A year in digital insecurity – nothing, and no one is safe

I have a relative who has been terrified of the Internet for years. Two decades ago, he was a heavy CompuServe user. Now, he only goes online at the library. But even he can’t escape. The Internet is everywhere now. It is in cars, on TV. It connects to medical devices, to toys (Barbie). It flies on airplanes, touches the power grid.

Andy Greenberg’s automobile-hacking crash-test dummy piece gets my nod as cybersecurity story of 2015.

Credit: Andy Greenberg

In reviewing the past year’s top cybersecurity stories, Lorenzo Franceschi-Bicchierai said 2015 proved that “nothing, and no one, is really safe from hackers.” Children were not spared (Vtech). Nor were corporate hackers (Hacking Team). Customers of 55 U.S. health care providers were hacked, the biggest being Anthem, which did not encrypt Social Security numbers.

Journalists and political dissidents were targeted, of course. Citizen Lab’s sleuths and the AP uncovered a South American cyber-espionage operation with all the hallmarks of state sponsorship.

Kim Zetter at Wired predicts more hacker shakedowns, break-ins in which attackers extort victims, threatening to publish pilfered data. Brian Krebs, who broke the Ashley Madison hack story, noted the opportunistic extortions that followed. (Hollywood was still smarting from the Sony hack, and celebrities led by Jennifer Lawrence are surely thinking twice now about storing nude photos on iCloud).

The proliferation of ransomware, which holds data hostage, is scary enough. Zetter anticipates a growing threat of cyber-attacks that compromise the integrity of data. The Stuxnet hack, of course, did so much more than that, and a robot last year killed a human at a Volkswagen plant in Germany, violating Asimov’s first law of robotics. Ted Koppel, meanwhile, sounded the alarm on the threat a cyber-attack could pose to the U.S. power grid. Ukraine’s grid was hit in December in what security researchers called the first known hacker-caused outage.

The year’s biggest hack was of the U.S. government’s Office of Personnel Management. It exposed sensitive personal information from job applications, including of intelligence and military employees with security clearances. In all, 21.5 million people were potentially affected, 5.6 million sets of fingerprints obtained. The authors were Chinese, though Beijing claimed the hack was NOT state-sponsored. They told U.S. officials the culprits were arrested, @nakashimae reported, but provided no further information.

The U.S. government has not proven itself a trustworthy bearer of data; protection efforts fall short.

On the cusp of Christmas, a major vulnerability was announced. Juniper Networks found two unauthorized backdoors in its NetScreen firewalls that would allow “a knowledgeable attacker” to gain access to encrypted traffic on virtual private networks. Major U.S. corporations, banks, universities and government agencies were affected. A looming question in this unsolved mystery is whether the GCHQ (and by extension the NSA) had a role in creating the vulnerabilities. Backdoors are exactly what U.S. and U.K. law enforcement want as theoretical tools against terrorism.

Silicon Valley has resisted the idea, and rightly so. Tim Cook of Apple emerged as its most passionate, articulate voice on how encryption and digital privacy are essential to our First Amendment rights and should not be sacrificed to satisfy the Department of Homeland Security.

“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it,” Cook said in June. Weakening encryption makes no sense, he said. “The bad guys will still encrypt; it’s easy to do and readily available.”

So all the 2015 security news isn’t bad, after all.

Brazil Looks to Break from U.S.-Centric Internet

RIO DE JANEIRO (AP) — Brazil plans to divorce itself from the U.S.-centric Internet over Washington’s widespread online spying, a move that many experts fear will be a potentially dangerous first step toward fracturing a global network built with minimal interference by governments.

President Dilma Rousseff ordered a series of measures aimed at greater Brazilian online independence and security following revelations that the U.S. National Security Agency intercepted her communications, hacked into the state-owned Petrobras oil company’s network and spied on Brazilians who entrusted their personal data to U.S. tech companies such as Facebook and Google.

The leader is so angered by the espionage that on Tuesday she postponed next month’s scheduled trip to Washington, where she was to be honored with a state dinner.

Internet security and policy experts say the Brazilian government’s reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.

Read full article on AP Big Story

Brazil’s about ready to poke out the “Five Eyes”

A Twitter wag asked today why Glenn Greenwald doesn’t just unload all his Snowden-endowed dirt on who is spying on Brazil in one article. I thought of the old journalistic saw: “Why, to sell newspapers, of course.” Sounds quaint, eh?

The Canadians reportedly busted open encryption to have their way with Brazil’s mining ministry. We’d already heard that the NSA spied on Petrobras and President Rousseff’s inner circle. Still to come: Details on how Brazil spies on its citizens. Have patience. Brazilian colleagues are surely working it.

It will be time soon for an update on the divorce Rousseff is preparing from the U.S.-centric Internet. Plenty of experts think that’s a bad idea and will only encourage Balkanization by really nasty regimes already bent on inhibiting the free flow of information.