With the previous posts, I presented on a high level how fake news could be mitigated. However, there will always be some news that passes the filters, always some bully that has the technical skills to get through. The mitigation for that is a reporting system. The architecture contains an automatic reporting component using text analysis to identify death threats, violence etc. that are punishable by law. With a fully authenticated user we can, in real time, collect as much information as is needed for the police to be able to start an investigation. This makes it possible for a user that receives such a comment to quickly report it to the authorities.

When it comes to fake news, this is most often not illegal but should still be reported. Let's say that a major newspaper starts to report articles from Natural News, a well-known source of fake news within alternative health care, or Granskning Sverige, which has been exposed to be one of the largest troll factories geared at undermining Sweden. Most of them post under anonymous accounts and with few possibilities to follow up on their articles. With authenticated users, I could disallow such articles from appearing in my flow, and if they did appear I could easily send a notice to the publisher that this article by this user is possibly fake.

One of the core concepts of this architecture is the management of who is allowed to comment and who is not. Normally you put that in the hands of an administrator or allow anyone to comment, but that opens up for trolls and bullies. What we need is the possibility for the single individual to decide if anonymous or identified persons should be allowed to comment. This will be implemented with a component that, before the website or social media system allows a comment, checks if the user wanting to comment is authenticated. If so, comments will be allowed. The writer will have the power to allow or disallow anonymous comments.

The simple scenario here is a child being abused by cyber bullies. By not allowing comments from unauthenticated users no comments will be allowed. This could be extended to disallowing comments on posts where the person has been tagged.

The other scenario that is applicable to this is of course fake news. One way to disallow fake news in your media flow is to only allow news that is from a legitimate source. This could be traced back to the source. If that is written by an anonymous user then it should not be possible to make it legitimate by reporting it under an authenticated account.
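The comment gate and the trace-back-to-source rule described above, sketched as an added example (not code from the author's architecture). The names `Identity`, `Item`, `may_comment` and `is_legitimate`, the `VETTED_ISSUERS` set, and letting tagged persons' own choices count in the gate are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: identity providers whose enrolment process has been vetted.
VETTED_ISSUERS = frozenset({"bankid"})


@dataclass(frozen=True)
class Identity:
    subject: str
    issuer: str   # provider that asserted the identity
    mfa: bool     # multi-factor authentication was used


def is_verified(identity: Optional[Identity]) -> bool:
    """None models an anonymous user; unvetted issuers count as unverified."""
    return (identity is not None
            and identity.issuer in VETTED_ISSUERS
            and identity.mfa)


@dataclass
class Item:
    author: Optional[Identity]
    source: Optional["Item"] = None   # item this one reposts or reports, if any
    tagged: tuple = ()                # subjects tagged in the item


def may_comment(post: Item, commenter: Optional[Identity],
                allows_anonymous: dict) -> bool:
    """allows_anonymous maps subject -> that person's own choice (default: no)."""
    if is_verified(commenter):
        return True
    # The writer and every tagged person must have opted in to anonymous comments.
    people = list(post.tagged)
    if post.author is not None:
        people.append(post.author.subject)
    return all(allows_anonymous.get(p, False) for p in people)


def is_legitimate(item: Item) -> bool:
    """Every hop back to the original source must have a verified author."""
    seen = set()
    node = item
    while node is not None:
        if id(node) in seen or not is_verified(node.author):
            return False   # cycle, anonymous author or unvetted identity
        seen.add(id(node))
        node = node.source
    return True
```

Because `is_legitimate` walks the whole `source` chain, an anonymous original stays illegitimate no matter how many verified accounts repost it.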

A challenge to manage is the identity repository. Everyone has an agenda. It's as easy as that. That creates a problem of whom to trust. But as the solution is built on putting the power in the hands of the receiver, the problem of owning the repository is a bit smaller.

The central repository is actually just an identity administration point using a federation service where other identity repositories could connect. BankID would be one but any corporation or organisation could connect, as long as the identity process is vetted. Facebook would for example not be allowed as the identity is not vetted.

When it comes to fake news the common denominator is either a false identity or anonymous identity. To enable a solution for this you need to have a verified identity. No matter how you spell it, if you are going to lie and face the risk of being identified as a liar, you will stand down.

An added feature, that I will describe later, is an integration with law enforcement. With a strong identity it will be possible to send law enforcement the information they need for conducting an investigation.

The verified identity should be as strong as any e-identity that is approved by government. In Sweden, we use BankID. At least it should be a vetted identity using multi-factor authentication.

Over the last two years, fake news has arisen as a problem in my world. Not only is it a problem within security but it is also a problem in many other areas like health (anti-vaccine movement), political (US election) and food (anti-GMO) to name a few. Common for everyone is that they either write under fake or anonymous accounts or build their case on unverified (often fraudulent) sources.

The common problem is that we have freedom to express whatever we want on the internet anonymously. I'm all for that as there are many cases where freedom of speech is very important and we should guard that.

So, I started to do some thinking how to solve this problem and have come up with an architecture for this: Fake news mitigation architecture.

This architecture contains a number of components:
1. Verified strong identity
2. Identity repository
3. Control who is allowed to comment or send you information
4. Automatic reporting of incidents

My following posts will dive deeper into each component.

None of you raises an eyebrow when I say that I work at Sogeti and, like all other consulting firms, together with my clients we struggle with finding the right people. Finding junior staff is rather easy, keeping them a bit more challenging, as it should be. But the senior people, like me, are harder to move into the organisation. I got a question last night from another company about how we managed to snatch a very senior consultant from them. Salary-wise we were on par with them, together with everything else like bonus, freebies etc.

So what do we have to offer that gave us the upper hand this time? I would love to say that it's my winning personality but, alas, it was in spite of that. 😉 We offer a different way of working with our Security Office. Security Office is a new way of delivering security. Yes, it's an outsourced security department but it's even more than that. It gives senior consultants time to work with the hard and complex stuff while giving the junior consultants challenges, all packaged in a way that makes it a competitive offer compared to all other companies.
We also offer a lot of education and courses together with our partners meaning that the challenge is finding time rather than the cost of training.

I'm actually a bit proud to see that my work the last 10 years within the group and outside has grown to this.

One of my most interesting pastimes is reading about hacks, especially deep analysis of them. Kaspersky Labs found Equation Group a year back and since then I have followed everything they have written about this highly skilled group. I have to say that it is with a tiny bit of awe that I read what they do. I may have decided years back to stay on the good side but the technical skill they possess surpasses the skills of many people I have met in the industry. I doubt that NSA would have a position for an old security architect but as you are monitoring everything anyway: Make me an offer and I'll consider it. 😉

It's not often that I conduct computer forensics anymore. There are others that do it a lot better than I do but sometimes my clients want me to have a look at something suspicious when they can't make head or tail of it.

Yesterday was such a day. When driving home I got a call from a client. He described that they had found some strange programs during a routine cleanup of adware on a client. Beneath all the layers of ads they found a file that apparently did not belong to the original adware. I checked it against known hashes but it came up empty as expected. A quick check at VirusTotal also came up empty so I decided to check its traffic. It turned out to be a very talkative little fellow. It acted as an FTP server and siphoned files from the network to an external spy. Sadly it went into a TOR network, making it really hard to follow. For now we closed the laptop and have sent a copy of the drive to my forensics team to find out what is actually happening. Still, information espionage is here to stay.

Last night when having a chat with a friend while flying back home we came to discuss a security dashboard and I gave him the general principles of my thoughts. From my point of view a security dashboard gives me the following:
1. Overview of my environment
2. Clearly marked where my crown jewels are (information)
3. My current patch level
4. The current attacks ongoing
5. The status on security testing
6. The status of possible vulnerabilities
7. The status of my security mechanisms

It's as easy as that. No more and no less. After describing that I leaned back in my seat as the hour was rather late. Suddenly he said: ‘Have you ever seen one of those in reality?’. I would love to say: ‘Of course! Plenty!’ but the sad reality is that many companies decide that they want to have manual processes instead…or rather purchase the service from their outsourcing partner but refuse to pay more than minimum so the service they get is very seldom more than a simple log review.

Have you ever heard of immediate security? A colleague asked me for my views on it since he had heard of it at a webinar, and that it would be impossible to reach. My simple answer is that rather the opposite is impossible. Impossible as in produces less security. Every single second I need to know if I'm secure or if I'm taking a risk. This cannot, of course, be reached with tools only but automation will still be an important tool.

A tool I often advise my clients to invest in is a security dashboard. A security dashboard is mainly a tool that collects all information needed and combines it with your risk analysis. From that you will get a better view of your current risk.