Fool me once, shame on you. Fool me twice – and I’ll take this satellite to Defcon. How the government is not taking any chances with encryption, especially after the recent leakage of the 2010 Russian breach and would-be secure FBI communications falling victim to decryption; how Mastercard, not wanting to come up against a crypto-shortage, is emptying its wallet to bet on girls in STEM programs; and how bad actors leverage your hard-earned reputation and provide a “responsible” sell on the Dark Web, as we pick apart the headlines in this week’s Encryption Digest.
It seems like every day we hear an opinion about Russian involvement in the intimacies of American politics—voting, social media and relationships with elected officials. This latest news break just adds to the tensions.
The Russian diplomats ousted by the Obama Administration in 2016 may have been guilty of more than meddling in the 2016 election—recent reports reveal involvement in a nation-wide hacking circle, targeting US intelligence agents.
Government officials reported a marked increase in the Russians’ ability to “decrypt certain types of secure communications,” using the breached technology to track federal surveillance teams. The collateral exposure may have also included cracked computers not connected to the internet. All this with equipment that a former CIA official declared “a bit antiquated.”
As a result, the locations of FBI team members were compromised, as may have been the actual communications themselves. This hampered US efforts at a time when US-Moscow tensions were on the rise and put blind spots in homeland Russian surveillance.
“We were neither organized nor resourced to deal with counterintelligence in networks, technical networks, electronic networks,” claims Joel Brenner, former head of U.S. counterintelligence and strategy from 2006 to 2009.
The sentiment was shared by Mike Rogers, who chaired the House Permanent Select Committee on Intelligence from 2011 to 2015. “Counterintelligence was always looked at as the crazy uncle at the party. I wanted to raise it up and give it a robust importance.”
As the US has come to acknowledge foreign powers as a formidable technical threat, encryption, cybersecurity and machine identity management move to become our most resourced tools in a cyberwar that is fought on all grounds.
Women in tech and cryptology related fields are outnumbered five to one. While some stigmas remain and allegations of harassment still surface, Mastercard is playing an assertive role in making the cybersecurity industry available to everyone.
In 2025, women are projected to make up 75% of the consumer market. “How can we possibly create products that are good for consumers if we don’t have representation of that gender in the decision-making and engineering processes?” queries Dana Lorberg, Executive Vice President of Operations and Technology at Mastercard.
To that end, their brainchild initiative Girls4Tech has reached nearly a half million girls in 26 different countries over five years. By 2025, they hope to have influenced one million.
What does a Girls4Tech outreach look like? STEM-based (science, technology, engineering and math) classes are offered with a Mastercard touch – a special focus on fraud detection, data analysis and encryption.
It seems to be taking effect: one middle schooler from New Jersey discovered a knack for sifting through large swaths of data, and another’s Girls4Tech journey led her to computer classes and an Ivy League school. It’s a start.
Will Mastercard's efforts be enough to balance the STEM workforce by 2025? Probably not. But one million more women in crypto will be one million more than we have now.
We associate the military with “top secret.” Only those with upper-echelon clearance can do this, or see that, or go there. So why is the Air Force allowing its multi-multimillion-dollar satellite to be hacked in the middle of Vegas next year?
Because if Defcon doesn’t do it, someone else will.
Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics, explains the rules of the game: a camera on a live orbiting satellite will be open to harassment as teams of pre-selected hackers try to turn it towards the moon. They are to “take over the satellite by any means they find,” according to Roper.
A notoriously hush-key agency, the Air Force is tiptoeing out of its black box to subject its private coding to public scrutiny. And not a moment too late—the Hack the Air Force initiative uncovered an eye-watering 120 flaws last December, and this year’s friendly hacking of an F-15 “could have shut it down.”
They are now relying on the private sector to unleash its baddest—before the bad guys do.
A lot of the less mission-critical components come from smaller companies that don’t have the resources of a Northrop Grumman to put towards cybersecurity—an issue, Roper says, when facing a “peer competitor” like China. “There’s no reason not to do it other than the historical fear that we have [of] letting people external to the Air Force in.”
So what are your chances of hacking an Air Force issued satellite?
“We are still carrying cybersecurity procedures from the 1990s,” Roper drops.
You’ve got a real career if you’re a great actor. It all depends on your big break, and for these fraudsters, it just might have come.
Software companies are the “perfect victim” for these online impresarios, who study public records of company execs and then fake their identities to CAs in order to purchase legitimate code signing certificates. They go so far as to re-route company emails and set up fake domains.
Once in hand, the digital certificates are sold on the dark web. Their current buyers? Malware-spreading sites that are just looking for a little legitimacy.
“Certificates are valuable resources to threat actors, as their mere presence can reduce the chance of early malware detection,” explains Tomislav Pericin, chief architect and co-founder of ReversingLabs, the firm that discovered the operation. “This is particularly true for financially motivated actors.”
The threat actors in question make sure to do their due diligence before the re-sell. Putting the certificates through a public antivirus scanning service, they assure their nefarious clientele that the poached cert will boast a ‘clean bill of health’.
Is nothing sacred? With code signing certificates created to protect code, what will be created to protect code signing? Often those who are the best at managing their machine identities are the ones who are threatening ours.
If cancerous malware sites know enough to sign their code, do you?
Video: “What Would You Do?”
Eddie Glenn, Venafi code signing expert, asks us, “If tomorrow a third party comes to you and says ‘We found malware on the internet and it’s signed with a legitimate code signing certificate from your company’ - what would you do to start tracking that down?”