Dirty rotten scoundrels

To be remembered as a truly sinister villain it’s all in the marketing. A memorable name is a must; preferably ironic or cropped from the rarely frequented areas of the keyboard and even better when combined with the definite article or an umlaut. Angel Eyes, The Mekon and Keyser Söze all fit the bill nicely. Even Sauron has a nice ring to it.

So I was disappointed to read that the biggest zero-day villain in 2014 was called CVE-2013-7331. Hmmmm, can’t quite hear James Bond saying “that’s a Smith and Wesson, CVE-2013-7331, and you’ve had your six.”

Zero-day attacks are aimed at operating system or software vulnerabilities for which there is no remedy when they first strike; i.e. the community of internet security vendors has had ‘zero days’ to prepare a response. They have given rise to an alarmingly competitive culture among cybercriminals. For example, each month hackers race to be the first to compromise Microsoft’s regular security updates on Patch Tuesday (the second Tuesday in each month). Security experts have even coined the term ‘Zero-day Wednesday’ as a result, as this internet security company notes.

But in Symantec’s annual internet security report, released this month, 24 zero-day attacks made 2014 the worst year on record for internet vulnerability. (The chief villain named above had 2013 in its Common Vulnerabilities and Exposures designation because it was discovered in 2013 but not disclosed to the public until the following year.) In total, Symantec says the top five zero-day attacks took 295 days to patch, with the average being 59 days. That means a lot of systems were exposed for a very long time. The cat-and-mouse nature of Patch Tuesday and Zero-day Wednesday is, therefore, no laughing matter.

Possibly of greater concern though, is that many cybercriminals have seemingly adjusted their tactics in light of automated patch deployments. In keeping with these days of austerity, Symantec suggests hackers have gone back to basics: attacking networks not for immediate effect, but to gather intelligence for future exploitation. To do so they are increasingly looking for vulnerabilities in old software (that may have been reused in new applications) and at the very architecture of the internet itself.

What does the internet look like? Opinions vary, from President Obama’s recent description of “the wild, wild West” to the oft-mentioned ‘super highway’. But my favourite analogy comes from The Baffler which compares the internet to a hot tub: “A hot tub, after all, is shared with friends and strangers, whose warm water swirls around you, lulling you into complacency while silently transmitting disease”.

So, not an impenetrable fortress then, where all one needs do is occasionally replace a few bricks and keep the drawbridge in the upright position. Many like to think of the internet as a coherent and secure entity. Look at how we talk of ‘downloading’ from or ‘uploading’ to the internet, as if it hovers over us like an omnipotent safety blanket. But the reality is different.

Craig Rice, Head of Security at the Payments Council, which represents the payments industry in the UK, sees the internet as an architectural hodge-podge. He describes an ecosystem growing incrementally with no overall design, control or predictable direction. Rather than bricks, it is better to think of it as having been made from wool he says, and therefore very easy for malicious actors to find ways through and around patches. As Tim Gallo of Symantec says: “We need to better understand that the fabric of the internet is riddled with holes.”

Game over? Not quite. All the villains listed above eventually came a cropper; even the nattily titled CVE-2013-7331 was patched after 204 days. There are some easily implemented measures to prepare for and mitigate attacks. For example, the United States Cyber Consequences Unit offers some simple advice on laptop security when travelling abroad, so as to minimise exposure overseas and lessen the risk of bringing home a nasty.

The starting point is to consider our own exposure. What does our network look like? How big is the fixed infrastructure, let alone mobile devices? Are we using software that is no longer supported? How will we know when we’ve been breached and who should we then call? The governments of the United States and United Kingdom recently announced a series of cyber war games to test each other’s defences. Perhaps it’s better to hear the scary news from a friend before You Know Who comes calling.

