Cyber Security Intelligence

August Newsletter #3 2014

The CIA Fears the Internet of Things

The major themes defining geo-security for the coming decades were explored at a forum on “The Future of Warfare” at the Aspen Security Forum moderated by Defense One Executive Editor Kevin Baron.

Dawn Meyerriecks, the deputy director of the Central Intelligence Agency’s directorate of science and technology, said today’s concerns about cyber war don’t address the looming geo-security threats posed by the Internet of Things, the embedding of computers, sensors, and Internet capabilities into more and more physical objects.

“Smart refrigerators have been used in distributed denial of service attacks,” she said. At least one smart fridge played a role in a massive spam attack last year, involving more than 100,000 internet-connected devices and more than 750,000 spam emails. She also mentioned “smart fluorescent LEDs [that are] communicating that they need to be replaced but are also being hijacked for other things.”

“The merger of physical and virtual is really where it’s at. If we don’t grok that then we’ve got huge problems,” she said. Grok, a reference to Robert A. Heinlein’s 1961 novel Stranger in a Strange Land, describes the telepathic communion of thoughts, feelings, and fears.  

Smart clothing, she said, could create security and access problems, specifically for the CIA. The same technologies that could allow millions to better monitor and manage their health could create transparency and workplace problems that “I don’t want to have to deal with.”

It has a sort of science-fictional flair, but Meyerriecks says there’s no excuse for being caught off-guard by technological events, or “punctuating technological disruptions” that are clearly visible in trends today.

“The merger of biological and cyber, those will be viewed as disruptors although we all know they’ve been invested in for decades at this point. When someone finally figures out how to productize it in a way.” By way of an example, she brought up the cell phone, “When it goes from the brick to something I can’t leave my house without, then it’s disruptive.” 

In many ways that day has already arrived. Dick Cheney, former U.S. Vice President, told 60 Minutes that he had a wireless pacemaker installed in his chest in 2007 that would have allowed his doctor to monitor his heart, online. He didn’t enable the Bluetooth broadcasting feature for fear of it being hacked. We have a hard enough time securing computers on desks. We may already face the risk of an entire generation of baby boomers becoming vulnerable to lethal cyber attacks because of Internet-enabled medical devices.

When asked if the United States was already engaged in an economic war, with intellectual property as the prize, Meyerriecks responded that “Absolutely, this is the case.” That’s evident in the fact that the U.S. is now suing five members of the Chinese military for what amounts to industrial espionage, stealing trade secrets for personal profit. It’s a lawsuit against individuals, but the Chinese government, as a whole, took it personally and suspended participation in a joint China-U.S. cyber-security working group.

“On our best day we’re 20 years away,” Meyerriecks said of true quantum computing (defined roughly as computing that everyone in computing science can agree is actually quantum in nature, achieving entanglement.) “When it happens, we have a huge challenge. We are making significant investments and paying a lot of attention.”

Steve Chan, the director of the Network Science Research Center at IBM who joined Meyerriecks on stage in Aspen, said that the search for the quantum Holy Grail was not only confused but also largely unnecessary. Quantum is generally referred to as computation that takes advantage of the unique behaviors of quantum bits, or qubits, to represent information in multiple ways, as opposed to ones and zeros. “Nowadays,” he said “we can do custom chip design so we can use binary rules but three digit representations that get basically the same value, with fewer digits, which saves computational cycles.”

The threats and the opportunities of technological acceleration occupy the same space.
When asked about the major investment areas of the future, Lynn Dugle, a vice president at military contractor Raytheon, enthusiastically offered up big data and described the “opportunity to know things, through cyber-analytics, through personal analytics.” She cited a common industry forecast that more than 50 billion machine-to-machine connected devices would inhabit the globe by 2020 (according to figures from Cisco), versus approximately 13 billion today.

Calling Big Data a big opportunity has become almost “glib” according to Meyerriecks. But it’s an area where the CIA is also focusing its major investments and building the capability to do the sort of highly targeted and individual-specific data collection that would make today’s NSA activities look positively quaint. It’s big data that “dwarfs today’s Twitter feeds,” she said, and emphasized that it was data specific to an individual, not everyone, “that’s targeted collection. Not random collection.”

US military studied how to influence Twitter users in Darpa-funded research

The activities of users of Twitter and other social media services were recorded and analysed as part of a major project funded by the US military, in a program that covers ground similar to Facebook’s controversial experiment into how to control emotions by manipulating news feeds.

