Community Contributions

Minimising risk in business: the relevance of cybersecurity and data protection

Despite being a term on everyone’s lips and an increasing wealth of information becoming available online, cybersecurity remains somewhat of an abstract concept. This may have something to do with its intangibility or perhaps more simply because most us don’t feel the need to gain knowledge of the topic and apply it to our everyday lives.

The fallout from that way of thinking, however, can be catastrophic. Unfortunately, the ever-expanding number of businesses being hacked says a lot about what we can expect in the future.

As a small to medium-sized company in the virtual data room space, security has always been a top priority for Drooms. We sat down with Rosanna Woods, Country Head UK of Europe’s leading VDR provider, to discuss cybersecurity in 21st-century business and how you can minimise risk.

So first and foremost, introductions: what does Drooms stand for and what are some of the key strategic objectives of the business?

 

What role does cybersecurity play in Drooms’ business practices?

The GDPR has shaken things up big time. What are some of its implications for business?

Still on the topic of data protection, is Drooms GDPR ready?

Drooms has always taken the security of its customers extremely seriously and has been GDPR ready for a while now. Several factors have made the road to compliance rather straightforward. Certainly, being a European provider historically compliant with strict German data protection standards has helped.

When it comes to a cyber threat, are there some sectors more at risk than others? Any tips for those wanting to minimise risk?

Sharing business-critical information in the era of cyber threat is risky with a lot of platforms out there. Security should be a major area of focus for providers who ought to be able to explain the various measures adopted to protect data from modification, unsanctioned processing or loss.

To learn more about Drooms and their business, visit https://drooms.com/.

 

A collaboration between Ivan Seifert from Demystify Security and Leonora Staines from Drooms. Thanks to India Lewis for providing video editing support.

Changing characteristics in private-public cybersecurity cooperation

 

 

1. Techplomacy

First came the creation of a U.S. Government ambassador to the Silicon Valley, then came the world’s first national technology ambassador, Casper Klynge of Denmark.

The Danish government recognised the lacuna in communication between politics and the private sector tech giants like Facebook and Google that are shaping the global internet. “If you look at what impacts us in our daily lives and how much data they can pull on all of us… (the firms) are truly influential players”, Klynge said. Like diplomacy between nation states on cybersecurity matters, it is becoming increasingly important to discuss policy issues like counter-radicalisation, propaganda, and internet sovereignty with these companies.

 

2. Threat alliances

Organisations like the Cyber Threat Alliance headed up by a former Obama administration advisor, Michael Daniel. The unique organization aims to increase information sharing and change the rules of the road in cybersecurity competition. Instead of a field dominated by “my inadequate pool of data is bigger than your inadequate pool of data”, thinking as Daniel puts it, they aim to communicate about and minimise threats. Despite the size of any given company’s IT department, or cybersecurity team, all can benefit from the new vision of information sharing that includes government resources.

 

3. Anti-cybercrime collaboration

International Law Enforcement organisation INTERPOL is teaming up with Palo Alto Networks, an American network and enterprise security company, to combat the global phenomenon of cybercrime. Palo Alto became the first private cybersecurity company to sign a Data Exchange Agreement with the organisation, marking an important advancement in cross-sector data sharing for the purposes of protecting networks, information and, by extension, citizens. Their integration extends to the presence of members at operational briefings at both INTERPOL HQ and at Palo Alto’s flagship in Santa Clara, CA.

 

By Kate Dinnison

Darkweb crack-down spurs digital refugee crisis

 

The FBI, DEA and Europol are celebrating the successful take-down of AlphaBay and Hansa, two of the Dark Web’s largest marketplaces. There are consequences for one marketplace closing, however, other Darkweb sites are finding significant spikes in membership, new vulnerabilities, and a wave of market saturation. In the week following the bust, similar sites saw their number of listings rise by as much as 28%, according to the BBC.

After Silk Road and its 2.0 version were taken down in 2013 and 2014, AlphaBay quickly emerged as the forerunner in its field and grew to be ten times its size according to acting FBI Director Andrew McCabe. When Alphabay went dark, it hosted 40,000 vendors, 200,000 users, and over 350,000 listings for illicit goods and services.

The Dark Web is accessed through Tor Hidden Protocol Service and is known for its sinister products – child porn, illegal drugs, sex workers, and even hit-men. Customers are attracted to such sites because the monetary exchange is untraceable using blockchain technologies to exchange crypto currency.

The movement of users and increased attention to such sites is being used as an opportunity to exploit and Phish new users. Additionally, this “refugee crisis” is causing a drop in product quality according to some customers.

This event has sparked an interesting debate about the ramifications of a seemingly desirable outcome for law enforcement. The joint operation to restrict interfaces enabling illegal activities was indeed a success, but demand does not disappear overnight. The Alphabay saga begs the question: what role should governments and business play in providing a safer internet experience on illicit sites? Or does an individual assume all the risk when engaging in illegal activity?

To make the story ever-more thriller-like, the 20-year-old Canadian founder of the site was found hanging in a Thai prison, spurring internet conspiracy theories, despite evidence of suicide. Federal agencies will continue to play whack-a-mole with these types of sites with the hopes of suffocating the illicit economy it facilitates. While the aim in shutting down these sites is to protect citizens from malware, dangerous drugs, identity theft and the like, there will continue to be a demand, and inevitably a supply elsewhere in the shadows of the internet.

By Kate Dinnison

 

Interview with Dr. Tim Stevens, Lecturer in Global Security at King’s College London

 

 

Recently, we chatted with Dr. Tim Stevens, a lecturer in Global Security at King’s College London. His most recent publication titled ‘Cyberweapons: an emerging global governance architecture’ discusses the already-existing structures in place that oversee the use and regulation of offensive cyber capabilities. Our Communications Manager, Kate Dinnison, discusses with Dr Stevens what constitutes as ‘weaponised’ computer code and the Chinese view of internet sovereignty, among other topics. You can follow his Twitter @tcstvns and his blog at https://assemblingsecurity.wordpress.com.

 

KD: Firstly, tell me a bit about how you found your place in academia and how you would define your field of research, because I don’t want to try to define it for you.

 

TS: I came to academia through a rather circuitous route. I had a previous career as an archaeologist, that was my first degree. I worked in archaeology for 10 years in the field. I was a field archaeologist doing excavations both in the U.K. and abroad. I was also a stone tool technologist, so I used to look at flint, tools and artifacts from thousands of years ago.  That always reflected in me an interest in technology, in ancient technologies. But I also got very interested in information technologies, so I decided I wanted to go back to college to study that more extensively. I got caught up in the foreign security-conflict relation between information technology and politics. And I did a PhD at King’s and ended up teaching at King’s as well, so now I look at cybersecurity.  And for the last ten years I’ve been looking at cybersecurity. What I do now really is thinking more about the global aspect of cybersecurity rather than the technical aspect. And by the global, I mean international politics. How information technology, security, affect the way that states interact, the way that global governance operates in that space with respect to the internet, and lots of issues surrounding those two main areas of research.

 

KD: That leads perfectly into my second question which is related to the article you recently published. So obviously all eyes are generally on Russia when you’re talking about changing the current, as you put it, global internet sovereignty architecture. But you just published an article on China’s view of Cyber Governance in Politics & Policy. And I was wondering if you could explain a bit about your assessment of their views and their intentions.

