Cyber Security Intelligence


July Newsletter #1 2014

US to Cut Funding for NSA Surveillance

In a late night session, the House of Representatives voted 293 to 123 to pass an amendment to a Department of Defense appropriations bill that would cut off all funds for two of the agency’s most embattled activities:

First, using Section 702 of the Foreign Intelligence Surveillance Act to search collected surveillance data for Americans, and second, asking hardware makers and software developers to build backdoors into their products designed to give the agency access to users’ communications.

On that second count, the amendment specifically forbids funding for any agency attempt “to mandate or request that a person redesign its product or service to facilitate…electronic surveillance."

Both of those funding bans are a clear reaction against behavior revealed by Edward Snowden’s leaks, which have shown over the past year that the NSA subverted cryptography standards, diverted hardware shipments to plant bugs in products, and found other ways to gather raw communication data from Silicon Valley firms such as Google, Facebook, Microsoft and Apple.

Though the amendment’s bans still haven’t been mirrored in the Senate, the House vote nonetheless sends “an unambiguous statement that there’s political will to do something about the issue of unchecked NSA spying," says Parker Higgins, an activist at the Electronic Frontier Foundation, which supported a campaign to persuade citizens to call their congressman in support of the amendment.

Even if the amendment becomes law, it still wouldn’t necessarily end all federally mandated backdoors in hardware and software, cautions Matt Blaze, a computer science professor and cryptographer at the University of Pennsylvania. According to his reading of the amendment, it wouldn’t cover the FBI, for instance. “The goal is clearly important. I worry that the scope…is limited," he says. “Even when the NSA and CIA don’t request or put pressure on vendors to incorporate backdoors, other agencies, like FBI, may be in the same business."

Still, the passage of the amendment marks a serious shift in the political landscape following a year of Snowden’s spying disclosures.

NSA 3rd Parties use the Web for Spying

‘Third parties’ give NSA access to international fiber-optic cables, sharing massive amounts of phone and Internet data, new Snowden documents show. Germany and, by all accounts, Denmark, are among the partners in the NSA mass surveillance program codenamed RAMPART-A.

Top-secret NSA documents from whistleblower Edward Snowden provide insight into a new and controversial chapter in the NSA's global mass surveillance program. Under the codename RAMPART-A, ‘third party’ countries tap fiber optic cables carrying the majority of the world's electronic communications in collaboration with the NSA. These partnerships are among the NSA's most closely guarded secrets, and play a central role in the NSA’s ambition to be able to intercept any electronic communication, anywhere in the world.

It has previously been revealed that the UK monitors, records, and shares large volumes of data intercepted from the Internet backbone, which carries everything from emails to Skype calls across the globe at the speed of light. But the new documents show that a number of nations with weaker ties to the NSA – so-called “third party" partners – are more deeply involved in the NSA's global mass surveillance of individuals and organizations than previously known.

According to the Snowden documents, there are 33 third party countries. While the documents do not explicitly state which countries participate in the RAMPART-A program, details in the documents and extensive reporting point to Denmark and Germany being partners.

A large part of the Internet traffic from Russia and the rest of Scandinavia flows through Danish networks, which explains the US interest in working with the Danish authorities.

German participation in RAMPART-A can be inferred from NSA documents reported by Der Spiegel earlier this week in combination with documents seen by Dagbladet Information.

Edward Snowden made the same point earlier this year. In a statement to a European Parliament committee, he mentioned Denmark and Germany as examples of how this could be carried out.

The agency should collect data only to meet specific security and intelligence requirements, such as force protection for U.S. troops and allies, counterintelligence, counterterrorism, counter-proliferation, and combating transnational crime.

Snowden Derailed Information Sharing Efforts

A former deputy National Security Agency director said intelligence secrets leaked by Edward Snowden last June derailed legislative attempts to encourage the public and private sectors to share information about vulnerabilities in cyberspace, and said the government must do more to encourage such collaboration.

The Snowden leaks “unfairly, inappropriately, unfortunately" damaged the private sector, said Chris Inglis, the former NSA deputy.

He also said the Snowden leaks delayed legislation that would have provided companies with legal protections to share data with the government in an effort to improve security measures.

Snowden last year leaked classified NSA information that revealed an extensive web of government surveillance programs targeting electronic communications. Facing US charges for the leaks, he is living under temporary asylum in Russia.

The House and Senate Homeland Security committees also have voiced support for cyber security legislation, he said.

Hillary Clinton backs overhaul of NSA

Former secretary of state calls for the restoration of constitutional privacy protections weakened after 9/11 attacks. Hillary Clinton has thrown her weight behind political efforts to rein in US surveillance powers in her most forthright criticism yet of the National Security Agency (NSA).

The former secretary of state, who has hitherto largely stayed out of the debate sparked by leaks from NSA whistleblower Edward Snowden, called on Congress to restore constitutional privacy protections weakened after terrorist attacks on the World Trade Centre.

‘We are finally taking stock of the laws that we passed after 9/11,’ she told Fox News interviewer Greta Van Susteren. ‘We did all of this in a hurry because we were worried and scared and now we need to take a step back and figure out how we make sure that the balance between liberty and security is right.’

Clinton, who admitted in an earlier CNN interview that she had disagreed with her husband's cautious support for Snowden, defended the government's legal right to carry out some bulk collection of American data but said she now backed efforts in Congress to change the law.

The House of Representatives recently passed a version of the USA Freedom Act that seeks to outlaw the bulk collection of American data, although civil liberties campaigners worry that it has been watered down by administration lawyers and are pushing for a tougher version in the Senate.

Clinton was also scathing about the NSA's spying on the leaders of foreign allies such as Germany, and was asked whether chancellor Angela Merkel was right to be angry.

‘Yes, she should be. That was absolutely uncalled for,’ replied Clinton. ‘There is [legitimate counter-terrorism] work that we need to do with the Germans and inside Germany ... that has nothing to do with Angela Merkel's cell phone and that should be off limits.’

Super-Secure - NSA Proof - Blackphone

The much-awaited ‘NSA-proof’ smartphone with advanced security and privacy features is due to hit the market before July 2014.

Several thousand Blackphones, developed by Silent Circle in partnership with Geeksphone, have already been pre-ordered and sold out. Priced at USD 629, the smartphone runs PrivatOS, an Android-based operating system with the usual privacy compromises removed; a bundle of software and services valued at USD 879 is included at no extra cost.

Its features include privacy and security measures intended to give users confidence in their personal communications: encrypted phone calls, texts and video chats; a Virtual Private Network to anonymize the user’s web browsing; automatic disabling of all Wi-Fi except trusted hotspots; frequent security updates delivered directly by Blackphone; and secure cloud file storage from SpiderOak.

The smartphone was launched at Mobile World Congress 2014 held at Barcelona, Spain. The joint venture, SGP Technologies, touted it as ‘the world’s first smartphone, which places privacy and control directly in the hands of its users.’

Alleged ‘NullCrew’ Hacker Arrested by FBI

NullCrew is a hacktivist group founded in 2012 that has claimed responsibility for multiple high-profile computer attacks against corporations, educational institutions, and government agencies. Its members are listed as Zer0Pwn, rootcrysis, nop, and Siph0n. NullCrew is often compared to LulzSec, even though the group has lasted twice as long and is still active.

The group is led by a person using the pseudonym Null, and describes itself as supporting Wikileaks founder Julian Assange and as being against all types of corruption. FBI agents have arrested a 20-year-old Tennessee man and charged him with federal computer hacking offences for allegedly conspiring to launch cyber attacks on five organizations in 2013, including two universities and three companies in the US and Canada, federal law enforcement officials announced today.

The accused, Timothy Justin French, who goes online by the name “Orbit," is a key member of the “NullCrew" hacking collective, which has claimed responsibility for dozens of high-profile computer attacks against corporations, educational institutions, and government agencies.

NullCrew came to light in 2012 after successful cyber attacks against the World Health Organization (WHO) and the Public Broadcasting Service (PBS), which resulted in plain-text usernames and passwords being posted on Pastebin.

The group, which presents itself as part of the Anonymous hacking collective, has since 2012 carried out a number of similar high-profile cyber attacks, including a successful infiltration of servers run by the U.S. Department of Homeland Security last year.

If convicted, French faces a maximum sentence of 10 years in prison and a $250,000 fine.

The growing threat to critical infrastructure

Those responsible for protecting critical infrastructure would like to be detecting and protecting, but most find themselves mitigating, responding and recovering, on the right side of what speakers at SC Congress Toronto on Tuesday called "the boom."

Before organizations can assume a more proactive posture they must eliminate the long lag times between an incident and its detection.

While critical infrastructure faces threats from the outside, a significant number come from within. Citing the findings of a recent Repository of Industrial Security Incidents (RISI) report, Fabro noted that insiders accounted for 18 percent of the known perpetrators involved in security incidents in 2012, up one percentage point from the 17 percent recorded in 2011.

The RISI report shows that the number of incidents involving industrial computers grew sharply, by 29 percent from 2011 to 2012. The figures are even more jarring over the period between 2010 and 2012: in that two-year span the number grew 80 percent. The rise is attributed to the growing number of PCs and servers deployed in ICS applications, though their susceptibility to malware may also account for part of it, Fabro noted.

State-Sponsored Attack Breached UK Government

In a speech at the IA14 Conference this week, U.K. Cabinet Office minister Francis Maude disclosed that an attack by an unnamed “state-sponsored hostile group" resulted in the compromise of a system administrator’s account on the Government Secure Intranet.

“I can tell you of a recent case where a state-sponsored hostile group gained access to a system administrator account on the Government Secure Intranet. Fortunately this attack was discovered early and dealt with to mitigate any damage," Maude told the attendees.

Maude went on to stress that good security is a collective effort, and it is the duty of every employee from the bottom of an organization up to the leadership to practice good security habits to avoid the risk of compromise.

“There’s an onus on the most junior employee to protect his or her passwords – just as there’s an onus on the chief executive and the non-executive directors to ensure cyber security is taken seriously in board meetings," Maude said.

Beginning this October, the UK government will require all vendors bidding on contracts that involve certain types of sensitive information to participate in the new Cyber Essentials program, which certifies that companies are committed to some basic security best practices that are designed to counter the most common of threats.

Add cyber insurance to your cyber strategy

Digital information is fundamental to businesses; it’s at the core of what they do and allows them to operate effectively.

Without this digital information, businesses would not be able to build the commercial advantage that allows them to outperform and outgrow competitors and become more efficient while continuing to satisfy their regulatory and legal requirements. Yet the volume of digital information compromised through cyber attacks continues to rise, with major brands continuing to lose sensitive data and fall victim to cyber criminals.

The issue has become so serious that the Lloyd's Risk Index 2013 now puts cyber risk alongside high taxation and loss of customers as one of the three biggest concerns for senior executives.

Recent years have seen a growing demand for specialist cyber insurance to cover cyber breaches, including the cost of putting things right after an incident, and handling fines and civil claims.

A report by broker Marsh shows that the number of companies buying cover increased by a third between 2011 and 2012.

Yet despite these developments, many firms still do not make insurance part of their cyber security strategy. Only $500m worth of cyber-related premiums was paid in the US in 2013, and the market is even less mature in Europe.

As the threat of cyber attacks continues to grow, we think the turning point is due. Private sector organisations must make insurance against cyber attacks an integral part of their cyber security strategy.

Nokia 'Blackmailed For Millions Of Euros'

Nokia paid several million euros to criminals who threatened to sabotage its smartphone operating system, it has been reported.

It was claimed in a local TV report that the Finnish phone giant left the cash in a car park for the blackmailers to collect – as police looked on. But the crooks managed to slip the police tail after picking up the money, and are still at large.

The TV report claimed that hackers had obtained the cryptographic key protecting a core part of Nokia's Symbian software, and threatened to make it public. Had they done so, anyone could have written additional code that Symbian phones would accept as legitimate, including malware.
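The story above turns on a code-signing trust model: a platform accepts code whose signature verifies under a trusted key, so whoever holds the private key can make the platform accept anything. The following is an added example, not code from the original page and not Symbian's actual signing format or Nokia's own mechanism; it uses Ed25519 as a stand-in for the platform key, and the package layout, key IDs, application names and "trojan" payload are all constructed for illustration. It walks through a legitimate install, a tampered package, malware signed with the leaked key, and what revoking and rotating the key does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package is a stand-in for a signed installer (hypothetical layout): the app
// name, its code, the ID of the key that signed it, and an Ed25519 signature
// over all three.
type Package struct {
	Name  string
	Code  []byte
	KeyID string
	Sig   []byte
}

// digest binds name, code and key ID into one signed message, length-prefixing
// each field so that bytes cannot be shifted from one field into another.
func digest(name string, code []byte, keyID string) []byte {
	h := sha256.New()
	for _, field := range [][]byte{[]byte(name), code, []byte(keyID)} {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(field)))
		h.Write(n[:])
		h.Write(field)
	}
	return h.Sum(nil)
}

// Sign produces a package that an Installer trusting keyID will accept.
func Sign(priv ed25519.PrivateKey, keyID, name string, code []byte) Package {
	return Package{Name: name, Code: code, KeyID: keyID,
		Sig: ed25519.Sign(priv, digest(name, code, keyID))}
}

// ErrUntrusted is returned when a package carries no valid signature from a trusted key.
var ErrUntrusted = errors.New("install refused: no valid signature from a trusted key")

// Installer models the platform's trust store of code-signing public keys.
type Installer struct {
	trusted map[string]ed25519.PublicKey
}

// Install accepts a package only if its signature verifies under a trusted key.
func (in *Installer) Install(p Package) error {
	pub, ok := in.trusted[p.KeyID]
	if !ok || !ed25519.Verify(pub, digest(p.Name, p.Code, p.KeyID), p.Sig) {
		return ErrUntrusted
	}
	return nil
}

// Trust adds a signing key; Revoke removes one, e.g. after it has leaked.
func (in *Installer) Trust(keyID string, pub ed25519.PublicKey) { in.trusted[keyID] = pub }
func (in *Installer) Revoke(keyID string)                      { delete(in.trusted, keyID) }

// Scenario walks through the blackmail story and reports whether each install
// was accepted: a vendor package, a tampered copy, malware signed with the
// leaked key, the same malware after revocation, and a re-signed package.
func Scenario() (vendorOK, tamperedOK, leakedOK, afterRevokeOK, rotatedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	in := &Installer{trusted: map[string]ed25519.PublicKey{"platform-key-1": pub}}

	// 1. The vendor signs a real application; the installer accepts it.
	app := Sign(priv, "platform-key-1", "Maps", []byte("legitimate application code"))
	vendorOK = in.Install(app) == nil

	// 2. Code altered after signing no longer matches the signature.
	tampered := app
	tampered.Code = []byte("legitimate application code + injected payload")
	tamperedOK = in.Install(tampered) == nil

	// 3. The private key leaks. The attacker signs a trojan with it and the
	//    installer, which only checks that the key is trusted, accepts it.
	trojan := Sign(priv, "platform-key-1", "FreeRingtones", []byte("premium-rate dialer"))
	leakedOK = in.Install(trojan) == nil

	// 4. Response: revoke the leaked key and issue a new one. The trojan is now
	//    refused, but so is everything else signed with the old key, so
	//    legitimate packages have to be re-signed under the new key.
	in.Revoke("platform-key-1")
	afterRevokeOK = in.Install(trojan) == nil
	pub2, priv2, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	in.Trust("platform-key-2", pub2)
	rotatedOK = in.Install(Sign(priv2, "platform-key-2", app.Name, app.Code)) == nil
	return
}

func main() {
	v, t, l, r, n := Scenario()
	fmt.Printf("vendor package accepted:          %v\n", v)
	fmt.Printf("tampered package accepted:        %v\n", t)
	fmt.Printf("trojan signed with leaked key:    %v\n", l)
	fmt.Printf("trojan after key revocation:      %v\n", r)
	fmt.Printf("re-signed package after rotation: %v\n", n)
}
```

Step 3 is the whole of the blackmail threat: signature verification cannot distinguish the vendor from anyone else holding the key. Step 4 shows why a leaked platform key is so costly in practice: revocation also invalidates every legitimate package ever signed with it, and devices in the field must learn the new key before re-signed packages will install.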

Nokia contacted police before agreeing to deliver the cash to a car park in Tampere, central Finland. After the money was picked up, police lost track of the culprits. The blackmail attempt happened in 2008, but has only just been revealed.

Nokia later moved to Microsoft's Windows software in its smartphones, and its phone arm has since been sold to the software giant.

Nokia has refused to comment.

Social media surveillance is legally okay, says British counter-terrorism official

If you’re opposed to mass surveillance, the plot just thickened. Privacy International reports that a top British counter-terrorism official has revealed a UK Government policy that is used to justify social media snooping within legal parameters.

The statement came from Charles Farr, Director General of the Office for Security and Counter Terrorism, who claimed that the indiscriminate interception of UK residents’ Facebook and Google communications would be permitted under law because they are defined as ‘external communications,’ according to Privacy International.

This revelation comes after Privacy International, a UK-registered charity that’s “committed to fighting for the right to privacy across the world", joined forces with Liberty, Amnesty International, the American Civil Liberties Union, Bytes for All, and another five civil liberties organizations to launch a legal challenge following former NSA contractor Edward Snowden’s revelations about the UK’s global digital surveillance activities.

The Investigatory Powers Tribunal will hear the challenge between July 14 and 18.

The full web site is currently under development and will be available during 2014