Cyber Security Intelligence


October Newsletter #3 2014

Edward Snowden: It was worth it

NSA leaker Edward Snowden defended his disclosure of reams of classified information and said his actions were worth fleeing his seemingly idyllic life in Hawaii and ending up in hiding in Russia, where he was joined by his girlfriend in July.

“It was about getting the information back to people so they could decide if they cared about it, and on that account … I could not have been more wrong in thinking that people wouldn’t care,” he told a New Yorker Festival audience Saturday afternoon via webcast from an undisclosed location in Moscow.

But he also suggested that if he had been a journalist handling the leaked documents, he would have been more conservative than some of the reporters who wrote about the surveillance programs.

Snowden said he was just “one small guy,” an “ordinary” man who saw the inner belly of the U.S. intelligence apparatus and had to act.

He has been criticized by many inside and outside government who have charged that he’s a traitor who jeopardized critical national security programs and made it easier for terrorists to plot and evade U.S. government surveillance. But Snowden has been hailed as a hero by civil liberties groups and libertarians for revealing the extent of government surveillance into the communications of ordinary Americans.

Snowden implied he had been vindicated by President Barack Obama, who said in January that a debate on surveillance “will make us stronger” as a country.

Obama’s statement was “very important for everybody who believes that our rights matter, our constitution matters and intelligence agencies, even if they have good intentions, can go too far, when they violate the constitution on a massive scale, that matters, and they need to be held to account for it,” he said in response to questions from New Yorker staff writer Jane Mayer.

Snowden, who worked with the journalists Glenn Greenwald, Laura Poitras, and Bart Gellman to bring highly classified materials about NSA surveillance programs to the public eye, also responded to a Mayer question that he summarized by saying, “do I agree with all of the stories that the journalists have presented?”

“I don’t,” he went on. “I would draw those lines a little differently, and I think much more conservatively than some of the journalists have,” without naming which reporters’ stories he disagreed with.

Snowden also said that “in fact we’ve seen serial violations of the law … NSA employees have used this surveillance power to spy on exes, to spy on lovers, and that’s a felony, however none of them were prosecuted because it was considered that the value of the programs was greater than the interests of justice.”

Mayer, the event’s moderator, also delved into more personal questions and asked Snowden what he missed about the U.S., a country he may never return to.

“The question is what don’t I miss, whether it’s my family, whether it’s my home, whether it’s my friends, whether it’s my work at the agency, I was fulfilled and happy,” he responded. “Things as simple as having my old beat-up car, there’s a lot to miss. It’s a great country.”

Now he’s ensconced in Moscow, where he has reunited with his girlfriend Lindsay Mills, revealed in a new documentary “Citizenfour” and a New Yorker piece published on Friday.
“She was not entirely pleased [with what happened], but at the same time, it was an incredible reunion because she understood me, and that meant a lot to me,” he said.

NSA Revelations You Need To Know About

The NSA is perhaps the biggest threat to the deep web. As the Snowden documents continue to be released, they have a tendency to all blend together and evoke the response “What’s new?” Though, with the risk of information overload, these NSA revelations are important for any deep web user.

Tailored Access Operations (TAO), an elite squad of NSA hackers, began revamping its hacking efforts in 2004 by hiring new hackers and developing new tools to infiltrate computers. Ten years later it has a massive worldwide network that is able to gather and store data on people who happened to be caught in the fray. Though TAO is a smaller, elite unit whose job is to go after the most difficult targets, it has created a mostly automatic network that has been valuable to the NSA in its broad, sweeping hacking efforts. TAO’s main task was to install implants in hardware that had been ordered by a target. The hardware is intercepted and TAO puts a backdoor into it, giving the cyber spy agency easier access. Since TAO started, it has done this in a larger and more aggressive fashion, resulting in a massive network around the world.

Recently, it was revealed that Yahoo tried to fight and stop the NSA when the NSA sought access to information on certain overseas users in 2007. This might be a PR push for Yahoo, but the court documents support its claim that it tried to stop the NSA and protect its users’ privacy.

