Cyber Security Intelligence

Twitter< Follow on Twitter >

April Newsletter #3 2014


In the last couple of weeks there have been severe security issues at the center of the Internet. Heartbleed is the software bug, which has been found to be corrupting OpenSSL allowing hackers to read the memory of your server via access to your secure keys.

The attacks were dubbed Heartbleed because it affects an extension to SSL (Secure Sockets Layer) which IT engineers named Heartbeat.

The Heartbleed logo. Photograph: /Codenomicon

Heartbleed allows a reading of the web server's memory, and allows attackers access to sensitive data and the potential to compromise your server and its use. It is thought the software has been in existence for about 2 years.  It allows a hacker to get access to passwords, usernames, private information, and encryption keys.  The bug allows the hacker to do this with a significantly reduced risk of being detected.

Over 18% or half a million of the Internet's secure web servers certified by trusted authorities are believed to have been vulnerable to attack.

Forbes CyberSecurity columnist, Joseph Steinberg, described the bug as potentially "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."

Heartbleed is one of the most widely used encryption tools on the Internet, and is used by sixty percent of all websites. If you have padlock symbol in your browser then you are probably operating SSL.

The attacking bug can cause other leaks of information stored on the server, which is normally not accessible and this has become apparent with Yahoo leaking user credentials due to the bug.

For users, the simplest thing to do may be to refrain from engaging in sensitive activities on the Internet for a few days. Typical responses to security breaches, such as changing passwords may even serve to exacerbate the problem. While there are tests which will show whether a particular website is vulnerable, checking every site is cumbersome, and the most popular web-based test is suffering under heavy load.

You should not rush to change your codes or passwords, as the servers may not have yet been up-dated to fix the problem. You should check with your provider before acting is the more reliable advice we have received for users to listen to.

However, now there is a virus test that can help users detect whether a specific website has updated itself to eliminate the bug, and if so users would have the green light to change their passwords and update their security measures.

Hackers are increasingly infiltrating service providers as a way into their victim’s accounts

The Heartbleed story also reflects a growing concern that hackers are increasing their use of outsourced service providers as a means of gaining access to individuals and organisations.

In 2012 US companies spent over $134 billion on business outsourcing. Everything from services to accounting and finance and the estimates are that these amounts will increase to over $250 billion when this is reckoned for 2013.

A Report by Mandiant says that in 2012 14% of Energy, Oil and Gas, 8% of computer hardware and software, 7% of Media, 4% of Pharmaceuticals, 17% of Aerospace and Defense, 11% of Finance, 7% of Legal and Consulting, 6% of Telecoms and 25% of Other companies were victims of hack attacks.

‘In other cases, we have seen examples where contracted service providers have been the primary target. For example, during one of our investigations we found evidence that attackers gained access to a large defence contractor who, as part of their services portfolio, provided support and managed services for a number of smaller defence contractors. We found these attackers accessed the networks of the smaller companies through the connections they shared with the vendor. Meanwhile, other divisions of the service provider produced products and performed services, which were of interest to the attackers who stole email and other files related to these products and services’.

Mandiant visit

Cognitive bias risk inside your Organisation

Risks to organisation come not only from the outside but also, from a variety of inside employees. This can happen from internal mistakes by staff and teams or from insiders with a purpose like Snowden. Most organisations do not want to believe that they have an internal problem and the best way to deal with this is to make random occasional checks using different internal and some external teams.

Why are UK Police Forces Cyber Plans so Inadequate?

Only three forces out of the forty-three police forces in England and Wales have a comprehensive plan to deal with a large-scale cyber-attack, a report has found. It also found only 2% of police staff across 37 forces had been trained on investigating cybercrime.

"The capacity and capability of the police to respond to national threats is stronger in some areas than others - with the police response to the cyber-threat being the least well developed," HMIC's Stephen Otter said.

The HMIC UK Government Report on Policing April 2014 states:


“We expected to find police forces had sought to understand the threat and their role in tackling it. But HMIC found that only three forces (Derbyshire, Lincolnshire and West Midlands) had developed comprehensive cybercrime strategies or plans and only fifteen forces had considered cybercrime threats in their STRAs.”


