The Russia-linked election hack is a sign of things to come
A spear-phishing attack could change the course of the election
By Russell Brandom
Jul 25 2016
On Friday, WikiLeaks published a stolen archive of emails from the Democratic National Committee — and Washington spent the weekend trying to figure out if the dump was a normal political scandal or something far more sinister. The dump revealed a number of embarrassing facts, including a number of indications that the nominally neutral DNC had favored Clinton during the primary election — but as the story has progressed, those facts have proved less interesting than where they came from.
Over the weekend, a number of experts have raised suspicions that the email leak was carried out as part of an active campaign by Russian groups to sway the US election. The FBI is actively investigating the hack and the House Intelligence Committee has reportedly been briefed on it as well. If the reports are true, it would be a new level of involvement by a foreign power in a US election. And since the attack used many of the same tactics turned against Sony Pictures and Ashley Madison, it would also set a troubling precedent for how commonly available digital attacks could be used to subvert a national election.
“Attacks against electoral candidates … are likely to continue up until the election in November.”
The DNC was first compromised in May of this year, and while attribution is always tricky, there’s ample evidence linking that attack to Russia. In a blog post in June, the firm Crowdstrike linked the DNC compromise to two different groups, dubbed “Cozy Bear” and “Fancy Bear.” One had been linked to previous attacks on the State Department, and both were seen choosing targets “for the benefit of the government of the Russian federation,” Crowdstrike CTO Dmitri Alperovitch wrote. Two separate firms later confirmed the finding, and crucially, both assessments were made over a month ago, long before the emails themselves were released. The report closed with an ominous prediction: “Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November.”
In the month since, the connection to Russia has only strengthened. A figure came forward taking credit for the hack, claiming to be a Romanian civilian acting alone — but in a pivotal Motherboard interview, he proved unable to converse in Romanian, and metadata for his site showed it had been modified by Russian users. In the wake of the email dump, other experts have piled on the Russian connection, with longtime Russia analyst Thomas Rid describing the evidence as “very strong.”
At the same time, Russian state media has made no secret of its preference for Donald Trump. The state-run Russia Today channel has been notably enthusiastic about the Trump campaign, and the Republican frontrunner has largely reciprocated, showing an unprecedented lack of support for groups like NATO and the EU that have long served as a counterbalance to Russian influence in eastern Europe. Members of Trump’s campaign staff also have ties to Putin that predate the campaign. That doesn’t indicate any direct coordination, but it does suggest that if a Russian group chose to meddle in the US election, it would be in aid of Trump rather than Clinton.
Evolution Is Happening Faster Than We Thought
By MENNO SCHILTHUIZEN
Jul 23 2016
Amsterdam — A FRIEND recently invited me over to see the blackbird that had taken up residence in a potted plant on her balcony.
Serenely incubating eggs in the inner city, this bird had little in common with its shy, reclusive ancestors that nested in Europe’s forests. Early in the 19th century, probably in Germany, blackbirds began settling in cities. By the mid-20th century, they were hopping around on stoops all over Europe.
Many “wild” bird species — like the peregrine falcons, red-tailed hawks and laughing gulls of New York — have set up camp in cities. But the thing about Europe’s urban blackbirds (a relative of the American robin, not to be confused with North American blackbirds, which belong to a different family) is that they are very different from their forest-dwelling relatives. They have stockier bills, sing at a higher pitch (high enough to be heard over the din of traffic), are less likely to migrate (in cities there’s food and warmth year-round), and have less nervous personalities.
For many of these differences, genes are responsible. The birds’ DNA, after 200 years or less of adaptation, has diverged from that of their rural ancestors.
For a long time, biologists thought evolution was a very, very slow process, too tardy to be observed in a human lifetime. But recently, we have come to understand that evolution can happen very quickly, as long as natural selection — the relative benefit that a particular characteristic bestows on its bearer — is strong.
And where else to find such strong natural selection than in the heart of a big city? The urban environment is about as extreme as it gets. Temperatures in the city center can be more than 10 degrees higher than in the surrounding countryside. Traffic causes continuous background noise, a mist of fine dust particles and barriers to movement for any animal that cannot fly or burrow. Much of the city is clad in impervious surfaces of stone, glass, steel and tarmac. There is pollution of soil, water and air, mainly human-derived food sources, and an especially motley crew of local and invasive flora and fauna.
