Hack of the Week: FISA Section 702

This week's HotW comes to us courtesy of the US House of Representatives: FISA Section 702. This bill extends the US intelligence community's legal ability to collect, store, and search our internet activity and digital communications through 2024, all without any pesky warrants. Under this policy, anyone who connects to the internet is suspected of "cybercrime" by default.

Bleeping Computer shines a light on some of the troubling expansions in the bill:

Under the new bill, FISA Section 702 will now allow the NSA to collect electronic communications of US citizens if they mention certain terms, and not necessarily if they communicate with non-US citizens via email or an online chat.

Furthermore, even if the bill says the FBI must obtain a warrant before searching the NSA database for data on US citizens, a warrant is not necessary if the FBI brands the situation a national security emergency, a term considered too broad and easy to bypass by EFF and ACLU experts.

The "I-have-nothing-to-hide" camp will continue trying to defend this policy and rolling their eyes at the Fourth Amendment, but the chilling effect of mass surveillance like this has been quantified already.

This policy has the potential to be used against a wide swath of society, as the ACLU confirms:

If you are a journalist talking about North Korea, a businessman expressing thoughts about the global economy, or an ordinary person discussing the Trump border wall proposal, your conversation could be considered “foreign intelligence” under the law’s broad definition.

The broad scope of this bill combined with the chilling effect of mass surveillance yields a tool that could easily erode the freedoms of both speech and press.

However, there is a confusing wrinkle: recent reports claim the intelligence community's efforts against cybercrime rings are trivial compared to previous years. Either these surveillance powers go unused or recent targets don't fall under the "cybercrime ring" category.

Make no mistake, this broad surveillance policy will continue to be used widely, early and often. It is frustrating to have a single policy that undermines the entire security industry. This bill poses the greatest risk to digital rights since the Rule 41 renewal.

This disaster of a policy, now bill S 139, could go to a Senate vote as soon as Jan 16, a day after MLK Jr Day in the US -- ironic since Dr. King serves as a cautionary tale against unchecked surveillance.

Hack of the Week for Jan 1: Meltdown + Spectre

One of my new year’s resolutions is to produce more content on this blog. To that end, I’m introducing a new feature — Hack of the Week. No, not that new person you met who is full of themselves and bad at everything; rather, an exploit, vulnerability or breach that occurred recently. To kick it off, let’s start with a doozy — the two-headed beast known as Meltdown and Spectre, both cache side channel attacks. Both share their own website, a decent indicator of cybersecurity celebrity these days. There are many excellent accounts out there of these two hacks; the short version is that they both impact nearly every computer manufactured since the mid 90s — yes, most likely including the one you’re using at the moment — and give an attacker access to data in memory. The good news is that there is a fix; the bad news is the trade-off: the fix may slow down our devices.

Meltdown and Spectre were publicly disclosed on Jan 3, although a few different research groups had discovered the vulnerabilities at some point in the past year. If you are reading this, you’re almost guaranteed to be at risk. But since this is a hardware exploit, unless you gave someone else access to your device, either in person or through a file download, your device should be okay (unless you run JavaScript willy-nilly; some advice on that here). Vendors have provided patches by now, so as always — patch early, patch often, and update your browser and extensions. Now that you’ve taken steps to harden your device, the real risk is any website you visit and your data stored there.

The threat model is slightly different on the web. While various companies' websites have their own chunk of cyberspace, the servers that host these websites may live on the same hardware. A report last year by ZDNet cites a single cloud provider as claiming roughly a third of the cloud market share at the time. So while your banking website and healthcare provider probably don’t live on the same hardware and no doubt have strong security teams, it is possible that one of their neighbors fell victim to Meltdown or Spectre. So, if your personal device is a stand-alone house, the websites you visit are different rooms in an apartment building… and who knows if there’s a creeper in one of those other units.

The good news is that cloud providers are incentivized to keep their systems patched and updated, including patches for Meltdown and Spectre. And the major players are doing exactly that. The downside is slower machines, as ZDNet reports. Cloud-hosted websites and services won’t necessarily slow down, though: companies running their websites on cloud providers have two options to mitigate performance loss: 1) host on faster (and more expensive) machines or 2) add additional machines. The question becomes who picks up the additional costs for those solutions.

Patching systems and provisioning heftier systems is a short-term solution. Since these are hardware vulnerabilities, the long-term fix will require a complete processor chip redesign and physical system upgrade — by no means a quick turn or cheap solution.

An exciting start to 2018.

Industry standardization: the answer for IoT security

It’s been a busy week for IoT and security. Between the DDoS on Krebs’ website and the subsequent release of alleged source code, to Yahoo’s unprecedented, full access custom-built NSA search tool, to the arrest of a purported “Second Snowden” (spoiler alert: not so much), there’s been plenty of news on the wire. But Bruce Schneier’s thoughts on IoT security may be the most impactful for IoT security policy in the near future.

