The Problem with the Universal Right to Online Privacy

privacy(As published on Norse on April 15, 2015)

A landmark decision by the UN Human Rights Council was made on March 26th to cover privacy issues arising from the pervasive monitoring by the UK and the US, in an attempt to establish that freedom from excessive (online) surveillance is a basic human right.

The resolution was spearheaded by Germany and Brazil, where public debate about online surveillance has been most intense. Naturally, German PM Angela Merkel has not yet forgotten the fact that her mobile phone was tapped, and event went as far as kicking out the CIA station chief in Berlin.

Brazil’s President Dilma Rousseff cancelled a trip to the US in protest of the surveillance on Brazil’s political leaders. Given that it is prime US policy to keep tabs (well, and taps) on all political leaders in the entire continent of South America, there is little doubt that the sentiment is shared amongst all South American nations.

It was expected that the resolution be blocked by the US and the UK, but it was adopted by consensus and the UN will be appointing a Rapporteur in June. This Rapporteur will have the authority to “remit to monitor, investigate and report on privacy issues and offer advice to governments about compliance. They will also look into alleged violations.”

The initiative, which contains the phrase, “the rapid pace of technological development enables individuals all over the world to use new information and communications technology and at the same time enhances the capacity of governments, companies and individuals to undertake surveillance, interception and data collection, which may violate or abuse human rights,” sounds very compelling and a worthy cause.

However, those who are skeptical of such an initiative have much reason to be.

To start, the UN has over the years steadily ignored both Article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights (where the Right to Privacy is mentioned).

This is hardly surprising since quite a number of UN member states have a rather uncomfortable record with Human Rights as a whole, and there has yet been little appetite for a clash on this subject.

Another major reason to remain skeptical is the equally uncomfortable fact that virtually 100% of all the UN member states are involved with pervasive online surveillance programs in one way or another.

In that respect there is plenty of negative sentiment to go around when it comes to online surveillance, and rightly not all of it is directed towards the US and the UK.

Even Germany, who is taking the lead in setting up this initiative, has been caught with its’ proverbial pants down when it was discovered that their own national security service BND was sharing data on German citizens with the NSA.

They are hardly alone in this: The number of European countries that hasn’t been subject to news in that area can be counted on one hand. To put forth an act that limits their own intelligence gathering operations seem counterproductive at best.

Lastly, it can be argued that the “Universal Right to Privacy” does not translate equally to “Universal Right to Online Privacy.”

However foolish it may seem, we have had a number of examples where such a translation proved much more difficult than it appeared. And these were not small topics: The laws surrounding warfare, for instance, or cybercrime.

Taking all these facts into account, it seems reasonable that this new initiative has some credibility issues. It will be very interesting to see if it develops some teeth moving forward.

Enterprise Security vs. Nation State Threat Actors

enterprisevnationThe recently published Snowden/NSA/GCHQ slides regarding the Gemalto hack have caused quite a stir amongst security practitioners, board members and politicians alike. But the uproar is minor when considering that it is now more than clear that not only non-allied nations such as China, Russia and Iran are attacking commercial entities. Nation states that we are on good terms with are apparently equally willing and able to attack their allies, just to get ahead in the Intelligence and Battlefield Preparation game. Good friend and excellent analyst Richard Stiennon already acknowledged (allied) nation states as a threat actor for the commercial industry in his article “NSA Surveillance Extends the Threat” in 2013. He asserted that the NSA was leading the threat hierarchy and was advocating a global re-evaluation of ones’ security stance. From what has been unveiled recently this is due for a revision yet again, as it is clear that British GCHQ is following the same playbook. Given both their membership in the “Five Eyes” community (of which all nations in the Five Eyes are core participants) it is increasingly safer to assume that Australia, Canada and New Zealand follow the same methodology, but that is beside the point of this article.

What does this mean?

When comparing the slides and modus operandi concerning Gemalto with what was disclosed about the Belgacom hack, useful observations can be made regarding the tactics employed by GCHQ and the NSA. And that MO demonstrates quite clearly what the real problems for commercial entities are when faced with a nation state as an adversary.

First off, they are difficult to expect. That’s right: Expect, not Detect (although that is probably equally true). Nation states have considerably different motives and these may not always be obvious. Gemalto and Belgacom were targeted because they were gatekeepers to communication networks; in this case telecommunications. They in turn contained what the NSA and GCHQ were actually after: the communications (potentially) running over those networks. It seems like arguing semantics when we differentiate between the targeting the communications networks and the communications themselves, but it is quite relevant: Both the NSA and GCHQ have other legal recourses to obtain the communications they are looking for, but are actively and purposely choosing other avenues. In short, it is not usually obvious what governments are interested in, and even if they have other (legal) means to obtain their target, they might still attack you if that proves to be more useful or less of a hassle.

Second, they are nearly impossible to deter. Cyber criminals generally tend to pick the low-hanging fruit. This will probably remain true as long as there remains so much of it available. The other major category popular with cyber criminals is the ‘big score’, where the spoils of a successful heist are so rich high that attackers consider their time and resources a good investment. Naturally this last group has more staying power than the first group, but both will eventually bug out if the operation is found to be too difficult or risky. Corporate espionage can potentially stay in the game where a cyber-criminal would have given up, but that is very dependent on the level of resources and risk that a firm is willing to commit.  You can deter them by securing your infrastructure to such a degree that the reward of breaking in is not worth the effort. Governments have deeper pockets and thus far seem to be more-or-less immune to criminal prosecution. This significantly alters the equation for such parties. The local social environment of the attacker also plays a role. Corporate spies or criminals basically get told[1] “Get in there if you can”, while soldiers get told “Get in there [period]”. Government operatives don’t get deterred by tedious work or lack of funds. To keep them out it has to be made impossible to break in and, provided it can be done, the task will be Herculean and costly.