The NSA has made its own version of Google that easily and quickly searches 850 billion records about phone calls, emails, cellphone locations, and Internet chats. The search engine is open to 12 US governmental agencies, which include the FBI, CIA, DIA, and DEA.

The search engine makes finding stolen documents very easy and quick. Concerning the deep web, it is quite disturbing that the DEA and FBI have access to the information. This obviously represents a massive violation of human rights, but so far it seems unlikely that we will get information about how the data is used by these agencies in cases.

Social media is being used against you

Social media brought great benefits but the public had yet to understand the full implications of living under "permanent scrutiny", he told BBC News. "It's about being able to live a private life and whether that's possible". He was speaking anonymously at a meeting at the Conservative conference. The man, who works for one of the world's largest tech companies, cited the example of health insurance as an area where the unintended consequences of posting on social media might harm people financially.

"You have an insurance policy you have signed which says you are a non-smoker and you may have signed that back in 2002 or something. At the point at which you fall ill in your seventies, if there is a single photograph of you on Facebook or any other social media that happens to show you holding a cigarette, is your insurance policy completely voided?"

Then there was also a risk that the "internet of things" - household appliances and other devices talking to each other over the net - would collect data on your "habits of behaviour" that could be used against you.

A former high-ranking cyber-security expert with the British government told the meeting that the cost of online crime was being dramatically under-estimated. "According to the Cabinet Office £56bn is lost in fraud and error every year. If you ask them off the record, they say the more they look, the more they find," said the man, who also did not wish to be named. He said eliminating cyber fraud "could reduce the deficit in two and a half years without austerity" or "just hand every household in the UK £2,500 in cash." But there was no incentive for the government or the banks to take it seriously.

"How can government properly direct resource if it doesn't acknowledge the scale of the issue? If bankcard fraud had been added to the official crime statistics then the level of reported crime would have gone up from 7.3 million cases to 11 million cases. And that means that police forces are not properly directing resource but it also means that citizens aren't engaged. Banks and insurers suck up the cost of fraud. It means higher premiums and charges for all of us."

Japan court orders Google to delete data

A Japanese court has ordered Google to delete search results linking the claimant to a crime he did not commit, the latest in a series of rulings around the world on what search engines should tell users.

The man requested the injunction in June, arguing that these search results suggest he was involved in a crime and that this constitutes a threat to his current way of life and compromises his privacy, the Asahi said.

The ruling comes after the EU's top court said in May that individuals have the right to ask Google to delete personal data produced by its search engine.

Individuals have a right "to be forgotten", under certain circumstances when their personal data becomes outdated or inaccurate, the European Court of Justice said.

Google's 'right to be forgotten' figures reveal 18,000 UK requests

The latest figures from Google show that the search giant has received 144,907 requests to remove links to 497,507 pages, following the decision by an EU court that individuals have "the right to be forgotten".

The newly updated version of the company's Transparency Report includes a section detailing the impact of the European Court of Justice's ruling earlier this year that upheld the right to request to have irrelevant results about you removed from search results. All of the figures Google has provided date back to 29 May 2014. During that time Google has approved nearly 60 percent of requests to have URLs removed from results.

The majority of requests have come from France, Germany, the UK, Spain and Italy, Google has revealed in a blog post. In total Google has received over 18,000 requests from within the UK relating to over 63,000 URLs. It has agreed to honor around 65 percent of these requests, which is obviously higher than the EU average.

For the sake of transparency, Google has also chosen to reveal information about the top 10 domains which have seen their URLs removed from search results. Among these domains are YouTube and Google Groups, showing that Google's own services have been very much affected by the ruling. The domain that has seen the most URLs removed is Facebook, with a total of 3,331 requests honored by Google.

In the updated Transparency Report, Google has also chosen to include some anonymised versions of real requests it has received, in order to shed light on what people are asking of the search engine and what decisions Google is making.

