16 August 2013
By Julie Beal
The NSA must be drooling with anticipation…. the NSTIC is in full swing, working hard to bring global ID to the world. All that lovely data, all linked together, just oozing with juicy details. Put it together with all the sensor readings and you find out so much!
Yes, the National Strategy for Trusted Identities in Cyberspace (NSTIC) has already begun pilots of the federated identity ecosystem, where corporations manage people’s online identities for them, i.e. they ‘look after’ your data, act as a go-between, so you can prove you are who you say you are, online. The US Strategy is intended to work globally, using international standards to exchange information, and most countries have managed to implement a smart ID program in some form or other, such as biometric passports.
The military use of online Identity Management (IdM) is being extended to all of us because we are all going to be forced into the matrix – the intention is to make all government and healthcare services online only, and to use these services, you have to use an Identity Provider (IdP) to validate your right of access. Many of these IdPs have been supplying the NSA (National Security Agency) with records used to identify us, to facilitate “pre-emptive surveillance” or predictive policing – using the data to look for patterns and ‘predict’ crime before it even has a chance to happen.
The Edward Snowden case has made access rights a hot topic and the response of the NSA has been to insist they are ‘only’ collecting metadata. However, metadata is so powerful, it can be used by IdPs to help validate identity! Metadata is also sold to help marketers and politicians ‘understand’ us.
The presence of General Keith Alexander at last month’s Black Hat conference was an appeal to hackers to be on ‘the right side’, an appeal made all the more poignant by the loss of Barnaby Jack, the hacker who, it is said, wore a white hat, unlike, say, Anonymous. He was a good hacker who should have been there: he was trying to help people, and the controversy over his death last month may be pure media hype, as this article will explain. The FDA announced in June that the insecurity of medical devices could be addressed with IdM, by allowing only authorised users to access a device, but this fails to fully address the problems highlighted by Jack and other researchers.
The powers that be are bringing on the FINAL CRUNCH, the false dichotomy – now, they say, is the time to choose:
Are you a good guy, or a bad guy?
Are you with us, or against us?
Protecting a person’s privacy is also as critical to one’s safety, dignity and identity as is protecting a person’s property. With no privacy, one is de-humanized like an animal in a zoo and much more susceptible to the control of others. -- Scott Cleland (2013)
Hats and Hackers
Earlier this year, General Keith Alexander toured the National Cybersecurity Center of Excellence (NCCoE). Alexander is head of both U.S. Cyber Command and the National Security Agency (NSA) and has featured heavily in the press recently trying to defend the actions of the NSA in response to the ‘leaks’ by Edward Snowden. U.S. Senator Barbara Mikulski helped set up the NCCoE, and was instrumental in establishing the NSTIC. She joined Alexander for the tour, exactly two years to the day after Obama’s announcement of the NSTIC. Mikulski made it clear at the time that identity management was about helping business, especially in protecting intellectual property, and the NCCoE is a public-private partnership hosted by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST). Eleven companies have joined the partnership, including RSA, Intel, and Microsoft.
“We’re standing up for the National Cybersecurity Center of Excellence to protect America’s ideas and innovations from cyber terrorists, spies and thieves,” Senator Mikulski said. “This center will unite the knowledge of the government with the know-how of the private sector to improve our nation’s cybersecurity and create jobs.”
NIST is responsible for implementing the NSTIC, and the tour of the NCCoE facilities included a demonstration of the NSTIC project that is now being piloted by Daon, Inc., supplying biometric identity management via smartphones. They also got to talk to company representatives, and to learn more about other NIST cybersecurity programs.
“Cyber threats cut across networks, borders and sectors, and leaders in government and industry must work together to help protect the nation’s critical infrastructure and information,” said General Alexander.
No one organization can do the job alone. NSA supports NIST’s efforts to partner with industry to tackle cyber challenges. NIST has been a great partner to work with and we know they will be great partners on the National Cybersecurity Center of Excellence.
General Alexander has also been extending government outreach on cybersecurity issues from private partnerships to a new focus on the hacker community. He turned up to the Defcon conference in jeans and t-shirt last year, and appealed to the audience of around 15,000 ‘security specialists’ to help the NSA ‘defend’ the nation. The Washington Post reported, “The NSA needs cybersecurity experts to harden networks, defend them with updates, do “penetration testing” to find security holes and watch for signs of cyberattacks.” Whilst prosecutions of hackers and whistleblowers have soared, there has also been a recruiting drive for the remaining hackers to join the NSA/government. In 2011, DOD, DHS, NASA, and NSA attended Defcon, all of them looking to hire tech-savvy young-bloods, as part of a long term strategy to increase the skill and knowledge levels of the feds in, “an environment where the hacker mind-set fits with “a critical mass of people that are just like them.”” The NSA puts its hackers into either ‘red teams’ (the aggressor) or ‘blue teams’ (the defender).
They were welcomed to the event by Jeff Moss, who founded both Defcon and Black Hat and, said the Washington Post (2011), “is now a member of the Department of Homeland Security’s Advisory Council, which advises the government on cybersecurity.” Following the Snowden ‘leaks’ this year, however, Moss suggested the NSA stay away from Defcon, but welcomed General Alexander to give a speech at Black Hat.
This time, Alexander went for a ‘dressed down’ military outfit – and a fatherly ‘I’m on your side’ speech. Once again, the hackers, any of whom could be of the black hat variety, gave the General several warm rounds of applause. A spot of heckling at the end was quickly dealt with. Apart from trying to defend the NSA, Alexander seemed to be warning the potential young recruits about the difference between good guys and bad guys, when he said:
Where do we go from here? – that’s where you come in. We need to hear from you, because the tools and the things we use are very much the same as the tools that many of you use, in securing networks. The difference, in part, is the oversight and the compliance that we have in these programs. That part is missing in much of the discussion. I believe it’s important for you to hear that.
This is part of the same old story he keeps on telling: that the NSA is just trying to protect everyone from, “those who walk among you who are trying to kill you”. This idea, that there is ‘evil amongst us’, is the key to instilling fear in the global community, and has always been so. It also implies the NSA wears a White Hat, when in fact much of its mission is blacker than black – the scope and aim of NSA surveillance amounts to an offensive attack on the people of the world.
For the hackers, the message seems to be, ‘choose now – cross over to our side, and we’ll pay you and call you heroes’.
Those that choose not to – they’ve been warned about their lack of ‘oversight’.
Who watches the watchers?
The prime example of this is Edward Snowden, who had been certified as an ‘ethical hacker’, holding the EC-Council Network Security Administrator (E|NSA) credential; the E|NSA course is itself CNSS4011 certified by the National Security Agency.
Fancy that, eh? Snowden was trusted by Booz Allen Hamilton (his employer), and by the NSA itself. These closely linked organisations already use Identity Management, so just how much “god-like access” do these systems administrators actually get?
Most of the information gleaned by the NSA comes from predictive analytics employed to find patterns and meaning in the mass of data that comes through. Computers do most of the spying. But there will always be those with access, whether they are granted the privilege by the NSA, or they’ve hacked into the system. We are never going to be safe in the matrix.
The level of security at the NSA, including identity and access control, biometrics, and psychometric testing, either makes it highly unlikely Snowden would have been able to leak the information without their knowledge, or he had their full blessing. After all,
These individuals hold the keys to the kingdom and are often in a position to undermine the integrity of systems and data, damage systems and, at the extreme, destroy systems and the data on which they operate.
So why has there been such a focus on the so-called ‘revelations’ by Snowden/Greenwald? It’s plastered all over the place – why? There have already been numerous reports of the shady tactics employed by the NSA over the years, such as those by James Bamford, so it is only the focus of the mainstream media that has kept the story alive. Why all the hype now? Could it be this case is a standard-setter? It has achieved several things, from the NSA’s point of view: it has allowed them, and the media puppets, to twist the meaning of ‘whistleblower’ to ‘traitor’; it has triggered the meme of cybersecurity; and it has engaged the hacker community to “have the conversation” with the NSA. More importantly, it creates the idea in people’s minds that they have an online identity to protect. But it’s the NSA and their cronies that we need to be protected from!
The NSA wants to recruit ethical hackers to be trusted system administrators, but it doesn’t want them to be like Edward Snowden. Like Manning and Assange, he now stands as an example of what happens to those who choose to honour the rights of the people instead of obeying the shameful directive of the i-Spy War Monster.
Edward Snowden’s profile will now be studied by counter-intelligence officials looking for clues about how to hire skilled hackers without endangering government secrets.
The NSA recently announced it intends to implement the ‘two-person rule’, i.e. systems administrators with privileged account access must verify each other’s movements. This seems unfeasible, given that the NSA is so desperate to recruit more staff, and the rule has already proved to be “too cumbersome” to implement. The Agency has also, “been busy in the open source world and contributed security-related code to Google's Android operating system. This is like a vampire donating to a blood bank.” It is even said the NSA is targeting people who use Tor networks, PGP and other encryption services.
The President of the EC-Council, Sanjay Bavisi, believes that ‘bad guys’ are like a disease or virus that needs to be weeded out of the system. At the Colloquium for Information Systems Security Education (led by Dr. William Maconachy, a former Director of the NSA) in June, Bavisi spoke to ‘thought-leaders’ from both the DHS and the NSA, and warned them they were facing a veritable cyber plague. His solution is to get more ethical hackers on board, to inject secure code into the system, just like a “cyber vaccine”.
Bavisi received the NSA 2013 Colloquium Industry Leadership Award for his work with the EC-Council, which works with Science Applications International Corporation (SAIC) to host the Global Cyberlympics, supported by the United Nations’ International Telecommunication Union (ITU).
… the Global CyberLympics …. is a series of ethical hacking games comprised of both offensive and defensive security challenges. Teams will vie for the regional championships, followed by a world finals round to determine the world’s best ethical hacking team. EC-Council is sponsoring over $400,000 worth of prizes at the CyberLympics.
…. the mission of the CyberLympics is to unify global cyber defense while raising awareness toward increased education and ethics in information security. SAIC says that the timing of the games could not be more critical, as global cyber threats are escalating, leaving organizations vulnerable to disastrous security breaches. According to the U.S. Cyber Consequences Unit, hacking results in an annual loss of $6 to $20 billion in intellectual property and investment opportunities.
….. The CyberLympics will include cyber defense, offense, and a forensics challenge. The initial qualification rounds of these games will be conducted via the Internet, testing the skills of hundreds of contestants from Africa, Asia, Australia, Europe, North and South America.
Other competitions are open to those who want to be an ethical hacker; the Air Force Association sponsors the ‘CyberPatriot’ contest, “which … has grown from eight high school squads in 2009 to more than 1,200 this year”, and the NSA has also announced it will sponsor the ‘Toaster Wars’. These contests help train the potential recruits, and to condition them to behave according to the guidelines of ethical hacking.
While the students are taught advanced computer skills, they also receive training in computer ethics …….. students interviewed at the contest say they know the fine line between white hat and black hat. [One of the students] said hacking and defending are two sides of the same coin and that the only way to make a proper defense is to understand your weaknesses.
"We are trained in offensive security, or ethical hacking, but we do know how to monitor a network like a school and watch all the traffic going through," Houck said."And if it’s encrypted, we do know how to break that." (my italics)
The contest is a gaming environment, and cheaters are disqualified and no doubt blacklisted as unethical. Understanding the hacker’s mind is one of the key aims of the recruitment of ethical hackers, or security specialists, all of whom are psychometrically tested/monitored. They are, after all, Masters of Identity Control.
Good Guy Barnaby Jack
Barnaby Jack was known to wear a White Hat. He worked for a computer security company called IOActive, and had also worked with federal agencies, and Intel. He was famous for showing how insecure ATMs are: at the 2010 Black Hat conference, he made them spew out money, remotely. In more recent years, Jack had spoken to the media about how he could hack implantable medical devices which use wireless radio communication – devices such as pacemakers, and implantable cardioverter-defibrillators (ICDs), as well as implanted insulin pumps, could be hacked from a distance to commit mass murder.
Many of these devices communicate wirelessly, and much of the computerized equipment in hospitals is networked; a number of articles have described how both are highly vulnerable to malware, or viruses.
… the devices are easily tricked by a special command to give up their serial numbers and other info needed to authenticate into them and control those transmitters; and, worse, they often have backdoors that allow the wireless signals to be hijacked even without the credentials……….. around 4.6 million pacemakers and ICDs were sold between 2006 and 2011 in the US alone.
An old virus from years ago, one that a modern operating system would flick away like an ant at a picnic, can cause real problems in some medical networks.
Barnaby Jack, at the age of just 35, was found dead in an apartment in San Francisco one week before he was due to demonstrate the ability to attack pacemakers at the Black Hat conference, which was attended by General Alexander. This followed an interview about the devices with Reuters, and the subsequent media freeze on information regarding his sudden death has caused much speculation about a possible assassination. The media reports take the view that this was ‘new information’ which no-one wanted to be released; however, this is not the case at all, as the media has been reporting this information for several years. A security researcher called Kevin Fu has done extensive work on this topic and is a member of the National Institute of Standards and Technology (NIST) Information Security and Privacy Advisory Board (ISPAB). In 2008, he published a report,
…. describing laboratory experiments showing a Medtronic Inc. defibrillator could be turned off remotely by hackers. At a 2011 conference, a McAfee Inc. researcher showed he could remotely cause an insulin pump to deliver fatal doses.
In one recent experiment, Dr. Fu showed that commercially available devices called software radios, held close to a patient's chest—he used dummies—could induce defibrillators to deliver unneeded shocks.
"No one has figured out a way to defend against this type of interference," he said. But he said most companies are aware of such problems and he and fellow researchers "don't want to give anyone meat to make crazy claims," as his hacks so far amount to lab experiments.
While Fu has confined his experiments to the lab, kept a low media profile, and is working closely with the US government, Barnaby Jack had worked without any ‘oversight’, in a Black Hat kinda way, and, well …. maybe he just talked too much. Although device manufacturers such as Medtronic believe “the risk to an individual customer is low and the benefits of the therapy outweigh these risks", they aren’t keen to publicise the insecurities of their devices because of the burden of liability, and the claims that could be brought against them.
Security consultants who have worked for Medtronic and people familiar with the company's internal efforts say Medtronic has been developing cybersecurity features for its devices for more than a decade but has kept a low profile on the issue to avoid additional scrutiny or alarming patients. Security efforts have ramped up in recent years, they said.
The trouble is, hospitals do not want to report malfunctions, and the FDA rules deter hospitals from ‘patching’ the millions of devices already implanted in people around the world:
… under current US law, software used to run medical devices in hospitals must remain static once approved. It’s not that manufacturers cannot install anti-virus software or provide updates to fix security flaws, it’s that they will not do so, in order to remain in compliance with the Food & Drug Administration.
"I find this mind-boggling,” Kevin Fu…. told Technology Review. “Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.”
Kevin Fu attended a meeting of the ISPAB, together with Medtronic, Google, Microsoft, the NSA, and other federal agencies, in October last year. The minutes of the meeting note that Vijay D’Souza, from the U.S. Government Accountability Office (GAO), “indicated that GAO had talked with some manufacturers about the patching issue and manufacturers indicated they did not want to patch devices to jeopardize their certification. Mr. D’Souza indicated that the general feedback was that the possible benefit of issuing a patch is far outweighed by the risk – the issue is one of liability.”
Fu had discussed this issue in an interview (which also featured Barnaby Jack) with Vanity Fair last year, where it was reported,
Medical manufacturers…. frequently will not allow hospitals to modify their software - even just to add anti-virus protection—because they fear that the changes would have to be reviewed by the U.S. Food and Drug Administration, a complex and expensive process. The fear is wholly justified; according to the F.D.A., most medical-device software problems are linked to updates, patches, and revisions.
The lesson learned is that encryption is not enough to protect the privacy of medical telemetry, and that reasonable assurance for security and privacy will require an energy budget. Future design of medical devices will have to make difficult tradeoffs between battery life versus security and privacy.
Without overcoming these hurdles, the plan is to use identity management to try to limit access to the devices; in June (2013), the FDA issued a Safety Communication, ‘Cybersecurity for Medical Devices and Hospital Networks’, which advises hospitals to:
“Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.”
The key points of the guidance are limiting access to “trusted users only” and attempting to “ensure trusted content” by accepting only authenticated software and firmware. As for encryption to protect the transfer of data to and from the device – the guidance simply states this should be used “when appropriate”. The probability of risk to patients from a security breach will be assessed to determine whether or not intervention is necessary.
But just how bad is this risk? There have been no recorded incidents of devices being attacked, though the storyline aired in an episode of ‘Homeland’ – the hitman targeted the Vice President by first getting the serial number for his pacemaker. After seeing the episode, Jack joked on IOActive’s blog, “My first thought after watching this episode was ‘TV is so ridiculous! You don’t need a serial number!”
The Vanity Fair article notes, “You don’t even have to know anything about medical devices’ software to attack them remotely, Fu says. You simply have to call them repeatedly, waking them up so many times that they exhaust their batteries.”
What Jack and Fu were trying to warn us of went way further than the insecurity of pacemakers and insulin pumps. The whole world is intended to be linked to the Internet. Every part of the Internet of Things and People is being linked together, communicating, SMART. And everything we do is recorded. Identifiable. Searchable.
This is not smart.
None of it is safe from the NSA.
NSA: “We’re just collecting metadata”
General Keith Alexander has tried to assure people who fear for their privacy, by telling them his agency is only collecting metadata; and they’re not listening to everyone’s phone calls because it’s just not possible. Of course he’s right about this, but, as he himself says, he’s not telling the whole story. It would not be possible for human beings to sit and listen to everyone’s phone calls, though it is possible to transcribe into text the speech of millions of peoples’ private calls, and search it for keywords.
In an interview at the Aspen Institute, Alexander described the breadth of the more targeted surveillance the NSA does when he talked about the number of ‘hops’ that are done (he says they can only do three). The first hop is 40 people (friends and associates), the second hop expands this to include all the people known by the original group, and works out to be (40 x 40) 1,600 people. The third hop would therefore be (40 x 40 x 40) 64,000 people under surveillance from just one original suspect. It’s hard to know how the FISA court could rubber-stamp each and every one.
And for Alexander to dismiss the collection of metadata as if this is no intrusion of privacy is outrageous – “connecting the dots” of petabytes of metadata reveals hugely private details of our lives by showing patterns, and allowing inferences to be made. This is the stuff of modern marketing, and predictive policing.
Defined as being ‘data about data’, metadata comes from the many ubiquitous sensors (such as RFID) all around us, and all the things we do electronically.
METADATA IS WHAT THE NSA NEEDS TO SPY ON US!
All of this is fully explained in an article at ITworld.com:
It's "data about data" -- or, more properly in this context, it's data about content. When you look at a Web page, a photo, or an e-mail message, what you see is the human-readable content. Hiding underneath that picture of a kitten, the ITworld Web page, or a note from your mom, is all kinds of data about what you see.
With a digital photograph, there can be dozens of data fields. There are multiple formats for this data. …. A photograph's metadata can record the camera that was used to take it, and the date and time it was taken -- along with the location, if the camera has a GPS. If you edit your photograph, the metadata can also be used to record what software and operating system you used. And with the right software…. you can read any image's metadata.
So metadata is what allows the NSA to keep tabs on us all, especially when it comes to phone records, where the metadata includes the identity of the SIM (its IMSI) and of the handset it is installed in (its IMEI), who called/texted whom, from where (the cell tower), when, and for how long. We also generate metadata every time we surf the net, send an email, or post on a forum, and all of it is trawled by Internet service providers, for marketers and researchers. If you use a mobile, or the Internet, there are profiles of you gleaned from all this data. There’s so much of it, and it’s so useful, it’s worth a lot of money.
Metadata is gold-dust because it is a window to your soul.
Companies like Facebook, Google and Microsoft pick up all of our digital breadcrumbs, and sell them. Analysing who communicates with whom, when and how often, without reading the content, is known in the trade as ‘traffic analysis’, and the data is retrievable for law enforcement, and auditing, at any time in the future. It is also used, in real-time, to try and predict crime. Computer programs analyse metadata looking for patterns, in an attempt to detect ‘pre-crime’. It is used to decide where to concentrate police powers, but the fetish of ‘detecting terrorism’ is a fearsome fetish indeed. After all, they presume any one of us could be a terrorist. Not so long ago, (sometimes violent) political activists were called ‘freedom fighters’ by the media. Now, even a person who questions the authority of the globalists can be deemed a potential terrorist. Perhaps you’ll be placed on ‘the list’ just for reading this article…. or perhaps, we are, already, all suspects. Trouble is, all of this big data the NSA are getting, “may mean more information, but it also means more false information.... If big data leads to more false correlations, then mass surveillance may lead to more false accusations of terrorism.”
One of the NSA’s research projects aim (sic) is to forecast, on the basis of telephone data and Twitter and Facebook posts, when uprisings, social protests and other events will occur. The agency is also researching new methods of analysis for surveillance videos with the hope of recognizing conspicuous behavior before terrorist attacks are committed.
….. Apparently the data is extracted, transferred and loaded into servers at the Utah Data Center in Bluffdale. According to Der Spiegel, there [is] enough capacity to store a Yottabyte of data…. Large enough to store all the electronic communications of all of humanity for the next 100 years……. Ira Hunt, CTO for the Central Intelligence Agency, said in a speech at the GigaOM Structure: Data conference that “The value of any piece of information is only known when you can connect it with something else that arrives at a future point in time.
This is why data is stored, and what Alexander meant when he said the NSA are “connecting the dots”. Patterns and meaning can be found in metadata from a whole range of sources.
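To make the ‘hops’ arithmetic and the ‘traffic analysis’ described above concrete, here is an added example (mine, not code from the article or from any agency or vendor it mentions). It parses a handful of constructed call-detail records, which are hypothetical numbers, cell IDs and times, builds the contact graph, expands it one, two and three hops from a seed number, and then draws the kind of inferences that need no call content at all: who the seed rings in the small hours and which cell towers it usually calls from. The worst-case 40 × 40 × 40 figure is included as a bound; the breadth-first expansion shows why the real population is smaller, because contacts overlap.

```python
"""Contact chaining and pattern inference over call-detail-record metadata.

Added example; not from the original article. The records are constructed
for illustration. Each record: caller, callee, start time (ISO 8601),
duration in seconds, cell tower the caller was attached to. No call content
is present, which is the point: metadata alone yields the graph, the
schedule and the locations.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (hypothetical numbers and cell IDs).
CDR_LINES = """\
+15550001,+15550002,2013-08-01T02:14:00,320,CELL-17
+15550001,+15550003,2013-08-01T09:02:00,45,CELL-04
+15550002,+15550004,2013-08-01T02:40:00,600,CELL-21
+15550002,+15550001,2013-08-02T02:05:00,200,CELL-21
+15550003,+15550005,2013-08-02T13:20:00,30,CELL-04
+15550004,+15550006,2013-08-03T18:45:00,900,CELL-21
+15550006,+15550007,2013-08-03T19:10:00,60,CELL-33
+15550007,+15550008,2013-08-04T08:00:00,120,CELL-33
+15550001,+15550002,2013-08-05T01:58:00,410,CELL-17
+15550009,+15550010,2013-08-05T11:00:00,75,CELL-02
"""


def hop_bound(fanout, hops):
    """Worst-case population if every contact has `fanout` new contacts."""
    return fanout ** hops


def parse_cdr(text):
    records = []
    for line in text.strip().splitlines():
        caller, callee, start, dur, cell = line.split(",")
        records.append({
            "caller": caller, "callee": callee,
            "start": datetime.fromisoformat(start),
            "duration": int(dur), "cell": cell,
        })
    return records


def build_graph(records):
    """Undirected contact graph: an edge for every call, either direction."""
    graph = defaultdict(set)
    for r in records:
        graph[r["caller"]].add(r["callee"])
        graph[r["callee"]].add(r["caller"])
    return graph


def contact_chain(graph, seed, hops):
    """Breadth-first expansion: every number within `hops` calls of `seed`.
    Returns {number: hop distance}; the seed itself is at hop 0."""
    dist = {seed: 0}
    frontier = [seed]
    for h in range(1, hops + 1):
        nxt = []
        for n in frontier:
            for m in graph.get(n, ()):
                if m not in dist:
                    dist[m] = h
                    nxt.append(m)
        frontier = nxt
    return dist


def night_contacts(records, number, start_hour=0, end_hour=5):
    """Who `number` repeatedly calls between start_hour and end_hour."""
    c = Counter()
    for r in records:
        if r["caller"] == number and start_hour <= r["start"].hour < end_hour:
            c[r["callee"]] += 1
    return c


def usual_cells(records, number):
    """Cell towers `number` has placed calls from, most frequent first."""
    c = Counter(r["cell"] for r in records if r["caller"] == number)
    return c.most_common()


if __name__ == "__main__":
    recs = parse_cdr(CDR_LINES)
    g = build_graph(recs)
    print("worst case at 3 hops with fanout 40:", hop_bound(40, 3))
    for k in (1, 2, 3):
        chain = contact_chain(g, "+15550001", k)
        print(f"{k} hop(s): {len(chain) - 1} numbers beyond the seed")
    print("late-night callees:", dict(night_contacts(recs, "+15550001")))
    print("cells called from:", usual_cells(recs, "+15550001"))
```

Run on the constructed records, the third hop reaches five numbers rather than 64,000, but it already sweeps in people who have never spoken to the seed; the late-night callee and the home cell fall out of the same rows without anyone listening to a call.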
Because smart meters register every tiny up and down in energy use, they are, in effect, monitoring every activity in the home. By studying three homes’ smart-meter records, researchers at the University of Massachusetts were able to deduce not only how many people were in each dwelling at any given time but also when they were using their computers, coffee machines, and toasters. Incredibly, Kohno’s group at the University of Washington was able to use tiny fluctuations in power usage to figure out exactly what movies people were watching on their TVs. (The play of imagery on the monitor creates a unique fingerprint of electromagnetic interference that can be matched to a database of such fingerprints.)
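The smart-meter inference in the quotation above rests on a simple idea: each appliance adds a characteristic step to the household’s aggregate power draw when it switches on and subtracts it when it switches off. Here is an added example of that edge-based approach (mine, not code from the article or from the University of Massachusetts or University of Washington work it cites). The appliance signatures, the minute-by-minute readings and the 10% matching tolerance are all constructed assumptions; the movie-fingerprinting trick is out of scope.

```python
"""Appliance and occupancy inference from smart-meter readings.

Added example; not from the original article or the research it cites.
The load trace and the appliance signatures below are constructed. The
method: find step changes in aggregate power, match each step to a known
appliance's steady-state draw, and treat any non-background appliance
switching on as evidence that someone is home and what they are doing.
"""

# Hypothetical steady-state power draw per appliance, in watts.
SIGNATURES = {
    "fridge compressor": 120,
    "laptop": 60,
    "coffee machine": 900,
    "toaster": 1400,
}
TOLERANCE = 0.10          # match if within 10 % of a signature
BACKGROUND = {"fridge compressor"}   # runs whether or not anyone is home

# Constructed readings, one per minute in watts, starting at 06:00.
READINGS = [
    45, 45, 165, 165, 165, 45, 45,        # fridge cycles on, then off
    945, 945, 945, 945, 45,               # coffee machine for four minutes
    105, 105, 1505, 1505, 105, 105, 105,  # laptop on; toaster for two minutes
    45, 45, 45,                           # laptop off
]


def detect_edges(readings, min_step=30):
    """Return (index, delta_watts) for every change of at least min_step."""
    edges = []
    for i in range(1, len(readings)):
        delta = readings[i] - readings[i - 1]
        if abs(delta) >= min_step:
            edges.append((i, delta))
    return edges


def match_signature(delta):
    """Closest appliance whose draw is within TOLERANCE of |delta|, or None."""
    mag = abs(delta)
    best = None
    for name, watts in SIGNATURES.items():
        if abs(mag - watts) <= TOLERANCE * watts:
            if best is None or abs(mag - watts) < abs(mag - SIGNATURES[best]):
                best = name
    return best


def label_events(readings, start_hour=6):
    """Turn edges into (clock time, appliance, on/off) tuples."""
    events = []
    for idx, delta in detect_edges(readings):
        name = match_signature(delta) or "unknown"
        state = "on" if delta > 0 else "off"
        hh, mm = start_hour + idx // 60, idx % 60
        events.append((f"{hh:02d}:{mm:02d}", name, state))
    return events


def human_activity(events):
    """Times at which a person must have been present, and what they did."""
    return [(t, name) for t, name, state in events
            if state == "on" and name not in BACKGROUND and name != "unknown"]


if __name__ == "__main__":
    evs = label_events(READINGS)
    for t, name, state in evs:
        print(t, name, state)
    print("someone was home:", human_activity(evs))
```

The simultaneous laptop-plus-toaster case shows why edges, not absolute levels, are matched: the toaster is recognised from the 1,400 W step even though the meter reading at that moment is 1,505 W. A real meter reporting every few seconds, with two-state appliances and transient spikes, needs filtering the example omits, but the inference chain from ‘tiny up and down in energy use’ to ‘coffee at 06:07’ is the same.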
This has all gone way too far already. Mobile phones can be hacked so audio and video can be activated remotely. So can laptops (girl was watched in the bath!), and all else that’s smart in some way. All of this is receiving a lot of attention in the media, and my bet is that we are about to be sold Identity Management, courtesy of the NSTIC, as a way to ‘protect ourselves’. Even if this does offer us one extra layer of security from some thieves, it still means granting control of our lives to a large corporation, and making surveillance far easier for the NSA, CIA, FBI, etc.
Obviously, the people behind NSTIC, or Identity Assurance in the UK, won’t sell it to you this way, when it’s ready - they’ll want you to have forgotten about Edward Snowden’s ‘revelations’ by then. After all, some of the very same telcos that hand over our details to the NSA will be playing the part of Internet gatekeepers in the global identity ecosystem.
You’ll be told it’s all for you. They say they just want to protect you from the big bad cyberbullies, and make your life easier by not having to remember lots of passwords. You’ll be told it’s voluntary, that you don’t have to sign up with an Identity Provider, but in fact, not joining will eventually prevent you from participating in society: in the near future, most health services, and all contact with the government, will be online only, but you have to use a third party to do so, i.e. register with an Identity Provider (IdP).
Not long after that, it will only be possible to pay for anything electronically, which of course you will need an IdP for. Your smart meter will also be part of the identity ecosystem. To gain entrance to public buildings, perhaps even your own house or car, you’ll have to use your smart card/phone to prove who you are. All devices and all people in the Internet of Things will have their own unique identity.
All brought to you by the Identity Providers – the creators of identity profiles for each and every one of us, stored digitally and wondrously accessible for law enforcement. Companies such as AT&T and Microsoft have previously 'complained' that they have had to devote whole teams to the business of handing over information on citizens to the likes of the NSA. With Identity Management, all of the information is aggregated, and the problem of managing all that data is instead turned into a tidy profit for the telcos and platform companies for delivering a ‘service’ to the people.
The details released by Edward Snowden have caused an uproar, even in the mainstream arena, showing how highly we all value our privacy. Nonetheless, the public anxiety created by the leaks could be manipulated to plead the case for Identity and Access Management – the very aim of the NSTIC.
Identity management is fundamental to the globalists’ plan to gain "maximum control of the entire electromagnetic spectrum".
Tell people this.