Why Theresa May’s Encryption Plans Are a Danger to Us All

houses of parliamentI realise it’s been a while since I posted something up here, so here’s an article I wrote recently for Top10VPN’s new Privacy Central site:

The UK has been unlucky enough to know terrorism for quite some time. Many will remember the IRA campaigns of the 1970s and ’80s. This was an era before smartphones and the internet, yet the Irish paramilitary group continued to wage a successful campaign of terror on the mainland.

It continued to recruit members and organise itself to good effect. Politicians of the modern era, led by Theresa May and various members of her government, would do well to remember this when they launch into yet another assault on Facebook, Google, and the technology platforms that are alleged to provide a “safe haven” for Islamic terrorists today.

Now she is calling for greater regulation of cyberspace, something the independent reviewer of terrorism legislation has openly criticised. Along with increasing moves across Europe and the world to undermine end-to-end encryption in our technology products, these are dangerously misguided policies which would make us all less safe, less secure and certainly less free.

Our “Sliding Doors” moment

Every time a terror attack hits, the government continues its war of words not simply against the perpetrators, but against the tech companies who are alleged to have provided a “safe haven” for them. After all, such rhetoric plays well with the right-wing print media, and large parts of the party.

“Safe haven” has become something of a mantra for the prime minister, alongside her other favorite; “strong and stable”. She argues that terrorists are hiding behind encrypted communications on platforms like Facebook’s WhatsApp and Apple’s iMessage, and are using social media platforms like YouTube to recruit members and distribute propaganda.

“We cannot allow this ideology the safe space it needs to breed. Yet that is precisely what the internet, and the big companies that provide internet-based services, provide,” May said after the London Bridge attacks. “We need to work with allied democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremism and terrorism planning.”

Part of the regulation May wants to bring in could include fining tech companies that don’t take down terrorist propaganda quickly enough. Max Hill QC, independent reviewer of terror legislation, has rightly questioned this hard-line approach.

“I struggle to see how it would help if our parliament were to criminalize tech company bosses who ‘don’t do enough’. How do we measure ‘enough’? What is the appropriate sanction?” he said in a speech reported by The Times.

“We do not live in China, where the internet simply goes dark for millions when government so decides. Our democratic society cannot be treated that way.”

China is an interesting parallel to draw, because in many ways it offers a glimpse into an alternative future for the UK and Europe; one in which government has total control over the internet, where freedom of speech is suppressed and privacy is a luxury no individual can claim to have.

The problem is that no one sees authoritarianism coming, because it happens slowly, drip by drip. Regulating cyberspace would begin a slow slide into the kind of dystopic future we currently know only from sci-fi films. As Margaret Atwood’s heroine Offred says in her acclaimed novel The Handmaid’s Tale: “Nothing changes instantaneously: in a gradually heating bathtub you’d be boiled to death before you knew it.”

In many ways, we sit today at a Sliding Doors moment in history. Which future would you prefer?

The problem with backdoors

End-to-end encryption in platforms like WhatsApp and on our smartphones and tablets is something Western governments are increasingly keen to undermine, as part of this clamp down. It doesn’t seem to matter that this technology keeps the communications of consumers and countless businesses safe from the prying eyes of nation states and cybercriminals – it’s also been singled out as providing, you guessed it, a “safe space” for terrorists.

The Snoopers’ Charter already includes provisions for the government to force tech providers to effectively create backdoors in their products and services, breaking the encryption that keeps our comms secure. In fact, the government is trying to sneak through these provisionswithout adequate scrutiny or debate. They were leaked to the Open Rights Group and can be found here.

It remains to be seen whether the British government could actually make this happen. An outright ban is unworkable and the affected tech companies are based almost entirely in the US. But the signs aren’t good. Even the European Commission is being strong-armed into taking a stance against encryption by politicians keen to look tough on terror in a bid to appease voters and right-wing newspaper editors. Let’s hope MEPs stand up to such calls.

The problems with undermining encryption in this way are several-fold. It would give the state far too much power to pry into our personal lives, something the UK authorities can already do thanks to the Investigatory Powers Act (IPA), which has granted the government the most sweeping surveillance powers of any Western democracy. It would also embolden countries with poor human rights records to do the same.

