Jacob Appelbaum, the Tor Project; Alec Muffett, Facebook software engineer and internet security evangelist
In the near future, professors, journalists, or anyone who wants or needs to remain anonymous on the internet should thank Jacob Appelbaum and Alec Muffett for protecting their privacy.
Only they’re not likely to have heard of the duo who were instrumental in carving out a private corner on the web by getting the Internet Engineering Task Force (IETF) to formally recognize .onion as a Special-use Domain Name.
It’s an accomplishment that Appelbaum, a security researcher and developer, privacy expert and a core member of the Tor Project called “a small and important landmark in the movement to build privacy into the structure of the internet.”
Appelbaum and Muffett, a Facebook software engineer and internet security evangelist, began working to keep .onion from becoming a Top Level Domain (TLD) in 2013, or as Appelbaum calls it, the “Summer of Snowden.”
As a TLD, the domain could have been sold by The Internet Corporation for Assigned Names and Numbers (ICANN).
“Losing control of .onion had the potential to create confusion for all hidden services, not just Facebook,” Muffett says. “This is really about securing the way people connect to Facebook. With our .onion site on the TOR network, people can confidently connect to Facebook knowing their link is genuine and end-to-end secure.”
And Appelbaum adds that “end users now have the security and privacy they thought they had.”
But the designation came after two years of dogged work by Muffet and Appelbaum, who both have more than a passing acquaintance with privacy issues. Appelbaum now resides in Berlin after his own privacy was compromised following the U.S. Justice Department’s push to obtain his email records from Google while investigating his work as a WikiLeaks volunteer. Google was slapped with a gag order forbidding the company from notifying Appelbaum of the government’s request and prompting a slow-burning legal battle when the search engine company refused to turn over the information. [[Alec quote tk]]
As for Muffett, he wasn’t long graduated from college when he wrote the first version of Crack, a Unix password-cracking program that helps systems administrators sniff out users’ weak passwords. While at a later stint at Sun Microsystems, he eventually became principal engineer for security where he collaborated on the successful factorization of RSA-155 and his work in pluggable crypt was eventually used in the Sun MD5 hash algorithm, which used Shakespeare’s “To be or not to be” soliloquy from Hamlet as its constant text. Muffett joked in a 2005 blog that using the soliloquy “ exposes more programmers to Shakespeare, which has got to be a good thing.”
The .onion success came after the Tor Project began working with members of the peer-to-peer community (led by Christian Grothoff) to register a number of Special-Use Domain names, Appelbaum said. “We were strongly encouraged to split out .onion from the other Peer to Peer Names draft.”
Following the same process as Apple used to register .local, the .onion proponents crafted a draft detailing security and privacy considerations, and the recent publication of the special-use domain name by the RFC Editor (as RFC 7686) was a move toward standards that would secure the internet.
“By recognizing .onion as a special use top level domain, IETF has made it easier for other organizations to provide more secure connections for people online,” says Muffett, who contends that “effective security encompasses privacy, integrity and availability.”
But the more secure alternative offered by .onion shouldn’t be readily apparent to the end user, nor should it be disruptive. “If we do this right, users won’t even know,” Appelbaum explains. – Teri Robinson
Joshua Drake, vice president of research, Zimperium Enterprise Mobile Security
In a time of incessant hacks and new vulnerabilities discovered daily, it’s difficult to make computer users more concerned about the security of their personal information. Yet, occasionally, new research stands out and creates an even greater degree of paranoia among technology users.
And so it was when Joshua Drake announced his discovery of Stagefright vulnerabilities.
Drake’s research led to the discovery that Android’s media playback tool could be exploited through a multimedia text message to provide attackers with elevated audio and camera privileges. This meant, effectively, that nearly every Android device was vulnerable to a spyware-infected RAT that allowed an attacker to listen to the conversations and watch the surroundings of victims’ devices.
In July, Drake told SC Magazine that the affected software runs with system privileges on some devices. Apart from these elevated privileges, remote arbitrary code execution allows sophisticated attackers to execute privilege escalation attacks, which would provide complete control of the device, he said.