Research funded directly or indirectly by the US Department of Defense’s military research department, known as Darpa, has involved users of some of the internet’s largest destinations, including Facebook, Twitter, Pinterest and Kickstarter, for studies of social connections.

While some elements of the multi-million dollar project might raise a wry smile – research has included analysis of the tweets of celebrities such as Lady Gaga and Justin Bieber, in an attempt to understand influence on Twitter – others have resulted in the buildup of massive datasets of tweets and additional types of social media posts.

Several of the DoD-funded studies went further than merely monitoring what users were communicating on their own, instead messaging unwitting participants in order to track and study how they responded.

Shortly before the Facebook controversy erupted, Darpa published a lengthy list of the projects funded under its Social Media in Strategic Communication (SMISC) program, including links to actual papers and abstracts.

Darpa, established in 1958, is responsible for technological research for the US military. Its notable successes have included no less than Arpanet, the precursor to today's Internet, and numerous other innovations, including onion routing, which powers anonymising technologies like Tor. However, thanks to some of its more esoteric projects, which have included thought-controlled robot arms, citywide surveillance programs and exo-skeletons, the agency has also become the subject of many conspiracy theories, and a staple in programmes like the X-Files.

Unveiled in 2011, the SMISC program was regarded as a bid by the US military to become better at both detecting and conducting propaganda campaigns on social media.

However, papers leaked by NSA whistleblower Edward Snowden indicate that US and British intelligence agencies have been deeply engaged in planning ways to covertly use social media for purposes of propaganda and deception.

Documents prepared by NSA and Britain's GCHQ (and previously published by the Intercept as well as NBC News) revealed aspects of some of these programs. They included a unit engaged in “discrediting” the agency’s enemies with false information spread online.

Earlier this year, the Associated Press also revealed the clandestine creation by US Aid of a Twitter-like, Cuban communications network to undermine the Havana government. The network, built with secret shell companies and financed through a foreign bank, lasted more than two years and drew tens of thousands of subscribers. It sought to evade Cuba's stranglehold on the Internet with a primitive social media platform.

Several studies related to the automatic assessment of how well different people in social networks knew one another, through analysing frequency, tone and type of interaction between different users. Such research could have applications in the automated analysis of bulk surveillance metadata, including the controversial collection of US citizens’ phone metadata revealed by Snowden.

Several of the DoD-funded projects went further than simple observation, instead engaging directly with social media users and analysing their responses.

What Your Boss Still Doesn’t Understand About Social Media

Social media has come to be an accepted part of business, but so many business executives still see it as a secondary part of day-to-day operations—something they know they need to do, but don’t really feel is important. Often, this is due to common misconceptions about social media that were either false from the get-go or have come to be false as these tools have evolved.

Lots of business leaders are becoming increasingly social media savvy, but in most companies, those higher on the corporate ladder have a lot to learn from the people working for them. Here are 5 things your boss still might not understand about social media, and how to counter these misconceptions.

As social networks are evolving with business in mind, they are identifying ways to make enterprises money. There’s a stigma about social media not actually driving any revenue to businesses, but more often than not this is related to a lack of understanding in how to track social media ROI.

To identify how social media is contributing to your bottom line, you need to tie it to existing business goals. Much in the same way as traditional advertising channels, social networks can drive sales and leads, increase exposure to marketing materials and signups, create brand advocates and so much more, often for cheaper than their traditional counterparts. Identify the metrics you want to track and then use analytics tools such as Hootsuite Analytics, Google Analytics and Salesforce to track your progress. Adjust what isn’t working and improve what is, and repeat the process.

Print is losing its audience and television is rapidly being overtaken by social media as YouTube reaches more US adults aged 18-34 than any cable network. Social media is the new frontier for driving revenue to your business.

Even if this is how most social networks began, all major social networks have now built business applications and structures into their tools. This isn’t an exaggeration. We all know about LinkedIn’s professional uses and Facebook and Twitter ads, but even Instagram and Pinterest— secondary networks for most companies— are experimenting with advertising and targeting the enterprise with custom content.

Social media gets a bad rap because hackers like the Syrian Electronic Army intentionally make their attacks a matter of publicity. In most of the popular cases we read about in the news, like the hacking of the Onion Twitter account, the accounts were hacked using login information obtained through phishing emails, not through any security breach on the social networks themselves.