Remember, encryption doesn’t just keep terrorist communications “safe” from our intelligence services, it protects journalists, human rights activists and many others in hostile states like those in the Middle East.

More importantly, it protects the communications of all those businesses we bank with, shop with, and give our medical and financial records to. The government can’t have its cake and eat it: recommending businesses secure their services with encryption on the one hand, but then undermining the very foundations on which our economy is built with the other.

Once a provider has been ordered to create a “backdoor” in their product or service, the countdown will begin to that code going public.

It’s inevitable.

Even the NSA and CIA can’t keep hold of their secrets: attackers have managed to steal and release top secret hacking tools developed by both. In the case of the former this led to the recent global ransomware epidemic dubbed “WannaCry”.

Why should we set such a dangerous precedent, putting our data and privacy at risk, while the real criminals simply migrate to platforms not covered by the backdoor program?

“For years, cryptologists and national security experts have been warning against weakening encryption,” Apple boss Tim Cook has said in the past. “Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.”

In short, we need more police officers, constructive relationships with social media companies, and smarter ways of investigating terror suspects. Dragnet surveillance, encryption backdoors and more internet regulation is the quickest way to undermine all those democratic freedoms we hold so dear – and send us hurtling towards that dystopic authoritarian future.

Advertisements

One Year to GDPR Compliance Deadline: Time to Panic Yet?

european unionEurope’s new data protection laws might have been over a decade in the making but it would take about as long again to read every piece of advice that’s since been produced on how to comply. In search of some simple answers to a typically complex piece of European legislation, I asked a few legal experts on their thoughts.

With 13 months to go before the compliance deadline, organisations across the country will be scrabbling to ensure they’re not one of the unlucky ones caught out in the months following 25 May.

Start with the Data

Most experts I spoke to were in agreement that firms need to start by mapping their data – after all, you’ve got to know where it is and what you do with it first before working out how to keep it safe.

“For those that are compliant with existing laws, GDPR is going to be an evolution. For the others, it’s going to be a deep, radical change. In general, I think that every organisation should be working on assessing their current practices in light of GDPR,” Forrester analyst Enza Iannopollo told me.

“My advice is, regardless of the kind of support an organisation chooses, it must put together a team of internal people – hopefully the privacy team – and make sure that that team leads the work. Compliance with GDPR is not a one-off effort, but an ongoing process that has to be ingrained in firms’ business model,” she said.

Change the culture

That cultural change might be the hardest thing for organisations to achieve, although a good start is hiring a Data Protection Officer (DPO) – one of the key requirements of the GDPR. Another is the privacy impact assessment, which PwC’s US privacy lead, Jay Cline, recommends as a key stage once you’ve completed a data inventory.

“Data protection impact assessments (DPIAs) are the eyes and ears of the privacy office throughout the company,” he told me by email. “DPIAs are how chief privacy officers enlist the help of the whole company to keep their privacy controls current with all the change going on in the company.”

For Alexandra Leonidou, Senior Associate at Foot Anstey, there’ll be a key role for non-IT functions inside the organisation.

“Who needs to know about the GDPR? Who are the key stakeholders?  This isn’t just something for IT, information security teams or data officers. Boards should be aware of the risks, and HR teams need to think about employee data. Getting GDPR compliance right will be critical for marketing and communications teams’ activity,” she told me.

“You will need to engage key stakeholders and implement measures that leave you with an acceptable level of commercial risk.”

Leonidou was also keen to stress the need for independence in the DPO role.

“Guidance from Europe suggests that this role is likely to be incompatible with certain existing C-suite executives,” she explained. “The awareness-raising that follows on from the allocation of accountability will be an ongoing process.”

For those still in the dark, some useful free resources include the Article 29 Working Party and our very own Information Commissioner’s Office. It’s also expected that even post-May 25, the regulators will give firms a little bedding in time before they start going after some high profile offenders.


GDPR and Snoopers’ Charter: A Marriage Made in Hell

european unionAll over Europe organisations of all sizes are currently scrabbling desperately to get their house in order for 25 May 2018. What happens then? Only the biggest shake-up to Europe’s data protection laws in nearly a generation. The implications are immense, both in terms of the scope of the new regulation and the companies who will now be held liable.

