Tuesday, September 29, 2015

Week 5 - a follow-up to last week's discussion

This is a follow-up to last week's discussion about the hack of US government data.  My particular area of expertise is global data privacy law.  I wrote my thesis on "The Right to be Forgotten," a developing concept in Europe that gives ordinary individuals the right to have data about them that is irrelevant or out of date removed from the Internet.  I found an article that discusses data privacy legislation in the US, especially in the wake of the US government hack (Wyden, 2015).  I wanted to discuss this article in terms of what it got right and wrong.

The article was written by Senator Ron Wyden, a Democrat.  He claims that in response to the hack of the US government, Congress has proposed a bill called the Cybersecurity Information Sharing Act (CISA) that would allow the US government to get private information from private companies.  Later in the article, he concedes that the bill isn't meant to do that; it's simply worded so broadly that it would allow the NSA to snoop at unprecedented levels.  On this measure, it's hard to tell whether Senator Wyden got it right.  Is the bill worded that broadly?  Probably.  That doesn't mean it will make it into law in that version.  Will the NSA use the bill to collect private data?  I'd like to say no, but I'm not sure I believe that.  They probably would, given their recent history of going even farther.

But there's one issue in particular, near the end of the article, that is dead wrong.  Senator Wyden states that the bill shouldn't toss aside "long established protections for Americans' privacy."  When I initially read the article, I was unaware that it was written by a US Senator.  I believed it was a piece by a staff writer at The Guardian, a newspaper in the UK.  Much of Europe recognizes a right to privacy, and if you think about its history, that makes sense.  Put modern digital privacy rights in the context of Germany during WW2: when the state asked for and collected data about individuals, it did not turn out well for those individuals.  Meanwhile, in the US, we strongly favor free speech.  This free speech isn't absolute, but it is extremely broad.  We call it the "marketplace of ideas": we would rather have lots of information available so that citizens can make up their own minds about an issue.  This has caused a great divergence in online privacy rights.  In Europe, you can have information about yourself removed.  In the US, once it's on the Internet, it's likely to stay there.  The difficulty is that it's hard to draw borders online.
So why does his statement bother me?  Because it's simply wrong.  There is no enumerated right to privacy in the US Constitution.  The Supreme Court has said that a right to privacy exists in the "penumbras" of several amendments in the Bill of Rights (Griswold v. Connecticut, 1965).  In particular, it extends to a married couple being allowed to keep private whether or not they are choosing to have a child: family matters, in other words.  Other sensitive information, such as health records, is guarded by statute rather than by the Constitution; the law governs who can legally access such information and what they can do with it.  But it is an overstatement to say that Americans have a general right to privacy.  As a Senator, I wish Wyden knew this.  Furthermore, I wish he wasn't fueling an already stoked fire between the US and Europe by presenting false facts in major newspapers.

References:
Wyden, R. (2015, July 29). Congress' fix for high-profile hacks is yet another way to grab your private data. Retrieved September 29, 2015, from http://www.theguardian.com/commentisfree/2015/jul/29/congress-stop-high-profile-hacks-reduce-your-privacy

Monday, September 21, 2015

Week 4 - the government hack

In July, there was a high profile hack of government employee data.  I chose to write about this for a couple of reasons.  First, a friend of mine was affected (more below).  Second, it's pretty gutsy to hack the US government.

The story actually involves two incidents.  In May 2015, the IRS disclosed that attackers had used its online Get Transcript service to pull the tax records of roughly 100,000 taxpayers; they got in by answering the identity-verification questions with Social Security numbers, birth dates and addresses they already held.  Then, in June and July, the Office of Personnel Management (OPM) disclosed that its personnel and background-investigation databases had been breached, affecting a combined 22.1 million current, former and prospective federal employees and their families (Mindock, 2015).  Official sources have said that China is at least partially responsible for the OPM attack.

My friend worked for the IRS.  He got a letter from them saying that his information was taken.  We briefly discussed it and wondered what he was supposed to do about it.  He said that he hadn't worked there in four or five years, and was surprised that they still had information on file for him.

But it's bigger than one individual.  It takes a lot of guts to hack into the US government.  And I have a suspicion that might amplify this: I suspect that the two attacks are connected and that the first one wasn't dealt with quickly enough to shut down whatever opportunity the attackers had the second time.  It's not uncommon for an attack to go on for quite some time before it's discovered.  Meanwhile, information continues to leak out.  With the bureaucracy of the government, I would not be surprised to find out that they either didn't discover the breach quickly, or didn't act quickly.

References:
Mindock, C. (2015, July 9). US Government Cyber-Attacks Were Biggest In History, Follows Several High-Profile Hacks; 22.1 Million Files Compromised. Retrieved September 21, 2015, from http://www.ibtimes.com/us-government-cyber-attacks-were-biggest-history-follows-several-high-profile-hacks-2002565 

Monday, September 14, 2015

Sony - Week 3

The Sony hack last year (and early into this year) was interesting in a few respects.  It seems to be a lot like Stuxnet in the sense that there's a lot of legend surrounding this particular hack, and it's hard to separate out the legend from the fact.  

On November 24, 2014, a group calling itself the Guardians of Peace (GOP) took over Sony Pictures' computers, and within days it had put several unreleased Sony movies online.  Almost immediately, there was speculation that North Korea was responsible.  Mind you, not North Korean hackers, but North Korea itself.  So why did people think a government would hack a US movie studio?  At the time, Sony was about to release a movie called "The Interview".  This comedy is about a tabloid TV host and his producer who get a chance to interview Kim Jong Un, and the CIA asks them to carry out an assassination.  North Korea had said that releasing the movie would be considered an act of war.  In fact, North Korea complained to the United Nations about the film, without specifically naming it.  Given the name of the group, Guardians of Peace, this almost made sense.

The problem is, just five days after Sony was ready to pin everything on North Korea, the FBI said it could not yet attribute the attack to North Korea.  But three days later, Mike Rogers, the chairman of the House Intelligence Committee, said that North Korea was responsible.  (The FBI itself formally named North Korea on December 19, 2014.)  So the question becomes whether he was relying upon incorrect initial reports, or whether the government intelligence community thought North Korea was responsible, changed its mind, and then changed it back (in the span of eight days).

Meanwhile, after the GOP threatened violence against theaters that showed it, many movie chains refused to screen The Interview.  The movie suddenly became a pop phenomenon, and many people went to see it specifically because of all the attention surrounding the film.  I will hazard a guess that this movie would have easily flopped if the hack hadn't occurred; and if I were a more cynical person, I would write a Hollywood blockbuster where a movie studio hacks itself to build hype for a movie that's certain to flop.

That being said, it's unlikely here.  Not only did the studio end up releasing the movie online, but a great deal of employee personal data and internal email was leaked as well.  Several executives had a series of uncomfortable emails released in which they trashed various celebrities.  It's hard to get your talent to work with you if you've said nasty things behind their backs.

So who was really responsible for the hack?  That depends on who you ask.  Some are still pointing to North Korea.  Others are saying this is an inside job.  I tend to hold with RiskBasedSecurity in their "Attribution Bingo". I wonder if we can expand on the idea and make it Attribution Clue: North Korea via an insider threat trojan.  

References: 
A Breakdown and Analysis of the December, 2014 Sony Hack. (2014, December 5). Retrieved September 14, 2015, from https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/ 

Tuesday, September 8, 2015

Stuxnet - Week Two

One of my favorite stories of cybersecurity gone wrong is the Stuxnet worm.  It's become the stuff of legend, and like a lot of legends, it has so many wild stories that it's hard to separate out what's true and what's fiction.

In 2010, Iran was busy enriching uranium at its Natanz facility.  However, the centrifuges kept failing at an unusual rate and nobody could quite figure out why.  Meanwhile, in June 2010, VirusBlokAda, a computer security firm in Belarus, was asked to look at computers in Iran that kept rebooting for no known reason.  After some research, they discovered that the cause was a computer worm.  If you think of a computer worm as being similar to "The Very Hungry Caterpillar," you're not too far off track: a worm is malware that copies itself from one machine to the next on its own, without a user having to open anything, so each new infection crawls onward and looks for more hosts.

Some of the legends about Stuxnet are that it got into the Iranian nuclear facility on a USB drive, and that it caused physical damage to the centrifuges while telling the scientists that everything was running fine.  Phrased differently, legend says that some idiot plugged in a thumb drive he shouldn't have, which put the worm onto the computers; and that once it was on the computers, a computer version of Ocean's 11 was pulled off, with things breaking in the lab while the scientists upstairs thought everything was running fine.  This is a great story, it's just not entirely accurate.

There is evidence that the first infections were at companies that supplied equipment and services to the plant, and that the worm then made its own way in, spreading through removable drives and shared networks, rather than being carried straight in by a careless insider.  I find this a much more likely scenario.  Say you want to break into the US government or a large, multinational corporation.  Those are big, difficult targets.  While it's hard to take them head-on, it's much easier to find a supplier that isn't doing things properly.  Attack the supplier, then ride its trusted access (its engineers, laptops and software) into the big target.

In addition, it's probably an overstatement to say that the Iranian scientists were completely unaware that there were problems.  As the article at Wired says, they noticed the centrifuges were failing at an unusual rate.  They just didn't know the cause of the failures.  That being said, it was unusual because it caused physical damage.  That's the part of Stuxnet that continues to fascinate me.  Most cyberattacks attack digital assets.  Those assets may have real-world counterparts and cause damages because of the loss of value of the assets, but this is a computer worm that caused actual, physical damage.  It periodically changed the frequency the centrifuge motor drives were commanded to run at, far above and then far below the normal rate, while feeding the monitoring software recorded, normal-looking readings; the rotors were pushed past their limits and failed.  When the centrifuges fail, they cannot enrich uranium.  Natanz reportedly had to replace around a thousand of them, and the program was set back by months to a couple of years by most estimates, rather than decades.
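To make the "screens say fine, rotors fail" mechanism concrete, here is an added toy simulation written for this post; it is not code from Stuxnet or from any of the cited articles.  The three frequencies (1064 Hz normal, 1410 Hz and 2 Hz during the attack) are the setpoints reported in Symantec's analysis of the real payload; the rotor limit, wear model, cycle counts, sensor names and alert tolerance are all assumptions invented for the model.  A compromised controller records a stretch of normal readings, then drives the rotor out of its safe range while replaying the recording to the operators.  Two checks expose it: an independent measurement that does not pass through the controller, and the fact that real sensor noise never repeats bit-for-bit.

```python
"""Toy model of a Stuxnet-style centrifuge attack (constructed example).

Frequencies come from Symantec's analysis of the real payload; every
other number and name here is an assumption made for the simulation.
"""
from dataclasses import dataclass, field
import random

NORMAL_HZ = 1064.0      # normal operating frequency (Symantec analysis)
OVERSPEED_HZ = 1410.0   # first attack setpoint (Symantec analysis)
UNDERSPEED_HZ = 2.0     # second attack setpoint (Symantec analysis)
MAX_SAFE_HZ = 1300.0    # assumed rotor limit for this toy model
RECORD_CYCLES = 20      # assumed length of the "normal" recording to replay


@dataclass
class Centrifuge:
    """The physical rotor: what actually happens, regardless of what is shown."""
    actual_hz: float = NORMAL_HZ
    stress: float = 0.0
    failed: bool = False

    def step(self, commanded_hz: float) -> None:
        if self.failed:
            self.actual_hz = 0.0
            return
        self.actual_hz = commanded_hz
        # Toy wear model: overspeed adds stress in proportion to the overshoot,
        # a near-stop adds a fixed shock, normal running recovers slightly.
        if commanded_hz > MAX_SAFE_HZ:
            self.stress += (commanded_hz - MAX_SAFE_HZ) / MAX_SAFE_HZ
        elif commanded_hz < NORMAL_HZ * 0.1:
            self.stress += 0.05
        else:
            self.stress = max(0.0, self.stress - 0.01)
        if self.stress >= 1.0:
            self.failed = True
            self.actual_hz = 0.0


@dataclass
class Controller:
    """The PLC. Compromised, it runs the attack sequence but answers the
    monitoring system with a recording of normal operation."""
    compromised: bool = False
    cycle: int = 0
    recorded: list = field(default_factory=list)

    def command(self) -> float:
        if not self.compromised or self.cycle < RECORD_CYCLES:
            return NORMAL_HZ
        # Alternate overspeed and near-stop in blocks of 15 cycles. (The real
        # worm ran its sequence only intermittently, weeks apart.)
        phase = (self.cycle - RECORD_CYCLES) // 15 % 2
        return OVERSPEED_HZ if phase == 0 else UNDERSPEED_HZ

    def report(self, true_reading: float) -> float:
        """The value the operators' screens receive this cycle."""
        if not self.compromised:
            return true_reading
        if self.cycle < RECORD_CYCLES:
            self.recorded.append(true_reading)    # record normal operation
            return true_reading
        return self.recorded[self.cycle % RECORD_CYCLES]  # replay it


def simulate(compromised: bool, cycles: int = 60, seed: int = 1) -> dict:
    """Return what the HMI saw, what an out-of-band sensor saw, the cycles on
    which they disagreed by more than the tolerance, and when the rotor failed."""
    rng = random.Random(seed)
    rotor, plc = Centrifuge(), Controller(compromised=compromised)
    hmi, oob, alerts, failed_at = [], [], [], None
    for _ in range(cycles):
        rotor.step(plc.command())
        plc_sensor = rotor.actual_hz + rng.gauss(0, 0.5)  # sensor the PLC owns
        shown = plc.report(plc_sensor)
        # Assumed independent measurement (e.g. a vibration or power monitor)
        # wired around the PLC, so the worm cannot rewrite it.
        independent = rotor.actual_hz + rng.gauss(0, 2.0)
        hmi.append(shown)
        oob.append(independent)
        if abs(shown - independent) > 50.0:   # assumed tolerance
            alerts.append(plc.cycle)
        if rotor.failed and failed_at is None:
            failed_at = plc.cycle
        plc.cycle += 1
    return {"hmi": hmi, "oob": oob, "alerts": alerts, "failed_at": failed_at}


def hmi_looks_normal(readings: list, tolerance: float = 0.05) -> bool:
    """What the operators would conclude from their screens alone."""
    return all(abs(r - NORMAL_HZ) <= tolerance * NORMAL_HZ for r in readings)


def exact_repeats(readings: list, period: int = RECORD_CYCLES, min_run: int = 5) -> bool:
    """Cheaper second check: real sensor noise never repeats bit-for-bit, so a
    run of readings identical to those `period` cycles earlier means replay."""
    run = best = 0
    for i in range(period, len(readings)):
        run = run + 1 if readings[i] == readings[i - period] else 0
        best = max(best, run)
    return best >= min_run


if __name__ == "__main__":
    for label, flag in (("clean", False), ("compromised", True)):
        r = simulate(flag)
        print(label, "screens normal:", hmi_looks_normal(r["hmi"]),
              "replay:", exact_repeats(r["hmi"]), "first alert:", r["alerts"][:1],
              "failed at cycle:", r["failed_at"])
```

In the compromised run the operators' screens stay within five percent of normal for the whole simulation while the rotor fails at cycle 31; the out-of-band comparison fires on the very first attack cycle, and the replay check fires without any extra hardware at all.  The design point is that a monitoring path the controller can rewrite is not a monitoring path, which is why the independent sensor is modeled as bypassing the PLC entirely.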

Recently, there have been reports that a Stuxnet-style attack was attempted against North Korea's nuclear program and failed to get in.  The fact that Stuxnet is still making news in 2015 is astounding to me.  While it's been discussed regularly, people are still trying to piece together the details of what happened (and continues to happen), and separate the facts from the myth.  While the myth is great and I'd love to imagine a story that's fit for a Hollywood blockbuster, the truth appears to be less complicated.  A supplier was attacked and it caused major problems.  When phrased like that, it's not too far removed from any other cyber attack.