State of Security January 2017

Hoping to catch questions for DeVos, the billionaire nominee from my home state of Michigan for Education Secretary, who has no experience as an educator, I forget about Trump’s much anticipated news conference until I turn on the TV.  There he is, in the middle of some histrionics with CNN, refusing them the chance to ask a question because they are fake news.

“Don’t be rude!  Don’t be rude! Don’t be rude!”  Ferret faced, he yells down from his podium at a reporter who’s only trying to do his job.

Like many, I give a sigh of relief to finally hear him say Russia may have hacked information disclosed in the election.  But I may be the only person in the world who listens carefully to his generalized comments about hacking.  “And they tried to hack the Republican National Committee and they were unable to break through.”

Wait!  No!  That’s not what the FBI…  Don’t let him distract you.

I listen to him talk about how this is a problem, hacking, cybersecurity.  I think of past speeches where he’s blamed the current administration.  Past speeches where he said nobody really understands computers, what they are doing.

I work hard to follow his thoughts as he wanders off into a strange soliloquy.  He mentions “22 million names and everything else that was hacked recently… something that was extraordinary. That was probably China.”

I think how huge disclosures of people’s personal information have been happening, not recently, but for decades.  They are no longer extraordinary.

He comes back to how he’s going to fix this.  “And one of the things we’re gonna do, we have some of the greatest computer minds anywhere in the world that we’ve assembled. You saw just a sample of it two weeks ago up here where we had the six top people in the world … And we’re gonna put those minds together and we’re going to form a defense.”  All said with a face of great sincerity.

I think how those great minds earned vast fortunes – holdings larger than some small countries – selling vulnerable software, systems and devices that organizations and armies of security people, are powerless to secure.

I think how many breaches are caused by a built-in reliance on human beings to know the unknowable: what websites are safe to look at, what e-mail attachments can be safely opened, who really sent the e-mail that looks like it came from Aunt Sue?

I wonder how he thinks, especially with his promise to wipe out regulation, this can be so easily solved.

I think lots of luck Mr. Soon-to-be-President and I turn off the TV.

I’m at my desk when the phone rings.  I screen my calls, so I check the readout.  Big Insurance Company it says.  My health insurance company!  I’m not expecting a call.  Did I miss a payment?  I take the call. “This is Big Insurance Company.”  A pleasant woman’s computerized voice says. “We would like to speak to Esther Czekalski.  If you are Esther Czekalski, please press one.  If you are not, please press two.”

I do not give out my name to a caller unless I know who they are and caller IDs can be spoofed so I press the off button to hang up the call.  Pulling up my recent payment details, I call the customer support number on the bill.

After six menus, providing lots and lots more personal information – I did call the number on my monthly bill – and two sales pitches, I finally talk to a representative.  Nothing is said about a late payment.

“I got this computerized call that says it was from you and the first thing it asked me to do is provide personal information. I never, ever do that.  Are you trying to contact me for some reason?”

“Can you see the number who called you?”

“Well, yes, my phone shows me that information but I can’t look while I’m talking to you.”

She puts me on hold and then comes back to explain that Fastscripts, one of their third party partners is making calls to sell mail order prescriptions.  I hate sales calls and tell her so.  They are technically legal from my insurance company, with whom I have a business relationship, but not customer friendly.  My opinion.  She is kind and understanding, says I’m not the only customer she’s heard from today about this, and gives me the number that should have shown for the call. I say, “I’ll call you back if it doesn’t match.”

Formalities completed, she’s very polite, well trained to make sure that she’s dealt with my issue, so after we do some verbal bowing and hand-shaking, I hang up and check the number.  It doesn’t match.

I call back again.  Another trip through the menu system, another representative who has to research the issue again, she assures me it’s the Fastscripts campaign. I explain again that I was given the number and it didn’t match.  She gives me the number again, the one that should have been displayed.  “Yes, that’s the one I was given on the first call.” Again, I give her the number that shows on my phone.  It clearly doesn’t match.  She politely apologizes for taking my time, especially since I’ve had to call more than once and assures me that this was an authorized call.  She says she just wants me to feel safe.

