Tag Archive for Cybersecurity

ITU Regs Bad for Cybersecurity

Emma Llansó at the Center for Democracy & Technology writes that the International Telecommunication Union is ill-suited to regulate cybersecurity. The United Nations-backed ITU will meet in December to try to expand its control over the Internet. The CDT believes that the issue of cybersecurity perfectly illustrates why the ITU should not be given expanded regulatory authority to include matters of Internet governance.

The UN body is holding the World Conference on International Telecommunications (WCIT) this December in Dubai, UAE to renegotiate the International Telecommunication Regulations (ITRs), the UN’s core telecommunications treaty. The ITRs date from 1988 and set forth general principles for the operation of international telephony systems. The CDT reports that some Member States of the ITU want to use the WCIT to expand these regulations to Internet matters by amending the ITRs. The CDT and others have warned of the risks to online freedom and innovation if the UN is allowed to regulate the Internet. The CDT has released a paper (PDF) that examines in detail some of the proposals pending before the ITU relating to cybercrime and cybersecurity.

The CDT states that cybersecurity is undeniably a critical issue for the future of telecommunications and indeed for global commerce, development, and human rights. On the other hand, it is ill-suited to the kind of centralized, government-dominated policy-making that the ITU represents.

Cybersecurity requires agility: given the pace of technological change, governmental bodies are not likely to be the source of effective technical solutions. The CDT predicts those solutions will emerge from multi-stakeholder efforts involving ICT companies, technologists, academics, and civil society advocates, as well as governments.

Moreover, the cybersecurity issue inevitably leads straight into questions of human rights and governmental power: surveillance, privacy, and free expression. None of these are issues the ITU has any expertise in or any ability to assess and balance. The CDT suggests that, rather than adopting vague wording that could be used by governments as justification for repressive measures, the ITU should endorse existing standards initiatives such as those underway at the IETF and continue to serve as one forum among many for the development of consensus-based, private sector-led efforts.

According to the CDT briefing, the Arab States regional group has offered a proposal to amend the ITRs to require Member States to “undertake appropriate measures” to address issues relating to “Confidence and Security of telecommunications/ICTs,” including “… online crime; controlling and countering unsolicited electronic communication (e.g Spam); and protection of information and personal data (e.g. phishing).” The governments of the Middle East have a history of manipulating the Internet to silence dissent.

Another example of why the UN should not control the Internet comes from the African Member States’ cybersecurity proposal, which deals with data retention. The CDT reports that the proposed requirement would force communications companies to retain data about customers and communications for the benefit of the government rather than for business purposes.

Analysis by the CDT says that this requirement goes against American criminal laws. A data retention law of this kind turns the presumption of innocence on its head, since these cybersecurity data retention rules apply to every citizen regardless of whether they have committed a crime. Further, because data retention laws require service providers to store information that identifies people online, they threaten anonymity online, implicating the rights to both privacy and free expression.

The CDT writes that several cybersecurity proposals to amend the ITRs refer to the routing of communications. One proposal from the Arab States regional group would amend the ITRs to specify that “A Member State has the right to know how its traffic is routed.”

According to the CDT, the proposal is justified on the grounds of security, which some Member States clearly interpret to mean national security. In its comments, Egypt argued, “… Member States must be able to know the routes used … to maintain national security. If the [Member State] does [not] have the right to know or select the route in certain circumstances (e.g. for Security reasons), then the only alternative left is to block traffic from such destinations…”

The brief explains that Internet Protocol (IP) networks transmit communications and interconnect entirely differently than traditional telephone networks; in that context the Arab States proposal to “know how traffic is routed” simply would not work and could fundamentally disrupt the operation of the Internet. If the Arab States proposal were applied to all Internet communications, the requirement that countries be able to “know” how every IP packet is routed to its destination would necessitate extensive network engineering changes, not only creating huge new costs but also threatening the performance benefits and network efficiency of the current system.

The brief goes on to explain that the Arab States proposal could also serve to legitimize governmental efforts to set up controls on Internet traffic by enshrining them in an international treaty. Changes to IP routing rules to carry out the Arab States’ cybersecurity proposal could give Member States more technical tools to block traffic to and from certain websites or nations. The regulations on routing that the Arab States proposal condones could take a variety of forms, from prohibiting certain IP addresses from being received inside a country to tracking users by IP address and blocking specific individuals from sending or receiving certain communications. “Knowledge” of IP routing could also encompass countries keeping track of what websites their citizens visit or with whom they email – all in the name of national security.

These types of regulations, which could be legitimized if the Arab States proposal is adopted, could threaten user rights to privacy and freedom of expression on the Internet.

rb-

The UN must not be allowed to expand its control over the Internet. ITU regulation will be bad for cybersecurity.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

The Connected Home

Help – My Thermostat is Calling China!

Phil Neray of Q1 Labs, an IBM (IBM) company, posted that in the recent Chinese hack of the U.S. Chamber of Commerce’s network, one attack vector was a thermostat. The thermostat at a Chamber townhouse on Capitol Hill was communicating with an Internet address in China. At the same time, a printer spontaneously started printing pages with Chinese characters (rb- I wrote about securing printers here).

The blog says that the hackers being in the network for more than a year before being detected is not unusual. He cites the 2011 Data Breach Investigations Report, which found that more than 60% of breaches remain undiscovered for months or longer (versus days or weeks).

rb-

This is one of the risks of the Internet of Things. Security in the era of IoT will have to use machines to monitor the machines.
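One way to put the author's point about machines monitoring the machines into practice, as an added example that is not from the post or from Q1 Labs: a small Python egress check that compares each inventoried device's outbound connections against the destinations it is expected to talk to, and counts the months an unexpected pair keeps recurring, which is what makes a year-long beacon from a thermostat or printer stand out. The log lines, addresses, device roles and vendor prefixes are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: source IP -> (device role, egress prefixes it is
# expected to contact). The addresses and vendor ranges are hypothetical.
INVENTORY = {
    "10.20.1.50": ("thermostat", ["203.0.113.0/24"]),  # vendor cloud only
    "10.20.1.60": ("printer", []),                      # no Internet egress expected
    "10.20.1.10": ("workstation", ["0.0.0.0/0"]),       # general-purpose host
}

# Constructed egress firewall log: timestamp src dst dst_port bytes
LOG_LINES = """\
2011-05-02T03:14:00 10.20.1.50 203.0.113.7 443 1200
2011-05-03T03:14:00 10.20.1.50 198.51.100.23 8080 980
2011-06-03T03:14:00 10.20.1.50 198.51.100.23 8080 1010
2011-09-03T03:14:00 10.20.1.50 198.51.100.23 8080 990
2011-06-03T10:02:00 10.20.1.60 198.51.100.23 9100 56000
2011-06-03T10:05:00 10.20.1.10 93.184.216.34 443 4000
""".splitlines()

def parse(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def is_expected(src, dst):
    """True if dst falls inside one of the egress prefixes allowed for src."""
    _role, allowed = INVENTORY.get(src, ("unknown", []))
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(prefix) for prefix in allowed)

def find_anomalies(lines):
    """Map each unexpected (src, dst) pair to the sorted months it was seen,
    so a persistent beacon shows up as a long list rather than a one-off."""
    seen = defaultdict(set)
    for rec in map(parse, lines):
        if rec["src"] in INVENTORY and not is_expected(rec["src"], rec["dst"]):
            seen[(rec["src"], rec["dst"])].add(rec["ts"][:7])  # YYYY-MM
    return {pair: sorted(months) for pair, months in seen.items()}

def report(lines):
    """Human-readable summary line per anomalous device/destination pair."""
    out = []
    for (src, dst), months in sorted(find_anomalies(lines).items()):
        role = INVENTORY[src][0]
        out.append(f"{role} {src} -> {dst}: unexpected egress in "
                   f"{len(months)} month(s), first seen {months[0]}")
    return out

if __name__ == "__main__":
    print("\n".join(report(LOG_LINES)))
```

Run against the constructed log, the thermostat's recurring connection to an unlisted address is reported across three months while its vendor-cloud traffic and the workstation's browsing are not.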

CIA Chief: We’ll Spy on You Through Your Dishwasher

Spencer Ackerman at Wired points out that more personal and household devices are connecting to the internet. They are now part of the Internet of Things. U.S. CIA Director General David Petraeus cannot wait to use your appliances to spy on you.

General Petraeus recently spoke about the “Internet of Things” at a summit for In-Q-Tel, the CIA’s venture capital firm. “‘Transformational’ is an overused word, but I do believe it properly applies to these technologies particularly to their effect on clandestine tradecraft” the blog recounts.

Mr. Ackerman predicts that people will be sending tagged, geolocated data that a spy agency can intercept in real-time. This will happen when they open their Sears (SHLD) Craftsman garage door with an app on an Apple (AAPL) iPhone. “Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing.” Petraeus said, “the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.”

Wired says the CIA has a lot of legal restrictions against spying on American citizens. But collecting ambient geolocation data from devices is a grayer area. This is especially true after the 2008 carve-outs to the Foreign Intelligence Surveillance Act. Hardware manufacturers, it turns out, store a trove of geolocation data, and some legislators have grown alarmed at how easy it is for the government to track you through your Apple iPhone or Sony (SNE) PlayStation.

rb-

The implications of the “Internet of Things” are profound when linked to the transformational nature of the connected home network. The CIA sees great opportunities in wired home devices. Any home gadget with RFID, sensor networks, embedded servers, or energy harvesters is ripe for interception by spy agencies.

Koubachi Wi-Fi Plant Sensor Gives Your Plant a Voice

At CeBIT 2012 in Hannover, Koubachi, the Swiss start-up company behind the popular iPhone plant care assistant, presented its newest innovation. It is called the Koubachi Wi-Fi Plant Sensor, according to ITnewsLink. Building on the success of its popular interactive plant care assistant, the sensor integrates into the Koubachi system to literally give your plant a voice.

The Wi-Fi Plant Sensor measures soil moisture, light intensity, and temperature. Using Wi-Fi, the data is sent to the Koubachi cloud. There it is analyzed by the Koubachi Plant Care Engine. The plant owner gets detailed care instructions on watering, fertilizing, misting, temperature and light through push notifications or email. “The Koubachi Wi-Fi Plant Sensor is the first device ever that enables real-time monitoring of the plant’s vitality,” says Philipp Bolliger, CEO of Koubachi. “It’s a truly unique product in the field of “Internet of Things” and bringing state-of-the-art technology to plant care.”

Smart Gadgets are Like Sleeper Cells in Your Kitchen

Manufacturers are “future-proofing” their appliances with “Internet of Things” capabilities that are latent for now. Christopher Mims at MIT’s Technology Review asserts that major appliances bought in the last three years probably contain a Zigbee-capable wireless radio. The radio can send out information about a device’s status and energy use and receive commands that alter its behavior.

Many appliance makers don’t announce these capabilities. Mr. Mims interviewed Mike Beyerle, an engineer at GE (GE), about GE’s Nucleus home energy management system. “We want to build up a base before we make a big deal out of it,” says Mr. Beyerle.

The author says that manufacturers aren’t telling consumers what their devices are capable of. They are reluctant to do so in part because the abilities are useless without an energy management hub like GE’s Nucleus or a utility company’s smart meter. In both cases, smart appliances must be “bound” to a hub to communicate with the outside world.

Once a device is hooked up to an energy management system and becomes part of the IoT, it gets interesting. Mr. Mims says that users who sign up for a “demand response” program with their utility to get a lower bill enable the utility to control their appliances. For example, a refrigerator icemaker’s defrost cycle or the elements in a clothes dryer can be manipulated to drive down power use during times of peak demand.

rb-

Most people do not realize that installing a new smart meter can activate a technological sleeper cell in their HDTV, kitchen, or laundry room. All of these “smart” devices will be part of the “Internet of Things.” They will have an IP address (probably an IPv6 address) and will broadcast via a Zigbee wireless network. This is why the CIA says it can spy on people through their dishwasher.

Connected Kitchen

Engadget says the Samsung RF3289 fridge is designed to let users access Pandora or tweet while grabbing a snack. Samsung touts it as the first to feature integrated Wi-Fi. The Wi-Fi also offers the ability to view Google calendars, check the weather, download recipes from Epicurious, or leave digital notes.

Engadget also reports that LG’s Thinq line of connected appliances includes a vacuum, oven, refrigerator, and washer/dryer. They support Wi-Fi and ZigBee to communicate with each other, the smart meter, smartphones, and tablets. That’s a pretty strong foundation to build the Internet of Things on, especially if the home is already equipped with ZigBee devices. CNET says the line can be troubleshot remotely; tech support can log in to the device, see what’s wrong, and fix it. Kenmore has a similar product line.


Internet Kill Switch in Place

There is a great hubbub in the blogosphere about the new “Internet Kill Switch.” If one reads the Protecting Cyberspace as a National Asset Act of 2010 (S. 3480), which the Senate Homeland Security and Governmental Affairs Committee unanimously approved, it says in part:

If the President determines there is a credible threat to exploit cyber vulnerabilities of the covered critical infrastructure, the President may declare a national cyber emergency, with notification to Congress and owners and operators of affected covered critical infrastructure. The notification must include the nature of the threat, the reason existing security measures are deficient, and the proposed emergency measures needed to address the threat. If the President exercises this authority, the Director of the NCCC will issue emergency measures necessary to preserve the reliable operation of covered critical infrastructure. Any emergency measures issued under this section will expire after 30 days unless the Director of the NCCC or the President affirms in writing that the threat still exists or the measures are still needed.

Sponsor of the proposed Act, Senator Joe Lieberman (I-CT), recently told CNN’s Candy Crowley, when asked whether the proposed Act was an “Internet Kill Switch”:

“… total misinformation … We need the capacity for the president to say, Internet service provider, we’ve got to disconnect the American Internet from all traffic coming in from another foreign country … This is a matter of national security. A cyber attack on America can do as much or more damage today by incapacitating our banks, our communications, our finance, our transportation, as a conventional war attack. So I say to my friends on the Internet, relax… take a look at the bill. And this is something that we need to protect our country.”

Lieberman goes on to say that the U.S. should do this because China does: “Right now, China, the government, can disconnect parts of its Internet in a case of war. We need to have that here, too.”

If one takes a closer look at the existing laws, the President already has a kill switch. Section 706 of The Communications Act of 1934 (last amended in 1996) says in part,

Upon proclamation by the President that there exists a state or threat of war involving the United States, the President, if he deems it necessary in the interest of the national security … may designate, (1) suspend or amend the rules and regulations applicable to any or all facilities or stations for wire communication within the jurisdiction of the United States as prescribed by the Commission, (2) cause the closing of any facility or station for wire communication and the removal therefrom of its apparatus and equipment, or (3) authorize the use or control of any such facility or station and its apparatus and equipment by any department of the Government under such regulations as he may prescribe, upon just compensation to the owners. (emphasis added)

Big tech firms support the proposed “Internet Kill Switch.” McAfee’s vice president for government relations called the Lieberman Bill a “very important piece of legislation.” Big tech firms get several benefits for their support of the bill, which has language that will give them immunity from civil lawsuits and also reimburse them for any costs incurred if the Internet is shut down for a time. The legislation provides tech firms with new protections for their poor business practices. If a software company’s programming error costs customers billions, or a broadband provider intentionally cuts off its customers in response to a federal command, neither would be liable according to the bill.

Declan McCullagh at CNET writes that if there’s an “incident related to a cyber vulnerability” after the President has declared an emergency and the affected company has followed federal standards, plaintiffs’ lawyers cannot collect damages for economic harm. And if the harm is caused by an emergency order from the Feds, not only does the possibility of damages virtually disappear but the U.S. will even bail out the firms.

Rep. Jane Harman (D-CA) has introduced a House version of the bill, H.R. 5548, but it has not yet passed the committee.

rb-

There does not seem to be any language in the Lieberman bill to retract the kill switch in the Telecom Act, so Lieberman is right that his bill does not include a “kill switch” because one has been in place for over 75 years. This is just another example of Washington’s double-talk.
