Security


Zooming out for the whole image of cybersecurity

This year, consumers have felt the danger of security breaches. Traditionally, we’ve seen attacks on companies that process, receive, or allow payments – from consumer merchants to financial institutions. In the past twelve months, we’ve seen revelations about dangers rooted in hardware design complexity (Meltdown and Spectre) along with one of the largest exposures of behavioral data to date (Exactis). With the growing depth of attacks, what is the bigger picture we’re seeing in the cyber world? With this question in mind, we interviewed Milena Rodban about cybersecurity in the context of geopolitics, design complexity and the business decisions that increase risk, to help us see the bigger picture behind the cyber attacks we’re witnessing.

About

Milena Rodban is a geopolitical risk consultant and interactive simulation designer. She advises private firms, with a particular emphasis on tech companies, to help them successfully navigate complex business and security environments. Milena designs and facilitates interactive simulations that are customized to allow clients to diagnose problems, analyze major decisions, and integrate more effective communication, collaboration, and crisis response protocols. Ms. Rodban received her MA in Security Studies at the School of Foreign Service at Georgetown University.

Discussion

In the context of the United States and geopolitical risks in the cyber world, who do you see as our major challenges? How do you think we’re currently handling these challenges?

Put simply, the major challenge is complexity and the large numbers of actors looking to target our vulnerabilities, from state sponsored hackers, to intelligence agencies, criminals, and terrorists. We’re spending record sums on cybersecurity, but the breaches are still stunning. With each new development, even convenient ones like streamlined and simplified log-in APIs, we’re adding extra complexity to the situations we face in cyber space, and increasing the likelihood that a breach will have far-reaching and catastrophic consequences. Each new device adds new points of vulnerability, new ways to collect private information, and new ways for bad actors to hijack poorly secured devices to wreak havoc.

Furthermore, we are not prioritizing the need to understand likely immediate consequences, not to mention second and third order externalities. Some things that seem like they make our lives easier or simpler demand tremendous sacrifices in terms of privacy, security, and vulnerability. Tech companies need to be able to collect and sell data in order to be able to offer platforms or services to users for free, so it’s a stretch to imagine that you can have fully ethical firms that don’t charge high fees to make up for not being able to profit off data. The reason an ancestry kit is a bargain is because they then sell your data (anonymized, they claim) to drug companies to make new medicine. Either we pay a premium to keep our data safe or we acknowledge “free” isn’t really free- you and your data are the product.

Additionally, the rapid speed with which we update systems, unevenly adopt new tech, and specifically security measures, along with rampant tech illiteracy leave little time for people to consider the potential interactions and nefarious uses for the innumerable gadgets that we use on a daily basis. Look at the way wearable fitness trackers uncovered secret military bases- to me, as someone who works on helping clients explore their potential vulnerabilities and the actors likely to target them, the connection seems obvious. To the average person who wants to stay in shape in a stressful job, it may not be immediately obvious. The most important challenge is that most tech firms still do not appreciate the extent to which they are vulnerable to geopolitical developments and how they actively raise their exposure. There is someone, somewhere, looking to use every development for unintended or nefarious purposes- whether criminal, activist, terrorist, or state-sponsored hacker.

To the point on spending record sums but the breaches are getting worse – why aren’t we getting better results if we’re spending more money on cybersecurity?

Many of the things we’re spending money on are efforts to bypass humans – password generators, consultants, ways to automate cybersecurity so that we work around humans, because these are easier to find, buy, and implement. Yet the most successful breaches are ones that focus on bypassing those automations. For example, CEO fraud – sophisticated phishing attempts – has snared even sophisticated executives. Social engineering and physical penetration of facilities are also very effective. Personnel see someone with an ID card that looks right, and automate their thinking – letting them through instead of giving it some thought and really determining if someone belongs there. We need everyone to play an active role in cybersecurity, not abdicate responsibility to programs that promise to protect us and our data.

Some companies store data on their customers from private to behavioral data, but don’t see how there are any geopolitical risks involved with these data. Why is this assumption incorrect?

As we see with fitness data, and genetic (such as ancestry) testing data used or sold to for-profit firms or shared with law enforcement, any information – that can be obtained and stored – will be used. It will be sold to advertisers. Third party researchers might gain access. It’ll be used to raise the price of your life insurance premiums. Intelligence agencies will target health insurers used by government employees. If your device can be adapted by activists or terrorists to avoid law enforcement, it will be. There are companies that honestly believe the advanced communications tech they sell to mountain climbers to better stay in touch and practice safe climbing can’t be used by anyone else. They think criminals who want to communicate in remote areas with poor infrastructure or terrorists operating in rural areas won’t use them simply because the makers only market their products in mountain climbing magazines. These naive attitudes need to evolve. We – both in the tech community and the public at large – know the basics of what we need to anticipate, and recognize at least some of the dangers of using poorly secured devices that can be hijacked or poorly secured systems where data can be stolen with ransomware. We’ve all seen major cities and hospitals hit with ransomware attacks, and how internet-connected devices can be drafted into a malicious botnet.

Some developers have advised the approach of “move quickly and break things” – which may work safely in some development contexts if security isn’t important. In environments where cybersecurity is a very high concern, what do you think is a superior approach to development and why?

We can create controlled environments to experiment with things before they are launched in the real world. Then, many companies also launch in a small market, before expanding to major markets. These are good ways to work out the kinks, but there should be more emphasis on the security pieces alongside the fancy new features. Security is largely seen as limiting rather than empowering. Many people don’t realize that for many devices to work, they need a wealth of data. This is why tech firms don’t want opt-in data collection measures – they want to collect by default and let some people opt out if desired, though most don’t even know that’s an option. By choosing to keep data from a device or platform, the user experience changes substantially, rendering some features null.

We need to treat everything that captures and stores sensitive data like they are baby products. People want to know that baby products are made with good ingredients, tested extensively, and safe to use. No product can be released without meeting certain tough requirements. And many companies even compete to surpass those basic criteria to meet even higher standards, believing this to be good for both babies and bottom lines, as demanding parents choose higher quality goods over basic options. With tech, the security and safety aspect is often advertised far less than splashy redesigns, sleek hardware, or cutesy features like Apple’s Memoji. The tech community must realize that they are on the front lines of securing users, who like babies, are often much less tech literate and lazy in terms of sticking to best practices. We need to acknowledge limitations and create ways for users to get more educated about how secure new tech is, and how users are becoming exposed to potential attacks and data breaches by using bad tech. We’ve known for years that Chinese firms must help Chinese intelligence agencies, and so all Chinese-made tech has backdoors and data goes to Chinese intel. It’s stunning that we had to wait many years for the US government to ban the use of Chinese-made phones from Huawei and ZTE by government employees and contractors. This was an open secret: how much was compromised before the US government came to its senses?

For the few individuals who may value security over convenience (very rare at the moment), do you think it may be possible to convince companies to offer a choice?

For-profit companies don’t often voluntarily choose to give people choices that will drive them away from their business. This is where we need the government to come in and introduce smart regulations to protect consumers, privacy, data, etc. We’ve seen some popular efforts (like net neutrality) get overturned in the name of freedom, and we’ve seen some truly mind-boggling regulations introduced, like the EU’s GDPR, which is at best a knee-jerk reaction to address fringe problems with expansive, expensive, and likely ineffective compliance regimes. We need more tech literate legislators, and tech literate voters who can bring them to power, so we can protect users without stifling innovation.

I’ve met people who want to transition all we do into the digital world. From IoT devices to money, they envision a world where everything we do is tied to the digital world. Given your understanding of geopolitical risks, do you think this is a wise path to follow for our future – assuming it’s possible?

We already have many separate digital worlds, and we’ve seen the problems they cause, so we know a bit of what to expect as our lives get increasingly more digital. It is because of them, their poor protections and uneven security, that we’ve seen recent crackdowns on the digital realm, from GDPR in the EU, to a recent ruling about Aadhaar, India’s massive biometric identity verification system. In China, every interaction, from a credit card swipe at a lingerie store to a message sent on Weibo, is used to calculate a person’s loyalty score, affecting their job prospects, chances of getting a loan, etc. As the digital world keeps encroaching on daily life, we’ve seen efforts to push back. In terms of GDPR, a largely tech-illiterate legislature passed sweeping measures that don’t reflect the reality of what protections are needed, what punitive actions are possible, and what is technically possible to do. If tech wants to prevent more such measures, which impose tremendous compliance costs on tech firms without actually making user privacy a priority, then they need to educate the voters who decide elections, and they need to educate the people who make the laws. The entire world won’t go digital at once, if ever. Just as industrialization did not happen overnight everywhere, so too will efforts to transition to a digital world come in fits and starts – and many will work to combat its pervasiveness and limit its reach in terms of the way that it can be turned against private citizens – something we’ve already seen it used for in places like Xinjiang, China.

What is something that you believe that no one, or few people, agree with you on?

  1. I firmly believe in immersive and experiential learning. People learn best by doing, not by being lectured or punished, or given an employee handbook to (hopefully) read. To tackle many of these issues related to geopolitical risk, I believe that interactive simulations are the best tool. They can give people from across the company hierarchy a way to experience how they are affected by these issues, and show them how their actions can alleviate or exacerbate them. Many people argue that simulations take too long, and are too expensive, and they don’t have time for them. I tell these people that budgets for proactive measures are always small, and timelines tight, but after a crisis, companies pay vast sums and feel the consequences for a long time. Simulations do not have to be complex or expensive, and good designers can create them in under 3 weeks. As investors/shareholders/VCs start to do better due diligence, pushing companies to avoid paying vast sums to ransom back their stolen and locked data, they’ll want to see more companies be proactive. Now is the time to stop pushing back and embrace the simulation model as a way to fix protocols and procedures now, and avoid major crises later.
  2. For companies to successfully navigate the geopolitical flux, every person at a company needs to see their role through the geopolitical lens, or at the very least in a broader sense. If only the risk manager sees her role that way, or only the chief security officer, the company will not be successful. A small change in a line of code can have vast implications – whether it creates a vulnerability through which data can be stolen, or it allows a company to collect data that’s lucrative for hackers or intelligence agencies to steal. More money is spent on cybersecurity than ever before, yet breaches are also bigger and broader. What we’re doing now isn’t working. We need to work around human laziness, budgetary constraints, and many other challenges; there is much more we can do to make security a priority.

Permissions Granted

Permission to re-post the interview granted to Maixin Research

Large companies want more user information.

Reports in some media outlets have asserted that Facebook and Google have sought access to (or obtained) users’ banking data. Through research and discussion with people familiar with these attempts, we have learned some details of the underlying requests that the media articles may not fully disclose. In general, banks want to increase their profits, so they will eventually agree to such requests if they expect to profit from them. Financial institutions such as PayPal and Venmo, as well as major banks, have been approached, and this has not been limited to US firms.

Social media organizations and other major tech companies have also been working to obtain more information about users. In most cases, users hand over their own information without being asked. We have found a few situations in which major tech companies actively pursued additional information on users. Behavioral data has already been exposed at scale (see Why People Are Freaking Out About the Exactis Breach).

Financial information is in some cases used to verify identity. If Google, Facebook and other tech companies gain (or are granted) this type of access, those companies will hold yet more identity-verifying information about their users, and a breach of that data exposes the very information other services rely on to confirm who you are.

All social media services are optional. The same is true of other tech companies that provide resources such as search engines – all of which offer many routes to collect data. While users express outrage from time to time, the same users refuse to stop using the services. We predict that many attacks will be built on these data and that the sophistication of those attacks will increase.

As a reminder to readers, FinTek Development has no social media presence. Anyone using our company name or claiming to be us on social media is an impostor. For security reasons, we refuse all social media. Our media department does work with select media outlets. Reuters source.

Rising trend in SIM-swapping.

Several years ago, one of our top security researchers spoke with three individuals deep in the cybersecurity community. Our researcher had noticed a dangerous trend of SIM-swapping that was under most people’s radar, and the discussion confirmed this: none of these experts had seen it. We immediately began working on the problem, as we predicted it would become common.

Years later, we’re seeing major growth in this form of compromising a person’s private security, as we predicted at the time. SIM-swapping caught many people off guard, and its effects are incredibly costly. These compromises will only grow, and some countries have passed laws that favor attackers by making it easy to move a subscriber’s number to a new SIM. First, let’s look at what a SIM-swap is.

What Is SIM-Swapping?

A phone number is not tied to a physical handset. It is tied to the subscriber identity module (SIM), the small card (or embedded chip) that authenticates the device to the carrier’s mobile network. Carriers let customers move a number to a new SIM, for example when a phone is lost or replaced. In a SIM-swap, an attacker abuses that process. Using information gathered about the target (from exposures like Exactis, social media, or phishing), he convinces the carrier’s support staff to activate the target’s number on a SIM he controls. The number now belongs to him: every text message and call, including SMS one-time codes and account-recovery links, goes to the attacker’s device. The original owner still holds the physical phone, but it drops off the network, and the number and everything keyed to it are no longer theirs.

Hackers know that the way phones are used, as the second factor and account-recovery channel for email and financial accounts, makes SIM-swapping a valuable technique. We also correctly predicted that SIM-swapping is rarely the end goal: as with the Exactis breach, the number is a stepping stone to further compromise, with behavioral data and identity validations as the targets. We continue to predict that SIM-swapping will grow.

Why Is It Growing?

In general, people do not factor security into their behavior, from social media to cell phone use. Also, as we learned in discussions with experts in the cybersecurity community, many did not see this trend when it began. Because there were few cases and those cases were misunderstood, attackers were free to refine their techniques while experts focused on other problems. We now see the results: SIM-swapping has continued to grow, and attackers have learned techniques that let them take over a number even faster.

Prevention Is Cheaper Than Cure

In one of the worst SIM-swapping cases we know of, over 1.1 million USD was taken before the victim could stop the attacker from draining more. He could not recover the funds in any way and received no support from his financial institution, as he had relied on questionable security practices. Most people do the same and think nothing of it until something horrendous happens.

People should take steps to prevent SIM-swapping and must weigh the possible cost of this breach along with other related ones. As we warn, SIM-swapping is only one tool in the attacker’s kit for taking over a person’s accounts, and people must guard against it alongside the compromises it enables: ask the carrier for a port-out PIN or account lock, and move account recovery and second factors off SMS wherever possible. We predict continued growth in SIM-swapping and further surprise as people learn how exposed their mobile phones are.
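The pattern described above (a number moves to a new SIM, and minutes later an SMS code authorises a password reset) is detectable on the service side if SIM-change signals are available. The following is an added example, not code from the original post: it correlates constructed carrier SIM-change events with SMS one-time-code successes for the same number. The log format, field names and the 24-hour window are assumptions for illustration; carriers and identity providers expose these events in their own formats, and only the correlation matters.

```python
"""Added example (not from the original post): flag SMS one-time-code successes
that follow a recent SIM change on the same phone number.

The log format, field names and the 24-hour window are ASSUMED for
illustration. Carriers expose SIM-change events (and most identity providers
log OTP verifications) in their own formats; only the correlation matters.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Two event kinds, both keyed by phone number (msisdn):
#   sim_change  - the carrier activated a new SIM (ICCID) for the number
#   sms_otp_ok  - our service accepted an SMS one-time code sent to that number
SAMPLE_LOG = """\
2023-05-01T09:58:10Z sim_change msisdn=+15550100 new_iccid=8901000000000000001
2023-05-01T10:03:42Z sms_otp_ok msisdn=+15550100 user=alice action=password_reset
2023-05-01T11:15:00Z sms_otp_ok msisdn=+15550199 user=bob action=login
2023-05-02T08:00:00Z sim_change msisdn=+15550199 new_iccid=8901000000000000002
2023-05-03T08:30:00Z sms_otp_ok msisdn=+15550199 user=bob action=login
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse_log(text: str) -> list:
    """Parse 'timestamp kind key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, fields))
    return events


def find_sim_swap_risks(events: list, window_hours: float = 24) -> list:
    """Return (user, action, minutes_since_sim_change) for every SMS-OTP success
    that happened within `window_hours` after a SIM change on the same number.

    A password reset or login authorised by SMS minutes after the number moved
    to a new SIM is the classic SIM-swap footprint: the code was delivered, but
    not to the account owner. Such events should require a non-SMS factor or
    manual review instead of being accepted.
    """
    window = timedelta(hours=window_hours)
    last_change = {}  # msisdn -> time of the most recent SIM change
    risks = []
    for ev in sorted(events, key=lambda e: e.ts):
        number = ev.fields.get("msisdn")
        if ev.kind == "sim_change":
            last_change[number] = ev.ts
        elif ev.kind == "sms_otp_ok" and number in last_change:
            age = ev.ts - last_change[number]
            if age <= window:
                risks.append((ev.fields["user"], ev.fields["action"],
                              int(age.total_seconds() // 60)))
    return risks


if __name__ == "__main__":
    for user, action, minutes in find_sim_swap_risks(parse_log(SAMPLE_LOG)):
        print(f"REVIEW: {action} for {user} accepted {minutes} min after SIM change")
```

With the sample data, alice’s password reset is flagged (accepted five minutes after her number moved to a new SIM) while bob’s login a day and a half after his SIM change is not. The window is a policy choice: a shorter window misses patient attackers, a longer one creates noise from legitimate phone replacements, which is why the flagged events should trigger step-up authentication rather than a hard block.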

Can we trust tech companies?

As if consumers needed more reasons to distrust tech firms in the United States, firms reacted slowly to various breaches and newly discovered vulnerabilities this year. Two of the worst security issues of the year were Meltdown and Spectre, hardware design flaws that had existed in shipping processors for well over five years. According to Reuters, Intel did not notify US government security agencies before the flaws became public. If that is true, the exposure affecting companies and agencies may go deeper than we believe. In a similar manner, many firms have paid little attention to DHS warnings about mobile platforms.

In two recent examples, security was not a top concern for the year even though both companies’ businesses involved high-level security. Both focused their energy on expanding business ideas that would require additional security measures, yet those measures were overlooked. When we looked into other firms where this applies, employees involved in security confirmed the same pattern: growth and expansion pulled focus away from security. Between companies not informing the appropriate officials when flaws are discovered and firms not accurately assessing the risk revealed by security research, will the public continue to trust tech companies?

Reuters source.

Did China compromise the physical security of electronic equipment?

We use “China” in the following article to refer to the People’s Republic of China.

As China demonstrated in a conflict with Japan a few years back, China puts its own interests first, and this should surprise no one. A recent Bloomberg article describes a hardware implant allegedly inserted into server hardware used by some companies in the United States. The implant was said to allow data to be transmitted out, undermining the physical security of the equipment. We have a few contrarian thoughts on this.

China has risen to being the world power at this time. China will not differ from past world powers, such as the United States, England, Spain, etc., in placing its interests above others’. Most countries do this anyway, provided they are in a position to do so. We are not surprised that China would seek to undermine hardware if it had the chance. As countries move more information into the digital realm, the country with the most dominant authority in the digital world has the most power. A country that can monitor digital systems, or possibly compromise them, has enormous power over friends and enemies alike, as long as both buy its equipment. China’s lead in 3D printing and artificial intelligence indicates that China has an edge over all other countries. Some of this lead is due to an innovative mindset that encourages rapid growth, in contrast to a bureaucratic mindset that encumbers innovation. Some of it may be due to intellectual property theft (though in the case of 3D printing, China has always had insight into what people wanted, giving it an edge). Remember that China has been the world leader in production through manufacturing. Everyone wanted cheap goods, which gave China a major edge over the people who depended on it.

China has used and will continue to use its production to weaken competitors or threats. China proved this with Japan. When Japan and China clashed over disputed islands in the East China Sea, China cut off Japan from rare earth elements. Because China has a near monopoly in this area (and the United States, Germany and Russia have done nothing to stop it), Japan suffered severe consequences. Japan also learned that the United States was not as close an ally as it thought, as the United States let China hurt Japan without consequences. The bigger lesson here is that China will attack a country by using its dominant production position. To this day, the United States, Russia and Germany have done nothing about this, and they are in no position to compete with China on rare earths. It would take decades for any country to build a supply chain to rival the one China has developed.

What we find fascinating about the reaction to this story is that many of the people reacting negatively to it hold that monopolies are dangerous in business, yet they seem unaware of how many production monopolies China holds. We respect China’s desire to produce, but one country producing for the entire world without competition puts everyone in a bad position. Why doesn’t Germany compete? Why doesn’t the United States compete? Why doesn’t Russia compete? Without competition, we should not be surprised when countries cross boundaries simply because they can. Competition keeps producers honest. The desire for low-wage labor has put many people in a position that is not sustainable or safe for anyone in the long run.

On a cybersecurity note, any backdoor that transmits data can be discovered and reused by other attackers, amplifying the problem. Even if we understand why China might want such a capability against a target, it introduces unintended consequences. The property that makes an implant useful also makes it detectable: it has to move data off the machine, so a server or management controller that starts talking to hosts it has no business with is the signal to watch for.
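Because an implant of the kind the Bloomberg story describes still needs a network path out, the cheapest control most organisations have is egress monitoring on the management network, where the set of legitimate peers is small and known. The block below is an added example (not code from the original article or from the Bloomberg report): it checks constructed NetFlow-style records from a hypothetical management VLAN against an allowlist of destinations and ports. The addresses, the allowlist and the record format are assumptions for illustration.

```python
"""Added example (not from the original article or the Bloomberg report): a
minimal egress check for server management interfaces.

Flow-record format, addresses and the allowlist are ASSUMED for illustration.
An implant on a server's management controller still has to move data out over
the network. Management interfaces normally talk only to a small, known set of
hosts, so any other destination or port is worth an alert.
"""
import ipaddress

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")      # assumed BMC/management VLAN
ALLOWED_DST = {                                      # assumed legitimate peers
    ipaddress.ip_address("10.20.0.1"),               # jump host
    ipaddress.ip_address("10.20.0.5"),               # monitoring collector
}
ALLOWED_PORTS = {22, 443, 161}                       # ssh, https (Redfish/IPMI web UI), snmp

# Constructed NetFlow-style records: "src dst dport bytes", one flow per line.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# arbitrary Internet hosts.
SAMPLE_FLOWS = """\
10.20.0.17 10.20.0.5 443 5120
10.20.0.17 10.20.0.1 22 980
10.20.0.23 203.0.113.9 53 310
10.20.0.23 198.51.100.40 443 2048000
10.30.0.4 198.51.100.40 443 1000
"""


def parse_flows(text: str) -> list:
    """Parse flow lines into (src, dst, dport, bytes) tuples with real address objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(dport), int(nbytes)))
    return flows


def suspicious_mgmt_egress(flows: list) -> list:
    """Return (src, dst, dport, bytes) for every flow that leaves the management
    network toward a destination/port pair that is not explicitly allowlisted.

    Both the destination and the port must match: an allowed peer on an
    unexpected port is just as interesting as an unknown peer.
    """
    alerts = []
    for src, dst, dport, nbytes in flows:
        if src not in MGMT_NET:
            continue                      # not a management interface; out of scope here
        if dst in ALLOWED_DST and dport in ALLOWED_PORTS:
            continue                      # expected traffic
        alerts.append((str(src), str(dst), dport, nbytes))
    return alerts


if __name__ == "__main__":
    for src, dst, dport, nbytes in suspicious_mgmt_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT: {src} -> {dst}:{dport} ({nbytes} bytes) from management network")
```

In the sample, host 10.20.0.23 produces two alerts: a DNS query to an outside resolver and a two-megabyte HTTPS transfer to an Internet address, neither of which a management controller should be doing. The 10.30.0.4 flow is ignored because it is not on the management network; a production rule would cover every network segment with its own allowlist, and the DNS case is worth a dedicated rule since DNS is a common exfiltration channel.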

China Has Already Warned of This Threat

One bit of humor in all of this is that China has warned it would use its productive position to undermine its enemies and future threats. PLA general Qiao Liang even hinted at this several times in a speech:

The Americans came up with a solution: issuing debt to bring the dollar back to the U.S. The Americans started to play a game of printing money with one hand and borrowing money with the other hand. Printing money can make money. Borrowing money can also make money. This financial economy (using money to make money) is much easier than the real (industry-based) economy. Why will it bother with manufacturing industries that have only low value-adding capabilities? […] Since August 15, 1971, the U.S. has gradually stopped its real economy and moved into a virtual economy. It has become an “empty” economy state. Today’s U.S. Gross Domestic Product (GDP) has reached US$18 trillion, but only $5 trillion is from the real economy.

But Liang understands something Americans don’t, hinted at here: just as a virtual machine still requires hardware, a virtual economy still requires physical production, and that physical production becomes a source of attack. He’s right that Americans were quick to send all the “hard-work” jobs to China, but in doing so, Americans became dependent on China.

Liang fundamentally knows that Americans won’t suddenly value these “hard work” jobs, giving China an edge. In addition, it would take decades for the United States to build the supply lines China has. A country doesn’t suddenly mine rare earths or produce hardware in a week or a year. Physical production costs money; that was the very reason the United States outsourced it to others! Liang knows this and grasps that China has already check-mated the United States (China is the world power, not the United States). Liang ends his speech with this prediction, which Americans ignored when he made it and continue to ignore to this day:

I talked about this issue last year at the Global Times annual meeting. I said that America chose a wrong opponent when it chose China as its opponent and pressured China. The real threat to the U.S. in the future is not China, but rather the U.S. itself. The U.S. will bury itself. That’s because it has not yet realized that a big era is coming and the financial capitalism that the U.S. represents will reach its peak and then start falling. On the one hand, the U.S. has already taken full advantage of benefits that capital generates. On the other hand, via the technological innovation that the U.S. leads, the U.S. pushes the Internet, big data, and cloud computing to an extreme. These tools will eventually become the forces that end financial capitalism.

Americans became dependent on the very technology that destroyed them because they refused to be producers.

Japan, Germany and Russia should take heed. Production is the highest calling in life. Without production, you must rely on someone. If you rely on an enemy (and consider that China and the United States have never been friends), why be surprised when your enemy attacks? A country must put its own security and interests first; otherwise, what has happened should be expected. If you think China’s capabilities are limited to tech companies, think again: US weapons are vulnerable to Chinese attacks as well. The United States has been defeated by a country it used for cheap labor, without realizing that that country (China) became the leading producer and could use its production to undermine it.

Russia Gets the Bigger Picture

After the Bangladesh Bank hack, which cost a central bank tens of millions of dollars, security professionals immediately began discussing the idea of a state-sponsored attack. This completely missed the bigger picture. If a central bank can be hacked and have money stolen, what security does anyone have? Does it matter who was behind it when the attack shows that no digital money is secure?

Since 2014, Russia has been accumulating physical gold at a rapid pace, almost doubling its gold reserves since then and with no indication that it will stop. At the height of the Soviet Union’s power, it held less than 2,800 metric tonnes of gold. Russia today holds over 2,000 metric tonnes, so Russia is closing in on the Soviet record. We’ve seen numerous articles implying that this action is an attack on the US Dollar and the Western financial system. That may not be the only reason, especially when we consider when Russia started accumulating gold. Russia knows that gold cannot be hacked. Gold is immune to digital dangers. Gold is independent of your software, your hardware, and the complexity of all the moving pieces. Every other alternative, from paper to digital money, depends on digital systems.

Russia sees gold as the ultimate form of insurance. It may serve purposes of helping Russia gain independence, and when we consider cybersecurity, we see another reason Russia wants physical gold. This is important because people often miss the full reasons behind an action. As we continue warning people (and being validated by story after story), nothing digital will ever be secure. Think about that with your information and your money – if you are at the mercy of the digital world because you have nothing physical, you’re headed for a disaster. This will become more obvious in time.

China, like Russia, has been accumulating physical resources at a rapid pace since 2015. While China has other reasons, cybersecurity may be part of this as well. “You take the paper and digital and we’ll take the physical,” they seem to be saying. Given what we know about Chinese tactics from Qiao Liang, these actions insure both countries.

Danger of Breach

When a story of this magnitude drops, we find the reaction revealing. If a world power behaves like a world power, we do not find this surprising. China is the world power, and like other world powers throughout history, it will enforce its power on other countries. This does not mean Bloomberg’s story is correct, only that it would not surprise us if it were.

What almost no one is talking about is a far greater concern. This story illustrates one of our major points: no matter how secure your software is, it does not matter if the hardware beneath it is not. Hardware is a major piece of security, yet most companies know little about their hardware. Even if someone thinks they have software and hardware covered, the combination invites the nightmare complexity theorists warn us about: too many moving pieces we don’t fully understand, which open us to attack. Remember our discussion of Spectre and Meltdown? Those were hardware flaws that would have allowed many attacks. No matter how many people in the open source community worked on securing software, these went undetected for years:

To say these are among the most dangerous flaws in tech history is an understatement. Not only did they exist for years without anyone catching them (and we’re not sure whether advanced attackers did), consumers and businesses were deploying security solutions on top of processors in which the flaw lurked. This also raises concerns about the open source community: people assume that someone else is investigating problems, but is there any evidence of that? These flaws show the danger of the security community’s diffusion of responsibility around open source tools – “everyone else is looking at the problem.”
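For Meltdown and Spectre specifically (discussed here and in the "Can we trust tech companies?" piece above), a practitioner’s first question is not whether the flaw exists in a given processor but whether the kernel on that machine knows about it and has a mitigation enabled. The block below is an added example, not code from the original article: it reads the Linux kernel’s own per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (a real kernel interface) and classifies them. The SAMPLE snapshot is constructed so the logic can run offline; the status strings follow the kernel’s "Not affected" / "Mitigation: ..." / "Vulnerable..." conventions.

```python
"""Added example (not from the original article): read the Linux kernel's own
report of speculative-execution flaws and their mitigation status.

/sys/devices/system/cpu/vulnerabilities/ is a real kernel interface: one file
per known issue (meltdown, spectre_v1, spectre_v2, l1tf, mds, ...), each holding
a one-line status. The SAMPLE dict below is a constructed snapshot so the
classification logic can run offline; it was not captured from a real machine.
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed snapshot of a partially mitigated host (assumed values).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "l1tf": "Not affected",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}


def classify(status: str) -> str:
    """Map a kernel status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'.

    The kernel prefixes every line with one of these three words; anything else
    (an empty file, a future wording) is reported as unknown rather than guessed.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(path: str = VULN_DIR) -> dict:
    """Return {issue: status} from the running kernel, or {} where the interface
    is absent (pre-2018 kernel, non-Linux host, or a container without sysfs)."""
    try:
        names = os.listdir(path)
    except OSError:
        return {}
    report = {}
    for name in names:
        with open(os.path.join(path, name)) as f:
            report[name] = f.read().strip()
    return report


def unmitigated(report: dict) -> list:
    """Issues the kernel knows about but has not mitigated, sorted by name."""
    return sorted(name for name, status in report.items()
                  if classify(status) == "vulnerable")


if __name__ == "__main__":
    live = read_sysfs() or SAMPLE          # fall back to the constructed snapshot
    for issue, status in sorted(live.items()):
        print(f"{issue:<12} {classify(status):<13} {status}")
    print("unmitigated:", unmitigated(live))
```

On the sample snapshot this reports spectre_v2 and mds as unmitigated (the mds line says a mitigation was attempted but the microcode is missing, which the kernel still counts as vulnerable). The caveat is the point of the surrounding section: these files describe only what the kernel has been taught about. An empty directory on an old kernel, an "unknown" result, or a flaw that has not yet been disclosed all look the same from here, and a hardware implant of the kind the Bloomberg story describes would not appear at all.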

One dirty secret of software developers is that they know little to nothing about hardware. They often make assertions about security (“no one can hack it”), yet they’re only discussing software. Even if their assertions about the software are correct (unlikely), if the hardware is compromised, the strength of the software is irrelevant.

Source

Bloomberg story. Apple, Amazon and Chinese authorities deny the story is true. Because these companies operate in China as well as the United States, we fully expected them to deny it. Multi-national companies cease to exist when the countries they serve enter a conflict.

It is worth mentioning that in 2014, the FBI director said, “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”