 

TS: I think what we’re seeing at the moment is potentially the beginning of what a lot scholars have been suggesting for years which is that when we talk about the global internet, we shouldn’t get too excited about the fact that it’s going to flatten traditional political hierarchies, that it’s going to need some form of transnational governance automatically, just because the internet exists. These same scholars have argued for a long time that what we may be witnessing, what we’re about to witness, is a fragmentation of the global internet, roughly along national, sovereign, territorial lines. The recent resurgence in this term internet sovereignty or what’s sometimes called cyber sovereignty is exactly what these scholars have been suggesting is that we’re seeing countries attempting to throw up borders in cyberspace, if you’d like, roughly contiguous with their territorial borders, and therefore exert control over the internet in a much more complete and total sense based upon sovereign lines. So when the Chinese talk about internet sovereignty, we’re not entirely sure quite what it means yet, which is the point of the article, but it’s very much about trying to exert sovereignty at particular points and lines in the internet that don’t actually exist in a physical fashion. The internet does cut across borders, but the Chinese are trying to develop the idea, as are the Russians, as indeed are many Western countries as well, about how to exert control of the internet in their borders, about how to control what comes in, about how to control what goes out, how to control what happens within national cyberspace.

 

KD: Again, that’s perfect segway to talk about the current debate in the U.K. After that attacks of last month, Theresa May came out with this statement, saying the internet must be regulated and we must find a way to get rid of these safe spaces for terrorists to communicate etc, etc. What nuances is the UK debate missing, for those who read this in the Daily Mail and don’t really understand the opposing sides? Going off of that, should the brunt of the responsibility, like she said, be placed on these social media companies, or should it be somewhere else?

 

TS: There’s a lot of issues packed in there. The first thing to say, clearly, that any regulation of the internet is difficult. The internet is developed, primarily as a fairly lightly regulated space, which has mainly been driven by private actors, corporates, and the like who, by nature of them being high-tech companies, have tended to be lightly regulated, because governments don’t always quite know how to regulate them. Or the fact that they’re seen as great economic drivers, therefore we don’t want to regulate them. And the tech companies know this. The other interesting thing about the U.K. example is that in 2008, then Labour home secretary Jackie Smith said precisely the same thing when she said that the internet is not a no-go area for governance. This is not the first time we’ve been here in the U.K. Theresa May is articulating the same thing that Jackie Smith was. You know, one of her predecessors as home secretary. Jackie Smith’s comments were in the context of exactly the same debate – about terrorism, about online radicalization, about internet terrorism, if you like. And we haven’t progressed an awful lot further. It is not clear precisely how you would go about these measures short of really cracking down on any form of internet content or expression that you deem problematic. And that notion in itself is problematic in a democracy.

Ostensibly, we do have, if not in constitutional terms, at least in international legal and in human rights terms, the right to freedom of speech and expression on the internet or wherever it happens to be. And putting the onus of responsibility on social media companies, while I understand that impulse, because they are effectively these days publishers of content as much as they are just platforms for content. I think it’s going to take a much more cross-government cross-sector approach to this. And what worries me about this is that there’s actually not a lot of public debate about this issue. Maybe that’s because everyone knows intuitively that the internet is so difficult to regulate that whatever governments suggests social media companies do, simply won’t work. Or whether it’s that people don’t care. I really don’t know. Lots of these supposedly technical issues tend not to attract much public attention, but this is not just a technical issue, it’s a political issue. So if you can choose to restrict freedom of expression by one group of people, how do you stop it being applied to another? I think it’s a real thorny issue for government, and I haven’t seen an awful lot of public consultation on this issue. All governments like to think big, talk big, but it remains to be seen what sort of concrete measures the U.K. government is going to actually put in place.

 

KD: Next one is related to the recent assessment of Crash Override. I was reading into your article on cyberweapons a little bit. I was wondering if any of these recent attacks, in your mind, qualify, with that idea of intentionality and harm, as such?

 

TS: The whole term cyberweapons is absolutely fraught because when you use it, it brings connotations of military, hardware, of national intent, of them being somehow strategic. So I try to use the term very very sparingly, but it is a term that’s being used. In direct answer to your question, no I would not. I would suggest that this is malware. The WannaCry example may well be something to do with North Korea, a lot of people think it is. In which case, there is intent there, in terms of creating disruption. But what’s the strategic goal? There doesn’t seem to be any kind of clear political aim to releasing malware like that on the internet. It may have just been a test. It may have been to disrupt. We simply don’t know. But I hesitate these days to call many things cyberweapons unless there’s a military, perhaps intelligence context.

 

KD: I got the feeling that many people were comparing crash override to Stuxnet, saying that this was the second public occurrence of something of this kind, of something this far-reaching. They’re saying it’s a dry-run for something larger, perhaps an attack on American infrastructure.

 

TS: It really depends on how you define weaponry. And there is no international legal definition of weaponry. When you use the term weapon it comes loaded with all manner of connotation and resonances with conventional weapons, and of course nuclear weapons too. I think there would be a case for calling targeted malware weaponry, but whether I agree with it or not is lute. I’m not going to stake my house on it.

 

KD: This is more for my personal curiosity. In doing some research for Demystify and for your course as well, there are so many fantastic code names, operation names, kind of hacking aliases and things like this. Do you have a favorite you’ve come across over the years.

 

TS: I’m quite a fan of Moonlight Maze. I know that Thomas Rid has done an awful lot to unpack precisely what happened and so on, and he’s done brilliant work. But it still has this mysterious, early history of internet war if you like, of espionage, of intelligence. And when I hear that name, it resonates in so many different ways when we look back 20 years. And were thinking now again about the Russians and precisely what they’re up to. And what the Americans are doing, because that quite often drops out of the conversation. It’s all about the darn Ruskis, when we’re forgetting of course the main center of expertise and cyber operations is American, not Russian. All these things come to mind when I think about Moonlight Maze.

 

KD: And our tools are coming back to bite us!

 

TS: Yes they are, you can thank Shadow Broker for that.

 

KD: Last one – what are your go-to blogs, sites, podcasts, twitter pages, to keep up to date on all of these cybersecurity matters.

 

TS: I think the best one, even if I don’t agree with him all the time, is Stewart Baker.

 

KD: It’s not the Steptoe Cyberlaw podcast?

 

TS: Yeah it’s that one. I think because they have such a weight of expertise when they’re discussing these issues. And they’re deeply embedded in the security establishment as well. They can get anyone they want to talk about anything they want, they have that kind of draw. They’re quite hawkish in many respects, but they really kind of cut issues open and analyse them forensically, and sometimes come to rather surprising conclusions. It’s great to hear people doing that kind of forensics, very intellectualised, but practically focused work. So I’d definitely recommend the Steptoe Blog and Podcast.

 

Crash Override: Too Big to Ignore

Last December, hackers targeted an electric transmission station in Ukraine, causing approximately one-fifth of the city to go dark. Earlier this month, Cyber security firms DSET and Dragos Inc. released a report on the malware, suggesting an alternative utility for the event.

They’re calling the attack a potential “dry run” for the malware to be adapted and used on a larger scale. “Nothing about this attack looks like it’s singular,” said Robert M. Lee of Dragos.

Nicknamed “Industroyer” or “Crash Override”, it is only the second known malware that targets industrial control systems in order to disrupt their functioning. Stuxnet captured the attention of cyber security exerts after its existence was made public in 2010. The US-Israeli worm however was released for military purposes, to delay the enrichment of uranium needed for the production of nuclear weapons in Iran. The world of nuclear weapons and the world leaders who wield them operates somewhat outside the civilian sphere. Malware that affects public infrastructure, however, has the potentiality to be wide-reaching.

Ukraine is not a stranger to Russian-initiated blackouts. In 2015 hackers remotely controlled power grids to deprive 225,000 people of power. This specific malware functions by scanning industrial systems, manipulating their settings, and opens circuit breakers to cause the power cut.  Once the malware infects a Windows machine on the target’s network, it can map and obtain network logs and send the information back to the proverbial mothership.

Crash Override’s newfangled ability to both physically affect power grids and serve the function of an information-driven computer network operation should serve as a wake-up call. The successful one-hour long operation in Ukraine could serve as a springboard for affecting infrastructure in Europe or North America.

Some nations have built their critical infrastructure to be more resilient to disruption, however. The United States and many coast-bearing nations prepare themselves for natural disasters and for operating infrastructure manually, instead of relying on software.

