BayPay Forum BayPay Forum

Improving Fraud Prevention After SWIFT-Related Heists

Category: Security News

In the wake of the interbank payments heists that exploited authentication and transaction verification weaknesses in SWIFT transactions, more banking institutions are shoring up their payment security practices, says Andrew Davies, a fraud prevention expert at core banking services provider Fiserv. One key move they're making, he says, is monitoring transactions for anomalous behavior in an attempt to catch fraud in real time.

After a series of SWIFT-related heists, including the February theft of $81 million from the central bank of Bangladesh's New York Federal Reserve account, regulators have called into question banking institutions' interbank practices for verifying payments, Davies says.

In an interview with Information Security Media Group, Davies says that more U.S. banking institutions are improving their ability to analyze and monitor various transactions in an effort to prevent all types of fraudulent transactions. "They're really monitoring that historical behavior, looking for deviations, pulling data into consortium models provided by their vendors and looking at analyzing those transactions to make sure that if something is anomalous, they can stop the transaction before it's actually released into the settlement infrastructure," he says.

Banks need to go far beyond using multifactor authentication, Davies stresses. "There are really a number of risks that need to be dealt with, and probably the best way to do that is to ... look at some behavioral monitoring of the initiation of these high-value payments," he says.

Security Challenges of Real-Time Payments

Most SWIFT transactions that push funds from one bank account to another with no customer-facing approval are conducted in real time or near real time. So lessons learned from the SWIFT-related heists must be applied as the U.S. moves toward adopting faster payments for consumers, Davies says (see Gartner's Litan Analyzes SWIFT-Related Bank Heists).

"As we move to ... a faster payment network in the United States, we need to consider the fraud risks of introducing the real-time settlement of payments," Davies says. "You have to make sure that any deployment of a real-time payments system considers the broad risks."

During this interview, Davies also discusses:

  • Why the U.S. must consider establishing a centralized settlement system before deploying real-time payments;
  • How core banking processors and vendors are helping institutions analyze data to predict fraud;
  • How real-time payments could enhance commerce and improve security.

At Fiserv, Davies serves as vice president of global market strategy within the company's financial crime risk management group. He has more than 20 years of experience in the software industry and has worked with many of the world's largest financial institutions, both private and public.

Original link

House Committee Seeks Crypto Calm

Category: Security News

Encryption, Privacy, Technology

House Committee Seeks Crypto Calm: But Legislative Group Hug Won't Change Encryption Facts
Mathew J. Schwartz (euroinfosec) • June 30, 2016

Would access to better information pertaining to encryption help Congress pass good crypto-related laws?

That's the impetus behind the U.S. House of Representatives Homeland Security Committee this week releasing a new report, Going Dark, Going Forward: A Primer on the Encryption Debate. The report is based on more than 100 meetings and briefings that the committee has had over the past year "with key stakeholders" and is meant to represent all sides of the encryption debate.

The report springs from House Homeland Security Committee Chairman Michael McCaul, R-Texas, and Sen. Mark Warner, D-Va., a member of the Senate Intelligence Committee, advocating for a National Commission on Security and Technology Challenges (see Report: Apple Building iPhone It Can't Hack). This "Digital Security Commission" would "forge a general concurrence of opinions, informed by a common understanding of the underlying facts." The top-level goal, they say, is to educate Congress on the contentious - and complex - crypto debate.

Given the anti-intellectual ethos seemingly espoused by many legislators, and crypto's hot-button "law and order" crossover, that may be an overly optimistic goal.

Paris, San Bernardino: No Crypto

Regardless, the report includes factual errors in its first paragraph that inadvertently highlight common - but erroneous - "going dark" rhetoric:

"Public engagement on encryption issues surged following the 2015 terrorist attacks in Paris and San Bernardino, particularly when it became clear that the attackers used encrypted communications to evade detection - a phenomenon known as 'going dark.' While encryption provides important benefits to society and the individual, it also makes it more difficult for law enforcement and intelligence professionals to keep us safe."

In fact, all information released to date about the attacks suggests that attackers in Paris used disposable burner phones, not encryption. Likewise, the iPhone 5c issued to San Bernardino shooter Syed Rizwan Farook by his employer - San Bernardino County - was set to require a passcode to unlock the phone. Hence both attacks are notable in part because attackers did not use encryption.

Security vs. Security

Thereafter, however, the report makes some notable points, noting, for example, that this debate isn't about "security versus privacy," but rather "security versus security," meaning that weak crypto demanded by the "good guys" can be easily abused by the bad guys, be they criminals, unfriendly nation-states or unscrupulous competitors.