Drake, who joined Zimperium’s zLabs in April, says that the vulnerabilities are difficult to exploit. Previously, he was director of research science at Accuvant, where he headed up a team of elite vulnerability researchers. He also worked at Rapid7’s Metasploit and VeriSign’s iDefense and he is one of Metasploit’s top contributors. In 2013, he won Pwn2Own 2013 for his discovery of a zero-day exploit of Oracle’s JVM that allowed him to take control of a fully-patched Windows OS within 15 seconds. Previously, in 2010, he won DefCon 18 CTF with the ACME Pharm team.
Drake’s research changed much of the conversation about the devices that we use regularly – and about Android specifically. The Android platform has many complications, Drake said during his presentation at the Black Hat security conference. “Mobility – especially in the Android space – has gotten a bad rap from a lot of people,” he said. “When you start researching Android, you learn this very quickly.”
While Android security has for years been viewed as highly problematic, it was Drake’s discovery that brought this conversation to a more mainstream audience. It was Stagefright that finally convinced Lorenzo Franceschi-Bicchierai, a longtime Android fanboy and information security reporter at Motherboard, to switch to iPhone.
Drake, author of the Android Hacker’s Handbook (2014), has a collection of different Android devices and uses these for ongoing security research projects, calling the collection his “Droid Army.” In his Black Hat presentation, he said he is driven to improve the state of mobile security, increase the visibility of risky code in Android, and “put the Droid Army to good use!”
His discoveries gained enough attention among mainstream users to cause Google to rethink Android’s longtime open source strategy. Open source makes it difficult to ensure quality control since Google relies on device manufacturers to build security into its devices and telecommunications providers to provide timely patches.
Thanks to Drake, Google now wants to build its own chips as the first step toward offering devices that use solely in-house technology. This security-first approach is notable for a company that has long lagged in that area, and is due at least in part to the consumer fury that Stagefright unleashed.
Google’s security team, Project Zero, has focused more of its attention on mobile. In November, the team held a competition to find vulnerabilities on Samsung’s Galaxy 6S Edge. The team announced that it discovered 11 “high-impact security issues.”
Meanwhile, Drake continues to be a thorn in Google’s side. He has continued the original attack, says Samy Kamkar, a security researcher and CTO at Ctrl Me Robotics who discovered GM’s OnStar vulnerability. In August, Drake informed Kaspersky Lab’s Threatpost that a number of additional issues have arisen since he discovered the Stagefright vulnerability.
Further, Chris Wysopal, CTO and CISO of Veracode, says that Stagefright is “Heartbleed for mobile.”
“A lot of people realized that there needed an easier and more methodical approach to providing updates,” says Kamkar. He called Stagefright one of the most powerful attacks he has seen and said it demonstrates “a clear differentiation between Android and iOS.” – Jeremy Seth Davis
Rep. Ted Lieu (D-California)
“The OPM hack was a very large wake-up call to the federal government that it has to do a much better job protecting cyberspace,” says Rep. Ted Lieu, the California Democrat whose own alarm clock had been set for a little earlier.
Lieu has long been visible in the effort to bring cybersecurity to prominence on the legislative agenda – first in the California state legislature and then in the U.S. House of Representatives. In recent months, he’s called for the resignation of OPM Director Katherine Archuleta, petitioned Congress to remove the responsibility for security clearance data from OPM’s grasp (“you wouldn’t ask the Agriculture department to protect nuclear codes”), and traveled to China to discuss cybersecurity, among other issues.
In a Congress often criticized for its lack of technical prowess and inability to get things done, Lieu stands out not only for his efforts to bring cybersecurity front and center, but also his seemingly deep understanding of tech issues.
