Articles Featured
Looking Through the Smokescreen: Challenges of Domestic Terrorism in U.S.
December 27, 2018
0
, ,

Timothy McVeigh and Terry Nichols, men imbued in the conspiracy theories and anger of the American radical right, drove a 7,000 pound truck filled with ammonium nitrate fertilizer and nitromethane fuel, marked the opening shot in a new strain of terrorism, by blowing up the Alfred P. Murrah Federal Building in Oklahoma City at 9:02 a.m. on April 19, 1995.
The death toll was 168 including 19 children in a day-care center.
News media assumed that “Middle Eastern terrorists” must have executed the attack. By the end of the day it became clear that domestic, right-wing terrorists were responsible for the mass murder. Since 1995 white supremacists have carried out attacks killing innocent victims to make a political point.


America today faces several strains of extremism, from ISIS-inspired lone wolves to the digitally-organized alternative right, commonly known as the “alt-right.”

America today faces several strains of extremism, from ISIS-inspired lone wolves to the digitally-organized alternative right, commonly known as the “alt-right.”
According to Southern Poverty Law Center, a leading civil rights organization dedicated to fighting hate and bigotry; “After Oklahoma, it was no longer sufficient for many American right-wing terrorists to strike at a target of political significance — instead, they reached for higher and higher body counts, reasoning that they had to eclipse McVeigh’s attack to win attention.”
Fast forward to October 27, 2018, a 46-year-old white supremacist Robert Gregory Bowers entered the Tree of Life synagogue in Pittsburgh, Pennsylvania, with several semi-automatic weapons shouting “All Jews must die,” and killed 11 worshipers and injured another 6.



On Valentine’s Day this year, a 19-year-old Nikolas Jacob Cruz, armed with a semi-automatic rifle, entered Marjory Stoneman Douglas High School in Parkland, Florida, and killed 17 students and teachers. Cruz was described by media as expressing, “far-right, anti-Semitic, homophobic and xenophobic views in a private Instagram group chat.”
Investigators found “white supremacist material” in the bedroom of a 28-year-old Benjamin Morrow, who was killed while assembling a bomb at his Beaver Dam, Wisconsin, apartment on March 5, 2018. He had one gallon of acetone.
A 56-year-old man, Cesar Altieri Sayoc Jr., who worked as a pizza delivery driver and lived in a van plastered with pro-Trump decals, was arrested on October 26, 2018 for sending at least 13 bombs via postal mail to prominent Democrats, liberal figures and the cable news outlet CNN. According to Southern Poverty Law Center; “Sayoc’s online activity across Facebook, Twitter, and YouTube over several years reveal a descent into hyper-partisan and conspiratorial thinking, posting stories from far-right websites like Infowars and Breitbart and sharing photos of himself at Trump rallies. Sayoc had a criminal history including fraud, larceny and a 2002 charge for making a bomb threat against a Florida-based utility company.”

In 2018, so far eight attacks killing approximately 145 people have been recorded.
The Anti-Defamation League (ADL), an international Jewish non-governmental organization based in the United States warns of: “the serious threat of terror from right-wing extremist groups and individuals.” I recently interviewed Thomas J. Main, a professor at the Austin W. Marxe School of Public and International Affairs, City University of New York. The Brookings Institution recently published Main’s book, The Rise of the Alt-Right.
Professor Main says: “the alt-right is far more radical and dangerous than the right-wing extremism of past decades. For it is the underlying ideology of the alt-right, rather than its controversial policy positions, that merits concern.”

Professor Main points out that “Alt-Rightism is, in essence, a political ideology rather than a movement, constituency, or interest group opposed to free markets, neoliberalism, democracy, and egalitarianism.”
This assertion is validated by several alt-right publications as well. Extreme white nationalist sites like Counter Current and alt-right talk about “metapolitics,” a concept first coined by Alain de Benoist and Guillaume Faye. It is critical for these groups to change the way people think.

