Here’s an insight into one man at Google to keep tabs on – see the article below.
New Google security chief looks for balance with privacy
By GLENN CHAPMAN, AFP April 19, 2015 4:55am
MOUNTAIN VIEW, United States – Google has a new sheriff keeping watch over the wilds of the Internet.
Austrian-born Gerhard Eschelbeck has ranged the British city of Oxford, cavorted at notorious Def Con hacker conclaves, wrangled a herd of startups, and camped out in Silicon Valley.
He now holds the reins of security and privacy for all-things Google.
In an exclusive interview with AFP, Eschelbeck spoke of using Google’s massive scope to protect users from cyber villains such as spammers and state-sponsored spies.
“The size of our computing infrastructure allows us to process, analyze, and research the changing threat landscape and look ahead to predict what is coming,” Eschelbeck said during his first one-on-one press interview in his new post.
“Security is obviously a constant race; the key is how far can you look ahead.”
Eschelbeck took charge of Google’s 500-strong security and privacy team early this year, returning to Silicon Valley after running engineering for a computer security company in Oxford for two years.
“It was a very natural move for me to join Google,” Eschelbeck said. “What really excited me was doing security at large scale.”
Google’s range of global services and products means there are many fronts for a security expert to defend. Google’s size also means there are arsenals of powerful computer servers for defenders to employ and large-scale data from which to discern cyber dangers.
Eschelbeck’s career in security stretches back two decades to a startup he built while a university student in Austria that was acquired by security company McAfee.
What started out as a six-month work stint in California where McAfee is based turned into a 15-year stay by Eschelbeck.
He created and advised an array of computer security startups before heading off to Oxford. Eschelbeck has worked at computer technology titans such as Sophos and Qualys, and holds patents for network security technologies.
He was confident his team was up to the challenge of fending off cyber attacks, even from onslaughts of sophisticated operations run by the likes of the US National Security Agency or the Chinese military.
Eschelbeck vowed that he would “absolutely” find any hacker that came after his network.
“As a security guy, I am never comfortable,” he said. “But, I do have a very strong team…I have confidence we have the right reactive and proactive defense mechanisms as well.”
State-sponsored cyber attacks making news in the past year come on top of well-known trends of hacking expressly for fun or profit.
The sheer number of attack “vectors” has rocketed exponentially over time, with weapons targeting smartphones, applications, datacenters, operating systems and more.
“You can safely assume that every property on the Internet is continuously under attack,” Eschelbeck said.
“I feel really strong about our ability to identify them before they become a threat and the ability to block and prevent them from entering our environment.”
Eschelbeck is a backer of encrypting data, whether it be an email to a friend or photos stored in the cloud.
“I hope for a time when all the traffic on the Internet is encrypted,” he said.
“You’re not sending a letter to your friend in a transparent envelope, and that is why encryption in transport is so critical.”
He believes that within five years, accessing accounts with no more than passwords will be a thing of the past.
Google lets people require that codes sent to their phones be used along with passwords to access accounts, in what is referred to as “two-factor” authentication.
The Internet titan also provides “safe browsing” technology that warns people when they are heading to websites rigged to attack visitors.
Google identifies about 50,000 malicious websites monthly, and another 90,000 phishing websites designed to trick people into giving up their passwords or other valuable personal information, Eschelbeck said.
“We have some really great visibility into the Web, as you can imagine,” he said.
“The time for us to recognize a bad site is incredibly short.”
Doubling-down on privacy
Eschelbeck saw the world of online security as fairly black and white, while the privacy side of his job required subjective interpretations.
Google works closely with data protection authorities in Europe and elsewhere to try and harmonize privacy protections with the standards in various countries.
“I really believe that with security and privacy, there is more overlap than there are differences,” he said.
“We have made a tremendous effort to focus and double-down on privacy issues.”
Like other large Internet companies, Google routinely makes public the requests it receives from government agencies for information about users.
Requests are carefully reviewed, and only about 65 percent of them are satisfied, according to Google.
“Privacy, to me, is protecting and securing my activities; that they are personal to myself and not visible to the whole wide world,” Eschelbeck said. — Agence France-Presse
Was that a brainfart?
President Barack Obama signed an executive order Wednesday that permits the US to impose economic sanctions on individuals and entities anywhere in the world for destructive cyber-crimes and online corporate espionage – see the Bloomberg article below.
Now what’s this about? An all-out effort on cyber-criminals or just plain window dressing?
For all their abilities to trace the attacks right down to the identities of the hackers, have the US authorities been able to do anything? Recall the Mandiant Report two years ago that allegedly traced Chinese hackers down to the very unit of a military base in Shanghai?
Recall also the five Chinese military hackers on the FBI wanted list last year? Where has that led? And what about the alleged North Korean hacks on Sony Pictures?