Politicians often spout imaginary disaster scenarios to encourage funding resilient infrastructure, but it seems a real weapon is looming over the West. “It’s the culmination of over a decade of theory and attack scenarios,” Caltagirone told the Washington Post. “It’s a game changer.”

By Kate Dinnison

An interview with Misha Glenny, author of ‘DarkMarket: How Hackers Became the New Mafia’

 

 

 

 

 

 

 

 

 

 

 

 

We recently interviewed Misha Glenny, journalist and author of DarkMarket: How Hackers Became the New Mafia. His 2011 book explores the world of organized crime on the internet, including spearphising, carding, hacking, and how the UK government is responding to this phenomenon. In the interview, our Communications Manager, Kate Dinnison, asks him to discuss his own personal cyber hygiene, trends in cyber security today, and how technology is aiding traditional organised criminals.

 

Dinnison: After doing research for Dark Market, what personal cyber security practices do you now find important?

Glenny: There are very basic things to do. I still have an antivirus program as standard, even though I use a Mac. Increasingly I use a VPN as well. But the most important I think for me is approach to email. Two things: the first one is simply that I don’t consider email to be a private form of communication. I consider it a public form of communication and so I am polite, courteous, and above all else I don’t put anything sensitive in there. This is the big lesson from Podesta and the DNC hacks. Everyone’s going on about how it was appalling they were hacked. And what’s really appalling is that they are sending sensitive material over email. If anyone has got that message after the Sony hack of 2014, then they shouldn’t really be using a computer. The second thing about emails is that you have to know how to read your messages. And that means being able to read a header. That means automatically being able to detect the type of language that is being used and is that language appropriate to the type of person that is sending it to you. And if there are any links and if they’re disguised links, run your cursor over it and see what that link really is. If you have any doubt about it, you just don’t go for it for attachments or links. There are some things you cannot avoid. You should have within your antivirus software a browser scanner built in as well so that anything that looks at all dodgy is blocked by your antivirus programme or that they at least ask you if you want to the site or not.

And those are the major things that I do. Because I am a member of a family I make sure that everyone else is also taking some of these security measures. Because you can be as careful as you like but if you get a bug on your network then you’re vulnerable. And also I change passwords on routers so it’s not the default password. Another thing I do is I use a master password, basically a password accumulator so that I don’t have to worry about that. Now there are problems with those programs. For logins that are not important, where you’re not storing personal data, where you’re not storing debit or credit card data, where there’s nothing sensitive, you can then use ’password’ or ‘123456’ or whatever it is you want as an easy password provided you don’t use that password on any sensitive things. I suggest basic domestic hygiene really.

 

Dinnison: I imagine the same as in a family, the same goes for when you’re operating in a business environment. Everyone must practice these security measures.      

When it comes to corporate, it’s very different. There you need active engagement from the Infosec department and the risk management department. Some companies will have a fraud department and above all else you need the board to be fully engaged with it. If the board is not fully engaged, then what usually happens is that InfoSec and IT security are unable to spread a culture of appropriate cyber hygiene through the company and that means you’re riddled with potential vulnerabilities. I keep track of various surveys that are made of IT security and board members on what their engagement with cyber security is. And what we see, even now, in 2017, we still see something the range of 50% of CEOs and other board members not engaged with the issue of cyber. This means you don’t get the vertical and horizontal communication that you need in organizations. These are corporations that have the type of money to invest in this. You have other things like government institutions but also NGOs and charities are extremely vulnerable because they don’t have the cash to put in any digital solutions and often don’t understand the culture required that all employees or members should be working with.

 

Dinnison: That was the excuse of the DNC.

Glenny: It’s not an excuse, it’s a failure. It’s a complete management failure.

 

Dinnison: The industrialization of cybercrime poses a big challenge to not only individuals but law enforcement. You illustrate this in your book through different case studies. After interviewing these subjects for DarkMarket are there any simple policy suggestions you would pass on to the UK government?

There are a number of things. You have a problem that arises from the development of secondary markets and off the shelf malware. This means that because you can either buy malware to deploy or you can hire out botnets to launch DDOs attacks. Or you can request a team of hackers to create your own botnet, which is becoming particularly dramatic with the Internet of Things. What this means is that the government really needs to step up. Here in the UK I suspect the National Centre for Cybersecurity in Victoria, which is an offshoot of GCHQ, could be a very useful thing. Britain has been pretty advanced in terms of coordinating government, business and the public sector in terms of security. I’m a little worried that the National Cyber Security Centre has absorbed too much of the culture of secrecy that necessarily defines GCHQ. So I’ve talked to a few people who have tried to approach it for advice and media requests and they have been very, very unhelpful. And I think that’s a mistake – you need to enable and encourage people. That was the whole point of putting the National Cybersecurity Centre in the middle of London so that it would be accessible, they wouldn’t be locked up in the donut in Cheltenham.

The other thing is of course resources. This is going to require more money. The British government has been channelling a lot into cyber defences and I think that’s the right thing to do. But it also requires explaining to people why you need to take police resources away from where people feel comfortable with the old syndrome we have here in the UK of ‘the bobby on the beat’. It’s necessary to shift some of those resources toward active cyber defence because many, many people are now subject to attacks whether its credit card fraud or identity theft or the use of the computer power as a botnet. People don’t know what to do when it happens. If you ring up the police and they don’t know how to proceed if you are a victim of crime online, it starts to unnerve people. One of the things I discovered talking to victims of chronic fraud or indeed identity theft is that psychologically it is perhaps not quite as devastating as finding someone has been in your home but it really does frighten people. It triggers extreme anxiety to find out that what you thought was entirely intimate, private sphere has been violated by an unknown outsider. So you really need your enforcement officers who are capable of dealing with these victims but with a degree of psychological understanding as to what victims are going through when they report crimes. You need support for that and support requires resources. And that means these days taking it away from somewhere else.

 

Dinnison: Do you anticipate any changing trends in cybercrime due either to reliance on new technologies or any societal change?

Well IOT (Internet of Things) is the greatest concern. Because in a short space of time thanks largely to the mirror botnet we have seen just how powerful the IOT can make sophisticated hackers, people with real technical ability. It basically multiplies computing power by an incalculable amount and if that computing power is in the hands of competent criminals then that can be very dangerous indeed. The problem here is quite simply that innovation, our resistance to boredom, our delight of convenience drives products coming to the market and security is never thought of. And even if people start thinking of security now, the situation with routers around the world is so vulnerable. Basically, products need to come on the market with full security requirements already built-in. And that only happens in maybe 10% of the products.

The second thing that is happening is that up until now traditional organized crime and cybercrime have tended to be two very different things. If you’re involved traditional organized crime, then a sine qua non of your activity is your ability to threaten or deploy violence. And in cybercrime that is not a sine qua non. You don’t need to have a capacity for violence. This is a unique development where an entire raft of crimes will attract socioeconomic groups that are very different from what we understand by organized crime historically. The only thing which connects the two of them in terms of their makeup is the gender issue. That is about 92-93 percent of organized crime syndicates are male, and 95-96 percent of hackers are male. So this is a huge marker. But other than that, class, intellectual capability, age, because hackers start much younger as a whole, are very different. You’re dealing with a different set of motivations, different psychology. You’re dealing with different modi operandi as well.

However, the reason why these two groups have been separate up until now is because traditional organized crime is still dominated by a generation who are frightened or even dismissive of tech. The new generation of organized criminals growing up are digitally literate. This means first of all they understand how cyber can be used to make their business more efficient and accelerated in all sorts of ways. The forerunner of that were the Nigerian 419 scammers who understood the scalability of their operation through email. But now what you’re beginning to see are entire tribe organizations assuming a cyber capacity to make their work more efficient. You can see that in the accounting capability of someone like the PCC, the first capital command of Sao Paulo, the largest organized crime group in South America. You can see it in the Mexican cartels. You can see it really wherever you go in Europe.