“Senior leaders across police forces were unsure of what constituted a large- scale cyber incident. We found that, where they existed, STRAs and plans were focused only on investigating cybercrime; they were silent about preventing it and protecting people from the harm it causes. The publication of the new Serious and Organised Crime Strategy in October 2013 provides an opportunity for police forces to incorporate all four themes of ‘pursue, prevent, protect and prepare’10 in future plans and STRAs.“


“The capabilities that we found in place for: counter-terrorism, public order, civil emergencies, and those being built in Regional Organised Crime Units for organised crime, were in stark contrast with the capabilities, largely absent in police forces, for cyber-related threats. It is now essential that police officers have the capability to deal confidently with the cyber element of crimes, as it is fast becoming a dominant method in the commission of crime. But more than that, it is becoming a part of everything that the police have to deal with because the Internet and digital technology are now part of most people’s lives. The police must very soon be able to operate just as well in cyberspace as they do currently on the street. “


“The Chief Constables’ Council and the Professional Committee need to play a much more prominent role in making sure that the police service has the capability to deal with cyber threats. This needs urgent attention as criminals are increasing their use of cyber methods to commit crimes at an increasingly rapid rate. “

Inspectors found the ability to deal with cyber-threats remains "largely absent" in some forces and that some senior officers across England and Wales are still "unsure of what constituted a large-scale cyber-incident".

The areas where work is being done is as follows:

In Scotland, police have tried to tackle cybercrime by forming a "cyber-resilience group" with industry experts and academics, which aims to spread awareness of cybercrime and help businesses protect themselves. Last year it was estimated cyber crime costs Scottish businesses over £5bn.

The Police Service of Northern Ireland has focused on protecting young people from the dangers of cybercrime aimed at individuals.

Five police forces across the southwest have started a partnership with Bournemouth University to develop a strategy to combat cyber-crime.

Representatives from Dorset, Wiltshire, Gloucestershire, Devon and Cornwall and Avon and Somerset forces attended workshops developed by the university at a recent conference there

Dorset Police and Crime Commissioner Martyn Underhill said: “It is crucial to raise greater awareness of cyber-crime. Wherever I go in Dorset, the public has made it quite clear that they are worried by cyber-crime and fraud. The government and the southwest region of police forces have identified that this is the most significant emerging threat to our residents.

Cyber-Space: Satellites and Cyber-Warfare

The proliferation of cyber threats to communication networks has presented satellite operators with new challenges in protecting customer data against threats.

According to Aviation Week security experts say advanced satellite technologies should help operators stay ahead of the rapidly evolving attack technology, even as hybrid systems that link traditional satellite networks and ground-based systems for end-to-end data delivery create new vulnerabilities.

“More and more it is hybrid networks that we are operating, and the services that we are selling use both terrestrial and space assets,” says Thierry Guillemin, executive vice president and chief technology officer at Intelsat. “Because of that we are also vulnerable to the threats you will find on terrestrial infrastructure in general, so we have to take care of the entire system.”

Satellite operators have long had techniques for protecting their signals from unintentional interference and deliberate jamming, and have generally turned a blind eye to government ground stations such as those in Sugar Grove, W.Va., that capture telecom signals flowing to nearby commercial satellite antennas.

Intelsat, which is more open, conducted the latest in a series of press briefings on the general subject at the Satellite 2014 trade show in Washington last week. While avoiding citing specifics of security techniques for obvious reasons, the company’s top officials outlined its general approach to protecting customer data.

Publicity about denial-of-service hacker attacks that attempt to overwhelm Internet circuits with terabytes of data, criminal enterprises that use fraud to scoop up electronic funds moving on the Internet, and state-sponsored entities that seek government and commercial intelligence via clandestine cyber eavesdropping have brought the issue into the open, they say.

Teaching Machines How to Spell Will Help Catch Terrorists

Russian authorities warned the FBI in 2011 about Tamerlan Tsarnaev, one of two Chechen brothers accused of carrying out last year's Boston Marathon bombings, but U.S. authorities missed chances to detain him.

Russian officials’ warnings to the FBI and CIA about Tamerlan Tsarnaev’s Islamic radicalization included a prediction that he would change his name, a Massachusetts lawmaker has said — but the alert apparently failed to raise alarms when Tsarnaev formally sought the name “Muaz,” an early Islamic scholar.

Tsarnaev tried to make the change as part of a federal citizenship application eight months before the Boston Marathon bombing.

Tsarnaev was supposed to be pulled aside for questioning at JFK airport because he was considered potentially armed and dangerous, but he slipped through undetected because someone had misspelled his last name in a security database.

However the Boston Marathon bomber Tamerlan Tsarnaev might have been caught before his attack if the keepers of one terrorism watch list had done just one thing differently: spelled his name right.

The Homeland House Government Boston Bombing Report states:

‘Specifically, Tamerlan Tsarnaev’s name spelling and date of birth were inaccurate and as a result there was not match through the TIDE (Terrorist Identities Datamart Environment). In TECS records provided to the Committee, an alert entered on October 20th, 2011 spells Tamerlan Tsarnaev’s surname “Tsarnayev” and lists his birthday in 1987 instead of 1986.’

