Distrustful U.S. allies force spy agency to back down in encryption fight

A report today from Reuters tells the story of how the NSA’s efforts to lead the way on international encryption standards were shut down by several other members of the international community.  The story explains how several other nations were distrustful of the standards the U.S. proposed to the International Organization of Standards because of information provided by Edward Snowden indicating that the U.S. had hoped to establish standards with back doors for its own use.  The report highlights how the U.S. has behaved suspiciously in this realm before.  The full report can be read here.

My kneejerk reaction was that this was just another story highlighting how the Snowden leaks are still hurting the U.S. several years later. But after considering the narrative a little more, I realized that Snowden doesn’t matter for this scenario. Nation-states are always going to be skeptical of each other when this type of technology is on the line.  The U.S. certainly isn’t the only nation that would want to give itself an advantage when it comes to access to protected information.  If, for example, China proposed encryption techniques, the U.S. would be just as skeptical, even without a Snowden-type leak to support its thinking.

A tiger can’t change its stripes. International actors will never change their behavior and decide to put blind faith in other nations.  Even if a new, strong standard were developed and agreed upon, any one actor that found a vulnerability would keep that information to itself.   As the article points out, the result of this is lower encryption standards.  These lower standards don’t really help anyone, but don’t expect that to change anytime soon.


Cyber Round Up: A Manhattan Project for Cybersecurity, EU Scales Up Cyber-Attack Responses, Senate Defense Bill Calls for Blockchain Cybersecurity Study

  • Time for the US to Develop a Manhattan Project in Cybersecurity (The Hill): Opinion contributor Greg Clark poses the question, “If cybersecurity is one of the greatest challenges facing our nation today (and few would question that it is), why are we helping our adversary defeat billions of dollars in cyber defenses?” Clark discusses how the Freedom of Information Act allows anyone to ask the government what it’s purchasing, and proposes tactics for keeping cyber-defenses unknown to adversaries. Clark’s suggestions include developing next-generation security tools and ceasing to purchase “commercial-off-the-shelf” security tools. Read the full article here.
  • Cybersecurity: Commission Scales Up EU’s Response to Cyber-Attacks (European Commission): European Union President Jean-Claude Juncker’s State of the Union Address on Sept. 13, 2017, called for better equipping Europe against cyber-attacks. This included proposing an EU Cybersecurity Agency to assist EU Member States in combating cyber-attacks. This press release from the European Commission explains how the EU is building resilience, stepping up its cybersecurity capacity, and creating a criminal law response focused on detecting, tracing, and prosecuting cyber criminals.
  • $700 Billion Senate Defense Bill Calls for Blockchain Cybersecurity Study (CoinDesk): The Senate recently passed a bill that massively increases military spending. Included in the bill is a mandate for the Department of Defense to conduct a blockchain study. While the House of Representatives still needs to approve the bill, Ohio Senator Rob Portman included the amendment requiring the blockchain study. If the bill is passed into law, the study would follow six months later. Read the full article here.

Cyber Round Up: A Better Way to Teach Cybersecurity; Take Cybersecurity Away from Spies; EU-US Privacy Shield Review

  • A Better Way to Teach Cybersecurity to Workers (WSJ): Companies have found that punishing employees for poor cyber hygiene is not effective, according to a recent report in the Wall Street Journal.  The general consensus is that most people dread cyber security training.  Instead, companies are making progress by switching out the stick for the carrot, the article says.  Research has shown that companies using games, competitions, and the like have had better results when it comes to employees’ cyber habits.  The full article can be read here.
  • Take cybersecurity away from spies…for everyone’s sake (Wired): Commentary in an article last week addressed the inherent flaws and conflicts of interest that arise when intelligence agencies are the ones finding cyber vulnerabilities.  The post highlights statistics about the British signals intelligence agency, but also mentions the NSA.  For example, according to the post, the core exploit in the WannaCry attack was engineered by the NSA. Instead of informing Microsoft of the vulnerability, the intelligence agency chose to hold on to the information for its own use.  The article discusses how these competing interests hinder cyber security.  The full post can be read here.
  • EU-U.S. data pact faces first major test of credibility (Reuters): The EU-U.S. Privacy Shield data pact is set to be reviewed this week after its first year in place, a report over the weekend said.  The deal was meant to provide greater privacy protections for Europeans whose data ends up on U.S. servers.  The big question, according to the article, is whether the U.S. is holding up its end of the deal.  While the deal was viewed as an improvement for privacy in some respects, it has also been challenged as not going far enough, the author reports.  The full post can be read here.


Lessons Learned from Equifax

In the wake of the Equifax Data breach and the litany of issues regarding potential insider stock sales, insecure database applications, and finger-pointing between Apache and Equifax, there are some valuable lessons we should all take heed of.

  1. Trust no one, and no entity: I hate to sound overly dire but even the old “trust, but verify” adage is insufficient in the world of cyber.  One should assume that their information is insecure, that it has been breached, and mitigation then becomes the name of the game;
  2. Data, both in-flight and at-rest, should be encrypted.  Seriously, who puts data on an accessible server and then leaves the data unencrypted?  While, given enough time and resources, encryption can (generally) be broken, companies should at least try to appear as though they are interested in making hackers earn their keep;
  3. humans continue to be one of the weakest links in any cybersecurity chain. Take a look at the Argentinian Equifax web portal connected to an RDBMS accessed using admin/admin credentials.  Seriously?
  4. with respect to point #3, above: companies really need to embrace the fact that IT and IS are equal, yet separate disciplines.  While one is focused on availability and uptime, the other is (should be) focused on protecting data and ensuring that proper access controls are implemented and continuously monitored;
  5. in the infantry the common mantra is “embrace the suck”.  In cyber, the mantra should be “embrace the SOC.”  Build one in-house, or use an outsourced Security Operations Center but please, please allocate the necessary resources to identify, assess, secure, and monitor your data and information flows.

For our continuing Equifax breach coverage, please check here.


Cyber Round Up: Cybersecurity Market Projected to Reach New Highs; Law Firms Lacking Cybersecurity; The Equifax Hack’s Wide Reach

  • Growing Cybersecurity Threat Projected to Push Cybersecurity Market to New Highs (Business Insider): The cybersecurity market size is expected to reach $231.94 billion by 2022, an approximate 160% increase from its current size of $137.85 billion, according to a recent Business Insider article. The article summarizes a Markets and Markets research report, indicating security types most in focus. It also delves into recent cybersecurity advancements for companies such as FireEye Inc. and Symantec Corporation. The full article can be read here.
  • What You Need to Know About Law Firm Cybersecurity (Above the Law): Law firm in-house practices often include cybersecurity, but many don’t practice what they preach, leading to insecurities within the law firm’s own cybersecurity. A recent article looked at an ALM Legal Intelligence study which found, “22% of law firms did not have an organized plan in place to prepare for or respond to a data breach,” and “only 50% of law firms included in the study [had] cyber security teams in place” in the event of a data breach. The full piece can be found here.
  • Equifax Hack Likely Impacted All US Adults, Cybersecurity Expert Warns (Fox Business): The Equifax hack has left 143 million customers at risk of having their information stolen. However, Hiep Dang, director of Product Management at Cylance told Fox Business, “conservatively, maybe 75% [of us were affected], aggressively, probably all of us.” The article explains what makes this breach “particularly damaging.”
    You can also follow Crossroad’s Equifax hack coverage here.

Cyber Round Up: Extortion is Hackers’ Latest Weapon; Kaspersky Making Changes in U.S.?; North Korea and Bitcoin

  • Hackers’ Latest Weapon: Cyber Extortion (WSJ):  Nefarious actors in cyber space have another tool in their toolbox. Hackers are not just stealing information or holding it ransom, an article in the Wall Street Journal says, but are now digging for sensitive information that could be used to extort companies and their executives.  The article explains that exposing intellectual property or embarrassing emails can be much more damaging than other forms of attacks.  Victims of extortion from hackers include HBO, Netflix, medical clinics, casinos, and energy companies. The full article can be read here.
  • Under scrutiny, Kaspersky Lab considers changes to U.S. subsidiary (Reuters):  The Russian company is considering making changes to its subsidiary in the United States after repeated allegations that it is subject to the influence of the Russian government.  A bill that the Senate is scheduled to vote on this week includes language that would ban U.S. government agencies from using Kaspersky software, the article said.  Conflicting reports have emerged as to whether the company will be expanding in North America or completely shutting down, the article points out.  The full report can be read here.
  • North Korea is trying to amass a bitcoin war chest (CNN):  North Korea is attempting to circumvent recently imposed sanctions by building up its stock of cryptocurrencies, recent reports suggest.   A CNN report quotes one FireEye officer who explains that “Attacks on cryptocurrency exchanges can be a great vehicle to obtain what is ultimately hard currency.”  FireEye, according to the article, has linked several attacks on cryptocurrency exchanges to North Korean hackers in the months since the U.S. announced it would be taking a stronger stance against the nation. The full article can be read here.

Equifax: Let the Blame Game Begin

Equifax Blames Apache –> Apache rebuts; in the end Consumers still Lose

Equifax appears to be blaming a vulnerability in the Apache Software Foundation’s Apache Struts Web Framework, according to a post on Apache.org.  The post from the Apache Struts Project Management Committee (PMC) goes on to address the assumption that the Equifax breach relied on a vulnerability in the Struts framework that was discovered on September 4, 2017. The post posits that, if the attackers did rely on this vulnerability, it would have been a zero-day exploit, since the issue was not detected until well after the attacks, which began in mid-May 2017.  Furthermore, the PMC’s post asserts that the particular flaw outlined in CVE-2017-9805 may have existed for nine years; however, it was not a known issue during that timeframe, and the PMC asserts that as soon as Apache became aware of the issue a fix was developed and made available.

The PMC’s post goes on to outline a few key steps that businesses and individuals using Apache Struts (or any other supporting software) should implement:

  1. inventory the frameworks and libraries you are using in your software development and products and maintain visibility into new releases, patches, vulnerabilities, etc. for each of those;
  2. create and utilize a process to test and roll-out security fixes in shorter time-periods (e.g. days vs. weeks);
  3. don’t build your products on the assumption that the software you are using is flawless;
  4. create security layers — don’t create a situation where a breach from the presentation (e.g. webpage layer) can endanger underlying back-end data; and
  5. establish baselines to monitor for unusual traffic or data flows which will help to identify network anomalies and potential intrusions and exfiltrations.
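Steps 1 and 2 above are the ones that can be checked mechanically. The script below is an added illustration, not Apache’s or Equifax’s code: it reads a constructed Maven-style pom.xml, compares each dependency against a constructed advisory list (the CVE id is the one named in the post; the version range, fix date and seven-day patch window are placeholders), and reports which components are still below the fixed version and for how many days.

```python
"""Dependency inventory check: added illustration of PMC steps 1 and 2,
not Apache's or Equifax's code. All sample data below is constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed Maven-style pom.xml: the inventory of what an app depends on.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>example-util</artifactId>
      <version>1.4.2</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory feed. The CVE id is the one the post names; the version
# range and fix date are placeholders, not the contents of Apache's advisory.
ADVISORIES = [
    {"id": "CVE-2017-9805", "group": "org.apache.struts",
     "artifact": "struts2-rest-plugin", "fixed_in": "2.5.13",
     "fix_released": date(2017, 9, 5)},
]
PATCH_SLA_DAYS = 7  # "days vs. weeks": a constructed policy value


def _local(tag):
    """Strip the XML namespace that Maven POMs put on every element."""
    return tag.rsplit("}", 1)[-1]

def parse_version(text):
    """'2.5.10-RC1' -> (2, 5, 10), so versions compare numerically; as
    strings, '2.5.9' would wrongly sort above '2.5.13'."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def load_inventory(pom_xml):
    """Step 1: every (group, artifact, version) declared in the POM."""
    inventory = []
    for element in ET.fromstring(pom_xml).iter():
        if _local(element.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in element}
        if all(k in f for k in ("groupId", "artifactId", "version")):
            inventory.append({"group": f["groupId"], "artifact": f["artifactId"],
                              "version": f["version"]})
    return inventory

def find_exposures(inventory, advisories, today):
    """Step 2: flag items below the fixed version and report how long the fix
    has been available, so patch latency is measured in days, not weeks."""
    findings = []
    for dep in inventory:
        for adv in advisories:
            if (dep["group"], dep["artifact"]) != (adv["group"], adv["artifact"]):
                continue
            if parse_version(dep["version"]) < parse_version(adv["fixed_in"]):
                age = (today - adv["fix_released"]).days
                findings.append({"id": adv["id"], "artifact": dep["artifact"],
                                 "installed": dep["version"], "fixed_in": adv["fixed_in"],
                                 "days_since_fix": age, "overdue": age > PATCH_SLA_DAYS})
    return findings

if __name__ == "__main__":
    for finding in find_exposures(load_inventory(SAMPLE_POM), ADVISORIES, date.today()):
        print(finding)
```

Feeding the same function a real advisory feed and the lock files from each build is what turns step 1 from a one-off audit into the continuous visibility the PMC asks for.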

<opinion>

Dear Equifax:

Please wake up and realize that finger-pointing, trying to blame Apache or any other software product, and the incredibly poor timing of the executive stock option sales before this breach was made public are not going to help you in the court of public opinion, nor in any court of law where jurors may sit.

As a consumer and a business professional, it would have been reassuring to learn that the breach only grabbed encrypted records, since that is how you should be storing our data, or to learn that you were giving those executives the boot, since the mere appearance of impropriety was tantamount to deceit and malfeasance.  However, you chose instead to state that the executives had no idea there had been a breach days after it was discovered (in spite of the fact that the breach had been underway since mid-May) and then to assert that it wasn’t really your fault since the attacker used an exploit to exfiltrate unencrypted records.  Furthermore, if Equifax had done input validation or sanitization, then the vulnerability in Struts could not have been exploited in the first place; see this post from Imperva.

Needless to say, at this early stage in the game, Equifax’s handling of this breach since it was discovered appears to be a case study in what not to do.  As Equifax’s shares continue their downward movement and as consumers and businesses alike start to realize the repercussions of this breach, it is unlikely that Equifax has issued a single statement or taken a single step to help themselves, or their consumers and users.

Several days after the breach was discovered, some Equifax executives were able to sell their stock at $145-$146/share; today Equifax shares closed at $113.12.  Meanwhile 143M of us are waiting to sign up for “free” credit monitoring so we can see when someone tries to use this data to steal our identities.  However, as the OPM breach taught us, data is worth so much more than just identity theft.  Once you get enough data points on a person, the sky’s the limit.

In short, thanks for encrypting our precious data that would have cost you a little bit of money and would have slowed down some of your back-end processes but would have made the attackers work a whole lot harder to grab our data (in a readable and usable format).

Sincerely,

John Q. Public


We have covered this in a few other posts recently: Round Up (09/11); Equifax: Perception = Reality (09/08); Equifax: 143M Americans breached (09/07).


Cyber Round Up: iOS11 May Complicate Border Searches; N. Korea Tests Public-Private Information Sharing; Equifax Breach Coverage

  • iOS11 May Complicate Border Searches (Lawfare): Apple’s focus on protecting customer data may have some serious implications for U.S. agents at the borders, a recent article says.  The post on Lawfare explains how the new software update, iOS11, has additional security features that make accessing the contents of a phone or tablet more difficult.  The post notes that some of the features are more hype than substance, but features like requiring phones to “trust” a new computer have legitimate legal implications. The author suggests that the new feature will only allow a border agent to browse the contents of the device but not download them.  The full explanation can be read here.
  • Tensions with North Korea present a test for key US cyber program (Washington Examiner): The potential for cyber aggression between the U.S. and North Korea may shed light on how well the U.S. is sharing information between the public and private sectors, according to an article over the weekend.  The article notes that the Cybersecurity Act of 2015 emphasized this information sharing and placed the burden to do so on DHS.  In order to protect critical infrastructure, something North Korea may focus on in a cyber attack, the federal government will need to pass important information to the private sector in a timely manner. The full analysis can be read here.
  • Equifax Breach Coverage:  You don’t need this blog to inform you of the Equifax data breach that occurred late last week.  The story has grabbed headlines everywhere.  Christopher Folk provides his thoughts on the breach on this blog over the weekend. Read those comments here. 

Cybercrime Symposium: When Cybercrime Turns Violent and Abusive

The University of Maryland Francis King Carey School of Law will be hosting a symposium this Friday, September 15, 2017.  The event description is posted below and you can register here.

Brief description: The U.S. Department of Justice, Computer Crime and Intellectual Property Section, and the University of Maryland Francis King Carey School of Law invite you to attend the 2017 Cybercrime Symposium, “When Cybercrime Turns Violent and Abusive.” The Symposium will bring together multiple stakeholders to address the challenges in combating different kinds of online abuse and cyber exploitation, including cyber stalking, doxxing, non-consensual pornography, swatting, and sextortion.

Closing Keynote Address by Andrew McCabe, Deputy Director, Federal Bureau of Investigation

Additional keynote remarks by Kenneth A. Blanco, Assistant Attorney General (Acting), U.S. Department of Justice, and Annmarie Chiarini, Cyber Civil Rights Initiative

Panel 1: Holding Offenders Accountable

Carrie Goldberg, C.A. Goldberg, PLLC

Matthew O’Neil, United States Secret Service

Mona Sedky, United States Department of Justice

Benjamin Wittes, Brookings Institution

Panel 2: Balancing Free Speech Interests and Public Safety

Erwin Chemerinsky, University of California Berkeley School of Law

Danielle Citron, Francis King Carey School of Law

Brittan Heller, Anti-Defamation League

Panel 3: The Public Safety Role of Social Media and Technology Companies

Patricia Cartes, Twitter

Antigone Davis, Facebook

Mary Anne Franks, University of Miami School of Law

Panel 4: Anonymizing Technologies—Costs versus Benefits

Keith Becker, United States Department of Justice

Roger Dingledine, Tor Project

Susan Hennessey, Brookings Institution


Equifax: Where Perception = Reality, Timing is Everything

This is a follow-up to a previous post. Paul Monica’s recent article in CNNMoney indicates that officers of the Equifax Corporation sold stock shares in the days following Equifax’s data breach.  The article indicates that Equifax became aware of the breach on Saturday, July 29th, and that thereafter, on Tuesday, August 1st, and Wednesday, August 2nd, three Equifax officers sold shares of Equifax stock.  Looking at the U.S. Securities and Exchange Commission’s EDGAR system, it seems that John Gamble, CVP & CFO; Joseph Loughran III, President USIS; and Ploder Rodolfo, President Workforce Solutions, all sold stock worth nearly $1.9M in the week after the breach was “discovered.”

John Gamble: SEC Form 4

Joseph Loughran, III: SEC Form 4

Ploder Rodolfo: SEC Form 4

The article states that Equifax told CNNMoney that the executives “had no knowledge that an intrusion had occurred when they made the sales.”

{OPINION}: Business 101: Perception is everything, and this article raises a question that is (at minimum) two-fold: (1) Is Equifax so incredibly inept that a breach of epic proportions was discovered on Saturday, July 29, and yet on Tuesday, August 1st, key corporate officers still had not been made aware of it? (2) Why did Equifax even respond to the CNNMoney article if it was merely going to skirt the issue and, in doing so, demonstrate its complete lack of an internal breach notification system?

The optics on this were already bad: a data breach was discovered on July 29th, the impact is upwards of 143M records, and the news wasn’t released until after the latest news cycle covering Irma was complete on a Thursday evening.  Now it seems Equifax executives had the uncanny good fortune to offload what is soon to be a plummeting stock and net hundreds of thousands of dollars in the process.

While it is true that breaches happen even to the most secure systems, how breaches are handled once discovered can have a tremendous impact on consumer trust, goodwill, and ongoing business relationships.  Equifax is going to have to redouble its efforts and work on its PR if it wants to successfully weather this storm.

On the “adding insult to injury” track, below is a screenshot of the Equifax online verification screen to determine if you may have been compromised during their breach.




Authors

Professor William C. Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as a clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review and the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.

Shelby E. Mann

Shelby is a second year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review and the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project.

Christopher W. Folk

Christopher is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

Anna Maria is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor of the Syracuse Law Review.

Jennifer A. Camillo

Jennifer is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

Tara holds Juris Doctor and Master of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

Benjamin is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)
