Digital Insurgency

Where Surveillance, Encryption & Privacy Collide

Yet another mainstream tech reporter has decided to draft up an alarmist piece about the hacking of the US election based on a flawed understanding of both how our elections are conducted and the reporting of other related news. CNet’s Edward Moyer threw out this misleading story over the weekend:

“Don’t blame me, I voted for the other candidate (but hackers stole my ballot).”

You might chuckle, but apparently that’s a bumper sticker we could soon encounter for real — if election officials aren’t careful.

The US Department of Homeland Security issued a statement Saturday saying hackers have been casing state voting systems, and it offered its cybersecurity assistance to any states that request it. (emphasis mine)

That link in the last line is the critical piece. It leads to a DHS bulletin in reference to the agency’s offer of help to states looking to secure systems. In it, they note:

In a few cases, we have determined that malicious actors gained access to state voting-related systems. However, we are not aware at this time of any manipulation of data. (emphasis mine)

You will notice the difference between the two passages in bold above. It may seem overly pedantic or a minor semantic distinction, but it really isn’t. A “voting system” would refer to the system by which America votes. A “voting-related system” would be a supplementary system that aids in that process, but is not actually part of the voting system. In other words, as I have commented previously, the actual conduct of elections and the storage of voter information are not one and the same. Your voter registration is not tied to the machine on which you vote. The city/county/state registration databases exist separate and apart from the machines you will use to actually cast your ballot.

This is critically important for reporters covering the concern over election manipulation to get right, and yet they rarely do. Instead, like Moyer, they write these sensationalist pieces that mislead the public into conflating the illegal access of voter data with the manipulation of their sacred vote. It’s unfortunate that writers like Moyer don’t bother to actually talk to people who have spent a lifetime in elections to get the story right.

I have seen a lot of posts on various tech blogs about the Yahoo! data breach announced last week and many of them make the same tired jokes about the fact that the 500 million compromised accounts were likely last used in 2003. One meme that circulated today noted that Yahoo!’s traffic was up substantially as everyone logged into their account for the first time in years – only to change their password and log out again. A good friend last week asked why this was making news, despite the fact that Yahoo! is a shadow of its former self.

To understand why the breach is a big deal – beyond the simply unimaginable scale – you have to understand how hackers are using this data. Once you grasp that, you should come away with two things: an abiding fear for your own security and a desire to correct its deficiency.

Large scale data breaches are problematic primarily because the average user has somewhere between one and a small handful of passwords they reuse across many sites. You may have accounts on dozens or hundreds of sites, but precious little differentiation between the passwords. So when a large scale hack happens – especially when passwords are compromised – those records can be used to subsequently test the same login credentials on another site.

So here is what that looks like in practice. If the hacker has your Yahoo! address and password, they can script an attack on Facebook or LinkedIn to use that as your login. If they find the combo works, great!  If they also get a secondary/recovery email address, they now may have the same password you use on Gmail, or Hotmail. A quick filter of the compromised data by domain and suddenly they can script hundreds of additional attacks on other sites.

So what can you do about that? The answer is pretty simple – STOP USING THE SAME PASSWORD ON EVERY SITE.  Every site you visit should have a unique password, and ideally that password should be REALLY hard to break manually. Here is a good example:

Az\K:]<xm\,@5a4D!Z6&fn>BP

That hot mess was automatically generated by the password keeper I use, KeePassX. There are others out there, like LastPass. The point is, there are solutions for the fact that people are incapable of memorizing hundreds of unique passwords, and you should look into one – REALLY soon.
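
What reuse costs, and how a password keeper removes that cost, as an added example that is not from the original post or from KeePassX. The vault entries and site names are constructed, and the function names are hypothetical.

```python
import math
import secrets
import string
from collections import Counter

# Constructed sample vault: (site, login, password). Not real credentials.
VAULT = [
    ("yahoo.example",    "pat@yahoo.example", "P4$$word!"),
    ("facebook.example", "pat@yahoo.example", "P4$$word!"),
    ("linkedin.example", "pat@yahoo.example", "P4$$word!"),
    ("gmail.example",    "pat@gmail.example", "P4$$word!"),  # the recovery address
    ("bank.example",     "pat-1977",          r"Az\K:]<xm\,@5a4D!Z6&fn>BP"),
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def exposure_if_breached(vault, breached_site):
    """Other sites that share a password with the breached site's entry."""
    leaked = {pw for site, _login, pw in vault if site == breached_site}
    return sorted(site for site, _login, pw in vault
                  if site != breached_site and pw in leaked)


def generate_password(length=25):
    """Random password from the OS CSPRNG with every character class present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on the guessing entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def rotate_reused(vault):
    """Replace every password used by two or more entries with a unique one."""
    counts = Counter(pw for _site, _login, pw in vault)
    return [(site, login, generate_password() if counts[pw] > 1 else pw)
            for site, login, pw in vault]


if __name__ == "__main__":
    print("Exposed by a Yahoo! breach:", exposure_if_breached(VAULT, "yahoo.example"))
    fixed = rotate_reused(VAULT)
    print("After rotation:", exposure_if_breached(fixed, "yahoo.example"))
    print("Bits of entropy at 25 characters: %.0f" % entropy_bits(25))
```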

These breaches are going to continue, and as long as you are using P4$$word! as your login for every account you have, you’re going to fall victim to them – if you haven’t already.

The breach of 500 million Yahoo! accounts matters, even though Yahoo! doesn’t, because it adds fuel and armament to the tank that hackers are driving through the Internet. As it cruises along, their ability to snarf up more and more of your accounts gets better and better. And as long as you are still using the same password on every site, you are doing precious little to stop it.

It’s a good thing someone in our government is actually informed about elections. A report out yesterday afternoon noted that the head of the NSA, during an Armed Services Committee hearing, weighed in on the possibility of US elections being hacked (and here).

During a Senate Armed Services Committee, Sen. John McCain, R-Ariz., asked about the possibility that Russia “could somehow harm the electoral process” in his state and “disrupt the voting results in the upcoming election.”

Admiral Mike Rogers, head of the NSA and U.S. Cyber Command, spoke about the disparate structure with some states voting manually and others electronically.

“But is it a concern?” McCain asked.

“Oh, yes sir,” Rogers responded.

Fortunately, elsewhere in government, another top official knows how things actually work.

“The beauty of the American voting system is that it is dispersed among the 50 states, and it is clunky as heck,” said [FBI Director] Comey. “A lot of people have found that challenging over the years, but the beauty of that is it’s not exactly a swift part of the internet of things, and so it is hard for an actor to reach our voting process.”

Rogers clearly doesn’t understand how elections work. As I pointed out the other day, there is almost ZERO chance that the election could be “hacked” in any meaningful way. The FBI Director (with whom I rarely agree on matters of security, privacy and surveillance) is spot on. Our election process is a giant, decentralized mess. It is largely impervious to hacking because it is not standardized, not centralized, and not connected. Comey gets this. That’s ultimately good because it would probably be up to the FBI/DOJ to enforce security over elections. If the NSA were in charge, we would be screwed.

 

Recent news reports about the election databases in Arizona and Illinois have a whole lot of people up in arms, and have caused numerous publications that have precious little understanding of election systems to proclaim that the US election in November could be hacked. For instance, there is this from the Daily Signal:

“If it’s an organized effort, and someone hacks into a system and falsely registers bogus voters, you could hire a crew of people to vote multiple times under different names,” von Spakovsky told The Daily Signal. “That’s a problem for states with no voter ID laws. There is no way to prevent that.”

Guess what, there is nothing that prevents that currently. You can fill in a ton of false registrations in a state and hire a crew of people to vote multiple times. Yet it doesn’t happen. Just about every major study of voter fraud has found that when it does occur, it is a) generally on a very small scale and b) frequently caught. Why? Several reasons:

  • The sudden appearance of a large number of extra voter registrations would be noticed. Most states publish the number of registered voters publicly and there are people who look at the numbers, literally, on a daily or weekly basis to see how they have changed, and how the change tracks against changes over time. A sudden shift in the number would stand out.
  • The size of the “crew” required to throw an election is significant. Few states decide Presidential or Congressional elections by a few votes and rigging them is VERY difficult. The Florida results in 2000 are the rare exception, not the rule in Presidential elections. To swing a state like Ohio in 2004, you would have needed 60,000 votes. The size of the crew that could pull that off is so large it is unlikely that somebody wouldn’t brag about it to a friend. Occasionally you have a down ballot race for something like dog catcher that is decided by a handful of votes. Those are frequently fixed and very frequently caught.
  • The decentralization of American election systems would make a large scale hack almost impossible. Typically each county in a state is responsible for providing their own election systems. You vote, the aggregate vote from your precinct/ward/division is sent to the county election official, who then sends it along to the state. To “hack” an election in a single state, you may have to compromise dozens or even hundreds of individual polling systems in a state, and quite frequently a mix of different systems is in use. So you may have to compromise dozens of different types of machines. You could possibly hack the secretary of state’s central computer, but all the counties have to reconcile their votes, then meet with the state election officials to certify that what the state shows is correct. So the hack at the state would eventually be revealed.
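
The first and third checks above, sketched as an added example (not from the original post or from any election office's software). All counties, precincts, vote counts, registration figures and the spike threshold are constructed.

```python
from statistics import median

# Constructed precinct tallies as held by each county.
PRECINCT_RESULTS = {
    "Adams": {"P1": {"A": 410, "B": 388}, "P2": {"A": 295, "B": 342}},
    "Baker": {"P1": {"A": 1210, "B": 1175}},
}

# Constructed view from the state's central system; Baker's total for
# candidate A has been altered by 500 votes.
STATE_REPORTED = {
    "Adams": {"A": 705, "B": 730},
    "Baker": {"A": 1710, "B": 1175},
}

# Constructed weekly counts of registered voters for one state.
WEEKLY_REGISTERED = [812_340, 812_905, 813_410, 813_990, 814_520, 829_770, 830_300]


def county_totals(precincts):
    """Sum the precinct tallies a county holds into one total per candidate."""
    totals = {}
    for tally in precincts.values():
        for candidate, votes in tally.items():
            totals[candidate] = totals.get(candidate, 0) + votes
    return totals


def reconcile(precinct_results, state_reported):
    """Return (county, candidate, county_total, state_total) for each mismatch."""
    mismatches = []
    for county in sorted(set(precinct_results) | set(state_reported)):
        local = county_totals(precinct_results.get(county, {}))
        state = state_reported.get(county, {})
        for candidate in sorted(set(local) | set(state)):
            if local.get(candidate, 0) != state.get(candidate, 0):
                mismatches.append((county, candidate,
                                   local.get(candidate, 0), state.get(candidate, 0)))
    return mismatches


def registration_spikes(counts, factor=5):
    """Flag week-over-week changes far larger than the typical weekly change."""
    deltas = [b - a for a, b in zip(counts, counts[1:])]
    typical = median(abs(d) for d in deltas)
    return [(week + 1, delta) for week, delta in enumerate(deltas)
            if abs(delta) > factor * max(typical, 1)]


if __name__ == "__main__":
    for county, candidate, local, state in reconcile(PRECINCT_RESULTS, STATE_REPORTED):
        print(f"{county}/{candidate}: county certifies {local}, state shows {state}")
    for week, delta in registration_spikes(WEEKLY_REGISTERED):
        print(f"week {week}: registrations changed by {delta:+d}")
```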

The biggest threat to our election systems is not the hacking of an election, but the workaday hacking of our personal information. That, however, is something that threatens every major database – be it commercial, private or government. In just the last few years, an alphabet soup of government agencies has been hacked. Breaches at the IRS, NSA, and OPM, to name just a few, compromised the personal information of millions of citizens. Corporate hacks on everything from Target to porn sites have resulted in even more.

Election agencies maintain huge databases of information about voters. In many states the use of a voter ID number is prohibited, so they often use your Social Security Number to identify you. When the database gets hacked, the attackers will often get your name, address, date of birth, driver’s license number and SSN. Those are all the ingredients needed for identity theft. What’s worse is that the leak of that information happens all too frequently.

A lawsuit filed this week revealed what Kemp said his office learned on Friday — that Social Security numbers, dates of birth and driver’s license numbers for 6.1 million registered voters was included in a voter file provided last month to 12 organizations.

That’s among the largest breaches affecting states, if not the largest, according to a timeline kept since 2005 by the Privacy Rights Clearinghouse. South Carolina in 2012 discovered that unencrypted data from tax returns was hacked from its Department of Revenue, affecting 3.8 million adults, 1.9 million dependents and 700,000 businesses.

Despite that danger not only existing, but coming to fruition, Georgia’s elections director refused help in securing their systems, claiming a fear that the federal government was using it to get their nose under the tent to take over elections.

The reality is there is precious little chance that elections can be hacked, unless and until we centralize and standardize our election systems. While some have called for that as a way to provide better oversight and protection, it is actually quite likely that would create worse problems. Instead, the real election reform we need as voters is the creation of a national voter ID number that could keep track of voters without compromising their Social Security and driver’s license information. Many on both the left and the right oppose a voter ID number, though for different reasons. The left is generally opposed to voter IDs because they feel they suppress minority and low-income voters. The right fears them as a way for government to track individuals. Both are likely justified in those complaints.

However, we already have ID numbers that are frequently surrendered on registering to vote, but those IDs are tied to everything else we do in life, and our system, currently, is ill-equipped to protect them.

So sleep well tonight knowing that our election systems will likely keep our democracy safe, but not your personal information.

Over the last week there has been a lot of fretting about a decision by the US Court of Appeals for the Ninth Circuit regarding a case in which a former employee gained access to his former employer’s proprietary database using a current employee’s password. A veritable who’s who of tech blogs have been spun up claiming that the decision makes it illegal to share your Netflix password.

In his dissenting opinion, Judge Stephen Reinhardt pointed out that the trouble with ambiguous phrases like “unauthorized access” is that they could be interpreted to criminalize the actions of millions of Americans who might share their Netflix passwords.

The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.

Simply put, this is nonsense. In the case, David Nosal, a headhunter, left his employer to start a new firm, and brought several other employees along for the ride. Together, they used the password of a current employee of their former employer to access sensitive and proprietary data belonging to their former firm. This is, quite simply, hacking. Had they used a brute force attack to compromise their former employer’s data, it would be no different. As former employees, they simply were not allowed to access the system. Period.

I have my issues with many of our cybercrime laws. For instance, the defacement of a website is essentially the equivalent of spray painting your name on a building wall. In many ways it is actually less serious as it can typically be undone with a backup restore, and has almost zero cost associated with it. Compare that to the cost of having to hire someone to paint over or sandblast your wall. Yet the defacement of a website is a serious crime and the punishment for physical vandalism is typically very minor.

In Nosal’s case, however, the comparison to the real-world equivalent of his crime is pretty spot on.

If Nosal had been employed by a department store, quit, then got his buddy the night-shift stock clerk to open the door so he could come in and steal all of their clothing to resell it, he still stole the clothing. It doesn’t matter that he had a friend on the inside. In fact, the friend on the inside should be charged as well for facilitating the burglary. The tech blogs, however, want to draw a different comparison. They want you to believe that his friend helping to steal from Target is the same as his friend simply lending Nosal the key to his house despite the fact that his roommate was home.

To be clear, nobody was charged with sharing a password. Nosal was charged with illegally accessing a proprietary database to steal something of value from a system he was not authorized to access. The facts of the case are not in dispute. The Computer Fraud and Abuse Act, under which Nosal was tried, was meant to handle exactly this sort of incident – an individual circumventing prohibitions on system access to steal something of great value.

The comparison to sharing a Netflix password, specifically, is completely ridiculous given that Netflix actively encourages you to share your account by allowing you to specify multiple account users. Nothing in this decision makes that illegal.

If the tech community wanted to make a sensationalist claim, a more apt comparison might be the sharing of an Amazon password to get a Prime discount tomorrow. Even that, however, is not an apt comparison as you are still paying for the goods, albeit at a savings. You are still paying the full price that any Prime member would pay. The CFAA does, however, give Amazon the legal authority to prosecute that if they would like to do so.

Despite the wishes of the “everything should be free” crowd, there is still a concept of ownership. The CFAA decision reinforces that concept and holds individuals (in this case Nosal) responsible for theft of goods owned by someone else. Despite the public outcry, this decision was rightly decided and is, in fact, a feature of the law, not a bug.

I’m just an average man, with an average life
I work from nine to five; hey hell, I pay the price
All I want is to be left alone in my average home
But why do I always feel like I’m in the Twilight Zone?

When I come home at night
I bolt the door real tight
People call me on the phone I’m trying to avoid
Well, can the people on TV see me
Or am I just paranoid?

Rockwell’s “Who’s Watching Me?” tells the story of a man who feels like he is under constant surveillance by some unknown entity. Two stories out of the world of tech privacy and surveillance today would likely make Rockwell think those lyrics didn’t go far enough. Or, as Max said in the cult classic movie Strange Days:

The issue’s not whether you’re paranoid, Lenny, I mean look at this shit, the issue is whether you’re paranoid enough.

It was revealed today that hacker-turned-Facebook-founder Mark Zuckerberg tapes over the camera on his laptop, as does FBI Director James Comey. That latter part is particularly ironic given that it’s quite likely the FBI that may be spying on you. As I mentioned yesterday, the FBI is already using software to scan almost a half billion images of Americans (despite few privacy protections). It’s also no secret that the FBI is pushing for massive new surveillance powers under the guise of “keeping us safe”.

It’s good, then, that a coalition of internet companies has come together to create a public awareness and advocacy campaign. No Global Warrants is pushing to raise awareness and has a petition up to contact Congress to make your voice heard. While that is unlikely to prevent government from further suppressing your rights, it should, hopefully, make people aware of the issue and aware of how extensive the government’s expansion of its surveillance capability is.

In the meantime, there are some steps you can take to protect yourself. First, you can follow Zuckerberg’s lead and secure your cameras. Amazon sells these handy little slides for laptops and tablets that slide open and closed easily and avoid the tape residue. These cell phone camera covers are also handy and better looking than tape. You also might think twice about sharing a ton of photos of yourself. I realize that is probably unheard of in our selfie-obsessed culture, but it makes facial recognition much more accurate if they have snaps of you from every angle.

There are steps you can take to secure your physical devices like ensuring your hard drive and all external storage are encrypted (I like VeraCrypt). Apple has encryption built in through FileVault, but you have to enable it through System Preferences -> Security & Privacy -> FileVault.

You should also, under NO circumstances, be using the same password on every website. I’ll be covering that soon, but there are a lot of password lockers that a) keep all of your passwords securely and b) make it so that you don’t need to remember passwords at all. They’re easy to set up, and enable you to have different, unique, and strong passwords for every site you visit. With free services like Dropbox to store the encrypted password files, you can also use them on every device.

While many of these steps will help protect you from hackers and identity thieves, the FBI has also been known to illegally hack computers. While much of the evidence stemming from that investigation has been tossed by several courts, the FBI is pushing to address that problem through these expanded powers. So you really want to get comfortable with protecting your information from actors both good and bad.

 

In case you are curious, Ledgett also answered why the NSA didn’t help the FBI crack the San Bernardino shooter’s iPhone. “We don’t do every phone, every variation of phone. If we don’t have a bad guy who’s using it, we don’t do that.”

If you look at the medical devices from the same point of view, you might only need to worry about remotely having your pacemaker, insulin pump or other wirelessly-enabled medical device hacked or monitored if you happen to have the same model as some NSA target.

This is a rather matter-of-fact and simultaneously VERY creepy thought. Assassinations are a rather convenient way to force regime change in hostile nations, and hacking medical equipment would certainly be an efficient way to carry that out. The US is already alleged to have developed things like the Stuxnet virus to very specifically target a single system in a single environment (in that case a Siemens system in an Iranian nuclear facility). If the government could legitimately develop methods of hacking medical devices ostensibly for investigatory purposes, how long would it be until they were developing them for covert assassinations?

It seems like the stuff of fictional thrillers. Something Jason Bourne would have employed, perhaps. But the reality is these things eventually go rogue. In just the last few weeks, viruses similar in design to Stuxnet have been found that target industrial control systems for nefarious purposes. Would it take long for an industrious hacker group to develop their own (assuming they aren’t already)?

Ransomware attacks on hospitals have recently seen exponential growth. What if these hackers turned their attention to high net worth individuals and threatened their very lives, demanding ransom or their medical equipment would be compromised?

Report after report indicates that companies making so-called “Internet of Things” devices are often playing fast and loose with our privacy and security. Everything from children’s toys to automobiles has been hacked, and now we have the US government admitting that it wants to hack medical devices. If you aren’t getting nervous about connecting your whole life to the Internet, you haven’t been paying attention.

Until we have better controls and more secure systems, putting your pacemaker online seems like a terrible idea.

It seems that almost every day there is another story of a company, website, or celebrity that has been hacked. Sensitive information – everything from banking details to naked selfies – gets posted online and embarrassment and financial devastation grows. Despite the constant flow of information about high-profile hacks and the commonplace occurrence of identity theft, people still don’t take basic precautions to protect themselves, and websites don’t take basic precautions to protect user data.

When a hacker breaches a site like MySpace and compromises its user database, they can compromise your email/username and password combinations. If you reuse that same combination on other sites, it is very easy for hackers to write a script to compare those credentials against other popular sites, and identify which ones give them access. It is no surprise that the number of Twitter accounts hacked in the past few weeks is exploding, given that many or most of those people likely also had MySpace or LinkedIn accounts, and were likely using the same password on all of them.

Twitter acknowledged as much when discussing the announcement that 32 million user credentials were available on the dark web.

“The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.”

Many websites are now informing you when a login is attempted on your account from a new location, but this is still neither common nor foolproof. Some sites still store user credentials in plain text, though encryption of user credentials is more common than not these days. The strength of that encryption varies, however.

If you are using the same password across many websites, it is just a matter of time before you will be hacked. You really should be using a better method to keep yourself secure. Password locker systems (KeePass or KeePassX, for instance) allow you to keep an unlimited number of passwords stored in a single location and allow you to simply click to copy the correct password and paste it into login forms. You don’t need to remember them all, and most of these systems have a mobile app version that keeps a synchronized copy for logging in via your devices.

Whatever system you choose, it is well past time when you should be taking your personal information security much more seriously. If you are using the same password for your Facebook account and your online banking, you are dancing in a virtual minefield and it’s just a matter of time before something blows up.
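
The scripted credential testing described above also leaves a pattern in the login records of the sites being tested. The following is an added example, not from the original post or from Twitter: the log format, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed auth log: "<ISO time> <source IP> <username> <OK|FAIL>".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-06-10T03:14:01Z 203.0.113.7 alice FAIL
2016-06-10T03:14:01Z 203.0.113.7 bob FAIL
2016-06-10T03:14:02Z 203.0.113.7 carol OK
2016-06-10T03:14:02Z 203.0.113.7 dave FAIL
2016-06-10T03:14:03Z 203.0.113.7 erin FAIL
2016-06-10T03:14:03Z 203.0.113.7 frank FAIL
2016-06-10T09:30:10Z 198.51.100.20 grace FAIL
2016-06-10T09:30:25Z 198.51.100.20 grace FAIL
2016-06-10T09:30:41Z 198.51.100.20 grace OK
2016-06-10T10:02:00Z 192.0.2.44 heidi OK
2016-06-10T10:05:00Z 192.0.2.44 malformed-line
"""


def parse(log_text):
    """Return (time, ip, user, succeeded) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts, ip, user, result = parts
        events.append((ts, ip, user, result == "OK"))
    return events


def find_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Map each suspicious source IP to the accounts it logged in to.

    A source is suspicious when it tries many different usernames and most
    attempts fail: the signature of replaying a leaked credential list. A
    user mistyping their own password touches one username and is ignored.
    """
    per_ip = defaultdict(lambda: {"users": set(), "hits": set(), "fails": 0, "total": 0})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        if ok:
            stats["hits"].add(user)
        else:
            stats["fails"] += 1

    findings = {}
    for ip, stats in per_ip.items():
        many_users = len(stats["users"]) >= min_users
        mostly_failing = stats["fails"] / stats["total"] >= min_fail_ratio
        if many_users and mostly_failing:
            # Accounts in "hits" accepted a replayed password: force a reset.
            findings[ip] = sorted(stats["hits"])
    return findings


if __name__ == "__main__":
    for ip, accounts in find_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: credential replay suspected, reset passwords for {accounts}")
```

Grouping by source address is the simplest signal; the same counting can be keyed on other attributes a site records when attempts are spread across many addresses.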

We’ve launched this blog to look at developments in the area of cybersecurity, privacy, encryption, and government surveillance, because their intersection is the epicenter of the digital world. Discussions of the balance between security and privacy will drive most tech discussions for the next ten years. Much of this starts with you being better informed and empowered to take an active role in securing your personal data.