Cyber Security Intelligence

April Newsletter #2 2015

MI6 is in a Technology Race with Terrorists and Criminals

Britain's intelligence agencies are engaged in a "technology arms race" with terrorists, cybercriminals and other "malicious actors" bent on causing the country harm, the head of MI6 has warned.

Alex Younger said the agencies were facing opponents "unconstrained by consideration of ethics and law" who were exploiting Internet technology to put lives at risk.


In his first public comments since taking over last year as chief of the Secret Intelligence Service (SIS) – as MI6 is more properly known – Younger said traditional human espionage was becoming increasingly intertwined with "technical operations".

Speaking to an invited audience in London, he said that using the Internet and big data had enabled the agencies to "sharpen some very human characteristics" of their work.

"Using data appropriately and proportionately offers us a priceless opportunity to be even more deliberate and targeted in what we do, and so to be better at protecting our agents and this country," he said.

However, he said that technology had also created new vulnerabilities, which enemies could exploit. "The bad news is the same technology in opposition hands, an opposition often unconstrained by consideration of ethics and law, allows them to see what we are doing and to put our people and agents at risk," he said. "So we find ourselves in a technology arms race. Contrary to myth, human intelligence operations are not an alternative to technical operations – the two are interdependent and set to become more so."

Younger described the threat faced by agencies as the "dark side of globalisation" – including "terrorists, malicious actors in cyberspace and criminals" as he paid tribute to the bravery of his officers.

"As I speak there are SIS officers serving in some of the most dangerous and forbidding places on the planet," he said. "Others are operating under deep cover, unable to reveal the real nature of their work, or sometimes even their identity. This takes a particular type of bravery and resilience." He added: "I am particularly proud of the way in which our work with the military developed in Iraq and Afghanistan. Put bluntly, work done by SIS and GCHQ saved many British and coalition lives."

"The guiding principle is clear – we cannot protect the values this country represents if we undermine them in the process. And we cannot hope to hold the public's trust unless they know this principle is effectively overseen."


Will New US Cybersecurity Laws Actually Improve Security?

The US House and Senate Intelligence Committee just passed a Cybersecurity Bill that critics argue is not likely to improve cybersecurity. In fact, because it undermines the privacy of electronic communications by encouraging companies to broadly share private data with the government and each other, it may actually damage cybersecurity.

For anyone who follows intelligence policy, this shouldn't be a surprise. The intelligence community all too often launches grand new programs without conducting the appropriate research and evaluations to determine whether they will work, or simply create new harms.
The examples are numerous and it is a problem identified long ago by Clark Kent Ervin, the Department of Homeland Security's first inspector general.

As Ervin suggests, when intelligence agencies fail to evaluate their programs, a network of inspectors general, congressional auditors and outside watchdogs often fills the gap. But even when these oversight mechanisms identify an ineffective and wasteful security program, it's all but impossible to end.

The FBI and National Security Agency had long told Congress and the Foreign Intelligence Surveillance Court that the bulk collection of all domestic telephony metadata was "vital" to its counterterrorism efforts. But once Edward Snowden leaked the program to journalists, these claims crumbled under public scrutiny. The government now admits it didn't help interdict any terrorist attacks, a conclusion backed by a group of experts the President charged with reviewing it. Yet a bill that would not even have ended the program, but merely narrowed the government's use of the data, failed last year.

The Cybersecurity Information Sharing Act passed by the Senate Intelligence Committee is yet another example of this phenomenon. Experts agree that the bill would do little, if anything, to reduce the large data breaches we've seen in recent years, which have been caused by bad cyber security practices rather than a lack of information about threats. If passed by the full Congress, it would further weaken electronic privacy laws and ultimately put our data at greater risk. The bill would add another layer of government surveillance on a US tech industry that is already facing financial losses estimated at $180 billion as a result of the exposure of NSA's aggressive collection programs.

Intelligence agencies should be in the habit of evaluating all the possible consequences of an activity undertaken in the name of security before it is implemented. As Sen. Ron Wyden, D-Ore., the Intelligence Committee's lone dissenting vote against the bill, argued, "If information-sharing legislation does not include adequate privacy protections then that's not a cyber security bill – it's a surveillance bill by another name."

