Community Contributions

By Aqsa Hussain.

We recently witnessed a cyber attack which left individuals and organisations virtually crippled. The WannaCry ransomware cyber-attack hit over 200,000 computers in 150 countries, demanding up to $600 per ransom. From Indian police stations to French car manufacturers and UK hospitals, it seems as if disruption was the primary aim for these hackers. With the importance of cyber security re-emerging in the mainstream public domain, it’s worth spending some time explaining what all the fuss was about. What is ransomware and why did its intrusion in computer systems result in patients being turned away from hospitals and factories being shut down?

In a nutshell, ransomware is the use of technology to extort money from victims. Its scale varies: it can prevent you from accessing Windows, encrypt files so that you cannot use them, or stop certain applications such as your web browser from functioning. Simply put, your files and data have been taken hostage and you are unable to use your PC until you pay up. Typically, you have to pay in bitcoins since this cryptocurrency is untraceable by law enforcement (for now) and there is always a time-limit adding another level of psychological despair to this extortion.

As with any hostage situation, there is no guarantee that by paying the ransom, you will be granted access to your PC; by paying on time, you may be able to access your files again. Missing the deadline could result in the ransom amount increasing or all of your files being deleted or released into the public domain.

The history of ransomware dates back to 1989 when the AIDS Trojan was spread via the floppy disk. In order to get access to your data, you had to send $189 to a post office box in Panama. It has definitely advanced a bit since then…

It is not only your home PC which can be targeted. In fact, after realising how lucrative this business was, ransomware creators and distributors moved onto bigger targets such as business networks, city councils, hospitals, and police servers. Public institutions have huge databases of confidential information which, if leaked, can cause immeasurable damage. The NHS in the UK has experienced more attacks on its servers than any other public agency, with a notable one in 2016 which resulted in a 4-day IT shutdown and non-urgent appointments and treatments being cancelled. Last week’s attack has been described as even worse. Attackers know that these institutions often use older software and equipment which is easy to infiltrate (the NHS still operates predominantly on Windows XP!). When it comes to businesses, cyber criminals also know that businesses have money and that their ransomware will cause major disruption, therefore increasing the likelihood of them being paid. They also realise that businesses fear legal or reputational consequences so will probably not report the attack. That being said, since 2016, ransomware has seen a 50% increase in both homes and enterprises. Is this due to more cybercrime or more reporting? There is no clear cause.

Many crime TV shows such as 24 (a personal favourite) have stimulated the imagination, showing us how criminals are able to infiltrate network utilities such as water and electricity, right the way to nuclear reactor sites, holding these hostage until a demand has been met. It would be naive to think that this is not yet a possibility and perhaps even something that the security services have already grappled with.

On the flipside, there is something to be said about the entrepreneurial spirit of ransomware creators and distributors. They’re business-oriented, know where their opportunities lie and are daring in their pursuits.

To prevent your own computer from being taken hostage, there is not much you can do apart from the obvious – don’t open suspicious emails (even SMS messages!), don’t use untrusted WiFi connections etc. More importantly, always keep a backup!




by Kate Dinnison

The Office for National Statistics estimates that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the UK in 2015. There are simple ways to improve the security of your personal data and that of your business, from the mouth of industry and government experts.

Ben Buchanan, author of the Cybersecurity Dilemma and Fellow at Harvard University’s Belfer Center Cybersecurity Project, told the War on the Rocks Podcast his tips for improving personal cybersecurity.

  1. Two Factor Authentication – a notification you receive when you log into your account from an unfamiliar device. He says, “John Podesta will spend the rest of his life wishing he had it.” Google already offers it on Gmail, but there are apps such as Duo and Entrust Identity Guard.
  2. Password managers like KeePass, Dashlane and 1Password help you create unique, secure passwords for every website you visit on an easy, encrypted platform.
  3. Don’t open unfamiliar attachments, he lastly suggests, to . He says that even the most sophisticated, high-end attacks often begin with a dangerous email attachment. In our ever-connected world, “It’s an irony of international politics that one of the most powerful tools of statecraft is being able to write a message someone else opens,” he said.

Ciaran Martin, GCHQ’s director general of Cybersecurity told WIRED his top tips.

