Cyber Security Intelligence


July Newsletter #4 2014

Government Stops Glenn Greenwald from publishing Snowden Revelations… but others will publish

All of the National Security Agency files accessed by former contractor Edward Snowden could be published in the month of July if vaguely worded predictions tweeted this week from the digital library site Cryptome prove to be correct.

A month ago, Glenn Greenwald announced that he was going to publish his biggest story yet: the names of those the NSA has been spying on. Then, at the end of June, Greenwald tweeted that he would finally publish the story that night at midnight.

8 hours later, he tweeted: ‘After 3 months working on our story, USG (United States Government) today suddenly began making new last-minute claims, which we intend to investigate before publishing’.

Many responded that it is a trap, and that the government is dishonestly and illegally censoring Greenwald.

At the same time, Cryptome announced that all of the Snowden documents would be released in July.

The site clarified that it will not be publishing the documents itself.

‘July is when war begins unless headed off by Snowden full release of crippling Intel. After war begins not a chance of release,’ Cryptome tweeted on its official feed. ‘Warmongers are on a rampage. So, yes, citizens holding Snowden docs will do the right thing,’ it said.

Cryptome is a digital library host created in 1996 by American independent scholars and architects John Young and Deborah Natsios. The digital library functions as a repository for information about freedom of speech, cryptography, spying, and surveillance. According to its mission statement, "Cryptome welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance—open, secret and classified documents—but not limited to those."

FBI, CIA Join NSA In ‘Backdoor’ Searches On Americans

Thousands of Americans were targets of so-called “backdoor” warrantless surveillance by the NSA and other intelligence agencies last year, according to a letter sent to Senator Ron Wyden.

The missive, written by the Office of the Director of National Intelligence (ODNI) to the Senator in response to a question posed earlier this month, is plainspoken. The Office also stated that the searches in question are not based on an exploited legal “loophole.”

The House recently voted to curtail such searches by defunding them.

Section 702 of the Foreign Intelligence Surveillance Act allows the government to collect information on foreign targets that are, to use its own language, “reasonably believed to be outside of the U.S. at the time of collection.” It can’t target United States persons by law, and it isn’t allowed to reverse-target — picking a foreign target with the hopes of picking up the communications of someone thought to be in the United States.

The information collected under Section 702 authority may include the communications of Americans picked up in the process of collecting data on foreign targets. The NSA and its intelligence brethren can then query the stored information, using search terms to find the communications of Americans. Hence the term “backdoor.”

How many Americans are caught up in the mix? According to the letter, the NSA used such queries to search the communications content of 198 U.S. persons in 2013. It also made around 9,500 metadata queries for the communications of U.S. persons in the period. The number of people impacted by the metadata searches isn’t clear.

The CIA made 1,900 queries of Section 702-sourced information “using specific U.S. person identifiers” in 2013.

Ominously, the FBI also has access to some of the pooled data, but doesn’t count how often it queries it using U.S. person identifiers.

While intelligence officials have often argued that it is impossible to estimate how many Americans’ communications are getting swept up by the government under Section 702, the Foreign Intelligence Surveillance Court has noted that the NSA acquires more than two hundred and fifty million Internet communications every year using Section 702, so even if US communications make up a small fraction of that total, the number of U.S. communications being collected is potentially quite large.

In short, using a law named the Foreign Intelligence Surveillance Act, the NSA, the CIA and the FBI are able to search and read the content of the communications of Americans.

Why cyber-insurance will be the next big thing

Earlier this year, New York City-based staffing agency Clarity bought cyber-insurance for the first time. This spring it added more coverage.

"We were actually hearing about it from our clients," said Elizabeth Wade, Clarity's operations manager. "They were asking us about it and in order to prevent being behind the eight ball we felt like we really wanted to be proactive and get the insurance 'cause we knew it was something that was important to our clients, and then it was important to us as well."

With a staff of 30, Clarity was looking to protect the information it takes from the clients it places, like their Social Security numbers and dates of birth. The initial coverage it bought from insurer CNA covered any legal costs and the costs of lost business that would come with a breach. This spring it added coverage for credit monitoring if its client data are hacked.

Clarity is one of a growing number of small businesses buying cyber-insurance, and one of the reasons sales of this product are skyrocketing.

Robert Parisi, network security and privacy practice leader for insurance broker Marsh USA, a unit of Marsh & McLennan, told CNBC that on the heels of a 21 percent increase in Marsh's cyber-insurance sales in 2013, sales for the first half of 2014 are double what they were for the same time last year.