With all good intent and seriousness to go on the offensive, Obama has yet to put his words into action on this front…
Hackers, Corporate Spies Targeted by Obama Sanctions Order
by Justin Sink and Chris Strohm
President Barack Obama signed an executive order Wednesday allowing the use of economic sanctions for the first time against perpetrators of destructive cyber-attacks and online corporate espionage.
That will let the Treasury Department freeze the assets of people, companies or other entities overseas identified as the source of cybercrimes. The federal government also will be able to bar U.S. citizens and companies from doing business with those targeted for sanctions.
“Cyberthreats pose one of the most serious economic and national security challenges to the United States,” Obama said in a statement. “As we have seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies and our citizens.”
Under the order, sanctions will only be used if a cyber-attack threatens to harm U.S. national security, foreign policy or the broader economy. It’s aimed at cybercriminals who target critical infrastructure, disrupt major computer networks, or are involved in the “significant” theft of trade secrets or intellectual property for competitive advantage or private financial gain.
The administration is using the threat of sanctions to help prevent large-scale data theft after breaches at major U.S. corporations, including retailer Target Corp., health-insurer Anthem Inc. and home-improvement chain Home Depot Inc. It’s also a recognition that companies are facing increasingly destructive attacks, such as the hack against Sony Pictures Entertainment that crippled thousands of computers and delayed release of a comedy movie.
Sanctions imposed under the executive order will help disrupt the operations of hackers who may be in countries outside the reach of U.S. law enforcement, John Carlin, U.S. assistant attorney general for national security, said in a phone interview.
Banks and other companies connected to the U.S. financial system will be required to prohibit sanctioned hackers and entities from using their services, cutting them off from valuable resources, Carlin said.
“It’s a new powerful tool and we intend to use it,” Carlin said. “It has the capability to significantly raise the cost for those who steal or benefit through cybercrime.”
The unique aspect of the executive order is that it allows the U.S. to impose sanctions on individuals or entities over hacking attacks regardless of where they are located, White House Cybersecurity Coordinator Michael Daniel told reporters on a conference call. While other sanctions are tied to a particular country or group of persons, hacking attacks transcend borders.
“What sets this executive order apart is that it is focused on malicious cyber-activity,” Daniel said. “What we’re trying to do is enable us to have a new way of both deterring and imposing costs on malicious cyber-actors wherever they may be.”
The order is a signal of the administration’s “clear intent to go on offense against the full range of very serious cyberthreats that are out there,” said Peter Harrell, the former principal deputy assistant secretary for sanctions at the State Department.
“This is a message that if folks around the world don’t cut out these activities, they’re going to find themselves cut off from the American banking system,” Harrell said in an interview.
Harrell said there are potential stumbling blocks to effective implementation. For one, hackers work hard to conceal their identity. Even though the U.S. and private companies have improved their ability to trace attacks, attribution can sometimes be difficult.
Daniel acknowledged that determining who is actually behind hacking attacks is still a challenge but said the U.S. is getting better at it.
In other cases, diplomatic considerations may be at play. The administration’s decision in 2014 to file criminal charges against five members of the Chinese military over their role in cyber-espionage strained relations with Beijing.
In January, Obama authorized economic sanctions against 10 North Korean officials and government entities in connection with the Sony attack. The North Korean government has denied any involvement in the Sony case.
Harrell said the use of sanctions can provide leverage as the U.S. registers complaints with governments overseas about cyber-attacks. Targeted use of the new sanctions powers also may help deter criminals.
“A number of these cyber-attacks are organized by fairly significant actors out there — large hacking collectives, or organized by foreign intelligence agencies,” Harrell said. “They all have real potential costs if they were put on sanctions lists.”
The Obama administration has been under pressure to take action to help companies protect their networks from cyber-attacks. In early March, Premera Blue Cross announced that hackers may have accessed 11 million records, including customer Social Security numbers, bank account data and medical information.
Home Depot in September said 56 million payment cards and 53 million e-mail addresses had been stolen by hackers. And just days earlier, JPMorgan Chase & Co. announced a data breach affecting 76 million households and 7 million small businesses.
The highest-profile breach, however, may have been the hacking of Sony Pictures. The U.S. government said North Korean hackers broke into the studio’s network and then exposed e-mails and private employment and salary records. U.S. authorities said it was in retaliation for plans to release “The Interview,” a satirical film depicting the assassination of leader Kim Jong Un.
It’s not like the NSA has not been warned, and China may just be the first of many to come.
The United States Is Angry That China Wants Crypto Backdoors, Too
February 27, 2015 // 03:44 PM EST
When the US demands technology companies install backdoors for law enforcement, it’s okay. But when China demands the same, it’s a whole different story.
The Chinese government is about to pass a new counterterrorism law that would require tech companies operating in the country to turn over encryption keys and include specially crafted code in their software and hardware so that Chinese authorities can defeat security measures at will.