There’s just one problem. The UK’s Snoopers’ Charter, or Investigatory Powers Act. Its enshrining into law of mass surveillance powers could create major problems down the line, possibly putting UK firms at a competitive disadvantage precisely at a time when they need the digital economy most.

What’s the problem?

Let’s start at the beginning. UK firms will have to comply with GDPR, even with Brexit looming. That’s because the extrication of the country from the EU will take at least two years from whenever Article 50 is triggered – presumably in March – and probably much, much longer. And even beyond that, the UK government has said in its Brexit white paper:

“The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.

As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.”

This implies that the UK will broadly speaking harmonise its laws with the GDPR. But the bulk data collection powers granted by the IPA mean the regime is certainly not equivocal to that in Europe. Emily Taylor, CEO of Oxford Innovation Labs and associate fellow of Chatham House, told me that the European Court of Justice (CJEU) shows no signs on shifting its stance on bulk data collection – having recently ruled against the forerunner to the Snoopers’ Charter, DRIPA.

“Other elements of the judgment are likely to cause problems with the Investigatory Powers Act: the CJEU says that targeted data retention may be allowable, but must be restricted solely to fighting serious crime; warrants must be signed off by a court, not a minister; and the data concerned must be retained within the EU.  All these will potentially conflict with core elements of the IP Act,” she told me.

If its kept as is, the Act could therefore impact the legality of data transfers between Europe and a newly independent UK, which will be bad news for most firms reliant on a thriving digital economy.

“The impact of conflicts between the GDPR and our Investigatory Powers Act may be to hamper the competitiveness of UK tech, particularly as the GDPR seeks to protect EU citizens’ data wherever it will be processed,” she argued.

Not great for America

This is a hot button issue for Europe In fact it’s the reason why data transfers to the US were put under threat after Safe Harbour was torn down because of fears of US authorities snooping on Europeans’ data. Despite a new agreement – Privacy Shield – being put in place, there could still be bumps in the road ahead.

“Transatlantic data flows will not be legal unless there is a robust framework in place to offer EU citizens’ data equivalent protection to what is enjoyed in the EU,” said Taylor.

“President Trump’s ‘America First’ policy is likely to renew tensions over Privacy Shield – a shaky compromise which was hurriedly reached following the CJEU’s obliteration of its predecessor ‘Safe Harbour’.”

KPMG’s globa privacy advisory lead, Mark Thompson, told me that firms outside of Europe that need to comply with the GDPR are better off keeping data on European citizens inside the EU so as not to fall foul of any changes to data transfer agreements.

“Despite the USA and EU having some cultural alignment, there is potential for significant culture clash between the EU’s view of a fundamental human right to privacy and the US view on what constitutes privacy, which is significantly different,” he added.

We’ll have to wait a while to see what the fallout of all this is. But with the UK government unlikely to countenance any changes to the IPA, there could be some potentially bad news for the country’s digital economy in the next few years if nothing changes.


Joining the Dots to a Connected Car Future

connected carI’ve been prepping a new feature on the future of the connected car industry and one thing is pretty clear: things are moving faster than you think.

We’re currently working our way through three of the four stages of industry evolution mapped out by Gartner. It claimed in a December report that efforts to integrate mobile and cloud-based apps into the car are almost complete – that’s one stage down. Then, up until 2024 it’ll be all about “digital lifestyle convergence”.

The report explained:

“This convergence means that consumers want to be able to communicate with friends and family members, remain productive to their workplace, and to be entertained with the content that they also access outside of the automobile. Users will also expect an automotive connectivity experience that is similar to other device experiences they are increasingly accustomed to, such as remote, over-the-air software updates and content/services upgrades.”

Microsoft has a good chance to capitalise on this shifting focus, with its new Connected Vehicle Platform. One of the five main pillars outlined by EVP of business development, Peggy Johnson, at CES, is “improved in-car productivity” via tools like Cortana, Dynamics, Office 365, Power BI and Skype for Business.

