Saturday, August 31, 2013

More on private encryption keys; are fears of a cyberwar from Syria ovetblown?

Electronic Frontier Foundation has an important statement about service provider private encryption keys, link here

An important subset of this discussion is Perfect Forward Security (PFS). That facility prevents “retrospective” attacks that might even get through https. EFF is mainly concerned about this possibility from government snooping itself, the NSA.

There is discussion today about whether the US infrastructure could come under cyberattack from the Syrian or Iranian forces, particularly if the Obama administration launches air strikes against chemical weapons sites. 
A deliberate attack could make financial processing as we know it now very difficult.

As for the power grid, military systems, or other critical infrastructure systems (like oil pipelines), I would wonder why it is even possible, from the point of view of topology or graph theory, to reach a power grid computer (especially at a nuclear power plant) from my own computer that I type on.  I don’t think it should be (nor should this be possible from a computer in Tehran, Damascus, or Moscow).   But if I can log on to Dominion Power during a storm when the power is out (through wireless cellphone) and look at the status of my outage, there may exist such a direct connection.  Nobody has explained this yet. 

I thought that the Stuxnet virus was implemented through a flash drive.  Of course, utilities and all other infrastructure have to use security with respect to other “objects” brought into the workplace to be loaded onto their systems.  To that end, telecommuting or use of employee owned laptops (I owned most of what I connected to work with from home during my career) becomes a security issue.  Two-step verification is predicated on a level of physical world security.

Jordan Robertson talks to Bloomberg News about what a cyber war could be like. 

Robertson also says that the domain name attack on the New York Times could have been prevented by a “registry lock”, which Twitter had.

No comments: