Cyber Security Intelligence


June Newsletter #4 2014

Four ways that NSA’s Prism is changing Business

Some US companies said they have already lost business, while UK rivals said that UK and European businesses are increasingly wary of trusting their data to American organisations, which might have to turn it over secretly to the National Security Agency, its government surveillance organisation.

A survey by the US-based Cloud Security Alliance, quoted by the Information Technology & Innovation Foundation (ITIF), found that American companies which offer file storage and computing in cloud systems – so that files can be stored and accessed anywhere in the world – are gloomy about the effects of the Guardian's revelations of the extent of US government snooping and data gathering through projects such as Prism and XKeyscore.

Daniel Castro, author of the ITIF survey, said that it seemed reasonable to suggest that US Cloud businesses could lose between 10% and 20% of the overseas market to rivals.
The effect has already been felt, Castro said. The ITIF survey found that of those outside the US, 10% had cancelled a project with a US-based cloud computing provider, and 56% would be "less likely" to use a US-based cloud computing service. Of those surveyed inside the US, 36% said that the NSA leaks had "made it more difficult" for them to do business outside the US.
With headline after headline detailing such high-profile repercussions, it raises the question: how has Snowden changed the attitude of ICT decision-makers towards the Cloud?

Prism has shaken businesses and changed their attitudes towards cloud computing – and understandably so. But confidence can be rebuilt. Encryption is now being discussed more than ever as a counter-measure. In the short-term, the most effective solution is partnering with cloud providers that can keep information in country. This way, businesses can still harness the benefits of cloud computing while keeping their valuable data safe.

http://www2.itif.org/2013-cloud-computing-costs.pdf
http://www.theguardian.com/media-network/media-network-blog/
http://www.networkworld.com/article/2225929/cisco-subnet/
http://www.theguardian.com/world/2013/aug/08/

Snowden - Wrangling over the meaning of 'bulk'

The Snowden revelations about NSA surveillance have ignited a debate, but little action in Washington. The debate in the US is about whether the National Security Agency should end its bulk collection of US telephone and business records. This has come down to an argument over the meaning of the word ‘bulk’.

A year after the first leaks by former NSA contractor Edward Snowden were published, it appears that already scaled-back proposals to limit the NSA's bulk collection of US telephone and business records may not even happen. And officials with President Barack Obama's administration, backing an NSA reform bill called the USA Freedom Act, have already begun to pick holes in its definitions.

An amended version of the USA Freedom Act that passed the House of Representatives in May would allow the NSA to continue to target wide groups of US records, critics said, because of its expanded definition of the terms the NSA must use to define its searches.

President Barack Obama in January announced plans to end the bulk collection of US phone and business records, and administration officials have said the amended version of the USA Freedom Act would accomplish that goal.

But whether Obama's plan or the bill ends bulk collection depends on the definition of "bulk." Deputy Attorney General James Cole told the Senate Intelligence Committee Thursday that the prohibition on bulk collection means the "indiscriminate" collection of US records. The USA Freedom Act would allow the NSA to collect "large numbers of records," if a surveillance court judge approves the request, he said.

Somewhat contradictorily, Cole said the bill would prohibit the collection of all phone records in a ZIP code. "That would be the type of indiscriminate bulk collection that this bill is designed to end," he said.

But the language in the bill tells a different story, critics said. "Senators, let us not use the phrase 'bulk collection' as coded jargon for existing programs or nationwide surveillance dragnets," Harley Geiger, senior counsel at the Center for Democracy and Technology, said during the Thursday hearing. "Rather, bulk collection, as any normal person would understand it, means the large-scale collection of information about individuals with no connection to a crime or investigation."

The version of the bill that passed the House would allow the NSA to target wide groups of US records, critics said, because it allows an expanded definition of the "specific selection term" that the NSA must use to define its searches. The amended version of the bill allows the NSA to target things "such as a person, entity, accounts, address, or device," language that would give the NSA few limits on what groups it can target, critics said.

The result is that, one year after Snowden's leaks, a heated debate continues about the appropriate role of government surveillance, but there has been little change in US policy.

http://www.computerworld.com/s/article/9248919/Snowden_leaks

Edward Snowden took less than previously thought, says James Clapper

As the intelligence community continues its assessment of the damage caused by Edward Snowden’s leaks of secret programs, Director of National Intelligence James Clapper says it appears the impact may be less than once feared because “it doesn’t look like he [Snowden] took as much” as first thought.

“We’re still investigating, but we think that a lot of what he looked at, he couldn’t pull down,” Clapper said in a rare interview at his headquarters Tuesday. “Some things we thought he got he apparently didn’t.” Although somewhat less than expected, the damage is still “profound,” he said.

