Sweeping the Net for… [take your pick]

From Ron Deibert:

The LGBTQ news website, “Gay Today,” is blocked in Bahrain; the website for Greenpeace International is blocked in the UAE; a matrimonial dating website is censored in Afghanistan; all of the World Health Organization’s website, including sub-pages about HIV/AIDS information, is blocked in Kuwait; an entire category of websites, labeled “Sex Education,” is censored in Sudan; in Yemen, an armed faction, the Houthis, orders the country’s main ISP to block regional and news websites.

What’s the common denominator linking these examples of Internet censorship? All of them were undertaken using technology provided by the Canadian company, Netsweeper, Inc.

In a new Citizen Lab report published today, entitled Planet Netsweeper, we map the global proliferation of Netsweeper’s Internet filtering technology to 30 countries. We then focus our analysis on 10 countries with significant human rights, insecurity, or public policy issues in which Netsweeper systems are deployed on large consumer ISPs: Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, UAE, and Yemen. The research was done using a combination of network measurement and in-country testing methods. One method involved scanning every one of the billions of IP addresses on the Internet to search for signatures we have developed for Netsweeper installations (think of it like an x-ray of the Internet).

National-level Internet censorship is a growing norm worldwide. It is also a big business opportunity for companies like Netsweeper. Netsweeper’s Internet filtering service works by dynamically categorizing Internet content, and then providing customers with options to choose categories they wish to block (e.g., “Matrimonial” in Afghanistan and “Sex Education” in Sudan). Customers can also create their own custom lists or add websites to categories of their own choosing.

Netsweeper markets its services to a wide range of clients, from institutions like libraries to large ISPs that control national-level Internet connectivity. Our report highlights problems with the latter, and specifically the problems that arise when Internet filtering services are sold to ISPs in authoritarian regimes, or countries facing insecurity, conflict, human rights abuses, or corruption. In these cases, Netsweeper’s services can easily be abused to help facilitate draconian controls on the public sphere by stifling access to information and freedom of expression.

While there are a few categories that some might consider non-controversial—e.g., filtering of pornography and spam—there are others that definitely are not. For example, Netsweeper offers a filtering category called “Alternative Lifestyles,” in which it appears mostly legitimate LGBTQ content is targeted for convenient blocking. In our testing, we found this category was selected in the United Arab Emirates and was preventing Internet users from accessing the websites of the Gay & Lesbian Alliance Against Defamation (http://www.glaad.org) and the International Foundation for Gender Education (http://www.ifge.org), among many others. This kind of censorship, facilitated by Netsweeper technology, is part of a larger pattern of systemic discrimination, violence, and other human rights abuses against LGBTQ individuals in many parts of the world.

According to the United Nations Guiding Principles on Business and Human Rights, all companies have responsibilities to evaluate and take measures to mitigate the negative human rights impacts of their services on an ongoing basis. Despite many years of reporting and numerous questions from journalists and academics, Netsweeper still fails to take this obligation seriously.

The new normal: hardware vulnerabilities

From Bruce Schneier:

On January 3, the world learned about a series of major security vulnerabilities in modern microprocessors. Called Spectre and Meltdown, these vulnerabilities were discovered by several different researchers last summer, disclosed to the microprocessors’ manufacturers, and patched — at least to the extent possible.

This news isn’t really any different from the usual endless stream of security vulnerabilities and patches, but it’s also a harbinger of the sorts of security problems we’re going to be seeing in the coming years. These are vulnerabilities in computer hardware, not software. They affect virtually all high-end microprocessors produced in the last 20 years. Patching them requires large-scale coordination across the industry, and in some cases drastically affects the performance of the computers. And sometimes patching isn’t possible; the vulnerability will remain until the computer is discarded.

Spectre and Meltdown aren’t anomalies. They represent a new area to look for vulnerabilities and a new avenue of attack. They’re the future of security — and it doesn’t look good for the defenders.

Less haste, more security

This morning’s observer column:

I ran into my favourite technophobe the other day. “I see,” he chortled, “that your tech industry (he holds me responsible for everything that is wrong with the modern world) is in meltdown!” The annoying thing is that he was partly right. What has happened is that two major security vulnerabilities – one of them has been christened “Meltdown”, the other “Spectre” – have been discovered in the Central Processing Unit (CPU) chips that power most of the computers in the world.

