Showing posts with label security. Show all posts

Tuesday, July 21, 2020

Computer security and defending against insider attacks

Twitter suffered a very public attack on Wednesday, apparently only for the purpose of a bitcoin scam. But the scope of the attack raises all sorts of security questions, including how to guard against insider attacks.

Here's the NY Times story:
A Brazen Online Attack Targets V.I.P. Twitter Users in a Bitcoin Scam
In a major show of force, hackers breached some of the site’s most prominent accounts, a Who’s Who of Americans in politics, entertainment and tech.
By Sheera Frenkel, Nathaniel Popper, Kate Conger and David E. Sanger

"Twitter’s investigation into the breach revealed that several employees who had access to internal systems had their accounts compromised in a “coordinated social engineering attack,” a spokesman said, referring to attacks that trick people into giving up their credentials. The attackers then used Twitter’s internal systems to tweet from high-profile accounts like Mr. Biden’s."
************

Twitter tweeted the following:

Twitter Support
@TwitterSupport
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
7:38 PM · Jul 15, 2020·Twitter Web App
 *************
If there was ever a time in the past at which corporate computer security was merely a matter of building a wall between outsiders and inside information, that time is now well past. This Twitter attack was, at least in some respects, an insider attack, carried out by someone who had obtained Twitter employees' access. Whether that access was obtained by fooling the employees, coercing them, or co-opting them is less important than the fact that, apparently, some (and perhaps many) Twitter employees had access of a sort that let them do things they would never need to do as part of their jobs.

(Here's an earlier post which includes a link to a story in which a twitter employee was apparently also working for Saudi intelligence: Saturday, March 14, 2020 Organizations' security policies in the news)

Regardless of how this recent attack was carried out, I'm sure that Twitter is now looking hard at internal access and starting to think about how to avoid insider attacks by limiting the access of many employees.

As companies adopt "counterintelligence" security policies of this sort, there is a hidden cost, because openness promotes fruitful cooperation and problem solving, not just security vulnerabilities.

Monday, April 13, 2020

Teaching online: Singapore, NYC react to Zoombombing of online classes

Some of us are old enough to remember when email didn't come with security concerns.  Things are moving faster these days, so it's no surprise that there are Zoom trolls and scammers.  Singapore and NYC schools have decided not to use Zoom to conduct their online classes any more.

Here's the Singapore story from the Guardian:

Singapore bans teachers using Zoom after hackers post obscene images on screens
‘Very serious incidents’ have forced suspension from online schools as conferencing app faces renewed questions over security

"Singapore has suspended the use of video-conferencing tool Zoom by teachers after “very serious incidents” in the first week of a coronavirus lockdown that has seen schools move to home-based learning.

"One incident involved obscene images appearing on screens and male strangers making lewd comments during the streaming of a geography lesson with teenage girls, media reports said."
**********
Here's the NYC story from CNN:

New York City schools won't be using Zoom anymore because of security concerns
By Nicole Chavez and Sarah Jorgensen

"Schools in New York City are moving away from using the video conference app Zoom after a review of security concerns.
...
"The department does not have a central contract with Zoom, Filson said, and students and staff will be transitioning to Microsoft Teams, which has "the same capabilities with appropriate security measures in place."

"Earlier this week, federal officials began warning of a new potential privacy and security concern called "Zoombombing."
...
"Eric Yuan, the founder and CEO of Zoom, apologized to the video conferencing app's users for the privacy issues earlier this week, saying his team will stop adding new features for the next 90 days and instead focus solely on addressing privacy issues.
...
"Yuan said over 90,000 schools across 20 countries have been using the platform for online teaching since the company offered its services free of charge to schools because of the Covid-19 pandemic."

Saturday, March 14, 2020

Organizations' security policies in the news

Organizations that deal with large amounts of data have to consider issues of data security involving their own employees, and these issues sometimes conflict with issues of transparency and collegiality.  Here are a few stories about data, data leaks, and data policies.


The NY Times Magazine writes about Google:
The Great Google Revolt
Some of its employees tried to stop their company from doing work they saw as unethical. It blew up in their faces.

Buzzfeed news:
How Saudi Arabia Infiltrated Twitter

The Guardian:
Donald Trump 'offered Julian Assange a pardon if he denied Russia link to hack'
WikiLeaks published emails damaging to Hillary Clinton in 2016
Ex-congressman denies being middleman for US president

Friday, December 27, 2013

Topology lesson from the school of hard knocks (rhymes with bicycle locks)

I noticed this as I carefully locked up my bike the other day: all that remained of the bike next to mine was the connected component (the lock went through the spokes, but not even around the rim and tire of the front wheel).


