Cyber Security Intelligence

July Newsletter #2 2014

New NSA leaks show how US bugs European allies

US intelligence services are spying on the European Union mission in New York and its embassy in Washington, according to the latest top secret US National Security Agency documents leaked by the whistleblower Edward Snowden.

One document lists 38 embassies and missions, describing them as "targets". It details an extraordinary range of spying methods used against each target, from bugs implanted in electronic communications gear to taps into cables to the collection of transmissions with specialised antennae.

Along with traditional ideological adversaries and sensitive Middle Eastern countries, the list of targets includes the EU missions and the French, Italian and Greek embassies, as well as a number of other American allies, including Japan, Mexico, South Korea, India and Turkey. The list in the September 2010 document does not mention the UK, Germany or other western European states.

One of the bugging methods mentioned is codenamed Dropmire, which, according to a 2007 document, is "implanted on the Cryptofax at the EU embassy, DC" – an apparent reference to a bug placed in a commercially available encrypted fax machine used at the mission. The NSA documents note the machine is used to send cables back to foreign affairs ministries in European capitals.

The documents suggest the aim of the bugging exercise against the EU embassy in central Washington is to gather inside knowledge of policy disagreements on global issues and other rifts between member states.

The new revelations come at a time when there is already considerable anger across the EU over earlier evidence provided by Snowden of NSA eavesdropping on America's European allies.

Germany's justice minister, Sabine Leutheusser-Schnarrenberger, demanded an explanation from Washington, saying that if confirmed, US behavior "was reminiscent of the actions of enemies during the cold war".

The German magazine Der Spiegel reported at the weekend that some of the bugging operations in Brussels targeting the EU's Justus Lipsius building – a venue for summit and ministerial meetings in the Belgian capital – were directed from within Nato headquarters nearby.

The US intelligence service codename for the bugging operation targeting the EU mission at the United Nations is "Perdido". Among the documents leaked by Snowden is a floor plan of the mission in midtown Manhattan. The methods used against the mission include the collection of data transmitted by implants, or bugs, placed inside electronic devices, and another covert operation that appears to provide a copy of everything on a targeted computer's hard drive.

The eavesdropping on the EU delegation to the US, on K Street in Washington, involved three different operations targeted on the embassy's 90 staff. Two were electronic implants and one involved the use of antennas to collect transmissions.

Although the latest documents are part of an NSA haul leaked by Snowden, it is not clear in each case whether the surveillance was being exclusively done by the NSA – which is most probable as the embassies and missions are technically overseas – or by the FBI or the CIA, or a combination of them. The 2010 document describes the operation as "close access domestic collection".

The operation against the French mission to the UN had the cover name "Blackfoot" and the one against its embassy in Washington was "Wabash". The Italian embassy in Washington was known to the NSA as both "Bruneau" and "Hemlock".

The eavesdropping of the Greek UN mission was known as "Powell" and the operation against its embassy was referred to as "Klondyke".

Ex-NSA chief under scrutiny over secrets leak

Former head of the NSA General Keith Alexander is under scrutiny following revelations that in negotiations with the financial industry, his security company has asked for consultancy fees ranging from $1 million to $600,000.

Last year, former NSA contractor Edward Snowden leaked confidential documents to the media, which detailed the US government's surveillance activities, ranging from wiretapping to mass data collection. This not only damaged the general public's trust in the government, but also caused an international relations storm. President Obama promised reforms, but the damage was done — and the NSA has been in the hot seat ever since.

Alexander weathered most of the storm, but eventually retired in March from both the NSA and US Cyber Command to set up a CyberSecurity firm, IronNet Cybersecurity Inc.

US officials have previously claimed that cybercrime is the "top threat" facing the United States — overtaking terrorism as a priority — but this doesn't take away the fact that cyberdefence is now a very lucrative business as companies and organizations scrabble to protect themselves from frequent and often devastating cyber campaigns.

This month, it emerged that Alexander was pitching his company's services to financial institutions for as much as $1 million a month. In an interview, Alexander said "it would be devastating if one of our major banks was hit, because they’re so interconnected," and so has met with large banking trade groups to offer his firm's services.

According to Bloomberg, Alexander offered the Securities Industry and Financial Markets Association, known as Sifma, advice for $1 million a month — a price that later dropped to $600,000 in private negotiations.

However, IronNet Cybersecurity has come under scrutiny because of these high consultancy fees, and Representative Alan Grayson (D-FL) is pushing for a formal investigation into the activities of the former NSA chief.

There is no evidence of any wrongdoing by the former intelligence chief, but in letters to Sifma (PDF), Grayson notes such excessive fees are likely to be seen as unreasonable, and questions whether Alexander would have any information of this value for the financial industry without disclosing secrets learned through his governmental work.

