Monday, March 31, 2025

Signal Gate

 I find that if one Googles SECOPS the "meaning" includes information technology.  I confess that in my course of information security management at the Naval Postgraduate School to O-3s and O-4s I did teach SECOPS.  However, the concept dates from when the only information technologies of interest were paper, telegraphy, telephone, and radio, long before we had invented the term "information technology."

In the first armed conflict of my life, known colloquially as WWII, we taught "Loose lips sink ships."  One does not repeat many things that one learns in the course of one's job.  

We taught not media but content.  What information did we want to keep secret; media was hardly even thought of.  Even  as I taught it, it was about what those who were to carry out the "operation" had to know about it and the potential for them to leak it.  At the O-4 level, it hardly occurred to us that the Secretary of Defense and his peers and colleagues were part of the operation and a potential source of a leak.

The association with IT deals with the porous nature of IT and the potential for adversaries to learn the content from our leaky media.  

Let us start from the non-IT meaning of SECOPS: any information about a military operation is born classified as SECRET, regardless of whether or not it is ever recorded or shared.  At the "operational" level, O-3 and O-4, your life may depend upon the continued secrecy of what you must know to carry out your mission.  Therefore, such information is born SECRET; one must share that information, by whatever means, only on a "need to know" basis.  Said another way, if the sharing is not essential to the success of the mission, then do not share.

Add modern recording and sharing technology to the equation; just think "chat" in its many forms.  Many implementations of chat, including iMessage, Signal, WhatsApp, and, more recently, RCS, provide device-to-device encryption.  In the network, the traffic is encrypted.  However, it is in "clear text" on every device in the group.  The more participants, the greater the probability that the content will leak, or even that one or more of the devices in the group have been compromised.

Most implementations of multi-party chat, like Signal, will enable any member of the group to see the identifier of the sender of any message.  However, the larger the group the less likely that every member will know, or even recognize, every other member (Oh!  That Jeffrey Archer).  Moreover because of the limits of the screen they may see the identities of all the members of the group only upon request rather than by default.  We call silent members lurkers. 

Said another way, multi-party chat is not considered to be sufficiently secure for SECRET data.

In the Second World War, the British were reluctant to share intelligence with us because they feared that we might leak.  Our Wave Bombe operators, who never told anyone what they had done during the war, were shocked when, after forty years, the Brits began to talk about ULTRA.  9/11 happened in part because the CIA and the FBI did not trust the other's security.  The consequences of Signal Gate will include a loss of trust and a reluctance to share vital intelligence.

Most of those with any knowledge about a military mission will have been indoctrinated in operational security, both in training and experience.  Here we had a case of novices, those who did not have experience, who had not grown up in the tradition of SECOPS.

Monday, August 26, 2024

Recent Massive Data Breaches

 Given the recent breach of a data broker, the credit bureaus, and the Dark Web, everyone's personal data is available for a rapidly declining price.   We are all vulnerable but the bad guys cannot get to us all.  That said, the prudent will freeze their credit reports, use strong authentication, and maintain a vigilant posture.

I am not a big fan of data monitoring services; they are targets and increase one's personal attack surface.  However, we really need to monitor the social security numbers of children.  They are often used in synthetic identity applications.

Businesses should rely on full name and address or name and place and date of birth, not SSNs, as identifiers; no one else with my name lives where I live or was born at the same place and time.  SSNs were necessary when storage (in 80 column cards) was dear.  They are not even necessary with modern databases and cheap storage.  The last four or five digits of the SSN may be used for verification and as tie breakers in some applications.
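A sketch of what that looks like in a customer database, added here as an example and not taken from any real system: records are keyed on name plus place and date of birth, and only the last four digits of the SSN are held, for verification and tie breaking.  The `Person` fields, the `resolve` function and the sample records are all constructed for illustration.

```python
import unicodedata
from dataclasses import dataclass

@dataclass(frozen=True)
class Person:
    record_id: int
    full_name: str
    birth_place: str
    birth_date: str   # ISO 8601, e.g. "1984-03-09"
    ssn_last4: str    # the full SSN is never stored

def norm(text: str) -> str:
    """Fold accents, case, punctuation and spacing so one person keys one way."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.casefold().replace(".", "").replace(",", "").split())

def key(name: str, place: str, date: str) -> tuple:
    return (norm(name), norm(place), date.strip())

def resolve(records, name, place, date, ssn_last4=None):
    """Return (status, candidates); status is match, ambiguous, unverified or none."""
    wanted = key(name, place, date)
    hits = [r for r in records
            if key(r.full_name, r.birth_place, r.birth_date) == wanted]
    if not hits:
        return "none", []
    if ssn_last4 is not None:
        # The last four digits only confirm or break a tie; they never select alone.
        confirmed = [r for r in hits if r.ssn_last4 == ssn_last4]
        if not confirmed:
            return "unverified", hits
        hits = confirmed
    return ("match" if len(hits) == 1 else "ambiguous"), hits

# Constructed sample data: two people who collide on name, place and date of birth.
RECORDS = [
    Person(1, "María García", "Los Angeles, CA", "1984-03-09", "4471"),
    Person(2, "Maria Garcia", "Los Angeles CA", "1984-03-09", "9026"),
    Person(3, "Alex Example", "Baton Rouge, LA", "1950-01-01", "1234"),
]

if __name__ == "__main__":
    print(resolve(RECORDS, "maria garcia", "los angeles, ca", "1984-03-09"))
    print(resolve(RECORDS, "maria garcia", "los angeles, ca", "1984-03-09", "9026"))
```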

Monday, May 20, 2024

"Securable" by Design

"Secure by Design" suggests that one can design an airplane that cannot run out of fuel or collide with terrain or another aircraft.  Rather, the goals should be "Securable by Design" and "Safe Out of the Box."  Such a design should begin with a  statement of ranked requirements in which security requirements are included with all others.  For example, things that the product must not do should be ranked  with things that it must do.  Failure modes must be explicitly identified along with the indicators of failure and the indicated corrective action.  Engineers have been doing this with hardware for millennia.


Complete requirements describe:

• The environment in which the system must operate (including natural and artificial hazards and threats)

• The market or market conditions

• The results that the system must produce (e.g., move passengers and freight, computing application, user programming)

• Performance (e.g., passenger load, range, speed, users, standard operations per unit time)

• How it must function

• Required/forbidden controls (e.g., over-ride of automated controls)

• The granularity of the controls (maximum rate of climb, number of named users or resources; controls must be sufficiently granular that one can implement the rule of least privilege.)

• Things that it must not do (e.g., stall near cruise speed, leak information between users or compartments)

• Specific threats that it must resist (e.g., lightning, easily anticipated abuse and misuse, hostile use of controls)

• Cost for overcoming resistance (e.g., cost of attack)

• Impermissible failure modes and their alternatives (e.g., halt before leaking)

• Reliability

• The availability of the system (mean-time before failure, mean-time to recovery)

• Efficiency

• Maintainability (“Function may not trump maintainability and reliability.”)

• Compatibility

• How it is to be demonstrated (e.g., testing, third-party evaluation)

• Other


Complete Specification

By habit and culture, engineers use a complete specification for a system. By contrast, IT developers often work from a specification that is less than complete. A complete specification includes an expression or description:

• Of how the system is to achieve the requirements

• What functions it will perform

• What it will look like

• What materials it will be built from

• What controls and interfaces it will present

• How it will fail (failure modes)

• Indications or evidence of failure

• A model or prototype

• User's or operator's manual

• Assembly processes

• Testing or demonstration procedures

• Other

Thursday, March 7, 2024

Prefer eSIMs

The SIM (Subscriber Identity Module) is a fingernail-sized integrated circuit (IC) that fits into a slot on your wireless phone.  It stores a number called the International Mobile Subscriber Identity (IMSI) and its related key.

The IMSI is what associates your mobile phone with your telephone number and your mobile service provider.  It is "provisioned" by your service provider when you open your account and place it in your phone.  If you get a new phone all you need to do is move the SIM to the new phone in order for your number to ring on the new phone. Your number travels with the SIM.

Your phone also has a unique identifier, the International Mobile Equipment Identity, or IMEI.  When you make a call, the system sees both the SIM and the IMEI.

Your service provider also has an account number for you that they use to record all the information about your plan, your charges, payments, and balance or credits due.  This number is unique and binds you and your carrier.  It remains the same across phones, phone numbers, and SIMs.  

Many of us use our phones as evidence of our identity in systems of strong authentication (at least two kinds of evidence, at least one of which is resistant to replay).  This takes two forms.  We may have a "soft token" (e.g., Google Authenticator, Microsoft OKTA, Symantec VIP Access) on our phone. This is an app that generates a one-time password (OTP) every minute.  The app is synchronized with a server on the Internet.  Another app, for example for your bank account or other business application, may prompt for the OTP at logon time.  It will submit the number you supply to the server to ensure that you have the soft token.  Possession of the phone, "something you have" and can use, serves as one form of evidence in a system of strong authentication.
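How a soft token and its server arrive at the same one-time password, and how the server keeps a captured code from being replayed, shown as an added example that is not part of the original post.  It follows RFC 6238 TOTP with a 60-second step to match "every minute"; the `Verifier` class, its drift window and the demo secret (the RFC 4226 test key) are assumptions of the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the post says "every minute"; many deployments use 30
DEMO_SECRET = b"12345678901234567890"  # constructed: RFC 4226 test key, not a real credential

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)

class Verifier:
    """Server side: shares the secret with the app and refuses reused codes."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps  # tolerated clock skew, in steps
        self.last_counter = -1          # highest time step already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        first = max(0, now - self.drift_steps)
        for counter in range(first, now + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue                # step already consumed: a replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

def demo() -> list:
    """Constructed clock values (seconds) chosen to land on RFC 4226 test counters."""
    server = Verifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 120)       # what the phone displays
    return [
        server.verify(code, 125),       # first use inside the window: accepted
        server.verify(code, 130),       # same code presented again: rejected
        server.verify(code, 420),       # five minutes later: expired
    ]

if __name__ == "__main__":
    print(demo())
```

The secret never leaves the phone and the server, which is why the code is evidence of possessing the device rather than of controlling the phone number.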

Alternatively, you may register your phone number with an application provider.  At logon time, the provider may send an OTP message (SMS) to your phone which you can copy and paste into a prompt at logon time.  Only someone who can receive texts at that phone number can successfully log on to the application.  This is marginally more convenient than the soft token; it is also marginally less secure.  It depends upon the application provider having the right phone number associated with your account, and your wireless service provider having your phone number associated with your phone.

Herein lies the limitation of this measure.  If an attacker can dupe your wireless service provider into re-assigning your number to his device, then he can receive the OTP message.  Because this attack usually involves the wireless service provider also giving the attacker a new SIM, this attack is known as "SIM swapping."  A similar attack involves duping the application provider into  changing the wireless phone number associated with your account to that of the attacker.  Both of these attacks require duping support personnel.  (See also "port-out" attacks.)

Note that support personnel are trained and motivated to be supportive.  If they think that they are talking to you, they will do whatever they are asked.  Of course, they are also trained and motivated to be sure it's you, but there are lots of them and their training may be spotty.

This is where the eSIM comes in.  Instead of storing the IMSI on an IC, in late model phones it can be stored in a High Security Module (HSM) on the phone.  Instead of being provisioned by support personnel at your wireless provider, it is provisioned by you either by running an app on your phone or scanning a QR code.  

The app comes from a network service provider (e.g., AT&T, Verizon, T-Mobile) or from a provider that contracts with one (e.g., Consumer Cellular, AARP, Mint Mobile, Nomad).  It is to be hoped that you are a little more concerned with your identity than any of these service providers.  These contractor service providers, which do not operate their own networks, may compete on the basis of price, coverage, data plan, or a combination of these.  While some may provide a SIM card for old phones, for late model phones they use eSIMs.

In any event, if your phone suddenly stops working, you may be the victim of a SIM swap.  Contact your service provider immediately.  Do not hesitate.

Monday, February 12, 2024

Surveillance, Legal and Otherwise

 A New Jersey Court recently held that a "communication data warrant" was insufficient to compel Facebook to hand over a user's posts.  Rather, under New Jersey's Wiretap and Electronic Surveillance Control Act, they would require a "wiretap" order.  While both orders are "warrants" as required by the Fourth Amendment to the US Constitution, under NJ law the standards and permissions are different for the two orders.  Said another way, it is the intention of the New Jersey legislature that surveillance in (near) real-time is more intrusive than a mere search warrant and must be more limited.  The intent of the law is to resist abuse, not only by NJ investigators but also by the federal government.

While the US Code contains no such explicit distinction, both law and precedent require that warrants be explicit as to what methods may be employed and what evidence is sought.  A warrant is not a carte blanche, a license to do anything the officer wants.  In practice judges expect law enforcement to use the "least intrusive means" to investigate.  

Governments around the globe, and law enforcement in particular, employ surveillance to detect and investigate communications that they wish to discourage.  Some, like ours, recognize the potential for abuse and seek to resist it.  None absolutely eschew its use. In some authoritarian states it is routine, a means of exercising power and control over the populace.

The most frequent justifications for surveillance are crime, specifically CSAM and terrorism.  The rules are often "collect everything, forget nothing, admit nothing."  Data collected for legitimate purposes constitutes a temptation, not to say an invitation, to other uses.  

While the US Constitution requires probable cause for both searches and seizures, in practice seizures are routine and warrants are required only for searches.  While under the Constitution the test is "reasonableness," in practice and precedent the threshold for requiring a warrant has become whether or not the subject has an "expectation of privacy;" reasonableness is no longer even considered.  

In the US the requirement for a warrant is routinely bypassed by purchasing "surveillance as a service" in the open market.  Investigators simply pay a small fee to so called data brokers.  This is much more efficient than creating a government database.  

In summary, the protections against unreasonable search and seizure guaranteed in the Fourth Amendment to the US Constitution have been whittled away.  While there is little evidence that the current administration is engaged in massive surveillance, it happened under the GWB administration.  There is little left to protect us against abuse by future administrations.


The Role of the Chief Information Security Officer (CISO)

There is a great deal of discussion of late about the liability of the Chief Information Security Officer for security breaches.  Seems to me that the biggest problem with CISO is a misunderstanding of the role.  CISOs are staff, not line.  They are not responsible for security, line managers are.  They are not responsible for preventing breaches, line managers are.


They are responsible for recommending the expression of enterprise risk tolerance and security policy but not for setting them; that is a governance decision to be made by the board of directors.  They are responsible for articulating strategy but not for adopting or implementing it.  They are responsible for coordinating implementation of strategy across functions and departments. They are responsible for recommending essential and efficient security measures but not for implementing them.  They are responsible for recommending standards, for measuring against them and reporting on them but not for complying with them.  They are responsible for measuring enterprise IT risk and for reporting on it to general management. 

The wise CISO negotiates his success before taking the job.  When his recommendations are not adopted, he documents the risk, asks the responsible line manager to sign the risk acceptance document, records the risk acceptance, and asks that the decision be revisited annually or when there is a change in responsible management.  

Monday, November 6, 2023

Artificial Intelligence

Artificial intelligence, AI, is a new user interface to the computer.  Large language models (LLMs) make the computer easier to use.  They permit us to describe the result that we want in natural language, improving productivity and enabling new applications.  AI will improve intellectual productivity as much as internal combustion did manual productivity.  In response to internal combustion, and more specifically the tractor, we shortened the work week from 72 hours to 44 and invented vacations and retirement.  In the process, we killed off two generations of young men and still suffered 25% unemployment.  Said another way, increases in productivity are disruptive.

The computer, with or without AI, is a tool.  Tools vary in quality, utility, usability, and use.  The user is responsible for the selection of the tool, the purpose to which it is put, and for all the properties of the result.  This is true whether the user is an individual or a group.  An enterprise must be responsible and accountable for everything that results from its application of this powerful technology. We call this security and we forget any part of it at our peril. We must not impute authority or autonomy to the tool; we must not anthropomorphize the tool.  "The craftsman does not blame his tools."  We must hold people accountable for how we use this powerful new tool.  

In the near term we should focus on embedded application specific implementations of AI.  We should follow the example of IBM, a pioneer in the field.  IBM trains the engine, think Watson, on application specific curated data; they build in governance and transparency from the ground up.

Public policy must soften the impact of the disruption.  This will include shortening the work week to spread the work and the leisure.  It should include a guaranteed minimum income to ease transition from old jobs and skills to new ones.  Finally, it should include changes in tax policy from labor to capital, people to robots, and production to consumption, to more securely and equitably finance the social safety net.