Wednesday, September 19, 2012

The market for "zero day" software vulnerabilities

What can you do if you discover a brand new, never exploited ("zero day") vulnerability in a ubiquitous piece of software? Forbes is on the case: Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits

"A clever hacker today has to make tough choices. Find a previously unknown method for dismantling the defenses of a device like an iPhone or iPad, for instance, and you can report it to Apple and present it at a security conference to win fame and lucrative consulting gigs. Share it with HP’s Zero Day Initiative instead and earn as much as $10,000 for helping the firm shore up its security gear. Both options also allow Apple to fix its bugs and make the hundreds of millions of iPhone and iPad users more secure.

"But any hacker who happens to know one Bangkok-based security researcher who goes by the handle “the Grugq”–or someone like him–has a third option: arrange a deal through the pseudonymous exploit broker to hand the exploit information over to a government agency, don’t ask too many questions, and get paid a quarter of a million dollars–minus the Grugq’s 15% commission."
...
"The Grugq is hardly alone in his industry. Small firms like Vupen, Endgame and Netragard buy and sell exploits, as do major defense contractors like Northrop Grumman and Raytheon.

"Netragard’s founder Adriel Desautels says he’s been in the exploit-selling game for a decade, and describes how the market has “exploded” in just the last year.  He says there are now “more buyers, deeper pockets,” that the time for a purchase has accelerated from months to weeks, and he’s being approached by sellers with around 12 to 14 zero-day exploits every month compared to just four to six a few years ago."
***********

And here's a related article about a French firm, Vupen (which describes itself as follows: "As the leading source of advanced vulnerability research, VUPEN provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions using extremely sophisticated codes created in-house by VUPEN.")

HT: Duncan Gilchrist

Sunday, October 3, 2010

Piracy watch: can security off the coast of Somalia be privatized?

Steve Leider writes:
Piracy season is resuming off the coast of Africa with the end of the monsoon season.  Several attacks have already been thwarted by ships newly equipped with safe rooms:

Over the weekend, pirates boarded the Greek-operated MV Lugela in the Indian Ocean but were frustrated to find the Ukrainian crew had locked itself in a safe room and disabled the engine.  Unable to hold the mariners' lives to ransom or steer the ship back to base, the pirates left the cargo.

Nick Davis, a piracy expert with the United Kingdom-based Merchant Maritime Warfare Centre, explained that such panic rooms were cheap and effective.  "You need a strong master, a well-stocked citadel, so you can sit there for up to five or seven days and wait for the cavalry," he said. "If the pirates have a dark ship and no crew, they'll just look for another."  But he stressed the importance of having functioning communications equipment in the citadel.

Earlier in September, pirates boarded a German-owned ship in the Gulf of Aden. Failing to find the crew, they even called the vessel's operator out of frustration, only to be told the ship was broken and the crew "on holiday".

Unfortunately only half of the ships active in the area are believed to have such a safe room.
A multi-national naval force is also currently patrolling the area; however, it has yet to substantially reduce piracy. A major UK insurer is suggesting the creation of a private navy to be placed under the command of the existing international force to augment its activities:
A leading London insurer is pushing ahead with radical proposals to create a private fleet of about 20 patrol boats crewed by armed guards to bolster the international military presence off the Somali coast. They would act as escorts and fast-response vessels for shipping passing through the Suez Canal and the Indian Ocean.   Jardine Lloyd Thompson Group (JLT), which insures 14 per cent of the world’s commercial shipping fleet, said the unprecedented “private navy” would work under the direct control of the military with clear rules of engagement valid under international law …
Sean Woollerson, a senior partner with JLT, told The Independent: “We are looking at setting up a private navy to escort vessels through the danger zones. We would have armed personnel with fast boats escorting ships and make it very clear to any Somali vessels in the vicinity that they are entering a protected area.
“At the moment there is a disconnect between the private security sector and the international naval force. We think we can help remedy that and place this force under the control of the multi-national force. We look after about 5,000 ships and have had 10 vessels taken in total, including a seizure where one crew member was shot and killed. Piracy is a serious problem, these are criminals basically extorting funds, so why not do something more proactive?”
The force, which would have set-up costs of around £10m, would be funded by insurers and shipping companies in return for a reduction on the anti-piracy insurance premiums, which average around £50,000 per voyage and can reach £300,000 for a super-tanker. The maritime insurance industry, much of it based in London, has borne the brunt of the financial cost of the piracy problem, paying out $300m (£191m) in ransoms and associated costs in the last two years alone.
Major obstacles remain before the private navy can set sail, such as the legal status of a private force and its relationship with the Nato-controlled naval fleet. But major shipping companies and key insurers are keen to proceed with the plan. Although private contractors already offer armed teams on board vessels, the idea of a sizeable industry-funded naval force is a major departure and evidence of the strength of feeling there that more needs to be done to counter piracy.