Of course, with a degree in computer science from Stanford, Lieu has a leg up on his fellow lawmakers, some of whom brag that they don’t use email and only a handful of whom have similar degrees. From his perch within the House Committee on Oversight and Government Reform’s Information Technology Subcommittee, Lieu has kept alive the spark of his boyhood interest in technology. “I’ve always been fascinated with computers,” Lieu told SC Magazine when we caught up to him the week after his trip to China. “I had an Apple II and did some hacking as a kid.”
When he graduated from Stanford, he fully intended to put his computer science degree to work, but about four years in he “came to the conclusion that it was just too hard,” he says. “There were far too many far smarter than me in computer science.”
The un-ambiguity of code was a challenge. “Either the program works or it doesn’t,” says Lieu, who went on to obtain a law degree. “In law you get to make another argument.”
He’s found plenty of “shades of gray” to ply as a lawmaker, first in the California State Senate and now in the U.S. House where he has distinguished himself as a knowledgeable legislator dedicated to upping the country’s game when it comes to both security and privacy.
Even if Congress was more technically astute than many of its members claim, locking down cybersecurity would be no easy task. Lawmakers are challenged to craft meaningful legislation around technology that moves “at a lightning pace,” Lieu notes. “We are not nimble, we are not nuanced. By the time we craft a law that by definition is going to be broad, the technology likely would have changed.”
A law that is too narrow and too prescriptive would paint the country into a very small corner from which it would be difficult to emerge. “I would generally oppose very rigid standards that would have to have an act of Congress,” says Lieu, noting that regulators have an easier time because their policies and regulations can be reversed, changed and modified more quickly. We should have a light touch when it comes to tech legislation, he says.
The success of even sound cybersecurity policy lies far outside Congress’s reach and depends on reigning in (largely unreliable and unpredictable) humans. “Humans make mistakes,” Lieu says. Hackers are very good at getting people to give up information, noting that users aren’t keen on security measures that may seem inconvenient. There needs to be a whole cultural shift, he says, that convinces employees they’re “being bothered because this is important.”
The U.S.’s cybersecurity posture is also affected by outside forces, with nation-states keen on infiltrating public and private sector systems to snatch sensitive information. Lieu and the contingent of Democrats that visited China recently discussed just that shortly after the two countries inked a pact to hamper intellectual property theft. “China is a developed country in many parts and [its companies] have secrets to protect.
While the California congressman says the U.S. – with its recent Cyber Sprint and a new hire to head OPM – has made strides in cybersecurity, more needs to be done. In 2016, he says government must undergo a massive upgrade of cybersecurity, defining it across all agencies, create a new security clearance database outside the authority of the OPM, and implement a full culture shift that makes security a priority.
“There also needs to be a single person at a high level responsible for cybersecurity at agencies,” says Lieu. And, he adds, that person should be given the authority to issue mandates to agencies and review their reports to see if they follow through.
The government, too, has to tread carefully so that in its zeal to safeguard Americans from external and internal attacks, it doesn’t trample the Constitution. “If there is a program, no matter how good it is, if it’s not Constitutional, I won’t support it,” says Lieu. – Teri Robinson
Katie Moussouris, chief policy officer, HackerOne
Beginning as far back as the mid-90s, when she was managing data analysis and bioinformatics projects at MIT, through stints at Symantec and Microsoft, where she specialized in application security, enhanced risk assessments and in 2013 convinced the company to institute a “bug bounty” program to pay researchers for detecting security flaws in its software, Katie Moussouris has exercised leadership with a “pit bull persistence,” as one ally put it.
Formerly a hacker, Linux developer and self-professed persistent disruptor, Moussouris is currently chief policy officer at HackerOne, a San Francisco-based platform provider for coordinated vulnerability response and structured bounty programs. She oversees the company’s philosophy and approach to vulnerability disclosure, advises customers and researchers, and works to “help make the internet safer for everyone.” It’s been reported that her company has detected and mitigated more than 10,000 bugs, including flaws in the code of Twitter, Yahoo, WordPress and Dropbox.