In 2014, computer security software company McAfee predicted that mobile malware and mobile attacks would see the biggest growth, including attacks on mobile enterprise infrastructure where security technology is still “immature.” They also said attacks on PC operating systems and cloud-based software will greatly increase as well. And while McAfee expects social network attacks to rise too, the report is a clear illustration of how far behind cybersecurity is on all fronts. Social media is no different than any other software when it comes to password security in that it requires the same degree of caution.

A study by Weber Shandwick found CEOs that engage on social media are 10 per cent more likely to be seen as open, honest and respectful, and 25 per cent more likely to be seen as friendly and people-focused. The same study found over 80% of respondents believe CEOs who engage in social media make better leaders, are more trustworthy and enhance the brand image.

And if you’re looking for more direct ROI, Netflix chief executive Reed Hastings notably caused Netflix shares to jump 6.2 per cent by writing on his personal Facebook account, which has 200,000 subscribers, that Netflix’s monthly online viewing had grown to over 1 billion hours.

Internet of Things will make software fastest-growing market in 2014

The IT market is booming, with spending on course to rise by 3.2 percent this year compared with 2013, reaching a total of $3.8tn worldwide, boosted in part by businesses' response to the Internet of Things.

The biggest growth will come in the enterprise software market, which analyst Gartner expects to leap by 6.9 percent. The firm predicts sales of $320bn for 2014, compared with $299bn in 2013.

Richard Gordon, managing vice president at Gartner, told V3 that software sales will receive a boost as firms transition to become digital businesses. "The history of the internet has seen it going from being targeted at people, for example with email and file transfers, then to e-business and e-commerce via websites.

The next phase is digital business, the convergence of people and business and things," he explained. "As we start to connect up the Internet of Things, there will be a lot more data around. As that data comes into the organisation, we're seeing spending on database management and data analytics as enterprises try to figure out the speed and complexity of the data and where it's coming from." According to Gartner, Microsoft will be the biggest earner in the software space this year, followed by Oracle.

The area of technology that will generate the most overall revenue is telecom services, which will be worth $1.655tn this year, up slightly by 1.3 percent compared with 2013. This encompasses fixed and mobile spending across businesses and consumers. IT services are the next most valuable, with Gartner predicting a total spend of $964bn in this area, up 4.6 percent year on year.  Gordon said the UK could see a boost in this area, as the government begins to focus less on cutting back its spending and more on investing in technology, after five years of austerity in the public sector.

Gartner's predictions show that there is still room for growth in the hardware market, with the device market due to rise 4.4 percent from $660bn in 2013 to $689bn in 2014. This growth will be aided by sales of mid-tier premium phones in mature countries, and low-end Android phones in developing markets. The predictions could be of concern for Apple, as Gartner has seen a slowdown in sales of high-end phones such as the iPhone, which it expects to continue. 

Firms are spending the smallest amount of their IT budgets on data centre systems, according to Gartner, although this market is still expected to be worth $143bn this year, up 2.3 percent. Gartner said virtualisation and cloud adoption are leading to a rise in sales of data centre Ethernet switches, while mobile endpoints are helping boost the wireless LAN equipment market.

If you do this - the NSA Will Spy on You

Worried about the NSA monitoring you? If you take certain steps to mask your identity online, such as using the encryption service TOR, or even investigating an alternative to the buggy Windows operating system, you’re all but asking for “deep” monitoring by the NSA.

TOR is an encryption network developed by the U.S. Naval Research Laboratory in the 1990s. The military’s hope was to enable government workers to search the web without exposing their locations and identities. The system today is widely available, runs on open source code and is popular among privacy advocates as a more secure alternative to open Internet surfing, particularly in countries with repressive regimes. It works by encrypting the user’s address and routing the traffic through servers that are located around the world (so-called “onion routing.”) How does the NSA access it? Through a computer system called XKeyscore, one of the various agency surveillance tools that NSA leaker Edward Snowden disclosed last summer.

According to a recent report from the German media outlet Tagesschau, a group of TOR affiliates working with Tagesschau looked into the source code for XKeyscore. They found that nine servers running TOR, including one at the MIT Computer Science and Artificial Intelligence Laboratory, were under constant NSA surveillance. The code also revealed some of the behaviors that users could undertake to immediately be tagged or “fingerprinted” for so-called deep packet inspection, an investigation into the content of data packages you send across the Internet, such as emails, web searches and browsing history.