In Italy, for example, a woman requested that Google remove a decades-old article about her husband's murder that mentioned her name. One request from the UK that Google did not agree to act on involved a media professional who wanted four links to articles reporting on embarrassing content he had posted to the internet removed.

Google seems to honor requests made by victims of crime, but perhaps comfortingly, perpetrators do not fare so well. Financial professionals from Switzerland and Italy asked the search engine to remove multiple links to pages reporting their arrests and conviction for financial crimes. Google did not adhere to these requests.

Google’s Schmidt Fires Back Over Encryption

To hear Google Executive Chairman Eric Schmidt tell it, the US government has only itself to blame for new efforts by Google and Apple to keep police out of suspects’ smartphones.
Speaking at a round table of technology executives organized by Sen. Ron Wyden (D., Ore.), Mr. Schmidt offered Silicon Valley’s first public retort in a renewed debate about how far technology companies should go to protect user data.

Last month, Google and Apple said they would begin encrypting data on their phones in ways that would prevent them from unscrambling it for police—even with a warrant.

US officials said it marked a new low in relations between Silicon Valley and Washington since former National Security Agency contractor Edward Snowden began leaking state secrets last spring.

“The people who are criticizing this are the ones who should have expected this,” Mr. Schmidt replied. At another point, he said new regulations by foreign governments to shield more data from US spying would end up “breaking the Internet.” He also said that Google had been “attacked” by the British version of the NSA. Documents leaked by Snowden indicated spies mined data from Google’s overseas data centers without its knowledge.

National Crime Agency director general: UK snooping powers are too weak

Britons must accept a greater loss of digital freedoms in return for greater safety from serious criminals and terrorists in the Internet age, according to the country’s top law enforcement officer.

Warning that the biggest threats to public safety are migrating to the internet and that crime fighters are scrambling to keep up, Keith Bristow, director general of the National Crime Agency, said he accepted he had not done a good enough job explaining to the public why the greater powers were necessary.

The UK Home Secretary, Theresa May, has backed the introduction of greater mass surveillance powers, and committed the Conservatives to implementing the communications data bill that had been blocked by the Liberal Democrats amid protests over civil liberties.

Bristow warned it would be wrong to grant the greater powers to access email and call data without public agreement. Some may see that as an implicit criticism of how previous secret mass surveillance powers, revealed by the US whistleblower Edward Snowden, were enacted.
He said he thought the concerns about excessive government invasion of privacy and secret mass surveillance programmes were legitimate. But he thought once the need for greater surveillance was explained, the public would understand. Bristow accepted that it would be harder now to win support for greater surveillance powers. “The Snowden revelations have damaged public confidence in our ability, whether it’s law enforcement or the intelligence agencies, to access and use data in an appropriate and proportionate way.”

Bristow argued that cybercrime posed a threat to Britain’s national security and way of life, and that powers he had to investigate criminals using modern technology were inadequate and needed boosting.

Asked if he sees advantages for terrorism and organised crime fighting being led by the same organisation, Bristow said: “I can see advantages for shared capability.”

UK: Fraud police chief warns of lack of officers

There are not enough fully trained fraud investigators, the senior police officer responsible for tackling the crime in England and Wales has warned. The number of recorded fraud cases has risen by two-fifths over the last three years, mostly due to an increase in computer-related fraud. Commander Steve Head said criminal gangs were behind it.

Fraud in England and Wales:
211,000 cases (Mar 2013-Mar 2014)
Rise of 17% on previous year
333,000 other cases reported by industry bodies

And research for Radio 4's File on 4 programme suggests a recent increase in the number of specialist fraud officers has been outstripped by the rising caseload.

A growth in computer-related fraud has contributed to a rise in offences, though much of the rise in the number of cases may be explained by the fact that a new organisation, Action Fraud, has made it easier for the public to report incidents. In the 12 months to the end of March, 211,000 frauds were recorded by police in England and Wales - up 17% on the year before. In addition, 333,000 frauds were reported by industry bodies, a 2% rise.