We don't need another surveillance program that doesn't improve our security.


Iran has built a Cyber Army faster than imagined!

Iran has increased its cybersecurity spending 12-fold since President Hassan Rouhani assumed office in 2013, according to a report released Monday by British technology research firm Small Media. Vowing to ramp up the country's cyber capabilities, Rouhani has given the Islamic Revolutionary Guard Corps (IRGC) an annual cybersecurity budget of roughly $19.8 million.

While Iran's initial cyber efforts were focused on countering internal dissidence, the government put its cyber experts on the offensive after an American computer worm, Stuxnet, infiltrated Iranian government servers and ruined almost one-fifth of the country's nuclear centrifuges in June 2010.

By November 2010, the Basij Cyber Council had trained 1,500 cyber-warriors who, in the words of IRGC commander Hossein Hamedani, "have assumed their duties and will in the future carry out many operations," according to a report released in 2013 by the Middle East Media Research Institute.

The US government is now at a severe disadvantage when it comes to protecting the country's critical infrastructure from foreign hackers, especially given the current global political climate. The US's ongoing nuclear talks with Iran and its frosty relationship with Russia, a major Iranian ally, have made conditions ripe for Iran to try and use its cyber capabilities as negotiating leverage.

Colleges and universities in Iran also offer their students internships with notorious Iranian hacker groups, who they can then go on to work for after they graduate.

Business Insider

Israel Girds Itself for Cyber Warfare

The threat of cyber terrorism is not new, but it has become more sophisticated. What defines cyber 'terrorism' as opposed to warfare might also be legally disputed since there is no concrete definition of what is fair in the cyber world.

In recent years, Israel has been the target of hacking campaigns by various groups going by the moniker Anonymous, operating under campaigns like #OpIsrael or #OpGaza. It is not known if Israel's well-known enemies might be behind the latest threat.

The Institute for National Security Studies warned yesterday that a group called AnonGhost was planning an "Electronic Holocaust" on April 7th in cyber-attacks against the Jewish State. "It's very hard to prove, but we do see some kind with terrorist organizations as you mentioned as well as state sponsors of terror behind these events."

#OpGaza – named for the Twitter hashtag promoting the campaign – was a spontaneous campaign by hackers to retaliate against Operation Protective Edge. But #OpIsrael was planned in advance, with an unknown number of hackers taking part. Even if terrorist organizations or governments are involved, their successes have been minuscule thus far.

The real danger of hacking secure networks or interfaces belonging to any government ministries is minimized by government efforts to defend against such attacks. When asked about the decentralized nature of Israeli bureaucracy – where some ministries have their own networks not attached to those of other ministries – Cohen says that this was an issue in the past that has been ameliorated.

At this point, the threat is mostly to Israeli civilians, mainly soft targets who might be attached to larger companies. "Last week, the Israeli government announced the establishment of a new cyber security authority that is supposed to protect the civilian side of the Internet. Until then, it is less protected."

When asked if the major threats included attacks against credit-card institutions, Cohen confirmed that was the main concern, but it was not at all clear if attacks would be successful. "The last two attacks purported to have stolen credit card information and released it on the Internet. But it was recycled information. It was already publicly accessible."

Cohen asserts that the main benefit of cyber warfare with Israel that hackers can reasonably hope for is using psychological warfare, though its effects might feel devastating for those who experience or see the vandalism and hacking often associated with these attacks. Israel, however, is assumed to have a tremendous defensive and even offensive capability in cyber warfare. Cohen cites the joint American-Israeli operation that infected Iranian nuclear systems with the Stuxnet virus.

In terms of Israel's offensive capabilities otherwise, Cohen says that if a country is known to have a strong defense against these attacks, it is assumed to have a reciprocally good offense. But the power of Israel's counter-offensive power on the web might lie in the hands of its civilians, not its government.

Israeli hackers humiliated several anonymous hackers whose IP addresses made them traceable, letting hackers use applications like Skype to hack computer cameras. The Israeli hackers subsequently took photos of the #OpGaza hackers, broadcasting them across the web. Given the nascent nature of cyber warfare, Cohen says there is no definition of a "war crime" in cyberspace, though it has been debated.