  1. Accept the inevitable: “You need a playbook ready for how you will react when an incident occurs,” says Martin. “You may not be able to hold off a breach but, by having procedures in place, you can quarantine them, isolate the damage and keep the organisation running.”
  2. Guard your interior: “Perimeter defence is just about raising the barrier for entry into your system so that you’re not an easy target,” Martin asserts. “You need both perimeter defence and active internal monitoring to look for spikes, or unusual patterns of activity.”
  3. Collaborate: “There needs to be information sharing between companies who are normally competitors,” Martin contends. “The financial sector has made great strides because they face a measurable financial threat every day, so they’ve set aside commercial rivalries to pool their data.”
  4. Keep things human: “System administrators are your key vulnerability,” Martin says. “If they’re compromised then systems like encryption offer no further protection.” Yet malicious insider activity is less of a threat than accidental breaches. Make the procedures for everyone simple and accessible to minimize this risk.

The National Cyber Security Center put together a comprehensive white paper outlining how to respond to and reduce the impact of common cyber attacks. By providing a simple lexicon for the types of actors and attacks involved, their 10 Steps to Cyber Security makes vulnerabilities easy to understand. The document states, “doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defenses to ensure that your name is not added to the growing list of victims.”

by Kate Dinnison

Encryption is essentially the process of turning information into code that prevents snoops, criminals, and spies from accessing it. Apps like Signal, WhatsApp, Allo, Duo and Confide are bringing this technology to the masses but are posing problems to the aims of law enforcement and intelligence services worldwide. What we’re seeing today is an absolutist clash that is based on ideological binaries. Privacy and security are complicated ideas in the digital age, especially when faced with cases such as Apple vs. FBI in 2016.

After the San Bernardino shootings in December 2015, the encryption debate entered the public arena when the FBI submitted a federal court order for Apple to create code unlocking the iPhone of one of the shooters in order to obtain information for further investigations. An open letter to Apple from FBI director James Comey argued they do not desire to “break anyone’s encryption or set a master key loose on the land.” The security features of the iPhone software prevent the FBI from automatically testing passwords, or using “brute force”, for risk of the device locking them out permanently. For a more technical explanation from a cryptographer, go here.

However, Apple and the anti-exceptional access camp worry that customers will lose faith in the security of their products. The risks involving building ‘back doors’ are varied, but the main arguments arise from economic comparative advantage and erosion of cybersecurity. For security, it could change the norm of having one-time use decryption keys, which protects past and future communications. Additionally, it would augment system complexity, whereby additional code creates new potentialities for vulnerability. Lastly, the storage of exceptional access keys by tech companies becomes a target for attack, risking high-volume theft of user data.

The questions posed by the encryption debate are therefore twofold:

  • Do we desire a world of end-to-end encryption?
  • Should authorities be able to still intercept decrypted signals while holding up security and privacy objectives?

Creating an internet where surveillance is technically impossible also forms a vast ungoverned space, which is appealing to the techno-anarchist type. Not only would your data be protected from state actors, but also from non-state criminal hackers. However, Benjamin Wittes, a senior fellow at the Brookings Institution, urges one to “consider the comparable argument in physical space: the creation of a city in which authorities are entirely dependent on citizen reporting of bad conduct but have no direct visibility onto what happens on the streets and no ability to conduct search warrants (even with court orders) or to patrol parks or street corners.”

As the encryption-security-privacy saga continues into 2017, more actors and cases will bring this subject to a head. The case of Apple vs. FBI was unique because it involved domestic terrorism, which allowed the FBI to appeal to the public with a sense of urgency. But lawmakers and companies must think of the long-term implications over the immediate gains. James Comey ends his letter by saying: “And in that sober spirit, I also hope all Americans will participate in the long conversation we must have about how to both embrace the technology we love and get the safety we need.” Until then, it is likely we will see the public struggle over encryption on an ad-hoc and very partisan basis.

By Oliver Yule-Smith

Much of the current excitement on the Internet of Things (IoT) revolves around a focus on how we as individuals increasingly embed the use of internet-dependent devices to make our lives easier. However, there is a much more prevalent, but of late less discussed, practice of using this same IoT to run our cities. This IoT automates our traffic systems, runs our metros and surveys our streets, bringing us ever closer to the Smart Cities of the future. However, unlike the use of the IoT by individuals, this does not involve an active choice, such as the purchase of IoT technology for a household; the wider public does not have a say in the increasing digitisation of the city.