As the recent report from the House Homeland Security Committee exposed a missed opportunity. Although Tsarnaev was on a watch list, he was not detained on his return to the United States from Dagestan because the list used a different spelling of his name: “Tsarnayev”. A human would have caught the error. But the growing number of requests like this that security professionals face means that we have to rely more and more on software.

Cognitive computing would be able to teach software to understand the nuances of names and speech is an enormous national security challenge but if it were used with human intervention it would work more effectively.

If security at JFK airport the day Tamerlan Tsaernaev came through had had a cognitive system that handled more spelling variation, they would have seen the “Tsaernayev” match but also some innocent results.

As the collaboration between the person and the computer becomes richer, each will want the ability to communicate their confidence about certain judgments to the other.

More from:

Skype leave witnesses but no evidence

There are a growing number of incidents witnessed on Skype but as there is no recording then it does not operate at evidence.

Currently there is a woman in custody in Norway accused of murdering her child while her boyfriend allegedly watched what went on Skype from the UK. One night in April last year 23-year-old Qian Liu, a university student in Canada, was Skyping when there was a knock on the door of her Toronto apartment and Liu went to open the door. Her friend watched as a man came through the door and began struggling her, seconds later the webcam link went dead. A few hours later Liu's body was found in her room on the campus of York University in Toronto. Brian Dickson was later arrested and faces trial later this year.

The case was the most graphic illustration of a recent phenomenon: horrific acts committed on what is known in the trade as voice over Internet protocol (VoIP).

It is by far the biggest and best-known of the VoIP providers, but there are others - Ooma, Viber, Viatalk, for example, and any number in China.

But while investigators may get witnesses thanks to Skype, they do not get footage.

Indian Hackers have defaced Tehreek, a Taliban Website

A day after Tehreek-e-Taliban launched – a website hosting videos, a magazine, and its leaders’ interviews and statements – it was hacked and taken down.

"All the latest videos, magazines, statements, announcements, statements of the chief spokesman, and poems" will be posted on Umar Media, according to an email sent to The Long War Journal on April 5 that announced the launch of the website.

"Any news and video attributed to [the Pakistani Taliban] should not be considered valid" unless it is published on the website, the email stated.

The infamous Indian hacker Godziila hacked down the web site.

Godzilla the hacker has been attacking high profile websites, including the official website of Pakistan army. Godziilla took down the TTP’s website last week. When asked about the method of taking down the TTP’s website, Godziilla said that: 

‘This website was hosted on a shared server, we found several security flaws and crushed down the website.’

Tehrik-i-Taliban Pakistan TTP (“Taliban Movement of Pakistan”), is an umbrella organization of various militant groups, banned by the government of Pakistan and listed as a terrorist organization.

The potent propaganda arm of the TTP is ‘Umar media’, the media production wing of the banned group which regularly releases videos, including on attacks they have carried out, on various websites linked with jihadi organizations.

A news release issued by the information and publication wing of the TTP said Umar Media, the “media wing” of the militant group, had sponsored the website. Deeper investigation into the domain’s registered records revealed that the website was hosted by a company from Punjab.

Speaking to a private TV channel anonymously, the owner of the company said he had no idea who the client was. “The domain was registered in November 2013, and until yesterday, we had no idea as to what the content on the website would be.”

“The order for the domain and the website were placed through an address from Karachi, and the client always used proxy servers to access the online administrative panel,” he said.

“The address was apparently fake.” The TTP has waged a seven-year bloody war against the Pakistani state and was declared a banned outfit in August 2008. Umar Media was launched a few years ago and has been disseminating the TTP-related information and videos since.

The website contained the TTP flag, verses from the holy Quran, statements and videos containing sectarian, hate and propaganda material, especially against security forces, a message of TTP deputy Shaikh Khalid Haqqani for the people of Balochistan.

‘Networked Society’ on the horizon

The vision of the ‘Networked Society’ is likely to be realised within the next few years, with more than 50 billion connected devices, of which more than 15 billion will be video-enabled, in use by 2020.

They will, according to Media Vision 2020, Ericsson’s strategic view of how the TV and media industry will evolve over the next six years, rely on mobile IP (internet protocol) networks dominated by video.

The Media Vision 2020 project is based on more than six months of research and brings together the concerted efforts of hundreds of people from across the global Ericsson organisation.

It includes statistical data, detailed surveys, and interviews with individuals, focus groups, industry participants and consumers.

Looking specifically at advanced markets such as Western Europe and the US, Ericsson foresees that the 15 billion video-enabled devices will transform the consumption experience of TV. At the same time, mobile broadband will be essential in all regions and fundamental in emerging regions.

It also says that bundling of content and services will remain the ultimate opportunity; delivery of OTT will become applicable to all TV service providers or content owners; On-demand will have risen to parity with live/linear; new entrants bring new investment; and market revenues will have risen from $530 billion in 2013 to $750 billion in 2020.