The proposed “private navy” would therefore act in a somewhat similar fashion to the private security contractors operating in Iraq.  It will be important to clarify whether the navy would qualify as a mercenary force.  While mercenaries have historically been an important part of warfare, modern international law discourages mercenaries by withholding from them the protections afforded other combatants.  Article 47, Protocol I of the Geneva Convention regulates mercenaries as follows:
1. A mercenary shall not have the right to be a combatant or a prisoner of war.
2. A mercenary is any person who:
(a) is specially recruited locally or abroad in order to fight in an armed conflict;
(b) does, in fact, take a direct part in the hostilities;
(c) is motivated to take part in the hostilities essentially by the desire for private gain and, in fact, is promised, by or on behalf of a Party to the conflict, material compensation substantially in excess of that promised or paid to combatants of similar ranks and functions in the armed forces of that Party;
(d) is neither a national of a Party to the conflict nor a resident of territory controlled by a Party to the conflict;
(e) is not a member of the armed forces of a Party to the conflict; and
(f) has not been sent by a State which is not a Party to the conflict on official duty as a member of its armed forces.

Wednesday, December 30, 2009

Airport security and privacy

Recent discussions of airport security in the post underpants-bomber era make it clear that privacy is a complex issue. For example, if an airport screener is going to see a digital image of what you look like under your clothes, is your privacy preserved better if the screener can't also see your face? If the screener is in a remote viewing room?

Debate Over Full-Body Scans vs. Invasion of Privacy Flares Anew After Incident
"The technology exists to reveal objects hidden under clothes at airport checkpoints, and many experts say it would have detected the explosive packet carried aboard the Detroit-bound flight last week. But it has been fought by privacy advocates who say it is too intrusive, leading to a newly intensified debate over the limits of security."
...
"But others say that the technology is no security panacea, and that its use should be carefully controlled because of the risks to privacy, including the potential for its ghostly naked images to show up on the Internet."
...
"“I’m on an airplane every three or four days; I want that plane to be as safe and secure as possible,” Mr. Chaffetz said. However, he added, “I don’t think anybody needs to see my 8-year-old naked in order to secure that airplane.”"
...
"Images produced by the machines in the days before privacy advocates began using phrases like “digital strip search” could be startlingly detailed. Machines used in airports today, however, protect privacy to a greater extent, said Kristin Lee, a spokeswoman for the T.S.A.
Depending on the specific technology used, faces might be obscured or bodies reduced to the equivalent of a chalk outline. Also, the person reviewing the images must be in a separate room and cannot see who is entering the scanner. The machines have been modified to make it impossible to store the images, Ms. Lee said, and the procedure “is always optional to all passengers.” Anyone who refuses to be scanned “will receive an equivalent screening”: a full pat-down."

Tuesday, September 1, 2009

"Girl taxi" and "Ladies Nights"

The WSJ reports 'Girl Taxi' Service Offers Haven to Beirut's Women.

"...these days the city's transport staple is facing some serious competition from a growing army of female taxi drivers, dressed in stiff-collared white shirts, dark shades, pink ties and small pink flowers tucked into their flawlessly coiffed hair.
All of them drive for Banet Taxi, or "girl taxi" in Arabic. It is Lebanon's first cab service for women, by women. You can't miss the company's signature candy-pink cars."
...
"The company is part of a regional trend. Entrepreneurs across the Middle East have recognized the business potential in offering secure transportation options for women. Banet Taxi follows on the heels of successful women-only transportation models in Dubai, Tehran and Cairo."

