STE WILLIAMS

Fancy Bear: who’s behind the group implicated in so many political hacks?

Guest post: Geoff White, Channel 4 News’s Technology Journalist, has spent the past year digging into the background of Fancy Bear

2016 was the year espionage went public, and one name dominated the headlines: Fancy Bear.

The hacker group arguably helped lose the Democrats the US presidential election, and as revealed on Channel 4 News they’ve been targeting UK companies, hacking into a British television station for more than a year.

US intelligence agencies and several security firms believe the group is a branch of the Russian government, but before considering those allegations, it’s worth asking why Fancy Bear became such a big story. What’s new here?

It’s no surprise when a nation state gets the inside track on an election and then attempts to sway the result. Intelligence agencies have been doing that for years. Neither is it new for leaks to be published to influence a vote. Journalists do it the world over.

What’s new is the confluence of those two phenomena. We’re seeing espionage coming out of the shadows and being used very publicly to influence world affairs. Why the change? Why would a nation state choose to publish its ill-gotten intelligence?

The short answer in this case is because it was effective. In the wake of the Democratic National Committee leak the top tier of the organisation was forced to quit. It’s hard to argue that it didn’t hamper the Democrats’ campaign, and therefore affect the final election result. So perhaps the more pertinent question is: why not? Why have intelligence agencies not previously published the results of their information operations?

Traditionally there have been good reasons for spies to keep their work secret. When British intelligence agencies hacked the Nazis’ Enigma code, they realised that publicising the fact too widely would lead to the Germans changing the code, and the British would be back where they started. The hack had to remain secret to be effective.

That wasn’t the case for Fancy Bear. For a start, the hacker group failed to keep their work covert; the Democrats called in security firm CrowdStrike in April last year and the hack was reported by the Washington Post in June.

The hackers knew they were busted so they had a choice: sit on the data and try to exploit it in more traditional ways (by leaking it to selected journalists, for example), or go public with the data. With the Democratic National Convention set for July, Fancy Bear opted for the latter.

Interestingly, they made strenuous but ultimately shoddy efforts to keep their name off the story. Responsibility for the hack was claimed by a “lone Romanian hacker” who seemed to struggle to speak Romanian, and leaks were published on an “American hacktivist” website that turned out to be registered with a Romanian ISP.

But the tight timeline might not have been the only factor influencing Fancy Bear’s decision to dump the data online.

The wider picture is that there has been a shift in who controls information. Journalists used to hold the keys to the expensive, time-consuming publication tools. If an intelligence agency wanted to use stolen information to sway an election, one of the best ways was to leak it to friendly journalists and stand well back.

That’s no longer the case. The web is a publishing tool, and journalists are only one conduit for leaked information. Time and again, mainstream media has been left bobbing in the wake as those with valuable data have taken it into their own hands to leak it: Anonymous, LulzSec, Impact Team (who hacked Ashley Madison), Guardians of Peace (who hacked Sony), and of course Wikileaks.

Journalists no longer hold those keys, and it seems whoever carried out the DNC hack has faced up to that reality: why put up with journalists and their questions and opinions, when you can dump the files and manage your own information warfare campaign? It’s very likely we will see more such tactical political leaks in the future as spy agencies around the world absorb Fancy Bear’s lesson.

What’s troubling is that this kind of tactical leaking only works if you’re impervious (or feel impervious) to enforcement action from the country whose citizens’ data you hacked. Therefore public leaking of espionage info tends towards foreign interference. Put simply, a bear doesn’t dump on its own doorstep.

So did a foreign power direct Fancy Bear’s actions? Several US intelligence agencies and tech security companies have fingered Russia.

In terms of the publicly available evidence, there are two strands leading researchers to link the attacks to the Russian government (something strenuously denied by that country). The problem is, neither strand leads unequivocally to the Kremlin’s door.

First there’s the technical evidence: whoever broke into the DNC also used, among other things, two pieces of malicious software called X-Agent and X-Tunnel. The former is basically a Swiss Army knife of code that allows the hacker complete control of the machine. The latter, as its name suggests, opens up a permanent hidden link to the internet through which the stolen data can be spirited away.

These pieces of software connect back to a “mothership”, a command-and-control (or “C2”) server which issues instructions and harvests the leaked data.

CrowdStrike and others say they’ve not seen these software tools used by any group other than Fancy Bear. The address of the C2 server is written into the malware code, researchers have told me, so anyone who uses it will automatically send back stolen data to the Fancy Bear C2 server (not much use unless you’re a member of Fancy Bear).

Even if someone else got a copy of the malware, they wouldn’t be able to make changes to it (such as changing the C2 server address) without the source code, which is only available to those who wrote the malware in the first place. (That said, one set of researchers claim to have got a copy of the source code). Therefore, CrowdStrike and others argue, wherever these two pieces of software are used, it means Fancy Bear is in operation.
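The hard-coded C2 address described above is exactly the kind of static artefact a defender can hunt for. As an added example (not code from the article or from any vendor it cites), this Python pulls printable strings out of a binary blob, keeps the ones that look like IPs, URLs or hostnames, and checks them against a watchlist; the sample bytes and the watchlist entries are constructed placeholders (a reserved test TLD and an RFC 5737 test address), not real indicators.

```python
"""Hunt for hard-coded network indicators in a binary blob.

Added example, not code from the article or from any vendor it cites. The
sample bytes and the watchlist below are constructed placeholders (reserved
test TLD and RFC 5737 test address), not real infrastructure."""
from __future__ import annotations

import re
from typing import Iterable

MIN_STRING_LEN = 6  # minimum printable run to treat as a string, as `strings` does
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Dotted names that are file names rather than hosts: a common false positive
# when scanning Windows binaries (kernel32.dll, config.ini, ...).
FILE_SUFFIXES = {"dll", "exe", "sys", "ini", "dat", "log", "tmp", "txt", "pdb"}


def extract_strings(blob: bytes) -> list[str]:
    """Return every printable-ASCII run of at least MIN_STRING_LEN bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def _valid_ipv4(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255 (version strings, build numbers)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def network_indicators(blob: bytes) -> set[str]:
    """Collect IPs, URLs and hostnames from the strings embedded in a blob."""
    found: set[str] = set()
    for text in extract_strings(blob):
        found.update(u.lower() for u in URL.findall(text))
        found.update(ip for ip in IPV4.findall(text) if _valid_ipv4(ip))
        for host in HOSTNAME.findall(text):
            if host.rsplit(".", 1)[-1].lower() not in FILE_SUFFIXES:
                found.add(host.lower())
    return found


def match_watchlist(indicators: Iterable[str], watchlist: Iterable[str]) -> set[str]:
    """Return the extracted indicators that appear on the watchlist."""
    wanted = {w.lower() for w in watchlist}
    return {i for i in indicators if i in wanted}


# Constructed stand-in for an implant: a couple of import names, an HTTP verb,
# and a beacon address baked into the binary as the article describes.
SAMPLE_IMPLANT = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00GetProcAddress\x00"
    + b"POST /upload HTTP/1.1\x00"
    + b"c2.example.invalid\x00"   # constructed C2 hostname (placeholder)
    + b"198.51.100.23\x00"        # constructed C2 address (RFC 5737 TEST-NET-2)
    + b"\xff\xfe\x00" * 8
)

# Constructed watchlist; in practice this comes from your own threat-intel feed.
WATCHLIST = {"c2.example.invalid", "198.51.100.23"}


def triage(blob: bytes, watchlist: Iterable[str] = WATCHLIST) -> tuple[set[str], set[str]]:
    """Return (all embedded network indicators, those on the watchlist)."""
    indicators = network_indicators(blob)
    return indicators, match_watchlist(indicators, watchlist)


if __name__ == "__main__":
    indicators, hits = triage(SAMPLE_IMPLANT)
    print("embedded indicators:", sorted(indicators))
    print("watchlist hits:", sorted(hits))
```

Packed or encrypted samples will not give up their strings this way; unpack first, or run the extraction over a memory dump taken while the implant is running.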

But why does that convince them that Fancy Bear is a Russian government group? Here’s where it gets tricky. Microsoft spotted Fancy Bear’s activity (they called the group Strontium), but did not link it to Russia. Trend Micro also saw the group (they named it Pawn Storm) and noted the Russia-focused list of targets, but stopped short of pinning the group’s work to the Russian government.

Then there’s a series of companies who have been bolder in their attribution – FireEye: “a government sponsor based in Moscow”; ThreatConnect: “Intelligence gained from this operation will likely prepare the Russian government”; SecureWorks: “moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government”.

There’s an obvious problem here: often new allegations of Russian government involvement rely on an assumption made by a previous research group, raising the risk of group-think confirmation. As far as I can see, there’s never been a “patient zero” hack that was definitively, irrefutably pinned on the Russian government. And for its part, Putin’s administration has consistently denied any involvement, and its responses are becoming ever more vehement.

But there is another strand of evidence which researchers claim puts the Kremlin in the frame: the hackers’ victims.

SecureWorks managed to expose the list of people being targeted by Fancy Bear. That list included not only dozens of DNC staff members and Hillary Clinton campaign workers, but also anti-Russian groups in Ukraine, anti-Putin campaigners in Russia, and embassies and diplomats across Europe. SecureWorks argues that this target list would be of more interest to the Russian government than any other country.

There is of course a counter-argument: the campaign could have been set up by someone other than the Russian government in order to mislead researchers (a so-called “false flag” campaign). But that would involve someone spending years creating bespoke viruses, using them to hack targets of interest to the Russian government, and then leaking the stolen data, all with the aim of incriminating Putin’s administration. While this is not impossible, it’s not clear who would do this, and why.

The simplest answer, say some security researchers, is that this hacking campaign was the work of Russia. The simple answer isn’t necessarily the right one, but those who reject it seem to lack a compelling alternative explanation. For its part, the Russian government continues to deny any involvement. Here’s the comment I received for my latest Channel 4 News story, from the Russian embassy in the UK:

Without any details and proof, available to experts for thorough examination, one cannot make a judgment on this allegation. It is for experts to comment on the basis of evidence available, not for the embassy. The quality of ‘proof’ produced in the notorious US intelligence report… leads one to conclude that no trustworthy evidence exists so far, that it is a murky business, sort of free-for-all in terms of politicization. Since real war is out of the question, this issue seems to be used as a means of keeping afloat the Cold War politics, i.e. of containing Russia.

The reference to the Cold War may well be prophetic; new technology is being used to serve ends most of us thought we’d left in a previous century.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8eyvGWJUPiM/

News in brief: Cook hits out at ‘fake news’; Trump under fire; flying cars on the runway

Your daily round-up of some of the other stories in the news

‘Fake news is killing people’s minds’ says Apple boss

Tim Cook, Apple’s chief executive, has added his voice to the growing clamour calling for steps to be taken to tackle “fake news”.

Speaking to the Daily Telegraph, he said that fake news “is killing people’s minds”, and called for “the modern version of a public-service announcement campaign” to help educate people on the problems caused by fabricated news stories.

Cook said that tech companies must be part of that campaign: “All of us technology companies need to create some tools that help diminish the volume of fake news,” he said, and added: “We must try to squeeze this without stepping on freedom of speech and of the press.”

Trump under fire for dining room security briefing

President Donald Trump, who has yet to publish his promised executive order on cybersecurity, was facing sharp criticism after taking a classified briefing about North Korea’s missile tests by phone in the middle of his Florida estate’s busy dining room on Saturday.

Trump and his guest, Japanese prime minister Shinzo Abe, discussed strategy in front of dozens of fellow diners, with at one point, according to reports, classified documents being illuminated in the candle-lit dining room by light from diners’ mobile phones. Observers noted that it would have been easy for someone to photograph those documents.

One diner posted details of what was unfolding in front of his eyes on his then publicly visible Facebook page, saying: “It was fascinating to watch the flurry of activity at dinner when the news came that North Korea had launched a missile in the direction of Japan. The prime minister Abe of Japan huddles with his staff and president is on the phone with Washington DC.”

Flying car takes off … maybe

If you’re one of those people who have been waiting impatiently for a flying car ever since cartoons you watched as a kid whetted your appetite, your wait could be coming to an end – if you’ve got north of $400,000 to spend.

PAL-V, a Dutch company, says it’s now accepting pre-orders for its Liberty three-wheeled flying car, which sports a wind-powered rotor and is apparently fully compliant with existing regulations.

As well as that chunk of money, you’ll also need a pilot’s licence and somewhere suitable to take off and land: PAL-V says the car needs a maximum take-off roll of 180 metres. The company says it expects to deliver its first flying cars by the end of next year.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sGqrjk0sui4/

That guy using a Surface you keep seeing around town could be a spy

Microsoft’s pointed out that the United States’ National Security Agency has added some Surface devices to the nation’s okay-for-accessing-secure-information list.

That list’s proper name is the Commercial Solutions for Classified Program and was created because the US government used to spend years building a secure suite of products before releasing them to government users.

That approach would leave workers wielding out-of-date technology, which didn’t exactly help US government workers to become efficient.

The list therefore offers products that, when used in concert with others on the list, can be assembled into acceptably secure “capability packages”.

The NSA’s added the Surface Pro 3, Surface Pro 4 and Surface Book to the list, all running Windows 10. The Surface Pro also makes it when running Windows 8.1.

Microsoft’s the only laptop and desktop OS vendor on the list, but is hardly alone on the list for mobile devices. Apple, LG and Samsung devices all make it, as do Blackberry OS 10.3 and the Boeing/Blackberry “Black” Android collaboration. The rest of the list covers all manner of enterprise hardware and software and offers a who’s-who of big-name tech vendors.

Microsoft’s singular inclusion for PCs is therefore good news for Surface and Windows 10, until President Trump worries about the price of either. And maybe it’s a warning, too, that it might not be a coincidence that you keep seeing a chap with a Surface in coffee shops, on the train, down at the supermarket … ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/surface_makes_nsa_secure_kit_list/

Google to cough up $20m after Chrome rips off four malware patents

Google has been ordered to pay $20m damages after its Chrome browser was found to have infringed four anti-malware patents.

The verdict [PDF] was handed down on Friday after a jury trial in Marshall, Texas.

The patents – including this one – were awarded to former Lucent engineer Allen Rozman, who died aged 52 in 2012, and Alfonso J. Cioffi, both of Texas*, who filed suit [PDF] against Google in 2013.

In December 2014, however, a US District judge, Judge Gilstrap, dismissed the case, after the plaintiffs acknowledged that under the judge’s interpretation of the words “web browser process”, an infringement claim wouldn’t hold up.

Cioffi and the Rozman family appealed, and a Federal Court found Gilstrap had erred, both in his interpretation of “web browser process” and over another interpretation.

“We see nothing that indicates that Cioffi intended its invention to do anything other than protect ‘critical files’ as that concept is widely understood by those of skill in the art,” the Federal Circuit court wrote.

Google then appealed to the US Supreme Court to hear the case, but the Supes declined. Ultimately the patent could yield $60m for the surviving family of the inventor. Google has said it maintains its position that the patents are invalid. ®

*The case Cioffi et al. v. Google Inc., case number 2:13-cv-00103, took place in the U.S. District Court for the Eastern District of Texas.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/google_chrome_malware_patent_defeat/

Russia and China bombard Blighty with 188 cyberattacks in 3 months

Britain has been hit by 188 “high-level attacks” in the last three months.

Some of these attempts include Russian state-sponsored hackers trying to steal defence and foreign policy secrets, according to the UK’s newly appointed National Cyber Security Centre chief Ciaran Martin. Russian and Chinese attacks on defence and foreign policy servers are among those being investigated by the organisation.

Security vendors said that high-level malfeasance by foreign espionage agencies is an issue for Western businesses as well as governments.

Piers Wilson, head of product management at Huntsman Security, commented: “While we may be seeing a reported ‘step change’ in online attacks from Russia and other countries, there is little doubt that foreign powers who commit, or at least support, these attacks will see any element of the UK government and infrastructure as a legitimate target. Given the scale and complexity of the attacks, their attribution to a well-funded and skilled adversary is no surprise.

“Organisations should not consider these as a risk that is only targeted at high-profile networks and systems. Like any attacker, a state-sponsored actor will target any entity that it can find benefit from; this spans opposing nations, to their critical infrastructure, or just private businesses that can be sabotaged, disrupted or have valuable information stolen in the attacker’s national interest.”

Ross Brewer, VP and MD of EMEA at LogRhythm, said: “Organised and state-sponsored hackers have evidently stepped up their game and this could lead to many unpleasant scenarios – from ransomware to the theft of intellectual property to the complete shutdown of our critical national infrastructure.”

Richard Henderson, global security strategist at endpoint security specialist Absolute, added: “The rising number of endpoints is magnifying this threat. Whether it’s a mobile or wearable device, or even a seemingly innocent internet-connected fridge, cybercriminals have an almost infinite number of vectors to exploit when attempting to extract valuable data.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/uk_cybersec_sitrep/

Brave VMs to destroy themselves, any malware they find on HP’s new laptop

HP has announced plans to integrate Bromium’s virtualization technology into a laptop as a defence against malware.

The soon-to-be-launched EliteBook x360 1030 G2 will feature virtualisation-based security built in to the hardware in the form of a feature called Sure Click, which will go on general availability in Spring. The tech was launched at RSA Conference.

Sure Click means that each tab launched in either Chrome or Internet Explorer will launch as its own, fully contained micro-VM. If a malicious site is visited, all users have to do is close the tab, destroying the virtual machine and the malware along with it. The technology is designed to prevent the malware escaping a micro-VM.

The technology is built in, so there are no add-ons to install or added costs. HP Sure Click will debut as a web download for the HP EliteBook x360 1030 G2 in Spring 2017 and will be available as a standard feature on Elite PC platforms launching in the second half of the year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/hp_bromium_virtualization/

Bloke, 27, arrested, tech gear seized by cops over UK Sports Direct hack

Exclusive: A 27-year-old man has been arrested in connection with the hacking of Sports Direct’s internal website for employees, The Register can reveal.

The man, who has not been identified, was cuffed on suspicion of computer misuse offences amid an investigation into the attack on the UK’s largest sports retail business last September.

After exploiting vulnerabilities affecting the unpatched version of the DNN platform that Sports Direct was using to run a staff portal, a hacker was able to steal the personal information of the retailer’s 30,000-strong workforce. An inside source with knowledge of the incident told The Register a phone number had been left on the site with a message encouraging Sports Direct’s bosses to make contact.

While Sports Direct’s internal systems detected the intrusion in September, the business claims it did not realise that staffers’ information had been stolen at that time. The company contacted the police. While investigating the breach, Sports Direct believed that the network intruder had also unsuccessfully attempted to compromise its systems in August.

Police confirmed today that a man from Shirebrook, England, was arrested in October on suspicion of computer hacking offences, and that his computer equipment was seized by the cops’ East Midlands Special Operations Unit.

It was only upon forensic examination of the fella’s equipment that officers were able to inform Sports Direct that a network security breach had taken place, as a copy of the staff database was found both on the machine and to have been uploaded to the man’s account on a cloud service which has been taken under police control, we understand.

Our source informed us that employees’ unencrypted data, including names, email and postal addresses, and telephone numbers, was stolen during the breach. A spokesperson for the Information Commissioner’s Office (ICO) told us it was “aware of an incident from 2016 involving Sports Direct” and would be “making enquiries.”

A spokesperson for the East Midlands Special Operations Unit said “a 27-year-old man has been arrested on suspicion of computer misuse and bailed pending further enquiries.”

Despite ICO guidelines encouraging data controllers to inform individuals when their personal information was breached, sources confirmed to The Register that the company’s workforce had not been told of the loss of their details.

Sports Direct did not respond to The Register’s enquiries regarding whether staff had been informed following our report last week.

At the time of the breach, Unite assistant general secretary Steve Turner told us: “Sports Direct workers will be anxious to know what personal details have been hacked in this apparently serious data breach and why they weren’t immediately informed about it by their employer. This is potentially sensitive and personal information.

“It’s completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet.

“We will be immediately approaching the company for answers and further details about the potentially damaging impact of this on our members, as well as details about actions taken to ensure personal data is never compromised again. In the meantime we would urge Sports Direct workers to check their financial records, change passwords and immediately report any suspicious activity.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/sports_direct_arrest/

New Bug Bounty Program Targets IoT Security

GeekPwn bug bounty program aims to collect Internet of Things security vulnerabilities, and highlight mistakes to vendors.

The Internet of Things, like all new tech, drives security risk. Similar to the PC in its early stages, IoT faces two security challenges: large amounts of vulnerabilities, and major consequences.

“As an emerging technology, IoT is far from the maturity stage,” explain security researchers Huiming Liu and Yuhao Song, both with GeekPwn Lab. “The development of security always lags behind the corresponding industry.”

Vendors working on product development tend to place more emphasis on improving usability and user experience, and less on security. There is a lack of security sense, the researchers say; most vulnerabilities are obvious and can be easily avoided.

This is a key takeaway from the GeekPwn Contest, a security contest focused on IoT devices and other smart devices.

The duo founded GeekPwn in 2014 to broaden white hats’ research efforts to include IoT and help vendors strengthen product security. There are many contests and bug bounty programs focused on software security, they noticed, but nearly none geared towards IoT.

Since launching the contest, the team has collected more than 100 security vulnerabilities and exploit techniques for IoT products including smart home devices, wearables, routers, cameras, network protocols, and smart entertainment products. All were reported to their respective vendors following the contest.

They found IoT vendors, especially smaller businesses, are challenged to address the problems.

“When we collect vulnerabilities in GeekPwn and submit them to the vendors, some of the vendors don’t have a process of vulnerability response, some reject and deny any vulnerabilities, some even regard vulnerabilities as infringement of their reputation and threaten court against us,” the team says.

This issue has improved over time as vendors accept the responsibility of improving product security. After three years of GeekPwn, more are agreeing to “responsible disclosure” and welcome white hats’ efforts to hunt flaws in their products.

The two acknowledge additional challenges companies face with IoT security including a small talent pool and lack of systemic guidelines, solutions, and standards related to this new wave of technology.

Both Liu and Song will be at Black Hat Asia 2017 to discuss design misconceptions and implementation mistakes that developers may overlook in IoT devices. Their briefing is entitled “Daily-Life Peeper: Bug Hunting and Exploit Techniques in IoT.”

GeekPwn collected 32 router vulnerabilities. In their session, the duo will expand on one that exploits three vulnerabilities as a chain.

They also plan to discuss attack vectors and the most vulnerable modules of IoT devices based on data collected in GeekPwn, and the consequences these vulnerabilities could cause. Their idea is to help security researchers kick off their IoT security research.

“Based on our study and analysis, the current situation of IoT security is nearly catastrophic,” the team states.

Businesses’ lack of attention to IoT, implementation errors, and design flaws could have severe consequences and lead to damage to property or personal safety. Researchers cite last year’s massive DDoS attack, which took down several major websites, as an example.

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/threat-intelligence/new-bug-bounty-program-targets-iot-security/d/d-id/1328127?_mc=RSS_DR_EDT

You Can’t Hire Your Way Out of a Skills Shortage … Yet

It will take much effort to fix the IT and cybersecurity talent crisis, but it is possible.

In 2015, 89% of cybersecurity job postings went unfilled due to the high standards that companies imposed for entry and midlevel positions, according to a CareerBuilder survey. Not enough job applicants had the necessary skills and/or certifications that hiring managers were looking for in potential new employees. The problem is perfect cybersecurity workers don’t exist — or if they do, they’re employed elsewhere.

When companies began outsourcing, there was a decrease in IT graduates because students feared going into the field without the promise of a career. Combine this lack of incentive with the relatively slow adoption of STEM (science, technology, engineering, and math) skills as a part of a revamped education curriculum, and it’s evident that young people aren’t introduced to IT opportunities until too late. Interest in other subjects and alternative career paths often develops during crucial development years.

It’s frightening that this shortage of IT skills education coincides with the rapid evolution of the Internet of Things and connected devices — cue the onslaught of new cybersecurity threats. These threats have the potential to be more dangerous than ever. Not only can hackers gain access into consumers’ lives through personal computers and mobile phones, but thanks to the web-like nature of connected technology, they can now break into cars, homes, and all the way through to banks and traffic lights.

So, where do we turn from here? How can the industry begin to develop a workforce that is prepared to handle the fluidity and pace of today’s cybersecurity industry, closing the cybersecurity skills gap?

Encourage Career Growth Outside of Management
In today’s workplace, the path to both financial and career success often runs through management — this is especially true when it comes to small and medium-sized businesses and startups. An employee who is technically gifted at his or her craft often reaches a career “ceiling,” and the only way to break through and move up the ranks is to jump to the management side. To keep the brightest and most technically gifted IT workers in the trenches, where they’re often most effective, we need to give them incentives — whether financial, a change in title, or both.

Set Realistic Expectations at the Entry Level
Employers must be realistic about expectations for entry-level applicants because this can widen the candidate pool. In a field that evolves as rapidly as IT, many entry-level positions require industry certifications and training that a new employee might not necessarily have (especially those just out of school). Employers should consider applicants who may have some but not all the required skills, knowing that they will be fully trained during their employment. At these entry-level positions, employers should focus on other “big picture” qualities and soft skills that may make the candidate a good fit for the role and the company, including communication skills, business knowledge, and working as part of a team.

Build “Corporate Universities”
This is an area already seeing growth as companies look for ways they can turn generalists into cybersecurity specialists. These corporate universities allow companies to hire less-qualified employees and train them for current tasks. When the tasks are complete, the employee goes back to the university to get training on the next project. This can be a two-way street for both the company and the employee. While the company gives employees access to the resources they need, an employee can request courses and educational tools to continue professional growth.

Promote STEM Boot Camps for Kids
Many organizations are creating STEM boot camps for kids, designed to get them involved at a younger age. These camps help students build a strong STEM foundation by teaching the basics of math, chemistry, and biology, among other subjects. In a time where the demand for cybersecurity professionals is rising as the candidate supply is falling, it’s imperative to invest in the future of the industry.

Make IT Fun
IT and cybersecurity are no laughing matter, but that doesn’t mean they can’t be fun. Organizations are beginning to host networking events and friendly competitions such as hackathons to allow cybersecurity professionals to network and meet industry peers, while sharpening their skills in the process. Not only are the outcomes and discussions from these events a positive step for the industry, but a little professional fun keeps morale high.

As threats continue to grow with the introduction of new innovations and technologies, cybersecurity and IT skills are more important than ever. Through early and continued education and exposure, as well as a few shifts to organizational structure and expectations, we can begin to get a handle on the skills gap, taking a giant step toward filling the growing number of empty cybersecurity positions.

Jim Zimmermann is Skillsoft’s Solutions Principal for IT and Digital Skills Portfolios. He works with current and prospective customers to help them address their IT skills challenges through training. In 2016, Jim was awarded Skillsoft’s Outstanding Achievement Award for …

Article source: http://www.darkreading.com/careers-and-people/you-cant-hire-your-way-out-of-a-skills-shortage--yet/a/d-id/1328113?_mc=RSS_DR_EDT

‘Paranoid’ Republicans flock to app that wipes conversations

A little-known messaging app that automatically erases all conversations has reportedly taken off among “paranoid” US politicians, including members of the Trump administration.

The claim emerged from news gossip site Axios, which quoted an unnamed Republican who explained the simple appeal of Confide, an app for professionals launched three years ago by a New York-based startup of the same name: “For folks that are on the inside in this city, it provides some cover.”

Lending credibility to the story is a 2015 report that Australian prime minister Malcolm Turnbull has taken to using the same app.

Confide uses a proprietary version of the end-to-end encryption used by bigger rivals such as Signal, Telegram, WhatsApp, Facebook Messenger, as well as a growing list of others.

Why might politicos be drawn to Confide rather than better-known names? One attraction is the app’s promise that everything sent between contacts will “disappear without a trace when you’re done,” an off-the-record mode of communication that fits the low-trust zeitgeist.

Other apps such as Snapchat have similar features, but struggle to stop bypasses such as taking screenshots. Confide counters this by hiding messages until the receiver moves or “wands” their finger or cursor over each line of text.

Messages disappear once they have been read, or after 10 minutes if they haven’t been, and they can’t be forwarded or saved.

Perhaps its biggest draw could simply be that Confide has reached a critical threshold of users in this unusual community: the more DC insiders who use it, the more who want to use it.

There should be sectors where “disappearing” messaging and email won’t work, such as the financial sector and government, because of the need for an audit trail. And yet, despite the recent Clinton email server fracas, there are no fixed rules that government officials and politicians can’t communicate privately, as long as they use official servers for the day job.

It could be that the sudden rise of Confide is telling us that the rules of the game are changing in ways that compliance, regulations and basic politics have yet to catch up with.

As Confide’s founders say on their site:

We think the concept of the digital permanent record is crazy. Why should all of our online communication be around forever, with copies of things being spewed and stored in people’s inboxes and the Cloud?

They have a point: in an age where data is proving difficult to keep secure, it becomes rational to adopt a different approach. If that means throwing out message threads, then so be it.

When Naked Security contacted co-founder Jon Brod, he offered the following use cases:

Executive teams, lawyers, dealmakers, journalists, HR professionals, celebrities. Government operatives of all political affiliations certainly fit nicely into this category.

Confide is like an old-fashioned private face-to-face chat but conducted digitally, he said.

In today’s febrile Washington, it’s not hard to fathom why insiders might flock to this model given the ever-present threat of hackers crawling into government and party servers looking for kompromat. In a world where off-the-cuff email banter can be “weaponized” by opponents at any moment, talk is no longer cheap and cheerful.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/e98d7ZD8CLI/