American far-right extremists borrow heavily from the French right-wing academics. There are plenty of commonalities between American and European extremists; rejection of egalitarianism, democracy, and human equality.
French philosopher Alain de Benoist, leader of the metapolitical school of thought and mind behind the European ‘New Right,’ is frequently quoted by the American alt-right. He has written more than 50 books including The Problem of Democracy and Beyond Human Rights. French journalist and writer Guillaume Faye is also a rage among the American extremists. His books Archeofuturism: European Visions of the Post-catastrophic Age; Why We Fight: A Manifesto of the European Resistance; and Convergence of Catastrophes are top-rated among the alt-right.

However, unlike Europeans, the American far-right girdle religious ideology and fundamentalist interpretation of holy texts as justification for far extremism. For example, Aryan nations promote the idea of racial superiority through the lens of sacred text.  The group states; “God’s creation of Adam marked the placing of the White Race upon this earth. Not all races descend from Adam. Adam is the father of the White Race only… We believe that the true, literal children of the Bible are the twelve tribes of Israel, now scattered throughout the world and now known as the Anglo-Saxon, Germanic, Teutonic, Scandinavian, Celtic peoples.”
Investigative journalist David Neiwert, whose book, Alt-America: The Rise of the Radical Right, says that the ideology of the alt-right is mostly similar to those propagated by the Ku Klux Klan of the past, but agrees with Main that the new radical right-wing groups have benefited from the internet and social media.


American far-right extremists borrow heavily from the French right-wing academics. There are plenty of commonalities between American and European extremists; rejection of egalitarianism, democracy, and human equality.


Professor Main claims that “this new strain of reactionary thought goes beyond the garden-variety racial prejudice of yore – which certainly was bad enough – to a root-and-branch rejection of American political principles. The alt-right is a form of radical Gnosticism as fundamental in its rejection of the American democratic tradition as the Communist Party line of the 1930s and the most fevered effusions of New Left radicalism of the 1960s were.”

Arie Perliger, Associate Professor at the Department of Social Sciences, U.S. Military Academy at West Point has a different perspective. In his publication Challengers from the Sidelines: Understanding America’s Violent Far-Right, he concludes that “ideology and behavior are linked and nurture each other in the organizational frameworks of the American violent far right.”
From a theoretical perspective, this constitutes a further indication of the perception among some parts of the academic community that terrorism is an instrument of symbolic discourse which is shared by violent groups and their adversaries.


This article was published in Hilal Magazine

Articles Featured
Who is responsible for public cloud security?
November 26, 2018
0
, , , ,

I had an interesting conversation with a Cloud Architect of a global enterprise who was adamant that data in the public cloud is secured by the cloud provider. He rightly pointed that Amazon, Microsoft, and Google, have security capabilities and practices in place for protecting the availability and integrity of the services they offer.

Agreed!

I asked who is responsible for protecting the confidentiality of data as well as the availability and integrity of applications? Our conversation led to following threats: Data breaches, inadequately secured APIs, insufficient identity, credential, and access management, shared technology vulnerabilities, denial of service (DoS), malicious insiders among others. Integration among different public clouds is difficult.

Public cloud security doesn’t end with the cloud provider

The ever-expanding corporate attack surface reduces visibility into threats and vulnerabilities for both the IT team and its internal customers. And lack of integration leads to an unnecessarily large number of manual workflows, which presents resource challenges for security teams facing tight budgets and staffing. In addition, sharing of threat intelligence among solutions cannot be automated, so proactive risk management may be nearly impossible.

To overcome these challenges, the security (cloud) architects need a cloud-centric mindset and the help of cloud security technologies that integrate tightly and automate as many processes as possible.

Making a secure transition to the public cloud

Common problems when security of cloud-based applications is mismanaged include unsecured directories, deployment of insecure non-production applications in the same security environment as a production server, failure to patch known vulnerabilities, and miss-configured firewalls.

End-user credentialing and passwords also continue to cause headaches for security teams. Some employees use the same credentials for an assortment of applications. They may use the same password for critical internal applications, such as finance systems, for the software they access in the public cloud. This security practice means that if the public cloud is breached, the company would be vulnerable to direct attacks of internal systems or indirect attacks using social engineering. A recent study finds that 81% of hacking-related data breaches leveraged passwords that were either weak, stolen, or simply the software’s default.

Unlike providers of public cloud infrastructure, SaaS providers are responsible for securing both the application and infrastructure. Still, content permissions are the responsibility of application users.