“For instance, imagine that Cortana seamlessly connects you whether you’re at home or in your car,” she explained. “Let’s say you’re on your phone at home and tell Cortana to set up a meeting for you and your colleague the next morning at a coffee shop. The next time you get in your car, Cortana reminds you of the morning meeting and starts navigation to get you to that coffee shop.”

With its heritage in the office productivity space, Microsoft obviously has an edge in these scenarios over connected car rivals like Apple, Google and Amazon, although its Azure-powered platform will also cover predictive maintenance, advanced navigation, customer insights and autonomous capabilities.

The platform’s open, partnership-based approach could also play well with consumers who are sick of many current systems, according to Quocirca analyst Clive Longbottom.

“Users are increasingly frustrated with in-car technology,” he told me. “Even new models tend to be based on old, proprietary technology; technology that is impossible to swap out and replace with something more up to date and flexible.”

The Redmond giant knows the industry better than most, continued IHS Markit principal analyst Egil Juliussen.

“The auto industry is among those global industries which adds numerous requirements for how connected cars are treated (i.e. privacy, data storage locations, etc.),” he told me via email. “All of these complexities make it expensive and time-consuming for any auto manufacturer (even the largest) to develop, update and maintain cloud and software platforms to manage their network of connected cars.”

Partners on board

And therein lies the opportunity for Microsoft and others. The firm has also announced partnerships with Volvo, Daimler, Nissan-Renault, BMW and Toyota which will see each use its cloud-based tech to create their own unique platforms. This ability to customise is another obvious benefit of its platform for carmakers.

So where are we headed? Well, autonomous vehicles of course. Gartner reckons that by 2030 self-driving tech might even have created a new car ownership model – where we simply “hire” on-demand driverless cars for our journeys rather than own a vehicle outright. Already a third of Americans the analyst surveyed said they’d forgo purchasing a new vehicle if they could pay for such a service.

Apple CarPlay and Google’s Android Auto are certainly major contenders for the connected car crown, especially in terms of integrating the car into the whole mobile experience. But Microsoft’s cloud-based approach, which is flexible enough to incorporate new technologies as it goes, has a decent chance of winning more carmaker minds and driver hearts.

 


As Black Friday Approaches, Retailers are Braced for a Fraud Deluge

fraudLooking forward to Christmas? Spare a thought for the nation’s retailers, who will be battling as many as one million fraud attempts each day in the period following Black Friday, according to new estimates.

They come from ThreatMetrix, a fraud prevention company with good industry insight thanks to its Digital Identity Network platform which analyses over 20 billion transactions globally each year.

It predicted a 60% increase in fraudulent e-commerce transactions in Q4 2016 compared to the last three months of 2015.

Product and data evangelist, Rebekah Moody, told me that this time of year usually sees an uptick in activity as dodgy transactions are less likely to be spotted, because retailers loosen fraud filters to let more transactions through.

“Transaction volumes are much higher – we saw huge daily peaks for some merchants in the same period last year. This means some merchants may choose to adjust their risk tolerance to ensure that more transactions can be processed with less friction,” she explained.

Cybercriminals also jump on the fact that average basket values are usually higher in the run up to Christmas.

“Fraudsters capitalise on this by trying to sneak through higher value transactions that are less likely to flag as unusual in amongst the sea of high value transactions,” said Moody. “Last year we saw the average basket value of rejected transactions was around 70% more than the overall average. We expect this trend to be mimicked this holiday season.”

The problem is compounded by current fraud prevention technologies, many of which have problems detecting some of the more advanced techniques used by the black hats, including device and IP spoofing and automated bots.

The latter threat is increasingly prominent to the point where, during attack spikes, bot traffic exceeds legitimate user traffic, according to the company’s latest Cybercrime Report for Q3.

It has the following:

“What might begin as a simple account validation using a basic bot evolves to using a complex bot to guess unknown passwords, to a bot that masquerades as genuine human traffic to trick unsuspecting businesses.”

Another tactic which makes fraud hard to spot is when the scammer manages to trick a victim into downloading malware onto their machine.

“For example, a fraudster convinces a customer to download some remote access software after playing to their worst fears that their account is being hacked following a data breach. They pretend to be from the consumer’s bank, and reassure them that they will protect their account from the impending hack,” explained Moody.