And her belief in the transparency on which her firm is based extends to her advocacy for the rights of security researchers in our new age where the rules are quickly changing. Nowhere is this more evident than in global treaties and best practices, including the Wassenaar Arrangement, a two-decade-old export control agreement among 41 countries — including Russia, E.U. members and the United States. The voluntary regime originally sought to share data on transfers of conventional weapons. But, legislators are currently proposing extending the language to include software and tools used by security researchers and penetration testers. The proposed amended controls, says Moussouris, would interfere with the export of security research and technologies. Indeed, other critics express dismay at the meddling of the U.S. Commerce Department’s Bureau of Industry and Security (BIS), saying the proposed changes would cripple – if not outright kill – the cybersecurity industry. In effect, if the proposals are accepted, a U.S. security researcher who discovers a bug in a foreign company’s software would be obliged to obtain a license before notifying the firm – a big roadblock for bug bounty hunters.
In the July 16 issue of Wired, Moussouris penned an article, “You Need to Speak Up For Internet Security. Right Now.,” in which she warned of the disaster to come – particularly to the security community – should the proposed changes take effect: “The entire Internet ecosystem and everyone who uses technology will suffer the chilling effect on research and advances in defense.” Rather, in a plea to rally support during a comment period for the proposed changes, she called for a letter writing campaign that would “support the innovations that built the internet, not stifle them by passing laws of noble intention but profoundly flawed implementation.”
“Security research and vulnerability disclosure is vital to keeping us all stay safe online and in our daily lives, as more devices and vehicles become connected to the internet,” Moussouris tells SC Magazine. “As long as humans write code, there will always be software vulnerabilities, and we need to draw from the global community when it comes to defense.”
It is key, she says, that organizations are prepared to work with researchers who discover vulnerabilities in their code or infrastructure, and that legislation provide a safe harbor for friendly hackers and encourage this vital security research. The recent exemption provisions in the Digital Millennium Copyright Act (DMCA) for security research and reverse engineering is a positive example of this type of positive legal change, she explains. Governments, she says, can help further by encouraging industries that it regulates to adopt ISO 29147 Vulnerability Disclosure and ISO 30111 Vulnerability handling processes.
These standards, she says, will help new and existing technology deal with vulnerabilities, as critical infrastructure, vehicles and medical devices add more software and connectivity to the internet.
“The FDA was introduced earlier this year to Katie Moussouris and to her extensive accomplishments in the field of vulnerability disclosure and vulnerability process handling,” says Suzanne Schwartz, director, emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health. “Her expertise and innate understanding of the challenges encountered within different communities and among diverse stakeholders with respect to vulnerability disclosure has been of great benefit to the FDA in further evolving our thinking and our approach to medical device cybersecurity within the healthcare and public health sector. We greatly appreciate the insights she has shared with us to date and indeed look forward to working together with her and other researchers as we continue our efforts.”
Michael Sulmeyer, director of the Belfer Center’s Cyber Security Project at the John F. Kennedy School of Government at Harvard University collaborated with Moussouris on a project he runs at the Belfer Center to reduce the national attack surface in cyberspace. “Katie has become the go-to expert for helping institutions work through the pain and promise of disclosing their vulnerabilities,” he says. “She takes her work seriously – but not herself – making her a fantastic colleague. If we listen to Katie, we should all be a little bit safer at the end of the day.”
And, as far as her advocacy to block the proposed changes to the Wassenaar Arrangement, Moussouris explains to SC that the proposed alterations add a broad class of technology to control the export of software that can be used in both lawful interception and in surveillance in order to achieve the stated goal of protecting human rights. “Unfortunately, it also included broad language that swept up tools and techniques that will hinder defenders, who use these tools and techniques to test the security of their systems.”
In particular, the focus on “intrusion software technology” is tackling the wrong end of the issue, she says, and is too broad to be effective without fundamentally hindering internet defense and vulnerability disclosure itself. “We will end up needing so many exceptions to the export rules, that the Wassenaar language will be unenforceable as written. We must review this language with experts in vulnerability disclosure and attack tools and techniques in order to correct this.”
