Cyber Security Intelligence


August Newsletter #2 2014

Could MH17 sanctions push Russia to cyber warfare?

Following the Malaysia Airline MH17 airplane crash which saw 298 people lose their lives – believed to be at the hands of Russian separatists, Russian president Vladimir Putin has been the focal point of much media attention, with US President Barack Obama and UK Prime Minister David Cameron calling for deep sanctions against the country if it is shown to be behind the tragedy.

However, in a statement issued earlier today, one UK cyber security academic warned that any sanctions could see Russia retaliate with cyber warfare.

Professor Mike Jackson – computer security expert at Birmingham University – said that countries have typically responded to sanctions by preventing the supply of certain products (a possibility for Russia, which is a big provider of gas to European countries), but suggested that such actions could take place in the cyber world too.

“As EU governments discuss ways in which they can toughen up sanctions against Russia today, they need to be mindful of the ways in which Russia could retaliate,” Jackson said by email.

“Traditionally the response to sanctions has been the denial of essential supplies to those imposing the sanctions (for example ceasing to supply oil to Germany). In today's electronic age the response might be to electronically disrupt the workings of government and industry.

“Over the last few years a group of cyber spies has functioned in Eastern Europe. They are thought to be sponsored by the Russian Government, although this has not been definitely shown to be the case. The group has infiltrated computers in many western government departments and major defence companies such as BAE. It is thought that primarily they are fishing for secrets but there is no reason why their networks could not be used to disable IT operations and cripple government functions.

“If Russia is pushed too far will they choose to deploy cyber warfare?”

Quizzed shortly afterwards, Jackson admitted that such claims would ‘probably not stand up in a court of law’ but said that ‘digital fingerprints’ left by the hackers would be enough for GCHQ, MI5 and other powers to investigate.

He said that the same group behind the BAE attack took an interest in Ukraine six months ago and warned that it could launch a large botnet attack against UK and European computer systems, particularly if they felt the sanctions proposed were too strong.

“That would certainly have an economic effect,” said Jackson of the potential attacks, pointing to Russia's alleged cyber-attack against the Estonian government in 2008 as evidence of cyber warfare.

He said, ultimately, that the ‘threat’ of cyber warfare would carry a far bigger deterrent – much like nuclear weapons in the Cold War.

“The threat of it may be enough to shift opinion,” said Jackson, adding that Russia's cyber capabilities would be well noted and may be enough to loosen sanctions on the Russian government.

Dan Solomon, head of cyber risk and security services with Optimal Risk Management, added that Russia's cyber capabilities are well known but suggested that any cyber-attack in retaliation to any proposed sanctions could result in ‘unwanted escalation’ on both sides.

“There is no doubt that this is a capability that Russia has, and it has shown repeatedly that it is prepared to use it. Against weaker countries there would be a higher probability that Russia could follow this route, but against larger countries, there is a much lower probability.”

“The concept of a UK cyber capability sufficient to deter Russian attack will not be convincing to Russia, and there is no clear understanding as to how a ‘counter-attack’ would be launched and with what objectives.

“Russia knows that there is a very low likelihood that the UK or NATO would respond to such a cyber-attack with a cyber-attack, or anything ‘military’ in nature. This is new ‘ground’ as far as doctrine is concerned.”

But Jackson's comments were questioned by Thomas Rid, professor of security studies at King's College London, who said that there is a lot of ‘hype’ on such claims, adding that there is no evidence of cyber warfare brewing.

“If anything, it is remarkable how little cyber-attack activity we have seen in Ukraine. I mean Russia is the El Dorado of cyber-crime. And they can't even pull off a cyber-attack worth mentioning?” Rid told SC.

“It's safe to say that there's significant frustration from inside the intelligence community because there is so much hype, and so many people overstating what's happening,” adding that there is money to be made by such hype.

Rid said that DDoS attacks and defaced websites have been the most popular type of attacks since the Crimea, and says that – bar the Stuxnet incident that saw Iranian centrifuges damaged – there haven't been any notable acts of cyber warfare since the US Air Force spoke on cyber threats in 2006.

Silicon Valley to host North Korea 'Hackathon'

A “hackathon” planned for August aims to harness the technical prowess of Silicon Valley in coming up with new ways to get information safely into North Korea.

“Hack North Korea” will take place in San Francisco and has been organized by The Human Rights Foundation, a New York-based group that earlier this year helped send USB thumb drives loaded with Wikipedia across the inter-Korean border in balloons.

The event won’t be engaging in any computer hacking in the malicious sense. Rather, it will be hacking in the sense of coming up with new ways to “spark better ideas for getting information into the world’s most closed and isolated society,” HRF said.

Several prominent North Korean defectors will attend the event including pro-democracy activist Park Sang-hak, former North Korean child prisoner Kang Chol-hwan, media personality Park Yeon-mi and Kim Heung-Kwang, a former professor in computer studies in North Korea. They are expected to speak on the methods currently used to get information into the country, which include CDs and DVDs, USB sticks, shortwave radio, and leaflets dropped from balloons.

Organisers said they are not encouraging hacking in the sense of gaining unauthorised access to data, but are instead hoping to “spark better ideas for getting information into the world’s most closed and isolated society”.

Picture: North Korean defectors and South Korean activists release balloons carrying leaflets condemning Kim Jong-Il in 2010. Photograph: Kim Ju-sung/AP

“Participants will become familiar with the various ways that information and truth are smuggled into North Korea today, and gain an understanding of the technology landscape inside the country. Then, guided by our North Korean guests, attendees will break into teams to come up with new ways to help end the Kim dictatorship’s monopoly of information on the 25 million people living under its rule,” HRF said.

Information is strictly controlled in North Korea, which does not have a free press, and only allows Internet access to an elite few.

"The one-party regime owns all domestic news outlets, attempts to regulate all communication, and rigorously limits the ability of the North Korean people to access outside information," says Freedom House, which rates North Korea as one of the worst countries in the world for press freedom.

Earlier this year Freedom House helped HRF to launch balloons carrying USB flash drives loaded with Korean-language Wikipedia as well as pro-democracy materials and DVDs with South Korean dramas, so that they could float from the launch site in Paju, in South Korea, across the border into the North.

Park Sang-hak also visited Silicon Valley with HRF, to improve GPS tracking on the balloons, so that the group can try and follow what happens to the balloons once they cross the border.

The Internet of things: unlock the marketing value

We have seen a lot of buzz around the Internet of things and how it will change the way all the physical things in our lives work. We are told every device will soon be connected to the Internet, which will boost our productivity, make transport more efficient and reduce our energy needs.

While our fridges might not be ordering us another pint of milk just yet, the phenomenon is ready to explode. The UK government recently announced it would spend an extra £45m on developing Internet of things-enabled technology – doubling the funds currently available to UK technology firms working on everyday connected devices.

Ovum also predicts that the number of global machine-to-machine (M2M) connections will increase to 360.9m in 2018. With an influx of connected devices, we will also see an influx of data, where every device will be programmed and tracked. The question is: how can marketers use the data to enhance the performance of their business?

The Internet of things brings about an opportunity to measure, collect and analyse an ever-increasing variety of behavioral statistics. In theory, the "mash-up" and cross-correlation of this data could revolutionize the targeted marketing of products and services.

The challenge, though, is that the companies selling the devices containing the sensors that monitor us, and the companies operating the networks storing that data, are committed to data security. Disclosure of any information to a third party can therefore only practically happen with the explicit consent of the monitored party.

This means that marketers may find the doors to any M2M-derived information, which is traceable back to an individual, are permanently shut.

Aggregation and anonymity could be the solution for marketers. It might seem counter-intuitive from a marketing perspective to omit the identity of the concerned individuals but consumers are more likely to give consent en masse. It is also the only way companies monitoring and storing data can sell or release such data without seeking end-user approval.

This approach is already a successful commercial reality. Mobile phone networks are using "passive anonymous geo-location" or "network insights" techniques where they use existing data that allows network infrastructure to operate efficiently and effectively in a predictable and standardised way. Instead of the data being discarded after it has accomplished a single action at a single point in time, operators are logging the data to monitor population movement by mode of transport, time of day, and personal characteristics like age group within a specific geographic area.

The information collected by operators presents myriad opportunities to marketers. Shop and billboard owners can monitor footfall near their properties and segment the data by relevancy so they can easily determine where their target market has come from and where it might be going next. Local councils can also profile people's reactions to specific types of environmental situations, for example, to help with crowd control during an emergency. Data that is collected from many thousands of people is aggregated and made anonymous, and then presented as a single report showing societal trends.
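The aggregation step described above is where the privacy protection actually happens, so it is worth seeing in code. The following is an added example, not code from the article or from any operator: it takes constructed network sightings carrying a pseudonymous subscriber id, groups them by area, hour of day, age band and mode of transport as the article lists, and publishes only distinct-person counts per cell. It also drops cells below a minimum head count (an assumed threshold, here five), because a count of one or two in a small area at an odd hour can still point at a specific person even when no identifier is released.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One network sighting of a device; the id is the operator's pseudonym, never a name."""
    subscriber_id: str
    area: str       # coarse geographic area, e.g. a cell sector
    hour: int       # hour of day the device was seen
    age: int        # from the subscriber record
    transport: str  # mode of transport inferred by the operator


# Assumed age bands; the article mentions "age group" without defining the bands.
AGE_BANDS = ((0, 17, "0-17"), (18, 34, "18-34"), (35, 54, "35-54"), (55, 200, "55+"))


def age_band(age):
    for lo, hi, label in AGE_BANDS:
        if lo <= age <= hi:
            return label
    raise ValueError(f"age out of range: {age}")


def aggregate(observations, min_people=5):
    """Count distinct people per (area, hour, age band, transport) cell.

    Cells with fewer than min_people distinct subscribers are suppressed
    (small-cell suppression, an assumed control not spelled out in the
    article). Returns (report, number_of_suppressed_cells); the report
    carries counts only, never subscriber ids.
    """
    people = defaultdict(set)
    for o in observations:
        people[(o.area, o.hour, age_band(o.age), o.transport)].add(o.subscriber_id)
    report = {cell: len(ids) for cell, ids in people.items() if len(ids) >= min_people}
    suppressed = sum(1 for ids in people.values() if len(ids) < min_people)
    return report, suppressed


def sample_observations():
    """Constructed sightings: a busy morning rail cell and a sparse late-night one."""
    obs = [Observation(f"sub{i:03d}", "A1", 8, 20 + i % 10, "rail") for i in range(12)]
    obs.append(Observation("sub000", "A1", 8, 20, "rail"))  # repeat sighting of the same person
    obs += [Observation(f"sub9{i}", "A2", 23, 70, "car") for i in range(2)]
    return obs


if __name__ == "__main__":
    report, suppressed = aggregate(sample_observations())
    for cell, n in sorted(report.items()):
        print(cell, n)
    print("suppressed cells:", suppressed)
```

Counting distinct subscribers rather than sightings matters: a single commuter seen by three towers in one hour would otherwise inflate the footfall figure, and the same de-duplication is what lets the operator release the report without per-person consent, since nothing in it is traceable back to an individual.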

The Israeli Hacktivists' War in Gaza

Soon after Israeli soldiers crossed into Gaza, the hacktivism group the Israeli Elite Force (IEF) recruited an army of volunteers. The hashtag for the operation was #OpIsraelRetaliate and the chosen targets were official Palestinian websites.

The plan was “not to break through the main sites and change their appearance” but to breach them and get “databases, usernames, passwords, remote control etc.,” according to the IEF, which stated that the objective was to “jeopardize sensitive information of internet users in the Arab world” and not, as one might expect, to harm Hamas.

Asking hackers to promote the mission in every possible way, the IEF announced on their Facebook page around 07:30 PM local time: “Israel Defence Force We Are With You!”

The IEF Twitter account, which has about 1,600 followers, bragged, “We are the Israeli Elite Force. Hackers and darn good at it,” telling people to: “BOW DOWN!”

A few hours into the operation, the activists published lists of hacked websites, email addresses and other information from sites such as the Palestinian ministry of health. The members were also directed to a chat room for questions or assistance.

The region has a long history of cyber attacks, retaliations and counter attacks.

The IEF was established last year in response to an April 7 attack on Israeli websites that aimed to “erase Israel from the Internet.” Using the codename #OpIsrael, the anti-Israeli hackers tried to break into a number of different Israeli sites.

OpIsrael operates a Twitter account, which is followed by about 32,000 people. In the last few days, it has been dedicated to updates about the situation in Gaza.

Another group of anti-Israeli hackers took over the Israeli Domino’s Pizza Facebook page and changed the photos and posts to fit their agenda, threatening to hit various parts of Israel with rockets and publishing photos of Israelis hiding in shelters.

The online battle also features more standard attacks. Earlier this week, the Facebook pages of both Hamas and Islamic Jihad were taken down, after several Israelis complained to Facebook that posts in those pages are incitement to violence. Uri Perednik, who initiated the report against the Hamas page, wrote "To my surprise, the Zuckerberg machine acted quickly, and within 24 hours I learned the page was closed down thanks to my report."

The most successful online attack during the recent round of violence took place 2 weeks ago, as hackers targeted the Israeli Defense Forces spokesperson Twitter account, DFSpokesperson. “#Warning: Possible nuclear leak in the region after 2 rockets hit Dimona nuclear facility,” tweeted the attackers from the account. They were later identified as the pro-Assad Syrian Electronic Army.

The breach was quickly spotted and the Israeli military apologized, promising to fight terror on all fronts, including on the web.

90% of People the NSA Spies on Are Not Real Targets

The National Security Agency's wide-reaching Internet surveillance dragnet sweeps up more ordinary Internet users' communications than previously thought, according to a new report.

Nine out of 10 people on whom the NSA spied were not actually the intended targets of its surveillance, and nearly half of the surveillance files either belonged to U.S. citizens or residents, a Washington Post investigation revealed.

‘Ordinary Internet users, American and non-American alike, far outnumber legally targeted foreigners in the communications intercepted by the National Security Agency from U.S. digital networks, according to a four-month investigation by The Washington Post.

Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.

Many of the surveillance files, nearly half, contained names, e-mail addresses or other details that the NSA marked as belonging to US citizens or residents. NSA analysts masked, or “minimized,” more than 65,000 such references to protect Americans’ privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to US citizens or US residents.

The surveillance files highlight a policy dilemma that has been aired only abstractly in public. There are discoveries of considerable intelligence value in the intercepted messages — and collateral harm to privacy on a scale that the Obama administration has not been willing to address.

Among the most valuable contents — which The Post will not describe in detail, to avoid interfering with ongoing operations — are fresh revelations about a secret overseas nuclear project, double-dealing by an ostensible ally, a military calamity that befell an unfriendly power, and the identities of aggressive intruders into US computer networks.’

The Report is based on a treasure trove of 160,000 intercepted conversations, including more than 120,000 instant messages, roughly 22,000 emails and nearly 4,000 social-network messages coming from 11,400 unique accounts. The conversations spanned from 2009 to 2012, and were provided to The Post by former NSA contractor Edward Snowden. They were collected using Internet-surveillance programs such as PRISM and the Upstream collection, a set of surveillance programs that tap directly into the Internet backbone.

The investigation highlights how the NSA's spying activities — even when focused on legitimate security targets — ended up ensnaring the conversations of many innocent Internet users. Although the surveillance files analyzed by The Post did result in the capture of some terrorist suspects, in many cases, they "have a startlingly intimate, even voyeuristic quality," the newspaper said.

To spy on the content of Americans' communications, the NSA normally has to get an individual warrant, but for foreigners, no warrant is needed. Many of these communications got swept up because the NSA had lax criteria when it came to judging whether a target was an American or a foreigner, according to The Post.

NSA analysts assumed that emails written in a different language belonged to foreigners, or that all people on a foreign contact list were also foreigners, The Post said.

The investigation puts last week's NSA transparency report in perspective. In the report, the Office of the Director of National Intelligence, the agency overseeing all American spy agencies, said the NSA spied on nearly 90,000 targets in 2013.

However, according to Snowden's new documents, dated from 2009 to 2012, the proportion of targets to non-targets was 1 to 9. If this ratio was the same in 2013, it would mean the NSA collected Internet communications of around 810,000 people last year.

Recently speaking at the Hope X conference, taking place in New York, Edward Snowden put out a call for developers to build systems that protect privacy and constitutional rights by design. He also revealed his own intention to work on developing privacy protecting technology.

Snowden was speaking via video link from Russia where he currently has asylum after the US government cancelled his passport, following his leak last year of classified NSA documents detailing security agency surveillance programs.

Responding to a question about what people working in technology can do to counteract dragnet, overreaching surveillance, Snowden said encryption is an “important first step”. But he added that simply securing the content of communications is not in itself enough. New privacy-protecting protocols and infrastructures need to be designed.

Google faces US privacy suit over user data policy

A California court has allowed a privacy class action suit against Google to continue, though only in part.

After evaluating each claim of each sub-class in the suit, Magistrate Judge Paul S. Grewal has allowed two claims of the "Android Application Disclosure Subclass," which includes all persons and entities in the U.S. that acquired an Android-powered device between Aug. 19, 2004 and the present, and downloaded at least one Android application through the Android Market or Google Play.

On March 1, 2012, Google introduced a single, unified policy that allows the company to comingle user data across accounts and disclose it to third parties for advertising purposes.

This move triggered the class action lawsuit in March, 2012 in the U.S. District Court for the Northern District of California, San Jose division, which argued that by switching to the less-restrictive privacy policy without user consent, Google violated both its prior policies and consumers' privacy rights, according to court records.

The Android Application Disclosure Subclass claimed Google's disclosures to third parties caused increased battery and bandwidth consumption as well as invasions of their statutory and common law privacy rights.

The suit was filed over two years ago and since then the court twice dismissed the plaintiffs' claims. Google moved for a third dismissal.

The claims allowed by the judge include a breach of contract claim that Google breached terms of the contract by disclosing user data to third parties following every download or purchase of an app, resulting in damages in the form of resource consumption. The second claim is under California's Unfair Competition Law.

Claims by persons and entities in the U.S. that acquired an Android-powered device between May 1, 2010 and Feb. 29, 2012 and switched to a non-Android device on or after March 1, 2012 were dismissed.

Now You Can Publish on LinkedIn

Recently, the signs have been pointing to LinkedIn to become a content site and formidable media contender, in addition to being the place professionals go to connect. This is good news for the smaller or lesser-known business people in the community, because LinkedIn has just opened up something exciting toward that end: publishing.

Now to be fair, LinkedIn has had a publishing platform for quite some time. It’s just that it was extremely limited in who could use it. You had to be an influencer if you wanted a piece of that online real estate. Seeing as how influencers include names such as Martha Stewart and Barack Obama, and that the pool of influencers was capped at 500, the dreams of a small-town entrepreneur from Iowa ever getting in on that action were hopeful at best.

In an epiphany of sorts, it seems the crew of LinkedIn became cognizant of the fact that you don’t have to be a multi-millionaire, well-known celebrity or fearsome politician to have great ideas. Modest business people can be experts in their respective fields, too. Moreover, other people want to hear what these people have to say.

What this means for you is that you now have an incredible opportunity to get your content in front of the eyeballs of the people you want to see it most. It’s going to be a gradual process, starting with 25,000 users initially, but eventually, every single LinkedIn user will have access to the powerful publishing platform.

If you’re currently publishing on a blog, you’ll want to continue publishing on that blog. Publishing on LinkedIn should either be in addition to those posts or syndicated across the board.

Black Hat presentation on TOR cancelled

A presentation on a low-budget method to unmask users of a popular online privacy tool, TOR, will no longer go ahead at the Black Hat security conference early next month.

The talk was nixed by the legal counsel with Carnegie Mellon's Software Engineering Institute after a finding that materials from researcher Alexander Volynkin were not approved for public release, according to a notice on the conference's website.

It's rare but not unprecedented for Black Hat presentations to be cancelled. It was not clear why lawyers felt Volynkin's presentation should not proceed.

Volynkin, a research scientist with the university's Computer Emergency Response Team (CERT), was due to give a talk entitled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" at the conference, which takes place Aug. 6-7 in Las Vegas.

TOR is short for The Onion Router, which is a network of distributed nodes that provide greater privacy by encrypting a person's browsing traffic and routing that traffic through random proxy servers. Although originally developed by the U.S. Naval Research Laboratory, the TOR Project now maintains it.

TOR is widely used by both cybercriminals and those with legitimate interests in preserving their anonymity, such as dissidents and journalists. Although TOR masks a computer's true IP address, advanced attacks have been developed that undermine its effectiveness.

Smartphone Photos 'Can Be Found After Reset'

People who sell their old Android smartphones are at risk of blackmail because private intimate photos are not being correctly wiped before sale.

Hundreds of naked selfies and intimate pictures were found on a batch of 20 Android phones bought through eBay and tested by researchers.

A factory-reset function appears on the smartphones, but standard forensic security tools can retrieve deleted information from older devices.

The researchers said they found more than 40,000 photos, including 750 photos of women "in various stages of undress" and 250 photos of male anatomy.

Details of the person's residence could also be traced using EXIF data embedded in the image file.

Four of the phones tested included the previous owners' identity in the file data.

One Reddit user said that someone who bought his phone had contacted him, saying they had extracted “embarrassing” images from the device.

The factory reset function on older Android devices wipes the index that points to the locations where data is written, but forensic tools can still directly access storage areas.

Google has said that more recent versions of Android are harder to crack. That is because phones running Android 3.0 onwards offer a setting to encrypt the phone using a cryptographic key generated from a user's passcode. A reset will then delete the key, rendering the data unreadable.

Newer Apple iPhones and iPads encrypt data by default using a software key, which renders all data unreadable after a reset.
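The difference between the two reset behaviours described above comes down to what the reset actually destroys. The following is an added example, not code from the article or from Google: it models a phone's storage as a flat byte array with a file index, performs the older-style reset (drop the index, leave the bytes) and shows that a raw scan still finds the photo, then repeats the exercise with the file encrypted under a key derived from the passcode and the key erased at reset, after which the scan finds only ciphertext. The PBKDF2 derivation and the HMAC-SHA256 counter-mode keystream are assumptions chosen so the example runs on the standard library; they are not Android's actual constructions, and the "photo" is a constructed byte string.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a photo file (not a real JPEG); the "GPS" string
# plays the role of the EXIF location data the article says can be traced.
SAMPLE_PHOTO = b"CONSTRUCTED-PHOTO: GPS 51.5,-0.1 owner@example.invalid"
MARKER = b"GPS 51.5"


class FlashStore:
    """Toy model of phone storage: a flat byte array plus a file index."""

    def __init__(self, size=4096):
        self.raw = bytearray(size)
        self.index = {}  # filename -> (offset, length)
        self.free = 0

    def write(self, name, data):
        off = self.free
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.free += len(data)

    def read(self, name):
        off, length = self.index[name]
        return bytes(self.raw[off:off + length])

    def wipe_index_only(self):
        """The older-Android reset the article describes: drop the index, keep the bytes."""
        self.index.clear()

    def carve(self, marker):
        """Forensic-style carving: search the raw bytes, ignoring the index."""
        return marker in bytes(self.raw)


def derive_key(passcode, salt):
    # PBKDF2 is an assumed passcode-to-key derivation; the real one is not on the page.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000, dklen=32)


def keystream_xor(key, nonce, data):
    """Counter-mode XOR with an HMAC-SHA256 keystream.

    A standard-library stand-in for AES so the example runs offline; it is
    not the cipher Android uses. Encryption and decryption are the same call.
    """
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def reset_unencrypted_device():
    """Plaintext storage: after an index-only reset the photo is still carvable."""
    store = FlashStore()
    store.write("IMG_0001.jpg", SAMPLE_PHOTO)
    store.wipe_index_only()
    return store.carve(MARKER)


def reset_encrypted_device(passcode="1234"):
    """Encrypted storage: the reset also erases the key slot, so carving finds only ciphertext."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    key_slot = {"key": derive_key(passcode, salt)}  # the only place the key lives
    store = FlashStore()
    store.write("IMG_0001.jpg", keystream_xor(key_slot["key"], nonce, SAMPLE_PHOTO))

    # Before the reset, the owner's passcode still recovers the photo.
    recovered = keystream_xor(derive_key(passcode, salt), nonce, store.read("IMG_0001.jpg"))
    readable_before = recovered == SAMPLE_PHOTO

    # Factory reset: drop the index and destroy the key.
    store.wipe_index_only()
    key_slot.clear()
    carvable_after = store.carve(MARKER)
    return readable_before, carvable_after


if __name__ == "__main__":
    print("unencrypted, carvable after reset:", reset_unencrypted_device())
    print("encrypted (readable before, carvable after):", reset_encrypted_device())
```

The encrypted path is the "crypto-erase" the article alludes to: the ciphertext bytes are still physically present after the reset, exactly as in the unencrypted case, but without the key they carry no recoverable content, so a buyer running a carving tool gets nothing. The weak point it does not model is a guessable passcode: a short numeric code can be brute-forced against the key derivation if the salt and ciphertext are recovered, which is why the key should be protected by hardware or erased outright rather than left derivable.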

Securing big data - off to slow start

While so-called "big data" initiatives are not new to a number of industries such as large financial services firms, pharmaceuticals, and large cloud companies, they are new to most organizations. And the low cost and ease of access of the software and hardware needed to build these systems, coupled with an eagerness to unleash any hidden value held within all of that enterprise data, are two trends that have sent large, next-generation database adoption soaring.

Unfortunately, the efforts to secure these systems haven't soared equally as high or as fast. But fortunately, that appears to be starting to change.

In many cases, analysts say, big data initiatives began organically, within small enterprise departments or teams, and without much, if any, IT oversight or governance. In a recent survey by IDG Enterprise of more than 750 IT decision makers, almost half (48 percent) of enterprises anticipate big data will be widely used by their enterprise within three years, while another 26 percent expect significant use within a business unit, department, or division.

When it comes to security, big data poses a number of interesting challenges. Some of the challenges arise for similar reasons that make the consumerization of IT and BYOD trends so challenging for many organizations. "This is a very compelling security story because we're watching small organizations pull down open source tools and, with only a couple of programmers, be able to out-scale the largest Oracle databases in existence," says Adrian Lane, analyst and CTO at information security research firm Securosis.

"We're not talking about millions of dollars of infrastructure; we're not talking about large services teams parachuting people in and spending a couple of million dollars. We're talking agile, cost-effective, scalable modular databases that can be setup quickly by anyone," he says.

Now, add to that widespread and inexpensive access to large data sets and the reality that many enterprises don't know how to go about securing these implementations, and many vendors and open source projects don't have the security features that organizations need. There's the recipe for large privacy violations or a very large and costly enterprise breach.

It turns out that groups are starting to use these data. When Lane started surveying organizations, he found that groups within the organizations actually were using these tools. "I was talking to marketing organizations that actually had hired data architects, under their own budgets, because they had interesting data that they wanted to mine. So, some of that went up to the cloud. Some of it was in-house, but there weren't any security controls on it, because that wasn't even part of the project's scope," Lane says.

Many times, these data were actually customer data from which internal groups wanted to discern behaviors and trends. Both Lane and David Mortman, another security analyst at Securosis, say that, almost universally, these teams believed there weren't any sensitive data in the database, but invariably that was not the case. "I'd ask them what they were doing for security, and they'd tell me they have logins; that was about the extent of it. It simply wasn't a part of the project scope," he says.

Encouragingly, some of the news on the security front is starting to brighten. According to Lane and Mortman, who both recently discussed Bigger Data, Less Security? at the Secure360 Conference in St. Paul, MN, the applications used to build big data systems are starting to take security in mind, as are some of the enterprises implementing them.

Lane and Mortman say that when they were preparing for the same talk a little over a year ago, the security feature set in big data applications was barren.

"What was available from Hadoop and other organizations such as Cloudera, Zettaset, and others was very minimal, while many security vendors hadn't adjusted their products to work well within Hadoop environments," says Lane.

That has started to change in the past year; vendors, as well as enterprises, are starting to take a closer if not painfully slow look at securing these systems. According to Lane and Mortman, more vendors today are better at integrating identity and access management capabilities into their big data applications. That could include leveraging identity capabilities inherent within Linux, or tighter integration with Kerberos.

Enterprises are starting to take more initiative internally, too. "We're seeing teams look for the best ways to add layers of security around these databases, either to avoid security and privacy risks, or to stay on the right side of government regulatory mandates," says Mortman.

To increase security, some organizations are employing "walled gardens," or relatively closed software systems of the kind that were very common in securing mainframe data. Some of the more agile, smaller development teams are using approaches similar to what we see in web application security: they are wrapping security into the application and user identity layers.

Additionally, Lane and Mortman say that organizations are starting to do a better job at using identity to build access controls around their implementations, including between applications and the users of those applications. They're also turning to block layer encryption, which will improve security but also enable big data clusters to scale and perform. "That encryption is a very easy way to make sure that the data at rest are secured, and that your platform admins can't get access to the data files," says Mortman.

Unfortunately, there is much left to do when it comes to securing big data and next generation database implementations. One issue involves database monitoring. Enterprises have been monitoring their networks, applications, and databases for many years, and these practices should most certainly extend to their big data implementations. "There are specific ways of looking at those usage profiles or behavioral profiles, or metadata information to vet good vs. bad queries. We don't have this ability with big data yet," says Mortman.

Fortunately, there are numerous general purpose logging tools out there that enterprises can use to build their own big data logging solutions. "You're just going to be making your own queries to the log everything," says Mortman.

That's better than nothing, and until these toolsets and the security models around big data mature, many enterprises are going to be making their own way along the path to embracing big data securely.

The full web site is currently under development and will be available during 2014