The latest Europol organized crime threat assessment makes it very clear that organized crime is being digitalised. Now for example you now get organized crime involved in burglary. They’ll do two things before they attack a street of houses; they’ll send drones over first of all to ascertain where the vulnerabilities are in terms of breaking in. At the same time as scoping it physically though drone technology, they’ll be checking everyone’s social profile on the street so they identify who lives there, when they go to work, when they go on holiday, what sorts of things they’re involved in. Whether they have lots of computers or cameras. Then they will coordinate the actual break-in very carefully and they’ll take six to eight houses all in one go in the space of about an hour or so, and they’ll be gone across borders before anyone gets home. So that is using cyber to increase your capacity but then there is also the industrialization of cyber malfeasance. I use the word malfeasance because attribution is a big problem. You don’t know if you’re dealing with espionage, intellectual property theft or whether you’re dealing with bulk standard ransomware criminals and credit card fraudsters.

In terms of the current threat the two fastest-growing cybercrimes are ransomware and what’s called CEO fraud. It’s basically when a CEO gets a message from someone he or she knows asking for a payment to be made. It’s a very targeted attack where they authorize the transfer of money which is in fact going to fraudsters. There were two cases last year in which single transfer where a CEO of a large German electronics company called Leone and a large aerospace manufacturer in Austria called FACC. Both of them authorized the transfer of 4 million euros. This led to the FACC CEO having to resign. This is a huge industry now against American companies increasingly and the European Union as well.

 

Dinnison: Lastly, where do you go to keep up-to-date on cybercrime related subjects?

Glenny: I track websites like Brian Krebs’ website. I met Brian when I was researching DarkMarket and he does a fantastic job. Bruce Schneier has a fantastic blog. What Bruce does is link cybersecurity to larger security issues and geopolitical issues which is what really interests me. I’ll also look at The Register and various tech-security websites to see what’s happening and then talk to people in the industry.

Bitcoin: the risks and how to stay safe using it?

Developed in 2009 by an unknown individual or group under the pseudonym Satoshi Nakamoto, Bitcoin was the first ever crypto-currency to be used in the world. Bitcoin is a decentralised digital currency, which means it can be transferred instantly to anyone in the world without having to rely on a central authority such as a government or a bank.

Instead, it uses cryptography and block chain technology to control the creation and transfer of money therefore giving it an advantage over other traditional currencies that we use. Other benefits of using Bitcoin include being free from government interference and manipulation (e.g. inflation), reduced transaction costs, faster transactions and inability to commit credit card fraud.

Consequently, there has been a rise in many online services and retailers in different industries that now use and accept Bitcoin. A few examples include Amazon, Paypal, Bloomberg and Microsoft. It’s also worth mentioning the rise of Bitcoin usage within the Darkweb. Did you know that the selling of illegal drugs on the Internet make up a large proportion of transactions made using Bitcoins today? Due to its powerful encryption protections, it’s no wonder that other illegal activities such as selling of arms, weaponry and illegal services or tax evasion take advantage of this impressive technology.

It’s true that when scaled to a global and mass level of consumption, major issues such as criminality, security and price volatility concerns need to be addressed, and like any new financial technology, the use of a decentralised online currency introduces many uncertainties and risks that we haven’t had to face before.

However, our society is slowly transitioning towards a digital age and this provides us with more opportunities to liberate ourselves from old traditional concepts such as bank-controlled currencies. It may take several decades or even a lifetime before we see the Bitcoin become a global currency but as the world is evolving towards new technologies, we should make an effort to embrace Bitcoin with open arms. I imagine it won’t be long before we see a digitally rich economy that includes Bitcoin, other crypto-currencies and a working coalition between central banks and digital currencies.

So when it comes to using Bitcoins, here are a few ways you can keep safe and prevent these risks when making transactions online.

Make sure to secure your wallet:

Unfortunately once Bitcoin is stolen it is almost impossible to recover. There is no refund or guarantee against fraudulent charges so we cannot emphasise how important it is to make sure to secure your Bitcoin wallet. There are several security features and good practises that you can read up on to prevent theft (see link below). A few examples include enabling two-factor authentication, phone number verifications and multi-signatures.

 

Read up on scams:

Online scams and fraud are on the rise and scammers are becoming increasingly sophisticated, especially when it comes to new technology. The best way to stay safe and avoid them is to know what to look for. This can be done by spending time learning about some common scam traps to prevent you from falling into them. A few can be found on these websites:

https://www.weusecoins.com/bitcoin-scams-how-stay-safe/

https://www.cryptocoinsnews.com/bitcoin-scams/

 

Price volatility:

The price of a Bitcoin can be volatile and in the past, has shown to unpredictably increase or decrease quite rapidly. An important risk factor for the future of Bitcoin is whether it can achieve a stable value. Stable prices are an important quality of a successful currency but due to Bitcoin’s young economy and novel nature, it’s important to be wary of the risks when storing money with Bitcoin.

 

Protect your privacy:

Although a Bitcoin transaction is often perceived as an anonymous payment, in reality, all transactions are public, traceable and permanently stored in the Bitcoin network. A Bitcoin address holds all the information about where Bitcoins are sent and once an address is used, it becomes tainted by the history of all transactions used with it. The address history, along with the revealing of user identity during a purchase, shows that trading Bitcoins is not at all anonymous. It’s therefore vital to only use a Bitcoin address once, and users must be careful not to disclose their addresses.

 

Bitcoin is new:

Bitcoin is still a relatively new technology and there are a lot of potential risks associated with investing in it. There is still a lot of room for development and ‘unknown unknowns’ and with each improvement there is a liability of revealing new challenges and issues. Make sure to be prepared for problems and if they arise, consult a technical expert before making any major investments.

For more information on how to stay safe please visit https://bitcoin.org/en/you-need-to-know

 

Written by Melissa Liow; MSc in Physics, interested in outer space, artificial intelligence and Elon Musk!

Protecting yourself against Ransomware

If you’ve watched the news lately you will see ransomware, ransomware, ransomware all over the place. Some of you may ask: what is ransomware? Ransomware is simply a program that encrypts your hard drive and or files and asks for a sum of money in return for a decryption key. Ransomware can spread very easily and can cripple a network in matter of minutes, if not seconds.

 

How To Defend Short Version

Literally the short way to defend against ransomware is to simply follow best practices.

 

Detailed Version

Well if you made it this far, I guess you really want to know what you can do to help yourself and your organization. Here is a list:

1. Train Everyone – Training is essential. Every employee of your organization needs at the very least awareness training. They need to know how to spot hazards and how to avoid them. Please include higher ups such as the CEO and other non-technical management staff in your training because they will be vulnerable to Spear Phishing attacks.

2. Install and Keep Your Anti-Virus Updated – In this day and age people still avoid updating their anti-virus and some even worse have none at all. This puts you and your organization at serious risk. Ransomware can also infect your mobile devices from phones to tablets so get to it. Some protection is better than none.

3. Stay Away From Sketchy Websites – A seasoned internet user may not fall for this and some know when to get out because it just doesn’t feel right. For those of you who have trouble identifying sketchy websites you can use an anti-virus such as Avast. It has a feature called Real Site. There is no free version available, but it helps a lot.

4. Don’t Torrent Anything – Many people don’t know this but a lot of torrents are infected with malware that can more than encrypt your hard drive and files. Black hat hackers use torrents to secretly steal people’s login information for websites like your bank, PayPal etc.

5. Implement a Paranoid Web Usage Policy – Network administrators: this one is for you. You can do a lot to protect your network. Ban everything except for what are known to be a safe sites. Even then you can’t fully protect your network because legitimate sites if their security is not up to par they can become infected and spread malware also. A good idea also is to set a rule to automatically delete web attachments in email once they hit your server. Email still is and will always be a popular infection vector. As network admins you can hold people accountable if you train them how to recognize and avoid threats. Perform a sting operation. Send out some prank malware and when they call you for help you say you didn’t do what you needed to do. Make sure you retrain them. Training is essential.

