Category Archives: Technology

Investigatory Powers Act

‘The Investigatory Powers Act is world-leading legislation’
Amber Rudd (Home Secretary)

One might ask, what part of the world are we leading exactly:
North Korea, Cuba, China and Saudi Arabia?

Passed into UK law on 29th November 2016 with barely a whimper.
(Replaces the Data Retention and Investigatory Powers Act – DRIPA)

‘…it establishes a dangerous new norm, where surveillance of all citizens’ online activity is seen as the baseline for a peaceful society.

Collect evidence first, the government is saying, and find the criminals later.’
Jim Killock (Open Rights Group)

At a Glance:
Telecoms providers are obligated to retain data on British citizens’ web activity (Internet Connection Records, ICR) for 12 months.

Legalises the surveillance and ‘Targeted Equipment Interference’ (hacking) activities undertaken over many years by GCHQ and other agencies, including the collection of metadata and the hacking of individuals’ computers and phones (as exposed by Edward Snowden in 2013).

Legalises the wider power of ‘Bulk Equipment Interference’ (Mass Hacking) into large groups of computers and mobile phones of citizens overseas.

Provides for access by 48 named groups to the stored data, and establishes a ‘Request Filter’ (Common Database) enabling access through a single source. (Still being defined by the Home Office)

Allows access to masses of stored personal data, even if the person under scrutiny is not suspected of any wrongdoing.

Police can request to view journalists’ call and web records. (Seen as a potential death sentence for whistleblowing and investigative journalism.)

Technology companies and service providers can be asked to remove encryption on a given user’s device or service, where ‘Practicable’.
However, unlike the Apple case in the US, it’s expected that any cases in the UK will take place in private.
‘Any warrants issued to a company to decrypt users’ data will come with a gagging order, forbidding the firm from discussing it. There wouldn’t be any public debate about it.’ Harmit Kambo (Privacy International)

Who can access our data?
Amongst the more obvious police, military, and security services are a few less obvious, including:

Food Standards Agency
Department for Work and Pensions
Department for Transport
Department of Health
Revenue and Customs
English Ambulance Trust
Scottish Ambulance Service
Welsh Ambulance Service
Health and Safety Executive
Fire and Rescue Authority
Competition and Markets Authority

Comments:

‘The UK now has a surveillance law that is more suited to a dictatorship than a democracy.’
Jim Killock (Open Rights Group)

‘We have created the tools for repression.’
Lord Strasburger

‘None of us online are now guaranteed the right to communicate privately and, most importantly, securely.’
Renate Samson (Big Brother Watch)

‘The UK … joining the likes of China and Russia in collecting everyone’s browsing habits.’
Anne Jellema (World Wide Web Foundation)

This snoopers charter ‘has no place in modern democracy. The bulk collection of everyone’s internet browsing data is disproportionate, creates a security nightmare for the ISPs who must store the data, and rides roughshod over our right to privacy.’
Sir Tim Berners-Lee (inventor of the World Wide Web)

‘It’s sad that the Snowden revelations backfired so spectacularly here. Rather than rolling back powers, they’ve been used to legitimize these practices.’ Harmit Kambo (Privacy International)

‘The UK has just legalised the most extreme surveillance in the history of western democracy. It goes farther than many autocracies.’
Edward Snowden (NSA whistleblower)

Investigatory Powers Act 2016
Links to all 305 pages:
http://www.legislation.gov.uk/ukpga/2016/25/pdfs/ukpga_20160025_en.pdf
http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted

I wonder how many of our MPs have read, and understood, this piece of art?

Other Sources:
http://www.theverge.com/2016/11/23/13718768/uk-surveillance-laws-explained-investigatory-powers-bill
https://www.theguardian.com/world/2016/nov/19/extreme-surveillance-becomes-uk-law-with-barely-a-whimper
http://www.ibtimes.co.uk/governments-snoopers-charter-has-no-place-modern-democracy-says-inventor-world-wide-web-1594092
http://www.huffingtonpost.co.uk/entry/investigatory-powers-act-becomes-law-royal-assent_uk_583d91d8e4b072ec0d60680d
http://arstechnica.co.uk/tech-policy/2016/11/investigatory-powers-act-imminent-peers-clear-path-for-uk-super-snoop-law/
http://www.jomec.co.uk/blog/how-the-uk-got-a-world-leading-surveillance-law/
https://www.theguardian.com/world/2014/jan/27/nsa-gchq-smartphone-app-angry-birds-personal-data


Filed under News, Politics, Privacy, Technology

Cyber War Pt 2: Unintended Consequences

This follow-up to ‘Cyber War – Real Time View’ delves slightly deeper, and examines the possibility of ‘unintended consequences’.

NORSE ScreenShot
Another view of attacks, again from security company Norse.

There are two important aspects regarding these images:

1. The people behind the attacks are not necessarily residing in, or even acting from, the country the attacks appear to come from. As was noted last time, ‘this is a war without frontiers, uniforms, or even a clearly defined enemy’. It’s important not to view this as a war of one country against another. It’s far more subtle than that.

2. The map mainly serves to show the scale and type of the attacks as monitored by Norse. It is not a complete picture of all worldwide threats. It under-reports because it doesn’t include attacks on sites that aren’t monitored by Norse. Other security companies will have similar maps that aren’t publicly available. Without access to that data, the real scale of intrusion attempts cannot be accurately assessed.

Many of these attacks are simply about theft. Data is money, and attackers are looking to steal private data to sell on to willing buyers.

The theft from ‘Target Stores’ in 2013 involved 40 million credit cards and 70 million customer details. It was estimated that between 1 and 3 million card details were sold on by the thieves, netting around $54 million.