In the same way that individuals’ increased acceptance of the IoT into their lives involves greater security risks, so too does a city’s use of this technology herald increased risks. You don’t need to look far for examples of this. Last November the San Francisco Municipal Transportation Agency was hacked by ransomware, extorting the San Francisco Municipality for the safe return of its rail system. The result of this hack allowed riders of the light transit system to ride for free. Whilst being an economic issue for the San Francisco Municipal Transportation Agency, the hack was generally not threatening for railway users. However, the hacking of Ukraine’s power grid last year provides a more nefarious example of threats to cities. Whilst the identity of the hackers is unclear, the scale of the operation and a simple cui bono explanation would quickly point the finger to the Russian state or patriotic hackers who have a vested interest in Ukraine’s demise. This attack was able to knock out 30 substations, leaving 230,000 residents without power for close to 6 hours. It is easy to say that this is a result of weak investment in cyber security in Ukraine and a case in point of poor cyber hygiene, but it is worth noting that according to sources for Wired magazine, “the control systems in Ukraine were more secure than some in the US”.

Cities have thought about aspects of this potentiality by, for example, ‘air-gapping’ certain IoT systems or using an intranet to prevent direct contact with the internet. For their part, the San Francisco Municipal Transportation Agency will wish that they had backup systems NOT connected to the internet. However, with the closing of the gap between what is provided by the public sector and what is provided by the private sector in cities, there is a need to ensure consistent security standards across internet-dependent systems, particularly those that are automated. This can come about through the use of security regulatory agencies, education on good cyber hygiene and the use of regular security audits.

Ultimately, all technological advances present opportunities as well as challenges. The increasing digitisation brings increased efficiency and opportunity into our lives but it is clear that the challenges in the form of intrusion vulnerabilities must be mitigated. Unlike an individual’s use of the IoT, a city’s increased use of the IoT cannot be managed single-handedly. It requires active engagement by residents and security professionals to bring about not just smart cities but secure cities.

By Aqsa Hussain

Estonia is considered one of the world’s most digitally advanced societies. Much of the country’s state and financial infrastructure is online with ICT being considered one of the central pillars of nation-building by the country’s government. In 2005, it became the first country to hold its elections online and soon after, the first nation to provide e-residency for its citizens. Today, the government is virtually paperless with 99.6% of banking transactions done electronically and 94% of taxes declared online.

Without a doubt Estonia has a keen interest in ensuring its cyber security is up to date. Any hack could result in democratic elections being incorrectly managed or private citizen data being exposed – not that non e-governments are immune to this…

The grand attack…

In 2007, Estonia experienced a cyber attack on an unprecedented scale, crippling everything from the banking sector to the media. Known as the ‘digital Pearl Harbour’, it was the first time a country was targeted in an international large-scale cyberattack. The hacks were allegedly committed by Russian authorities after Estonia decided to move a Soviet war memorial. According to the BBC, “Estonians say the memorial symbolised Soviet occupation of the Baltic state. Russians say it is a tribute to those who fought the Nazis.” This was supposedly enough to lead to a full-scale cyberattack on Estonia’s online infrastructure.

The technicalities

The bulk of the attacks were in the form of a denial-of-service attack (DoS attack): this is when the perpetrator disrupts a network connected to the internet by flooding it with superfluous requests which overload the system and ultimately make it unavailable to its intended users.

Although the attacks were not all that crippling in nature, they did leave users unable to access certain services for several weeks.

Since the attacks in 2007, the government has worked tirelessly with the public and private sector to increase the IT infrastructure’s resilience to another cyberattack. Moreover, it sought to create constructive dialogue within the international community about the imminence, damages and potential prevention of cyber warfare. Several measures the country has taken since the attacks include building stronger ‘authentication services, firewalls and back-up systems’.

Estonia has great motivation in making sure that better solutions to protect their cyberspace are found and that it never has to deal with a crippling online attack again. With a reputation as a leader in e-governance and cyber security across EU and NATO states, Tallinn is now home to the NATO Cooperative Cyber Defence Centre of Excellence whose mission is to “enhance the capability, cooperation and information sharing among NATO, NATO nations and partners in cyber defence by virtue of education, research and development, lessons learned and consultation”.

