The nefarious tactics being employed in the crypto universe are a useful study because they shed light on the current state of risk and on what needs to be improved in terms of trust. This write-up covers some recent security incidents, analyses their root causes, and helps set the stage for understanding what is to come in terms of the players involved and their future incentives.
The notion of how cyber security can contribute during the pandemic has so far been limited to the province of reducing technology risk and fraud against corporate institutions.
The past decade has shown how technology is able to disrupt other industry sectors. For example: Uber is a technology company that has disrupted the transportation sector; SpaceX is arguably as much a technology institution as it is a rocket company, given the amount of computer sensing that has made its innovation possible; and so on.
It’s the cross pollination and polymathic thinking that has allowed technology companies to innovate beyond operational computing support and upkeep. In the realm of cyber security, it’s precisely the lack of this type of polymathic thinking that is preventing us from contributing to solutions that reduce deaths from the impact of the virus.
In this document, we will explore actionable arenas where cyber security professionals can contribute directly:
First, we lay the foundations of understanding basics in the field of genetics and the COVID19 virus by exploring viable analogies between computer science and genetics.
We then explore how the skillset of cyber security knowledge can be leveraged to promote solutions that find actionable insights from available COVID19 academic research and also develop the technology accelerators for genetic researchers.
Finally, we explore how security engineering must take the lead in developing source code and protocols that will be vital in achieving contact-tracing at a global scale so that citizens and governments can move forward in accelerating the course to normalcy without sacrificing many lives.
It’s been a decade since we accepted the idea that the perimeter strategy for security is ineffective: endpoints must strive to protect their own stack rather than rely on their network segment being completely trustworthy. However, this notion has mostly permeated the corporate space, and only as an emergency measure. Even so, businesses are still struggling to implement controls in this area given the legacy of flat networks and operating system design.
When it comes to residences, the implicit notion is that controls beyond Network Address Translation (NAT) aren’t immediately necessary from the perspective of cost and complexity. The emergence of Internet of Things (IoT) is going to dramatically change this notion.
Figure 1: The Belkin WeMo Baby Monitor, the WeMo Switch, and the Wi-Fi NetCam
My point is illustrated in "Reconsidering the Perimeter Security [PDF]", where I examine the security design of the Belkin WeMo baby monitor, the WeMo wireless switch, and the NetCam Wi-Fi camera.
Figure 2: Lon J. Seidman's review of the WeMo baby monitor
In the case of the baby monitor, one glaring design issue was that anyone with one-time access to the local Wi-Fi where the monitor is installed can listen in without authentication, and can continue to listen in remotely afterwards. This is also called out by Amazon reviewer Lon J. Seidman in his review titled "Poor security, iOS background tasks not reliable enough for child safety":
"...But that's not the only issue plaguing this device. The other is a very poor security model that leaves the WeMo open to unwelcome monitoring. The WeMo allows any iOS device on your network to connect to it and listen in without a password. If that's not bad enough, when an iPhone has connected once on the local network it can later tune into the monitor from anywhere in the world".
Figure 3: Demonstration of WeMo baby app concern
I've demonstrated the issue Seidman points out in the video above. The paper goes into more technical detail.
Figure 4: Demonstration of malware turning the WeMo switch off
In the case of the WeMo switch, it was found that any device on the local network can turn it off without any additional authorization. In the paper, I describe how to write a script to do this.
Figure 5: Belkin NetCam sends credentials in clear-text to a remote server
The Belkin NetCam uses SSL and requires the user to log in even when the user is on the local Wi-Fi. However, as shown in Figure 5, it still manages to send the credentials in clear text to a remote server. This enables local malware, or any intermediary on the path (for example at the ISP), to capture the credentials and spy on the camera owners.
Given the upcoming revolution of automation in our homes, we are already seeing self-installable IoT devices such as the ones discussed here. As the examples above illustrate in detail, we cannot secure our future by asserting that IoT devices and their supporting applications have no responsibility to protect the user’s privacy and security beyond requiring the user to set up a strong Wi-Fi password.
IoT device manufacturers should lay the foundation for a strong security architecture that is usable and that is not easily subverted by other devices on the same network. In these times, a compromised device on a home network can lead to the loss of financial and personal information. If IoT vendors continue to depend on the local home network, and on every other device on it, being completely secure, we will live in a world where a single compromised device can result in gross remote violation of the privacy and physical security of their customers.
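As an added example (not code from the article or from Belkin), the following contrasts the two designs discussed above: the shape of an unauthenticated local control message of the kind the switch accepts, beside a hypothetical device-side check that binds every request to a key established at pairing time. The UPnP service name, action name and control path are assumptions modelled on a generic UPnP device description rather than values taken from the article; the `PairedSwitch` design is likewise a hypothetical hardening, not a description of any vendor's firmware.

```python
"""
Added example: unauthenticated LAN control versus pairing-key authentication.
Service/action/path values are assumptions, not taken from the article.
"""
import hashlib
import hmac
import secrets
import time

UPNP_SERVICE = "urn:Belkin:service:basicevent:1"   # assumed service name
UPNP_ACTION = "SetBinaryState"                      # assumed action name
CONTROL_PATH = "/upnp/control/basicevent1"          # assumed control URL


def build_set_binary_state(state):
    """SOAP control message a LAN client would POST. Note: no credential anywhere in it."""
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{UPNP_ACTION} xmlns:u="{UPNP_SERVICE}">'
        f'<BinaryState>{int(state)}</BinaryState>'
        f'</u:{UPNP_ACTION}></s:Body></s:Envelope>'
    )
    headers = {
        "SOAPACTION": f'"{UPNP_SERVICE}#{UPNP_ACTION}"',
        "Content-Type": 'text/xml; charset="utf-8"',
    }
    return {"path": CONTROL_PATH, "headers": headers, "body": body}


class WeakSwitch:
    """Model of the flawed design: any well-formed request from the LAN is obeyed."""

    def __init__(self):
        self.on = True

    def handle(self, request):
        self.on = bool(int(request["state"]))
        return True


class PairedSwitch:
    """Hypothetical hardened design: a key shared at pairing time authenticates
    every request; a nonce plus timestamp window rejects replays and stale messages."""

    WINDOW_SECONDS = 30

    def __init__(self, pairing_key):
        self.key = pairing_key
        self.on = True
        self.seen_nonces = set()

    @staticmethod
    def mac(key, device_id, state, nonce, ts):
        msg = f"{device_id}|{state}|{nonce}|{ts}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def handle(self, request, now=None):
        now = time.time() if now is None else now
        try:
            ts = int(request["ts"])
            nonce = request["nonce"]
            device_id = request["device_id"]
            state = int(request["state"])
            tag = request["mac"]
        except (KeyError, ValueError, TypeError):
            return False                      # unauthenticated or malformed
        if abs(now - ts) > self.WINDOW_SECONDS:
            return False                      # stale
        if nonce in self.seen_nonces:
            return False                      # replay
        expected = self.mac(self.key, device_id, state, nonce, ts)
        if not hmac.compare_digest(expected, tag):
            return False                      # wrong key or tampered fields
        self.seen_nonces.add(nonce)
        self.on = bool(state)
        return True


def sign_request(pairing_key, device_id, state, now=None):
    """What a paired app would send instead of the bare SOAP body above."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return {
        "device_id": device_id,
        "state": int(state),
        "nonce": nonce,
        "ts": ts,
        "mac": PairedSwitch.mac(pairing_key, device_id, int(state), nonce, ts),
    }
```

The pairing key would be provisioned once, out of band (for example during initial setup over a direct connection or by scanning a code printed on the device), which is exactly the step that turns "anything on my Wi-Fi" into "the devices I have explicitly paired". The nonce set grows without bound here; a real device would bound it by expiring entries older than the timestamp window.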
The question of how much phishing costs business is an important one. I am personally interested in it because I have recently been speaking about my research in phishing at various conferences, and also because my clients often reach out to me for advice on the topic.
I concede that I have often leveraged the Gartner claim of $3.2 billion to make my case on why phishing is a major problem - it immediately gets the audience to understand and accept the fact that the phishing ecosystem is an incredible menace that must be dealt with.
In January 2009, Cormac Herley and Dinei Florencio of Microsoft Research published A Profitless Endeavor: Phishing as Tragedy of the Commons. In this paper, Herley and Florencio systematically and methodologically state the case for why they think the cost of phishing is not $3.2 billion annually as claimed by Gartner, but more around $61 million (section 4.4).
Even though I have leveraged the Gartner research in my presentations, I nodded in agreement as I read the hypothesis and the reasoning offered by Microsoft Research. I remembered going through the vast amount of underground message boards where phishers and scam-artists convene, noting how much of a constant struggle it was for the phishers to monetize (including cases where phishers attempted to scam other phishers), and wondering how it is that such a struggling system could correlate to a $3.2 billion loss.
The factor of difference between the Gartner and Microsoft Research numbers is roughly 50x. That's right: fifty.
It is important to understand that the claims by Gartner and Microsoft Research are scientific claims: they should be based upon reason and evidence. Even though it may not be possible to arrive at the hypothetical end-solution of an absolutely exact number, the goal of the exercise is to tend towards a reasonably accurate estimate.
My appreciation of the Microsoft Research publication stems from the scientific discourse utilized to make the arguments - reason and evidence, systematically presented. What did Gartner have to say in response? Here is a quote from a Dark Reading article:
Avivah Litan, vice president and distinguished analyst of information security and risk at Gartner, says the researchers' paper is more of an academic exercise than reality. "They are assuming their economic theories apply here -- there is no hard evidence that they do," Litan says.
I am extremely puzzled by this stance. Why wouldn't economic theories apply? After all, we are debating dollar figures here, aren't we? Herley and Florencio walk through well-reasoned arguments for their calculations. If Litan isn't in agreement, I feel she should be more specific on her stance - what exactly doesn't she agree with and why?
"It's very misleading for the authors only to look at the phishing industry without looking at the malware business," said Litan. "In fact, it renders their entire economic argument meaningless."
Even though Herley and Florencio do not specifically mention malware in their paper (except for once, in a different context, page 8), their hypothesis on the dismal economics of phishing still stands (I am assuming that Litan was referring to malware served by phishing sites).
The original Gartner press release makes extraordinary claims: $3.2 billion is not an estimate that should be taken lightly by anyone. Extraordinary claims require extraordinary evidence (quoting Carl Sagan). As I read through the Gartner press release, I felt that the claims were unsupported because, besides the fact that a survey was conducted, it does not reveal the methodology used to arrive at the specific claims (and then there's Herley and Florencio's bias argument, section 4.2.1).
The Gartner press release, seems in essence, to be based on authority: here are the facts and they are true because we are a reputable brand and because we say so. There are only a few people that can get away with forming arguments based on authority - one of them is pictured below.
In all seriousness, I am sincerely excited about the ongoing conversation on the real cost of phishing because it is something that advances our knowledge. The point is not for Gartner or Microsoft Research to have the final say - the goal is to have a conversation so we all arrive closer to what is true. Here is a quote from a Richard Dawkins' speech that illustrates my sentiment:
A formative influence on my undergraduate self was the response of a respected elder statesmen of the Oxford Zoology Department when an American visitor had just publicly disproved his favorite theory. The old man strode to the front of the lecture hall, shook the American warmly by the hand and declared in ringing, emotional tones: "My dear fellow, I wish to thank you. I have been wrong these fifteen years." And we clapped our hands red. Can you imagine a Government Minister being cheered in the House of Commons for a similar admission? "Resign, Resign" is a much more likely response!
I am excited that we are indulging in such important conversations in information security, but I sincerely hope that we keep ourselves in check, and that we continue to press for critical thinking and encourage scientific discourse.
Getting back onto the original topic, it could very well be that the Microsoft Research paper includes errors, yet for now, I have not come across any well-reasoned counter-arguments that influence me otherwise. I would welcome any additional comments from Gartner - but be aware, they would have to qualify my "is this argument based on reason and evidence?" filter before being accepted.
In a previous article, Hacking the Psyche, I presented the security and privacy implications of capturing feelings of individuals using on-line mechanisms for good use as well as abuse and manipulation. Whenever controls around individual privacy are called into question, there is always, on the other side of the coin, a clear business opportunity.
Corporations often use indirect data such as demographic information and sales statistics to measure the health of their brand, because the direct data, i.e., how the public and their customers actually feel about the brand, is not available for capture. In this article, I want to put forth a case study to demonstrate how capturing feelings on the social web can allow companies to measure the reputation of their brand.
In September 2008, Microsoft reportedly paid Jerry Seinfeld $10 million to star in its recent TV commercial campaign. In this article I want to provide evidence for the hypothesis that Microsoft, in addition to paying Seinfeld, suffered the additional cost of damage to its brand from the commercials. On a positive note, the I'm a PC commercial that followed seems to have made up for the damage.
Here are the TV advertisements:
September 4, 2008: Shoe Circus [starring Jerry Seinfeld and Bill Gates]
September 11, 2008: New Family [starring Jerry Seinfeld and Bill Gates]
September 18, 2008: I'm a PC [not starring Jerry Seinfeld]
Now, let's turn to Twitter to measure the feelings expressed towards these commercials during September 2008. Using the Emotion Dashboard tool I presented in Hacking the Psyche, I was able to visualize how people on Twitter felt about these commercials. Here's a video of the tool in action:
Here is a screen-shot of the result including some annotations:
Most people disliked the first commercial (Red bar indicating overall negative feelings). The most common word used to express feelings towards the first commercial was "WTF" as indicated by the word cloud and the video demonstration.
Feelings on the Microsoft brand started to recover to a positive state, only to plummet again once the second commercial was aired (Red bar).
The third commercial, I'm a PC, devoid of Seinfeld, was generally liked and appreciated, helping feelings towards the Microsoft brand return to a positive state (Yellow bar indicating 'happy' feelings).
There you have it: a powerful method to use feelings expressed in social media to measure a corporation's brand and marketing efforts.
Brand reconnaissance is not the only effort that can be leveraged from feelings on the social web. If you are interested in this topic, I invite you to consider my upcoming talk at the O'Reilly Money Tech Conference, titled Emotion Dashboard: Harvesting Feelings on the Social Web for Powerful Decisioning.
I think Tim did the right thing in putting up the blog entry about his endorsement for Obama. Even though Tim himself may see some justice in one reader's displeasure about the blog entry showing up in the News section - I don't see a problem with it. Tim is a well known technologist - his endorsement and, most importantly, his reasoning behind his endorsement is news to me and I want to read it.
I feel that, as technologists and scientists, we have the right and the duty to take up critical thought and express opinions on topics that are important to the world and to society; the job of information technology is a lot more than discussing software and hardware for the sake of discussing software and hardware.
My enthusiasm for technology ultimately derives from my appreciation for the most well known method of evaluating and finding out what is true in the universe: Science. Therefore, I want to extend this issue beyond the O'Reilly case to point out two topics that are often labeled taboo and consequently banned from discussion on many intellectual forums and venues: politics and religion.
I feel the science community at large has played along with the taboo of approaching the matters of politics and religion with kid gloves for far too long. These are important topics that affect our lives today and the lives of future generations.
Politics is important. We need more scientists and technologists, not less, to get into the conversation and offer critical thought and reasoning towards important issues.
Religion shapes people's lives and minds, yet it is deemed disrespectful to converse about, or even approach, the topic in many forums, with the superficial reasoning that religion and science do not intersect. I reject this stance for the following reason: a universe with the supernatural mechanisms offered by most religions is likely to be very different from a universe without supernatural mechanisms. Therefore the topic is no longer devoid of science, and as a scientist I am interested in it.
Venues such as O'Reilly are not likely to discuss politics or religion often. Yet, as scientists and technologists, when we do have something to say that addresses an important topic where we can offer reasoning and critical thought, let's not be shy about it. The illogical, taboo-based counter-claim, mostly along the lines of "You are not supposed to talk about x. Why not? Because you are not", is dangerous because it shuts science out from contributing much-needed critical thought and reasoning to important topics that shape our world.
In this article, I want to persuade you of the real possibility, and high probability, that in the very near future remote entities will be able to target people’s online presence to capture and leverage their emotional states and feelings. There are some very extreme implications of this from a security and privacy perspective, and this is the scope I will adhere to in this article. On the flip side, the ideas presented here can be leveraged to construct powerful business decisioning and measurement capabilities, a topic that deserves its own space; I will cover that subject in a separate article in the next few days.
Before I go any further, I want to stress that the purpose of this article is not to spread undue alarm, nor is the purpose to portray social online media as an evil. I personally utilize the many avenues of online communication and collaboration facilitated by the Generation Y culture. The purpose of this article, instead, is to share some of my initial thoughts on the possibilities of abuse, specific to the mapping of individual feelings online and possible implications.
In this talk, Jonathan describes his passion for making sense of the emotional world and his deep compassion for the human condition. Regardless of this particular article, Jonathan’s talk stands on its own. I think Jonathan’s ideas, projects, and aspirations are true works of art. His ideas are powerful enough to inspire a security professional such as me to look outside the oft-incestual world of information security, and to reach out and connect with other venues of science and understanding. In a small way, the material presented in this article is my attempt to do just that.
I invite you to visit one of Jonathan’s projects that he co-founded with Sep Kamvar - We Feel Fine :
Since August 2005, We Feel Fine has been harvesting human feelings from a large number of weblogs. Every few minutes, the system searches the world's newly posted blog entries for occurrences of the phrases "I feel" and "I am feeling". When it finds such a phrase, it records the full sentence, up to the period, and identifies the "feeling" expressed in that sentence (e.g. sad, happy, depressed, etc.). Because blogs are structured in largely standard ways, the age, gender, and geographical location of the author can often be extracted and saved along with the sentence, as can the local weather conditions at the time the sentence was written. All of this information is saved.
The result is a database of several million human feelings, increasing by 15,000 - 20,000 new feelings per day. Using a series of playful interfaces, the feelings can be searched and sorted across a number of demographic slices, offering responses to specific questions like: do Europeans feel sad more often than Americans? Do women feel fat more often than men? Does rainy weather affect how we feel? What are the most representative feelings of female New Yorkers in their 20s? What do people feel right now in Baghdad? What were people feeling on Valentine's Day? Which are the happiest cities in the world? The saddest? And so on.
...
At its core, We Feel Fine is an artwork authored by everyone. It will grow and change as we grow and change, reflecting what's on our blogs, what's in our hearts, what's in our minds. We hope it makes the world seem a little smaller, and we hope it helps people see beauty in the everyday ups and downs of life.
Here is a video I uploaded to YouTube demonstrating We Feel Fine’s interface, including the ability to filter for specific targets (for example: feelings expressed by individuals in their 20s in Iraq):
Emotion Dashboard: Targeting Individuals. The We Feel Fine project does not target specific individuals. The creators of the project imply that doing so would violate an individual's privacy:
Privacy: We Feel Fine only collects and displays data that was already posted publicly on the World Wide Web. We Feel Fine never associates individual human names with the feelings it displays, though it always provides a link to the blog from which any displayed sentence or picture was collected....
We Feel Fine is a work of art designed by well meaning intellectuals. It doesn’t have the capability nor the intention of intruding on any one particular person’s privacy, yet the project raised my personal consciousness towards the security and privacy implications of capturing the feelings (past and present) of individuals.
To pursue discussion around the possibility and implications of capturing feelings projected by individuals online, I decided to develop a proof of concept visualization tool that I will call Emotion Dashboard. This is not a production-ready tool of any sort because I do not currently have the resources to develop such a thing. The goal of this tool (if you should even call it a tool) is to demonstrate my ideas and my vision on this particular topic to facilitate and encourage further discussion in the community. Here are the components of Emotion Dashboard:
RSS. It consumes an RSS feed as its source of input. This RSS feed can include more than one resource stitched together using a service such as Yahoo Pipes:
In other words, the targeted individual’s online presence may include his or her Facebook profile updates, Blogs, and Twitter messages. In this way, updates on all of the sources of a particular individual’s online presence can be coupled together in one RSS feed and then supplied to Emotion Dashboard which will scan the feed from the past to the present (older entries first).
Pulse. In order to visualize the emotional state of an individual from the past (older RSS entry) to the current, the tool includes a line graph at the top of the interface that tends upwards when a word that expresses a happy (positive) emotion is found, and downwards when a word that expresses a sad or angry (negative) emotion is located. To accomplish this feature, I was able to leverage the CSV file provided by the We Feel Fine project located here: http://www.wefeelfine.org/data/files/feelings.txt. This file includes a list of words that are commonly used to express feelings. I marked each word in this file against my judgment of it being a positive or negative sounding word. Occurrences of these words are plotted on the line graph, and can also be clicked on to spawn a new browser session targeting the relevant location of the word.
Immediately below the line graph is a solid bar that expresses the culmination of the individual’s overall mood. The color of this bar is either Yellow (happy), Blue (sad), or Red (angry). The hex code for these colors are also derived from the We Feel Fine CSV file listed above.
I concede that this technique of merely grepping for words lacks context and that it is prone to an extremely high error rate. However, given the limited resources I have at this point, my goal is not to provide something that is readily usable for all cases, but to present a starting point for a possible approach and the probable implications should it be extended with intelligent, grammar-based contextual analysis. Do note that, even though I concede this approach is vulnerable to a high error rate, the technique does, statistically speaking, get slightly more accurate the more words it consumes.
Word Cloud. Below the line graph is a simple word cloud containing words from the CSV list discussed above. As the RSS feed is analyzed from past to present, words in the word cloud grow in size as they re-occur.
The word cloud allows the user to analyze the words being used to express feelings as the Emotion Dashboard reads the RSS feed from past to present. The words in the cloud are colored based on the associated hex color codes present in the CSV file.
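The three components just described (a polarity-tagged word list, a running score plotted over the feed from oldest to newest, and a word cloud of counts) can be reproduced in a few dozen lines. The following is an added example written for this page, not the author's Emotion Dashboard code; the lexicon is a constructed stand-in for the We Feel Fine feelings.txt list (a handful of words with made-up colour codes), and the RSS feed is a constructed sample rather than any real person's presence. The `dips_below` trigger at the end goes slightly beyond the dashboard itself and shows the kind of threshold alert discussed later in the article.

```python
"""
Added example: lexicon-based emotional "pulse" over an RSS feed, modelled on the
Emotion Dashboard description. Lexicon and feed below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from email.utils import parsedate_to_datetime

# Constructed lexicon: word -> (polarity, hex colour). A stand-in for feelings.txt,
# which has far more entries; polarities here are the author's "positive/negative" marking.
LEXICON = {
    "happy":     (+1, "#fbd400"),
    "nice":      (+1, "#ffe56d"),
    "great":     (+1, "#f9b800"),
    "upset":     (-1, "#c82020"),
    "angry":     (-1, "#b00000"),
    "sad":       (-1, "#2244aa"),
    "depressed": (-1, "#1d3b8f"),
}
ANGRY_WORDS = {"angry", "upset"}
SAD_WORDS = {"sad", "depressed"}

# Constructed feed standing in for a stitched-together blog/Twitter feed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed sample</title>
<item><title>a</title><pubDate>Mon, 06 Oct 2008 09:00:00 +0000</pubDate>
  <description>Feeling happy about the new job, nice people.</description></item>
<item><title>b</title><pubDate>Tue, 07 Oct 2008 18:00:00 +0000</pubDate>
  <description>My friend got laid off today. I am so upset and angry.</description></item>
<item><title>c</title><pubDate>Wed, 08 Oct 2008 08:00:00 +0000</pubDate>
  <description>Still sad about it, but it will be a nice weekend.</description></item>
</channel></rss>"""

WORD = re.compile(r"[a-z]+")


def parse_feed(xml_text):
    """Return items oldest-first as (timestamp, text), the order the dashboard consumes them."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        when = parsedate_to_datetime(item.findtext("pubDate"))
        text = (item.findtext("title") or "") + " " + (item.findtext("description") or "")
        items.append((when, text))
    return sorted(items, key=lambda t: t[0])


def pulse(items):
    """The line graph: running score, +1 per positive word, -1 per negative word.
    Also returns the word-cloud counts. Each point keeps the word and timestamp so a
    UI could link back to the originating entry."""
    score = 0
    points = []          # (timestamp, word, score after this word)
    cloud = Counter()
    for when, text in items:
        for w in WORD.findall(text.lower()):
            if w in LEXICON:
                score += LEXICON[w][0]
                cloud[w] += 1
                points.append((when, w, score))
    return points, cloud


def mood_bar(cloud):
    """Colour of the summary bar: yellow if positives outweigh negatives,
    otherwise red or blue depending on which negative class dominates."""
    pos = sum(n for w, n in cloud.items() if LEXICON[w][0] > 0)
    angry = sum(n for w, n in cloud.items() if w in ANGRY_WORDS)
    sad = sum(n for w, n in cloud.items() if w in SAD_WORDS)
    if pos >= angry + sad:
        return "yellow"
    return "red" if angry >= sad else "blue"


def dips_below(points, threshold):
    """Simple trigger: the (timestamp, word) pairs at which the running score
    crossed from at-or-above the threshold to below it."""
    out = []
    prev = 0
    for when, w, s in points:
        if prev >= threshold > s:
            out.append((when, w))
        prev = s
    return out


if __name__ == "__main__":
    pts, cl = pulse(parse_feed(SAMPLE_FEED))
    for when, w, s in pts:
        print(when.date(), w, LEXICON[w][1], s)
    print("bar:", mood_bar(cl), "cloud:", dict(cl), "dips:", dips_below(pts, 0))
```

Running it on the sample walks the score 1, 2, 1, 0, -1, 0 across the three entries, which is exactly the "positive, negative event, partial recovery" shape the Jack Smith walkthrough below describes. It also makes the error-rate concession concrete: "laid off" contributes nothing because it is not in the lexicon, and a negated phrase such as "not happy" would score as positive.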
The following screenshot demonstrates a sample output for an individual’s (who we will call “Jack Smith” for the purposes of this discussion) online presence:
Here are some observations and implications:
Jack’s initial online presence portrays his emotional state as positive (word-cloud: happy).
Jack blogs about his friend being laid off from his job (word-cloud: layoff). This is a negative event.
Feelings expressed by Jack on venues other than this blog where he has an online presence (example: Twitter), on the same day as his blog entry about his friend’s layoff, are extremely negative (word-cloud: handicapped, upset) even though Jack is discussing other topics. This leads to the hypothesis that Jack’s overall mood is negative because he is influenced by his friend’s situation. This hypothesis, if true, may allow a malicious third party to manipulate Jack’s negative state in order to influence his actions. However, for such a tactic to succeed, the third party needs to understand Jack’s personality, i.e., how Jack behaves in moments of stress. It is possible for a third party to construct a personality profile of Jack by studying the content he has authored across his online presence (blog, Twitter, Facebook, etc.) and correlating it with known personality analysis methodologies, for example tests based on the Big Five personality traits:
Once enough information about Jack is collected to reasonably satisfy the personality test requirements, Jack’s personality patterns can be determined, which may aid a malicious third party in exploiting Jack’s current emotional state. It is also plausible that this can be extended to automated, trigger-based capabilities. This is an extremely powerful idea: Jack may not be consciously aware of his negative mood, yet a third party may be able to analyze it remotely with some degree of probability. The following is a screenshot of the results of a Big Five-like personality test (courtesy of Signal Patterns):
Jack’s mood recovers to a positive state as time progresses, only to be briefly pulled down by his discussion of his friend’s layoff situation. This illustrates that the after-shocks of his friend's situation are still negatively affecting him.
Eventually, Jack recovers to his average positive state (word-cloud: nice).
Case Study: Criminal Investigation and Analysis. There are numerous security and privacy implications of the discussion at hand. I am unlikely to succeed in attempting to iterate them all. Instead, I want to present one particular case study that can further illustrate the impact of this topic.
Ex-con vents pain online, then kills OCEANA COUNTY -- Danlee Mead was apparently using his MySpace site to tell the world how unhappy and desperate he felt in the hours before he abducted and killed his wife, then turned a shotgun on himself.... Hours later, the depth of the ex-convict's anguish turned to violence.....
A cached copy of Danlee’s MySpace page suggests that he changed his profile (moments before he committed the violent act) to use more positive-sounding words, even though his overall thoughts remained negative. His prior profile, also consisted of negative feelings, yet the words used in the original profile were more negative-sounding. Here is a demonstration of what his profile looks like when run through an analysis over time:
A few observations:
Initially, Danlee’s Myspace profile frequents negative-feeling words (blue bar).
His profile remains consistently negative over time (blue bar).
The words used in his updated profile tip the mood bar to positive (yellow). This is when Danlee changed his profile right before committing the crime.
Following from the above observations, it is clear how this type of analysis can be used by investigators, admittedly after the fact, to get a glimpse into a suspect's state of mind over time.
It may not be possible to use data from online social media to proactively predict the future behavior of all individuals, yet in this situation the perpetrator did have a prior criminal history. Perhaps a proactive approach targeted at known suspects’ online social presence could detect deviations from tuned thresholds, possibly automatically, based on a set of defined triggers. Such an approach seems more tolerable for a set of individuals with known backgrounds, because the elements in their history can help tilt the signal-to-noise ratio in favor of the signal.
Some Additional Thoughts. The prior case study was just one illustration of the many impacts of using social media to capture the psyche of individuals. Here are some additional thoughts:
There are positive and negative implications of targeting individuals (or groups). In the first situation, it is easy to see how Jack’s online activity was used to get a better understanding of his psychological state, along with the hypothesis of how this could be further extended to aid manipulation and influence by a malicious entity. In the second situation, it is clear how the visualization of feelings expressed online may aid investigators in obtaining further insight into a given case.
The victim is the volunteer. Individuals with social presence online willingly contribute and volunteer data that can facilitate the mapping of their psyche. This is in contrast to the Orwellian sense, where information is extracted from the victims in an intrusive way.
The data set is genuine. Most people do not over-edit their blog entries or Twitter messages to conceal emotions.
The study of an individual’s online presence and its correlation to emotion and personality analysis is most likely to remain probabilistic. This introduces the risk of unfair analysis. For example: what does it mean for an individual to be identified, and in turn judged, as someone with a 15% chance of being a psychopath?
(online) Social privacy is an oxymoron. Social applications are, by definition, mutually beneficial to users within the system. If you sign up on a social networking application as Mickey Mouse to protect your identity, your friends will not be able to find you, thereby decreasing the value of the system to you. The popular social networking sites often promise privacy by implementing controls on certain tuples, yet as a user, it is important to understand that there is implied and indirect information within the system (such as connections between networks and the cases presented in this article) that cannot be concealed without destroying the core use-cases of the social application.
To conclude, I sincerely hope this article facilitates further discussion around the topics presented. You may feel that the probability of fruition of some of my thoughts and ideas is low. Perhaps you may find them extremely fantastical, or perhaps you agree that the scenarios presented indeed have a high probability of being relevant in the near future. I am obviously intrigued by the topic and I’d be delighted to hear your thoughts.
The Reith Lectures were inaugurated in 1948 by the BBC to mark the historic contribution made to public service broadcasting by Sir John (later Lord) Reith, the corporation's first director-general.