At an estimated $1 billion to $2 billion, 2013 sales of cyber-insurance were a fraction of the $1.1 trillion in total U.S. insurance premiums last year. But Parisi sees the number growing exponentially in the foreseeable future.

"The growth trajectory, I see no sign of it abating," Parisi said. "Cyber-insurance is underpenetrated in the economy in general and we're at the long end of the hockey stick heading upward."

A 2014 study, "Net Losses: Estimating the Global Cost of Cybercrime," conducted by software security firm McAfee for the Center for Strategic and International Studies, estimated that cybercrime costs the global economy $445 billion a year. The report also forecast the cost will rise as more consumers and businesses connect to the Internet, creating in turn a larger potential market for cyber-insurance.

"Just about every business today needs cyber-insurance," said Bob Hartwig, president of the Insurance Information Institute. "More and more businesses are transacting online and the reality is it's only going to increase as we move forward."

Cyber-insurance policies will depend on a company's size and the industry in which it operates, how much data it has and what a company already does to secure it.

Among the expenses a policy might cover: the cost of conducting an investigation into a breach, notifying customers, reputational and crisis management, lost business and the cost of credit monitoring.

Like the policies, the price of the coverage varies, too, though Francis said prices are coming down as more insurers enter a market served by the likes of Travelers, AIG, Chubb, ACE Limited and CNA. The increased competition is making cyber-insurance more affordable for many small- to mid-sized firms, which can now buy policies tailored to their own risk profile.

The Ponemon study found the average cost of a data breach to an organization in 2013 rose to $5.9 million from $5.4 million in 2012. The study looked at firms where the information of more than 500 clients had been compromised.

The study found the cost of a breach could be reduced if a firm already had a strong security profile and an incident response plan in place. It also found companies that notify customers too quickly—before doing a thorough assessment or forensic examination—risked increasing their costs.

The 5 Biggest Cybersecurity Myths, Debunked

“A domain for the nerds.” That is how the Internet used to be viewed back in the early 1990s, until all the rest of us began to use and depend on it. But this quote is from a White House official earlier this year describing how cybersecurity is too often viewed today. And therein lies the problem, and the needed solution.

Each of us, in whatever role we play in life, makes decisions about cybersecurity that will shape the future well beyond the world of computers. But by looking at this issue as only for the IT crowd, we too often do so without the proper tools. Basic terms and essential concepts that define what is possible and proper are being missed, or even worse, distorted. Some threats are overblown and overreacted to, while others are ignored.

Perhaps the biggest problem is that while the Internet has given us the ability to run down the answer to almost any question, cybersecurity is a realm where past myth and future hype often weave together, obscuring what actually has happened and where we really are now. If we ever want to get anything effective done in securing the online world, we have to demystify it first.

Myth 1: Cybersecurity Is Unlike Any Challenge We Have Faced

It’s easy to feel overwhelmed by the faster-than-light pace of global information networks. Yet nothing is ever truly new: imagine how the Victorians felt as communications and commerce went from horse- and wind-powered to wired telegraphs and then wireless radio, and they had to wrestle with how to regulate it all.

Myth 2: Every Day We Face “Millions of Cyber Attacks”

This is what General Keith Alexander, the recently retired chief of US military and intelligence cyber operations, testified to Congress in 2010. Interestingly enough, leaders from China have made similar claims after their own hackers were indicted, pointing the finger back at the US. These numbers are both true and utterly useless.

Counting individual attack probes or unique forms of malware is like counting bacteria—you get big numbers very quickly, but all you really care about is the impact and the source.

Good strategy is not about press-release numbers and lumping together unlike things for shock value. Much as in the real world, we need to disambiguate online threats, weigh the risks and prioritize how, and by whom, they should be addressed.

Myth 3: This Is a Technology Problem

In the tech support world, there’s an old joke about “PEBCAK,” or Problem Exists Between the Chair and Keyboard. Cybersecurity really is all about people and incentives. There are plenty of important technical fixes and new tools to adopt, but if organizations and individuals aren’t willing to invest in securing themselves, then they will remain insecure.

The most important thing we can do is shift our mentality from fear and ignorance (which leads us to be taken in by silver-bullet solutions and false hopes for some man on cyber horseback to rescue us) to working toward what matters more: resilience.