6. Keep Your Systems Updated – Time and time again people just don’t update their PC’s phones and tablets. It simple guys. As a network admin or security professional it is your job to make sure that all the PC’s are updated. Remember that Microsoft and other vendors and makers of software release updates that could potentially save you and your organization from disaster.

7. Perform Vulnerability and Penetration Testing – Sometimes you may feel like you’re safe when you really aren’t. If you perform this type of testing on a regular basis you can stay on top of things. It may be costly but would you rather lose a little money or A LOT OF MONEY? Just a little? I thought so.

8. Keep Up With The News – Yes this one might be a little boring but this could be the difference between your company losing millions of dollars or you just losing a few minutes of your time daily.

9. Log Monitoring – This one is hard to do I must admit. Combing through logs day after day will probably drive anyone insane but it’s a must. Many hackers try for months or even years to break into a system. If you can notice a pattern like failed admin login attempts after works hours – bingo.

10. Browse Forums – I would never tell anyone to browse the deep web but sometimes black hats know about vulnerabilities and ways to exploit them way before security experts. If you do decide to go there make sure you know what you’re doing but for the average Joe STAY FAR AWAY !!!

 

Conclusion

No system is ever secure 100% of the time. If you keep up with all that I have mentioned here in this blog you can rest assure that you have a relatively safe system. Remember to be forever a student and keep learning. The more you know, the better you can protect yourself.

 

Written by Joel Chang; Cyber Security Professional and forever a student of learning (CEH,Security+,Network+)

 

Four recommended Cyber Security Summer reads

We’ve selected some celebrated books in the world of cyber security you should check out this Summer to expand your knowledge of contemporary issues.

 

A cautionary tale: Spam Nation by Brian Krebs

In an exposé delving into a dark side of the online world, Krebs, a former Washington Post journalist and cybersecurity expert, pulls back the digital curtain to reveal the secrets behind email spam, botnets, rogue pharmacies, and other Internet threats. Armed with reams of information sent to him by feuding hackers and cybercrooks, Krebs explores just how and why these spammers get away with so much—how they make millions by flooding our email in-boxes with ads for cheap (and often unreliable, dangerous, or illegal) drugs, and how they stay one step ahead of the authorities. He traces many of them back to cabals taking refuge in the relatively laissez-faire former Soviet states, where the so-called Russian Business Network flourishes somewhat openly. Krebs plays the role of fearless crusader and hard-nosed investigative journalist, his crusade costing him his job at the Washington Post and his curiosity taking him to meet Russian spamlords face-to-face. By exposing our digital weaknesses and following the money, he presents a fascinating and entertaining cautionary tale. Krebs’s work is timely, informative, and sadly relevant in our cyber-dependent age.

Review from Publisher’s Weekly

Buy at your local bookstore or online here.

 

 

A holiday read: Zero Day by Mark Russinovich

If you’re looking for something less complex that still provides an accurate picture of what’s going on in cybersecurity, this novel can give you that mental break. Although the story is fictional, the scenario it depicts of a cybersecurity attack on an airplane’s on-board computer isn’t at all unrealistic. Several references to real cyberattacks are included, and descriptive language brings the mechanics of these threats to life in a way that a wide audience can understand and appreciate. You won’t get any technical knowledge from this book, but its subject matter is timely enough to make you think more critically about current cybersecurity issues.

Review from Homeland Security Degree

Buy at your local bookstore or online here.

 

 

A comprehensive cyber security guide: Cybersecurity and Cyberwar: What Everyone Needs to Know by P. W. Singer and Allan Friedman

“I found Cybersecurity and Cyberwar: What Everyone Needs to Know to be an enjoyable read, filled with engaging (funny) stories and illustrative anecdotes. Readers are taken on an entertaining tour of the important issues, history and characters of cybersecurity, from the Anonymous hacker group and the Stuxnet computer virus to the cyber units of the Chinese and U.S. militaries.

For readers without a military or public policy background this book will provide a common base of knowledge around cybersecurity issues. As cybersecurity practitioners, having a common base of knowledge will allow us to cooperatively engage in a dialogue and much-needed conversation around how to approach, understand and deal with the important policy implications of cybersecurity and cyberwar.

Cooperation is a key theme and takeaway from the book, focusing on how difficult, yet necessary, cooperation is for addressing cybersecurity issues. Today we talk in terms of “threat intelligence sharing.” The authors suggest that a governance model based on the U.S. Centers for Disease Control and Prevention could serve to encourage cooperation, disseminate information and recommendations, and mobilize rapid responses as needed. Understanding, communication and cooperation in cybersecurity are truly what everyone needs to know.”

Review from Palo Alto Networks

Buy at your local bookstore or online here.

 

 

For some state-on-state political intrigue: The Cybersecurity Dilemma by Ben Buchanan

Why do nations break into one another’s most important computer networks? There is an obvious answer: to steal valuable information or to attack. But this isn’t the full story. This book draws on often-overlooked documents leaked by Edward Snowden, real-world case studies of cyber operations, and policymaker perspectives to show that intruding into other countries’ networks has enormous defensive value as well. Two nations, neither of which seeks to harm the other but neither of which trusts the other, will often find it prudent to penetrate each other’s systems. This general problem, in which a nation’s means of securing itself threatens the security of others and risks escalating tension, is a bedrock concept in international relations and is called the ‘security dilemma’.

This book shows not only that the security dilemma applies to cyber operations, but also that the particular characteristics of the digital domain mean that the effects are deeply pronounced. The cybersecurity dilemma is both a vital concern of modern statecraft and a means of accessibly understanding the essential components of cyber operations.

Review from the Belfer Center

Buy at your local bookstore or online here.

 

Click here for the Cyber Security Cannon, a longer list of books that every cyber security professional should read, according to Palo Alto Networks.

Your PC taken Hostage



By Aqsa Hussain.

We recently witnessed a cyber attack which left individuals and organisations virtually crippled. The WannaCry ransomware cyber-attack hit over 200,000 computers in 150 countries demanding up to $600 per ransom. From the Indian Police stations to French car manufacturers and UK Hospitals, it seems as if disruption was the primary aim for these hackers. With the importance of cyber security reemerging in the mainstream public domain, it’s worth spending some time explaining what all the fuss was about. What is ransomware and why did its intrusion in computer systems result in patients being turned away from hospitals and factories being shut down?

In a nutshell, ransomware is the use of technology to extort money from victims. Its scale varies from it preventing you from being able to access Windows to encrypting files so that you cannot use them to stopping certain applications such as web browser from functioning. Simply put, your files and data have been taken hostage and you are unable to use your PC until you pay up. Typically, you have to pay in bitcoins since this cypto-currency is untraceable by law enforcement (for now) and there is always a time-limit adding another level of psychological despair to this extortion.

As with any hostage situation, there is no guarantee that by paying the ransom, you will be granted access to your PC; by paying on time, you may be able to access your files again. Missing the deadline could result in the ransom amount increasing or all of your files being deleted or released into the public domain.

The history of ransomware dates back to 1989 when the AIDS Trojan was spread via the floppy disk. In order to get access to your data, you had to send $189 to a post office box in Panama. It has definitely advanced a bit since then…

It is not only your home PC which can be targeted. In fact, after realising how lucrative this business was, ransomware creators and distributors moved onto bigger targets such as business networks, city councils, hospitals, and police servers. Public institutions have huge databases of confidential information which if leaked can cause immeasurable damage. The NHS in the UK has experienced the most attacks on its servers than any other public agency with a noteable one in 2016 which resulted in a 4-day IT shutdown and non-urgent appointments and treatments being cancelled. Last weeks attack has been described as even worse. Attackers know that these institutions often use older software and equipment which is easy to infiltrate (the NHS still operates predominantly on Windows XP!). When it comes to businesses, cyber criminals also know that businesses have money and that their ransomware will cause major disruption, therefore increasing the likelihood of them being paid. They also realise that businesses fear legal or reputational consequences so will probably not report the attack. That being said, since 2016, ransomware has seen a 50% increase in both homes and enterprises. Is this due to more cybercrime or more reporting? There is no clear cause.