It should also be pointed out that governmental espionage is not solely about national security. Many intelligence services are tasked not only with security, but also so-called ‘Economic Intelligence’. To put it bluntly, they are also looking for anything that might give their national corporations an edge against foreign competitors. The reason is simple: successful corporations are a boon to any nation. Not just for the additional tax income they generate, but also for the additional jobs and innovation power they bring. Some intelligence agencies focus more on this than the others, but most do it to some degree. We have seen evidence of this before, during the Echelon program. Several high stake deals were won by American firms due to the intelligence provided to them by the American intelligence apparatus. We can only guess at what intelligence the NSA is currently feeding to American firms. Perhaps the tech firms that are under the NSA yoke are being rewarded sub-rosa as compensation for the multi-billion dollar loss they have incurred (or will incur) over lost trust.

Third, they have capabilities unique to this category of attacker. When looking at the Belgacom and Gemalto hack, it is clear that one major new factor in their approach is Intelligence. Highly trained government intelligence agents are tasked with scoping out the target. They will find key target personnel in short order. It is their job to do so, and even in small nations these operatives are trained and experienced to a degree that will never be matched by a corporate entity. This might be the most effective tool in their arsenal, and next to impossible to defend against. The average person working for a corporate entity will be completely unarmed against people professionally trained in disciplines such as surveillance and interrogation. Would they spot a tail when walking or driving? Would they realize they are being interrogated during a seemingly innocuous conversation with a stranger? Would their family? What is worse, is that nothing private is off-limits when gathering intelligence. Private emails, browsing history, social media, cellphone conversations and text messages are all scrutinized in the hopes of finding a way inside the target organization. They are not above infecting a staff member with a piece of custom-made malware if it furthers their goal. The more staff a company has, the bigger this attack vector is. The problem is exacerbated when dealing with technologically advanced nations, due to higher degrees of technological refinement in their attacks.

Fourth, that we know of their operations does not mean they have stopped. It sounds strange, but for some reason many people seem to think the threat is over now that we are aware of it. It is stating the obvious, but that is not the case. All that has really changed is that we now have some measure of tangible proof to something that was strongly suspected for a long time. The repeated wake-up calls are working to force a long overdue focus on security, but it still has to be acted upon and followed through on. The security industry finally has the clout to address the serious issues, and it can be done without overhyping the matter. Throw away old disparaging sayings such as “if they want to get in, they’ll get in” and do what can be done.


Naturally there is more to this issue than the points described above. What is clear is that the corporate world is faced with a potential adversarial class that it is not equipped to deal with. In this regard the world is not that different from the Dutch Golden Age in the 17th century. The Dutch VOC company had a large fleet of merchant ships that were regularly attacked by foreign ships of war belonging to nations that the Netherlands was at war with at the time. The naval frigates outclassed the often cumbersome trading vessels, and defending themselves to a sufficient degree simply wasn’t economically feasible. This problem grew to such an extent that valuable VOC convoys eventually received Dutch naval escorts for protection, even though they did have to help pay for them. What is worth wondering about, is whether we can find a similar common ground with Government and truly co-defend in a meaningful manner.


[1] Or conceive the notion themselves, naturally.

Data Mining Protection: Taking A Privacy Roadtrip with IRMA

dataminingIf you have ever clicked “I Agree” on Facebook or an Apple device without really going through it, it might be worth your while to go back and read up. Do you know where your data is going?

A few months ago I went to get a haircut at my local barber shop. The work was done and I walked to the register to pay. The kind lady who had done my hair asked me something I had somehow never seen coming: “Would you like to fill out this customer loyalty card?”

My barbershop, a place that had always remained unchanging, the last bastion of complete digital disconnection, had entered the digital age of nonsensical data gathering and targeted marketing. I regretted it instantly.

A casual look at the contents of ones’ wallet now tells you exactly how far the broad-spectrum gathering has already gone. All the credit card-shaped slots in my wallet are full and I have a stack of at least 40 similar cards at home that I don’t use.

All those customer loyalty cards are there for one key reason: data mining. Many organizations are trying to get to know as much about you as they possibly can. Very often this includes things about you that they have no purpose for.

Whether they want to be better at targeting their sales efforts at you, or to resell that information to third parties, the endgame is almost always about profit.

And the reselling of such data doesn’t just happen occasionally – it’s big business. According to a McKinsey Global Institute study from 2012, Data is a $300 billion dollar a year business that employs 3 million people in the US alone.

You’ve probably never heard of companies like Acxiom, but you can be sure that they know all about you. Information that you gave one company is happily sold to another company without your knowledge and in most cases, with unknowing consent.

With the ever increasing digitalization of our society, it’s becoming more and more obvious that all that information gathering and sharing comes at a great cost: our privacy. Fortunately, there are some great initiatives on the horizon that help combat the broad-spectrum data mining that is going largely unchecked.

IRMA is one of those initiatives that can help a great deal. IRMA stands for I Reveal MAttributes, and essentially comprises a whole new way of approaching identity, authorization and authentication.

It is a project of the Privacy & Identity Lab, which is a collaborative union between research-oriented institutes in the Netherlands such as the Radbout University Nijmegen, the Tilburg Institute of Law, Technology and Society (TILT) and TNO.

Using the underlying technologies of Idemix (IBM) and U-Prove (now Microsoft), IRMA is essentially a new form of identity smartcard that can be ‘loaded’ with various sets of ‘credentials’ from different sources, such as the local authorities.

Information such as Date of Birth, Nationality or Place of Residence can be stored on the card and you can use those attributes in transactions both online and offline in a variety of scenarios.