In a report last year, the House of Commons Home Affairs Committee said that when it came to cyber crime, there was a "black hole which allowed criminals to make huge profits from fraud".

Rising cyber-crime is one of the factors behind the growth in fraud cases

Cdr Head, national co-ordinator for economic crime, said police needed to map and understand new types of fraud in which criminal gangs in remote locations could target people using computers and smartphones.

Among the most common types of cyber scams are mass-marketing frauds, in which people are persuaded to part with money on the promise that a larger sum will be paid later, and bogus auction websites - advertising goods that are never sent after the payment has been received.

The study showed that, compared to 2011, staffing levels had risen by 11%. The National Crime Agency has its own Economic Crime Command and the number of specialist fraud officers increased by 20, from 428 to 448, while the number of civilian financial investigators went up from 235 to 289.

However during the same three-year period, frauds recorded by police in England and Wales increased by more than 40%. "We don't have enough officers trained to deal with economic crime and fraud at the moment," said Cdr Head, adding that efforts were going on to improve the situation.

Why cyber criminals are winning: The secret weapon of the black hats

One day it’s black hats making headlines with a massive hack on Home Depot. The next, it’s the theft of 4.5 million US hospital records or 1.2 billion web credentials. The connected world is under siege and the current cyber security approach is falling woefully short — as evidenced by the headlines.

Today’s cyber security paradigm is a reactive cycle: when a threat is exposed, it is analyzed and a counter-solution is designed with response times varying from weeks to years. The trouble is that attackers can easily reuse pieces of previous malware, modify them, and create a brand new threat, bypassing the newly updated security measures.

Attackers can simply copy pieces of code from previous malware, such as exploits, decryptors or modules (keyloggers, backdoors etc.), and incorporate them into the new malware they are developing. Alternatively, attackers can imitate the operational methods performed by other malware, needed for the success of the operation (persistence methods for example). By reusing code and methods, hackers gain the upper hand. New malware is cheaper and easier to develop, while the tools needed to locate and disable it are only becoming more expensive. All the while, defenders need to cover a growing array of potential targets, each with their own set of weaknesses. For every dollar spent by cyber attackers, hundreds of dollars are being spent by the IT security industry. This economic imbalance is the springboard from which cyber-crime, cyber-terrorism and cyber-warfare are launched. Thus, code and method reuse has become an intrinsic part of the DNA structuring of malware development today.

BlackPOS is the malware responsible for stealing credit card information from the Target and Neiman-Marcus department stores in December 2013. The attackers reused the entire code of an earlier variant of the BlackPOS malware, modifying it slightly to deal with the specific PoS software used in Target. Yet another variant of the BlackPOS model returned in April-May 2014, stealing an even bigger number of credit cards from the Home Depot retail chain.

The bottom line is that as long as we give cyber criminals the opportunity to reuse and recycle code, hacking makes financial sense. Until hackers are forced to create attack chains from scratch they will continue to win.

MH370 search to resume in desolate Indian Ocean after crews complete deep sea mapping

The hunt for Malaysia Airlines Flight 370 is about to resume in a desolate stretch of the Indian Ocean, with searchers lowering new equipment deep beneath the waves in a bid to finally solve one of the world's most perplexing aviation mysteries.

The GO Phoenix, the first of three ships that will spend up to a year hunting for the wreckage far off Australia's west coast, is expected to arrive in the search zone Sunday, though weather could delay its progress. After a four-month hiatus, crews will use sonar, video cameras and jet fuel sensors to scour the water for any trace of the Boeing 777, which disappeared March 8 during a flight from Kuala Lumpur to Beijing with 239 people on board.

The search has been on hold for months so crews could map the seabed in the search zone, about 1,100 miles west of Australia. The 23,000-square mile search area lies along what is known as the "seventh arc", a stretch of ocean where investigators believe the aircraft ran out of fuel and crashed, based largely on an analysis of transmissions between the plane and a satellite.

