Law enforcement versus Silicon Valley's idle problem children
From Ashley Madison to hackable Jeeps
Year in review: Tensions have been building for a while on the back of revelations from NSA contractor turned whistleblower Edward Snowden, but 2015 marked the outbreak of full-on hostilities between tech firms in Silicon Valley and Western governments.
Law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was "going dark" (a phrase first used by FBI chief James Comey) as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes.
The application of end-to-end encryption means that private encryption keys are held on devices and not by firms providing the services, so there is nothing for tech providers to hand over - even if they are served with a warrant.
Technologists such as Apple's Tim Cook and cryptographers argue that governments are trying to weaken encryption. Any form of privileged access for government – ie, a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments' intelligence agencies as well as criminals.
The Obama administration was initially sympathetic to the position of Silicon Valley tech firms but this changed in the wake of the recent Paris terror attacks, with President Obama calling out encryption in his latest terror strategy speech.
The UK government under Prime Minister David Cameron has consistently taken a more aggressive line that law enforcement must be able to uncloak encrypted comms, subject to controls. This policy saw fruition in the form of the draft Investigatory Powers Bill.
The proposed law would consolidate and update existing investigatory powers, including bulk collection and equipment interference (ie, hacking) by GCHQ, as well as compelling service providers to assist law enforcement in removing encryption. The IPB would require “CSPs [communications service providers] to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.”
Despite what critics see as a push to weaken strong encryption, the UK’s Tory-led government is maintaining its ambition to make Britain among the best places in the world to do e-commerce.
Chancellor George Osborne recently announced that the UK government plans to double cyber security spending and establish a single National Cyber Centre. Cyber security spending will rise to £1.9bn by 2020 at a time of general budget cuts. The spending pledge followed a high-profile speech by GCHQ director Robert Hannigan criticising private industry for failing to do enough to improve cyber-security.
More honoured in the breach than in the observance
While the second crypto war formed the main story arc of the year in security, the narrative was punctuated by multiple incidents of serious security breaches.
A breach of the US government’s Office of Personnel Management in June exposed the personal details of multiple government employees. China was blamed for the hack but not heavily criticised. OPM was a US government system and therefore considered fair game for espionage. There was even a sort of grudging admiration towards the Chinese for the hack’s audacity.
OPM admitted the attack had compromised the records of more than 21.5 million citizens, enabling attackers to gain access to highly personal information contained on background investigation applications.
In contrast, China’s alleged hacking of commercial firms to steal industrial secrets has provoked indignation and diplomatic protests for years. The US government claims it doesn’t engage in commercial espionage (the hack against Petrobras, Brazil in particular – exposed by Snowden – might suggest otherwise).
The dispute has rumbled on for years. However, 2015 might yet prove to be something of a turning point, with the signing of a deal between China and the US that followed a state visit by Chinese President Xi Jinping. Similar loose agreements on industrial espionage between China and the UK and Germany followed.
While the OPM breach was profoundly serious, it was nothing like as embarrassing or alarming as the breach on adulterer-hookup site Ashley Madison in July. The Impact Team hacking crew claimed to have accessed Ashley Madison’s user database, financial records and other proprietary information, including the personal data of 37 million users. The hackers threatened to dump this data online unless owners Avid Life Media closed Ashley Madison.
ALM refused to comply with this extortion, prompting Impact Team to release customer records for the adulterers' hookup site weeks later.
TalkTalk admitted that a breach on its systems may have exposed the personal details of customers. TalkTalk failed to encrypt all user data. Partial details of credit card numbers as well as names, addresses, dates of birth, phone numbers and email addresses were therefore exposed, leaving customers potentially more at risk from ID fraudsters.
Anthem admitted in February that it had been the victim of a data breach that resulted in the theft of approximately 78.8 million highly sensitive patient records. Anthem later said that the breach likely affected an additional 8.8 to 18.8 million non-patient records that included names, birth dates, Social Security numbers, addresses and employment data.
The attack on Anthem was the beginning of a series of US healthcare hacks this year, including assaults on Premera Blue Cross and Excellus BlueCross BlueShield.
Vulnerabilities of one type or another were also rife during 2015. The Stagefright vulnerability highlighted the patching shortcomings in Android. After years of downplaying or ignoring the problem, smartphone manufacturers are finally acting. For example, Google and Samsung have committed to shipping security updates every month.
2015 also marked the year when the IT world woke up to the realisation that cars had become computers on wheels, something that has made some models vulnerable to the types of exploits and vulnerabilities previously considered the stuff of science fiction.
Renowned car security researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee over a mobile network and gained control of critical systems after gaining entry through its connected infotainment system, Uconnect.
The duo previously hacked a Toyota Prius and a Ford Escape. But those hacks relied on taking over a vehicle's systems by plugging directly into a car's network via a port under the dashboard. The latest hack allowed the duo to take over a Jeep from 10 miles away and allowed them to turn on the AC, blast music, disable the transmission and even disable the brakes.
The researchers demonstrated how skilled hackers might be able to hack into vulnerable cars simply by knowing the car's IP address. ®