We are speaking in slow motion now.

“But. It. Is. Not. The. Number. You. Told. Me. It. Would. Be.” I wonder if I seem as dotty as they treat me.

I explain that this is what I do for a living and if I worked for them, I would check the number that was calling me; the number I’d given them, the number that didn’t match.  Other customers might want to verify it, too.  “Use your contacts at Fastscripts, find out if this is one of theirs.  I know it’s unlikely, but someone might be using your name to collect personal information from your customers.”

“Do you have a security person I can talk to?”  I know they must, by law.

Anne comes on the line, says she’s helping me now.  We go through the issue again and she says she’ll investigate and call me back.  An hour later she does.

With a smile in her voice she explains that this wasn’t Fastscripts after all.  This was another third party partner of theirs.  This third party partner is doing a survey of their Medicare patients to see if Big Insurance Company is providing the right services, I’d be asked things like whether I was afraid of falling, for example.

“So if I’d provided my name, I would have been asked for more personal information?  About how I feel?  My health status?  And you’re doing this without advance notice, without any way for me to verify who I’m talking to other than believe a voice on the phone?”  I’m speaking loudly now.

“I understand your concern and I’ve already raised it to management.”  She says.

“Well, tell them again and tell them I said it louder!”  I can’t stop now and I’m probably yelling.  “Just give me two seconds more to speak my mind.  Legitimate companies do things like this.  Then we wonder why someone would give their private, personal information to a complete stranger?

There, I’ve had my say.  If she is their security person, she probably even agrees.  Sadly, it’s unlikely that one security professional and one dotty customer will slow down Big Insurance Company’s quest for higher sales.  More formalities, she never loses the smile in her voice, and I’m done on the phone.

I say again.  Lots of luck Mr. Soon-to-be-President, lots of luck.

 

Since it was necessary to truncate multiple encounters with my insurance company to make this readable, I’ve changed names.  So this should be considered as a work of fiction.  A work of fiction where the author is trying to depict events as accurately as possible.

The Invisible Profession

Book Review:  The Industries of the Future by Alec Ross

A friend of mine suggested this book and I’m really glad she did.  I try to keep up on world events but I had no idea, for example, what Estonia was up to, becoming “one of the most innovative countries in the world today,” and how Estonia was doing it, “… as one of the world’s leading centers of innovation.”   This is just one example, I have a list of people and organizations to watch from this book that I’d never heard of before.

And it’s impossible for me, as a woman, to not appreciate Mr. Ross’s stand on repressive political systems, especially those that prevent women from taking their places as equals in the public domain.  He predicts that those countries will continue to fall behind economically.  (Although the toll this takes on human lives isn’t a comforting thought.)

But where I would most like to comment, and probably the only sector where I’m qualified to do so, is in his prognostication about cybersecurity.  In his Chapter, The Weaponization of Code, specifically in the section called, Clandestine Operations:  Even the Spooks are Scared, he quotes Jim Gosler.  After establishing Jim’s CIA credentials and listing his honors and medals, Alec quotes him as saying, “There are about one thousand security people in the US who have the specialized security skills to operate effectively in cyberspace.”

Whoah, what?

What about the tens of thousands of us who work in this industry now?  (Probably hundreds of thousands worldwide.)

Could cyberspace mean something different to them than what it means to me?  I check online definitions, and the common one seems to be what I know, the environment in which computers communicate with each other.  But isn’t protecting that what we’ve been doing since the day the first firewall was installed?  Over the years through my volunteer work in ISSA New England, it’s likely that I personally have known over one thousand people qualified to operate in cyberspace.  While Boston is an important part of the professional landscape, it’s still just one piece of a very large pie.