Commenting on Media Vision 2020, Per Borgklint, senior VP and head of business unit support solutions, Ericsson, said: “The future is not certain, but the direction and trends are clear. The rules of TV are changing and it is essential for our customers to evaluate their strategies for success.

“The hope is that by sharing our Media Vision 2020 and the Game Changers, and offering our truly unique insights, capabilities and leadership that the media industry overall will achieve success and delight consumers well into the future. We have combined our broad understanding and expertise of the TV market, alongside extensive, quantifiable research to help our customers address the challenges and opportunities in this rapidly evolving ecosystem.”

Global Academics for Cybersecurity Education

Accredited academic institutions now have access to a compendium of information and software security topics from (ISC)2, the not-for-profit membership body of certified information and software security professionals.

The launch of the (ISC)2 Global Academic Program will make educational resources, updated regularly by members and industry luminaries, available to academia to help meet the global demand for more skilled CyberSecurity professionals. The growing skills gap in the information security industry has been tracked for ten years in the (ISC)2 Global Information Security Workforce Study.

The most recent report, released in February 2013 in association with Frost & Sullivan, forecasts an annual workforce growth rate of 11.3% by 2017, inadequate in response to the 35% of respondents looking to hire additional workers today.

“We believe it’s critical to recognise and support the role of the academic community in the development of much-needed CyberSecurity talent for now and in the future”, said executive director, (ISC)², W. Hord Tipton. “(ISC)2 is in a unique position to offer its educational content, which is regularly updated and vetted by experts, to colleges and universities around the world as part of this collaborative development effort required for our now digitally-dependent society.”

Carsten Maple, Vice Chair of the Council of Professors and Heads of Computing, an association representing computing in UK Higher Education, highlights the need for more security content, saying: "It appears that many Computing graduates are leaving university having studied little in the area of security. There is a varied approach to teaching security, but in a number of institutions there is only one module -approximately 5% of the total credits in a degree - dedicated to information security in their core 3-year Computer Science degree. Clearly with the growth in cyber attacks there is a need for graduates to be equipped with skills and knowledge of the threats and methods to overcome these. To do this and to give Computing students the best opportunity to succeed, we as an academic community are trying to better engage with industry representatives in fields such as information security."

The Global Academic Program, which is being launched as governments around the world seek to improve university curricula as part of their national CyberSecurity strategies, offers products and services for colleges and universities. The program is open to accredited institutions interested in enhancing cyber content within their security, computing, IT or other relevant course offerings.

“In addition to the resources we have to offer, this programme presents a real opportunity to become part of a global network of academic members interested in establishing a joint framework for delivering essential skills and supporting the growth of a qualified CyberSecurity workforce,” says Jo Portillo, Global Academic Program, (ISC)2.

Global universities now have access to the largest compendium of information and software security topics

Accredited academic institutions now have access to new resources and support from the world’s largest not-for-profit membership body of certified information and software security professionals with the launch of the (ISC)²® Global Academic Programme.

The 2011 report from Frost & Sullivan into the acute nature of the skills gap, forecasting an annual workforce growth rate of 11.3% by 2017, and pointing out that 35% of respondents looking to hire additional workers find it difficult to find qualified personnel today. Study_020811_MLW_Web.pdf

Clearly with the growth in cyber attacks there is a need for graduates to be equipped with skills and knowledge of the threats and methods to overcome these.

The Global Academic Programme, which is being launched as governments around the world seek to improve university curricula as part of their national CyberSecurity strategies, offers products and services for colleges and universities that can be tailored for both undergraduate and post-graduate requirements.

New Encryption to Defend Against U.S. Spying

The U.S. intelligence agencies’ activities are already infamous, although their depth and scope are not yet clear. According to a Microsoft researcher new encryption tools may force intelligence agencies to limit their monitoring activities – their databases and search tools will become more “polite”, so to speak.

Seni Kamara, a researcher for Microsoft’s research labs in Redmond, Washington, designed a new encryption tool called MetaCrypt. MetaCrypt will allow analysts to scan through telephony records while avoiding unnecessary leaks or breaches of privacy.

The new system is a series of encryption protocols capable of securing information in various databases. These protocols limit the options in which the data can be used, so that search results will include only information that is actually required by intelligence personnel, nothing more.

Agencies, for example, might look for a specific phone number the require for an investigation. In response to their query agency analysts will receive information on incoming and outgoing calls made – that information, protected by MetaCrypt, can’t be accessed by others who “happen” to intercept it.

According to experts from the U.S. intelligence community Kamara’s ideas are not likely to be received with open arms. It seems like American intelligence agents will never willingly limit themselves, despite the public outrage over their activities.

The full web site is currently under development and will be available soon!