Many crime TV shows such as 24 (a personal favourite) have stimulated the imagination showing us how criminals are able to infiltrate network utilities such as water and electricity, right the way to nuclear reactor sites holding these hostage until a demand has been met. It would be naive to think that this is not yet a possibility and perhaps even something that the security services have already grappled with.

On the flipside, there is something to be said about the entrepreneurial spirit of ransomware creators and distributors. They’re business-oriented, know where their opportunities lie and are daring in their pursuits.

To prevent your own computer from being taken hostage, there is not much you can do apart from the obvious – don’t open suspicious emails (even SMS messages!), don’t use untrusted WiFi connections etc. More importantly, always keep a backup!

,

Personal Cyber Hygiene

 

 

 

by Kate Dinnison

The Office for National Statistics estimates that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the UK in 2015. There are simple ways to improve the security of your personal data and that of your business, from the mouth of industry and government experts.

Ben Buchanan, author of the Cybersecurity Dilemma and Fellow at Harvard University’s Belfer Center Cybersecurity Project told the War on the Rocks Podcast his tips for improving personal cybersecurity.

  1. Two Factor Authentication – a notification you receive when you log into your account from an unfamiliar device. He says, “John Podesta will spend the rest of his life wishing he had it.” Google already offers it on Gmail, but there are apps such as Duo and Entrust Identity Guard.
  2. Password managers like KeePass, Dashlane, 1password help you create unique, secure passwords for every website you visit on an easy, encrypted platform.
  3. Don’t open unfamiliar attachments, he lastly suggests, to . He says that even the most sophisticated, high-end attacks often begin with a dangerous email attachment. In our ever-connected world, “It’s an irony of international politics that one of the most powerful tools of statecraft is being able to write a message someone else opens,” he said.

Ciaran Martin, GCHQ’s director general of Cybersecurity told WIRED his top tips.

  1. Accept the inevitable“You need a playbook ready for how you will react when an incident occurs,” says Martin. “You may not be able to hold off a breach but, by having procedures in place, you can quarantine them, isolate the damage and keep the organisation running.”
  2. Guard your interior“Perimeter defence is just about rising the barrier for entry into your system so that you’re not an easy target,” Martin asserts. “You need both perimeter defence and active internal monitoring to look for spikes, or unusual patterns of activity.”
  3. Collaborate“There needs to be information sharing between companies who are normally competitors.” Martin contends. “The financial sector has made great strides because they face a measurable financial threat every day, so they’ve set aside commercial rivalries to pool their data.”
  4. Keep things human“System administrators are your key vulnerability,” Martin says. “If they’re compromised then systems like encryption offer no further protection.” Yet malicious insider activity is less of a threat than accidental breaches. Make the procedures for everyone simple and accessible to minimize this risk.

The National Cyber Security Center put together a comprehensive white paper outlining how to respond to and reduce the impact of common cyber attacks. Providing a simple lexicon for the types of actors and attacks involved makes their 10 Steps to Cyber Security an easy paper to understand vulnerabilities. The document states, “doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defenses to ensure that your name is not added to the growing list of victims.”

Decrypting the encryption debate.

by Kate Dinnison

Encryption is essentially the process of turning information into code that prevents snoops, criminals, and spies from accessing it. Apps like Signal, Whatsapp, Aloo, Duo and Confide are bringing this technology to the masses but are posing problems to the aims of law enforcement and intelligence services worldwide. What we’re seeing today is an absolutist clash that is based on ideological binaries. Privacy and security are complicated ideas in the digital age, especially when faced with cases such as Apple vs. FBI in 2016.

After the San Bernadino shootings in December 2015, the encryption debate entered the public arena when the FBI submitted a federal court order for Apple to create code unlocking the iPhone of one of the shooters in order to obtain information for further investigations. An open letter to Apple from FBI director James Comey argued they do not desire to “break anyone’s encryption or set a master key loose on the land.” The security features of the iPhone software prevents the FBI from automatically testing passwords, or using “brute force” for risk of the device locking them out permanently. For a more technical explanation from a cryptographer, go here.

However, Apple and the anti-exceptional access camp worry that customers will lose faith in the security of their products. The risks involving building ‘back doors’ are varied, but the main arguments arise from economic comparative advantage and erosion of cybersecurity. For security, it could change the norm of having one-time use decryption keys, which protects past and future communications. Additionally, it would augment system complexity, whereby additional code creates new potentialities for vulnerability. Lastly, the storage of exceptional access keys by tech companies becomes a target for attack, risking high-volume theft of user data.

The questions posed by the encryption debate are therefore twofold:

  • Do we desire a world of end-to-end encryption?
  • Should authorities be able to still intercept decrypted signals while holding up security and privacy objectives?

Creating an internet where surveillance is technically impossible also forms a vast ungoverned space, which is appealing to the techno-anarchist type. Not only would your data be protected from state actors, but non-state criminal hackers. However, Benjamin Wittes, a senior fellow at the Brookings Institution urges one to, “consider the comparable argument in physical space: the creation of a city in which authorities are entirely dependent on citizen reporting of bad conduct but have no direct visibility onto what happens on the streets and no ability to conduct search warrants (even with court orders) or to patrol parks or street corners.”

As the encryption-security-privacy saga continues into 2017, more actors and cases will bring this subject to head. The case of Apple vs. FBI was unique because it involved domestic terrorism, which allowed the FBI to appeal to the public with a sense of urgency. But lawmakers and companies must think of the long-term implications over the immediate gains. James Comey ends his letter by saying: “And in that sober spirit, I also hope all Americans will participate in the long conversation we must have about how to both embrace the technology we love and get the safety we need.” Until then, it is likely we will see the public struggle over encryption on an ad-hoc and very partisan basis.

,

Risk in the Internet of Things

By Oliver Yule-Smith

Much of the current excitement on the Internet of Things (IoT) revolves around a focus on how we as individuals increasingly embed the use of internet-dependent devices to make our lives easier. However, there is a much more prevalent, but less discussed of late, practice of using this same IoT to run our cities. This IoT automates our traffic systems, runs our metros, surveys our streets bringing us ever closer to the Smart Cities of the future. Although, unlike the use of the IoT by individuals this does not involve an active choice, by say the purchase of this IoT technology for a household, the wider public does not have a say in the increasing digitisation of the city.

In the same way that individuals increased acceptance of the IoT into their lives involves greater security risks so too does a city’s use of this technology herald increased risks. You don’t need to look far for examples of this. Last November the San Francisco Municipal Transportation Agency was hacked by ransomware, extorting the San Francisco Municipality for the safe return of its rail system. The result of this hack allowed riders of the light transit system to ride for free. Whilst, being an economic issue for the San Francisco Municipal Transportation, the hack was generally not threatening for railway users. However, the hacking of Ukraine’s power grid last year provides a more nefarious example of threats to cities. Whilst, the identity of the hackers is unclear, given the scale of the operation and a simple Cui Bono explanation would quickly point the finger to the Russian state or patriotic hackers who have a vested interest in the Ukraine’s demise. This attack was able to knock out 30 substations leaving 230,000 residents without power for close to 6 hours. It is easy to say that this is a result of weak investment in cyber security in Ukraine and a case and point of poor cyber hygiene, but it is worth noting that according to sources for Wired magazine, “the control systems in Ukraine were more secure than some in the US”.