With urban environments expanding all over the world, wildlife and biologists alike are starting to treat the city as a true ecosystem. Many species’ original habitats are being squeezed into annihilation. For them, it’s adapt or die. And field biologists like me are following suit. As we have to travel ever farther to find untouched wilderness, we are beginning to realize that the expanding urban sprawl is perhaps not something to be depressed about, but rather something very exciting, as entirely novel forms of life are evolving right under our noses.
A Fordham University biologist, Jason Munshi-South, studies the populations of white-footed mice marooned in New York City parks. These native mice once lived all over the place. But as the city expanded, they became confined to the small pockets of forest left behind in parks. Thus isolated, the mice in each park began evolving a park-specific genetic blueprint. In some parks, Dr. Munshi-South found mice carrying genes for heavy metal tolerance, probably because soils there are contaminated with lead or chromium. In other parks, the animals have genes for increased immune response — maybe diseases spread more easily in some high-density populations.
The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters
By Bruce Schneier
Jul 25 2016
Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die. Chaos ensues. While some of these scenarios overhype the mass destruction, the individual risks are all real. And traditional computer and network security isn’t prepared to deal with them.
Classic information security is a triad: confidentiality, integrity, and availability. You’ll see it called “CIA,” which admittedly is confusing in the context of national security. But basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).
The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.
So far, internet threats have largely been about confidentiality. These can be expensive; one survey estimated that data breaches cost an average of $3.8 million each. They can be embarrassing, as in the theft of celebrity photos from Apple’s iCloud in 2014 or the Ashley Madison breach in 2015. They can be damaging, as when the government of North Korea stole tens of thousands of internal documents from Sony or when hackers stole data about 83 million customer accounts from JPMorgan Chase, both in 2014. They can even affect national security, as in the case of the Office of Personnel Management data breach by—presumptively—China in 2015.
On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door—or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location.
With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.
Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.
The increased risks come from three things: software control of systems, interconnections between systems, and automatic or autonomous systems. Let’s look at them in turn:
Software Control. The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well. As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never. A recent Princeton survey found 500,000 insecure devices on the internet. That number is about to explode.
Joker in the Pack: If Financial Systems Were Hacked
Recent attacks give a glimpse of the sort of cyber-assault that could bring the world economy to a halt. Better defences are needed
Jun 16 2016
THIS May Anonymous, a network of activists, briefly hacked into Greece’s central bank and warned in a YouTube message that: “Olympus will fall…This marks the start of a 30-day campaign against central-bank sites across the world.” The warning struck a raw nerve.
The financial system is little more than a set of promises between people and institutions. If these are no longer believed the whole house of cards will collapse and people will take their money and run. That happened in 2008 because of bad credit decisions; but the same could unfold via a sophisticated cyber-attack. Processes designed to make banking safer have created new vulnerabilities: large amounts of money flow through certain key bits of infrastructure. If such systemic institutions were compromised, a panic similar to those in 2008 could quickly spread.
Cyber-attacks are rapidly growing, and financial services are a favoured target of thieves and people intent on causing chaos. The rise in attacks on individual banks, mostly to steal money or information or to shut down the system for the hell of it (often using so-called denial-of-service attacks), is worrying enough. But two recent attacks signal a move from simple “Bonnie and Clyde” crimes to a new “Ocean’s Eleven” sophistication.
In 2013 a raid by the Carbanak gang, named after the malware it used, was discovered when its “mules” were seen picking up cash that was apparently being randomly dispensed by ATMs in Kiev (a ruse known as ATM jackpotting, whereby criminals hack into a bank’s PCs and then send direct commands to the ATMs). The extent of the assault only gradually became clear: the final bill could be high. The largest sums were stolen by hacking into bank systems and manipulating account balances. For example, an account with $1,000 would be credited with an extra $9,000, then $9,000 would swiftly be transferred to an offshore account; the account holder would still have $1,000, so was unlikely to notice or panic. This messing with the numbers showed a new ability and ambition among cyber-criminals.
The second attack unfolded over a few days in February, when hackers stole $81m from the Central Bank of Bangladesh’s account at the Federal Reserve in New York, in a shockingly ambitious heist. More worrying than its scale was the fact that the raiders hijacked bank personnel’s access to SWIFT, a highly secure (or so it was thought) messaging system that connects 11,000 financial institutions and sends around 25m messages a day, helping to settle billions of dollars-worth of transactions. They then sent 35 false payment orders from Bangladesh Bank, via SWIFT, to the central bank’s account at the Fed.