The report also surveys responses to the increased use of encryption in society, including at least 63 confirmed cases involving the Justice Department attempting to use the 1789 All Writs Act in court to force Google or Apple to provide it with access to data (see Apple Accuses DOJ of Constitutional, Technical Ignorance ).

The report also touches on crypto discussions underway in some other countries:

  • Britain: The draft Investigatory Powers bill currently being debated in Parliament would allow the government to compel any organization to decrypt data or build backdoors into their products. In the face of criticism, however, the House of Lords has included a provision saying such requests must be "technically feasible and not unduly expensive," although exact definitions continue to be debated.
  • France: Legislators have been pursuing legislation that would punish any company that doesn't decrypt data when the government demands that it do so.
  • Germany and the Netherlands: Both have promised to enshrine individuals' access to strong crypto.

Strong Crypto: Can't Stop It

When it comes to the Digital Security Commission being proposed by McCaul and Warner, they say it's got the backing of everyone from CIA Director John Brennan and Apple CEO Tim Cook to former House Speaker Newt Gingrich, R-Ga. and former House Intelligence Committee member Jane Harman, D-Calif.

Cook, for example, has said: "Our country has always been strongest when we come together. We feel the best way forward would be for the government to ... form a commission or other panel of experts on intelligence, technology and civil liberties to discuss the implications for law enforcement, national security, privacy and personal freedoms. Apple would gladly participate in such an effort."

By all means, dialog is good. But the result of any crypto fact-finding mission should already be clear: Anyone who wants to use crypto will be able to do so, and there's no law Congress can pass to magically change that reality (see Why 'Cryptophobia' Is Unjustified).

Beware Weak Crypto Prophets

Earlier this month, when a Senate committee asked whether mandatory crypto backdoors would hurt U.S. businesses, Brennan tried to claim otherwise by suggesting that strong crypto exists only in the United States. "U.S. companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan said. "So although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues."

Brennan's statement was quickly dismantled by cryptography experts such as Bruce Schneier, who notes that "strong foreign cryptography hasn't been 'theoretical' for decades." Indeed, a report he co-authored, released earlier this year, counted 865 hardware or software products that use encryption, developed in 55 different countries. Two-thirds of those products hail from outside of the United States (see Crypto Review: Backdoors Won't Help).

Congress: Don't Change Now

When it comes to cybersecurity matters - such as a national data breach notification law - Congress has already carved out a niche: Do nothing (see Presidential Candidates All But Ignore Cybersecurity).

Where crypto is concerned, that's exactly what Congress should continue to do, lest legislators undermine our collective security by inflicting us with weak crypto.

Original link

Insider Threat: How Being 'Noisy' Can Reduce Fraud

Category: Security News

Fraud, Insider Fraud, Insider Threat

Bank of the West's Pollino on Why Covert Monitoring Is the Wrong Approach
Tracy Kitten (FraudBlogger) • July 5, 2016
Photo: David Pollino, deputy CISO, Bank of the West

Bank of the West's new approach to insider fraud deterrence is focused less on detection and more on keeping employees from committing fraud in the first place. Deputy CISO David Pollino says a "noisy" insider fraud program is actually more effective at reducing risk than covertly monitoring employee activity.

"By people understanding that they're being watched, it sometimes changes their behavior - and it changes their behavior in a positive way," Pollino says. "And by changing the environment - creating an environment where there's more visible monitoring that's going on and employees know there's accountability for their actions - that can change behavior and can really help keep the good employees continue to be good employees, and not convert them into the accidental fraudster."

According to recent research about insider fraud trends conducted by Bank of the West, 6 percent of insider fraud incidents are caught by accident, while only 1 to 2 percent are caught by behavioral monitoring.

So rather than hiding surveillance cameras or covertly installing software designed to track an employee's behavior and movements on the network, install cameras in plain view and tell employees that their activity is being tracked, Pollino says.

Being "noisy" about the fraud program that has been implemented could deter an otherwise good employee from being tempted by a chance to steal from the organization or its customers. And that's the overall goal of any well-thought-out insider threat program, he adds.

In this interview at ISMG's recent Chicago Fraud and Breach Prevention Summit, Pollino also discusses:

  • Why deterring employees from committing fraud is much more effective than catching them in the act;
  • How Bank of the West is approaching insider-risk mitigation;
  • Why proactive prevention of fraud committed by so-called accidental fraudsters makes such a difference.