Maybe they mean that special skills are needed for the latest international threats?  That’s a security professional’s life.  Just when you get controls in place for one kind of problem, new technology introduces completely new risks.  (And, I might add, organizations like ISSA are where we keep up with these challenges.)

No, I think this is just the same lament that I’ve heard for a generation now, the need for information security professionals is never big enough to meet the demand.  They say.

It was this sentiment, the siren call that pulled me in – I could do that, I could be good at it – that started me studying for security certification, almost twenty years ago now.  Then, in spite of my years of responsibility for networks and network based applications like e-mail, the only job I could find was with a vendor, selling product, not as a practitioner.  It was a start.

Having had second thoughts myself through the years and having watched people join and then leave this profession, especially women who hover at only about ten percent of us, I do not think it’s a problem of enough minds or even a problem of enough trained minds. And it’s definitely not a problem with interest or motivation; many of the people who leave information security jobs still come to Association meetings, hoping to find their next one in the industry.

I suspect a bigger problem on the demand side.  We haven’t established the parameters for success.  The buyers, potential employers, want known quantities, formulaic talent to compensate for this.  We end up with an endless shuffling of discontent on both the buyer and seller sides that goes right up to the senior level of our industry.  You can check this by using any major search engine and terms like “CISO turnover”; we’ve been talking about this for years.

And an industry that cannot keep its most senior staff in place will always have problems building and maintaining the teams who support them.

I wish I could list, here and now, with simple coherence, the problems that my profession has to solve to be effective and to keep the people we’ve trained in jobs.  I can’t.  I do offer some thoughts in the fictional hacker novel that I’m writing.  If it ever makes it to publication, the readers can tell me if it’s on target.

So what would I tell Alec Ross?  Don’t rely on the word of spokesmen.  Talk to some of the failures, the people who moved on in frustration or who worked for companies who were hacked.  We are obviously and endlessly repeating failure, in people and in practice.  The headlines will tell you.  You may have to have your conversations off the record; most of us live under confidentiality agreements, present and past.  We care enough about our work to discuss problems only when it won’t hurt the people who employ us.

Alec Ross’s book makes thoughtful prophecies about future industries:  robotics, genetics, money, political systems, as well as big data and the weaponization of code.  It struck me that all of these industries have fundamental problems relating to our safety or our privacy that need to be dealt with as they evolve.   This is a thread that runs throughout his book.

They may be invisible, but the number of people with some skill and training in security is legion.  There is an even larger pool of people with interest, who could be quickly trained, or re-trained if their skills are rusty or focused in the wrong area.  Ruling that out as THE problem might help us figure out what’s really wrong and make it right.

Women in Security

Whenever I attend an information security association meeting or event, I estimate the number of women in the room, compared to men.  Rarely are women more than ten percent of the participants.

I know that extrapolating from my own experience is not statistically sound but many of the women I’ve tried to mentor had to move on to other kinds of jobs because that’s what they could get.  I don’t blame them.  But then I hear how there are so many information security jobs begging to be filled and it doesn’t make sense.

This has been true for a generation as far as I can tell.  What makes me speak of it today is a recent study, reported here by Tracy Lien in the LA Times.

Women in tech still earn far less than men, study finds 

“Significant gaps also existed in tech jobs such as video game artists (15.8%), information security specialists (14.7%) and front-end engineers (9.7%).”  (I added the emphasis.)

Tracy goes on to quote Andrew Chamberlain, chief economist at Glassdoor, “My view is that in heavily male-dominated fields, the people who are making the decisions about pay and promotion are disproportionately men, and that can play a role in why we’re seeing gaps in male and female pay,”

These same people make hiring decisions.

I’m just saying…

Taharrush Games

The tears started when Google automatically translated the second foreign word to “games”.  Did she want to search with her original spelling instead?

That made it all come back, as it had so many times since that joy sucking night.