Experts think it likely that several more such efforts remain to be discovered. A similar, smaller, one has come to light in which hackers tried to take $1m from a bank in Vietnam, in December. Banks are now looking at limiting the number of people who can access SWIFT, and SWIFT itself has raised the possibility of suspending banks with weak security controls.
These heists give a glimpse of what could lie ahead. Armageddon for banks could take the form of an attack prepared over several months and then carried out over a day or two of mayhem. In this scenario, the motive would be to cause maximum instability, something that worries regulators more than simple theft.
Cyberweapons Aren’t Like Nuclear Weapons
Officials around the world like to compare the two—but the metaphor is incorrect, and dangerous.
By Patrick Cirenza
Mar 15 2016
“If Internet security cannot be controlled, it’s not an exaggeration to say the effects could be no less than a nuclear bomb,” said Gen. Fang Fenghui, chief of general staff of the People’s Liberation Army of China, in April 2013. Fang is not alone in drawing comparisons between nuclear weapons and cyberweapons during the past few years. Secretary of State John Kerry responded to a cybersecurity question during his confirmation hearings in January 2013 by saying, “I guess I would call it the 21stcentury nuclear weapons equivalent.” That same year, Russian Deputy Prime Minister Dmitry Rogozin praised cyberweapons for their “first strike” capability. Since 2013, a number of leaders in the U.S. national security establishment—including former National Security Adviser Brent Scowcroft in January 2015, Adm. Michael Rogers of Cyber Command in March 2015, and Director of National Intelligence James Clapperin February of this year—have stated that the threat posed by cyberweapons is comparable to, or greater than, that of nuclear weapons. The list of high-ranking officials who have made an analogy between the fundamentally different nuclear and cyberweapons systems, and are using this flawed analogy as a basis for policy, is a long one.
On the surface, the analogy is compelling. Like nuclear weapons, the most powerful cyberweapons—malware capable of permanently damaging critical infrastructure and other key assets of society—are potentially catastrophically destructive, have short delivery times across vast distances, and are nearly impossible to defend against. Moreover, only the most technically competent of states appear capable of wielding cyberweapons to strategic effect right now, creating the temporary illusion of an exclusive cyber club. To some leaders who matured during the nuclear age, these tempting similarities and the pressing nature of the strategic cyberthreat provide firm justification to use nuclear deterrence strategies in cyberspace. Indeed, Cold War–style cyberdeterrence is one of the foundational cornerstones of the 2015 U.S. Department of Defense Cyber Strategy.
However, dive a little deeper and the analogy becomes decidedly less convincing. At the present time, strategic cyberweapons simply do not share the three main deterrent characteristics of nuclear weapons: the sheer destructiveness of a single weapon, the assuredness of that destruction, and a broad debate over the use of such weapons.
The development of fission and then fusion nuclear weapons made it possible to inflict truly unacceptable costs upon an adversary. The invention of delivery technologies—such as secure second-strike capabilities, intercontinental ballistic missiles, and nuclear payloads with multiple independently targetable re-entry vehicles—guaranteed the credibility of the threat. And finally, the vibrant and interconnected debates within government, academia, and think tanks about the use of nuclear weapons have guided policy and technology toward an outcome of stable deterrence. By contrast, strategic cyberweapons have not met these criteria.
Skype finalizes its move to the cloud, ignores the elephant in the room
The move away from peer-to-peer has its virtues, but much is left unanswered.
By PETER BRIGHT
Jul 20 2016
It has been a slow transition, but Skype is finalizing its move away from a peer-to-peer system to a cloud-based one.
When it was first created, the Skype network was built as a decentralized peer-to-peer system. PCs that had enough processing power and bandwidth would be elected as “supernodes” and used to coordinate connections between other machines on the network. Similarly, text, voice, and video traffic would flow between peers, directly when possible (when intervening firewalls and routers were cooperative) or indirectly through other systems on the network when required.
This peer-to-peer system was generally perceived as being relatively private; with no central servers the assumption was that there was no central ability to perform wiretaps or other forms of eavesdropping. This belief was in fact mistaken.
