Cyber Security Intelligence


July Newsletter #3 2014

MH370: New evidence of cockpit tampering as investigation into missing plane continues

Investigations into the missing Malaysia Airlines flight MH370 have revealed apparent tampering of systems in the cockpit

Air crash investigators probing the disappearance of Malaysia Airlines MH-370 have discovered possible new evidence of tampering with the plane's cockpit equipment.

A report released by Australian air crash investigators has revealed that the missing Boeing 777 suffered a mysterious power outage during the early stages of its flight, which experts believe could be part of an attempt to avoid radar detection.

Photo caption: MH370 underwater search areas planning map. A new underwater search will begin in August and cover about 23,000 square miles. Photo: JACC

According to the report, the plane's satellite data unit made an unexpected "log-on" request to a satellite less than 90 minutes into its flight from the Malaysian capital, Kuala Lumpur, to the Chinese city of Beijing. The report says the log-on request - known as a "handshake" - appears likely to have been caused by an interruption of electrical power on board the plane.

"A log-on request in the middle of a flight is not common," said the report, by the Australian Transport Safety Bureau. "An analysis was performed which determined that the characteristics and timing of the logon requests were best matched as resulting from power interruption."

David Gleave, an aviation safety expert from Loughborough University, said the interruption to the power supply appeared to be the result of someone in the cockpit attempting to minimise the use of the aircraft's systems. The action, he said, was consistent with an attempt to turn the plane's communications and other systems off in an attempt to avoid radar detection.

"A person could be messing around in the cockpit which would lead to a power interruption," he said. "It could be a deliberate act to switch off both engines for some time. By messing about within the cockpit you could switch off the power temporarily and switch it on again when you need the other systems to fly the aeroplane."

Inmarsat, the company that officially analysed flight data from MH370, has confirmed the assessment but says it does not know why the aircraft experienced a power failure.
"It does appear there was a power failure on those two occasions," Chris McLaughlin, from Inmarsat, told The Telegraph. "It is another little mystery. We cannot explain it. We don't know why. We just know it did it."

The report released by Australian authorities has revealed that the Boeing 777 attempted to log on to Inmarsat satellites at 2.25am, three minutes after it was detected by Malaysian military radar.

This was as the plane was flying north of the Indonesian island of Sumatra. The aircraft had already veered away from the course that would have taken it to its destination of Beijing, but had not yet made its turn south towards the Indian Ocean.

The aircraft experienced another such log-on request almost six hours later, though this was its seventh and final satellite handshake and is believed to have been caused by the plane running out of fuel and electrical power before apparently crashing, somewhere in the southern Indian Ocean. The other five handshakes were initiated by the satellite ground station and were not considered unusual.

Asked whether the power interruption could have been caused by a mechanical fault, Mr Gleave said: "There are credible mechanical failures that could cause it. But you would not then fly along for hundreds of miles and disappear in the Indian Ocean."

Another aviation expert, Peter Marosszeky, from the University of New South Wales, agreed, saying the power interruption must have been intended by someone on board. He said the interruption would not have caused an entire power failure but would have involved a "conscious" attempt to remove power from selected systems on the plane.

"It would have to be a deliberate act of turning power off on certain systems on the aeroplane," he said. "The aircraft has so many backup systems. Any form of power interruption is always backed up by another system.

"The person doing it would have to know what they are doing. It would have to be a deliberate act to hijack or sabotage the aircraft."

An international team in Malaysia investigating the cause of the crash has not yet released its findings formally, but has indicated it believes the plane was deliberately flown off course. The plane disappeared on March 8 with 239 passengers aboard but an international air, sea and underwater search has failed to find any wreckage.

The Australian report added that the plane appeared to have flown on autopilot across the Indian Ocean and that the crew and passengers were likely to have been unresponsive due to lack of oxygen during the southward flight.

It has recommended an underwater search in an area about 1,100 miles west of Australia, around the location where the plane's seventh "handshake" is believed to have occurred.
The report also notes that the plane's in-flight entertainment system delivered a satellite message 90 seconds after the first power failure but not after the second failure hours later. This, it says, "could indicate a complete loss of generated electrical power shortly after the seventh handshake".

The new underwater search will begin in August and cover about 23,000 square miles. It is expected to take up to a year.

A third of boards are in the dark on cyber defence status

Cyber resilience is increasingly overtaking cyber security as companies’ prevailing defensive objective. Despite daily reports of financial losses and reputational damage as a result of cyber breaches, a high proportion of boards are still in the dark as to the current state of their companies’ cyber defences.

This is a key finding of ‘Boardroom Cyber Watch 2014’, the second annual international survey of senior executive opinion conducted by IT Governance.

32.5% of respondents said their boards receive no regular reports on how their organisation is developing and implementing its cyber defence strategy.


Nevertheless, there are signs of progress, according to the international sample of 240 board directors, IT directors and other technology professionals polled by IT Governance in April and May 2014.

While 38% of the respondents who did receive a board report on cyber defences said this information is provided only annually or less than annually, the other 62% received this at least monthly – up from 48% in last year’s study.

The survey also suggested that the quality of cyber-security reporting to the board is an area requiring improvement, with 21% of respondents believing their company’s board reports fail to provide the information necessary to take decisions, while another 28% were unsure if adequate information is provided.

An additional area of concern is the quality of communication between the IT function and the board. According to the survey, almost a third of respondents (29%) believed that fear of retribution could be discouraging the IT department from fully disclosing details of cyber breaches to top management.

“The lack of boardroom insight into cyber threats revealed by our survey may partly explain the reluctance of some companies to give up outdated security goals,” said Alan Calder, founder and executive chairman of IT Governance.

“This situation is underlined by the fact that 38% of respondents still say their objective is to prevent all cyber-attacks, an aspiration which will strike many information security professionals as unrealistic or even naive.”

Highlighting this sea change, the report revealed that 51% of respondents now accept that cyber security on its own is no longer adequate to ensure business sustainability, and that some attacks will inevitably succeed.

Other findings in the survey included the importance of information security to customers. Some 55% of respondents said customers have enquired about their infosec credentials in the past 12 months. This situation contrasts with 50% in the 2013 study, indicating rising demand for documented compliance with best practice standards such as ISO 27001.

Finally, the role played by governments in pushing businesses to demonstrate assurance was highlighted by the report.


Asked if they believed that their country’s government was taking cyber security seriously enough and providing sufficient support for companies to tackle this growing threat, about the same percentage of respondents – 42% – answered yes as no.

“Breaking the figures down further, a marked difference of opinion between the UK and the US has come to light, with British respondents revealing more trust in their government’s tackling cyber threats than that of their US counterparts,” said Calder.

“While only about 28% of Americans expressed confidence in their government, approximately 51% of Britons did so. This endorsement perhaps reflects the recent official launch of the UK government’s 2014 Cyber Essentials Scheme, which aims to help businesses address cyber security and demonstrate assurance.”

Efforts to detect terrorism hampered by mass surveillance, says former NSA technical director

The US National Security Agency (NSA) is collecting too much intelligence data to analyse, one of its former technical directors has warned.

As a result, the agency could be missing indications of the very terrorist threats it is attempting to counter.

Bill Binney is the former technical director of an NSA research unit that developed a targeted data acquisition programme, Thinthread, which was later shelved in favour of bulk data collection.

But the NSA’s decision to harvest “everything” has swamped its analysts, causing them to miss vital intelligence, Binney said in an interview with Computer Weekly.

“That’s the problem,” said Binney. “They’re basically buried in information and that’s why they can’t succeed.”

Shortly after 9/11, Binney’s fellow NSA whistleblower, Thomas Drake, used elements of Binney’s programme to discover that the NSA had suppressed a report on Al Qaeda’s movements in the US before the attack on the twin towers.

He also found that the NSA had withheld key monitoring data on Al Qaeda.
“Make no mistake,” Drake wrote in an open letter to President Obama, “that data and the analytic report could have, should have, prevented 9/11.”

Drake’s discovery led to an immediate clampdown. “In spring 2002, the remnants of Thinthread were unceremoniously put on the shelf in NSA’s ‘Indiana Jones’ data warehouse, never to be seen again,” Drake wrote.

Monitoring could have detected Snowden

It would have been harder for whistleblowers like Edward Snowden to leak information under Thinthread – and unnecessary, claimed Binney.

The project included an internal monitoring system that would have picked up a mass download such as Snowden's on the spot. “We’d have known as soon as he started doing it.”
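Binney's claim above is that an internal monitoring system could flag a mass download as it happened. The following Python is an added illustration of what such a check looks like in practice; it is not a description of Thinthread, whose design the article does not detail. It compares each user's daily read volume with that user's own recent baseline and with an absolute ceiling. The log format and every log line are constructed for the example.

```python
"""Bulk-download detection over file-access logs.

Added example, not Thinthread's design. The log format and lines are constructed.
Two rules: (1) a user's volume today is far above that user's own median of
earlier days; (2) a user's volume today exceeds an absolute ceiling regardless
of history. Rule 2 exists because a first-seen user has no baseline."""
import re
import statistics
from collections import defaultdict

# Constructed log format: "<date> <time> user=<name> action=read bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ user=(?P<user>\S+) action=read bytes=(?P<bytes>\d+)"
)

# Constructed sample: four quiet days for alice and mallory, then a fifth day on
# which mallory reads roughly 500 MB in a few minutes at 02:00. bob appears for
# the first time on day five, so he has no baseline at all.
SAMPLE_LOG = """\
2014-05-12 09:14:02 user=alice action=read bytes=2048000
2014-05-12 11:40:51 user=mallory action=read bytes=3072000
2014-05-13 08:55:10 user=alice action=read bytes=1536000
2014-05-13 14:03:27 user=mallory action=read bytes=2560000
2014-05-14 10:10:10 user=alice action=read bytes=2200000
2014-05-14 16:45:00 user=mallory action=read bytes=2900000
2014-05-15 09:30:00 user=alice action=read bytes=1900000
2014-05-15 13:20:00 user=mallory action=read bytes=3300000
2014-05-16 09:05:00 user=alice action=read bytes=2100000
2014-05-16 02:11:00 user=mallory action=read bytes=150000000
2014-05-16 02:12:00 user=mallory action=read bytes=180000000
2014-05-16 02:13:00 user=mallory action=read bytes=170000000
2014-05-16 02:14:00 user=bob action=read bytes=3000000
this line is malformed and must be skipped, not crash the parser
"""


def parse_log(text):
    """Aggregate bytes read per user per day: {user: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines; a detector must not fall over on noise
        totals[m["user"]][m["day"]] += int(m["bytes"])
    return totals


def detect_bulk_downloads(totals, day, spike_factor=10, abs_ceiling=1_000_000_000):
    """Return [(user, bytes_today, [reasons])] for users worth alerting on `day`.

    spike_factor: how many times the user's own median daily volume counts as a spike.
    abs_ceiling:  bytes/day that is always alert-worthy, baseline or not.
    """
    alerts = []
    for user, by_day in totals.items():
        today = by_day.get(day, 0)
        if today == 0:
            continue
        history = [b for d, b in by_day.items() if d < day]  # ISO dates sort as strings
        reasons = []
        if today > abs_ceiling:
            reasons.append("absolute-ceiling")
        if history:  # only users with prior days get the relative rule
            baseline = statistics.median(history)
            if today > spike_factor * baseline:
                reasons.append(f"spike x{today / baseline:.0f}")
        if reasons:
            alerts.append((user, today, reasons))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_bulk_downloads(parse_log(SAMPLE_LOG), "2014-05-16"):
        print(alert)
```

A day-sized window is too coarse for the "on the spot" detection Binney describes; the same two rules work unchanged over hourly or minute windows, which is where a real deployment would put them. The absolute ceiling matters most for accounts with little or no history, since a relative rule alone cannot say anything about a first-seen user.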

Binney used automated analysis-based targeting to restrict collection to legal and necessary data in Thinthread.

Today, the NSA is deploying upstream collection on major fibre optic lines, in conjunction with major telecoms companies, to collect data on a huge scale.

NSA surveillance affects three billion people 

Binney estimates that US blanket surveillance has affected between two and three billion people worldwide.

The NSA has built a centre in Bluffdale, Utah, complete with a cutting-edge supercomputer and costing at least $1.5bn, to store this bulk raw data.

The NSA has been criticised in the US for targeting US citizens and foreigners in breach of the US Constitution.

Surveillance abroad may also be illegal under the respective national laws, including in the UK.

Dangers of reconstructing evidence from illegal surveillance

Evidence obtained by the NSA and other government agencies through illegal covert surveillance is not admissible in US courts.

They must reconstruct it through a method known as parallel construction, a process that prevents legal discovery by defence lawyers, said Binney.

Binney claims there is a risk that the NSA data could be selectively mined to imprison people seen as political threats to the establishment, particularly under new legislation enabling suspected terrorists to be subject to indefinite military detention.  

Members of Congress have attempted to remove funding from the NSA’s collection programme amid concerns about its effectiveness and its legality. 

“And the reason they did it,” said Binney, “was they found they weren’t being told the truth by the intelligence committees inside Congress. So Congress is lying to [itself] about what’s going on. It’s not just the agencies which are lying to Congress [and] to everybody else.”

Migrating to the Cloud? 4 Key Steps

Insurers already immersed in the cloud share their steps to success.

In a few years’ time cloud may simply become the way things are done and those insurers that move more quickly to embrace it will gain a competitive lead that others may struggle to match. 

Insurance companies already immersed in the cloud agree and cite a variety of benefits they are already seeing. Here are their suggestions to getting there. 

1. Pinpoint the specific applications that can benefit from cloud, and whether the time is right for “cloudifying” those applications. “Create a prioritized list of what should go to the cloud and when,” says a report from Accenture. “Security and regulatory concerns undoubtedly will play a major role in determining which apps can move to the cloud and which likely will always have to remain in-house. However, another determinant is the lifecycle of the app. If an insurer knows that one of its apps is due for a major upgrade program, replacement or retirement within the next two years, that could be the trigger point to move to the cloud.”

2. Work closely with the business to set priorities. For example, disaster recovery and business continuity are important benefits to the cloud, and the business needs to decide what has to be continuously up and available in the event of an incident. “The ability to respond very quickly to an event has a higher cost,” says Paul Brissette, director of corporate accounting for National Life. “There’s a cost to cloud in general – an insurance cost based on what could happen to your systems and the benefit cloud would provide.”

3. Form a close relationship with cloud vendors, just as you would with an on-premises software vendor. “You need to be able to trust your vendor, and make sure they’re knowledgeable about your business, not just their own,” says Marianne Petillo, president and CEO of ROM Reinsurance. In addition, she adds, it’s important to explore the vendor’s business model and its own IT strategy. “You want to know who are they using to maintain their systems – are they doing it themselves, or is it a third party? If it’s a third party, what kind of protection will they agree to provide your data? Talk to them about their policy with respect to downtime and recovery.” In addition, the ability to handle a well-integrated mission-critical app requires “a well-thought-out, tighter relationship between organizations,” adds Gary Ramunni, senior project manager at Penn Mutual. This ensures “that the provider is fully in tune with the needs of the consumer, and that no gaps have been left or disconnects in service-level expectations exist.”

4. Establish a clear governance structure for cloud computing. Cloud policies and reporting lines should be the same as those established for on-premises arrangements. “Many organizations have rules and structures in place that govern how IT decisions are shared between departmental leaders and IT executives,” the Accenture report states. “Use these to define who inside and outside IT should be engaged in cloud computing decisions.”

Tackling the Big IT Challenges

Advice on some of the biggest challenges facing insurance IT executives was offered during a town hall meeting at the recent IASA conference, as an expert panel along with audience members shared guidance on data security, cloud computing, and recruiting and retaining talent.

The panel, which was moderated by Rod Travers, EVP at management consulting firm Nolan Co., included GPM Life IT director Gregory Lawler, Agile Technologies’ partner John Johansen, former insurer IT exec and now Smart Design managing director Anil Chacko, and Travelers VP Douglas Ramsey.

One of the first topics the group tackled was security. As Nolan pointed out, in an ultra-connected world, the risks continue to rise.

Insurance IT executives, however, face some industry-specific obstacles to building a solid data defense. For instance, carrier tech execs need to overcome the nature of the insurance business itself, according to consultant Chacko. Insurance is heavily regulated and CEOs often think that if their company is in compliance with current security regulations, their work is done and their companies are safe. Their thinking is “we’re secure, let’s move on” to other business, he said. But, of course, just because a firm is in compliance doesn’t mean it’s taken every step it can to safeguard its information assets, Chacko said.

Another challenge, said GPM Life’s Lawler, is that companies put a lot of time, effort and money into guarding against outside threats, when oftentimes the threat lies inside the company.
There are also cultural challenges, said Johansen. When walking into a new client’s business, he said, a consultant can often tell which organizations are very security focused and which ones aren’t. For instance, he said he has a client that doesn’t allow laptops to be stored at work. The company has determined that if someone breaks in and steals its laptops, there’s a good chance the thief is after sensitive data. However, if a laptop is stolen from an employee’s home, it believes the crook isn’t interested in corporate information.

So, how can insurers better protect themselves?

One member of the audience said companies need to do a better job with basic blocking and tackling, such as deploying the right security tools. This includes intrusion detection and data leak protection. “You have to monitor what’s coming in. But you also have to monitor what’s going out,” he said.

Chacko added that companies need to have the right security policies in place – and to hold people accountable when something goes wrong.

Another audience member asked where the buck stops when it comes to data security; with the board and CEO, Chacko said. It’s their job to make sure everything is protected. But, as Travelers’ Ramsey said, if something does happen, the CIO always pays for it.

As Nolan noted, however, when it comes to security, “there is no silver bullet.”

The topic then switched to cloud computing, with the first question being what a hosted environment should be used for and what it shouldn’t.

There was quick discussion on why policy administration systems are probably too heavy a lift to be put into the cloud and agreement that, as demonstrated by customer relationship management and payroll applications, there are plenty of other uses of the cloud that have a proven track record of providing computing efficiencies.

The issue of public versus private clouds was then raised. Both public and private clouds enable companies to access applications over the Internet, but, with a private cloud, the applications’ servers aren’t shared with other parties. In addition, the applications usually reside on virtualized servers, allowing the owner to add or reduce capacity as needed.

Big companies want to use a private cloud for the flexibility it offers, said consultant Johansen, while small and midsize companies, he said, see public clouds as an option, but not for sensitive data.

The cloud discussion then turned to data governance. An audience member asked if a separate governance program was needed for the cloud. Johansen said if an organization has a mature governance model, it’s probably in pretty good shape.

Nolan then switched the topic to recruiting.

He cited a McKinsey & Co. report released earlier this year that listed where the consultancy saw the most pressing IT talent needs, the top five of which were skills in analytics and data science, joint business and IT expertise, mobile or online development, enterprise application architecture, and cloud and distributed computing.

Insurers are competing with many other industries for people with those competencies.
Travelers’ Ramsey offered that to attract talent, insurers need to be mindful of the employee experience. It’s important to get an “end-to-end talent engine going,” and that includes good on-boarding, good coaching, and meeting employee needs. And, he said, companies have to be ready for young employees to leave.

Chacko mentioned that, during interviews, job applicants are often asked where they see themselves in five years. But, he said, does the company have a plan for them? Where does the employer expect the new hires to be in five years, and how is it going to get them there? Having such a plan, he said, helps retain people.

One audience member worked at a company that made sure new people knew they had a growth path. The company emphasized training and had a talent identification process – everyone was evaluated with the intent to promote them up through the organization.

One audience member at a small insurer said he has an intern program that works. He said he pays interns well and gives them interesting work. He said many interns then want full-time jobs, and he’s in a position to cherry pick the best. He also said he’s had success finding experienced people by “paying them what they’re worth.”

An audience member added that for some experienced people, lifestyle is important. Sometimes people want to work from home. Or they want to be able to participate in activities outside of work. Silicon Valley firms might be attractive, but they also might want people to work 14 hours a day. The audience member said it might be attractive for someone to know that, while they’re expected to get the job done, extreme hours aren’t required.


A cyber security company has uncovered evidence of a three-year Iranian-backed online espionage campaign. iSight Partners officials said that, among others, the hackers spied on top government officials and military personnel in the United States and Israel.  

The hackers created fake personas through social networking sites, such as Facebook, Twitter, LinkedIn, Google+, and Blogger.

iSight claimed, “The targeting, operational schedule, and infrastructure used in this campaign is consistent with Iranian origins.” The hours seemed to conform to the work hours in Iran, as the hackers worked only half the day on Thursday and never on Friday, which is the Iranian weekend. iSight also said that other leads, such as the individuals targeted, ultimately led them to determine that Iran was behind the operation.
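The "operational schedule" reasoning above is a standard threat-intelligence technique: convert observed activity timestamps into a candidate local timezone and see whether the resulting weekday pattern matches a hypothesised working week (here: no Friday activity, a half day on Thursday). The Python below is an added example of that analysis; it is not iSight's tooling. The timestamps are constructed, the timezone is a fixed UTC+03:30 offset with daylight saving ignored, and the candidate offsets compared against it are assumptions for the example.

```python
"""Activity-timing analysis: which candidate timezone makes the observed
attacker activity look like a plausible working week?

Added illustration, not iSight's tooling. All timestamps below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the notional operator sits at a fixed UTC+03:30 (DST ignored) and
# works Saturday-Wednesday 09:00-17:00 and Thursday 09:00-13:00, never Friday.
OPERATOR_TZ = timezone(timedelta(hours=3, minutes=30))


def constructed_events(weeks=2):
    """Build one event per working hour, stored in UTC as a SIEM would store them."""
    events = []
    start = datetime(2014, 3, 1, tzinfo=OPERATOR_TZ)  # 2014-03-01 was a Saturday
    for day in range(7 * weeks):
        d = start + timedelta(days=day)
        wd = d.weekday()  # Mon=0 ... Thu=3, Fri=4, Sat=5, Sun=6
        if wd == 4:       # Friday: weekend, no activity
            continue
        last_hour = 13 if wd == 3 else 17  # Thursday is a half day
        for h in range(9, last_hour):
            events.append(d.replace(hour=h).astimezone(timezone.utc))
    return events


def weekday_profile(events_utc, offset_hours):
    """Re-express UTC events in a candidate offset and bucket them by weekday.
    Returns {weekday: sorted list of local hours at which activity was seen}."""
    tz = timezone(timedelta(hours=offset_hours))
    prof = defaultdict(list)
    for ev in events_utc:
        local = ev.astimezone(tz)
        prof[local.weekday()].append(local.hour)
    return {wd: sorted(hs) for wd, hs in prof.items()}


def fits_workweek(profile, off_days=(4,), half_days=(3,), day_end=17, half_end=13):
    """True when: off_days have no activity, half_days stop before half_end,
    and every other day shows activity right up to the hour before day_end."""
    for wd in off_days:
        if profile.get(wd):
            return False
    for wd in half_days:
        hs = profile.get(wd)
        if not hs or hs[-1] >= half_end:
            return False
    for wd in range(7):
        if wd in off_days or wd in half_days:
            continue
        hs = profile.get(wd)
        if not hs or hs[-1] != day_end - 1:
            return False
    return True


def matching_offsets(events_utc, candidates):
    """Return the candidate UTC offsets (in hours) under which the activity
    matches the hypothesised working week."""
    return [off for off in candidates if fits_workweek(weekday_profile(events_utc, off))]


if __name__ == "__main__":
    ev = constructed_events()
    # Candidates (assumed for the example): US Eastern, UTC, Iran, China.
    print(matching_offsets(ev, [-5, 0, 3.5, 8]))
```

Timing evidence of this kind is suggestive rather than conclusive: public holidays, shift work, daylight-saving changes and deliberately staggered activity all distort the profile, which is why the article describes it as one lead among several (targeting and infrastructure being the others) rather than the basis of the attribution on its own.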

A four-star Navy admiral was targeted, along with U.S. government representatives and diplomatic personnel. American pro-Israel groups were also targeted in the cyber espionage pursuit. Leaders in the UK, Saudi Arabia, Syria, Iraq, and Afghanistan were potentially compromised.

The company refused to specify the exact identities of the victims, and they were unsure what was specifically stolen. However, they were able to report that the hackers were looking to obtain government and corporate credentials to access their networks.

“If it’s been going on for so long, clearly they have had success,” an iSight vice president said of the three-year campaign.

The hackers created six fake “personas” who worked for a nonexistent news website. They created eight additional fake identities claiming to work for government and private defense contractors.

iSight determined the stolen data could be used to “support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S., especially with regards to sanctions and proliferation issues.”

The company worried that there may be additional victims who are at risk as a result of the cyber scheme. iSight strongly recommends that individuals who fear they may have been victims immediately contact the Federal Bureau of Investigation.

Iran makes accessing Facebook a crime

The hardline mullahs calling the shots in Iran have made accessing Facebook a crime and anybody caught logging onto the site faces a serious prison sentence if caught, VentureBeat has learned.

The Iranian government has previously banned major online outfits like Facebook, Twitter, and Google in order to stifle debate about the regime. In 2009, Facebook use was banned amid a turbulent election.

Sources inside Tehran and Iranian activists based in the U.S. told VentureBeat that making Facebook use a crime shows the desperation and brutality of a regime reeling from economic sanctions and global criticism for supporting the Syrian dictator Bashar al-Assad, among other factors.

“It’s now illegal to visit Facebook,” said Saghar Kasraie, an activist based in Virginia.
Kasraie said Iranians rely on Facebook to keep in touch with family members and friends both in the country and outside. Users are able to get around the blockage of Facebook by using proxy servers, portable hotspots connected to cell phones, and Turkey-based ISPs.

Despite outlawing social media, Iran’s new president Hassan Rouhani, who came to power vowing reforms, uses Facebook and in particular Twitter, as do numerous high-ranking Iranian politicians, military, and intelligence officials.

“Rouhani and his people all have Facebook and Twitter accounts,” Kasraie said. “Many Iranians also use Facebook, but not with their real names.”

In addition to Facebook, many Iranians inside the country use Skype, Tango, and Viber to keep the conversation going and to exchange information about what is actually happening inside the Islamic republic. The U.S. considers Iran one of the biggest state sponsors of terrorism and severed diplomatic ties with Tehran in 1979.

The mullahs mean business. Earlier this month, a hardline judge in Tehran sentenced eight Iranians, mostly students, to prison terms of between 8 and 20 years for posting on a Facebook page the mullahs don’t like. That was the precursor to the outright criminalization of social media, activists told VentureBeat.

“Hojjatol-Islam val-Moslemin Hamid Shahriari, the deputy chief justice for the Statistics, Information, and Technology Ministry, is the highest official at the Islamic Republic of Iran’s judiciary system stating that Facebook and other social media sites are a threat to the country,” Kasraie said.

Roya Nobakht, 47, was caught up in the social media crackdown while visiting family members from England, where she lives. She was sentenced to 20 years three weeks ago and her family in the UK claims she has been beaten and brutalized inside Evin prison where she is being held.

Facebook is an important communication platform for millions of Iranians, both inside the country and for those living abroad. Many refer to it as “Facebookistan,” Kasraie said.
“Many Iranians want to thank Zuckerberg for starting it,” she said. “It has brought many of us together.”

Coin Pocket becomes the first Bitcoin wallet for iOS to re-enter the App Store

Apple updated its policy for developers to allow Bitcoin wallets and in-app Bitcoin payments, and now the first apps taking advantage of that shift are live in the App Store. Coin Pocket is the first standalone Bitcoin wallet app to become available for iOS. The basic app allows users to send and receive Bitcoin, check the price, and collect private keys into a single spot and encrypt them.

CoinPocket circumvented Apple’s crackdown by being available as an HTML5 app inside mobile web browsers but, now fully approved, it has access to a device’s camera for QR code scanning.

In addition, eGifter is one of the first general purpose apps to add Bitcoin payments following Apple’s change. Users can now buy gift cards for over 200 brands using the virtual currency.

Police are not equipped to deal with crime in the 21st Century: Max Vetter

The speed of technological advancement in the last 20 years has never been matched in human history. The exponential growth of computing and the internet has affected every person and business on the planet. However, there has been a considerable lag in adopting this technology in a number of areas, particularly in government, policing and the legislative sectors.

In policing, for example, we are told the crime rate is lower now than it ever has been, but those working in the area of cybercrime and fraud know that this is not the case: these crimes have in fact quickly accelerated. The Deep Web is easily accessible and largely unpoliced, allowing, for instance, the wholesale purchase of narcotics, so why would any dealer risk the streets anymore? New virtual markets for criminality and a lack of reporting are just two reasons why these statistics are not officially being recognised, but until there is a realistic picture of digital crime we will continue to get a skewed view of a decrease in the crime rate.

Police officers in the UK are required to do a minimum of two years of “front-line policing” and many go on to spend their whole careers there. The nature of policing means that, as a group, officers are unlikely to spend any significant amount of their time interacting with computers or the internet; nowadays even the most lowly office worker is required to do most tasks via computer. This leaves most police officers lagging in even basic computing skills, and this is a problem that becomes ever more noticeable as officers move up the ranks.

In today’s world every crime committed has a digital element, whether it is the phone in the pocket of the burglar, online sales of stolen goods or the large numbers of domestic incidents that now involve Facebook, as a recent report found. This shows that for many people there is little differentiation between the digital and real world; police should reflect this by making digital enquiries an integral part of any investigation. Recognising this is the first step to combating a lag in knowledge. Without the skills to capture and properly evidence these digital interactions, all police officers are at a disadvantage, and potentially missing key evidence that may turn a case, ensure a conviction or prove innocence.

I recently worked on a case of cyberstalking concerning a famous personality. The stalker began his obsession, like many do, online; in this case on Twitter. This online stalking developed into threats to kill and eventually the stalker travelled from mainland Europe to the victim’s home in the UK. The stalker was arrested before being in contact with the victim, but the police dealing with the case then told him to delete all the threats from his Twitter account, processed and deported him. This lack of understanding by police, of the importance of capturing this evidence chain and the implications of it being lost, is commonplace. If instead of using Twitter the stalker had sent letters through the post I am certain the officers involved would never have thought to throw this key piece of evidence away. Just because it was in digital form the officers, through no fault of their own, were not trained to deal with it evidentially.

The College of Policing reports that it is currently training 6,000 officers on how to deal with online offences. This is a great start and should be commended, but 6,000 is less than five percent of the 128,351 officers in England and Wales, so where does this leave the other 95%? These skills should be part of every officer’s training and are sadly not something that can wait thirty years to filter up through the ranks. Though it is an expense at a time when budgets are being cut, this would drive forces forward with cost-saving digitisation. It would also build a large pool of highly technical officers who can understand and carry out the simple and complex investigations needed online, including in the Deep Web, which is essential if we hope to get policing up to speed in the digital age.

The full web site is currently under development and will be available during 2014