She’d had some book research to do in the old European city, planned for early in the year.  Why not fly in for New Year’s Eve?  In this, her first year of semi-retirement, she’d celebrated May Day in Budapest and watched SinterKlass arrive with the Dutch in Amsterdam.  It had been a great year.  What better way to celebrate its passing than another trip, another party?  Christmas with her son’s family over, kisses and hugs, a loving send-off for grandma at the airport and she was suddenly in Germany.

Even though it was New Year’s Eve, she hadn’t planned to stay out late.  She could always watch the fireworks at midnight from the hotel if she cared to stay up that long.   Near the hotel, the streets were warmly lit by the leftover Christmas lights, full of happy families, couples and party goers.  It was every bit the party that she’d expected.  She found it hard to leave, kept telling herself she’d stay out just a little bit longer before calling it a night.

She’d been watching one of the big screens in the square, cameras close up on a Euro-pop band that made up for its lack of skill with loud enthusiasm, or she might have noticed a change in the crowd.  Before she could react, the laughing, dark- bearded young man she’d seen in the corner of her eye moved in close.

Too close.

She took a step back.  There was someone behind her, too, holding her by the coat.  Her eyes were still on dark-beard’s face when he moved in.  “Oma,” he sneered.  She felt his hand between her legs.  Hard and rough.

“No!”  She cried out in fear and pain.

She pulled and twisted, finally creating some distance between herself and her attacker, losing her coat to the men holding her from behind.  More rough laughter, one more lunging advance. The attacker grabbed the neckline of her red silk holiday blouse, tearing it from neck to hem.

They ricocheted away, taking their own separate paths through the crowd, calling to each other like blackbirds in a field.

The crowd was looking at her now but she couldn’t read their faces.  She fought down shame.  Not just because of the brutal exposure of too much old skin, her underwear stark white in the night.   She’d suddenly realized that she’d fed her attackers with her fear.  She’d let it show.

Wrapping the shreds of her blouse around her, moving back toward her hotel, she found her coat on the ground.  Wet and muddied, it still covered a lot.

She stopped at the first policemen she saw.  “Ich…  Ich bin…”  She stopped.  She didn’t know the words in German to tell him what happened.  She didn’t know the words in any language.

He looked at her muddied coat, scraps of red silk hanging below it and pointed back over her shoulder.  His look had some kindness in it but even more, resignation, maybe some sorrow, too.  When she paused in confusion, he turned her ever so gently.  She’d walked right past a brightly lit police station, just fifty feet back.  Even from here she could see a dozen women inside talking to the officers on duty or waiting for their turn.  On her way to join them, she hesitated.  It was the woman bleeding into a wad of tissues from a streaming wound to the face that turned her again.

She wasn’t really hurt.  Her room and credit cards were still in her coat pocket, though they’d taken the twenty Euro bill.  That was nothing.

She’d slipped past the doorman to her room and finished the rest of the trip, a sort of automaton, taking her cues from the faces of people around her.  The attendants look relaxed; this flight won’t crash and burn.

There had been no one to talk to.  Her son would only worry more, she would travel again, and she didn’t have the words for it anyway.   When in Germany, she’d watched BBC and CNN compulsively, hoping that more information would help her make sense of it, but the arrests started only after she was home.  Everyone was having a hard time making sense of it.

Today, back at home and reading the latest news, she’d found the words.  Taharrush games, a sport of young men, observed in Muslim countries everywhere.

She would let herself cry now, cry more, as her world got smaller and harder to comprehend.

Social Engineering

The Microsoft Lounge at Black Hat Europe was easy to find.  Living the way I did on this and that, doing a lot of things to pick up a euro, I’d worked shows here before.  It had been a while.  I had new skills now.  The show floor setup at the Amsterdam RAI was typical, easy to figure out, areas for vendors’ presentations, demos and a centrally located lounge.  Central, to keep attendees in the hall.   Always sponsored by some company with deep pockets.

