[Discussion] Cybersecurity

Hopefully this is suitable discussion fodder; please correct the thread if it's not. I figure this is a good discussion header to have around, since a number of current events hinge on cybersecurity topics (from Snowden and Wikileaks to the security of the Baltic states).

To kick it off, here's a brief but disturbing article from Bruce Schneier. He's been working with some major Internet companies and is seeing a disturbing trend in attacks. He believes a state actor is gathering data on cybersecurity responses from many tech companies and network infrastructure providers, and in the process acquiring the information necessary to literally take down the Internet.

Discuss.

Given the ubiquity of the internet in our daily lives, that is pretty terrifying. If the net went down today, I would not have access to most of my banking - since I'm with an online bank - or my main means of communication with my relatives and friends. Having lived in a time before the internet (hah!) I know it's easily possible, but it really is taking many, many steps back in our lives.

It really wouldn't surprise me if more than one state actor were doing this. The really scary thing is how few state actors are working on defense against these acts; they are either going with the first-strike option or mutually assured destruction, thinking that they will be hurt less than their targets (which may or may not be the case).

Bruce Schneier wrote:

China and Russia would be my first guesses.

They wouldn't be mine. We know of one country, in particular, that has already deployed malware on an international scale with a specific political target, actively perpetrated attacks on specific internet infrastructure, and deliberately keeps zero-day exploits to itself in order to use them as weapons.

The Schneier article seems a bit like useless clickbait. 'Be afraid, the commies are coming in over the intartubes to get you!'.

He misuses the one bit of evidence he tries to provide.

Verisign is the registrar for many popular top-level Internet domains, like .com and .net.

This is not correct. Verisign is the registry for those TLDs. There are lots of registrars for them, but you can't obtain a domain name through Verisign directly.

If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains.

No, there isn't. Verisign 'going down' (whatever that may mean) will not cause any sort of 'black-out' of .com/.net/etc. websites. He could mean that if the DNS root servers Verisign runs go down there will be problems ... but they only run 2 out of the 13. All 13 would need to be down for a while (something like a couple of days) before widespread issues would be seen. Most (maybe all at this point) of the root servers consist of a lot of geographically diverse servers and are not particularly easy to take down (though it has happened a couple of times before).
It is also worth noting that the report from Verisign makes no mention of attacks directly against them, and is based on data from attacks on clients of their DDoS mitigation service. While the analysis of the data is interesting, it's worth noting and remembering that the report's real focus is as a marketing and sales tool.

Every quarter, Verisign publishes a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex."

The blog makes a point of saying that someone is probing infrastructure at a greater rate ... but the report lists such attacks as the smallest that Verisign has to deal with. There is also actually a large drop-off in attacks on 'Telecommunications and Other' in the last quarter reported, and overall in attacks on 'Public Sector' from a year prior.

I found his article about Doxing and Disinformation to be much more interesting. Dan Carlin talked about "Muddying the Waters" of information disclosures on his recent podcast, too.

Essentially, it would be trivially easy to insert disinformation into the middle of one of these large leaks of e-mails or other internal communications. And then it becomes very hard to figure out what is or isn't true, and very easy to claim that none of it can be trusted.

...Washington may be behind other big cities in learning that lesson. Bankers on Wall Street have favored very brief emails since their conversations were splashed across front pages because of lawsuits filed after the financial crisis. In 2010, Goldman Sachs executives used the acronym “LDL,” for “let’s discuss live,” when a conversation turned at all sensitive.
 
Hank Paulson, a former Goldman Sachs chief executive, refuses to use email. Ben S. Bernanke, a former chairman of the Federal Reserve, once set up an email account under the pseudonym Edward Quince in the hopes of greater privacy.
 
Similar precautions have been common in Silicon Valley since a 2009 Chinese state cyberattack on servers at Google and other tech companies. In Hollywood, a breach at Sony Pictures in 2014 spilled out gossipy secrets and persuaded film crews, actors and executives alike to adopt security measures they once considered paranoid. Studios have turned to a new class of companies with names like WatchDox that wrap screenplays with encryption, passwords and monitoring systems that can track who has access to confidential files.

And still no one will use GPG.

You can't hide secrets from the future...

wordsmythe wrote:
...Washington may be behind other big cities in learning that lesson. Bankers on Wall Street have favored very brief emails since their conversations were splashed across front pages because of lawsuits filed after the financial crisis. In 2010, Goldman Sachs executives used the acronym “LDL,” for “let’s discuss live,” when a conversation turned at all sensitive.
 
Hank Paulson, a former Goldman Sachs chief executive, refuses to use email. Ben S. Bernanke, a former chairman of the Federal Reserve, once set up an email account under the pseudonym Edward Quince in the hopes of greater privacy.
 
Similar precautions have been common in Silicon Valley since a 2009 Chinese state cyberattack on servers at Google and other tech companies. In Hollywood, a breach at Sony Pictures in 2014 spilled out gossipy secrets and persuaded film crews, actors and executives alike to adopt security measures they once considered paranoid. Studios have turned to a new class of companies with names like WatchDox that wrap screenplays with encryption, passwords and monitoring systems that can track who has access to confidential files.

All my sensitive information will be processed on an old school mechanical typewriter in a windowless room protected by a Faraday cage!

This or something like it is being done today in parts of the Intel agencies of major countries, according to various news reports. Google "intel agencies typewriters".