But this approach can open up the organization to new vulnerabilities. Line-of-business employees may set overly permissive read privileges and give the wrong people access to sensitive information. Dow Jones, as an example, lost millions of customer records last year due to poor permission management in the public cloud.17 Similarly, business users might fail to properly lock down write privileges, which can open the door to hackers changing corporate files.

How to manage cloud security when providers and customers share responsibility

Customers who run applications on Infrastructure-as-a-Service (IaaS) platforms are also taking on significant security responsibilities. While IaaS providers are responsible for keeping cloud services running, the customer is fully responsible for security of the operating systems and software running on the platform. This requires attention not only to upfront security settings, but also to ongoing patching and updates.

Articles Featured
Cyber Security: How America Prepared for Midterm Elections
November 22, 2018
0
, , , ,

Undoubtedly there are risks we take when we entrust our democracy to a system so essential to preserving our most basic rights and freedoms. The United States of America, as well as its encompassing state and local governments, have made election security a top priority given the ongoing efforts by foreign players to impact U.S. elections. Election systems in many jurisdictions face a significant risk of compromise because of inadequate funding for cybersecurity. Federal funding of $380 billion from the Help America Vote Act (HAVA) fills a portion of that gap, but state and local governments need to be strategic in how they manage this budget.

Secure voting requires reliable processes and secure frameworks that cut across the entire system. Cybersecurity in elections call for precise technical recommendations with robust risk-mitigation plans to guarantee safety.

Since August 2016, the strain on the electoral system has dramatically increased due to a series of cybersecurity related concerns. Foreign interference of midterm elections from external parties has become a reality.

The election system comprises voter registration databases, vote casting, and tallying among other crucial aspects of any election. Both internal and public communications are also essential. All these systems need a great deal of integrity. No element should be compromised and thus the need arises for proper security procedures to address outlined security breaches to any of the arrangements. Election integrity is at stake here. Challenges were evident in the 2016 election cycle, especially from the communications aspect. Information sharing proved critical even though no votes seemed to have been altered in 2016.

There is a consensus that the digital attack surface is larger than ever before, and is growing on an industrial scale. The complexity of managing security is difficult and becoming more challenging. Advanced threats continue to evolve and are harder to combat. But the responsibility of protecting democracy does not squarely rest on the government’s shoulder. “Social platforms have a responsibility to address misinformation as a systemic problem, instead of reacting to case after case,” writes The New York Times’ (NYT) editorial board.

“At this stage of the internet’s evolution,” writes NYT editorial board “content moderation can no longer be reduced to individual postings viewed in isolation and out of context. The problem is systemic, currently manifested in the form of coordinated campaigns both foreign and homegrown. While Facebook and Twitter have been making strides toward proactively staving off dubious influence campaigns, a tired old pattern is re-emerging — journalists and researchers find a problem, the platform reacts and the whole cycle begins anew. The merry-go-round spins yet again.”

Secretaries of State throughout United States, close to 40 of serving in the capacity of the state’s chief election officials, are on the forefront of safeguarding the entire election process and more specifically, the election platforms which can be compromised to alter the outcome of the elections. They have recruited information technology teams to design robust frameworks to help them address the information security concerns. Other sectors have also been brought in, among them the National Guard, private-sector security companies, universities, and even the federal government. However, the team that seems to be the strongest and more likely to bring in a more significant input is the Department of Homeland Security (DHS).

The decentralized system seems to be working, at least for now. It is the biggest protection of the American democracy. The best part is the fact that designation remains in place, thus allowing state and local election officials to work towards achieving an effective election. This will only be achieved through a seamless system of election. The best move is the fact that the local government has developed a more productive relationship with the DHS. This is a leap forward because the challenges of election security can be faced through a combined effort.

The standout aspect which renders the United States readier than ever is the immense support that they are bringing in the cybersecurity domain. There is a dire need for a comprehensive assessment of all the physical services that are going to be used during the elections. Information sharing is another building block of a midterm election, implying the need for robust frameworks, reliable platforms, and secure media which would translate to a credible election process. Other issues which can be tackled more effectively as a result of this relationship is the education aspect. Education opportunities ensure that those in charge have hands-on skills in minimizing chances of election tampering rendering it resilient to interference. From the education aspect, staff and all the key officials need to be enlightened on the need to have a secure system, for example, the fact that they do not have to share critical access codes to such systems.