Taking off my coat, I analyzed the seating in the lounge.  Most of the high tables were filled with solitary men, heads down, typing away on their laptops.  Across from the coffee counter and the line of men waiting for their afternoon caffeine fix, the section with living room seating was more sparsely occupied.

That informal setup suited my purpose better, anyway.  I chose one end of a black, leather-like couch across a granite colored coffee table from two matching chairs.  Two more chairs, one at either end of the table, completed the arrangement.  A woman with long white hair sat in one of the end chairs, at the far end of the table from me, looking intently at her Android phone, oblivious to her surroundings.

I should be engaged in some activity, too.  I pulled out the show brochure while I waited.

It didn’t take too long. A slender young man with thinning blond hair plopped his computer bag on the boulder-like table between us. Collapsing deeply into the chair across from me, he took out his handheld.

The show badges that everyone was wearing on wide ribbons around their necks were bigger than my purse so it was easy to see his name.  People were careful with personal information at Black Hat Europe, it catered to hackers, but everyone still had a name of some sort on their badge.

A bonus, his badge was color coded and if that wasn’t enough, SPEAKER was spelled out on a bright red ribbon hanging from it.  This was going very well.  I knew immediately what my next move would be.

“Excuse me,” I said, moving slightly forward on the couch, closing the distance between us but not too much, not too soon.  This request needed a modest smile.  “Is there any way you can get me into your session?”  I asked him. “I didn’t pay for a full pass.  See, I, I really don’t know much about this stuff.  I told this guy I know that I’d come to the conference and get the information for him.”

Still bending slightly over the table, I turned my face slightly to look up at him.  Fortunately, even with him sprawled in that low chair, I’m petite enough to pull it off.

He looked up from his handheld and faced my wide blue eyes. I tried to mirror what I saw.  An honest, open face, sincere.  A sap.  Don’t think that now.  You’ll blow it if it shows on your face.

He’s the most attractive man I’ve ever met and I’ll hold that thought.

“I’m sorry,” he said, “I’ve already finished my session.  Are you interested in cryptography?”

I blinked and turned my face away a bit, feigning slight shyness.  Too bad I couldn’t blush on cue.

“I really don’t know any of this stuff but this guy I know had to work, so…” If I could get him to finish that thought for me, I’d know we were making progress.

I paused, smoothing my blond hair back over my ear, showing the full line of my chin in three quarters.  One of my most attractive angles or so I’d been told.  Still trying to look as if he towered over me.  Skills I’d honed years ago set to a new purpose.

“Here’s my card.”  He said, pulling himself out of the depths of his chair, leaning forward over the table.  Crossing more distance between us.

Even better!  I hid my surprise.

First step accomplished.  I had a real name, his Company name and telephone number and he knew nothing about me.

Save our Encryption

“When guns are outlawed, only outlaws will have guns.”

This silly slogan runs through my mind as yet another headline screams that lawmakers want manufacturers to take encryption off of devices, mostly phones, to make it easier to prosecute criminals.

Unfortunately, strong opinions exist only in my mind, it seems.

Any dissension or uprising, any slogan, any Facebook meme however trite or oversimplified disputing this demand would make me feel better.  I would even settle for a statement of support if it would provoke a fraction of the populist debate that I see about guns.  People don’t seem to know or care that their right to privacy is under attack in this non-conversation.

Fine points mumbled over by the highest orders of technocratic gurus, surrounded in esoteric terms and higher math concepts, encryption tends to scare people off as a subject for dinner conversations.  Guns, well, people know guns, or think they do, at least enough to have an opinion.

Let me see if I can use this old saw to cut some new wood.  “When encryption is outlawed…”

Let’s start with the reality of outlawing encryption, something that’s been around longer than computers, simply by taking it off of them.  That can’t prevent its use.

Encryption is simple, really!

Let’s do this together, you and me.  I want to send you a message: Noon lunch at Joes.  To keep lunch just between the two of us, I’m cheap; I’m going to encrypt it.