Cities have thought about aspects of this potentiality by ‘air-gapping’ the use of certain IoT systems’ or using an intranet to prevent direct contact with the internet, for example. For their part, the San Francisco Municipal Transport Agency will wish that they had backup systems NOT connected to the internet. However, with the closing of the gap between what is provided by the public sector and what is provided by the private sector in cities, there is a need to ensure consistent security standards across internet-dependent systems, particularly those that are automated. This can come about through the use of security regulatory agencies, education on good cyber hygiene and the use of regular security audits.

Ultimately, all technological advances present opportunities as they do challenges. The increasing digitisation offers increased efficiency and opportunity into our lives but it is clear that the challenges in the form of intrusion vulnerabilities must be mitigated. Unlike, an individual’s use of the IoT, a city’s increased use of the IoT cannot be managed single-handedly. It requires active engagement by residents and security professional to bring about not just smart cities but secure cities.

Estonia: how the country became ‘poster child’ for national cyber security.

By Aqsa Hussain

Estonia is considered one of the world’s most digitally advanced societies. Much of the country’s state and financial infrastructure is online with ICT being considered one of the central pillars of nation-building by the country’s government. In 2005, it became the first country to hold its elections online and soon after, the first nation to provide e-residency for its citizens. Today, the government is virtually paperless with 99.6% of banking transactions done electronically and 94% of taxes declared online.

Without a doubt Estonia has a keen interest in ensuring its cyber security is up to date. Any hack could result in democratic elections being incorrectly managed or private citizen data being exposed – not that non e-governments are immune to this…

The grand attack…

In 2007, Estonia experienced a cyber attack on an unprecedented scale crippling the banking sector to the media. Known as the ‘digital Pearl Harbour’, it was the first time a country was targeted in an international large-scale cyberattack. The hacks were allegedly committed by Russian authorities after Estonia decided to move a Soviet war memorial. According to the BBC, “Estonians say the memorial symbolised Soviet occupation of the Baltic state. Russians say it is a tribute to those who fought the Nazis.” This was supposedly enough to lead to a full-scale cyberattack on Estonia’s online infrastructure.

The technicalities

The bulk of the attacks were in the form of a denial-of-service attack (DoS attack): this is when the perpetrator disrupts a network connected to the internet by flooding it with superfluous requests which overload the system and ultimately make it unavailable to its intended users.

Although the nature of the attacks were not all that crippling, it did leave users unable to access certain services for several weeks.

Since the attacks in 2007, the government has worked tirelessly with the public and private sector to increase the IT infrastructure’s resilience to another cyberattack. Moreover, it sought to create constructive dialogue within the international community about the imminence, damages and potential prevention of cyber warfare. Several measures the country has taken since the attacks include building stronger ‘authentication services, firewalls and back-up systems’.

Estonia has great motivation in making sure that better solutions to protect their cyberspace are found and that it never has to deal with a crippling online attack again. With a reputation as a leader in e-governance and cyber security across EU and NATO states, Tallinn is now home to the NATO Cooperative Cyber Defence Centre of Excellence whose mission is to “enhance the capability, cooperation and information sharing among NATO, NATO nations and partners in cyber defence by virtue of education, research and development, lessons learned and consultation”.

And this is the bitesize version of how the country is considered the poster child for national cyber security.

Who Watches the Watcher?

 

 

By Aqsa Hussain..

We have all heard about the whistleblowing scandal of 2013 which erupted in the USA resulting in a monumental leak of classified CIA files. Edward Snowden, the former contractor at the NSA and man responsible for this scandal soon after became the ‘coverboy for unpatriotism’ for some and heroism for others. Amongst many revelations, Snowden’s leaks disclosed mass surveillance programmes run by the USA; both nationally and abroad.

The leaks resulted in huge debates between governments, intelligence agencies, various industries and the public over the morality and responsibility behind the right to information and privacy. Opinions were torn. Without condemning, condoning or celebrating Snowden’s actions, it is important to note that he was not the first to leak information like this (perhaps the first to do so at this scale) and he will most probably not be the last. Scary thought?

What cases similar to Edward Snowden’s illustrate is that it is very difficult to predict who will be responsible for such leaks. Snowden was contracted into a position which with his expertise granted him almost unlimited access to the network. The truthful quote ‘with great power comes great responsibility’ was turned on its head when Snowden proved that ‘with great responsibility comes great power’. Using his advantaged position, he was able to secretly acquire a copy of 1.7 million classified documents (according to the DoD) without raising any red flags… until he escaped to the other side of the world and leaked.

How did he manage to do this?

Snowden did not need to bypass any firewalls since he had high-level access as a contractor. He could even use USB sticks to transport files from one computer to another within the office – something which could be explained as an authorised job task if considered suspicious by colleagues. Was there anyone who had the required skill level and would have been able to see his subtle ‘mismoves’?

Thus, raising the question: when there is someone as skilled as Snowden, who can be assigned to monitor their activity?

How can intelligence agencies learn to spy on themselves?

Before Snowden, there was Executive Order 13587 (2011) which required intelligence agencies to continuously evaluate anyone with the ‘top secret’ clearance level. Since Snowden, civilian contractors have been limited to what they are able to access. Executive Order 13587 is being more forcefully implemented and apart from that there seems to be little else that can be done, legally.

Still, this doesn’t answer the question ‘who watches the watcher?’… The truth may be that it is simply not possible to monitor every action of every single individual at all times. Almost every government, intelligence agency and large company has been – or will be – victim to leakages, whistleblowing and the like.

The Panama Papers, leaked Brexit negotiations in, leaked phone call transcripts of Donald Trump… these all happened within the last year. Data and information leakage is inevitable. Perhaps the bigger question is how to limit the impact by building resilience to manage the aftermath.

Today, Snowden sits in Russia unable to re-enter the USA with the guarantee of his safety.

Hipster Counter-espionage?

By Philip Smedegaard

It is now three years ago that the Russian Federal Protection Service (FSO) (in charge of protecting high-ranking officials), ordered large quantities of typewriters and fax machines after the surfacing of Edward Snowden’s NSA leaks. Whilst it is improbable that this is due to the Kremlin joining the hipster nostalgia of an analogue world, it did signify the growing mistrust of storing sensitive data on digital platforms. Similar measures have been considered in Germany, after it was also revealed that the NSA had been monitoring Chancellor Angela Merkel’s calls. The nature of espionage has morphed away from the game defectors revealing secrets about the operations of their intelligence agencies, rather to one of intrusion of domestic citizens. This can partly be attributed to the post 9/11 counter-terrorism wake, which some agencies have perceived as a carte blanche for their intelligence operations. The difficulty for the intelligence agencies as Sir David Omand, (former British intelligence chief) states is, “intelligence services must be able to employ secret sources and methods that inevitably involve intrusion. Yet to command that public trust, they must also be transparent and prepared to live by rules that protect individual privacy”. Whilst most people do not have anything to hide, this shift closer towards Orwell’s 1984, society creates a sort of discomfort that ordinary citizens are starting to feel. It is perhaps a good idea then to follow the Russian example, albeit, the local bearded millennial in your town will probably overcharge you for your typewriter.

Where does that leave society today?

The changing effect of modern-terrorism and technology, has made surveillance an even more intrinsic aspect of society. Perhaps, greater transparency in the revealing of successful operations would justify their existence e.g. the capture of dark-net paedophiles. However, this is a difficult request as the intelligence community naturally seeks to retain the cloak of secrecy and independence to operate.

Phishing and the cost of your information

By Aqsa Hussain.

Do you remember receiving that email some time ago mentioning ‘Here is an invoice to the flight you recently purchased’ and you immediately thought ‘hmm, what flight? Maybe it was that flight to …?’ There was a time you received an email saying ‘You have been selected as the winner of the National Lottery’ and you thought ‘FINALLY, some good luck!’ And then there was that email from your long lost cousin reading ‘Dear cousin, I have been captured by the pirates and they are demanding a sum of $10,000 in order to be released and finally return to you and the family. Please help me, you are the only family I can rely on’ and naturally you thought ‘hmm this cannot be true’. In all these cases, there was always an attachment in the email which you may or may not have been tempted to open. Hopefully, you didn’t.