Israel National News

China Finally Admits to Having Cyber Warfare Units

China has finally admitted that it has cyber warfare units and plenty of hackers attached to them.

According to, the Chinese government has previously denied having made any organized cyber warfare efforts, despite investigations pinning blame for hacking attacks on the US on the People's Liberation Army.

China broke from its tradition of denying everything related to digital spying and network attack capabilities and explicitly revealed that it has specialized units devoted to using computers as weapons, reports

This explicit reveal could change the often-tense dynamic between Beijing and Washington, since it makes China's usual tactic of denying everything way less effective.

Ein News

Building a Cyber Security Team from Within

While building an in-house cyber security operations center can be resource-intensive, it can safeguard your data.

Hijacking technology used to be the favorite hobby of benign oddballs. The Max Headroom incident was inexplicable, but harmless. Gary McKinnon may have hacked the Pentagon, but he was hunting for evidence of UFOs. That's sadly not the case anymore: cyberattacks can and do inflict real damage.

Sony Corporation has become a famous example. In the last few years, it's suffered no fewer than three high-profile security breaches. The latest, a DDoS attack around Christmas, was an inconvenience, the fallout being five days of network outage and a few irate gamers. The 2011 PlayStation Network hack, however, resulted in a mass data harvest and a $15 million settlement for those affected.

Hacking is an attack weapon, which has become a business-critical issue costing companies millions, which very much puts it in the domain of the CFO.

The argument from some quarters is that outsourcing your protection is the way forward. For CFOs, it's easy to see the appeal of making the process of protecting your infrastructure another number on a balance sheet. Unfortunately, while it's simpler in the short-term, it's hard to know in advance that your managed service provider (MSP) will get cybersecurity right. With many data breaches occurring as a result of poor outsourcing decisions, it's a risk that many boards aren't prepared to take. We have also seen some situations in which a company has had to buy back its own data from a legacy MSP.

Building an in-house security operations center, or SOC as it's more commonly known, can be a resource-intensive process. But managed correctly, it can safeguard your business-critical data and your bottom line.

The first decision a CFO should make is whether or not in-house security should be integrated with the rest of the IT department. For smaller businesses, this might be unavoidable: for medium-to-large enterprises, however, it's worth thinking about.

A dedicated SOC has many benefits, chief among them that your business owns its data and knows what's happening with it. It gives you in-depth control over your IT security and enables your company to make the best use of its application performance.

The big challenge for CFOs is that security can be expensive. It's possible to spend a lot of money, and there's no guarantee you won't be breached. The most important thing is that CFOs realize the role of the CISO is now a strategic one. IT security should be a business enabler, and the role of the CISO should be less focused on the technical and more on strategy and stakeholder management. Understanding how security can help a business achieve its objectives and overcome organizational challenges is key to the CISO role.

5 Ways to Use Virtual Reality in the Enterprise

With Microsoft's HoloLens headset, users can view virtual 3D images within the everyday real world.

For enterprises trying to differentiate themselves from their competitors, trying to connect with customers, trying to better show off their products and even make potential customers feel like they're trying out everything from a new car to a new iPhone before they buy it, virtual reality is likely to be a game changer for the enterprise.

Virtual reality is getting a lot of attention this week because the keynote during the second day of Facebook's annual F8 developer conference was largely focused on Oculus, a company that has built a virtual reality headset. Facebook bought Oculus in March 2014, and now the social network has big plans on developing not only virtual reality games, but ways for Facebook users to communicate and share experiences using virtual reality.

Facebook executives want users to even create virtual reality experiences for their online friends. Google is also known to be developing virtual reality products, though it hasn't specified exactly what it's doing.

If Facebook's vision becomes a reality, that will mean big things for gamers flying virtual fighter jets or fighting in medieval times.

What might it mean for the enterprise, though? Well, it should mean better communications with customers, a better way to show off new products and even a better way to work with employees.

Here are a few examples of how the enterprise could use virtual reality in another five or 10 years.