The peer-to-peer connectivity brought with it certain problems, too. When large numbers of peers went offline—as happened in 2011 when a software bug made clients crash en masse—the system collapsed, as there were too few active nodes to create a fully connected network. Peer-to-peer connectivity also has some privacy issues; the exposure of IP addresses to peers was abused to perform denial of service attacks against victims, a problem that became distressingly common in the world of e-sports.
The Skype network was also designed for a world of permanently connected desktop PCs, with both bandwidth and processor power to spare. The growth of mobile computing and smartphones upset that assumption, adding a large number of Skype clients that were only intermittently connected and lacked the excessive bandwidth, processor power, and battery life to support acting as supernodes.
To help stabilize its network, Microsoft added dedicated supernodes in 2012 to ensure that there was a permanently available mesh of supernode systems regardless of the current client mix connected. However, it still used the peer-to-peer mesh of clients and supernodes.
Since then, Microsoft has developed a more conventional client-server network, with clients that act as pure clients and dedicated cloud servers. The company is starting to transition to this network exclusively. This transition means that old peer-to-peer Skype clients will cease to work. Clients for the new network will be available for Windows XP and up, OS X Yosemite and up, iOS 8 and up, and Android 4.03 and up. However, certain embedded clients—in particular, those integrated into smart TVs and available for the PlayStation 3—are being deprecated, with no replacement. Microsoft says that since those clients are little used and since almost every user of those platforms has other Skype-capable devices available, it is no longer worth continuing to support them.
As well as addressing certain constraints of the peer-to-peer network, the new cloud-based system is used to underpin various other Skype features. For example, on the peer-to-peer network file transfers required the recipient to be present and to accept the transfer (with the file subsequently transported directly between the clients). File transfers on the new network go via the cloud, allowing fire-and-forget transfers, even to recipients that are temporarily away. This also allows a file to be downloaded by multiple recipients, or by the same recipient on multiple systems, without needing it to be retransmitted from the sender each time. The new voice and video messaging capabilities operate similarly, using cloud storage to hold voice and video messages even when the receiving client isn’t available.
[Note: This item comes from friend Mike Cheponis. DLH]
Instead of asking, “are robots becoming more human?” we need to ask “are humans becoming more robotic?”
By Olivia Goldhill
Jul 23 2016
For more than 65 years, computer scientists have studied whether robots’ behavior could become indistinguishable from human intelligence. But while we’ve focused on machines, have we ignored changes to our own capabilities? In a book due to be published next year, Being Human in the 21st Century, a law professor and a philosopher argue that we’ve overlooked the equally important, inverse question: Are humans becoming more like robots?
In 1950, computer scientist Alan Turing put forward what’s now known as the “Turing Test.” Essentially, Turing proposed that a key test of machine thinking is whether someone asking the same questions to both a human and a robot could tell which is which. This has since become an important method to evaluate artificial intelligence, with regular Turing Test competitions to determine the extent of robots’ growing ability to mimic human behavior.
But Brett Frischmann, professor at Cardozo law school, and Evan Selinger, philosophy professor at Rochester Institute of Technology, argue that we need an inverse Turing Test to determine to what extent humans are becoming indistinguishable from machines. Frischmann, who has published a paper on the subject, says that changes in technology and our environment are slowly, but surely, making humans more machine-like.
You’ve probably heard people complain that technology is dehumanizing or that someone they know is acting “like a machine.” Earlier this year, US senator Marco Rubio was compared to a short-circuiting robot after he repeated the same scripted lines in a Republican debate. Frischmann also points out that it’s often hard to tell whether a call-center operator is human or robot at first, and Amazon warehouse employees have said that the degree of automated control involved in their work means, “We are machines, we are robots.”
These may seem like small examples, says Frischmann, but taken together they’re “meaningful.”
What does it mean to be human?
In order to test whether humans are becoming more machine-like, it’s important to define what makes us distinctively human. Philosophers have long considered this question, and often define human traits by comparing us to another category—typically, animals.
Frischmann and Selinger instead consider what distinguishes humans from machines. Several of these traits involve intelligence: common sense, rational thinking, and irrational thinking are all intrinsically human. Frischmann points out that, as humans, our emotions sometimes make us behave irrationally. “If we engineered an environment within which humans were always perfectly rational, then they’d behave like machines in a way we might be worried about,” he adds.