Cyber Security Intelligence


November Newsletter #1 2014

Change at the top for Britain's spies

It was a telling sign that candidates to be head of GCHQ a few months ago had to undergo a mock broadcast interview as part of the application process. A few years back, the idea of such a thing would have been laughed out of the gentlemen's clubs of Pall Mall where old spies used to gather to drink. Go back a couple of decades and even the names of British spy chiefs were kept out of the public eye. How times have changed.

And as two new spy chiefs begin work on the same day - Robert Hannigan (who clearly passed his screen test) at GCHQ and Alex Younger at the Secret Intelligence Service MI6 - dealing with those changing times will be at the top of their inboxes.

The interview process shows that, paradoxically, to be the head of a secret intelligence agency in the modern world you need to know how to communicate to the public - as witnessed by the trend towards speeches, the odd interview and a precedent-setting (but not exactly electrifying) appearance before cameras in front of the Parliamentary Intelligence and Security Committee. Those appearances are just one part of a wider challenge of dealing with changing public expectations and new technology.

In London, Alex Younger moves into the spacious office belonging to 'C', the chief of MI6, with its view over the river towards parliament.

Alex Younger will need to work out how best to harness developing technologies, since part of MI6's job is to recruit human spies abroad.

A few years ago, the bitter legacy of Iraq's absent weapons of mass destruction still hung over MI6, the questions over what had gone wrong dominating what seemed like every conversation. That era has largely passed although the new chief may still not escape other 'legacy' issues - including for instance, ongoing court cases and inquiries into MI6's involvement in US rendition operations after 2001, and the attacks of 9/11.

A more forward-looking challenge though will be working out how technology is changing the face of human spying - acting sometimes as an enabler to find targets to approach, but also making the business of going undercover for your own spies much more challenging.

All three British spy agencies - GCHQ, MI5 and MI6 - have moved much closer together in recent years but the centrality of technology means that GCHQ - once the most secret - has grown in importance and prominence in an increasingly digital world.

Picture: New GCHQ chief Robert Hannigan is an outsider

Over in Cheltenham, the task for Robert Hannigan is to guide an organisation still dealing with the aftershocks of the Snowden disclosures, which began a year and a half ago.

In the first few months, GCHQ was caught in the headlights as it saw its once secret intelligence programmes splashed across the front pages of the newspapers amid accusations of 'mass surveillance'.

Hannigan is an outsider who comes from a career dealing with security issues in other departments. His task will be to draw the geographically distant GCHQ closer to Whitehall and to build public understanding. But in doing so he will need to reassure staff who may be nervous of that process whilst ensuring his teams maintain an edge against the hardest targets.

Back in London and over the river from MI6, Andrew Parker at MI5 is the one intelligence chief providing continuity. His domestic Security Service is under pressure though because of the threat posed by returning foreign fighters from Iraq and Syria.

There is a grim awareness that whilst they have stopped a number of plots - and are likely to stop many more - something will almost certainly get through. The nature of terrorist plots has changed over time. Compared to the 7/7 attacks in 2005 they are less sophisticated but also harder to detect.

There is less travelling to Pakistan for training and more communicating with Syrian jihadists online. This has placed more pressure on communications and digital intelligence than in the past. And it is the reason that intelligence officials and police say they worry that revelations about the state's capabilities have tipped off adversaries as to what is and is not possible allowing them to evade monitoring.

In contrast, a vocal band of those concerned with privacy argue that there is a need for the public to know what is being done by the spies and they want to ensure accountability and oversight mechanisms are sufficiently robust.

They worry that advances in technology will enable spies to do too much, the converse of spies who worry about keeping up with the technology used by everyone else.

Thinking through what needs to be secret, and what does not, is going to be much harder than just being willing to do the occasional speech or interview. Working out where technology is a problem and where it is a solution - and where it changes the balance of ethics and accountability - is going to be the challenge.

Trying to reconcile these different pressures - and doing so at a time of a high operational tempo in an uncertain world - is likely to keep all three spy chiefs busy.

The National Security Agency has had agents in China, Germany, and South Korea working on programs that use “physical subversion” to infiltrate and compromise networks and devices, according to documents obtained by The Intercept.

The documents, leaked by NSA whistleblower Edward Snowden, also indicate that the agency has used “under cover” operatives to gain access to sensitive data and systems in the global communications industry, and that these secret agents may have even dealt with American firms. The documents describe a range of clandestine field activities that are among the agency’s “core secrets” when it comes to computer network attacks, details of which are apparently shared with only a small number of officials outside the NSA.

“It’s something that many people have been wondering about for a long time,” said Chris Soghoian, principal technologist for the American Civil Liberties Union, after reviewing the documents. “I’ve had conversations with executives at tech companies about this precise thing. How do you know the NSA is not sending people into your data centers?”

Previous disclosures about the NSA’s corporate partnerships have focused largely on US companies providing the agency with vast amounts of customer data, including phone records and email traffic. But documents published today by The Intercept suggest that even as the agency uses secret operatives to penetrate them, companies have also cooperated more broadly to undermine the physical infrastructure of the Internet than has been previously confirmed.

In addition to so-called “close access” operations, the NSA’s “core secrets” include the fact that the agency works with US and foreign companies to weaken their encryption systems; the fact that the NSA spends “hundreds of millions of dollars” on technology to defeat commercial encryption; and the fact that the agency works with US and foreign companies to penetrate computer networks, possibly without the knowledge of the host countries.

The most controversial revelation in the Sentry Eagle briefing document might be a fleeting reference to the NSA infiltrating clandestine agents into “commercial entities.” The document states that among Sentry Eagle’s most closely guarded components are “facts related to NSA personnel (under cover), operational meetings, specific operations, specific technology, specific locations and covert communications related to SIGINT enabling with specific commercial entities (A/B/C).”

It is not clear whether these “commercial entities” are American or foreign or both. Generally the placeholder “(A/B/C)” is used in the briefing document to refer to American companies, though on one occasion it refers to both American and foreign companies. Foreign companies are referred to with the placeholder “(M/N/O).” The NSA refused to provide any clarification to The Intercept.

The briefing sheet does not say whether foreign governments are aware that the NSA may be working with their own companies. If they are not aware, says William Binney, a former NSA crypto-mathematician turned whistleblower, it would mean the NSA is cutting deals behind the backs of friendly and perhaps not-so-friendly governments.

The avalanche of NSA disclosures since the Snowden leaks began in 2013 has shattered whatever confidence technologists once had about their networks. When asked for comment on the latest documents, Prince, the CEO of CloudFlare, began his response by saying, “We’re hyper-paranoid about everything.”

Snowden’s Great Escape

As Laura Poitras’s Citizenfour premiered in New York another major documentary on Edward Snowden is set to launch in 2015.

Snowden’s Great Escape is an 80-minute documentary being coproduced by Germany’s NDR and Denmark’s DR, which incorporates two new interviews with the American whistleblower, filmed in Moscow.

The doc is being directed by John Goetz (NDR) and Poul-Erik Heilbuth (DR) and is expected to launch at a major international film festival in either January or February (possibly Sundance or Berlin), before airing on TV in some form in the first quarter of 2015.

In addition to Snowden, other notable figures who have been interviewed for the doc include Bolivian president Evo Morales, former NSA director Michael Hayden, former German justice minister Sabine Leutheusser-Schnarrenberger, WikiLeaks co-founder Julian Assange and his adviser Sarah Harrison, Guardian correspondent Ewen MacAskill, Hong Kong lawmaker Regina Ip, and journalist Glenn Greenwald and his Hong Kong lawyer Robert Tibbo.

The film is described as being a fast-paced documentary thriller, and focuses on Snowden’s escape from Hong Kong to Moscow after leaking a cache of secret NSA documents to journalist Greenwald and filmmaker Poitras.

The doc promises to expose “how close [Russian leader Vladimir] Putin was to having Snowden deported from Moscow, as he landed at Sheremetyevo Airport,” according to DR television.

Mette Hoffmann Meyer, head of documentaries for Denmark’s DR, told realscreen: “Snowden’s Great Escape is a breathtaking account of the NSA’s frantic search for Snowden and the brilliant plan that enabled his remarkable disappearing act.

“The film is the story of a young man who has just given journalists an explosive cache of documents exposing the power and reach of the NSA,” she adds. “As they return home to publish his shocking revelations, he is left behind.

“Far from being a whistleblower hero, we now learn that Edward Snowden was in fact broke and very much alone.”

She added that the film is not a “fly-on-the-wall” documentary. “It documents one of the largest manhunts in modern U.S. history,” she said.

The news comes on the eve of the premiere of one of the most anticipated feature docs of the year.

Poitras’s long-in-the-works Snowden doc Citizenfour, which premiered in the Big Apple on October 10, was a late addition to the New York Film Festival’s main slate. It has since been programmed for a host of European festivals, including CPH:DOX, DOK Leipzig and the London Film Festival.

In a piece on CNN, Daniel Ellsberg supports Snowden and the way in which he has operated. He says the Espionage Act must be rescinded as it is unconstitutional and does not allow whistleblowers to explain their reasons for their actions in court – something that affected Ellsberg when he went to court.

Google and Oxford bring ‘human’ Robots close to Reality

Google has further demonstrated just how serious it is about making computers think like humans.

The California tech giant has teamed up with two of Oxford University’s artificial intelligence (AI) teams to help machines better understand users, and improve visual recognition systems using deep learning.

This partnership follows reports Google is also developing superfast ‘quantum’ chips modeled on the human brain, to make searches and software more intuitive.

Google is also reportedly working on a super-fast 'quantum' computer chip as part of its vision to one day have machines think like humans. The acquisition of DeepMind in January wasn't Google’s first foray into artificial intelligence and machine learning. Its Google Now app uses ‘predictive analysis’ to predict what Android users will do next, before offering relevant help and information at each step without ever being asked.


UK Police use loophole to hack phones and email

Police are hacking into hundreds of people’s voicemails, text messages and emails without their knowledge, The Times has discovered.

Forces are using a loophole in surveillance laws that allows them to see stored messages without obtaining a warrant from the home secretary. Civil liberties campaigners reacted with concern to the disclosure that police were snooping on personal messages so often, without any external monitoring and with few safeguards.

New Web flaw enables social engineering attacks

Users who carefully download files from trusted websites may be tricked by a new type of Web vulnerability, which cons them into downloading malicious executable files that are not actually hosted where they appear to be.

The attack has been dubbed reflected file download (RFD) and is somewhat similar in concept to reflected cross-site scripting (XSS) attacks where users are tricked to click on specifically crafted links to legitimate sites that force their browsers to execute rogue code contained in the URLs themselves.

In the case of RFD, the victim's browser does not execute code, but offers a file for download with an executable extension such as .bat or .cmd (containing shell commands) or a script extension such as JS, VBS or WSH (executed by the Windows Script Host, wscript.exe). The contents of the file are passed through the attacker-generated URL that the user clicks on, and the website reflects that input back to the browser as a file download.

This enables powerful social engineering attacks because, even though it's not physically hosted on the targeted site, the file appears to originate from it. Users would still have to approve the download and execute the file themselves, but it wouldn't be hard for the attacker to convince them to do it.

For example, a spoofed email from a bank asking users to download and install a new security product that protects their banking sessions could be very convincing if the included download link pointed back at the bank's real website - and that's exactly what RFD vulnerabilities allow for.

The researcher also found a way to bypass the warning that Windows displays when trying to run an executable file downloaded from the Internet, making his attack even more powerful. Details of the bypass, which involves using certain strings in the file name, were shared with Microsoft's security team, who are working on a defense-in-depth fix.
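The defensive side of what the article describes, as an added example that is not part of the original article or the researcher's work: a JSON/JSONP endpoint's response built in the weak shape that exposes it to RFD next to a hardened shape, plus a header check a defender can run over responses. The endpoint shape, the fixed filename and the sample payload are constructed for this example.

```python
import json
import re

# Allowlist for a JSONP callback name: identifier characters only, so nothing
# a command interpreter would treat as a separator can be reflected into the body.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]{0,63}$")

# Constructed fixed download name the server always asserts, whatever the URL path.
FIXED_FILENAME = "api-response.json"


def weak_jsonp_response(callback, payload):
    """Response shape that leaves an endpoint open to RFD: the callback parameter
    is reflected verbatim and no Content-Disposition is sent, so the browser
    derives the download name and extension from the request path instead."""
    headers = {"Content-Type": "application/json"}
    body = "%s(%s);" % (callback, json.dumps(payload))
    return headers, body


def hardened_jsonp_response(callback, payload):
    """Hardened variant: the callback is restricted to an identifier allowlist,
    the download name is pinned via Content-Disposition, and MIME sniffing is
    disabled so the browser cannot reinterpret the body as something else."""
    if callback is not None and not SAFE_CALLBACK.match(callback):
        raise ValueError("callback parameter rejected by allowlist")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Disposition": 'attachment; filename="%s"' % FIXED_FILENAME,
        "X-Content-Type-Options": "nosniff",
    }
    encoded = json.dumps(payload)
    body = encoded if callback is None else "%s(%s);" % (callback, encoded)
    return headers, body


def rfd_findings(headers):
    """Defender-side header check: returns the RFD-relevant weaknesses present
    in a response's headers (an empty list means the headers look sound)."""
    findings = []
    disposition = headers.get("Content-Disposition", "")
    if "filename=" not in disposition:
        findings.append("no fixed filename in Content-Disposition")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("MIME sniffing not disabled")
    return findings


if __name__ == "__main__":
    sample = {"q": "search term"}  # constructed payload echoed by the endpoint
    for name, fn in (("weak", weak_jsonp_response), ("hardened", hardened_jsonp_response)):
        hdrs, _ = fn("cb", sample)
        print(name, "->", rfd_findings(hdrs) or "no findings")
```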

Is Data the Best Preparation Against Natural Disasters?

Big Data and Open data and analytics have become fundamental tools in disaster preparedness, experts say. But public officials aren’t using them enough.

Lucy Jones, a seismologist at the U.S. Geological Survey (USGS), is collaborating with Los Angeles city officials to draft a seismic-resilience plan. She said the city is a prime example of what happens when there is an abundance of data but an absence of investment in disaster preparation: about 85% of the city’s water supply is delivered by aqueducts across the southern San Andreas Fault, a fault line the USGS estimates, based on its data, will generate a major earthquake sometime in the next decade or so.

The danger centers on indications city aqueducts will break, leaving only a six-month supply of water reserves for residents, she said. These reserves are dismally inadequate when considering the aqueducts would require 18 months to repair. This would mean an entire year without water for Los Angeles.

Hopefully, the seismic-resilience plan will help city officials find data-driven remedies and propose new ordinances. For example, the city could expand its capacity for water reserves.

A primary reason to defer investment in emergency management tools and infrastructure stems from two mistaken beliefs: that such expenditures are unjustifiable because they don’t serve immediate needs, and that large emergencies are infrequent.

Tyupkin: Manipulating ATM Machines with Malware

Earlier this year, at the request of a financial institution, Kaspersky Lab's Global Research and Analysis Team performed a forensics investigation into a cyber-criminal attack targeting multiple ATMs in Eastern Europe.

During the course of this investigation, a piece of malware that allowed attackers to empty the ATM cash cassettes via direct manipulation was discovered. At the time of the investigation, the malware was active on more than 50 ATMs at banking institutions in Eastern Europe. Based on submissions to VirusTotal, we believe that the malware has spread to several other countries, including the US, India and China.

This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit. The malware uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night. It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.

When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.

Revealed: how Whisper app tracks ‘anonymous’ users

Picture: Brad Brooks, left, and Michael Heyward of Whisper in Santa Monica

The company behind Whisper, the social media app that promises users anonymity and claims to be “the safest place on the internet”, is tracking the location of its users, including some who have specifically asked not to be followed.

Whisper is also sharing information with the US Department of Defense gleaned from smartphones it knows are used from military bases, and developing a version of its app to conform with Chinese censorship laws.

The US version of the app, which enables users to publish short messages superimposed over photographs or other images, has attracted millions of users, and is proving especially popular among military personnel who are using the service to make confessions they would be unlikely to publish on Facebook or Twitter.

Currently, users of Whisper are publishing as many as 2.6m messages a day. Facebook is reportedly developing its own Whisper-style app for anonymous publishing. The trend toward anonymity in social media has some privacy experts concerned about security.

Whisper has developed an in-house mapping tool that allows its staff to filter and search GPS data, pinpointing messages to within 500 meters of where they were sent. The technology, for example, enables the company to monitor all the geolocated messages sent from the Pentagon and National Security Agency. It also allows Whisper to track an individual user’s movements over time.

When users have turned off their geolocation services, the company also, on a targeted, case-by-case basis, extracts their rough location from IP data emitted by their smartphone. Whisper’s policy toward sharing user data with law enforcement has prompted it on occasions to provide information to both the FBI and MI5. Both cases involved potentially imminent threats to life, Whisper said, a practice standard in the tech industry.

Whisper’s in-house mapping tool identifies users who have posted in the vicinity of the National Security Agency, Maryland, using their GPS data. Occasionally, the company uses IP address location data to establish the rough location of some users who have opted out of the app’s geolocation services.

It now warns users that turning on the app’s geolocation feature may “allow others, over time, to make a determination as to your identity”.

Fighting in the cyber trenches

Relations between the US and China and Russia are tense, but no shot has been fired. Online, it’s a different story.

For one unnamed American biomedical company, it took five years to bring a new product to market as it stuttered on the ideation assembly line. There was the genesis, research and development, then meticulous rounds of testing to refine what came before and meet regulatory scrutiny. Only then was the product manufactured and sold for use in a hospital.

But how did a Chinese competitor manage to rush the same product to market in 18 months? Heart valves and prosthetics take less time, it turns out, when a team of digital cat burglars can sneak into the American company’s mainframe and pop out with schematics for a fully tested product, beating the original innovators to market.

In several areas of the world, the United States is mired in economic and political tension. In China, it is facing a rising economic power that has little patience for Western dominance. In Russia, it is facing a belligerent former power that is using force to recoup what was lost so long ago (and economic leverage to keep it that way). The hostilities continue to play out in bold headlines and fraught diplomatic relations, a Cold War simmer that refuses to boil over.

In the digital world, however, the US and its adversaries have been at war for some time. Some of the largest US threats are buzzing through Russian and Chinese computer systems operated by droves of highly skilled hackers. A small biomedical company beaten by a copy of its own product? Just the tip of a mammoth iceberg of cyber warfare over the last decade that has left companies and organizations standing on the sidelines shellacked.

Cyber sabotage has quickly become the 21st century’s preferred form of international trade theft. Hackers hunt any intellectual property worth a dollar, ruble, or yuan. Pilfered research from the biomedical, energy, finance, software, IT, defense, and aerospace industries creates not only economic gain but state-related advantage. In China, the state and economy are so intertwined that illicit intelligence-gathering doubles as national security. In Russia, the battery of economic sanctions in response to its military actions in Eastern Europe has created incentives for subterfuge.

It is difficult to attribute attacks to certain nations. In the interconnected digital world, there is no equivalent of a DNA sample or fingerprint to identify the perpetrator of a specific cyber crime. Still, aggregate data—including time zone, location of the physical servers used in the attack, nation-specific tools and techniques, and language indicators—leads researchers like CrowdStrike to place the majority of blame on Moscow and Shanghai.

From Her to Watson, and What’s Next?

Her is a 2013 American science fiction romantic comedy-drama film written, directed, and produced by Spike Jonze. The film follows Theodore Twombly (Joaquin Phoenix), a man who develops a relationship with Samantha (Scarlett Johansson), an intelligent computer operating system personified through a female voice. Jonze conceived the idea in the early 2000s after reading an article about Cleverbot, a web application that uses an artificial intelligence algorithm to have conversations with humans.

Its resemblance to IBM Watson is real, though IBM’s Watson is much more focused on the business side of the machine/human interaction and collaboration.

Watson is a learning system that scales human expertise by extending our abilities to perceive, reason, and relate:

Perceiving: Watson understands the world as we do; it interprets sensory input beyond traditional data. It understands natural language and reads manuals, social data, blogs, consumer reviews, etc.

Reasoning: Watson thinks through complex problems; it deepens our analysis and inspires creativity. It makes inferences, evaluates pros and cons, and finds relationships between terms and concepts.

Relating: Watson understands how we communicate, and personalizes its interactions with each of us. It responds in natural language, personalizes the interaction and provides reasons.

Learning: Watson learns from every interaction, scaling our ability to build experience. It trains with experts and improves with feedback.

Imagine that you can take your best employee, your best agent, your best underwriter, your best adviser, your best risk manager and teach Watson, so it could then be supporting any other employee, business partner or even a customer, 24/7 across your organization. It is the closest thing to cloning I have seen lately, without the moral dilemmas. What if, based on its huge computing capacity and its ability to crunch and interpret terabytes of data in a very short time-frame, it could provide you with more hypotheses and evidence than any human being you can hire? Imagine how accuracy and timeliness could save lives, assess risks better, lower your costs, and provide a better understanding of what is going on, even under different circumstances. Watson’s aim is to become the best adviser to your employees, customers and partners while they do their jobs, by leveraging the power and strength of search, analytic and cognitive capabilities.

The full web site is currently under development and will be available during 2014