And this is the bitesize version of how the country is considered the poster child for national cyber security.



By Aqsa Hussain.

We have all heard about the whistleblowing scandal of 2013 which erupted in the USA, resulting in a monumental leak of classified CIA files. Edward Snowden, the former contractor at the NSA and the man responsible for this scandal, soon after became the ‘coverboy for unpatriotism’ for some and heroism for others. Amongst many revelations, Snowden’s leaks disclosed mass surveillance programmes run by the USA, both nationally and abroad.

The leaks resulted in huge debates between governments, intelligence agencies, various industries and the public over the morality and responsibility behind the right to information and privacy. Opinions were torn. Without condemning, condoning or celebrating Snowden’s actions, it is important to note that he was not the first to leak information like this (perhaps the first to do so at this scale) and he will most probably not be the last. Scary thought?

What cases similar to Edward Snowden’s illustrate is that it is very difficult to predict who will be responsible for such leaks. Snowden was contracted into a position which with his expertise granted him almost unlimited access to the network. The truthful quote ‘with great power comes great responsibility’ was turned on its head when Snowden proved that ‘with great responsibility comes great power’. Using his advantaged position, he was able to secretly acquire a copy of 1.7 million classified documents (according to the DoD) without raising any red flags… until he escaped to the other side of the world and leaked.

How did he manage to do this?

Snowden did not need to bypass any firewalls since he had high-level access as a contractor. He could even use USB sticks to transport files from one computer to another within the office – something which could be explained as an authorised job task if considered suspicious by colleagues. Was there anyone who had the required skill level and would have been able to see his subtle ‘mismoves’?

This raises the question: when there is someone as skilled as Snowden, who can be assigned to monitor their activity?

How can intelligence agencies learn to spy on themselves?

Before Snowden, there was Executive Order 13587 (2011), which required intelligence agencies to continuously evaluate anyone with the ‘top secret’ clearance level. Since Snowden, civilian contractors have been limited in what they are able to access. Executive Order 13587 is being more forcefully implemented and, apart from that, there seems to be little else that can be done, legally.

Still, this doesn’t answer the question ‘who watches the watcher?’… The truth may be that it is simply not possible to monitor every action of every single individual at all times. Almost every government, intelligence agency and large company has been – or will be – victim to leakages, whistleblowing and the like.

The Panama Papers, leaked Brexit negotiations in, leaked phone call transcripts of Donald Trump… these all happened within the last year. Data and information leakage is inevitable. Perhaps the bigger question is how to limit the impact by building resilience to manage the aftermath.

Today, Snowden sits in Russia unable to re-enter the USA with the guarantee of his safety.

By Philip Smedegaard

It is now three years since the Russian Federal Protection Service (FSO) (in charge of protecting high-ranking officials) ordered large quantities of typewriters and fax machines after the surfacing of Edward Snowden’s NSA leaks. Whilst it is improbable that this is due to the Kremlin joining the hipster nostalgia of an analogue world, it did signify the growing mistrust of storing sensitive data on digital platforms. Similar measures have been considered in Germany, after it was also revealed that the NSA had been monitoring Chancellor Angela Merkel’s calls. The nature of espionage has morphed away from the game of defectors revealing secrets about the operations of their intelligence agencies to one of intrusion on domestic citizens. This can partly be attributed to the post-9/11 counter-terrorism wake, which some agencies have perceived as a carte blanche for their intelligence operations. The difficulty for the intelligence agencies, as Sir David Omand (former British intelligence chief) states, is that “intelligence services must be able to employ secret sources and methods that inevitably involve intrusion. Yet to command that public trust, they must also be transparent and prepared to live by rules that protect individual privacy”. Whilst most people do not have anything to hide, this shift closer towards the society of Orwell’s 1984 creates a sort of discomfort that ordinary citizens are starting to feel. It is perhaps a good idea then to follow the Russian example, albeit the local bearded millennial in your town will probably overcharge you for your typewriter.

Where does that leave society today?

The changing effect of modern terrorism and technology has made surveillance an even more intrinsic aspect of society. Perhaps greater transparency in the revealing of successful operations, e.g. the capture of dark-net paedophiles, would justify their existence. However, this is a difficult request as the intelligence community naturally seeks to retain the cloak of secrecy and independence to operate.

