Cyber Security Intelligence


April Newsletter #3 2015

Snowden's HBO Interview: Has He Actually Read The NSA Documents He Leaked?

Edward Snowden, the former CIA employee and NSA contractor who leaked thousands of classified documents, has given a number of interviews recently, and in one of them he acknowledged that he had not read every document thoroughly before handing the archive over for publication, while conceding that its release could be "harmful" if mishandled.

Snowden was backed into a corner by John Oliver, the British host of HBO's Last Week Tonight, who flew to Moscow to interview the former systems administrator. Snowden and his unlikely interviewer squared off over the leaks that exposed the National Security Agency's extensive surveillance programs.

Snowden, the former NSA contractor who has released thousands of classified documents since 2013 and has been charged under the US Espionage Act, has lived in Russia since mid-2013 to avoid prosecution.

Oliver, like his former boss Jon Stewart, has a knack for using comedy to transform complicated issues, such as Net neutrality and now the NSA's spying, into easier-to-grasp subjects. While much of the Snowden interview focused on Oliver's typical comical take on politics, things did turn contentious at one point when the HBO host challenged Snowden on whether he had read all of the documents he handed over to journalists.

"I have evaluated all of the documents that are in the archive," Snowden said in response to Oliver asking him how many of the thousands of NSA documents he had read. After Oliver pushed him on whether he actually read each document, Snowden provided a non-answer, saying that he does "understand" what he handed over.

Oliver pounced, saying there's a "difference between understanding what's in the documents and reading what's in the documents." He went on to argue that actually reading the documents is important, given the significance of the material that Snowden leaked.

"Well, in my defense, I'm not handling anything anymore," Snowden argued. Oliver pressed on, saying that Snowden should take responsibility for handing over any documents "that could be harmful."

Snowden did acknowledge that the release of information can be harmful "if people act in bad faith" or if the information is handled -- as Oliver described it -- with "incompetence." Oliver specifically pointed to an improperly redacted document published by The New York Times that allowed anyone to see how the US government was combating al-Qaeda operatives in Mosul, Iraq. Snowden acknowledged that the redaction issue was a "problem."

The interview has taken some by surprise, considering Oliver, a former writer and guest host for the comedy news series "The Daily Show," has used his HBO show to take a comical stance on real-world politics. However, he often includes commentaries that, while still comedic, take a strong stance on topics.

After making Snowden squirm for five minutes or so, Oliver retreated back to his comedic side. He showed Snowden videos of people on the streets who were asked if they knew who Edward Snowden was. Nearly all of them guessed incorrectly, with some identifying him as the man behind Julian Assange's WikiLeaks.

In typical fashion, Oliver was able to illustrate a point through his comedy. He argued that Americans generally don't care as much about NSA surveillance -- especially foreign spying -- as Snowden would like.

Oliver turned his attention to the difference in interest between the Snowden leaks and last year's leak of nude celebrity pictures caused by an apparent hack of Apple iCloud accounts. Nude images of celebrities hit the Web, causing a frenzy. Oliver brought the issue full circle to Snowden, arguing that what Americans care most about -- indeed, more than how the NSA operates -- are "dick pics."

Oliver again showed Snowden a video featuring people on the streets who were interviewed on whether they would take issue with the NSA gaining access to private photos. Nearly all of them said they would have a problem with it.

With Snowden's help, Oliver went through the various NSA programs that have been leaked through his data dump, including Prism and Upstream, to see whether such pictures could be obtained and viewed by the NSA. In each case, Snowden explained how the programs could allow for such private pictures to be collected and viewed by NSA officials.

"Yeah, this is something where it's not actually seen as a big deal in the culture of NSA," Snowden said in response to a question on the collection and viewing of naked pictures of people within the government agency. "Because you see naked pictures all the time."

Oliver's intention was clear: to make the impact of Snowden's leaks easier for the average person to understand. Snowden agreed it takes real technical know-how to appreciate how the NSA collects information. Conveying that in short sound bites is nearly impossible, he said.

"When you send your junk through Gmail, that's stored on Google's servers," Snowden said, explaining one way in which a "pic" could find its way to the NSA through the government's Prism program. "Google moves data from data center to data center -- invisibly to you without your knowledge -- your data could be moved outside the borders of the United States, temporarily. When your junk was passed by Gmail, the NSA caught a copy of that."

The NSA did not immediately respond to a request for comment.

CNET: http://ow.ly/LqWDL

Interpol Cyber Research Identifies Malware Threat to Currencies

Interpol cyber threat researchers have identified a threat to the blockchain in virtual transactions, which could result in their being embedded with malware or other illegal data, including child abuse images.

Depending on the cryptocurrency and its protocol, there is a fixed amount of open space on the blockchain – the public 'ledger' of transactions – where arbitrary data can be stored, referenced or hosted inside transactions and their records. It is this open space that the experts, an Interpol officer and a specialist seconded from Kaspersky Lab to the Research and Innovation unit at Interpol's Global Complex for Innovation (IGCI), identified as the potential target for malware.

The design of the blockchain means that malware could be injected and permanently hosted there, with no method currently available to wipe the data. This affects 'cyber hygiene' as well as the sharing of child sexual abuse images, since the blockchain could become a safe haven for hosting such material.

It could also enable crime scenarios in the future such as the deployment of modular malware, a reshaping of the distribution of zero-day attacks, as well as the creation of illegal underground marketplaces dealing in private keys which would allow access to this data.
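The paragraphs above describe the mechanism in the abstract. As an added example, not part of the Interpol research or the SC Magazine report, the block below shows the concrete form this "open space" takes in Bitcoin: an OP_RETURN output, whose script carries a pushed byte string that nodes store but never spend. It also shows the kind of scanner a defender could run over outputs to flag data carriers that look like executable fragments or exceed the standard size limit. The script encoding follows Bitcoin's OP_RETURN and PUSHDATA rules; the 80-byte standard relay limit is assumed from Bitcoin Core's 2015 default, and the sample outputs are constructed.

```python
# Added example (not from the Interpol research): how arbitrary bytes can be
# carried in a Bitcoin-style OP_RETURN output, and a scanner that flags outputs
# whose payload looks like an executable. Script encoding follows Bitcoin's
# OP_RETURN / PUSHDATA rules; the sample outputs below are constructed.
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
# Bitcoin Core's default relay limit for OP_RETURN data in 2015 (assumed here)
STANDARD_LIMIT = 80

# Magic numbers whose presence in a data-carrier output deserves a look
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows executable)",
    b"\x7fELF": "ELF (Linux executable)",
    b"PK\x03\x04": "ZIP archive",
}


def push_data(payload: bytes) -> bytes:
    """Encode a minimal Bitcoin script push of `payload`."""
    n = len(payload)
    if n <= 75:
        return bytes([n]) + payload
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + payload
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + struct.pack("<H", n) + payload
    raise ValueError("payload too large for this encoder")


def op_return_script(payload: bytes) -> bytes:
    """scriptPubKey of a provably unspendable data-carrier output."""
    return bytes([OP_RETURN]) + push_data(payload)


def parse_op_return(script: bytes):
    """Return the bytes pushed after OP_RETURN, or None if the script is not a
    (well-formed) data carrier."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op, i = script[1], 2
    if op <= 75:
        n = op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        n, i = script[2], 3
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        n, i = struct.unpack("<H", script[2:4])[0], 4
    else:
        return None  # non-push opcode or truncated length prefix
    if len(script) < i + n:
        return None  # truncated push
    return script[i:i + n]


def scan_outputs(outputs):
    """outputs: iterable of (txid, scriptPubKey). Returns [(txid, [reasons])]
    for every data-carrier output that deserves attention."""
    findings = []
    for txid, script in outputs:
        data = parse_op_return(script)
        if data is None:
            continue
        reasons = [name for magic, name in EXECUTABLE_MAGIC.items()
                   if data.startswith(magic)]
        if len(data) > STANDARD_LIMIT:
            reasons.append(f"payload {len(data)} bytes exceeds "
                           f"{STANDARD_LIMIT}-byte standard limit")
        if reasons:
            findings.append((txid, reasons))
    return findings


# Constructed sample outputs: a harmless text note, a PE header fragment, and a
# pay-to-pubkey-hash script that is not a data carrier at all.
SAMPLE_OUTPUTS = [
    ("tx-note", op_return_script(b"charity donation 2015-04")),
    ("tx-pe", op_return_script(b"MZ\x90\x00" + b"\x00" * 60)),
    ("tx-p2pkh", bytes.fromhex("76a914") + b"\x11" * 20 + bytes.fromhex("88ac")),
]

if __name__ == "__main__":
    for txid, reasons in scan_outputs(SAMPLE_OUTPUTS):
        print(txid, "->", "; ".join(reasons))
```

A real payload would be split across many outputs to stay under the size limit, so a production scanner would reassemble chunks by transaction ordering before matching magic bytes; the per-output check above is the building block for that.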

"To conduct this type of research and identify new cyberthreats were among the key aims behind the creation of the Interpol Global Complex for Innovation," said IGCI Executive Director Noboru Nakatani.

"Having identified this threat, it is now important for Interpol to spread awareness amongst the public and law enforcement, as well as encourage support from communities working in this field to find solutions for the potential blockchain 'abuse'."

The research was unveiled at the Black Hat Asia 2015 event in Singapore, just weeks before the official inauguration of the IGCI. Interpol's state-of-the-art complex will provide its 190 member countries with a cutting-edge research and development facility for the identification of crimes and criminals, innovative training, operational support and partnerships.

SC Magazine: http://ow.ly/LnPk

Why IT Security Is Getting So Complicated

The proliferation and sophistication of hackers, combined with increased reliance on interconnected applications, devices and systems has created a security environment that's challenging for even the best prepared organizations, according to a new research study by IT industry association CompTIA.

The growing organization of hackers (cited by 54% of the 400 technology and business professionals surveyed online by CompTIA in January 2015), the sophistication of threats (52%) and the greater availability of hacking tools (48%) carry implications for business.

Just over half of those surveyed (52%) say greater interconnectivity has complicated their security efforts. As organizations have embraced cloud computing and mobile technology solutions, they've extended the security perimeter, creating new security considerations, the study notes. Legacy security systems and practices are often not sufficient to protect the expanded perimeter.

"It's not that businesses need to be convinced that security is important," Seth Robinson, senior director, technology analysis at CompTIA, said in a statement. "Instead, they need to be convinced of the ways that their current security approach is putting them at risk."

There are three areas where organizations are changing their security posture, Robinson says: technology, processes and personnel. Companies are bringing in new security technologies to go along with the new business technologies they're using.

Data loss prevention is one of the most common new tools, now in use by 58% of the organizations surveyed. Identity and access management and security information and event management both showed strong growth in adoption, at 57% and 49%, respectively.

Information Management: http://ow.ly/LnQ0g

Is 'Off The Grid' A Thing Of The Past?

We live in a world where there are nearly as many cell phone subscriptions as people on Earth, where we can instantly see a real-time view of streets or buildings halfway across the planet, and where our TVs, homes and cars get smarter by the day. The level of connectivity that we currently enjoy could barely have been imagined even a decade ago, and yet the reality is that even today we are connected to less than one-quarter of the entire planet.

The satellites that we rely on today for data have an impact on everything from weather prediction to supply chain logistics to manufacturing, yet they generally only collect information from the major land masses. This leaves three-fourths of the planet, covered primarily by oceans and remote areas, as uncharted territory. What sort of unknown unknowns exist off the grid, just out of reach?

Most people would be shocked to know that when you travel farther than 50 miles from any coastline, you lose your connection to the modern world. Outside of this 50-mile range, no land-based signals can reach your devices due to the physical curvature of the Earth. Our current satellite systems cannot deliver reliable data on what's happening to the thousands of ships, planes and other objects traveling on or above the Earth's oceans. The implications for this lack of data are immense.

Sadly it took the tragedy of Malaysia Airlines Flight 370 and AirAsia 8501 to awaken the world to the reality of just how disconnected our planet is. These tragedies show that current airline-tracking technology, including radar and land-based receivers, is unreliable and outdated. In this case, the financial ramifications were immediate and visible as travelers, unwilling to risk their lives for a cheaper plane ticket, canceled or switched travel plans to avoid these particular airlines.

Large and erratic gaps in data caused by our current satellite systems not only make it difficult to track airplanes filled with valuable lives and cargo, but actually make it easy for nefarious traffickers to move illegal shipments such as drugs or weapons past borders without any regulation. The maritime industry deals with this reality every day. The first thing that a modern pirate does upon boarding a ship is turn off all navigational systems and the Automatic Identification System (AIS) transmitter. Traditional satellite systems will then take hours or days to register a problem, if they register any problem at all. By the time authorities receive news about an attack, the pirates could have already fled with captives and stolen cargo.

In the last decade, piracy alone has cost the global economy almost $18 billion per year. According to the International Maritime Bureau, pirate attacks along the waters off Malaysia, Indonesia and Singapore have nearly doubled this year compared to two years ago. Armed gangs hijack small tankers; steal cargo; kidnap victims; and sometimes murder ships' crews. Without near real-time data, enforcing maritime security is incredibly difficult, and attacks will continue unabated.

The good news is that a change has begun. A number of advancements in hardware development and big data have inspired a small cadre of companies like Planet Labs and Skybox to reimagine the satellite and its uses. Arguably the largest and most important shift in reimagining the satellite is the move toward standard form-factor, shoebox-sized satellites called CubeSats.

The new approach to satellite development and data collection offers a means to answer many of these questions and create measurable impact, providing both a financial and social safety net for the shipping and airline industries. Port authorities and companies will not only know where their cargo is located; increased access to data will also lead to less congestion in ports and a higher probability that cargo arrives on time.

Whether responding to suspicious activity or saving cargo and human lives during rescue operations, this level of data access also decreases illegal shipping activity and provides Coast Guard personnel with valuable time and intelligence. In the same vein, airline transport and travel will become safer and more reliable.

Insurance companies and the financial markets are among the most vulnerable. Maritime insurance providers have very limited insight into accidents at sea: collisions, oil spills, cargo lost to weather, spoilage and more all fall outside the realm of current data collection. With increased access to real-time data, the likelihood of overpaying on claims dwindles tremendously.

For the first time in history, breakthroughs in satellite technology will provide us with global coverage, and will do so in a surprisingly cost-effective manner. Ultimately, 2015 will be the year that we look back on and remember what it meant to be truly "off the grid", and remember just how uncertain that felt.

Techcrunch: http://ow.ly/LnQi7

Middle East: Cyberwar Heats Up

Two new malware campaigns have been spotted in the Middle East, according to reports released this week. One targets energy companies; the other went after political targets in Israel and Lebanon.

Symantec researchers observed a brand-new information-gathering tool, Trojan.Laziok, this January and February, targeting primarily oil, gas and helium companies in the Middle East. The United Arab Emirates saw 25 percent of the infections, with other Middle East countries adding up to 30 percent more. Pakistan had 10 percent, and the US and the UK had another 10 percent between them.

According to Symantec senior security response manager Satnam Narang, the infection begins with a phishing email carrying a malicious attachment, typically an Excel file. The attachment gets in by exploiting a known ActiveX vulnerability, one that was patched back in 2012.

According to Philip Lieberman, president at Los Angeles-based security vendor Lieberman Software Corp., the recent drop in oil prices has led to a decrease in IT security investment in the oil and gas industry.

"This attack exploits an apparently well-known lack of investment by the oil and gas industry in keeping their Microsoft Office software up to date," said Lieberman, adding that his company has seen this first-hand.

The exploit code in the attachment then installs the Trojan.Laziok, which collects information about the computer and sends it back to the attackers. That includes information about what kind of anti-virus is present.

Tools that enable malware to evade antivirus detection are easily available, confirmed Joe Barrett, senior security consultant at Lake Mary, Fla.-based Foreground Security. "It means that defense in depth and the principle of 'least privilege' are more important than ever."

Network defenders should watch for malicious traffic and be ready to isolate machines suspected of being infected.

This malware can turn on the computer's microphone to record audio, or capture video using the webcam. It can also log keystrokes and install additional malware.

According to researchers at Check Point Software Technologies Ltd., who released the Volatile Cedar report this week, that campaign dates all the way back to 2012. It also uses a new, custom information-gathering Trojan, which Check Point named Explosive. But while the Trojan.Laziok attack started with phishing emails, the Volatile Cedar attack began with publicly-facing web servers.

In addition, Check Point traced the source of the Volatile Cedar attack to actors in Lebanon, and its targets were a narrow set of political organizations in Israel and Lebanon. The targeting of organizations in Lebanon could be related to espionage among rival political groups, researchers said.

One possible indication that the Trojan.Laziok is not politically motivated is that the malware, which is also known as the Kraken Remote Access Trojan, has been spotted stealing Bitcoin wallets.

"It is unknown who is actually behind the attacks using Kraken," said Jeremy Scott, senior research analyst at Omaha-based security firm Solutionary, Inc. "However... Kraken is far from an 'espionage' malware unless the attackers behind it are more sophisticated than researchers are aware of."

CSO Online: http://ow.ly/LnR1m

Commando Bugs

A security source in the Gaza Strip told the Palestinian website Al Majed that "the purpose of these tiny aircraft is to trace missing IDF soldiers and track Hamas militants." The source further disclosed that these so-called "electronic dragonflies" are also capable of opening fire against targets and even blowing themselves up over them.

According to this source, these tiny electronic airborne devices carry embedded images of missing soldiers for the purpose of search and identification. The source added these "electronic dragonflies" are in fact US-made espionage devices featuring GPS. They emit signals, which satellites then pick up. The tiny crafts, which are capable of penetrating buildings through tiny holes, "look like flies from afar, or even a small bird." It is believed they are controlled remotely. The source added that Hamas believes these "electronic dragonflies" are also designed to trace explosives and unveil their production sites.

Irrespective of this report, i-HLS has already exposed in the past that Israel Aerospace Industries (IAI) is developing a tiny unmanned aircraft featuring insect-like wings, complete with a matching flapping mechanism, rendering it capable of flying like a butterfly or insect. IAI is not the sole developer to be inspired by nature at large or by insects in particular, but what stands out is the designated use of real live insects for intelligence and reconnaissance.

The US is already working on real live insects carrying embedded tiny electronic systems. The Defense Advanced Research Projects Agency (DARPA) is said to be developing a project harnessing bugs for military missions.

Ultimately, DARPA intends to have live insects implanted with electronics and mechanics rendering them remotely controllable and directable from afar, for espionage or explosive detection missions. A radio signal will activate the implant, guiding the insect to a specified venue or location.

For the actual purpose of locating explosives, the bug will be fitted with a microscopic sensor, whereas 'espionage bugs' will feature tiny cameras or microphones. "Electronics and optics have reached such an ultra-advanced stage that we can manufacture devices of practically any size," says one expert.

US scientists intend to implant these microscopic devices inside bugs' cocoons, during the pupal stage. After metamorphosis, the bug develops normally to full size with the implant already embedded. DARPA's teams are focusing their efforts on butterflies, moths and dragonflies. There is still a dispute among experts over whether these insects can be guided and directed to perform military missions, but experiments are ongoing.

There have been past experiments to install various sensors on certain birds. Experts say the American effort is interesting. "After all, DARPA is an official US government agency, and they must believe it's possible to achieve development of a remote controlled insect," one expert told i-HLS.

There is no doubt that in some places worldwide, there are current efforts to develop unmanned aerial vehicles (UAVs) capable of making their way into buildings and capture video, images and sound. Intelligence gathering is always moving forwards thanks to cutting-edge miniaturization. The question remains though, where does this leave our privacy, where do uninvolved civilians fit in. The problem persists, and it will worsen. It seems progress does not come without a price.

i-hls: http://ow.ly/LnQpC

How Credible is the Anonymous Threat to Israel?

A warning has been issued for the state of Israel, allegedly from the hacking collective "Anonymous," in a new video in which they threaten to "erase the country from cyberspace."

Citing what the hackers called "continuous aggression, bombing, killing, and kidnapping of the Palestinian people," the group vowed to unleash cyber "squadrons" that will launch what the video referred to as a "cyber holocaust" that the speaker announces will occur in April. The attack is scheduled to occur before Israel's Holocaust remembrance day, known as Yom HaShoah, which takes place on April 16.

The volume of cyber attacks by hackers is on the rise in Israel – and surged during Operation Protective Edge (the 1.5 month-long Palestinian-Israeli conflict) last summer, when Isaac Ben-Israel of Tel Aviv University says cyber attacks grew by 900 percent. These attacks were attributed to anti-Israeli hackers among its Arab neighbors, operating under a hacking umbrella Israeli authorities referred to as Op-Israel – hackers who have been influenced by various Islamist organizations, according to the Times of Israel.

"Instead of the usual 100,000 attacks we get each day, we were now getting a million such attacks from all over the Arab and Muslim world," he told the Israeli news website.

It should be noted that Anonymous hackers receive marching orders from no single authority. Fellow "Anons" have to strike a balance between keeping their web identities and cyber footprints anonymous to authorities online, and communicating operational messages to other hackers, according to Wired. In this case, the likely Arab hackers, according to Daniel Cohen, a research associate at the Israel Institute for National Security Studies (INSS) Cyber Warfare program, have been identified by Israeli cyber defense teams as hacking on behalf of Islamist interests.

The nature of "Anonymous" as a brand means that those hackers using the name vary widely in terms of their goals, targets, and location. David Kushner of the New Yorker wrote in his profile of Anonymous, "There was no membership fee or initiation. Anyone who wanted to be a part of Anonymous—an Anon—could simply claim allegiance."

And the relative unity the group enjoyed in the past may be fracturing. As The Christian Science Monitor reported:

There's now a growing divide between various partisans that claim the Anonymous moniker: The North American contingent is increasingly isolated by the rest of the community as Anonymous gains more traction in Europe, Asia, and Latin America.

This fissure, or lack of control over the movement, has been a few years in the making, but was most apparent after the Charlie Hebdo killings in Paris. In the wake of the January terrorist attack, European members of Anonymous pushed for online revenge attacks on Islamic militant websites under the hashtag #OpCharlieHebdo....

Established North American Anonymous accounts ignored, criticized, or mocked #OpCharlieHebdo and #OpISIS. Other American mouthpieces dismissed it as a "false flag," meaning it was orchestrated by the CIA or some other government to distract from more important issues, damage Anonymous' reputation or to instigate unrest for political purposes. ...

This loss of influence over the collective is reflective of how global politics are playing out within the darker corners of the Internet where Anonymous and likeminded hackers spend time. The Edward Snowden leaks that revealed pervasive National Security Agency monitoring of the Internet have led to a deep distrust of American Anonymous members.

"The 'anti-American' sentiments have become more and more a part of our conversations," said Raymond Johansen, a global privacy activist on the FreeAnons Advisory board dedicated to freeing imprisoned Anonymous hacktivists. Anonymous was thought to be compromised in 2011 when the American government arrested Hector Xavier Monsegur, known as Sabu, and he began informing on other Anonymous hackers, according to Wired. Sabu's arrest disrupted a successful string of hacks between 2008 and 2012, according to Business Insider. These attacks included taking down the Westboro Baptist Church's website. During this time period, Anonymous also launched Operation DarkNet, the group's anti-child pornography campaign.

"It's not like you throw them in jail and they disappear," Mark Rasch a former federal cybercrimes prosecutor, told Wired. "It's sort of like squeezing Jell-O. It just moves somewhere else."

So, does the "Anonymous" faction threatening Israel pose a credible risk?

"For the most part, this is posturing. This is actually the fourth year that Anonymous has carried out this Op Israel attack and called on their supporters to erase Israel from the internet," Benjamin T. Decker, an intelligence analyst at the Tel Aviv-based consultancy the Levantine Group, told Newsweek. "As the years have progressed we have seen that, despite their increasing sophistication in hacking techniques, we have seen less damage against Israeli cyber infrastructures, largely due to Israel's pioneering of most cyber warfare tactics, both offensive and defensive."

One such attack, launched by Op_Israel in 2013, saw supposed Arab hackers operating under the Anonymous rubric claim to have caused some $3 billion in damage, Haaretz reported. The hack targeted more than 100,000 websites, 40,000 Facebook pages, 5,000 Twitter accounts and 30,000 Israeli bank accounts, according to the report.

The government claimed no major disruptions occurred, but the hack resulted in some websites being blocked and a handful of officials' contact information and other personal data posted online, according to Haaretz.

Ein News: http://ow.ly/LnRsD

Snowden Explains Exactly How the US Government Can Get Hold of their Private Images

The former NSA contractor and whistleblower Edward Snowden, speaking to John Oliver on Last Week Tonight, said that the American public doesn't understand what 'bulk government surveillance' actually means, or how it could affect them in their daily lives.

The files Snowden exposed, some of which it has now become clear he had not read completely, revealed mass US government surveillance programs, and meant he had to flee the country to seek refuge in Russia to avoid being prosecuted.

So Last Week Tonight host John Oliver asked his special guest, Snowden, to explain it to them using a metaphor they'd all understand – the concept that intelligence officers could be intercepting private naked images taken on their phones, or "dick pics", as they're more widely known.

"The good news is that there's no program named the 'dick pic' program. The bad news... they are still collecting everybody's information, including your dick pics," Snowden said. "If you have your email somewhere like Gmail hosted on a server overseas or transferred overseas or anytime it crosses outside the borders of the United States, your junk ends up in the database."

He went on to discuss the PRISM program, which is how the government "pull your junk out of Google, without Google's involvement". It also collects data from Facebook, Apple and other big companies.

However, Snowden was adamant that Americans shouldn't stop sharing private information "because of a government agency somewhere that's doing the wrong thing". "If you sacrifice your values because you're afraid, you don't care about those values very much."

Snowden's smashed laptop goes on show in London

And recently the laptop used to store top-secret documents leaked by National Security Agency (NSA) whistleblower Edward Snowden has gone on display at the Victoria and Albert Museum in London.

The device was smashed apart under the instructions of British intelligence officials. It is part of a wider exhibit exploring freedom of speech and Internet security.

Independent: http://ow.ly/LnQBV
BBC: http://ow.ly/LnQEo

Report Claims Huawei Doesn't Pose a Risk to UK Security

Huawei is one of the UK's largest providers of telecoms equipment, with deals in place to provide critical national infrastructure as well as the technology behind services from companies such as BT, EE, Virgin Media, O2 and Sky.

However, concerns have been raised in countries such as the US and Australia about potential links to the Chinese government and the People's Liberation Army in spite of strong denials from the group.

A cyber security evaluation centre in Banbury, UK, was established in 2010 by Huawei to take apart the physical equipment and software used in the UK, in order to mitigate risks to national security. In the report for the national security adviser, the centre's oversight board said the "technical assurance" provided by Banbury was of "sufficient scope and quality to meet its obligations". Huawei has also pledged further funds to expand the centre.

A management audit by Ernst & Young showed the centre was sufficiently independent from Huawei, which will address concerns about the centre and its staff being fully funded by the Chinese group. Three concerns were identified by the report, although these were rated as "low risk". They included difficulties in recruiting staff owing to a lack of cyber security skills as well as the reluctance of potential new recruits to complete security clearance. Ernst & Young also found some staff working at the centre without developed vetting clearance, the most comprehensive type of security vetting, although this has now been reduced to just two.

FT: http://ow.ly/LnQM3

Banks Undermine Chip and PIN Security Because Profits Rise Faster than Fraud

The Chip and PIN card payment system has been mandatory in the UK since 2006, but only now is it being slowly introduced in the US. In Western Europe more than 96% of card transactions in the last quarter of 2014 used chipped credit or debit cards, compared to just 0.03% in the US.

Yet at the same time, in the UK and elsewhere a new generation of Chip and PIN cards have arrived that allow contactless payments – transactions that don't require a PIN code. Why would card issuers offer a means to circumvent the security Chip and PIN offers?

Chip and PIN is supposed to reduce two main types of fraud. Counterfeit fraud, where a fake card is manufactured based on stolen card data, cost the UK £47.8m in 2014 according to figures just released by Financial Fraud Action. The cryptographic key embedded in chip cards tackles counterfeit fraud by allowing the card to prove its identity: the chip uses the key to compute a cryptogram over each transaction, and the key itself never leaves the card. Extracting this key should be very difficult, while copying the details embedded in a card's magnetic stripe from one card to another is simple.
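To make the paragraph above concrete, here is an added example (my own, not the article's and not EMV reference code) that models the three parties involved: an issuer that derives a per-card key and verifies cryptograms, a genuine chip card that holds its key, and a counterfeit built from skimmed magnetic-stripe data that has the PAN and expiry but no key. Real EMV derives 3DES or AES session keys from the Application Transaction Counter (ATC) and computes a CBC-MAC over a longer list of fields; HMAC-SHA256 stands in for that here, the transaction data is reduced to amount, ATC and the terminal's unpredictable number, and all key material and card numbers are constructed. The issuer also refuses a cryptogram whose ATC does not move forward, which is what stops a recorded cryptogram being replayed.

```python
# Added example (not from the article): a simplified model of why a chip card's
# embedded key defeats counterfeit fraud while a copied magnetic stripe does not.
# HMAC-SHA256 stands in for EMV's 3DES/AES CBC-MAC; keys and PANs are constructed.
import hashlib
import hmac
import os
import struct


def cryptogram(card_key: bytes, atc: int, amount: int, unpredictable_number: bytes) -> bytes:
    """Application cryptogram over the (reduced) transaction data; 8-byte MAC as in EMV."""
    data = struct.pack(">HQ", atc, amount) + unpredictable_number
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer HSM: derives each card's key from a master key, verifies cryptograms,
    and rejects any cryptogram whose ATC does not move forward (replay)."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._last_atc = {}

    def derive_key(self, pan: str) -> bytes:
        return hmac.new(self._master_key, pan.encode(), hashlib.sha256).digest()

    def personalise(self, pan: str, expiry: str) -> "ChipCard":
        return ChipCard(pan, expiry, self.derive_key(pan))

    def authorise(self, pan: str, atc: int, amount: int, un: bytes, ac: bytes) -> bool:
        expected = cryptogram(self.derive_key(pan), atc, amount, un)
        if not hmac.compare_digest(expected, ac):
            return False                      # wrong key: counterfeit or tampered data
        if atc <= self._last_atc.get(pan, 0):
            return False                      # ATC went backwards: replayed cryptogram
        self._last_atc[pan] = atc
        return True


class ChipCard:
    """Genuine card: the key never leaves the chip, only cryptograms do."""

    def __init__(self, pan: str, expiry: str, key: bytes):
        self.pan, self.expiry = pan, expiry
        self._key = key
        self.atc = 0

    def generate_ac(self, amount: int, un: bytes):
        self.atc += 1
        return self.atc, cryptogram(self._key, self.atc, amount, un)


class MagstripeClone:
    """Counterfeit built from skimmed track data: it has PAN and expiry but no key,
    so the best it can do is submit a random 8-byte cryptogram."""

    def __init__(self, pan: str, expiry: str):
        self.pan, self.expiry = pan, expiry
        self.atc = 0

    def generate_ac(self, amount: int, un: bytes):
        self.atc += 1
        return self.atc, os.urandom(8)


def terminal_transaction(issuer: Issuer, card, amount: int, un: bytes = None) -> bool:
    """Terminal: picks an unpredictable number, asks the card for a cryptogram,
    and sends everything to the issuer for online authorisation."""
    un = un or os.urandom(4)
    atc, ac = card.generate_ac(amount, un)
    return issuer.authorise(card.pan, atc, amount, un, ac)


def demo():
    issuer = Issuer(master_key=b"constructed-issuer-master-key")
    genuine = issuer.personalise(pan="4111111111111111", expiry="0617")  # constructed PAN
    clone = MagstripeClone(genuine.pan, genuine.expiry)

    genuine_ok = terminal_transaction(issuer, genuine, amount=2599)
    clone_ok = terminal_transaction(issuer, clone, amount=2599)

    # Replay: a captured (ATC, UN, cryptogram) triple resubmitted a second time
    un = b"\x01\x02\x03\x04"
    atc, ac = genuine.generate_ac(1000, un)
    first = issuer.authorise(genuine.pan, atc, 1000, un, ac)
    replay = issuer.authorise(genuine.pan, atc, 1000, un, ac)
    return genuine_ok, clone_ok, first, replay


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The unpredictable number is what binds a cryptogram to one specific transaction; if a terminal's "unpredictable" number can be predicted, an attacker who has had brief access to a card can collect cryptograms in advance and use them later, which is one of the ways a cloned card can slip past the checks this model enforces.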

The second type of fraud is where a genuine card is used, but by the wrong person. Chip and PIN makes this more difficult by requiring users to enter a PIN code, one (hopefully) not known to the criminal who took the card. Financial Fraud Action separates this into those cards stolen before reaching their owner (at a cost of £10.1m in 2014) and after (£59.7m).

Unfortunately Chip and PIN doesn't work as well as was hoped. My research has shown how it's possible to trick cards into accepting the wrong PIN and to produce cloned cards that terminals won't detect as being faked. Nevertheless, the widespread introduction of Chip and PIN has succeeded in forcing criminals to change tactics – £331.5m of UK card fraud (69% of the total) in 2014 is now through telephone, Internet and mail order purchases (known as "cardholder not present" fraud) that don't involve the chip at all. That's why there's some surprise over the introduction of less secure contactless cards.

Not only do contactless cards allow some transactions without a PIN, but the data can be stolen from the card and, by extension, potentially money from any account linked to it, just by brushing past someone near enough to trigger the contactless chip into transmitting.

Figures for UK card fraud reveal the effect Chip and PIN has had of forcing criminals to change tactics. So why are some banks issuing chip cards which don't support PIN verification at all, leaving customers to sign for transactions instead? Why has the US been so slow to roll out Chip and PIN and why have UK banks actually decreased security for contactless cards? All three decisions are driven by, perhaps unsurprisingly, profit.

The share of transactions that card issuers take (the interchange fee) depends on the country and type of transaction. In the US, a lower fee is charged for PIN transactions than for those verified by signature. The fees are paid by the merchants to the card companies and banks, and this explains why merchants upgraded their terminals to support Chip and PIN long before the US banks started issuing chip cards. Encouraging banks to start issuing cards is being handled the same way. And so from October 2015, if the merchant's terminal that accepts a fraudulent payment supports Chip and PIN but the card doesn't, the card issuer pays for the cost of the fraud. If the merchant's terminal doesn't support Chip and PIN but the card does, the merchant pays.

Contactless cards are being promoted because it appears they cause customers to spend more. Some of this could be accounted for by a shift from cash to contactless, but some could also stem from a greater temptation to spend more due to the absence of tangible cash in a wallet as a means of budgeting.

Greater convenience leads to increased spending, which means more fees for the card issuers and more profit for the merchant – this is the real reason why the PIN check was dropped from contactless cards. The risk of fraud is mitigated to some degree by limiting transactions in the UK to £20 (rising to £30 in September), but it's been demonstrated that even these limits can be bypassed.

Card fraud involves a very large amount of money, £479m in 2014 in the UK, and it affects many millions of people. In an EU-wide survey, 17% of UK Internet users said they had been the victim of credit card or online banking fraud, which was the worst in the EU. Some of the costs of fraud are borne by the merchants. Others are passed to the victim because the Payment Services Directive allows banks to refuse to refund customers if they can't identify a more likely cause for the fraud than customer negligence.

However, even if all the costs of fraud were paid for by the card companies, the cost they would bear would only make up 0.075% of the value of card transactions. This sum they could comfortably pay from the interchange fees they charge on these transactions, currently set at 0.7% of the transaction value – nearly ten times larger than the costs of fraud.

The Conversation: http://ow.ly/LnQWa

Seeing Your Business Through the Eyes of a Hacker

JP Morgan Chase. Target. Sony. Each has been part of the growing number of cyber-attacks against private companies around the world in recent years. In the latter two cases, CEOs were forced to resign in the wake of the breach. Attacks are growing more sophisticated and more damaging, targeting what companies value the most: their customer data, their intellectual property, and their reputations.

What these attacks, together with breaches to defense, law-enforcement, and military-contractor networks, reveal is that our cyber-security efforts over the last two decades have largely failed, and fixing this will require the attention not only of security officers and IT teams, but also of boards and CEOs.

Companies need to take a new approach. They can do so by looking at themselves through the eyes of their attackers. In the military this is called turning the map around. The point is to get inside the mind of the enemy, and to see the situation as they do, in order to anticipate and prepare for what's to come.

Unfortunately, this mindset is still too rare. Despite spending billions of dollars every year on the latest security products and hiring the best security engineers and analysts, companies are more vulnerable than they've ever been. Two trends account for this: the rapid convergence of enterprise IT architectures, and the proliferation of increasingly sophisticated adversaries.

Changes in enterprise IT over the past decade mean that every company is now a technology company. By the end of the decade, there will be 50 billion devices connected to the Internet, complicating networks and generating petabytes of data. To add to that, the cloud revolution has finally dissolved perimeters – companies enjoying the benefits of infrastructure as a service must depend upon the security of networks and systems beyond their direct control.

As mobility, the Internet of Things, and the cloud change enterprises, adversaries are also becoming more sophisticated. States and state-sponsored entities spy on and attack private companies, often using military-grade tactics and capabilities. They do this within a system where offense enjoys a structural advantage over defense because attribution is difficult, deterrence is uncertain, and attackers need to succeed only once, but defenders must succeed always.

Most companies try to deal with this chaos by parsing signal from noise. They build walled castles around their most precious assets, but perimeters don't matter when even the average college student owns seven IP-enabled devices. They rely on automated alerts to tell them when something malicious on their networks matches some previous bad event, but this approach overwhelms them with red flags while remaining blind to new and previously unknown threats.

There's just too much noise to contend with. Security analysts, for example, may see a thousand incidents in a given day, but only have the time and resources to investigate a fraction of them. This is why hackers were able to exfiltrate over 40 million credit-card numbers from Target, despite the fact that a peripheral network device had detected the malware. It's also the reason why Neiman Marcus was hacked after its system generated over 60 days' worth of malware alerts. And this is why Sony was hacked after its IT team knew the company had been under attack for two years.

By turning the map around, executive teams can learn a great deal about their own companies, and better prepare for the inevitable attacks. This is how most companies look from an attacker's perspective:

  1. Their security is overwhelmingly focused on generic malware detection and protection against automated threats that aren't being guided with precision.
  2. They don't have a full picture of what is on their networks, the cloud services they're using, the applications running on those services, and the security postures of their supply chains and partners.
  3. Their IT and security teams are peripheral concerns, costs to be managed rather than centers of excellence that support the core business.
  4. Overall, they are reactive, rather than proactive, in their approach to security.

Each bullet-point above is a weakness that attackers can exploit. This is why companies should learn from attackers in deciding how to defend themselves. Here's how.

1. Understand your major risks and how adversaries aim to exploit them. If security could be calculated, then adversaries would be the numerator. Companies must understand their unique threatscapes to the greatest possible extent, and generic data are insufficient. Effective security must integrate indicators of compromise (have we been attacked?), tactics, techniques and procedures (how are we being targeted?), identity intelligence (who would target us, and why?), vulnerability intelligence (what is being exploited in the wild?), and attack attribution (is this commodity or targeted?). Only with focused threat intelligence can analysts spend their precious and valuable time investigating the most important incidents, prioritizing those associated with your most formidable adversaries and your greatest business risks. You can go crazy (and broke) trying to play Whack-A-Mole in defense against them all. Instead, identify your most essential assets and focus scarce resources only on those threats that actually pose a risk to your company.

2. Take inventory of your assets and monitor them continuously. If security could be calculated, then inventory would be the denominator. At the simplest level, companies must identify and monitor all of their interconnected assets: is a developer spinning up a thousand virtual machines without your knowledge? What applications are running on the database servers holding your most valuable information? Did an employee connect a new device to your corporate network? Does one of your distant subsidiaries have a new partner? Does your HVAC system connect somehow with your Point of Sale? Periodic assessments, reports that take weeks to prepare, and conclusions that require complex interpretation contribute to gaps in security. Companies must maintain a dynamic, real-time inventory of assets, monitor those assets continuously, and render them visually in a way that is simple and intuitive for security and operations teams.

3. Make security a part of your mission. The prevailing approach to security is compliance-focused, cost-constrained, peripheral to the core business, and delegable by C-suite leaders. Working on a team like that isn't fun inside any enterprise, and it loses against 21st-century adversaries who know that it's more fun to be a pirate than to join the Navy. Any defense is only as good as the people doing the defending. The new model of security needs to be about mission and leadership, ensuring that we have the best defenders up against the best attackers. Security is no longer delegable, and the mission of security teams must be synonymous with the mission of the company.

4. Be active, not passive, in hunting adversaries on your network and removing them. The term "active defense" has been tarred as a euphemism for "hacking back," and companies are ill-advised to go on the offensive: first, it's illegal to access others' networks without permission, even if you're acting in supposed self-defense; and second, it's just not smart to escalate unless you can dominate, and even the biggest companies will ultimately lose against state or state-sponsored adversaries. So while you cannot go attack the other team on their own turf, you can and increasingly must be active against adversaries inside your own networks. This means assuming not merely that you are under attack, but that your attacker is in, and so you must hunt for a stealthy, persistent human adversary in order to contain and remediate the risk before they can cause damage – dramatically cutting the time between breach and detection from its current average of more than 200 days.

It is easy during these days of frequent and devastating attacks to cry out that the sky is falling, and that the very future of the Internet as a trusted domain of commerce and communication is at stake. But it would be wrong to extrapolate the data points of recent years into a line leading to ruin. Too many of us have too much at stake here, and the combined forces of executives, entrepreneurs, software developers, security teams, and investors all turning the map around can equip us to defend against this next generation of adversaries.

HBR: http://ow.ly/LnSJx

Cyber Insurance: Worth the Money?

Cyber security concerns and massive data breaches are part of our daily news cycle. As a result, companies of every size and industry are carefully examining their cyber security preparedness, both as a matter of good business and because they are being forced to do so by regulators and their customer and client base. An integral part of that self-reflection process is (or at least should be) the availability of insurance coverage for the risks presented by security breaches.

Some companies have purchased "dedicated" cyber insurance policies that provide coverage for first-party and third-party risk exposures. Other companies are still in the evaluation phase and are appropriately wondering whether such policies are needed, and, if so, whether insurers are paying claims under them.

Are We Covered for That?

At present, the only meaningful generality that can be made about the scope of coverage available under a dedicated cyber policy is that there is no "standard" coverage available. Several different insurers are offering cyber liability coverage and the nature of what is covered versus what is not varies significantly.

In addition, many of these policies include a series of coverage enhancements that can be added to the policy, sometimes at no additional premium. But the policyholder must be a savvy consumer who makes the right "ask" and has a good handle on the risks that it is seeking to insure.

For example, some insurers are willing to provide coverage for PCI-DSS assessments while other insurers are not. Moreover, many insurers willing to provide coverage for this type of claim will not provide "full limit" coverage for the risk exposure and instead will place a "sub-limit" for such claims.

The insurer's willingness to provide this coverage, and the extent of limit available for it, will depend on the number of records handled, the strength of the insured's existing procedures to prevent security breaches, and the data breach claims history.

We are still in the very early stages of evaluating the claims history associated with cyber insurance policies. For the past several years, insurers have been grappling with how to underwrite the risks that will be insured, how to offer the "right" limits, and how to appropriately price the policies, both in terms of premiums and self-insured retentions.

So far, there is anecdotal evidence to support the proposition that some of the headline-grabbing data breaches involved recovery of at least some cyber insurance. But we have not yet seen the emergence of hotly contested coverage litigation associated with new cyber insurance policies. Rather, most court battles addressing security and data breaches continue to focus on the availability of coverage under "traditional" insurance policies.

In some instances, we have seen insurers pay a claim because there was an extremely low sub-limit and the insurer recognized that the scope of the loss far exceeded any coverage fight worth having. In other instances, we have seen policyholders manage the size and scope of the risk to a level that stays within the (often very high) self-insured retention such that the insurer is not required to pay.

But earlier this year, there was an interesting lawsuit filed that suggests insurers may be prepared to pay their insureds' claims and then pursue recovery from responsible third parties. In that case, Travelers Casualty and Surety Co. of America paid a claim submitted by its policyholder for a security breach that resulted from a hacking event.

The policyholder, Alpine Bank, had hired a professional designer to design the company's website and maintain the host server. Hackers accessed the website and gained entry to customer information. As a result, the policyholder was required to incur significant breach-notification costs.

Travelers paid the claim and then sued the designer, alleging that the designer failed to place basic anti-malware software on the server and failed to maintain adequate encryption controls over the customer data. It is premature to predict the outcome of the lawsuit. Nevertheless, it does offer some hope that insurers intend to stand by the coverage provided under cyber policies and then take up the fight to pursue responsible third parties for breach events.

There are two critically important steps that companies must take to maximize the likelihood and amount of their insurance recovery under cyber policies.

First, companies must take great care to conduct detailed and comprehensive due diligence during the application process of buying the cyber policies. Many insurers are requiring prospective insureds to supply a warranty letter along with a formal insurance application before issuing the cyber policy. Policyholders are well served to provide more information from the appropriate constituencies in connection with these requirements. Robust disclosure will reduce an insurer's attempt to cry "foul" after a loss has occurred.

Second, companies must understand the importance of providing timely written notice after a loss, even if the loss may not exceed the retention. The new cyber policies are written on a "claims-made" basis such that a delay in providing notice of the claim may result in complete forfeiture of coverage. Moreover, insurers will not give credit to dollar amounts spent against the retention unless and until they are on notice of a claim.

CFO: http://ow.ly/LnRBK

Proactive Cyber Security Strategies Improve Security Effectiveness

New research from Accenture and the Ponemon Institute sheds light on the success factors of companies that have improved their cyber security strategies, resulting in quantifiable business benefits. The research shows that proactive strategies can improve and expand on value delivered to the business.

Of the nearly 240 companies surveyed as part of the global research, those with a more proactive security stance saw their security effectiveness score improve by an average of 53 percent over a two-year period, while non-proactive companies only achieved a change of 2 percent. The report, "The Cyber Security Leap: From Laggard to Leader," looks at how companies can achieve better security performance while facing an ever-changing number of threats and is the result of a collaborative study conducted by Accenture and the Ponemon Institute.

The research focused on organizations that fit into one of two categories based on how they address security: 'Leapfrog' companies, which align security with business goals, focus on security innovation and proactively address potential cyber security threats; and 'Static' companies, which focus more on cyber security threat prevention and compliance.

For instance, 70 percent of Leapfrog companies have a company-sanctioned security strategy, compared with just 55 percent of Static companies. In addition, the report's probability estimates indicate that the perceived likelihood of material data breaches has decreased over time by 36 percent for Leapfrog companies but only by 5 percent for Static companies.

The research outlines how Leapfrog organizations are more effective than Static organizations at addressing security across three important areas:

Strategy: Leapfrog companies establish a security strategy that places a high value on innovation and is aligned with business requirements. These companies see innovation as an important driver in developing sustainable strategies that adapt to keep pace with evolving business requirements to deliver effective security measures at scale, anywhere. Additionally, 62 percent of Leapfrog companies outsource core security operations in order to gain access to advanced technology and experience resources, versus 47 percent of Static companies.

Technology: Leapfrog companies seek to develop security capabilities that enhance the user experience and productivity. To do this, they look at technology that can facilitate the organization's digital uptake and improve the ability to counter advanced threats. This consists of embracing disruptive technologies brought to light by business users, instead of restricting or locking down the use of newer technologies.

Governance: The report found that leapfrogging ahead in security effectiveness requires strong leadership and business alignment, with the correct governance measures in place. This may require that a company's Chief Information Security Officer (CISO) have the authority to define and manage the company's security strategy, with a direct communications channel to the CEO and the board. Nearly three-quarters (71 percent) of Leapfrog companies have a CISO tasked with defining security strategies and initiatives. Within Static organizations, governance and controls are less effective, and security is viewed as a trade-off with employee productivity.

"Our research shows that defending your business is a dynamic, strategic activity," said Mike Salvino, group chief executive – Accenture Operations. "To protect the business, security measures must be both proactive and adaptive, allowing your customers in, but keeping threats at bay. These findings underscore our commitment to helping companies move into the Leapfrog category by building a strong cyber security presence based on intelligent, insight-driven security efforts that increase confidence and trust, and improve business performance."

Larry Ponemon, CEO of the Ponemon Institute, said, "Companies looking to increase their security effectiveness can apply lessons learned from the Leapfrog companies to make a significant positive impact on their security. Starting with the C-suite, it's time to champion and achieve a strong stance on security–effectively communicating with all employees. By holding everyone accountable for achieving security objectives, you will eliminate security silos within your organization."

Accenture: http://ow.ly/LnSd5

You Really Should be Spending More on Security

Many CIOs endanger their companies simply by not spending enough on security.
That may seem odd to posit, given that a recent Pricewaterhouse Coopers survey found that businesses now spend a higher percentage of their IT budgets on security than ever before. According to the survey, large organizations spend an average of 11 percent of their IT budgets on security while small businesses spend nearly 15 percent.

But if you consider the proportion of the overall IT budget that businesses allocate to security, you'll find a red herring. That's because the purpose of spending money on IT security — aside from ticking regulatory compliance boxes — is to reduce the risk of a security breach to an acceptable level. The amount of spending required to achieve this is not connected to overall IT spending in any way.

In the most basic terms, security risk is the product of the cost or financial impact of a security breach and the likelihood that a breach occurs. In other words, Risk = Cost x Likelihood.
It was this equation that led Sony's senior vice president of information security, Jason Spaltro, to point out back in 2007 that "it's a valid business decision to accept the risk" of a security breach, adding, "I will not invest $10 million to avoid a possible $1 million loss."

Sony may have made some spectacular miscalculations in terms of cost and likelihood, but Spaltro's economic argument for allocating resources to security is sound: There is no point in making any investment — in security or anything else — if the greatest possible return is less than the amount invested.

But let's get back to the initial idea that companies don't spend enough on security. What the Sony security breach taught us is that most companies wildly underestimate the likelihood of a breach in their future.

Sony bases its estimates on events from the past; but in recent months, it's become evident that the security landscape has fundamentally changed.

In the past most security breaches were carried out by criminal hackers with limited resources and motivated by financial gain. This meant that their targets would yield financially valuable spoils such as credit card details, and if a target's defenses were too troublesome to overcome, the hackers would simply move on to another promising target with less-effective defenses.

It's like being chased by a bear: you only need to run faster than your buddy. Having reasonable security measures in place was therefore enough for many companies to ensure that hackers would move on and attack someone else.

The Sony attack was likely carried out by foreign-government-sponsored hackers or perhaps even military personnel. This is according to James Lewis, a security expert at the Center for Strategic and International Studies in Washington, D.C.

These types of attackers are highly skilled and have enough resources to breach any security defense they want to. And because it seems that they are motivated beyond money, such as the desire to cause financial or reputation damage, for example, there is no strong incentive for them to move on to the next target unless the defenses they encounter are high.

"Criminals are opportunistic. They just want to make money. But government-sponsored hackers will just keep trying and won't give up," Lewis says. "The Sony hackers were vindictive. This was not done for money—it was politically motivated, and there was no effort made to sell the data they stole."

If hackers can breach any company regardless of its current defenses and they're interested in getting their hands on everything—not just data they can sell—then the likelihood of a breach has gone up.

But it gets worse. The Sony hack has also taught us that the potential cost of a breach has risen. That's because government-backed hackers aren't looking to steal structured data, such as credit card information or social security numbers. The cost of losing this type of information is well known, and averages $201 per compromised record, according to the Ponemon Institute's 2014 Cost of Data Breach study.

Since hackers are often motivated by scoring political points, or causing a company embarrassment, these hackers look to steal and expose unstructured data, such as emails and other documents. Losing this type of data can lead to a drop in business due to loss of reputation; senior executive resignations, as was the case in the Sony hack due to bad publicity; and legal headaches when confidential information is made public, such as pay differentials for male and female employees who do the same job.

"If you look at liability and the cost of lawsuits, this always turns out to be the most expensive part of a breach," Lewis says.

Because Risk = Cost x Likelihood, and since both the likelihood and cost terms have gone up, risk has increased on both fronts.

The purpose of investing in security measures is to manage security risk and ensure that it is reduced to an acceptable level. But what we've learned from the Sony hack is that the risk is actually higher than we previously believed. To reduce it to an acceptable level requires more investment in IT security.

"I think that most organizations should be spending more on security, but obviously the concern is that even if there is a 5 percent increase in the security budget, it doesn't mean it will be spent wisely," says Rick Holland, a security and risk management analyst at Forrester Research. "One of the biggest problems is chasing silver bullets—buying the soup du jour."

If government-sponsored hackers can break in to any company's IT infrastructure, then increasing spending on perimeter defenses may not be the right route. A more promising approach might be to invest in more effective intrusion detection systems to prevent hackers from exfiltrating data after they have broken in, according to Anton Chuvakin, research director at Gartner.

The good news is that there is new security technology on the horizon, and some of it looks like it will be a worthwhile investment. "Cutting-edge technologies show genuine promise and are already being used by enlightened companies," Chuvakin says. "Analytics may give a huge boost to defenders, as well as machine learning and threat intelligence. It's too early to say 'buy this and you'll win,' but there is definitely light at the end of the tunnel."

CSO: http://ow.ly/LnSlb

US: Comcast Ultra-fast Internet by 2016

In a blog post, Comcast announced plans to offer US Internet speeds of up to 2 gigabits per second to the majority of its nearly 22 million subscribers by the end of the year. That's about twice as fast as the ultra-high-speed service Google is now offering in three US cities, and 80 times as fast as Comcast's standard broadband Internet plan.

"We'll first offer this service in Atlanta and roll it out in additional cities soon with the goal to have it available across the country and available to about 18 million homes by the end of the year," the blog post says.

Most remaining customers who aren't able to take advantage of the two-gigabit service will eventually be offered Google-like one-gigabit speeds over traditional coaxial cable, according to the post.

Google began rolling out its one-gigabit fiber service more than two years ago, saying it wanted to push other ISPs into offering faster Internet speeds. And this is now happening, at least on some level. For Google and others, the hope is that faster speeds will not only improve the performance of today's Internet applications, from Facebook to Netflix, but also engender a whole new wave of more advanced online applications.

The rub is that Comcast's offer may not result in widespread use of high-speed fiber. It must still lay fiber to individual homes, and customers may be asked to incur the cost, which is something they may not be willing to do.

Comcast hasn't discussed pricing for its new service. The company's XFINITY Extreme 505 service costs $399.95 per month and offers speeds of about half a gigabit. However, competition from Google Fiber, which is planned to expand into Atlanta, may drive down prices in some areas. We've already seen this from AT&T, which offers gigabit fiber connections for $70 a month in Austin, Texas, where it competes with Google Fiber, but $110 in Cupertino, where it doesn't.

The real sticking point may be the setup costs. Comcast already has fiber optic pipe running through much of the country, but providing links from these pipes into people's homes, so-called "last mile" connections, could be an expensive process. Google has largely defrayed these costs by focusing on rolling out the service one neighborhood at a time to areas in which many people have signed up in advance.

If Comcast is successful, it could be the first nationwide gigabit capable residential Internet provider. Google Fiber has been expanding into more cities but is still, at present, only available in three metro areas, and is only available in select neighborhoods in those cities.

Wired: http://ow.ly/LnQcA