For instance, when voting on local elections: You must show that you are a resident and you currently have to show some proof of ID before you are allowed to vote. In theory, this means you are no longer anonymous.

With the IRMA card, this is a thing of the past. You’d simply present your card and they would only see that Yes, you are a resident of that town. They would also see who issued that credential to you (such as the government), but nothing that compromises your identity.

The same scenario plays out when purchasing liquor. In the Netherlands, the minimum age for purchasing alcohol is 18 and shop owners are legally required to ask for ID. What they really only need is to verify whether the buyer is over 18 or not.

This attribute is stored on the IRMA card, and that is all it will tell the store owner: “Yes this person is over 18”. Neither your age or your date of birth is transmitted, just the indicator of whether you are over 18 or not. Again, nothing but this attribute and the source of the attribute is shared.

The project is still under development, so it is hard to say exactly how it will eventually turn out. But the concept is very promising. If users are indeed capable of choosing additional attributes to store on the card, which is currently the direction it is heading, it can theoretically replace virtually every card in your wallet today.

Naturally users can only load attributes up to a point, some information must always come from highly trustworthy sources, but should be plenty of room for user freedom.

Imagine, just having to carry one single card. Driving license?  Passport? Customer Loyalty cards?

Every one of these items has attributes that are just as easily stored on an IRMA card. Provided the physical and cryptographic properties are secure enough, we may even be able to replace our bank cards with the same single IRMA card.

If you’d like to learn more, visit the project site. One of the lead scientists, professor Bart Jacobs, explains the whole project much more eloquently than I ever could. Find it here:

GCCS2015 Part II: Government Influence is the Key Issue

gccs2(As published on Norse: Feb 5th, 2015)

As we noted in Part I: GCCS2015: Battlefield for the Internets’ Multi-stakeholder Coup, the next iteration of the Global Conference on CyberSpace (GCCS2015) will be held on April 16th and 17th in The Hague, the Netherlands this year. It is the worlds’ premier political conference on Cyberspace.

The Internet was founded on, and has ever since been based on, the multi-stakeholder principle. That is to say: the Internet does not belong to any government, it belongs to everyone equally.

In fact, aside from lending material support, governments have had precious little to do with the development, implementation and administration of the Internet. The brunt of the work has been done by civilian institutions such as the IETF, ICANN, IANA and a whole slew of similar civilian non-profit organizations.

But as time progressed and the significance of the Internet grew, so too did the urge to control grow at the worlds’ governments.  This is signified most clearly by the continued attempts of the UN to move this piece of internet governance away from US-based ICANN to the International Telecoms Union (ITU).

At first glance, the ITU seems innocuous enough. It has a membership of over 193 countries and over 700 commercial entities such as Apple and Cisco. However, the ITU is an agency of the UN and therein lies the rub.

The ITU is ultimately subject to the will of the UN charter members. They will face considerable pressures by many UN nations such as Russia, China and Iran, who are staunch supporters of ‘cyber sovereignty’.

The ‘cyber sovereignty’ camp considers the current state of affairs to be directly threatening their national security primarily because they have no easy way to censure content. They will no doubt push for measures stifling internal dissent and perhaps even for measures to censure content disagreeable to them.

In fact, they’ve pretty much said so.

Several blows have already been dealt to advance the power shift towards the ITU during the 2012 World Conference on International Telecommunications (WCIT), as excellently commented on by Alexander Klimburg in his article “The Internet Yalta”.

In his article he describes how China and Russia managed to sway most of the developing nations to supporting ‘cyber sovereignty’, and the whole issue devolved into essentially a bipartisan issue in which the developing nations aim for governmental control of the Internet, and the Western nations prefer to keep the status quo.

There does not appear to be a middle ground. WCIT was, in this respect, a political cloak-and-dagger event of almost Machiavellian proportions.

It had it all: the polarization of the voters, sudden ‘midnight votes’ that most parties were left uninformed about, and attempts at tricking voters into voting on articles that were thought to contain something other than it did.

Both the ‘code of conduct’ and the battle for the internet’s multi-stakeholder principle shine through in the Seoul Framework for and Commitment to Open and Secure Cyberspace that was drafted for the 2013 conference in South Korea.

It is this framework that will be the key talking point in The Hague this year. The Netherlands has already stated that it would support further work on this framework, but given its democratic nature and strong culture of international trade, this is hardly surprising.

In an earlier published flyer the official statement was made that the ‘self-organization of the Internet should be supported and is preferred to regulation imposed by states’.

It can only be hoped that all sides remain cordial and that political sleight-of-hand doesn’t catch anyone off guard. The result of such an event could very well mean the end of the Internet as we know it.

Information Security, Post-Snowden

As published on Tripwire’s State of Security:

The revelations regarding the extensive digital intelligence gathering programs of the American National Security Agency by Edward Snowden won’t have escaped your notice. Since the first reports around June 5th of 2013, the hits have not stopped coming; each consecutive unveiling being of larger scale, depth and intensity than its predecessor.

It is interesting to note that Snowden was hardly the first whistleblower on the massive internet espionage operation by the US government. On January 20th 2006 an employee of AT&T approached the Electronic Frontier Foundation (EFF) with proof that AT&T was cooperating in an NSA intelligence program and on july 2nd 2012 three NSA employees shored up a lawsuit by that same organisation.

The facts are hard to ignore: wiretapping heads of state[1], allied or not[2], hacking telecom corporations[3], large scale internet wiretapping[4] and forcing American technology firms to provide access to customer information[5] or worse: building a backdoor into their products[6]. Summing matters up sometimes stretches the bounds of credibility.

