The White House has suggested four possible options to fix the NSA spying issue according to an article in the Wall Street Journal on February 26. The options have been presented to the U.S. Intelligence Agencies and the Attorney General with a March 28 deadline. Three of the options deal involve restructuring the collection process and the fourth is a drastic move. The options involve:
Option 1: Require phone companies to retain the collected data.
Option 2: Require a government agency other than the NSA to retain the collected data.
Option 3: Require an organization other than phone companies or a government agency to retain the collected data.
Option 4: Scrap the entire NSA collection process and rely on other intelligence gathered to determine threat vectors.
I don't like any of the options myself. Option 1 is foolish. Why would valuable and potentially sensitive data be held by an entity outside the government. Does anyone think they would willingly deploy adequate security measures to protect this data? Does anyone think they have the funds to retain the volume of data? The next issue would involve the public accusing the phone companies of meddling with personal information.
Option 2 is better than option 1 but not very practical. The article suggests that the FBI or the Foreign Intelligence Surveillance Court retain the data. In theory this sounds good. The problem is the FBI would need to beef up staff, equipment and storage capacity. Sounds good on paper until you consider the issues I mentioned. Then there is the final issue... getting the data from the collection points to the FBI. I can't imagine how much bandwidth would be needed to transfer the data to a new collection site. It sounds like a bad idea. Next, considering the Foreign Intelligence Surveillance Court. Hmmm -- this where the judges sit. I would never suggest corruption against any federal judge - but I can see how this could occur when the data and the man with the stick are in the same area. The data and the ruler need to be separated to ensure that no corruption can take place.
Option 3. Nice try on this but this imagine the costs of implementing this solution. Someone (that means you and me) would have to pay for this middleman to coordinate data between the two entities. The number of processes would increase to accomplish the same task. This would involve more people as well. Adding more individuals working on the process. The end result would not be an increase of security. In fact, expecting the level of privacy to increase is like thinking that reducing the number of soldiers in the Army will improve our nations security.
Option 4. I don't know how viable an option this truly is. I have no idea how we are gathering intelligence. In theory, we are already doing this by utilizing the NSA intelligence with other information gathered by other sources to identify targets. It seems like we would be cutting intelligence sources from valuable data.
We must protect this country. I don't like the changes being suggested and implemented. Reducing the efficiency of the NSA and the Army are not wise. I would rather see citizens be asked to man up instead of leaning back and reducing our protection strategy.
This week marks my last week of my current class. I enjoyed another valuable semester of learning from my professor and fellow students.
Wednesday, February 26, 2014
Tuesday, February 11, 2014
Korea's Best of the Best Program
An RSA conference chair, Hugh Thompson described a program in Korea designed to create cyber warriors at the Korean Information Technology Research Institute (KITRI) in an article in SC Magazine. Note: the full article is available at: http://www.scmagazine.com//security-gangnam-style/article/332080/. KITRI is a government funded research institute that offers a program called the “Best of the Best” (also known as BoB) that allows the best and brightest students from local high schools and colleges to participate in this highly selective cyber security program to defend South Korea from cyber hackers and cyber threats.
South Korea has suffered from a growing number of cyber-attacks over the past few years. The combined number of cyber-attacks from domestic and foreign sources are up from 24,000 in 2008 to 40,000 cases in 2012 according to the Korean Internet Security Agency. One attack targeted financial institutions in South Korea that impacted millions of bank customers from using their credit cards or ATMs for more than a week. The increasing trend has increased the importance of protecting resources in Korea.