For the uninitiated, Mr. Schneier is a world-renowned expert in computer security — he has authored numerous books on the subject in addition to contributing to several cryptographic algorithms. I was thrilled when he joined the board of directors at EFF, enjoy reading his blog, and consider his most recent publication one of the most important books on digital privacy. That said, Mr. Schneier’s solution for IoT security could not be more incorrect; to the point:

     The IoT will remain insecure unless government steps in and fixes the problem.

This solution is not only the least desirable path, it could cripple innovation within the IoT industry. There is a lot wrong with this approach. Industry standardization, not government regulation, is the better solution:

  • First, government actors are not subject matter experts in either IoT or security, and will never be held accountable for any failures of government regulation. When the market fails, the industry is directly incentivized to repair the damage -- otherwise, they lose our business.
  • Government and the market operate under different sets of incentives and measure success differently. We would expect the market to initiate some form of industry standardization — similar standardization generated the USB and Wi-Fi protocols. Further, the successes of this standardization would benefit both market and consumer; the same is not true of government regulation.
  • While the attack on Krebs was described as “simple and amateurish” (rightly so), there’s a reason why an attack like this would succeed so well at this point in time -- IoT is in the middle of a maturity curve! No one expected gigabit throughput on a dial-up modem.
  • Most important, this is not a market failure; this is a demonstrated need for stronger security, realized through the test bed of the current state of IoT. Attacks like this are exactly what the field needs to harden IoT systems.

I’ve written before on the dynamics of IoT security — it is more complex than for other products, specifically because bad security doesn’t immediately affect the end user. It is similar to carbon emissions in cars — legislation there hasn’t filled roadways with a fleet of Priuses and bikes.

I will grant that at the moment, the typical IoT customer probably doesn’t care about the security of their system. But consider two different scenarios:

  1. An IoT attack targets a popular site. The general public’s reaction would be a lot different if Netflix were targeted instead of Krebs.
  2. Security is a two-way street. If IoT devices are marketed as more secure (and are indeed more secure), it’s possible the average consumer would be willing to pay for that perceived utility.

The economics of IoT don’t necessarily mean that exploitable devices will continue because no one cares. Certainly IoT companies are paying attention to this event; hopefully it will precipitate industry standardization of IoT security. I have stated before that standardization would be necessary for IoT security, but that the time wasn’t right. Now is the time to reconsider that.

Security challenges of IoT

At a recent panel discussion, EFF hit the nail on the head on IoT and security. A quote from EFF's Nate Cardozo:

“If the data is there you’re going to have to protect it. One way of protecting it, of course, is to not collect it in the first place... That’s a great way of keeping all of that content secure.”

Mr. Cardozo further discusses the security issues of industries that have never had to deal with security in the past, namely the medical device industry. There's genuine concern over securing data for connected devices, but perhaps a more urgent concern — especially for the medical device industry — is ransomware in IoT devices. It’s one thing to have your health data stolen; it’s another to have a connected pacemaker, for example, held for ransom.

Continuing with Mr. Cardozo’s comment on the benefits of a zero knowledge model, there are more than a few industries and devices that would benefit from a non-connected solution until either 1) the industry becomes more security-savvy or 2) IoT security becomes standardized.

IoT fragmentation as a business model

Recently, Machina Research brought news that competition in the IoT market leads to waste for those funding IoT development. It's dangerous to frame competition vaguely as waste instead of as incentive. IoT companies want that funding and will develop rapidly to gain it. From the article:

The world of IoT is currently characterized by competing technologies and platforms, further complicated by numerous standards development organizations, and this fragmentation is causing a delay in the widespread adoption of IoT.... We can’t hope to realize any smart city ambitions until all stakeholders can agree on a common set of IoT standards.

In terms of IoT security, I definitely agree with standardization. However, when considering IoT adoption and deployment, there are a few problems with trying to standardize now — the field is still too new:

  1. Standardization would hinder development at this point in the field. IoT is still a new and exciting space. Diverting effort away from development and towards standardization would negatively impact the young industry.
  2. Industry standards best come from industry experts. Most people would probably agree the USB connector is a great standard and has made connecting things easier than it was years prior. This is because it was designed by a group of industry experts from seven different companies in a mature space who needed a common solution.
  3. Opportunity and competition to become an expert drives the IoT industry at this point. The incentive and freedom to become an industry leader will have a greater impact on long-term IoT adoption and deployment. At this time, we’re all benefiting from IoT companies having the freedom to develop.

Your favorite technology/product/service was the result of companies competing for your business. IoT is no different.