As Jacob Appelbaum put it during his talk at the German CCC conference late last year, the NSA´s operations have really only been limited by Time. Had Snowden waited another year, chances are that we would have seen even bigger programs come to the surface. And perhaps we still might; if Snowden is to be believed we haven’t seen the last of his work.

The impact on our online privacy is consistently mentioned by the various news media. Organisations of all sizes and nationalities are asking themselves just how safe their data is. Do they have unwanted American visitors on their network? How are they going to keep out the NSA? Or other intelligence agencies? Cán you keep them out at all?

In my opinion, these questions aren´t simply valid, but due to the immensity and depth of these intelligence gathering programs and the long list of involved corporations, a considerable bit of research should be more than warranted.

Thanks to Snowden´s revelations we have enough material to make three assumptions:

  • Virtually all the internet traffic is tapped. Because it’s not just the NSA spying on internet traffic but –to varying degree- almost every national intelligence agency on the planet, there is a reasonable degree of certainty that all of our traffic is intercepted and looked at, regardless of where it´s going or where its´ coming from. In case you´re wondering, this certainly includes smartphone traffic.
  • American and British hardware (laptops, desktops, servers, USB devices, mice, keyboards, smartphones et cetera) are very likely all compromised by a backdoor through which remote access can be obtained. If it hasn´t been built in during fabrication, it could still be inserted during transportation, with the aid of transportation firms[7]. For safety sake it is reasonable to assume that Canadian, Australian and New Zealand firms are performing such tasks for their respective intelligence agencies as well, given that these countries are also part of the Five Eyes intelligence gathering pact between the US, UK, Canada, Australia and New Zealand.
  • We cannot trust American technology firms. It is unfortunate for those that haven´t been compromised, but due to American anti-terrorism laws you simply cannot trust them you’re your data. Whether they are paid or forced to cooperate is, in the end, unimportant for you; they willprovide the NSA with intelligence or build those backdoors into their products that are so prevalent and so desired. Your data simply isn´t safe with American online service providers, and thanks to the PATRIOT act it doesn´t even matter if the data itself is on US soil or not. It also doesn´t matter if you are not American. Or if you´re a citizen of an allied country. The American justice system pretty much completely ignores non-citizens and as such, virtually everything done to your data is considered legal. Your data can be reached and inspected regardless of where it resides, and they do it on a shockingly large scale. Here too, it would be wise to lump British, Australian, New Zealand and Canadian firms in on this.

And its not just US firms that have been exploited in such a fashion. Among the firms on the list below you will also see enterprises that have a lot to lose if banned from the American technology market, such as Samsung. Lets put some names to faces. Do you have products in your network or at home that are made by these companies?

Then you almost certainly have a backdoor into your network through which the NSA can enter your network unseen. Perhaps more than one. And now that it is public knowledge that these backdoors exist, it is highly likely that they are exploitable by other parties as well.


The US is, thanks to strong representation in the Technology market, in a very comfortable position where gaining remote access is concerned. This doesn’t stop other nations from attempting the same level of access or intelligence, and quite successfully.

China, Russia and Iran also developed strong Cyber programs of which digital espionage is a substantial element. Closer to home the French DGSE was embarrassed by sudden publication of their own cyber espionage program, not a week after they publicly denounced such practices. Israel has also been known to have a very effective digital intelligence gathering program.

If you still have doubts about whether or not you might be compromised, the EFF has published an electronic file[8] containing exactly what vendors and their respective products give unwanted access to commercial networks. You will encounter the term “persistent backdoor” very often, which means that there is a built-in back door in the product through which unauthorised access to the network is easily attained.

They work virtually the same as the software companies install so that their employees can work from home, with the notable exception that your organisation doesn’t know, support or condone about this ‘feature’ of the products they installed and considered safe.

So why should companies care about this? You’ll often hear the argument that such programs revolve around national security, and is an affair between nation states, not commerce. And yet there have been several cases that show that this is certainly not always the case. Information obtained by national espionage programs can easily be used to great commercial advantage.

There are some prime examples in which national intelligence agencies provided firms with information that gave them a competitive advantage during critical moments while competing with foreign competitors, such as during the negotiations of lucrative contracts. On July 5th 2000 the European Parliament launched an investigation into contract negotiations taking place in Brasil in 1994.

In this case the French firm Thomson-CSF lost a contract to the American defence contractor Raytheon to a tune of $1.3 billion because Raytheon had received crucial information intercepted by an American intelligence agency. In 2000, aircraft manufacturer Airbus lost a Saudi contract worth $6 billion to American firms Boeing and McDonnell Douglas in equal fashion.

Both these incidents took place during the ECHELON program, an earlier iteration of the PRISM program that we have heard so much about in recent months. The amount of data that is being intercepted and monitored makes the ECHELON program pale in comparison.n

Whether you do business internationally or not, having intruders on your networks and mobile devices are almost certainly unwanted. There are ways to defend yourself, but depending on which hardware and software you are using, you may have to start looking for different vendors offering similar products.

This isn’t always practical. Imagine replacing Microsoft Windows with a Linux distribution on all of your systems. This may not be feasible due to lack of staff capable of supporting Linux. Replacing servers, desktops, laptops or networking equipment with equivalent products made by vendors of a different nationality can be difficult, but you could still take steps in the right direction.

For instance, if you are currently using remote access tokens by RSA[9], you may want to consider replacing them. By its very nature, remote access technology is an exceptionally critical service that can immediately defeat all of your network security measures. Whether you will be safe after a full overhaul of your network will likely always remain a mystery; Snowden or some other whistleblower might implicate yet more firms that are complicit with national intelligence agencies.

To have a realistic chance at securing your network, it must be capable of segmenting your various suppliers and vendors. Ideally your network architecture is designed in such a way that no single vendor or supplier can compromise the entire network by itself.