One other significant recommendation is a proper preparation process of bringing in the Government Coordination Council (GCC), who make up one of the most essential stakeholders. They are concerned with information sharing, more specifically election data which determines the outcome of the election. They have the necessary expertise to secure the information infrastructure which would be used in the analysis and sharing of election data. The fact that they involved 50 states with over 1,000 local election offices as members creates a common hub that enhances the ability to share information among the election officials, increasing the data breach risk. However, such a risk can be mitigated with the presence of GCC which has hands-on experience on data security.

Allowing free flow of information among election officials on a secure, common platform eases the risk management practices. This is the best recommendation which would translate to a secure election framework cutting through all the processes. Such a recommendation can easily be amplified across the local regions. Having learned from the 2016 election cycle the need to be vigilant concerning threats that affect election infrastructure, elections’ risks are now well analyzed with proper mitigation plans. These plans enhance security, provide comprehensive training of election officials, and prioritize updated systems.

Having federal partners, those in the private sector and the state as parties in the election process ensure that there are strong cyber practices to counter information security threats. Other critical recommendations encompass comprehensive threats analysis which would eventually aid in coming up with water-tight risk management plans. Security has been given top priority, and elections are now taken seriously. Necessary information security defence mechanisms have to be put to practice. All these steps have covered the critical issues just as highlighted in the article. Advanced election systems with secure processes are mandatory and should be employed in the process of delivering credible midterm elections in the United States.

Election security is crucial to a functional democracy, and local elections administrators have a difficult and important job in ensuring that elections run smoothly and their results are reliable.  A comprehensive approach to network security that covers a jurisdiction’s entire infrastructure — from the data centre to multiple clouds, from voting machines to voter registration databases – is in place but requires constant updating.

With clear visibility and centralized control, administrators can avoid manual security processes and stop advanced threats before they cause a threat to democracy.


This article was first published in Hilal Monthly here


Articles Featured
Think about the United Nations!
October 18, 2018
0

If you are like the majority of my friends, you would have imagined UN Peacekeeping – Blue helmets, tanks, soldiers with their guns or refugee camps.

But if you were to ask Liberians like Sahr Sundu and Musa Karnley, you will get a different answer.

Liberia the first independent African Republic (established in 1847) has suffered two civil wars that claimed over 250,000 lives and ruined the social, cultural and economic structure. The UN Mission in

Liberia, or UNMIL, was deployed in October 2003. The Mission’s 14-plus years of operation was a success story. Relative peace and order were restored; however, the economy was in dire straits. The UN mission had a limited budget, and the iron-clad scope was restricting its activities. Staying within the mandate, UNMIL troops conducted several quick-impact projects (QIPs) to alleviate the suffering of the population.

The Pakistani Battalion in Liberia led a quick-impact project (QIP) to teach much-needed skills like how to repair electrical appliances, generators, and other equipment. The primary motivation of this project was to prevent internal-displacement and migration – if people in Tubmanburg got proper training they would not have to run to Monrovia (the capital).

“The Story of UNMIL,” a recent United Nations book cites an encounter of a UN observer with two Liberians who attended the training nine years ago:

“Mr. Sahr now owns God’s Time is the Best Workshop, which he says is the best in Tubmanburg and built most of the doors and windows in the town. He had been trained as a welder/ technician by the Pakistani engineers. He said that the training had helped him, his family and the immediate community.”

“Musa Karnley was also trained by the Pakistanis as a welder and a generator technician and is currently the manager of Nakar Garage in Tubmanburg, specializing in generator repair and welding. He said that the training gave him the knowledge and technical skills to do repairs, and had given him an edge over the competition, especially in getting new jobs. His income increased tremendously, he said.”

The United Nations Mission in Liberia (UNMIL) has come to a conclusion, mostly thanks to the Troop Contributing Countries. Pakistan’s two battalions went home leaving behind millions of happy Liberians.

