Cyber Security Intelligence


January Newsletter #4 2015

Snowden says US Creates a black market for Digital Weapons

James Bamford, a journalist, who is working with NOVA on a new film about cyber warfare that will air in 2015, last summer sat down with Snowden in a Moscow hotel room for a lengthy interview, which has now been released. In it, Snowden sheds light on the surprising frequency with which cyber attacks occur, their potential for destruction, and what, exactly, he believes is at stake as governments and rogue elements rush to exploit weaknesses found on the internet, one of the most complex systems ever built by humans.

Edward Snowden says, in the interview with NOVA Next, that the US government wrongly promotes cyber offense strategies at the expense of weakening the system and leaving it open to cyber attacks from the black market.

“We’re creating a class of Internet security researchers who research vulnerabilities, but then instead of disclosing them to the device manufacturers to get them fixed and to make us more secure, they sell them to secret agencies,” Snowden says. “They sell them on the black market to criminal groups to be able to exploit these to attack targets. And that leaves us much less secure, not just on an individual level, but on a broad social level; on a broad economic level. And beyond that, it creates a new black market for computer weapons, basically digital weapons.”

Snowden points out that the White House’s own independent review panels have shown that not a single program has stopped an imminent terrorist attack on the United States. He does not believe the public is aware of just how disastrous these policies could backfire and questions the value of such programs that leave our own information vulnerable.

Snowden also points out that other countries such as Iran are ahead of us in realizing the problem: “But it is important to highlight that we really started this trend in many ways when we launched the Stuxnet campaign against the Iranian nuclear program. It actually kicked off a response, sort of retaliatory action from Iran, where they realized they had been caught unprepared. They were far behind the technological curve as compared to the United States and most other countries. And this is happening across the world nowadays, where they realize that they’re caught out. They’re vulnerable. They have no capacity to retaliate to any sort of cyber campaign brought against them.”

We spend much more on research and development, compared to the rest of the world. So when it comes to our cyber security says Snowden, “We have more to lose than any other nation on Earth.”

Snowden said he didn’t want to overhype the problem, “Nobody’s going to press a key on their keyboard and bring down the government.” But he did emphasize that the threats from foreign governments were real and that we should be focusing more on the defense of our own information than focusing on others.

Snowden was interviewed for NOVA Next from Russia, where he has lived since releasing documents showing the US had been spying on citizens through several technology companies. He is wanted in the US on criminal charges for theft and misuse of classified information. Snowden dismissed former CIA director Michael Hayden’s predictions that he would wind up a sad and miserable drunk in Russia. Snowden said he only drinks water and that the country was actually great.

Critical Infrastructure: UK and US Power Grids - Under Cyber Attack Every Minute

The UK government is one step ahead of hackers trying to turn off the country’s lights, for now. The prospect of cyber-attacks on the nation’s power network is a major threat to the country’s security, according to James Arbuthnot, a member of parliament who chaired the Defense Select Committee until last year. He plans to visit National Grid Plc. (NG/) next month to discuss the issue.

Britain’s electricity transmission network is constantly subject to cyber-attack and threats to infrastructure will remain high over the next few months, the nation’s Computer Emergency Response Team statistics show. More resources are being funneled towards combating the attempted intrusions: the Cabinet Office said on Dec. 12 it is increasing spending on its cyber-security program to 860 million pounds ($1.3 billion) from an original 650 million pounds planned over four years from 2011.

Cyber-attacks on critical infrastructure are an increasing threat across the globe, according to Moscow-based security firm Kaspersky Lab, which advises governments and businesses. Revelations of an oil pipeline explosion in Turkey orchestrated by computer in 2008 and the attack on Sony Pictures Entertainment demonstrate the increasing ability of hackers to penetrate IT systems. An attack on the grid would be uniquely destructive since the economy would cease to function without it, Arbuthnot said.

The US grid was successfully hacked in November by several foreign governments, likely Russia, Iran and China, leaving it vulnerable to physical damage, the National Security Agency said. A report by Mountain View, California-based cyber-security company SentinelOne predicts that such attacks will disrupt American electricity in 2015.

NSA Director on Sony Hack: ‘The Entire World is Watching’

Picture: Adm. Michael Rogers, commander of the U.S. Cyber Command and director of the National Security Agency, testifies during a hearing before the House Select Intelligence Committee on Capitol Hill in Washington, DC

National Security Agency Director Admiral Michael Rogers expressed support Thursday for the United States’ economic sanctions against North Korea in response to the hack on Sony Pictures Entertainment, and called the attack against the movie studio a “game changer” for cybersecurity.

“Sony is important to me because the entire world is watching how we as a nation are going to respond to this,” Rogers said Thursday at the International Conference on Cyber Security in New York. “If we don’t name names here, it will only encourage others to decide, ‘Well this must not be a red line for the United States.’”

After naming North Korea responsible for the attack against Sony, the U.S. announced sanctions last week against 10 individuals and three organizations in North Korea, including the state’s main intelligence agency and its primary arms exporter. The sanctions effectively denied them access to U.S. financial systems.

In his address at the conference, Rogers endorsed the U.S. response to the Sony attack, implying the U.S. government should have a key role in responding to some cyberattacks on private companies. “I don’t think it’s realistic” for private companies “to deal with [cyberattacks] totally by themselves,” he said.

Rogers said that hacks against private companies may require economic sanctions. “Merely because something happens to us in the cyber arena, doesn’t mean that our response has to be focused in the cyber arena,” he said. “I was very happy to see what we as a nation state decided to do,” referring to the response to North Korea.

He also expressed skepticism about so-called “hack backs” in which private companies strike back against hackers, saying they risk “fratricide” by escalating cyber attacks between nation states and institutions.

The NSA was asked to examine malware used in the Sony hack and played a supporting role in determining its origins, Rogers said. The November hack brought down the studio’s networks and resulted in the leaks of terabytes of files including unreleased films and employee Social Security numbers. President Obama said last month the U.S. would launch a proportional response to the attack.

Rogers said North Korea was responsible for the hack against Sony Pictures Entertainment, reaffirming government claims despite doubts among some cybersecurity experts. “I remain very confident: this was North Korea,” Rogers said.

The remarks come a day after FBI Director James Comey said North Korea was “sloppy” in concealing the attack and said he had “high confidence” the hermit state was responsible.
Some cybersecurity experts have argued that the evidence North Korea is behind the attack is inconclusive, noting that the hack may have been the work of disgruntled employees or criminals.

Rogers also urged Congress to pass legislation that would encourage information sharing between private companies and the government on cyber threats.

Macro-based malware is making a comeback

For the past several months, different groups of attackers have distributed malware through Microsoft Office documents that contain malicious macros, reviving a technique that has been out of style for more than a decade.

Macros are scripts that contain commands for automating tasks in various applications. Microsoft Office programs like Word and Excel support macros written in Visual Basic for Applications (VBA) and these can be used for malicious activities like installing malware.

To prevent abuse, Office XP (released in 2001) and later versions ask the user for permission before executing unsigned macros embedded in a file. That prompt is the primary reason attackers stopped using macros in favor of other malware distribution methods. However, it seems that when coupled with social engineering the technique can still be effective, and some cybercriminal groups have recently started to exploit that.

"The Microsoft Malware Protection Center (MMPC) has recently seen an increasing number of threats using macros to spread their malicious code," malware researchers from Microsoft said in a blog post last Friday.

Two such threats that primarily target users in the U.S. and U.K. and whose activity peaked in mid-December are called Adnel and Tarbir. Both are distributed through macros embedded in .doc and .xls documents that are delivered via spam emails and typically masquerade as receipts, invoices, wire transfer confirmations, bills and shipping notices.

When opened, the documents provide victims with step-by-step instructions on how to enable the untrusted macros to run, the Microsoft researchers said. "The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button."

Another malware program that's being distributed through macros is called Dridex and it targets online banking users. At their peak in November, the Dridex-related spam campaigns distributed up to 15,000 documents with malicious macros per day, according to researchers from security firm Trustwave.

The documents posed as invoices from software companies, online retailers, banking institutions and shipping companies and some of them had instructions on how to enable the macros to run, the Trustwave researchers said Tuesday via email.

It's not just cybercriminals who began using the macros technique again, but also state-sponsored attackers. Researchers Gadi Evron and Tillmann Werner recently presented their analysis of a cyber espionage operation dubbed Rocket Kitten at the Chaos Communication Congress in Hamburg. The attackers targeted government and academic organizations in Israel and Western Europe using spear-phishing emails that contained Excel files with malicious macros. When run, the macros installed a sophisticated backdoor.

Another cyber espionage campaign that used Word documents with malicious macros was CosmicDuke, which was uncovered in September and targeted at least one European Ministry of Foreign Affairs. "It's heartwarming to see how kind the attackers are: when you open the email attachment, the Word document helps you enable macros by instructing you to click 'Enable Content'," researchers from F-Secure said Wednesday in a blog post discussing connections between the CosmicDuke, MiniDuke and OnionDuke malware programs.
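The campaigns above all hinge on the victim enabling a VBA project that is physically present in the attachment, so a mail gateway or triage script can flag such documents before a user ever sees the "Enable Content" button. The following Python scanner is an added example written for this newsletter, not code from Microsoft, Trustwave or F-Secure: it classifies a file by its container (OOXML zip or legacy OLE binary) and reports the evidence of an embedded VBA project. The OLE check searches the raw bytes for the UTF-16LE storage names Word ("Macros") and Excel ("_VBA_PROJECT_CUR") use, which is a heuristic rather than a full OLE directory walk; the sample documents are constructed in memory and contain no actual macro code.

```python
import io
import zipfile

# Magic bytes for the two Office container formats.
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx, .docm, .xlsx, .xlsm)
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"    # legacy binary (.doc, .xls)

# OLE directory entry names are stored as UTF-16LE. Word keeps its VBA project in a
# storage named "Macros"; Excel uses "_VBA_PROJECT_CUR". Searching the raw bytes for
# these names is a heuristic (assumption: good enough for triage; a full parser would
# walk the OLE directory instead).
OLE_VBA_MARKERS = {name: name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT_CUR")}
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def scan_office_document(data: bytes) -> dict:
    """Classify the container and report whether it carries a VBA project."""
    if data.startswith(ZIP_MAGIC):
        return _scan_ooxml(data)
    if data.startswith(OLE_MAGIC):
        return _scan_ole(data)
    return {"format": "unknown", "has_macros": False, "evidence": []}


def _scan_ooxml(data: bytes) -> dict:
    evidence = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # A macro-enabled OOXML package carries the VBA project as a binary part...
            evidence += [n for n in names if n.lower().endswith("vbaproject.bin")]
            # ...and declares that part's content type in the package manifest.
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                evidence.append("[Content_Types].xml declares a vbaProject part")
    except zipfile.BadZipFile:
        return {"format": "ooxml-corrupt", "has_macros": False, "evidence": []}
    return {"format": "ooxml", "has_macros": bool(evidence), "evidence": evidence}


def _scan_ole(data: bytes) -> dict:
    evidence = [f"OLE storage name '{name}'" for name, raw in OLE_VBA_MARKERS.items() if raw in data]
    return {"format": "ole", "has_macros": bool(evidence), "evidence": evidence}


# --- Constructed samples: only the container features the scanner keys on, no macro code ---

def make_sample_ooxml(with_macro: bool) -> bytes:
    """Minimal OOXML-style zip; with_macro adds the VBA part and its manifest override."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = b'<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            ct += (b'<Override PartName="/word/vbaProject.bin" '
                   b'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project bytes\x00")
        ct += b"</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


def make_sample_ole(with_macro: bool) -> bytes:
    """Fake legacy .doc: real OLE magic, then a UTF-16LE 'Macros' entry name if requested."""
    body = b"\x00" * 64 + "WordDocument".encode("utf-16-le")
    if with_macro:
        body += b"\x00" * 16 + "Macros".encode("utf-16-le")
    return OLE_MAGIC + body


if __name__ == "__main__":
    samples = [("clean docx", make_sample_ooxml(False)), ("macro docm", make_sample_ooxml(True)),
               ("clean doc", make_sample_ole(False)), ("macro doc", make_sample_ole(True))]
    for label, sample in samples:
        print(label, scan_office_document(sample))
```

A gateway that uses this would quarantine or strip anything reported with `has_macros` true regardless of its file extension, since a .doc renamed to .docx still starts with the OLE magic and a .docm still carries its vbaProject part.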

New institute to train cyber security talent

An institute for training network and information-security talent has been established at Xidian University in Xi'an, Shaanxi province, to bolster national security.

Chen Zhiya, Party secretary of Xidian University, said the institute, established on Dec 31, would focus on network and information security, which are key components of national security.

"The institute has two State-level professionals in information security and network engineering, and information-security disciplines for training doctoral and master's degree students," Chen said.

"We will train leading talent engineering and technical personnel in the field of network and information security to meet our country's strategic need to safeguard the development," he said.

The institute will enroll its first students in the summer, he said.

Xidian University is an important training base for cryptography and information-security research.

In recent years, attacks by hackers have targeted industrial control systems and various information service systems. Cases of online theft and fraud have increased sharply, causing serious harm to the interests of the State, business enterprises and citizens at all levels.

At present, more than 50 countries have devised a network security strategy. China also established its central network security and information technology group in February, with President Xi Jinping as its head, in order to respond to the challenges in the field of network and information security.

Plans to Conquer: Chinese Internet Giant Tencent targets Silicon Valley

Picture: Senior executive vice president of Tencent, SY Lau

Tencent is the Chinese Internet giant to rival Silicon Valley's titans. It not only owns China's most-used internet portal, but is the fifth biggest publicly traded internet company in the world on a revenue basis, behind Amazon, Google, eBay and Facebook.

Its most well known property in the West is probably WeChat, which is the most-used mobile app in China with more than 468 million users worldwide. The company's ascendancy since it first listed on the Hong Kong Stock Exchange in 2004 has also been driven by a diverse mix of other products, services and subsidiaries such as games portal QQ Games, search engine SOSO, micro blogging service Tencent Weibo and the TenPay online payment system.

Despite its gargantuan proportions, Tencent usually receives only moderate press coverage in the West. But the company is increasingly forging ties with Western brands, such as Burberry, Nike and the BBC, as Tencent looks to international shores to fuel its growth outside its native China.

Business Insider got the chance to throw some questions at SY Lau, the senior executive vice president of Tencent and president of its online media group, about what 2015 will look like for the company and what founding beliefs have set Tencent up for success.

“I think there is an awareness of Tencent, but not the understanding outside those that we work with. The number of Western brands that choose to partner with us around their international marketing and business expansions in China is great, companies like Burberry, Nike and Intel have chosen Tencent as their partner for social and mobile marketing.

“Where we see more opportunity is due to the growth of mobile Internet access across China. Tencent provides a portal for companies to reach and interact with their audiences. The biggest challenge in China has always been the size of the country, and traditional marketing approaches were beyond the reach of those businesses that are in rural locations. Today, companies can take advantage of online and mobile services to market themselves in smarter ways.

“This is not just marketing itself. I presented recently on how tea-producing companies in the Fujian region are now able to sell what they produce on a national or a global level, rather than just local. The impact of this was huge – the per capita income for the region went up. According to figures from the National Bureau of Statistics in China, one village took its per capita income up to 13,800 RMB. Compared to the national average of 8,896, this is a big increase. It puts the village alongside more affluent urban areas.

“This is the kind of market development that we make possible. As more people find out about this kind of story, they will be more interested in how Tencent makes this possible.

“Tencent is also an international company today and we see opportunity around the world, whether this is for our own apps like WeChat or for partnership and investment in Western businesses. I think WeChat is possibly the most recognizable brand for those in the US or UK.

“Tencent supports other famous brands around the world in markets like gaming and social. Companies like Epic Games and Riot Games are owned by Tencent, while we have our own gaming IP that is successful in China.

“Tencent’s business approach is built on the philosophy of Sun Tzu, the great strategist and writer of “The Art of War”: Those who succeed always understand, and make the best use, of any situation.

“Disruption is inevitable and as such cannot be resisted. Rather it should be embraced and adaptation must follow. You can have the best idea in the world, but if the market is not ready then your innovation will fail.

“For Tencent as a company, we place trust in the judgment of our customers and adapt to them. To use an idiom, businesses must learn to roll with the punches. We always try to observe and understand the changes in digital and technological development first, and based on what we have learned, we adjust our direction to flow with it.

“The biggest shift here is how companies take advantage of the Internet to equalize supply and demand. Previously, companies would not have access to customers without spending heavily to market themselves. Similarly, customers might find it difficult to get information on what the new trends are that are taking place in the major cities. Now, both sides of the buyer-seller relationship can find it easier to find each other.

“We signed a partnership with BBC Worldwide two years ago to bring famous British brands like Sherlock to China. Now we have more US and UK-based production companies added to our networks. We are investing in more of our own local content as well. Tencent is the exclusive online partner for a range of local TV brands in China, as well as creating our own programmes.”

How Fraud & Cyber Security Will Evolve in 2015

Banks need to implement new security measures and tactics, and fraudsters are sure to respond by changing their operations.

When news broke of the Target breach in December 2013, it was a fitting precursor for what was to come in 2014. A Ponemon Institute survey released in September found that 43% of US companies had experienced a security breach in the past year. Big names were impacted, including eBay, American Express, JPMorgan Chase, and the Home Depot. And with the big names came big headlines. The rhythm of breaches, headlines, and reactions was unrelenting.

So that was 2014. And 2015 will likely be more of the same. "It's hard to imagine that enough organizations will be able to fortify their defense over the next year to see a significant decrease in successful attacks," Colin McKinty, head of cyber security strategy at BAE Systems Applied Intelligence, told us.

The big question of 2015 isn't whether there will be just as many attacks, he said; it's whether organizations will start responding better. "Leadership teams at financial services organizations need to understand that today's approach for cyber security must be based on detection of attacks and preventing the criminals from leaving with key assets." That means investing in solutions that help detect and contain intrusions quickly. Last year, the mean time to detection for a data breach was eight months, Hewlett-Packard's security head Art Gilliland said in an interview with Fortune.

Ryan Wilk, director of customer success at NuData Security, has said that, in addition to having a containment plan in place for a breach incident, banks need to be better at monitoring vulnerable access points. "For instance, look at VPN. Companies can use that, but it can be vulnerable. You're just putting access out there on the Internet. You need intel from that kind of access point to get visibility into unusual behavior."

Companies should also try to move away from an Active Directory type of access model in their own networks, Wilk said. The Target hackers were famously able to gain access to customer data and credit card credentials by acquiring admin credentials to the network's Active Directory, allowing them to bypass firewalls and other security measures.

Organisations also need to get better at identifying whether users logging in really are who they say they are, Wilk said. That will require using multiple authentication methods and data points that can be applied depending on the risk involved in a certain login or activity.
Banks "need to use multiple inputs to get a deep view of who the user is," he said. "They need to know who comes in, and look them up and down, and pull together an ID based on behavioral analytics, device analytics, and biometrics."

That issue of knowing who is logging in extends beyond banks' networks to their customers' accounts. Wilk has predicted that customer account takeover-attacks will substantially increase in 2015, because fraudsters are getting so good at them. "They're very sophisticated around how they test accounts to get in, and you can buy pre-tested account usernames and passwords now."

Bob Olson, vice president of global financial services at Unisys, said banks will have to leverage multiple authentication methods and data sources with customer logins, like they should with those logging into their own networks.

"If you look at the Internet of Things, more and more things will have access to the Internet and to financial services accounts and credentials," he said. "There will have to be a shift towards a 'Bring Your Own Identity' approach [with a profile] that leverages biometrics, IP addresses, and analytics on the backend."

The challenge for banks in implementing such an authentication approach will be in delivering it across different channels, Olson said. "Banks will have different vendors for authentication in different channels, but they need a framework that goes on top of that and can be dialed up or down when needed. And it will also need to incorporate device-specific authentication like GPS."

In the near future, he said, regulators will likely assign new customer authentication guidelines for banks. "One treasury management executive recently told me that his organization already has funds set aside for new authentication methods that regulators will require. They are going to mandate something imminently."

As new authentication methods are picked up by the industry and EMV is rolled out in the US ahead of the October liability shift, banks can expect fraudsters to look for new attack vectors and targets, according to Mary Ann Miller, senior director and fraud executive adviser for industry relations at NICE Actimize.

"When the US market matures [with EMV adoption], 85-90% of global card transactions will be chip-and-PIN," Miller said. "So fraud will transition as crooks look to replace that revenue. The more sophisticated ones will move to digital identity theft and account takeover. Those that are less so will move to check fraud."

As those fraud shifts take hold, banks should look to set up a central fraud observatory or hub that can track trends across channels and lines of business. This will enable institutions to track and react as fraudsters look for new vulnerabilities. "Banks should put together an integrated technology platform that looks at logins, changes in addresses and other customer information, and transactions," she said. "They need to start to look at customer protection holistically and whittle down silos for a centralized approach."

Fraudsters will also have to change targets as EMV rolls out and retail consumer cards stop being the easiest pickings, Miller said. First, fraudsters will look to take advantage of slow EMV adopters -- banks that haven't migrated their portfolios and merchants that haven't upgraded their point-of-sale terminals. "Then we will also see more attacks on private banking and commercial banking. That's where we see the large money movements, and that's what the fraudsters are after."

To better secure those large transactions, banks need to look at events leading up to the initiation of the transaction. "Was there a change in the beneficiary's info, for instance? Banks need to look at those precursor events and risk-score those to raise red flags before the money has moved."
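Wilk's point about pulling together an identity from behavioral and device signals, Olson's "dialed up or down" framework, and Miller's precursor events all describe the same mechanism: a risk score per login or transaction that decides whether to allow, step up authentication, or hold. The Python below is an added example for this newsletter, not code from NuData, Unisys or NICE Actimize, and every weight, threshold, look-back window and scenario in it is an assumption constructed for illustration. It shows how a recent beneficiary change or password reset raises the score more the closer it sits to the money movement, and how device and network signals stack on top.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative weights and thresholds (assumptions for this example, not figures from the article).
PRECURSOR_WEIGHTS = {
    "beneficiary_changed": 40,   # payee added or edited shortly before a transfer
    "address_changed": 25,
    "contact_changed": 25,       # phone or e-mail used for confirmations
    "password_reset": 30,
}
LOOKBACK = timedelta(days=7)     # precursor events older than this no longer count
NEW_DEVICE_POINTS = 20
FOREIGN_IP_POINTS = 15
LARGE_AMOUNT = 10_000
LARGE_AMOUNT_POINTS = 10
STEP_UP_AT = 30                  # require a second factor
HOLD_AT = 60                     # hold the payment and verify out of band


@dataclass
class AccountEvent:
    kind: str
    when: datetime


@dataclass
class TransferRequest:
    amount: float
    when: datetime
    device_id: str
    ip_country: str


def risk_score(req, history, known_devices, home_country):
    """Combine precursor events with device and network signals; return (score, reasons)."""
    score, reasons = 0, []
    for ev in history:
        age = req.when - ev.when
        if ev.kind in PRECURSOR_WEIGHTS and timedelta(0) <= age <= LOOKBACK:
            # A change made today counts fully; one made a week ago counts for nothing.
            freshness = 1 - age / LOOKBACK
            pts = round(PRECURSOR_WEIGHTS[ev.kind] * freshness)
            score += pts
            reasons.append(f"{ev.kind} {age.days}d before transfer (+{pts})")
    if req.device_id not in known_devices:
        score += NEW_DEVICE_POINTS
        reasons.append(f"unrecognised device {req.device_id} (+{NEW_DEVICE_POINTS})")
    if req.ip_country != home_country:
        score += FOREIGN_IP_POINTS
        reasons.append(f"request from {req.ip_country}, home is {home_country} (+{FOREIGN_IP_POINTS})")
    if req.amount >= LARGE_AMOUNT:
        score += LARGE_AMOUNT_POINTS
        reasons.append(f"amount {req.amount:.0f} >= {LARGE_AMOUNT} (+{LARGE_AMOUNT_POINTS})")
    return score, reasons


def decide(score):
    """Dial the control up or down with the score."""
    if score >= HOLD_AT:
        return "hold_and_verify"
    if score >= STEP_UP_AT:
        return "step_up_auth"
    return "allow"


def assess(req, history, known_devices, home_country):
    score, reasons = risk_score(req, history, known_devices, home_country)
    return decide(score), score, reasons


# Constructed scenarios for one customer whose home country is "US".
NOW = datetime(2015, 1, 20, 10, 0)
KNOWN_DEVICES = {"laptop-1"}
ROUTINE = (TransferRequest(500, NOW, "laptop-1", "US"), [])
STEP_UP = (TransferRequest(2_000, NOW, "tablet-2", "US"),
           [AccountEvent("address_changed", NOW - timedelta(days=3))])
TAKEOVER = (TransferRequest(25_000, NOW, "phone-9", "RO"),
            [AccountEvent("password_reset", NOW - timedelta(days=2)),
             AccountEvent("beneficiary_changed", NOW - timedelta(days=1))])

if __name__ == "__main__":
    for label, (req, history) in [("routine", ROUTINE), ("new device", STEP_UP), ("takeover", TAKEOVER)]:
        decision, score, reasons = assess(req, history, KNOWN_DEVICES, "US")
        print(f"{label}: {decision} (score {score})")
        for r in reasons:
            print("   ", r)
```

The design choice worth noting is that the precursor events are scored at transfer time, not when they happen: a beneficiary change on its own is routine, but the same change followed a day later by a large payment from a new device is what Miller describes as the red flag to raise before the money has moved.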

Cybercrime? Blogger gets Flogged for ‘Insult to Islam’

A Saudi Arabian blogger has been publicly flogged after being convicted of cybercrime and insulting Islam, reports say.

Raif Badawi, who was sentenced to 1,000 lashes and 10 years in jail, was flogged 50 times. The flogging will be carried out weekly, campaigners say. Mr. Badawi, the co-founder of a now banned website called the Liberal Saudi Network, was arrested in 2012. Rights groups condemned his conviction and the US appealed for clemency. In addition to his sentence, Mr. Badawi was ordered to pay a fine of 1 million riyals ($266,000; £175,000). In 2013 he was cleared of apostasy, which could have carried a death sentence.

Last year Mr. Badawi's lawyer was sentenced to 15 years in prison after being found guilty of a range of offences in an anti-terrorism court, the Associated Press news agency reported.

The flogging took place outside a mosque in the Red Sea city of Jeddah after Friday prayers, witnesses said. AFP news agency, quoting people at the scene, said Mr. Badawi arrived at the mosque in a police car and had the charges read out to him in front of a crowd. He was then made to stand with his back to onlookers and whipped, though he remained silent, the witnesses said.

The sentence was widely condemned by human rights groups.

"It is horrifying to think that such a vicious and cruel punishment should be imposed on someone who is guilty of nothing more than daring to create a public forum for discussion and peacefully exercising the right to freedom of expression,'' Philip Luther of Amnesty International told AP.

Saudi Arabia enforces a strict version of Islamic law and does not tolerate political dissent. It has some of the highest social media usage rates in the region, and has cracked down on domestic online criticism, imposing harsh punishments.


The full web site is currently under development and will be available during 2015