Outsourcing your data or network services to a cloud provider is equally a hazardous idea. You have to be absolutely assured that your provider does not store your data outside your nation’s borders, which would open up avenues for foreign entities to gain access. Most nations have laws in place for their intelligence and law enforcement agencies to obtaining access to systems within their sovereign territory with or without the consent of its owner.

If you have assured yourself that your cloud provider won’t suddenly change its policy. Be aware that most of the firms implicated by Snowden have kept -or have been forced to keep- silent about their assistance to the NSA. If your privacy has been violated, you may learn of it much too late or not at all.

Also, it is critical that you encrypt your data. This includes both data in transit and data at rest, so the smart move is to not leave any data unencrypted on online services such as Dropbox. Be sure to use encryption that is not commonly used on the Internet, or made by any of the implicated firms listed above.

The NSA, and more than likely many intelligence agencies with them, is especially capable of cracking the most used encryption methods such as SSL[10] (Secure HTTP, which ensures that well-known lock icon in front of a web address in your browser). Custom, strong and domestically made crypto technology is the best choice to protect both your network traffic as well as encrypting data storage devices[11].

Finally, it is important that you have a strong identity & access management program. None of the measures above amount to very much if an employee or supplier has access to your network and happily provides this access to a third party with bad intentions.

Protecting information today is more complex than before. To have a chance at keeping unwanted visitors off your network tomorrow, you must lay the foundation today. Although this can be a considerable undertaking, you can at least be assured that it will not get any easier. The time of leaning back casually without having to worry about security has certainly passed.

picAbout the Author:  Don Eijndhoven (@ArgentConsulting), Chief Executive Officer of Argent Consulting B.V, lead cyber security architect and guest lecturer Cyber Resillience at the Nyenrode Business University. Don can be reached at

Argent Consulting buys B-Able Argent Consulting


Monday, 26th May 2014. The Netherlands: Due to insurmountable differences among management, the joint effort between Argent Consulting and B-Able, dubbed “B-Able Argent Consulting” has been terminated. Argent Consulting has bought out the remaining shares and will fulfill existing contracts until their natural termination. The Argent Consulting brand will return to the field in full force; offering new and revised products and services in the global Cyber industry.

Argent Consulting’s CEO Don Eijndhoven had this to say: “The joint venture was entered into based on an estimation of overlap of skills and services between Cyber Security and the more established field of Information Security. We expected a much more receptive customer base but there wasn’t sufficient foundation to work on. In short, the alliance wasn’t as fruitful as we hoped it would be. While this is regrettable, there was also good news: In the Cyber realm we did, and continue to, perform excellently. Having landed several prestigious consultancy contracts with global NASDAQ-listed firms, our core business scores very well and we are going to keep advancing in this strategic direction under the Argent Consulting flag.”

PRISM: Tip of the Cyber Intel Iceberg

PRISM Slide 1When Edward Snowden published information on PRISM – a rather drastic intelligence gathering program in which several (assume All) government agencies such as the FBI and the NSA draw intelligence from major tech companies such as Microsoft, Skype and Facebook – he was immediately revered and reviled by the general populace. Especially within the US armed forces community, the general sentiment seems to be that he’s a traitor and someone needs to go fetch a rope. But really, how much of this is new or even unexpected?

Right after the 2nd World War in March of 1946, a multilateral agreement between the UK, the US, Canada, Australia and New Zealand was signed in which they agreed to cooperate and share intelligence. This was originally intended to be mostly Signals intelligence, but has long since been extended to include much more. This intelligence alliance between those five nations has become known as Five Eyes. It was a secret treaty (allegedly even kept from the Australian PM’s until ’73) but has been exposed for quite some time now. In fact, Canadian Brigadier-General James S. Cox (RET) wrote a rather salacious paper on this treaty, and to illustrate just how well this treaty is working out can be gleaned from the following paragraph in the executive summary of said paper (emphasis mine):

 “The Five Eyes intelligence community grew out of twentieth-century British-American intelligence cooperation. While not monolithic; the group is more cohesive than generally known. Rather than being centrally choreographed, the Five Eyes group is more of a cooperative, complex network of linked autonomous intelligence agencies, interacting with an affinity strengthened by a profound sense of confidence in each other and a degree of professional trust so strong as to be unique in the world.” – “Canada and the Five Eyes Intelligence Community” by Brig-Gen James S. Cox (RET).

This profound sense of confidence in each other likely stems from the fact that they’ve been doing this for over 60 years, and I would hazard that this partnership has had its strength tested a few times. Successfully, from the looks of it. Either way, I think it is a safe assumption that the UK, Canada, New Zealand and Australia are as much to blame for PRISM as the Americans. Funny how none of them have mentioned their unfettered access to this raw data, hmm?

What boggles my mind is how little people seem to care. Maybe the name ECHELON rings a bell? This was an expansion on collection and analysis in the 60’s to this same Five Eyes program. I should stress that the actual gathered (and shared) intelligence included much more than just signals intelligence. We’re talking raw internet data. Raw, meaning absolutely everything that passed through, without any kind of filter. If you said it through any kind of internet-connected medium, through any American provider, service or product, you have definitely been logged there. And even not using any of said American providers, services or products, your traffic could still have been routed through PRISM, depending on where you are, where the servers are that you connected with, or how traffic was routed. And that’s just assuming that this traffic was really only collected in the US, which may not be the case now that we’ve established that at least 4 other countries were actively in on this program.

Now that we’ve firmly established the “who” part of this whodunit –or at least establish who benefits-, its time to look a little closer at what happened.

