Thursday, 24 March 2016

A matter of privacy [Link - ITProPortal]

An article I wrote around the FBI trying to break into an Apple iPhone was published on ITProPortal: http://www.itproportal.com/2016/03/24/a-matter-of-privacy/

============================

When Apple recently refused to comply with a federal court order issued by the FBI to help it break into an iPhone 5c, belonging to one of the shooters in the San Bernardino incident, a US House Judiciary Committee hearing was held.

If a ruling is made in favour of the FBI, Apple will have to weaken the encryption of its iPhone operating system, allowing the FBI to gain access to data on any iPhone. Apple’s chief executive, Tim Cook described this as the “software equivalent of cancer.”

Detrimental to future security

Apple’s argument is that if it is forced to write such software, it would open the floodgates to constantly writing spy tools for law enforcement. Cook gave the example of being forced to write and install a program on a suspect’s phone that would help police turn on the iPhone’s video camera. It would also seriously undermine Apple’s business, which has been partly built on the security of its proprietary software.

Inevitably, the iPhone would be weakened, leading to an operating system that could be carved open by those with the means and the will. It would open the sluice gate for other parties to break into iPhones and we’re not just talking hackers and online crime outfits, but also foreign intelligence agencies.

Widespread support

In a measure of just how serious the issue is, over 40 organisations are backing Apple’s case, including many tech companies. In short, Silicon Valley is on Apple’s side. There are also many tech companies who are not throwing their weight into the case but are quietly in support of Apple.

Microsoft, Facebook, Google, Dropbox and Snapchat are expected to sign on to briefs in the case, in support of Apple. Although not directly involved in the case, concerned parties can add additional weight, context, and information to an argument via a legal vehicle known as an amicus brief. Even the United Nations High Commissioner for Human Rights, Zeid Ra’ad Al Hussein has weighed in on the side of Apple.

Generally, there is a widespread feeling that if the FBI won it would be disastrous for the tech industry and the overall freedom of citizens. In the wake of the Edward Snowden revelations, there is an informed and widespread understanding that this case isn’t about a single iPhone; it’s about the future and the protection of safety and privacy.

Of course, the Apple FBI case also foreshadows what could happen in the UK, should the draft Investigatory Powers Bill be approved in its current form. This bill also wants to compel technology companies to produce products that are capable of having their encryption bypassed.

Draconian powers

In the UK, like in the US, it’s not only civil rights groups who are concerned, it’s the tech community too. As it stands, if the bill is passed, it would mean that the UK has one of the most draconian surveillance laws of any democracy, via mass surveillance powers to monitor every citizen’s browsing history.

The government seems intent on rushing the bill through with home secretary Theresa May wanting the bill on the statute books by December 2016. Three parliamentary committees have already made many criticisms about the draft bill suggesting a large number of recommendations are required to safeguard privacy. The government responded by adding ‘privacy’ into the title of the first chapter and apparently leaving the text virtually unchanged.

Impossible data searches

There are also questions as to whether the bill in its current state is actually possible to implement. Part of the bill legally requires ISPs to archive connections a device makes to the Internet and hold that data for a minimum of a year. Nobody for certain can say how much data that is but one thing is for certain, it is an enormous amount. Just think of one single video on YouTube that gets 10 million hits in the UK. That’s just one Internet link.

How much untargeted data would be collected and how do you decide what is useful and not useful?

Undermining foundations

It seems that as dust of outrage settles post-Snowden, governments and law enforcement on both sides of the Atlantic are ramping up their ambition to collect as much data on every citizen as possible, without thinking through the implications.

It’s a dangerous situation and one that, not only potentially undermines consumer’s trust, but also the entire tech industry and the democratic freedom we are entitled to. Security agencies can still do their job without resorting to mass surveillance just as the FBI could access the data in the San Bernardino iPhone should it wish to do so.

Freedom of speech is a fundamental right in Western democracies, as well as privacy, but the desire to weaken encryption actually weakens the foundations on which our societies are built.

Tuesday, 8 March 2016

An Introduction to the CESG 10 Steps to Cyber Security

I was asked to give an education presentation at The e-Crime Congress in London today: http://www.e-crimecongress.org/event/congress/agenda-key-themes 

The description of my presentation was:

MTI- An Introduction to the CESG 10 Steps to Cyber Security

Andrew Tang, Service Director – Security, MTI

The BIS Information Security Breaches Survey reported that 81% of large organisations had experienced a security breach of some sort. This costs each organisation, on average, between £600,000 and £1.5 million. In response to the growing cyber security threat, CESG have launched a ‘10 step guide to Cyber Security’. Andrew Tang will explore these 10 steps with a focus on Managing user privileges and network security within the 10 steps.

What will attendees learn:
What the CESG 10 step Cyber Security framework means for their organisation
How to protect your networks against external and internal attacks
How to manage the network perimeter as well as filtering out unauthorised access and malicious content
How to limit user privileges and monitor user activity

Here is a copy of my presentation: https://drive.google.com/open?id=0B0zPUWiKiUjRLTZoQVlTSkZOeGM