A CPU is a device for performing billions of apparently trivial operations in sequences determined by whatever program is running: it fetches some data from memory, performs some operations on that data and then sends it back to memory; then fetches the next bit of data; and so on. Two decades ago some wizard had an idea for speeding up CPUs…

Read on

Meltdown and Spectre summarised

Lovely economical summary by the UK ICO’s Head of Technology Policy of the two vulnerabilities currently obsessing the CPU-design industry:

In essence, the vulnerabilities provide ways that an attacker could extract information from privileged memory locations that should be inaccessible and secure. The potential attacks are only limited by what is being stored in the privileged memory locations – depending on the specific circumstances an attacker could gain access to encryption keys, passwords for any service being run on the machine, or session cookies for active sessions within a browser. One variant of the attacks could allow for an administrative user in a guest virtual machine to read the host server’s kernel memory. This could include the memory assigned to other guest virtual machines.

WannaCry? Not really

If you’re overwhelmed by all the good, bad and simply awful reporting of the WannaCry ‘ransomware’ attack, here are links to two sane and well-informed pieces.

  • Ross Anderson’s post on Light Blue Touchpaper — “Bad Malware, Worse Reporting”.
  • Ben Thompson’s long and thoughtful post on his Stratechery blog — “WANNACRY ABOUT BUSINESS MODELS”.

Also…

The Economist had a useful briefing a while back on the general topic of our chronic insecurity — “Computer security is broken from top to bottom”.

And of course it goes without saying that this whole debacle provides a salutary confirmation of the foolishness of demanding that there should be ‘backdoors’ in encryption ‘for government use only’. WannaCry was turbocharged by some software written by the NSA (which knew about the Windows XP vulnerability but didn’t tell Microsoft) to exploit it. The moral: if the government knows about a vulnerability, then other people will too. And some of them will be even more unscrupulous.

And the USA’s greatest cybersecurity vulnerability is… its President

This morning’s Observer column:

My favourite image of the week was a picture of the Queen opening the National Cyber Security Centre in London. Her Majesty is looking bemusedly at a large display while a member of staff explains how hackers could target the nation’s electricity supply. The job of the centre’s director, Ciaran Martin, is to protect the nation from such dangers. It’s a heavy responsibility, but at least he doesn’t have to worry that his head of state is a cybersecurity liability.

His counterpart in the United States does not have that luxury…

Read on

So the government is serious about cybersecurity? Really?

This morning’s Observer column:

On Tuesday, the chancellor, Philip Hammond, announced that the government was “investing” £1.9bn in boosting the nation’s cybersecurity. “If we want Britain to be the best place in the world to be a tech business,” he said, “then it is also crucial that Britain is a safe place to do digital business… Just as technology presents huge opportunities for our economy – so too it poses a risk. Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust, faith in the whole digital edifice will fall away.”

Quite so; cybersecurity is clearly important. After all, in its 2015 strategic defence and security review, the government classified “cyber” as a “tier 1” threat. That’s the same level as international military conflict and terrorism. So let’s look at the numbers. The UK’s defence budget currently runs at £35.1bn, while the country’s expenditure on counterterrorism is now running at about £3bn a year. That puts Hammond’s £1.9bn (a commitment he inherited from George Osborne, by the way) into perspective. And the money is to be spent over five years, so an uncharitable reading of the chancellor’s announcement is that the government is actually investing just under £400m annually in combating this tier 1 threat.

All of which suggests that there’s a yawning chasm between Hammond’s stirring rhetoric about the cyber threat and his ability to muster the resources needed to combat it…

Read on

Brought down by a toaster?

As readers of my stuff will know (see here and here, for example), I’ve been going on about the existential risk posed by the ‘internet of things’ for a while, so I’m loath to keep on about it. But this nice encapsulation of the problem by Ben Evans seems well worth quoting:

A chunk of the internet went down this week, effectively, because someone did a massive distributed denial-of-service attack using a botnet of millions of hacked IoT devices – mostly, it seems, IP webcams from one Chinese company that don’t have decent security. This is an interesting structural problem – the devices once sold are either impossible or unlikely to be patched, the users probably don’t even know that their device is hacked, and the manufacturer has no motivation and probably few of the necessary skills to do anything about it. A network designed to withstand nuclear attack, brought down by toasters. More interesting/worrying – who is doing this, why, and what will they do next?

How your shower could participate in a DDOS attack

This morning’s Observer column:

My eye was caught by a Kickstarter campaign for a gizmo called a SWON, described as “a connected conservation device for your shower”. You unscrew the shower head, screw on the SWON and then screw the head back on to it. From then on, water goes through the SWON before it reaches you. The Kickstarter campaign needs $50,000 to be pledged before the product can be made. Last time I checked, it had 75 backers and had raised pledges of $4,798.

Before consigning it to the “leading-edge uselessness” bin, I clicked on the link…

Read on