Myth 4: The Best (Cyber) Defense Is a Good (Cyber) Offense

Senior Pentagon leaders talk about how a couple of teenagers sipping Red Bull in their parents’ basement could carry out a WMD-style attack, and indeed, one report stated that the offense would dominate “for the foreseeable future.” This, in turn, has driven the Pentagon to spend roughly 2.5 times more money on offensive cyber research in its yearly budget than it has on defensive cyber research.

The reality is more complex. The famed Stuxnet, a digital weapon that sabotaged the Iranian nuclear program, showed the dangers of new generations of cyber threats, but also illustrated how they require expertise and resources beyond just sugary drinks. Red Bull gives you wings, but not the instant expertise to attack at an advanced level. Stuxnet’s creation required everything from intelligence analysis and collection to advanced knowledge of engineering and nuclear physics.

More important is that it’s not the right strategy. This is not the Cold War of some binary relationship, where you just have to deter one other state with similar capabilities and stakes in the game. When there are countless and diverse attackers out there, spending far more on offensive breakthroughs as our primary answer is a lot like thinking that the best way to protect your glass house from tornadoes, or the neighborhood kids, or a terrorist is to buy a rock-sharpening kit. It may not be as sexy, but in both Super Bowls and cybersecurity, the best defense actually is a good defense.

Myth 5: “Hackers” Are the Biggest Threat to the Internet Today

There are bad guys out there on the Internet, doing and planning bad things. But if we don’t watch out, the cure can end up worse than the disease. The Internet depends on an ecosystem of trust and we are seeing it threatened in all sorts of ways. This is where the cyber crime against Target meets NSA metadata collection meets the Chinese Great Internet Firewall and the 82,000 blacklisted websites in Russia. They all work against the confidence in, the openness of, and collectively shared governance of the Internet as we know and love it.

In response to online threats, many governments around the world have increased their calls for greater controls and “reforms” of Internet governance, seeking to crack down on free expression and civil society in the name of domestic order, and to throw up technical trade barriers in the guise of national security. We must be very wary of any proposal to protect us from online dangers that ends up destroying the most powerful tool for political, economic, and social change in our lifetimes, if not all of history.

Many Companies Plagued with Cloud Challenges and Failures

A majority of the 400 organizations worldwide surveyed by Enterprise Management Associates reported experiencing challenges and failures with cloud services.

The study, “Casualties of Cloud Wars: Customers Are Paying the Price,” notes that IT is moving forward with cloud initiatives because without them, keeping pace with the innovation needed to remain competitive in most industries is nearly impossible.

Survey respondents use an average of three cloud vendors, indicating an ongoing effort to find the “right” cloud solution, risk mitigation policies that require the diversification of providers, department-level fragmentation, and no pressing need to standardize on a single vendor, according to the report, which was commissioned by cloud provider iLand.

In addition to benefits such as cost savings and rapid scalability, 49 percent of respondents view disaster recovery as a key advantage of hosting workloads in the public cloud.

Eighty-eight percent of respondents experienced at least one unexpected challenge. At the top of the list were pricing challenges stemming from complex pricing models and hidden fees that can rapidly counteract the cost-savings benefit of the cloud. Performance issues, which can be experienced with some cloud platforms, were also a concern, the study says.

“Stories about successful cloud implementations are captivating, but the reality is that cloud is more complex than many news headlines make it out to be,” Dennis Drogseth, vice president of EMA, said in a statement. “Companies must be self-aware. Unless they have an experienced staff that can manipulate the mass-market systems of the big providers, they should seek cloud vendors that take a different, personalized approach.”

New NSA boss plays down impact of Snowden leaks

Incoming NSA chief Admiral Michael Rogers has played down the impact of the Snowden revelations on the spy agency's work.

Former NSA director, General Keith Alexander, described the Snowden leaks as one of the worst breaches in intelligence history. UK spy agency bosses at GCHQ and MI6 told a Parliamentary inquiry back in November that the leaks had hurt their ability to monitor terrorists' communications because parts of the world had "gone dark" in the wake of Snowden.

However, Admiral Rogers played down the impact of the revelations during an interview with the New York Times. Admiral Rogers acknowledged that terrorists might have made changes to the way they communicate but he downplayed the significance of this tactical shift.

"I have seen [terrorist] groups not only talk about making changes, I have seen them make changes," Admiral Rogers said. "You have not heard me as the director say, 'Oh, my God, the sky is falling.' I am trying to be very specific and very measured in my characterisations."

The new NSA director added that the signals intelligence agency has put in place a range of tougher controls to safeguard against the possibility of any future Snowden-style leak involving a trusted insider walking away with thousands of classified documents. He nevertheless admitted that smaller-scale leaks are nigh on impossible to prevent.

