be put into practice? By that I mean I would appreciate a list of the types of cases in which judges will be applying this law.

    Most people will agree with using this in cases against child pornography, but it would be an entirely different matter in cases of, say, intellectual property rights of a company. In any case, I would bet that any really guilty child pornographer would prefer 3 years jail time over a full sentence for child pornography. Especially after the way these folks are (understandably) treated by the general populace once their identities are known. In other words: isn’t this item a bit useless to use against hardcore criminals?

Opstelten versus the Community
A few months ago I shared a stage at Nyenrode Business University with, among others, Wil van Gemert (the Dutch National Counterterrorism Coordinator at the NCTV) and Ronald Prins (Fox-IT). Mr van Gemert, who worked for the Dutch police for a long time before being promoted to his current position, was the only speaker who unequivocally supported this law. All the other speakers, coming from industries such as finance, technology and education, opposed it for a variety of reasons.

We all understood perfectly well that times have changed, and that the police must be able to change with them if we expect them to protect us from criminal behavior. That is not the issue I have with these plans. The issue is how to prevent misuse of this power, and given the many examples we can cite, this is not a minor consideration that is easily dismissed.

Police officers are human beings too, and they too will bring their personal lives to the job. What is to stop an officer from cracking open the mailbox of a loved one suspected of cheating? Why is it so unclear whether a judge is required to sign off on an action versus the police making a judgment call?

The questions are also of a practical nature: HOW are the police going to crack systems? What software will they use? Will they make use of the same vulnerabilities known to the criminal industry, or will they somehow develop their own backdoors? Will we ever know? If they discover new vulnerabilities, will they still inform us of their existence or keep them under wraps just to ensure their own capability of gaining access? Will they strike deals with software giants such as Microsoft to get a backdoor?

The most critical questions for me have everything to do with prevention of misuse. Who can perform what action, under what circumstances? And who will make sure they cannot do it under other circumstances?

Who will check whether the police have complied with the regulations and limitations we impose on this law? What will be the consequence for a police officer or official when he or she violates them? How plausible will enforcement and auditing still be if the only result is a minor slap on the wrist?

Bart Jacobs, a well-known Dutch professor who teaches and researches information security at the Radboud University in the Netherlands, also made clear his reservations about this law. When asked, he had these questions:

How can I know the police didn’t change anything on my system if I am a suspect? Can I ever prove the police didn’t change anything? Or that they have? Can you EVER know?

Please note that I am translating and paraphrasing somewhat. Other observations he made are worth sharing: “When creating the law on tapping phones, the government promised it would be sparsely used. Now, we are one of the most-tapped nations in the world.” And: “The police are acting like their backs are against the wall. They are framing the debate in a ‘poor me’ fashion to garner sympathy.” It is clear from these remarks that Professor Jacobs is not a fan of this new law.

There are many questions that need to be answered before implementing such an article of law. Naturally I understand that the current wording and phrasing is not what will end up in Dutch law, but all the above points should be given due consideration. Cybercrime has brought us considerable change with regard to criminal activity, and the laws we currently have may not be sufficient. But knee-jerk reactions make bad laws, and if we are to really deal with cybercrime we must have good and solid laws that ensure citizen safety (and privacy!) without compromising justice.