Category Archives: security policy

We must bridge the gap between technology and policymaking – Bruce Schneier

Abstract

Technologists and policymakers largely inhabit two separate worlds. It’s an old problem, one that the British scientist CP Snow identified in a 1959 essay entitled The Two Cultures. He called them sciences and humanities, and pointed to the split as a major hindrance to solving the world’s problems.

Today, it’s a crisis. Technology is now deeply intertwined with policy. We’re building complex socio-technical systems at all levels of our society. Software constrains behaviour with an efficiency that no law can match. It’s all changing fast; technology is literally creating the world we all live in, and policymakers can’t keep up. Getting it wrong has become increasingly catastrophic. Surviving the future depends on bringing technologists and policymakers together.

Listen to Sir Bruce Schneier

Read more at

https://www.weforum.org/agenda/2019/11/we-must-bridge-the-gap-between-technology-and-policy-our-future-depends-on-it/

Australia’s Proposed Law: Social Media Execs May Face Jail for Violent Crime Streaming

Abstract

The proposed laws would cover “the playing or streaming of terrorism, murder, attempted murder, torture, rape and kidnapping on social media”, the government announced over the weekend. 

Social media platforms would also be required to notify the Australian Federal Police if they become aware that their site has been used to stream violent crimes. Should a notification fail to happen, fines of up to AU$840,000 for companies, and AU$168,000 for individuals, may be levied. 

Reference

https://www.zdnet.com/article/australia-to-rush-laws-on-jailing-social-media-execs-for-violent-crime-streaming/

IoTSecurity: IoT Code of Practice by UK Govt

The United Kingdom has been very proactive in regulating the most important cybersecurity concerns. Bruce Schneier (cyber guru) often argues that it is time for governments to act and regulate IoT devices. In recent times, the UK government has done a phenomenal job of regulating the following important security concerns.

Apart from the regulations themselves, the significant part is that the UK government partners with private companies to come up with solutions. Many governments hesitate to take other stakeholders on board.

Who is the audience of the Code of Practice?

  • Device Manufacturer
  • IoT Service Providers
  • Mobile Application Developers
  • Retailers

So, what are the security concerns with IoT devices?

  • Consumer privacy: many devices act more like spy devices and keep track of every user movement, private conversation, video recording, etc. Experts tell us that privacy isn’t a right anymore in today’s world and that we should get over it. However, it can still be controlled with the right tools.
  • Consumer security: the biggest concern is consumer security. The more connected you are, the more vulnerable you are. Unlocking homes, remotely hacking home video, smart TVs, etc. are normal nowadays.
  • Unsecured manufacturing and retailing: most IoT devices are unsecured, and organizations have huge control over them. A consumer does not have the authority to ask for more security. If someone can unlock the door because of a misconfiguration, the manufacturer and service providers are not liable.
  • Use of these unsecured devices in large-scale attacks (i.e. DDoS): you might be familiar with distributed denial of service. These IoT devices help to achieve that.

The Code of Practice applies to the following types of devices

  • Connected children’s toys and baby monitors
  • Connected safety-relevant products such as smoke detectors and door locks
  • Smart cameras, TVs and speakers
  • Wearable health trackers
  • Connected home automation and alarm systems
  • Connected appliances (e.g. washing machines, fridges)
  • Smart home assistants

Code of Practice Guidelines

  1. No default passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software updated
  4. Securely store credentials and security-sensitive data
  5. Communicate securely
  6. Minimize exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is protected
  9. Make systems resilient to outages
  10. Monitor system telemetry data
  11. Make it easy for consumers to delete personal data
  12. Make installation and maintenance of devices easy
  13. Validate input data

Reference

https://www.gov.uk/government/publications/secure-by-design/code-of-practice-for-consumer-iot-security

CyberSecurity: Security Importance of the /etc/hosts File

You might be surprised to know how critical the /etc/hosts file can be. I learned its importance and thought about sharing some of the details.

Use of the /etc/hosts File

We are all familiar with the hosts file and the information in it. The most basic use of /etc/hosts is to map a hostname such as localhost to an IP address (i.e. 127.0.0.1). There are other uses as well; let’s understand them through an example.

Let’s see how things work when you type google.com into any web browser.

The browser, as a client, makes a DNS request; that much we know. But in reality, the operating system (OS) checks the hosts file entries first, before making a DNS request to resolve the domain’s IP. If an entry for the name is found in the local hosts file, the OS uses that local mapping instead of DNS. Then the OS uses ARP (Address Resolution Protocol) to find out the destination MAC (media access control) or physical address.

Then the OS begins a handshake with the destination host through the TCP/IP protocol and starts sending the data. I will explain the working of data packets and the OSI model in some other posts. For now, just the hosts file.

Security Aspect of the /etc/hosts File

Used by hackers: hackers use this file when they wish to redirect an application’s traffic to a proxy server. They set up the proxy server before they modify the hosts file. This technique is called active network traffic capturing. Basically, the hackers get all the network traffic from your server or machine. It helps them run an analysis and understand the insides of the application. They can even decode the actual application logs. And the server’s network traffic helps hackers a lot in breaking the application further.

Used by antivirus and security products: some antivirus and security products track changes to the system’s hosts file, because such changes are a sign of malware. You might need to disable the product’s protection temporarily if you want to change the hosts file.

Note: a suggestion would be to set proper privileges (file permissions) on the hosts file.
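As an added example (not code from the original post), here is a small Python check that parses a hosts file and flags the two things described above: a non-local hostname redirected to another address (the proxy case) and any entry added since a known-good copy (the change that security products watch for). The sample hosts content and the list of local names and suffixes are constructed assumptions.

```python
import ipaddress

# Constructed sample (not from a real system): a hosts file before and after tampering.
BASELINE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.10  fileserver.local
"""
CURRENT_HOSTS = BASELINE_HOSTS + """\
# two lines a tampered file might contain: a redirect to a proxy and a blackhole
10.0.0.5    api.example-bank.com
0.0.0.0     update.vendor-antivirus.example
"""
# Assumed names and suffixes that legitimately belong in a hosts file.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}
LOCAL_SUFFIXES = (".local", ".localdomain", ".lan", ".home")

def parse_hosts(text):
    """Return (ip, hostname) pairs, one per alias; comments and bad lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid IPv4/IPv6 address
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries

def suspicious_entries(text):
    """Flag overrides of non-local hostnames: the OS will use these before DNS."""
    flagged = []
    for ip_str, name in parse_hosts(text):
        if name in LOCAL_NAMES or name.endswith(LOCAL_SUFFIXES) or "." not in name:
            continue  # ordinary local mapping
        ip = ipaddress.ip_address(ip_str)
        if ip.is_loopback or ip.is_unspecified:
            flagged.append((ip_str, name, "blackholed"))  # e.g. blocks an update server
        else:
            flagged.append((ip_str, name, "redirected"))  # e.g. sent to a proxy
    return flagged

def new_since_baseline(baseline_text, current_text):
    """Entries added since a known-good copy: the change security products alert on."""
    return sorted(set(parse_hosts(current_text)) - set(parse_hosts(baseline_text)))
```

On a real system you would read /etc/hosts (or the Windows equivalent) instead of the constructed strings and keep the baseline copy somewhere the file’s writers cannot reach.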

CyberSecurity: How Chatbots Are a New Threat to Democracy

Since social media has become a media platform and a news stream, crooks, politicians, criminals, etc. have started to exploit it. Some people argue that the mainstream media is so unfair and biased that social media is the way to reach their followers.

Following this logic, crooks started buying trolls. These trolls are humans, and they create a fake agenda. Look closely at how Facebook, Twitter, etc. are full of trolls and fake news or funny cartoons and videos. In reality, crooks set the agenda for whomever they wish to target on social media today. Political parties have IT cells as departments to spread their message; whether it is true or false does not matter.

There are IT companies that have a department to serve these crooks and politicians. They create thousands of fake accounts and dominate the real conversation going on between a few people. These fake accounts are created smartly and post in the local language as well. They just flood a bunch of messages and confuse people on every topic. It is done by every political party on a large scale nowadays.

Buying trolls is costly, and it is an ongoing investment for all the crooks and politicians. So, in the coming days, it would not be wrong to say that people will look for cheaper and more effective options, and that could be chatbots.

Read the full opinion on chatbots and how they could be dangerous

Abstract

Chatbots are software programs that are capable of conversing with human beings on social media using natural language. Increasingly, they take the form of machine learning systems that are not painstakingly “taught” vocabulary, grammar and syntax but rather “learn” to respond appropriately using probabilistic inference from large datasets, together with some human guidance.

Most political bots these days are similarly crude, limited to the repetition of slogans like “#LockHerUp” or “#MAGA.” But a glance at recent political history suggests that chatbots have already begun to have an appreciable impact on political discourse. In the buildup to the midterms, for instance, an estimated 60 percent of the online chatter relating to “the caravan” of Central American migrants was initiated by chatbots.