Given that the hunt has already been peppered with false alarms, from underwater signals wrongly thought to be from the plane's black boxes to possible debris fields that turned out to be trash, officials are keen to temper expectations.

How US organizations are losing the cyber war

Cyber crime, hacking and data breaches have seldom been out of the news in 2014, but just how well are organizations coping with it?

Not very well, according to a new infographic released by security solutions company CSO that's based on the results of a survey of over 500 private and public sector executives and security experts.
Among the findings are that 77 percent of organizations have reported a security breach in the past year, with an average of 135 incidents per organization. Yet only 38 percent have a system to prioritize security spending based on risk and business impact.

Of those that detected an incident, 69 percent said they weren’t able to estimate the cost. Those that did put the average annual loss to cyber incidents at $415,000. However, 19 percent of US companies put losses at between $50,000 and $1 million.

Among the major concerns are that most organizations don't take a strategic approach to security, supply chain risks that aren’t adequately assessed or understood, and inadequate mobile device security.

The report finds that effectively fighting cyber crime requires collaboration in order to share experience and knowledge of threats. It also needs strategic spending, particularly on security training for employees.

US Cyber Attacks and Data Breaches in September

The number of payment card breaches in the US appears to be going up and up, and an end isn’t in sight. September’s ‘Shellshock’ Bash bug affects 500 million computers, servers and devices.

Search Engine Optimisation For Your Website

SEO stands for Search Engine Optimisation. Whenever you enter a search term into a search engine, you will be provided with thousands of websites that contain your search query. You will also notice that the websites are ranked according to popularity and relevance to what you are trying to find. The better your website’s SEO, the more likely it is to show up at the top of a search engine’s results list.

Search engines are not controlled by humans, since it would not be possible to reply to so many search keywords at the same time. Instead, they operate with the help of texts. Search engines do not see images. So it doesn’t matter how well designed your website seems visually; it will make no difference to any search engine. However, the way that your web pages have been designed through HTML web coding, as well as the keywords that you use in your posts, will certainly have an impact on how quickly your visitors will be able to find your posts through search engines.

Your post’s title is one of the first things that search engines use to decide what the post is about. The same applies to your website’s username. So, if you want to write abstract or funny post titles that have nothing to do with the actual content, you will soon find yourself at the very bottom of the list, and will receive a much smaller number of visitors per day. The software programs that allow search engines to help you find whatever it is that you are looking for are called crawlers. They are only activated once a keyword is entered into a search engine. They do not visit websites every day to check whether or not there are any new updates. This is why it is so important that you take great care in how you create all of your posts.

Once a search engine arrives at your posts, it calculates its relevancy before suggesting it as the possible answer to its users. This is calculated in a number of different ways; however, the most popular option is to see how many times the keyword has been used within your text, as well as how many other relevant keywords have been used as well. This does not mean that if you place the same keyword in your text 50 times that it will automatically be considered the best option for a search engine result.

Avoid becoming a cyber-attack victim

When someone becomes the victim of a security breach and their account is hacked, it’s not just that one account that’s at risk. Depending on what the hacker was able to obtain, additional users’ details can be reused or sold on for other purposes.

Combining this information with other details (publicly available or illicitly obtained) increases the vulnerability of other online accounts. For instance, your email address can be used to help hackers spoof your account, set up false accounts in your name, or even send you ‘news’ of the attack in a phishing email with a link to reset your password – a malicious link which could download malware onto your system. Essentially, hackers have the ability to take advantage of consumers’ online profiles once they have just one piece of the puzzle.

What the entire Internet community really needs, including those on eBay, is to accept that simple password security is no longer adequate. Two-factor authentication is now essential. Two-factor security works by combining something you know (your username and password) and something you have (a security device such as a token or a mobile phone). Logging on with this form of security therefore requires possession of both a password and a physical token, such as a smart card or encrypted USB token, before you can be logged in. In the future a third factor based on “something you are” (biometric data, such as your fingerprint) will also be added to provide an even greater level of security.