Vulnerability coordination across multiple vendors on the internet, like the case of Heartbleed or Stagefright, is an area that requires more organizations to work together to share vulnerability information before attacks occur, she says, adding that coordinated deployment of patches and mitigations will become more important as complex integrated software, hardware and services are faced with the problem of not just fixing the vulnerability but testing and deploying updates.
“The Android ecosystem is an example, reminding me of the Windows ecosystem before Windows Update existed,” she says. “Business models that leave out how their products will be serviced for security updates after release are like people who go out to eat, but say they can’t afford the gratuity. Perhaps they should have stayed home. Security today has less of a zero-day problem and more of a patch deployment problem.” – Greg Masters
Jay Vijayan, CIO, Tesla Motors
While many in the automotive industry would probably like to forget 2015, one car maker stood out above the rest when it came to protecting its vehicles from cyberthreats, Tesla Motors.
Much of the credit for Tesla’s ability to ride out the wave of cyber problems that confronted car makers is rightly credited to the company’s chief information officer (CIO), Jay Vijayan.
The Palo Alta, Calif.-based auto maker’s test came in early August when researchers from the cybersecurity firms Lookout and Cloudflare found a flaw in the plug-in electric car Tesla Model S, enabling them to crack into the system and turn off and stop the car when it is driving at slow speed. What set Tesla off from the other car makers, who also found themselves on the receiving end of being hacked, was its amazingly quick response.
Under Vijayan’s direction, Tesla’s IT organization patched the hole so quickly that most news reports on the incident cited the flaw being found in the same sentence as the issue being repaired. Additionally, most of the initial report from the guys who were able to hack the Tesla, Kevin Mahaffey and Marc Rogers, focused on how hard it was to complete their task.
The fact that Vijayan’s crew was able to work so quickly should come as no surprise as he was the person who – during the company’s early period and rapid growth phase – laid the foundation systems architecture, called Warp, and built all the core corporate applications and systems infrastructure for Tesla.
“As a business, we had to move extremely fast and also be agile for catalyzing a fundamental change in the automotive industry,” Vijayan told CIOInsight.com, explaining how he decided to create from scratch Tesla’s in-house system. “IT function had the task to enable the business to be operating with the highest speed and agility. To do that, we needed a business operations software/ERP system that is simple, lightweight and flexible enough to satisfy our core business needs.
By having a tech suite tailored to the company, Tesla was able to avoid the medium-sized list of car makers that had their vehicle cybersecurity systems penetrated this summer by researchers. Leading the pack of hackable cars was Fiat Chrysler. A pair of researchers was able to exploit a zero-day vulnerability to remotely control the vehicle’s engine, transmission, wheels and brakes, among other systems, by attacking the vehicle through its infotainment system. The end result was a recall of 1.4 million Jeep Cherokees.
Another factor working in Tesla’s favor is its size and the fact that it has only one product to worry about.
“Tesla is smaller and has only one model so it was easier to make changes and it can make over-the-air [software] updates which the other manufactures can’t do,” says Ron Montoya, senior consumer advice editor at the car buying website Edmunds.com.
Warp enables the over-the-air updates and it can be used to cure any number of problems that arise with a vehicle. Vijayan even told the Wall Street Journal of an incident where a customer noted that his Model S rolled backward slightly when stopped on a hill after the accelerator was pressed. On Vijayan’s order, the patch fixing the issue was created and the tech team set it to be fed to all Tesla vehicles. The next day, the CIO saw the patch download on his own Tesla.
Vijayan, who graduated with a master of science from the University of Madras in India, has been Tesla’s CIO for just over three years. Prior to that, he was at the company for just under a year as vice president, IT and business applications. He began his path to Tesla in 2000, when he was brought on as senior manager, applications development – Fusion for Oracle in 2000 before moving on to VMware in 2007 where he was director of IT enterprise applications and then senior director for that division.
In 2015, Car and Driver magazine acclaimed the Model S as Car of the Century. – Doug Olenick