Pollino has been with Bank of the West since 2011. Previously, he served as manager of online fraud prevention strategy and analytics for Wells Fargo and was the online risk officer for Washington Mutual. Pollino conducts ongoing research on cybercrime techniques.

Original link

Heartbleed Update: America the Vulnerable

Category: Security News

More than 200,000 Internet-connected systems remain vulnerable to the OpenSSL vulnerability known as the Heartbleed bug, more than two years after the flaw was jointly discovered by security firm Codenomicon and Google, publicly detailed, and related patches released. And the greatest number of Heartbleed-vulnerable systems are in the United States, followed distantly by China and Germany.

Those findings come via a review of 50 million Internet-connected systems that are reachable by unauthenticated users and are running SSL/TLS. The review was conducted by security researcher Billy Rios using Internet scanning data gathered by the Censys project at the University of Michigan during the week of May 30. His research was sponsored by security firm Synopsys, which acquired Codenomicon in 2015.

The results are depressing, since scans in January 2015 suggested that 250,000 Internet-connected systems - down from an April 2014 high of 1.5 million - remained vulnerable to Heartbleed, which involves an SSL/TLS vulnerability in OpenSSL (see Heartbleed Alert: Vulnerability Persists).

Rios says that the greatest number of Heartbleed-vulnerable systems are infrastructure-related. "Given the fact that Heartbleed is probably one of the most well-known vulnerabilities ever ... I'm actually a little surprised that folks who own this infrastructure do not realize that they're running something on the Internet that's vulnerable to such a bug," Rios says, especially since Heartbleed received massive public exposure after it was revealed in 2014.

"There's hundreds of tools to detect whether or not you're vulnerable to Heartbleed, every vulnerability management software suite that I know of has a Heartbleed check; the patches are certainly available for download and installation," he says. "There's no excuse for not knowing that you're vulnerable to Heartbleed."

Heartbleed Findings

In this interview with Information Security Media Group conducted at the Infosecurity Europe Conference in London, Rios also details:

  • The prevalence of Heartbleed-vulnerable network infrastructure - routers, gateways, switches - as well as Internet-connected printers.
  • The surprising number of industrial control system and supervisory control and data acquisition - a.k.a. ICS and SCADA - systems that have Heartbleed flaws.
  • Why the increasing number of Internet of Things devices being shipped to market could fuel an increase in Heartbleed infections.

Rios is the founder of information security research firm WhiteScope, based in Half Moon Bay, Calif., which in May received a $200,000 grant from the U.S. Department of Homeland Security's Science and Technology Directorate to build a secure wireless communications gateway - made specifically for Internet of Things devices - that is compliant with the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard. Previously, Rios served as director of vulnerability research and threat intelligence for Qualys, as global managing director of professional services for Cylance, and as a "security ninja" for Google. He has also served as an officer in the U.S. Marines and worked as an information assurance analyst for the U.S. Defense Information Systems Agency.

Original link

Ukraine Sees Bank Heist, Organizations Crave Deception

Category: Security News

Yet another bank has reported being the victim of hackers making fraudulent SWIFT transfers. This edition of the ISMG Security Report includes an analysis of a $10 million SWIFT heist from a Ukrainian bank, and the information security implications for all SWIFT-using banks.

You'll also hear:

  • A report by Jeremy Kirk, ISMG managing editor for security and technology, about how hackers often use legitimate administrative tools to steal data while disguising their attack, and how information security professionals must respond.
  • A discussion with Varun Haran, ISMG associate editor, about the growing use of honeypot-inspired deception technologies and strategies to help organizations better spot when they've suffered a hack attack.
  • Why Microsoft was forced to pay $10,000 in compensation to a small business owner over a Windows 10 update.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our June 28 and July 1 reports, which respectively analyze the cybersecurity, cybercrime intelligence-sharing and privacy repercussions of Britain's "Brexit" from the European Union, and how a hacker who calls himself "The Dark Overlord" has been stealing healthcare databases and then attempting to ransom them back to victim organizations in exchange for bitcoins. The next ISMG Security Report will be posted Friday, July 8.

Theme music for the ISMG Security Report by Ithaca Audio under Creative Commons license.

Original link

More Articles …

  1. PCI-DSS Compliance: Are CEOs Buying In?
  2. SWIFT Deduction: Assume You've Been Hacked
  3. Android Flaw Allows Full-Disk Crypto Bypass
  4. Congressmen: Ransomware Requires New Guidance