1. Training

Trainers will use virtual reality extensively. Soldiers, for instance, would be able to train in a virtual middle-eastern village or in a snowy, remote environment without leaving their American base.

Financial managers would be able to train using a virtual office environment, so they could practice good communication and leadership skills.

2. Pulling in remote workers

Virtual reality also should make for better relationships between employees working remotely and their managers or working groups. Think about employees being able to work from home but at the same time, working from virtual offices, surrounded by their virtual peers. This could make the worker feel more like a part of the meeting or a part of the team, leading to possible productivity boosts.

Another plus: if you are more tightly coupled, it can help make your boss more confident that you actually are working and not just goofing off at home.

3. Less business travel

Today, when most workers need to attend an important meeting -- whether it's in another corporate location or at a client's office -- they head to the airport, work their way through security and endure a plane ride, sometimes squeezed in that dreaded middle seat.

Of course, some people use videoconferencing, but it's not widespread. And that experience still isn't quite like being in the same room and sitting down face-to-face with colleagues or clients.

A virtual reality meeting could make it seem like a manager is in an actual face-to-face meeting when he or she is actually alone in the office.

What companies will notice is a reduction in travel costs and in the administrative work it takes to make the travel arrangements and deal with the expenses. It also will reduce the amount of time workers are outside the office and unavailable.

4. Sales

If someone is interested in comparing two different types of smartphones before buying one, testing them both out via virtual reality would be the perfect solution.

Salespeople could help their potential customers to virtually try before they buy. Customers could feel like they're sitting in a car. They'd see how it would steer and feel on the road and how the interior looks up close. They could see how roomy it is -- all before taking the time to drive to a dealer to see it in person.

5. Order up!

Kagan said one of the first uses of virtual reality may be at restaurants to allow customers to make their to-go food orders instead of calling in or using the Web.


Cyber Insurance: Well Worth it but Beware of Exclusions

It's what all sensible people do to mitigate the risk of catastrophic financial damage: Buy insurance. There's not even a choice when it comes to auto and health risks – insurance is a legal mandate. And most people would agree that anyone with a house who does not carry homeowner's insurance is a fool or fabulously wealthy.

So, why not use cyber insurance? Indeed, the case for it is compelling. The costs of data breaches are in the millions and rising fast. As the Ponemon Institute put it in a synopsis of one of its recent reports on the issue, "data breaches have become as common as a cold, but far more expensive to treat."

In another report sponsored by HP Enterprise Security, Ponemon found that, "the average annualized cost of cyber crime incurred by a benchmark sample of U.S. organizations was $12.7 million," up 96% since five years ago. The average cost to resolve a single breach was $1.6 million.

Most policies are nowhere near inclusive of all costs associated with breaches. So, as Wendi Rafferty, vice president of services at CrowdStrike, put it to CSO in an earlier interview, part of any prudent organization's advance plan to respond to a data breach should include data breach insurance.

The biggest reason is that a general liability policy is no longer enough. It covers, "third-party claims of bodily injury or property damage, but the trend among insurance providers is to exclude electronic records and data," said Jared Kaplan, executive vice president and CFO of Insureon.

Getting effective cyber insurance is not simple, however. Data breaches, in addition to being expensive, are notoriously complicated. They require a host of costly responses, including forensic investigation, notification of first and third parties, fulfillment of legal and compliance obligations, possible litigation, working with law enforcement, public relations, credit monitoring fees, crisis management – the list goes on.

As technology risks continue to evolve, many carriers are starting to pull back on the types of industries and risks they will cover.

Also, different industries have different kinds of risks: health care is not the same as retail, which is not the same as buying for education.

That means simply buying a "cookie-cutter, off-the-shelf" policy is asking for trouble since it will likely have exclusions for significant expenses.

According to a recent post in Dark Reading, many such policies exclude coverage for:

Some damages, of course, cannot be measured exactly. But there are ways to close coverage gaps. One of the most obvious is to practice good security "hygiene," including end-to-end encryption of data and keeping software up to date with all recent patches.

Common exclusions in "off-the-shelf" cyber insurance policies:

In short, cyber insurance can ease the pain, but it won't eliminate it.