Opening Pandora’s box

These emails are examples of phishing – the malicious attempt to obtain private information from an individual or a company. As soon as you open one of these attachments, you have opened Pandora’s box and allowed a criminal access to your online life. How do you prevent this? Make sure you only access URLs you are familiar with, use spam filters in your email, only use secure websites to transmit your information, always be wary if you are unexpectedly asked for personal information, use anti-virus/anti-spyware/firewalls and NEVER open an attachment you are not expecting.

Hopefully this is common sense to the large majority of us who have ever had access to computers. But, a lot of us have made mistakes. These mistakes led to us seeing our bank accounts being rapidly depleted or spam emails being sent from our personal account to our entire contact network. We can only hope that those friends and family did not fall victim to the same mistake.

The myth of covering your webcam…

There are also many of us who may not have yet realised the consequences of opening such an attachment simply clicking it away after we self-classified it as spam. However, in doing so we have opened up a direct route of access for the sender of that phishing email, the hacker, into our computer. Although these hackers remain dormant, they could have access to our emails, see everything we type, see us through our webcams… Is there a reason why cybersecurity experts have warned us to place something opaque onto the little camera above our computer screen?

Your value on the black market

It is true that everything comes at a price. Most things you can buy or sell online: clothes, food, books, electronics etc. And for the most part these transactions are recorded on some forum online for future reference. But something which will be news for many of us is that our personal information, probably obtained through illegal phishing practices now also has a price. It sits on the online black market, an area of online space many of us have no idea even exists. The online black market comprises of anything and everything which is online and that you could imagine. You can buy 1000 Hotmail email addresses for $12, 6-20% of a paypal account, stolen healthcare insurance information worth $1300 or even the hacked webcam of a girl for $1. This price information is collected from open-source documents such as news and government reports which closely track such sites, however are unable to catch the perpetrators.

Our information is private so long as we desire so we must ensure we protect it. Report anything which seems phish-y and more importantly ensure that you take sufficient anti-virus/anti-spamming steps to reduce your likelihood of being phished in the first place. Whatever you do, do not be tempted to open the email to save your long lost cousin who has been captured by pirates. Otherwise, you too will fall victim to online pirates but in this case, ransom money will not help.

Ethical hacking vs Hacktivism: where perspectives matters.

By Aqsa Hussain.

What is ethical hacking?

There are codes of conduct for almost every industry, from the rules of the game in sport to the constitution in law to safety measures in factories. Ethical hacking is no different. It is governed by a code of conduct created by a community who consider themselves to be experts in this line of work. In the formal sense, an ethical hacker is either a company or an individual who identifies and exposes potential threats on a computer system, before someone with malicious intentions does so. Upon discovery, these gaps in the system are plugged to ensure the safety of the computers and networks being probed.

Rules of the ethical hacking game

The rules of the game include: asking for explicit consent from the party to be probed, respecting their privacy, ensuring that there are no open avenues for malicious hackers to enter the systems and finally they must alert the organisation/individual if there are any vulnerabilities they have found.

In fact, most companies with an online presence use a Bug Bounty program – a crowdsourcing initiative – to identify vulnerabilities on the company website in exchange for rewards in the form of compensation or recognition. Companies hope that in this way instead of becoming the victim of cybercrimes, they continue to remain a secure environment for their users.

However, there are instances when hackers attack a system under the umbrella of ethics, without adhering to the rules of the game. Can the ethical element of hacking still be present here?

The ethics of Hacktivism

When hackers enter a system without permission and with the purpose of hacking for the ‘greater good’, they consider themselves ‘hacktivists’ – conducting ethical hacking with a political purpose. Hacktivist attack the system of organisations they fundamentally disagree with the goal of exposing their activities to the wider public. Although they don’t play by the rules, they do not believe that their actions are disruptive or illegal since they are merely calling attention to issues that matter.

Is hacking to counter controversial morals ethical?

Take the relatively recent 2015 hack of the online dating site Ashley Madison. A group called ‘The Impact Team’ attacked this website which enabled married couples to engage in extramarital affairs. They obtained the personal information of the entire user base and in mid-August 2015 decided to release over 10 gigabytes of data (real names, addresses, credit card transactions, search history etc). That amounts to over 30 million people in over 40 countries. The Impact Team had provided the parent company of Ashley Madison, Avid Life Media, with numerous warnings expecting it to be shut down based on the fact that it was immoral to create a platform to allow people to actively be unfaithful to their partners. Yet, the parent company stood by the fact that they were merely providing a service in demand and it was not their role to judge its users’ morality. Evidently, the hacktivist team did not think such a response was sufficient. Can this be considered ethical hacking or is it a form of cyber-terrorism? The cliche of ‘one man’s terrorist is another man’s freedom fighter’ is in play here where The Impact Team wholeheartedly believed that releasing all of that private information was right. On the contrary, Ashley Madison believes that the rights of its users were violated as well as the act being nothing short of illegal.

Is hacking to counter terrorism ethical?

On the other hand, you have examples such as the hacktivist group Anonymous which claims to be ‘at war’ with the terrorist organisation Islamic State (ISIS). They have been systematically hacking the social media accounts of ISIS members and followers as well as bringing down their propaganda websites. Their aiming is to stunt the growth of the terror group. Can this be considered another form of ethical hacking, despite not entirely following the rules of the game?

Needless to say, the practice of ethical hacking is one in which you can become professionally qualified in if you have the drive to seeks vulnerabilities in a legitimate way and report them accordingly. Companies accept this intrusion into their system as a legal and justifiable act, rewarding it as such. Yet, hacktivism requires no such qualification and its legitimacy comes down to being a matter of opinion. Many agree with the morality behind the Ashley Madison hack, whilst others claim it was a cybercrime causing immeasurable damage to users. Similarly, the ethics of countering IS’ online terrorism with a form of cyber-crime itself, can we consider this more than or equally as ethical as that of the Ashley Madison hack?

Security Fatigue

  

By Philip Smedegaard

 

Please update your password settings. Please enter a new password that does not include your birthday. Password must contain special characters.

These terms and conditions for activating a new profile, buying flowers online, or basically Googling anything, have become engrained in the online-user experience. According to the National Cyber Security Center, the average Briton today has 22 separate passwords and uses the same password for at least 4 different websites. The exponential growth of goods and services available to the world through the internet, has inherently invited security requirements regarding the safe-keeping of personal details, payment details, and sensitive data.

The recent report on “Security Fatigue”, set out to measure the average computer users’ attitudes towards cybersecurity, however, it resulted in a high level of ‘security fatigue’ amongst the test subjects. Security fatigue can be defined as the, “weariness or reluctance to deal with computer security”. From this, risky and lazy personal security follows which makes people more susceptible to the likelihood of fraud and cybercrime.

The problem as outlined in the study, is that average computer users will thereby make rushed security decisions such as using similar passwords, or leaving privacy sections blank. This can lead one to question if, the very mechanisms designed to protect our data, are actually making people more prone to malware? According to the study, the team, “learned that the majority of their average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues”. These problems could potentially leak into the workplace as well, suggesting larger implications not only for private users, but cyber threats to firms as well.

From the findings however, it is concluded that there are three ways of combating Security Fatigue (Source: NIST).

  • Minimising the amount of security decisions users need to make
  • Simplifying security actions
  • Streamlining decision making

It is understandable that it is difficult to manage 22 passwords for different websites or having to spend loads of time filling-in privacy content. Until the security measures and privacy settings become more streamlined and consumer trust is simplified, it is worth remembering to use a variety of high-strength passwords and to take the time to protect one’s personal data.