The “long lost lecture” by Adm. Grace Hopper has been published by the NSA. (Note that there are two parts.)

It’s a wonderful talk: funny, engaging, wise, prescient. Remember that the talk was given in 1982, less than a year before the ARPANET switched to TCP/IP and the internet went operational. She was a remarkable person.

Listening to it, and thinking about the audience of NSA engineers, I wonder how much of what she’s talking about as the future of computing—miniaturization, parallelization—was being done in the present and in secret.

The latest in what will be a continuing arms race between creating and detecting videos:

The new tool the research project is unleashing on deepfakes, called “MISLnet”, evolved from years of data derived from detecting fake images and video with tools that spot changes made to digital video or images. These may include the addition or movement of pixels between frames, manipulation of the speed of the clip, or the removal of frames.

Such tools work because a digital camera’s algorithmic processing creates relationships between pixel color values. Those relationships between values are very different in user-generated images or images edited with apps like Photoshop.

But because AI-generated videos aren’t produced by a camera capturing a real scene or image, they don’t contain those telltale disparities between pixel values.

The Drexel team’s tools, including MISLnet, learn using a method called a constrained neural network, which can differentiate between normal and unusual values at the sub-pixel level of images or video clips, rather than searching for the common indicators of image manipulation like those mentioned above.

Research paper.

The Telegram messaging app has emerged as a hub for criminal activities, serving as a platform for data exchange among various illicit networks. Criminals, ranging from drug and child traffickers to cybercriminals, are increasingly utilizing Telegram to facilitate their nefarious operations.

One recent instance of cybercrime involves the distribution of hacked intimate CCTV videos, which are being sold on the platform. These videos, featuring content from bedrooms, are in high demand, with a dedicated Telegram channel named Vnexpress offering them for sale. The videos are priced at $3 per clip, and subscription options for quarterly, half-yearly, and annual plans are available at a cost-effective rate of $29.

Particularly disturbing is the demand for videos containing intimate moments from bedrooms, shedding light on the perverse interests of those purchasing such content. The Vnexpress channel, operating out of Russia, specializes in selling these compromising videos, exposing the private lives of families and businesses in Vietnam.

Notably, certain videos showcase bedroom footage of couples from countries like Canada, the United States, Australia, and Britain. The content is allegedly hacked from CCTV cameras installed in hotels and resorts, commanding prices ranging from $16 to $19 per clip.

Hackread.com, an online news resource, has highlighted that surveillance camera footage from homes in Vietnam is contributing to the content available to these criminal groups. The public is urged to refrain from installing CCTV cameras in sensitive areas like changing rooms, trial rooms, bedrooms, and bathrooms, as this footage becomes a valuable resource for criminals. Despite global prohibitions on the installation of cameras in such private spaces due to privacy concerns, it seems that individuals continue to neglect these regulations.

In light of these developments, there is a growing call for Telegram to implement stringent measures to monitor and control illicit activities on its platform. Major social media platforms such as Facebook, Twitter, and Google employ AI technology to combat the spread of various crimes, and it is hoped that Telegram will follow suit to effectively curb criminal activities within its user base.

The post Vietnam hacked CCTV videos selling like hotcakes on Telegram appeared first on Cybersecurity Insiders.

Russia’s asymmetrical cyber-attacks have been a well-documented, rising global concern for most of the 2000s.


I recently visited with Mihoko Matsubara, Chief Cybersecurity Strategist at NTT to discuss why this worry has climbed steadily over the past few years – and is likely to intensify in 2024.

The wider context is all too easy to overlook. Infamous cyber ops attributed to Russia-backed hackers fall into a pattern that’s worth noting:

Cyber attacks on Estonia (2007): Websites of Estonian banks, media outlets and government bodies get knocked down in a dispute over a Soviet-era war memorial.

Cyber attacks on Georgia (2008, 2019): Georgian government websites get defaced; thousands of government and private websites get blocked, including two major TV stations.

Ukrainian power grid takedowns (2015, 2016): The capital city of Kyiv suffers widespread, extended outages.

U.S. presidential election interference (2016): The personal accounts of Clinton staffers get hacked; disinformation supporting Trump gets widely disseminated via social media.

French presidential election interference (2017): Leaks and fake news are similarly spread in attempts to influence the presidential election.

SolarWinds hack (2020): Supply chain connections for thousands of federal agencies and large enterprises get swiftly, deeply compromised.

MOVEit hack (2023): File sharing hook-ups for thousands of enterprises get compromised, triggering class action lawsuits.

It’s not just Russia. Other milestone nation-state cyber-attacks include Titan Rain (China, 2003 – 2006), Stuxnet (U.S. and Israel, 2005 – 2010), Operation Aurora (China, 2009), the Sony Pictures hack (North Korea, 2015), and WannaCry (North Korea, 2017).

Matsubara is a former Japanese Ministry of Defense official who previously served as Palo Alto Networks’ VP and Public Sector Chief Security Officer for Asia-Pacific and, before that, as Intel’s Cyber Security Policy Director. We discussed how Russia in 2023 began synchronizing asymmetrical attacks with kinetic military operations — targeting Ukraine’s infrastructure with both missile strikes and advanced power grid hacks.

Matsubara warns that geopolitical tension often entails cyber espionage and disruption. Such a playbook could come into play in the Middle East and Taiwan as well.

For a full drill down, please view the accompanying videocast.

Looking ahead to 2024 and beyond, Matsubara observes that company leaders would do well to look beyond basic cyber hygiene and adopt a more holistic approach to protecting their networks.

Given geopolitical conflicts of the moment, pressure from adversaries is expected to intensify going forward. Regulators are responding by implementing stricter data privacy and supply chain security standards. This means company leaders must do their due diligence.

The good news is that AI is coming into play across the board — in cybersecurity innovations to harden software code, manage cloud access and even make encryption more flexible and resilient. Company leaders can and should lean into AI as they select and implement leading-edge security tools and services, she says.

For small and medium-sized organizations that lack the resources of large enterprises, the challenge is acute, as their role in the supply chain makes them prime targets for strategic cyber disruptions. Matsubara sees managed security services as a lifeline enabling smaller companies to cost-effectively boost their cyber resiliency.

Company decision makers responsible for cybersecurity certainly have their plates full in the coming year. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

The ubiquity of smart surveillance systems has contributed greatly to public safety.


Image capture devices embedded far and wide in public spaces help deter crime as well as aid first responders — but they also stir rising concerns about an individual’s right to privacy.

Enter attribute-based encryption (ABE), an advanced type of cryptography that’s now ready for prime time. I’ve had several discussions with scientists who’ve led the development of ABE over the past two decades.

Most recently, I had the chance to visit with Takashi Goto, Vice President, Strategy, and Fang Wu, Consultant, at NTT Research. We discussed how ABE is ready to help resolve some rather sticky privacy issues stemming from widespread digital surveillance – and also do much more.

For a full drill down on this leading-edge form of agile cryptography, please view the accompanying videocast. Here are my takeaways.

Customized decryption

ABE builds upon digital certificates and the Public Key Infrastructure (PKI) that underpins secure communications across the Internet. Traditionally, PKI issues a single key to decrypt a given digital asset, which is fine, if the correct person possesses the decryption key.

However, cybercriminals have perfected numerous ways to steal or subvert decryption keys. ABE makes it much more difficult to fraudulently decrypt an asset in its entirety; it does this by pulling user and data attributes into the encryption picture — in a way that allows decryption to be flexible.

For instance, ABE can correlate specific company attributes to certain user attributes. It can differentiate departments, such as HR, accounting or the executive suite, as well as keep track of user roles, such as manager, clerk or subcontractor. It can then apply policies so that only users with the proper attributes can decrypt certain assets and only in very specific ways.

Alternatively, the digital asset itself — such as an image or even a video stream — can be assigned detailed attributes, with each attribute assigned a separate decryption key. A user can decrypt specific parts of an image or video stream, but only if he or she has the correct key enabling that particular access.

“ABE enables fine-grained access control and policy setting at the data layer, so you can actually blur faces or any text shown in the image,” Goto says. “You can still get useful information from the image, but if you don’t have the correct key, you won’t be able to decrypt certain attributes, such as a face or a license plate number.”
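
The per-attribute decryption Goto describes, sketched as an added example (not NTT's code and not a real ABE scheme): one ordinary symmetric key per attribute, with an HMAC-SHA256 keystream standing in for ABE's pairing-based cryptography, so it shows the access pattern but not ABE's policy binding or collusion resistance. The attribute names, region names and sample frame are constructed.

```python
import hashlib
import hmac
import secrets

REDACTED = b"[REDACTED]"


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one attribute key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode (stand-in cipher, stdlib only).
    blocks = [
        hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        for ctr in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one region: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or altered region raises ValueError."""
    if len(blob) < 48:
        raise ValueError("truncated region")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered region")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def protect_frame(regions, attribute_keys):
    """regions maps region name -> (attribute, bytes); each region is
    sealed under the key of the attribute it is tagged with."""
    return {
        name: (attr, seal(attribute_keys[attr], data))
        for name, (attr, data) in regions.items()
    }


def view_frame(protected, held_keys):
    """Return what a viewer holding `held_keys` can see; regions whose
    attribute key is missing or wrong come back redacted."""
    view = {}
    for name, (attr, blob) in protected.items():
        key = held_keys.get(attr)
        try:
            view[name] = unseal(key, blob) if key else REDACTED
        except ValueError:
            view[name] = REDACTED
    return view


# Constructed sample: one surveillance frame split into tagged regions.
ATTRIBUTE_KEYS = {a: secrets.token_bytes(32)
                  for a in ("scene", "face", "license_plate")}
FRAME = {
    "background": ("scene", b"intersection, 3 vehicles, wet road"),
    "driver": ("face", b"<face pixels>"),
    "plate": ("license_plate", b"ABC-1234"),
}
PROTECTED = protect_frame(FRAME, ATTRIBUTE_KEYS)

if __name__ == "__main__":
    # A traffic analyst holds only the "scene" key: face and plate stay hidden.
    print(view_frame(PROTECTED, {"scene": ATTRIBUTE_KEYS["scene"]}))
```
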

Versatile benefits

It’s taken a while to get here. ABE has undergone significant theoretical advancements since 2005. But it has only been in the past couple of years that proof-of-concept projects have gotten underway. Today, Goto says, ABE is fully ready to be validated in real-world deployments.

NTT is partnering with the University of Technology Sydney to introduce an ABE service that fits with existing IT infrastructure, including cloud computing, healthcare, IoT and secure data sharing. This comes after the partners have spent the past couple of years fine tuning an architectural design that’s compatible with existing IT systems, he says.

Wu observes that ABE’s fine-grained access control capability could enhance any of the major areas of digital services that exist today, while also being future-proofed. We should soon begin to see examples of ABE being implemented in virtual computing and cloud storage scenarios — to help ensure that decryption happens only when the correct combination of attributes presents itself.

And when it comes to cloud collaboration, ABE holds promise to help improve both security and operational efficiencies — in everything from rapid software development to global supply chains to remote work scenarios.

“Attribute-based encryption can be utilized to do a number of things,” Wu noted. “It’s an advanced way to partition sensitive data into different groups and then allow the user to access only what he or she needs to access; this can play a vital role in helping to avoid large-scale data breaches.”

With ABE, encryption happens once, while decryption attributes can be amended, as needed. This adds complexity and computational overhead. But those are solvable challenges. There’s a clear path forward for ABE to improve security and help preserve privacy. I’ll keep watch and keep reporting.


New government rules coupled with industry standards meant to give formal shape to the Internet of Things (IoT) are rapidly quickening around the globe.


This is to be expected. After all, government mandates combined with industry standards are the twin towers of public safety. Without them the integrity of our food supplies, the efficacy of our transportation systems and reliability of our utilities would not be what they are.

When it comes to IoT, we must arrive at specific rules of the road if we are to tap into the full potential of smart cities, autonomous transportation and advanced healthcare.

In the absence of robust, universally implemented rules of the road, cybercriminals will continue to have the upper hand and wreak even more havoc than they now do. Threat actors all-too-readily compromise, disrupt and maliciously manipulate the comparatively simple IoT systems we have in operation today.

I had an eye-opening conversation about all of this with Steve Hanna, distinguished engineer at Infineon Technologies, a global semiconductor manufacturer based in Neubiberg, Germany. We went over how governments around the world are stepping up their efforts to impose IoT security legislation and regulations designed to keep users safe.

This is happening at the same time as tech industry consortiums are hashing out standards to universally embed security deep inside next-gen IoT systems, down to the chip level. There’s a lot going on behind the scenes. For a full drill down on my discussion with Hanna, please view the accompanying videocast. Here are a few takeaways:

Minimum requirements

A few years back, a spate of seminal IoT hacks grabbed the full attention of governments worldwide. The Mirai botnet, initially discovered in October 2016, infected Internet-connected routers, cameras and digital video recorders at scale. Mirai then carried out massive distributed denial-of-service (DDoS) attacks that knocked down Twitter, Netflix, PayPal and other major web properties.

Then in 2017, clever attackers managed to compromise a smart thermometer in a fish tank, thereby gaining access to the high-roller database of a North American casino. Soon thereafter, white hat researchers discovered and disclosed pervasive vulnerabilities in hundreds of millions of smart home devices such as cameras, thermostats and door locks.

In 2018, UK regulators got the regulatory ball rolling, taking steps that would eventually result in mandated minimum requirements for IoT data storage, communications and firmware update capabilities. The U.S., other European nations and Singapore soon began moving in this direction, as well. The U.S. National Institute of Standards and Technology (NIST), for instance, has since developed a comprehensive set of recommended IoT security best practices.

In 2023, the U.S. announced a cybersecurity certification and labeling program to help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks. The new “U.S. Cyber Trust Mark” program raises the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.

“We’re moving to a world where IoT cybersecurity will be table stakes,” Hanna told me. “It’s going to be required in every IoT product and governments will have their own checklist of IoT requirements, similar to what we have for electrical equipment.”

Harmonizing the baseline

The efforts by regulators and technologists to establish a baseline for IoT safety have, as might’ve been expected, given rise to conflicts and redundancies. “At the moment, we have a Tower of Babel situation where each nation has its own set of requirements and it’s a big challenge for a manufacturer how they get their product certified in multiple places,” Hanna says.

Harmonizing of different requirements across multiple nations needs to happen, Hanna argues, and this quest is made even more challenging because of the sprawling array of IoT device types. This is, in fact, precisely what a tech industry consortium calling itself the Connectivity Standards Alliance has set out to tackle head on, he says.

“Basically, we’re creating, shall we say, one certification to rule them all,” Hanna told me. “We’re going to bring together all the requirements from these national and regional certifications and say if you get this one certification from CSA, then that indicates you’re compliant with all of the national or regional requirements, no matter where they might come from. And your product can then be sold in all of those different regions.”

The technologists are striving to resolve a profound pain point, in particular, for IoT device makers facing the prospect of needing to test and certify their IoT products in 50 different locales. “If I can test it once against a set of requirements that I understand, then that’s much less expensive,” Hanna says.

Safety labels

The give-and-take vetting of emerging standards that’s now unfolding reflects a tried-and-true dynamic; it’s how we arrived at having detailed food additive labels we can trust on every item on supermarket shelves and it’s why we can be sure no electrical appliance in our homes poses an egregious hazard.

The ramping up of IoT rulemaking and standards-building portends a day when we won’t have to worry as much as we now do about directly encountering badness on the Internet.

I asked Hanna about what individual citizens and small business owners can do, and he indicated that staying generally informed should be enough. He noted that the regulators and tech industry leaders are cognizant of the need to foster consumer awareness about the incremental steps forward. The push behind the new Matter home automation connectivity standard introduced in late 2022 is a case in point.

“We can’t expect the consumer to be an expert on IoT cybersecurity, that’s just not realistic,” he says. “What we can ask them to do is to look for these security labels coming soon to IoT products . . . you just can’t buy an unsafe extension cord anywhere today; only the ones with the proper safety inspections get sold. I hope the same will be true in five or 10 years for IoT products, that all of them are adequately secure and they all have that label.”

This is all part of a maturation process that must happen for digital systems to rise to the next level. I’ll keep watch and keep reporting.


To tap the full potential of massively interconnected, fully interoperable digital systems we must solve privacy and cybersecurity, to be sure.


But there’s yet another towering technology mountain to climb: we must also overcome the limitations of Moore’s Law.

After 30 years, we’ve reached the end of Moore’s Law, which states that the number of transistors on a silicon-based semiconductor chip doubles approximately every 18 months. In short, the mighty integrated circuit is maxed out.

Last spring, I attended NTT Research’s Upgrade 2023 conference in San Francisco and heard presentations by scientists and innovators working on what’s coming next.

I learned how a who’s who list of big tech companies, academic institutions and government agencies are hustling to, in essence, revive Moore’s Law and this time around direct it at optical technology.

I had a wide-ranging conversation with NTT Research President & CEO Kazu Gomi about an ambitious initiative called Innovative Optical and Wireless Network (IOWN) that aims to develop next-generation networks and computations. IOWN is all about supporting increased bandwidth, capacity and energy efficiency.

What really struck me was that IOWN also seeks to foster an “affluent and diverse” global society. For a full drill down on our discussion, please watch the accompanying videocast. Here are my takeaways.

What’s next: Internet of Everything

The world of the near future holds the promise of climate-restoring cities, autonomous transportation systems, incredible breakthroughs in healthcare and many more amazing services that could greatly benefit everyone on the planet.

However, the laws of physics dictate that silicon semiconductor chips simply won’t be able to support the massive data ingestion – and the colossal data crunching – that the Internet of Everything demands.

Fortunately, optical circuits are well suited to the task at hand. The Internet of Everything requires distributing billions more data capture sensors far and wide to form sprawling, interoperable digital shrouds overlapping one another. Each sensor in each shroud must be uniquely smart and use next to zero energy.

Working in concert, these sensor shrouds will very precisely and very securely move vast amounts of useful data very quickly to and from —  in traffic grids, utilities, communication systems, buildings and our homes.

“Optical technology can enable us to control energy consumption so we can support increasing capacity and increasing bandwidth,” Gomi summarizes.

At NTT Research in Sunnyvale, Calif., scientists are working on basic research to develop optical technology that can overcome current challenges. Their work focuses on creating smaller laser oscillators, which produce the light necessary for optical circuits. Smaller oscillators create shorter pulses that can increase bandwidth exponentially.

The business case for optical

One of the key benefits of optical circuits, Gomi emphasized, is their lower energy consumption compared to traditional circuits. This is particularly important for AI engines, which currently require large GPU clusters that use integrated circuit chips and consume vast amounts of energy.

Optical circuits have the potential to replace these GPUs, offering faster computation and drastically reduced energy consumption, he says.

Energy-efficient AI technology would make it possible to move computation to sensors at the network edge where intelligent analytics can be done in much quicker response times, consuming much less energy.

NTT executives and scientists speak often about how advanced optical technology can benefit society as a whole. It’s notable that the IOWN mission statement actually calls for fostering a rich global society, one that’s tolerant of diversity and respectful of individual privacy.

I asked Gomi about the business case for this. He argues that if drastic changes are not made to shift to optical technology, carbon footprint issues will become a significant concern. By embracing optical technology, industries can grow, and society can benefit from the development of smarter infrastructure.

Deploying AI ethically

Gomi also acknowledged the need to strike a balance between humans and AI and to consider the ethics of AI. The conversation around AI’s potential impact on society, culture, and economics is just beginning, he says, but it’s essential to ensure that AI is implemented responsibly to avoid unintended consequences.

“AI right now can be undisciplined and has the potential to behave badly,” Gomi told me. “Bad behavior is something that must be corrected and we need to do something to discipline AI, as needed, when needed.”

You just don’t hear that kind of perspective very much from Amazon, Microsoft or Google, and certainly not from Facebook or Twitter.

In preparing to attend Upgrade 2023, I ran across a transcript of a lecture introducing IOWN delivered in 2019 by Jun Sawada, former CEO of NTT, the parent company of NTT Research.

Sawada begins by pointing out Japan’s history as a supplier of silver pearls, sapphires and cinnabar. He draws a comparison between Europe and Japan during the Industrial Revolution (1750-1850) noting the opposing perspectives of centralization vs. decentralization.

He suggests that Japan’s Edo city, with its population of one million, represented a recycling-oriented eco-metropolis, while European cities focused on centralization and energy-driven growth. Moving on to an assessment of modern society, Sawada posits that the divisions between nations we see today result from conflicts between socialism and capitalism.

Today, he observes, the flood of information, coupled with AI-driven filtering, has led to divisiveness based on biased preferences. He advocates reconciling the economic expansion of modern European societies with Edo’s recycling mindset — and developing a global society that recognizes diverse values.

Sawada’s larger point is that IOWN holds the potential to reset our communication systems with the intention of driving towards a much greater global good. IOWN quietly continues to gain traction. How far can it take us?

I’ll keep watch and keep reporting.
