Cyber Security Intelligence


October Newsletter #1 2014

Shellshock: Bash bug 'bigger than Heartbleed' could undermine security of millions of websites

A security flaw discovered in one of the most fundamental interfaces powering the internet has been described by researchers as ‘bigger than Heartbleed', the computer bug that affected nearly every computer user earlier this year.

The 'Bash bug', also known as Shellshock, is located in the command-line shell used in many Linux and Unix operating systems, leaving websites and devices powered by these operating systems open to attack.

Like Heartbleed, Shellshock is a pervasive flaw that security researchers say will take years to fix properly. The responsibility to do so, however, rests with webmasters and systems administrators – rather than average users.

Security firm Rapid7 has rated the bug as 10 out of 10 for its severity, but "low" for complexity - with hackers able to exploit it using just three lines of code.

However, unlike Heartbleed, Shellshock will not require users to rush from site to site changing their passwords but it does give hackers another method of attack that they could potentially use to take over computers or mobile devices.

If Heartbleed's effect on users was akin to unlocking everyone's front door simultaneously, sending people scrambling back home to turn the key (i.e. change their passwords) then Shellshock is like giving thieves a new type of crowbar to break in to houses with - they're just as likely to use older methods, but it's still a blow for general security.

Security researchers are especially worried about its potential - but as yet unknown - effect on Apple Mac computers, which use the Bash software the bug affects directly, in the form of the Terminal command-line program.

Robert Graham, a security expert and CEO of Errata Security told The Independent: “It's really important that people who maintain websites make sure their computers are patched as quickly as they can. Hackers are already going to all websites and trying out this bug.”

Mr. Graham added that as Shellshock affects “a common bit of code that is used all over the place” it will take a long time for experts to fix all affected systems. “Years from now we’ll keep finding yet another device that’s still not been patched,” he said.

The severity of Shellshock has been recognized by even the US government, with the US Department of Homeland Security releasing a warning about the bug and providing patches to fix affected servers.

Despite this, security experts have said that the effect of Shellshock will be minimal. “Of the top 10 ways hackers will hack computers this year, this won't make the list,” said Graham.

The bug itself was first identified by a security team at Red Hat, an American company that provides open-source software and has sponsored initiatives including the Fedora Project and the software for the One Laptop per Child initiative.

It's been estimated that the bug has been present for at least a decade and most likely longer. Writing about the flaw on his blog, security researcher Michal Zalewski commented that it wasn't unusual for Shellshock to have gone unnoticed for so long:

"My take is that it's a very unusual bug in a very obscure feature of a program that researchers don't really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on."
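The article tells administrators to patch; the following is an added self-test, not code from the newsletter, Rapid7 or Red Hat, that an administrator can run after patching to confirm the host's bash no longer executes a command appended to a function definition imported from the environment (the mechanism behind Shellshock). The function names and the BASH_BIN variable are my own; it assumes a bash binary on PATH and only echoes a marker locally.

```shell
#!/bin/sh
# Added example, not code from the newsletter: a local self-test an administrator
# can run after patching to confirm bash no longer executes commands appended to
# a function definition imported from the environment (the Shellshock mechanism).
# The crafted variable only echoes a marker on this host; nothing leaves the box.

BASH_BIN="${BASH_BIN:-bash}"   # assumed: bash is on PATH or given explicitly

# Pure classifier so the decision logic can be tested on constructed output:
# a patched bash prints only "test"; an unpatched one also prints the marker.
classify_bash_output() {
    case "$1" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Runs the actual probe against the local bash and classifies the result.
# Prints "missing" when no bash binary can be found.
shellshock_status() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # Export a variable whose value looks like a bash function definition with a
    # trailing command; vulnerable versions run that command while importing it.
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    classify_bash_output "$out"
}

printf 'bash at %s: %s\n' "$(command -v "$BASH_BIN" || echo none)" "$(shellshock_status)"
```

Run it as a plain `sh` script on each host; any result other than "patched" means the bash binary still needs attention.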

Edward Snowden Emerges as a Cult Hero in Germany

In Germany, the new Che Guevara wears glasses instead of a beret, wields a computer rather than a shotgun, and is popping up on the streets of the German capital in graffiti, posters, and T-shirts.

In the year since goateed ex-National Security Agency contractor Edward Snowden catapulted to fame, he has been portrayed in street art, installations, pop songs and performances, not to mention stickers, posters and fridge magnets. In Germany in particular, revelations of the NSA's eavesdropping activities have tapped into the deep-seated aversion to an omniscient, all-powerful state—giving birth to a Snowden cult among creative types here.

"I know you're monitoring my cellphone, I'm talking and meeting with Manning and Snowden," raps German hip-hop artist MoTrip in his German-language music video "Guten Morgen NSA"—or, "Good Morning NSA"—also referring to Chelsea Manning, the ex-U.S. soldier who is serving 35 years in prison after releasing classified documents.

MoTrip's recent chart hit compares the NSA to the feared Stasi, the Communist-era East German secret police, and the video features two hapless spies tailing the rapper on daily errands. In German postwar culture, the heroes are those seen as dissidents, like Argentine revolutionary Che Guevara—or nowadays Mr. Snowden.

Artist Oliver Bienkowski's light installation "NSA in da House" projected guerilla-style in the wee hours of the night on the side of the U.S. embassy in Berlin in July, made national headlines in a country where a sense of betrayal by the U.S. has penetrated cultural life. A German intelligence worker was arrested earlier this year on suspicion of passing information to the U.S. and leaks last year suggested the NSA had tapped Chancellor Angela Merkel's cellphone. The U.S. has declined to talk specifically about the case.

"[Snowden] showed he's prepared to undergo risk. That's admirable," said Martin Keune of advertising agency Zitrusblau GmbH, who designed an image of Mr. Snowden in the style of Shepard Fairey's "Hope" poster of Barack Obama's 2008 presidential campaign.

Instead of "Hope," the image reads "Asylum," tapping into calls—so far dismissed by the government—to grant Mr. Snowden refuge in Germany. A T-shirt with the image sells for about €20, and the civic action group Campact alone has sold about 2,000 so far.

The phenomenon is no longer a subculture: Big businesses are exploiting the Snowden brand in advertising.

An ad for last-minute summer vacations by German travel company L'Tur slapped a picture of a beach island next to Edward Snowden's image "for anyone who needs to get away quickly." On a billboard for Berlin lingerie brand Blush, a scantily clad red-haired woman tells Mr. Snowden "there's still a lot to uncover." Furniture company Mömax satirizes NSA eavesdropping and advertises curtains for "the perfect private space."

Mr. Snowden's unassuming appearance means people can relate to him, giving a face and narrative to abstract issues like privacy and surveillance, said Jeanette Hofmann, a political scientist at research institute WZB.

Betina Kuntzsch, a Berlin artist whose "Let it Snowden" snowflake-themed design is sold on apparel and accessories from coffee mugs to umbrellas, comes from the former Communist East Germany. She said she rarely works directly with political topics, but wants people to wear her Snowden T-shirts to "recognize Snowden for the hero that he is—he could be leading a quiet life but he's in Russia and doesn't know what's going to happen next."

"The Stasi spied on my father for a long time," Ms. Kuntzsch said. She added that her father's declassified file revealed spies monitored his day-to-day movements as well as "his hobbies, friends, where he went on vacation," noting the irony that many people voluntarily post such things on Facebook.

According to Mr. Snowden's attorney, the former NSA contractor views the hero worship as a distraction. Mr. Snowden "always says the struggle should not be about him," his German lawyer Wolfgang Kaleck told a packed audience at a recent "Worldwide Reading for Edward Snowden" at the International Literary Festival in Berlin, where excerpts of interviews with Mr. Snowden were read aloud.

For all the fun and parody, Mr. Snowden's leaks and subsequent exile to Russia stir somber feelings for many of his German fans.

"Snowden failed, because we learned from him that we'll always be spied on. He failed in stopping that," said Jörg Janzer, who last year papered over a Berlin street sign to rename it "Snowden Street" in a performance-art project. "But he did something important: he got the population engaged in the digital world—he's courageous; Germans have to support a hero like that."

Snowden Won't Talk About His Time In Hong Kong

Edward Snowden has provided few details about his flight from the US and subsequent month-long stay in Hong Kong in May 2013. We now have a better idea from some on-the-ground reporting by Edward Jay Epstein of The Wall Street Journal (WSJ).

WSJ confirmed that Snowden did not arrive at the five-star Mira Hotel, where he gave an estimated 200,000 NSA documents to journalists Glenn Greenwald and Laura Poitras, until June 1. And a source familiar with the Defense Intelligence Agency's report on the Snowden affair told WSJ that there are no records indicating the former CIA technician's whereabouts between his arrival, on May 20, and June 1. And so where was Edward Snowden between May 20 and May 31st?

Based on inquiries made by WSJ reporter Te-Ping Chen, Snowden arrived on June 1. And Epstein reported, citing a hotel security guard, that Snowden "was not in the Mira during that late-May period and, when he did stay there, he used his own passport and credit card."

Albert Ho, one of the lawyers, did tell The New York Times that Snowden had assistance from a "well-connected" resident of Hong Kong with whom he had been acquainted prior to his arrival. The person served as Snowden's "carer," setting him up in safe houses in both Hong Kong and in the adjacent New Territories.

Greenwald, for his part, writes that "a longtime reader of mine who lives in Hong Kong ... insisted that Snowden urgently needed to retain well-connected lawyers in the city."

A US official in Hong Kong told WSJ that CCTV cameras showed Snowden entering the building that housed the Russian consulate on three occasions in June. And Russian President Vladimir Putin has said that Snowden reached out to Russian "diplomats" while scrambling for asylum in Hong Kong. However, Snowden denies cooperating with Russia's post-Soviet security services (FSB) when he arrived in Moscow, which implies that the fugitive leaker turned down the offer by Russian security services after Putin agreed to his flight to Moscow. Snowden also contends that he has "no relationship with the Russian government at all" despite the fact that Anatoly Kucherena, his Moscow lawyer who got him an apartment, is a Putin loyalist and serves on an FSB advisory board.

And given the prevailing secrecy and contradictions surrounding the story of his escape, it's clear that the true story has not yet been told.

MH370: Pilot Committed Suicide & Killed Everyone Else

An aviation expert who has been researching the disappearance of Malaysia Airlines flight MH370 says it is likely the pilot committed suicide. Ewan Wilson, a New Zealand-based air accident investigator and the founder of Kiwi Airlines, believes captain Zaharie Shah was mentally ill and that his actions ultimately resulted in the deaths of all those on board.

Furthermore, Wilson, a veteran commercial pilot himself, alleges five previous incidents of “murder/suicide” in the aviation industry over the past three decades.

Wilson, whose book Good Night Malaysian 370: The Truth Behind The Loss Of Flight 370, was released in July, is in Birmingham to meet with aviation experts to discuss his findings and “have a candid chat about mental health screening for pilots in the airline industry.”

He told the Birmingham Mail: “There is a fundamental desire to ignore the mental health issue in the aviation industry.

“We have shown why hijacking by a passenger or accidental depressurisation are highly unlikely scenarios.

“By process of elimination, this leaves pilot suicide as the only other serious option in our analysis of what occurred on March 8.

The authors say the most likely scenario is that Shah deliberately depressurised the cabin, thereby depriving those on board of oxygen and causing them to lose consciousness for up to four hours before the Boeing 777 disappeared beneath the waves.

Although oxygen masks would have dropped down automatically from above the seats, the available supply was limited to just 20 minutes.

Those unable to grab a mask, including sleeping passengers, would have passed out within the space of a few minutes.

The entire 'ghost plane', including her cabin crew whose air supply is only marginally longer, would have slipped into a coma and died shortly after from hypoxia.

Shah, who locked his co-pilot out of the cockpit, survived long enough - either by re-pressurising the aircraft, or from breathing his own, more extensive air supply - to evade radar and "execute his master plan", the pair conclude.

They say he then performed a controlled ditching in the sea, which would explain why no debris has been found because the plane landed and sank in one piece.

An earlier report from the Australian Transport Safety Bureau (ATSB) also concluded that passengers may have died from hypoxia, and Malaysian authorities have previously named Shah as their prime suspect.

While Wilson stressed incidents of suicide flights are “highly unusual experiences”, he called for “more proactive tests for mental health screening”

He added: “This isn’t a witch hunt. Pilots should be encouraged to have mechanisms to feel free to say if they have got pressure in their lives and need some assessment.”

The New Offensive On Canadian Government Spying

As parliament resumes in Canada, privacy advocates OpenMedia are hoping to stir up renewed public debate in the country about the role of its spy agency, CSEC, in government surveillance.

Vowing to “stop illegal spying,” the group just launched a new video campaign designed to stoke concern about the Communications Security Establishment Canada’s shadowy mandate. The group alleges that said mandate allows for spying that is “secretive, expensive, and out-of-control.”

“Canada’s national spy agency can collect and analyze your private communication data without a warrant," the video warns. “This could include your phone calls, your email, your Internet data, and even wherever you go with your phone.” The video is another phase of the organization’s campaign to raise awareness and exert pressure on the government over warrantless bulk data collection.

With the return of the Conservative party's cyber-snooping legislation, under the guise of Bill C-13, OpenMedia cobbled together the Protect Our Privacy coalition to push Canadians to voice their views. The group includes the usual suspects of Amnesty International, the BC Civil Liberties Association, and a slew of unions. It also includes some unlikely partners like the right-leaning Canadian Taxpayer Federation, the National Firearms Association, and several media groups. The wider campaign by OpenMedia and its partners signals a growing concern and public debate surrounding privacy issues—a similar public dialogue to the one that Americans underwent shortly after the Edward Snowden leaks.

With members of Parliament back to work in Ottawa after a summer off, the plan is to show the Harper government that this isn’t an issue that can be ignored, explained OpenMedia spokesperson David Christopher.

“If the government doesn’t take action, this is going to be an election issue,” he said. “And it’s something where the Conservative government is out of touch with their base.”

Come this fall, OpenMedia will be launching a crowdsourcing campaign to ask Canadians what their privacy priorities are. These priorities will then become the basis of its lobbying efforts. And, of course, the group is also, in conjunction with the BC Civil Liberties Association, suing the federal government for spying on its citizens. That lawsuit, which Ottawa is trying to have dismissed, is hobbled by the fact that CSEC can claim national security exemptions for its operations while refusing to hand over pertinent information on how Canada spies on its own citizens.

In the end, a judge may just overrule the spies’ paranoia, if it determines that Ottawa is indeed riding roughshod over its citizens’ privacy rights.

Wikileaks Releases German Spyware Governments Use to Hack

As part of its ongoing Spyfiles series of posts, Wikileaks has released the back- and front-end systems used by multiple governments to spy on journalists, dissidents, and others. The files appear to be Windows malware although the software, called FinFisher, also works on OS X.

FinFisher (formerly part of the UK-based Gamma Group International until late 2013) is a German company that produces and sells computer intrusion systems, software exploits and remote monitoring systems that are capable of intercepting communications and data from OS X, Windows and Linux computers as well as Android, iOS, BlackBerry, Symbian and Windows Mobile devices. FinFisher first came to public attention in December 2011 when WikiLeaks published documents detailing their products and business in the first SpyFiles release.

Three back-end programs route and manage traffic, which is sent to FinSpy Master, a collection program. The system can steal keystrokes, Skype conversations, and even watch you via your webcam. While there is no definitive proof that any one organization is using the software, a list of FinFisher customers leaked as well shows us that Pakistan, Estonia, and Italy (among others) have bought the service.

Wikileaks’ Julian Assange hopes the malware will allow researchers to pinpoint and destroy the command and control structure in the wild and help prevent the software from infecting new users.

NSA Chief: Yes, We Still Have Friends

Admiral Michael Rogers, commander of US Cyber Command and director of the National Security Agency, said the Obama administration’s controversial spying programs have not cost the country friends or allies either in the technology industry or abroad. Indeed, the agency shows no signs of slowing down at all. “I fundamentally reject the premise of the question that says the NSA is no longer in a position where it has a relationship with foreign counterparts or with the corporate sector, or that foreign counterparts have walked away from the NSA. That’s not what I’ve observed in my five months as director,” he said.

Rogers’ assertion at the Billington Cyber Security Summit contradicts wide reports of the worsening relationship between foreign partners like Germany and the United States. In July, Germany ejected the CIA station chief in that country over spying allegations.

He rejected criticism that the NSA acted improperly in its controversial data collection and analysis programs, such as PRISM, and spent the majority of his speech describing the growing threat posed by cyber attacks against infrastructure, banks, and regular citizens. It was a threat that was “foundational to the future” of Cyber Command, he said, and one that future technology would only exacerbate, not solve. He also suggested a growing role for NSA-style spying in the fight, not against the Islamic State or al-Qaeda, but against the murky malefactors of the Internet, wherever they might be.

He outlined some simple, common sense measures, albeit ones he may not be able to achieve. Cyber Command is pursuing partnerships with businesses that make up the nation’s infrastructure to get them to report data breaches much more quickly.

Of course, many businesses are also concerned that partnering with the NSA could earn them public distrust. The revelation of the scope of the NSA’s activities is pushing more governments to contemplate restrictions on the way that US companies operate, collect and store data on their shores, which could hurt companies but also US foreign signals intelligence activities, since the NSA will increasingly rely on American companies to hold data that the agency wants to mine under the proposed USA Freedom Act. Rogers said that he has made the pursuit of cross-border partnerships on issues like cyber security a key element of his approach to leading Cyber Command. Obviously, the question of how you form better partnerships with parties that don’t trust you becomes moot if you’re convinced that no gap in trust exists.

But technology companies like Yahoo and others may have been forced to comply with the NSA. Recent revelations in court documents show that Yahoo and other companies were compelled to participate in NSA programs or face harsh fines; in the case of Yahoo, this was approximately $90 million per year. That fee looks paltry compared to the potential $30 billion in revenue that cloud-computing giants could ultimately lose as a result of the NSA revelations, according to David Castro and the Information Technology and Innovation Foundation.

Retired Gen. Michael Hayden, former NSA and CIA director – a man who once said: “We kill people based on metadata” – admitted that revelations of NSA activity under President Barack Obama signal a change in political mood. At some point, Hayden said, the public lost faith in the oversight of the congressional and executive branches and the Foreign Intelligence Surveillance Court, or FISA, oversight over the NSA. Nobody felt like the watchers were being watched.

“You look at the most controversial program… it blew up not because of what NSA was doing…but a significant change in American political culture. A significant faction of our countrymen… said, ‘OK, you told them, you didn’t tell me. That’s consent of the governors, not consent of the governed.’”

Rogers’s comments suggest that the NSA will not be changing its approach to metadata collection in any meaningful way unless compelled by changes in law. In fact, he seemed to imply that the growing threat posed by massive cyber incidents could serve as justification of expanded types of data collection, bordering on the controversial.

In other words, the NSA sees the looming threat of more consequential cyber attacks as justification enough to do even more data collection under parameters it views as legal.

European Law Operation Against Organised Crime

Law enforcement officers from 34 countries take part in the largest ever coordinated operation against organised crime in the EU - 1027 individuals arrested

Between 15 and 23 September, law enforcement authorities from 34 countries, coordinated and supported by Europol from its headquarters in The Hague, joined forces in Operation Archimedes. The operation targeted organised crime groups and their infrastructures across the European Union (EU) in a series of actions in hundreds of locations, with the cooperation of Eurojust, Frontex and Interpol.

"Operation Archimedes is a milestone in attempts by the law enforcement community to deliver concerted action against organised crime groups in Europe. The scale of the operation is unprecedented and the outcome, with over 1000 arrests made across Europe, a reminder to even the most serious criminal groups that the international law enforcement community is determined to combat their illegal activities," says Rob Wainwright, Director of Europol. "This week, as EU police chiefs gather at Europol for the 2014 European Police Chiefs Convention, our focus will be on how our combined strengths can best be applied to bringing down even more of the organised criminal groups that threaten the safety and wellbeing of our society."

Focused on disrupting the activities of the most threatening criminal groups and top targets active in key crime hotspots across Europe, the intelligence-led Operation Archimedes saw the participation of law enforcement officers from all 28 EU Member States as well as Australia, Colombia, Norway, Serbia, Switzerland and the USA (ICE and CBP).

In the largest period of joint action days held so far in the EU, raids and other interventions took place between 15-23 September 2014 in hundreds of locations including airports, border-crossing points, ports and specific crime hot spots in towns and cities, all of which had featured variously in Europol's SOCTA, criminal intelligence reports from EU Member States and third countries, and analytical products drawn from Europol's criminal databases.

Results from the operational actions include:

Joint action days have become a regular feature, over the years, of the EU law enforcement response to specific aspects of organised crime. Operation Archimedes builds on this experience. In parallel, investigators targeted the key infrastructures used by criminal groups, the use of the Internet as a facilitator for crime, and the illicit movement of criminal proceeds using money transfer systems.

In cooperation with Frontex and EU Member States, around 10 000 irregular migrants were checked, which also led to the arrest of criminals facilitating illegal immigration. In total in the overall operation, 170 facilitators were arrested and important intelligence was gathered.

Europol played a central role in coordinating and directing the overall operation from a 24/7 operational coordination centre in The Hague, manned by Europol officials, liaison officers from all involved countries and colleagues from international law enforcement partners.

Europol specialists, supported by their liaison officer colleagues, coordinated the exchange of information and intelligence between national law enforcement authorities, international partners and Europol, while Europol analysts processed the information and produced real-time reporting to those engaged in interventions and operational activity in the field.

Europol officers were also deployed on the spot in various locations, with their Europol mobile office which gave them direct, secure access to Europol's centralised databases and analysis tools.

While Operation Archimedes may be over, it is clear that the huge operational activity will provide many leads, which will, in turn, direct further investigations and arrests.

China says US hacking accusations are 'totally groundless'

The Chinese government says accusations that it was involved in cyberattacks against U.S. transportation contractors are "totally groundless and untenable."

The U.S. Senate Armed Services Committee said Wednesday that the Chinese military stole emails, documents and log-in credentials from contractors for the U.S. Transportation Command, a network that ties civilian airline and shipping contractors together for use in times of disaster.

Contractors faced more than 50 intrusions in the year from June 2012, almost half of which were successful in planting malware in computer systems, the committee said in a declassified report.

"The Chinese law bans all the activities that sabotage Internet security, including hacker attacks, and resolutely combats relevant criminal activities," Chinese Foreign Ministry spokesman Hong Lei said during a briefing Thursday in Beijing, according to a transcript of his remarks. "The Chinese government and military by no means support any hacking activities."

"The Chinese side urges the American side to stop irresponsible attacks and finger pointing against China, stop large scale and systematic cyberattacks against other countries and do more to uphold peace and security of the cyberspace," he said.

This isn't the first time this year that the US government has leveled such accusations against China. In May the US Department of Justice indicted five people apparently affiliated with the Chinese military, on charges related to cyberattacks and cyber espionage.

At the time, the Chinese Foreign Ministry said it was "deeply outraged" by the accusations and summoned the US ambassador so he could hear the country's objections directly.

A Multi-Pronged Approach to Cyber Risk Insurance

Insurance companies are facing new and growing cyber risks and need to develop a comprehensive, multi-pronged approach to address them, according to a panel of Deloitte & Touche executives who spoke on the topic earlier this week.

“Insurance Cyber Risk: Impacts of a Changing Technology Environment,” presented as part of Deloitte & Touche’s Dbriefs Insurance Series, detailed the evolving cyber threat landscape, provided industry insights and mapped out a series of steps and processes insurance companies can implement to build an effective cyber risk program.

Insurers' focus on cyber security has lagged other sectors, such as banking and financial services, according to Taryn Aguas, a senior manager with Deloitte. She was joined by colleagues Rich Godfrey, principal and national insurance advisory leader, Ash Raghavan, principal, and Adam Thomas, principal with the firm's cyber risk group.

The Internet, cloud, mobile and social networking technologies—platforms inherently oriented for sharing—are becoming more pervasive. Insurance clients want real-time access to their information, and insurance companies are grappling with changing business models including outsourcing, offshoring, contracting and a remote workforce. There is also more data to protect, and increased compliance requirements. All of these factors, in addition to a growing force of hackers that are difficult to catch, make cyber threats tougher to manage and risk harder to mitigate, the Deloitte executives say. And insurance companies are becoming a target for attacks, they say.

Traditional security controls are no longer sufficient to address the risk, according to the executives. Thomas says insurance companies need to consider their threat landscape and take a right-sized approach. In addition, various stakeholders need to work together to share intelligence about who is trying to attack, especially among public and private sectors. Companies also need to get their boards involved. “There’s a growing sentiment among investors that cyber risk requires persistent involvement and oversight,” he says. Insurance companies, and the industry at large, also need to focus on talent, so there’s the expertise and “muscle memory” on hand to know how to detect and respond to threats.

To craft a multi-pronged approach to combat and mitigate cyber threats, Thomas suggests companies:

• Move away from a compliance-first activity to one that focuses on where the risks are and how and where to spend time and resources;

• Treat cyber threats as less of a technology problem and more of a business problem. “It should be part of a company’s daily DNA, and treated like any other risk,” he says;

• Remember technology is a great enabler but not the only answer. Companies need to address the talent issue, collaborate with peers including law enforcement agencies and regulators, and focus on embedding cyber security into the corporate culture.

Specifically, Thomas recommends insurance companies adopt agile risk management policies that, for example, embed security policies and practices into processes from the start. He also says companies need to focus on obtaining good cyber intelligence by making use of predictive and other analytics, mobile security, and the security practices of any third party they engage with, as well as the security of cloud computing services they may leverage. Finally, companies need to pay attention to regulatory requirements. “We are seeing more interest from regulators regarding insurance companies and how their cyber security is being done,” Thomas says.

Cyber Security Challenge joins with GCHQ

The Cyber Security Challenge is linking with GCHQ to develop counter-espionage and cyber security skills for the real world.

The Cyber Security Challenge, now in its fourth year, has teamed up with the UK’s intelligence agency to give the public the chance to act like a security operative and attempt to prevent an attack on a fictitious aerospace firm by a fictitious group of cyber-criminals called the Flag Day Associates.

The new game ‘Assignment: Astute Explorer’ will see players who register to take part given the chance to analyse code from the aerospace company, identify vulnerabilities and then suggest fixes.

Players are expected to identify the cracked code and its vulnerabilities. Once they have found the flaws, players must then explain how and why they might be exploited – and then offer security fixes. The competition is designed to promote the UK’s cyber talent and encourage entrants into the IT security profession.

According to a spokesperson for the Challenge, the Astute Explorer game follows on from an assignment set by global security software vendor Sophos that, over the last weekend, tasked the public to analyse a hard-drive recovered from the Flag Day Associates.

The hundreds of candidates who tackled the Sophos competition revealed plans for a future attack on Ebell Technologies – described as an aerospace and electrical engineering company and a world leader in the production of military and civilian aircraft, green energy technologies such as wind turbines, and a variety of electronics products.

Professionals who pass the tests will need to see beyond the current limits of ISO 27001 certifications. They will evolve a set of skills that can be used to counter and mitigate the rising tide of adverse attention from hackers, hacktivists, criminal gangs, and state-sponsored cyber-attacks.

Have your Private Bits been exposed online?

The latest hack of personal data has struck, and combines two of the Internet’s favourite worlds: nudity and celebrities. The latest celeb-photo-gate appears to be particularly bad, with as many as 400 nude photos of 100 celebrities being leaked in one go via the website The photos appear to have been hacked from the celebrities’ iCloud accounts; this led to a quick slide in Apple’s stock just when it is gearing up to launch the iPhone 6 with extra emphasis on cloud storage.

Many people, not just 4chan trolls, don’t feel sorry for the latest celebrity who has lost dignity and privacy. A stock response is “if they take the pictures they deserve it”. So is privacy possible in today’s cloud-based Internet?

In a world full of hackers, NSA and GCHQ, many say that privacy is dead and who cares? It’s easy to say privacy is meaningless until you have lost it. So-called “life-ruin camgirls” know this all too well. These are girls who (maybe stupidly) revealed too much information about themselves along with nude pictures and video on the 4chan website. The “life ruin” starts with “doxing” the girls (i.e. finding real information about them, such as address and telephone number, and publishing it), then contacting everyone the girl knows (friends, family, colleagues, boyfriend, etc.) and sending them the compromising shots. This is called a “life ruin” for obvious reasons; the internet trolls are not happy until the girl is driven from the internet entirely and everyone she knows has access to the compromising pictures. Victims of the “life ruin” will say that privacy was alive, but not for them anymore.

The point isn’t whether people should or shouldn’t take nude pictures of themselves; a recent YouGov poll found that 30 percent of British adults under 40 have done so, and 21 percent have had sex on camera. The point is that if they choose to do so they shouldn’t have to worry about those pictures leaking on the Internet. Who is to blame: the user for taking them, the hacker for stealing them, or the company for storing them? The only ones breaking the law are the hackers, of course; however, by quickly increasing the security on its iCloud accounts, Apple clearly realised its own protocols weren’t strong enough.

More worryingly, a number of the celebrities reported that the leaked photos had been deleted years before. As we tell the students of our Internet investigation courses: what goes on the Internet stays on the Internet, forever. This is a good argument for the “right to be forgotten” from the internet, and not just forgotten from the visible web, but also from the Deep Web databases that internet corporations hold on all of us.

Ironically, hackers skilled enough to cause these leaks are also the ones skilled enough to develop technology that may eventually allow us all to use the Internet in privacy. Free-to-use encryption standards and services like Tor have been developed by former hackers and are increasingly giving more and more people the privacy they desire when online.

A spike in the use of Tor following the Snowden revelations, and an increase of over 400 percent in the last two years (pictured), suggests that privacy is not dead. There has also been a big increase in start-ups focusing on tools for keeping our data and communications private and encrypted. If Apple, Google etc. used encryption as standard it would make us all safer from these types of intrusions, but this is an unlikely prospect as they would not be able to read and make money from our data.

For now, what can be done to stop breaches like this occurring? Sadly for celebrities, or anyone who already has private data or photos of themselves on any internet enabled device, the likelihood is that it is all out there somewhere, and may turn up at some point in the future.

Routine encryption is very rare in devices today, but if you are a celebrity, or anyone who doesn’t want their voicemails intercepted or their photos leaked, the new BlackPhone has encryption as standard and is one of the most secure devices currently available. Other options include hiring an IT encryption expert to help secure your devices, or simply educating yourself on cryptography by joining a Cryptoparty. Lastly, protect yourself using the boring old rules around password protection as discussed in earlier posts here and here.

While, for the Internet giants, convenience and monetising our data are preferable to securing it, the security changes needed to stop these leaks in future will sadly not happen.

Smartphone app gave location of Japan’s Air Force One

A Swedish-made mobile app was leaking the flight path of Japan’s government aircraft for years.

Japan’s Defense Ministry asked the developer of “Flightradar 24” to suppress the sensitive information after the lapse was pointed out by The Yomiuri Shimbun newspaper.

“Flightradar 24” became available in 2006. The company has since taken the necessary steps to hide the aircraft.

The app works by tracking data from the onboard ADS-B (automatic dependent surveillance-broadcast) transponder, a technology that allows an aircraft to identify its position via satellite. That data is periodically broadcast for tracking purposes to avoid midair collisions.

“When a user taps an airplane icon on the map, the app instantly shows flight data including latitude, longitude, speed, altitude, route, descending or climbing rate and aircraft type, together with a photo. The function exposes take-off and landing times, which are the likeliest windows for terrorists to attack an aircraft,” according to The Yomiuri Shimbun.

Japan’s Air Force One transports the prime minister and senior government officials on overseas visits. The aircraft’s routes are not supposed to be disclosed. The planes apparently broadcast signals during takeoff and landing because of the regulations of certain countries.

Some within the Japan Self-Defense Forces had previously discussed the app’s sensitive disclosures, but the matter was not seen as urgent.

Kazuki Sugiura, an aviation analyst, told the newspaper: “The government aircraft could have been targeted by terrorists during take-off or landing, when speed and altitude are low. The Defense Ministry’s awareness about safety management was at a low level.”

GCHQ Scans Entire Countries for Flaws to Exploit

British spy agency GCHQ has since 2009 been port scanning every available IP address in 27 countries across the globe for vulnerable systems to exploit, according to a new report.

The HACIENDA program was exposed in secret documents obtained by reporters writing for German publisher Heise.

Its purpose is to allow GCHQ spooks to discover vulnerable network infrastructure to exploit, with the database resulting from the port scans also shared with intelligence agencies in the other “Five Eyes” states.

Given that every target could theoretically be used to attack another target, no device or machine is safe from the program, the report claimed.

“The process of scanning entire countries and looking for vulnerable network infrastructure to exploit is consistent with the meta-goal of ‘Mastering the Internet’, which is also the name of a GCHQ cable-tapping program: these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems,” it added.

“Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case.”

HACIENDA scans all common public services like HTTP and FTP as well as admin protocols like SSH and SNMP. It also downloads ‘banners’ – the information a service sends back when a client connects to its port, which can help identify which software version is running on a target system.

The report argues that GCHQ, the NSA and other agencies in the Five Eyes group are effectively using the same attack methodology as organised cyber criminals: reconnaissance, infection, command and control, and exfiltration.

HACIENDA is being used by these agencies, at least in part, to locate vulnerable machines which they can then turn into Operational Relay Boxes (ORBs) – covert infrastructure used by the spies to hide their location when attacking a target to steal data or launch other exploits, Heise said.

“Thus, system and network administrators now face the threat of industrial espionage, sabotage and human rights violations created by nation-state adversaries indiscriminately attacking network infrastructure and breaking into services,” it continued.

“As a result, every system or network administrator needs to worry about protecting his system against this unprecedented threat level.”

In a bid to help network admins, the article also suggests some potential protections against HACIENDA, including “TCP Stealth”, described as “an easily-deployed and stealthy port knocking variant”, which is currently an IETF draft.

Mark James, a security specialist at ESET, argued that port scanning has been around for a long time and used “for good and bad since the birth of TCP”.

“It’s nothing new to be worried about, but it’s certainly something that any company or user that has a public server ‘should’ worry about, the same way they worry about any other type of security,” he told Infosecurity by email.

“Good network practices should be routinely maintained. Only allow ports to be opened that you’re going to use (you don’t always have to use the ‘standard’ ports to achieve a goal). Some administrative services can be moved to non-standard ports in an attempt to thwart these types of attacks.”

Admins should also routinely check network logs for unusual activity, he added.

“Regular checks are a must. It may only be a few open ports today, but if you’re compromised the attackers may well open more ports remotely to make their life easier,” James argued.
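A minimal version of the log check James recommends, written for this newsletter as an added example (it is not code from Heise, ESET or the HACIENDA report): it parses firewall log lines in the style of the Linux netfilter LOG target and flags any source address that touches five or more distinct TCP destination ports on one host within a minute, the signature of a sweep like the one described above. The log lines are constructed, the field layout is an assumption about how the firewall logs, and the window and threshold are tunable defaults rather than recommended values.

```python
"""Flag sources that probe many distinct TCP ports on one host in a short window.

Added example, not part of the newsletter or of any of the reports it cites.
The sample log lines below are constructed in the style of iptables/nftables
LOG output; real deployments should point the parser at their own format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one sweeping host (198.51.100.7), one ordinary web
# client (192.0.2.10), one slow prober (198.51.100.9), plus noise lines.
SAMPLE_LOG = """\
Sep 29 10:00:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Sep 29 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN
Sep 29 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 29 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN
Sep 29 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40004 DPT=25 SYN
Sep 29 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40005 DPT=80 SYN
Sep 29 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40006 DPT=443 SYN
Sep 29 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=80 PROTO=UDP SPT=40007 DPT=161
Sep 29 10:00:05 gw sshd[123]: Accepted publickey for ops from 192.0.2.10 port 52110
Sep 29 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=52000 DPT=443 SYN
Sep 29 10:00:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=52001 DPT=443 SYN
Sep 29 10:00:07 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=52002 DPT=80 SYN
Sep 29 10:05:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51001 DPT=23 SYN
Sep 29 10:10:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51002 DPT=25 SYN
Sep 29 10:15:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51003 DPT=80 SYN
Sep 29 10:20:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51004 DPT=443 SYN
"""

# Assumed field layout: syslog stamp, host, "kernel:", then netfilter key=value
# pairs. Only TCP is counted here; UDP probes (e.g. SNMP) would need a second rule.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a TCP firewall line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog stamps carry no year; strptime fills in 1900, which is harmless
    # for computing deltas within one file (assumption: no year rollover).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_scanners(lines, window=timedelta(seconds=60), min_ports=5):
    """Sliding-window sweep detector.

    Returns {src: sorted distinct ports} for every source that hit at least
    `min_ports` distinct destination ports on a single host within `window`.
    Lines are assumed to be in time order, as a log file normally is.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    hits = defaultdict(set)       # src -> union of ports seen in any alerting window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dpt = rec
        q = recent[(src, dst)]
        q.append((ts, dpt))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            hits[src].update(ports)
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible port sweep from {src}: ports {ports}")
```

On the constructed sample only 198.51.100.7 is reported: the ordinary client touches two ports, and the slow prober spaces its connections five minutes apart so it never reaches the threshold inside one window. Lowering `min_ports` or widening `window` trades more sensitivity for more noise, which is the usual tuning decision for this kind of check.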


The full web site is currently under development and will be available during 2014