supply-chain attack

6 results


pages: 523 words: 154,042

Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks by Scott J. Shapiro

3D printing, 4chan, active measures, address space layout randomization, air gap, Airbnb, Alan Turing: On Computable Numbers, with an Application to the Entscheidungsproblem, availability heuristic, Bernie Sanders, bitcoin, blockchain, borderless world, Brian Krebs, business logic, call centre, carbon tax, Cass Sunstein, cellular automata, cloud computing, cognitive dissonance, commoditize, Compatible Time-Sharing System, Computing Machinery and Intelligence, coronavirus, COVID-19, CRISPR, cryptocurrency, cyber-physical system, Daniel Kahneman / Amos Tversky, Debian, Dennis Ritchie, disinformation, Donald Trump, double helix, Dr. Strangelove, dumpster diving, Edward Snowden, en.wikipedia.org, Evgeny Morozov, evil maid attack, facts on the ground, false flag, feminist movement, Gabriella Coleman, gig economy, Hacker News, independent contractor, information security, Internet Archive, Internet of things, invisible hand, John Markoff, John von Neumann, Julian Assange, Ken Thompson, Larry Ellison, Laura Poitras, Linda problem, loss aversion, macro virus, Marc Andreessen, Mark Zuckerberg, Menlo Park, meta-analysis, Minecraft, Morris worm, Multics, PalmPilot, Paul Graham, pirate software, pre–internet, QWERTY keyboard, Ralph Nader, RAND corporation, ransomware, Reflections on Trusting Trust, Richard Stallman, Richard Thaler, Ronald Reagan, Satoshi Nakamoto, security theater, Shoshana Zuboff, side hustle, Silicon Valley, Skype, SoftBank, SQL injection, Steve Ballmer, Steve Jobs, Steven Levy, Stuxnet, supply-chain attack, surveillance capitalism, systems thinking, TaskRabbit, tech billionaire, tech worker, technological solutionism, the Cathedral and the Bazaar, the new new thing, the payments system, Turing machine, Turing test, Unsafe at Any Speed, vertical integration, Von Neumann architecture, Wargames Reagan, WarGames: Global Thermonuclear War, Wayback Machine, web application, WikiLeaks, winner-take-all economy, young professional, zero day, éminence grise

Smith, David Lee Snoop Dogg Snowden, Edward: background of; citizen surveillance revelations of; on foreign cyberespionage tactics; public opinion of social inequities software development, see programming and software development SolarWinds supply-chain attack Solomon, Alan solutionism Spafford, Eugene speculative execution attacks SQL injections Stellarwind Sterritt, Aaron Stimson, Henry Stone, Roger stressor services Stuxnet Sudduth, Andy Sunstein, Cass supply-chain attacks surveillance; capitalism; government; see also cyberespionage; espionage Swimmer, Morton Tait, Matt Tamene, Yared TCP/IP protocols Telnet Terminator (movie) Thaler, Richard Thomas, Bob Thompson, Ken 3D printer metaphor Tilly, Charles time-sharing systems: CompuServe origins and; CTSS T-Mobile: hacking customer accounts; Hilton hack and; security vulnerabilities of; Sidekick cell phones Todorov, Todor (Commander Tosh) Tomlinson, Ray Totcheva, Katrin Trojan horse Trump, Donald; Access Hollywood scandal; China trade war under; DNC hack and; Russia and 2016 election of; WikiLeaks and Clinton campaign against Turing, Alan: discoveries of; on metacode limits; movie about; physicality principle and; proof Turing Test Tversky, Amos 2001: A Space Odyssey (movie) UC, see universal constructor Ukraine; phishing capitalizing on stereotype of; Russian cyberwarfare with; Russian kinetic war with United Nations Charter (on warfare) United States, cyberwarfare of universal constructor (UC) University of Utah University of California at Berkeley UNIX: Apple operating systems and; creation; development; DOS compared with; FOSS for; Morris, R., Sr., work on; Morris Worm and vulnerabilities of; security issues; SENDMAIL backdoor on; success; Thompson development of; vulnerabilities of upcode: criminal; cyber clubs of nation-states and; cybersecurity role of; cyberwarfare; definition of; downcode relation to; of espionage; evolution of; global; hackers; internet development and; legal; NSA; solutions; UNIX 
developers and; virus exploiting Usenet Vascina virus VAX VMM Security Kernel VDoS Verizon Vessey, John, Jr.

SolarWinds has a vast customer base of three hundred thousand private clients and thirty-two key U.S. government agencies, including the Pentagon, Cyber Command, FBI, Treasury, and the Departments of Homeland Security, Commerce, and Health and Human Services. In March 2020, SolarWinds had pushed a “patch” that was intended to fix security vulnerabilities but ultimately implanted malware on its clients. Known as a supply-chain attack, the hack infiltrated eighteen thousand networks. Not only were major agencies of the U.S. government compromised, including the Pentagon, the Department of Justice, and the Treasury Department, but SolarWinds’ global reach meant that NATO, the U.K. government, and the European Parliament were also affected.

Imposing financial penalties for data breaches is one way to ensure that companies do not furnish cybercriminals with the goods they need to run their businesses.

B. CYBERESPIONAGE

Recall the SolarWinds hack described in the introduction: Russian intelligence (most likely Cozy Bear) infiltrated eighteen thousand computer networks across the globe through a clever supply-chain attack. It compromised SolarWinds’ update servers and planted malware inside “patches.” When the company pushed an update in March 2020, Russian intelligence had access to the thousands of companies and government agencies who trusted SolarWinds. Given the enormity of the compromise, American politicians responded with fury.


pages: 306 words: 82,909

A Hacker's Mind: How the Powerful Bend Society's Rules, and How to Bend Them Back by Bruce Schneier

4chan, Airbnb, airport security, algorithmic trading, Alignment Problem, AlphaGo, Automated Insights, banking crisis, Big Tech, bitcoin, blockchain, Boeing 737 MAX, Brian Krebs, Capital in the Twenty-First Century by Thomas Piketty, cloud computing, computerized trading, coronavirus, corporate personhood, COVID-19, cryptocurrency, dark pattern, deepfake, defense in depth, disinformation, Donald Trump, Double Irish / Dutch Sandwich, driverless car, Edward Thorp, Elon Musk, fake news, financial innovation, Financial Instability Hypothesis, first-past-the-post, Flash crash, full employment, gig economy, global pandemic, Goodhart's law, GPT-3, Greensill Capital, high net worth, Hyman Minsky, income inequality, independent contractor, index fund, information security, intangible asset, Internet of things, Isaac Newton, Jeff Bezos, job automation, late capitalism, lockdown, Lyft, Mark Zuckerberg, money market fund, moral hazard, move fast and break things, Nate Silver, offshore financial centre, OpenAI, payday loans, Peter Thiel, precautionary principle, Ralph Nader, recommendation engine, ride hailing / ride sharing, self-driving car, sentiment analysis, Skype, smart cities, SoftBank, supply chain finance, supply-chain attack, surveillance capitalism, systems thinking, TaskRabbit, technological determinism, TED Talk, The Wealth of Nations by Adam Smith, theory of mind, TikTok, too big to fail, Turing test, Uber and Lyft, uber lyft, ubercab, UNCLOS, union organizing, web application, WeWork, When a measure becomes a target, WikiLeaks, zero day

That’s a lot of vulnerable networks, and it’s inconceivable that the SVR would try to penetrate them all. Instead, it chose carefully from its cornucopia of vulnerable victims to find the most valuable prospects. This is known as a “supply chain attack,” because the SVR didn’t attack any of those networks directly. Instead, it attacked a software system that all of those networks used. Supply chain attacks are a clever way to attack systems, because they can affect thousands at once. Other examples of this kind of attack include hacking the Google Play store to include a fake app, or intercepting network equipment in the mail to install eavesdropping capabilities (the NSA has done that one).
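The mechanism the SolarWinds excerpts above and this passage describe, a compromised update channel that hands a trojanized "patch" to every customer at once, is exactly what signed-update verification is meant to catch, and also where its limit lies. The Go program below is an added example, not code from either book or from any vendor: a client pins the vendor's Ed25519 public key, checks the signature on a manifest of SHA-256 digests, and only then accepts an artifact. The artifact name `agent.dll`, the version string and the payload bytes are constructed for illustration. It replays four deliveries of the same update: a clean one, one where the update server swaps the artifact, one where the server also rewrites the manifest, and one where the backdoor was inserted before the vendor signed. The last case is the caveat a practitioner should carry away: signature checks authenticate the distribution channel, not the build behind it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists the SHA-256 digest of every artifact in a release. The vendor
// signs the serialized manifest; the client trusts no digest outside that signature.
type Manifest struct {
	Version   string            `json:"version"`
	Artifacts map[string]string `json:"artifacts"` // artifact name -> hex SHA-256
}

// SignedManifest is what the update server serves alongside the artifacts.
type SignedManifest struct{ Manifest, Signature []byte }

func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// buildRelease hashes each artifact into a manifest. encoding/json sorts map keys,
// so identical artifacts always serialize to identical bytes for signing.
func buildRelease(version string, artifacts map[string][]byte) ([]byte, error) {
	m := Manifest{Version: version, Artifacts: map[string]string{}}
	for name, data := range artifacts {
		m.Artifacts[name] = digest(data)
	}
	return json.Marshal(m)
}

func signManifest(priv ed25519.PrivateKey, manifest []byte) SignedManifest {
	return SignedManifest{Manifest: manifest, Signature: ed25519.Sign(priv, manifest)}
}

// VerifyUpdate is the client-side check: a vendor key pinned at install time
// authenticates the manifest, and the manifest authenticates the payload bytes.
// Neither the key nor the expected digest may come from the server being checked.
func VerifyUpdate(pinned ed25519.PublicKey, sm SignedManifest, name string, payload []byte) error {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return fmt.Errorf("manifest unparsable: %w", err)
	}
	want, ok := m.Artifacts[name]
	if !ok {
		return fmt.Errorf("artifact %q not listed in signed manifest", name)
	}
	if got := digest(payload); got != want {
		return fmt.Errorf("artifact %q digest mismatch: got %s want %s", name, got[:12], want[:12])
	}
	return nil
}

// Scenarios pushes four deliveries of one update through VerifyUpdate and reports
// which ones the client accepts (true) or refuses (false).
func Scenarios() (map[string]bool, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Attacker key from a fixed seed: any key other than the vendor's will do here.
	attackerPriv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	// Constructed sample payloads standing in for a vendor agent binary.
	clean := []byte("agent.dll build 2020.2 (constructed sample bytes)")
	backdoored := []byte("agent.dll build 2020.2 + beacon to attacker C2 (constructed sample bytes)")
	genuine, err := buildRelease("2020.2", map[string][]byte{"agent.dll": clean})
	if err != nil {
		return nil, err
	}
	forged, err := buildRelease("2020.2", map[string][]byte{"agent.dll": backdoored})
	if err != nil {
		return nil, err
	}
	signed := signManifest(vendorPriv, genuine)
	accepted := func(e error) bool { return e == nil }
	return map[string]bool{
		// Honest build, honest server.
		"clean": accepted(VerifyUpdate(vendorPub, signed, "agent.dll", clean)),
		// Compromised update server swaps the artifact; the signed manifest still disagrees.
		"swapped_artifact": accepted(VerifyUpdate(vendorPub, signed, "agent.dll", backdoored)),
		// Server also rewrites the manifest, but can only sign with its own key.
		"swapped_manifest_and_artifact": accepted(VerifyUpdate(vendorPub, signManifest(attackerPriv, forged), "agent.dll", backdoored)),
		// Compromise upstream of signing: the vendor key signs a backdoored build and the
		// client accepts it. Signing protects the distribution channel, not the build itself.
		"backdoored_before_signing": accepted(VerifyUpdate(vendorPub, signManifest(vendorPriv, forged), "agent.dll", backdoored)),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-30s accepted=%v\n", name, ok)
	}
}
```

Run it with `go run .`. The pinned public key has to be baked into the client or obtained over a channel independent of the update server; if the client fetches the key from the same server, the third scenario collapses into the first and an attacker who owns the server simply ships their own key. The fourth scenario shows why that still is not enough: verifying the build itself (reproducible builds, or an independent rebuild compared against the published digest) is a separate control from verifying the download.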

See wealth/power private equity, 101–2 Protestant Reformation, 72 psychotherapy, 217 pump-and-dump, 80–81 Quibi, 100–101 ranked-choice voting, 171 real estate hacks, 86–88 reciprocation, 217 recommendation engines, 236 Reconstruction, 161–62 red-teaming, 56, 77, 126–27, 149 Redeemers, 161–62 regulation accountability and, 68 banking, 74 financial exchange hacks and, 84 governance systems, 245–48 market hacks and, 94 real estate hacks and, 87–88 See also regulation avoidance regulation avoidance, 123–27 financial exchange hacks and, 82 gig economy and, 123–25, 264n jurisdictional rules and, 131 regulatory capture, 75–77, 91, 116–18 ride-sharing apps and, 123–24, 264n “too big to fail” hack and, 97 wealth/power advantages and, 121 Regulation Q, 74, 75 regulatory capture, 75–77, 91, 116–18 religious hacks, 71–72, 73, 85, 111, 139–40, 260n resilience, 28, 67–68 responsible disclosure, 89–90 rewards, 184, 186, 231–35, 240 ride-sharing apps, 99, 100, 101, 116, 123–25, 264n Riegle-Neal Interstate Banking and Branching Efficiency Act (1994), 75 risk analysis, 195–96 robotics, 208, 217–19, 222–23 See also AI hacking; AI systems Rodriguez, Alex, 170 Rodríguez, Jose, 170 Roombas, 217 Rosenblum, Jeremy, 126–27 rules, 18–19, 25, 232 Russell, Stuart, 233 Sahu, Lakhan, 170–71 Saunders, Don, 31 script kiddies, 22 secure systems design, 59, 85 Securities Act (1933), 82 Securities Exchange Act (1934), 80 Sedol, Lee, 212 segmentation, 60 self-driving cars, 209–10 SGT STAR, 188 shoplifting, 63, 68 SIM swapping, 191 simplicity, 59, 80 Siri, 217 skimming, 33 Smith, Adam, 93 social engineering, 191–92, 216 social media, 184–85, 186–87 soft money, 169 SoftBank, 99 SolarWinds, 54–55, 60, 145 South Carolina v. 
Katzenbach, 164 spam, 46–47 spear phishing, 192 Spectre, 48 sponsored content, 194 spoofing, 81, 82 sports hacks, 41–44, 46, 103, 259n Summers, Larry, 97 sumptuary laws, 110 supply chain attacks, 145 Susskind, Jamie, 248 Suzuki, Daichi, 42 systems additional for hacking defense, 54, 60 biological, 19–20 defined, 17–18, 19 hierarchy and, 200 multiple levels of, 32 norms and, 66–67 resilience in, 152 rigidity of, 27 rules and, 18–19 thinking based on, 20 TaskRabbit, 124 Tata, Anthony, 160 tax code bugs in, 14–15 complexity of, 13–14 See also tax hacks Tax Cuts and Jobs Act (2017), 14, 15–16, 129, 146–47, 149 tax hacks architecture and, 109 creative hackers and, 22 cum-ex trading, 104–5 de minimis rule and, 249 defenses against, 15–16, 51, 61 jurisdictional rules and, 128–31 morality and, 263n wealth/power advantages and, 120 tax havens, 128–31 Tay (chatbot), 210 technological change, 251–52 telephone hacks, 26–27, 46 Terminator, 243 terrorism, 196 Tetzel, Johann, 72, 260n Theranos, 101 Thiel, Peter, 3, 4 threat modeling, 62–63, 64–65, 96 title-only bills, 154 “too big to fail” hack, 95–98 travel hacks, 179–80 trespass law, 135–36 tribal courts, 113 tribalism, 196–97 Troubled Asset Relief Program, 96 Trump, Donald banking hacks and, 77 cognitive hacks and, 182 destruction as result of hacking and, 173 legislative process hacks and, 147 norms and, 66–67 payday loans and, 126 social media and, 185 tax hacks and, 105 trust hacking, 27, 191–94, 218 TurboTax, 190 turducken, 110, 263n Turkle, Sherry, 218–19 Twenty-Fourth Amendment, 164 Twitter, 81 typos, 84–85 Uber, 99, 100, 101, 116, 123, 125, 264n unemployment insurance, 132–33 United Nations Convention on the Law of the Sea (1994), 130 user interface design, 189–90 Vacancies Reform Act (1998), 160 variable rewards, 186 venture capital (VC), 99–101, 125 Violence Against Women Act (2013), 114 voice assistants, 217 Volcker Rule, 77 Volkswagen, 234 Voltaire, 172 voter eligibility hacks, 161–63 voter ID laws, 164–65 Voting 
Rights Act (1965), 164 vulnerabilities acceptance of, 16 AI ability to find, 229–30, 238–39 ATM hacks and, 31, 33, 34 bugs as, 14–15 hacking as parasitical and, 48, 49 hacking hierarchy and, 201 hacking life cycle and, 21 identifying, 56–57, 77–78, 237–38 legislative process hacks and, 147–48, 267n of AI systems, 4, 209–11, 226–27 real estate hacks and, 86 responsible disclosure, 89–90 secure systems design and, 59 zero-day, 90 See also patching Walker, Scott, 166–67 WannaCry, 50 Warner, Mark, 190 Watts, Duncan, 97 wealth/power access and, 22 administrative burdens and, 134 democratic growth and, 250 election hacks and, 168–71 hacking advantages of, 103–4, 119–22 hacking governance systems and, 248 hacking normalization and, 73, 104, 119, 120, 122 impact on vulnerability patches and, 24 market hacks and, 97 trust breakdown and, 251 West, Kanye, 170 Westphal, Paul, 41 WeWork, 100 WikiLeaks, 191 Wilson, Edward O., 251 Winston, Patrick, 206 Women, Infants, and Children (WIC) program, 134 work-to-rule, 115–16, 121 YouTube, 185, 236 Zelenskyy, Volodymyr, 193 zero-day vulnerabilities, 90 Zone of Death jurisdictional loophole, 112–13 Zuckerberg, Mark, 94 Zuckerman, Ethan, 183 ALSO BY BRUCE SCHNEIER We Have Root Click Here to Kill Everybody Data and Goliath Carry On Liars and Outliers Cryptography Engineering Schneier on Security Practical Cryptography Beyond Fear Secrets and Lies The Twofish Encryption Algorithm The Electronic Privacy Papers E-Mail Security Protect Your Macintosh Applied Cryptography Copyright © 2023 by Bruce Schneier All rights reserved First Edition For information about permission to reproduce selections from this book, write to Permissions, W.


pages: 448 words: 117,325

Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World by Bruce Schneier

23andMe, 3D printing, air gap, algorithmic bias, autonomous vehicles, barriers to entry, Big Tech, bitcoin, blockchain, Brian Krebs, business process, Citizen Lab, cloud computing, cognitive bias, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, cuban missile crisis, Daniel Kahneman / Amos Tversky, David Heinemeier Hansson, disinformation, Donald Trump, driverless car, drone strike, Edward Snowden, Elon Musk, end-to-end encryption, fault tolerance, Firefox, Flash crash, George Akerlof, incognito mode, industrial robot, information asymmetry, information security, Internet of things, invention of radio, job automation, job satisfaction, John Gilmore, John Markoff, Kevin Kelly, license plate recognition, loose coupling, market design, medical malpractice, Minecraft, MITM: man-in-the-middle, move fast and break things, national security letter, Network effects, Nick Bostrom, NSO Group, pattern recognition, precautionary principle, printed gun, profit maximization, Ralph Nader, RAND corporation, ransomware, real-name policy, Rodney Brooks, Ross Ulbricht, security theater, self-driving car, Seymour Hersh, Shoshana Zuboff, Silicon Valley, smart cities, smart transportation, Snapchat, sparse data, Stanislav Petrov, Stephen Hawking, Stuxnet, supply-chain attack, surveillance capitalism, The Market for Lemons, Timothy McVeigh, too big to fail, Uber for X, Unsafe at Any Speed, uranium enrichment, Valery Gerasimov, Wayback Machine, web application, WikiLeaks, Yochai Benkler, zero day

Before that the quite annoying machines. And before them the arrogant unpleasant machines.” I think we’ll see any new security risks coming long before they get here.

OUR SUPPLY CHAINS ARE INCREASINGLY VULNERABLE

There’s another class of attacks that we have addressed only peripherally, and that’s supply-chain attacks. These are attacks that target the production, distribution, and maintenance of computers, software, networking equipment, and so on—everything that makes up the Internet+, which means everything. For example, there is widespread suspicion that networking products made by the Chinese company Huawei contain government-controlled backdoors, and that computer security products from Kaspersky Lab are compromised by the Russian government.


., 190 wiretapping by, 168 FDA, 137, 145, 151 Federal Communications Commission (FCC), 149 FedRAMP, 123 Felten, Ed, 223 financial crisis (2008), 125–26 FinFisher, 64–65 FireEye, 42 flash crash, 85 Ford Foundation, 224 Fort Hood shooting (2009), 202 Freeh, Louis, 193 FTC, 148, 154 Gamma Group, 30, 65 Gartner tech analyst firm, 101 GDPR (General Data Protection Regulation) [EU], 151, 184–88 Geer, Dan, 163, 217 George, Richard, 170 Gerasimov Doctrine, 71 Germany, BSI and BND in, 173 GGE (Group of Governmental Experts), UN, 158 Gmail, 153 Goldsmith, Jack, 163 Google: Advanced Protection Program, 47 censorship by, 60 controls exerted by, 61, 62 and EU regulations, 185 identification systems in, 199 lobbying by, 154 state investigation of, 187 surveillance via, 58–59, 169, 196 governments, 144–59 asymmetry between, 91–92 censorship by, 60 and defense over offense, 160–79 functions of, 10 and industry, 176–79 information sharing by, 176 and infrastructure, 117 insecurity favored by, 57 international cooperation, 156–59 international espionage, 171–72 jurisdictional arbitrage, 156 and liability law, 128–33 lobbying of, 154–55 mistrust of, 208, 220 policy challenges in, 99, 100–101, 192–206 regulatory bodies, 121, 144, 150–52, 156–59, 192 and security standards, 167 supply-chain attacks on, 87–89 surveillance by, 64–68, 172, 195, 208 vulnerability disclosure by, 163 Greer, John, 126 GTT Communications, 115 Gutenberg, Johannes, 24 hacking: catastrophic, 9, 16, 217 class breaks, 33, 95 contests in, 85 costs of, 102–3 cyberweapons in, 73 increasing threat of, 79 international havens of, 156 through fish tank, 29 hacking back, 203–4 HackingTeam, 30, 45, 65 HAMAS, 93 Hancock Health, 74 harm, legal definition of, 130 Harris Corporation, 168 Hathaway, Melissa, 114 Hayden, Michael, 170 Healey, Jason, 158, 160 Heartbleed, 21, 114–15 Hello Barbie (doll), 106 Hilton Hotels, 185 Hizballah, 93 Honan, Mat, 29 Hotmail, 153 HP printers, 62 Huawei (Chinese company), 87 Human Rights Watch, 
223 humans, as system component, 7 IBM, 33 iCloud, 7 hacking of, 78 and privacy, 190 quality standards for, 111, 123, 135 Idaho National Laboratory, 79, 90 identification, 51–55, 199–200 attribution, 52–55 breeder documents for, 51 impersonation of, 51, 75 identity, 44 identity theft, 50–51, 74–76, 106, 171 Ilves, Toomas Hendrik, 221 iMessage, 170 impersonation, 51, 75 IMSI (international mobile subscriber identity), 168–70 industry lobbying groups, 183 information asymmetries, 133–38 information security, 78 infrastructure: critical, use of term, 116 security of, 116–18 Inglis, Chris, 28 innovation, 155 insecurity, 56–77 cost of, 126 criminals’ benefit from, 74–77 and cyberwar, 68–74 insurance industry, 132–33 integrity, attacks on, 78–82 intellectual property theft, 66, 72–73, 75 interconnections, vulnerabilities in, 28–30, 90 International Organization for Standardization (ISO), 140 Internet: advertising model of, 57, 60 changing concepts of, 5, 218 connectivity of, 5, 91, 105–6 demilitarization of, 212–15 dependence on, 89–90 development phase of, 22–23, 157 explosive growth of, 5, 146 global, 7, 16, 161 governance model of, 157 government regulation of, 152–55 horizontal growth of, 146 industry standards for, 23, 122–23 lack of encryption on, 170–72 maintenance and upkeep of, 143 nonlinear system of, 211 private ownership of infrastructure, 126 resilience of, 210–12 as social equalizer, 214, 217 surveillance and control via, 64–68 viral dissident content on, 158 Internet+: authentication in, 49–51 coining of term, 8 cybersecurity safety board for, 177 risks and dangers of, 217–18 simultaneous vulnerabilities in, 94 Internet+ security: closing the skills gap, 141–42 correcting information asymmetries in, 133–38 correcting misaligned incentives in, 124–28 current state of, 9 defense in, see attack vs. 
defense enforcement of, 121 funding maintenance and upkeep in, 143 incentives and policy solutions for, 100–103, 120–43 increasing research in, 142–43 liabilities clarified for, 128–33 litigation for, 121 meanings of, 15–17 and privacy, 9 public education about, 138–41 public policies for, 120–21 standards for, 122–23, 140–41, 157–59 as wicked problem, 11, 99 Internet Engineering Task Force (IETF), 23, 167 Internet of Things (IoT), 5 as computerization of everything, 7 Cybersecurity Improvement Act, 180 in developmental stage, 8 patching of, 37–38 smartphone as controller hub for, 48 Internet Policy Research Initiative, MIT, 224 Investigatory Powers Act (UK), 195 iPhones, 3–4 encryption on, 174, 197 new versions of, 42–43 IPsec, 167 Iran: cyberattack by, 71, 116, 178 hackers in, 45 Stuxnet attack on, 79 Iraq, 212 ISIS, 69, 93 ISPs: connections via, 113–14 Tier 1 type, 115 ISS World (“Wiretappers’ Ball”), 65 jobs, in cybersecurity, 141–42 John Deere, 59–60, 62, 63 Joyce, Rob, 45, 53, 54, 164, 166 Kaplan, Fred, 73 Kaspersky Lab, 29, 74, 87 Kello, Lucas, 71 Kelly, John, 66 Keurig coffee makers, 62 key escrow, 194 KICTANet, Kenya, 214 labeling requirements, 134–35 LabMD, unfair practices of, 130–31 Landau, Susan, 175, 176, 223 Las Vegas shooting (2017), 202 Ledgett, Rick, 163–64, 166 lemons market, 134 Lenovo, 187 letters of marque, 204 Level 3 ISP, 115 liability law, 125, 128–33 Liars and Outliers (Schneier), 101, 209 Library of Congress, 42 license plate scanners, 201 linear systems, 210 Lloyd’s of London, 90 Lynn, William, 198 machine learning, 7, 82–87 adversarial, 84 algorithms beyond human comprehension, 111–12 autonomous, 82–83, 85 Maersk, 71, 94 malware, 26, 30, 196 man-in-the-middle attacks, 49, 169 market economics, and competition, 6 mass shootings, 202 May, Theresa, 197 McConnell, Mike, 198 McVeigh, Timothy, 202 medical devices: bugs in, 41 and government regulations, 151 hacking, 16 and privacy, 151 Meltdown vulnerability, 21 Merkel, Angela, 66 metadata, 
174 Microsoft, 57, 190 Microsoft Office, new versions of, 42, 43 military systems, autonomous, 86 Minecraft video game, 94 miniaturization, 7 Mirai botnet, 29, 37, 77, 94, 130 money laundering, 183 monocultures, vulnerabilities in, 31 Moonlight Maze, 66 “movie-plot threats,” 96 Mozilla, 163 Munich Security Conference, 70 My Friend Cayla (doll), 106 Nader, Ralph, Unsafe at Any Speed, 182 National Cyber Office (NCO), 146–50 National Cyber Security Centre (UK), 173 National Cybersecurity Safety Board (proposed), 177 National Institute of Standards and Technology (NIST), Cybersecurity Framework of, 123, 147 National Intelligence Council, 211–12 National Science Foundation (NSF), 147 National Security Council, 163 National Security Strategy, 117 National Transportation Safety Board, 177 Netflix, 148 net neutrality, 61, 119 network effect, 60 networks: “air gapped,” 118 collective action required of, 23–24 end-to-end model of, 23 firewalls for, 102 iCloud, 111 secure connections in, 113–14, 125 and spam, 100 telephone, 119 New America, 223 New York Cyber Task Force, 213 NOBUS (nobody but us), 164–65, 169, 170 norms, 157–59 North Korea: cyberattack by, 71 cybercrimes by, 76, 157 hacking by, 54, 71, 78 threats by, 70, 72 Norwegian Consumer Council, 105–6 NotPetya malware, 71, 77, 89, 94 NSA: attribution in, 53–55 BULLRUN program, 167–68 credential stealing by, 45 cyberattack tools of, 165–67 on cybersecurity, 86 cyberweapons stolen from, 73 disclosing and fixing vulnerabilities, 162–67 encryption circumvented by, 171, 193 intelligence-gathering hacks by, 116, 118 missions of, 160–61, 172 mistrust of, 208 reorganization (2016) in, 173 and security standards, 167–70 splitting into three organizations, 172–73 supply-chain attacks by, 87 surveillance by, 65, 66–67, 190, 202 NSO Group, 65 Nye, Joseph, 157 Obama, Barack, 66, 69, 92, 117, 163, 180, 208 Ochoa, Higinio O. III, 52 offense vs. defense, see attack vs. defense Office of Personnel Management, hacking of, 45, 79 Office of the Director of National Intelligence (ODNI), 146–47, 148 Oltsik, Jon, 141 One Percent Doctrine, 93–94 Onity, 32, 131 Open SSL, 114 Open Technology Institute, Ranking Digital Rights, 136 Open Web Fellowship program, 223 outcomes-based regulation, 122–23 Pandora Internet Radio, 58 Panetta, Leon, 53, 89 Paradigm Initiative, Nigeria, 214 password: authentication via, 45–46, 47 stealing, 171 password guessing, 33, 46 patching, 34–43 of cyberweapons, 72 inadequacy of, 42 installing patches, 36–38, 108–9 unreliability of, 38–39 of vulnerabilities, 35–36 writing and publishing patches, 38–40 PATRIOT Act, 192 Perrow, Charles, 80, 210 phishing attacks, 45, 46 Plan B: What’s Likely to Happen, 180–91 EU regulation, 184–88 opting out, 188 US inaction, 181–84 what we can do, 188–91 Podesta, John, 46 power stations: blackouts, 29, 90 cyberattacks on, 2, 72, 90, 116, 217 hacking of, 2, 16 on the Internet, 4–5 precautionary principle, 155 “preparing the battlefield,” 69 printers: biological, 95, 217 hacking of, 2–3, 24–25, 91 printing press, invention of, 24 Prisoner’s Dilemma, 124 privacy, and security, 9, 79, 190 privacy laws, 153–54, 185–86 product liability, 131–35 product rating systems, 135–36 professional certification, 140 Project Zero, 36 Proliferation Security Initiative (PSI), 158 protocols, standard, 108 public education, 137, 138–41 public-interest law, 224 Qatar, hacking into, 80 quality standards, 20–21, 34, 107–9 radio spectrum, regulation of, 204–5, 206 ransomware, 26, 74, 77 regulation: EU promotion of, 184–88 smart vs. stupid, 192 regulatory capture, 155 resilience, 210–12 Review Group on Intelligence and Communications Technology, 163 risks, 217–18 catastrophic, 78–96 increasing dependence on Internet, 89–96 integrity and availability attacks, 78–82 and liability law, 128–33 machine-learning algorithms, 82–87 and One Percent Doctrine, 93–94 supply chain vulnerability, 87–89 robocallers, 154 robots, 7, 86–87, 148, 149 Roff, Heather, 213 Rogers, Mike, 81, 86 Rosenstein, Rod, 194, 195, 196 Russia: and athletes’ drug tests, 80 cyber actors in, 81 and cybercrime law, 156 eavesdropping on communications, 195–96 power stations hacked by, 2, 69, 90, 116 and US election process (2016), 35, 40, 45, 71, 78, 80 and weapons of mass destruction, 158 Russian Federal Security Service, 30 Samsung, 135 San Bernardino shooting (2015), 202 Sarbanes-Oxley Act (2002), 128 Saudi Aramco, 116 Sawers, Sir John, 73 SCADA industrial-control systems, 79–82 Scherer, Matthew, 149 script kiddie, use of term, 30 security: in algorithms, 111–12, 148 alternative paradigm of, 34–35 as attacker/defender arms race, 10, 16, 26–28 collective payment for, 102 complexity as enemy of, 27 by design, 106–7, 167–70 encryption for, 171 home, 102 information, 78 of infrastructure, 116–18 military metaphors for, 213 and “movie-plot threats,” 96 no return on investment in, 134 of personal data, 109–11 and quality standards, 34, 107–9, 167 scarcity for, 204 trade-offs in, 19, 47 and transparency, 111 see also Internet+ security security clearances, 177 security dilemma, 73 self-regulation, 121, 136 September 11, 92–96, 147, 192 server-to-server combat, 203 Shackelford, Scott, 213 Signal (messaging app), 170, 196 skimmers, 17 Sklyarov, Dmitry, 41 smart billboards, 7 smart devices: competitive edge of, 5–6 connectivity of, 5, 19 embedded in our bodies, 4 encryption of, 171, 199 hacking of, 3–4 offline functionality of, 108–9 security hub in, 48, 50 security standards for, 107–9 sensors in, 58 surveillance cameras networked with, 4 your data collected and sold on, 57 smart homes, 4, 16 smart refrigerators, 29 smart thermostats, 15 SmartThings, 128–29 SMEX, Lebanon, 214 Smith, Brad, 158, 163 Snow, C.


pages: 214 words: 31,751

Software Engineering at Google: Lessons Learned From Programming Over Time by Titus Winters, Tom Manshreck, Hyrum Wright

anti-pattern, computer vision, continuous integration, defense in depth, en.wikipedia.org, functional programming, Jevons paradox, job automation, loss aversion, microservices, reproducible builds, supply-chain attack, transaction costs, Turing complete

The average tool had a satisfaction rating of 69%.
2. https://buck.build/ and https://www.pantsbuild.org/index.html
3. https://bazel.build
4. https://xkcd.com/1168/
5. https://ant.apache.org/manual/using.html
6. Ant uses the word “target” to represent what we call a “task” in this chapter, and uses the word “task” to refer to what we’ll call “commands”.
7. https://docs.bazel.build/versions/master/toolchains.html
8. https://docs.bazel.build/versions/master/skylark/rules.html
9. https://blog.bazel.build/2017/08/25/introducing-sandboxfs.html
10. Such “software supply chain” attacks are becoming more common: https://blog.sonatype.com/2018-state-of-the-software-supply-chain-report
11. Go recently added preliminary support for modules using the exact same system: https://github.com/golang/go/wiki/Modules
12. https://docs.bazel.build/versions/master/remote-caching.html
13. https://research.google.com/archive/bigtable-osdi06.pdf
14. http://google-engtools.blogspot.com/2011/10/build-in-cloud-distributing-build.html
15. https://docs.google.com/presentation/d/1l6Xyt0DtH7OIp04tzM3WjzDTHt0cl_IbuGToBD_yPYM/edit#slide=id.g3a89e6b664_1_2027
16. https://www.pantsbuild.org/build_files.html
17. https://github.com/bazelbuild/bazel-gazelle
18. Of course, actually removing these dependencies was a whole separate process.


pages: 651 words: 186,130

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth

4chan, active measures, activist lawyer, air gap, Airbnb, Albert Einstein, Apollo 11, barriers to entry, Benchmark Capital, Bernie Sanders, Big Tech, bitcoin, Black Lives Matter, blood diamond, Boeing 737 MAX, Brexit referendum, Brian Krebs, Citizen Lab, cloud computing, commoditize, company town, coronavirus, COVID-19, crony capitalism, crowdsourcing, cryptocurrency, dark matter, David Vincenzetti, defense in depth, digital rights, disinformation, don't be evil, Donald Trump, driverless car, drone strike, dual-use technology, Edward Snowden, end-to-end encryption, failed state, fake news, false flag, Ferguson, Missouri, Firefox, gender pay gap, George Floyd, global pandemic, global supply chain, Hacker News, index card, information security, Internet of things, invisible hand, Jacob Appelbaum, Jeff Bezos, John Markoff, Ken Thompson, Kevin Roose, Laura Poitras, lockdown, Marc Andreessen, Mark Zuckerberg, mass immigration, Menlo Park, MITM: man-in-the-middle, moral hazard, Morris worm, move fast and break things, mutually assured destruction, natural language processing, NSO Group, off-the-grid, offshore financial centre, open borders, operational security, Parler "social media", pirate software, purchasing power parity, race to the bottom, RAND corporation, ransomware, Reflections on Trusting Trust, rolodex, Rubik’s Cube, Russian election interference, Sand Hill Road, Seymour Hersh, Sheryl Sandberg, side project, Silicon Valley, Skype, smart cities, smart grid, South China Sea, Steve Ballmer, Steve Bannon, Steve Jobs, Steven Levy, Stuxnet, supply-chain attack, TED Talk, the long tail, the scientific method, TikTok, Tim Cook: Apple, undersea cable, unit 8200, uranium enrichment, web application, WikiLeaks, zero day, Zimmermann PGP

“It’s hard to find one that’s been compromised,” he told me—albeit not impossible. The Gaucho had come across other hackers’ handiwork before. A major appliance maker—he wouldn’t tell me who—had hired him to investigate its appliances. Sure enough, he confirmed that someone had compromised its firmware in the most sophisticated supply-chain attack he had ever seen, the kind Gosler told me only Tier I nation-states were capable of. “This attack wasn’t the work of cybercriminals—you don’t want to mess with those guys,” the Gaucho said. “This was a nation-state.” That was about all he could share. But it seemed like a logical opening for my next by-now-standard question: “Have you ever sold exploits to brokers or governments?”

., here, here Stuxnet (Natanz worm) comparisons to, here introduction of, here learning from, here legacy, here, here, here, here, here, here, here, here, here, here, here, here a masterpiece, here media, here mentioned, here, here Microsoft Windows exploit, NSA use of, here, here, here, here overview, here retaliation for, here unveiling the plot behind, here Sulzberger, A. G., here Sulzberger, Arthur Jr., here, here, here, here, here Sun Microsystems, here, here Sun Tzu, here supply-chain attacks, here Surlyspawn (NSA), here surveillance resistance movement, here surveillance technology on cell phones, here, here, here, here China, here click-and-shoot, here corrupt use of, here elections interference, here foreign buyers and sellers, here, here foreign governments, here human rights abusers use of, here, here prices, here zero-click infection method, here Sutton, Willie, here SVR (Russia), here, here Sweet Tea (TAO), here Symantec, here, here, here, here Synack, here, here Tailored Access Operations (TAO) unit (NSA).


Four Battlegrounds by Paul Scharre

2021 United States Capitol attack, 3D printing, active measures, activist lawyer, AI winter, AlphaGo, amateurs talk tactics, professionals talk logistics, artificial general intelligence, ASML, augmented reality, Automated Insights, autonomous vehicles, barriers to entry, Berlin Wall, Big Tech, bitcoin, Black Lives Matter, Boeing 737 MAX, Boris Johnson, Brexit referendum, business continuity plan, business process, carbon footprint, chief data officer, Citizen Lab, clean water, cloud computing, commoditize, computer vision, coronavirus, COVID-19, crisis actor, crowdsourcing, DALL-E, data is not the new oil, data is the new oil, data science, deep learning, deepfake, DeepMind, Demis Hassabis, Deng Xiaoping, digital map, digital rights, disinformation, Donald Trump, drone strike, dual-use technology, Elon Musk, en.wikipedia.org, endowment effect, fake news, Francis Fukuyama: the end of history, future of journalism, future of work, game design, general purpose technology, Geoffrey Hinton, geopolitical risk, George Floyd, global supply chain, GPT-3, Great Leap Forward, hive mind, hustle culture, ImageNet competition, immigration reform, income per capita, interchangeable parts, Internet Archive, Internet of things, iterative process, Jeff Bezos, job automation, Kevin Kelly, Kevin Roose, large language model, lockdown, Mark Zuckerberg, military-industrial complex, move fast and break things, Nate Silver, natural language processing, new economy, Nick Bostrom, one-China policy, Open Library, OpenAI, PalmPilot, Parler "social media", pattern recognition, phenotype, post-truth, purchasing power parity, QAnon, QR code, race to the bottom, RAND corporation, recommendation engine, reshoring, ride hailing / ride sharing, robotic process automation, Rodney Brooks, Rubik’s Cube, self-driving car, Shoshana Zuboff, side project, Silicon Valley, slashdot, smart cities, smart meter, Snapchat, social software, sorting algorithm, South China Sea, sparse data, speech recognition, Steve Bannon, Steven Levy, Stuxnet, supply-chain attack, surveillance capitalism, systems thinking, tech worker, techlash, telemarketer, The Brussels Effect, The Signal and the Noise by Nate Silver, TikTok, trade route, TSMC

Defending against data poisoning attacks is, similar to adversarial attacks, an open area of active research. Other methods include supply chain attacks that target machine learning resources that are freely available online, such as datasets, pretrained models, and machine learning libraries. Shared resources and online repositories have been a tremendous boon to the machine learning community, allowing the community to rapidly grow and AI developers to piggyback off others. These resources also pose a vulnerability for supply chain attacks that manipulate these resources. Attackers could poison a publicly available pretrained model that other AI developers use.


pages: 363 words: 105,039

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg

"World Economic Forum" Davos, air freight, air gap, Airbnb, Bellingcat, Bernie Sanders, bitcoin, blockchain, call centre, Citizen Lab, clean water, data acquisition, disinformation, Donald Trump, Edward Snowden, false flag, global supply chain, Hacker News, hive mind, information security, Julian Assange, Just-in-time delivery, Kickstarter, machine readable, Mikhail Gorbachev, no-fly zone, open borders, pirate software, pre–internet, profit motive, ransomware, RFID, speech recognition, Steven Levy, Stuxnet, supply-chain attack, tech worker, undersea cable, unit 8200, uranium enrichment, Valery Gerasimov, WikiLeaks, zero day

., “A Rubicon,” National Security, Technology, and Law, Feb. 5, 2018, www.hoover.org.
EPILOGUE
Even so, less than half a mile: Lily Hyde, “A Bakery in a War Zone,” Roads and Kingdoms, Oct. 6, 2017, https://roadsandkingdoms.com.
APPENDIX SANDWORM’S CONNECTION TO FRENCH ELECTION HACKING
ESET had found: Anton Cherepanov, “TeleBots Are Back: Supply Chain Attacks Against Ukraine,” We Live Security (ESET blog), June 30, 2017, www.welivesecurity.com, archived at bit.ly/2UEDQEo.
BIBLIOGRAPHY
Applebaum, Anne. Red Famine. New York: Doubleday, 2017.
Clarke, Richard, and Robert Knake. Cyber War. New York: HarperCollins, 2010.
Hart, John Limond.


pages: 521 words: 118,183

The Wires of War: Technology and the Global Struggle for Power by Jacob Helberg

"World Economic Forum" Davos, 2021 United States Capitol attack, A Declaration of the Independence of Cyberspace, active measures, Affordable Care Act / Obamacare, air gap, Airbnb, algorithmic management, augmented reality, autonomous vehicles, Berlin Wall, Bernie Sanders, Big Tech, bike sharing, Black Lives Matter, blockchain, Boris Johnson, Brexit referendum, cable laying ship, call centre, Cambridge Analytica, Cass Sunstein, cloud computing, coronavirus, COVID-19, creative destruction, crisis actor, data is the new oil, data science, decentralized internet, deep learning, deepfake, deglobalization, deindustrialization, Deng Xiaoping, deplatforming, digital nomad, disinformation, don't be evil, Donald Trump, dual-use technology, Edward Snowden, Elon Musk, en.wikipedia.org, end-to-end encryption, fail fast, fake news, Filter Bubble, Francis Fukuyama: the end of history, geopolitical risk, glass ceiling, global pandemic, global supply chain, Google bus, Google Chrome, GPT-3, green new deal, information security, Internet of things, Jeff Bezos, Jeffrey Epstein, John Markoff, John Perry Barlow, knowledge economy, Larry Ellison, lockdown, Loma Prieta earthquake, low earth orbit, low skilled workers, Lyft, manufacturing employment, Marc Andreessen, Mark Zuckerberg, Mary Meeker, Mikhail Gorbachev, military-industrial complex, Mohammed Bouazizi, move fast and break things, Nate Silver, natural language processing, Network effects, new economy, one-China policy, open economy, OpenAI, Parler "social media", Peter Thiel, QAnon, QR code, race to the bottom, Ralph Nader, RAND corporation, reshoring, ride hailing / ride sharing, Ronald Reagan, Russian election interference, Salesforce, Sam Altman, satellite internet, self-driving car, Sheryl Sandberg, side project, Silicon Valley, Silicon Valley ideology, Silicon Valley startup, Skype, smart grid, SoftBank, Solyndra, South China Sea, SpaceX Starlink, Steve Jobs, Steven Levy, Stuxnet, supply-chain attack, Susan Wojcicki, tech worker, techlash, technoutopianism, TikTok, Tim Cook: Apple, trade route, TSMC, Twitter Arab Spring, uber lyft, undersea cable, Unsafe at Any Speed, Valery Gerasimov, vertical integration, Wargames Reagan, Westphalian system, white picket fence, WikiLeaks, Y Combinator, zero-sum game

After finding illicit implants in its own servers in China, Amazon ultimately sold off all its Chinese cloud assets, a move one insider described as a decision to “hack off the diseased limb.” Ostensibly, the Obama administration quietly warned key businesses away from Supermicro. The incident, if it indeed occurred, would have constituted “the most significant supply chain attack known to have been carried out against American companies.”57 This is the glaring vulnerability of basing critical supply chains within China’s borders. When the United States built its new embassy in Beijing, officials shipped entire sections of the facility from the States to make it difficult for Chinese operatives to plant bugs during the construction process.58 Yet there are thousands of contractors and subcontractors in China piecing together key equipment that millions of American businesses and consumers rely on every day.


Engineering Security by Peter Gutmann

active measures, address space layout randomization, air gap, algorithmic trading, Amazon Web Services, Asperger Syndrome, bank run, barriers to entry, bitcoin, Brian Krebs, business process, call centre, card file, cloud computing, cognitive bias, cognitive dissonance, cognitive load, combinatorial explosion, Credit Default Swap, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Debian, domain-specific language, Donald Davies, Donald Knuth, double helix, Dr. Strangelove, Dunning–Kruger effect, en.wikipedia.org, endowment effect, false flag, fault tolerance, Firefox, fundamental attribution error, George Akerlof, glass ceiling, GnuPG, Google Chrome, Hacker News, information security, iterative process, Jacob Appelbaum, Jane Jacobs, Jeff Bezos, John Conway, John Gilmore, John Markoff, John von Neumann, Ken Thompson, Kickstarter, lake wobegon effect, Laplace demon, linear programming, litecoin, load shedding, MITM: man-in-the-middle, Multics, Network effects, nocebo, operational security, Paradox of Choice, Parkinson's law, pattern recognition, peer-to-peer, Pierre-Simon Laplace, place-making, post-materialism, QR code, quantum cryptography, race to the bottom, random walk, recommendation engine, RFID, risk tolerance, Robert Metcalfe, rolling blackouts, Ruby on Rails, Sapir-Whorf hypothesis, Satoshi Nakamoto, security theater, semantic web, seminal paper, Skype, slashdot, smart meter, social intelligence, speech recognition, SQL injection, statistical model, Steve Jobs, Steven Pinker, Stuxnet, sunk-cost fallacy, supply-chain attack, telemarketer, text mining, the built environment, The Death and Life of Great American Cities, The Market for Lemons, the payments system, Therac-25, too big to fail, Tragedy of the Commons, Turing complete, Turing machine, Turing test, Wayback Machine, web application, web of trust, x509 certificate, Y2K, zero day, Zimmermann PGP

If you use Ghost (or a thousand similar deployment tools) will everyone need to use the same key to access their data? How are software updates handled? Is it possible for an attacker to send out a bogus update that compromises the system’s security (for example by leaking the encryption key), a so-called supply-chain attack? How are the updates authenticated? Can the user install them or does it require intervention by an administrator? How much proof of authorisation does the person applying the update have to provide in order to install it? If it’s not user-installable, can it be pushed out via a mechanism like Microsoft’s Windows Server Update Services (WSUS)?

This works for things like VoIP boxes that are often owned by, or rented from, a service provider in preconfigured form but that contain user data that needs to be migrated across to any replacement devices (if you are going to do this and you’re worried about fairly dedicated opponents then you need to watch out for a supply-chain attack in which an attacker sends out trojaned hardware, although in the case of VoIP boxes there are far easier ways to get at someone’s voicemail than resorting to measures like this). Another thing that you can do is to opportunistically upgrade your encryption/hashing/digital signature algorithms and mechanisms if you know that the other side can handle the upgrade [707].