This assessment contrasts with the initial view in which officials, unsure of what Snowden had taken, assumed the worst — including the possibility that he had compromised the communications networks that make up the military’s command and control system. Officials now think that dire forecast may have been too extreme.

It’s impossible to assess independently the accuracy of what Clapper said, either about the damage Snowden allegedly caused or its mitigation. That’s one reason why a legal resolution of the case would be so valuable: It would establish the facts.

In the damage evaluation, the intelligence community has established three tiers of material: The first tier is the 300 or so documents that a senior intelligence official said news organizations in the United States or overseas have already published, often with redactions. The second is an additional 200,000 documents the United States believes Snowden or his associates gave to the media.

It’s a third tier of documents, which Snowden is assumed to have taken but whose current status isn’t known, for which officials have lowered the threat assessment. This batch of probably downloaded material is about 1.5 million documents, the senior official said.

http://www.washingtonpost.com/opinions/edward-snowden-took-less
http://www.washingtonpost.com/blogs/the-switch/wp/2014/06/09/
http://gizmodo.com/the-nsa-wont-hand-over-data

Spy fiction: From Mata Hari to Edward Snowden

David Ignatius's The Director is a thriller in which hacked computer information has replaced Mata Hari-style boudoir indiscretions.

Assange and Snowden are the government-destabilising spirits presiding over this complex thriller in which an American president attempts a massive spring clean of those supplying information to the Russians and Islamic terrorists. An authoritative novel, but it is perhaps undercut by the American author's tenuous grasp of English idioms.

http://www.independent.co.uk/arts-entertainment/books/features/

Silk Road Bitcoins Auctioned By US Government

The US government is to auction 30,000 bitcoins valued at $18m (£10.6m) which were seized during the FBI raid on the Silk Road black market website.

The online hub was notorious for transactions involving illegal drugs and criminal activities, and was shut down last October.

The bitcoins were contained on Silk Road servers, and will be auctioned over a 12-hour period on June 27. Nine blocks of 3,000 bitcoins and one block of 2,657 bitcoins will be up for grabs. The US Marshals Service said it would only accept all-cash offers for the bitcoins.

Those wishing to take part in the auction must transfer a $200,000 (£117,000) deposit to the US government in advance, and provide a copy of government-issued photo identification.
Bitcoin is a virtual currency which is not backed by any government or central bank. Each bitcoin is 'mined' by users who use powerful computers to solve complex mathematical problems.

Bitcoins are currently worth $602.24 (£354.59) each. They fell below the $600 (£353.27) mark at one point following the announcement of the government auction, but soon recovered.

Ross William Ulbricht, who is alleged to be the owner of the Silk Road, has been charged by the US with drug trafficking, computer hacking and money laundering. He denies all of the charges. Bidders have been asked to certify that they are not acting on behalf of anyone representing Silk Road or Ulbricht.

Bitcoins contained on the computer hardware belonging to Ulbricht are not part of the auction.

http://news.sky.com/story/1281413/seized-silk-road-bitcoins-auctioned-by-us-govt
http://www.bbc.co.uk/news/technology-27830566
http://www.cbc.ca/news/business/silk-road-bitcoins

Cybercrime 'As Lucrative As Drugs Trade'

Cybercrime costs £266bn every year - about as much as the global drugs trade - according to a new report revealed exclusively by Sky News.

Computer Security Company McAfee said that cybercrime is worth 0.8% of the global economy. And if cybercrime was a country, its GDP would rank 27th - above Singapore, Austria and Denmark.

The UK ranked fifth in the G20 countries most affected, with an annual loss of £6.8bn as a result of cybercrime. One British company told officials that it had incurred revenue losses of £770m because of one attack, through the loss of intellectual property.

The report also suggests that cybercrime leads to 150,000 job losses in Europe every year. It warns that, "The cost of cybercrime will continue to increase as more business functions move online and as more companies and consumers around the world connect to the Internet".

Last year, 93% of large corporations and 87% of small to medium sized companies suffered data breaches, with the average cost of an attack worth £770,000 and £60,000 respectively.
Raj Samani, chief technical officer of McAfee EMEA, told Sky News: "In the past, studies such as this have relied on surveys…We commissioned a think-tank to work with economists and intellectual property lawyers, as well as the security industry, to understand the true impact of cybercrime."

The £266bn figure, more than twice as high as previous estimates, is based on data aggregated from 28 countries around the world, which between them account for 80% of global cybercrime. The report comes after a number of high-profile cyberattacks, notably the hacking of eBay users' details and the GameOver Zeus and CryptoLocker malware.