“In actual fact they manage to take over the consumers account after the consumer has legitimately logged in.”

Because there are no unusual log-in patterns, strange locations or hacked devices to monitor, it might look like a legitimate transaction.

“The key here though is that the remote access software was suddenly enabled, and then the fraud occurred,” Moody told me. “It’s not the fact that there was remote access software installed; many consumers use this legitimately. It was the change in behaviour. Unless a fraud system is advanced enough to detect this, it could be easy to see how this technique could cause huge issues.”

The best systems work in the background, using contextual data and real-time behavioural analytics in a way that is invisible to the user. But unfortunately they’re still not the norm. According to Barclays, two thirds of retailers (64%) are confident that their digital infrastructure will cope well with the Christmas rush. But if they prioritise up-time and sales over fraud prevention, there could be some nasty surprises down the line.


Trump on Cybersecurity – Where’s the Beef?

trumpAs the dust settles on Donald Trump’s extraordinary ascent to the White House, what do we know of his plans for cybersecurity? I’ve been speaking to a variety of experts for an upcoming Infosecurity Magazine feature and, believe it or not, the majority are not particularly optimistic of the future.

His official website, outlining the Trump ‘vision’ for cybersecurity, focuses on some easy wins:

  • An immediate review of critical infrastructure and federal cyber “defences and vulnerabilities” by a Cyber Review Team comprised of members of the military, law enforcement and private sector
  • The same team to establish “protocols and mandatory awareness training” for all federal employees
  • DoJ to create Joint Task Forces to co-ordinate federal, state and local law enforcement cybersecurity responses
  • Defence secretary to make recommendations on enhancing US Cyber Command
  • Development of offensive cyber capabilities

Doug Henkin, litigation partner at Baker Botts, said the focus on awareness raising is a positive.

“This appears to be a good development for setting a positive tone to lead from above with respect to best practices for protecting against cybersecurity threats and is also essential for corporations seeking to ensure good cybersecurity preparedness,” he argued.

“It is essential to increase training as the new administration has recognised, while also remaining vigilant to how cyber attacks occur.”

That’s pretty much where the good news ends.

It might be too early to judge president-elect Trump on his cybersecurity credentials. But it must be remembered that, despite his bluster over ‘Crooked Hillary’ and her email blunder, his businesses were found to be a whole lot worse when it comes to security. Independent researcher Kevin Beaumont scanned publicly available records last month and found many of Trump organizations’ messaging servers are running the no-longer supported Windows Server 2003 and Internet Information Server (IIS) 6. He also found 2FA unsupported, meaning user accounts are vulnerable to password phishing or brute force attacks.

What’s more, as a briefing document from think tank the Information Technology and Innovation Foundation (ITIF) tells us, Trump has promised in the past to apply tariffs against China if it “fails to stop illegal activities” and to “adopt a zero tolerance policy on intellectual property theft.”

Given what we know about China, this is a dangerous game to play. Beijing will continue to pretend it is abiding by the agreement between presidents Obama and Xi to stop state-sponsored economic cybercrime.  And that could lead to heavy reciprocal penalties on US tech firms in China, such as Apple. The state-backed Global Times has already warned China will adopt a tit-for-tat approach if Trump plays it tough.

Silicon Valley scares

Trump’s election is also a disaster for Silicon Valley. The former reality TV star has expressed support in the past for the FBI’s stance in trying to force Apple into building a backdoor to unlock the San Bernardino shooter’s phone. He even called for a ban on Apple products in response to the firm’s refusal to do so. We can therefore expect more pressure on them to undermine encryption, which would be a disaster for businesses and consumers everywhere, as well as the American tech firms themselves.

As if that weren’t enough, he’s also a big fan of the Patriot Act and will inherit a fearsome surveillance apparatus from Obama. The Democrat is already being blamed for failing to overhaul the huge encroachment on civil liberties enacted by the Bush administration. Writing in the Guardian, Freedom of the Press Foundation executive director, Trevor Timm, had this:

“What horrors are in store for us during the reign of President Trump is anyone’s guess, but he will have all the tools at his disposal to wreak havoc on our rights here at home and countless lives of those abroad. We should have seen this coming, and we should have put in place the safeguards to limit the damage.”

