China Telecom has been using poisoned internet routes to suck up massive amounts of US and Canadian internet traffic

China Telecom has been using poisoned internet routes to suck up massive amounts of US and Canadian internet traffic:

In a new paper published in the journal Military Cyber Affairs researchers from the US Naval War College and Tel Aviv University document the use of BGP spoofing by China Telecom to redirect massive swathes of internet traffic through the company’s routers as part of state military and commercial espionage efforts.
BGP is a notoriously insecure protocol used to route internet traffic; by design it is dynamic and responsive, moving traffic away from congested routes and onto those with more capacity: this flexibility can be exploited to force traffic to route through surveillance chokepoints, as well as for censorship (publishing BGP routes to censored services that dead-end in nonexistent addresses is a common technique in repressive regimes).
The researchers logged global BGP route announcements and discovered China Telecom publishing bogus routes that sucked up massive amounts of Canadian and US traffic and pushed it through Chinese listening posts. Much of today’s internet traffic is still unencrypted, meaning that the entities monitoring these listening posts would have been able to read massive amounts of emails, instant messages and web-sessions.
China Telecom’s BGP attacks were also used to black-hole traffic in some instances (for example, traffic from an “Anglo-American bank’s” branch in Milan was diverted wholesale to China, never arriving at its intended destination).

(Via Boing Boing)
Back in my network manager days we monitored our BGP routes. We had our own ASNs and managed our own connectivity, so we could easily keep tabs when an errant telco would make a mistake. That solution, which I think was a perl script run in each of our regions, would have detected this kind of maliciousness as well.
However, in the current XaaS and cloud-based world we live in, it becomes incumbent upon the cloud and service providers as well as the few remaining Internet backbone providers to police this. How effective they will be is debatable. What punishment would work? No one in their right mind will stop peering with CT.
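The route monitoring described above, as an added illustration in Python rather than the blog author's perl script or the paper's data: it flags announcements in which a prefix you originate, or a more-specific slice of it, shows up with the wrong origin AS, and also the harder case where the origin AS is kept but the path in front of it is forged, which an origin-only check misses. All prefixes, ASNs and announcements are constructed sample values.

```python
"""Added example (not the paper's or the blog's own tooling): a minimal monitor
for prefixes you originate, run over collected BGP announcements. All ASNs,
prefixes and announcements are constructed sample values, not real data."""
import ipaddress

# Prefixes we originate, mapped to the ASN expected as origin (last AS in AS_PATH).
MONITORED = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/23": 64500,
}
# ASNs directly upstream of our origin AS; in any valid path the AS next to
# the origin must be one of these. Constructed values.
UPSTREAMS = {64510}

# Constructed announcements as a route collector would record them:
# (prefix, AS_PATH listed from the collector's peer down to the origin).
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64511, 64510, 64500]),  # legitimate
    ("198.51.100.0/23", [64510, 64500]),        # legitimate
    ("198.51.100.0/24", [64511, 64499]),        # more-specific hijack
    ("203.0.113.0/24", [64512, 64499]),         # origin hijack
    ("203.0.113.0/24", [64512, 64499, 64500]),  # origin kept, forged path
    ("192.0.2.0/24", [64513, 64520]),           # not ours, ignored
]

def classify(prefix, as_path, monitored=MONITORED, upstreams=UPSTREAMS):
    """Return an alert string for a suspicious announcement, or None."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for ours, expected in monitored.items():
        ours_net = ipaddress.ip_network(ours)
        if net == ours_net or net.subnet_of(ours_net):
            kind = "EXACT" if net == ours_net else "MORE-SPECIFIC"
            if origin != expected:
                return f"{kind}-ORIGIN-HIJACK {prefix} originated by AS{origin}, expected AS{expected}"
            # Origin is ours, but an attacker can keep it and splice a forged
            # path in front; check that the origin's neighbour is a real upstream.
            if len(as_path) >= 2 and as_path[-2] not in upstreams:
                return f"PATH-ANOMALY {prefix} via AS{as_path[-2]} next to AS{origin}"
            return None
    return None  # prefix is not one we monitor

def scan(announcements, monitored=MONITORED, upstreams=UPSTREAMS):
    """Run classify over every announcement and collect the alerts."""
    alerts = []
    for prefix, path in announcements:
        alert = classify(prefix, path, monitored, upstreams)
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in scan(ANNOUNCEMENTS):
        print(alert)
```

The origin checks are what RPKI route origin validation automates at the router; the path check is why operators still compare paths against their known upstreams.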

For the first time Japanese commission ordered Facebook to improve security

For the first time Japanese commission ordered Facebook to improve security:

The Japanese government ordered Facebook to improve the protection of users’ personal information following the recent data breaches that exposed data from millions of people.

… On Monday, Japan’s Personal Information Protection Commission ordered a further investigation of the data breach and asked the company to implement preventive security measures.
This is the first time that the commission has issued warnings to the social network giant after it has conducted an investigation along with British authorities.
According to government spokesman Yoshihide Suga, Facebook told Japanese authorities that the recent data breach also included Japanese users.
The commission also ordered the company to improve communication with users by being more transparent about the way it manages their data and by promptly responding to requests to delete accounts.
… “It is the first time that the commission, which investigated the data leak with British authorities, has issued warnings to Facebook,” an official told AFP.
Facebook added on its website that it is committed to “promptly inform users if the platform was inappropriately used and cooperate with the commission and other countries’ regulators”.
Pierluigi Paganini
(Security Affairs – social network, cybersecurity)

(Via Security Affairs)
I wonder if this will translate into actual change.

The fix for IT supply chain attacks

The fix for IT supply chain attacks:

As I’ve written previously, I’m very skeptical of Bloomberg’s report about the Chinese placing hardware spy chips on server motherboards used by U.S. companies. China is actively spying on U.S. businesses all the time, I believe, and has already stolen most of the intellectual property secrets they are interested in. The Chinese are on their way to becoming the world’s leading economic power, and manufacturing computer chips is a big part of that equation. I don’t think they would jeopardize that business so blatantly.
If any good is to come out of the Bloomberg article, it is bringing the problem of the supply chain to the forefront. If nearly every computer device and chip is made by potential adversaries, how can you ever be assured that what you are buying doesn’t have intentional bugs or even spying chips?
The supply chain is the aggregation of all entities that provide the products and services needed for other entities to provide their products and services to their customers. Theoretically, any entity can knowingly or unknowingly introduce insecurity that impacts the final product. This is the exact issue that the Bloomberg authors and their anonymous sources allude to: that a spy chip can be placed on motherboards that eventually get placed into servers used by foreign companies.

IT supply chain risk has always existed

This is not a new issue. …

Keeping the supply chain status quo is not an option

So, one solution is no solution: Keep things as-is. As far as we know, incidents of nations using supply-chain malicious inducements are rare. If a nation-state compromised the supply chain too routinely, none of the other nations would buy its chips. It would be a self-solving solution. We’ve made it so far, so good, using this “strategy.”

When do you use a detect-and-regulate supply chain strategy?

… Well, for one, the military already has programs to prevent supply chain issues for its most critical infrastructure. Many levels of the U.S. government have programs that look for malicious supply chain issues. That’s precisely why I don’t believe that we have a widespread issue of Chinese spying chips all over the U.S.
The question is at what level of the supply chain do we start requiring stricter oversight and monitoring? …
The opposite school of thought to the “keep the status quo” argument is that we need to check all computer devices for spying hardware, software and firmware. This can be done by government or industry groups (like the Underwriter’s Laboratories [UL] or Consumer Reports). The problem is that all governments want to spy on people — its own people, and those in other countries. Asking the government to make sure everything is secure and not spying is asking for the fox to guard the henhouse. At the same time, I’m not sure we can do what needs to be done without governmental involvement.

The supply chain security solution needs to be global

… Every nation needs a nationally created and funded regulatory group that can look for supply chain issues but isn’t directly governed by the government. It’s not perfect. It’s like asking the foxes to pay for the shepherds who protect the henhouse, but I don’t see any other realistic way for a supply chain security solution to actually work. Or we can keep the status quo and hope for the best.

(Via CSO Online)
I agree with the article in large part. I disagree that government action and international agreements are the way to address supply chain risks. It is vulnerable in a multitude of ways independent of hardware hacking like the Bloomberg report claims. Compromising hardware not only requires physical access but its own reliance on a supply chain.
I tend toward industry and market forces addressing all aspects of supply chain insecurity. Redundancy, resiliency, supplier diversity, quality assurance, and monitoring are best done by those with the most at risk. Governments are too mercurial, international agreements and treaties often are not worth the paper they are printed on, and special interests can introduce new risks into the equation through self interest and a lack of vision.


Japanese TV is too delightful. I am close to buckling. How crazy is it to get a set two years in?

Pentagon Defense Department travel records data breach

Pentagon – Defense Department travel records suffered a data breach that compromised the PI and credit card data of U.S. military and civilian personnel.
Twenty-some-odd years ago I worked on a proposal team to win this very contract. As a security practitioner in the 90s, the level of security that the DoD wanted was refreshing. This was the first example of a potential client understanding the risk of metadata – that someone could potentially deduce what the DoD planned by watching non-military travel records without necessarily having access to the detail.
No one was thinking specifically about payment or personal information. It was probably assumed that other threat scenarios would cover this data, but my recollection is hazy at best.
By the way, my employer and deal partners did not win the contract.

Pantsdrunk, the Finnish Art of Relaxation

You’ve likely heard of hygge, the Danish word for a special feeling of coziness that’s been productized on Instagram and elsewhere to within an inch of its charming life. The Finns have a slightly different take on the good life called kalsarikännit, which roughly translates to “pantsdrunk” in English. A promotional site from the Finnish government defines it as “the feeling when you are going to get drunk home alone in your underwear — with no intention of going out”. They made the emoji above to illustrate pantsdrunkenness.
Finnish journalist Miska Rantanen has written a book on kalsarikännit called Päntsdrunk (Kalsarikänni): The Finnish Path to Relaxation.
When it comes to happiness rankings, Finland always scores near the top. Many Finnish phenomena set the bar high: the best education system, gender equality, a flourishing welfare state, sisu or bull-headed pluck. Behind all of these accomplishments lies a Finnish ability to stay calm, healthy and content in a riptide of endless tasks and temptations. The ability comes from the practice of “kalsarikanni” translated as pantsdrunk.
Peel off your clothes down to your underwear. Place savory or sweet snacks within reach alongside your bed or sofa. Make sure your television remote control is nearby along with any and all devices to access social media. Open your preferred alcohol. Your journey toward inner strength, higher quality of life, and peace of mind has begun.
Kalsarikännit isn’t as photogenic as hygge but there is some evidence of it on Instagram. As Rantanen explains, this lack of performance is part of the point:
“Pantsdrunk” doesn’t demand that you deny yourself the little things that make you happy or that you spend a fortune on Instagrammable Scandi furniture and load your house with more altar candles than a Catholic church. Affordability is its hallmark, offering a realistic remedy to everyday stress. Which is why this lifestyle choice is the antithesis of posing and pretence: one does not post atmospheric images on Instagram whilst pantsdrunk. Pantsdrunk is real. It’s about letting go and being yourself, no affectation and no performance.
I have been off alcohol lately, but kalsarikännit is usually one of my favorite forms of relaxation, particularly after a hard week.

Leave it to the Scandinavians to coin this phrase.
I wonder if there’s a Japanese analog …

National Park Service on the verge of blocking most White House protests: comments due by MONDAY! / Boing Boing

Monday is the end of the comment period for a sweeping National Park Service proposal that will have a dramatic effect on the ability of Americans to protest in sight of their government.
Under the proposed new rules, protests around the White House and the National Mall would require permits, and protestors would be barred from the sidewalk north of the White House. The proposal also seeks public comment on charging protesters fees for permits to gather.
You can and should comment.

I submitted my comment. It took about 5 minutes.
We should all vote, and we should provide candid feedback to government about things like this proposed rule change.
I don’t know or care about your politics. If your party or politicians you agree with are in power, just remember that someday they won’t be. Anyone trying to take your freedoms away should be a red flag to all.

Do Not Eat Here: Fatburger in Tokyo!

America’s Fatburger is now available in Japan! They are famous for their patties that are roughly double the size of ordinary Japanese burgers.

This news saddens me deeply.
No one I know in the US would describe Fatburger’s food as fresh. Authentic? I have no metric. Tasty is a personal thing, but for me this is not. Well, more accurately, it can be tasty while eating it. It’s about 15 minutes after that you probably will realize that you’ve made a huge mistake.
Japan, and Tokyo specifically, has so many better local hamburger options than gorging on this supersized cholesterol bomb.