Technologists and cryptographers have long warned that you can’t design a secure system that will enable law enforcement—and only law enforcement—to bypass the encryption. The nature of a backdoor is that it is also a vulnerability, and if discovered, hackers or foreign governments might be able to exploit it, too.
Yet, over the past few months, several US government officials, including the FBI director James Comey, outgoing US Attorney General Eric Holder, and NSA Director Mike Rogers, have all suggested that companies such as Apple and Google should give law enforcement agencies special access to their users’ encrypted data—while somehow offering strong encryption for their users at the same time.
Their fear is that cops and feds will “go dark,” an FBI term for a potential scenario where encryption makes it impossible to intercept criminals’ communications.
But in light of China’s new proposals, some think the US’ own position is a little ironic.
“You can’t have it both ways,” Trevor Timm, the co-founder and the executive director of the Freedom of the Press Foundation, told Motherboard. “If the US forces tech companies to install backdoors in encryption, then tech companies will have no choice but to go along with China when they demand the same power.”
He’s not the only one to think the US government might end up regretting its stance.
Someday US officials will look back and realize how much global damage they’ve enabled with their silly requests for key escrow.
— Matthew Green (@matthew_d_green) February 27, 2015
Matthew Green, a cryptography professor at Johns Hopkins University, tweeted that someday US officials will “realize how much damage they’ve enabled” with their “silly requests” for backdoors.
Ironically, the US government sent a letter to China expressing concern about its new law. “The Administration is aggressively working to have China walk back from these troubling regulations,” US Trade Representative Michael Froman said in a statement.
A White House spokesperson did not respond to a request for comment from Motherboard.
“It’s stunningly shortsighted for the FBI and NSA not to realize this,” Timm added. “By demanding backdoors, these US government agencies are putting everyone’s cybersecurity at risk.”
In an oft-cited example of “if you build it, they will come,” hackers exploited a system designed to let police tap phones to spy on more than a hundred Greek cellphones, including that of the prime minister.
At the time, Steven Bellovin, a computer science professor at Columbia University, wrote that this incident shows how “built-in wiretap facilities and the like are really dangerous, and are easily abused.”
That hasn’t stopped others from asking, though. Several countries, including India, Kuwait and the UAE, asked BlackBerry to include a backdoor in its devices so that authorities could access encrypted communications. And a leaked document in 2013 revealed that BlackBerry’s lawful interception system in India was “ready for use.”
From China with Love
It’s the one-year anniversary of what is now known as the Snowden revelations, which appeared on June 5 and June 9 when The Guardian broke news of classified National Security Agency documents and Edward Snowden revealed himself in Hong Kong as the source of those leaks.
There is still much to decipher from the chronology of events in the aftermath and the sudden global awakening to the end of privacy. Among the impacts on the personal, business and political fronts, one interesting salient feature is the hypocritical rhetorical spats between the US and China in recent weeks, which could set the undertone for US-Sino relations for years to come.
Snowden said his biggest fear is that nothing would change following his bold decision a year ago.
You can find the entire column here.
Defense Secretary Hagel Faces a Tough Time Explaining This to China
US Defense Secretary Chuck Hagel announced at the National Security Agency headquarters last Friday that the Pentagon would triple its cyber security staff – to 6,000 – over the next few years to defend against computer-based attacks.
That’s great. I wonder how Hagel is going to face the music when he visits China later this week where he expects to be grilled on the latest NSA revelations and aggressive US cyber spying. Just last month, it was revealed that the NSA has for years assessed the networks of Chinese telecommunications company Huawei, which the US House of Representatives has long advocated that US companies should avoid on the grounds of national security.
Creating Giants to Battle Snoops by NSA and the Likes
Size matters in the covert wars of cyber espionage – even more so when two Herculean cyber warriors merge on Wall Street. US cyber-security firm FireEye Inc. announced the acquisition of Mandiant Corp. late last week in a deal worth more than US$1 billion, generating not just an immediate surge in FireEye’s share price but a Mexican wave across the world.
This merger and creation of a next-generation cyber-security firm – FireEye is a provider of security software for detecting cyber-attacks and Mandiant a specialist firm best known for emergency responses to computer network breaches – comes at a time when old-style anti-virus software has taken a dive, with governments, companies and private citizens across the globe hunting desperately for more effective defensive measures to fend off sophisticated hackers and state-sponsored cyber-attacks.
But the interesting and ironic twist to this FireEye and Mandiant deal is that many of Mandiant’s employees came from the US intelligence world and the Defense Department.
Or was Dick Cheney looking for a cheap excuse to play politics?
Edward Snowden’s sudden departure from Hong Kong for Moscow and eventually elsewhere, possibly a country hostile to the US, reignites the question of whether he’s a spy or double agent.