UK's Merseyside police plan biometric bail system

Police in the UK city of Liverpool are replacing a paper-based bail system with a biometric process, saying that biometrics will save money and cut breaches of bail conditions.

The Merseyside Police scheme has been awarded funding of £360,000 (US$531,800) by the Home Office, from the £70 million Police Innovation Fund aimed at transforming policing through innovation.

Biometric technology and a digital records system will replace a current set-up, which requires suspects to attend a police station and sign a register in person. Instead, suspects will be able to answer bail using their thumbprints, which will be registered when their bail is imposed. They can then register their attendance in a digital kiosk at a time and location designated by their bail conditions. A photograph will also be taken to record any change of appearance.

Assistant Chief Constable Ian Pilling commented: "I am particularly pleased to see the roll-out of the paperless bail system for individuals post-charge in police stations." He added: "Not only will the implementation of this system allow us to save money and strengthen the partnerships we already have with our partner agencies but also will ensure we keep our communities safe and feeling safe."

If successful, the scheme could be extended to other areas, such as monitoring registered sex offenders and people subject to football banning orders.

Planet Biometrics

The Cyber Chicago Way
Opinion by Ronald Marks

In the movie The Untouchables an irascible longtime Chicago cop played by Sean Connery explains to a naïve Eliot Ness how to get gangster Al Capone. The Sean Connery character says, "You wanna get Capone? Here's how you get him. He pulls a knife - you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue! That's the Chicago way, and that's how you get Capone!"

I was reminded of that speech the other day listening to Cyber Command head Mike Rogers testifying before the Senate Armed Services Committee. Rogers clearly wants to get tougher on cyber attacks. In fact, he wants vastly increased offensive capabilities – military jargon for hitting back at the attackers. Rogers made it clear, and Senate Armed Services Committee chair Senator John McCain agreed, that defensive toughness was simply not enough. We needed – in Untouchables parlance – to send one of theirs to the morgue.

The anger and impatience is understandable. Cyber attacks have been building in number and intensity over the last few years – beyond DDOS attacks and stealing credit card information by organized crime. The Chinese have been stealing technical secrets with abandon. The Russians have been willing to use disruptive cyber techniques against Ukraine. Iran attacked Saudi computers and destroyed thousands. But, the final straw for America came with North Korea's shameless show of cyber bullying and attack against Sony Pictures. We did counterattack Pyongyang – or so it seemed. They were small. And it was easy work.

Still, you have to ask the question in the larger whole: what happens if one of the big guys attacks and we do send "one of theirs to the morgue." Are we prepared to deal with consequences of a massive counter attack against civilian targets? Do we have capability detection swift and detailed enough to know they are happening and from where?

We should boost our cyber offensive capabilities, no doubt. And, I think a preemptive strike or two might be a reminder of our strength. But, cyber world is not confined to nation state against nation state attack. We can barely manage the minimal of coordination between our government and the private sector in cyber world. It is not likely a large nation state like Iran would make any distinctions. In fact, they would sensibly seek out the greatest vulnerabilities. And, for us, that is in the private sector, where about 85 percent of our cyber infrastructure is located. So, I applaud Brother Rogers for his fortitude. We simply can't sit around and take it. But, before we send one to the morgue, let's make sure we can take care not to send one of ours as well.

Security Insights

Battle for African Internet Users Stirs Fears

Google and Facebook are at the forefront of a scramble to win over new African Internet users, offering freebies they say give a leg-up to the poor but which critics argue is a plan to lock in customers on a continent of 1 billion people.

Africa had 16 percent Internet penetration and 67 million smartphones in 2013. Africa's Internet penetration will reach 50 percent by 2025 and there are expected to be 360 million smartphones on the continent by then, roughly double the number in the United States currently, McKinsey Consultants data shows.

This growth is attracting interest from Internet companies such as Google, Facebook and Wikipedia, which are striking deals with service providers such as Vodacom, MTN, Bharti Airtel and Safaricom to offer users free, or 'zero-rated' access to their sites and services.

Facebook, through its programme, offers a stripped-down version of its social network and some other sites for free in what it says is an exercise to connect the two thirds of the world that doesn't have Internet access.