By Aqsa Hussain.

Do you remember receiving that email some time ago mentioning ‘Here is an invoice to the flight you recently purchased’ and you immediately thought ‘hmm, what flight? Maybe it was that flight to …?’ There was a time you received an email saying ‘You have been selected as the winner of the National Lottery’ and you thought ‘FINALLY, some good luck!’ And then there was that email from your long lost cousin reading ‘Dear cousin, I have been captured by the pirates and they are demanding a sum of $10,000 in order to be released and finally return to you and the family. Please help me, you are the only family I can rely on’ and naturally you thought ‘hmm this cannot be true’. In all these cases, there was always an attachment in the email which you may or may not have been tempted to open. Hopefully, you didn’t.

Opening Pandora’s box

These emails are examples of phishing – the malicious attempt to obtain private information from an individual or a company. As soon as you open one of these attachments, you have opened Pandora’s box and allowed a criminal access to your online life. How do you prevent this? Make sure you only access URLs you are familiar with, use spam filters in your email, only use secure websites to transmit your information, always be wary if you are unexpectedly asked for personal information, use anti-virus/anti-spyware/firewalls and NEVER open an attachment you are not expecting.

Hopefully this is common sense to the large majority of us who have ever had access to computers. But, a lot of us have made mistakes. These mistakes led to us seeing our bank accounts being rapidly depleted or spam emails being sent from our personal account to our entire contact network. We can only hope that those friends and family did not fall victim to the same mistake.

The myth of covering your webcam…

There are also many of us who may not have yet realised the consequences of opening such an attachment, simply clicking it away after we self-classified it as spam. However, in doing so we have opened up a direct route of access for the sender of that phishing email, the hacker, into our computer. Although these hackers remain dormant, they could have access to our emails, see everything we type, see us through our webcams… Is there a reason why cybersecurity experts have warned us to place something opaque onto the little camera above our computer screen?

Your value on the black market

It is true that everything comes at a price. Most things you can buy or sell online: clothes, food, books, electronics etc. And for the most part these transactions are recorded on some forum online for future reference. But something which will be news for many of us is that our personal information, probably obtained through illegal phishing practices, now also has a price. It sits on the online black market, an area of online space many of us have no idea even exists. The online black market comprises anything and everything which is online and that you could imagine. You can buy 1000 Hotmail email addresses for $12, 6-20% of a PayPal account, stolen healthcare insurance information worth $1300 or even the hacked webcam of a girl for $1. This price information is collected from open-source documents such as news and government reports which closely track such sites but are unable to catch the perpetrators.

Our information is private for as long as we desire, so we must ensure we protect it. Report anything which seems phish-y and more importantly ensure that you take sufficient anti-virus/anti-spamming steps to reduce your likelihood of being phished in the first place. Whatever you do, do not be tempted to open the email to save your long lost cousin who has been captured by pirates. Otherwise, you too will fall victim to online pirates but in this case, ransom money will not help.

By Aqsa Hussain.

What is ethical hacking?

There are codes of conduct for almost every industry, from the rules of the game in sport to the constitution in law to safety measures in factories. Ethical hacking is no different. It is governed by a code of conduct created by a community who consider themselves to be experts in this line of work. In the formal sense, an ethical hacker is either a company or an individual who identifies and exposes potential threats on a computer system, before someone with malicious intentions does so. Upon discovery, these gaps in the system are plugged to ensure the safety of the computers and networks being probed.

Rules of the ethical hacking game

The rules of the game include: asking for explicit consent from the party to be probed, respecting their privacy, ensuring that there are no open avenues for malicious hackers to enter the systems and finally they must alert the organisation/individual if there are any vulnerabilities they have found.

In fact, most companies with an online presence use a Bug Bounty program – a crowdsourcing initiative – to identify vulnerabilities on the company website in exchange for rewards in the form of compensation or recognition. Companies hope that in this way instead of becoming the victim of cybercrimes, they continue to remain a secure environment for their users.

However, there are instances when hackers attack a system under the umbrella of ethics, without adhering to the rules of the game. Can the ethical element of hacking still be present here?