This post was commissioned by XQ Digital Resilience


The art of political collaboration

Some time ago I visited the Tate Britain gallery in London with my family. Finding the lift out of order, a gallery assistant kindly offered the use of the staff lift which is not usually available to the public. She led us through the areas that were setting up for the Turner Prize. Variously described as “a barometer for the mood of the nation” or “cold, mechanical, conceptual bullshit” (the latter by the British Culture Minister in 2002) the annual award for British visual artists often draws much criticism for the esoteric and unconventional nature of many entries. (‘My Bed’, a 1999 entry by Tracey Emin purportedly showing her dishevelled bed within which she contemplated suicide, sold at auction last year for £2.5 million.)

One section we passed through was entirely empty, save for four men in identical blue coveralls advancing across the room side-by-side, sweeping the floor in near-perfect harmony. A flickering strip light lent the scene a post-apocalyptic feel. I asked the gallery assistant if we were being treated to a private view of one of the Turner Prize entries. She looked confused, intrigued and a little nervous, before answering no, they were just brushing the floor. I have named this work of art (the look on her face, not the blokes sweeping the room) ‘Delusion, Confusion’ and, although only witnessed by my eye-rolling wife, am waiting for the call from the prize committee.

The assistant may not have demonstrated the ability to spot emerging British artistic talent. But by not screaming “stop being an arse you utter buffoon!” she did show she possessed the enviable qualities of tolerance, inclusion and patience. I have thought often of her good manners as the British General Election on May 7th approaches.

Any sensible analysis of voting intentions suggests a hung parliament, with no party achieving the 326 seats needed for an outright majority. But it’s not quite that straightforward. 650 seats (hence the 326 figure) with the speaker and three deputy speakers excluded brings the target to 324. However, as Sinn Fein refuse to sit in the House of Commons they are also not counted. In the 2010 election Sinn Fein won five seats. If that were repeated in May the total for a majority would be reduced to 321. A poll for BBC’s Newsnight programme on April 7th had the state of the parties as this:

The resultant horse-trading will test to the limit the parties’ abilities to demonstrate the same qualities as the gallery assistant when negotiating potential coalitions. Conservative+Lib Dem+UKIP+DUP? Or Labour+SNP+Green+Plaid Cymru? Or a mishmash of something else? Small parties will likely hold the balance of power in the forthcoming election to an unprecedented degree. So how many single-issue solutions will be demanded by the tiny king-makers? How much ‘togetherness’ will actually be displayed? How will the demands for different types of ‘togetherness’ be reconciled?

Different types? Absolutely. Take the recent referendum on Scottish independence. The Scottish National Party (SNP – the leading voice of the failed ‘Yes’ campaign and likely dominant political force in an independent Scotland) wanted to leave the United Kingdom. But it also pledged the new country of Scotland would be an enthusiastic partner in the European Union (EU), a political club committed to “ever closer union”. Labour and the Liberal Democrats are also fans of staying in the EU, and pundits reckon David Cameron thinks likewise. So on the one hand the SNP want to break away from the United Kingdom and on the other join a supra-national club of which the main parties of the UK are also supportive. It suggests that, unusually, togetherness could be an easier sell at regional rather than local level. Will the minor parties take such a strategic view?

But two recent political accommodations in British history give me cause for optimism that a home-grown ‘rainbow coalition’ could work. First, the current Conservative-Liberal Democrat government, which seems to have made a good fist of sticking together, or at least not collapsing in acrimony as was widely predicted. Second, the power-sharing arrangement in place in Northern Ireland between the Democratic Unionist Party and Sinn Fein since 2007 shows how former bitter enemies can work together when required. And in the recent Sky News/Channel 4 leader interviews, Miliband praised Cameron’s commitment to gay marriage and overseas aid spending and was complimented in return for his support of the Prime Minister’s position over Da’esh.

This acknowledgement that political opponents may, on occasion, hold virtuous views has been lacking in recent political discourse. Of course such laudable qualities, it must be noted, only got an airing when the individuals were asked directly on a nationally-televised interview in an election year. Nevertheless, it is a welcome sight and far removed from the current partisan politics practised in America, where attack adverts and polarisation are very much in vogue, as this article in the New York Times Magazine attests.