Target aren’t alone; these have all been subject to a large-scale loss of data in 2014:

Staples – 1.16 million cards.
Michaels (retail chain) – 2.6 million cards.
Home Depot – 56 million cards and 53 million email addresses.
Sony – theft of 5 unreleased films and 47k Social Security numbers (including 15k staff), many with full personal details.
JP Morgan Chase – data on 76 million households and 7 million small businesses.
New York’s Attorney General advised that over 8 years, 22.8 million private records were exposed.

However, it’s not always about theft.

Industrial espionage or malicious intent can be the motives, such as disrupting a company or organisation’s operations, sometimes by re-routing or delaying the logistics chain. There is also the example from 2013 where drug dealers hacked the computers of the port of Antwerp, Belgium, with the intent of smuggling drugs into the country.

Probably the most public malicious attack was the Stuxnet worm, (2008-2010). An infected USB stick delivered a payload intended to achieve a very specific result, and targeted only the Siemens devices that controlled the Iranian centrifuges used for uranium enrichment. It’s believed that 20% of the Iranian centrifuges were destroyed by Stuxnet.

The worm was later confirmed to be a joint USA / Israeli operation, and although it achieved its objective, it wasn’t without problems. The worm was designed not to travel outside the nuclear facility. However, an error in the code allowed the worm to replicate and spread all over the internet. It was claimed that no ‘unintended consequences’ occurred as a result, but some reports suggest otherwise. The Russians claimed that their nuclear facility was infected with the worm and, in the UK, a French-owned nuclear reactor unexpectedly shut down. EDF confirmed that the reactor also used Siemens controllers, but denied that the Stuxnet virus was involved. In a secret war, how would we ever know?

However, whatever the truth, it does appear that no catastrophic events occurred. Will we be so lucky the next time, when the people who design malicious code fail to grasp the significance of the unintended consequences of their work?

This attack highlighted how unprepared countries and organisations are to defend or respond to such action. It also showed how catastrophic unintended consequences might occur.

Most of all, it showed the potential of Cyber-warfare – the ability to collapse complex infrastructures.

Similar malware could cause havoc if allowed to infiltrate the computers in large corporations or infrastructure such as Power, Water or Communications.

This isn’t a war in which people are merely spectators. In many cases they are the players. Often the doors are left open by the users themselves.

A major retail chain suffered a crippling attack last December, during a peak trading period. Despite having invested in an extensive central security team, it transpired that a senior director had downloaded porn onto his work computer and unwittingly introduced the malware into his business.

Many intrusions occur because an individual had a lapse in their own security. One intrusion technique is the APT (Advanced Persistent Threat), where a specific individual is identified and then repeatedly targeted with the expectation that eventually one intrusion will be successful.

‘Security should be viewed as a shared responsibility that reaches well beyond the traditional view of it residing in a single department.’
Senior Director, NTT Com Security

This should be the standard thinking, but it’s far from it.

Security is not ‘configure and forget’. It requires constant monitoring and user interventions. Often the simple solutions are most effective.

Around 60% of attacks on web applications in the UK are ‘SQL injection’, typically exploiting known vulnerabilities in software. It’s not reported how many are successful, but since NTT Com Security research shows that 76% of known vulnerabilities identified in businesses were over 2 years old, it’s not hard to see why they are so popular with attackers. The simple act of regularly updating operating systems and applications would block them.

Everyone has responsibility for computer security.

When the lights go out, or communications fail, or water fails to run out of the tap, it’s quite possible that someone, somewhere enabled the malware intrusion by downloading some forbidden file onto their PC without first considering the possible ‘unintended consequences’.

That might be all it takes.



Filed under Privacy, Technology

Cyber War – Real Time View

The world has no shortage of war, so it’s no surprise to discover another one.
But this one is different in that it doesn’t involve all the traditional tools of war: armies, guns, tanks, missiles, drones, and the invasion of countries. It does, however, retain the ability to inflict pain, suffering and misery.

It has been fueled by the growth in technology, and thrives on the inability of individuals to consider the unintended consequences of their actions.
Like all modern wars, it can be viewed on a screen, just like a computer game.

NORSE ScreenShot

Click the image to follow the action provided by security company Norse.

These are real time attacks from one computer to another, probing security systems, looking for a way in. But don’t be misled by the implication this is ‘China’ vs the ‘USA’, or any other country.

It’s way more subtle than that.

This is a war without frontiers, uniforms, or even a clearly defined enemy.
The attack location can be anywhere on the planet, as can the target.
Attackers can include small-time thieves, drug dealers, arms dealers, organized crime, commercial competition, activists, rogue states, secret states, and governments, to name just a few.

It’s under-reported, which makes it difficult to know which activities are the result of cyber attacks and which aren’t. Quite often those that suffer the outages aren’t certain either.

On the 8th July this year, one day after the China stock market crash, several incidents happened on the same day in the USA. Computer ‘glitches’ were blamed:

1. The NYC subway system left a few trains stuck in some stations for extended periods of time.
2. United Airlines’ computer system stopped working, forcing all flights from the airline to be grounded.
3. The New York Stock Exchange’s computerised trading system also stopped working, causing trading to be suspended, a big deal in one of the world’s largest trading markets, if not the largest.
4. Following the New York Stock Exchange failure, the Wall Street Journal’s website also malfunctioned.
5. Over 2,500 residents in Washington, DC lost power.

Coincidence?
Maybe, but the capacity of cyber-war to devastate Power, Water or Communications infrastructure is proven.

A recent internet outage lasting only 5 days provided a sharp and timely reminder to me of just how dependent we have become on technology, and how difficult life could be with sustained outages.

The mesmerisingly pretty graphics mask that reality.


(If time permits, I’ll post a more detailed perspective later).


Filed under Privacy, Technology