Let’s hope he surprises us all.

 


Internet of DDoS: IoT Botnets Lend Urgency to Anti-DDoS Measures

cyber attackThe past few days have once again pushed that cybersecurity staple the DDoS attack (yawn) into the spotlight. First Brian Krebs suffered what was widely trailed as the ‘biggest attack ever’, topping out around 620Gbps, and then a French hoster claimed it was submerged by an attack topping 1Tbps. The interesting point of the second attack is that it’s said to have been carried out by an IoT botnet.

What does this mean for organisations across the globe? You’d better start budgeting for extra spending on DDoS mitigation services. I spoke to Arbor Networks principal engineer, Roland Dobbins, to find out more.

IoT botnets are nothing new, he claimed. In fact, they’ve been used to launch not only DDoS but send spam, launch MitM attacks and more for several years. Even as recently as August, experts reported an IoT botnet used to try and take organisations affiliated with the Rio Olympics offline prior to the Summer Games. Other examples include cyber extortionists trying to take gaming networks offline.

So exactly why are these embedded computing devices so attractive to cybercriminals?

“Because so many of these devices are shipped with insecure defaults, including default administrative credentials, open access to management systems via the internet-facing interfaces on these devices, and shipping with insecure, remotely exploitable code,” Dobbins told me by email.

“A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities – indeed, many vendors of such devices do not provide security updates at all.”

Another problem is that IoT devices – which can range from webcams and DVRs to set-top boxes – aren’t typically things a user spends much time in front of, so it might not be obvious they’re being exploited, he said.

“There are tens of millions of vulnerable IoT devices, and their numbers are growing daily; they’re generally always turned on; they reside on networks which aren’t monitored for either incoming or outgoing attack traffic; and their networks where they’re deployed often are high-speed connections, which allows for a relatively high amount of DDoS attack traffic volume per compromised device,” explained Dobbins.

Fighting back

So what can be done to mitigate the risk to businesses?

Best practice includes hardening network infrastructure, improving visibility into traffic and having adequate DDoS mitigation capabilities – none of which is going to be cheap, unless you’re lucky like Krebs and get protected by Google’s Project Shield.

“In particular, ISP and MSSP network operators should ensure that they participate in the global operational community, so that they can both render assistance when other network operators come under high-volume DDoS attacks, as well as request assistance as circumstances warrant,” Dobbins told me.

It’s also important for operators to measure DDoS attack volumes against their baseline for normal traffic so as not to over or underestimate attacks.

“This is vital when determining which DDoS defence mechanisms and methodologies to employ during a given attack, as well as in providing accurate information to other network operators in the global operational community,” he concluded.

Stopping the attacks as they are fired out is all very well, but how about trying to shore up those pesky IoT devices which have become such a boon to cybercriminals? A new architectural approach has been proposed by a non-profit group known as the prpl Foundation. It suggests that a hardware-led approach is key to securing embedded computing devices. Its guidance document is a must-read for anyone interested in IoT security.

It sets out four key elements that are needed to improve IoT security:

Open source software which will improve the quality of code and increase the likelihood of timely security updates.

Interoperable standards to help to drive up the quality of engineering, especially in the connectivity layer which has frequently been exposed by researchers such as Miller and Valasek.

Secure boot based on a root of trust anchored in the silicon to prevent hackers from reflashing the firmware. This could have helped prevent the Ukrainian power outages of 2015 and potentially also SYNful Knock.

SoC virtualisation to containerise each software element running on the chip, keeping critical components safe, secure and isolated from the rest.

The prpl Foundation has already released its own hypervisor and other elements to make its Security Framework proposal a reality. But will the industry go for it?

Up until now the common perception has been that users prioritise usability and low cost over security. But according to a new report on the smart home by prpl, this isn’t the case. It polled 1,200 consumers across the globe and found that 60% thought the user should take control of securing the smart home. What’s more, a plurality (42%) claimed they would pay a premium for more secure devices.

So there it is IoT industry. Over to you.