Teenager hacks Sri Lankan president’s website to protest exams

26th February 2017

Teenage hackers have struck again. This time, a Sri Lankan teenager apparently broke into the personal website of the country’s president.

As reported by Sri Lanka’s Daily News, the 17-year-old from the province of Kadugannawa hacked into President Maithripala Sirisena‘s personal website to protest the date of upcoming exams. He was arrested on August 29 by Sri Lanka’s Crimes Investigation Department… Read the full story here http://www.scmagazineuk.com/teenager-hacks-sri-lankan-presidents-website-to-protest-exams/article/520647/

Are we ignoring the risks of mobile data?

26th February 2017

Cybersecurity threats have boardrooms across the country quaking in their boots. The mere mention of a hacker is enough to escalate a threat straight to the top. There’s even a national cybersecurity centre. But talking about the risks from a USB stick… well, that doesn’t exactly get the same level of attention. Unfortunately, the recent research from IBM and the Ponemon Institute suggests we’re paying even less attention to mobile security than we were, despite the continuing stream of mobile data breaches. So why is mobile data not on the boardroom agenda, and why should it be?

[Updated] New EU directive requires critical infrastructure to improve cyber-security

26th February 2017

– SC Magazine

The European Parliament this morning passed the new network and information security (NIS) directive, placing minimum standards for cyber-security on critical infrastructure operators… Read the full story here http://www.scmagazineuk.com/updated-new-eu-directive-requires-critical-infrastructure-to-improve-cyber-security/article/507688/

AMD, ExactTrak and OptioLabs showcase security technology at the ITI Council Tech Show 2016

26th February 2017

Data security is at an inflection point. As the threats faced by consumers, businesses and countries continue to grow, the need for smart security solutions that incorporate silicon and software becomes even more important. The ability to bring these innovative solutions to market depends upon a strong ecosystem, highlighted by public policies supporting research; protection of intellectual property; public-private partnership; a fair and open competitive landscape; and certainly, the skills and imagination of a talented workforce located worldwide.

LBB ExactTrak hardening mobile security

26th February 2017

ExactTrak, one of the April 2016 cohort of Little British Battlers, tackles the problem of mobile data loss head on with its USB-based Security Guardian. While USB sticks can be a byword for compromised and lost data, ExactTrak uses the USB format to its advantage, embedding security into the hardware.


AMD Delivers Affordable Enterprise Client Computing With HP’s EliteBook 725 G3

26th February 2017

Patrick Moorhead

HP EliteBook 725 G3 (photo courtesy HP Inc.)

Advanced Micro Devices lately has been best known for its consumer products, namely its processors and, after acquiring ATI, its graphics cards. The company used to have fairly strong enterprise offerings in the datacenter for servers, but never really had very strong ambitions in the enterprise client space. However, under the new CEO Lisa Su the company has a new focus on commercial processors and graphics, thanks to her explicit commitment to enterprise client at the beginning of her tenure as CEO. HP Inc. says that the EliteBooks are the safest and most reliable notebooks in its entire product line. This reflects well on Advanced Micro Devices, which is working closely with HP in developing new enterprise client devices using Advanced Micro Devices’s newest processors and graphics chips.

Advanced Micro Devices’s involvement with the HP EliteBook has been so close that the EliteBook 725 G3 12 with Advanced Micro Devices’s AMD PRO A12 APU was actually available before the Intel 6th Generation Core version. The EliteBook 725 G3 has three different APUs in different price segments with an AMD PRO A8-8600B, AMD PRO A10-8700B and the A12-8800B, with the AMD A12 being the latest and fastest of the bunch. It features a quad core processor with a maximum core clock speed of 3.4 GHz. The GPU on the A12-8800B APU is a Radeon R7 GPU with 512 GPU shader cores and a GPU core clock of 800 MHz. This powerful APU manages to accomplish all of this with a very small 15W TDP, which allows for good performance and battery life.

HP Inc. and Advanced Micro Devices have worked together to also bring many enterprise features to the EliteBook 725 G3, including the Distributed Management Task Force (DMTF) Desktop and Mobile Architecture for System Hardware (DASH) standards. HP Inc. and Advanced Micro Devices also worked with Qualcomm to deliver the latest 4G LTE modem technology in the EliteBook 700 series of notebooks. AMD also employs a secure environment using ARM’s TrustZone technology coupled with ExactTrak to establish a root of trust at both the hardware and software level to meet enterprise security standards.

For my own use of the HP EliteBook 725 G3, I primarily used it for work purposes. Those included heavy usage of Office 365, Evernote, web browsing and social media. I did a lot of heavy multitasking and connected two large external displays for additional work-space and productivity. After a lot of use with this notebook I really got a good feel for what are the good things about this notebook as well as the things that might need some improvement or things that were missing.

Having a notebook with full enterprise capabilities from HP like MilSpec durability, extensive testing and a 3-year warranty is a nice starting point for this HP EliteBook 725 G3. The notebook is very nice and thin, but not quite as thin as the premium class of really thin and light notebooks. In terms of responsiveness, this notebook was very responsive but not as snappy as some of the most powerful notebooks I’ve used up until this point. It was also nice having a pretty powerful GPU in order to run multiple displays and even do some 3D graphics. It also has a 12.5” touch screen display with a resolution of 1080P, which is enough to do work and productivity tasks and fits well within the price range expectations.

The HP EliteBook 725 G3 also comes with 16GB of RAM and has a fingerprint scanner, even though I would have preferred a fingerprint reader with touch capability instead of swipe. The USB Type-C connector is quite nice as well and very future looking although having Thunderbolt 3 would be even better, but that is an Intel-only platform for now. In terms of additional connectivity, it also has a 2×2 802.11AC Wi-Fi chipset and a real RJ-45 wired Ethernet port. Having a real RJ-45 port on a thin notebook isn’t but HP made it happen. In addition to connectivity I found the back-lit keyboard to also be pretty good in terms of use and experience. I tested the battery life, which seemed decent but I didn’t test it thoroughly enough to provide an accurate amount of battery life.

For managed enterprises there were also some beneficial features of the EliteBook 725 G3. The first and most obvious benefit of the EliteBook 725 G3 was the price which starts at $799. It also has full HP manageability and security including smart card and DASH. It also has a port replicator that allows for more wired peripherals. It also has Skype optimization which is useful considering how many businesses use Skype for teleconferencing nowadays. It also has a spill-proof keyboard which is great for large enterprise deployments to prevent daily users from possibly bricking their device from a spill.

In addition to the things I thought were done well, I thought that there were a few things in this laptop that could have been better. The fan on the laptop would kick in more than I am used to or would like and blew out a lot of hot air. The touchpad experience was a bit challenging with 4 buttons and even a point stick; I would have preferred a simple clickpad or a larger touchpad. In terms of storage capacity, the 128GB may not last long with the photos and videos that I use for business. The VGA port, which I’m sure IT loves, and the single digital graphics port limit the resolutions and the number of displays you can use with this laptop.

The HP EliteBook 725 G3 is an overall well rounded notebook for what it offers and for the price that HP is charging. There are a lot of good performance and connectivity features, especially the built-in modem which provides for some really good mobile experiences for users on the go since using public Wi-Fi is inherently insecure. It’s very important to recognize that HP considers EliteBook the most durable, safe and reliable notebook line and that says a lot. There is still some room for improvement for this notebook, but it is quite clear that HP and Advanced Micro Devices have worked very closely together to deliver lots of manageability and enterprise features in an affordable notebook.

Disclosure: My firm, Moor Insights & Strategy, like all research and analyst firms, provides or provided research, analysis, advising, and/or consulting to many high-tech companies in the industry, including Advanced Micro Devices, HP Inc., Intel, Dell, Lenovo, Qualcomm cited or related to this article or topic. I do not hold any equity positions with any companies cited in this column.

Note: Anshel Sag at Moor Insights & Strategy, contributed to this article.

GCHQ wants ‘closer relationship’ with tech sector

26th February 2017

Robert Hannigan, the director of GCHQ, has called for a rapprochement of the often fraught relationship between national security bodies and the tech sector.

GCHQ director Robert Hannigan: Trade-offs between security and privacy must be made

The head of GCHQ has called for a closer relationship between the intelligence community and the tech sector. Robert Hannigan, the director of the UK signals intelligence body, GCHQ, said as much in a recent speech at the Massachusetts Institute of Technology (MIT).

Hannigan said, “We recognise that we need a new relationship between the tech sector, academia, civil society and government agencies. We should be trying to bridge the divide, sharing ideas and building a constructive dialogue in a less highly-charged atmosphere.”

Citing the achievements of Alan Turing, the man who cracked Enigma, Hannigan mentioned that Turing actually spent more time in the mid-century equivalent of the modern cyber-security industry than he did in the fight against European fascism.

Comments Hannigan had previously made in a Financial Times opinion piece had raised the ire of more than a few within the tech sector. “The comments caused a bigger stir than I expected, to be honest, and were widely seen as an attack on the tech industry,” he conceded.

The authoritarians of state security have traditionally had a chilly relationship with the libertarians of the tech sector. While state bodies tend to put individual privacy behind security concerns, technologists usually do the opposite. The response to the incoming Investigatory Powers Bill or Apple’s recent collision with the FBI over the unlocking of the San Bernardino shooter’s iPhone are just such examples of that fraught interaction.

“In principle, tech firms and GCHQ need to work together. Sadly, there is a conflict between our privacy and the requirement of keeping people safe,” Norman Shaw, CEO and founder of ExactTrak, told SCMagazineUK.com.

He added, “It comes down to robust safeguards. Do we want the security services to prevent terror attacks and catch murderers and child molesters? Of course we do. In that case, we need to work together. It would be nice if the security services could request access to a secure device and, following appropriate oversight, a tech firm could make the secure data available but without giving the security services the ability to have an unlock capability that they could use as and when they feel like it.”

Hannigan also used his speech to take on what he believes to be some of the mischaracterisations of the government’s desires, embodied in the incoming Investigatory Powers Bill, when it comes to encryption and privacy.

Hannigan was “puzzled by the caricatures in the current debates where almost every attempt to tackle the misuse of encryption by criminals and terrorists is seen as a ‘backdoor’. It is an overused metaphor, or at least misapplied in many cases, and I think it illustrates the confusion of the ethical debate in what is a highly charged and technically complex area.”

Michael Hack, senior vice president of EMEA operations at Ipswitch, told SC that one company accepting the embrace of state security could mean problems for the rest. “Data encryption is only secure if there are no weak links. No matter how noble a cause, any technology company that provides a back door to its encrypted technology creates a weak link.”

While this could, said Hack, “speed up investigations of high profile crimes it would come at a significantly high cost to millions of law-abiding citizens. A weak link would very quickly become a target for hackers and cyber-criminals; we know from experience that there are plenty out there who would be keen to find a key of their own just for the hell of it.

“However, there is also a whole wealth of people with dark motives waiting to kick in any backdoor they can. Despite GCHQ’s best intentions and efforts, opening up encryption technologies would mean personal data such as bank accounts, health records and even details of frequently visited locations could be readily up for grabs.”

Not only did Hannigan call for a closer relationship but was also keen to point out that the relationship is often warmer than it might seem from the outside: “Government agencies do not have the answer here. The solutions lie with those who run the internet: that wonderful collaboration of industry, academia, civil society, governments and, above all, the public. The perception that there is nothing but conflict between governments and the tech industry is a caricature; in reality companies are routinely providing help within the law and I want to acknowledge that today.”

Antony Walker, deputy CEO of techUK, was more trusting of Hannigan’s sentiment. “We welcome Robert Hannigan’s commitment to constructive dialogue with the tech industry. The solutions lie in government, academia and industry working together.”

He added, “These are hugely complex issues. This speech makes it very clear that there are no easy answers. It is a realistic assessment of the trade-offs that need to be made to secure our digital world. The Investigatory Powers Bill gives us the opportunity to create the best possible legal framework. To be successful, it must reflect the trade-offs that need to be made. We have to be constantly wary of the long term implications of our actions. We must not jeopardise our long term security.”

Over ¼ UK CIOs ‘not concerned’ about breaches

26th February 2017

A report by the relaunched Carbon Black has shown that 28 percent of UK CIOs are unconcerned with being breached.

CIOs clearly haven’t been listening to the near constant warnings from IT security professionals

CIOs have apparently not been getting the message, according to a new report from Carbon Black. Among the more shocking of the report’s findings are that 28 percent of CIOs are ‘not concerned’ about breaches.

The report, which surveyed 200 CIOs at a range of companies with more than 1000 employees, was commissioned by Carbon Black, formerly known by the clunkier moniker of Bit9 + Carbon Black.

“The situation is not good,” said Ben Johnson, former computer scientist at the NSA and co-founder of Carbon Black, as he presented the report’s findings to the press.

The industry cliche that “there are those who’ve been breached and those who don’t know they’ve been breached,” has clearly not settled with the UK’s CIOs. Nor, it appears, have they taken notice of the stats.

The numbers vary on how long it takes to detect a breach. Research from Trustwave released last year said that it takes, on average, 188 days to discover a breach. FireEye reported in 2013 that the average time was 229 days. Research from the Ponemon Institute put that number at 258 days, and then another 100 days at least to fully remediate the threat.

Nobody told the UK’s CIOs apparently. Twenty-six percent believed that they would be able to uncover a breach in less than two weeks, while 33 percent believed they could uncover a breach in less than three months. Only a handful, 14 percent, believed that it would take up to six months to discover a breach.

Still, over half believed that were a breach to happen to them, they would discover what systems and data had been affected in less than 24 hours.

The problem may lie, according to Johnson, in the fact that most companies continue to be reactive, as opposed to proactive when tackling cyber threats. He said, “Most companies do not try to figure out how the problem started. So that door that the bad guys walked through? It’s still open.”

Nearly all of those surveyed use firewalls and anti-virus software and 62 percent use encryption. But fewer than half used advanced endpoint protection, leaving many in the dark about who or what is aimed at their organisation.

In some cases, these companies may feel they’ve done enough, said Johnson. Often, companies will write a big cheque, get a massive security system and sit behind those walls with a false sense that they’re strong enough to keep anything out. They don’t stop to think about who is digging under those walls.

Johnson told SCMagazineUK.com, “It is likely that some of those who aren’t concerned simply think they are not yet a target, and what is more likely is that they feel like they have adequate protection in place, something that is woefully untrue.  We know that everyone is a target and pretty much no organisation has the cyber resiliency to achieve anywhere near 100 percent effective defence.”

With the constantly morphing nature of threats and a massively broadening attack surface for assailants, this is no longer enough.

Johnson told SC that there are two things keeping CIOs from being proactive. First, proactivity “requires changing their posture, their processes and most likely their budget”.

Second is that CIOs and CISOs often don’t understand how to be proactive about IT security. “It’s a case of, ‘Oh, you’ve always had a firewall and a SIEM and a team that just looks at whatever issues surface, so why change it?’ It’s the status quo combined with not enough progressive leadership that works against more effective cyber-defence change.”

Norman Shaw, CEO and founder of ExactTrak, told SC, “For any CIO not to be concerned about data breaches is just plain negligent. They are putting their heads in the sand and nothing good ever comes of that.”

This kind of negligence will soon be addressed as a matter of law, too, added Shaw: “They have a legal responsibility to fully protect data and neither AV nor firewalls are data protection. Customers also have a right to expect that their information is protected at all points and at all times.

“Under the new EU GDPR legislation, if the CIO is a main board director they can be personally fined. And if data protection is in their objectives or job description then they need to be dismissed. Ignoring potential threats is negligent and needs a P45 to sharpen their minds.”

Update: eBay ‘cesspit’ has ‘no plans’ to fix severe vulnerability

26th February 2017

Though a large vulnerability was discovered in eBay’s global sales platform, the company has ‘no plans’ to fix the active code exploit.

The global bidding giant was deaf to this particular disclosure

eBay will apparently not be fixing a ‘severe vulnerability’ on the company’s global sales platform. Check Point Software’s research team apparently disclosed details of just such a vulnerability in mid-December last year.

But, according to Check Point, on 16 January eBay stated in a private communication to the company that it had no plans to fix the vulnerability. Scams have been known to take place on eBay; in fact it seems reasonable for a platform so large to miss a few things occasionally. This particular vulnerability, though not yet seen exploited in the wild, is particularly large, and Check Point’s proof of concept, according to the company, works.

This ‘severe vulnerability’ allows the bypass of the global bidding platform’s code validation, from which point any wilful attacker can manipulate the vulnerable code remotely and release malicious JavaScript code on users. If the vulnerability is left unpatched, Check Point told press in a statement, “eBay’s customers will continue to be exposed to potential phishing attacks and data theft.”

When an attacker sets up an eBay shop he or she can add a listings page which may be laden with malicious code. With a simple pop-up message on the store, advertising an eBay mobile app discount, any passing prey can be lured into downloading a malicious app. From there, an array of the usual suspects can be unleashed onto the infected machine; anything from phishing to downloading malware, according to Check Point.

The company’s Magento e-commerce platform was assaulted by hackers in June last year and, the year before that, an XSS vulnerability was exposed by the BBC in 2014.

It was Check Point researcher Roman Zalkin who made the above video and discovered the vulnerability as part of an ongoing investigation into flaws and vulnerabilities, using a technique colourfully monikered “JSF**K”. While eBay doesn’t let users put in scripts or iFrames, JSF**K allows the dogged hacker to insert additional, remotely controllable JavaScript from their own server that, according to Check Point’s statement, they “can use to create multiple payloads for a different user agent”.

This was disclosed late last year, closely followed by a proof of concept and a rundown of the details, but in a private communication between Check Point and eBay on 16 January the online auctioneering giant declared that it would not be fixing the vulnerability, as it allows ‘active content’.

Active content is software code that automatically performs an action, say, opening a pop-up. This is the tool that the vulnerability seems to hinge on. A spokesperson from Check Point spoke to SCMagazineUK.com, saying that though eBay’s policies allow certain active code and “should be able to automatically prevent malicious parties from uploading malicious code to eBay store pages,” this exploit “allows the hacker to get around eBay’s policy and upload malicious code.”
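The defender’s side of the problem described above, as an added example that is not from the article, Check Point or eBay: a listing-content check that only rejects explicit script and iframe tags is contrasted with an extra heuristic that flags content dominated by the six symbol characters JSF**K-style encodings are built from. The function names, thresholds and sample listings are all constructed for this example.

```javascript
// Added example (not code from the article, Check Point or eBay).
// The six characters a JSF**K-style encoding consists of.
const JSFUCK_CHARS = new Set(['[', ']', '(', ')', '!', '+']);

// Naive policy, modelled on "no scripts or iFrames": reject only explicit tags.
function naiveBlocklistAllows(html) {
  return !/<\s*(script|iframe)\b/i.test(html);
}

// Heuristic statistics over the non-whitespace characters of the content:
// the longest unbroken run of JSF**K characters and their overall share.
function jsfuckStats(text) {
  let longest = 0, run = 0, count = 0, total = 0;
  for (const ch of text) {
    if (/\s/.test(ch)) continue;
    total++;
    if (JSFUCK_CHARS.has(ch)) {
      count++;
      run++;
      if (run > longest) longest = run;
    } else {
      run = 0;
    }
  }
  return { longestRun: longest, ratio: total ? count / total : 0 };
}

// Thresholds are assumptions chosen for this example; tune them on real traffic.
function looksLikeJsfuck(text, minRun = 40, minRatio = 0.5) {
  const s = jsfuckStats(text);
  return s.longestRun >= minRun || s.ratio >= minRatio;
}

// Review pipeline: the tag blocklist first, then the symbol-density heuristic.
function reviewListing(html) {
  if (!naiveBlocklistAllows(html)) return 'rejected: explicit script/iframe tag';
  if (looksLikeJsfuck(html)) return 'flagged: suspicious symbol-only payload';
  return 'allowed';
}

// Constructed sample listings (not real eBay pages). The third carries a
// meaningless 72-character run of JSF**K symbols in a harmless data attribute,
// enough to show that the tag blocklist alone lets symbol-only content through.
const BENIGN = '<div class="listing"><h1>Vintage camera</h1><p>Works great! (see photos)</p></div>';
const OBVIOUS = '<div><script>alert(1)</script></div>';
const ENCODED = '<div data-x="' + '[]()!+'.repeat(12) + '">Special offer</div>';

for (const sample of [BENIGN, OBVIOUS, ENCODED]) {
  console.log(reviewListing(sample));
}
```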

Check Point apparently can’t comment on the company’s decision not to address this vulnerability but is, “publishing the details of its findings with the aim of eBay addressing the issue.”

Such a cool response has in turn elicited an icy one from around the industry. Norman Shaw, CEO and founder of ExactTrak, a specialist mobile security company, put it plainly to SC. “eBay is clearly wrong not to provide a fix”, said Shaw, “it is being cavalier with customers’ information that can be hijacked and used for illegal purposes or even terrorism.”

“This is a classic example where the senior executives need to be held accountable and dealt with accordingly. They fall foul of the requirement to provide a robust customer data protection infrastructure, in addition to watching what happens to the executives,” Shaw told SC.

Shaw believes that perhaps the best way to bring the company to heel, “is for the payments company it is using to suspend its ability to take money. This would mean that until there is a verifiable fix, customers will not be able to put their details into the eBay cesspit.”

SC spoke to an eBay spokesperson from the company who commented that at eBay “we’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”

Cops aim to enlist volunteers in fight against cyber-crime

26th February 2017

The Home Secretary has announced her plans to grant police forces powers to recruit expert volunteers with policing powers to help fight crime online.

Theresa May: looking for cyber-security professionals to work for free

The home secretary Theresa May has announced she wants to invite volunteers to help the police combat cyber-crime in the UK.

May announced earlier this week that as part of the new Policing and Crime Bill, police forces around the country will be allowed to recruit expert volunteers with special skills and grant them powers normally only afforded to regular police officers.

The UK’s police already employ around 16,000 volunteers, called special constables, who are trained in the same way and granted the same powers as sworn officers.

The volunteers that May is proposing, however, will assume a more specialised role. As part of the Policing and Crime Bill, the Home Office is calling for specialists in IT and accountancy to help with investigations.

The home secretary announced that while “we value the essential role they play”, police officers “cannot do this on their own”. To that end, said May, “We want to help forces to create a more flexible workforce, bring in new skills and free up officers’ time to focus on the jobs only they can carry out.”

The National Police Chiefs’ Council lead for citizens in policing, chief constable Davey Jones, echoed the home secretary’s remark, saying, “The new approach to designating police powers will help the police service be more flexible when it comes to attracting and deploying volunteers with valuable skills, especially in situations where the full powers of a constable are not necessary.”

Dave Prentis, general secretary of the public sector union UNISON, gave a statement to press saying, “Police staff will be pleased that they are to get new responsibilities and powers that will stand them in better stead when it comes to fighting crime in our towns and cities.”

However, the same does not go for volunteers who, according to Prentis, “cannot be deployed to tackle serious crime in the middle of the night, and they are free to absent themselves from the workplace at any time, because they have no contract of employment. This makes volunteers totally unsuitable for police forces that need to know they can turn out staff in an emergency.”

What kind of volunteers police forces will accept is not yet clear. Law enforcement across the Atlantic has typically been saddled with the burden of not being able to hire those with a criminal record, who unfortunately happen to be some of the big talent in the world of IT professionals.

Recently FBI director James Comey told the Wall Street Journal that “I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview”, which unfortunately prevents them from working for the FBI. UK law enforcement has similar regulations, stating that no one with a criminal record can work for a policing body.

This volunteering drive may be a handy way around that problem. A Home Office spokesperson told SC that “there will be a vetting process, but it will be down to chief constables in a local forum” to decide who will be allowed to volunteer.

The importance of cyber-security was thrown into sharp relief in the minds of the public just as police cuts were expected to come into place. The Talk Talk, VTech and Wetherspoons breaches which exposed the personal data of millions of people all came right around the expected cuts in police budgets in the Chancellor’s Autumn statement.

While the Chancellor did not do what was widely expected, and froze police budgets instead, this may still mean that fighting crime on the new frontier of cyber-space gets harder and harder.

Despite the freeze, police numbers have been in long term decline. Since March 2010, national police numbers have dropped by 17,000, with support staff taking an even larger hit, losing close to 20,000 staff and community support officers.

What is more, though crime has been in broad decline, the recent inclusion of cyber-crime and computer-enabled crime such as fraud in national statistics has shown that cyber-crime is the most common kind of crime in the UK, nearly outmatching the numbers for traditional crime.

Is this drive for volunteers an attempt to bridge the gulf between the increasingly large problem of cyber-crime and the shrinking resources to fix that problem?

Prentis certainly thinks so: “Having cut police budgets relentlessly, the government is clearly pinning its hopes on a volunteer army to plug the huge gap left by the loss of so many dedicated and skilled police staff. Ministers are making a big mistake.”

Norman Shaw, CEO and founder of ExactTrak, had typically frank words for the scheme: “Getting volunteers to work on cyber-crime rather than investing in full time talent to deal with this very real crime is wrong and a step backwards both in terms of sending out the message that cyber-crime is a real and serious thing and that the police are in a position to combat it. I can almost see the hackers at their computers, typing, ‘ooh they’re getting volunteers to hunt me down, I’m so scared!’”

Shaw added, “Giving volunteers extra powers seems like a short-sighted answer and not a very good one at that. Real police officers need to be recruited and trained up in specialist divisions to deal with cyber crime.”

Thomas Fischer, principal threat researcher at Digital Guardian, had a critique of a different nature. While the announcement was welcome, it seems to assume that these crime-fighting volunteers exist: “The announcement implies there are large quantities of trained infosec personnel out there that are willing and able to help for free, which simply isn’t the case.”

If the cyber-security industry has trouble finding highly skilled individuals for lucrative positions, then the police won’t have much luck getting the people to do the same jobs for free: “For many years the infosecurity industry has faced a recruitment drought. As a result, individuals that do meet the required training standards are highly sought after assets, likely to be in well-paid positions, with very little time to do volunteer work on the side.”

Cyber-attack among World Economic Forum’s top global risks

26th February 2017

The World Economic Forum (WEF) has listed cyber-security as one of the greatest threats to business around the world. In the Global Risks Report, the annual study of what the WEF fears and what the forum feels the world should fear, cyber-security has made its third appearance.

The category finds itself ranked fairly high, above food crises, interstate conflict, terrorist attacks and the spread of infectious diseases, but below climate change, fiscal crises and mass migration.

In 140 economies, the report notes, cyber-attacks rank in the top ten threats. The United States is considered to have the most to be concerned about given the effects cyber-threats can have on the economy.

Economies increasingly reliant on connected technologies, like Asia and Europe, are predictably worried as well. It’s a concern that will only grow with those connections, the report notes: “As the Internet of Things leads to more connections between people and machines, cyber dependency – considered by survey respondents as the third most important global trend – will increase, raising the odds of a cyber-attack with potential cascading effects across the cyber ecosystem.”

As cyber-dependence rises, the report adds, “the resulting interconnectivity and interdependence can diminish the ability of organisations to fully protect their entire enterprise.”

There are two particular areas of concern, the report says, that organisations often overlook: mobile internet and machine-to-machine connections. The report says it is vital “to integrate physical and cyber management, strengthen resilience leadership and organisational and business processes, and leverage supporting technologies”.

While the report clearly names cyber-security as one of the main threats to economic stability going into 2016, worry has diminished since the category was first introduced into the annual report in 2012. Back then, cyber-security came fourth in the top five global threats in terms of likelihood; it disappeared from the ranking in 2013, came back in fifth place in 2014 and has not ranked in the top five most likely global threats since.

This high estimation of cyber-threats, the report notes, may be down to the fact that large data breaches are finally creeping across newspaper headlines and into the public imagination, making the danger feel more present than it otherwise would. In fact, considering that the Global Risks Report is compiled from survey responses, this particular report is as much a catalogue of global fears as it is of actual global risks.

Norman Shaw, CEO and founder of ExactTrak, told SCMagazineUK.com, “This is a really positive thing actually, because there are still some enterprises, and some employees within those enterprises, who don’t take data protection and cyber-security seriously, despite the mass media reporting on it almost daily.”

For example, said Shaw, “Employees can also use the same passwords for work as they do for everything else, including their personal devices and accounts which are often not subject to much security, making it easy for hackers to find a way into the corporate data.”

He added: “More awareness of how serious the problem of cyber-security is can only be a good thing.”

Tim Grieveson, Hewlett Packard Enterprise’s chief cyber strategist, enterprise security products, said: “Businesses need to understand that it’s not a matter of whether they will be breached, but a matter of when. As such, security professionals need to start thinking like an adversary to identify what data is most likely to be targeted and what tools are most likely to be used. Make the assumption you’re going to be breached or have been but don’t know about it yet, and look at how you can disrupt and manage the breach when it inevitably occurs.”

‘Key member’ of DD4BC arrested in international crackdown

26th February 2017

The cyber-extortionist gang DD4BC has reportedly suffered a blow as one of the group’s key members was arrested and another detained this week in a crackdown which has brought together law enforcement agencies from around the world.

One arrested and one detained in DD4BC investigation

International police say they are closing in on suspects believed to be behind cyber-crime rascals DD4BC. One ‘main target’ of the cyber-gang has been arrested with another kept in detention in a global campaign to take down the group.

Police working under Operation Pleiades, named for the seven sisters of Greek myth, busted in on the suspects earlier this week. According to Europol, this particular taskforce, initiated by Austria, was supported by law enforcement agencies from all over the world including Japan, France, Australia, Romania, Switzerland and the USA.

Alleged top members of DD4BC were identified by the UK’s Metropolitan Police Cyber Crime Unit as living in Bosnia Herzegovina.

First emerging towards the end of 2014, DD4BC quickly locked itself into the world’s cyber-rogue galleries by targeting organisations large and small, including banks, companies, online gambling groups and financial institutions, attempting to extort large sums.

The pesky group pioneered a particular modus operandi: find a target, hit it with a DDoS attack and threaten to escalate those attacks, not relenting until the victim pays up.

The group demanded payment in Bitcoin. The crypto-currency is often described as untraceable, but it is better described as pseudonymous: every transaction is recorded on a public ledger, while the addresses involved are not tied to a named person, which is what makes payments hard to attribute. This modus operandi was the basis for the DD4BC name, which stands for ‘DDoS for Bitcoin’.

DD4BC was noted for being able to carry out these attacks on a considerable scale. It boasted it could organise DDoS attacks as high as 500 Gbps but the highest recorded examples of DD4BC’s flood power ran to around 60 Gbps.

It is not easy to tell how much money DD4BC made. According to a Europol spokesperson who spoke to SCMagazineUK.com, “The fact that many of these incidents are unreported by companies and individuals poses particular difficulties to provide estimations on the financial losses incurred by the targets of these campaigns.”

One particular ransom email, found by Heimdal Security, struck the calm, reasonable tone of Hans Gruber taking the staff of Nakatomi plaza hostage in the classic Bruce Willis film, “Die Hard”.

The note read: “All your servers are going under attack unless you pay 40 Bitcoin. Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps. Right now we are running small demonstrative attack on 1 of your IPs. Don’t worry, it will not be hard, since we do not want to crash your server at this moment, and will stop in 60 minutes. It’s just to prove that we are serious.”

At this point DD4BC would give the victim 24 hours to respond: “But if you ignore us, and don’t pay within 24 hours, long term attack will start, price to stop will go to 100 BTC and will keep increasing for every hour of attack.”

And it included this cocky warning about reporting the incident to the police: “If you think about reporting us to authorities, feel free to try. But it will not help. We are not amateurs. The best thing that can happen, they will go publicly about it. We will, again, get some free publicity. But for you, price will go up.”
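The note’s own description of the attack, a “small demonstrative attack on 1 of your IPs” that stops after 60 minutes, is the defender’s earliest signal. The following Python is an added example, not code from the article or from any vendor quoted in it. It shows the kind of check a flow collector can run to flag such a demonstration: it buckets UDP bytes per destination per minute, takes the first few quiet minutes as a baseline, and raises an alert when a later minute exceeds both an absolute floor and a multiple of that baseline. The flow records, the baseline window, the ratio and the floor are all constructed assumptions for the example; real thresholds come from the network’s own traffic profile.

```python
"""Flag a DD4BC-style UDP flood 'demonstration' in flow records.

Added example, not from the article.  The records, baseline window, ratio and
floor are constructed assumptions; tune them to your own traffic profile.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export from a flow collector: "timestamp proto dst_ip bytes".
# 203.0.113.10 sees ordinary traffic for three minutes, then a burst of UDP
# from 10:03 onwards; 203.0.113.11 stays quiet throughout.
SAMPLE_FLOWS = """\
2016-01-12T10:00:05Z UDP 203.0.113.10 1200
2016-01-12T10:00:20Z TCP 203.0.113.10 9000
2016-01-12T10:00:40Z UDP 203.0.113.11 800
2016-01-12T10:01:10Z UDP 203.0.113.10 1500
2016-01-12T10:01:30Z UDP 203.0.113.11 700
2016-01-12T10:02:15Z UDP 203.0.113.10 1300
2016-01-12T10:02:50Z TCP 203.0.113.11 4000
2016-01-12T10:03:05Z UDP 203.0.113.10 90000000
2016-01-12T10:03:10Z UDP 203.0.113.10 95000000
2016-01-12T10:03:40Z UDP 203.0.113.11 900
2016-01-12T10:04:02Z UDP 203.0.113.10 98000000
2016-01-12T10:04:30Z UDP 203.0.113.11 600
"""


def parse_flows(text):
    """Parse 'timestamp proto dst_ip bytes' lines into tuples; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, dst, nbytes = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proto.upper(), dst, int(nbytes)))
    return records


def udp_bytes_per_minute(records):
    """Sum UDP bytes per destination IP per one-minute bucket."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, proto, dst, nbytes in records:
        if proto != "UDP":
            continue
        minute = ts.replace(second=0, microsecond=0)
        buckets[dst][minute] += nbytes
    return buckets


def bucket_gbps(nbytes):
    """Average throughput of a one-minute bucket in Gbit/s, for comparison with claims like '400-500 Gbps'."""
    return nbytes * 8 / 60 / 1e9


def detect_udp_floods(records, baseline_minutes=3, ratio=50, floor_bytes=10_000_000):
    """Return [(dst_ip, minute_iso, bytes)] for minutes that exceed both the
    absolute floor and ratio x the mean of the first `baseline_minutes` buckets.

    The floor stops a quiet host's tiny baseline from turning ordinary traffic
    into an alert; the ratio stops a busy host's normal volume from doing so.
    """
    alerts = []
    for dst, series in udp_bytes_per_minute(records).items():
        minutes = sorted(series)
        if len(minutes) <= baseline_minutes:
            continue  # not enough history to judge
        baseline = sum(series[m] for m in minutes[:baseline_minutes]) / baseline_minutes
        for m in minutes[baseline_minutes:]:
            vol = series[m]
            if vol >= floor_bytes and vol >= ratio * max(baseline, 1):
                alerts.append((dst, m.isoformat(), vol))
    return alerts


if __name__ == "__main__":
    for dst, minute, vol in detect_udp_floods(parse_flows(SAMPLE_FLOWS)):
        print(f"UDP flood towards {dst} at {minute}: {vol} bytes (~{bucket_gbps(vol):.3f} Gbps)")
```

A hit here is the cue to start the incident process rather than the payment: preserve the flow data and the ransom email as evidence, engage the upstream provider or scrubbing service, and report, since the note itself says the price only rises. The baseline in this example is simply the first three buckets that carry traffic, which is fine for a demonstration but would be wrong if the burst arrived first; in production the baseline should come from a longer history, and the check should also look at source ports (amplification floods arrive from ports such as 53 or 123), which these constructed records do not carry.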

Perhaps predictably, the industry has responded to these arrests with loud applause. Norman Shaw, CEO and founder of ExactTrak, said: “These arrests should make it clear to both hackers and society more generally that cyber-crime is a very real crime and will be prosecuted as such. Meanwhile, enterprises can take heart in the fact that law enforcement has both the skills and the will to fight this crime alongside them.”

A 2015 report by cyber-security company Verisign claimed that not only were groups like DD4BC pioneers of the DDoS extortion tactic but had inspired other ill-intentioned miscreants to adopt a similar strategy in attempting to bleed cash from their victims. So will these arrests, significant though they are, have a ripple effect on cyber-crime in the wider world?

Brian Chappell, director of technical services at Beyond Trust, told SC, “Police actions such as this have the potential to make a difference but I believe that it’s going to take more instances before the perpetrators of DDoS extortion feel there is a real threat. The risk of being caught always hangs over such activity but it’s obviously considered a low risk.”

“That said, do we think the criminals will abandon crime altogether? I doubt it, they will probably refocus their efforts on other activities that are harder to trace. Direct intrusion and data theft are likely targets but as long as we make sure we have the basics covered then we won’t be easy targets in that arena either.”

A spokesperson from Europol admitted that this is not a killing blow to the extortion racket: “All the operations, arrests and house searches performed are new sources of information and they could entail new developments in the criminal cases investigated by the law enforcement agencies”.

This case is not “fully closed until all the information from the operation has been properly analysed”.

It will be some time before we can write, “RIP: DD4BC”.


Prosecution for breach-deniers says Liam Fox MP

26th February 2017

“We live in a new world”, said former Secretary of State for Defence, Dr Liam Fox MP. He addressed the Royal United Services Institute (RUSI) yesterday afternoon, drawing for his audience a sketch of a world profoundly transformed by the very existence of cyber-threats and perhaps, some weapons with which to fight what he called “The War of the Invisible Enemy.”

Lectures by current and former cabinet members on the importance of cyber-security are not uncommon these days, and Dr Fox rehearsed many of the well-worn facts of today’s threat landscape, but the Conservative MP for North Somerset made one particularly striking comment during his address to RUSI: specifically, that businesses which don’t confess to breaches should be prosecuted.

Winding down his speech, the MP noted that “denial of cyber-intrusion is too often the response of companies worried about their reputation. This encourages the entirely wrong culture.” That is why, said Fox, “I believe the government needs to change the law to make it illegal to be hacked without informing shareholders and other stakeholders.”

Under the EU’s recently passed Network and Information Security Directive, companies can already be punished for not reporting their breaches.

While Dr Fox seems to have a profound distaste for the European Union, this appears to be one thing he may want to keep if the upcoming referendum on EU membership turns out in his favour later this year. The MP stated his plain opposition to EU membership at the end of last year on his personal website: “Britain’s laws should be made by those who are accountable to the British people, and by no others. It is time for us to recover our birthright.”

Aside from his former position as Secretary of State for Defence and his avowed Euroscepticism, Fox is known for being the victim of a burglary in which his laptop and mobile phone were stolen from his London flat, leading to fears of a data breach.

Dr Fox also proposed, considering cyber-criminals will invariably look for the weakest link in an organisation chain to penetrate, that any organisation doing business with the government meet the tenets of the Westminster-sponsored Cyber Essentials programme, which stipulates a number of basic precautions for all organisations to take in addressing their own cyber-security.

Finally, Fox put forward a restructuring of the way the UK government handles cyber-security. “I believe,” said Fox, “that the current structure of Whitehall and the way that our cyber-security is arranged is outdated, too complex and is an inefficient way of using taxpayers money.” Fox wants to see, “all government cyber-activity, including both its offensive and defensive capabilities, concentrated in one place and answerable to a single ministerial portfolio.”

The speech was met with broad approval by the industry, salad of conventional wisdom that it was. Pat Clawson, CEO of the Blancco Technology Group, a data security company, told SCMagazineUK.com that he agreed with much of Fox’s speech and that, “Traditionally, when companies thought about data privacy, it was less about being safe and more about ticking the compliance box off their checklists.” This kind of attitude will not be possible for much longer, with proposals like Fox’s being treated with more and more credibility. That is not a bad thing either, said Clawson: “The number of companies affected by cyber-crime is staggering so companies really need to be transparent and communicate regularly with consumers about what they are doing to protect their users’ data.”

“Whether you think Dr Fox’s comments are inflammatory or not is beside the point,” Norman Shaw, CEO and founder of ExactTrak, plainly told SC. This is the new normal: “Companies need to get ahead of the ever-increasing data breach problem and sticking their heads in the sand to hide a breach isn’t a security strategy.” While ultimatums are not an ideal way to get anyone to do anything, said Shaw, “at this point, regulation is absolutely what is needed and I welcome the new EU regulations. The ICO has tried to enforce data protection in this country but it doesn’t seem to have stymied the progress of hackers or the cases of human error – hopefully with the new EU laws, it will have more power to force companies to act responsibly.”

Technical director for Alert Logic, Richard Cassidy, was not quite as welcoming of Fox’s comments: “Prosecution is not the answer to developing an effective working forum between businesses and government in the interests of improving security awareness and augmentation of existing practices to prevent exploits.”

That coercive instrument need not be there if only industry had a “closer working relationship with key government intelligence agencies that they turn to should they fear the worst”. This, Cassidy told SC, will promote an environment where companies are forthcoming with their threat data: “The last thing we need is organisations sitting on key threat data that could be used by our national agencies to the benefit of other businesses, because they fear prosecution and will want to spend a far greater degree of time in assuring, before announcing.”

Meanwhile, Jens Puhle, UK managing director for 8MAN, an access rights management specialist, thinks that “it may make a difference but it’s unlikely. When something like this happens, I think the first step will always be trying to brush it under the carpet. One has to bear in mind that by not reporting it, if it doesn’t come to light the particular company will not face a massive devaluation by the public / shareholder.”

Why hardware-based security will always trump software

26th February 2017

Opinion: Norman Shaw, Founder and CEO of ExactTrak, on the perfect storm of data breaches and how hardware security is the future.

Security has become a mainstream topic. With reams of negative media coverage surrounding data breaches, it’s on everyone’s radar. For the enterprise, policies and practices such as BYOD, IoT, and remote working amplify security as a concern while the fines associated with a breach have escalated it to a Boardroom issue.

Protecting against data breaches has become a priority but organisations must start looking to hardware-based solutions.

The year of the data breach
Huge cyber security breaches at Ashley Madison and TalkTalk brought global media coverage of the problem and how it affects consumers. But the problem isn’t just cyber attacks, as evidenced by the human error breaches at the Dean Street Clinic, Thomson, and the various local authorities that were repeat offenders according to the Big Brother Watch report.

In what could easily be described as the year of the data breach, what was noticeably absent was the debate about how to stop these attacks and what methods would be best for different circumstances.

BYOD, remote working and IoT
Increasing consumer expectation to access information anywhere, anytime has overflowed into the workplace with employees now expecting their employers to have a Bring Your Own Device (BYOD) policy.

This, combined with the proliferation of the Internet of Things (IoT) and remote working has created the perfect storm for the IT department. Security is now one of the highest priorities but most organisations are running to keep up rather than getting ahead of the problem.

The problems with software encryption
Software encryption has traditionally been the most popular security solution because updates can be done remotely by the IT department. It’s always been perceived as cheaper than hardware but that’s not necessarily true as it often means numerous annually payable license fees.

Software encryption can also be complicated, or perceived as slowing down the device, which often leads users to find a way to disable it. Solutions that require passwords are also problematic for the IT department: users choose easy-to-remember passwords, write them down in an easy-to-find place, share them with colleagues and family, or simply reuse the ones they use for everything else, including personal devices and accounts that are often subject to little or no security. That makes it easy for an attacker to find a way into the corporate data secured by software encryption. There is also the issue that software encryption is only ever as good as the security of the hardware or OS it runs on: a compromised operating system can capture the passphrase, or simply read the data once the software has decrypted it.

The benefits of hardware-based security
Hardware-based security, contained on the device itself, means that authentication is completed before the operating system even boots (pre-boot authentication), so the data and the keys protecting it are never exposed to an operating system that may already be compromised. This makes it especially hard for attackers to penetrate the device.

Previously, hardware-based security was designed as closed systems whereby no code or know-how was shared, so it was hard to verify or audit the solution. Now ARM’s TrustZone technology is bringing hardware-based security into the future by providing a programmable, hardware-isolated execution environment on which organisations can develop a broad security ecosystem. TrustZone itself is a feature of the processor rather than software, but the trusted firmware and trusted operating systems that run inside it (OP-TEE, for example) are published as open source, so the stack can be inspected and audited rather than taken on trust.

TrustZone essentially partitions a single chip into two zones: a “normal world”, which runs the main operating system and applications, and a “secure world” reserved for trusted code, with memory and peripherals that the normal world cannot reach. Organisations define which security-related requests (key storage, authentication, payment operations and the like) cross into the secure world, so only trusted code ever handles them, even if the main operating system has been compromised. This reduces the potential attack surface, while the programmable aspect of the technology allows organisations to create security services within the secure world to address their individual threats. The caveat a practitioner should keep in mind is that the trusted code becomes the highest-value target on the device, so it must be kept as small as possible and reviewed with care.

It’s not all about hacking
Cyber security and hacking are much reported on, but human error remains the number one cause of data breaches. Hardware-based security solutions exist that take control away from the user and keep it under the strict purview of the IT department, which can remotely control whether the user can see the data on the device and track the files that are added to, deleted from or printed from it.

Devices such as USB drives and laptops can also contain geo-location capability that helps in locating a lost device and provides a verifiable audit trail. Hardware-based security on devices like this can also allow the IT department to delete the data held on them remotely if they are lost or stolen – an incredibly useful tool when the horse has bolted.

Sadly, the remote data-delete option on many mobile devices only works about 50% of the time, owing to a variety of factors (the device may be offline, powered down or stripped of its SIM by the time the command is sent). Of course, many organisations will say it’s okay if a device is lost because it was encrypted, but the problem with this argument is that it simply cannot be proved without recovering the device.
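The two problems in the paragraphs above, an audit trail that has to be “verifiable” and an encryption claim that “cannot be proved without recovering the device”, have the same answer: the device should report its state in a record that the IT department can later check for authenticity and completeness. The following Python is an added example, not ExactTrak’s code or any product’s format. Each event a managed device emits (file added, deleted or printed, location fix, encryption state, wipe issued) is hash-chained to the previous one and tagged with an HMAC under a per-device key, so the server can verify that nothing was altered or dropped and can read off the last encryption state the device attested before it went missing. The key, the event fields and the sample events are assumptions constructed for the example; a real device would hold the key in hardware rather than in a module constant.

```python
"""Tamper-evident device event trail (added example, not ExactTrak's code).

Each event is chained to the previous entry's hash and tagged with an HMAC
under a per-device key.  The key, the event schema and SAMPLE_EVENTS are
constructed assumptions for this example; a real device keeps its key in
hardware and the server keeps its copy in an HSM or equivalent.
"""
import hashlib
import hmac
import json

DEVICE_KEY = b"per-device-key-provisioned-at-enrolment"  # assumed; never a constant in production
GENESIS = "0" * 64  # prev-hash of the first entry

# Constructed sample events from one managed USB drive over a day.
SAMPLE_EVENTS = [
    {"seq": 1, "ts": "2016-01-20T08:00:00Z", "type": "encryption_state", "enabled": True},
    {"seq": 2, "ts": "2016-01-20T09:12:00Z", "type": "file_added", "name": "q4-forecast.xlsx"},
    {"seq": 3, "ts": "2016-01-20T09:40:00Z", "type": "file_printed", "name": "q4-forecast.xlsx"},
    {"seq": 4, "ts": "2016-01-20T17:55:00Z", "type": "location_fix", "lat": 51.50, "lon": -0.12},
    {"seq": 5, "ts": "2016-01-20T18:30:00Z", "type": "remote_wipe_issued"},
]


def _entry_hash(prev_hash, event):
    """SHA-256 over the previous hash and the canonical JSON of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(chain, event, key=DEVICE_KEY):
    """Device side: link the event to the chain head and authenticate it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    h = _entry_hash(prev_hash, event)
    tag = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
    entry = {"event": event, "prev": prev_hash, "hash": h, "tag": tag}
    chain.append(entry)
    return entry


def verify_chain(chain, key=DEVICE_KEY):
    """Server side: return (True, None) if every link and tag checks out,
    otherwise (False, index) of the first entry that fails.  A removed entry
    shows up as a broken 'prev' link at the entry that followed it."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i
        if _entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        expected = hmac.new(key, entry["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["hash"]
    return True, None


def last_attested_encryption_state(chain):
    """The encryption state the device last reported, or None if never reported.
    Only meaningful on a chain that verify_chain() has accepted."""
    for entry in reversed(chain):
        if entry["event"].get("type") == "encryption_state":
            return entry["event"]["enabled"]
    return None


def build_sample_chain():
    """Replay the constructed sample events through the device-side routine."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("chain valid:", verify_chain(chain))
    print("encryption enabled at loss:", last_attested_encryption_state(chain))
```

The wipe record at the end of the sample is the same kind of entry: if the device acknowledges the wipe it appends a signed event, and the absence of that acknowledgement tells IT that this is one of the cases where the remote delete did not work and the loss must be handled as an unwiped device. The chain only proves what the device reported, not that the device was telling the truth; closing that gap is what a hardware root of trust is for, signing with a key that the operating system cannot read.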

Whenever a security solution is deployed, it must address several key themes. Compliance requirements such as HIPAA, PCI DSS and the new EU regulation on data protection must be met. How the solution interacts with the human element must be considered, because people will make mistakes.

And of course, security solutions must be deployed taking into consideration the specific security threats of each individual organisation, and ARM’s TrustZone platform, with its open source trusted software ecosystem, is leading the way towards a collaborative ecosystem which allows organisations to do just that.

How TV cop shows like CSI: Cyber and Mr. Robot are making cyber crime sexy and mainstream

26th February 2017

Charlotte Henry

13:44, December 22 2015

Culture and tech collide to make the public aware of cyber threats.

The geeks have long been told that they will inherit the Earth, and flicking on a television recently you might be forgiven for thinking it has already happened.

Hackers have been popping up in all sorts of programmes this year, notably the latest CSI spin-off, Cyber (broadcast in the UK on Channel 5), and Mr. Robot (available on Amazon Video). Both series started this year and have been commissioned for a second season.

It is quite a move from how Angelina Jolie and Jonny Lee Miller took on cyber security in the 1995 film Hackers, which still evokes rather strong reactions from real hackers 20 years on.

CSI: Cyber is based in the FBI’s elite cyber crime unit in Washington D.C., starring Patricia Arquette and James Van Der Beek. The team tackle murders, school shootings, and robbery with the use of cyber forensics…and a S.W.A.T team, naturally.

Mr. Robot tells the story of Elliot Alderson, a cyber security engineer gone rogue, and is considered by people working in the cyber security industry as one of the most accurate depictions of hacking and computer science we’ve ever had on our screens. Think House of Cards with hackers.

British programmes that have depicted some elements of hacking and cyber crime have fared less well than their US counterparts. While Adrian Lester’s band of tech-savvy con artists in Hustle survived eight seasons, Hunted lasted one, before poor reception saw it shunted from BBC One to Cinemax and then given the spin-off treatment.

The Hackers film was all payphones and rollerblades, accompanied by some decidedly dodgy dialogue and graphics. Today’s tales of hacking are much slicker and darker – less payphone, more Raspberry Pi. The way devices and code are displayed is also far more accurate than the rather dubious imagery of diving into a screen deployed in the film.

Indeed, Mr. Robot’s makers have been obsessive in realistically showing hacking. So much focus was put on this, that the programme even received praise from NSA whistleblower Edward Snowden, according to star Rami Malek in the Guardian. “When you realise how much he knows about government spying tactics… it feels like we’re doing a very accurate job,” Malek said.

These programmes, as well as being binge-watch-ready box sets for the Christmas break, help highlight the threats cyber criminals pose, reaching people who may never have looked into the issues before. In the current climate of TalkTalk and VTech, increased awareness of cyber threats amongst the general public can only be a positive thing.

Norman Shaw, CEO of mobile security firm ExactTrak, told CBR: “Anything that raises the awareness of crime in general has to be a good thing, and TV shows such as Mr Robot that raise the profile of cyber crime are no exception. However, it’s a well known fact that human error is the biggest cause of data breaches, so while it’s lovely for these TV shows to raise awareness of what some would call the sexier side of data breaches, and for the Chancellor to plan a £1.9 billion cyber investment, I have to ask, where’s the investment in training people who deal with data to better understand how to protect it?”

No doubt law makers currently pushing for greater surveillance powers will also delight in the depictions of digital tools helping tackle serious criminals, as happens every episode in CSI: Cyber.

Given what we’re told by Mr Snowden, the world as portrayed by programmes such as CSI could be accurate. This is a world where, after running around for 40 minutes, one of the good guys types something into a database to identify the culprit and then tracks a mobile phone to pinpoint them to a warehouse for the inevitable shootout.

With cyber crime so mainstream, we are ready for something a bit more realistic and a whole lot more techie. If cyber security went mainstream in 2015, maybe that is what we can look forward to in 2016.