So what happened with PRISM?
Simply put, since somewhere as early as 2007 the various US intelligence and Law Enforcement agencies used the law to gain access to information harvested by tech giants such as Microsoft, Google, Apple, Yahoo, Facebook, Skype and Youtube. This means that they had access to a multitude of heavily used social media sites such as Facebook, Skype, Twitter and Youtube, but also cloud services such as iCloud, Google Drive and Dropbox. This was all done legally under US laws. Their alleged goal was to monitor foreign communications that take place on US servers, but of course it couldn’t hurt that what they collected included everything under the virtual sun – including stuff on American citizens and US allies.

Edward Snowden brought to light just exactly what is going on, and how it’s done. For those of us who have an IT-technical background, it doesn’t take much imagination. It can be done easily, and not to my surprise, this is what they did. Snowden published a PowerPoint presentation containing 41 slides on this, but interestingly only 5 of those slides were published. The remaining slides are, apparently, so “hot” that nobody wants to burn themselves by publishing it. Both the Guardian’s Glenn Greenwald and the Post’s Barton Gellman have made it clear that the rest of the PowerPoint is dynamite stuff which we’re not going to be seeing any time soon. “If you saw all the slides you wouldn’t publish them,” wrote Gellman on Twitter, adding in a second tweet: “I know a few absolutists, but most people would want to defer judgment if they didn’t know the full contents.”. I think that I speak for most Europeans when I say that I disagree strongly with Gellman, and would very much like to see the remaining slides.

Although the slides that have been published can be easily found without my help, I would be remiss in not adding them here for your enjoyment. Much of the international outrage can be explained by these pictures. And by outrage, I mean by the people, not the other governments. Any outrage on their behalf is geopolitical theatre, because every government in the world is either doing this, or would very much like to. You only have to look at the recently unveiled DGSE (French secret service) surveillance program which operates in exactly the same vein as PRISM.

Without further ado, here are the slides that were published from Snowden’s originally 41 slides:

PRISM Slide 1


PRISM Slide 2


PRISM Slide 3


PRISM Slide 4


PRISM Slide 5


My apologies. Apparently I had missed the release of 4 more slides by Washington Post around July 1st. Unfortunately these slides don’t really do much but add to the confusion. Nevertheless I would like to share these with you too.

prism slide 6



prism slide 7


prism slide 8


prism slide 9

The Chilling State of Cyber Affairs

CWWith all the attention pointed towards PRISM, another interesting publication was virtually overlooked. Earlier last month, a taskforce belonging to the US DoD’s Defense Science Board (DSB) released a final report titled “Resilient Military Systems and the Advanced Cyber Threat” [PDF], that reports on the findings of an 18-month research project. The DSB is a committee of civilian experts that is to advise the US DoD on scientific and technical matters. I just threw that line in here to point out that this committee is staffed by individual civilians and not representatives of the industrial military complex. This is worth mentioning, because a good portion of the report is absolutely riveting in its description of how bad they think the situation is, and this is automatically bound to become a target for those people who still don’t believe in Cyber Warfare. The report starts off with a sentiment many of us will find reasonable, and applying to cyber security as a whole (as opposed to cyber warfare specifically):

Cyber is a complicated domain. There is no silver bullet that will eliminate the threats inherent to leveraging cyber as a force multiplier, and it is impossible to completely defend against the most sophisticated cyber attacks. However, solving this problem is analogous to complex national security and military strategy challenges of the past, such as the counter U-boat strategy in WWII and nuclear deterrence in the Cold War. The risks involved with these challenges were never driven to zero, but through broad systems engineering of a spectrum of techniques, the challenges were successfully contained and managed.”Mr. James R. Gosler & Mr. Lewis Von Thaer – Resilient Military Systems and the Advanced Cyber Threat.

In this same opening letter, some fairly damning statements are made. One of the most significant observations was that DoD Red Teams were defeating defending teams in exercises ‘with relative ease’ by hammering them with exploits and tools found on the internet. It also mentions that the DoD networks and systems have a weak cyber hygiene position, and even the Classified networks have experienced “staggering losses” in compromised data due to successful breaches (full quote to follow).

As an aside it is mentioned that in general, security practices have not kept up with adversarial tactics and capabilities. This statement is significant because of the context it is placed in. You see, the DoD security practices are fairly solid and, in general, followed quite well. These are the same (though possibly more stringent) security practices they teach infosec practitioners in certifications such as CISSP and apparently they don’t work anymore.

The report has a long list of very interesting little factoids, but the following list of bulletpoints is a direct quote from the report:

  • “The cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War
  • The cyber threat is also insidious, enabling adversaries to access vast new channels of intelligence about critical U.S. enablers (operational and technical; military and industrial) that can threaten our national and economic security
  • Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat
  • DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems
  • U.S. networks are built on inherently insecure architectures with increasing use of foreign-built components
  • U.S. intelligence against peer threats targeting DoD systems is inadequate
  • With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks
  • It will take years for the Department to build an effective response to the cyber threat to include elements of deterrence, mission assurance and offensive cyber capabilities.” – Resilient Military Systems and the Advanced Cyber Threat.

One has to wonder how much of these observations are grounded in actual fact, and what is part of the disinformation operation that is almost certainly running in the background somewhere. Regardless, there has been sharp criticism about this level of public disclosure. Should the US be publishing this information so openly? Why and to what end? Truth be told, it is hard to argue that the experience of publication is merely a positive one. You can be certain that every other nation on the planet is carefully pouring over every word, analyzing if weaknesses can be discovered. If the following quote is to believed, the US found plenty on their own:

 The DoD, and its contractor base are high priority targets that have sustained staggering losses of system design information incorporating years of combat knowledge and experience. <…> Perhaps even more significant, they gained insight to operational concepts and system use (e.g., which processes are automated and which are person controlled) developed from decades of U.S. operational and developmental experience—the type of information that cannot simply be recreated in a laboratory or factory environment. Such information provides tremendous benefit to an adversary, shortening time for development of countermeasures by years.Resilient Military Systems and the Advanced Cyber Threat.