To do this, first we need a process to transform the message. We’ll start by assigning a number to each letter in the alphabet.  A is one; b is two, and so on.

Then we need a secret, you and I.  There’s a book we both have.  We’ll agree that every message will be encrypted using a different page of our book, starting with page one for the first message.

We’ll have to make some other process decisions, like how to handle spaces, too.  Do we leave the same spaces between words when it’s encrypted?  (Bad idea as it provides clues about word length.)  Do we ignore them? Or give them a value, too?  Like the example, these decisions may influence the strength of our encryption but what’s most important is that both of us understand them the same way.

So I take our first message, “Noon lunch at Joes “and the first line from the first page in the book:  “In the beginning…”

Remember how we assigned numbers to letters?  If you numbered the same way as I did, we’ll get the value 14 for the first letter N, from the message.  Then add it to 9 for the letter I from the secret.  Then we convert that sum, 23, back to a letter, whatever letter has that number in our numbered alphabet.  It comes out as W, the 23rd letter of the alphabet.

I write down W; it’s the first letter in our coded message.

And I do it again, and again, for every letter in our message.  I bet you see why a computer could come in handy right now.  But the point is, it’s not necessary.

When you get the message, you reverse the process.  Subtract the value of I, first letter in the secret, from the first letter W, in our crypto text, write down the result, and so on.  You’re the only one who can decrypt, because you’re the only one who knows the secret.

See?  You can do encryption!

And don’t minimize what we just did.  This is a simple variation on an encryption algorithm known as the one time pad.  It was one of the hardest codes for code-breakers in World War II to crack.  So hard that it was easier to turn the enemy, to persuade someone to hand over the paper “pads” of random characters that were used – random making a stronger secret than our book— than to try to crack the coded messages.

Over the years, encryption has evolved to deal with some of the old weaknesses, among others, our wartime problem of how to share a secret with hundreds of people and still keep it secret.  (Not a problem between you and I.)  But it always has these two properties, a process to transform and a shared secret.  Simple, eh?

Computers have made it easier for us to use encryption, embedding it into apps or even into the computer’s hardware (firmware), making it faster, always ready.   Modern encryption also has stronger secrets; it’s harder to defeat.

So, while taking encryption off of our computers can’t really take away our ability to use it, it gets a lot harder for us to do well.  A lot harder for you and I to protect our information:  banking, healthcare, or anything else that’s personal to us, the kind of thing we only want to share with our select few.

Of course I can go out and buy encryption software, use it on those same devices.  But I guess they can make that illegal, too.  Which brings me back to our old saw, transformed, “… only outlaws will have encryption.”    As a friend pointed out with guns, then we know who the outlaws are.

But wait!!  When I’m a famous writer, if I use encryption to arrange a private rendezvous with my sweetheart, sans-paparazzi, will I be an outlaw?  Suspect?

Well, I guess it’s not all bad. Some people could profit from this.  Those hackers, er, software developers, in Russia who were put out of business by the pharma wars, when their spamming, illegal businesses imploded through bad leadership and the pressure of international law enforcement, those guys could use a new line of work.  A new product to sell, an international export!

Seriously, I could even see some compromise around my use of encryption if it were well defined, well protected.  For example, some kinds of encryption can be fitted with something like a master key.  This is used all of the time in big corporations so that encrypted company data won’t be lost if someone forgets their password.  It’s sometimes called a recovery key.

But who would protect that master key?  The Federal Government?  The government that seems to be telling me via the media as I write this, that I should get my tax return in early so they don’t accidently give money to a thief?

And would use of that key by law enforcement require my permission?  Notification?  A subpoena?  One that limited what information could be retrieved?

We don’t have a law in the US that defines our fundamental right to privacy, our right to protect it with tools of our choice, let alone one that covers these questions.  And sadly, I don’t hear voices demanding that we do that first, before they take away encryption, the tool that protects us from our own technology.

But, well, OK.  I DO have a constitutional right to own a gun.