If you are located outside of the U.S., Canada, the U.K. or one of the so-called Five Eyes countries partnering with the NSA in its surveillance efforts, then visiting the TOR website triggers an automatic fingerprinting. In other words, simply investigating privacy-enhancing methods from outside of the United States is an act worthy of scrutiny and surveillance according to rules that make XKeyscore run. Another infraction: hating Windows.

If you visit the forum page for the popular Linux Journal, dedicated to the open-source operating system Linux, you could be fingerprinted regardless of where you live because the XKeyscore source code designates the Linux Journal as an “extremist forum.” Searching for the Tails operating system, another Windows alternative popular among human rights watchers, will also land you on the deep-packet inspectee list.

Science fiction author Cory Doctorow, an editor at the popular technology blog Boing Boing, was quick to take exception to the findings, questioning not only the propriety of the tactics revealed in the researchers’ report but also their utility.

“Tor and Tails have been part of the mainstream discussion of online security, surveillance and privacy for years. It’s nothing short of bizarre to place people under suspicion for searching for these terms.”

More importantly, this shows that the NSA uses ‘targeted surveillance’ in a way that beggars common sense. It’s a dead certainty that people who heard the NSA’s reassurances about ‘targeting’ its surveillance on people who were doing something suspicious didn’t understand that the NSA meant people who’d looked up technical details about systems that are routinely discussed on the front page of every newspaper in the world.

Doctorow goes on to speculate, with the help of an anonymous expert, that the NSA’s intention in marking the TOR-curious for monitoring was to “separate the sheep from the goats — to split the entire population of the Internet into ‘people who have the technical know-how to be private’ and ‘people who don’t’ and then capture all the communications from the first group.”

The better able you are at protecting your privacy online, the more suspicious you become.
How many sheep and how many goats are there? Not all of the XKeyscore fingerprinting triggers apply to U.S. citizens, as mentioned above, but some 14 percent of U.S. Internet users have taken some step to mask their identity online using encryption according to the PEW Internet and American Life survey from September of last year.

The revelations underscore the fact that in the post-Snowden environment, privacy is less of a given and more of a fast-paced cat and mouse game. An encryption network, developed by the military, gains popularity among a public increasingly worried about government surveillance. The network is then hacked by the government that created it. Of course, you don’t have to be the NSA to crack TOR; you just need a bit of money. Two researchers, Alexander Volynkin and Michael McCord, will be presenting at the popular Black Hat conference next month a provocative session called “You Don’t Have To Be the NSA to Break TOR: Deanonymizing Users On a Budget.” They report that they can crack TOR and disclose a specific user’s identity for just $3000.

UK intelligence forced to reveal secret policy for mass surveillance of residents’ Facebook and Google use

Britain’s top counter-terrorism official has been forced to reveal a secret Government policy justifying the mass surveillance of every Facebook, Twitter, Youtube and Google user in the UK.

This disturbing policy was made public due to a legal challenge brought by Privacy International, Liberty, Amnesty International, the American Civil Liberties Union, Pakistani organisation Bytes for All, and five other national civil liberties organisations.

The statement, from Charles Farr, the Director General of the Office for Security and Counter Terrorism, claims that the indiscriminate interception of UK residents’ Facebook and Google communications would be permitted under law because they are defined as ‘external communications’.

Farr’s statement, published today by the rights organisations, is the first time the Government has openly commented on how it thinks it can use the UK’s vague surveillance legal framework to indiscriminately intercept communications through its mass interception programme, TEMPORA.

The secret policy outlined by Farr defines almost all communications via Facebook and other social networking sites, as well as webmail services Hotmail and Yahoo and web searches via Google, to be ‘external communications’ because they use web-based ‘platforms’ based in the US.

The distinction between ‘internal’ and ‘external’ communications is crucial. Under the Regulation of Investigatory Powers Act (‘RIPA’), which regulates the surveillance powers of public bodies, ‘internal’ communications may only be intercepted under a warrant which relates to a specific individual or address. These warrants should only be granted where there is some suspicion of unlawful activity. However, an individual’s ‘external communications’ may be intercepted indiscriminately, even where there are no grounds to suspect any wrongdoing.

By defining the use of ‘platforms’ such as Facebook, Twitter and Google as ‘external communications’, British residents are being deprived of the essential safeguards that would otherwise be applied to their communications - simply because they are using services that are based outside the UK.

Such an approach suggests that GCHQ believes it is entitled to indiscriminately intercept all communications in and out of the UK. The explanations given by Mr Farr suggest that:
