Hack of the Week: FISA Section 702

This week's HotW comes to us courtesy of the US House of Representatives: FISA Section 702. This bill extends the US intelligence community's legal ability to collect, store, and search our internet activity and digital communications through 2024, all without any pesky warrants. Under this policy, anyone who connects to the internet is suspected of "cybercrime" by default.

Bleeping Computer shines a light on some of the troubling expansions in the bill:

Under the new bill, FISA Section 702 will now allow the NSA to collect electronic communications of US citizens if they mention certain terms, and not necessarily if they communicate with non-US citizens via email or an online chat.

Furthermore, even if the bill says the FBI must obtain a warrant before searching the NSA database for data on US citizens, a warrant is not necessary if the FBI brands the situation a national security emergency, a term considered too broad and easy to bypass by EFF and ACLU experts.

The "I-have-nothing-to-hide" camp will continue trying to defend this policy and rolling their eyes at the Fourth Amendment, but the chilling effect of mass surveillance like this has been quantified already.

This policy has the potential to be used against a wide swath of society, as the ACLU confirms:

If you are a journalist talking about North Korea, a businessman expressing thoughts about the global economy, or an ordinary person discussing the Trump border wall proposal, your conversation could be considered “foreign intelligence” under the law’s broad definition.

The broad scope of this bill combined with the chilling effect of mass surveillance yields a tool that could easily erode freedoms of both speech and press.

However, there is a confusing wrinkle: recent reports claim the intelligence community's efforts against cybercrime rings are trivial compared to previous years. Either these surveillance powers go unused or recent targets don't fall under the "cybercrime ring" category.

Make no mistake, this broad surveillance policy will continue to be used early and often. It is frustrating to have a single policy that undermines the entire security industry. This bill poses the greatest risk to digital rights since the Rule 41 renewal.

This disaster of a policy, now bill S 139, could go to a Senate vote as soon as Jan 16, a day after MLK Jr Day in the US -- ironic since Dr. King serves as a cautionary tale against unchecked surveillance.

Space Cadet Friday: seeing black holes

Another feature that I'm rolling out in 2018 is Friday Space Cadet. Every Friday, instead of sharing thoughts on information security, I'll post about current events in astronomy and space, both lifelong loves of mine. Let's get to it.

Later this year, the people of Earth will finally get a chance to directly 'see' a black hole. This article does a great job of explaining black holes, why they're cool, and the technology behind the radio telescopes used to sneak a celestial peek.

Read more about the Event Horizon Telescope here.

Hack of the Week for Jan 1: Meltdown + Spectre

One of my new year’s resolutions is to produce more content on this blog. To that end, I’m introducing a new feature — Hack of the Week. No, not that new person you met who is full of themselves and bad at everything; rather, an exploit, vulnerability or breach that occurred recently. To kick it off, let’s start with a doozy — the two-headed beast known as Meltdown and Spectre, both cache side channel attacks. Both share their own website, a decent indicator of cybersecurity celebrity these days. There are many excellent accounts out there of these two hacks; the short version is that they both impact nearly every computer manufactured since the mid 90s — yes, most likely including the one you’re using at the moment — and give an attacker access to data in memory. The good news is that there is a fix; the bad news is the trade-off: the fix may slow down our devices.

Meltdown and Spectre were publicly disclosed on Jan 3, although a few different research groups discovered the vulnerabilities at some point in the past year. If you are reading this, you’re almost guaranteed to be at risk. But since this is a hardware exploit, unless you gave someone else access to your device, either in person or through a file download, your device should be okay (unless you run JavaScript willy-nilly; some advice on that here). Vendors have provided patches by now, so as always — patch early, patch often, and update your browser and extensions. Once you’ve taken steps to harden your device, the real risk is any website you visit and your data stored there.

The threat model is slightly different on the web. While various companies' websites have their own chunk of cyberspace, the servers that host these websites may live on the same hardware. A report last year by ZDNet cites a single cloud provider as claiming roughly a third of the cloud market share at the time. So while your banking website and healthcare provider probably don’t live on the same hardware and no doubt have strong security teams, it is possible that one of their neighbors fell victim to Meltdown or Spectre. So, if your personal device is a stand-alone house, the websites you visit are different rooms in an apartment building… and who knows if there’s a creeper in one of those other units.

The good news is that cloud providers are incentivized to keep their systems updated, including patches for Meltdown and Spectre. And the major players are doing exactly that. The downside is slower machines, as ZDNet reports. The secret is that cloud-hosted websites and services won’t necessarily slow down — companies running their websites on cloud providers have two options to mitigate performance loss: 1) host on faster (and more expensive) machines or 2) add additional machines. The question becomes who picks up the additional costs for those solutions.

Patching systems and provisioning heftier systems is a short-term solution. Since these are hardware vulnerabilities, the long term will require a complete processor chip redesign and physical system upgrade — by no means a quick or cheap solution.

An exciting start to 2018.

VIZIO and big data abuse

The FTC has charged VIZIO under the FTC Act and New Jersey consumer protection laws for collecting data on 11 million VIZIO TVs without consent. VIZIO has agreed to settle out of court for $2.2 million USD.

The settlement has implications for your data and IoT — an internet-connected TV is certainly an IoT device. The scale of what was allegedly collected is staggering, to the tune of pixel matching down to the second. Before you can ask if this scale of data collection, analysis, and inference is possible, the answer is yes, thanks to big data. Check out my explainer on big data — in this case, this is not a big data application, but a big data abuse by snooping on your viewing habits. Since it is possible to collect that scale of data from an IoT TV, it is possible to collect a similar picture of other IoT devices, which typically have less data to transmit.

Unfortunately, a concurrent statement released by the chairman of the FTC telegraphs that they will back off on consumer privacy concerns. The chairman supplies a weak argument claiming it is unclear if anything “unfair” is going on (emphasis mine):

[The case] alleges that granular (household or individual) television viewing activity is sensitive information. And it states that sharing this viewing information without consent causes or is likely to cause a “substantial injury” under Section 5(n) of the FTC Act.…[U]nder our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.

The data collection in question is hard to avoid when the practice is hidden from customers. Also missing from the chairman’s statement is any consideration of the effect of correlated data. Let’s give VIZIO the benefit of the doubt and assume they scrubbed all personally identifying information (PII) from the collected data. Bruce Schneier explains why correlated data is just as sensitive as PII in Data Versus Goliath:

[B]eing identified by a unique number often doesn’t provide much protection. The data can still be collected and correlated and used, and eventually we do something to attach our name to that ‘anonymous’ data record.

In addition to being a practice hostile to consumers — one would assume that's what led to the charge in question — it is unfair to the competition; by collecting data and generating a customer database without consent, VIZIO is able to sell that database to advertisers, providing VIZIO with revenue unfairly earned at the expense of consumers. This could have been avoided with an opt-in.

I’ve warned before about the risk of providing your data to a second party without knowing its final resting place — when taken without your consent, that risk becomes unimaginable. So hurry and get your very own telescreen while supplies last.

Big data in a nutshell

You’ve probably heard the term big data in the past several years. As the name might imply, it’s about analyzing a lot of data at once, like an entire laptop full of data, and often much more. We’ve all had trouble with a single file that refuses to open, is laggy, or, the ultimate sin, crashes your computer before saving. So how in the world is anyone able to process data so much larger than that? The answer is software built for this specific task that leverages affordable hardware.

As the cost of both processing power and storage has dropped, big data applications — or abuses, in some cases — have become more feasible and potentially more profitable. In order to leverage these benefits, technologies like the open source Hadoop ecosystem and Spark allow you to connect a bunch of computers together (known as horizontal scaling) to work on a large task. A good indicator of a technology’s popularity is how many companies include it in their tech stack — for Hadoop, it’s a lot.

So instead of upgrading a single computer to something approaching a supercomputer (called vertical scaling, this time), companies can use software to connect cheap computers together. For some companies, it’s more cost effective to rent computer time and storage from Amazon Web Services (AWS) or other cloud providers. The cloud is a separate explainer, though.