Saturday, August 12, 2017

Ukraine under cyber attack once again by Russia

BBC reports that there has been a 48-hour denial of service (DoS) attack against the Ukrainian postal service, Ukrposhta.



http://www.bbc.com/news/technology-40886418

There are further details on a Ukrainian Facebook page.

https://www.facebook.com/ukrposhta/

Russian cyberattack disrupted N.C. election results

In a critical voting district, Russian cyber attacks caused great confusion at several polling places delaying and interfering with some voters.

The attack was on the voting rolls rather than the voting machines, making it appear that some people weren't qualified to vote.

“Voters were going in and being told that they had already voted — and they hadn't,” recalls Allison Riggs, an attorney with the Southern Coalition for Social Justice. (NPR report)

NSA report: http://www.npr.org/2017/06/06/531701318/intercept-article-reveals-nsa-report-on-russian-cyberattack

http://www.npr.org/2017/06/20/533637643/despite-nsa-claim-election-vendor-denies-system-was-compromised-in-hack-attempt

http://www.npr.org/2017/08/10/542634370/russian-cyberattack-targeted-elections-vendor-tied-to-voting-day-disruptions


Friday, August 11, 2017

Foundational Cybersecurity Research: Improving Science, Engineering, and Institutions (2017)

The National Academies of Sciences, Engineering, and Medicine have published a new report on cybersecurity. It is sold in print for $47, but anyone can download it for free as a PDF.

https://www.nap.edu/login.php?record_id=24676&page=https%3A%2F%2Fwww.nap.edu%2Fdownload%2F24676

You have to register but that is simple, fast, and FREE.



Suggested Citation

National Academies of Sciences, Engineering, and Medicine. 2017. Foundational Cybersecurity Research: Improving Science, Engineering, and Institutions. Washington, DC: The National Academies Press. https://doi.org/10.17226/24676.

From the summary

Attaining meaningful cybersecurity presents a broad societal challenge. Its complexity and the range of systems and sectors in which it is needed mean that successful approaches are necessarily multifaceted. Moreover, cybersecurity is a dynamic process involving human attackers who continue to adapt. Despite considerable investments of resources and intellect, cybersecurity continues to pose serious challenges to national security, business performance, and public well-being. Modern developments in computation, storage, and connectivity to the Internet have brought into even sharper focus the need for a better understanding of the overall security of the systems we depend on.
The research cultures that have developed in the security community and in affiliated disciplines will increasingly need to incorporate lessons not just from a wider variety of disciplines, but also from practitioners, developers, and system administrators responsible for securing real-world operational systems. This report is aimed primarily at the cybersecurity research community, but takes a broad view that efforts to improve foundational cybersecurity research will need to include many disciplines working together to achieve common goals.
There have been many reports on cybersecurity research offering many recommendations. Rather than echo these reports and expand their lists of proposed projects, the committee has focused on foundational research strategies for organizing people, technologies, and governance. These strategies seek to ensure the sustained support needed to create an agile, effective research community, with collaborative links across disciplines and between research and practice.
Part of the task of the Committee on Future Research Goals and Directions for Foundational Science in Cybersecurity was to consider gaps in the federal research program. In the committee’s view, the security community and funders understand the breadth of the challenge and the importance of emphasizing progress on all fronts—a diversity evident in the diverse approaches taken by the federal agencies supporting cybersecurity research. Instead of focusing on gaps, this report offers a framework that links research efforts. The strategy advocated below requires unusual collaborations among disciplines focused on technologies and those focused on the individuals and organizations that try to attack and protect them. Achieving those collaborations will require creating incentives that run counter to academic pressure for publications and user pressures for short-term results.
To this end, the committee’s analysis is organized under the four following broad aims for cybersecurity research:
  • Support, develop, and improve security science—a long-term, inclusive, multidisciplinary approach to security science.
  • Integrate the social, behavioral, and decision sciences into the security science research effort, since all cybersecurity challenges and mitigations involve people and organizations.
  • Integrate engineering and operations for a life-cycle understanding of systems.
  • Sustain long-term support for security science research providing institutional and community opportunities to support these approaches.
Not every research effort will or needs to address all four aims. However, articulating where each sits with respect to them is important to the coherence of the research program. These four aims are discussed below.

Monday, May 1, 2017

Hiding online, a primer for everyman

This is a reprint of my online security column as Science Editor of Perihelionsf.com

Internet Undercover

By John McCormick

OPEN THE POD BAY DOORS, HAL ... possibly the most famous fictional reference to one of the many minor computer problems that occur in endless ways in science fiction stories.
But you are unlikely ever to be in a situation similar to that of the unfortunate Dave Bowman trying to deal with a schizoid mainframe. Although a computer may never try to cut off your air, computer hackers using the Net, and especially computer bots, may cut off your access to credit or much worse, unless your computer is prepared to automatically defend you and you know enough to be able to defend yourself.
The warnings given by most computer security “experts” miss the point. They talk about how people need to be more careful with their critical data; in reality, if you make use of computers you will store important information on them and what you must do is equip your computer to defend itself. Although important, the first step isn’t to install security software but to be aware of where on the Web you should and shouldn’t be doing things you wouldn’t want made public.
There is a current example in today’s news—Hillary Clinton didn’t trust the State Department security with her important emails and rightly so since all, let me repeat that, all government computers are routinely compromised (trust me, for more than two decades I was a columnist for Government Computer News in Washington). While the Republicans are busily accusing her of some nefarious motive in installing an email server in her home, and some others say she was careless in doing so because of the risk of hackers, the truth is that while her server was already physically protected by the Secret Service, there is no suggestion that it was ever hacked. State Department computers are regularly hacked.
Back in the last century I remember there were two organizations in Washington that still used Wang computer systems (which had very poor security, having been designed in the ’60s and not really made any more secure in later decades as hacking threats became much more sophisticated). These were the State Department and the National Press Club.
I worked for Wang Computers at an IBM mainframe in the late ’60s and part of my job was security. Later I consulted for The National Press Club, which was still using Wang systems when I joined. To date things in a way that will make the situation a bit more clear, I was asked to investigate and approve or disapprove a proposal to put Press Club Luncheons on the then-fledgling Internet/World Wide Web, so you can see that I had intimate knowledge of just how poor the security was at some government agencies, not just the theoretical security knowledge of many so-called “experts.”
The Clintons took security into their own hands and because few people were in a position to compromise their security, it apparently was very secure indeed.
No matter how secure your system is, there will be passwords and user IDs, and the more people who need to know them to do their jobs, the more likely it is someone will tell the wrong person or fail to keep their access information hidden. Case in point—the infamous Sony hack was accomplished with social engineering, not hacking expertise. Someone either intentionally or accidentally disclosed their network access information to the wrong person.
Even at Government Computer News (GCN), which focused on sharing computer security information with the U.S. government, people would routinely click on email attachments that hid Trojans and other infections—needless to say, my computers were never connected to GCN systems.
Your home computer will be exposed to hackers if you have kids. At work, large organizations are vulnerable to social engineering hacks. When hundreds or thousands of people know passwords or have them stored on their office computers/laptops/smartphones/tablets, someone will always write down passwords where a “janitor” on the night shift can copy them down and access systems, or open that inviting email attachment that is carrying a virus or Trojan. In other instances, people will quit or get fired and may hold a grudge against the company.
As a sophisticated adult in today’s world, you are probably taking precautions against having your credit card numbers stolen or bank account information disclosed to strangers, but you probably give little thought to how you can live online safely.
Even if you are relatively sophisticated and keep a top anti-virus/general security program such as Kaspersky’s or AVG up to date, if you don’t know about TOR, the Silk Road, Bitcoin, and such, you have no real concept of how dangerous the Web can be.
There are hackers-for-hire out there ready to destroy you and your business for a few hundred Euros. Here is an actual ad (not a joke)—the grammar is indicative of a non-English speaker, not a lack of computer expertise.
The listing is as follows. Contact and payment information has been deleted to protect the innocent:
“rent-a-hacker, Min price 200 euros in bitcoin
What ill do:
Ill do anything for money, im not a pussy :) if you want me to destroy some bussiness or a persons life, ill do it!
Some examples:
Simply hacking something technically
Causing alot of technical trouble on websites / networks to disrupt their service with DDOS and other methods.
Economic espionage
Getting private information from someone
Ruining your opponents, bussiness or private persons you dont like, i can ruin them financially and or get them arrested, whatever you like.
If you want someone to get known as a child porn user, no problem.”
You can find such ads if you are using an Onion/TOR browser. TOR is a way to remain relatively hidden on the Web by making it appear your IP is located in another country and you can switch “locations” in less than a second with a single mouse click.
This can lead to some unusual search and browsing results; for instance, some sites decide you speak German or French, which is simply confirmation that your home IP address isn't being transmitted to the site.
TOR is a non-profit corporation sponsored by some surprising groups, including:
• More than 4,300 personal donations from individuals like you (2006-present).
• Reddit (2015).
• Radio Free Asia (2012-2016).
• National Science Foundation joint with Georgia Tech and Princeton University (2012-2016).
• National Science Foundation via University of Minnesota (2013-2017).
• Hivos/The Digital Defenders Partnership (2014-2015).
• SRI International (2011-2015).
• US Department of State Bureau of Democracy, Human Rights, and Labor (2013-2016).
• An anonymous North American ISP (2009-present).
Among the previous sponsors who helped TOR get up and operating were DARPA, the U.S. Navy, Google, and the National Science Foundation.
TOR can be a bit awkward to start up, but it definitely works. If you want to even approach security, go to the Tor Project website to download and install its completely free, open source, secure browser for most operating systems.
Silk Road is an underground market for legal and illegal products and activities, run by Dread Pirate Roberts. One alleged DPR was eventually arrested by the FBI, causing the Bitcoin value quoted in some other currencies to plunge about 2,000 percent for nearly half an hour, after which it returned to nearly pre-arrest levels. (Bitcoin is an alternative currency that is accepted by many businesses and even some countries.) There was a new Dread Pirate Roberts online within a few hours.
TOR also offers the ability to open your own service or run your business with complete confidentiality and, as long as you aren't selling illegal drugs or pushing child porn, the FBI will leave you alone (although I would pay taxes on otherwise unreported income to avoid problems with the IRS).
This is called the TOR Hidden Services Protocol and there are perfectly legitimate reasons to use it. Perhaps you are running a side business that your employer would find objectionable. Or you may be running a business and want to keep your transactions and/or online planning sessions hidden from hackers. In this case, use the TOR hidden services to run your own IM server.
Back to Basics—be More Unsociable
The first place you need to look for security threats is in all those social media sites you and your kids frequent. Posting a note to your friends that you are going on a romantic weekend is the same thing as putting a sign on your front door announcing that you aren’t at home so this is a great time to break in.
Even something as seemingly innocent as posting a picture of that great new plasma TV you just put in the basement rec room is nothing less than taking out an ad in the local penny saver saying you have some brand new expensive electronics ready to jack and fence.
Military families in particular need to scrub their social media accounts of any reference to a military association because of ISIS threats, which have already been made using such information.
As an alternative, build a social media presence without using any specific location or name data, and be careful about the photographs you post. Most people don't realize that digital camera images carry hidden metadata, and that metadata can include GPS coordinates and other data you don't realize you are publishing, not just what lens and f-stop you used. While the data are “hidden” in the sense that they aren't obvious, it may take as little as a mouse click to display them.
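The GPS data the paragraph above warns about lives in the JPEG's EXIF block (an APP1 segment holding a small TIFF structure). The script below is an added example written for this reprint, not code from the column or from any camera or social media vendor: it reads the GPS latitude and longitude out of a JPEG using only the Python standard library, and produces a copy of the file with the EXIF segment removed so the photo can be posted without the coordinates. The sample "photo" it parses is a constructed minimal JPEG with a fabricated GPS block (the coordinates are made up), not a real image file.

```python
import struct

# JPEG markers and EXIF constants (standard values).
SOI, SOS, APP1 = 0xFFD8, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                       # pointer from IFD0 to the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment between SOI and SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:                  # scan data follows; no more metadata segments
            break
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def is_exif_segment(data, marker, start):
    return marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER


def read_ifd(tiff, offset, fmt):
    """Return {tag: (type, count, position_of_value_field)} for one IFD."""
    count = struct.unpack(fmt + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(fmt + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, e + 8)
    return entries


def rationals_to_degrees(tiff, fmt, entry):
    """Decode a degrees/minutes/seconds RATIONAL triple into decimal degrees."""
    _typ, n, field = entry
    off = struct.unpack(fmt + "I", tiff[field:field + 4])[0]   # 24 bytes never fit inline
    vals = []
    for i in range(n):
        num, den = struct.unpack(fmt + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    d, m, s = (vals + [0.0, 0.0, 0.0])[:3]
    return d + m / 60 + s / 3600


def gps_coordinates(data):
    """Return (lat, lon) in decimal degrees, or None if the JPEG carries no GPS EXIF."""
    tiff = next((data[s + 10:e] for m, s, e in iter_segments(data) if is_exif_segment(data, m, s)), None)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    fmt = "<" if tiff[:2] == b"II" else ">"          # byte order declared by the TIFF header
    u32_at = lambda pos: struct.unpack(fmt + "I", tiff[pos:pos + 4])[0]
    ifd0 = read_ifd(tiff, u32_at(4), fmt)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, u32_at(ifd0[TAG_GPS_IFD][2]), fmt)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None
    ref = lambda tag: tiff[gps[tag][2]:gps[tag][2] + 1] if tag in gps else b""
    lat = rationals_to_degrees(tiff, fmt, gps[GPS_LAT]) * (-1 if ref(GPS_LAT_REF) == b"S" else 1)
    lon = rationals_to_degrees(tiff, fmt, gps[GPS_LON]) * (-1 if ref(GPS_LON_REF) == b"W" else 1)
    return lat, lon


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed; image data is untouched."""
    out, pos = bytearray(data[:2]), 2
    for marker, start, end in iter_segments(data):
        if not is_exif_segment(data, marker, start):
            out += data[start:end]
        pos = end
    out += data[pos:]            # SOS, scan data and EOI copied verbatim
    return bytes(out)


def build_sample_jpeg():
    """Constructed minimal JPEG (not a real photo) with a little-endian EXIF GPS block."""
    fmt = "<"
    entry = lambda tag, typ, n, val: struct.pack(fmt + "HHI", tag, typ, n) + val
    u32 = lambda v: struct.pack(fmt + "I", v)
    dms = lambda d, m, s: struct.pack(fmt + "IIIIII", d, 1, m, 1, s, 1)   # three RATIONALs
    ifd0_off, gps_off = 8, 8 + 2 + 12 + 4            # IFD0 holds one entry
    lat_off = gps_off + 2 + 4 * 12 + 4               # GPS IFD holds four entries
    lon_off = lat_off + 24
    ifd0 = struct.pack(fmt + "H", 1) + entry(TAG_GPS_IFD, 4, 1, u32(gps_off)) + u32(0)
    gps = (struct.pack(fmt + "H", 4)
           + entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00") + entry(GPS_LAT, 5, 3, u32(lat_off))
           + entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00") + entry(GPS_LON, 5, 3, u32(lon_off))
           + u32(0))
    tiff = b"II" + struct.pack(fmt + "HI", 42, ifd0_off) + ifd0 + gps + dms(40, 56, 24) + dms(78, 58, 12)
    app1 = b"\xff\xe1" + struct.pack(">H", len(EXIF_HEADER + tiff) + 2) + EXIF_HEADER + tiff
    com = b"\xff\xfe" + struct.pack(">H", 2 + 18) + b"constructed sample"
    sos = b"\xff\xda" + b"\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"   # fake scan data
    return b"\xff\xd8" + app1 + com + sos + b"\xff\xd9"
```

Running gps_coordinates(build_sample_jpeg()) returns the constructed position (about 40.94, -78.97), and gps_coordinates(strip_exif(...)) returns None, which is the check worth making on anything you are about to upload. The stripper removes the whole Exif segment rather than editing individual tags because camera model, serial number and timestamps are also identifying; it leaves the compressed image data byte-for-byte intact.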
What Can/Should You Do?
If you are sufficiently concerned by now, read on to learn how you can communicate securely, store information in the cloud, and even do business online safely without resorting to TOR.
It really is easy to keep people from figuratively picking your electronic pocket if you take some sensible steps and make sure your family knows the importance of online security. (Teenagers won’t get it because the lack of a developed prefrontal lobe means their brains aren’t really capable of predicting the consequences of bad decisions—not their fault, just a physiological fact.)
If you know anyone who has had their identity stolen you may already know how important this is; if not, your friends are few and rare, or they are a bit ashamed and aren't telling anyone about their problems.
“Hiding online” is my term for keeping your head down while not depriving yourself of the incredible benefits and possibilities provided by the Internet.
Security has long been a focus of my computer consulting and journalism career in part because I am a journalist and that can be a very dangerous profession if you do it right—not something that was obvious to most people outside the field until recent events in Paris and the Middle East.
The basics of cyber security are something I feel should be taught in every high school. Compared to diagramming sentences or learning how to sink a basketball from the foul line, learning to protect yourself and your family is an important topic that is not addressed in any K-12 school I’ve ever heard about.
I’ve found that many teachers are ignorant of the cyberworld and often fearful of it. I know some local teachers here in Punxsutawney who don’t even own computers or seem to think they are important.
So, do you give up the convenience of having a lively online life, or learn to protect yourself? This can be as simple as being discreet when discussing when and where your teenage daughter will be holding a party, or sharing your plans to start a company in competition with your current employer.
The first step to keeping safe online is free. Simply establish a ghost identity by opening an email account at one of the free sites and just entering a bit of misleading information.
I’ll give a quick example. Your birthdate is an important piece of data necessary to stealing your identity but almost no one pays any attention to concealing it and all social media from Facebook to the professional LinkedIn asks for the information.
The most recent New Year’s Day I got multiple birthday greetings from total strangers who had gotten my birthday from one of my accounts, either Facebook or LinkedIn. I know because January 1 is the date in my profiles on those services. On other services it is Bastille Day, July 4, etc. This practice not only conceals an important piece of personal information from total strangers, it gives me a way to trace where hackers might be getting my information.
Do I really need to point out that nowhere is my actual birth date, my mother’s maiden name, or other such information found on public sites? Some services acquire this information through data mining, but by having put out so much disinformation it turns out that my official data is also different on various sites, which is almost as good as having no information online.
Financial sites routinely set up “security” questions so you can verify your identity if you ever forget your password (or even change IP addresses). Why do they need to know your actual city of birth, or your father’s real middle name?
Of course, this is all just common sense (something I find not at all common); it is impossible to predict what the newest threat will be, so taking proactive steps is the only way to protect yourself and your loved ones.
Cryptography
If you want to keep a secret electronically, you don’t identify yourself correctly. You hide the information or you encode it. If it is really important you do both.
Encryption software from two decades ago used PGP or other basic algorithms, producing files that are now easy to crack. It was easy to implement, and even easier today. Codes that are more difficult to crack are more computationally intensive to implement and decrypt. That is why security consultants ask several questions about your data.
How secure does it need to be? You may not want your twelve-year-old to read the files, but what about the NSA?
Do you realize that the average twelve-year-old may have access to powerful cracking tools on TOR that go well beyond what even most police agencies have?
How long do the data need to be kept secure? Some encryption algorithms are so complex that it could take years to crack them. Others will be vulnerable to the next advance in CPU technology. But if your information only needs to be secret for a year, you don’t need much security.
The downside of really strong encryption is that it is expensive (in time, money, computation time, or all three) so you only use as much as you need in business—in other words, keep it cost-effective.
Whether you personally have ambitions to be a supervillain (or superhero) and are planning to take over the world (or save it), just want to share some questionable ideas with your attorney, or have a business with workers spread around the country/globe, many situations call for a way to communicate securely.
For secure online communications you have the option of using a program to encrypt your messages and then send it as an email attachment, or use a secure email service. Virtually no one takes the time to encrypt every attachment.
A major problem with any encryption system is making initial contact. How do you send an encrypted message to someone without any way to physically give them a password/encryption key?
There are ways to do this using public key systems, but I like to recommend software that takes care of all the details, requires no special knowledge of encryption, and is incredibly secure as long as you don’t give away your passwords.
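The "initial contact" problem the two paragraphs above describe is exactly what a public key exchange solves: two people who have never met agree on a secret key while an observer sees only the values that crossed the wire. The code below is an added example for this reprint (not the column's own, and not how any particular product such as Protonmail is implemented) showing a textbook Diffie-Hellman exchange in plain Python. The group parameters are a deliberately toy-sized constructed choice (the Mersenne prime 2**127 - 1 with generator 5) so the arithmetic is readable; real software uses a standardized group or an elliptic curve.

```python
import hashlib
import secrets

# Toy-sized Diffie-Hellman parameters, constructed for this illustration only.
# 2**127 - 1 is a known (Mersenne) prime, but it is far too small for real use.
P = 2**127 - 1
G = 5


class Party:
    """One side of the exchange. The private exponent never leaves this object."""

    def __init__(self, name):
        self.name = name
        self._private = secrets.randbelow(P - 3) + 2      # random exponent in [2, P-2]

    def public(self):
        """The value that may be sent over an untrusted channel (e-mail, a web form)."""
        return pow(G, self._private, P)

    def shared_key(self, peer_public):
        """Derive a 32-byte symmetric key from the peer's public value."""
        if not 2 <= peer_public <= P - 2:                 # reject degenerate values 0, 1, P-1
            raise ValueError("peer public value out of range")
        secret = pow(peer_public, self._private, P)
        # Hash the raw shared secret so the key is a uniformly distributed byte string.
        return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def run_exchange():
    """Simulate the exchange; return both derived keys and everything an observer saw."""
    alice, bob = Party("alice"), Party("bob")
    a_pub, b_pub = alice.public(), bob.public()           # the only two numbers sent
    observed = {"P": P, "G": G, "alice_public": a_pub, "bob_public": b_pub}
    return alice.shared_key(b_pub), bob.shared_key(a_pub), observed
```

Both calls in run_exchange() return the same key, while the observer's dictionary holds only public values. The caveat a practitioner would add: an unauthenticated exchange like this one cannot tell you whether the public value you received really came from your correspondent, which is why the packaged software the column recommends also verifies keys behind the scenes rather than leaving that step to the user.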
There are a number of free email services available that provide ease of use and great security. This list of links provides solutions for sending secure email, secure one-time messages, secure instant messaging, and encrypting files to send through email. I would like to add Protonmail to this list.
The encryption level of these sites is extremely high, making them extremely secure even if you happen to have a supercomputer. Rumor has it that the NSA would need a good reason before devoting the time and effort necessary to crack a top-level encrypted message.
Protonmail, for example, features a two-password user authentication just to retrieve a message in plaintext: one password gets you into your account; a second one is required to encrypt or decrypt any message. And, get this, no record is kept of that second password. It can’t be sent to you if you forget it. Your files can’t be decrypted on these servers, even if laws change and they are ordered to provide access to their server. Protonmail is based in Switzerland.
The problem with domestic email services is that the government can force the server host to provide files and any passwords they have. Google, Microsoft, Yahoo and other providers have had subpoenas issued against them in the past, forcing them to give up personal data; in some cases, services simply give up personal information even without any legal requirement.
Online Searches—What Sort of Breadcrumb Trail Are You Leaving?
You hear in the news every day about what the Boston Bomber suspect or the German airline co-pilot searched for recently on the Web. These are, of course, high profile examples. Even doing something completely innocent, you may not want the NSA to see what you are researching. As a reporter/journalist/author and physicist, as well as an emergency management coordinator, I often have the need to look up lots of things that can appear a bit suspicious. Hiding my identity is simply prudent.
Some search engines such as Google won’t give you access if you use TOR to hide your identity. The reason is simple economics: Google makes money on those ads and to place them properly they need cookies that tell them who you are and what your interests are. But there are dozens of other search engines that will let you use TOR to conceal your activities.
Google tracks every search you undertake and associates it with your IP address or Google ID. Some search engines, such as Clusty, never track anything about you.
Security In Depth
If you want to send an encrypted message to someone new, give them a hint that lets them guess the password needed to open the message. For example, if I sent you an encrypted file and the password hint is “science fiction webzine,” how quickly would you guess the password? That is a reasonably secure initial contact; anyone trying to crack your files would have difficulty guessing which magazine was likely to be correct. That is exactly how Protonmail, and other secure email services, work.
Gmail is a great second choice, and Google offers a lot of useful tools. Gmail is difficult for outsiders to trace; there is little information in the message headers. Gmail is also a gateway to many other services, such as free cloud software for calendars, spreadsheets, and documents, that you can use for group collaboration.
But what if you get Gmail accounts based on fake personal info? That can provide pretty decent security and is totally free. It is probably against some clause in the user agreement. However, deleting your account is the worst punishment for being caught. If you are careful, they’ll never know. I don’t have a fake Google identity because I use TOR and Protonmail for things I need to keep secure. I do have more than one Google ID, which can be confusing for anyone tracing my activity.
A Final Word on Personal Privacy
Have you ever built or contributed to a website you later decided was unneeded or that disclosed far too much information about you, your family, friends, or employer? You deleted all that information and even gave up the domain name, so your secret is easily kept, isn’t it? After all, it isn’t there any more. Or is it?
Have you ever heard of Internet Archive and its associated WayBack Machine search engine? The Archive is, simply enough, a website devoted to storing everything that was ever on the Web and could be located with a search.
If you use its WayBack Machine (thank you Mr. Peabody), you can look at older versions of most Web sites—all those sites that you thought were completely erased are still out there and most changes are recorded. Give it a try; they don’t have everything—only 456 billion pages as of my writing this sentence, but they keep adding more.
The Web Beyond Google
When you do a search on most major search sites you will probably see hundreds of thousands of possible “hits” (results). Some sites, such as the above mentioned Clusty, narrow this chaos for you by sorting the results into various categories. Other search engines offer different ways of weighting the results.
There are more than one hundred relatively popular search engines. It might surprise you to see how much information can be easily found. For example, using the WayBack Machine, you can see old contact information from previous versions of websites. Yet, approximately 90 percent of all the information available electronically is invisible to search engines. Why?
This isn’t because of a conspiracy; most of the hidden information consists of vast databases that can be searched if you know it is there. But search engines work by sending “bots” out to catalog information on websites; they don’t index all that data simply because it doesn’t exist as a web page until a search is conducted that brings specific data up and places it on a page visible to the user. Thus far, on the Internet, humans still hold the advantage. END
John McCormick is a trained physicist, science/technology journalist, and widely-published author with more than 17,000 bylines to his credit. He is a member of The National Press Club and the AAAS. His full bibliography can be accessed online.