Microsoft launches Interflow to pool threat data in the cloud

Microsoft has launched a private preview of a security and threat information exchange service called Microsoft Interflow.

The service will produce machine-readable threat reports that are published in real-time across networks. Microsoft believes that automating this process will reduce end-user costs.

Microsoft Interflow runs on Microsoft's Azure cloud service, and can be rolled out and scaled in minutes across the Microsoft Active Protections Programme (MAPP), which the company launched in 2008 to incubate a sharing culture between security software companies.

Interflow has a plug-in architecture enabling it to integrate with existing systems easily, and relies on common formats for improved interoperability. Microsoft believes that proprietary approaches to threat management have delayed the establishment of an orchestrated threat monitoring system.

Microsoft has announced that it will share its own CyberSecurity intelligence for the duration of the private preview. At present, network managers are invited to talk to their contact within Microsoft if they wish to join.

Microsoft recently found a vulnerability in its own anti-malware engine that caused a denial of service, prompting the company to release an out-of-cycle patch.

Cloud security: Firms worrying over the wrong issues?

Even though many businesses have been using the cloud in some form for years now, real or imagined security fears persist as the biggest single issue hampering wider adoption.

Companies are still hung up on questions such as the physical location of their data in the cloud, as much for emotional reasons as for regulatory compliance, a recent Dell round-table event in London heard.

"The irony is that most of these organisations will be using outsourced development teams in India, who probably have access to live production instances and have access to all the data anyway," technical lead for Dell's EMEA information security practice Don Smith said.

He said that one of Dell's largest European customers is in Finland, which shares a robust approach to data protection with Germany.

"They're very happy for their data to be flowing to the US. They're mature about it. They realise that if an intelligence agency wants to access their stuff, whether it's Finnish, British or American, they're going to get it. Let's be big boys about it," Smith said.

"They are far more comfortable with being secure and getting good services than they are with a fallacious argument about where their data flows to."

New European data protection rules that could be in place in 2015 will provide an opportunity for vendors, according to O'Conor, DLA Piper UK managing partner.

"If you go to Germany, it's fortress Germany, or CNIL in France, or a slightly more liberal, relaxed attitude in the UK. So that should go. If you're a vendor, you're talking to your US customers and saying, 'It's one set of rules, 28 member states. Here's how it's going to be'."

Dell EMEA director of cloud services Nick Hyner said the company is setting up partnerships in a number of countries to address the demands for cloud services to be delivered locally.

"It's often not lawyers' perception. People say, 'I want it in my own country'. They actually sometimes can't be bothered to be bothered about all the legal stuff: 'I want to be able to go to the data centre and the backup'," he said.

Companies are interested in encrypting all data sent to the cloud to address data protection issues but their fundamental concern in this context should be the location and ownership of encryption keys, Dell's Don Smith said.

"If you're going to stick data in the cloud and you're going to encrypt, who's got the keys? Does the provider have the keys, does an escrow agency have the keys or do you have the keys?" Smith said.

Because the response to many cloud security questions is emotional rather than rational, Smith said he wished the Americans had given the Patriot Act a less interesting name.

"Ours isn't called the Union Jack Act. It's called the Regulation of Investigatory Powers Act. If theirs was called the really boring investigatory act, no one would be talking about it in Europe," Smith said.

"But the fact they called it the Patriot Act — they might as well have called it the Stars and Stripes Act. The UK government has exactly the same powers. If they want something, they can get it."

"Google Analytics is the biggest privacy breach in the universe, where they're giving away the web master tools. More than 50 percent of websites globally are feeding back everyone's surfing habits to Google so that they can then use it to target advertising. That's insidious."

Sensors help keep smartphone data secure

Researchers are making a smarter "kill switch" for phones that knows when a gadget is in the hands of a thief.

Software on the phone watches how you use your phone to build a portrait of your "normal" behavior.

The software logs which apps were used and when, where the phone goes as well as more subtle indicators such as how the phone is held.

The software quickly spots if a phone is not being used by its owner and shuts down to stop data being stolen.

Swipe security

"We're leveraging the predictability in our everyday lives," said Dr Gunes Kayacik who is heading the research project at the Interactive and Trustworthy Technologies Group of Glasgow Caledonian University.

Phone-owners use different apps at different times of the day and the patterns of use are usually linked to the same locations, said Dr Kayacik.

Using seven separate sources of data generated by a phone it becomes possible to quickly build up a profile of a smartphone owner's typical behavior, he said.

Profiling software developed by the Glasgow team logs the apps being used, the base stations the phone talks to and which wi-fi networks are nearby, as well as ambient data about noise, light, magnetic fields and the handset's orientation and location.

Early versions of the behaviour-logging software currently take a few days to build up a profile of average use, said Dr Kayacik. The software gets better at spotting its real owner the longer it runs.

