Blockchain: Erosion of the promise of trust

Blockchain is a promising technology that has made a lot of geeks rich in a short period of time. At the same time, the lack of regulations and knowledge surrounding blockchain-linked investment products means that scams abound. Is blockchain really what we think it is?


Origins

One of the key capabilities that the pseudonymous Satoshi Nakamoto introduced with his white paper on Bitcoin was the ability to conduct financial transactions in a network with no central authority, where most of the participants are unknown to oneself (and therefore untrusted). He contended that the network's "chain of blocks" (Satoshi did not coin the term "blockchain") was trustworthy so long as the majority of the participants were non-malicious; more accurately, so long as the majority of the computation power on the Bitcoin network was controlled by non-malicious actors, since it is hashing power rather than head count that decides which chain honest nodes extend.
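Why "majority of the computation power" is the right condition, and what it buys a merchant who waits for confirmations, is worked out in section 11 of the white paper listed in the references. The Python below is an added example, a port of that calculation; it is not code from this post or from the Bitcoin project. The paper models the attacker's progress as a Poisson process while the honest chain mines z blocks and then applies the gambler's-ruin probability (q/p)^d of ever closing a deficit of d blocks. The guard that returns 1 for q ≥ 1/2 and the `confirmations_needed` helper are my additions and are not in the paper's code.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the
    network's hash power ever catches up once the honest chain is
    z blocks ahead (section 11 of the Bitcoin white paper).

    While the honest chain finds z blocks, the attacker's progress is
    Poisson with mean lambda = z * q / p, and from a deficit of d blocks
    the chance of ever catching up is (q / p) ** d.
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    # Added guard (not in the paper's code): with half or more of the
    # hash power the attacker catches up with certainty, and the series
    # below only makes sense for q < p.
    if q >= p:
        return 1.0
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):
        # Poisson probability that the attacker mined exactly k blocks
        # in the time the honest chain mined z.
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        # Subtract the probability of being z - k behind and never
        # catching up from there.
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, target: float = 0.001) -> int:
    """Smallest number of confirmations z at which the attacker's success
    probability falls below `target` (the paper tabulates 0.1%).
    Returns -1 when the attacker always wins (q >= 0.5)."""
    if q >= 0.5:
        return -1
    z = 0
    while attacker_success_probability(q, z) >= target:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.1, 0.2, 0.3):
        print(f"q={q}: {confirmations_needed(q)} confirmations for P < 0.1%")
```

The point a practitioner should take from running it: with 10% of the hash power an attacker's chance of reversing a payment is already below 0.1% after 5 confirmations, but at 30% it takes 24, and at 50% no number of confirmations helps. That is the "majority of computation power" assumption in numbers.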

Why did it need to be so? The financial crisis was still ongoing in 2008. Major financial institutions had been entrusted with money, and there was considerable discontent at the risks they took to make money for themselves, as well as at the fact that the public was faced with the bill for bailing them out. Trust in institutions was low in 2008. In addition, central banks had been printing money for decades, inflating the amount of currency in circulation while decreasing its value. (Note: This article does not provide an opinion on what is sound monetary policy.)

Satoshi published the white paper in 2008 and released the first Bitcoin software in January 2009. If Bitcoin succeeded as a currency (i.e. something that could be exchanged for goods and services), one would no longer need to trust centralised institutions such as private banks, central banks or governments with money; that, at least, was the dream of the libertarian-inspired "crypto-anarchists" who backed the cryptocurrency movement in its infancy. The individual, the ordinary man, would be in charge of his own destiny. Satoshi believed, at the initial release of Bitcoin, that technology such as Bitcoin could one day become as easy to use as SSL/TLS, the encryption technology used by the HTTPS protocol that secures most of our internet communication. That technology was widely adopted by technologists and put to the benefit of the public without the average person needing to know what it was or how it worked.


Investment

Understanding Bitcoin and blockchain technology requires a level of technological sophistication. It also requires an appreciation of the libertarian ethos and its distrust of human institutions. Early adopters of cryptocurrencies may have had both; the average investor today does not (one of my colleagues advises people that "invest" is not the right word). Today's investors are out to make a quick buck: to sell the Bitcoin (or other currency or token) and convert it back to dollars when Bitcoin hits $20,000 (or $100,000 or $1,000,000 or <insert prediction of the day>).

While we can be quick to criticise new investors, early investors were not necessarily much better. Bitcoin's supply is capped at 21 million coins, a number that will be reached around the year 2140. Early adopters could get Bitcoin cheaply and at minimal effort. Late adopters need orders of magnitude more hashing power (or fiat currency) to get theirs. The currency is designed to be deflationary. We have observed the natural consequence: large numbers of people who believe in HODLing (a corruption of "hold" that made it into cryptocurrency popular culture). For a currency to be useful, people need to transact with it, not cling to it for dear life. This provides another avenue for doubt: did Satoshi really create Bitcoin to benefit people, or just to build something that could potentially make himself very rich? Assuming a valuation of $15,000 per bitcoin (the value has been fluctuating drastically at the time of writing), Satoshi's bitcoins would be worth approximately $15 billion. Satoshi disappeared from the forums where he made contact with others in December 2010 (the last post, from 2014, is widely believed to be a forum administrator's). People who have been suggested as Satoshi have either denied it or been unable to prove that they were indeed him. Any movement of Satoshi's coins in this situation could cause a panic in the market.

A similar situation presented itself recently. Charlie Lee, the creator of Litecoin, announced in December 2017 that he had recently sold or donated all of his Litecoin. Litecoin is billed as the silver to Bitcoin's gold; it is designed to confirm transactions faster than Bitcoin does. Lee stated that he sold his coins in order to stop being accused of making statements to manipulate Litecoin's price, given his standing. However, Lee is not an academic or a journalist. His writing and commentary matter less than the leadership he provides to the Litecoin community, and the community benefits from him having a vested interest in its success, not the other way round. Lee's Twitter handle, "@satoshilite", gives away his own idea of his role and standing (prior to the sale).

The question now is whether a number of whales (people with holdings of cryptocurrency large enough to move the markets when they buy or sell) will decide that prices have peaked, sell off their crypto-assets and exit the market. In the months leading up to December 2017, the charts of "market cap" (USD valuation of a cryptocurrency, i.e. the number of tokens times the price of one token) and price for a number of these currencies rose dramatically. While some people understand the tokens as having some value, the prices have clearly been driven up by speculation, with swings of 20% or more in a single day seen with surprising frequency. This lack of stability undermines trust in the tokens even if their underlying technology were sound, primarily by making it too risky for new entrants to buy in and transact with the newly bought tokens. A further complication is brought about by pump and dump schemes, which are common in the unregulated cryptocurrency world.


Centralisation in cryptocurrencies

Cryptocurrency exchanges further complicate the situation. The first exchanges were (and most exchanges still are) designed as centralised venues where users can exchange fiat currencies for cryptocurrencies and one cryptocurrency for another. The most notorious was Mt. Gox, whose name came from the Magic: The Gathering Online Exchange that Jed McCaleb had earlier run on the same domain. McCaleb cobbled the Bitcoin exchange together, eventually realised that the amount of money people were putting into it was a risk to himself, and sold it. The buyer, Mark Karpeles, had few website maintenance skills himself and allowed it to deteriorate. Mt. Gox was hacked in 2011 and, after further losses, declared bankruptcy in 2014. In 2015 and again in 2016, the exchange Bitfinex announced that it had been hacked and that a number of Bitcoins had been stolen. Bitfinex "socialised" the losses across its user base after the 2016 hack. Other exchanges and marketplaces have also claimed to have been hacked, losing their users' cryptocurrencies. The exchanges' handling of cryptocurrencies is not regulated. They need not submit to audit procedures. In some cases, it is questionable whether the site was hacked at all.

What goes missing from the conversation about the hacking of these sites is the motivation of the people who keep their money in these exchanges. Why would people who distrust centralisation keep their money on a centralised exchange? In the case of a bank or otherwise regulated financial institution, customers would have legal recourse in the event of malpractice. The lack of regulatory oversight of cryptocurrencies means that users need to actually trust the integrity of the employees and owners of the exchanges to do the right thing. This goes fundamentally against the ethos that gave birth to blockchain technology in the first place.


Scams

That is not the end of it. Scammers have found rich pickings in cryptocurrency. I personally came across two instances of Bitcoin-related scams. An obvious pyramid scheme named USI Tech promises 35% referral commissions over 12 levels. I met two men at a cryptocurrency event in Hong Kong who scoped out the attendees and attempted to induct participants into the scheme. One of them admitted that it was a pyramid scheme when confronted with the fact.

Hashflare is slightly more sophisticated. It purports to be a "cloud mining service" which starts mining "immediately after confirmed payment". Nevertheless, the websites (they have separate sites on .com, .in and .eu domains) are light on technical details. It is clear enough that there will be no purchase of hardware after a customer buys in. As per the description, the hardware appears to be already in place and mining for the company. Why then would they need customers to distribute their earnings from the mining operations to? My research into this company revealed that most "reviews" of the product on third-party sites were sponsored reviews or reviews that contained referral links to Hashflare. Even posts on seemingly neutral sites that headlined with the question of whether cloud mining was a Ponzi scheme completely ignored the headline and promoted the product.

Bitconnect is probably the best-known of these dubious projects. It came close to breaking into the top 10 most valued "cryptocurrencies" at one point, reaching #12. Shortly after this post was drafted, Bitconnect shut down its platform, causing the value of its coin to plunge 90%. Why would a libertarian / crypto-anarchist who distrusts regulated institutions take the risk of trusting extremely opaque institutions with their money? It could partly be explained by the ability to "invest" without letting the government know about these investments. Greed to make a quick buck is the more obvious answer. The hard-to-palate answer is that a lot of people recognise that some of the projects they are investing in are outright scams, but will invest in and promote them while they continue to make money.


Blockchain hype

Investment scams and greed notwithstanding, there is still need for caution. We come across lots of talk about blockchain technology being the equivalent of the internet 20 years ago. The comparison is not apples to apples; the blockchain is a technological development more akin to relational databases in the 1970s. Relational databases benefited humanity, but the people who got excited about them (if any) were technologists. Their benefits were invisible to end users, who had no need to see the underlying technology that powered the products they used. This is unlike the internet, with which users feel intimately familiar through their use of the World Wide Web (note the "www" at the start of most web addresses) and the various apps connected to the internet.

It makes more sense for people to be excited about the applications that improve their lives than about the technology that powers those applications. You might have heard the wild stories of companies whose stock prices rose drastically after they added "blockchain" to their name or announced a blockchain venture. The fact that something uses a blockchain does not necessarily make it better. It will be better only if the application draws on a blockchain's strengths (immutability of recorded transactions, decentralised trust, etc.) and does not depend on what blockchains do poorly (confidentiality of data, high transaction throughput, etc.). Valuations of blockchain companies and products based on the actual value they generate appear to be lacking from this narrative.


What were we saying about trust?

In this article about trust, we have covered a lot of reasons trust is weakened. We have also looked into the seeming irrationality of the cryptocurrency investment landscape. The technology and ethos that generated mathematically-secured transactions has been overwhelmed by hype and the pursuit of easy money. Tim Swanson provides a detailed analysis of problems with the cryptocurrency ecosystem as a whole.


Identifying the good stuff

Some wonderful technologies will ultimately emerge out of the blockchain revolution. A few questions will help to identify them: Do they solve real-world problems that benefit from a blockchain? Do they have a solid team of technically inclined people (as contrasted with marketers) who update their code regularly? Review their chat channels and GitHub commits for frequent activity. Hype about coin prices (rather than about how the product will actually be of benefit) is generally a red flag.

This article is not meant to put you off blockchain. The technology is here to stay. I seek to put in perspective that the current mania is a distraction from the actual value of blockchain. We will realise this value over the coming decade, but there may be a lot of disappointed investors on the way to it.


References:

New York Times article on cryptocurrencies – “Everyone Is Getting Hilariously Rich and You’re Not”: https://www.nytimes.com/2018/01/13/style/bitcoin-millionaires.html

Announcement of Bitcoin P2P e-cash paper in 2008: https://www.mail-archive.com/cryptography@metzdowd.com/msg09959.html

The Bitcoin white paper by Satoshi Nakamoto –  “Bitcoin: A Peer-to-Peer Electronic Cash System”: https://bitcoin.org/bitcoin.pdf

Bitcoin implemented: https://www.mail-archive.com/cryptography@metzdowd.com/msg10142.html

Buying power of USD: http://money.visualcapitalist.com/buying-power-us-dollar-century/

Forum post announcing Bitcoin v0.1 release: http://p2pfoundation.ning.com/forum/topics/bitcoin-open-source

Article on SSL/TLS used in browsers – Secure browsing with Chrome and Firefox:  https://www.linkedin.com/pulse/secure-browsing-chrome-firefox-vijay-luiz

“Hold” gets corrupted – “I AM HODLING”: https://bitcointalk.org/index.php?topic=375643.0

All posts by Satoshi Nakamoto at P2P Foundation / BitcoinTalk: http://satoshi.nakamotoinstitute.org/posts/

Charlie Lee announces the sale of his Litecoin holdings – “Litecoin price, tweets, and conflict of interest”: https://www.reddit.com/r/litecoin/comments/7kzw6q/litecoin_price_tweets_and_conflict_of_interest/

“Market capitalisations” of cryptocurrencies: www.coinmarketcap.com

A nice explanation of how cryptocurrency pump and dump schemes work – "The Anatomy of a Pump & Dump Group": https://bitfalls.com/2018/01/12/anatomy-pump-dump-group/

Mt. Gox hacked – “The Inside Story of Mt. Gox, Bitcoin’s $460 Million Disaster”: https://www.wired.com/2014/03/bitcoin-exchange/

Bitfinex gets hacked, socialises losses – “Bitfinex users to share 36% of bitcoin losses after hack”: http://www.bbc.com/news/technology-37009319

A review of BitConnect – “What is BitConnect? Legit or Scam?”: https://quickpenguin.net/bitconnect/

Another review of BitConnect – “Bitconnect Review: Is it Legit?”: https://99bitcoins.com/bitconnect-review-scam-legit/

BitConnect shuts down platform – “Bitconnect, which has been accused of running a Ponzi scheme, shuts down”: https://techcrunch.com/2018/01/16/bitconnect-which-has-been-accused-of-running-a-ponzi-scheme-shuts-down/

Kodak announces its own cryptocurrency and watches its stock price skyrocket: https://www.theverge.com/2018/1/9/16869998/kodak-kodakcoin-blockchain-platform-ethereum-ledger-stock-price

$24 million iced tea company says it's pivoting to the blockchain, and its stock jumps 200%: https://www.cnbc.com/2017/12/21/long-island-iced-tea-micro-cap-adds-blockchain-to-name-and-stock-soars.html

Tim Swanson's critical analysis of cryptocurrencies – "Eight Things Cryptocurrency Enthusiasts Probably Won't Tell You": http://www.ofnumbers.com/2017/09/21/eight-things-cryptocurrency-enthusiasts-probably-wont-tell-you/

Secure browsing with Chrome and Firefox

Google is leading the push to an encrypted and more secure internet. The Chrome browser’s security team is changing the way Google Chrome handles web pages, with Firefox playing catchup.

Have you noticed that little padlock icon that often appears on your browser’s address bar? Look at the left end of the navigation bar. What do you see?

On Chrome: 

On Firefox: 

On Internet Explorer (to the right): 


With plain HTTP (HTTPS without the S, which stands for "secure") all information is sent in plain text, i.e. unencrypted; any computer between the sender and the receiver can read the traffic. The padlock with HTTPS means that the connection between your computer and the computer at the other end is secure: the browser has checked the server's certificate and the traffic is encrypted, so information cannot be snooped by a third party in transit. This is why people who build websites responsibly have at least ensured that their login pages and sensitive information (such as credit card details) are served over HTTPS instead of HTTP.

If you click on the padlock, you might see some more information that helps verify that the site is indeed owned by those who claim to own it. Like so:

Nevertheless, few people actually watch out for the padlock to see whether the sites they log in to are secure. We need something simpler. This is what Chrome and Firefox have done: when a user goes to a page that asks for sensitive information, the browser checks whether the connection is over HTTPS. If it is not, it warns the user that the page is not secure.

See what happens when I click the ‘login’ box for Qantas’ site.

Chrome:

Firefox:

What if a technically-informed user tries to force the website to use HTTPS, but the site tries to ‘downgrade’ to HTTP? See the example when I navigate to https://www.trivago.hk

On Chrome:

On Firefox:

Also notice how different these warnings are from equivalent warnings in Internet Explorer:

While it does look ugly and slightly menacing, we have come across such warnings enough times, especially at our workplaces, that we have learned to click through them to reach the sites we wish to reach. Chrome and Firefox make the clicking a little more difficult in order to protect their users.
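The downgrade described above can be checked mechanically rather than by watching the address bar. The Python below is an added example, not code from this post or from any browser vendor: it classifies a response to a URL by whether it sends an https:// visitor back to http:// (a downgrade), sends an http:// visitor up to https:// (an upgrade), or serves the page in plain text. It also looks for the Strict-Transport-Security (HSTS) header, which is how a site tells the browser never to fall back to HTTP on later visits; the post does not discuss HSTS, so that part goes beyond it. The sample responses are constructed for the example and are not captures from the sites named above.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample responses, keyed by the URL that was requested:
# (status code, response headers). Illustrative only; not captured from
# any site mentioned in the post.
SAMPLES = {
    "https://login.example.test/": (
        200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "https://downgrade.example.test/": (
        301, {"Location": "http://downgrade.example.test/"}),
    "http://upgrade.example.test/": (
        301, {"location": "https://upgrade.example.test/"}),
    "http://plain.example.test/login": (200, {}),
    "https://relative.example.test/": (302, {"Location": "/home"}),
}


def hsts_max_age(value):
    """Parse the max-age directive of a Strict-Transport-Security header.
    Returns the number of seconds, or 0 if the directive is absent or
    malformed (a policy with max-age=0 is also "no policy")."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            raw = raw.strip().strip('"')
            return int(raw) if raw.isdigit() else 0
    return 0


def classify(url, status, headers):
    """Describe what a response does to the security of the connection.

    Returns one of:
      'downgrade'      https:// request redirected to an http:// URL
      'upgrade'        http:// request redirected to an https:// URL
      'redirect'       any other redirect (scheme unchanged)
      'secure'         served over HTTPS with an HSTS policy in force
      'secure-no-hsts' served over HTTPS, but a later http:// visit would
                       still go out in plain text before any redirect
      'plaintext'      served over HTTP with no redirect at all
    """
    scheme = urlsplit(url).scheme.lower()
    # Header field names are case-insensitive, so normalise them first.
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location")
    if 300 <= status < 400 and location:
        # A relative Location inherits the request's scheme; resolve it
        # against the request URL before comparing schemes.
        target_scheme = urlsplit(urljoin(url, location)).scheme.lower()
        if scheme == "https" and target_scheme == "http":
            return "downgrade"
        if scheme == "http" and target_scheme == "https":
            return "upgrade"
        return "redirect"
    if scheme == "https":
        # Browsers only honour HSTS on HTTPS responses, so it is only
        # meaningful to look for it here.
        hsts = hdrs.get("strict-transport-security", "")
        return "secure" if hsts_max_age(hsts) > 0 else "secure-no-hsts"
    return "plaintext"


def audit(samples):
    """Classify every sample; returns {url: verdict}."""
    return {url: classify(url, status, headers)
            for url, (status, headers) in samples.items()}


if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{verdict:15} {url}")
```

To use it against a real site, feed `classify` the status and headers from a request made without following redirects (for example `requests.get(url, allow_redirects=False)`); following them automatically would hide exactly the downgrade hop you are looking for.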

The major browsers, including Safari and IE/Edge have gone further for sites that they consider to be actually malicious. They block them to prevent the user from unintentionally accessing them.

The long-term goal from Google is to make all sites use HTTPS so that our browsing is generally more secure. Google will give HTTPS-using sites an advantage over sites that do not use it in their search results. The plan was announced in advance so that website owners would have the time to make the required changes. It has also given Mozilla time to catch up and join the plan.


What can you do to improve your browsing security?

  1. Use a modern browser such as Chrome or Firefox (stop using Internet Explorer) that puts in the effort to protect you.
  2. Use the ‘HTTPS Everywhere’ add-on from EFF (Electronic Frontier Foundation) to force sites to use HTTPS if there is an HTTPS version.
  3. Use an ad-blocker to prevent malicious advertisements from showing up.

Also see:

https://www.essaysonsecurity.com/2016/12/21/securing-yourself-online/

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

https://support.mozilla.org/t5/Protect-your-privacy/How-to-stay-safe-on-the-web/ta-p/26286


Online rental scam

I recently moved to Hong Kong and was the mark of a scammer who tried to cheat me of rental deposit. I lost no money, just a bit of time that I could have used to view other properties and get settled in earlier.

The scam is simple. The scammer shows the victim a rental unit that looks very attractive for the price, and the victim is interested. The scammer explains that they want someone of the right character to stay in the house; the victim has to write about himself/herself and grows more committed to getting the unit along the way. Once the "landlady" decides to go with this tenant, she asks for money to be wire-transferred because, for some reason, she is not on location; she will fly over to meet the tenant and hand over the keys, or mail them. If the victim pays the money, the scam has succeeded. The victim later finds out that the unit is occupied.

I have often wondered how stupid a person has to be to lose money in this manner. I got my answer. The money is not brought up at the start. A number of messages are initially exchanged between scammer and mark making the mark more and more committed to the place. By the time the mark realises that the “landlady” is not in town and will not be able to open the door for him to view the place, he has already spent some effort to prove himself “worthy” of the unit and is committed to it. In the email exchanges, the scammer identifies minor problems with the house making the house seem all the more real. And the scammer sends a scan of his photo ID – that of a real person. It is all very convincing.

Being an information security professional helped me to not lose money in this case. I knew that a scan of the ID did not prove that the sender was the owner of that ID. My telephone company, bank and various other organisations probably have scans of my ID. I asked for a video chat over Whatsapp. This is harder to fake and I received no effective reply.

Edit (added 31 Jan 2017): The scam works for three reasons. It works because:
1) humans are inherently trustful,
2) the scammers are clever enough to make us commit our efforts to make us want it to be real &
3) we rationalise our suspicions with reasonable-sounding explanations and allow ourselves to be victimised.

How to not be scammed that easily:

  1. Be on the alert if it looks too good to be true.
  2. If you get suspicious, ask the internet and people who may have done the same thing before (e.g. people who looked for units to rent in Hong Kong).
  3. Do not send money by bank transfer to anyone whom you have not seen. Online selling sites such as eBay use PayPal, which provides the buyer with some protection.
  4. Note that a scan of an ID card (or even the ID card itself) is useless unless you can verify the picture against a live (not recorded!) video or against the actual person. ID cards can be faked or stolen. Lots of people can have scans.
  5. The scammer may get indignant (my scammer did) if asked for proof, but this is a ploy to bring down your defences. It is the obligation of the person at the other end to verify that he/she is who he/she claims to be. This is essential to establishing the trust that you need to conduct your transaction.
  6. In the event that you have seen the person online or in person, you still need to authenticate their identity with an ID card or have some address to lock them down to if you need to dispute something with them in court. Anyone can chat with you using a fake name. You might also need to consider whether the police have jurisdiction over them to redress any claims that you have against them. The Hong Kong cops probably can do little to someone in London.
  7. Edit (31 Jan 2017): You can reverse-lookup photos on Google Images (images.google.com) to see if they appear in any other websites (that depict rooms in other countries, for instance).

This is the gist of my experience. I have put things down in greater detail below for those who are interested:


=============


Note: I am going to name names. The names will be of real, likely innocent people. I put in the names in so that others who are in a similar situation to me may get a clue and stay away from the scammer. Also, as far as I know, the people who own the names and the people who may have falsely used them have not been convicted of crimes in any court of law.

I started my house-hunt a few days prior to arriving in Hong Kong. Hong Kong is one of the most (if not the most) expensive housing markets in the world. Many contacts and friends advised me to budget HKD 15,000 per month (~USD 1,930 at time of writing) for a room in the city. After browsing through a bunch of rental websites I was confident of finding something under HKD 10,000. I set my primary requirements as: must have an attached bathroom, enough space for a small table in the bedroom and close to the city centre. There were many lacklustre options but one stood out: a post on easyroommate.com.hk that displayed gleaming clean rooms with a massive bedroom that housed two beds and a fireplace for just HKD 6,500/month. The description stated that it was built with luxury in mind and that the owner wanted someone with whom she would get along nicely more than anything else. It looked too good to be true. I contacted the owner, Bianca, who responded the next day.

Here is her actual introduction: This is just to let you know few things about myself and the apartment. My name is Hais Bianca, I am 26 years of age, easy going, tidy and non smoker female. I am glad that you are interested in renting my apartment and I will be looking forward to having a wonderful stay with you should you succeed in reserving it for yourself.

I love meeting new people and also a like having a time-out with relatives and friends whenever I am less busy. My father and mother used to live in the apartment before my father's demise which has led to my mother's relocation.

Since I am currently on an internship attached to my late father's company in the United Kingdom, I will be resuming for my masters in Hong Kong soonest once the internship program has been concluded but I will be available at anytime for you to move into the apartment on the specified date as long as I am sure of your interest.

The most important thing is that, I am looking for someone to share daily life and common value with. So the ideal person I will like to share my apartment with must be a neat, trust worthy person and the person must be capable of paying the rent on a consistent basis as long as he/she continues to stay in the apartment.

There are Three bedrooms in the apartment, One is for me, the room in the picture is about to be reserved for 1 person (which has it's toilet and bath en-suite) and the last one which is reserved for guests is also for rent as well, since my parents are no longer occupying the apartment (that is why it is no longer available for guest because they used to be my parent's guest) may be the other person can manage this room (but it will have it's toilet and bath shared). So the only thing we will have to share together in the apartment is the kitchen and the living room.

The From line of the email read 'bianca hais' (first letters uncapitalised). I obviously had to do a good job to win this one. I put on my best interview face and wrote up a nice piece about how awesome a flatmate I was. At the very end I asked:

If this is an interview… what languages do you speak? 🙂

Bianca said that she was OK to be my roommate. She spoke German and English and was also learning Mandarin. She provided me with all the photos of the unit that I asked for and welcomed me to check out the locality myself. She had wasted a lot of time and money the last time, so she wanted me to reserve it before she came over. “That’s why it is so cheap – because people do not want to accept an apartment that they can’t see for real,” I told myself. I told B that I would confirm once I checked out the area. We sent each other a few more emails. I sent her one saying:

Und Ich spreche ein bißchen Deutsch. (translation: And I speak a little German.)  You could help me practise. 🙂

She did not reply to that one, but sent over the information that she required before she could come up with the lease document. I sent her over a scanned copy of my passport and details such as full name, age, occupation, moving-in date, how many months I wanted to stay, etc. I arrived in Hong Kong and saw the locality, a vibrant place with lots going on. There was a guard at the gate and I did not go in. I emailed B that I was OK to go ahead. She sent me the rental agreement and a scanned copy of her Hong Kong ID (HKID) card. It was a very nice looking tenancy agreement including the below generous clause:

(e) The tenant is privileged to get a refund of his/her money if he/she is not satisfied with the apartment after viewing it or should there be any contradiction from what was being displayed in the picture compared to what is seen on viewing.

At this point, the fact that she had said I had to reserve the room before she would come over had finally filtered into my consciousness. I had to pay this woman before I saw her? "But she has sent me a scan of her HKID, so I know that she is who she claims to be." That's when the security professional took over. The HKID scan only proved that the sender had a scan of Bianca Hais's HKID; it did not prove that the person who sent it was indeed Bianca; it did not even prove that she had Bianca's HKID card. I had not yet authenticated Bianca Hais.

I looked for the advertisement on easyroommate to see if I could find any more details. The ad had been removed. “She must have removed the ad when I expressed interest in it. There must be lots of people who want it at that price.” I looked through my emails. Why was the room that cheap? Bianca’s email mentioned no lift to the room. Could that be a reason? I shot her an email asking about it and about what happened that caused her to lose money the last time. I looked her up on social media. There was one LinkedIn profile that fitted. She looked slightly different from the HKID picture, but there was evidence of living in Germany, Hong Kong and China. That would explain the languages that she spoke. I could not send her a message, but I was able to send a connection invite with a short message about me being contacted by a Bianca Hais in Hong Kong, asking her to reply. Separately I asked her over email to connect with me over LinkedIn.

She had said nothing for two days and I wanted to be done with my househunt. I realised that asking to connect over LinkedIn was unnecessary: we could just do a video chat over Whatsapp and I could see her face. I sent a message suggesting that. Then I checked the building again and confirmed that there was indeed a lift. There was a lift, so I was not being given a cheap apartment on that account. There was no reply the next day, so I sent her the signed tenancy agreement. I could authenticate her later, before I sent the money, but I had to secure the room soon. When I scanned in the signed sheets, an error on my part had caused it to attempt to scan an extra page. The tenancy agreement that I sent had an extra blank page at the end, five pages instead of four. Also, it scanned the pages in sideways instead of straight.

Bianca finally replied, a bit annoyed that I had made it so confusing with all my requests. I apologised, but insisted that we have the Whatsapp video chat. I had sent her my phone numbers multiple times, but she had not yet used them. Her preferred mode of communication was email. Now I started to get suspicious. She sent me back the signed agreement on her part. This is where it got really funny. It still had the same number of pages that I scanned in – five pages. I would have expected one page less if she had printed it out, signed and scanned it. Most interesting, she had put her signature vertically. More likely, I realised, she had pasted in a digital copy of her signature over the existing document.

Last page of the rental agreement (signatures masked). Note the odd alignment.

I had a bad feeling in my gut all along about this place. Little pieces were falling together that suggested things were not as they appeared to be. I searched for “Hong Kong rental scams” and came across this site: https://xingledout.wordpress.com/2014/02/01/beware-the-rental-scams-in-hong-kong/

The writer had experienced something quite similar to what I was going through with Bianca. This was not good. Now I had to start looking at my backup options. I really wanted it to be real, but how do I get out of it? And what if B was indeed real?

The next day solved the problem for me. I had looked up other rooms in easyroommate. There was a fantastic looking studio right at Central going for just HKD 10,000. I had contacted the owner when my suspicions about B started growing. I got this message from her:

Thank you for taking the time to look at my property.

My name is Luzia and I am a civil engineer, originally from UK. I used to work in Hong Kong, but the problem is that I had to move with my job back to London, UK, where I am now. During my stay in Hong Kong I bought this apartment but I don’t want to sell it, so that’s why I decided to rent it.

I am looking for a responsible person that can take a very good care of my apartment. I am not after the money for the rent but want it to be clean all the time and the possible tenant will see the apartment as his or her own and I hope that you can send me some personal information about yourself. The apartment is fully furnished with all necessary amenities (exactly like in the pictures). It has dishwasher, washing machine and clothes dryer. There is a storage unit where you can deposit my furniture (if you don’t like it and you want to use your furniture) and AC. Pets allowed. Cooking allowed. This is not a shared rental with the owner.

The monthly rent for the entire apartment is HKD$ 10,000 and also includes monthly utilities bill (electricity, water, heat, cable, gas, internet connection+wifi), so there is nothing else to be paid on top of that. I am looking for someone to rent anywhere from 1 month to 5 years or more. Also the apartment is available immediately!

Sadly I do not have anyone there, so the property is being managed by Airbnb (no agency fees) and they will handle the whole rental process. If you want to know more about the rental process please get back to me and I will send you the step by step procedure.

There was a pattern here. The name in her email said Leslie Andree, not Luzia. There were too many similarities with Bianca Hais: the London connection, the verbosity, the fact that all these people were willing to part with so much personal information about themselves, the fact that the place looked just too good to be true (HKD 10,000 for the kind of room Leslie/Luzia advertised was a steal) and the fact that they would not be able to open the door for me themselves if I wanted to view the place. A normal person would use an agent.

I finally stopped wanting it to be real and went to the police. A nice gentleman named Toby listened to my story with interest, viewed the pictures and the emails and informed me that no crime had been committed. I had not lost any money to the scammers and while the places did look too good to be true (he was amazed at the fireplace in B’s master bedroom), I could not prove that they were indeed fake. I asked him if he could at least check with the real Bianca, whose HKID I had a scan of. She was probably a victim of identity theft. He said that he did not have the justification to look it up in his system. It was slightly disappointing but consistent with my experience with the police elsewhere in the world. At least he was very polite. Toby advised me to inform the website administrators. “They would know about the people who posted the rooms.” I laughed. Easyroommate.com.hk did not even secure their login page. They only require an email when registering as a client. It was then that I realised that easyroommate had done something. They had removed Bianca Hais’ post.

I started evaluating the damage to me. I lost a lot of time that I could have used to productively house-hunt. I had some suspicions and I did not want to put all my eggs in one basket, so I had viewed a few units. Worse was the fact that the scammer now had a copy of my passport and a nice little piece that I wrote myself about my character. They could try to use that to spoof my identity for the same purposes.

I sent B an email saying that her post for the rental unit was very similar to many rental scams taking place in Hong Kong and that I was not proceeding with it. “Good bye.” I then told an agent for another room I’d viewed that I was willing to take a room of his that I’d viewed. He asked me for one crucial detail that B had not asked for: my employment contract, to ensure that I could pay for the room.

I was thinking that this business was settled when I got some Whatsapp messages from a London number. It had Bianca’s picture, as seen in her LinkedIn profile. “What is your problem? I have not started living with you and you have been making everything complicated. Do you think everyone will think the way you think? Now it is a crime for me to rent out my apartment because I needed a flatmate. If you have trust issues you can as well buy your own house. Stop disrespecting people. My apartment is not a scam and I owe you no explanation.”

I was in shock for a minute and almost sent a message of apology. Then I got over it. The picture was publicly available. In the extremely unlikely event that I had been communicating with the real Bianca, she would have to be quite stupid to not simply use an agent to hand over the keys. Who wants to fly all the way from London to Hong Kong just to hand someone their keys? I doubted that a real Bianca would want to live with me at this point or would give me her phone number after I had called her a scammer. I asked B for a video chat. There has been no more contact since.

I wrote to easyroommate. They got back to me stating that both posts (Bianca’s and Leslie’s) had already been taken down by their moderators. That had not helped the people whom the scammers had already contacted, had it? I advised them to make it a policy to inform all people who had been in touch with the scammers (or who had contacted the scammers) so that the users who had been reached before the posts were taken down would also benefit. Easyroommate said they would consider my suggestions. Hopefully they will implement them.

Edit (31 Jan 2017): I eventually learned that the pictures were from apartments in France by running a reverse image search on them in Google Images.

Review: The Cuckoo’s Egg by Cliff Stoll

The Cuckoo’s Egg (1989) is probably THE classic true computer security incident response story. Cliff Stoll, a man with a doctorate in astronomy, gets a job maintaining the computer systems at an astronomy lab. He is charged with explaining a 75-cent discrepancy in the accounts and finds that someone has broken into the network. The intruder jumps from the lab computer to military computers around the United States and turns out to be a foreign spy.

The year was 1986. Computer firewalls had not yet been invented. Laws barely existed that covered computer crime. People who broke into computer networks without authorisation had been charged with “stealing electricity”. The three-letter agencies in the United States had not yet figured out the scale of computer insecurity or the possibilities and were not interested in investigating cases. This backdrop makes The Cuckoo’s Egg fascinating.

If the book were written today, it would not be called The Cuckoo’s Egg. Today we would just call it a backdoor into the system. Information security was such a new discipline in the ’80s that Cliff got to invent his own phrase to describe what is standard terminology known to the layman today. (Unfortunately we do not use Cliff’s choice of words today.)

Cliff painstakingly sets up a monitoring mechanism to detect the intruder and track his activities in a manner that the intruder will not recognise. The intruder uses dictionary words such as “Hunter” and “Hedges” for his passwords. Cliff’s monitoring system calls him at all sorts of hours to watch the intruder in action. Cliff makes contact with people all over the US to trace the intruder. Only after months of monitoring and meetings with the agencies do they finally get around to moving to catch the perpetrator.

Throughout, Cliff struggles with his politics. As a long-haired hippie, he probably has more in common with the hacker than with the suited g-men of the agencies. Cliff’s interactions with the spooks and with characters such as Robert “Bob” Morris of the cybersecurity command make for good reading. Along with his investigation, he finds that his politics also change as he realises that the intruder is destroying the trust needed for the internet to be the medium for sharing information that he expects it to be. An astronomer, Cliff is an unlikely person to be considered a computer expert. He was in the right place at the right time and he made the most of his opportunity, leading to arrests in an international investigation. A bonus is thrown in at the end: Cliff is one of the experts called in to deal with the Morris Worm – a computer worm that brought down a large number of internet-connected UNIX servers.

The book is written with a great sense of humour. Cliff, despite being a PhD, successfully plays the ‘little guy’ making his little dent in the information security universe, in fact making it profoundly better. It is a nice read for the layman about information security (or cybersecurity) as a discipline finding its feet and making baby steps. We all use computers and we need to know what can be done with them. Importantly, the book describes the ‘security guys’ as ordinary, relatable human beings with ordinary lives and ordinary motivations.

The Cuckoo’s Egg is a must read for information security practitioners, especially incident responders. The trade craft and dedication shown by Cliff and the initially surprising revelation about the hacker being a spy should motivate incident responders and other security professionals in their jobs.

Securing yourself online

My blog has been slightly inactive on account of my travels. Here is a little Christmas gift. This article contains points that I have distilled from a presentation that I have made for the same purpose, i.e. educating people about what they can do to make their online lives more secure.

There are a number of things that we can do to keep our valuable data private and available to us when we need it. Here are a bunch of them that I apply in my personal life. They start from the simple and free and go towards the technically complex and paid. Note that I have avoided putting in details on how to do each item as the article is already long. Doing a search on Google (or DuckDuckGo) with the heading should provide you with more details on each item.

Caveat: none of the advice below guarantees your security. If the NSA wants to see what you’re doing, they probably will. Security requires ‘defence in depth’. If one measure is surmountable, it helps to have another measure to back you up. If a malicious entity somehow breaks the security of your VPN, they may be set back by your HTTPS connections; if they sniff/steal your password, they may be set back by your 2FA token. Those of us in the information security industry hope for (and work toward) a future where the layman does not need to have sophisticated IT knowledge in order to secure their lives. Read on!

Backups
Some stuff is too valuable to have only one copy of. In the event that a hard disk fails, you will want to have a backup on another hard disk or in the cloud. Every article that I write is initially typed up on my computer / online storage before it is copied into my website. Additional hard disks for storing large volumes of photos and videos are now cheap.

Password locking & password managers
If your computer connects to the internet, it can be accessed remotely and it needs a password. Make it at least 15 characters and do not reuse the same password anywhere else. Read this series of posts about password management and stop trying to memorise all your passwords. Get a password manager to remember passwords for you. Make your passwords totally random, long, distinct (do not use the same one in two places) and unmemorable. One password for your computer, one for your phone and one for the password manager should be all you need to remember. I have also come across recommendations (there is no consensus) to not use security questions that allow you to recover your account if you should forget your password. People who follow this advice fill the security question field with gibberish. Security questions to help reset passwords are a weakness that allows people to access accounts without cracking their passwords.

Windows update (and other autoupdates)
This is a critical and fundamental security measure. Ensure that automatic updates are turned on by default for your Windows and other software on your computer. The browsers that you use and MS Office are critical. Java and Flash are notorious for their vulnerabilities and need frequent updates. Any time a vulnerability is found, there is a race between manufacturers trying to push updates to users and malicious actors attempting to exploit the vulnerability. Enabling auto updates keeps you on the safer side of the curve.

Windows firewall
The default firewall on your computer should be enabled. More precisely, do not disable it.

Antivirus
This is something fundamental. It should not, by itself, give you a sense of security, but having antivirus or antimalware software is a minimum security requirement. Plenty of free and paid antivirus software is available. The fact that you pay for it does not necessarily make it better.

Pirated software and jailbroken devices
Using pirated software is a good way to introduce malware into your computer yourself. The act of jailbreaking a device to give it features that the manufacturers did not intend it to have necessarily requires breaking the security of the device. Avoid doing these things. Get software that is free to use or buy commercial software.

Mobile phones
If your phone allows biometric authentication, enable it and use it. Your secondary authentication mechanism must be a long PIN / password (10+ characters minimum, 14+ optimal). The PIN might be slightly easier to use on account of the bigger size of the buttons. Drawing patterns and 6-digit PINs are easily observed by shoulder surfing and easily broken by technical means. Do not leave the phone where others can physically access it.

Laptops and other portables
These devices should not be left in places where other people can access them. It is possible for someone malicious to fry your computer by plugging something nasty into its USB port in seconds (see USBKILL) and walk away. It is also possible for someone to gain control of a locked computer, again by sticking something into the USB port, in seconds. The cost of gaining access? A $5 device (see PoisonTap). The advice about HTTPS in the browser section below also helps with the last item.

Encrypt the hard disks of devices (including phones) to protect data from theft in the event that the device is physically taken. Encryption is not a panacea. It is effective if the device is switched off, but it might be possible for a skilled attacker to extract data from a powered-on device.

Connecting to WIFI
The general security advice is never to connect to free, insecure WIFI. Some people go further, choosing to always carry their personal WIFI router with them when they travel. Having a VPN connection enabled by default may be a mitigating measure when connecting to insecure WIFI (see below).

Email
Avoid clicking on links or opening attachments sent to you by email. This is the easiest way people get hacked – not through fancy technical mumbo-jumbo, but through stuff sent to you by email. Avoid forwarding any email that asks you to forward it.

USB drives
USB is infamous for being fundamentally insecure. At a basic level, never plug an unknown USB stick into your computer, especially if you find it in the car park or on your desk. This includes iPads and phones that need to be charged – i.e. anything that has storage. Don’t do it as a favour to someone that you do not know (some of us would not do it as a favour to people whom we do know). Disable autorunning of USB devices. You can find a number of articles explaining how to do this for your operating system. Also recollect the two items (USBKill and PoisonTap) mentioned in the section about keeping portable devices physically secure.

Software and apps
In general, install software and apps only from trusted parties. Do not install mobile apps from outside the standard app stores. For mobile phones, be wary of apps that ask for many permissions to function. The newest versions of iOS and Android allow users to give the app permissions only when it actually needs them.

Browser & websites
Any site that you log in to must use HTTPS. Do not enter credentials or personal information such as date of birth, credit card information or ID information into a site that has no HTTPS. Add the free HTTPS Everywhere plugin to your browser to force all sites that have more secure encrypted versions to provide you with the encrypted version of the site. Using HTTPS does not ensure security (explaining why requires a slightly technical and much longer article), but without it one cannot expect web browsing security.

Automatically clear your cache when you close the browser. This may be hard to get used to, but it makes it significantly harder for third parties (and first-party sites) to track you. This can prevent websites from showing you the inflated prices that they showed you the first time you visited – since they no longer know that you had already visited. Enable the Do Not Track feature. Use an ad blocker to block advertisements. Advertisements are a way for malware to spread through web browsers and to slow down your browsing. The site owner usually has no control over what content is provided to you in advertisements. A year ago, Forbes spread malware to its readers through advertisements.

Use a different browser for stuff like your email and social media that require you to log in and another browser for all other browsing. This can prevent Facebook from knowing that you’re planning a vacation to Iceland and providing you with ads. It can also prevent a malicious site that you happen to be on from reading information that you provide another site.

Control what is on your social media
Periodically check privacy settings on social media to understand how the content that belongs to you is used by companies such as Facebook, LinkedIn and Twitter. Tagging your face on pictures makes it easy for software to identify your face, with consequences that may be positive or negative. In general, do not post things on social media that you may regret if someone reads it out of context. It is easy for someone to screenshot your post and paste it elsewhere, minus the context. Avoid giving out information such as your date of birth and family members as this information may be used by your bank or a government to authenticate you. (When was the last time you had to tell someone on the phone your birth date or your mother’s maiden name to convince them that you were you? It can’t have been very long ago.)

Home router
Critical: change the default username and password for the WIFI router. This is typically something like ‘admin’ for both username and password. In many cases you can reach the settings page by typing “192.168.0.1” or “192.168.1.1” into your browser. Change the SSID (i.e. the WIFI name) and if possible disable access point broadcasting. Default SSIDs make it trivial to identify the kind of WIFI router and make it that much easier to attack. I have known wireless printers to be unable to connect if you disable AP broadcasting, so it might not always be possible. Use WPA2-PSK security with a long password for connecting to the WIFI (note that this is different from the router admin password). Periodically update the router software (every half year is a good bet for the layman).

SMS and phone calls
Understand that the providers of your mobile connection have all information about the numbers that you dial and the contents of the SMSs that you send. They can also listen to your calls. If this concerns you, you might want to use encrypted messaging (see ‘different providers’ section) and encrypted calling services. They function in a foolproof manner only when both people use the service and the encryption is end to end, but encrypting content to the service provider gives some amount of privacy as well.

Use a VPN
Virtual private networks (VPNs) are commonly used to create an encrypted remote connection between a person and his office environment when he is not on site. This technology can be used to protect your internet browsing data as well. VPNs can be used to protect your browsing if you need to connect to weakly protected WIFI networks and to mask your location from third parties. VPN software typically requires payment, but can be cheap.

Edit 2 (31 Jan 2017): I have removed this recommendation altogether because using the wrong VPN provider can cause greater risk to the user than not using a VPN at all. Too high a proportion of VPNs are implemented insecurely / have a shady business model for this recommendation to stand [research paper].
Edit: VPN caveats: Not all VPNs are created equal. Understand their business model and whether they do actually value your privacy. Obviously, the VPN provider has the ability to read data when it enters and leaves the tunnel (prior to any VPN encryption) unless the traffic is encrypted even before it goes into the VPN (e.g. all your Facebook and Gmail traffic). If the VPN is available for free, ask why. Does their business model depend upon selling user information?

Use different providers altogether
Use providers of services who respect your privacy and do not use your information for their own benefit. Try DuckDuckGo for search instead of Google; secure email services instead of Gmail (which reads your mail) or Live mail / Outlook (which can read your mail). If you are still using Yahoo!, please stop now! (right now!) The same goes for messaging tools and VOIP. See the Electronic Frontier Foundation’s (EFF) secure messaging scorecard regarding security and privacy. You may be pleased to know that the most common messaging application, Whatsapp, is quite good at the moment.

Using the Gartner magic quadrant when buying security products

The Gartner magic quadrant is ubiquitous at security sales presentations. Being featured in the quadrant, the leaders quadrant in particular, is a part of the vendor pitch and the recognition that it provides may have an impact on the purchasing decision. Is it of such significance and should it impact your purchase decision?

Gartner does provide useful analysis of security products, their penetration into markets and their product maturity. I occasionally check out Anton Chuvakin’s blog on SIEM as I find it a useful resource in my own specialisation. Knowing the quality of the output (at least in the SIEM blog), I have some faith that the MQ delivers what it promises to deliver. This is what one needs to note: are the MQ’s judgement criteria relevant to your purchase decision?

In very few sales presentations that I have attended have I seen an actual quote from Gartner’s analysis provided by the vendor. They have contented themselves to put up the MQ itself to allow potential clients to assume that that means it is a fantastic product or, if the product is the highest and rightmost on the chart, the best product. The clients for their part appear to fall for the assumption. This is not what the MQ is meant for. While the MQ does say something about the market penetration, the vision and coverage of the product and vendor, it says very little about whether the product fits your business. Users look for products in the top-right quadrant, when in fact a product in the top-left may be a much better fit for your environment.

Gartner explains their methodology for the magic quadrants here.

Gartner is very open in stating that the quadrants talk about the capabilities of the technology providers in executing and envisioning the future for the type of product. It says nothing about the technology solution on offer and does not pretend to. Gartner’s critical capabilities articles are much more useful when considering products provided by the vendor. More importantly, use this as no more than as a starting point when considering dealing with a vendor / product. There might even be a chance that the best-fitting product is not there in the quadrant or that there is no quadrant for the kind of product that will fit your requirement.

Gartner’s analysis is inadequate to inform you as to whether the product will work for you. Get your vendors to come up with a proposal to fit your requirements and perform a proof of concept with a few vendors and with your security team to really understand the product for your decision making.

You might also find these articles interesting:
The horror of the security product presentation
Comparing SIEMs for your environment

I am speaking at the CSX 2016 Asia Pacific conference (14-16th November 2016) on SIEM. Check it out: http://www.isaca.org/cyber-conference/csxasia.html

SIEM: Comparing available SIEMs

This is an article in a series on a group of security products known as SIEM: security information and event management. An earlier article in the series introduces SIEM.

You have decided to get a SIEM since you need it in your environment. Vendors will soon present to you on the merits of their SIEM and how their product is superior to the competition. How do you cut through the jargon and understand whether the product fits your needs? Here are some of the things that different SIEM products perform differently.

User-friendliness
This might be harder to measure than you think. Note that there are different types of users in every environment. “Using” the SIEM (i.e. running reports and searches and looking at dashboards) requires one level of user. With some SIEMs, the user can simply type in a keyword or an IP address and instantly get query results from days of logs. With others, they may need to learn the syntax of a search query. In some cases the search query syntax can be learned in minutes. In other cases, a really good query may require knowledge of regular expressions, which requires analysts with technical talent.

Administering the SIEM and creating reports and rules typically requires users with a higher degree of technical knowledge. They also need to find the SIEM friendly to use. In some cases, it is very easy to extract out the results of a search as a report and save the format for later use. In others, it is more complex, with multiple modules needing to be created prior to arriving at the final output. Likewise some SIEMs allow correlation rules to be created with just a series of mouse-clicks from a search output. Some others may not have this functionality.

User-friendliness should be a key criterion when there are no dedicated personnel handling the SIEM. If you have a small security team (or worse, if you have no dedicated security team), this will be a significant criterion.

Setup time
Some vendors advertise ‘turn-key’ products that can get up and running in minutes. Always take with a pinch of salt any promise of instant security. What these provide is a tick in the “do we have a SIEM?” checkbox for people with compliance requirements. Given that, setup time still varies among products. Some vendors will have multiple types of products with differing setup times that are worth considering.

Why do these setup times vary? Often the products may be a ‘starter pack’ with a small subset of features or they may turn out to be not very customisable or extensible. Consider whether the product will also fit your needs a few years on when purchasing something that has a short setup time.

Extensibility
Depending upon the environment and your initial motivations behind getting a SIEM, your need for storage space may change slightly or drastically over the life of the product. Enterprise-grade products ought to be extensible, either by adding storage to the existing setup or by having another instance of the product software running that can be integrated into the current setup. In some architectures it is possible to run a search from one component on all components in the infrastructure. In some other architectures, a selection of events flow up to a higher-level manager where these key events are analysed.

Customisability
Customisability, along with extensibility, is occasionally antithetical to user-friendliness and setup time. Some products come with a large number of use cases that are effective out of the box, but are not customisable or are hard to customise. Others are used best when they are heavily tailored to the environment and allow a great deal of customisability.

Environments with fewer analysts (or no analysts) may not need the customisability option so much. Security operation centres and large environments will work best when the use cases are tailored. These environments are also more likely to have dedicated personnel who can learn the SIEM thoroughly such that the user-friendliness and intuitiveness of the SIEM is less likely to be a problem.

The above four are criteria that help with evaluating traditional SIEM. The below capabilities are now becoming more relevant and useful in improving the effectiveness of SIEMs.

User behavior analytics
While dealing with ‘events’ generated by devices is key to SIEM functionality, attaching those events to actual flesh and blood users performing actions, legitimate and illegitimate, is of considerable value. Today’s SIEMs either have this capability built in or can add in this capability as an extra module. This should be a part of your consideration especially if you look into insider threat (you absolutely should)!

Artificial intelligence / machine learning / anomaly detection
Different companies will call it by different names. The crux is to go beyond pre-built rules to let the machine analyse normal patterns of behavior and inform the analyst of anomalies. The technology is not foolproof, but this is the future.

Get your vendors to do a proof of concept (POC) so that the SIEM demonstrates its value. Have your technical staff evaluate the product based on the criteria for your environment before you make your decision.

Also check out these resources:
My previous article introducing SIEM
Anton Chuvakin’s blog at Gartner is a great SIEM resource 

SIEM: Security information and event management

This is the first article of a series on a group of security products known as SIEM: security information and event management.

You are probably familiar with the fact that most computing devices log a number of events that happen on their systems, e.g. a user logs into Windows; an antivirus scanner detects a virus; a switch port is disabled; etc. As in a plane’s black box or a written log of events, the events happening inside computer systems have value: an administrator can understand what caused a user to get locked out of his computer; why the web server is no longer receiving traffic; where the origin of a worm is; etc. Since the logs are available, it will be of much more use if they can be readily accessed from a purpose-built system than if we had to go to each individual machine to retrieve them. Log management systems (LMS) were born out of this requirement.

A log management system collects logs in a central repository. This can be useful for after-the-fact reviews of incidents. What if you want to know in close to real-time what is going on in your computer infrastructure? This is where the SIEM comes in. SIEMs have considerably enhanced capabilities over LMS, but usually may not retain the logs for as long as purpose-built LMS.

SIEMs perform a few functions: they normalise, aggregate and correlate the logs. They present the logs in an easy to understand GUI. They are able to provide trending and analysis.

Normalisation: Logs come in various formats. It can require a bit of effort to understand what logs from different products/manufacturers are trying to say. SIEMs simplify this by standardising the log content into fields that are common to the SIEM. The analyst only has to understand the fields within the SIEM, which is adequate to comprehend the logs.

Aggregation: There are some devices that send hundreds, perhaps thousands of similar events with just a few parameters, including the timestamp, differentiating between them. In the event that the distinctions are not relevant, a number of events within a short timeframe can be aggregated into one event, along with the total number of events represented in a field. This reduces the number of lines that an analyst has to look at.

Correlation: This is the key strength of the SIEM. Correlation is the ability to see relationships between distinct events that happen in the infrastructure. The events may originate from distinct products and can sometimes be separated by hours. If such relationships can be automatically found, it drastically reduces human effort in analysis. If a person’s remote login account is used and, within a few minutes, their door card is used to access an office building, this might be something that security has an interest in. A SIEM can detect this sort of correlation.

Alerting:
The obvious next thing to do after detecting a correlation that is security-critical would be to notify the analysts of the event. This can be done via email, SMS, popups on their console, etc. SIEMs have the ability to send alerts close to real-time once an event or a correlation occurs.
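As an added illustration (not code from this article or any SIEM product), the sketch below walks the events through the three functions: two constructed vendor log formats are normalised into common fields, a burst of near-identical VPN failures is aggregated into one record carrying a count, and a correlation rule flags the remote-login-then-door-card case described above. All log lines, hostnames, user names and door names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs in two hypothetical vendor formats (not from any real product).
VPN_LOGS = [
    "2016-11-02T09:02:11 vpn-gw1 user=alice src=203.0.113.7 action=login",
    "2016-11-02T09:05:43 vpn-gw1 user=bob src=198.51.100.4 action=login",
] + [f"2016-11-02T09:10:{s:02d} vpn-gw1 user=mallory src=192.0.2.9 action=fail"
     for s in range(20)]  # 20 near-identical failures, one second apart
BADGE_LOGS = [
    "11/02/2016 09:04:30,BLDG-A-DOOR-3,alice,GRANTED",  # 2 min after alice's VPN login
    "11/02/2016 09:45:00,BLDG-A-DOOR-1,bob,GRANTED",    # 39 min after bob's: outside window
]

def normalise_vpn(line):
    """Normalisation: map the key=value VPN format onto the SIEM's common fields."""
    ts, _, rest = line.split(" ", 2)
    kv = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"ts": datetime.fromisoformat(ts), "user": kv["user"], "src": kv["src"],
            "event": "vpn_" + kv["action"], "count": 1}

def normalise_badge(line):
    """Normalisation: map the CSV badge-reader format onto the same common fields."""
    ts, door, user, result = line.split(",")
    return {"ts": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"), "user": user,
            "src": door, "event": "badge_" + result.lower(), "count": 1}

def aggregate(events, window=timedelta(minutes=1)):
    """Aggregation: collapse consecutive events with the same (event, user, src)
    inside `window` into one record whose count field says how many it stands for."""
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        last = out[-1] if out else None
        same = last and (last["event"], last["user"], last["src"]) == \
                        (ev["event"], ev["user"], ev["src"])
        if same and ev["ts"] - last["ts"] <= window:
            last["count"] += 1
        else:
            out.append(dict(ev))
    return out

def correlate(events, window=timedelta(minutes=10)):
    """Correlation rule: a VPN login followed within `window` by a door-card grant for the same user."""
    alerts = []
    for login in (e for e in events if e["event"] == "vpn_login"):
        for ev in events:
            if (ev["event"] == "badge_granted" and ev["user"] == login["user"]
                    and timedelta(0) <= ev["ts"] - login["ts"] <= window):
                alerts.append((login["user"], login["ts"], ev["src"]))
    return alerts
```

Feeding both log sets through the normalisers, then `aggregate`, then `correlate` yields five records (mallory's twenty failures collapse into one with count 20) and a single alert for alice; bob's door-card use falls outside the ten-minute window.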

Dashboards and reporting:
SIEMs come with nice interfaces that provide snapshots or current states of security in one’s environment. These may be snapshots in the form of reports, presented as charts, tables or a combination, or they may be dashboards that show current states, maxima, minima, averages, etc.


SIEMs have evolved over the last decade and they now come with even more features. The ability to do user behavior analysis and integrate threat and network models are features that you will see in today’s SIEMs.

The ubiquitous Gartner magic quadrant for SIEM will give you an idea of the major players in the SIEM market as Gartner sees it. Take care to actually read their analysis and to look beyond the picture when you consider buying a SIEM for your organisation.

I will make a few more posts on SIEM in the next few weeks. I am speaking at the CSX 2016 Asia Pacific conference (14-16th November 2016) on SIEM. Check it out: http://www.isaca.org/cyber-conference/csxasia.html

Review: No place to hide – Edward Snowden, the NSA, and the US surveillance state

Glenn Greenwald is the reporter who, along with Laura Poitras, broke Edward Snowden’s leaks about the NSA’s mass-surveillance program in 2013. In “No place to hide” Greenwald tells the story of how the leak happened, from the first contacts with Snowden to the aftermath in the next year. Greenwald also devotes a chapter to explaining why the ordinary person should care about mass government surveillance.

The big story is about the content of Snowden’s leaks, but the reader also gets to understand and appreciate Edward Snowden. Snowden’s motivations for putting his entire future at risk are probably the most significant reveal of the book. Snowden has no significant character flaws that suggest that he might want to bring down the establishment. He is a person who might be considered to have had a “decent middle-class” upbringing and was working highly-paid jobs when he stole the classified documents. He even created a manifesto that includes “While I pray that public awareness and debate will lead to reform, bear in mind that the policies of men change in time, and even the Constitution is subverted when the appetites of power demand it. In words from history: Let us speak no more of faith in man, but bind him down from mischief by the chains of cryptography.” – paraphrasing Thomas Jefferson, who said “In questions of power then, let no more be heard of confidence in man, but bind him down from mischief by the chains of the Constitution.”

Many pages of the book are spent on the details, the illegality, the implications and the lack of necessity of the NSA’s bulk data collection. This data is collected from and shared with the partners in the Five Eyes: UK, Australia, New Zealand and Canada. Greenwald argues that targeted data collection on specific individuals is adequate and effective and that bulk data collection has been useless in preventing terrorist attacks. Also, despite the stated goal being terrorism prevention, surveillance has been put to use for the economic and diplomatic advantage of the United States. This is precisely what the US has hypocritically asked China to stop doing. And “who watches the watchers?” The FISA court, created to oversee covert operations, is nothing more than a rubber stamp that has not denied a single surveillance request.

Most people are habituated to living in a society where they think that allowing the government to read their emails (or pancake recipes) is harmless. “I am too boring to be worth surveillance.” Greenwald has a reply to people holding these attitudes. He explains that most people who would do nothing to challenge the establishment would not feel threatened, but when something that the establishment prefers to keep hidden is in one’s possession, one becomes a target. This has nothing to do with threats to national security; just having opinions or publishing facts that disagree with the establishment can cause a person under such a government much difficulty. In a democracy the ability to criticise the establishment is a freedom that we have, and it is being eroded by having our privacy taken away from us. A response for the “boring” people who will never criticise the establishment: they will be impelled to change their normal behaviour if they feel that they are being watched. Our conversations and whom we talk to are being recorded. Does that not affect what we write about? Also: one closes one’s doors before having sex. This has nothing to do with sex being illegal or immoral and everything to do with humans needing privacy for some activities. We should expect privacy in what we write about in private communications.

The book’s last chapter describes how the American news media have become pliant – willing allies serving the needs of the political establishment instead of the public’s. It is a fascinating read and enlightens the reader to be more politically aware and aware of how precious one’s privacy is.

This book informs us that we need to take conscious political choices in order to protect personal privacy as a fundamental right. Snowden and other whistleblowers before and after him have faced prosecution from the “liberal” administration of Obama. The choice is between a world where no one has privacy and one where the NSA can abuse their surveillance powers at will. It is a must-read to understand the political and technological abuses of power that go on in our modern world and why conscious usage of technology such as encryption can be a political statement and not just a privacy tool.

Review: Ghost in the wires

‘Ghost in the wires’ is the autobiography of Kevin Mitnick, the “world’s most wanted hacker”. The book came out in 2011. Mitnick now claims to be reformed and has his own security consulting company.

Kevin Mitnick, as a teenager, was curious about breaking into computer systems. He did so, explains in the book how he broke in, mainly by using social engineering methods, and eventually got caught and was sent to a juvenile correctional facility. With this began a cycle that would repeat itself many times over the course of the book.

The book is best in the early parts when Kevin describes one of his hacks. He understood that any system has weaknesses, technical or human. He would find a weakness and exploit it. He would persist if initially unsuccessful. The hacker mindset on display as he attempts to break into something just for the fun of it is something that people would do well to understand. Also, the ease with which systems built by hundreds of people can be subverted using very low-tech methods is something to know about.

As a person with some technical knowledge, I was able to follow a great deal of the technical hacking described in the book. A lot of what is described (“getting root”, “exploit [noun]”, etc.) is incomprehensible for the layman – my father gave the book a try. Surprisingly, the book gets boring after a while. Within the first hundred pages, one learns everything there is to know about Kevin’s non-technical social engineering skills. What follows is a repetition of what already happened: Kevin decides to break into something; he calls someone pretending to be someone else, and elicits and easily obtains the required information from them; he breaks in; he learns that law enforcement may have gotten wind of it; he tries to cover his tracks and breaks into something else to get more information. The cycle continues, occasionally punctuated by visits from the police.

The discussion regarding law enforcement becomes complicated by the fact that they (and the prosecution) do not appear to have a good grasp on what Kevin has actually done (according to him), accuse him of crimes that he did not commit (according to Kevin) and prosecute him for the same. This is another interesting thing about the book that everyone trying to stay on the right side of the law in a fully internet-connected world should appreciate.

A serious problem with the book is Kevin’s lack of contrition. He is repeatedly sorry for the harm he did to his loved ones, but has no feelings whatsoever for the companies that he broke into, their employees, or for the people whom he insults with snide remarks in his book. His language, as a man in his forties (when the book was written), shows an immaturity that should have ended with his teenage years. Kevin repeatedly refers to the man who caught him, Tsutomu Shimomura, as “Shimmy”; he calls people “bastards”; he unnecessarily names and shames a colleague who may have wanted to have sex with him; etc.

The casual reader would learn much about the vulnerability of the devices and infrastructure that we use from going through about 100 pages of the book. 300+ pages is way too much to read about one egoistic hacker who may not have learned his lessons.