UK close to banning the use of WhatsApp, iMessage and SnapChat to protect National Security.


Applications that provide end-to-end encrypted messaging, such as WhatsApp, are under threat in countries that increasingly rely on interception as part of their national security strategy. The UK is proposing new legislation as part of the so-called “Snoopers’ Charter” (the Draft Communications Data Bill) that would effectively ban applications such as WhatsApp, iMessage and Snapchat because their messages are encrypted in a way the authorities cannot read. Under the proposed bill, Internet Service Providers would also have to monitor customers’ online activity and keep logs of it for 12 months.

This is no surprise: mass surveillance in the name of national security and counter-terrorism is already widespread and expanding around the world. Five of the most controversial programmes are:

China – 1998 the Great Firewall of China

This is a censorship and surveillance programme built by the Chinese government to filter and control the content the public can reach. It also prohibits individuals from using the internet to harm national security, spread “false rumours” or promote socially undesirable behaviour such as gambling or violence. The programme is highly controversial, and China has been widely criticised for it by human rights and civil liberties groups.
USA – 2001 Patriot Act
This was introduced after the September 11 attacks and the anthrax letters that followed. It was an extremely controversial bill that many felt was an over-extension of the US government’s surveillance powers. Some of the most contentious provisions allowed government agencies to:
  • Confiscate the property of foreign persons believed to have planned or aided an attack on the USA.
  • Carry out roving surveillance of individuals under investigation (intercepting a person’s communications on whatever line or device they use, an extension of conventional wire-tapping).
  • Issue National Security Letters demanding records about individuals without their knowledge.
  • Detain terrorism suspects without access to lawyers and without hearings or formal charges.

The law was controversial because, in the view of its critics, it rolled back civil liberties guaranteed under the US Constitution, such as the right to privacy and freedom from unreasonable searches and seizures.

Although it originated under the Bush administration, subsequent administrations and Congresses have kept extending it, as the US has grown reliant on it as a counter-terrorism measure. Its expiring provisions were renewed in 2011 and again in 2015 (through the USA FREEDOM Act), and are due for renewal once more in 2019.

France – 2015 Patriot Act
Following the Charlie Hebdo attacks, France passed its own version of the Patriot Act (the Intelligence Act) in June 2015. Despite opposition from civil liberties groups, the bill was adopted by the Senate on 9 June 2015 with overwhelming support. It authorises French intelligence agencies to conduct mass surveillance of communications without prior judicial approval and to deploy new infrastructure to sniff electronic communications. The law also requires Internet Service Providers to install equipment that scans internet traffic for patterns of terrorist activity.
Australia – 2015 Data Retention laws
Australia has been wire-tapping phones for years, and the number of intercepts has increased year on year. The government has also requested private information, such as web browsing histories and account details, from ISPs and search engines (such as Google), and transparency reports show that these requests are increasing. As of August 2014, government agencies can obtain this information without a warrant and without the user being told. The government has recently passed a data retention bill that requires ISPs to store metadata on user activity for two years. Australia is also a member of the Five Eyes intelligence alliance.
Russia – SORM (System for Operational-Investigative Activities)
Russia is a surveillance state with extensive powers, and SORM gives the security services direct access to telecommunications networks. This even led the US to issue the following travel advice ahead of the Sochi 2014 Winter Olympics:
“Consider traveling with “clean” electronic devices—if you do not need the device, do not take it. Otherwise, essential devices should have all personal identifying information and sensitive files removed or “sanitized.” Devices with wireless connection capabilities should have the Wi-Fi turned off at all times. Do not check business or personal electronic devices with your luggage at the airport. … Do not connect to local ISPs at cafes, coffee shops, hotels, airports, or other local venues. … Change all your passwords before and after your trip. … Be sure to remove the battery from your Smartphone when not in use. Technology is commercially available that can geo-track your location and activate the microphone on your phone. Assume any electronic device you take can be exploited. … If you must utilize a phone during travel consider using a “burn phone” that uses a SIM card purchased locally with cash. Sanitize sensitive conversations as necessary”
http://www.worldpolicy.org/journal/fall2013/Russia-surveillance

The new social. Will you thrive or get left behind?


Social media is changing everything: the way we get jobs, run businesses and consume content. The changes are becoming as disruptive as the internet itself. So how will this affect you? History tells us that those who ride the waves can thrive and even make millions out of thin air just by keeping abreast of the trends. For example, Kevin Ham built a $300 million empire simply by registering domain names before the companies that wanted them got there; from registering www.greeting.com alone he made a cool $350K. We are on the cusp of another great change, and we have been on this journey for a while now. So, given the changes…


How we get a job
The traditional cover letter and résumé are becoming less relevant. Although they are still very much used in recruitment, employers and recruiters are increasingly turning to social media platforms such as LinkedIn and Facebook to filter candidates. LinkedIn was valued at $26.15 billion in July 2015, almost triple what it was worth at the same time in 2012. According to experts, 98% of recruiters and 85% of hiring managers use LinkedIn to find and screen candidates. Fashion models now need an active Instagram account with a strong follower base to be selected for campaigns.

So what does this mean for you and future you?
There is a growing trend of recruiters approaching candidates directly through social media sites such as LinkedIn and Twitter, so the traditional flow, where candidates approach employers or recruiters about jobs, has flipped. If this continues, fewer jobs will be advertised and filled through traditional means. How do candidates stand out in this environment? Will it depend on how they market their skills, on their activity and influence on social media, or both?

How we consume news
Before the internet, print was king and the newspaper was the main way most people received news. The printed press has been in steady decline ever since. Today more news is consumed on social media than ever before, as everyone reads and shares news content. Instead of visiting news sites, people find news shared in their Twitter, LinkedIn and Facebook feeds. Consumers choose what they want to share, and journalists, bloggers and businesses can reach their readers instantly. People are also able to respond. There is nothing more gratifying for a wronged consumer than to post a very public complaint and receive a few hundred likes and shares from other disgruntled customers.

So what does this mean for you and the future you?
The scale of citizen journalism today offers a freedom no previous generation has had. Anyone can create newsworthy content and influence public opinion on matters close to their heart, which gives everyone the opportunity to take part in any discussion they like.


How we conduct business
The internet challenged many bricks-and-mortar businesses, and whole categories have been declared dying, from music and record stores (e.g. Sanity) to book shops (e.g. Borders). Businesses learnt quickly that the difference between sinking and swimming was to establish an online presence and get SEO right. Consumers now also expect to be able to form an authentic connection with the brands they shop with. Forbes recently published findings on millennial consumer habits, including:

  • 99% aren’t influenced at all by advertising
  • 43% value authenticity over content
  • 62% engage with brands on social network
  • 75% expect brands to give back to society

http://www.forbes.com/sites/danschawbel/2015/01/20/10-new-findings-about-the-millennial-consumer/

What does this mean for business today and in the future?
As people are spending more time on Social Media and connecting to businesses through these platforms, will the success of building an active and connected follower base become as important as SEO?

Cracking the Enigma: How Alan Turing was destroyed by the people he saved

During WW2, Germany coordinated its war strategy through encrypted messages passed from central command to its armed forces, enciphered by operators using the Enigma machine. Enigma used symmetric cryptography: the same key setting was used for both encryption and decryption. Each letter passed through a series of electrical paths (a plugboard, three rotating wheels and a reflector) to produce a highly scrambled output, and the rotors advanced with every keypress so that the substitution changed from letter to letter. The key was the Enigma set-up itself: the choice and order of the wheels, the ring settings and the plugboard connections. Configurations were changed daily, and every month the Germans distributed a key sheet to Enigma operators listing the settings for each day. Anyone who wanted to decrypt the traffic needed that key sheet, because with roughly 159 million million million (1.59 × 10^20) possible settings, trying every configuration by hand was out of the question.
The British needed a fast method to recover the daily settings. German troops were advancing fast and the Allies needed an advantage. They assembled a team of mathematicians and problem solvers to build a decryption machine. Alan Turing led the effort at Bletchley Park to create one he called the Bombe (not to be confused with the earlier Polish machine, the bomba, from which the name was borrowed). Exploiting a critical flaw in Enigma, the Bombe could recover a day’s rotor settings in as little as 20 minutes. Because the reflector meant that a letter could never be enciphered as itself, a guessed fragment of plaintext (a “crib”, such as a routine weather report) could only sit at positions in the ciphertext where no letter lined up with itself; starting from such a crib, the Bombe ran through the rotor positions and rejected every rotor and plugboard hypothesis that led to a contradiction. It did this very quickly using electrical circuits rather than hand calculation.
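The rule just described, that Enigma never enciphers a letter as itself, is easy to see in code. The following is an added example, not from the original post: a minimal simulator of the Enigma I (rotors I, II and III with their historical wirings, reflector B, ring settings at A and no plugboard) together with the “crib drag” check Bletchley used before a Bombe run, which slides a guessed plaintext along the ciphertext and discards every offset where a letter would have had to encipher as itself. The rotor wirings are the historical ones; the message, the crib and the start positions are constructed for the example.

```python
from string import ascii_uppercase as A

# Historical Enigma I rotor wirings (wiring, turnover notch) and reflector B.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Enigma:
    """Three rotors listed left to right; ring settings fixed at A, no plugboard."""

    def __init__(self, order=("I", "II", "III"), positions="AAA"):
        self.wirings = [ROTORS[r][0] for r in order]
        self.notches = [A.index(ROTORS[r][1]) for r in order]
        self.pos = [A.index(p) for p in positions]

    def _step(self):
        # The right rotor steps on every keypress. The middle rotor steps when
        # the right rotor sits on its notch, and when the middle rotor itself is
        # on its notch it steps again and carries the left rotor (double step).
        left, mid, right = 0, 1, 2
        if self.pos[mid] == self.notches[mid]:
            self.pos[mid] = (self.pos[mid] + 1) % 26
            self.pos[left] = (self.pos[left] + 1) % 26
        elif self.pos[right] == self.notches[right]:
            self.pos[mid] = (self.pos[mid] + 1) % 26
        self.pos[right] = (self.pos[right] + 1) % 26

    def _through(self, idx, c, forward):
        # Pass contact number c through rotor idx at its current offset.
        w, p = self.wirings[idx], self.pos[idx]
        if forward:
            return (A.index(w[(c + p) % 26]) - p) % 26
        return (w.index(A[(c + p) % 26]) - p) % 26

    def _key(self, letter):
        self._step()                      # rotors move before the letter is lit
        c = A.index(letter)
        for i in (2, 1, 0):               # right -> middle -> left
            c = self._through(i, c, forward=True)
        c = A.index(REFLECTOR_B[c])       # the reflector pairs contacts up, so
        for i in (0, 1, 2):               # no contact can return to itself
            c = self._through(i, c, forward=False)
        return A[c]

    def run(self, text):
        """Encipher (or, with the same settings, decipher) an uppercase string."""
        return "".join(self._key(ch) for ch in text if ch in A)


def crib_positions(ciphertext, crib):
    """Offsets at which the crib could sit: any offset where a crib letter lines
    up against the same ciphertext letter is impossible on Enigma."""
    return [i for i in range(len(ciphertext) - len(crib) + 1)
            if all(c != p for c, p in zip(ciphertext[i:i + len(crib)], crib))]


def demo():
    plaintext = "KEINEBESONDERENEREIGNISSEWETTERBERICHTFOLGT"  # constructed sample
    crib = "WETTERBERICHT"                                  # guessed fragment
    ciphertext = Enigma(positions="QEV").run(plaintext)
    decrypted = Enigma(positions="QEV").run(ciphertext)     # same key both ways
    candidates = crib_positions(ciphertext, crib)
    return ciphertext, decrypted, candidates, plaintext.index(crib)


if __name__ == "__main__":
    ct, pt, cands, true_pos = demo()
    print("ciphertext:", ct)
    print("possible crib offsets:", cands, "(true offset:", true_pos, ")")
```

With all rotors at A, typing AAAAA produces BDZGO, the usual sanity check for an Enigma I simulator. The true crib offset always survives the drag; what the check buys is the elimination of the other offsets, which is what made a Bombe run tractable.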


Because the British wanted to keep reading German traffic, the operation continued in secret. This work saved countless lives and contributed to Allied success in key battles, including D-Day. After the war, Alan Turing worked at the National Physical Laboratory and in 1950 published “Computing Machinery and Intelligence”, the paper on machine intelligence that introduced what is now called the Turing test.

Despite these achievements, Turing’s contribution to the Allied victory went largely unrecognised in his lifetime. In 1952 he was prosecuted for homosexuality, then a criminal offence in Britain, and given a choice between imprisonment and hormone treatment intended to “cure” him. He chose the hormone treatment. It did not “cure” anything; it left him with lasting physical and emotional harm, and he died in 1954 at the age of 41. It was not until 2009 that Britain issued an official apology to Turing.


Gordon Brown, in that 2009 apology: “He truly was one of those individuals we can point to whose unique contribution helped to turn the tide of war,” said Brown. “The debt of gratitude he is owed makes it all the more horrifying, therefore, that he was treated so inhumanely. … Alan and the many thousands of other gay men who were convicted as he was convicted, under homophobic laws, were treated terribly.”

http://www.findingdulcinea.com/news/on-this-day/March-April-08/On-this-Day–British-WWII-Code-Breaker-Goes-on-Trial-for-Homosexuality.html


Alan Turing is now regarded as a founding father of computer science and artificial intelligence and a pioneer of modern cryptanalysis. In 2014 Benedict Cumberbatch played him in The Imitation Game, which became the highest-grossing independent film of that year. It was nominated in eight categories at the 87th Academy Awards, won the People’s Choice Award at the 39th Toronto International Film Festival, and was also recognised for bringing Turing’s legacy to the public. Turing was honoured at the 2015 London Pride march as a Pride Hero, with his family marching on his behalf. The march happened to coincide with the landmark US Supreme Court ruling that same-sex marriage is protected under the US Constitution, making it legal across America.


Why China is a parallel universe


Visiting Shanghai this time felt like stepping into a parallel universe where things were similar but different. In a world where Apple, Twitter, Facebook, WhatsApp, Google and YouTube don’t exist, people connect through Huawei, Weibo, WeChat, Baidu and Youku. Where English is the predominant language of the internet in the West, in China it is (obviously) Chinese. In both cases, there is a proliferation of cute cat videos. It is a world where Kim Kardashian doesn’t seem to exist, whilst Hugh Jackman continues to be as popular there as he is everywhere (yay!).

Disconnection in a connected society

Even though I consider myself a fairly connected and active user of social media, I was almost invisible in China. My current follower base may be humble, but it is big enough for me to feel that I have a voice and am connected. In China, where people were sharing news and photos on their social networks, I was left feeling rather isolated. With one default Weibo follower (Expecting another one soon – I am waiting for a follow back from my cousin) and a handful of friends on WeChat, I am pretty much invisible in the Chinese online community. I also have limited things to share, as the content I consume is blocked in China.

A selfie of a selfie

You know in the past when it was considered polite to walk around someone taking a photo or wait for them to finish? Not possible. If I had to wait for someone to finish taking a selfie, I would never get anywhere! There were people even taking selfies of selfies. The dedication to the selfie has also resulted in the selfie stick, now sold everywhere in Shanghai. These selfie sticks are also like nothing I have ever seen. Multi-tiered and adjustable, these are the full works.


Another favourite memory is also one of a rainy visit to Yu Yuan market. The rain was so bad that whole crowds had gathered under covered roofs to wait for the downpour to stop before crossing over to the next covered roof. That didn’t stop the dedicated selfie takers from walking into the middle of the downpour to pose for their perfect selfie though!

Solar panels, electric cars? Old news

I was walking around the neighbourhood of ZhongShan, a wonderful part of Shanghai that is characterised by the famous ZhongShan Park which is filled with the old and the young keeping active with dance and Tai Chi. I walked past three electric cars. One was being charged, another drove past me and the third one was parked. On a separate day, I was walking in People’s Square when I also came across Solar Panels fitted on the roofs of random convenience shops. The realisation that China is using solar to power an ice-cream fridge, whilst we (in Australia) focus our efforts on trying to sell coal, is just a little bit scary. Candlesticks anybody?


QR Codes everywhere

Want to add a friend, open a link or get information on anything? All you need is a mobile phone and a QR code. Every advertisement seems to carry one so that users can reach the URL without typing it in. QR codes are also used for website log-in, payments, virtual stores (remember those?) and adding friends on WeChat. Whilst QR codes never really took off in Australia, they have in China, in a big way.

Is cloud ever secure enough?


The simplest way to define cloud is to describe it as a shared service. Instead of individuals and businesses setting up their own software/platforms or infrastructure to manage their data, they can outsource this to a cloud provider. Cloud is seen as a cost effective and environmentally friendly solution. There are now many providers offering different cloud solutions including SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). But is cloud secure enough?

This is a big question to tackle and there is no right or wrong answer that applies across the board. Instead, whether adopting cloud will meet your business or personal requirements has to be assessed case by case. Here are some of the key questions to consider when making that assessment.

1. How good is my local storage?

How good are you currently at protecting the availability, confidentiality, integrity and authenticity of your data?
If your data sits on the hard drive of a networked computer, chances are you are not applying best practice. If, on the other hand, it is stored encrypted and backed up on two or more file servers, with good physical and logical access control and logging, there may be little left to improve on. These are the two extremes; most organisations sit somewhere in between.

2. How much am I willing to invest?
To avoid spending too much on protecting data that is not really critical, or too little where data genuinely needs to be secured, assess the availability, confidentiality, authenticity and integrity requirements of your data against the protections your current local storage provides. This shows whether you have been investing adequately in protecting your data or whether that investment needs adjusting, and from there you can judge whether moving to a cloud provider would be a cost-effective and secure option.

3. How important is availability?
Whatever assurances cloud providers give about high availability, end users still need a working internet connection to reach the data, and that is not always guaranteed. Connection problems are also harder and slower to diagnose when part of the path is outside your control. Network latency adds further delay and can cause drop-outs when connecting to the provider, and this is likely to get worse as ever more devices compete for bandwidth and cause congestion.

4. How important is confidentiality and trust?
Cloud brings new challenges for confidentiality: the data has to travel over the internet, is stored remotely and is administered by somebody else. Even where providers assure you that they apply best practice for data at rest and in transit, their controls may still fall short despite the best intentions; Adobe’s 2013 breach, in which customer IDs and password data were stolen, is one example. Transport-layer encryption is not always as secure as assumed either: I have described in previous blog posts the security defects affecting SSL and weak TLS encryption.
The best way to guarantee confidentiality is to encrypt the data yourself before sending it to the cloud and to keep the keys yourself!
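The keep-the-keys-yourself principle applies to integrity and authenticity as much as to confidentiality: if the provider never sees the key, it cannot alter or substitute an object without you noticing. The following is an added example, not from the original post, using only the Python standard library: a key derived locally from a passphrase with scrypt, an HMAC-SHA256 tag computed over the object name and contents before upload, and verification on download that detects a blob the provider (or anyone else) has modified or swapped. The in-memory “bucket”, the object names and their contents are constructed for the example; the confidentiality half would add an AEAD such as AES-GCM from a library like `cryptography`, which is assumed rather than shown here.

```python
import hashlib
import hmac
import os


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Derive a 256-bit key locally; the salt is stored with the passphrase
    holder, never with the provider."""
    return hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def tag_object(key: bytes, name: str, blob: bytes) -> bytes:
    """HMAC-SHA256 over (length-prefixed name, contents). Binding the object
    name into the tag stops a valid (blob, tag) pair for one object being
    replayed under another object's name."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(len(name).to_bytes(4, "big"))   # unambiguous framing
    mac.update(name.encode())
    mac.update(blob)
    return mac.digest()


def verify_object(key: bytes, name: str, blob: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(tag_object(key, name, blob), tag)


def demo():
    # Constructed sample: a dict stands in for the provider's object store.
    salt = os.urandom(16)
    key = derive_key(b"correct horse battery staple", salt)   # stays client-side
    objects = {"q1-report.csv": b"id,amount\n1,100\n", "notes.txt": b"hello"}
    bucket = {name: (blob, tag_object(key, name, blob)) for name, blob in objects.items()}

    results = {}
    blob, tag = bucket["q1-report.csv"]
    # 1. An untouched object verifies.
    results["intact"] = verify_object(key, "q1-report.csv", blob, tag)
    # 2. A provider-side edit of the contents is detected.
    results["tampered"] = verify_object(key, "q1-report.csv", blob.replace(b"100", b"900"), tag)
    # 3. Serving another object's contents and tag under this name is detected.
    other_blob, other_tag = bucket["notes.txt"]
    results["swapped"] = verify_object(key, "q1-report.csv", other_blob, other_tag)
    return results


if __name__ == "__main__":
    print(demo())
```

The provider can store and return the tag alongside the blob; without the key it can neither forge a tag for altered contents nor move a tag between objects, and the check runs entirely on the client.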

What do you think of these questions and should there be more? Please add to the discussion below.

3 Training grounds to train the white-hacker in you


For those interested in learning about IT security or sharpening their skills, there are free websites that offer great resources and a safe training ground for new security professionals and ethical hackers. Even veterans can use them to confirm what they already know or broaden their knowledge. Before you start: a background in IT is recommended. You do not need to be an expert, but some prior knowledge goes a long way towards understanding and completing the exercises.

  1. OWASP (Open Web Application Security Project). This is a security community with a mission to keep users informed about the critical application security flaws currently being exploited. Its best-known output is the periodically updated OWASP Top 10 Most Critical Web Application Security Risks, which describes each risk, gives example attacks and explains how to avoid it. OWASP also provides free resources (videos and guidelines) for developers to test and review their own code for vulnerabilities.
  2. asecuritysite.com. Besides a great selection of theoretical reading, challenges and sample tests for certification exams (A+, CCNA and ethical-hacker certifications, to name a few), this site teaches the basics of cryptography in simple, digestible language. It also offers practical calculators that show how the underlying mathematics works, e.g. simple RSA and DSA calculators.
  3. hackthissite.org. A free training ground for white-hat hackers of all levels, with a no-nonsense, learn-by-doing approach. Once you have signed up you literally have to hack your way through the basic levels until you “graduate” to the intermediate and hard ones, and each level teaches a new lesson about insecure coding. Some exercises take patience and persistence, but the personal reward is well worth it. Attacking websites you have no permission to test is illegal and can lead to criminal charges, so if that is your intention this is not for you; but for ethical hackers or site developers and administrators who want to build safer sites and are up for the challenge, go for it!

Of course, if you still need more information about anything, there is a great community at http://security.stackexchange.com/!

How to deploy secure and convenient user authentication?


When choosing between authentication methods, businesses have a myriad of options, but striking the right balance between security, convenience and cost remains a fine art. As tempting as it may be to replace clunky passwords with a biometric option such as fingerprints, that is unlikely to deliver the security and convenience expected.

The choice of authentication method depends on the criticality of the information being protected and the expectations of users. Clunky as they are, passwords remain the most feasible option where single-factor authentication is enough. Where it is not, hardware tokens and biometrics add further layers of protection for businesses that need two-factor or multi-factor authentication.

The “Something you know” Factor: Passwords

Security: The security of a password scheme varies a great deal between implementations. A business can enforce strong passwords and store them only as a salted, slow hash (for example bcrypt, scrypt or PBKDF2 with a random 128-bit salt per user), or it can accept “admin123” stored in plain text or as a single unsalted hash.
Convenience: The more complex the password requirements, the more inconvenience for users. If they are too onerous, they may scare new or returning users away; if they are too lax, they may put users off for a different reason. The trade-off may be worth it if it prevents a breach that costs more to clean up. The choice depends on the business, but if the information does not require a strong password to protect it, why bother with a password at all?
Cost: The cheapest factor to implement. The investment needed may include skills, platform updates (to support strong password hashing) and user security-awareness education.
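As an added example (not code from the original post), here are the two extremes just described side by side, using only the Python standard library: a weak store that keeps an unsalted MD5 of “admin123”, which a precomputed table of common passwords reverses instantly, and a store that uses PBKDF2-HMAC-SHA256 with a random 16-byte (128-bit) salt per user, a high iteration count, a self-describing record format and a constant-time comparison. bcrypt or scrypt would be used in exactly the same way; PBKDF2 is shown because it needs no third-party package. The passwords and the small lookup table are constructed.

```python
import base64
import hashlib
import hmac
import os

# --- The weak extreme: a fast, unsalted hash (what leaked password dumps look like).
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Every user with the same password gets the same digest, so one lookup table
# (constructed here from three common passwords) reverses all of them at once.
RAINBOW = {hashlib.md5(p.encode()).hexdigest(): p for p in ("admin123", "password", "123456")}

def crack_weak(digest: str):
    return RAINBOW.get(digest)


# --- The strong extreme: per-user random salt, deliberately slow, self-describing.
ITERATIONS = 600_000      # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)                          # 128-bit random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    # Record carries algorithm and parameters so they can be raised later
    # without invalidating existing accounts.
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"

def verify_password(password: str, record: str) -> bool:
    alg, iters, salt_b64, dk_b64 = record.split("$")
    if alg != "pbkdf2_sha256":
        return False                               # unknown scheme: refuse, never guess
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


if __name__ == "__main__":
    print("weak:", weak_store("admin123"), "->", crack_weak(weak_store("admin123")))
    record = hash_password("correct horse battery staple")
    print("strong:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
```

Two calls to `hash_password` with the same password give different records because the salt is fresh each time, which is what defeats the lookup table; the iteration count is what makes each guess cost the attacker as much as it costs you.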

The “Something you are” factor: Biometric

Security: Biometric recognition (fingerprint, iris, voice, face and so on) relies on something you are, which is also something you cannot change. If that information is compromised, the victim remains exposed for life. Security researchers have already shown how to lift fingerprints from touch screens (and even from photographs) and use them to authenticate as the victim. The security of a biometric also erodes over time as it is deployed more widely, because every additional system holding a copy of the template is another place it can leak from.
Convenience: When it works, it is very convenient. It does not work all the time, however, and that causes user frustration: poor implementations or wet, dirty or damaged fingers can lock users out of systems that rely on fingerprint authentication, and background noise reduces the success rate of voice recognition.
Cost: Requires specialist security skills and experience to implement well. It may also require additional user-experience testing to assess the impact of privacy concerns, false matches and false rejections.

The “Something you have” factor: Tokens (Hard/Soft)

Security: These rely on the user possessing something (e.g. a hardware dongle, a smart card or a client certificate) in order to authenticate. It can be something they carry or, in experimental schemes, even something they ingest. The factor is relatively secure as long as the user does not lose the item or have it stolen.

Convenience: Because users must have the token with them to access the application, this can be rather inconvenient, which is why soft tokens on smartphones are increasingly popular (they are less secure than dedicated hardware tokens, because the phone is a general-purpose device exposed to malware, but they are far better than nothing).

Cost: Tokens expire or get lost and need to be renewed or replaced regularly, so token replacement is an ongoing investment for businesses, quite apart from the initial set-up.