The limits of togetherness and quite how alien the political parties are to one another will be tested after May 7th. The need to identify common ground, display mutual respect and employ political give and take was demanded of the Conservatives and Liberal Democrats for the current government to work. Finding areas of similarity and agreement can only be a good thing for national politics. In contrast to the tub-thumping of the election trail as the main parties fight to secure a majority, come May 8th respectful pragmatism will be required across the board as the parties get into bed together. And if ever there was a reason for the doubters to vote, the potential power the minor parties are likely to hold after the election is surely it.

Exclusive offer to addingtonWord readers

Delusion, Confusion is still available for the discerning collector. Obviously, now it is just an abstract concept; a memory of an idea. Hence the exorbitant asking price. I’m waiting for your call.

The Litvinenko Inquiry – Reading the signals

Days 18 to 29 (end of public hearings) – up to March 30th

All good spy dramas end with an intriguing cliffhanger. In this regard, the open session of the Litvinenko Inquiry has not disappointed.

Late in proceedings the Chairman received notice supposedly from Dmitri Kovtun (one of the two alleged assassins) asking to present evidence to the Inquiry. The Chairman has provided a list of ground-rules for Mr Kovtun (see evidence from Day 29 here, starting on page 106) prior to receiving evidence on July 27th. Understandably, given the outstanding Metropolitan Police warrant for his arrest, Mr Kovtun will be appearing via video-link. It is unlikely he will cough to the crime, although the weight of scientific evidence against him is damning. None the less his involvement has been welcomed and rounds off the public hearings nicely. The Inquiry has now adjourned for nearly four months.

It was not the only message passed to the Chairman from Russia. On March 9th, Andrei Lugovoy, the other alleged killer, received an honour for ‘Services to the Fatherland’; an act described as a “provocation” by the counsel to the Litvinenko family. It is unlikely to be coincidence. But in my view it is little more than mischief from Putin, given how little an outcome critical of him directly or Russia more widely is likely to hurt. But it is another example of how signs and statements have had to be interpreted throughout this Inquiry.

A fascinating day’s evidence was offered by Professor Robert Service, an expert in Russian history. He described how some academics and Russia-watchers are forced to interpret what is happening in Putin’s Russia by resurrecting the lost art of ‘Kremlinology’: keeping an eye on who is photographed next to Putin; who is left in Moscow when Putin goes on holiday (i.e. trusted not to launch a coup) and so on. Not since the dark days of the Cold War, before Gorbachev opened up the Soviet Union, have such methods been necessary. The openness and public discourse of the years up to the Putin-era was smothered by a “blanket of near secrecy” after the year 2000. “This did not happen accidentally or naturally” Professor Service said.

The Litvinenko Inquiry has, at times, sounded quite other-worldly. It is not every day one hears of a videotape allegedly held by Roman Abramovich, the owner of Chelsea football club, purporting to show Putin in “compromising sexual circumstances of a homosexual nature”. Likewise, British courts do not often discuss nuclear suitcase bombs. There was barely concealed tittering when the manager of the Best Western hotel in Shaftesbury Avenue described Lugovoy and Kovtun as looking like “a donkey with a saddle” in ill-fitting and garishly coloured suits as they checked in to rooms subsequently discovered to have high doses of polonium-210.

But, ultimately, the story the Inquiry told was one of threats, bullies, murky deals and unexplained deaths. The polonium-210 used to murder Alexander Litvinenko could only have been produced in a state facility and there are few of these around the world. Many close to power in modern Russia (which, the Inquiry heard, includes organised criminal gangs) had a motive to kill Litvinenko. And, even if he neither ordered nor tacitly condoned the act, Vladimir Putin has ushered in an era of thuggish political patronage and a centralisation of unaccountable power in Russia which allows such killings to occur.

The Inquiry Chairman intends to produce his report before Christmas. Any ripples will likely be limited to the Western media and political establishments; the impact in Russia, I believe, will be negligible although it will be worth seeing if, and how, Russian media organs such as Russia Today react. As Professor Service said: “the Kremlin is much more of a closed castle in our century than it was in the last 15 years of the previous century.”

Some linked material reproduced here is courtesy of the Litvinenko Inquiry –www.litvinenkoinquiry.org.