"We look at when the applications are being used and where," he said. "If a phone is being used out of place and out of time we can detect it."

As well as acting as an anti-theft device, the software can also be used as a guarantor of identity when people use their phones to shop online or send messages to friends and family.

Prof Lynn Baillie said the software could be used in place of the Pin and screen-swipe systems currently used to safeguard phones against unauthorised use.

Research suggests people have to swipe or tap in their Pin up to 100 times a day just to unlock their handset and use it, she said.

That system is so cumbersome many people do not bother with any security measures at all, said Prof Baillie.

By contrast, the behaviour modeling system would keep a phone unlocked as long as it was in the hands of its owner, she said.

Mobile security expert Nigel Stanley of consultancy Open Sky said the Glasgow research looked "interesting".

"However," he said, "we need to think about the privacy implications of putting into practice such monitoring - is it sent back to a central site for processing or is it simply used locally on the device?"

Digital News Finally As Popular As Newspapers In The UK

Reports of the death of print have been greatly accelerated, judging by research from UK telecoms watchdog Ofcom.

The research has found that in the UK digital news, consumed via apps or websites, has only just reached parity with news consumed via ink and dead trees.

Yep those old media newspaper thingies are surprisingly sticky — and not just in the way their column inches adhere to one’s fingers.

Ofcom found that around 41% of people say they now access news on websites and apps — up significantly from around a third (32%) last year.

But despite digital news’ rising popularity, rates of newspaper usage are remaining steady overall — unchanged at four in 10 people (40%), year on year. However Ofcom’s report does note a decline in print readership “particular among the under-35s” over the past year.

Both newspapers and apps still massively trail the UK’s main source of news: the TV, although once you segment Brits by age then digital platforms come out as the primary news source for the younger age group (16 to 24).

Overall, Ofcom found that 75% of respondents identified the TV as their primary news source, down slightly from 78% in 2013. The research also notes a fall in people saying a particular TV channel is their most important source for news (down to 54% from 62% in 2013).


Ofcom says the rising popularity of digital news is being driven by increased mobile and tablet usage among younger Brits.

Some 60% of these younger Brits said they are consuming digital news in 2014, up from 44% last year. And around 45% of this age group said websites or apps are their most important sources for news, up from 30% in 2013.

The research also found that young Brits are 10x more likely than those aged 55 and over to access news on a mobile (40% vs just 4%), and twice as likely to access news via a tablet (15% vs 7%).

The converse is true when it comes to TV news — with older Brits consuming considerably more hours per year of TV news than younger Brits. Ofcom found that the over 55s watch an average of 196 hours of TV news each year vs just 27 hours for 16-24 year olds, who in turn watch 88 fewer hours of TV news than the average UK adult (115 hours a year).

The findings tally with the concept of the disintermediation of traditional news media channels as usage of on-demand digital services rises – so younger users are more likely to adopt flexible digital platforms as their primary news sources, while older generations retain more of a link to the linear media delivery pipelines they grew up with.

In terms of which digital news sources Brits are using, the most common method of accessing news online is reading news stories — up to 60% from 54% last year — while reading comments or articles on blogs or social media has decreased slightly, to 23%, from 27%, according to the findings.

Social media sites (Facebook and Twitter) are used as a news source by a fifth (20%) of online news users, while 19% said they use search engines to find news.

Overall news aggregators are used by 15% of online news users, which is down from 25% in 2013 — with Ofcom suggesting some of that drop could be attributable to the closure of Google Reader.

More specifically, the BBC website or app is the most popular news source identified by online news consumers – used by 59% — followed by Google’s search engine (used by 18% for news); and then Facebook (17%) and the Sky News website or app (17%).

Ofcom’s findings are based on a survey of 2,731 people across the UK conducted in March/April of this year.

NSA granted extension to collect phone data

The US National Security Agency (NSA) has been granted an extension of 90 days to continue collecting US citizens' phone records in bulk, despite new legislation to end the practice.

An application to reauthorise the controversial data collection programme was approved by the Foreign Intelligence Surveillance Court (FISC).

The approval was confirmed in a joint statement by the US Justice Department and the Office of the Director of National Intelligence.

In May, the House of Representatives passed the USA Freedom Act to create a new mechanism for the government to obtain this phone metadata.

The new legislation gives access to metadata only through individual orders from the FISC, rather than in bulk. It also prohibits bulk collection by using trap and trace devices, and national security letters.

But the joint statement notes that the government applied for the extension in view of the fact that the new legislation has not yet been enacted. It is still awaiting approval by the Senate.

The bulk collection of phone metadata in the US by the NSA was first disclosed in June 2013 by whistleblower Edward Snowden, provoking strong criticism from civil liberty groups.

The latest extension to the bulk collection programme is the fifth since it was made public, according to The Guardian.