Google, in partnership with Kenyan mobile phone firm Safaricom, is rolling out its "free zone" in Kenya, where email and the Internet are available with no data charges, providing users stay within Google apps.

France's Orange is offering free access to a pared-down version of Wikipedia in some African countries, while South Africa's Cell-C gives its customers free use of WhatsApp, a messaging service owned by Facebook.

Critics, however, say big service providers and Internet companies are luring African users into using their services, giving them opportunities for greater advertising revenue.

Giving Africans free access to some Internet sites may also stunt innovation and limit the opportunities for African entrepreneurs, making online technology another industry on the continent dominated by big foreign companies.

Despite concerns about limited regulation and an uneven playing field, many experts argue that any improvement in Internet access in Africa should be welcomed, given it could improve education, grow businesses and alleviate poverty.

High-speed broadband costs up to 100 percent of average per capita income in Africa, compared to less than 1 percent in developed countries, according to WebIndex.


Smartphone Apps Covertly Report Your Location Data

Do you realize how often your smartphone is sharing your location data with various companies? It is more than 5000 times in just two weeks.

A recent study by the security researchers from Carnegie Mellon reveals that a number of smartphone applications collect your location-related data a lot more than you think.

The security researcher released a warning against the alarming approach: "Your location [data] has been shared 5,398 times with Facebook, GO Launcher EX, Groupon and seven other [applications] in the last 14 days."

During their study, researchers monitored 23 Android smartphone users for three weeks.

Researchers concluded:

Some apps for Android are tracking users' movements every three minutes.

Some apps for Android are attempting to collect more data than they need.

Groupon, a deal-of-the-day app, requested one participant's coordinates 1,062 times in two weeks.

Weather Channel, a weather report app, asked for device location an average of 2,000 times, or every 10 minutes.

The participants were unaware of how closely they were being tracked by different apps, and many were surprised by the end results.

"4,182 (times) – are you kidding me?" one of the participants asked. "It felt like I'm being followed by my own phone," adding "It was scary [that the] number is too high."

Another participant wrote, "The number (356 times) was huge, unexpected."

The research team found that privacy-managing software helped manage access to data. When the members granted access to App Ops, they collectively checked their App permissions 51 times and restricted 272 permissions on 76 different apps. Just one of the participants failed to review permissions.

As is typical of user behaviour, once the participants had made changes to the app permissions, they hardly looked at them after a few days.

"App permission managers are better than nothing, but by themselves they aren't sufficient," said Norman Sadeh, a professor at Carnegie Mellon. "Privacy nudges can play an important role in increasing awareness and in motivating people to review and adjust their privacy settings."

With the help of App Ops privacy app, in the span of eight days, the participants collectively reviewed app permissions 69 times, blocking 122 additional permissions on about 47 different apps.

Ultimately, the team believes that if users began getting privacy nudges on a daily basis, they would definitely go back to their privacy settings and restrict apps that are tracking them more closely.

The Hacker News

Facebook successfully tests laser drones in UK skies

Social network prepares to use solar-powered drones with wingspan of a commercial airliner to beam Internet access to rural areas

Facebook has been testing large, solar-powered drones in the skies over the UK, chief executive Mark Zuckerberg has announced. The drones use lasers to beam Internet access down to the ground, designed to provide connections to rural and internet-free zones.

"As part of our effort to connect the world, we've designed unmanned aircraft that can beam Internet access down to people from the sky," said Zuckerberg in a blog post. "We've successfully completed our first test flight of these aircraft in the UK."

Developed by Ascenta, a Somerset-based designer of solar-powered drones bought by Facebook in March 2014, the drones will be able to fly at altitudes of 60,000 feet for months at a time on solar power. They will have wingspans greater than 29m, or that of a Boeing 737, but weigh less than a car.

The drones form part of Facebook's initiative that aims to connect the next billion people to the Internet, creating new markets for the social network, which already connects 1.39 billion monthly active users. Google is also planning to provide internet access to non-connected areas using both high altitude balloons and drones, buying American drone firm Titan Aerospace in April last year.

The two US technology firms are fighting it out to become the pipe and hub that serves both new users and an untapped resource for marketers.