..."It is the promise of a safe and uneventful ride that attracts a wide range of female passengers: older women who want a quiet drive, young women out partying until late at night, and even preschoolers put in the cars by their teachers.
Passengers' reasons for choosing Banet are based, in part, on their cultural and religious backgrounds. Beirut's population breaks down roughly into thirds, Christian, Sunni and Shiite. Conservative Muslim women might take Banet Taxi to accommodate rules against traveling with unknown men. Others just want to put comfort and safety first."

While single sex markets thrive in some venues, others use gender as a basis for discriminatory pricing, with different prices for men and women. Economists mostly don't find this malign in two-sided platforms like those that provide dating opportunities, since they need to attract both genders in comparable proportions. So, for example, some clubs have 'ladies nights,' in which women are admitted for free or at a lower cover charge.

One lawyer is very annoyed by this: N.Y. Lawsuit Calls 'Ladies' Night' Discriminatory. However, Roy Den Hollander ("anti-feminist lawyer," as the N.Y. Times describes him) seems to be mostly losing these cases, and has drawn this unsympathetic portrait from the New Yorker: Hey, La-a-a-dies!

Wednesday, June 10, 2009

Theft and armed robbery

Theft is such a threat to civilization that it made it into the ten commandments. As an opportunistic act it must be as old as property, but it probably didn't become a profession until after markets allowed the development of concentrated and transportable forms of wealth. Even so, theft as a profession, and its close cousin, armed robbery, must be at least as old as agriculture.

So for a very long time, at least for some kinds of items, part of marketplace design includes ways to thwart thieves, or catch them. But security is costly in many ways, not least being that if you make your marketplace hard for thieves to enter, you may also discourage customers. So losses from theft (and payment of theft insurance premia) are often a cost of doing business, leading to the occasional story that could be a movie: Well-dressed thief steals €6 million worth of Chopard jewels in Paris.

"Suspicion has fallen on the Pink Panthers, the name given to a diffuse international gang with origins in the Balkans. French police describe the group’s crimes as lightning-fast hold-ups: daring, but planned down to smallest detail.
In December thieves staged a €74 million jewel theft at the Harry Winston boutique in the Avenue Montaigne, near the Place Vendôme, off the Champs-Elysees. Four robbers, two disguised as women, calmly emptied the store as staff and customers lay on the floor.
The Harry Winston raid came a year after the same store was attacked by robbers who forced staff to empty its safes, taking at least €10 million worth of jewels.
The Pink Panthers have accumulated loot worth up to €200 million in an estimated 120 attacks on stores in around 20 countries since their first robbery in Mayfair in London in 2003.
Two weeks ago Paris police arrested two Serbians, alleged to be Panthers, and charged them with carrying out armed raids on stores in Monaco, Switzerland and Germany.
Last Thursday a former soldier from Montenegro, also said to be a Panther, was sentenced to 15 years in jail for a 2005 jewel robbery in the Riviera resort of Saint-Tropez. The court in Draguignan also fined Dusko Martinovic €130,000 for the raid, which he carried out in 90 seconds with two accomplices who have not been caught. The trio escaped into the Mediterranean aboard a speed boat before the police reached the boutique that they had emptied.
The world record for a jewellery theft remains the $100 million (£62 million) robbery of diamonds in Antwerp, Belgium, in 2003. "

While diamonds can presumably be resold easily, some items, like an iconic artwork or a thoroughbred race horse are too identifiable. But that doesn't always protect them from theft: sometimes thieves steal them and try to ransom them back to the original owners, and sometimes they may be destined to be enjoyed privately by wealthy criminals in distant places. Here's one list of The 10 Most Infamous Heists, some of them still unsolved.

Update: The Times of London reports on a modern form of theft: Criminal gang bought own music on iTunes and Amazon using stolen cards.
A gang of criminal musicians bought their own music online with stolen credit cards, and received royalties...

Tuesday, June 2, 2009

Market for bodyguards

A big cost of having full-time bodyguards is overtime pay, particularly for those who travel a lot or have an active nightlife. So, in an economy move, Scotland Yard is increasing the number of protection officers assigned to protect the British Royals, whose younger members apparently need several shifts: Royal protection unit boosted by 150 extra armed protection officers.
"Metropolitan Police protection officers for the Royal family, diplomats and politicians work up to 70 hours a week, particularly on foreign trips, and receive overtime payments of up to £30,000 a year.
A decision to boost the 400-strong team by up to 150 officers is the result of a review that has also raised questions about the costs of looking after junior members of the Royal family."