And of course, the US faces challenges in the Cyber arena that few other players will ever encounter because of the high costs associated with it. I am speaking, of course, of Supply Chain Security – also known as Hardware Hacking. In 2010, the 2nd International Conference on Information Engineering and Computer Science (ICIECS), published an article titled “Towards Hardware Trojan: Problem Analysis and Trojan Simulation” authored by members of the Zhengzhou Institute of Information Science and Technology in China, which outlined the technical approach elements for developing covertly modified hardware.

A successful corruption in an enemy’s supply chain which manages to insert malicious chips onto say, a desktop or server, would evade all security measures installed on said device. Only a particularly well tuned (and carefully looked at) network monitor would have a chance at picking up the phone-home signal or, in case of a successful intrusion, the data exfiltration itself. Given the costs associated with supply chain corruption, it would be a very safe bet that the utmost effort is done to hide any outbound traffic or to make it seem innocuous enough that you miss it when investigating. You would need a really excellent understanding of your network traffic to spot traffic that wants to stay hidden.

The entire DSB report contains so much interesting information that I couldn’t possibly put all of it in one article. One last tidbit that I would like to include here, is a quote that contains some of the ideas I wrote about in my very first article on Cyber Warfare (emphasis below is mine).

The benefits to an attacker using cyber exploits are potentially spectacular. Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. U.S. guns, missiles, and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces. Once lost, that trust is very difficult to regain.” 

The impact of a destructive cyber attack on the civilian population would be even greater with no electricity, money, communications, TV, radio, or fuel (electrically pumped). In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless. Law enforcement, medical staff, and emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained periods. If the attack’s effects were reversible, damage could be limited to an impact equivalent to a power outage lasting a few days. If an attack’s effects cause physical damage to control systems, pumps, engines, generators, controllers, etc., the unavailability of parts and manufacturing capacity could mean months to years are required to rebuild and reestablish basic infrastructure operation“. – Resilient Military Systems and the Advanced Cyber Threat.

There really isn’t more I could add to this. I have no doubt that development on offensive cyber capabilities will continue and the next decade will bring about possibilities we can only dream of now. With this build-up of virtual arms between the worlds’ largest nations, a comparison with the Cold War is hard to avoid. Lets just hope cooler heads will prevail again.

On Dutch Banking Woes and DDoS Attacks

DDOS-attackIf you don’t live in the Netherlands or don’t happen to have a Dutch bank account, you can certainly be forgiven for not having caught wind of the major banking woes that have been plaguing the Dutch. For weeks now, massive DDoS attacks (linked article in Dutch) have brought low the online services of several banks, interrupting mobile payments and slowing down overall online financial traffic. At the center of the digital storms is ING, which was hit first (Dutch) and is hit the most often (Dutch), but Rabobank, ABN AMRO and SNS Bank are also frequent targets. Dutch online payment system iDeal has also been attacked several times, impacting virtually all Dutch banks as well as the many online retailers that use it.

What the goal behind this wave of DDoS attacks is, is as yet unknown, but there are several possible motives at play. It could be simple vandalism, a rather hefty attempt at misdirection to cover up real hacking attempts, or it could have something to do with ING and ABN AMRO being implicated or involved with investigations into tax evasion through offshore banking by the ICIJ. The latter seems unlikely, as most of the DDoS traffic appears to be coming from Romania (according to hackers collective HacksIn – I had a link about that, but lost it somehow) and no motive has made itself known thus far. It was a matter of time until Anonymous came along to jump on the bandwagon, and indeed its Dutch chapter appears to have done so this week when someone posing as Anonymous posted a message on Pastebin. In it, they claim to know who is behind the DDoS attacks (a group of Muslim extremists called Izz al-Din al Qassam Cyber Fighters), and that the Dutch people should go out and collect their money from these banks because it is not safe there.

There are, however, some issues with this post on Pastebin. Firstly, the group they blame for the DDoS attacks is in fact the group responsible for attacks on US BANKS, and there is no discernible link between the US banks being hit or the Dutch banks currently under attack. The motive for the attack against US banks seems clear: Izz al-Din al Qassam demands the removal of the movie “Innocence of Muslims” from Youtube. Once the movie is removed the attacks will stop, they claim. To my knowledge, no such demands have been made here in the Netherlands.

The second issue is that the advice posed by Anonymous would, in fact, immediately collapse the Dutch financial market, as no Dutch bank is currently strong enough to survive such a proposed bank run. They simply don’t have sufficient cash in their vaults. In other words: this is a really bad idea.

So what now?
For starters, ING should hire someone who knows how to communicate during a crisis. Its obvious that they suck at it. They’ve finally stepped off their “Silence, Evade, Deny” strategy but its taken a while. All major companies should look into this, because they may very well be next. Second, major companies with a serious online presence should really start taking this stuff seriously. DDoS attacks are hardly new material to deal with, and proper impact negation tactics have been around for a while. If your income is dependant on online services and this income is significant, get a real ISP that understands this and has expertise in countering such digital vandalism such as Arbor Networks or Prolexic.

The bad news is that according to a recent Prolexic report, DDoS attacks are getting increasingly stronger. They have seen the first 130GB/s DDoS attack this year, and during the first quarter of this year the average attack bandwidth was 48.25GB/s, which signifies a whopping 718% increase over last year. The increase seems to come from a change of victims in the botnets (Dutch) they use. Apparently, they are now targeting web servers especially for their higher bandwidth capacity, which in turn increases overall attack bandwidth. On top of that, the DDoS attack seems to have regained its popularity because the targetlist is growing. Airlines such as KLM (Dutch) and Dutch authentication firm DigID (Dutch) have also recently been hit with massive attacks. In an effort to stave off this wave of disruptions, the Dutch National Cyber Security Center has been organising collective defense (Dutch) between Dutch banks, but it seems they may have to include firms from other walks of life as well. I think we can safely conclude that this avenue of attack is still very worthwhile and won’t be going away anytime soon.

In fact, things may get a lot worse if this newly discovered DDoS technique gets incorporated. Apparently Incapsula mitigated a small attack of 4GB/s recently, and they traced it back to a single source. Generating 8 million DNS queries per second, causing ALL of the 4 GB/s traffic by its lonesome, certainly qualifies it to be called a DDoS Cannon instead of a lowly bot. I don’t know if it is technically feasible, but imagine 100K+ systems doing this.

Wrapping up this piece, I would like to ask mainstream news reporters to please start learning some basic truths about information security. Stop referring to DDos attacks as “(sophisticated) cyber attacks”. They’re not. A DDoS attack is annoying, yes. But on the scale of sophistication they rate roughly as digital graffiti. Also, some major outages are caused by stupidity from the victim rather than an outside source. At least ONE major outage on april 4th of this year at ING was caused by someone messing up certain files that had to be read into a system. This caused a major outage and customers seeing the wrong amount on their bank accounts. This incident was also the most significant failure of ING’s webcare / crisis communication because they didn’t do anything until the problem was almost fixed (many hours later). Still, mainstream media fed the panic frenzy that it was an external “sophisticated cyber attack” until the absolute very end. Very poor reporting if you ask me. Proper reporting matters because your news is read by people who take it for immediate truth. You can, and do, cause panic and unrest when you blow things out of proportion, so please stop doing so. Thank you.

The Value of Secure Coding Procedures

MatrixDigitalRainI recently had a very interesting conversation with Dave Hyman of Checkmarx, who asked me how I saw the future of cyber security (or information security, take your pick). Now, as I’m sure you´ll agree with me, that’s a fairly abstract question that can go a lot of ways. My friends will confirm that I enjoy waxing philosophical discussions like that, but given what Checkmarx does with code security, that is the direction this talk went. And there really is a lot to say about secure coding practices that I feel doesn’t quite getting the limelight it deserves. Any Information Security course or lesson in Security certification will stress that security should be part of the code design practice rather than being tacked on at a later stage; I couldn´t agree more. Unfortunately, security precautions made in the coding process, which turns a design into a working product, are often overlooked and that is a mistake.

(Before I continue: I should note that I am NOT a professional coder; if I make a mistake in my reasoning, please let me know.) In a paper I once wrote I referred to “industry standard” with regards to the amount of bugs per line of code. The argument being that as long as humans would keep writing software, the ´human element´ guarantees that we will always remain vulnerable to exploitable bugs and errors in code. Of course not all bugs lead to exploitable vulnerabilities, but a percentage will and that is a problem and a great risk. I dug up my source, a book called Code Complete by Steve McDonnell. The book points out that the Industry Average is about 15 – 50 errors per 1000 lines of code (The book was published by Microsoft Press, I am sure you won´t find it surprising that they mention that Microsoft applications have an average of 10 – 20 defects per 1000 lines of code). To put that in larger application perspective, Microsoft´s Windows 7 is estimated to have roughly 50 million lines of code; this means that if they adhered to the industry average, there are between roughly 750,000 to 2,500,000 defects in Windows 7!

Even if Microsoft´s code quality is well reviewed and above standard, we can estimate between 500,000 to 1,000,000 code errors in Windows 7! Any one of these could be mistakes that allow remote code execution, which is considered the jackpot for anyone trying to hack their way into the system. Mind you, these are just mistakes and mistakes will happen no matter what you do. A good quality control program should be able to detect and reduce this number of detected errors. Some/ Many of these code errors will lead to heavy security risks in the application and to the user. These coding errors are due to careless coding practice and inability to detect vulnerabilities. The code may function, but the code will be insecure. An excellent example of this is SQL Injection. SQL Injection is the ´art´ of being able to run SQL statements directly to the database backend of a website, either by using a form field or the URL box in the browser. By doing so, you can ask questions of the database that you really shouldn´t be allowed to ask, such as asking it to tell you all the usernames and passwords in the database. Or more commonly: all the credit card information of every customer in the database. This has been around since 2002 and there are several solutions available that prevent SQL Injection attacks. The fact that this technique is still responsible for the majority of major successful data breaches tells us that not everyone is aware of how proper coding technique can prevent SQL Injection attacks.

Many buffer overflow or buffer underrun vulnerabilities are also caused by not properly setting boundaries, which can be easily prevented by developers being more aware of secure coding techniques. Review of these techniques and code review solutions are what you can expect to learn at “secure coding” courses. We should seriously consider making these courses part of the norm for hiring programmers or developing programming talent. Many people will groan and protest at that statement, because it’s another burden on an already stressed industry. I agree that it is not the easiest way forward but courses and code review solutions may very well be the cheapest method to getting more secure software applications.

A secure coding class is one-off and relatively inexpensive, it beats having to actively hunt for and patch insecure code. Such an effort for secure coding must come from the software development industry itself. The end customer won´t ask secure coding because most look only at software ability cost. The customer trusts us that product is secure, and we as an industry, should accept our responsibility and enforce higher security standards on our products. This starts at practicing secure programming. At the rate we are adopting technology into our daily lives, we should start sooner rather than later.