But the allegations made last week by former US vice president Dick Cheney that the National Security Agency whistle-blower Edward Snowden could be a spy for China are off track, and he knows it; they are a deliberate public distraction as the Obama administration searches for scapegoats while defending the NSA surveillance programs with its one and only trump card.
Snowden left with his passport annulled, a warrant on his head plus criminal charges of espionage, theft and communicating classified intelligence to unauthorized persons.
But here is the dichotomy: While the corporate world is still coping with US regulations on better corporate governance practices, where does the notion of whistleblowing stand right now?
Please read the entire column here.
In Spies We Trust
The two-day private talks between US and Chinese Presidents Barack Obama and Xi Jinping this weekend in Rancho Mirage, CA are expected to include, among other thorny issues, the dwindling trust between the two countries following the recent spate of cyber intrusions that the US has repeatedly alleged originated from China.
In the first diplomatic efforts to defuse chronic tensions, the two have also agreed to launch regular, high-level talks next month on how to set standards of behavior for cyber security and commercial espionage. But don’t expect anything concrete from these meetings. The state of cyberspace diplomacy is heading only south.
Please read the full column here.
The Companies Ordinance review has been years in the making
A recent hotly debated topic in Hong Kong relates to the government’s attempt to rewrite the Companies Ordinance, spurred largely by the sudden public realization that the resulting new Companies Bill was already passed in the local legislature without much media attention and the rude awakening to the subsequent impacts.
Much of the current media focus and public debates have been placed on only one aspect of the many proposed changes: to withhold from the public parts of the identification numbers and details of the residential addresses of company directors found in the Hong Kong company registration records.
The lightning rod for public concern has struck many a wrong chord, including outcries about the suppression of transparency and apprehension over possible government submission to China’s will.
This column looks at the roots of the situation and puts the fuss in perspective.
Please read full article here.
Spying on Spies
The FBI probe into the scandal involving former CIA director David Petraeus and his mistress may have stolen global headlines the past week.
But there is something else the FBI knows that should warrant more attention. Something closer to those of us less exalted than the boss of the world’s most famous spy agency.
The FBI is known to have video footage, covertly taken in a hotel room somewhere in China, showing how Chinese agents broke in and swept through the belongings and laptop of an American businessman.
There were recent media reports of similar incidents. The FBI is now showing the clip as a warning to corporate security experts of major US companies.
The FBI also warned some months ago about the risks of using hotel wi-fi networks and recommended all government officials, businessmen and academic personnel take extra caution when traveling abroad.
Whilst the corporate world is often most at risk, average citizens are also highly vulnerable, especially to electronic surveillance on home and foreign soil.
So what can one do to protect the personal data and business secrets on their computers, especially when traveling abroad?
In the increasingly pugnacious cyber espionage war, the US is not only admittedly losing out to countries like China and Russia but the real headline news is, the US is still at a loss on how to protect itself against the massive intellectual property threats on its very turf.
The chairman of the House Intelligence Committee, Rep. Mike Rogers, told the audience at the Intelligence and National Security Alliance (INSA) cyber conference, held on 26 September in Washington DC, that the US is “running out of time” – US government officials have stated that no country engages in cyber espionage as systematically, thoroughly and broadly as China, and that the theft of critical intellectual property amounts to up to US$1 trillion.
The Rogers-Ruppersberger Bill designed to stem the tide is facing resistance in the Senate.
This Bill proposes to offer business liability insurance cover to the business community. In return, the victimized companies would have to share their threat information with the government, which will in turn share that experience with the business world.
(What? Are you kidding me?! Okay, I hear you at the back row).
Need I say more? Find out more about it here.
Spies multiply like coathangers in China and the US
How many intelligence — okay honestly, spy — agencies does a country really need?
Anywhere between eight and 17 and possibly more if you’re referring to China and the United States. The US, in fact, recently established its newest spy agency, which is specifically targeted at China, among others (Read the entire column here, here and there).
Electronic gadgets are often fun but there is rarely one as useful as this: a new type of flash memory stick that can self-destruct by remote control.
I immediately began speculating about the immense possibilities. James Bond or Ethan Hunt, anyone?
But the real implication is even more profound, given a recent US court ruling that dealt a blow to the fight against corporate espionage in saying the download of proprietary data does not amount to a criminal offense after all (Read the entire column here and there).
I love my MacBook, as well as my iPhone and iPod. But I now wonder if I will have the same personal struggle I had with Nike more than a decade ago.
Despite all the recent frenzy in the papers about the upcoming public listing of Facebook, Jeffrey Lin and “Lin-sanity” at the New York Knicks, Apple has continued to grab the headlines.
This is not only because its stock topped a record US$500 or because of the chaos at Apple Stores in China when the iPhone 4S first went on sale, but also due to the disclosure last week that working conditions at mainland plants making Apple products would be audited and the findings made public by an outside independent party.