Last year, Major General Saihu Zaway Uba, Force Commander of UNMIL expressed concern with the drawdown of the mission. He told the Security Council that his Mission’s 14-year presence had been reduced to just 434 troops on the ground and was expected to be fully liquidated in June 2018. He recommended “clear and flexible” planning considerations in the transition phase, and a graduated approach to drawdown, among other measures.

The UN Operation in Côte d’Ivoire (UNOCI) completed its mandate last year after more than thirteen years. In general, a drawdown of the troops is a good thing. However, if not done correctly, the risk of chaos and civil war looms high. A staggered drawdown of troops coupled with capacity building of local law enforcement mitigates the risk of a relapse into violence.

The UN Peacekeeping has been under significant pressure. The 2018/19 budget for thirteen peacekeeping operations and overhaul of secretariat management structure is $6.69 Billion. Down from approximately $7.5 Billion a year ago.

Historically, the United States has been a generous donor to the Peacekeeping operations. But the Trump administration introduced drastic cuts to the Contributions for International Peacekeeping Activities (CIPA) in 2019, budget slashing over $710 million for CIPA account, which includes UN Peacekeeping funding. CIPA dropped from $1.908 billion to $1.196 billion – a 37 percent cut from FY’17 enacted levels.

Trump administrations critics claim this move is unwise. The US Government Accountability Office (GAO) agrees. A recent GAO report states that supporting UN Peacekeeping operations is eight times cheaper than the U.S. going it alone.

Better World Campaign President Peter Yeo in a statement said: “supporting the UN is both in our (US) national security interests and a good deal for American taxpayers.”

Peacekeeping Organization has also been under tremendous scrutiny to show an outcome leading to management reforms.  After much debate among member nations, the Organization announced two new departments focused on political and peacebuilding affairs and four stand-alone divisions for Africa to “streamline the Organization’s operations.”

In recent years, the United Nations has been prioritizing African TCCs because of the lower cost of logistics. That doesn’t come without risk. Some recently added TCCs do not have the experience, mindset, training or equipment required to carry out the Peacekeeping charter.

Last December, fourteen UN peacekeepers were killed in the Democratic Republic of Congo. The peacekeeping officers were all Tanzanian. A month later, in January 2018, a Pakistani soldier lost his life in an ambush. Our peacekeepers immediately responded with appropriate force killing 11 members of attacking militia.

Since 1960, Pakistan has contributed troops in 46 Peacekeeping missions in 28 countries. In the last ten years, Pakistan has ranked number one among Troop Contributing Countries. Pakistan’s contribution has dropped this year following drawdowns of two battalions from Darfur and one from Congo. UN’s emphasis on recruiting African TCCs has also impacted Pakistan’s ranking.

Dr Maleeha Lodhi, Permanent Representative of Pakistan to United Nations reminds this scribe:

“For over five decades, Pakistan has been a leader in UN peacekeeping, both as a troop contributing country and as an important voice in normative and reform processes at the UN in this area. Pakistan is proud to have contributed to the success of several UN peacekeeping missions. Its role in this critical UN enterprise is one reflection of Pakistan’s commitment to upholding and preserving international peace and stability.”

There is a recognition at the UN headquarters that Pakistani troops are highly experienced in peacekeeping, well equipped and well poised. Sierra Leone’s Military Adviser Col Albert Jusu, in an encounter with his Pakistani counterpart, expressed gratitude saying: “We have left Pakistan’s flag on the schools that you guys built so that we always remember how Pakistan helped us rebuild our country. Pakistani soldiers have the kind of mindset that is needed to stabilize and rebuild.

Besides building schools and bridges, Pakistanis have also delivered healthcare. Major-General Salihu Zaway Uba, UNMIL Force Commander, told the Security Council: “The Pakistani Medical Unit has been providing medical level 2 services to all of the UN personnel and ensuring the stable health of UNMIL personnel.”

Living in New York, one of the most diverse cities in the world, I often run into Africans. Many of them know Pakistan because of its contribution to the peacekeeping mission.

The expertise Pakistan has gained serving in these missions culminated in the Centre for International Peace and Stability (CIPS) at the National University of Science and Technology (NUST). Secretary-General Ban Ki-Moon inaugurated CIPS in 2013. Recently Under-Secretary-General of Peacekeeping Operations, Jean Pierre Lacroix visited CIPS to pay tribute to sacrifices of Pakistani peacekeepers.