In the SC Magazine article Mr Thompson described the KITRI program to be very thorough. “Walking around you quickly notice a large room in the corner that looks more like a television studio than a workspace for the cyber elite. There's a podium, television cameras and a press-conference-like arrangement of seats. “What's that?” I asked, after giving a lecture to the students, expecting to hear about some leasing arrangement they had with a local broadcaster. But instead, I learned that the Best of the Best are expected to be expert communicators as well as expert researchers. They are taught how to express their ideas in front of a crowd, how to handle media interviews and how to communicate the value of security to business and government leaders. Some of the participants are sent to international cyber security gatherings like RSA Conference to get a global perspective. KITRI is not only training the next generations of security leaders, its creating ambassadors for the field. KITRI's first crop of students are preparing to make their way into South Korean businesses and government agencies – the idea being that securing large South Korean businesses is critical to ensuring the growth and prosperity of the nation.”
The KITRI program might offer Universities in the United States other focus areas that cyber security professionals should be well versed in to deal with a rapidly changing environment. Let's make more BoBs in the United States!!
 |
| The Seoul South Korea skyline. Image credit: http://www.exploringkorea.com/population-of-south-korea/seoul-city-skyline/ |
Thursday, February 6, 2014
Good News on the Credit Card Front
Has the credit card fiasco recently made famous by Target, Nieman Marcus, Michaels and several hotel chains made you nervous about using the credit card in your wallet? It has certainly heightened my concern!
Probably the only good thing to come from the problem is that a credit card security improvement may come to the United States faster than originally expected. The technology is called EMV (EuroPay, MasterCard and
Visa). EMV is designed to improve the security of the credit card transaction. EVM
was designed in 1994 and implemented in Europe 2002. Currently more than 80 countries around the world use this technology to process credit cards securely. CNN announced
Tuesday, February 4, that Target's CFO announced that Target is investing $100 million to migrate to the chip technology. Target expects to implement the technology early in 2015 which is months before the mandated implementation (October 2015). Read the article at:
http://money.cnn.com/2014/02/04/technology/security/target-senate/index.html?iid=SF_T_River.
EVM is generally known as “chip and
PIN” or “chip and signature” by most people. This technology is credited
for reducing
payment card fraud losses to a 10-year low in the United Kingdom in 2011
according to a First Data Corporation white paper. Read the paper by browsing to: http://www.firstdata.com/downloads/thought-leadership/EMV-Encrypt-Tokenization-WP.PDF
Chip and PIN cards include an embedded microprocessor (or chip) inside
the
card. The consumer enters a PIN to authorize a purchase. In contrast, chip
and
signature cards uses the chip along with the
consumer’s
signature to authorize a purchase. An example of a credit card with the EVM chip is shown below:
 |
| Image credit: creditcards.com |
Are you wondering how the chip and PIN technology works behind the scenes? According
to a White Paper written by First Data, “A chip-based payment
transaction occurs when a microprocessor (smart chip) embedded in a plastic card
or a personal device such as a key fob or mobile phone connects to an
EMV-enabled POS terminal. …The smart chip in the payment instrument securely
stores information about the cardholder’s account and the issuer’s payment
application, and it performs cryptographic processing for validating the
integrity of the card number and certain static and dynamic data used in the
transaction. This provides a strong form of card authentication, validating the
legitimacy of the payment type being used”.
In essence, the chip cards encrypt data for each transaction which makes it almost impossible to use fraudulently.
Seems simple, doesn't it. You may be wondering why it the technology has not been implemented yet. First, it is expensive to implement. All retailers will need to purchase new card readers. According to an eWeek report, each new reader will cost a business between several hundred dollars to as much as two thousand dollars. That can add up quickly for a large organization. The eWeek article is available at: http://www.eweek.com/security/implementing-emv-chip-and-pin-cards-can-be-costly-but-not-difficult-2.html. Second, this will cost merchants a lot to implement this technology. Current credit card processes do not encrypt transactions. The US will benefit from the processes in place in other countries. There will be costs however. Finally, consumers will need to learn how to use the new cards. Merchants are concerned about the learning curve. Consumers in the United States average four to five cards. If a consumer enters the wrong PIN, the transaction will be rejected. It might be reasonable to conclude that some people will write their PIN on their card to keep from forgetting the information.
Subscribe to:
Posts (Atom)