Cyber Shield Magazine - Cyber Espionage Edition

AT LAST! A CYBERCRIME AWARENESS SITE FOR AFRICA

AFRICA CYBER SECURITY CONFERENCE

Africa’s premier cyber security publication

Edition 3 - Jul - Sept 2013

STUXNET WAS OUT OF CONTROL

WHY YOUR CEO IS A SECURITY RISK

SPECIAL CYBER ESPIONAGE EDITION • National audit office challenges UK cyber security • The cyber criminal underground (info graphic) • Other agencies that make up the US intelligence community

A Wolfpack Information Risk (Pty) Ltd publication


Inside this issue

INTERNATIONAL NEWS
PREPARING FOR THE NEXT WAVE OF CYBER ATTACKS - EDITOR’S LETTER (page 3)
FROM RIO TO THE WORLD - WHAT SECURITY MANAGERS CAN LEARN FROM BRAZIL (page 4)
DANISH NATIONAL POLICE SAYS HACKERS INFILTRATED IDENTITY REGISTER (page 5)
CYBER EXPERTS SAY CALLING OUT CHINA MAY BE WORKING (page 6)
INDONESIA TO SET UP CYBER ARMY TO TACKLE CYBER ATTACKS AGAINST GOVERNMENT (page 7)
ISRAEL UPGRADES 10TH GRADERS’ CYBER SECURITY SKILLS (page 8)
GLOBAL SECURITY MARKET (page 9)
OBAMA ASKED INTEL AGENCIES TO DRAW UP LIST OF POSSIBLE CYBER TARGETS (page 10)
OTHER AGENCIES THAT MAKE UP THE US INTELLIGENCE COMMUNITY (page 12)
SPECIAL REPORT ON PRISM (page 14)

AFRICA NEWS
ANONYMOUS AFRICA HACKED US NEWS SITE OVER MANDELA REPORT (page 16)
AFRICAN NATIONAL CONGRESS WEBSITE HIT BY DDOS ATTACK (page 16)
MAURITIAN HACKER ON AN ISLAMIC MISSION (page 17)
CYBER INSECURITY THREATENS NIGERIAN ECONOMY (page 17)
BABA JUKWA’S ACCOUNT HACKED (page 18)
MOBILE SECURITY IN SA - Q&A WITH CHECKPOINT (page 19)

HOW IT’S DONE
BLACK HAT HACKERS BREAK INTO ANY IPHONE WITH MALICIOUS CHARGER (page 20)
APPLE IOS SECURITY (page 21)
HOW KILIM COMPROMISES YOUR MACHINE AND SOCIAL NETWORKING SITES (page 22)

GOVERNANCE RISK AND COMPLIANCE
HOW TO FAIL AT CORPORATE FRAUD (page 24)
GARTNER: 7 MAJOR TRENDS FORCING IT SECURITY PROS TO CHANGE (page 25)
WHY YOUR CEO IS A SECURITY RISK (page 26)
IT SECURITY PROS HAVE TROUBLE COMMUNICATING WITH EXECUTIVES (page 27)

AUDITS AND ASSESSMENTS
NATIONAL AUDIT OFFICE CHALLENGES UK CYBER SECURITY (page 28)
THE COST OF A BREACH THROUGH THE LENS OF THE CRITICAL SECURITY CONTROLS (page 30)

MANAGED SERVICES
WHY YOU SHOULD OUTSOURCE MANAGEMENT OF YOUR COMPANY’S NGFW (page 32)
MALICIOUS EMAILS ABOUND IN SOUTH AFRICA (page 34)

CYBER THREATS AND ESPIONAGE
THE CYBER CRIMINAL UNDERGROUND (INFOGRAPHIC) (page 35)
MCAFEE REPORT DETAILS RISKS TO RETAILERS THROUGH POINT OF SALE SYSTEMS (page 37)
STUXNET WAS OUT OF CONTROL - WE HAD TO REVEAL IT (KASPERSKY) (page 38)

CYBER FORENSICS AND INCIDENT MANAGEMENT
DELL SHIPS MALWARE INFECTED MOTHERBOARD (page 40)
MICROSOFT AND OTHERS JOIN FORCES TO COMBAT MASSIVE CYBERCRIME RING (page 41)

AWARENESS
CYBERCRIME AWARENESS SITE FOR AFRICA (page 42)
WHY WOULD HACKERS TARGET MY LITTLE COMPANY? (page 43)
INFOSEC’S JERK PROBLEM (page 44)

LOCAL TRAINING AND EVENTS
CYBERCON AFRICA 2013 (page 46)

Cybershield magazine is a bi-monthly publication owned by Wolfpack Information Risk (Pty) Ltd. No part of this magazine may be reproduced or transmitted in any form without prior permission from Wolfpack. The opinions expressed in Cybershield are not those of the publishers who accept no liability of any nature arising out of or in connection with the contents of the magazine. While every effort is made in compiling Cybershield, the publishers cannot be held liable for loss, damage or inconvenience that may arise therefrom. All rights reserved. Wolfpack does not take any responsibility for any services rendered or products offered by any of the advertisers or contributors contained in the publication. Copyright 2013. E&OE on all advertisements, services and features in Cybershield magazine. Editorial address: Building 1, Prism Office Park, Ruby Close, Fourways, Johannesburg, South Africa, 2055 Enquiries: Telephone - +27 11 367 0613 Advertising - sales@wolfpackrisk.com Content - craig@wolfpackrisk.com Design - design@wolfpackrisk.com General queries - admin@wolfpackrisk.com http://www.wolfpackrisk.com/magazine/

OF INTEREST
SEGWAY STYLE VEHICLE IS ULTRA PORTABLE (page 23)
ANDROID SMARTPHONE APP TRIANGULATES GUNFIRE (page 29)
OPEN DATA PLATFORM REVEALS COMPLEX CORPORATE STRUCTURE OF BANKS (page 31)
APPLE OS7 MAKES BOLD MOVE FOR THE CAR DASH (page 47)


FROM THE EDITOR

PREPARING FOR THE NEXT WAVE OF CYBER ATTACKS

THIS ISSUE OF CYBERSHIELD IS FOCUSED ON CYBER ESPIONAGE. Cyber espionage can have devastating effects on your organisation and, unlike other crimes, it may be conducted for years without you being aware of it until serious consequences arise. Cyber espionage is so prevalent today because it is so difficult to detect, and even if it is uncovered it is hard to trace the actual identities of the perpetrators. These activities may get support from the home countries from which the attacks emanate, and even if substantial evidence of government involvement exists, taking the matter any further is once again complicated. Cyber espionage is not confined by traditional national borders, and there is a wide array of attack techniques that can have devastating consequences for the target organisations. We hope you enjoy this edition of Cybershield and learn more about the steps you can take to refocus your security to protect your most critical assets.

Yours Securely
Craig Rosewarne

Cybershield Magazine • July - September 2013 • Special Cyber Espionage Edition • Page 3


INTERNATIONAL NEWS

FROM RIO TO THE WORLD - WHAT SECURITY MANAGERS CAN LEARN FROM BRAZIL

Brazil has enjoyed consistent economic and social growth over the last decade. Thanks to changing demographics and the economic and political stabilisation of the 1990s, millions of Brazilian citizens have joined the middle class and are encouraging a technology boom, particularly in the country’s banking sector. In fact, the Brazilian financial services industry has a history of heavily investing in technology as a business enabler, with growth of 42% projected by 2015. However, Brazil has also experienced another area of growth that is less positive. The legal and regulatory framework has not necessarily kept pace with the advances in technology, resulting in an environment that is particularly attractive to cyber-fraudsters and hacktivists. In 2011, the banking sector reported losses of R$1.5 billion thanks to the prevalence of phishing, online theft, identity theft, online scams and credit card fraud. At the same time, the sector has been subject to widespread denial of service attacks and data leakage. In February 2012, a coordinated attack timed to coincide with quarterly earnings reports hit all the major Brazilian banks. Brazil is now the number one country in the world for the use of banking malware. But banking is really a microcosm of the threat landscape across the country. Fraudsters are applying what they have learned over the past ten years of attacking banks to monetise their expertise in other ways: pump ‘n’ dump trading scams, directed attacks on high-net-worth individuals, airline mileage programmes, and utility bills have all been the subject of cyber criminal activity.

THE MALWARE INDUSTRY

Unlike Europe, where cyber criminals usually rely on a small number of malware frameworks like Zeus or Citadel to build on, the malware scene in Brazil is significantly more diverse. Much of it is developed locally and then constantly tweaked with new techniques, making it much harder to detect and protect against the 500+ unique malware specimens that can be produced per month. Brazil’s threat intelligence community has also identified crossover between cyberweapons developed by nation-states and cybercrime, with Brazilian fraudsters quick to build upon engines like Flame to extend their capabilities. Although this appears at first to be a very local problem, there are very real ramifications for organisations in Europe. As Brazil’s financial sector, government institutions and media bodies co-ordinate their efforts and develop the necessary security policies to protect themselves against the threat, the costs of executing a successful fraud go up, and the risk-reward equation proves less attractive to the criminals. As a result, more vulnerable targets outside Brazil - that can deliver a higher return for minimal effort - become more attractive. For this reason, the cyber-fraud and hacktivist trends in Brazil should be of particular interest to security professionals at businesses in Europe. Of the trends seen in the past 12 months, we believe the following three are the ones that are most likely to cross the Atlantic and make their debut in Africa in the next 12 months.

CERTIFICATES IN DISGUISE

Most software developers use digital signatures to verify their programs so that they can be installed without difficulty. But now malware writers are doing the same thing: using certificates from recognised Certification Authorities (CAs) to validate their highly damaging programs and sneak them into the corporate network under the radar of anti-malware programs. To date, criminals have obtained valid certificates with fake company data, or by hacking into the CAs’ systems, to create files that look legitimate but are in fact Trojans or viruses. These certified files can remain undetected by anti-malware programs for days - weeks in some cases - buying the cyber criminal extra time to do their damage. Unfortunately, the direct solution to the problem lies largely with the CAs and is outside the hands of the companies being attacked. However, the IT industry as a whole can demand extra diligence from CAs, while individual IT managers should ensure that only they are able to install new programs or updates throughout the corporate IT estate. As always, threat intelligence is essential to keep firms abreast of the latest potential attacks.

SOCIAL MALWARE

To date most malware attacks have been designed to exploit weaknesses in one browser only. However, the past few years have seen radical changes to the way in which people access the internet, choosing new devices, new operating systems and a wider range of browsers. And of course, they are accessing different site types - notably social media outlets. So it’s perhaps not that surprising that malware is now being written and disseminated that takes modern online habits into account. Malicious files are now being written in the form of cross-platform plug-ins for MS Internet Explorer, Mozilla Firefox and Google Chrome. Mac OS and other Linux-based browsers remain unaffected so far. The main functionality of these plug-ins is to fake advertising modules on popular sites such as Yahoo, YouTube, Bing, Google and Facebook, and then spread their malicious code through spam from compromised accounts. This is Malware 2.0 - programs that are based on modern web technologies and use fake versions of social networks and other popular services to deliver illicit returns. Short of blocking certain sites on the corporate network, the solution once again lies with educating staff about modern phishing techniques. That includes ensuring they have the knowledge to spot fake sites, and establishing processes for reporting and responding to suspected attacks.
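The "Certificates in Disguise" section above makes a point that is easy to get wrong in an install policy: a signature that chains to a recognised CA proves only that the CA endorsed the name printed in the certificate, not that the name is the publisher you expect. A certificate obtained with fake company data, or issued with a stolen CA key, verifies just as cleanly, and revocation arrives days or weeks later. The following is an added illustration, not code from the article or from any vendor; the CAs, keys, certificates and serial numbers are constructed, and HMAC stands in for the CA's signature so that it runs offline. It contrasts the weak "any valid signature" rule with the rule the article's advice implies: an IT manager pre-approves specific publisher certificates by fingerprint.

```python
"""Signed-by-a-recognised-CA versus pinned-publisher install policy (toy model)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # organisation name the user sees in the "publisher" field
    issuer: str    # CA that issued it
    serial: str
    ca_sig: str    # the CA's endorsement over (subject, serial); toy HMAC here


# Constructed CA secrets: stand-ins for CA private keys. "Breached CA" models a
# CA whose key criminals obtained by hacking into its systems; the verifier
# still trusts it because the breach is not yet known.
CA_KEYS = {
    "Example Public CA": b"constructed-ca-key-1",
    "Breached CA": b"constructed-ca-key-2",
}


def _sig(key: bytes, *fields: str) -> str:
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def issue(ca: str, subject: str, serial: str) -> Cert:
    """What a CA does once it accepts an applicant's (possibly fake) company data."""
    return Cert(subject, ca, serial, _sig(CA_KEYS[ca], subject, serial))


def fingerprint(cert: Cert) -> str:
    """Identity of one specific certificate, not merely of a company name."""
    return hashlib.sha256(f"{cert.issuer}|{cert.subject}|{cert.serial}".encode()).hexdigest()


def chain_valid(cert: Cert, crl: set) -> bool:
    """Endorsed by a CA we recognise and not (yet) on the revocation list."""
    key = CA_KEYS.get(cert.issuer)
    return (key is not None
            and hmac.compare_digest(cert.ca_sig, _sig(key, cert.subject, cert.serial))
            and cert.serial not in crl)


def install_allowed_weak(cert: Cert, crl: set) -> bool:
    """'Signed by a recognised CA': the policy the article says signed malware defeats."""
    return chain_valid(cert, crl)


def install_allowed_pinned(cert: Cert, crl: set, approved: set) -> bool:
    """Valid chain AND one of the exact publisher certificates IT approved in advance."""
    return chain_valid(cert, crl) and fingerprint(cert) in approved


def scenario():
    """Three signed installers arrive; returns what each policy decides for each."""
    crl = set()
    legit = issue("Example Public CA", "Acme Software Ltd", "1001")
    # Obtained with fake company data: a genuine CA endorsed a look-alike name.
    fraud = issue("Example Public CA", "Acme Softwares Ltd", "1002")
    # Issued with a stolen CA key: even the name is right, and the chain verifies.
    rogue = issue("Breached CA", "Acme Software Ltd", "7")
    approved = {fingerprint(legit)}   # maintained by the IT manager, not by any CA

    before = {name: (install_allowed_weak(c, crl), install_allowed_pinned(c, crl, approved))
              for name, c in (("legit", legit), ("fraud", fraud), ("rogue", rogue))}
    # Days or weeks later the CA notices the fraud and revokes serial 1002; only
    # then does the weak policy start rejecting it. The pinned policy never let it in.
    crl.add("1002")
    after_revocation = install_allowed_weak(fraud, crl)
    return before, after_revocation


if __name__ == "__main__":
    before, after = scenario()
    for name, (weak, pinned) in before.items():
        print(f"{name:6s} weak={weak} pinned={pinned}")
    print("fraud after revocation, weak policy:", after)
```

The pinned rule closes both gaps the article names (fraudulent applicant data and a compromised CA) without waiting for the CA to act, at the cost of an approval step whenever a publisher rotates its certificate; that step is exactly the IT-manager control the article recommends.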

FRAUD AS A SERVICE

The basic principles of economics apply to cybercrime as they do everywhere else, and specialisation of labour is now developing among the criminal fraternity in Brazil. So, instead of developing their own forms of malicious code, there are individuals or organisations involved in hosting malware, or providing protection against takedown services, or developing the front-end screens for phishing scams, or even providing the network through which to transfer the money. An entire underground economy that centres on servicing cyber criminals is being developed, encompassing small-time, highly localised players as well as very sophisticated organised crime syndicates. As a good economics student will tell you, this form of specialisation is extremely efficient when compared to a jack-of-all-trades approach.

But what it means for cybercrime is that increasingly superior attack methods will be developed, and they will become even more prevalent.

COMING TO AFRICA

The field of cybercrime and cybercrime prevention is a fast-moving one. Much can happen in three months, never mind a year: it is perfectly possible that new threats will overtake these three in popularity, particularly if they prove more profitable for criminals. Nonetheless, these are very real potential threats, and an indication of the very adaptable nature of cybercrime. If not these specific attacks, then some variation on the theme will be seen in African markets. How long they remain, and how effective they are, depends entirely on how the targeted companies respond and how up-to-date their threat intelligence and security policies are. Criminals will always look for a vulnerable mark, and there are plenty of those in Africa. Online fraud is successful partly because it is so easily replicated: the profits to be gained from attacking one large bank, which has plenty of IT security in place and invests heavily in threat intelligence and monitoring, can be the same as attacking 100 smaller e-commerce outfits who have less capital to siphon off, but also have less protective measures in place. Indeed, the high levels of e-commerce in Africa and the low levels of security often involved suggest that this is likely to be a prime target for Brazilian cyber criminals and the organisations that buy the data they steal. The longer an online business persists in the belief that it won’t be a target, the greater the chances are that it will become one. Investing in threat intelligence and security has become at least as important as logistics and fulfilment, and in an online climate where corporate reputation can be destroyed in seconds it is better to do so before an attack rather than after.

[Source: Infosectoday]

DANISH NATIONAL POLICE SAYS HACKERS INFILTRATED IDENTITY REGISTER

Last week, Denmark’s national police revealed that, in the summer of 2012, hackers might have stolen and modified information from the police driving license register, including the personal identity number register (CPR). Politiken.dk reports that the hackers retrieved CPR information, and details of individuals wanted by authorities in the Schengen area. In addition, between April and August 2012, hackers may have accessed data from the Modernization Agency and the Tax Authority. The incidents are currently being investigated but two suspects have already been identified. One of them is a Danish man, and the other one is an individual from Sweden who’s currently being detained in Sweden. Danish authorities have requested the latter’s extradition. “This has been a serious breach of the IT security that there must be in connection with police registers,” National Police Commissioner Jens Henrik Højberg stated. [Source: Politiken]




CYBER EXPERTS SAY CALLING OUT CHINA MAY BE WORKING

Singapore - After years of quiet and largely unsuccessful diplomacy, the U.S. has brought its persistent computer-hacking problems with China into the open, delivering a steady drumbeat of reports accusing Beijing’s government and military of computer-based attacks against America. Officials say the new strategy may be having some impact. In recent private meetings with U.S. officials, Chinese leaders have moved past their once-intractable denials of cyber espionage and are acknowledging there is a problem. And while there have been no actual admissions of guilt, officials say the Chinese seem more open to trying to work with the U.S. to address the problems. “By going public the administration has made a lot of progress,” said James Lewis, a cyber security expert at the Centre for Strategic and International Studies who has met with Chinese leaders on cyber issues. But it will likely be a long and bumpy road, as any number of regional disputes and tensions could suddenly stir dissent and stall progress. On Wednesday, China’s Internet security chief told state media that Beijing has amassed large amounts of data about U.S.-based hacking attacks against China but refrains from blaming the White House or the Pentagon because it would be irresponsible. The state-run English-language China Daily reported that Huang Chengqing, director of the government’s Internet emergency response agency, said Beijing and Washington should cooperate rather than confront each other in the fight against cyber attacks. Huang also called for mutual trust.

President Barack Obama is expected to bring up the issue when he meets with China’s new president, Xi Jinping, in Southern California later this week. The officials from the two nations have agreed to meet and discuss the issue in a new working group that Secretary of State John Kerry announced in April. Obama’s Cabinet members and staff have been laying the groundwork for those discussions.

Standing on the stage at the Shangri-La Dialogue security conference last weekend, Defense Secretary Chuck Hagel became the latest U.S. official to openly accuse the Chinese government of cyber espionage — as members of Beijing’s delegation sat in the audience in front of him. “The U.S.”, he said, “has expressed our concerns about the growing threat of cyber intrusions, some of which appear to be tied to the Chinese government and military.”

But speaking to reporters traveling with him to the meeting in this island nation in China’s backyard, Hagel said it’s important to use both public diplomacy and private engagements when dealing with other nations such as China on cyber problems. “I’ve rarely seen that public engagement resolves a problem, but it’s important,” he said, adding that governments have the responsibility to keep their people informed about such issues. The hacking issue also featured prominently over two days of meetings between the U.S. Chamber of Commerce and a leading Chinese trade think tank in Beijing. “This is arguably the single most consequential issue that is serving to erode trust in the relationship,” said Jeremie Waterman, the chamber’s executive director for greater China. “Over time, it could undermine business support for U.S. China relations.” According to Lewis and other defense officials familiar with the issue, China’s willingness to engage in talks with the U.S. about the problem even without admitting to some of the breaches is a step in the right direction.

Cyber security experts say China-based instances of cyber intrusions into U.S. agencies and programs including defense contractors and military weapons systems have been going on since the late 1990s. And they went along largely unfettered for as much as a decade.

U.S. officials have quietly grumbled about the problem for several years but steadfastly refused to speak publicly about it. As the intrusions grew in number and sophistication, affecting an increasing number of government agencies, private companies and citizens, alarmed authorities began to rethink that strategy.

They were pressed on by cyber security experts including prominent former government officials who argued that using cyber attacks to steal intellectual property, weapons and financial data and other corporate secrets brought great gain at very little cost to the hackers. The U.S. government, they said, had to make it clear to the Chinese that continued bad behavior would trigger consequences.

In November 2011, U.S. intelligence officials for the first time publicly accused China and Russia of systematically stealing American high-tech data for economic gain.

That was followed by specific warnings about Chinese cyber attacks in the last two annual Pentagon reports on China’s military power. And in February, the Virginia-based cyber security firm Mandiant laid out a detailed report directly linking a secret Chinese military unit in Shanghai to years of cyber attacks against U.S. companies. After analyzing breaches that compromised more than 140 companies, Mandiant concluded that they can be linked to a unit that experts believe is part of the People’s Liberation Army’s cyber command.

A recent Pentagon report compiled by the Defense Science Board laid out what it called a partial list of 37 programs that were breached in computer-based attacks, including the Terminal High Altitude Area Defense weapon, a land-based missile defense system that was recently deployed to Guam to help counter the North Korean threat. Other programs whose systems were breached include the F-35 Joint Strike Fighter, the F-22 Raptor fighter jet and the hybrid MV-22 Osprey, which can take off and land like a helicopter and fly like an airplane.

The report also listed 29 broader defense technologies that have been compromised, including drone video systems and high-tech avionics. The information was gathered more than two years ago, so some of the data are dated and a few of the breaches such as the F-35 had already become public.

According to U.S. officials and cyber experts, China hackers use gaps in software or scams that target users’ email systems to infiltrate government and corporate networks. They are then often able to view or steal files or use those computers to move through the network accessing other data. Chinese officials have long denied any role in cyber attacks and insisted that the law forbids hacking and that their military has no role in it. They have also asserted that they, too, are often the victim. Cyber experts say some of the breaches that emanate from Internet locations in China may be the product of patriotic hackers who are not working at the behest of Beijing’s government or military but in independent support of it.

The Chinese government’s control of the Internet, however, suggests that those hackers are likely operating with at least the knowledge of authorities who may choose to look the other way.

The change in tone from the Chinese leaders came through during recent meetings with Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, and has continued, according to officials and experts familiar with more recent discussions with Chinese leaders.

Still, experts say that progress with the Chinese will still be slow and that it’s naive to think the cyber attacks will stop. “This will take continuous pressure for a number of years,” said Lewis. “We will need both carrots and sticks, and the question is when do you use them.”

INDONESIA TO SET UP CYBER ARMY TO TACKLE CYBER ATTACKS AGAINST GOVERNMENT

Indonesia’s Defense Ministry has revealed its intentions to set up a special force it dubs “CYBER ARMY.” The unit’s main goal will be to tackle cyber attacks aimed at government websites and portals. According to Xinhua, ministry officials are preparing a law that would legalise the cyber army’s operations. The new force will be formed of uniformed soldiers that possess the knowledge and skills necessary to protect the country against cyber attacks. Pos M. Hutabarat, director general of security potentials at the ministry, has compared the cyber army to similar units in Iran, South Korea, China and the United States. The unit will be embedded in the army, the navy and the air force.

The Defense Minister Purnomo Yusgiantoro says that the cyber army needs the support of the country’s Communication and Information Ministry, which is in the process of building a system called National Cyber Security. Several government agencies are contributing to the National Cyber Security system, including the national intelligence body and the anti-terrorism desks. [Source: Softpedia]



ISRAEL UPGRADES 10TH GRADERS’ CYBER SECURITY SKILLS TO GROW CYBERSECURITY RECRUITMENT POOL

Israel has been subjected to a growing number of cyber attacks and has itself used cyber warfare against its adversaries. To make sure it stays ahead, Israel is accelerating its recruitment and development efforts in cyber security. Among other initiatives, the country is expanding the pool of potential cyberwarriors by going into high school classrooms to tap the cyber skills of tenth graders. Israel currently has twice as many scientists and engineers per capita, and ten times more soldiers in active duty, relative to its population than the United States, so the country already has many smart people working on defensive and offensive aspects of cybersecurity. The Christian Science Monitor reports that now the country is expanding the pool of potential cyberwarriors by going into high school classrooms to tap the skills of tenth-graders, and calling on venture capital firms to recruit cyber experts. The Israel Defense Forces (IDF) will begin to send soldiers to universities for specialised cyber training, and three years ago the IDF launched a special program – the Magshimim program — to identify qualified high school students and enroll them in cyber security training as early as tenth grade.

Professor Isaac Ben Israel, a former major general in the air force and one of the creators of Israel’s new National Cyber Bureau, says Israel’s cyber-defenses have improved due to “the pleasure, the benefit, of selecting the right people for the right positions,” thanks in large part to mandatory military service, which pools the country’s talent and makes for efficient recruiting.

Israel’s model can be followed by other countries looking to boost their cyber capabilities. Some American cyber security experts say Israel is out in front of the United States when it comes to developing cyber talent with the ability to write and modify computer code, spot software vulnerabilities, move clandestinely inside networks, and manipulate systems, rather than just develop cyber security policy. All these efforts have contributed to Israel achieving a top-3 ranking in preparedness for cyber attacks in a 2012 report by security technology company McAfee, along with Finland and Sweden - and ahead of the United States, China, and Russia. Israel’s critical infrastructure sector has been required by law to implement cyber protections since 2002, a decade before U.S. Congress tried, and failed, to pass similar legislation. “What Israel has done is focus much more heavily on technical skills and leave the political work to the politicians,” Alan Paller of the SANS Institute, told CSM. “Their skill level [per capita] … outdoes everyone, even China,” he adds, despite China’s “massive program” for developing skilled cyber experts. Professor Ben Israel has been a significant figure in the country’s cyber efforts, and has even started an annual International Cyber Security Conference in the country, which this year features speakers Eugene Kaspersky and former White House official Richard Clarke.

Other efforts by Ben Israel include pushing for the unification of academia, hi-tech industry, and the military when it comes to cyber security. Ben-Gurion University (BGU), located in the city of Beersheva, is the first Israeli university to offer a cyber security graduate program. Next to the campus is the Advanced Technologies Park (ATP), a two-million square foot complex which will open next month. Deutsche Telekom and EMC have already committed to setting up offices in the park. In addition to the campus and the park, a new military communications center is set to open next year, which will include the main cyber security training center for the IDF. Bracha Shapira, the head of BGU’s Information Systems Engineering department, says the short distance between the campus and the park will result in significant research opportunities. “When you collaborate, industry gives you money to research,” Shapira told CSM. “Also, you work on more interesting things because you understand the real problems that industry and defense are facing. You get good sources of data, and really get to work on cutting-edge technology.” According to Ben Israel, the advancements have put the country in a good position to defend itself from cyber attacks, but more needs to be done.

“In relative terms, we are in good shape,” Israel told CSM. “In absolute terms, we are not in the required shape. Unfortunately we have more threats than Finland, Sweden, or even the United States.”

[Source: Homeland Security Newswire / Christian Science Monitor]


GLOBAL SECURITY MARKET

A new report from research firm Gartner has predicted a very bright future for the security market and vendors involved in it. As companies continue to expand the technologies they use to improve their overall security, the worldwide security technology and services market is forecast to reach $67.2 billion in 2013, up 8.7% from $61.8 billion in 2012, according to Gartner, Inc. The market is expected to grow to more than $86 billion in 2016. Gartner analysts discussed the outlook for the security market at the Gartner Security & Risk Management Summit. “With security being one of the top IT concern areas, the prospect of strong continued growth is assured,” said Ruggero Contu, research director at Gartner. “The consistent increases in the complexity and volume of targeted attacks, coupled with the necessity of companies to address regulatory or compliance-related issues continue to support healthy security market growth.” Gartner analysts see three main trends shaping the security market moving forward: mobile security, big data and advanced targeted attacks. Bring your own device (BYOD) is a megatrend that will have a far-reaching influence on the entire security industry. Changes in how security addresses BYOD leave several opportunities for technology service providers (TSPs):

1. Firstly, with the shift from device security to app/data security there is a chance for some security TSPs to capture endpoint protection budgets.
2. Secondly, since some BYOD projects are centered on the productivity gains of one to two apps, there could be buying centres adding security outside of traditional information technology centres.
3. Finally, being able to understand the device type and how your users are computing today is just as important as who they are. An opportunity exists for those able to determine that context, and provide it for other points of influence, such as the network or applications.

The amount of data required for information security to effectively detect advanced attacks and, at the same time, support new business initiatives, will grow rapidly over the next five years. This growth presents unique challenges when looking for patterns of potential risk across diverse data sources. However, big data, in and of itself, is not the goal. Delivering risk-prioritised actionable insight is.

“To support the growing need for security analytics, changes in information security people, technologies, integration methods and processes will be required, including security data warehousing and analytics capabilities, and an emerging role for security data analysts within leading-edge enterprise information security organisations,” said Eric Ahlm, research director at Gartner.

When examining the advanced targeted attack (ATA), and the new methods being used to breach today’s security controls, it can be distilled to a basic understanding that attackers, especially those who have significant financial motivation, have devised effective attack strategies centered on penetrating some of the most commonly deployed security controls (largely signature-based antivirus and signature-based intrusion prevention), most often by using custom or dynamically generated malware for the initial breach and data-gathering phase. Advanced attackers are now capable of maintaining footholds inside an organisation once they successfully breach security controls, by actively looking for ways to remain persistent on the target organisation’s internal network, either through the use of malware or, even if the malware is detected and removed, via post-malware use of user credentials gathered during the period of time the malware was active. They then change their tactics to secondary attack strategies as necessary, looking for other ways around any internal security controls in the event they lose their initial attack foothold.

“Mitigating the threat from ATAs requires a defence-in-depth strategy across multiple security controls,” said Lawrence Pingree, research director at Gartner. “Enterprises should employ a defence-in-depth, layered approach model. Organisations must continue to set the security bar higher, reaching beyond many of the existing security and compliance mandates in order to either prevent or detect these newly emergent attacks and persistent penetration strategies. This layered approach is typical of many enterprise organisations and is often managed in independent ways to accomplish stated security goals, namely, detect, prevent, respond and eliminate.”

Additional information on the outlook for the security market is available in the Gartner Special Report “The Future of Global Information Security”. The special report can be viewed at http://www.gartner.com/technology/research/security-risk-management/ and includes links to reports and commentary that explore the major tectonic forces at play: rapid escalations in threat, defence and societal demands that will dramatically change how business uses technology.

Cybershield Magazine • July - September 2013 • Special Cyber Espionage Edition • Page 9


INTERNATIONAL NEWS

OBAMA ASKED INTEL AGENCIES TO DRAW UP LIST OF POSSIBLE CYBER TARGETS OVERSEAS

According to a secret US government document obtained by UK newspaper The Guardian, President Obama ordered national security officials to compile a list of potential cyber attack targets. The order was made in Presidential Policy Directive 20, which is dated October 2012 but was never published.

Four years after the U.S. and Israel allegedly launched the first known cyberweapon against Iran, President Barack Obama ordered U.S. intelligence agencies to draw up a list of overseas targets for possible offensive U.S. cyber attacks, according to a top-secret presidential directive obtained by The Guardian.

The Guardian this week provides a full look at a directive that until now has only been partially disclosed. Earlier this year, the administration declassified portions of the directive, but these only discussed intrusion detection systems for protecting federal computer networks and the government’s role in securing critical infrastructure. They did not discuss the nation’s plans to initiate offensive cyber operations against foreign targets, a highly controversial topic that has become even more so in light of the administration’s plans to confront China this week for its role in cyber espionage attacks against U.S. government and private networks. A senior administration official downplayed the offensive cyber plans, telling the Guardian anonymously that it was the natural evolution of things. “Once humans develop the capacity to build boats, we build navies. Once you build airplanes, we build air forces,” he told the paper. The deadline for drawing up the list of attack targets was to be six months after the directive’s approval.

The 18-page directive (view here: http://www.guardian.co.uk/world/interactive/2013/jun/07/obama-cyber-directive-full-text ), issued last October, states that “The secretary of defense, the DNI [Director of National Intelligence], and the director of the CIA … shall prepare for approval by the president through the National Security Advisor a plan that identifies potential systems, processes and infrastructure against which the United States should establish and maintain OCEO capabilities”. The directive defines Offensive Cyber Effects Operations, or OCEO, as “operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States government networks.” Such operations, the document notes, “can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.” The revelation, one of a string of classified leaks published by

The directive not only discusses attacking foreign targets, but authorises the use of offensive cyber attacks in foreign nations without the consent of those nations, whenever “US national interests and equities” require such nonconsensual attacks. This presumably involves not attacking foreign government systems but hacking or otherwise attacking systems that are simply located in a foreign country and are engaged in attacks on the U.S. and present an imminent threat. The directive also discusses possible cyber actions within U.S. borders, but states that any actions “intended or likely to produce cyber effects within the United States” would require the approval of the president, except in the case of an emergency, when the Defense Department and other agencies would be authorised to conduct such domestic operations without presidential approval. The document does assert that all U.S. cyber operations should conform to U.S. and international law and only work as a complement to diplomatic and military options, and that presidential approval would be required for any actions that were “reasonably likely to result in significant consequences” such as the loss of life, property damage, severe retaliation or adverse foreign policy and economic impacts.


Among the risks and assessments to be considered were the possible impact an offensive cyber attack would have on intelligence-gathering, the risk of retaliation, the impact on the stability and security of the internet, the political risks and gains, and the establishment of unwelcome norms of international behaviour. The criteria for offensive cyber operations in the directive are not limited to retaliation for attacks against the U.S.; operations can also be approved if they would advance “US national objectives around the world.”

The directive comes at least four years after the U.S. is believed to have launched the first known cyber weapon in space to attack centrifuges at a uranium enrichment facility in Iran. The New York Times and Washington Post have reported high-level sources within the current and former U.S. administrations as saying that the U.S. and Israel were responsible for the worm, known as Stuxnet, which reportedly damaged some of the centrifuges. A group of international legal experts commissioned by a NATO defense center in Europe recently published a report saying they believed that under international law the Stuxnet attack was an illegal “act of force.”

[Picture Source: https://en.wikipedia.org/wiki/File:NATO_partnerships.svg ]


THE BYOD CHALLENGE

As smartphones and tablets multiply in the workplace, do you know the best way to take advantage of these devices while retaining control of your network? Fortinet provides security for users, applications, and data, enabling secure mobile device access in any networking environment, regardless of other technologies or solutions in place. With promises of increased productivity and worker satisfaction, Bring Your Own Device (BYOD) is now at the forefront of most IT discussions today. From a security perspective BYOD opens up numerous challenges around network, data, and device security. It blurs the lines between privacy and accessibility, security and usability.

Many organizations have tried a variety of approaches to allow for BYOD, to capitalize on this trend by shifting maintenance costs to the employee and eliminating the standard-setting role of IT, with limited success. Workers have discovered the power of constant connectivity and have come to expect secure access to their corporate network regardless of location. End users want the ability to use personal devices for work purposes, their belief being that personal devices are more powerful, flexible, and usable than those offered by corporate. Talk to Fortinet today about securing BYOD within your enterprise.

“Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force” and likely violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, a study produced by a group of independent legal experts at the request of NATO’s Cooperative Cyber Defense Center of Excellence in Estonia. Acts of force are prohibited under the United Nations charter, except when done in self-defense, Michael Schmitt, professor of international law at the U.S. Naval War College in Rhode Island and lead author of the study, told the Washington Times when the report was published. [Source: Wired.com / The Guardian]

Visit us at www.nu.co.za for more information or call us on +27 11 304 6200

www.fortinet.com



INTERNATIONAL NEWS

OTHER AGENCIES THAT MAKE UP THE US INTELLIGENCE COMMUNITY

AN OVERVIEW OF THE EXPANSIVE REACH OF THE U.S. INTELLIGENCE COMMUNITY

The top-secret world the government created in response to the terrorist attacks of September 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work.

These are some of the findings of a two-year investigation by The Washington Post that discovered what amounts to an alternative geography of the United States: a Top Secret America hidden from public view and lacking in thorough oversight. After nine years of unprecedented spending and growth, the result is that the system put in place to keep the United States safe is so massive that its effectiveness is impossible to determine.

THE INVESTIGATION’S OTHER FINDINGS INCLUDE:

• Some 1,271 government organisations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States.
• An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.
• In Washington and the surrounding area, 33 building complexes for top-secret intelligence work are under construction or have been built since September 2001. Together they occupy the equivalent of almost three Pentagons or 22 U.S. Capitol buildings - about 17 million square feet of space.
• Many security and intelligence agencies apparently do the same work, creating redundancy and waste. For example, 51 federal organisations and military commands, operating in 15 U.S. cities, track the flow of money to and from terrorist networks.
• Analysts who make sense of documents and conversations obtained by foreign and domestic spying share their judgment by publishing 50,000 intelligence reports each year - a volume so large that many are routinely ignored.

HERE IS AN OVERVIEW OF THE EXPANSIVE REACH OF THE U.S. INTELLIGENCE COMMUNITY:

THE CENTRAL INTELLIGENCE AGENCY

• The CIA was formed by the passage of the National Security Act of 1947.
• The agency has its roots in the Office of Strategic Services (OSS), which operated during World War II.

Headquarters: Langley, Va.
Mission: The CIA collects, analyses and disseminates intelligence gathered on foreign nations. This comes through signals and human intelligence sources.

THE NATIONAL SECURITY AGENCY

• The NSA was established in 1952 with a mission primarily dedicated to code breaking, after the Allies’ success in cracking German and Japanese codes during World War II.
• For a long time, the NSA, which operates under the Dept. of Defense, was not even recognised by the government, and was commonly referred to as “No Such Agency.”

Headquarters: Fort Meade, Md.
Mission: The main functions of the NSA are signals intelligence (intercepting and processing foreign communications), cryptology (cracking codes) and information assurance. Put simply: preventing foreign hackers from getting secret information.

THE DEFENSE INTELLIGENCE AGENCY

• The DIA was established in 1961 with the goal of sharing information collected by the major military intelligence outfits (such as Army or Marine Corps Intelligence).
• More recently, the DIA has been expanding its overseas spy network to collect first-hand intelligence.

Headquarters: Washington, D.C.
Mission: The DIA serves as the lead intelligence agency for the Dept. of Defense, coordinating analysis and collection of intelligence on foreign militaries, in addition to surveillance and reconnaissance operations. The DIA is the common link between military and national intelligence agencies.


THE STATE DEPARTMENT’S BUREAU OF INTELLIGENCE AND RESEARCH

• The State Department’s Bureau of Intelligence and Research (INR) has ties to the Office of Strategic Services from World War II, but was transferred to State after the war.
• INR now reports directly to the Secretary of State, harnessing intelligence from all sources and offering independent analysis of global events and real-time insight.

Headquarters: Washington, D.C.
Mission: This agency serves as the Secretary of State’s primary advisor on intelligence matters, and gives support to other policymakers, ambassadors, and embassy staff.

THE FBI’S NATIONAL SECURITY BRANCH

• The Federal Bureau of Investigation’s National Security Branch (NSB) was established in 2005, combining resources that include counterterrorism, counter-intelligence, weapons of mass destruction, and intelligence under a single FBI leader.

Headquarters: Washington, D.C.
Mission: Formed after 9/11 and the Iraq WMD commission, when intelligence agencies were not sharing data with each other, the NSB integrates intel on national security and criminal threats from a variety of sources that are often intertwined, in order to protect U.S. interests.

THE DEPARTMENT OF ENERGY, OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE

• Surprisingly, the Energy Department even has an intelligence service.
• The Office of Intelligence and Counterintelligence focuses on technical intelligence on nuclear weapons and nonproliferation, nuclear energy (especially foreign), and energy security.

Headquarters: Washington, D.C.
Mission: The Dept. of Energy doesn’t have the ability to conduct foreign intelligence, instead relying on information passed to it by other agencies (such as the CIA or NSA). If it involves weapons of mass destruction, the DoE offers up the analytical expertise.

AIR FORCE INTELLIGENCE

• Formerly known as the Air Intelligence Agency, the agency is now known as the Air Force ISR - Intelligence, Surveillance, Reconnaissance.
• Air Force intelligence was established in 1948 to get information to troops on the ground, and most recently the ISR has collected that intelligence from aerial drones.

Headquarters: Lackland Air Force Base, Texas
Mission: Air Force ISR collects and analyses intelligence on foreign nations and hostile forces, both in and out of combat zones. They also conduct electronic and photographic surveillance, and provide weather and mapping data to troops in the field.

ARMY INTELLIGENCE AND SECURITY COMMAND

• Army intelligence has been around since spies worked for the Continental Army in 1775, but the U.S. Army’s Intelligence and Security Command (INSCOM) was established in 1977 to become the major unifying command of army intelligence.

Headquarters: Fort Belvoir, Va.
Mission: INSCOM provides commanders on the ground with information they may need on the battlefield: intercepted enemy radio communications, maps, ground imagery, and information on force structure and numbers.

THE UNITED STATES SECRET SERVICE

• The United States Secret Service is a U.S. federal law enforcement agency that is part of the United States Department of Homeland Security.

Headquarters: Washington, D.C.
Mission: The U.S. Secret Service has two distinct areas of responsibility:
• Financial Crimes, covering missions such as prevention and investigation of counterfeiting of U.S. currency and U.S. treasury securities, and investigation of major fraud.
• Protection, which entails ensuring the safety of current and former national leaders and their families, such as >> PAGE 15



INTERNATIONAL NEWS

SPECIAL REPORT ON PRISM

Edward Joseph Snowden (born June 21, 1983) is a former technical contractor for the National Security Agency (NSA) and Central Intelligence Agency (CIA) employee who leaked details of a top-secret American mass surveillance programme called PRISM to the press. Snowden’s leaks are said to rank among the most significant breaches in the history of the NSA. PRISM was first publicly revealed when classified documents about the program were leaked to journalists of The Washington Post and The Guardian by Snowden - at the time an NSA contractor - during a visit to Hong Kong. The leaked documents included 41 PowerPoint slides, four of which were published in news articles. The documents identified several technology companies as participants in the PRISM program, including (date of joining PRISM in parentheses) Microsoft (2007), Yahoo! (2008), Google (2009), Facebook (2009), Paltalk (2009), YouTube (2010), AOL (2011), Skype (2011), and Apple (2012). The speaker’s notes in the briefing document reviewed by The Washington Post indicated that “98 percent of PRISM production is based on Yahoo, Google and Microsoft.”

The slide presentation stated that much of the world’s electronic communications pass through the United States, because electronic communications data tend to follow the least expensive route rather than the most physically direct route, and the bulk of the world’s internet infrastructure is based in the United States. The presentation noted that these facts provide United States intelligence analysts with opportunities for intercepting the communications of foreign targets as their electronic data pass into or through the United States.

Snowden’s subsequent disclosures included statements that governments such as the United Kingdom’s GCHQ also undertook mass interception and tracking of internet and communications data (described by Germany as “nightmarish” if true), allegations that the NSA engaged in “dangerous” and “criminal” activity by “hacking” civilian infrastructure networks in other countries such as “universities, hospitals, and private businesses”, and the claim that compliance offered only a very limited restrictive effect on mass data collection practices (including of Americans), since restrictions “are policy-based, not technically based, and can change at any time”. He added that “Additionally, audits are cursory, incomplete, and easily fooled by fake justifications”, with numerous self-granted exceptions, and that NSA policies encourage staff to assume the benefit of the doubt in cases of uncertainty.

Alleged NSA internal slides included in the disclosures purported to show that the NSA could unilaterally access data and perform “extensive, in-depth surveillance on live communications and stored information”, with examples including email, video and voice chat, videos, photos, voice-over-IP chats (such as Skype), file transfers, and social networking details.


Snowden summarised that “in general, the reality is this: if an NSA, FBI, CIA analyst has access to query raw SIGINT [signals intelligence] databases, they can enter and get results for anything they want”. According to The Washington Post, the intelligence analysts search PRISM data using terms intended to identify suspicious communications of targets whom the analysts suspect with at least 51 percent confidence to not be United States citizens, but in the process, communication data of some United States citizens are also collected unintentionally. Training materials for analysts tell them that while they should periodically report such accidental collection of non-foreign United States data, “it’s nothing to worry about.”

OTHER AGENCIES THAT MAKE UP THE US INTELLIGENCE COMMUNITY (CONTINUED FROM PAGE 13)

AN OVERVIEW OF THE EXPANSIVE REACH OF THE U.S. INTELLIGENCE COMMUNITY

... the President, past presidents, vice presidents, presidential candidates, visiting heads of state, and foreign embassies (per an agreement with the U.S. State Department’s Bureau of Diplomatic Security (DS) Office of Foreign Missions (OFM)).

THE TREASURY’S OFFICE OF INTELLIGENCE AND ANALYSIS

• The Office of Intelligence and Analysis is fairly new, established in 2004 by the Intelligence Authorization Act.
• OIA’s focus is mainly on providing information to combat terrorism and illicit financial transactions.

Headquarters: Washington, D.C.
Mission: OIA safeguards the U.S. financial system “against illicit use and combating rogue nations, terrorist facilitators, weapons of mass destruction proliferators, money launderers, drug kingpins, and other national security threats,” according to DNI.

THE DEPARTMENT OF HOMELAND SECURITY OFFICE OF INTELLIGENCE AND ANALYSIS

• The DHS Office of Intelligence and Analysis works primarily on homeland threats, collecting and analysing information, and sharing intelligence with local and federal law enforcement through the use of “fusion centers.”

Headquarters: Washington, D.C.
Mission: They work on four main areas: understanding threats through analysis, collecting information relevant to homeland security, sharing that information with the agencies that need it, and managing the homeland security enterprise, according to DNI.

THE OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE

• Established in 2004, the Office of the Director of National Intelligence (ODNI) manages the efforts of the entire U.S. intelligence community.
• Director James R. Clapper serves as the principal advisor to the president as well as the National Security and Homeland Security Councils.

Headquarters: Washington, D.C.
Mission: The DNI has two main missions: to lead intelligence integration, and to “forge an intelligence community that delivers the most insightful intelligence possible.”

[Source: Washington Post / Wikipedia / Business Insider]



AFRICA NEWS

ANONYMOUS AFRICA HACKED US NEWS SITE OVER MANDELA REPORT

A US news website was attacked by Anonymous Africa after it had reported that Mr Nelson Mandela had died after his life support had been shut off. On Friday, Anonymous Africa performed a Distributed Denial of Service (DDoS) attack on the Guardian Express website, taking the site down for several hours. On their Twitter handle, Anonymous Africa said before it launched the attack: “That website is false. It is profiteering off false news. Which is why we are running ops against it”.

The reason for this attack was an article that appeared in the Guardian Express on Wednesday stating that Mandela had been taken off life support and had died. They reported that the government and the Mandela family were now part of a huge cover-up, as this would cause economic turmoil and “the different tribes will make a massive drama about his death”. On Twitter, Anonymous Africa accused the Guardian Express of making money off this fake news.

[Source: thehackersblog.com]

[Picture: Mr Nelson Mandela]

AFRICAN NATIONAL CONGRESS WEBSITE HIT BY DDOS ATTACK

South Africa’s ruling African National Congress said its website had been recently hacked by Zimbabwe activists claiming ties to the global “hacktivist” group Anonymous.

“Someone calling themselves Anonymous and claiming to be the legitimate representative of the people of Zimbabwe has flooded the website of our organisation,” the ANC said in a statement.

The denial of service attack -- which floods a website with so many data requests that it crashes -- appeared to be in effect from around 09:00 GMT to 10:00 GMT.

“Our website management team is currently working on the problem, including assessing means to strengthen our security so that such does not recur in future,” said spokesman Jackson Mthembu.

Using the Twitter handle “@zim4thewin”, a group calling themselves “Anonymous Africa” warned the ANC of the impending attack.

“Tick tock tick tock, your site will stop working in 40 minutes. think about all the blood on your corrupt hands when it is down,” the unverified group warned.

A subsequent tweet read: “anc.org.za is tango down! for being corrupt and supporting the mass murdering mugabe #anc #africa #zimbabwe #anonymous”

Members of the group told AFP the attacks were aimed at getting as many people as possible discussing corruption, Mugabe’s rule and his army’s 1987 “Gukurahundi” suppression in which around 20,000 largely ethnic Ndebele died.

Anonymous claimed responsibility for previous attacks on the websites of South African media, Mugabe’s Zimbabwe African National Union Patriotic Front (ZANU PF) party, the Zimbabwean ministry of defence and the country’s revenue authority.

The timing of this latest attack is politically sensitive. Mugabe on Thursday plunged Zimbabwe back into political crisis by unilaterally announcing that elections will be held on July 31 2013. His political rival Prime Minister Morgan Tsvangirai vowed to fight the decision, arguing that Mugabe wants to avoid reforms and press ahead with a flawed poll to extend his 33-year rule.

The hack also came on the eve of a summit of regional leaders that will decide a response to Mugabe’s gambit. The latest hacking attack appears to be linked to South Africa’s stance on the ongoing political crisis in neighbouring Zimbabwe. The South African government has been criticised for its perceived failure to take a hard line against Zimbabwean President Robert Mugabe, the leader of a fellow liberation movement.

The ANC on Friday defended its role in easing political violence in Zimbabwe, pointing to the establishment of a power sharing government and the passing of a new constitution. The ANC vowed to “continue to work with the government and people of Zimbabwe to assist them find their own lasting solution to the challenges facing that country.”

Anonymous is a loosely organised group that has been blamed for attacks on the FBI, Visa, MasterCard, the Kremlin, global intelligence firm Stratfor and Sony Pictures Entertainment among others.

[Source: securityweek.com]


AFRICA NEWS

MAURITANIA HACKER ON AN ISLAMIC MISSION

In Nouakchott, a dusty city wedged between the Atlantic ocean and the western dunes of the Sahara, a young hip-hop fan co-ordinates a diverse group of hackers targeting websites worldwide in the name of Islam. Logging on to his computer, he greets his Facebook fans with a “good morning all” in English before posting links to 746 websites they have hacked in the last 48 hours, along with his digital calling card: a half-skull, half-cyborg Guy Fawkes mask.

He calls himself Mauritania Attacker, after the remote Islamic republic in West Africa from which he leads a youthful group scattered across the Maghreb, southeast Asia and the West. As jihadists battle regional governments from the deserts of southern Algeria to the scrubland of north Nigeria, Mauritania Attacker says the hacking collective which he founded, AnonGhost, is fighting for Islam using peaceful means. “We’re not extremists,” he said, via a Facebook account which a cyber security expert identified as his. “AnonGhost is a team that hacks for a cause. We defend the dignity of Muslims.”

During a series of conversations via Facebook, the 23-year-old spoke of his love of house music and hip-hop, and the aims of his collective, whose targets have included US and British small businesses and the oil industry. He represents a new generation of western-style Islamists who promote religious conservatism and traditional values, and oppose those they see as backing Zionism and Western hegemony.

AN UNLIKELY HACKER BASE

Mauritania, a poor desert nation straddling the Arab Maghreb and sub-Saharan Africa, is an unlikely hacker base. It has 3.5 million inhabitants spread across an area the size of France and Germany, and only 3% of them have internet access. Much of the population lives in the capital Nouakchott, which has boomed from a town of less than 10 000 people 40 years ago to a sprawling, ramshackle city of a million inhabitants. In its suburbs, tin and cinder-block shanties battle the Sahara’s encroaching dunes and desert nomads stop to water their camels.

In the past six months experts have noted an increase in hacking activity from Mauritania and neighbouring countries. In part, that reflects Mauritania Attacker’s role in connecting pockets of hackers. In April, AnonGhost launched a cyber attack dubbed OpIsrael that disrupted access to several Israeli government websites, attracting the attention of security experts worldwide. “AnonGhost is considered one of the most active groups of hacktivists of the first quarter of 2013,” said Pierluigi Paganini, security analyst and editor of Cyber Defense magazine. An online archive of hacked websites, Hack DB, lists more than 10 400 domains AnonGhost defaced in the past seven months.

(Source: voicesofafrica.co.za)

CYBER INSECURITY THREATENS NIGERIAN ECONOMY

The Nigerian economy is being threatened by cyber criminals who hack into corporate and government sites and steal vital documents and people’s passwords, the National Information and Technology Development Agency (NITDA) has said.

NITDA’s Director General, Professor Cleopas Angaye, who disclosed this at a press conference in Abuja, said the high rate of cybercrime in Nigeria poses serious economic and security challenges in the country. According to Prof Angaye, the recent ranking of Nigeria among the countries with significant abuse of the internet is a matter of concern to the government. He said criminals are increasingly employing information and communication technologies to facilitate their illegal activities, particularly in relation to money laundering, identity crime and terror activities.

He also said the country and other African nations are vulnerable to the loss of economic competitiveness through the continued exploitation of ICT networks and the compromise of intellectual property and other sensitive commercial data.

“This has the potential to undermine confidence in the digital economy”, he added.

National security is under threat from a range of cyber actors, added Tim Akano, the coordinator of International Telecommunications Union’s cyber protection group, IMPACT, who also addressed journalists at the press conference. Akano said cyber criminals are often well resourced, highly skilled and able to defeat commercially available security solutions.

[Source: allafrica.com]



AFRICA NEWS

BABA JUKWA’S ACCOUNT HACKED

Zimbabwe’s very own “Julian Assange”, the faceless, thought-provoking Facebook character who has rattled ZANU-PF ahead of this year’s elections, has had his email account briefly hacked this morning, in an attempt which was foiled as his tech team quickly recovered it before anything could be stolen. Baba Jukwa, who has over 150,000 followers on Facebook, continues to shock top government officials, including those from the security sector, through the social networking site, and it would appear that many people want to know the identity of this character who has pulled many powerful people to their knees. “Zimbabwe these people think I am here to play games with them. Hacking of pages won’t stop me from firing from all corners,” Baba Jukwa is quoted as saying. “I have just gathered that this Australian based hacker/spy is working hand in hand with ‘Mr/s Back Man’ Psychology Maziwisa. Instead they have intensified the struggle and I will be soon opening another backup page that I will introduce to you to like,” he added. He told ZimEye that he also managed to delete vital information before it could be accessed: “they have taken the page back but I had deleted vital information,” he said.

A few weeks ago ZANU-PF spokesperson Rugare Gumbo denied that the party was ruffled by Baba Jukwa. There have been reports that allege that some politburo members had put up a bounty for Baba Jukwa’s head. In recent weeks, Baba Jukwa has named several politicians whom he accused of being HIV positive and infecting young girls before using money to silence them. His “inside stories” on ZANU-PF “chiefs” have caused a stir, with allegations ranging from murder most foul, a looting spree of state resources, personal problems and treats on Politburo discussions to hacking of the Facebook page itself by supposed ZANU-PF aligned security agents. Said Baba Jukwa: “Our team on ground will intensify an eye for an eye information with immediate effect Zimbabwe. Just inbox us the names of those victimising you and place they are situated.” “Zimbabwe news coming in, is that since we challenged citizens to inbox us names of… those evil soldiers terrorising communities there have been great panic and these guys ended up hacking the easily accessed gmail thinking that they might find their names on the targeted list.” [Source: Zim Eye]


MOBILE SECURITY IN SA

Q&A WITH CHECK POINT

From smartphones to tablets, mobile devices continue to cause ongoing concern for IT teams responsible for information security. Sensitive corporate information can be easily transported, leaked or lost, while the Bring Your Own Device (BYOD) movement has dramatically increased the number of expensive security incidents. Even so, corporate information, including sensitive customer information, is increasingly stored on personal mobile devices that are not managed by the corporate IT department.

Check Point® Software Technologies Ltd, a leader in securing the Internet, recently published its second mobile security report, revealing that the majority of businesses (79%) in the United States, Canada, United Kingdom, Germany and Japan had a mobile security incident in the past year, with the costs proving substantial. The new report found that mobile security incidents tallied up to over six figures for 42% of businesses, including 16% who put the cost at over R5.1 million.

To contextualise these findings for the South African market, Doros Hadjizenonos, sales manager at Check Point South Africa, provides insight into the trends driving mobile security in South Africa, the challenges facing the South African mobile security market, top tips for businesses on managing mobile security, and predictions for the future of mobile security in the South African market.

1. WHAT ARE THE TOP THREE TRENDS THAT YOU SEE DRIVING MOBILE SECURITY IN SOUTH AFRICA?

a. The increasing mobility of the work force: The work force is becoming more mobile, which means they require information to be available at their fingertips, and as such require a solution to protect this information from getting into the wrong hands. The form factor of these devices makes them more prone to being lost.

b. The rise of mobile device exploits: We are seeing an increase in the number of exploits on mobile devices (especially smartphones), which increases the security risk profile of allowing such devices to connect to the corporate network.

c. Adhering to the Protection of Personal Information Act (POPI): The imminent Protection of Personal Information Act will hold companies responsible for loss of personal information. Assuming that these mobile devices have access to personal information about their clients makes it imperative to secure the devices as you would a laptop or even a desktop.

2. ARE THE FINDINGS OF THE LATEST CHECK POINT MOBILE SECURITY REPORT IN LINE WITH THE SA MARKET?

Mostly, yes. I would agree that the number of devices connecting to the corporate network is on the increase; 96% of companies surveyed in the report confirm this. BYOD most definitely creates challenges for security administrators and business owners, where a balance needs to be found between security and convenience. The report found 63% of businesses do not manage corporate information on personal devices, and 93% face challenges adopting BYOD policies.

3. WHAT ARE THE KEY HURDLES OR CHALLENGES FACING THE SOUTH AFRICAN MOBILE SECURITY MARKET?

a. The major hurdle that I see is the impact of security exploits on the end user. Security should be a business enabler and not an inhibitor. Users should be able to bring their own device and use it for both personal and business practices, without compromising any functionality.

b. In addition, I believe that users need to be educated on the safe use of mobile devices, creating the need for companies to establish a security awareness program, ensuring the security message is communicated to all employees.

4. WHAT ARE YOUR TOP TIPS FOR BUSINESSES WHEN IT COMES TO MANAGING MOBILE SECURITY IN SOUTH AFRICA?

a. Embark on a mobile security project to ensure that the enterprise data stored on mobile devices is secured. It is vital to choose a solution that minimises the impact on the end user.

b. Ensure there is a security awareness program to educate users about the risks of mobile devices. This program should also be extended to cover all devices which connect to the network, i.e. tablets, laptops, desktop PCs and notebooks.

5. WHAT ARE YOUR PREDICTIONS FOR THE FUTURE OF MOBILE SECURITY IN SOUTH AFRICA?

a. I believe that we will continue to see an increase in attacks targeted at mobile devices, smartphones specifically. South Africans have accepted and adopted a mobile device as a primary form of communication and I don't see this trend changing anytime soon. As legislation comes into effect I believe that corporates will take mobile security more seriously.

b. The devices that are used in the work place are not always corporate owned devices, making managing BYOD more complicated. Looking ahead, I believe that corporates will place more emphasis on ensuring that corporate data remains secure, but at the same time not prohibiting employees from using their devices for personal use.

ABOUT THE REPORT: The report, The Impact of Mobile Devices on Information Security, surveyed almost 800 IT professionals in the United States, Canada, United Kingdom, Germany and Japan. This is the second survey on this topic, and the report evaluates differences in responses to similar questions asked one year ago. The goal of the survey was to gather data to quantify the impact of mobile devices on corporate information security. To read the full report, please click here: http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report2013.pdf

Doros Hadjizenonos, Sales Manager, Check Point South Africa



HOW ITS DONE

BLACK HAT HACKERS BREAK INTO ANY IPHONE IN UNDER A MINUTE USING A MALICIOUS CHARGER

Security researchers at the Georgia Institute of Technology have built a malicious USB charger that can inject persistent, undetectable malware onto your iPhone, iPad or other current-generation iOS device. The charger, called Mactans, takes less than a minute to compromise a device once it has been plugged in. Mactans, named after the black widow spider's Latin taxonomy (Latrodectus mactans), will be demonstrated by Billy Lau, Yeongjin Jang and Chengyu Song at the Black Hat 2013 conference in July. The researchers have disclosed the vulnerability to Apple, but presumably Apple hasn't fixed the hole yet, as the researchers are refusing to give out exact details until the conference. For now, though, we know that the exploit can be performed on a current-generation device running the latest version of iOS, simply by plugging it into the malicious charger.

The malicious USB charger is, essentially, a BeagleBoard, a small single-board computer built around a Texas Instruments ARM processor and very similar to the Raspberry Pi. Basically, the researchers have built a power brick with a BeagleBoard inside it, so rather than plugging your iPhone or iPad into a normal USB plug, you're actually plugging it into a computer. It isn't clear what operating system the researchers are using, but it's probably Linux-based. Once you plug in, custom software gets to work, cracking iOS in under a minute and installing malware.

Curiously, the researchers note that they've also found a way of installing apps that are hidden from the user, much in the same way that Apple hides its own built-in software. It isn't clear whether this attack vector also gives access to sensitive data on the device, but it certainly sounds like the researchers have obtained root access.

As for how this compromise is performed, we can only make an educated guess. From the description given by the researchers, it sounds like iOS's defence mechanisms primarily protect against attacks from within (sandboxing) rather than from without. Previous jailbreaks have been performed using the old 30-pin connector's serial pins, which were only meant to be used by Apple for internal debugging. The researchers say that Mactans works on "current-generation" devices, though, which suggests that their exploit uses the Lightning connector, and the Lightning connector isn't terribly well understood at this point. Given that the attack isn't instant, and that there's a computer dedicated to the task, it might be some kind of brute-force cryptographic attack.

However the attack is performed, the main point is that it requires physical access to your device, and when it comes to security, if an attacker has obtained physical access, you've already lost. For the most part, every modern OS is incredibly resilient to remote attacks via the web or spear phishing, but all but the most secure Linux, Mac or Windows boxes can be compromised with just a few minutes of physical access. If anything, this attack is essentially a cautionary tale against using third-party USB chargers, or USB chargers belonging to other people. To the phone, any USB peer that talks on the data lines is a host computer; a charge-only cable or adapter that leaves the USB data lines unconnected removes that channel altogether.

[Source: http://www.extremetech.com]


APPLE IOS SECURITY: THE GOOD VS THE BAD

APPLE'S IOS 7 ACTIVATION LOCK COULD MAKE IPHONES WORTHLESS TO THIEVES

Apple always touts the security inherent in the iOS platform, and uses it as a bludgeon against the more open Android platform. While iOS does have a very well-managed and safe software ecosystem, the one place Apple has fallen short is in the real world: Apple devices are common targets for muggers and thieves because of their high resale value. The anaemic feature set in Find My iPhone has never really prevented the theft of iDevices before, but that might change with iOS 7. It seems Find My iPhone finally has some teeth.

Starting in iOS 7, an iPhone is no longer an easy day's work for a phone thief. The new activation lock feature of Find My iPhone can render a lost iPhone or iPad unusable if it looks like it isn't coming home. So now, in addition to merely tracking the location of a lost phone, users have the option to nuke it from orbit permanently.

Remote wipe is nothing new; BlackBerry has been doing the same thing for nigh on a decade now. What makes Apple's activation lock unique is that it ties in with the owner's iCloud account. The original iCloud password will be required to make a wiped device functional again. Even if a thief manages to disable Find My iPhone or wipe the device on his or her own, activation lock renders it little more than a lovely paperweight.

To take things a step further, a locked iPhone will still be able to display messages should it come into the possession of a more reputable party. You can hope against all odds that the device is returned, but at the same time know that your data is not compromised. Well, there's also the satisfaction of knowing the thief isn't seeing any benefit from inconveniencing you.

This feature isn't just about protecting individual users and their data, it's about setting a precedent. The epidemic of iPhone thefts has been on Apple's radar for a long time, and this is its effort to put a stop to it. If stealing an iPhone almost always results in a locked and useless handset, thieves will eventually start looking for easier targets. Some of those Android phones are getting pretty nice, too.

Even the authorities have been keeping an eye on the rates of iDevice theft. The NYPD launched a special task force to recover lost iPhones and iPads a few months ago, as part of an initiative to track down caches of stolen property, which almost always include piles of Apple devices. Prosecutors including New York Attorney General Eric T. Schneiderman and San Francisco District Attorney George Gascón sounded notes of optimism when the activation lock feature was announced.

Apple takes device security seriously to the point of hindering its own users. The long-term battles of jailbreakers to defeat Apple's draconian restrictions are legend on the internet. But with activation lock we're starting to see where Apple's cautious approach is paying off. A jailbroken device may offer industrious thieves a way to bypass security measures like activation lock. This might be a solid argument against jailbreaking.

The improved security in iOS 7 isn't just good for people who take their phones out on the subway. It will act as a theft deterrent for all iDevice users.



HOW ITS DONE

HOW KILIM COMPROMISES YOUR MACHINE AND SOCIAL NETWORKING SITES

Malware authors and distributors follow the money. When you consider the growing popularity of social networking websites, it should come as no surprise that malware continues to maintain its presence in this area.

Every year we spend a growing percentage of our time online using social media tools such as Facebook, Twitter and YouTube. What does this mean for the malware ecosystem? Malware authors and distributors know that social networks don't just connect people, they also instil a form of implicit trust. You are more likely to trust a URL or a video that is shared with you by a friend or connection. We are seeing more and more cases of malware stealing passwords, spreading, and posting malicious links through social media networks. Many malware authors target browsers (Internet Explorer, Chrome, Firefox or Safari) so they can intercept and manipulate data at its origin, which avoids having to deal with a secure protocol (such as HTTPS) once data leaves the user's system. One such piece of malware that we recently came across is detected as Trojan:AutoIt/Kilim.A.

Kilim specifically targets the Google Chrome browser. The trojan may be installed when an unsuspecting user clicks on a shortened hyperlink that redirects to a malicious website. The website masquerades as a download site for legitimate software and tricks the user into downloading and executing Kilim.

[Screenshot: followers that were automatically added by Kilim]

Upon successful execution, Kilim disables User Account Control (UAC) and adds an auto-start entry in the system registry to survive reboot. It then proceeds to download two malicious Chrome browser extensions; we detect the malicious scripts in the extensions as Trojan:JS/Kilim.A. Kilim connects to a remote server to download configuration files that indicate the location of the malicious extensions:

www.<removed>/crx.txt
www.<removed>/crx.txt

It then closes Chrome and installs the two extensions using the following configuration files and registry entries that it creates:

%windir%\adobeflash\update.xml
%windir%\adobeflash2\update.xml

Kilim also uses the following tricks to hide the installed extensions:

• If you click on the About menu in the Chrome browser, then select Settings, you will be taken to google.com instead of the settings page.
• If you type "chrome://extensions/" it will redirect to "https://chrome.google.com/webstore" instead of showing the internal settings page. This is to prevent you from seeing the installed extensions list.

This means you never get to see, or uninstall, the malicious extensions from inside the browser.

Once the malicious browser extensions are installed, Kilim can gain access to your social networking sites such as:

• Facebook.com
• Twitter.com
• YouTube.com
• Ask.fm

The next time you log in to those websites using Chrome, it may post messages, "like" pages on Facebook, follow profiles and send direct messages on Twitter, or comment on YouTube videos. It can continue to do this as long as the session cookie of the authenticated website is active, in other words, until you log out.

As always, the best advice is to keep your security software up to date and use caution when clicking unknown links, even if they are shared in your trusted social network.
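Because Kilim redirects the browser's own extensions page, the place to look is outside the browser: the registry keys and update manifests it writes. The script below is an added example, not code from the MMPC write-up, that triages a Windows registry export offline for the three footprints the article names (UAC disabled, an auto-start entry under %windir%, and Chrome extensions force-installed with an update_url that is not the Chrome Web Store). It assumes the export is in regedit's "Version 5.00" text format, that the update.xml files the article names but does not show follow Chrome's documented external-extension manifest (gupdate/app/updatecheck), and that the registry entries are the HKLM\Software\Google\Chrome\Extensions\<id> keys Chrome reads at start-up; the extension IDs, paths and hosts in the sample are constructed.

```python
"""Offline triage of a Windows registry export for the Kilim install chain
described above. Added example, not MMPC code. Assumptions: regedit
"Version 5.00" export format; update.xml follows Chrome's documented
external-extension manifest (gupdate/app/updatecheck); extensions are
registered under HKLM\\Software\\Google\\Chrome\\Extensions\\<id>.
All IDs, paths and hosts below are constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_KEY = re.compile(r"\\Google\\Chrome\\Extensions\\([a-p]{32})$", re.IGNORECASE)

# Constructed `reg export` output; extension IDs are made up (32 chars, a-p).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Windows\\system32\\vendortray.exe"
"AdobeFlashUpdate"="C:\\Windows\\adobeflash\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\abcdefghijabcdefghijabcdefghijab]
"update_url"="file:///C:/Windows/adobeflash/update.xml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\ponmlkjihgponmlkjihgponmlkjihgpo]
"update_url"="https://clients2.google.com/service/update2/crx"
"""

# Constructed update.xml in Chrome's external-extension manifest format.
SAMPLE_UPDATE_XML = """<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
  <app appid='abcdefghijabcdefghijabcdefghijab'>
    <updatecheck codebase='http://www.example.invalid/ext1.crx' version='1.0'/>
  </app>
</gupdate>"""


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from a regedit export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def reg_str(raw):
    """Unquote a REG_SZ literal and collapse the doubled backslashes."""
    return raw.strip('"').replace("\\\\", "\\")


def triage_reg(keys, windir="C:\\Windows"):
    """Return findings for the three registry footprints the article names."""
    findings, wd = [], windir.lower() + "\\"
    for path, values in keys.items():
        tail = path.rsplit("\\", 1)[-1].lower()
        if tail == "system" and "\\policies\\" in path.lower():
            if values.get("EnableLUA") == "dword:00000000":
                findings.append("UAC disabled: EnableLUA=0 under " + path)
        elif tail in ("run", "runonce"):
            for name, raw in values.items():
                target = reg_str(raw)
                low = target.lower()
                # Heuristic: legitimate software almost never auto-starts from a
                # directory created directly under %windir% (Kilim: adobeflash\).
                if low.startswith(wd) and not low.startswith((wd + "system32\\", wd + "syswow64\\")):
                    findings.append(f"Auto-start '{name}' runs from an unusual directory under %windir%: {target}")
        else:
            m = EXT_KEY.search(path)
            if m:
                url = reg_str(values.get("update_url", ""))
                if url.lower() != WEBSTORE_UPDATE_URL:
                    findings.append(f"Chrome extension {m.group(1)} force-installed from a non-Web-Store source: {url or '<no update_url>'}")
    return findings


def parse_update_manifest(xml_text):
    """Return [(appid, codebase, version)] from a gupdate manifest."""
    ns = {"g": "http://www.google.com/update2/response"}
    out = []
    for app in ET.fromstring(xml_text).findall("g:app", ns):
        uc = app.find("g:updatecheck", ns)
        out.append((app.get("appid"),
                    uc.get("codebase") if uc is not None else None,
                    uc.get("version") if uc is not None else None))
    return out


def check_manifest(entries):
    """Flag CRX packages not served over HTTPS from a google.com host."""
    findings = []
    for appid, codebase, version in entries:
        if codebase is None:
            continue
        u = urlparse(codebase)
        if u.scheme != "https" or not (u.netloc == "google.com" or u.netloc.endswith(".google.com")):
            findings.append(f"{appid} v{version}: CRX fetched from {codebase}")
    return findings


if __name__ == "__main__":
    for line in triage_reg(parse_reg(SAMPLE_REG)) + check_manifest(parse_update_manifest(SAMPLE_UPDATE_XML)):
        print(line)
```

Feed it the output of `reg export HKLM\SOFTWARE hklm.reg /y` from the suspect machine (repeat for the Wow6432Node branch and for HKCU, which Chrome also honours) and then open any update.xml a flagged update_url points to. Self-hosted extensions are legitimate in managed enterprises, so a non-Web-Store update_url is a lead to verify against your own deployment records, not a verdict.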

[Screenshot: posts from the two unknown followers also appeared in the user's newsfeed]

The first screenshot shows unknown page followers that were automatically added by Kilim. Posts from the two unknown followers also appeared in the user's newsfeed.

One might wonder: how does this benefit the malware author or distributor? Kilim appears to be selling Twitter followers for a price. There is also a possibility that Kilim could extend its functionality to do more, perhaps stealing sensitive information such as passwords, or even spreading other malware for a price and getting paid per click-through, similar to a pay-per-install model. Kilim has the ability to extend and update itself whenever it connects back to the server, as it obtains JavaScript code and executes it in the context of the browser. Social media presents a quick and lucrative avenue to spread malware. Combine this with the growing online population and I predict we will see more of these social bots in the future.

[Source: Karthik Selvaraj - MMPC]


OF INTEREST

SEGWAY-STYLE VEHICLE IS ULTRA PORTABLE

The Hovertrax is a Segway-like electric gyroscopic vehicle that is hands-free and can fit in the user's backpack.

We've already seen portable transport upgraded from fold-up bicycles to the suitcase-sized Moveo motorbike. Now the Hovertrax is a Segway-like electric gyroscopic vehicle that is hands-free and can fit in the user's backpack. The Hovertrax features a platform that connects two electric motor-powered wheels, which use gyroscopes and accelerometers to keep users upright. After stepping onto the vehicle, users lean forward to start moving.

The platform is split into two, enabling users to turn by putting greater pressure on one side than the other. The batteries that power the device allow riders to travel at up to six miles per hour for around four miles. Without handles, users can step off the machine at any point, and at nine pounds in weight the vehicle can easily be carried by hand or in a backpack when not in use. Inventist, the company that developed the Hovertrax, has already surpassed its target on crowdfunding site Kickstarter. With greater development and more power, could this be the future of pedestrian transport?

[Source: www.inventist.com]


GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE

HOW TO FAIL AT CORPORATE FRAUD

Working with forensic experts from the FBI, Ernst & Young's Fraud Investigation and Dispute Services practice developed linguistic fraud-monitoring software that identifies language commonly used among employees engaged in corporate malfeasance. The accounting giant plans to offer its newly developed fraud-detection capacity as a service to its clients. So, if you are thinking about charging some "special fees" or exploiting a "grey area" in order to pick up some "off the books", "friendly payments" that "nobody will find out" about, think twice, even if you think your employer "won't miss it", because E&Y determined that these and some 3,000 other phrases commonly indicate employees attempting to defraud their employers.

The software revealed that rogue employees under pressure to commit various wrongdoings often sent emails containing the phrases "not comfortable", "want to be part of this", "don't leave a trail" and "make the number". The technology also found that such employees rationalise their behaviour via email with phrases like "told me to", "not hurting anyone", "won't miss it" and "fix it later". The report highlighted other phrases like "off the books", "off balance sheet transactions" and "pull earnings forward" as common indicators of employees with the opportunity to commit fraud. The software also scans for emails in which employees appear to be trying to avoid being overheard by others: for example, the words "call my mobile" or "come by my office" raise flags in the detection system. In addition, the software tracks and evaluates code words and notes obvious and uncharacteristic changes in tone.

The most common fraud phrases, according to an E&Y press release, are "cover up", "write off", "failed investment", "off the books", "nobody will find out" and "grey area". E&Y and the FBI produced these common fraud phrases by monitoring email conversations that take place within what they call the "fraud triangle", which is apparently that dubious place where "pressure, rationalisation and opportunity meet".

"Most often such email traffic is only seized upon by regulators or fraud investigators when the damage has been done," said Ernst & Young Fraud Investigation & Disputes Services director Dr. Rashmi Joshi. "Firms are increasingly seeking to proactively search for specific trends and red flags – initially anonymously – but with the potential for investigation where a consistent pattern of potential fraud is flagged."

E&Y claims that targeted analyses in concert with human judgment could save companies millions by rooting out fraud pre-emptively instead of reactively. Any one of these phrases on its own is ordinary business English; it is the combination of several, from the same sender, across the three corners of the triangle, that the approach treats as a signal.

[Source: threatpost.com]
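The phrase monitoring described above, as an added example in Python. This is not E&Y's or the FBI's software: it uses the phrase lists quoted in the article, groups them by corner of the fraud triangle, keeps sender handles pseudonymous for the first-pass review Joshi describes, and raises a flag only on a consistent per-sender pattern rather than on a single phrase. The assignment of the "most common" and "avoid being overheard" phrases to their own categories, the flag rule, the threshold and every e-mail in the sample are this example's own constructions.

```python
"""Fraud-triangle phrase monitoring over a constructed mailbox sample.
Added example, not E&Y's or the FBI's software. The phrases are the ones
quoted in the article; the 'general' and 'concealment' groupings, the flag
rule and all e-mails below are this example's own."""
import hashlib
import re
from collections import defaultdict

FRAUD_TRIANGLE = {
    "pressure": ["not comfortable", "want to be part of this",
                 "don't leave a trail", "make the number"],
    "rationalisation": ["told me to", "not hurting anyone", "won't miss it",
                        "fix it later", "nobody will find out", "grey area"],
    "opportunity": ["off the books", "off balance sheet",
                    "pull earnings forward", "special fees", "friendly payments"],
    "general": ["cover up", "write off", "failed investment"],   # listed without a corner
    "concealment": ["call my mobile", "come by my office"],       # avoiding being overheard
}
CORNERS = ("pressure", "rationalisation", "opportunity")

# One compiled, case-insensitive, word-bounded pattern per phrase.
_PATTERNS = {cat: [(p, re.compile(r"\b" + re.escape(p) + r"\b", re.IGNORECASE))
                   for p in phrases] for cat, phrases in FRAUD_TRIANGLE.items()}

# Constructed mailbox; people and wording are invented for illustration.
SAMPLE_MAIL = [
    {"id": 1, "sender": "alice@example.invalid",
     "body": "Bob told me to pull earnings forward this quarter. We can fix it later."},
    {"id": 2, "sender": "alice@example.invalid",
     "body": "Can we keep the consulting invoice off the books? Call my mobile, not email."},
    {"id": 3, "sender": "carol@example.invalid",
     "body": "Please write off the broken printer in the Q3 asset register."},
    {"id": 4, "sender": "dave@example.invalid",
     "body": "I'm not comfortable with the plan, but we have to make the number."},
    {"id": 5, "sender": "erin@example.invalid",
     "body": "Don’t leave a trail on this one. Nobody will find out. Come by my office."},
]


def normalise(text):
    """Fold curly apostrophes and whitespace so typed variants still match."""
    text = text.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", text)


def scan_message(body):
    """Return {category: [matched phrases]} for a single message body."""
    text = normalise(body)
    hits = {}
    for cat, pats in _PATTERNS.items():
        found = [phrase for phrase, rx in pats if rx.search(text)]
        if found:
            hits[cat] = found
    return hits


def anon(sender):
    """Stable pseudonymous handle; reviewers see the pattern, not the name."""
    return hashlib.sha256(sender.strip().lower().encode()).hexdigest()[:10]


def review_mailbox(messages):
    """Aggregate hits per sender and flag a pattern, not a single phrase.
    Flag rule (this example's own): two different corners of the triangle, or
    one corner plus a concealment phrase. A lone 'write off' in an ordinary
    asset e-mail never raises a flag on its own."""
    per_sender = defaultdict(lambda: {"cats": defaultdict(set), "messages": []})
    for m in messages:
        hits = scan_message(m["body"])
        if not hits:
            continue
        entry = per_sender[m["sender"]]
        entry["messages"].append(m["id"])
        for cat, phrases in hits.items():
            entry["cats"][cat].update(phrases)
    flagged = []
    for sender, entry in per_sender.items():
        cats = entry["cats"]
        corners = [c for c in CORNERS if c in cats]
        if len(corners) >= 2 or (corners and "concealment" in cats):
            flagged.append({"sender": anon(sender), "corners": corners,
                            "concealment": "concealment" in cats,
                            "phrases": sorted(p for ps in cats.values() for p in ps),
                            "messages": entry["messages"]})
    return sorted(flagged, key=lambda f: f["sender"])


if __name__ == "__main__":
    for f in review_mailbox(SAMPLE_MAIL):
        print(f)
```

On the sample, the two senders whose mail spans more than one corner of the triangle are flagged, while the employee writing off a printer and the one merely voicing discomfort are not; the per-sender aggregation is what keeps the false-positive rate tolerable, and the pseudonymous handle is only resolved to a person once a reviewer decides the pattern warrants it. Tone-shift detection, which the article also mentions, is not attempted here.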

[Advertisement] DRS, Security Systems Integrator: information security experts, IT risk management, IT governance, cybercrime intelligence services, security management services. +27 11 523 1600 • www.drs.co.za


GARTNER: 7 MAJOR TRENDS FORCING IT SECURITY PROS TO CHANGE

Enterprises are under heavy pressure to change their approach to IT security because of a "nexus of forces" that includes big data, social networking, mobile and cloud computing, according to Gartner. Ray Wagner, managing vice president of Gartner's secure business enablement group, summed up these forces at the Gartner Security & Risk Management Summit in National Harbor, which attracted some 2,200 chief information security officers (CISOs) and chief security officers (CSOs).

WAGNER'S TOP TRENDS:

• The adoption of cloud services, especially when end users access them without IT department approval, means traditional security controls such as anti-virus and perimeter firewalls are increasingly ineffective. There's a need to "shift up the stack" in security, "beyond networks and devices," Wagner said.

• All packets across the network are suspect. It's extremely hard to detect compromises and infections in corporate resources, so monitoring should be considered a basic means of detecting attacks. Gartner estimates that by 2020, 75% of enterprises' information security budgets will be set aside for rapid detection and response approaches, up from less than 10% in 2012.

• IT security jobs generally fall into security operations (with a technical focus) or security management (with active involvement in the business side of things). Wagner said the better course is to be the business-savvy CISO with creative approaches to security issues. The use of cloud resources is, to some extent, diminishing the enterprise need for technology expertise in terms of programmers, security testers and database administrators, Wagner said.

• "Bring Your Own Device" and mobile technologies are here to stay, and are driving new technology segments such as mobile-device management, containerisation tools and mobile data protection. "People tried to say 'no,' and it didn't work," Wagner said. Security managers will likely find themselves moving from an "avoid" stance to phases such as accommodating, adopting and eventually assimilating. Identity management and context-aware security will be key to supporting this.

• Operational technology and its management in business are under increasing security threat, and "it's not just the power utilities or national infrastructure," said Wagner. It's all companies with important data processing.

• Identity and access management may need to be looked at from a new perspective. That's because the power of social networking has businesses considering strategies that involve customer identity based on social-network identities rather than managing an account for them. The problem with this, of course, is that social networks generally don't ask for proof of real-world identity, Wagner pointed out. On the other hand, he added, new accounts traditionally relied only on self-assertion. CISOs will need to ask security questions related to the use of social networking as a basis for a customer account. "Is it a little creepy that Facebook knows what your customer is doing?" Wagner wondered aloud.

• Rise of the "Security Free State". This Gartner concept may be a little maverick for many, but it's being seriously presented as one security approach for the future. Basically, Gartner is saying the CISO can decide to reduce security controls in a bid to eliminate bureaucracy and costs, plus improve company morale, since "let's face it, they don't like us," Wagner said. The Security Free State idea is "people-centric security", in which employees are allowed a privilege such as BYOD access to corporate e-mail in return for, say, not keeping sensitive data on the device. There are no specific security controls except a monitoring process set up to make sure the agreement is being kept. If an employee does something wrong, the IT security division takes action. The idea behind it is "they're being treated as people who do things right," Wagner said.

[Source: networkworld.com]

Ray Wagner, managing vice president of Gartner's secure business enablement group


GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE

CEO

WHY YOUR

IS A SECURITY RISK

Don’t underestimate your cyber attacker. He’s patient and meticulous, adept at targeting the weakest link in your network’s security: Your organisation’s employees. He analyses his targets in great detail and probably knows your employees better than you do. He studies them on social-networking sites to understand what they care about, what they respond to, how they behave, where they went to school, who their friends are, where they live, and what their hobbies are. Hackers have proven themselves to be astute “social engineers,” to use the creepily euphemistic term that’s current in the world of data security. They understand that if they can create some sort of emotional trigger and deliver it in the form of an email message, people will pull it.

Providing users with more and better information about the risks is an obvious way to address the problem, but too much of that information goes to waste. At an investment firm I’m familiar with, the security team sends out a monthly newsletter addressing multiple security topics, but one employee got so sick of the “There was an error in your payslip,” messages she set up an automated rule to a message might say. Click. “We’re route them to her junk folder. Her thinking migrating our payroll system — follow this was: This is IT’s problem; why should I link.” Click. They prey on people’s undying have to read all that? interest in anything that appears to promise a reward or that might cost them People can be taught to fly fighter jets and money, and they’re practiced at using an perform brain surgery. Surely they can be authoritative tone that seems to insist on taught to recognise and report suspicious compliance. emails. But how can a company overcome the not-my-problem mind-set? And, of course, once someone clicks, There’s a lot to be learned from educators or opens the file attached to the email, and marketing people. Training should the hacker is in. These links and files appear innocuous, but they’re often laden be bite-sized, focused on the most relevant issues, and based on immersion with malware that compromises your computers and provides hackers a crucial in experiences. Traditional methods like newsletters and PowerPoint presentations foothold in your organisation’s network. are too passive. In today’s world, where most of us unknowingly suffer from some I’ve found that in simulations of such degree of ADD, training needs to be more attacks, on average, 58% of people will engaging. One approach that has worked click an email hyperlink that could have led really well is simulating attacks against to a malware infection. 
Typically, these are employees and, at just the moment when people who have been through years of they “fall prey,” presenting a short training conventional security-awareness programs module. Other suggestions: Don’t harp that have included poster campaigns, on people’s bad behavior. Instead, be mandatory annual computer-based entertaining, make sure your message is training, and brown-bag sessions on topics perceived as relevant to the audience, and such as how to choose a strong password. reinforce positive behaviours. Use case studies and anecdotes to tell about breakins and discuss what could have been The dismal figures on user naiveté have done to prevent them. And, of course, led a lot of security professionals to give up on the human factor and focus instead measure the outcomes. on creating increasingly sophisticated Teaching executives can be particularly detection systems. But the human factor tricky. It’s often a given that they don’t have remains critical for stopping attacks. time to participate in security training. One A report recently published by security company Trend Micro indicates that 91% technique that works is telling executives that you want them to see what the rankof all cyber attacks start with a targeted and-file are going to experience in the phishing email. training. “There was an error in your payslip,” a message might say. - Click “We’re migrating our payroll system follow this link.” - Click Cybershield Magazine • July - September 2013 • Special Cyber Espionage Edition • Page 26

Show them what happens when they click on a link in a phishing email, and then discuss the consequences. Training is particularly important for executives, because they represent a vulnerability in the company’s defences. For one thing, their high-profile positions make it easy for hackers to dig up a lot of information about their activities and interests, and that data can be used to craft fake messages. For another, they’re always hurrying through their inboxes; if they see a message that contains an emotional trigger, such as “Company XYZ is filing a lawsuit against your company. Please find attached the details,” they’ll click. And because they so often exclude themselves from security training, they may lack a basic understanding of threats. With immersive training, companies can reduce average employee susceptibility to targeted attacks to below 10%. Not only are trained employees better at avoiding the traps of phishing, but they can be your eyes and ears too, alerting the relevant members of the organisation’s security teams to attempted break-ins. Still, you always have to think about the timing of any training: How long will new hires be on the staff before they’re taught to avoid clicking the wrong links and opening potentially dangerous attachments? And you have to be aware of changes in the threats. On the near horizon are attacks that employ “conversational phishing,” in which a very real-sounding but computer-generated conversation lulls you into thinking you’re interacting with someone you know. You’ll get an email from an address you recognise, saying, simply, “Great talking with you.” A few hours later, you’ll get another, saying something equally innocuous. Pretty soon you’ll get one with a link. Click. [Source: Harvard Business Review]


IT SECURITY PROS HAVE TROUBLE COMMUNICATING WITH EXECUTIVES

A Hanover Research survey of 131 information security professionals revealed key differences between the way executive and non-executive IT professionals communicate with senior leadership.

• Only 38% of non-executive respondents use business-oriented language when communicating with senior executives;
• 48% of non-executive respondents believe it is somewhat or very difficult to discuss information security with senior management;
• 78% of executive respondents and 85% of non-executive respondents ranked risk management as the highest among the key issues they need to communicate with executive leadership about.

“Information security risk is getting a lot of attention due to high-profile incidents and increasing pressure from the SEC, but the good news is this means critical security and risk conversations are occurring at very senior levels in the organisation,” said Dwayne Melancon, chief technology officer for Tripwire. The bad news is most IT security professionals haven’t developed the necessary skills to communicate effectively with non-technical executives.

Melancon continued:

“IT security professionals tend to focus on granular, technical information, but senior leadership wants to focus on how security can protect business goals like revenue growth, profit, competitive agility and customer satisfaction. This ability to communicate the value of information security in terms easily understood by the rest of the business is a critical skill for career success in IT security. Connecting security to the business is destined to become the new normal.”

[Source: net-security.com]


AUDITS AND ASSESSMENTS

NATIONAL AUDIT OFFICE CHALLENGES UK CYBER SECURITY

Amyas Morse, head of the NAO, said the threat to cyber security is persistent and continually evolving. “Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack,” Morse said.

The UK government’s strategy for cyber security is beginning to deliver benefits despite still being in its early stages, according to a review by the independent National Audit Office (NAO). The UK Cyber Security Strategy, published in November 2011, set out how the government planned to deliver the National Cyber Security Programme until 2015. To support this programme, the government committed £650m in additional funding. But collaboration with business and citizens and addressing the shortage of cyber skills remain crucial to success, the NAO report warned.

HOWEVER, THE NAO IDENTIFIED SIX KEY CHALLENGES TO IMPLEMENTING THE GOVERNMENT’S CYBER SECURITY STRATEGY:
• Forming effective partnerships with industry to reach a common understanding of risks and share the costs of protecting the UK;
• Addressing the UK’s current and future ICT and cyber security skills gap;
• The need to increase awareness so that people are not the weakest link;
• Tackling cybercrime and enforcing the law at home and abroad;
• Getting government to be more agile and joined-up;
• Demonstrating value for money.

The NAO report expresses particular concern about the lack of cyber talent, which leaves the UK vulnerable to attack. The shortage of cyber ICT skills “hampers the UK’s ability to protect itself in cyberspace and promote the use of the internet both now and in the future,” the report said.

THE REPORT HIGHLIGHTED SEVERAL AREAS OF INITIAL PROGRESS, INCLUDING:
• The take-down of 36 website domains that were selling compromised credit card and financial data in 2012 by the Serious Organised Crime Agency (SOCA), preventing more than £500m in fraud;
• In the past year, the public reported over 46,000 incidents of cybercrime to Action Fraud, representing £292m in attempted fraud;
• The Police Central e-crime Unit, with other international agencies, suspended over 15,000 websites engaged in fraud;
• Intelligence agency GCHQ and CPNI launched the cyber incident response pilot scheme to provide links to organisations certified to deal with cyber security attacks;
• GCHQ launched a scheme to certify information assurance and cyber security professionals in the UK and a programme to develop cyber security talent in schools and universities;
• The first eight UK universities have been awarded “Academic Centre of Excellence in Cyber Security Research” status.


UK CYBER SECURITY STRATEGY AIMS
• Tackle cybercrime and make the UK one of the most secure places in the world to do business;
• Make the UK resilient to cyber attack and better able to protect its interests in cyberspace;
• Help shape an open, stable and vibrant cyberspace which the UK public can use safely;
• Build the UK’s knowledge, skills and capability to underpin all cyber security objectives.

COSTS AND BENEFITS The NAO recognised some challenges in establishing the value for money of the cyber security strategy. The report noted that, if cyber attacks do not occur, it will be difficult to establish the extent to which that was down to the success of the strategy. There was also the challenge of determining the relative contribution to overall success or otherwise of different components of the strategy. And there was the challenge of assigning a value to the overall outcome to set against the cost of the strategy, the NAO report said.


HOWEVER, THE NAO NOTES THAT GOVERNMENT HAS WORK UNDERWAY TO MEASURE THE BENEFITS OF THE STRATEGY.

Morse said although it is good that the government has articulated what success would look like at the end of the programme, it was crucial to have some way of measuring progress towards those goals and assessing value for money.

PUBLIC ACCOUNTS COMMITTEE CONCERNS The NAO said the report is designed to set the scene in an area likely to be of continuing interest to the Public Accounts Committee (PAC). Although the PAC has not specifically examined the issue of cyber security, it has raised concerns about cyber security in relation to the government’s plans for smart meters, which will enable energy suppliers to collect meter readings over the internet. The PAC has also expressed concern about a lack of detail on cyber security plans in the government’s 2011 ICT strategy. The NAO report stresses that government must work hand-in-glove with people and businesses to build awareness, knowledge and skills, said Margaret Hodge MP, chair of the PAC. “With this government committing £650m additional funding to cyber security, my committee will want to ask how the action of the fifteen government organisations involved in delivering the strategy is being properly coordinated and what progress has been made,” Hodge said.

COMMERCIAL BENEFITS

Hodge noted that safe and secure use of the internet is increasingly essential for UK businesses to flourish and for society to function. “The value of the UK’s internet-based economy stood at an estimated £121bn in 2010, some 8% of the UK’s GDP, which is a greater share than for any other G20 country,” she said. The use of the internet for commerce and communication is a force for good, said Hodge, but it also poses new and growing threats that government, businesses and individuals cannot ignore.

“With around 80% of the internet in private hands, crossing international boundaries and spanning different jurisdictions, the government cannot approach internet security in isolation,” said Hodge. “Having a robust and well thought-through strategy is crucial if the government is to respond effectively to cyber threats.”

[Source: computerweekly.com | picture source: www.ehi.co.uk]

OF INTEREST

ANDROID SMARTPHONE APP TRIANGULATES GUNFIRE

We recently saw Vaporsens, the handheld electronic dog’s nose that can help police forces accurately determine the presence of illegal substances. Now, researchers at Vanderbilt University in Nashville have developed a smartphone app that can detect the origin of gunfire. Gunshots have a unique sound that can be separated out from ambient noise because most produce a “muzzle blast – an expanding balloon of sound that spreads out from the muzzle each time the rifle is fired”, followed by the “distinctive shockwaves” created by travelling bullets, the team explains. The app is combined with an external sensor module containing multiple high-sensitivity microphones that can detect when a gunshot is fired. Using triangulation based on the differing times at which the sound waves reach each microphone, the device sends information about the direction and distance of the shot to the smartphone via Bluetooth, overlaid on a map of the location. The system currently comes in two versions: one that uses a single microphone module and provides a rough estimate of the location, and another that relies on six separate modules, which could be carried by separate officers, to provide an accurate location of the shooter. The app could help police forces, soldiers or even civilians by giving them more information when under attack, potentially saving lives. Could the technology be modified to detect the location of other types of sound waves, such as explosions, to help firefighters locate the cause of a blaze, or the epicentre of an earthquake to help emergency responders?

[Website: www.isis.vanderbilt.edu]
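The locating step the article describes, as an added example that is not part of the article and not the Vanderbilt team’s code: a toy two-dimensional time-difference-of-arrival (TDOA) locator in Python. Because the firing time is unknown, only the differences between arrival times at the microphones carry information, and the shot is placed where those differences best match the geometry. The six-sensor layout, the shot position, the speed of sound and the timing jitter are all constructed assumptions; separating the muzzle blast from the bullet shockwave and dealing with echoes, which a real system must do, is left out.

```python
import math

SPEED_OF_SOUND = 343.0  # m/s in dry air at about 20 C (assumed constant)

# Constructed layout: six microphone modules, (x, y) in metres, one per officer.
SENSORS = [(0.0, 0.0), (60.0, 0.0), (0.0, 60.0), (60.0, 60.0), (30.0, -40.0), (-40.0, 30.0)]


def arrival_times(source, sensors, t0=0.0, speed=SPEED_OF_SOUND):
    """Time at which the muzzle blast from `source` (fired at t0) reaches each sensor."""
    return [t0 + math.dist(source, s) / speed for s in sensors]


def tdoa_residual(candidate, sensors, times, speed=SPEED_OF_SOUND):
    """Sum of squared mismatch between observed and predicted arrival-time
    differences, each taken relative to the first sensor. The unknown firing
    time cancels out of every difference, which is why only differences are used."""
    d0 = math.dist(candidate, sensors[0])
    total = 0.0
    for sensor, t in zip(sensors[1:], times[1:]):
        predicted = (math.dist(candidate, sensor) - d0) / speed
        observed = t - times[0]
        total += (predicted - observed) ** 2
    return total


def _grid_min(sensors, times, centre, half_width, step):
    """Brute-force minimum of the residual on a square grid around `centre`."""
    best, best_err = None, math.inf
    n = int(round(2 * half_width / step))
    for i in range(n + 1):
        x = centre[0] - half_width + i * step
        for j in range(n + 1):
            y = centre[1] - half_width + j * step
            err = tdoa_residual((x, y), sensors, times)
            if err < best_err:
                best, best_err = (x, y), err
    return best, best_err


def locate(sensors, times, search_radius=200.0):
    """Coarse-to-fine grid search over the plane around the first sensor
    (5 m, then 1 m, then 0.1 m cells). Returns ((x, y), residual)."""
    est, _ = _grid_min(sensors, times, sensors[0], search_radius, 5.0)
    est, _ = _grid_min(sensors, times, est, 5.0, 1.0)
    est, err = _grid_min(sensors, times, est, 1.0, 0.1)
    return est, err


def bearing_and_range(origin, point):
    """Compass bearing in degrees clockwise from +y (north) and distance in metres."""
    dx, dy = point[0] - origin[0], point[1] - origin[1]
    return math.degrees(math.atan2(dx, dy)) % 360.0, math.hypot(dx, dy)


def demo():
    """Fire a constructed shot, add ~0.1 ms of constructed timing jitter, and locate it."""
    true_source = (117.3, -36.8)
    times = arrival_times(true_source, SENSORS, t0=1.7)
    jitter = [0.0, 1e-4, -1e-4, 5e-5, -5e-5, 1e-4]  # seconds, about 3 cm of path each
    noisy = [t + j for t, j in zip(times, jitter)]
    est, _ = locate(SENSORS, noisy)
    return true_source, est, bearing_and_range(SENSORS[0], est)


def estimate_error():
    """Distance in metres between the constructed shot position and the estimate."""
    truth, est, _ = demo()
    return math.dist(truth, est)


if __name__ == "__main__":
    truth, est, (bearing, rng) = demo()
    print(f"true {truth}  estimate ({est[0]:.1f}, {est[1]:.1f})  "
          f"bearing {bearing:.1f} deg  range {rng:.1f} m  error {estimate_error():.2f} m")
```

The single-module version the article mentions corresponds to running this with microphones a few centimetres apart: the differences then fix the bearing well but the range only roughly, which is why the six-module version spreads sensors across several officers.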


AUDITS AND ASSESSMENTS

THE COST OF A BREACH THROUGH THE LENS OF THE CRITICAL SECURITY CONTROLS

THE EVENT: Idaho State University (ISU) recently agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule discovered after ISU notified HHS of the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic. The breach was blamed on the disabling of firewall protections, and on ISU’s failure to notice the change or the lack of protection. ISU also had to agree to a two-year Corrective Action Plan, defining enhanced security procedures and increased reporting to HHS.

THE COST: For an exposure of 17,500 records, the $400,000 fine alone is pretty significant - more than $20/account, which is about double the likely internal costs of dealing with the breach, communicating with affected customers, offering fraud monitoring services, etc. Those costs likely add another $200K. The requirements of the Corrective Action Plan bring additional costs, including a Post Incident Risk Assessment, Annual Reports, etc. Probably the most onerous requirement is that ISU must notify HHS in writing every time it discovers that an ISU employee failed to comply with a policy or procedure. I’m just going to estimate that over the two years it will average out to 1 full-time equivalent at a fully loaded yearly rate of $200K per year.


I’m not going to add in any increased security or external assessment costs, since those are things the University should have been doing in the first place. Add all of this up and I estimate this breach will end up costing the University about $1M over the two-year period, or roughly $500K per year. Since universities typically spend 5% of revenue on IT, and ISU reported $107M in revenue, that $500K per year is about 10% of the overall IT budget each year. Since security budgets at universities typically run 4-5% of the IT budget, another way to look at it: that one incident will cost 4 times as much as the typical university the size of ISU would spend on security over two years.


THE COST OF AVOIDING THE INCIDENT: Since the breach was blamed on a change in firewall policies that exposed servers, there are several Critical Security Controls that would have detected the policy violation:
• Critical Security Control 10: Secure Configurations for Firewalls, Routers and Switches is the most directly applicable. The use of firewall policy management products would have provided an immediate indication.
• Critical Security Control 4: Continuous Vulnerability Assessment and Remediation tools would likely have detected internal server exposure due to firewall ports and services left open.
• Critical Security Control 14: Maintenance, Monitoring and Analysis of Audit Logs would have at least registered the policy change on firewalls as an auditable event and limited the exposure period.
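What the two firewall-related controls above actually look like in practice, as an added example that is not from the SANS piece or from any firewall product: a short Python script that replays constructed firewall audit-log events against an approved baseline. The log format, host name, user names, rules and severities are assumptions made for illustration. The two checks map to the two controls the text names: comparing the running configuration with the baseline catches drift whenever it is run (CSC 10), while alerting on the individual change event as it is logged shortens the exposure window to the time between the change and the next log review (CSC 14).

```python
import copy
import re

# Constructed baseline: the approved policy for a clinic's edge firewall.
# Allow rules are (protocol, port, permitted source range).
BASELINE = {
    "policy": {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"},
    "allow": {
        ("tcp", 443, "0.0.0.0/0"),      # public web front end
        ("tcp", 22, "10.0.0.0/8"),      # admin SSH from the internal range only
        ("tcp", 1433, "10.20.0.0/16"),  # application servers to the database VLAN
    },
}

# Constructed audit-log lines in an illustrative key=value format (not any
# product's real format). Lines two and three are the kind of change the ISU
# breach was blamed on: protection switched off and nobody noticing.
AUDIT_LOG = """\
2013-06-01T08:02:11Z fw01 user=jdoe action=set-policy chain=INPUT target=DROP
2013-06-03T14:17:45Z fw01 user=svc_backup action=add-rule proto=tcp port=1433 src=0.0.0.0/0 target=ACCEPT
2013-06-03T14:18:02Z fw01 user=svc_backup action=set-policy chain=INPUT target=ACCEPT
2013-06-03T14:19:30Z fw01 user=svc_backup action=del-rule proto=tcp port=22 src=10.0.0.0/8 target=ACCEPT
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.+)$")


def parse_events(text):
    """Turn each audit line into a dict of its fields; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
        fields.update(ts=m["ts"], host=m["host"])
        if "port" in fields:
            fields["port"] = int(fields["port"])
        events.append(fields)
    return events


def apply_events(state, events):
    """Replay the change events on a copy of `state` to get the running configuration."""
    state = copy.deepcopy(state)
    for e in events:
        if e["action"] == "set-policy":
            state["policy"][e["chain"]] = e["target"]
        elif e["action"] in ("add-rule", "del-rule") and e.get("target") == "ACCEPT":
            rule = (e["proto"], e["port"], e["src"])
            if e["action"] == "add-rule":
                state["allow"].add(rule)
            else:
                state["allow"].discard(rule)
    return state


def policy_drift(baseline, current):
    """CSC 10 view: compare the running configuration with the approved baseline.
    Returns (severity, description) pairs: default-policy changes, then
    unapproved allow rules, then approved rules that have gone missing."""
    findings = []
    for chain, approved in baseline["policy"].items():
        actual = current["policy"].get(chain)
        if actual != approved:
            sev = "HIGH" if actual == "ACCEPT" else "MEDIUM"
            findings.append((sev, f"default policy on {chain} is {actual}, baseline says {approved}"))
    for proto, port, src in sorted(current["allow"] - baseline["allow"]):
        sev = "HIGH" if src == "0.0.0.0/0" else "MEDIUM"
        findings.append((sev, f"unapproved allow rule {proto}/{port} from {src}"))
    for proto, port, src in sorted(baseline["allow"] - current["allow"]):
        findings.append(("LOW", f"approved rule {proto}/{port} from {src} is missing"))
    return findings


def risky_events(events, public_ports=frozenset({443})):
    """CSC 14 view: flag each audit event that weakens protection as it is logged."""
    alerts = []
    for e in events:
        if e["action"] == "set-policy" and e["chain"] in ("INPUT", "FORWARD") and e["target"] == "ACCEPT":
            alerts.append((e["ts"], e["user"], f"{e['chain']} default policy opened to ACCEPT"))
        elif e["action"] == "add-rule" and e.get("src") == "0.0.0.0/0" and e["port"] not in public_ports:
            alerts.append((e["ts"], e["user"], f"{e['proto']}/{e['port']} exposed to any source"))
    return alerts


if __name__ == "__main__":
    events = parse_events(AUDIT_LOG)
    for ts, user, why in risky_events(events):
        print(f"ALERT {ts} {user}: {why}")
    for sev, why in policy_drift(BASELINE, apply_events(BASELINE, events)):
        print(f"DRIFT [{sev}] {why}")
```

Run against the constructed log, the event check raises two alerts on the afternoon of 3 June (the database port opened to any source, then the INPUT chain defaulted to ACCEPT), and the drift check reports the same two conditions as HIGH plus the deleted SSH rule as LOW. Either one on its own would have ended the months-long exposure the ISU settlement describes.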

OF INTEREST

OPEN DATA PLATFORM REVEALS COMPLEX CORPORATE STRUCTURES OF BANKS

A London-based company called OpenCorporates has developed a platform that collects global corporate datasets, many of which weren’t previously available as open data, and presents them as visualisations. One of the most revealing aspects of the platform is a visualisation of the global corporate networks of the six biggest banks in the US: Goldman Sachs, Bank of America, Morgan Stanley, Wells Fargo, Citigroup and JP Morgan. The map aims to illustrate how complex multinational companies are. It plots the number of subsidiaries by country, along with the ownership structure.

The use of firewall policy management tools is growing, but is not all that common at medium-sized universities, so let’s assume that it would require completely new spending. I’m going to estimate $40K procurement, $15K second-year maintenance costs and 1 FTE. So, spending $75K could have completely avoided the $1M expense - not a bad ROI, especially since I’m not including any soft costs like hiring new CIOs and CISOs, dealing with regents and other board-of-directors-like functions, etc. Even if I worst-case it, the prevention costs do not exceed the hard avoidance costs. Vulnerability assessments and log monitoring are really security 101 - even a university is completely deficient if it isn’t already doing those things. But I’ll assume that it was being done so badly that signing up for a vulnerability scanning service and buying a mid-range SIEM product is required. I’ll throw $30K/year and 1 FTE at the former, and $100K acquisition, $30K second-year costs and 1/4 FTE at the latter. Add all that up and you get about $250K of technology purchases and about $250K of increased labour - about equal to the cost of the breach. So, even in the worst case the ROI is huge if you assume a second breach was inevitable if no vulnerability assessment or log analysis was being done.

BOTTOM LINE: It is not hard to show security ROI. The Critical Security Controls give you an easy way to prioritise and justify easy but effective increases in security. [Source: SANS.org]

Taking Goldman Sachs as an example, the platform shows that in Hong Kong there’s a company called Goldman Sachs Structured Products (Asia) Limited that’s controlled by another company called Goldman Sachs (Asia) Finance, which is registered in Mauritius. That, in turn, is controlled by a company in Hong Kong, which is controlled by a company in New York, which is controlled by a company in Delaware, and that company is controlled by another company in Delaware called GS Holdings (Delaware). This company is a subsidiary of The Goldman Sachs Group in New York City. There are hundreds of such chains, many of which have around 10 layers of control below the HQ. Goldman Sachs has more than 4,000 separate corporate entities, a third of which are registered in countries such as the Cayman Islands and Mauritius, which one might describe as tax havens. Similar patterns can be observed in all of the other banks. The data has all been taken from publicly available data at the Federal Reserve and the Securities and Exchange Commission. Much of the data was previously available only in PDF or web page form, so OpenCorporates had to develop scripts that would isolate and scrape the relevant information in an automated way, so that the database is future-proofed. For each data point, users can find out where the data comes from. This means that if any figures are wrong, OpenCorporates can identify the source of the bad data. The plan is to create similar networks for every single corporation. Networks have already been created for large companies such as Starbucks, Barclays and IBM. The dataset is released as open data and third parties can collaborate by contributing to and correcting the data. [Source: wired.co.uk]


MANAGED SERVICES

WHY YOU SHOULD OUTSOURCE MANAGEMENT OF YOUR COMPANY’S NEXT GEN FIREWALL

It is already common knowledge that cybercrime holds enormous economic ramifications for corporate and private victims. Sometimes, as was recently proven in South Africa, it can even compromise personal safety. In May 2013, the website of the South African Police Service (SAPS) was hacked into, resulting in the personal information – including names, telephone numbers, and identity numbers – of approximately 16,000 whistle-blowers being published on a number of websites. The hacker reportedly performed a data dump, downloading details from the SAPS website’s e-mail server, which is where all that sensitive information was stored. It left many people, who had confidentially reported crimes or suspects to the police, extremely vulnerable and fearing for their safety. Although the SAPS later downplayed the severity of the breach, industry experts were quoted as saying that it was entirely preventable, since the hacking succeeded due to lax cyber security measures. “It just goes to show that not even law enforcement is safe from cybercrime anymore,” says Jayson O’Reilly, Director: Sales and Innovation at security solutions provider DRS. “Hackers are getting increasingly ruthless and sophisticated, so companies, organisations and individuals need to become more vigilant in return.”

O’Reilly says there are a number of steps companies and private web users can take to protect themselves from hack attacks, malware and viruses. “Of course anti-virus software is a given. But while that is an effective tool for identifying issues, with the nature of today’s cyber assaults becoming more vicious and invasive, you need another layer in your IT defense strategy.” Instead of investing in more security controls, he advises companies and individuals to implement one intelligent control, such as a next-generation firewall (NGFW). “Firewalls have been accurately described as the virtual equivalent of the physical perimeter fences, guards, door locks, access cards and alarms that businesses and individuals use to protect their properties. A firewall can be a piece of hardware (external) or software (internal) that works to secure your home or company network by filtering and controlling incoming and outgoing traffic by analysing the data in order to keep out anything malicious.” NGFWs have improved greatly on traditional firewalls, O’Reilly says. “NGFWs now have such ingrained intelligence, they have intrusion prevention and deep packet inspection functionality. This enables them to distinguish one kind of web traffic from another and detect malware and other exploits before they strike,” O’Reilly says.



“It also allows users to enforce very specific business policies. So for example, the firewall can let employees access Facebook from the work network, but prevent them from downloading apps and games within the social networking site.” While NGFWs have undoubtedly increased network security levels, they have a drawback. “If an NGFW is badly configured and not managed properly, it can cause a lot of problems, such as knocking your entire network offline. Apart from being a major frustration, this will have an adverse impact on productivity and even possibly lead to a loss of income,” O’Reilly says. “According to IT market research and analysis firm International Data Corporation (IDC), 60 to 70% of all firewalls are misconfigured, which renders them worse than useless.” As companies realise how NGFWs enhance security, adoption is growing. Security policy management firm AlgoSec reveals that 36% of recently surveyed organisations and companies are now deploying them. However, according to AlgoSec’s European 2013 State of Network Security Report, in which 130 IT security and network operations professionals were surveyed in April 2013, 57% of those respondents said that deploying NGFWs has increased their firewall management workload, and 70% said that they have had to make more changes to their NGFWs than to traditional firewalls. “Instead of running the risk of implementing it incorrectly in the first place, which will lead to major headaches for your IT team, you can outsource your firewall deployment and management,” says O’Reilly.

INTRUSION PREVENTION MANAGEMENT CAN HELP THWART ZERO-DAY ATTACKS

The saying “prevention is better than cure” can be applied to more than just human health. It pertains to everything. Even automobile companies advise buyers that their vehicles should undergo regular maintenance, because it is far more cost-effective than having to fix a problem after it arises. The same goes for companies and their IT security, especially now that threats to networks and systems are happening faster and becoming more sophisticated, complex and targeted than ever before. In this instance, prevention ought to be a genuine concern. Security software firm Symantec recently published its 2013 Internet Security Threat Report, and the results are alarming. It shows that small and medium businesses (SMBs) have seen the greatest increase in threats and attacks, with targeted attacks in 2012 increasing to 42%, with 31% of those attacks specifically being aimed at companies with fewer than 250 employees. There were 14 zero-day vulnerabilities reported in 2012, up significantly from the previous year’s eight. “These zero-day attacks, which are also known as zero-hour attacks, are when hackers exploit vulnerabilities and bugs in software systems before the software companies and users are even aware of them or, in the event that the software manufacturers are aware of it, have had time to create patches to prevent attacks,” explains Jayson O’Reilly, Director: Sales and Innovation for DRS, a company that specialises in enterprise-wide security risk management. “When hackers and cyber criminals find such security holes, they use the opportunity to create a virus or worm that wreaks havoc and harms computer systems in a myriad of ways and causes complete network and application outages. Fixing it can be costly and time consuming and, depending on what kind of software was targeted, temporarily halt the productivity of many or even all employees in a company, which leads to loss of income.” Not even giant corporations have been spared. Earlier this year, Apple, Microsoft, and the social networking sites Facebook and Twitter all had their systems compromised by exploits that were traced back to zero-day vulnerabilities in Java. O’Reilly advises that the way to thwart such attacks is by employing Intrusion Prevention Management. “This pre-emptive approach to security aims to protect networks against vulnerabilities before they arise. It is used to identify potential threats and to respond quickly,” he says. An intrusion prevention system (IPS) is used to monitor network traffic. Since attackers can carry out attacks very quickly after gaining access to a network, an IPS has the ability to take immediate action, allowing the network administrator to block all further traffic from a certain IP address or port, while continuing to forward legitimate traffic to the recipient without any delay or disruption of service. O’Reilly says DRS is one of the first companies in South Africa to have adopted Intrusion Prevention Management technologies. “Using the latest, pro-active, state-of-the-art technologies, DRS’s IPS specifically offers protection against zero-day attacks and we have had many successes locally with its implementation. DRS understands how to integrate IPS technology into a client’s environment and to tune the equipment to eliminate false positives. In addition, DRS also offers a 24/7 IPS monitoring service to monitor and maintain the client’s IPS implementation.” O’Reilly adds that all events are monitored, logged, assessed and addressed according to individual customer requirements.

Jayson O’Reilly, Director: Sales & Innovation at DRS (Photo source: itweb.co.za)



MANAGED SERVICES

MALICIOUS EMAILS ABOUND IN SOUTH AFRICA

EMAIL SECURITY AS IMPORTANT AS EVER

Although cyber criminals and scammers are increasingly using social media to launch attacks on companies and individuals, they haven’t abandoned email as a channel. In South Africa malicious email traffic is amongst the highest in the world, and so is the phishing rate. “Email-borne security threats remain a major concern for local users. While individuals and companies may have the basics in place, such as antivirus and anti-spyware software, these aren’t always updated with appropriate frequency to keep pace with threat evolvements. This leaves systems vulnerable to newer attacks.” “Robust, up-to-date email security is as important as it has ever been,” says Richard Broeke, sales manager at Securicom, a specialist provider of managed IT security services in southern Africa. Citing Symantec’s Internet Security Threat Report 2013, he says one in 178 emails is identified as malicious – putting the country in the top four geographies where malicious email traffic is high. Malicious code includes programmes such as viruses, worms and Trojans which are secretly installed on computer systems to destroy or compromise data or steal sensitive information. Phishing is another major concern, with more than one in 200 emails in South Africa identified as phishing. This high phishing rate puts South Africa second only to the Netherlands. Phishing is an attempt by a third party to solicit confidential information from an individual, a group, or an organisation by spoofing a specific, usually well-known brand. Users are usually tricked into revealing personal or sensitive information which phishers then use to commit fraud. Phishing emails convincingly bearing the branding of banks, well-known retail stores, and SARS are common. Spam, a bandwidth guzzler and often used as a conduit for malicious code, is also a problem. Globally, Symantec found around 30 billion spam emails in circulation every day – accounting for 68.5% of email traffic.
Broeke explains that malicious activity typically affects computers that are connected to high-speed broadband internet because these connections offer larger bandwidth capacities, higher speeds and the prospect of constantly connected systems. “This makes it easier and more convenient for attackers and spammers to infect systems. Generally, attackers aren’t concerned about the size of the organisation. As long as there is a stable and constant connection to the internet, small businesses and individual home-users can be targets.

“In fact, small to medium-sized businesses are often perceived as softer targets because they aren’t likely to have the high-level security measures in place that larger corporates typically do. The fact of the matter is that no organisation of any size can afford to go bare on email security nowadays. If you’re vulnerable, cyber criminals and scammers will find you. Nobody thinks it will happen to them until it does,” he says. Broeke says companies need to go beyond antivirus, antispam and anti-spyware software to mitigate these email threats. “Unfortunately, it is not only about stopping bandwidth wastage and preventing systems from being infected with destructive programmes. Companies need to exert greater control over the type of information that employees can send and receive over email to prevent sensitive information from being intercepted, stolen and compromised.

“Data breaches, as well as the circulation of inappropriate and offensive content by employees, can land companies in hot water, and even lead to fraud and espionage. The only way to gain visibility and control over what employees use their email for is to employ content filtering and enforce corporate email usage policies to define and limit employees’ email use,” he advises.

Richard Broeke - Securicom
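The outbound content-filtering control Broeke recommends, as an added example that is not Securicom’s product or code: a small Python policy check that screens outgoing messages for executable attachments and for identifiers that should not leave the organisation in plain text. Both South African ID numbers and payment card numbers carry a Luhn check digit, so the filter validates the checksum (and, for ID numbers, the embedded date) rather than matching every 13- or 16-digit run, which keeps false positives on phone numbers and references down. The policy, the approved-sender exception, the mailbox addresses and the sample messages are all constructed for the example; the identifier values are constructed so that they pass the checksum and belong to nobody.

```python
import re

# Constructed outbound-mail policy; every list and threshold here is an assumption.
POLICY = {
    "blocked_extensions": {".exe", ".scr", ".js", ".vbs"},
    "approved_senders": {"payroll@example.co.za"},  # may send identifiers to counterparties
}

SA_ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")                   # exactly 13 digits
CARD_RE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")    # 16 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum, used by payment card numbers and by South African ID numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sa_ids(text):
    """SA ID numbers (YYMMDD SSSS C A Z) with a plausible month/day and a valid checksum."""
    hits = []
    for m in SA_ID_RE.finditer(text):
        s = m.group()
        month, day = int(s[2:4]), int(s[4:6])
        if 1 <= month <= 12 and 1 <= day <= 31 and luhn_ok(s):
            hits.append(s)
    return hits


def find_card_numbers(text):
    """16-digit card numbers written with optional spaces or dashes, checksum-validated."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def screen(msg, policy=POLICY):
    """Return ('block' or 'allow', [reasons]) for one outbound message dict."""
    reasons = []
    for name in msg.get("attachments", []):
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in policy["blocked_extensions"]:
            reasons.append(f"executable attachment {name}")
    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    ids, cards = find_sa_ids(text), find_card_numbers(text)
    if (ids or cards) and msg["from"] not in policy["approved_senders"]:
        reasons.append(f"{len(ids)} ID number(s) and {len(cards)} card number(s) in plain text")
    return ("block" if reasons else "allow"), reasons


# Constructed messages. 8001015009087 and 4111 1111 1111 1111 are checksum-valid
# test values constructed for this example; 8001015009088 fails the checksum.
MESSAGES = [
    {"from": "jsmith@example.co.za", "to": "someone@webmail.example", "subject": "list",
     "body": "Customer details: ID 8001015009087, phone 011 555 0100", "attachments": ["customers.xlsx"]},
    {"from": "payroll@example.co.za", "to": "salaries@bank.example", "subject": "salary run",
     "body": "Employee 8001015009087 paid", "attachments": []},
    {"from": "it@example.co.za", "to": "all@example.co.za", "subject": "tool",
     "body": "Please run the attached", "attachments": ["update.exe"]},
    {"from": "sales@example.co.za", "to": "buyer@example.org", "subject": "invoice",
     "body": "Ref 8001015009088 paid by card 4111 1111 1111 1111", "attachments": []},
]


def screen_all(messages=MESSAGES, policy=POLICY):
    """Verdict for each message, in order."""
    return [screen(m, policy)[0] for m in messages]


if __name__ == "__main__":
    for m in MESSAGES:
        verdict, reasons = screen(m)
        print(f"{verdict:5} {m['from']:>24} -> {m['to']:<24} {'; '.join(reasons)}")
```

Of the four constructed messages the filter blocks the customer list, the executable and the invoice carrying a card number, and lets the payroll message through only because its sender is on the approved list; that exception is where a real policy needs encryption or a secure transfer channel rather than plain email.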


CYBER THREATS & ESPIONAGE


MCAFEE REPORT DETAILS RISKS TO RETAILERS THROUGH POINT OF SALE SYSTEMS

CALLS FOR MERCHANTS TO INCREASE PROTECTIONS TO ADDRESS SECURITY AND PRIVACY CONCERNS

McAfee has released Retail Reputations: A Risky Business, a report on the growing risks the industry is facing with both legacy and newer point of sale (POS) systems. The report discusses how the retailing industry’s reliance on third parties for service and support is creating security vulnerability and privacy issues. Today’s advanced security threats mean that a retailer needs to be more than just PCI DSS compliant in order to protect customer information beyond credit cardholder data.

“The industry is very fragmented with a large base of smaller merchants utilising secondary market or used point of sale systems,” said Kim Singletary, director of retail solutions marketing at McAfee. “Merchants who do not have a broader security and privacy focus are leaving themselves vulnerable to susceptible systems and processes. If security, compliance and privacy adherence were more transparent to consumers, then retailers could look at these things as business differentiators rather than obligations.”

System integrators in the retail industry are being asked to be certified by the PCI Council as a key component of the technology and service supply chain, to resolve the inconsistent attention to security and the vulnerable configuration issues that could lead to security compromise. Retailers need to be concerned with how they evolve customer engagement and ensure their security strategy and plans address the growing threat landscape. Securing POS systems, from basic system functions to newer applications that utilise customer information, is essential to protecting the retailer’s brand and reputation. The McAfee report reveals that POS systems are updated too infrequently, creating vast windows of opportunity for criminals to find and exploit vulnerabilities.

Once a new vulnerability is located, businesses using the same types of systems can be easily identified and targeted for attack. The vulnerabilities in POS systems that are not regularly updated increase the likelihood that consumers’ cardholder and personal data is at risk. “Retailers have worked hard not to store cardholder data, however, they still maintain a great deal of specific proprietary customer data on their networks that are a potential treasure trove for criminals and identity thieves,” said Greg Buzek, founder and president of IHL Consulting Group. “When a security breach occurs, retailers are at risk of losing their customers’ trust and business.”

The report calls attention to the need for retailers to invest in protecting consumers’ information. McAfee recommends retailers implement higher levels of security to defend against advanced security threats such as:

• application whitelisting

• point of sale integrity control

• hardware-enhanced security

The report also recommends retailers use orchestrated security management solutions for POS systems to reduce the burden of distributed system security monitoring and policy management.



CYBER THREATS

“STUXNET WAS OUT OF CONTROL,

WE HAD TO REVEAL IT”

- KASPERSKY INTERVIEW

Eugene Kaspersky interview lifts the veil on a shadowy world of internet espionage and sabotage: and it’s not a pretty sight. Eugene Kaspersky, the founder and CEO of Kaspersky Labs, one of the largest digital security firms in the world, is a celebrity among the cyber-literate crowd. Everyone in the industry is eager to hear what he has to say. For a man who has made secrecy his art, he rarely divulges genuine information about what is really happening under the surface of the cyberwars we are increasingly hearing about on the news. There are occasions, however, where he will utter a few sentences that set off controversy.

For 15 years he has led the company, which is now a market leader with global reach. It is currently active in nearly 200 countries, providing security for over 300 million Internet users. He is considered an expert in his field. The company he owns has scored a number of considerable, important successes in snuffing out viruses, Trojan horses, and other digital parasites. Last year, Kaspersky warned of an onslaught of increasingly fierce cyber attacks, and this year it is getting worse, he says. “Every public or commercial organisation is attacked hundreds of times every day, and some of these organisations are not even aware that they are being attacked,” he said. “There is a tremendous global shortage of digital security engineers. Just a short crash course could spare an organisation serious damage while raising awareness among the workers.” Kaspersky said that it is imperative for government and privately owned entities to cooperate on this front.

ARE WE CURRENTLY IN THE THROES OF AN INTERNATIONAL CYBERWAR?

“This is a worldwide phenomenon. The targets are usually governments, government agencies, embassies, political organisations, and even scientific organisations. The last attack that we uncovered involving the NeTraveller virus was aimed at all of these targets. Still, we have yet to see a real war. A war is a daily struggle.”

HOW MANY LARGE-SCALE CYBER ATTACKS HAVE TAKEN PLACE TO THIS DAY?

“You can count them on one hand, but the pace of attacks is growing. Today there are various kinds of cyber attacks, and criminal organisations are entering this field and offering their services to governments and commercial companies. They have their own forums, their own social networks, and they run their own parallel world. Unfortunately, many countries suffer from these cyberwars.”

YOU ARE SUPPOSED TO HELP THE GOOD GUYS STOP THE BAD GUYS. IF SO, WHY DID YOU REVEAL STUXNET? [The Stuxnet computer worm of 2010, which destroyed several Iranian nuclear centrifuges, was revealed as a joint U.S.-Israeli cyberweapon aimed at specific Iranian nuclear facilities.]

“That virus spun out of control. Although it was intended to stop the progress of Iran’s nuclear program, it also damaged 100,000 computers all over Europe. There was a need to stop it. Cyberwars act like boomerangs. In the real world, when you launch a missile, it homes in on a target and then it is completely destroyed. A virtual missile, however, is not destroyed. The attacking side could intercept it, change a few lines of code, and send it back to whoever launched it in the first place. So it would be advisable for governments not to enter cyberwars because in a boomerang war there are no winners.”

WHERE DO MOST OF THE ATTACKS ORIGINATE?

“It’s hard to pinpoint one specific culprit. You could see fingerprints of a number of different sources in English, Spanish, Portuguese, Russian, Chinese. Today there are more than 10,000 groups and individuals who wage cyberwar around the world. Still, it is safe to say that behind every cyber offensive are states and governments. It is hard to gauge where the attacks come from because the language they ‘speak’ could be for camouflage purposes. Without pointing a finger at anyone, many of the attacks are encoded in Chinese. That does not mean we can definitively state that they originate with the Chinese government, but there are not many other possibilities.”

THE MOTIVE: MONEY

Kaspersky argues that there are currently three kinds of cyber attacks: criminal; industrial espionage, like Stuxnet, which was a virus designed to spy; and injurious attacks that are solely designed to cause damage and not gather information. Interpol has established a special unit whose task is to counter these attacks. A number of local police departments have also adopted a similar approach. Espionage is particularly problematic. There is cyberactivity initiated by governments, while criminals operate at the behest of governments, Kaspersky asserts. There are also cyber criminals who sell the information to governments who express interest. The most dangerous type of cyber warfare is that which threatens vital infrastructure like water, electricity, oil supplies, and telecommunications systems.


“What really scares me is possible attacks on critical infrastructure,” Kaspersky says. “It’s only a matter of time before we see a ‘cyber Armageddon’.”

WHAT HAPPENS IN THIS KIND OF CYBERWAR?

“One attack [in South Korea] caused the shut-down of 40,000 computers, and companies were unable to operate. An attack on the Saudi ARAMCO company paralysed it for two weeks. An attack on telecommunications systems in Estonia in 2007 caused an Internet blackout in the entire country. There are not many such attacks, but they are very dangerous and they are happening at an increasing frequency.”

ONE IMPRESSION THAT HAS BEEN CREATED IS THAT DATA SECURITY COMPANIES LIKE YOURS HAVE PROFITED FROM THESE ATTACKS. PERHAPS YOU ARE STIRRING UP A SENSE OF PANIC WHEN THERE REALLY ISN’T A PROBLEM AT ALL?

“If you go to a hospital and ask doctors whether they are happy that an epidemic broke out, they’ll tell you, ‘No.’ This is my job, but I am not happy that there is more work to do. It is easy to predict what the future will look like because we see how sensitive the world is and how the bad guys are growing more sophisticated.”

WHAT ARE THE MOTIVES OF CYBER CRIMINALS?

“Money. They set out on espionage missions because they know someone will buy the information they possess. All the information is on the Web, and it is possible to copy it and steal it. There are many espionage attacks because the price of information is at a premium. Attacks on infrastructure are motivated mainly by political considerations.”

WHAT ABOUT PERSONAL INFORMATION BELONGING TO EACH AND EVERY ONE OF US? NOW WE HEAR THE AMERICAN ADMINISTRATION IS MONITORING PEOPLE’S PHONES AND INTERNET ACCOUNTS.

“For years we have been aware of the administration’s demand to receive information. There are reports that Sweden is monitoring traffic from Russia. I am sure that a lot of countries do the same thing. The PRISM project in the U.S. is nothing new. This has been the reality for quite some time. If you use a credit card, if you use the Internet, there is information about you out there. Some say that it is an invasion of privacy, but there is no other option in cyberspace unless you start conducting your affairs in Chinese. In that case there will be fewer people tracking you because not many people know Chinese.”

SO WHAT DO YOU RECOMMEND THAT WE DO IN ORDER TO FEEL SAFER FROM CYBER CRIMINALS?

“If private customers do not pay attention to the issue of security, cyber criminals will be happy to penetrate their computers and turn into the terrorists of the future. Business entities are on the front lines and they need to fend off professional attacks. It is a question of educating employees. As for the critical infrastructures, there needs to be tighter regulation that sets guidelines governing protected computer systems. Today, everyone builds a system as they see fit. In telecommunications and other critical infrastructures, there needs to be greater supervision. Governments need to decide to undertake more international cooperation against sabotage attempts on the Web.”

[Source - israelhayom.com]



CYBER FORENSICS AND INCIDENT MANAGEMENT

DELL SHIPS MALWARE INFECTED SERVER MOTHERBOARD

Dell has confirmed that some of its PowerEdge server motherboards were shipped to customers with malware code on the embedded server management firmware. The infected motherboard was found on replacement Dell PowerEdge R410 rack servers, according to a post on a Dell support forum. A Dell representative confirmed the issue after a customer received a call warning about the infected motherboard.

HERE IS THE OFFICIAL WORD FROM DELL:

“As part of Dell’s quality process, we have identified a potential issue with our service motherboard stock, like the one you received for your PowerEdge R410, and are taking preventative action with our customers accordingly. The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware. This malware code has been detected on the embedded server management firmware as you indicated. We take matters of information security very seriously and believe that any impact to a customer’s information security is unlikely.

To date we have received no customer reports related to data security. Systems running non-Windows operating systems are not vulnerable to this malware and this issue is not present on motherboards shipped new with PowerEdge systems.”

UPDATE: After the publication of this story, Dell emailed the following statement from Forrest Norrod, vice president and general manager of server platforms: “Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers – PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software. This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.”

[Source: threatpost.com]



MICROSOFT, FINANCIAL SERVICES AND OTHERS JOIN FORCES TO COMBAT MASSIVE CYBERCRIME RING Microsoft works with financial services industry leaders, other industry partners and law enforcement to disrupt a global cybercrime operation responsible for over half a billion dollars (USD) in financial fraud. In a coordinated operation in June 2013, Microsoft in cooperation with leaders in the financial services industry – including the Financial Services – Information Sharing and Analysis Center (FS-ISAC), NACHA – The Electronic Payments Association, the American Bankers Association (ABA) – Agari, and other technology industry partners, as well as the Federal Bureau of Investigation, announced it has successfully disrupted more than a thousand botnets that are responsible for stealing people’s online banking information and personal identities. The FBI took coordinated separate steps related to the operation. Botnets are networks of compromised computers infected by malicious software to be controlled by cyber criminals known as botherders. This cooperative action is part of a growing proactive effort by both the public and private sector to fight cybercrime, help protect people and businesses from online fraud and identity theft, and enhance cloud security for everyone. This coordinated disruption resulted from an extensive investigation that Microsoft and its financial services and technology industry partners began in early 2012. After looking into this threat, Microsoft and its partners discovered that once a computer was infected with Citadel malware, that malware began monitoring and recording a victim’s keystrokes. This tactic, known as keylogging, provides cyber criminals information to gain direct access to a victim’s bank account or any other online account in order to withdraw money or steal personal identities. 
This means that when victims are using their computers to access their bank or online accounts, cyber criminals can use the stolen information to quietly pilfer those same accounts as well. Microsoft also found that in addition to being responsible for more than half a billion dollars (USD) in losses among people and businesses worldwide, the Citadel malware has affected upwards of five million people, with some of the highest numbers of infections appearing in the U.S., Europe, Hong Kong, Singapore, India, and Australia. Citadel is a global threat that is believed to have infected victims in more than ninety countries worldwide since its inception.

“The harm done by Citadel shows the threat that botnets, malicious software, and piracy pose to individuals and businesses around the world,” said Brad Smith, Microsoft general counsel and executive vice president, Legal and Corporate Affairs. “Today’s coordinated action between the private sector and law enforcement demonstrates the power of combined legal and technical expertise and we’re going to continue to work together to help put these cyber criminals out of business.”

Last week, supported by declarations from financial services leaders and other industry partners, Microsoft filed a civil suit against the cyber criminals operating the Citadel botnets, receiving authorisation from the U.S. District Court for the Western District of North Carolina for Microsoft to simultaneously cut off communication between 1,462 Citadel botnets and the millions of infected computers under their control. On June 5, Microsoft, escorted by the U.S. Marshals, seized data and evidence from the botnets, including computer servers from two data hosting facilities in New Jersey and Pennsylvania. Microsoft also provided information about the botnets’ operations to international Computer Emergency Response Teams (CERTs), so these partners could take action at their discretion on additional command and control infrastructure for the botnets located outside of the U.S. As stated by the FBI, the FBI also provided information to foreign law enforcement counterparts so that they could also take voluntary action on botnet infrastructure located outside of the U.S. The FBI also obtained and served court-authorised search warrants domestically related to the botnets. This operation serves as a real world example of how public-private partnerships can work effectively within the judicial system, and how 20th century legal precedent and common law principles dating back hundreds of years can be effectively applied toward 21st century cyber security issues.

“Crimes used to happen through stickups, but today criminals use mouse clicks,” said Greg Garcia, a consultant and former Department of Homeland Security cyber official serving as a spokesperson for the three major financial industry associations. “This action aims to stop the ongoing harm of these Citadel botnets against people and businesses worldwide, and you can be assured that we will continue to partner with the public and private sectors to help financial institutions protect our customers from threats like this.”

Due to the size and complexity of the threat, Microsoft and its partners do not expect to fully eliminate all of the botnets using Citadel. However, it is expected that this action will significantly disrupt the botnets’ operation, making it riskier and more expensive for the cyber criminals to continue doing business and allowing victims to free their computers from the malware. To help protect people from any remaining instances of this threat, it is critical that victims rid their computers of Citadel by using malware removal or antivirus software as quickly as possible to help prevent additional security issues. Immediately following the disruption, Microsoft will use the threat intelligence gathered during the seizure to work with Internet Service Providers and Computer Emergency Response Teams worldwide to quickly and efficiently notify people if their computer is infected. Microsoft will be making this information available through its Cyber Threat Intelligence Program (C-TIP), including the recently announced cloud-based version of the program. For computer owners worried that their computers might be infected, Microsoft offers free information and malware removal tools at http://support.microsoft.com/botnets. Additionally, the FBI is providing information on its website about botnets to educate the public on how to protect themselves.
Many financial services industry organisations provide resources, tips, and tools to individuals and companies on how to help protect themselves.

[Source: microsoft.com]



AWARENESS

CYBERCRIME AWARENESS SITE FOR AFRICA

Africa is considered to be the cradle of mankind with evidence of some of the earliest civilizations found right here on the continent.

Africa has journeyed through many great obstacles and the dream of unity and common purpose is within grasp of all its people. We must not lose sight of this dream. As proud stakeholders of this great land we are now called upon to join hands in the fight against a new threat that is targeting all areas of our society – no organisation, community or child is immune to its impact. We are referring to the scourge of cyber criminal activity that is rapidly becoming a global concern and one that we as Africans need to prioritise.

Cybercrime has been on the rise over the past decade and is said to be a result of the global economic instability and a case of individuals responding to monetary and psychological incentives. Cyber attackers use the internet to disrupt, steal and manipulate information. This has led to an increase in economic fraud cases and the theft of confidential information. The most common ways of attacking are phishing, abuse of system privileges and malicious code infections (viruses).

HOW SERIOUS IS THIS THREAT?

According to the Norton Cybercrime Report 2012, cybercrime is growing at an alarming rate with over 556 million worldwide victims per year, which equates to over 1.5 million victims per day, or about 18 victims per second. South Africa has been ranked as having the third highest number of cybercrime victims after China and Russia. Information provided in The South African Cyber Threat Barometer 2012/13 put the total direct losses to cybercrime in South Africa between January 2011 and August 2012 at R2.65 billion. An estimated R662.5 million of the R2.65 billion was not recovered. It is also predicted that cybercrime will continue to rise due to unemployment, increased access to the internet and an increase in criminal and cyber threats.

As a proudly African organisation, Wolfpack, through sponsorship from the British High Commission, has taken a step forward in the fight against cybercrime by providing a platform to raise awareness for its citizens. Phase 1 of our project will focus on South Africa and we will then partner with local entities in other African countries to cover the entire continent in the near future.

MISSION

Our mission is to establish a sustainable African presence to raise awareness & improve collaboration on critical cybercrime topics using the latest web, animation, gaming & social media tools at our disposal.

VISION

Establish a service that provides an update on cyber threats, awareness topics, guides and assistance to the South African and ultimately the greater African community. An alert community will ultimately help to reduce crime and prevent valuable information assets and potentially millions of dollars being stolen from the stakeholder community of Africa.

www.alertafrica.com



WHY WOULD HACKERS TARGET

MY LITTLE COMPANY?


If your business is relatively small, keeps a low profile, and isn’t involved in financial services or national defence, you might assume that data security isn’t a big issue for you. Why would someone in the presumably limited pool of hackers take the time to target your company? How would they even know about it? And if by some strange chance a hacker did get in, so what? You might assume you could hire someone to clean up your systems. All of your employees would have to change their passwords, which would be annoying, but pretty soon it’d be back to business. Five or 10 years ago, those assumptions would have been at least defensible, if not correct. Cyber attackers tended to be lone wolves who went after high-profile companies or government organisations. They were trying to score political points or show off their power to break in and disrupt. They weren’t in business to siphon money out of digital commerce or trying to bring down governments. As they are today. In recent years the lone wolves have banded together into syndicates that have acquired significant resources, and a lively international market for logins, passwords, medical records — pretty much any kind of confidential data — has sprung into being. Each pilfered name or number might not be worth much on its own, but a theft of millions of records can earn a hacker an enormous profit. Many of these syndicates are sponsored by governments and have access to very, very smart people who are developing malware that doesn’t even resemble the attack software of five years ago. It’s now much more sophisticated, stealthier, and difficult to identify. Some hackers pursue non-economic goals such as crippling certain companies or governmental functions. Others are in it just for the money. They want data on credit cards, bank holdings, and investment accounts. And while you may be right that hackers wouldn’t have much interest in your company per se, they’re very interested in your connections.

Attackers are increasingly targeting small companies, planting malware that not only steals customer data and contact lists but also makes its way into the computer systems of other companies, such as vendors. Hackers also might be more interested in your employees than you’d think. Are your workers relatively affluent? If so, chances are the hackers are way ahead of you and are either looking for a way into your company or are already inside, stealing employee data and passwords, which (as they well know) people tend to reuse for all their online accounts. Your company is probably also vulnerable to being attacked through its partners. How much do you know about your vendors’ or B2B customers’ security capabilities? A lot of organisations enter into working agreements with other firms without auditing the partners’ data protections.

It’s literally true that no company is immune anymore. In a study conducted in 2006, approximately 5% of all endpoints, such as desktops and laptops, were infected by previously undetected malware at any given time. In 2009—2010, the proportion was up to 35%. In a recent study, it looks as though the figure is going to be close to 54%, and the array of infected devices is wider too, ranging from laptops to phones.

As for that assumption about the ease of cleaning up the mess and changing passwords: I wouldn’t bet on it being a simple, straightforward process. Getting hacked (if you’re even aware of it) is aggravating, time-consuming, and resource-draining, even if your monetary losses are insured. Your reputation with vendors and customers will suffer. Meanwhile, the battle between hackers and organisations is continuing to evolve. It’s morphing into something new all the time, and no one is sure where it’s headed. Will nations develop the capacity to cripple one another, as in the nuclear era, and will they use that threat in an attempt to deter government-sponsored hacking? Quite likely.
But even if the cyber version of “mutually assured destruction” comes to pass, we’ll still be plagued by gangs of criminals and hacktivists — and they’ll get smarter and more dangerous all the time.


[Source: Harvard Business Review]



AWARENESS

INFOSEC’S JERK PROBLEM Put bluntly: to others, we’re jerks. If you don’t think this is a problem, you can stop reading here.

THE DYSFUNCTIONAL TALE OF BOB AND ALICE

BACK TO THE STORY

Imagine this. Developer Bob just received an email from your Infosec department- subject Important Security Update. He sighs, thinking of the possibilities: a request to rotate his password, or a new rule? Maybe it’s a dressing-down for having violated some policy, a demand for extra work to patch a system, or yet another hair-on-fire security update he doesn’t really see the need for. His manager is on his case: he’s been putting in long hours on the next rev of the backend but library incompatibilities and inconsistent APIs have ruined his week, and he’s way behind schedule. He shelves the security update – he doesn’t have time to deal with it, and most things coming out of Infosec are just sound and fury anyway – and, thinking how nice it would be if his team actually got the resources it needed, continues to code. He’ll get to it later. Promise.

From Bob’s perspective, he’s making a reasonable risk/ reward tradeoff: not dealing with the email right now might get him yelled at, but judging from history, probably not – he gets lots of “urgent” security emails that turn out to be Windows patches, admonitions to change his password, policy reminders and so on. From your perspective, Bob is being completely irresponsible: you told him it was important; it was right there in the subject line!

Meanwhile, you, Security Researcher Alice, are trying not to panic. You’ve seen the latest Rails vulnerability disclosure, and you know it’s just a matter of hours before your exposed system gets hit. You remember what happened to Github and Heroku, and you’re not anxious to make the front page of Hacker News (again?!). If only Bob would answer his email! You know he’s at work – what’s happening? The face of your boss the last time your software got exploited appears in your mind, and you cringe, dreading an unpleasant meeting ahead. You fume for several minutes, cursing all developers everywhere, but no response is forthcoming. Angrily, you stand up and march over to his cube, ready to give him a piece of your mind.

PAUSE. WHAT’S GOING ON HERE, AND WHAT’S ABOUT TO HAPPEN?

INTERLUDE: WE ARE THE WATCHERS ON THE WALLS.

Many in the Infosec community are fond of casting the security world as “us versus them,” where “they” aren’t external, malicious actors but unaware users, clueless managers, and bumbling executives within our own organisations. We like to see ourselves as the Night’s Watch of the tech world: out in the cold with little love or support, putting in long nights protecting the realm against the real threats (which the pampered never take seriously) so everyone else can get on with their lives in comfort. We develop a jaundiced attitude: only we understand the real danger, we think, and while we’re doing our best to stave off outsider threats, when the long night comes we need fast and unquestioning cooperation from the rest of the organisation lest (hopefully metaphorical) frozen undead kill us all.

The rest of the organisation doesn’t see it that way. To them, we’re Chicken Little crossed with the traffic police crossed with their least favourite high school teacher: always yelling about the sky falling, demanding unquestioning obedience to a laundry list of arcane, seemingly arbitrary rules (password complexity requirements, anyone?) that seem of little consequence, and condescendingly remonstrating with anyone who steps out of line. Once in a while a visionary (often an Infosec expat) who truly understands the threat tries to help others see the value, but most of “them” don’t get it. Users are stupid. Managers are idiots. Executives are out of touch. So it goes.

Cybershield Magazine • July - September 2013 • Special Cyber Espionage Edition • Page 44

You storm into Bob’s cubicle. Images of mocking Hacker News articles dancing in your head, you accuse Bob of flagrant negligence (perhaps letting out some anger over the last security incident; Bob works on that team, doesn’t he?) and demand that he drop whatever he’s doing and fix this, now. This mood of righteous indignation doesn’t lend itself to patient explanations, and Bob’s demand that you explain the vulnerability is met with your impatient demand to “just do it.” There isn’t time for that – someone could be dumping your database as you speak!

Bob, already running out of patience due to his looming deadline, fires back that he can’t deal with this now, he’s too busy, it’s not his problem (there are other devs, right?) and you should take it up with his manager. Even if he could, he wouldn’t: didn’t the last few Infosec red alerts turn out to be nothing? Why are you trying to waste his time? Don’t you understand he has real work to do, work he’ll get fired for not doing? Bob considers this a horrendous distraction from his critical dev work, and you see Bob as dragging his feet while the building’s on fire. You both walk away angry. Regardless of whether the vulnerability eventually gets closed, serious harm has been done.

A common, less overtly contentious version of this exchange involves FUD on both ends, with vague yet ominous threats coming from Infosec and a haze of scheduling delays, configuration problems, and blaming other teams (QA being a favourite) from the dev team. This usually gets management involved and everyone has a bad day.

There are two problems here. The first is a lack of understanding, the second, a lack of empathy.
UNDERSTANDING IS A THREE-EDGED SWORD: OUR SIDE, THEIR SIDE, AND THE TRUTH

Mankiw’s Principles of Economics apply here, particularly the first and fourth: “People face tradeoffs” and “People respond to incentives.” Hanlon’s Razor says “Never attribute to malice that which can be adequately explained by incompetence,” but I would add, “Never attribute to incompetence that which can be explained by differing incentive structures.”


FOR EXAMPLE:

• Tradeoffs: if you give someone two tasks, both of which could take up 75% of their time, then tell them they will be fired if they don’t do Task A, don’t be surprised when Task B doesn’t get done.
• Positive incentives: if you measure QA performance by number of bugs found, you’ll find dozens of spurious bugs in the system.
• Negative incentives: measure developer performance by number of bugs generated and watch as devs pressure QA to not consider problems “bugs.”

WHEN WE GO FOR THE EASY ANSWERS:

This {system, product, device, network} is {insecure, vulnerable, unsafe, slow, broken, unprofitable, incomplete, poorly designed, ugly} because the {designer, manager, dev team, executives, QA, sales} {is incompetent, is lazy, doesn’t care about security, is an asshat}

We erode our ability to evaluate the true cause of a situation. (Social psychology refers to this as the Fundamental Attribution Error – the tendency to attribute others’ mistakes to their inherent failings, while attributing our own mistakes to the situation at hand.) We damage our reputation (and that of Infosec as a field), make ourselves unpleasant to deal with, and generally make the world a worse place.

“Never argue with a man whose job depends on not being convinced.” – H.L. Mencken

These problems are not amenable to the sort of frontal assault described above. That approach assumes the target doesn’t understand or isn’t aware of the problem, while in many cases they fully are. While yelling at someone may occasionally achieve the result you want, it doesn’t come without collateral damage, including massive loss of goodwill. Sometimes hard authority (executive fiat) is the only way to get the job done, but usually there’s a better way.

Imagine a group of people invite you and your friends to a local football field to play a friendly game. You show up and are quickly bewildered: the others are mocking you, nothing seems to be going the way it should, and when one of them shouts “go!” some of your friends are injured in the ensuing confusion. You could shout at your newfound acquaintances for hurting your friends, complain privately about how stupid they are for not understanding the rules… or pause for a moment, collect the available facts, and realise that they had actually invited you to play rugby.

Disregarding your goals and charging off in another direction is not necessarily an indicator of malice or stupidity. People are always playing a different game; it just occasionally has similar rules to yours. Developers are measured on their ability to get software out the door. QA teams are often measured on speed. Managers are responsible for the performance of their team. Executives worry about the overall direction of the business. You need to show how security aligns with these goals. Security can be more than just a hedge against long-term downside risk: it can be a way for everyone to produce better software.

What you need to understand is others’ value calculus: what factors go into what they consider important? Given that, how can you both decide on some security goals that are in line with both their calculus and yours?
EMPATHY

The jaundiced attitude among Infosec mentioned above, coupled with differing incentive structures, has an unfortunate tendency to spill over into external interactions. If 90% of lunch conversations are complaints about how terrible users are, how management doesn’t get it, and how the dev team on Project Foo are a bunch of incompetent turd-burglars, then the next time you have to meet with Project Foo’s team you’ll be hard-pressed to give them a fair hearing as they explain how their lack of proper resources and mountain of technical debt prevent them from addressing problems properly.

We also get used to thinking of people and teams in that way. We genuinely become less kind people.

WHAT’S THE ALTERNATIVE?

Practice active kindness. Go out of your way to do kind things for people, especially people who may not deserve it. If you wait for them to make the first move, you’ll be waiting a while – but extend a hand to someone who expects a kick in the teeth and watch as you gain a new friend. Smile.

Don’t go for the easy, wrong answers. That team isn’t incompetent, they just have too much work to do; how can we work with them to get our thing done? That manager isn’t stonewalling, he just has a different incentive structure – how can we understand what it is?

Seek to understand and make this clear. When asking someone to do something, try to understand their current situation first. Perhaps the request isn’t as urgent as all that – but say it is. “I know you have a lot on your plate, with the X deadline and the Y update, but public-facing system Z could be compromised.” Ask questions and listen to the answers. Be flexible.

Recalibrate “urgent.” Think of the worst possible thing that could happen to your organisation. Now try to make it worse. I’ve worked in places where the worst-case scenario involves “loss of multiple human lives.” Will the world end if this minor security patch isn’t applied today? Think of the automated OS updates popping up in the corner of your screen: how often are those more important than what you’re doing? If you practice this and do it well, people will start to feel you understand their value calculus, and this makes them much more likely to take your advice.

Create stakeholders and spread security knowledge. One thing our Infosec team tries to do is have people create their own security goals. The answer to “what does it mean to be safe” ultimately is up to them; we just guide the process.
This means they’re invested in security – the more they’ve thought about the safety of their own product, the more likely they are to value it as a goal.

CONCLUSION

Fixing Infosec’s jerk problem benefits everyone: us, the people we deal with, and ultimately the security of the system – and since that’s our long-term goal, we should actively seek to fix the problem. Be kind, and the rest will follow.

[Source: Christian Ternus - http://adversari.es]


LOCAL TRAINING AND EVENTS

2nd Year

Moving From The Cold War To The Code War

4, 5 and 6 November 2013

@ The Indaba Hotel Fourways - Johannesburg, South Africa

About The Conference

Global cyber threat activity is on the rise, and governments and private sectors in Africa are extremely vulnerable. Successful international cyber security programmes are recognising the need for increased public-private partnerships to deal strategically with all types of cyber threats: cybercrime, cyber espionage and cyber warfare. Cybercon Africa 2013 is a three-day conference that brings together leading experts in all cyber threat fields to share their experience in preventing, detecting and responding to cyber attacks. A key focus of our event is to create an environment that will allow cyber security stakeholders to build relationships and incubate initiatives in the field of cyber threat management.

Info & Bookings

Visit www.cyberconafrica.org to book online or contact: Cybercon Project Manager - Ann Felton on Phone: +27 11 513 4186 | Mobile: +27 82 3300 264 or email info@cyberconafrica.org


OF INTEREST

APPLE’S IOS 7 MAKES A BOLD MOVE FOR THE CAR DASH, SEEKS TO REPLACE IN-CAR INFOTAINMENT

With the announcement of iOS 7 and a revamped Siri voice assistant, Apple is poised to make big inroads into car dashboards. Your iPhone could be the navigation system for a low-cost car and bypass the pricey in-car navigation and infotainment systems of costlier vehicles. A dozen automakers say they plan to support the new features of iOS 7, particularly Siri Eyes Free. You use the press-to-talk button on the steering wheel and the integrated microphone to communicate with your iPhone. Your iPhone screen is blanked and a replica is displayed on the car’s centre stack LCD display. More automakers are building in LCD displays even when the cars don’t come with on-board navigation. Maps and navigation would be the first apps to be ported to the car. For the best user experience, the in-car display might be slightly different from just an iPhone display rendered larger. Other apps might include texts and emails that could be read aloud or shown on-screen. But if they’re displayed on-screen, then Apple and phone makers get caught up in the question of what should be on the centre stack LCD and what’s too distracting. As if Apple hasn’t had enough run-ins with federal regulators already.

Car owners would get more up-to-date applications and phone-based navigation wouldn’t be so expensive. You might pay $10 a year for navigation; if you buy an update disc or SD card for your in-car system, that could be $200. Today, what’s installed in your car at the factory is pretty much what you have to live with for the life of the car. The updates are just that: map updates and software enhancements, not completely new versions of the navigation system. With the life of the average car now at a dozen years, you could be staring at the same clunky built-in nav system in 2025, or you could be running iOS 17.

THE AUTOMAKERS ON-BOARD WITH IOS 7

Many automakers have signed on but not all. Several revealed themselves at Apple’s Worldwide Developers Conference. The most significant non-signers include Ford/Lincoln, whose Sync system ironically was the first to make heavy use of connected smartphones, Toyota/Lexus, and Chrysler.

THOSE PLEDGED TO SIRI EYES FREE ARE: Acura, BMW, Chevrolet, Ferrari, Honda, Hyundai, Infiniti, Jaguar, Kia, Opel (Europe), Mercedes-Benz, Nissan, Volvo

Each automaker has to work out how one press-to-talk button on the steering wheel can be used by both the car’s own voice recognition system and Siri. Most commonly, a short press sends the voice command to the car, and a long press sends the command to Siri and Eyes Free. [Source: extremetech.com]