He also explained that the relationship between the NSA and private telecom and Internet service firms exposed by the Snowden files had been profoundly changed as a result of the revelations. Internet service firms are no longer willing to co-operate with the spy agency voluntarily.

Telcos such as AT&T and Verizon, as well as social media companies, now insist, “You are going to have to compel us” to turn over data, Admiral Rogers told the NYT. However, he added, the vast majority of global corporations that worked with the NSA (giving the agency its "technological edge and global reach", as the NYT put it) were still doing so, even though they weren't keen to advertise this.

Admiral Rogers, who took over as NSA boss in April, said the NSA intended to be more transparent about its mission as a way of regaining public trust following numerous revelations about the NSA's dragnet surveillance programme. Rogers said that, unlike his predecessors, he would need to engage “in a public dialogue” about how the agency operated.

Russian Hackers 'Target Western Power Plants'

A group of Russian hackers known as Energetic Bear are systematically targeting hundreds of Western energy companies with malware that could disrupt power supplies, it has been claimed.

Private cybersecurity researchers say the primary motive behind the attacks appears to be industrial espionage, but the software also allows the hackers to take over control systems remotely.

This could allow the culprits to sabotage facilities or disrupt power supplies to homes and businesses.

The attacks have affected more than 1,000 organisations in more than 84 countries, according to researchers at CrowdStrike, and were first discovered in August 2012.

The California-based company has since observed unusually sophisticated attacks on healthcare bodies, defence contractors and government agencies.

Now computer security company Symantec has revealed that the hacking group - which it nicknames Dragonfly - has remote-control capability over some power systems.

A statement from Symantec said: "Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers.

"The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland."

It is understood the hackers covered their tracks by using advanced encryption techniques.

Finnish security firm F-Secure has said that in the past six months the group has become more sophisticated and aggressive.

The campaign is similar to alleged cyber warfare attacks mounted by the US and Israel that used a virus called Stuxnet to damage the Iranian nuclear industry in July 2010.

Government publishes defence of mass surveillance

The government's defence of its mass surveillance programme has been published in response to the case brought by Privacy International and various civil rights groups.

Charles Farr, the government's most senior security official, argues that searches on Google, Facebook, Twitter and YouTube, and emails to or from non-British citizens abroad, can be monitored by the security services on a mass basis without the need for a warrant, because they are classed as "external communications". The argument about external communications extends to the concept of web searches constituting external communications with web-based platforms abroad. The government acknowledges the existence of the Prism programme but says it can "neither confirm or deny" Tempora.

The publication of the defence has led to renewed calls for the overhaul of RIPA and for the introduction of new safeguards against routine surveillance of web searches, emails and social media without a warrant.

New Snowden Docs Show How FISA Court Gave NSA Ridiculously Broad Spying Powers

The latest reporting on previously unrevealed Snowden documents comes from the Washington Post, by Ellen Nakashima and Barton Gellman, reviewing how the FISA Court granted the NSA incredibly broad powers to spy on just about any country, and also allowed it to collect a pretty broad array of information with little oversight. Basically, the FISC gave blanket approval to the NSA to spy on any country not a member of the "Five Eyes" coalition, with whom the US has non-spying agreements: the UK, Canada, Australia and New Zealand. Perhaps more troubling than the big list of just about every country is how the FISC allows spying on a broad range of communications:

An affidavit in support of the 2010 foreign government certification stated that the NSA believes foreigners who will be targeted for collection “possess, are expected to receive and/or are likely to communicate foreign intelligence information concerning these foreign powers.”

That language could allow for surveillance of academics, journalists and human rights researchers. A Swiss academic who has information on the German government’s position in the run-up to an international trade negotiation, for instance, could be targeted if the government has determined there is a foreign intelligence need for that information. If a U.S. college professor e-mails the Swiss professor’s e-mail address or phone number to a colleague, the American’s e-mail could be collected as well, under the program’s court-approved rules.

As we've noted (and as this report reminds us), one of the more recent revelations is that this set of broad powers, which come under Section 702 of the FISA Amendments Act, includes the ability to collect information any time anyone communicates about a target, not just to or from a target. And "a target" can be more than just a person -- it can be an organization or a computer or a network. That means the FISA Court more or less gave the NSA broad powers to spy on just about anyone if they did anything even remotely related to a broad set of "targets." It's hard to see how this is narrowly tailored surveillance, as NSA defenders keep wishing to imply.