Pakistan is now at a point where it can train resources of other TCCs to replicate the success of Liberia, Darfur, Côte d’Ivoire, and Congo.

I know the lives of 156 Pakistani peacekeepers are not gone in vain because today, as a Sudanese friend tells me: “Pakistan knows Africa and Africans know Pakistan.”

This article was published by Hilal Magazine.

Articles Featured
Did LifeLock Security Bug Put you at Risk?
July 26, 2018
0
, , ,

https://krebsonsecurity.com/2018/07/lifelock-bug-exposed-millions-of-customer-email-addresses/

LifeLock, the identity theft protection company, has put millions of customer emails at risk for phishing and identity theft attacks, thanks to a bug on its website.

The bug enabled customer email addresses to be harvested by simply changing one number in the URL of a web page used by customers to unsubscribe from LifeLock communications.

It’s important to note that this is not a breach, but it is a vulnerability to pay attention to since ID thieves can use email addresses to steal other personal info.

How Symantec Resolved the Issue Involving the LifeLock Marketing Opt-Out Page

LifeLock claims:

Responsible stewardship of critical data is our central mission, and we take these matters very seriously. The issue was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. The issue was not with our main member portal or any other pages on LifeLock.com besides the marketing opt-out page.

Here is what you should do:

  1. Be skeptical of email communications urging you to take immediate action or claiming that they are privacy policy updates.
  2. Do not click on any suspicious-looking links in those messages and instead forward any suspicious email to the company itself. Call the company directly to confirm whether any such messaging is actually from them.
  3. Do not enter any personal info or credentials via links in emails. If you need to make updates, go directly to the company’s website to do so.

LifeLock monitors identity-related events, such as new account openings and credit-related applications. The company offers a $1 Million Service Guarantee. 

In late 2016, Symantec bought Lifelock for $2.3 billion. Shares of Symantec were up 0.4% at $20.77 on Thursday.

Articles Featured
Data Brokers Detest California’s Privacy Law
July 12, 2018
0
, , , ,

California’s consumer privacy law is expected to have a significant impact on companies that deal in personal data — and especially those operating in the digital space. The California Consumer Privacy Act, A.B. 375, affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected.

The law stipulates that consumers have the right to request the deletion of their personal information, opt out of the sale of personal information, and access the personal information in a “readily useable format” that enables its transfer to third parties without hindrance.

The law’s requirements could threaten established business models far beyond California and throughout the digital sector.

Much of the political impetus behind the law’s passage came from some major privacy scandals that have come to light in recent months, including the Cambridge Analytica incident involving Facebook user data. This and other news drove public support for a privacy ballot initiative that would have instituted an even stricter data protection regime on companies that deal in consumer data if the state’s residents voted to pass it in November. But after intense negotiation, especially from leading internet companies and internet service providers, the backers of the ballot initiative agreed to drop the initiative and instead support the passage of the law.

https://hbr.org/2018/07/what-you-need-to-know-about-californias-new-data-privacy-law

Data Privacy: California Leads the Way

The bill gives consumers the right to have their personal data deleted; the right to know the commercial purpose for collecting their data; and the categories of sources from which the data are collected. It also prohibits a business from selling the personal data of anybody under the age of 16 unless that child agrees.

The bill gives companies the ability to offer discounts to customers who allow their data to be sold and charge those who opt out a reasonable amount based on how much the company makes selling the information.

Lawmakers say they will likely make alterations to improve the policy before it takes effect. Some privacy advocates are worried that lobbyists for business and technology groups will use that time to water it down.

TechNet, a technology lobbying group, urged lawmakers to improve the law before it takes effect “so it provides meaningful privacy protections for Californians while also allowing all the benefits and opportunities consumers expect from U.S. technology to continue.”

Policymakers around the country looking at what California has done on this issue should understand that the California Legislature’s work is far from finished and that this law remains a work in progress.

The California law is not as expansive as Europe’s General Data Protection Regulation, or G.D.P.R., a new set of laws restricting how tech companies collect, store and use personal data.

Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to a committee opposing the proposed ballot measure, and lobbyists had estimated that businesses would spend $100 million to campaign against it before the November election.