Christian-Marc Lifländer, a cyberdefence policy adviser at Nato, told Sky News: "To tackle the problem, you first have to realise it is a serious problem…It is no longer an emerging threat, it is here. It is a new way of life, in many ways."

http://news.sky.com/story/1278411/cybercrime-as-lucrative-as-drugs-trade
http://www.lbc.co.uk/cybercrime-as-lucrative-as-drugs-trade-91790
http://www.youtube.com/watch?v=LH0X9My36Ic
http://www.mcafee.com/uk/resources/reports/rp-economic-impact-cybercrime.pdf

The Internet of things isn’t about things. It’s about cheap data

Imagine if your kitchen scales could advise you about nutrition or if your lavatory could tell you to see a doctor. The Internet of Things is making these ideas possible, but at what price?
We’re entering a new era of computing technology that many are calling the Internet of Things (IoT).

Machine to machine, machine to infrastructure, machine to environment, the Internet of Everything, the Internet of Intelligent Things, intelligent systems—call it what you want, but it’s happening, and its potential is huge. We see the IoT as billions of smart, connected “things” (a sort of “universal global neural network” in the cloud) that will encompass every aspect of our lives, and its foundation is the intelligence that embedded processing provides.

The Internet of Things may be one of the clumsier neologisms to have emerged in recent times, but that has seemingly done nothing to slow its growth. For those unfamiliar with it, the Internet of Things (also known as M2M or machine to machine) refers to an expanding network of interconnected internet-enabled devices. Driven by miniaturisation, the affordability of components such as cheap Bluetooth sensors, and the growing ubiquity of technologies such as Wi-Fi, it is now possible to connect devices in a way that would never have previously been thought possible. While still in its "early adopter" infancy, some estimates suggest that by 2020 there will be in the region of 50bn IoT devices – all talking with one another on a constant basis.

The Internet of things is a way to deliver cheap information that could be used for good or ill. So let’s start talking about what we want as a society. A good place to start is at Structure Connect, this October in San Francisco.

The value that comes from connecting your thermostat to the Internet isn’t that you can now control it from your smartphone, or that it’s a theoretical home for new ads. The value is that you suddenly have access to cheap information about the temperature of your home, and by collating other data points or simple extrapolation techniques, you also have access to detailed information about what is happening in the home.

So sensors on your car should be sending information back to the manufacturer about features you use, and your mechanic about how you are driving and wear and tear on the car’s parts. The manufacturer could then change the car’s design, as Ford has done, while your mechanic can offer you a preventative maintenance contract. Shared over a wider network, you can offer real-time traffic information or even improve weather forecasts by acting as a traveling weather station. But you might also open yourself up to tracking by the government or unscrupulous data-miners seeking to help advertisers establish ever-more-granular demographic profiles.

http://gigaom.com/2014/06/09/the-internet-of-things-isnt-about-things
http://www.embedded-know-how.com/chips-a-components/article/
http://www.theguardian.com/technology/2014/jun/08/internet-of-things

The war against cybercrime goes private

Organised cyber-gangs cost Britain £27bn a year, and tougher laws are proposed. But one 22-year-old has taken matters into his own hands

He takes on international criminals, refuses to be paid, and laughs in the face of danger. He has received death threats, cracked scams and helped police make arrests. Not a bad evening's work for a man who spends his day on the car assembly line.

Xylitol – the name of an artificial sweetener – is the nom de guerre of one of a new breed of civilian amateurs taking on organised cyber-gangs armed only with their computer expertise, a fast Internet connection and a sense of purpose.

The 22-year-old is based close to the Swiss border in the north-eastern French city of Belfort – other personal details are kept deliberately vague – and his success in tackling lucrative criminal scams has shown how blurred the lines have become between state agencies, unregulated private companies and individuals tackling the criminals who cost Britain £27bn every year, according to a report commissioned by the Government.

Working as an independent, he says that he has "more liberty than someone who works for a company or a group. Warning people by releasing information about threats is a way to know your enemies and their techniques".

But the role of people such as Xylitol raises questions about who has the right to destroy computer infrastructure based in another nation. Troels Oerting, the head of the European Cybercrime Centre, told The Independent last month that "hacking back" should usually be the role of the state.

http://www.independent.co.uk/news/uk/crime/the-war-against-cybercrime

Newspapers try to survive the digital revolution

From pay walls to web-only brands, media across the continent are belatedly looking at ways to make money as print sales plummet

Newspapers are in free-fall. Print editions are being discontinued. Editors are being replaced with alarming regularity. Financial losses are mounting. Digital strategies are yet to bear fruit. New readerships are fickle, promiscuous and hard to impress.

If that's true of British and American newspapers, then the situation is, if anything, worse in continental Europe. Here much of the traditional media is considered to be several years behind in the digital revolution, still experimenting with pay walls, digital technologies and alternative means of storytelling. Bankruptcy stalks the sector, and staff layoffs are a weekly fact of life.

http://www.theguardian.com/media/2014/jun/12/european-newspapers
