Cyber Security Report Card

Cyber security

Cybersecurity was a major topic at the recent Canadian IT Law Association conference.  It can be a daunting subject to ponder when dealing with various types of services, cloud providers, and the methods, standards and assurances available to lower the risk of a security breach.  Cyber insurance to cover some of these risks is a growing field.

This Cyber Security Report Card (pdf) is a good high level summary of the things that businesses should think about when considering security issues for their organization.  It was provided by one of the luncheon speakers, John Millar of Digital Boundary Group, which is an IT security testing firm.

(For transparency, Digital Boundary Group is a client of mine.)

Cross posted to Slaw

James Bond, Spectre, and the Surveillance Society

I don’t normally do movie reviews, but Spectre, the latest James Bond Movie, has a cautionary tale about the surveillance society that is worth commenting on. It deals with the undemocratic / totalitarian / dystopian aspects of ubiquitous surveillance.

Some reviewers have been critical about the movie, but my view of Bond movies is that they are more about entertainment than plot and character development.

Some elements of the movie are uncomfortably real – like its spin on the five eyes network.  After I saw it I wondered what Ed Snowden would think. This is what Wikipedia has to say about Snowden’s thoughts about five eyes.

The former NSA contractor Edward Snowden described the Five Eyes as a “supra-national intelligence organisation that doesn’t answer to the known laws of its own countries”. Documents leaked by Snowden in 2013 revealed that the FVEY have been spying on one another’s citizens and sharing the collected information with each other in order to circumvent restrictive domestic regulations on surveillance of citizens.

The Intercept has a good article about the movie entitled Only Edward Snowden Can Save James Bond

From The Intercept article:

Knowing everything about everyone is actually of limited use to the good guys. But it’s hugely useful to the bad guys — be they extortionists, terrorists, or power-mad bureaucrats. And if it’s collected, somewhere, be assured the bad guys can get their hands on it.

While Bond is pursuing his super-villain, his boss M wages a losing bureaucratic war with C, who’s more of an NSA/GCHQ type. M inevitably describes the massive surveillance network that C is building as “George Orwell’s worst nightmare.” In response, C literally laughs at M’s devotion to the quaint notion of “democracy.” Subtle it ain’t, but the central point — that ubiquitous surveillance is an inevitably totalitarian tool, not just inappropriate for democratic society, but actively inimical to it — is often underappreciated in the current debate.

The movie also shows us what kind of hero we need to prevent such a dystopian future — and it isn’t Bond. It’s Q, who bears a striking resemblance to Edward Snowden.

When it comes to surveillance data, it’s hard to know who the bad guys really are. Depending on what it is used for, it can be those who should be protecting us.  And if you think this information can’t get into the wrong hands, take a look at this article about the lack of security in an FBI database.

Cross posted to Slaw

Internet of Things Security Standard Proposal

The Internet of Things (IoT) is surrounded by a lot of hype.  There is great promise to be able to do and know all sorts of things when all our stuff can communicate.  That could be almost anything, including thermostats, cars, garage door openers, baby monitors, appliances, fitness trackers, and the list goes on.  Cheap sensors and easy connectivity mean that it is becoming trivial to measure everything and connect almost anything.

But with great promise comes great risk.  Our things will generate information about us – both direct and inferred.  There are security issues if these devices can be controlled by third parties or used as back doors to gain entry to other systems.  It may not be a big deal if someone finds out the temperature of your house – but it is a big deal if they can go through your thermostat and get into your home network.

These privacy and security issues must be dealt with up front and built into the devices and ecosystem.

The Online Trust Alliance (members include ADT, AVG Technologies, Microsoft, Symantec, TRUSTe, Verisign) just released a draft IoT Trust Framework to address this issue.  The draft is open for comments until September 14.

Cross-posted to Slaw

Crypto backdoors are a horrible idea

From time to time various law enforcement and government types whine that encryption is a bad thing because it allows criminals to hide from authorities.  That is usually followed by a call for security backdoors that allow government authorities to get around the security measures.

That’s a really bad idea – or as Cory Doctorow puts it in a post entitled Once Again: Crypto backdoors are an insane, dangerous idea: “Among cryptographers, the idea that you can make cryptosystems with deliberate weaknesses intended to allow third parties to bypass them is universally considered Just Plain Stupid.”

They build in a vulnerability to exploit – there are enough problems keeping things secure already.  And the thought that government authorities can be trusted to use that backdoor only for the “right” purposes, and to keep the backdoor out of the hands of others is wishful thinking.

Cross-posted to Slaw

Chatting in Secret

The Intercept has an article entitled Chatting in Secret While We’re All Being Watched that’s a good read for anyone interested in how to keep communications private.  It was written by Micah Lee, who works with Glenn Greenwald to ensure their communications with Edward Snowden are private.

Even if you don’t want to read the detailed technical instructions on how to go about it, at least read the first part of the article that explains at a high level how communications can be intercepted, and the steps needed to stop that risk.

Communicating in secret is not easy.  It takes effort to set it up, and it’s easy to slip up along the way.  As is usually the case in any kind of security – physical or electronic – it’s about raising the difficulty level for someone to breach the security.  The more effort someone might put into intercepting your communications, the more work it takes to keep them secret.  For example, you raise the sophistication level of the thief who might burglarize your house as you increase security – from locking your doors, to deadbolts, to break resistant glass, to alarms, etc.  It doesn’t take much extra security to make the thief go to another house, but it may take a lot more if a thief wants something specific in your house.

Edward Snowden’s communications, for example, require very diligent efforts, given the resources that various authorities might use to intercept those communications.

For the record, I think Snowden should be given a medal and a ticker tape parade, not jail time.  I recommend watching Citizenfour, the documentary about Snowden that won the Academy Award for Best Documentary Feature at the 2015 Oscars.  Also read security expert Bruce Schneier’s book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.  Another book to put this into context in Canada (based on my read of the introduction – I haven’t made it farther than that yet) is Law, Privacy and Surveillance in Canada in the Post-Snowden Era, edited by Michael Geist.

I challenge anyone to watch/read those and not be creeped out.

Cross-posted to Slaw

Bill C-51 (Anti-Terrorist Act, 2015) passed by Senate despite massive opposition

Bill C-51 (Anti-Terrorist Act, 2015) has been passed by the Senate despite massive opposition against its privacy unfriendly invasive powers.  See, for example, commentary by the Canadian Civil Liberties Association, this article by security law professors entitled “Why Can’t Canada Get National Security Law Right”, and this post on .

Yet in the United States, the USA Freedom Act was just passed that pulled back a bit on the ability of the NSA to collect domestic data.

There seems to be no evidence that all this invasive spying and data collection actually reduces or prevents terrorism or crime.  The cost is enormous – both in terms of the direct cost of collecting, storing and analyzing it – and the costs to the economy.  A new report from the Information Technology and Innovation Foundation says that US companies will likely lose more than $35 billion in foreign business as a result of NSA operations.

And that’s not to mention the cost to civil liberties and privacy.  As many people have pointed out, 1984 was supposed to be a warning, not an instruction manual.


Cross-posted to Slaw

Happy World Backup Day

Today is world backup day, a reminder of how important it is to back up our data – and to do it daily.

(I have not been able to figure out the origins of this day – Wikipedia doesn’t even have an entry for it – but the sentiment is a good one.)

For just one example, if your defenses are down and you get hit with a Crypto Virus that locks up all your files, you can restore your files from yesterday’s backup, rather than paying the ransom.

For practical thoughts on some things to consider about how and why to back up all your data, take a look at this article by David Bilinsky.

Also take a look at this infographic by Cloudwards – a cloud storage promoter – that has some info about the causes of lost data, and issues to consider around backup solutions.

Russian hackers amass 1.2 billion username/password combinations

A New York Times story says that: “A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses…”.  This was discovered by a company called Hold Security, that so far has not named the sites.  I’m a bit skeptical of the news, however, when Hold Security has a paid service to find out if your site is affected by this.

This emphasizes yet again the importance of using proper passwords and taking advantage of multi-factor authentication wherever it is offered.

Since the only good password is one we can’t possibly remember, and they should be different for each site, the best approach is to use a password manager.  Password managers both create strong unique passwords and save them for you.  Here’s a recent PC Mag article on The Best Password Managers.

Make sure your password to get into your password manager is a strong one, and take advantage of multifactor authentication for it.  Make sure you have a backup copy of those passwords.  And let’s hope that the password manager sites have protected themselves strongly enough that they can’t be compromised.
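To show what “strong and unique for each site” actually means in numbers, here is a small added example (written for this post, not code from any password manager or from PC Mag). It generates passwords from the operating system’s cryptographic random source, computes the entropy of a uniformly random password, and works out how long a password has to be to reach a given entropy target for a given character set. The site names are made up, and the 80-bit target is an assumption chosen for illustration.

```python
import math
import secrets
import string

# Character set for generated passwords: 52 letters + 10 digits + 32 punctuation = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly from `alphabet`.

    `secrets` draws from the OS cryptographic random source, which is what a
    password manager must use; `random` is not suitable for this purpose.
    """
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).

    This only holds for machine-generated passwords; a human-chosen password
    of the same length and character set has far less entropy.
    """
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniformly random password reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def build_vault(sites, length: int = 20) -> dict:
    """One independently generated password per site, as a password manager does.

    Reusing a password across sites means one breached site exposes the others,
    which is exactly the risk a credential dump like the one above creates.
    """
    return {site: generate_password(length) for site in sites}


def vault_is_unique(vault: dict) -> bool:
    """True if no two sites in the vault share a password."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    # Constructed site list for demonstration only.
    vault = build_vault(["bank", "email", "shop"])
    for site, pw in vault.items():
        print(f"{site:6s} {pw}  ({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    print("all unique:", vault_is_unique(vault))
    print("length for 80 bits, full alphabet:", min_length_for_bits(80, len(ALPHABET)))
    print("length for 80 bits, lowercase only:", min_length_for_bits(80, 26))
```

The last two lines make the practical point: the same 80-bit target needs a 13-character password when drawn from all 94 printable characters, but 18 characters when drawn from lowercase letters alone, and neither figure applies to a password a person made up and can remember.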

Cross posted to Slaw

Are you vulnerable to Heartbleed?

A serious flaw has been discovered in OpenSSL – the browser encryption standard used by an estimated two-thirds of the servers on the internet.  This flaw has been there for a couple of years, and allows hackers to read data stored in memory.  That gives hackers access to anything in memory, including security keys, user names and passwords, emails and documents.  More detail is on Gigaom and Schneier on Security.

An update to OpenSSL fixes the flaw.  Anyone who has a website should ask their service provider if it affects their site, and have it updated immediately.

And for those of you still using Windows XP or Office 2003 – upgrade that immediately as well.  I was surprised to read this morning that as many as 30% of Windows-based computers still use XP.  As of today, Microsoft is no longer supporting them.

[cross-posted on Slaw]