The ethics of Hacktivism

When hackers enter a system without permission and with the purpose of hacking for the ‘greater good’, they consider themselves ‘hacktivists’ – conducting ethical hacking with a political purpose. Hacktivists attack the systems of organisations they fundamentally disagree with, with the goal of exposing their activities to the wider public. Although they don’t play by the rules, they do not believe that their actions are disruptive or illegal since they are merely calling attention to issues that matter.

Is hacking to counter controversial morals ethical?

Take the relatively recent 2015 hack of the online dating site Ashley Madison. A group called ‘The Impact Team’ attacked this website which enabled married couples to engage in extramarital affairs. They obtained the personal information of the entire user base and in mid-August 2015 decided to release over 10 gigabytes of data (real names, addresses, credit card transactions, search history etc). That amounts to over 30 million people in over 40 countries. The Impact Team had provided the parent company of Ashley Madison, Avid Life Media, with numerous warnings expecting it to be shut down based on the fact that it was immoral to create a platform to allow people to actively be unfaithful to their partners. Yet, the parent company stood by the fact that they were merely providing a service in demand and it was not their role to judge its users’ morality. Evidently, the hacktivist team did not think such a response was sufficient. Can this be considered ethical hacking or is it a form of cyber-terrorism? The cliche of ‘one man’s terrorist is another man’s freedom fighter’ is in play here where The Impact Team wholeheartedly believed that releasing all of that private information was right. On the contrary, Ashley Madison believes that the rights of its users were violated as well as the act being nothing short of illegal.

Is hacking to counter terrorism ethical?

On the other hand, you have examples such as the hacktivist group Anonymous which claims to be ‘at war’ with the terrorist organisation Islamic State (ISIS). They have been systematically hacking the social media accounts of ISIS members and followers as well as bringing down their propaganda websites. Their aim is to stunt the growth of the terror group. Can this be considered another form of ethical hacking, despite not entirely following the rules of the game?

Needless to say, the practice of ethical hacking is one in which you can become professionally qualified if you have the drive to seek vulnerabilities in a legitimate way and report them accordingly. Companies accept this intrusion into their system as a legal and justifiable act, rewarding it as such. Yet, hacktivism requires no such qualification and its legitimacy comes down to being a matter of opinion. Many agree with the morality behind the Ashley Madison hack, whilst others claim it was a cybercrime causing immeasurable damage to users. Similarly, when it comes to the ethics of countering IS’ online terrorism with what is itself a form of cyber-crime, can we consider this more than or equally as ethical as the Ashley Madison hack?

What makes you feel safe? Perhaps locking your apartment door at night. Perhaps not walking alone through dark alleys.


By Philip Smedegaard


Please update your password settings. Please enter a new password that does not include your birthday. Password must contain special characters.

These terms and conditions for activating a new profile, buying flowers online, or basically Googling anything, have become engrained in the online-user experience. According to the National Cyber Security Center, the average Briton today has 22 separate passwords and uses the same password for at least 4 different websites. The exponential growth of goods and services available to the world through the internet has inherently invited security requirements regarding the safe-keeping of personal details, payment details, and sensitive data.

The recent report on “Security Fatigue” set out to measure the average computer users’ attitudes towards cybersecurity; however, it found a high level of ‘security fatigue’ amongst the test subjects. Security fatigue can be defined as the “weariness or reluctance to deal with computer security”. From this, risky and lazy personal security follows, which makes people more susceptible to fraud and cybercrime.

The problem, as outlined in the study, is that average computer users will thereby make rushed security decisions such as using similar passwords or leaving privacy sections blank. This can lead one to question whether the very mechanisms designed to protect our data are actually making people more prone to malware. According to the study, the team “learned that the majority of their average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues”. These problems could potentially leak into the workplace as well, suggesting larger implications not only for private users, but cyber threats to firms as well.

From the findings however, it is concluded that there are three ways of combating Security Fatigue (Source: NIST).

  • Minimising the amount of security decisions users need to make
  • Simplifying security actions
  • Streamlining decision making

It is understandable that it is difficult to manage 22 passwords for different websites or having to spend loads of time filling-in privacy content. Until the security measures and privacy settings become more streamlined and consumer trust is simplified, it is worth remembering to use a variety of high-strength passwords and to take the time to protect one’s personal data.