As we move into an increasingly digital era where more and more of our personal information is stored online, organisations using and storing this data need to increase their efforts to both protect it and to make it less useful when used in isolation from the intended system.

Tigerscheme partners with PGI Cyber Academy

A new partnership has been announced between the PGI Cyber Academy, the UK’s most advanced and broadest training provider in cyber security and Tigerscheme, a highly regarded certification scheme for technical security specialists, backed by University standards. The scheme is assessed by the University of South Wales.

PGI Cyber Academy is now delivering the training and assessment for the Tigerscheme’s Qualified Security Team Member (QSTM) qualification at its state of the art training facility in Bristol. This training course allows individuals to become recognised and certified information security professionals within the public and private sector as well as offering the opportunity for IT practitioners to add information security to their skill base enabling their career progression.
The QSTM assessment has also been reviewed by CESG as the National Technical Authority in the UK and has been accepted as meeting the technical requirements for a CHECK Team Member assault course.

PGI Cyber Academy also runs information security courses at the Advanced Penetration level, for both Infrastructure and Web Applications as well as further courses supporting Forensics, Incident Response and Malware Analysis qualifications for both IT professionals and specialist commercial and government technical security specialist providers.

National Cyber Security Awareness Month – Take The Opportunity to Make Changes for the Future

Security awareness is a year-round responsibility for all of us. However, take the opportunity during National Cyber Security Awareness Month (NCSAM), a U.S.-led initiative, to further promote cyber security best practice and awareness within your own organisation here or around the globe.

Security policy and EU data protection: Don't waste a good crisis

Register now to watch this webcast with tips on formulating a security policy in light of upcoming EU data protection regulation.

Watch this live event on 6 November at 11:00 GMT - if you can't make it, just sign up and we will email you when the recording is available.

Websense research finds that 40 per cent of UK security professionals never speak to their executive board about cybersecurity issues. But we all know there are things that they really need to hear. Now there’s a way to get their attention: 2015 looks like the year that the long-feared EU data protection regulations will become law, and that’s going to affect everyone’s cybersecurity policy and practice.

Governments must respect data ownership says Silicon Valley

You own your data. And the government needs to start respecting that.

This was the assertion made today by Microsoft General Counsel Brad Smith at a Silicon Valley panel discussion on NSA surveillance. Until the US recognises and restores the fundamental right of ownership you have in your data, he continued, the US cannot hope to rebuild trust lost through the NSA's widespread surveillance programs. This stance flies in the face of what we expect from Internet companies these days, many of whom tend to act as if they own the content we create.

"If you're a consumer or a company, you own your email, your text messages, your photos and all the content that you create," he said. "Even when you put your content in our data centres or on devices that we make, you still own it and you are entitled to the legal protection under our Constitution and our laws. We will not rebuild trust until our government recognises that fundamental principle." The room erupted in applause.

The panel discussion was organised by Senator Ron Wyden (D - Oregon) to address the effects the NSA surveillance programs have had on the tech industry. It included Google Executive Chairman Eric Schmidt, and the top legal counsels for several tech companies: Colin Stretch of Facebook, Ramsey Homsany of Dropbox and Smith from Microsoft. Also participating was John Lilly, a partner with Greylock Partners, an investment firm.

Wyden is chairman of the Senate Finance Committee and has served on the Select Committee on Intelligence for more than a decade. He was one of the few lawmakers privy to the NSA's programs before they were disclosed by whistleblower Edward Snowden.

"We're Going to End up Breaking the Internet"

Wyden opened the panel by noting that until the Snowden revelations he never once heard a US official express concern about the potential impact of the government's mass surveillance programs on the digital economy.

Silicon Valley vs. the Government

In a year of profoundly disturbing disclosures, Schmidt said the one that struck companies the hardest were reports about the tapping of undersea cables used to transmit data between the overseas data centres of US companies.
