Editor’s Letter
Audits and Assessments Edition

The second quarter of 2014 has seen several large companies being breached. In this edition of Cybershield we look at a selected number of these breaches; there were in fact so many data breaches that one could have dedicated an entire edition of Cybershield just to them!

This edition looks at how mobile apps are spying on people, how smart TVs and refrigerators are being used in attacks and how a cyber attack can be used to create traffic jams.

We also highlight the key findings of a landmark research project conducted by Wolfpack Information Risk in partnership with Digital Jewels, which identified the cyber security challenges, threats and initiatives that exist in Nigeria.

We also provide you with a list of tools, browser extensions and software that you can use to stay one step ahead of cybercriminals in 2014. This is part of a Cybercrime Survival Guide that Wolfpack will be bringing out soon to help users deal with the ever-changing cyber threat landscape.

Lastly, we would like to apologise to our loyal readers for the delay in releasing this edition. The release was delayed in order to allow us to include a write-up on the 9th Annual ITWeb Security Summit. This year the ITWeb Security Summit was full of interesting and informative sessions, from privacy to hacking cars.

We hope you enjoy this edition.

Manuel Corregedor
Cybershield Magazine • April - June 2014 • Audits and Assessments • Page 2
Inside this issue:

FEATURED ARTICLES
• A LOOK AT THE 2014 NIGERIAN CYBER THREAT BAROMETER (page 4)
• SHIFTING POWER IN ABUJA AFFECTS, IS AFFECTED, BY NIGERIA’S SECURITY OUTLOOK (page 10)
• HIGHLIGHTS FROM THE ITWEB SECURITY SUMMIT 2014 (page 16)

INTERNATIONAL NEWS
• HEARTBLEED BUG - THE BIGGEST POSSIBLE INTERNET THREAT (page 28)
• MORE NSA REVELATIONS (page 31)
• SYRIAN ELECTRONIC ARMY TARGETS THE BIG NAMES! (page 32)
• DATA BREACHES, DATA BREACHES, DATA BREACHES (page 34)
• NATIONAL CYBER SECURITY CHALLENGES & OVERVIEW OF CYBER ACTIVITIES IN ITU-UN SEMINAR (page 37)

AFRICA NEWS
• SA’S PUBLIC INVESTMENT CORPORATION SITE HACKED BY MAROC ELECTRONIC ARMY (page 38)
• SAPS DISCUSSES PLANS TO TACKLE CYBERCRIME (page 38)
• SEVERAL SECURITY FLAWS UNCOVERED ON SOUTH AFRICA’S E-TOLL WEBSITE (page 38)
• PROTEAS BOARD ACCUSED OF HACKING (page 38)
• GHANA PLANS TO CREATE A NEW FACILITY TO FIGHT CYBERCRIME (page 39)
• RWANDA PRESIDENT PUSHES FOR COLLABORATION BETWEEN ICT AND THE POLICE (page 39)
• 5 YEAR JAIL SENTENCE OR N10M FINE IF YOU INSULT SOMEONE ON THE INTERNET (page 39)
• ZAMBIAN POLICE CRACK DOWN ON THE MISUSE OF INTERNET SERVICES (page 39)
• THE FIGHT AGAINST CYBERCRIMES IN TANZANIA BY YUSUPH KILEO (page 40)

LOCAL TRAINING AND EVENTS
• WOLFPACK CYBER ACADEMY (page 43)

GOVERNANCE RISK MANAGEMENT AND COMPLIANCE
• WEBSITES STILL USING WEAK DIGITAL CERTIFICATES (page 44)
• CYBER CRIME IS A ‘BLACK SWAN’ - (ASIC) (page 45)
• OBAMA ADMINISTRATION UNVEILS CYBERSECURITY FRAMEWORK (page 46)

AUDITS AND ASSESSMENTS
• PCI COMPLIANCE IS A ONCE-OFF ANNUAL EVENT (page 47)
• AGENCIES OFTEN FAIL TO TAKE BASIC PREVENTIVE MEASURES (page 48)

MANAGED SERVICES
• MICROSOFT’S HANDS ARE CLEAN (page 50)
• FREE MICROSOFT WINDOWS FOR MOBILE DEVICES (page 50)
• GOOGLE CHROME PROTECTS USERS FROM BROWSER HIJACKING (page 51)
• CRIMINALS TARGET FACEBOOK USER ACCESS TOKENS (page 51)
• A VULNERABILITY FACEBOOK CAN’T FIX (page 51)

CYBER FORENSICS AND INCIDENT MANAGEMENT
• ANALYSING SUPER WORMS (page 52)
• BANKING TROJANS DECREASE AFTER THE ARREST OF SPYEYE AUTHOR (page 53)

AWARENESS
• WARNING! THERE IS A ZEUS BANKING TROJAN SIGNED WITH A VALID DIGITAL SIGNATURE (page 54)
• WAZE APP REPORTS FAKE TRAFFIC (page 54)
• FIFA WORLD CUP 2014 - ATTACKS (page 54)
• WHETHER FREE OR PAID, YOUR APPS COULD BE SPYING ON YOU! (page 55)
• ‘INTERNET OF THINGS’ BEING USED AS WEAPONS BY HACKERS (page 55)
• FACEBOOK ACTIVATION SCAM (page 55)

OF INTEREST
• GETTING HANDS ON AGAINST CYBERCRIME (page 58)
• TRACK YOUR LOST SMARTPHONE OR LAPTOP (page 59)
• BACKUP, BACKUP, BACKUP! (page 59)
• DUCKDUCKGO GOODIES FOR SYSTEM ADMINISTRATORS (page 60)

Africa’s premier cyber security publication

Cybershield magazine is a quarterly publication owned by Wolfpack Information Risk (Pty) Ltd. No part of this magazine may be reproduced or transmitted in any form without prior permission from Wolfpack. The opinions expressed in Cybershield are not those of the publishers, who accept no liability of any nature arising out of or in connection with the contents of the magazine.

While every effort is made in compiling Cybershield, the publishers cannot be held liable for loss, damage or inconvenience that may arise therefrom. All rights reserved. Wolfpack does not take any responsibility for any services rendered or products offered by any of the advertisers or contributors contained in the publication. Copyright 2014. E&OE on all advertisements, services and features in Cybershield magazine.

Editorial address: Unit A2, Rock Cottage Office Park, Cnr Christian de Wet & John Vorster Roads, Randpark Ridge, Johannesburg, South Africa

Enquiries:
Telephone - +27 11 794 7322
Advertising - sales@wolfpackrisk.com
Content - manuel@wolfpackrisk.com
Journalist - shingai@wolfpackrisk.com
Design - design@wolfpackrisk.com
General queries - info@wolfpackrisk.com
http://www.wolfpackrisk.com/magazine/
Feature
A look at the 2014 Nigerian Cyber Threat Barometer

The 2014 Nigerian Cyber Threat Barometer is a landmark research project conducted by Wolfpack Information Risk in partnership with Digital Jewels. The research project was funded by the British High Commission. The 2014 Nigerian Cyber Threat Barometer makes an important contribution towards addressing the threats and risks to Nigeria from cyber space. It attempts, for the first time, to establish a baseline of the extent and degree of cyber threats against which future progress in combating them can be measured. It offers encouragement and support for the progress already being made to address the risks and threats, including the Cyber Crime Bill, the adoption of international standards and strong cyber security measures. This article provides an overview of the report’s findings and recommendations for proposed initiatives to maintain progress.
Nigerian Cyber Threat Barometer launch in Lagos Nigeria
“... the victim goes to the attacker just as animals go to a watering hole.”

An Overview of Information Security in Nigeria

Nigeria’s economic growth has increased significantly due to the Central Bank of Nigeria (CBN) pushing towards a cashless economy, increased use of smart technology in government and the rapid growth of online commerce. However, this economic growth, coupled with the rapid internet penetration in Nigeria (43% coverage as at 2012), has made the country an attractive haven for cyber criminals.

The state of security as a whole in Nigeria has been described as a rather difficult situation to deal with. The cyber security structure can have multi-faceted root causes and multi-dimensional symptoms. Often the physical security threats are somewhat regionalised and situational. An example of such a sore situation is the recent uprising of the Boko Haram extremist group, which is causing havoc and destruction in Northern Nigeria.
The impact and consequences of technical and administrative security are still barely understood in many organisations, even though the risks are present and the impact unmistakable. Information security continues to be an unfolding dilemma mainly within the context of the unfortunate reputation Nigeria has in the international community of being the hub for security breaches of every dimension and especially what has come to be known as the ‘Nigerian 419 scams’– advance fee fraud. The Nigerian cyberspace is plagued with computer-generated minefields and cyber threats that appear to be multiplying. Reports on repeated assaults on public and private sector websites and other e-delivery channels are dominant as the rebellious militant communities are joining the growing mobs of hackers. The growth of e-delivery channels also seems to be a double-edged sword as the Central Bank of Nigeria continues to aggressively push the “Cashless Nigeria” initiative aimed at reducing the volume of cash in circulation.
What makes Nigeria vulnerable to cybercrime

In Nigeria, there are several factors that influence the country’s vulnerability to cybercrime. These include:
• The absence of a legal and regulatory framework that clearly recognises the pervasiveness and approaches to cybercrime and one that prescribes clear penalties
• The high rate of unemployment within the context of a huge population with over 50% of the youths (accounting for 70% of the population) unemployed or underemployed
• High rates of poverty and low per-capita incomes
• Perceived high levels of corruption
• The inadequacy of cyber security skills in law enforcement agencies, government and private sectors
• Low security controls at a personal, institutional, sectorial and national level
• The lack of awareness of cyber threats which lends itself to widespread social engineering attacks
• The lack of comprehensive statistics on cyber security
• The absence of wide-spread industry collaboration initiatives
• The absence of a national crime database, making criminals more difficult to track
• The recent emphasis on electronic delivery channels in a bid to reduce cash in circulation in the country (“Cashless Nigeria”)
• The increase of online retail stores and e-commerce activity
• The growth of e-government initiatives

The expected benefits and risks of “Cashless Nigeria” are as follows:

Benefits:
• Improved security
• Increased velocity of money
• Financial inclusion
• Transparency

Risks:
• Greater magnitude and impact of fraud
• More internal threats
• Prevalent social engineering attacks

There are approximately 170 million people in Nigeria and a large percentage between the ages of 18 and 25. Many are unemployed and unskilled, which poses a significant risk to the state of security in the country. For the younger generation in Nigeria, cyber space is already the only way they know how to run their personal and professional lives. However, the vast population of the country is not aware of the pervasive security threats, is susceptible to social engineering attacks and is insufficiently skilled for the present day digital era challenges.

It would be unfair to state that the situation is completely one of doom and gloom. It is important to acknowledge that Nigeria is taking great strides in implementing controls to strengthen its information security framework. Recently, the Central Bank of Nigeria, through its subsidiary Nigeria Inter-Bank Settlement System (NIBSS), launched a biometric project for the entire banking sector using the Bankers Committee as a platform. Nigeria has also put in place a strong banking regulator that is aimed at driving the adoption of global best practice standards, especially those focused on information security across the e-payments value chain.
The effects of cybercrime tend to be significant and wide ranging, with the most apparent and dreaded being financial loss – both direct and indirect. Most cases lead to reputational loss or impairment suffered particularly by e-government initiatives, financial institutions, online retail stores and other fiercely competitive commercial ventures. Other consequences associated with cybercrime incidents include business disruption, loss of productivity, increased mistrust within and beyond organisations.
The Key Findings

DATA BREACHES
Although there was no clear consensus on the trends of cyber security in Nigeria, what appeared as a definite agreement is that the top cyber security breaches in Nigeria result from social engineering attacks such as phishing, 419 scams, identity theft and unauthorised access. Another common trait is the breaches resulting in financial fraud and embezzlement through internal collusion and those involving e-delivery channels such as ATMs, mobile channels and the web. These breaches were also rated as high, particularly for the financial sector. The third highest category of cyber security breaches is information asset theft through session hijacking, email hijacking and website hijacking. Respondents rated the internet as the leading source of cyber security breaches in Nigeria, followed by insider collusion, pharming and phishing.

CYBER ATTACK METHODS
An overwhelming majority of respondents selected social engineering as the key cyber attack method in Nigeria and also identified malware and key loggers as other frequently used methods.

CYBER VULNERABILITIES
The respondents of the survey identified lack of user awareness as the leading cyber vulnerability in Nigeria for both employees and customers. The vulnerabilities caused by the use of weak technical security practices such as poor patch management, out-dated anti-virus software and unsecured or misconfigured networks were also highly rated.

COST OF CYBERCRIME - US$ 200 MILLION
As there is currently no accurate data addressing the cost of cybercrime in Nigeria and most of the loss still goes unreported, the respondents were only able to provide a conservative loss in excess of US$ 200 million annually, whilst noting that the key emerging threat to cyber security in Nigeria today is related to e-delivery channels (ATM fraud, mobile fraud & card holder data theft), followed by social engineering attacks.

DETECTION OF CYBERCRIME
The use of monitoring tools and other detection mechanisms was identified by survey respondents as the principal way of detecting cybercrime in Nigeria today. Customer reports are the next most prevalent detection method. The use of internal audits and routine staff checks were also identified as key detection methods.

DEALING WITH CYBER CRIME INCIDENTS
In terms of addressing cybercrime incidents, most organisations stated that they use diverse methods, with the most common being reporting cybercrime cases to law enforcement officers with the Economic and Financial Crimes Commission (EFCC). Respondents from the financial institutions and telecoms sectors reported having in-house staff with the requisite Information Security training and certifications. The in-house staff and external service providers are used to detect incidents and conduct investigations. From the report, it can be concluded that Nigerian organisations, especially financial institutions, do not report the majority of cybercrime incidents, out of fear of reputation damage. Other reasons for not reporting incidents are the lack of confidence in the ability of law enforcement agencies to handle cybercrime incidents and the absence of consequences for not reporting cybercrimes.
LACK OF LEGISLATION
The respondents noted the absence of a legal and regulatory framework as a glaring impediment to cyber security in Nigeria. It was, however, noted that the Cybercrime Bill 2013 is awaiting passage by the National Assembly. This bill, together with the Central Bank of Nigeria’s (CBN) mandate for banks to attain compliance with the PCI Data Security Standard and ISO27001 international standards, amongst others, has been outlined in a three year road map for industry. These are regarded as the top initiatives to develop and strengthen Nigeria’s legal and regulatory framework.

SKILLS SHORTAGE
The survey shows that there is a need for top skill sets in Nigeria, in particular computer and digital forensics, forensics investigation, cybercrime prevention, detection and incident handling, and technical ethical hacking skills. In order to deal with the skills shortage, training capabilities need to be established. The respondents feel that this training could best be addressed by establishing a National Cyber Security Training Academy, in conjunction with private training institutions, which should be properly regulated and accredited. The study also revealed that cyber security related training for government and regulatory authorities is inadequate, whereas training for e-payment companies appears to be sufficient. The respondents identified various training interventions, ranging from general awareness to highly skilled information security courses addressing incident response, attack and defence, secure coding, ethical hacking and forensic investigation.

COLLABORATION
According to the report, the respondents are aware that there are a number of key collaborative initiatives aimed at addressing the cyber threat quandary, including the Nigerian Electronic Fraud Forum (NEFF), the CBN Biometric project and Professional Association led initiatives. Another interesting finding in the report is that most respondent organisations participate in various public-private partnerships for the purpose of preventing and detecting cybercrime, and suggestions have been made towards collaborating on a National, Pan-African and International scale. The participants also feel that the research required to drive these initiatives and combat cybercrime should be driven by public-private partnerships. Additionally, most respondents voted for the establishment of a government run National Computer Security Incident Response Team (CSIRT).

CYBERCRIME BUDGET
An overwhelming majority of respondents do not believe the country is investing enough resources in mitigating cybercrime, although it was noted that considerable investment had been made by the financial services sector, mainly in response to the CBN’s mandate for all banks to attain certifications (ISO/IEC 27001 & PCI DSS).

AWARENESS
There was a somewhat unanimous agreement that there should be an inclusive, large scale and sustained national awareness campaign on cyber security across the country, addressing all stakeholder groups, with an emphasis on the key sectors of the economy and targeted at the top tier of organisations.
Recommendations Cybercrime is a global concern and one that we as Africans need to prioritise. Cybercrime has continuously been on the rise over the past decade and this could be as a result of global economic instability and due to individuals responding to monetary and psychological incentives. The cyberspace landscape in Nigeria, similarly to the rest of the world, continues to evolve rapidly and is an issue of national concern demanding urgent, focused and far reaching measures to address it.
Establish an Overriding Framework with relevant Systems & Standards
• The passing and enforcement of the Cybercrime Bill 2013 to provide a basis for securing the nation’s cyber space.
• The formation of a stakeholder-centric national CSIRT initiative with private sector input.
• The use of global best practice standards, with a bias for information security, on a national level to strengthen institutional controls, processes, systems and skills. This can be achieved by taking the lead from the banking regulator; other regulators should follow suit and adopt these standards within their sectors. Critical infrastructure sectors such as telecoms, public sector, non-bank financial institutions and oil and gas would be a priority, as well as the emerging sectors such as mobile and e-payment providers and large retailers.

The key standards will include:
• The Payment Card Industry Data Security Standard (PCI DSS), to be applied to all organisations that store, transmit or process payment card data.
• ISO/IEC 27001:2013, the international standard for best practice Information Security Management Systems (ISMS), and its relevant supporting standards, which include:
  • ISO/IEC 27032:2012 - provides guidance for improving the state of cyber security
  • ISO/IEC 27035 - international standard for incident management
  • ISO/IEC 27031 - international standard for ICT readiness for business continuity
  • ISO/IEC 22301 - international standard for Business Continuity Management (BCM)

Recommendations for People

Training
Create a stakeholder-centric development of a 3 year information security skills blueprint by the Ministry of Communication Technology (MCT) and the private sector. A skills baseline assessment survey may be required to build on the work of this research and to provide a factual basis for the blueprint to be developed. The development of a private sector-led Cyber Security Academy governed and accredited by the MCT and based on global best practice. This Academy should be equipped with labs and state of the art tools to enable scenario-based training which will give learners hands-on skills.

Education
The fundamentals of information security, with reference to cyber security, should be built into the University and the secondary school curricula, which could be achieved through a collaboration between the Ministry of Education and MCT.

Awareness
A large scale awareness programme addressing cyber security specifically and information security in general should be developed. The awareness should be aimed at, but not limited to, addressing the significant social engineering threat as revealed in the study.
Conclusion

The Cyber Threat Barometer report has revealed that Nigeria needs a robust approach to cyber security for the country’s broader economic and social interests.
All organisations, that is, the federal and state governments, public institutions and the private sector have an important role to play. This can be achieved through legislation, the adoption of international standards, awareness, information and education campaigns, a rigorous approach to online security and zero tolerance towards the exploitation of cyber space.
Although it is not feasible to say that there can be absolute security, the collective wisdom garnered from all participating stakeholders in the report will provide valuable guidance to drive initiatives aimed at safeguarding the digital security of the Nigerian people. Besides, security is a process not a project and in many ways an ever-moving goal post.
Download your complimentary copy of The 2014 Nigerian Cyber Threat Barometer at: http://wolfpackrisk.com/publications
Feature
Shifting power in Abuja affects, and is affected, by Nigeria’s security outlook

Pre-election politics has turned violent and divisive

By Conway Waddington

Nigeria is set to hold presidential elections in 2015. These elections are likely to be heavily contested, as evidenced by the recent, temporary arrest of the key opposition leader Nasir el-Rufai over comments he made about the likelihood of violence during the election. These elections also appear to be an increasing source of pressure on the current president, Goodluck Jonathan, who faces collapsing support amongst his own political party and backers over the, as yet unanswered, question of whether he will compete in the 2015 elections, exemplified by recent mass defections from his own political party, the People’s Democratic Party (PDP).

The PDP has been dominant in the country’s elections since 1999, but now appears substantially weakened by infighting and factionalisation. Jonathan is also struggling to maintain the delicate balance of ethnic, religious and political alliances and appointments which had previously secured his presidency.
Usually seen with a hat and a smile, Nigerian President Goodluck Jonathan at the World Economic Forum in Davos, Switzerland, February 2013

The Nigerian political environment has been characterised by high levels of inter-ethnic or inter-tribal tension since the country achieved independence in 1960. The devastating 1967-1970 civil war, and a succession of military governments, has created an underlying attitude of ‘winner takes all’ that continues to overshadow Nigeria’s troubled relationship with democracy. Jonathan’s ascension to the presidency in the aftermath of the death, in office, of President Umaru Yar’Adua in 2010 was heavily influenced by the fact that Jonathan is an ethnic Ijaw.

The Ijaw are a minority group from the Niger Delta region and as such, Jonathan was considered a satisfactory compromise to both the Hausa-Fulani and Yoruba ethnic majorities who have traditionally competed for control of the country.
This article is extracted from the March 2014 edition of the Africa Conflict Monthly Monitor (ACMM). Published by Consultancy Africa Intelligence (CAI, www.consultancyafrica.com), ACMM is the brainchild of award-winning journalist and columnist, James Hall, whose team of Africa-based conflict experts dissect conflict trends across the African continent, with the aim of guiding businesses, governments, academics and other stakeholders on the meaning and potential ramifications of conflict in Africa. Access the complete March 2013 edition of ACMM here: http://consultancyafrica.com/ACMM/79101/ACMMMarch2014
For a 30% discount on a subscription to ACMM, contact: officesa@consultancyafrica.com and mention that you read this article in Wolfpack Information Risk’s Cybershield publication. Find out more about ACMM here:
http://www.consultancyafrica.com/index.php?option=com_hikashop&view=product&layout=show&Itemid=275
Countering the rise of Islamist militancy has overshadowed the Jonathan administration
Nigeria has faced numerous internal security and stability threats since independence, particularly in terms of crises arising out of inter-ethnic or inter-tribal antagonism. The attempted secession of ‘Biafra’ by Igbo separatists (an ethnic minority concentrated in the south-east of the country) led to the 1967 Civil War. More recently, Ijaw dissatisfaction at political and economic marginalisation by the Abuja-based government led to protracted outbreaks of violence in the Niger Delta – the source of Nigeria’s oil wealth – from the mid-1990s until a tenuous ceasefire in 2009.

However, for Jonathan, the overwhelmingly dominant security threat of his presidency has been the rise of Boko Haram. This militant Islamist sect was first formed in 2002 but, since 2009, has grown increasingly violent. The continued conflict in north-eastern Nigeria where Boko Haram operates is a major source of insecurity, and a significant blemish on Jonathan’s political record. Perhaps with the 2015 elections in mind, Jonathan has attempted to decisively end the uprising, announcing a State of Emergency in certain key states in north-eastern Nigeria in May 2013 as a precursor for a military crackdown and outright offensive against Boko Haram urban strongholds. Despite numerous claims of substantial successes by the military, this offensive has failed to eradicate Boko Haram. Going into 2014, the group has shown that it is not only still capable of terrorist attacks, but also willing and able to directly confront the Nigerian military itself.

In an effort to address the disintegrating political situation in Abuja, as well as the violence in the north-east of the country, Jonathan has resorted to reshuffling both his cabinet and his military command structure. Major reshuffles occurred in late 2013, and then again in February 2014, seeing an entirely new military command structure, as well as new cabinet positions.
It also appears that Jonathan is actively attempting to revitalise his flagging ground-level support. A notable example of this is a recent presidential signing-into-law of a bill which criminalises same-sex relationships. While gay and lesbian tolerance is low in Nigeria, as with many African countries, the signing of this law, which had sat on the president’s desk awaiting confirmation since May 2013, is indicative of the pressure on the president. This move has resulted in significant criticism from the international community from which Jonathan has previously made efforts to garner support. Such measures, which sacrifice international support for local favour, are indicative of the prioritisation of the 2015 election.
Jonathan’s presidency has been dominated by the counterinsurgency campaign being fought against Boko Haram. This group, since its early formation in 2002, has undergone several stages of evolution, both strategically and tactically. The group dramatically escalated its violence after the 2009 death, in police custody, of its original leader Mohammed Yusuf. Boko Haram has embarked on a campaign of terrorist attacks designed to weaken the Nigerian Federal Government, through direct attacks, and also through inflaming pre-existing inter-ethnic tensions. Nigeria’s longstanding sectarian clashes between the predominantly Christian south and the Muslim north have played out in Central Nigeria, and have been exacerbated by Boko Haram attacks on Christian targets. Critics of the group, such as the media and the Muslim community itself, have also been targeted. The group has also periodically targeted banks or prisons holding captured members, in order to finance and continue the fight.

The Jonathan government, as with the previous government of President Umaru Yar’Adua, has tried several means of countering Boko Haram. Initial efforts included downplaying the group – describing many of the early attacks as either criminal attacks, or extensions of sectarian conflict. In both cases this is true to an extent, but these attacks were nonetheless ostensibly the work of Boko Haram. The frequency and nature of the attacks grew – particularly as motorcycle drive-by shootings gave way to increasingly sophisticated improvised explosive devices (IEDs) and outright large scale ground assaults on villages and military bases. Consequently, the Nigerian government finally began to acknowledge the extent of the security threat it faced.

The ACMM infographic on the next page illustrates Boko Haram’s trail of violence across north-eastern Nigeria in the early months of 2014.
[Infographic: Boko Haram attacks in north-eastern Nigeria, January to March 2014 (ACMM). Incidents shown, with reported deaths where the graphic gives them: 14 Jan, Maiduguri; 19 Jan, Alau Ngawo village (Borno state), 18 dead, houses burnt; 21 Jan, Njaba, 10 killed; 26 Jan, Waga Chakawa, 22 killed, explosives detonated (possibly hand grenades, not IEDs); 27 Jan, Kawuri village, 85 killed (witness reports of gunmen arriving in trucks, dressed in military uniform); 12 Feb, Konduga LGA, 51 killed; 16 Feb, Izge, 90 to 106 killed; 19 Feb, Bama, 47 killed; 19 Feb, Biu, 1 killed; 24 Feb, Federal Government College of Buni Yadi, 59 pupils killed when gunmen stormed the college; 26 Feb, Kirchinga/Shawa, 12 killed; 1 March, Maiduguri, at least 46 killed in twin bomb blasts, one of which was detonated in a busy market area in Ajilari-Gomari near the Maiduguri airport; 1 March, Mainok, 39 killed; 2 March, Mafa village, 31 killed by gunmen, including 2 police members; 14 to 15 March, Giwa Barracks. Sources: Reuters reports cited in the original graphic.]
Countering the rise of Islamist militancy has overshadowed the Jonathan administration
Download this infographic from: http://www.consultancyafrica.com/images/stories/articles/2014/Newsletter-April2014-ACMM-infographic-Boko-Haram.pdf
The Jonathan government has also attempted negotiations with Boko Haram in the hope of achieving a peace similar to the one achieved previously in the Niger Delta region in the south of the country. There the leadership of militants fighting under the banner of the Movement for the Emancipation of the Niger Delta (MEND) was effectively bought off with promises of amnesty and pensions or access to lucrative government contracts. These bribes were ostensibly part of a broader promise of greater inclusion in the political and economic dealings of the country. However, such promises, made either tacitly or overtly to Boko Haram, did not achieve the same effect. Boko Haram expresses an extremist or fundamentalist set of goals, seeking to replace the Federal Government with an Islamic one and to install Sharia (Islam-based) law. Considering the nature of the group itself, it is little wonder that negotiations have not been possible. Boko Haram has a highly secretive leadership structure and often appears to be more of an umbrella organisation for multiple groups than one unified force. As a result, negotiations have only been considered likely to succeed once substantial leverage has first been achieved by the Nigerian government.
The Nigerian military has pursued that leverage, although it has often appeared bent on the total eradication of the group. The Joint Task Force (JTF), a specially formed military and security force previously tasked with adding military pressure to compel MEND to come to the negotiating table, has been responsible for a particularly violent counter-insurgency campaign against Boko Haram in its urban strongholds in north-eastern Nigeria. The JTF’s campaign has been characterised by allegations of extra-judicial detentions, torture and extra-judicial executions from human rights groups such as Amnesty International (AI) and Human Rights Watch (HRW). In May 2013, the military-centric approach to countering Boko Haram was further emphasised with the declaration of a State of Emergency in three states in Northern Nigeria, specifically Adamawa, Borno and Yobe. The resulting military crackdown saw a major offensive launched against Boko Haram’s urban strongholds by newly designated military formations that took over from the JTF. This offensive succeeded in pushing Boko Haram out of cities in the north-east of the country, or at least disrupted their previously strongly held positions.
[Map: Keeping security forces vigilant: Nigeria’s hotspots. The map marks Kano, Maiduguri, Kaduna, Jos, Abuja, Lagos, Benin City and Port Harcourt, the neighbouring countries Niger, Chad, Benin and Cameroon, the Gulf of Guinea, and five numbered hotspots (1 to 5). Map compiled by ACMM with data from D.Maps.]
Failure to secure the north-east of the country adds to political pressure on Jonathan
The military crackdown has, however, not succeeded in either eradicating the group or in forcing it to the negotiating table. If anything, the military-centric approach has worsened the situation. Substantial civilian deaths have occurred, according to human rights groups, while Boko Haram has not only retained the ability to conduct terror attacks, but has also shown itself capable and willing to directly attack military and security forces. Reports on the specifics of the fighting are unclear and obscured by a lack of media access. Reports are also heavily distorted by biased Nigerian military announcements, which invariably claim to have inflicted substantial losses on Boko Haram with minimal, if any, casualties to their own troops in the aftermath of each bout of fighting. International commentators and media have questioned the Nigerian military’s account of the fighting in north-eastern Nigeria, but the behaviour of the military itself is increasingly evidence of the failure of the military counter-insurgency campaign. The senior leadership positions of the military have been substantially reshuffled in recent months. Moreover, the newly promoted leadership in charge of the campaign against Boko Haram has backtracked on calls made in early 2014 to end the insurgency by April. Recent ‘clarification’ by military spokesmen suggests that these calls were not intended to be taken literally. The failure to quell the Boko Haram threat and, indeed, the possibility that the military approach taken thus far has worsened the situation has provided significant fodder for President Jonathan’s political critics. Other criticism has arisen as Jonathan’s position is increasingly judged to be weakened.
Even his previous benefactor and mentor, former Nigerian president Olusegun Obasanjo, wrote a series of public letters to Jonathan that criticised Jonathan’s presidency and argued that he should not run for re-election in 2015.
It is worth noting that Jonathan has faced several domestic crises previously. A notable example involves his efforts to reform fuel subsidy initiatives that had been put in place by previous governments. Jonathan removed those fuel subsidies in January 2012, arguing that they were a source of corruption and cost the country revenues which could be directed at infrastructural development. Nigerians, many of whom see low petrol costs as one of the few benefits of the local oil industry which actually reaches them, disagreed – violently. Widespread protests erupted to the extent that Jonathan had to quickly back down and reinstate the subsidies. Another source of pressure has been maintaining the fragile peace in the Niger Delta region. This troubled area is the source of Nigeria’s oil wealth, but is also closely tied to multiple security and stability issues, in the form of MEND, as well as a black market which has sprung up around the practice of oil bunkering. This practice involves the theft of crude oil from pipelines and tankers. Additionally, the area has experienced increasing instances of maritime piracy, which initially targeted the oil industry which stretches into the Gulf of Guinea. In response, Nigeria’s navy has become increasingly active in counter-piracy efforts, while the JTF is once again active in the Niger Delta region, targeting oil thieves. Another persistent stability trouble-spot is the central band of Nigeria, where inter-ethnic conflict plays out between pastoralist and agrarian groups, who also tend to identify as Muslims and Christians respectively. Any president of Nigeria will invariably face a range of crises which threaten the peace and stability of the country, but winning re-election is arguably more difficult. President Jonathan knows that if he is to compete in the 2015 election, he must find a way to end the violence in north-eastern Nigeria, and must also take decisive steps to return his own political house to order.
It appears that the possible outcome of the election will be decided in the coming months, and will depend on whether Jonathan can stop the haemorrhaging of PDP members and successfully reconstitute a sufficiently representative cabinet. Moreover, Jonathan must find a way to facilitate a militarily effective command structure capable of dealing with Boko Haram, while also ensuring the loyalty of the command which, historically, has been the biggest threat to Nigeria’s democracy.
The ITWeb Security Summit 2014
Highlights from ITWeb Security Summit 2014
The ITWeb Security Summit, now in its ninth year, is the largest information security summit in South Africa. It brings together international and local information security professionals and provides them with a platform to share knowledge and experiences, and to acquire knowledge about the key tools, techniques and strategies needed to safeguard an organisation’s information. The summit features both international and local speakers, who provide a combination of information security thought leadership, technology updates and innovations, and case study-based success stories.
Surveillance and privacy - a global overview
Jacob Appelbaum (Independent international hacker and researcher)
Appelbaum started his presentation by stating that, regardless of who you are, choosing surveillance means you always lose, because when it comes to surveillance you are unlikely to beat agencies such as the NSA. He warned people and organisations that if they think using a commercial VPN keeps them safe they are mistaken, because VPN providers log the information being sent, and agencies such as the NSA can get access to those logs.
Appelbaum further highlighted that the reason federal agencies such as the NSA are able to perform mass surveillance is the underlying weaknesses that exist in internet protocols. The protocols allow the spying parties, for example the NSA, to intercept the information, process it based on tags of interest, for example a person’s identity, and pass it to the relevant system where an analyst can view and/or analyse the information in real time. The information gathered can then be used to conduct targeted attacks against people and/or organisations. He then went on to speak about the various tools that the NSA and GCHQ use to spy on citizens and conduct mass surveillance globally. He also stated that he had heard that, due to service level agreements, Belgacom is still using hardware that the NSA and GCHQ compromised in order to collect data.
Appelbaum suggests the following be done in order to prevent law enforcement agencies, governments and any other parties from spying on you:
• Use open source software. Appelbaum made it clear that he is not saying that open source software has no vulnerabilities or possible backdoors; however, with open source software we can see the code and as such have a starting point to become autonomous from, i.e. not reliant on, proprietary vendors.
• Use free and open hardware, e.g. the Novena Project, to make hardware locally, which will prevent the NSA from intercepting it and making modifications.
• Use Tor to defend against traffic analysis in order to protect your privacy online.
• Use cryptography that we can audit/check to ensure that it is secure. Cryptography will prevent mass surveillance and force agencies such as the NSA to use targeted surveillance only. For example:
  • RedPhone can be used on Android phones to provide end-to-end encryption of phone calls
  • TextSecure in CyanogenMod for sending secure messages
  • Internet protocols should comply with RFC7358 in order to ensure privacy
In closing Appelbaum made it clear that he believes that lawful interception, including wire tapping, is bad and that we need to rebuild trust in service providers.
When “trust us” isn’t enough: Government surveillance in a post-Snowden world
Christopher Soghoian (TED fellow and privacy, surveillance, and information security researcher)
In opening his presentation Soghoian stated that cryptography is still regulated in some countries as munitions. He added that in the past cryptography was seen as a very bad and unwanted technology because law enforcement agencies could not monitor the data being transmitted. However, due to international pressure and pressure from the private sector, the US government was forced to lift the restrictions imposed on the use of cryptography. Soghoian indicated that the reason encryption technologies such as PGP have not been widely adopted by consumers is their usability, i.e. the tools are not easy to use and frustrate normal end users. He went on to explain that up to 2009 major online service providers all used HTTP; from 2010 onwards service providers started to roll out HTTPS by default. The roll-out of HTTPS was completely transparent and effortless for the end user, which is what made it successful. The wide adoption of HTTPS made it very difficult for agencies such as the NSA to intercept traffic; however, the agencies found that the traffic between the servers and data centres was not being encrypted, allowing them to intercept the traffic at that point. In order to prevent this from happening, service providers now also encrypt traffic between data centres. However, this has not stopped agencies such as the NSA from simply coming to the “front door” and legally requesting the data. Soghoian highlighted that, according to documents leaked by Snowden, Microsoft was the first company to comply with the NSA’s PRISM collection programme. Furthermore, he highlighted the fact that e-mail providers such as Gmail have openly admitted that they do not encrypt e-mails because they need to be able to analyse their users’ e-mails in order to know which advertisements to show them.
Therefore, service providers are not encrypting users’ data on the server itself, which means government agencies can request access to such data through the appropriate legal channels. Additionally, if data is encrypted the provider can be forced to hand over their encryption keys to the respective law enforcement agency. Soghoian further stated that most companies would hand over data on their clients where they felt they were doing their patriotic duty to protect their country from possible threats, e.g. terrorism. Soghoian ended by saying that the threat model is changing: nowadays companies also need to be aware of how to protect themselves from lawyers and/or agencies who are requesting access to customer information.
Next generation security - in what generation will we get it under control?
John McCormack (CEO, Websense)
McCormack started his presentation by providing the audience with a number of statistics that demonstrated that companies are not adequately dealing with advanced threats and are unable to keep all data secure. McCormack believes that in order to deal with the threats we must understand the approach used by attackers. The following steps are used as part of an attack:
Recon
• Attack: The attacker identifies the victim and gathers information on them.
Lure
• Attack: Using social engineering, watering holes and spam.
• Defence: User education.
Redirect
• Attack: Redirect the user through a number of pages to avoid detection; on average they have found that attacks consist of 4 redirects, with a maximum of 20.
• Defence: Signature-less defences are required and the full redirect path must be analysed.
Exploit kit
• Attack: In the previous step the victim is directed to a page with an exploit targeted specifically at them using Flash, Java etc.
• Defence: Patching and making use of real-time defence mechanisms that make use of exploit heuristics.
Dropper file
• Attack: Once a user is exploited, the malware will download and/or install the payload. The installation of the payload may be delayed in order to avoid detection. For example, some malware is able to detect that it is in a sandbox by checking for mouse movements, the existence of a virtual environment etc. Once a sandbox environment is detected the malware will not install the payload.
Call home
• Attack: Once completely installed, the malware will connect to the external attacker server using techniques such as redirection, dynamic DNS and encrypting traffic.
• Defence: Scan and monitor all outbound traffic, including encrypted traffic. Check for traffic encapsulation.
Data theft
• Attack: The data that is being stolen is rarely sent in the clear; in most cases it is encrypted before being sent to the attacker. Additionally, Websense found that 30% of malware in 2013 used custom encryption algorithms.
• Defence: Prevent this from happening by addressing the previous steps, scanning the traffic leaving the network and using Data Theft Prevention (DTP) technology.
In closing McCormack had the following to say:
• Technology is moving towards the network of one – empowering mobile and cloud
• Combatting the insider threat is becoming increasingly important
• We need to raise the human security IQ, not just for computer users but for everyone
• We must start getting and using actionable threat intelligence
The idiot’s guide to destroying a Global 500 company for £500
Kevin Kennedy (Senior director: security product management, Juniper Networks)
In his talk Kennedy described how it would be possible to change the economics of hacking and, by doing so, bring down or completely eliminate the malware economy. He described how spam has been significantly reduced by changing its economics in such a way that the “return on investment” for a spammer would be so little that the effort required would not be worth it. Initially spamming was a very big problem which made spammers a lot of money, i.e. their return on investment was very large in the beginning, but this was changed as follows:
• Technology advanced and was able to block 99% of all spam; therefore, for every 100 spam messages sent by a spammer only 1 would get through. This significantly reduced the returns for a spammer.
• Servers were taken down, which resulted in spammers having to invest in new servers.
• The Visa Global Brand Protection programme made it very difficult for spammers to get accounts in “high risk areas”, e.g. on gambling websites. Additionally, those found guilty of questionable practices were fined. This effectively cut off a large number of spammers’ income streams.
The use of technology, collaboration and targeting the money of the spammers effectively reduced spam; the question is, can the same principles be used to reduce malware? Kennedy certainly thinks that this can be achieved by doing the following:
• Drive investment up – make it difficult for attackers to break in so that it requires more time and skill.
• Use active defence.
• Establish cross-border collaboration to take servers down and to catch the cyber criminals.
• Take down illegal currency exchangers.
• Assume applications and devices have been compromised – design and segment applications to ensure that if one gets compromised it is impossible for the attacker to reach any other device and/or application.
• IDS and IPS generate large amounts of logs which cause “noise”, making it difficult to detect malicious behaviour. This can be dealt with as follows:
  • Use intrusion deception, where you look for specific behaviours, for example embedding certain data in a web page that no other program should be accessing. Any program accessing this data can be considered to be malicious.
  • Push fake Command and Control server signals onto the network and check for responses. A response indicates that there is an infection on the network.
  • Create fake files that can be used to lure out the malware, for example a file called Passwords.pdf; any program accessing this file can be considered to be malicious.
  • Create fake anti-virus processes and monitor their execution to see which programs disable them; such programs are most likely malicious.
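As an added illustration of the intrusion-deception points above (example code written for this write-up, not Kennedy’s or Juniper’s), a small Python detector that flags any process other than the decoy maintainer that opens a honeyfile, any signal sent to a fake anti-virus process, and any request for a URL that is only embedded in hidden page markup. The decoy names, the key=value log format and the sample lines are all constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed decoys (hypothetical names, not from any real deployment).
DECOY_FILES = {"/home/alice/Documents/Passwords.pdf",
               "/srv/share/finance/Salaries.xlsx"}
DECOY_URLS = {"/.well-known/internal-admin-8f3a/"}   # linked only from hidden HTML
DECOY_AV_PROCESSES = {"fakeav-guard"}                 # fake anti-virus process name
# The single process allowed to create/refresh decoys; anything else is suspect.
DECOY_MAINTAINERS = {"decoy-maintainer"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value' audit line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert string if the event touches a decoy, otherwise None."""
    kind = event.get("type")
    comm = event.get("comm", "?")
    pid = event.get("pid", "?")
    if kind == "open" and event.get("path") in DECOY_FILES \
            and comm not in DECOY_MAINTAINERS:
        # Nothing legitimate reads Passwords.pdf; any other reader is malicious.
        return f"honeyfile access: {comm} (pid {pid}) read {event['path']}"
    if kind == "signal" and event.get("target") in DECOY_AV_PROCESSES:
        # A program trying to kill the fake AV is behaving like malware.
        return (f"decoy AV tampering: {comm} (pid {pid}) sent "
                f"{event.get('sig', '?')} to {event['target']}")
    if kind == "http" and event.get("path") in DECOY_URLS:
        # Browsers never render the hidden link; only scrapers/bots fetch it.
        return f"honeytoken URL fetched: {event.get('src', '?')} requested {event['path']}"
    return None


def detect(lines: Iterable[str]) -> List[str]:
    """Run every log line through classify() and collect the alerts in order."""
    alerts: List[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alert = classify(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: one benign decoy refresh, one benign document open,
# one suspicious honeyfile read, one fake-AV kill, one normal and one trap HTTP hit.
SAMPLE_LOG = """
# constructed sample, not real audit output
ts=2014-05-27T02:14:05Z type=open pid=2210 comm=decoy-maintainer path="/home/alice/Documents/Passwords.pdf"
ts=2014-05-27T02:14:09Z type=open pid=2331 comm=libreoffice path="/home/alice/Documents/Budget.ods"
ts=2014-05-27T02:15:40Z type=open pid=4021 comm=svchost-updater path="/home/alice/Documents/Passwords.pdf"
ts=2014-05-27T02:15:41Z type=signal pid=4021 comm=svchost-updater sig=SIGKILL target=fakeav-guard
ts=2014-05-27T02:16:02Z type=http src=10.0.0.23 path=/index.html
ts=2014-05-27T02:16:03Z type=http src=10.0.0.23 path=/.well-known/internal-admin-8f3a/
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```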
In his presentation Kennedy also discussed how easy it is to fingerprint a system and track it online. To see how trackable your browser is, visit https://panopticlick.eff.org/
Cyber resilience calls for strategic action. Now.
Antonio Forzieri (EMEA cyber security and ISS technology lead: technology sales and services, Symantec)
Antonio Forzieri started his presentation by identifying the cyber security risks that customers face, which are as follows:
• Hyper connectivity
• Rapid IT evolution
• Agile targets
He then provided the audience with some statistics around cyber threats which indicated that cyber threats are increasingly being ranked within the top 4 threats a business faces. Forzieri discussed how in 2013, according to Symantec, there was a 91% increase in targeted attacks. Additionally they found that most attacks took place in October, November and December. Interestingly, 8 out of 10 breaches resulted in more than 10 million records being stolen. Forzieri broke the attacks down into five stages:
• Recon
• Incursion
• Discovery
• Capture
• Exfiltration
He shared with the audience that 98% of the time it takes only seconds to crack a password; additionally, attackers make use of legitimate sites to launch attacks. Forzieri also identified who the attackers are and how each of them can be stopped:
• Script kiddies – technology can easily detect and stop script kiddies
• Experienced attacker – do the basics right and monitor, monitor, monitor!
• State sponsored attackers – no way to defend, you are dead!
Forzieri then took the audience through a demonstration which showed how easy it is to use an exploit kit. At the end of his presentation Forzieri recommended that the following be done:
• Understand there is no silver bullet
• Review the security programme and become risk aware
• Break the glass ceiling between IT and business (align business with IT)
• Put more investment into detecting, responding to and recovering from threats, as opposed to putting it all towards preparation and prevention
• Get the basics right:
  • Use the CESG 10 Steps to Cyber Security as a guideline
  • Adopt a cyber standard, e.g. ISO 27001 or PAS 555 (outcomes based)
Case study: Ensuring data privacy and protection in a Software as a Service platform at Ooba
Dominique dHotman (CIO, Ooba Group)
In his talk dHotman spoke of how to ensure data privacy and protection in a Software as a Service platform. He started by explaining the terminology used, as well as giving the background of the system and how it evolved from a normal application into a Software as a Service platform. During this evolution they realised that it was important to provide assurance to customers that their data is safe. Initially the controls introduced to ensure the data was safe were too strict, which resulted in customers rejecting the solution. In order to address the issue a coalition was formed to establish the balance between security and usability of the system (business value).
In order to ensure data privacy and protection, it was firstly important to ensure that all data could be easily traced throughout the entire platform. This was achieved by embedding a unique identifier into the envelope used to transfer the data. The unique identifier consisted of, amongst other things, a user ID and organisational hierarchy data. The unique identifiers were then used in conjunction with a Role Based Access Control (RBAC) model to control access to the data. The platform allows simple and reliable auditing with on-demand exception handling and tenant boundary alerting. Additionally, due to the extensive documentation produced, a third party can easily validate the platform. Lastly, dHotman highlighted that it is important not to re-invent the wheel when implementing such a platform; instead one should leverage and make use of existing technologies.
The legal obligation to report IT security compromises
Prof David Taylor (Admitted attorney, former associate professor of ICT law, and legal consultant)
In his presentation Prof. Taylor examined the 8 conditions, also known as the 8 principles, of POPI. He highlighted that it is important to have a process in place to ensure compliance with POPI while covering all applicable laws and regulations. If through your act you allow personal information to be stolen, you are accountable and you will have to pay. Throughout his presentation a number of questions were asked, which resulted in Prof. Taylor not completing his presentation. One of the questions was: who is excluded from POPI? The answer is parliament, SARS and law enforcement; however, it should be noted that there are limitations imposed on each of them.
A number of companies provide services that can be used to restore an individual’s identity; this process takes 6 to 12 months.
PoPI Panel Q&A: Will you be ready?
Panel members: Dianne Stigling (Independent IT and information security consultant); Francis Cronjé (Founder & MD, franciscronje.com, CEO at InfoSeal); Ritasha Jethva (Governance, risk and compliance lead, Liberty)
The panel started by briefly describing, at the request of the session chair (Jacob Appelbaum), what POPI is. POPI regulates how anyone who processes personal information must handle, keep and secure that information. The POPI Act will bring South Africa in line with international best practice when it comes to the protection of personal information, as well as giving substance to the Constitution’s protection of privacy. Although the Act has been signed into law, a commencement date has not yet been set by the president. The commencement date refers to when the Act is fully operational. All relevant businesses and/or individuals will be given a year from the commencement date in order to comply with the POPI requirements (unless this period is extended, which is provided for by the Act). Francis Cronjé estimated that a commencement date will be established by September 2014. However, as from the 11th of April 2014, the sections of the Act relating to the establishment of the Information Regulator became operational. A number of questions were received in the session as well as via Twitter; below is a summary of the questions and answers:
How does POPI affect vendors who sell mass surveillance software?
The way in which POPI affects such vendors would depend on how the tools they produce are being used and for what purpose.
Who is notified when there’s a breach? And how are they notified?
As soon as you detect a breach you need to firstly understand who has been impacted, notify the regulator and then everyone who has been affected. You must ensure that your data quality is good so that you do not end up notifying the incorrect parties, resulting in another contravention of the Act. It is also important that you ensure that all your “ducks are in a row” when engaging with the regulator and affected clients, or you could face heavier fines and/or jail time.
According to POPI, is mass surveillance allowed?
Mass surveillance, by law, is not allowed in South Africa.
How is a consumer informed of purpose specification?
At the time of collection, the collector must clearly specify why and for what purpose the information is being collected.
How will POPI practically work in a country that is filled with corruption?
The POPI regulator will have to be well financed and strong in order to ensure compliance. Additionally, it is important that every consumer be made aware of their rights when it comes to POPI.
How would a family GP be punished if he/she did not comply with POPI?
Given that the GP is ultimately accountable for the patient information, he/she would be fined for the breach of personal information.
“The first step that needs to be taken towards protecting personal information is to not collect anything you don’t need” - Jacob Appelbaum
Excuse me… your phone is leaking
Nader Henein (Regional director: advanced security solutions - advisory division, BlackBerry)
Nader Henein opened his presentation by providing the audience with a number of statistics around Android apps:
• 124 different permissions exist on Android
• 33% of apps ask for permissions they do not need
• 83% of users do not pay attention to the permissions apps are requesting
As a company, do you need to worry about what apps your employees have on their phones? Henein provided a scenario that answers this question: an employee installs WhatsApp on his company phone; WhatsApp then automatically imports the employee’s address book, which contains company contact details and client information. All of the collected information is then sent to and stored on a remote WhatsApp server. Another question posed by Henein is how POPI deals with this situation, i.e. where a client’s personal information has been transmitted to and stored on a remote server. Answer: given that POPI is relatively new legislation, this and other questions still need to be addressed. Henein ended his presentation by highlighting the following:
• Personal information is now seen as currency and should be protected as such
• Adapting to new regulations is hard
• Be diligent and treat all personal information as if it’s your own
• Bring Your Own Device (BYOD) needs to protect both parties, i.e. the company and the employee
It’s 2AM, do you know what your apps are doing?
Failures of the infosec community - an in-depth insight
Charlie Miller (Security engineer at Twitter and four-time winner of the CanSecWest Pwn2Own competition)
Miller started his presentation by highlighting the fact that from 2007 until now the same problems still exist in terms of attacks, breaches and vulnerabilities i.e. vendors still have bugs. In particular, in 2007 Internet Explorer had remote code execution vulnerabilities and in 2014 new remote code execution vulnerabilities are still be reported. Miller in his years of being in the field has learnt that everything can be hacked regardless of whether or not it is secure. Additionally, just because you are compliant with a standard does not mean you have security i.e. compliance != security. It is also a lot easier to find one bug than it is to find all the bugs. Organisations need to remember that even though they do everything right in terms of securing end points etc., they will still get hacked if their users, for example, have a vulnerable browser running an older version of Java. Miller then asked who or what can help us secure our environments:
Can the vendors help? Miller went on to discuss why vendors release products that have vulnerabilities:
• It is difficult to produce code without a single vulnerability
• Looking for vulnerabilities is costly and takes time
• Rush to market, i.e. getting the product to market as soon as possible is a lot more important than identifying security issues
• There are no financial consequences for products having vulnerabilities, because a vendor can just push out a patch and cannot be held accountable for any vulnerabilities that are discovered
Therefore we cannot rely on vendors to make secure software.
Can the government help? If we can’t trust the vendors then who can we trust? Government? Miller said that the government has military resources that could be used for defence and offence purposes, however, the military is there to protect the country and not our online banking account.
Should we outlaw exploit sales? Outlawing the sale of exploits would not work well, because penetration testers would then not be allowed to use network scanners and similar tools either. Also, it is already illegal to use exploits for bad purposes.
How will you stop the real attackers, if you can’t keep the script kiddies out?
Can the press help? The press could create awareness around a subject or inform users about important aspects, which could help reduce security threats. However, the press’s main objective is to sell papers and/or get clicks on their websites. Unfortunately, talking about new compliance frameworks and technology will not sell papers; what does sell papers is ‘exaggerated’ headlines and stunt hacking.
Can researchers help?
In the past researchers used to trade vulnerabilities for ‘street cred’, and later reported them to vendors for the same reason, but nowadays they do it for money. This change occurred as a result of bugs becoming more difficult to find and the fact that researchers are busy with other work.
Good versus bad? The reality is that when someone finds a bug they have the following options:
• Notify the vendor
• Sell the bug but notify the vendor – get $5000
• Sell the bug without notifying the vendor – get $100 000
Amongst all the bad, Miller identified some good that has come of it all. For example, the mass media exposure around Heartbleed got people talking about relevant issues such as the use of open source and the vulnerabilities that exist in it. Over the years security products have been getting better in terms of the number of bugs that exist in them. Additionally, security products now also have advanced features such as sandboxing and anti-exploitation. He also pointed out that bug bounty programmes work very well. In conclusion, the information security industry is in bad shape and we are only as safe as the products we rely on.
We cannot rely on vendors to make secure software!
Snowden Revelations: What do they mean for South Africa?
Haroon Meer (Founder of Thinkst)
Meer started his presentation by highlighting the important lessons learnt from Snowden. The first is that when it comes to offence vs defence, offence always wins! Other lessons learnt are that there is a need for cryptography and that the insider threat is a real and dangerous one. However, the deeper and often less obvious lesson is that you need to know what you have and who has access to it. He went on to state that it is not enough to ask a cloud provider whether they use cryptography; a person also needs to ask the cloud provider what cryptography technology they use and how they use it. He also highlighted that in reality, when it comes to surveillance and cyber space, there are no allies, there are only interests. He went on to ask: where does South Africa stand in all of this? Are we not affected by things such as NSA surveillance? The truth is that if you are using services based in the USA, for example Gmail, then you are affected. Additionally, by using such services you are in fact accepting that you will be spied on. Meer went on to state that the majority of people believe that they are not really targeted; however, the truth is the NSA collects information on anyone and anything by utilising various technologies and techniques. South Africa in particular is deeply dependent on international providers, specifically those from Silicon Valley.
Can we build our own Silicon Valley? Meer believes we can indeed build our own South African Silicon Valley. He described how Silicon Valley was started and how it grew when academia, the military and the private sector got involved in funding start-up projects, i.e. involvement from all sectors, public and private, is necessary in order to establish South Africa’s own Silicon Valley.
Currently – how close is South Africa to creating its own Silicon Valley? Meer says that although the CSIR and the Department of Science and Technology do provide funds for projects, we still need to channel those resources correctly. For example, universities are just pushing out technology consumers, whereas the majority of funds are being spent on ICT projects which are not needed or are overpriced, for example the Free State provincial government website, which is said to have cost R40 million. Meer went on to say that in addition to not having the necessary funds, South Africa also does not have the skills needed to create its own Silicon Valley. Therefore, based on these facts, Meer concluded that South Africa is nowhere close to creating its own Silicon Valley. Meer believes we can still move away from our reliance on international software vendors by making use of free software. Meer went on to say that we are already making use of free software such as VLC, Google Chrome, Android and even Mac, which was built on free software, but is free software more secure? Meer did not go into detail about this but only said that it depends on which free software you are comparing and what you are comparing it to. In closing Meer said that we need to get to a point where experts tell you what will be in the news.
The US treats Cyber Space as one of its colonies.
International News
Heartbleed Bug – The Biggest Possible Internet Threat
What is the Heartbleed bug? Security expert Bruce Schneier has described it as “catastrophic” and, on a scale of one to 10, rates it as 11. The bug, called Heartbleed, exists due to a vulnerability in the ‘heartbeat’ functionality of OpenSSL, which is used to check whether two computers that are communicating with each other are still ‘alive’, i.e. online. The concern is that cyber criminals may exploit this critical flaw in OpenSSL, an encryption library used by millions of websites to encrypt website communications and protect sensitive data such as e-mails, passwords and banking information. Heartbleed allows cyber criminals to easily read sensitive information such as credit card details, usernames, passwords, encryption keys and other private information contained in the web server’s memory. In essence an attacker can simply ask the server for data and receive whatever happens to be in its memory. The bug was discovered by a team of security engineers at Codenomicon, who came across it while improving the SafeGuard feature in Codenomicon’s Defensics security testing tools. Neel Mehta, of Google Security, also discovered the bug and was the first to report it to the OpenSSL team. Though most software vulnerabilities eventually get phased out, this bug appears to be more serious because a large amount of sensitive information may already have been compromised by cyber criminals since March 2012. There are also several freely available tools that attackers can use to exploit the vulnerability. This exposure leaves a path that attackers can use to recover private keys, decrypt the server’s encrypted traffic or even impersonate the server. Once criminals have information such as usernames and passwords and the actual content, they can snoop on communications and steal data from the services and users, or impersonate services or users.
According to Netcraft’s April 2014 Web Server Survey, over 66% of the active sites on the Internet use OpenSSL, which is why Heartbleed has a global impact. Moreover, OpenSSL is used to protect network appliances, email servers and chat servers as well as a wide variety of client-side software. Numerous large consumer sites were spared only because their SSL/TLS termination equipment and software did not rely on a vulnerable OpenSSL build. Robert Graham, a security researcher, scanned the Internet and found that more than 600,000 servers were vulnerable to the Heartbleed bug, including Yahoo.com, imgur.com, flickr.com and hidemyass.com. Numerous organisations have had to shut down and repair their websites because of the Heartbleed bug. For example, the Canada Revenue Agency was forced to shut down its electronic tax collection service, and the world’s largest audio platform, SoundCloud, logged out its users in order to fix the flaw. Yahoo, which has more than 800 million users around the world, has also been affected by Heartbleed.
How does Heartbleed work?
Computers use heartbeats to ensure that the other party is still alive by transferring small amounts of data back and forth. The client (user) sends its heartbeat to the server (website), and the server sends it back. If either of them goes down during the transaction, the other will know thanks to the heartbeat mechanism. Because the vulnerable OpenSSL code trusts the length the client claims for its heartbeat, a reply can include up to about 64 kilobytes of the server’s short-term memory alongside the echoed data. If an attacker grabs it, sensitive data such as message contents, user credentials, session keys and server private keys may be leaked. The more Heartbleed requests the attacker sends out, the more memory contents they collect from the server. Although popular websites such as Gmail, YouTube, Facebook, Tumblr, Yahoo and Dropbox have fixed the problem, there are still thousands of websites that are yet to address the bug.
Reverse Heartbleed
The Heartbleed bug does not only affect servers, i.e. where a criminal steals information from a server; a malicious server can also exploit a client. In particular, Android devices that have a vulnerable version of OpenSSL installed are vulnerable to malicious servers stealing information from the device. For example, a malicious server could steal a user’s personal data. Android version 4.1.1 is vulnerable to Heartbleed, and security firm Lookout also detected the vulnerability in devices running version 4.2.2; however, the latter may be due to users having custom versions of Android installed. Android users can install the free detector app released by Lookout (http://goo.gl/kYmjhv) to check whether their device is vulnerable to Heartbleed. If your device is vulnerable to reverse Heartbleed you must update your Android to the latest version. Apple mobile devices are not vulnerable to reverse Heartbleed because Apple doesn’t ship its mobile operating system with OpenSSL.
The xkcd comic at https://xkcd.com/1354/ illustrates how the Heartbleed bug works.
For a video explanation of Heartbleed see http://goo.gl/ELIQMK
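As an added illustration of the length problem described above (example code written for this edition, not code from the magazine, OpenSSL or Codenomicon), the Python below models a TLS heartbeat record as laid out in RFC 6520, applies the bounds check that a patched responder performs before echoing a payload, and runs a small detection pass over captured records. The record layout comes from RFC 6520; all sample records and function names are constructed for this example.

```python
"""Model of the TLS heartbeat length check that Heartbleed was missing.

Added example, not code from the magazine or from OpenSSL. It builds
heartbeat records as defined in RFC 6520, applies the bounds check a
patched responder performs, and runs a detection pass over a list of
records. Every record used below is constructed inline.
"""
import os
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS ContentType value for heartbeat (RFC 6520)
HB_REQUEST = 1                  # HeartbeatMessageType heartbeat_request
HB_RESPONSE = 2                 # HeartbeatMessageType heartbeat_response
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of padding
HB_HEADER_LEN = 3               # 1-byte type + 2-byte payload_length


def build_heartbeat_record(payload, declared_length=None, version=(3, 2)):
    """Wrap a heartbeat request in a TLS record (constructed test input).

    declared_length defaults to the real payload size. Passing a larger
    value reproduces the shape the article describes: the 2-byte length
    field claims more data than the record actually carries.
    """
    if declared_length is None:
        declared_length = len(payload)
    fragment = struct.pack("!BH", HB_REQUEST, declared_length)
    fragment += payload + os.urandom(MIN_PADDING)
    header = struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE,
                         version[0], version[1], len(fragment))
    return header + fragment


def parse_tls_record(data):
    """Split a raw record into (content_type, fragment); reject truncation."""
    if len(data) < 5:
        raise ValueError("record shorter than its 5-byte header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record fragment truncated")
    return ctype, fragment


def heartbeat_is_well_formed(fragment):
    """RFC 6520 section 4 check: header + declared payload + minimum
    padding must fit inside the fragment actually received. The
    vulnerable responder skipped this and trusted payload_length."""
    if len(fragment) < HB_HEADER_LEN + MIN_PADDING:
        return False
    hb_type, payload_length = struct.unpack("!BH", fragment[:HB_HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False
    return HB_HEADER_LEN + payload_length + MIN_PADDING <= len(fragment)


def handle_heartbeat_request(fragment):
    """Patched responder: echo exactly the bytes the peer sent, or
    silently discard (return None) when the lengths do not agree."""
    if not heartbeat_is_well_formed(fragment):
        return None
    hb_type, payload_length = struct.unpack("!BH", fragment[:HB_HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    payload = fragment[HB_HEADER_LEN:HB_HEADER_LEN + payload_length]
    return (struct.pack("!BH", HB_RESPONSE, payload_length)
            + payload + os.urandom(MIN_PADDING))


def flag_malformed_heartbeats(records):
    """Detection pass over captured records: return one tuple
    (index, declared_length, fragment_length) per heartbeat whose
    declared payload overruns the record. This mismatch is the
    condition worth alerting on in network monitoring."""
    findings = []
    for i, rec in enumerate(records):
        ctype, fragment = parse_tls_record(rec)
        if ctype != HEARTBEAT_CONTENT_TYPE or heartbeat_is_well_formed(fragment):
            continue
        declared = struct.unpack("!H", fragment[1:3])[0] if len(fragment) >= 3 else None
        findings.append((i, declared, len(fragment)))
    return findings


if __name__ == "__main__":
    good = build_heartbeat_record(b"bird")                          # honest length
    bad = build_heartbeat_record(b"bird", declared_length=0xFFFF)   # over-declared
    print("well-formed echo:", handle_heartbeat_request(parse_tls_record(good)[1]))
    print("malformed discarded:", handle_heartbeat_request(parse_tls_record(bad)[1]))
    print("flagged:", flag_malformed_heartbeats([good, bad]))
```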
As technology evolves we may see current encryption technologies such as OpenSSL ultimately being replaced by more advanced ones. Additionally, the NSA is rumoured to have a “quantum computer” that could be used to break or decode almost every kind of encryption used to protect medical, banking and business data, including top secret information held by governments around the world, so there is a demand for new encryption schemes that are harder to break. Scientists have come up with an innovative encryption scheme which is nearly uncrackable, to make life tougher for cyber criminals and government spying agencies. A team of physicists at Lancaster University in the UK has built a strong encryption scheme which results in an endless number of secret encryption sessions shared between the sender and receiver. The idea of unbreakable encryption came from interdisciplinary research carried out by the scientists. The two ends of the encryption are the sender and the receiver. To coordinate their rhythms, they need to communicate back and forth with each other at various times, and so the information is encrypted at both ends and decrypted using the coupling functions. Coupling functions send and receive multiple encrypted signals. The scientists have illustrated their new communication framework: “A number of information signals coming from different channels or communication devices (e.g., mobile phone, sensor networks, or wireless broadband) are to be transmitted simultaneously.” The diagram below provides a high level view of the scientists’ communication framework.
Wolfpack have the following suggestions to deal with Heartbleed:
• It is advisable for users to change their passwords both on affected websites that have announced that they have fixed the problem and on all sites in general
• Tighten up security once again by creating stronger passwords and using multi-factor authentication where possible
• Advise your users / colleagues to be on the lookout for false “Heartbleed” phishing password reset emails
• Be suspicious of Heartbleed browser plugins / utilities from untrusted sites
Sources: The Hacker News, PC INpact and Krebs on Security
More NSA Revelations
‘Implants’ for Cisco, Juniper, Dell, Huawei and HP
It was revealed through documents leaked by Edward Snowden to SPIEGEL that the NSA has a secret unit that produces special equipment ranging from spyware for computers and cell phones to listening posts and USB sticks that work as bugging devices. When agents with the NSA’s Tailored Access Operations (TAO) division want to infiltrate a network or a computer, they turn to their technical experts. This particular unit of the United States intelligence service is known internally as ANT. SPIEGEL obtained an internal NSA catalogue describing ANT’s various products, along with their prices. The catalogue consists of several “implants”, as the NSA calls them, for computers, servers, routers and hardware firewalls. There is special equipment for covertly viewing everything displayed on a targeted individual’s monitor. And there are bugging devices that can conduct surveillance without sending out any measurable radio signal. The signals that are sent out are instead picked up using radar waves. Many of these items are designed for subverting the technical infrastructure of telecommunications companies to exploit them, undetected, for the NSA’s purposes, or for tapping into company networks.
The catalogue is not up to date. Many of the software solutions on offer date as far back as 2008, whereas some apply to server systems or mobile phone models that are no longer on the market. However, it is safe to assume that ANT’s hackers are constantly improving their arsenal. Indeed, the catalogue makes frequent mention of other systems that will be “pursued for a future release.”
The NSA has also targeted products made by well-known American manufacturers and found ways to break into professional-grade routers and hardware firewalls, such as those used by Internet and mobile phone operators. ANT offers malware and hardware for use on computers made by Cisco, Dell, Juniper, Hewlett-Packard and the Chinese company Huawei. There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalogue provided any support to the NSA or even had any knowledge of the intelligence solutions. The implants which were placed around the world have played a significant role in the NSA’s ability to establish a global covert network consisting partly of the agency’s own hardware, but also of other computers subverted to serve its purposes.
Source: SPIEGEL

China demands US explanations on Huawei spying report
China has demanded an explanation from Washington in light of reports that the U.S. National Security Agency (NSA) infiltrated Huawei Technologies’ servers. The president of China, Xi Jinping, raised “several concerns” with the U.S. president, Barack Obama, at the nuclear summit held in The Hague. The US responded by stating that it does not engage in any activities where the objective is to provide US companies with an economic advantage. However, the New York Times and the German magazine Der Spiegel both published confidential NSA information, provided by former NSA contractor Edward Snowden, that contained classified information about Huawei. The US State Department spokeswoman stated that all information collected by US intelligence agencies is focused on national security needs where there is a foreign intelligence or counter-intelligence purpose. She made it clear that information is not collected to give US companies an economic advantage.
Source: My Broadband

NSA allegedly spoofed LinkedIn profile to hack Belgian cryptography expert
A cryptography professor by the name of Jean-Jacques Quisquater was part of a targeted attack performed allegedly by the NSA and GCHQ. The NSA and GCHQ are suspected of performing the attack because Quisquater’s computer was hacked in the same way that Belgacom, Belgium’s largest telecommunications company, was hacked. Belgacom was hacked in September 2013, and in November 2013 it was revealed in documents leaked by Edward Snowden that the NSA and GCHQ were behind the attack. The documents revealed that the GCHQ created fake LinkedIn and Slashdot pages and made use of a method called “quantum insert” to redirect Belgacom’s users to a malicious site. Quisquater fell victim to the same “quantum insert” attack when he responded to a LinkedIn message that ended up redirecting him to a fake LinkedIn page that infected his computer with spyware.
Source: The Hacker News

NSA hacked into webcams of Yahoo users for personal images
A shocking revelation showed the ugly side of governments when it was revealed that the NSA and the British GCHQ are storing Yahoo users’ pictures. The Guardian received documents from former NSA employee Edward Snowden that revealed that the GCHQ worked with the NSA on a joint project dubbed ‘Optic Nerve’. Optic Nerve conducted mass surveillance by capturing webcam images every five minutes from random Yahoo users’ video chats and storing them in a database. The project targeted Yahoo webcam chats between 2008 and 2010.
Source: The Hacker News

The NSA is listening in
The Washington Post reported that, based on the leaked documents provided by Edward Snowden and the input of people with direct knowledge, the NSA is collecting 100% of all voice calls from an unspecified country (or countries). The collection of this data forms part of an NSA program called MYSTIC. It is important to understand that the actual voice data is being collected, i.e. it’s not just metadata. The collected data is stored in a database called NUCLEON and a tool called RETRO is used to access the data. The Washington Post withheld the details that could be used to identify which countries were within scope of the MYSTIC program.
Source: Washington Post

E-mails obtained through the Freedom of Information Act have revealed that Google has a close relationship with the NSA.
It has been reported that South Korea will be developing cyber weapons, similar to Stuxnet, to damage and ultimately destroy North Korea’s nuclear facilities.
Syrian Electronic Army targets the big names!
The Syrian Electronic Army (SEA) appeared in the media again in February 2014 after listing the popular sites eBay UK and PayPal UK as their latest victims. Websites of various media agencies, government organisations and big enterprises, including CNN and Microsoft, have also been targeted and defaced. Attacks on websites like PayPal could jeopardise the bank information of millions of people. However, the SEA did reassure people that it was “Purely a Hacktivist Operation” and that the ‘operation’ against PayPal was motivated by the fact that PayPal discriminates against Syrian citizens. It was reported that on the 11th of January 2014 Microsoft’s official @XboxSupport Twitter account was hacked and taken over for about 3 hours. The aim of the attack was to send an awareness message to people about the civil war in Syria. The SEA claimed that a Microsoft employee had wanted to make his password stronger by changing it from ‘Microsoft2’ to ‘Microsoft3’. Several prominent South African websites also fell victim to the SEA in September 2013. Forbes was another victim in a long line of high-profile attacks by the SEA. The SEA hacked multiple Forbes websites and hijacked three Twitter accounts related to the website. The SEA published screenshots which showed that they had gained access to the WordPress administration panel of the Forbes website. Once they had gained administration access they changed several articles which had been posted earlier on Forbes by several authors, retitling them “Hacked by Syrian Electronic Army.”
After editing the articles they tweeted, “Syrian Electronic Army was here” from the organisation’s compromised Twitter accounts, including accounts of Social media editor, Personal finance report account and the @ForbesTech account. The reason behind the attack was, as stated by the SEA, because “Many articles against the SEA were posted on Forbes, also their hate for Syria is very clear and flagrant in their articles.” A few minutes after the SEA group attacked Forbes, they posted a screenshot in which they claimed they had compromised the US Central Command’s repository. The screenshot worked as proof that the group had successfully hacked into the repository of Army Knowledge Online (AKO). AKO serves as a provider of web-based enterprise information services to the United States Army, joint, and Department of Defence customers.
The SEA group tweeted : “This is part of an on-going operation and we have already successfully penetrated many central repositories”
The SEA hinted that the motive for the attack was US president Obama’s decision to attack Syria through electronic warfare.
Sources: My Gaming and The Hacker News
Sticks in a bundle are unbreakable
To effectively manage risk in your IT Governance, Privacy or Information Security Programme you need great people on your team.
We help companies optimise their valuable people assets through:
• Research and Threat Intelligence
• Advisory
• Training
• Awareness
• Talent Management
www.wolfpackrisk.com
Data Breaches
Worst Data Breach in German History
The days are gone when the start of a day would mean a cup of coffee. In this day and age the start of a day means an enormous data breach being reported in the news. In Germany the login credentials, e-mail addresses and passwords of about 16 million online users were stolen. The German Federal Office for Information Security (BSI) discovered the login credentials after analysing malware-infected computers that were part of a botnet. The BSI refused to share details on the source of the information; as such, it is not yet known how and when the analysis was carried out or who exactly was behind this massive data breach. As a result, authorities have established a German-language website which allows users to enter their email address and check whether their email accounts are compromised or not. The agency spokesman, Tim Griese, said about half the accounts have ‘.de’ domain-name endings, denoting German-based accounts. The data breach poses a significant risk to the affected users that use the same login credentials for social media accounts and other services. The information could also be sold to spammers and to people looking to phish account holders.
eBay Compromised
eBay has asked 145 million users to change their passwords after hackers compromised a small number of eBay employee credentials and gained access to their data.
Coca-Cola’s Laptops not Encrypted
A total of 74,000 current and past Coca-Cola employees, contractors and suppliers in North America may become victims of identity theft due to the theft of unencrypted laptops. The laptops contained sensitive information such as social security numbers, driver’s licence numbers, addresses, financial compensation and the ethnicity of the employees. The laptops were stolen by a former employee who was responsible for maintaining and disposing of company equipment. The laptops had not been encrypted even though Coca-Cola’s policies require it. Coca-Cola offered free identity theft protection services to all those affected.
Data Breaches, Data Breaches, Data Breaches!
Orange Squeezed in Data Breach
One of the world’s largest mobile operators, the French multinational telecommunications company Orange, was the victim of a data breach. This came after the company announced that it had been targeted by unknown hackers on the 16th of January 2014, and that the hackers allegedly gained access to a database of up to 800,000 customers. According to a report published on the PC INpact website, the company warned its customers in an email that their client area had been hacked and personal data of about 3% of customers had been stolen, but that passwords were not affected. However, the hackers successfully stole customers’ names, mailing addresses, email addresses, and landline and mobile phone numbers. The company warned that the stolen information could be used by hackers to perform phishing attacks, allowing them to steal personal data, including bank account details and passwords. Orange confirmed the data breach and, after the discovery of the attack, closed the account page for a few hours as a precaution. However, Orange was breached for a second time in three months and the personal information of 1.3 million customers was stolen. The second data breach took place on the 18th of April, but Orange only informed its customers of the breach in May.
Target suffered a serious data breach
US retailer Target suffered a serious data breach in December 2013, and its CEO has just recently stepped down. Brian Krebs has analysed the numbers to highlight some of the lesser-known statistics surrounding the incident. The following statistics are taken directly from the source (http://krebsonsecurity.com/):
• 100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.
• 0 – The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) roles at Target (according to the AP).
• 18 – 35.70 – The median price range (in dollars) per card stolen from Target and resold on the black market.
• 40 million – The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.
• 1 million to 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market.
• 70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.
• 53.7 million – The income that hackers likely generated from the sale of 2 million cards stolen from Target.
• 46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.
• 200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards, about half of the total stolen in the Target breach.
• 55 million – The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation on his departure as Target’s chief executive.
“National Cyber Security Challenges” and “Overview of Cyber Activities in ITU-UN” Seminar
Craig Rosewarne (Managing Director – Wolfpack Information Risk) was recently invited to run a cyber security training workshop at the Eastern Mediterranean University (EMU) School of Computing and Technology’s campus in Cyprus. He explained how cyber security continues to be a growing global problem and, based on his research, highlighted the following:
• Cyber security is fast becoming a national priority in many countries due to the global increase in cybercrime and cyber espionage activity and the threat of cyber terror attacks against critical infrastructure.
• It appears that Northern Cyprus currently has few cyber security initiatives in place and perhaps may not necessarily even see the need for them.
• The country needs to have a basic cyber security response capability in place.
• EMU can play a leading role in helping to establish this through training, executive awareness and the establishment of a National CSIRT (Computer Security Incident Response Team) and a lab for hands-on exercises and simulations.
• There is room for improvement with regards to the university’s own internal information security; by improving it, the university could become a role model for the industry.
Asked about his trip, Craig stated that overall he was very impressed with the university and the warm hospitality of its people. It was interesting to note the large numbers of students from Africa, especially Nigeria that were studying at the university. Special acknowledgment was made to Kileo Yusuph from Tanzania whom he thanked for all his efforts in arranging a successful event.
About Eastern Mediterranean University (EMU)
Eastern Mediterranean University is ranked within the best 5% of 25,000 universities worldwide. The university was also placed within the first 7% of the 5500 European universities included in the rankings. In the 2013 University Ranking by Academic Performance (URAP) evaluations, EMU took its well-deserved place within the first 2,000 universities of the world. The university continues to increase its recognition day by day and proudly holds full membership of various prominent organisations such as the International Association of Universities, the European University Association, the Community of Mediterranean Universities and the Federation of the Universities of the Islamic World. EMU boasts a highly developed infrastructure, prominent academic staff members, 16,000 students from 85 different countries and 1,000 academics from 35 different countries (including Africa). The university provides quality programmes in English, the opportunity of learning a second foreign language, student exchange programmes, rich sports, social and cultural activity opportunities, international accreditations, an international teaching context, and a diploma recognised throughout the world. Students of EMU benefit from a wide variety of sports facilities, which include a modern stadium with a capacity of 5,000 seats, a tartan athletics track and a cardio centre. EMU also has a fully equipped Health Centre with 13 specialist doctors and a private ambulance. There are over 30 research centres, some of which directly provide services for students. For more information visit the university’s website: www.emu.edu.tr
Cybershield Magazine • April - June 2014 • Audits and Assessments • Page 36
Craig Rosewarne (Wolfpack Information Risk) and the management team of Eastern Mediterranean University (EMU)
About Cyprus Cyprus, officially known as the Republic of Cyprus, is an island in the Eastern Mediterranean Sea. It is the third largest and the third most populated island in the Mediterranean, and a member state of the European Union. It is located west of Syria, northwest of Israel, north of Egypt, east of Greece and south of Turkey and Lebanon. The country is divided, and the UN has created a buffer zone (known as the Green Line) which separates the self-declared Republic of Northern Cyprus from the Greek-controlled south. There are three UNESCO World Heritage Sites in Cyprus: a whole town called Paphos, the Painted Churches in the Troodos Region and Choirokoitia. Cyprus is one of Europe’s most southerly resorts and the country enjoys 340 days of sunshine. The country is very clean, with more than 45 of its beaches having been awarded the EU Blue Flag for cleanliness and safety. The crime rate is very low, which makes it one of the safest places in the world to live. In terms of technology, Cyprus is among the most developed countries in the world regarding telecommunications and ranks 3rd in the world regarding quality and technology.
Africa Cyber News
Cyber Newsmakers - South Africa
South Africa’s Public Investment Corporation Website Hacked by Maroc Electronic Army The South African Government Public Investment Corporation website PIC Real Estate (www.picream.gov.za) has been hacked by Ayoub Injector. Ayoub Injector is a member of Maroc Electronic Army hacker group. The hacker compromised the Investment Corporation’s website database and posted information on Pastebin along with telephone numbers, email accounts and names. PIC Real Estate Asset Managers is a division of PIC, which operates as the asset manager for South Africa’s public sector. The attacker uploaded the Maroc Electronic Army image on the website. The reason for the defacement has not been stated. Source: Cyber Protector
Several Security Flaws Uncovered on South Africa’s E-toll Website Another security flaw has been uncovered on SANRAL’s E-toll website: it lets any registered user see the outstanding balance on any vehicle. The report released by ITWeb revealed that exploiting the vulnerability is trivial, and indicated that all that is needed is an E-toll account and a modern browser with built-in developer tools. This is because the E-toll website’s billing page embeds the license number as a hidden field which can easily be accessed and modified. Reportedly, instead of preventing the user from querying the balance of a vehicle not registered to their account, the E-toll site simply returns the outstanding amount. It is not the first time a security flaw has been identified in the E-toll website. A previous vulnerability was that registered users’ PINs were easily accessible from the site, which would make it much easier for hackers to access a person’s private details. However, the Roads Agency seems to have patched its website. Further attempts to query bills without providing a valid ID number and validation code now reportedly result in an error being displayed. This is the latest in a series of security flaws discovered in SANRAL’s E-toll website since its inception in December 2013. Perhaps it is time the roads agency changed its approach to security on its website. SANRAL could have avoided this happening repeatedly had it performed regular audits and assessments of the E-toll website. Source: My Broadband
SAPS Discusses Plans to Tackle Cybercrime The South African Police Service has undertaken a joint venture with scientists and technology experts in a cutting-edge mission to fight cybercrime. This comes after the National Police Commissioner, Riah Phiyega, and Council for Scientific and Industrial Research head, Sibusiso Sibisi, signed the joint venture agreement. This partnership is expected to bring in new ideas and ways to help cyber and forensic detectives and forensic laboratory technicians. This initiative will speed up forensic cases, because work will be completed on time, since there will be adequate laboratories in all the different provinces. In the SAPS sector, the relationship between SAPS and the scientists and technology experts will help detectives attain the knowledge necessary to find cyber criminals who use computers and cell phones to mislead people with bogus winnings. Source: The Times
Proteas Board Accused of Hacking There are allegations that South Africa’s cricket board, Cricket South Africa (CSA), illegally accessed its franchises’ data. This comes after one of its franchisees reported that the Proteas board gained access to their data without permission. Additionally, the CSA is suspected of having snooped into three of its franchises’ data. The CSA’s president neither denied nor confirmed the allegations and advised the affected parties to approach law enforcement agencies, since they did not have any concrete evidence to prove that the CSA was guilty. Reportedly the CSA warned its employees not to say anything about what was going on within the CSA. Source: The Cricket Country
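To make the E-toll hidden-field flaw concrete, here is an added example (not code from SANRAL or the cited reports) showing a balance lookup that trusts the posted licence number beside one that first checks the vehicle against the logged-in account, plus a request-log check an auditor could run. The accounts, licence numbers, balances and log lines are constructed sample data.

```python
"""Hidden-field authorisation flaw: vulnerable vs hardened balance lookup.

Added example, not the E-toll site's code. Accounts, licence numbers,
balances and log lines below are CONSTRUCTED sample data.
"""

# Which vehicles are registered to which account (the server-side truth).
VEHICLES_BY_ACCOUNT = {
    "acct-1001": {"CA123456"},
    "acct-2002": {"GP987654", "GP555111"},
}
OUTSTANDING_BALANCE = {"CA123456": 0.0, "GP987654": 1284.50, "GP555111": 37.20}


class AccessDenied(Exception):
    """Raised when a caller asks for a vehicle that is not on their account."""


def balance_vulnerable(session_account, form):
    """The flaw as reported: the licence number comes from a hidden form field
    and is used directly, so any logged-in user who edits that field in the
    browser's developer tools receives another vehicle's balance."""
    licence = form["licence_number"]
    return OUTSTANDING_BALANCE[licence]


def balance_hardened(session_account, form):
    """Same request, but the vehicle must belong to the authenticated account.
    The hidden field is treated as untrusted input like any other parameter."""
    licence = form["licence_number"]
    owned = VEHICLES_BY_ACCOUNT.get(session_account, set())
    if licence not in owned:
        # Same error whether the plate is unknown or belongs to someone else,
        # so the response does not confirm which plates exist in the system.
        raise AccessDenied("vehicle not registered to this account")
    return OUTSTANDING_BALANCE[licence]


def cross_account_queries(log_lines):
    """Assessment helper: scan 'timestamp account licence' request log lines
    and return the (account, licence) pairs where the licence is not on that
    account. A run of these from one account is the trace of the tampering."""
    hits = []
    for line in log_lines:
        account, licence = line.split()[1:3]
        if licence not in VEHICLES_BY_ACCOUNT.get(account, set()):
            hits.append((account, licence))
    return hits


# CONSTRUCTED request log: timestamp, account, licence queried.
SAMPLE_LOG = [
    "2014-05-02T10:01:11Z acct-1001 CA123456",
    "2014-05-02T10:01:40Z acct-1001 GP987654",
    "2014-05-02T10:02:05Z acct-2002 GP555111",
    "2014-05-02T10:02:30Z acct-1001 GP555111",
]

if __name__ == "__main__":
    tampered = {"licence_number": "GP987654"}  # plate belonging to acct-2002
    print("vulnerable:", balance_vulnerable("acct-1001", tampered))
    try:
        balance_hardened("acct-1001", tampered)
    except AccessDenied as err:
        print("hardened:", err)
    print("suspicious:", cross_account_queries(SAMPLE_LOG))
```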
Cyber Newsmakers - Africa
Ghana Plans to Create a New Facility To Fight Cybercrime Ghana intends to partner with the Commonwealth Cybercrime Initiative to start a cyber security research and training centre at Ghana Technology University (GTU). This idea came after GTU started an awareness programme for government agencies and students. Dr Edward Omane Boamah, the minister of communications, suggested that government and tertiary institutions should work together to combat cyber threats and help with the economic growth of the country. The minister also raised the concern that universities are commonly exposed to, and are struggling with, cybercrime. Source: All Africa
Rwanda President Pushes for Collaboration Between ICT and The Police Force The Rwandan President has highlighted the importance of ICT providers and the integration of police forces in the Sub-Saharan African region. He addressed the LACP Sub-Saharan Africa Executive Policing Conference in Kigali. He spoke about how the security challenges of the twenty-first century are becoming increasingly sophisticated and globally widespread, requiring international collaboration to deal with them effectively. He also made the point that police forces ought to be connected internally and across the region, and should set up the requisite infrastructure for gathering and sharing information concerning security threats arising from the use of technology. He further stated that in order to ensure that technology remains a force for good and that criminals are kept in check, the police have to be on top of the latest developments in technology. This requires rethinking and reshaping the approach to community policing. Therefore, it is essential first to establish a technology-based global framework for law enforcement, and secondly to establish greater harmonisation of standards, regulations, laws and practices in order to cope with the reality of globalisation and to safeguard the benefits of technology. Source: Ivory Talk
5 Year Jail Sentence or N10m Fine if you Insult Someone on The Internet A new bill has been established in Nigeria to prevent Nigerian citizens from using defamatory words or language on social networking platforms. This bill will deal with those who make offensive statements about others on social networking sites. Those who do not abide by the law could be jailed for up to 5 years or even face the death penalty. The punishment will differ according to the effects or damage the cybercrime caused to the victim. To make this a success, internet service providers will be requested to keep all subscriber information in order to be able to punish whoever is found guilty. Source: The Times
Zambian Police Crack Down on the Misuse of Internet Services The Zambian police force has launched investigations into the rise in the misuse of internet services for identity theft, hacking, cyber trespassing and internet pornography. The police are pursuing authors and publishers of online media with a mission of arresting and prosecuting them for allegedly abusing the internet. This action is undertaken to identify those people who take advantage of cyberspace to commit crimes. The police department is planning to employ legal provisions aimed at tracking down those who make defamatory comments, remarks and seditious statements on the internet. Police spokesperson Charity Katanga noted that cyberspace is a great platform for cybercriminals to interact with the majority of people and warned parents to be on the lookout, since cyber criminals are also targeting children. Source: IT Web Africa
The Fight against
Cybercrimes in Tanzania
by Yusuph Kileo
Introduction Yusuph Kileo begins his report by stating that every good thing has its dark side, and information communication technology is no different. Its misuse reveals that dark side, which leads to cyber threats and cybercrime.
Problem description The rate of technology use in Tanzania continues to grow quickly, and so has the rate of crime committed with the aid of that growing technology. These crimes are classified as cybercrimes. Kileo mentions how cybercrime appears to be rife in the capital city, Dar-es-salaam, where the majority of people make use of the internet to exchange ideas, keep in touch with family and friends, buy and sell products (including online transactions) and access online services. He states that cybercrime in Tanzania is committed by two groups of people: those who perform the act without knowing that what they are doing is wrong, and those who know what they are doing but are determined to perform the act in order to disturb the country’s equilibrium from different angles, ranging from destabilising peace through misuse of social media and other communication media to stealing money through online transactions.
From 2010 there was an increase in unauthorised access to websites and networks in order to steal sensitive information. There was also destruction or alteration of web content and the launching of Denial of Service (DoS) attacks, which is one of the growing cybercrime threats in Tanzania.
Cybercrime in Tanzania Kileo states that cybercrime continues to be a growing concern in the world and quotes the startling facts from the ITU-IMPACT 2013 Internet Security Threat Report, which show that:
• There was a 42% increase in targeted attacks in 2012.
• The number of phishing sites spoofing social networking sites increased by 125% and web-based attacks increased by 30% each year.
Tanzania’s high rate of cybercrime and hate speech was highlighted in Mtanzania, a local newspaper, on July 26, 2013, page 6: “There is fear of a high rate of individuals who made use of the internet to threaten national security (Tanzania) due to misuse of the blogs and social media along with mobile phones to spread hate speech among communities in Tanzania, and the number of cyber criminals worldwide has now increased.” In the past, there were a few cases where criminals made use of technology to tamper with ATMs in Tanzania. Nowadays the practice is growing faster, and fear among ATM users has increased because each day cyber criminals are coming up with new techniques to steal money from ATMs.
How criminals are stealing in Tanzania
Kileo mentions some of the popular techniques used by cyber criminals to steal money through ATMs in Tanzania.
Social engineering Criminals send phishing emails and trick victims into providing their bank details and ATM PINs.
Card Skimming Kileo talks about card skimming in the country, whereby cyber criminals record card details using a device called a “card skimmer”, which is placed over the card slot or over the keypad of the ATM and captures card and PIN information.
Web Attacks Another attack he mentions is web attacks, in which criminals hack websites; this has become a commonly used technique in Tanzania. Cyber criminals hack websites to gain unauthorised access to the personal information of clients or web visitors. He explains how, globally, hackers now use this technique to destabilise websites by performing attacks that deny and/or destroy information, steal information, manipulate information, alter the context in which the information is viewed, or change people’s perceptions of the information. Last year Kileo conducted research in Tanzania in which he asked a few hackers and students who are into hacking what their motives were; they said that information stolen from sensitive websites can be sold at a good price. This shows that those performing this act in the country did so mainly for financial gain.
Mobile transaction attacks A report stated that there is a woman in the Kilimanjaro region of Tanzania who steals money from Mobile Money agents and is very good at it. She apparently approaches agents pretending to want to withdraw some money, and after she has left the agent finds all his money gone. It is hard to tell what she does, but most of the agents have confirmed that the criminal is the same woman (Unknown, 2013). Such a report comes after a study showing that transactions through mobiles are growing rapidly in Tanzania. The attacks mentioned are the most common and fastest-growing techniques used by criminals, and it is unfortunate that the majority of the population are not aware of this.
Effect of cybercrime on tourism in Tanzania
Tourism contributes to the economy of the country, with most revenue coming from this sector. Foreign tourists visit the country all year round and rely on online transactions to secure their bookings and activities before arrival. The high cybercrime statistics in the country have resulted in fear and uncertainty among prospective tourists who make online payments before visiting the country. If this problem is not resolved it is likely to affect the flow of tourists into the country, which will impact the economy negatively. Though there is no study showing why the number of tourists visiting the country continues to decrease over the years, Kileo is convinced that high-level investigations or research would show that the increasing cybercrime statistics are pushing tourists away. In a recent case one of the country’s leading airlines, Fastjet, released a warning through its social media to customers who use credit cards for payment: if they did not have with them the card that was used to purchase the ticket, they would be denied boarding regardless of whether or not they were in possession of a ticket. The statement was released on 7 Feb 2014, with the airline stating that it was due to an increase in the number of fraudulent transactions. Fastjet is one of the airlines in Tanzania which offers international flights to South Africa and other destinations. Kileo feels there is a dire need to mitigate these risks so as to provide a safer environment for tourists, especially when it comes to online transactions.
Initiatives Kileo does acknowledge that the struggle against cybercrime in Tanzania has started to take a new shape. The Tanzania Police Force (TPF), through its sub-unit under the forensics bureau called the Cybercrime Unit, the Tanzania Communications Regulatory Authority (TCRA) and other sectors have shown progress in the fight against cybercrime. In this section he focuses on the TPF and TCRA initiatives on cybercrime in Tanzania. TCRA, the recognised government regulator, has played a significant role in reducing cybercrime through campaigns such as “FUTA KABISA”, meaning delete, which is intended to encourage citizens in Tanzania not to conduct hate speech through blogs, social media and short messages (SMS). The “Futa kabisa” campaign prohibits the sharing of targeted hate speech via social media or SMS, specifically any information which may negatively affect the country’s stability.
The police force has the authority to take action and punish those who oppose this campaign. Kileo feels that this move has helped reduce the impact of cybercrime in Tanzania. Another TCRA initiative aimed at reducing cybercrime in Tanzania is the registration of mobile lines. Mobile registration is designed to reduce cybercrimes committed using mobile phones. Though it was difficult to start this initiative, telecommunication companies in Tanzania try to make sure that each mobile phone user is registered with a valid ID, which has helped to reduce the number of mobile phone related crimes. The Bank of Tanzania (BOT) has initiated a move to reduce ATM crimes by asking all banks in the country to include an electronic chip in all ATM cards. This was done after multiple reports identified that such crime was increasing in the country.
The cybercrime unit of the TPF is responsible for ensuring rules and regulations related to cyber issues in Tanzania are well observed. Forensics investigations are also the responsibility of this unit. With regards to fighting against cybercrime, the unit has a significant role to play to mobilise the society and help them remain safe from cybercrime. To ensure success of the discussed initiatives, Kileo feels there is a need for training cybercrime personnel, conducting cyber events, building up forensics labs to provide the best environment to perform cybercrime investigations and to teach/provide awareness to the societies in Tanzania.
How the Cybercrime Unit conducted these initiatives Cyber training The Tanzania Police Force initiated three important ways to provide constant learning to all of its personnel, i.e. not only the cybercrime unit. This helps to grow the skills of personnel and ensures that they perform their jobs effectively. Some of the initiatives to combat cybercrime are:
• Security awareness
• Legal requirements for cybercrime personnel
• Digital forensics training (first responder)
• Forensics lab training
• Courses to train effective security professionals
Cyber events In January, 2013, the Cybercrime unit headquarters organised an event that allowed cybercrime personnel across regions to meet and exchange knowledge that will maximise their ability to perform daily activities. The event also highlighted updates on the challenges in cybersecurity and forensics investigations, provided knowledge on how to collect and manage digital evidence and provided security awareness lectures to increase awareness of all participants.
In September 2013, another event called the “Cyber security event” was conducted, and the invited guest, Craig Rosewarne (founder and MD of Wolfpack Information Risk), presented to cyber and ICT members from TPF as well as personnel from government and private sectors in Tanzania. Rosewarne’s advice was that the country should focus on the region’s cyber security issues and get information from experts and case studies in order to create discussion panels. This should be done in order to achieve the following objectives:
• Increase stakeholder awareness of cybersecurity issues
• Drive adoption of proactive industry best practices on how to mitigate cyber threats
• Understand the impact of strengthening security in organisations
Conclusion Kileo ends his report by stating that even though there are initiatives in place to tackle cybercrime, there is still a need for organisations from both the private and government sectors to join forces to fight against cybercrime. He mentions that:
• The “Tanzania crime awareness campaign” should be broader and include ways in which ordinary citizens can protect themselves against crime before it happens, what should be done when a crime has been committed (how to report the crime) and the impacts/effects of cybercrime on any nation.
• He also stresses the need for a cyber law in Tanzania that clearly sets out the punishment for the various types of cybercrime, which will help facilitate the prosecutor’s judgement when bringing cybercriminals to justice.
• Kileo recommends that there be constant awareness through the media to reduce the number of cybercrimes committed by citizens without knowing that what they are doing is wrong.
• The government should encourage and emphasise obedience to the law with a very effective slogan in Tanzania, “Utii wa sheria bila shuruti”. Kileo feels that such slogans may have a more positive impact in the fight against cybercrime in Tanzania than enforcing laws alone.
Yusuph Kileo, Cyber Security and Digital Forensics Expert. P.O. Box 55105, Dar Es Salaam, Tanzania. Mobile: +255 (0655) 299515. Email: yajk2002@yahoo.com
Yusuph Kileo is an expert in the fields of cyber security and digital forensics. Yusuph started developing his IT skills while working with Brand East Africa in 2006. In 2008 he joined the Tanzania Telecommunication Company Limited (TTCL) MIS department, where he developed his interest in the security field. In 2010 he joined Deloitte’s IT department, where he further strengthened his security skills. In 2012, Yusuph joined the Tanzanian government’s Criminal Investigation Department (CID) as a cyber security and digital forensics investigations expert. The CID falls under the Forensics Bureau section, which is focused on cybercrimes. During his time with the cybercrime unit he conducted several trainings and provided insights on cyber challenges in Tanzania. He is often invited to speak at or chair information security, risk and crime sessions, as well as to provide opinion pieces via TV, radio and print and/or online media.
Local Training and Events
WOLFPACK CYBER ACADEMY
2014 Information Risk Foundation Programme
COMPANIES Companies can send their staff on the 3 week programme. For more information please contact us at academy@wolfpackrisk.com GRADUATES Each intake Wolfpack will sponsor a number of talented graduates (or passionate unemployed IT people under the age of 29) through the programme. For our top achievers there may even be an option for an internship with Wolfpack. Visit www.wolfpackrisk.com/training to apply
Governance risk management and compliance
Websites Still Using Weak Digital Certificates Experts at Netcraft discovered that the NIST.gov website has been using an SSL certificate whose digital signature is computed with SHA-1. This is despite the National Institute of Standards and Technology (NIST) having published a document in 2011 calling for the SHA-1 algorithm to be banned after 2013 because it was considered insecure. Below is an excerpt from the document: “From January 1, 2011 through December 31, 2013, the use of SHA-1 is deprecated for digital signature generation. The user must accept risk when SHA-1 is used, particularly when approaching the December 31, 2013 upper limit. SHA-1 shall not be used for digital signature generation after December 31, 2013.” The secure communication of electronic documents is facilitated through digital signatures, which provide a way to assess both the legitimacy and the integrity of information exchanged digitally. SHA-1 is being phased out of most governmental applications, and NIST has recommended that SHA-1 not be used after 2013 because it has weaknesses that an attacker could exploit to forge digital signatures. This means that an attacker could create their own malicious certificates that would pass browser verification checks.
NIST’s most current digital certificates are now verified by Verisign and use SHA-2 (SHA-256) with RSA. This is done to ensure that attackers cannot create trusted malicious certificates. “In total, more than 98% of all SSL certificates in use on the Web are still using SHA-1 signatures. Netcraft’s February 2014 SSL Survey found more than 256,000 of these certificates would otherwise be valid beyond the start of 2017 and, due to the planned deprecation of SHA-1, will need to be replaced before their natural expiry dates.” In February 2013 Symantec announced the inclusion of an Elliptic Curve Cryptography (ECC) Digital Signature Algorithm (DSA), a multi-algorithm SSL certificate for web servers that goes beyond traditional cryptography. ECC provides greater security compared to other prevalent algorithms and is said to be 10,000 times harder to break than an RSA key. In short, Symantec ECC-256 certificates are said to offer security equivalent to that of a 3072-bit RSA certificate.
Source: The Hacker News
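As an added example (not Netcraft’s or NIST’s tooling), the following walks a DER-encoded X.509 certificate to read the signature algorithm OID and the notAfter date, and flags the case Netcraft counted: signed with SHA-1 and still valid beyond the start of 2017. The input is a constructed, unsigned certificate-shaped DER blob built by the same script; real DER certificate bytes (for example a saved .cer file read in binary mode) go through the same walk.

```python
"""Flag X.509 certificates still signed with SHA-1 by walking their DER encoding.
Added example, not Netcraft's or NIST's code; the test input below is a
CONSTRUCTED, unsigned certificate-shaped blob (real DER bytes use the same walk)."""
import datetime as dt

# Signature algorithm OIDs (RFC 3279 / RFC 5758) mapped to (name, digest).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
SHA1_CUTOFF = dt.datetime(2017, 1, 1)  # Netcraft's "valid beyond the start of 2017"


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a SEQUENCE's content into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on every byte but the last
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _decode_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ")  # otherwise GeneralizedTime


def inspect_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _sig = _children(cert)[:3]
    oid = _decode_oid(_children(sig_alg[1])[0][1])  # AlgorithmIdentifier.algorithm
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    not_before, not_after = (_decode_time(*f) for f in _children(fields[3][1]))
    name, digest = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    return {
        "signature_algorithm": name, "digest": digest,
        "not_before": not_before, "not_after": not_after,
        "sha1_valid_past_cutoff": digest == "SHA-1" and not_after >= SHA1_CUTOFF,
    }


# ---- constructed test input (tiny DER encoder) --------------------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def build_skeleton_certificate(sig_oid, not_after_yyyymmdd):
    """CONSTRUCTED input: X.509-shaped DER with empty names, empty key and a dummy
    signature, enough to exercise inspect_certificate() offline."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL
    utc = lambda s: _der(0x17, (s[2:] + "000000Z").encode())  # YYMMDDHHMMSSZ
    validity = _der(0x30, utc("20140101") + utc(not_after_yyyymmdd))
    empty_seq = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + empty_seq + validity + empty_seq + empty_seq)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```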
Cyber Crime is a ‘black swan’ - Australian Securities and Investments Commission (ASIC)
Greg Medcraft, the chairman of the Australian Securities and Investments Commission (ASIC), said cybercrime is a risk that could be the next black swan event, as senior business executives have indicated that companies are not sufficiently prepared for such dangers. A black swan is a metaphor describing ‘An event or occurrence that deviates beyond what is normally expected of a situation and that would be extremely difficult to predict’ (Financial Times Lexicon, 2014). Medcraft said technological advancements had fuelled a “significant growth” of cybercrime across the world, taking it to an estimated annual cost of $110 billion, and that each attack was estimated to have cost Australian companies $2 million. He emphasised that the issue with cybercrime is that it is almost impossible to know everything, because cybercrime is constantly evolving; therefore it is not about avoiding cybercrime but rather about being resilient against it. Furthermore, Medcraft called for stiffer penalties to combat corporate misconduct, saying that such penalties are a very powerful deterrent against cybercrime. The Obama administration unveiled its Cybersecurity Framework in February, a 39-page report on a plan for information sharing between the federal government and public and private critical infrastructure providers. Medcraft said ASIC would draw on some of the ideas proposed in the US Cybersecurity Framework and work with regulators around the world to establish international standards on risk management systems. A report by accountancy firm PricewaterhouseCoopers in March stated that 39% of financial services companies were victims of cybercrime, in contrast to 17% in other industries. The researchers believe that the impact of cybercrime was even greater than what was officially reported.
Senior business executives feel that companies are not doing enough to guard against cybercrime attacks, and that leadership in companies needs to start at board level. It was reported that in January, hackers had used malware to infect US retailer Target’s point-of-sale systems and steal credit and debit card information of more than 110 million Target customers.
Cyber security firms said the scale and sophistication of such attacks, which also affected Neiman Marcus, were new and would be difficult to detect and trace. According to Tim Phillipps, a global managing partner for Deloitte Analytics and a former ASIC investigator, the Target case showed that even though companies are becoming skilled at collecting data and analysing their customer bases, they are still not particularly strong in securing that information. Mr Medcraft again touched on the need for tougher penalties for white-collar crime, saying the public expected ASIC to take strong action against wrongdoing. “Often it is a situation where it’s a fear versus greed equation,” he said. Source: The Sydney Morning Herald
Obama Administration unveils Cybersecurity Framework
Earlier this year, in February, the Obama Administration announced the launch of the Cybersecurity Framework. The framework is the outcome of a private-sector-led effort to develop a voluntary ‘how-to guide’ for organisations in the critical infrastructure community to enhance their cybersecurity. The framework also includes best-practice guidance for the different critical sectors, namely defence, banking, utilities and other industries, on how to protect themselves against attacks by hackers. The framework came about after the Commerce Department called for the development of the guideline following an executive order signed by President Obama last year. The executive order was issued by the President after he failed to convince Congress to pass legislation requiring companies to better defend their networks. In his speech, Obama stated that, “While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cyber security, America’s economic prosperity, national security and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property.” Obama first called for the creation of the guidelines in 2013 at his State of the Union address, where he urged the government sector to unite with private industry and settle on a plan to conduct and improve information sharing and raise the level of cyber security across critical U.S. infrastructure by promoting widely accepted standards and best practices. All moves were to be directed while keeping civil liberty concerns in mind. The framework is built on five broad categories that companies should consider in cyber security planning: identify, protect, detect, respond and recover.
The Secretary of the Department of Homeland Security, Jeh Johnson, announced that his agency was starting a programme to assist companies in implementing the framework. Unfortunately, the present framework does not include tax breaks or other financial incentives, which could have given organisations the push required to adopt it. The White House believes that even without financial incentives companies will welcome the framework. Randall Stephenson, CEO of AT&T, said there is no need to motivate executives at his company on the issue and stated that “There is nothing more brand-affecting for a company like AT&T than cybersecurity”. Source: USA Today
Cybershield Magazine • April - June 2014 • Audits and Assessments • Page 46
Audits and Assessments
PCI Compliance is a Once-off Annual Event
Verizon stated that, ‘Compliance is often treated as a lone annual event by most organisations, which leaves them vulnerable.’ Verizon elaborated that, ‘A majority of companies that achieve annual compliance with the Payment Card Industry Data Security Standard (PCI DSS) fail to then maintain that status. As a result, they often remain exposed to potential data breach risks and other security threats.’ Verizon’s report is based on actual compliance data gathered from companies in financial services, retail, travel, hospitality and other vertical markets. Its core is the results of annual PCI compliance assessments of more than 500 large organisations between 2011 and 2013. Only 11.1% of the companies maintained their compliance status from one assessment to the next. According to Rodolphe Simonetti (Managing Director of the PCI practice at Verizon Enterprise Solutions), more than 82% of the organisations were compliant with only about 8 out of 10 PCI DSS requirements at the time of their annual assessment and needed roughly three more months to close the gaps. The underlying problem is that organisations treat PCI compliance as an annual end goal rather than as part of a continuous risk management effort.
Simonetti added that, “Too many companies still look at PCI as pure compliance and don’t use it to mitigate risk. Often, compliance is managed as a project - particularly as the build phase of a project. Once compliance is achieved, many companies simply stop paying attention.”
Simonetti explained why most companies struggle with the PCI requirements on protecting stored data, monitoring security controls, conducting security testing, and identifying and reacting to security breaches. More than half of the companies assessed failed the data-protection requirements at their first annual assessment in the study. The breach at Target, which exposed data on more than 40 million debit and credit cards, was a rude awakening that pushed organisations to pay attention to PCI standards and compliance in general. Target noted that it was breached despite having been assessed as compliant with all PCI requirements, and critics argue that the standard’s measures do little to protect companies against new and sophisticated threats. Simonetti’s view, however, is that “most breaches are not a failure of the technology or standards but rather a failure to implement the standards.” Limited expertise and resources also hinder ongoing compliance: the study found that once an organisation passes its annual assessment, staff are immediately reassigned to other duties instead of maintaining the controls. PCI DSS requires companies such as Target to run vulnerability scans every quarter, checking for threats to payment card data; Simonetti noted that, unfortunately, many companies fail to take the requirement in the spirit it was intended and skip their quarterly scans.
Source: Computer World
Audits and Assessments
Agencies Often Fail to Take Basic Preventive Measures
An absurd emergency broadcast was distributed in several states stating that: “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living... Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous.”
The supposed ‘zombie invasion’ was not a scene from “The Walking Dead”: according to a Senate cyber security report, the federal Emergency Alert System had been taken over by hackers, who continue to exploit flaws that are becoming alarmingly common in critical government systems.
The Department of Homeland Security faces particular criticism because it helps oversee cyber security at other federal agencies, yet the report found that the department was not even succeeding at basic measures such as keeping essential software up to date.
Senator Tom Coburn (Okla.), the ranking Republican on the committee that produced the report, said: “None of the other agencies want to listen to Homeland Security when they aren’t taking care of their own systems. They aren’t even doing the simple stuff.”
US officials rank cyber attacks among the top threats to the nation, and spending on computer security has risen accordingly. Yet a report by the Republican staff of the Senate Homeland Security and Governmental Affairs Committee shows that federal agencies are not prepared to defend their networks against even amateur hackers. Alan Paller, research director at the SANS Institute, reviewed a draft before its release and said, “As a taxpayer, I’m outraged that we are spending all this money and getting so little impact for it.” The report draws a broader picture of continuing dysfunction from prior work by the Government Accountability Office and agency inspectors general, and documents recurring failures by federal officials to enforce information security: agencies repeatedly fail to update anti-virus software, install security patches, communicate over secure networks and use strong passwords. One astonishing finding is that the word ‘password’ was the most common password found on federal systems. Obama administration officials have taken issue with elements of the report but concede that getting agencies to secure their systems against attack has proved difficult. Michael Daniel, special assistant to the president for cyber security policy, said, “Almost every agency faces a cyber security challenge. Some are farther along than others in driving awareness of it. It often depends on whether they have been in the crosshairs of a major cyber incident.”
According to Coburn and several outside experts, the core problem is that federal agencies fail to hire expert information technology workers, underpay those they do hire, and do not give them the authority to enforce routine security practices. Steven Bellovin, a Columbia University computer science professor and former Federal Trade Commission chief technologist, said: “It’s a low-status, often low-paid, high-stress position because people only notice systems administrators when something breaks. It becomes a very easy position to neglect.” Experts added that because it is often unclear who is responsible, senior officials in the chain of command are rarely held accountable for security failures, and the law prescribes no consequences. The bogus zombie alert illustrates the point. The Emergency Alert System is mandated by the Federal Communications Commission (FCC) and managed by the Federal Emergency Management Agency (FEMA); several television stations in Michigan, Montana and New Mexico carried the alert. Some stations had connected their alert-system equipment to the internet without putting it behind a firewall or changing the default password, contrary to the manufacturer’s guide, and the hackers found the exposed devices and exploited the mistake, said Ed Czarnecki, an official with Monroe Electronics, which made the equipment that was breached. Czarnecki added that such lapses might have been prevented with more instruction from government: “Neither the FCC nor FEMA had issued clear guidelines on how to secure this gear.”
Experts say that although the incident was quickly dismissed as a prank, it exposed weaknesses that could have been far more dangerous had the hackers broadcast false information during a real attack. Affected stations worked with Monroe Electronics and the FCC to prevent a recurrence. A Department of Homeland Security (DHS) spokesman, S.Y. Lee, said in an e-mail that “DHS has taken significant measures to improve and strengthen our capabilities to address the cyber risks associated with our critical information networks and systems.”
The following statistics were highlighted:
• In every year since 2008, the Government Accountability Office (GAO) has found roughly 100 weaknesses in the computer security practices of the Internal Revenue Service, which took an average of 55 days to patch critical system flaws once they were identified, against a target of three days.
• The Energy Department had been hacked, and the intruders gained access to the private information of 104,000 past and present department employees.
• The Nuclear Regulatory Commission (NRC), which keeps information on the security and designs of every nuclear reactor and waste facility in the country, had repeatedly suffered unauthorised disclosures of sensitive information. An agency spokeswoman said in a statement that they “take information security very seriously and work continuously towards improvements.”
• Laptops belonging to the Securities and Exchange Commission (SEC) that held sensitive information were not encrypted, and employees would sometimes send private information about financial institutions through their personal e-mail accounts.
• On at least one occasion, an SEC employee logged onto an unsecured WiFi network during a convention of computer hackers.
Emily Spain, spokeswoman for Sen. Thomas R. Carper (D-Del.), said, “Federal agencies still have more work to do in this area, and the laws that govern the security of our federal civilian networks need to be reformed.” Unfortunately, Washington has been slow to act: the 2000 law intended to advance government cyber security was never effectively implemented because it carried no consequences for agencies that did not comply. At the same time, the White House is trying to give the Department of Homeland Security more authority to enforce cyber security rules across government. James A. Lewis, a cyber security expert at the Center for Strategic and International Studies, concluded: “At the end of the day, it’s a lot like the problem you have in businesses. The CEOs don’t see cyber as their mission, as a fundamental problem. You don’t see your job as running a secure network. If something goes wrong, nothing happens to you.”
Source: The Washington Post
Managed Services
Microsoft’s Hands are Clean
Scott Charney, Microsoft’s VP of Trustworthy Computing, told the RSA 2014 conference that Microsoft is not part of the mass surveillance undertaken by the NSA and does not install backdoors in its software, adding that doing so would be unethical and bad for business. He said the company was not worried by the Snowden disclosures because it had acted on principle: “We do defence, not offence. We never do bulk data collection.” According to Charney, Microsoft is happy to help law enforcement, up to a point. It supplies investigators with the Computer Online Forensic Evidence Extractor (COFEE), a toolkit that runs from a USB key and gathers evidence from Windows systems, but he stressed that Redmond would not participate in illegal searches and would fight such orders in court. Charney also denied that Microsoft puts backdoors into its code, referring to the ‘NSA key’ saga of 1999, when a researcher found a signing key in Windows NT named _NSAKEY. Microsoft has always maintained that the key got its name because the NSA oversaw encryption export controls; as Charney put it, if Microsoft had put a backdoor in its code, it would hardly have called it the NSA key.
Charney stated: “If I put a backdoor in our product, our market capitalisation goes from $260bn to zero overnight. I can’t even sell it. It’s nuts! Economic suicide! So no backdoors.” To reassure foreign governments that its code is secure and contains no backdoors, Microsoft makes its source code available to them for inspection; any flaws they find are fixed by Microsoft, which is a further reassurance to customers. Charney has called for a ban on software weaponry, arguing that it is counterproductive for everyone involved and carries a high risk of blowback on the sender, because the code always leaks out. Stuxnet is the case in point: it reportedly slowed Iran’s uranium enrichment efforts, but the software was picked up and analysed by researchers and malware authors alike. To get its job done, Stuxnet used multiple zero-day exploits, and as a result millions of computer users were put at risk and had to update their systems. While Charney is clearly sincere in his belief that Microsoft is on the side of the angels, others are less sure. Security expert Bruce Schneier, Chief Technology Officer (CTO) of Co3 Systems, told The Register: “The best Microsoft can say is that we are secure except for the vulnerabilities that we don’t know about and the ones we are prohibited by law from telling you about. This is the problem. Microsoft might be 100 per cent truthful about this, but they have no way of proving it. Because the NSA has poisoned the environment, we have no reason to believe them.”
Source: The Register

Free Microsoft Windows for Mobile Devices
Microsoft will stop charging for its Windows operating system on devices with screens smaller than nine inches. This is good news for manufacturers of small tablets, phones and other small devices, which will no longer have to buy a licence from Microsoft. The operating system, called Windows for Internet of Things, will share a code base with Windows Phone 8 and will run only mobile apps, not desktop software, which may be intended to make the system harder for hackers to exploit and to keep the code secure. Giving Windows away could be a significant step, but it is one the company arguably needed to take earlier, because Google’s free Android operating system is already widespread across consumer electronics devices; the move looks like a strategic attempt to catch up with Android and Apple’s iOS. Android is open source and freely available, so anyone can use it without paying, whereas Microsoft has been charging $10 per device for the use of its Windows Phone operating system on smartphones and tablets.
Source: The Hacker News
Managed Services
Google Chrome protects users from Browser hijacking
Google is perceived as a trustworthy brand and continuously works to make its products more robust and secure for its users. It rewards vulnerability hunters under its bug bounty programme and offers substantial prizes to hackers in its ‘Pwnium’ competition for finding critical vulnerabilities. Google has now added a feature to its Chrome browser that warns users whenever the browser’s settings are altered by malware; the feature was introduced specifically to deal with browser hijacking. Browser hijacking is the alteration of a browser’s settings, and the term ‘hijacking’ is used when the changes are made without the user’s permission. Hijackers usually replace the existing home page with a search page or error page and redirect traffic to drive hits to a particular website, whose advertising revenue rises with the traffic; adware bundled with the hijacker profits the same way. To control what the browser displays and how, a hijacker uses malicious software to modify the browser’s internet security and registry settings.
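What ‘alteration of the browser’s settings’ looks like when you go looking for it, as an added example written for this edition (it is not Chrome’s own code and not Google’s detection logic): the check below compares a browser’s persisted preferences against a known-good baseline and reports the keys a hijacker typically rewrites (homepage, start-up pages, default search engine, installed extensions), then produces a cleaned copy the way a ‘reset browser settings’ action would. The preference layout and the baseline values are constructed, simplified stand-ins for a real Chrome profile’s Preferences JSON file.

```python
"""Detecting hijacked browser settings against a known-good baseline.

Added example, not Chrome's code. The JSON layout below is a simplified,
constructed stand-in for a real Chrome "Preferences" file.
"""
import json
from copy import deepcopy

# Baseline the user (or an admin policy) actually chose. Assumed values.
BASELINE = {
    "homepage": "https://www.google.com/",
    "homepage_is_newtabpage": True,
    "session": {"restore_on_startup": 1, "startup_urls": []},
    "default_search_provider": {
        "name": "Google",
        "search_url": "https://www.google.com/search?q={searchTerms}",
    },
    "extensions": {"installed": ["translate", "ublock"]},
}

# Constructed sample of a hijacked profile: homepage, start-up URL and
# search engine redirected to a "toolbar" site, plus one extra extension.
HIJACKED_PREFS = json.dumps({
    "homepage": "http://search-toolbar.example/home",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://search-toolbar.example/home"]},
    "default_search_provider": {
        "name": "SuperSearch",
        "search_url": "http://search-toolbar.example/s?q={searchTerms}",
    },
    "extensions": {"installed": ["translate", "ublock", "supersearch-helper"]},
})


def _flatten(d, prefix=""):
    """Flatten nested dicts into {"a.b.c": value} so they can be diffed."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(_flatten(v, key + "."))
        else:
            out[key] = v
    return out


def find_hijacked_settings(prefs_json, baseline=BASELINE):
    """Return {key: (expected, actual)} for every baseline key that differs.

    The extension list is compared as a set: newly added (unexpected)
    extensions are reported as the 'actual' value, reordering is ignored.
    """
    flat_base, flat_cur = _flatten(baseline), _flatten(json.loads(prefs_json))
    diffs = {}
    for key, expected in flat_base.items():
        actual = flat_cur.get(key)
        if key == "extensions.installed":
            extra = sorted(set(actual or []) - set(expected))
            if extra:
                diffs[key] = (expected, extra)
        elif actual != expected:
            diffs[key] = (expected, actual)
    return diffs


def reset_to_baseline(prefs_json, baseline=BASELINE):
    """Return cleaned preferences JSON: every flagged key is restored to its
    baseline value, which also drops unknown extensions, mirroring what a
    'reset browser settings' action does."""
    cleaned = deepcopy(json.loads(prefs_json))
    for key in find_hijacked_settings(prefs_json, baseline):
        parts = key.split(".")
        src, dst = baseline, cleaned
        for p in parts[:-1]:
            src, dst = src[p], dst.setdefault(p, {})
        dst[parts[-1]] = deepcopy(src[parts[-1]])
    return json.dumps(cleaned, sort_keys=True)


if __name__ == "__main__":
    for key, (expected, actual) in find_hijacked_settings(HIJACKED_PREFS).items():
        print(f"{key}: expected {expected!r}, found {actual!r}")
    print(reset_to_baseline(HIJACKED_PREFS))
```

The comparison is against what the user chose, not against a vendor default, which is the distinction a reset prompt has to get right: a homepage the user set deliberately is not a hijack, a homepage that changed underneath them is.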
Fortunately, going forward, Chrome users on Windows will be prompted to reset the browser settings to factory defaults should the browser detect any hijacking activity. Google posted the following message on its official blog: “So, you’re trying to download a free screensaver or a game or something else you really want. But later you find out that the game came bundled with a malicious program that’s trying to hijack your browser settings. You’re not the only one having this problem, in fact, it’s an issue that’s continuing to grow at an alarming rate.” Browser hijacking is one of the top issues reported on Google’s browser forums. The reset feature itself is not new: a user can manually reset all settings, plugins and extensions to the factory defaults by entering chrome://settings in Chrome’s address bar, then navigating to Show Advanced Settings > ‘Reset browser settings’. Once the browser has been reset, all extensions, themes and installed apps are disabled.
Source: The Hacker News

Criminals target Facebook User Access Tokens
Facebook has several security measures in place to protect user accounts. One of them is the user “access token” issued to Facebook applications (such as Candy Crush Saga or Lexulous Word Game). By authorising an app, the user gives it temporary, scoped access to Facebook’s Application Programming Interfaces (APIs). The access token records which permissions have been granted, when the token expires and which app generated it. Using access tokens rather than the user’s Facebook password is what lets authorised Facebook apps publish or delete content on the user’s behalf.
The flaw in access tokens is that anyone who learns a user’s token can read the user’s data and perform actions without the user’s knowledge or authority. Security researchers have reported numerous OAuth vulnerabilities to the Facebook security team. The sad reality is that if an app does not encrypt its traffic, you may be exposed to a man-in-the-middle attack that could lead to your private information being stolen.

A vulnerability Facebook can’t fix
The Facebook security team acknowledged the weakness reported by Ahmed Elsobky, a penetration tester from Egypt, stating: “We’d actually received an earlier report from another researcher regarding this same issue. In response to that report, we’ve been working on limiting this behaviour when it comes to our official apps, since they’re pre-authorized. For other apps, unfortunately, fully preventing this would mean requiring any site integrating with Facebook to use HTTPS, which simply isn’t practical for right now.” Elsobky demonstrated how to hijack a Facebook account by capturing access tokens with a man-in-the-middle attack, and also showed how Facebook apps can be protected from such attacks by using HTTPS to encrypt any traffic that carries sensitive information or authentication credentials. Facebook has addressed the issue for its own official apps, but not for third-party apps.

How to protect your account
Facebook app developers should never send an access token over an unencrypted channel, and Facebook users should only use apps that encrypt the data they transfer. Users can also install the “HTTPS Everywhere” browser extension, which switches connections to HTTPS automatically on sites that support it.
Source: The Hacker News
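The two sides of the advice above, as an added example for this edition (it is not Facebook’s code and not the researcher’s proof of concept): a scanner that walks proxy-style request logs and reports every OAuth access token that travelled over plain http://, where a man-in-the-middle could read it, and a developer-side helper that refuses to attach a token to anything but an https:// URL. The log format, the hostnames (graph.example.com and friends) and the token values are constructed for the example; the parameter names treated as tokens are an assumption.

```python
"""Spotting OAuth access tokens sent over plaintext HTTP.

Added example, not Facebook's code. Scans constructed request log lines for
tokens sent unencrypted and shows the developer-side fix (https only).
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample log: "<method> <url> [Authorization: <value>]"
SAMPLE_LOG = """\
GET http://graph.example.com/me?access_token=EAAB1234TOKEN
GET https://graph.example.com/me?access_token=EAAB5678TOKEN
GET http://api.example.com/friends Authorization: Bearer EAAB9999TOKEN
GET http://static.example.com/logo.png
POST https://api.example.com/feed Authorization: Bearer EAAB4242TOKEN
"""

# Query-string parameter names treated as bearer credentials (assumption).
TOKEN_PARAMS = {"access_token", "oauth_token", "token"}
LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)(?:\s+Authorization:\s+(?P<auth>.+))?$"
)


def redact(token):
    """Keep a short prefix so a finding is triageable without re-leaking it."""
    return token[:4] + "..." + "*" * max(0, len(token) - 4)


def find_plaintext_tokens(log_text):
    """Return one finding per token sent on an http:// request.

    Tokens in the query string and bearer tokens in the Authorization header
    are both checked; anything on https:// is left alone.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.scheme != "http":
            continue
        leaked = []
        for name, values in parse_qs(parts.query).items():
            if name in TOKEN_PARAMS:
                leaked.extend(values)
        auth = m.group("auth")
        if auth and auth.lower().startswith("bearer "):
            leaked.append(auth.split(None, 1)[1])
        for tok in leaked:
            findings.append({"host": parts.hostname, "path": parts.path,
                             "token": redact(tok)})
    return findings


def build_api_url(base_url, access_token, **params):
    """Developer-side fix: only attach the token to an https URL.

    Raises instead of silently downgrading, so a misconfigured endpoint fails
    loudly in testing rather than leaking tokens in production.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send access token over {parts.scheme}://")
    query = parse_qs(parts.query)
    query.update({k: [v] for k, v in params.items()})
    query["access_token"] = [access_token]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query, doseq=True), ""))


def refuses_plaintext(base_url):
    """True when build_api_url rejects the URL (convenience for checks)."""
    try:
        build_api_url(base_url, "dummy")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for f in find_plaintext_tokens(SAMPLE_LOG):
        print(f"plaintext token to {f['host']}{f['path']}: {f['token']}")
    print(build_api_url("https://graph.example.com/me", "EAABexample", fields="id,name"))
```

Run against real proxy or web-server logs the same way; the point of redacting in the finding is that an incident report listing leaked tokens must not itself become a second leak.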
Cyber Forensics and Incident Management
Analysing Super Worms
Government-grade malware such as Red October, Turla, Flame and Gauss may have been inspired by a mysterious worm that dug into US military computers to steal sensitive information six years ago. Researchers at Kaspersky Lab reached this conclusion after finding striking resemblances between Agent.btz, the worm behind the 2008 attack, and Turla, a powerful computer spying tool discovered in February 2014. Agent.btz is said to have infected the network of US Central Command in the Middle East; military officials at the time described it as the “worst breach of US military computers in history.” The worm got onto military computers when a USB drive carrying it was plugged into a PC, and it took Pentagon specialists about 2 years and 2 months to fully disinfect the networks. The US Cyber Command was formed in the aftermath. The worm scans computers for sensitive information and sends that top-secret data to a remote command-and-control server; it is believed to have been created in 2007. G Data published a report in February on the stealthy Turla spying malware, and BAE Systems published its own research. Both studies confirmed the similarities between the evolution of Agent.btz and Turla (also known as Uroburos or Snake). G Data described the information-stealing Turla rootkit as sophisticated enough that it was probably built by an intelligence agency, and strongly hinted that Russian spies were responsible.
Researchers at Kaspersky Lab are convinced that Agent.btz was probably used as a template for Snake and other data-stealing cyber-pathogens. Flame is believed to have been part of the same US-Israeli operation, codenamed “Olympic Games”, that deployed Stuxnet, the malware engineered specifically to wear out and destroy the centrifuges used to enrich uranium at Iranian nuclear sites. Kaspersky Lab’s researchers found that “developers of the four [later] cyber espionage campaigns studied Agent.btz in detail to understand how it works, the file names it uses, and used this information as a model for the development of the malware programs, all of which had similar goals.” This does not necessarily prove a direct connection between Agent.btz’s makers and the developers of the later espionage tools. Aleks Gostev, a senior security researcher at Kaspersky Lab, cautions: “It is not possible to draw such a conclusion based on these facts alone because the information used by developers was publicly known at the time of Red October and Flame/Gauss’ creation.” According to Kaspersky Lab data from last year, Agent.btz was present in 100 countries on 13,800 systems, and the malware continues to spread through the circulation of infected USB drives.
Systems in Belgium, the UK, the US and Georgia, not only in Ukraine, were infiltrated by the Snake espionage tool. The malware surfaced at the start of the ongoing political and military tension between Ukraine and Russia over Crimea. Jaime Blasco, director of labs at security firm AlienVault, said: “We haven’t found any infection vector yet but based on the techniques and the targets that they are compromising it is very likely that they are using a combination of spear-phishing campaigns, waterhole and strategic web compromises and even physical access to drop payloads.”
Source: The Register
Cyber Forensics and Incident Management
Banking Trojans decrease after the arrest of SpyEye Author
When a new piece of malware, exploit kit or botnet is discovered, the usual response is to look for an effective anti-virus signature or a security patch, but the most effective solution is often to arrest the criminals who developed the malware in the first place.
Tilon, also known as SpyEye2, is a more complicated version of the SpyEye Trojan. Its core functionality is the same as that of the SpyEye banking Trojan developed by Aleksandr Andreevich Panin, a 24-year-old Russian hacker known as ‘Gribodemon’, who was arrested in July 2013. SpyEye was designed to steal identities and financial information, including online banking credentials, credit card details, user names, passwords and PINs, and is said to have infected more than 1.4 million computers worldwide since 2009. It silently infects the victim’s computer and gives criminals remote control over it through command-and-control servers; from there they harvest personal and financial information without authorisation, using keystroke loggers, web injects and credit card grabbers. Researchers concluded that the team that developed SpyEye was the same one that created Tilon, hence the label SpyEye2.
The researchers found one ‘slightly funny’ and interesting detail: SpyEye2 checks for an older SpyEye installation on the infected system, removes it and replaces it with the new, more stable version. In the researchers’ words, “No other malware families are checked for removal. Early versions of the original SpyEye were likewise equipped with a feature to remove older versions of ZeuS installed on the infected system.” Fox-IT researchers say that “the arrests, like Gribodemon and other key figures in the underground economy, such as Paunch, the author of the popular Blackhole Exploit Kit, is the key to decreasing the worldwide activity around online crime.” This does not mean the malware will stop being used for fraud, but it does mark a decline in its usage, which will likely peter out within a year.
Source: The Hacker News
Awareness FIFA World Cup 2014 - Attacks Security experts are seeing more cyber criminal operations that are influenced by the upcoming FIFA World Cup. Cases of malware attacks, phishing schemes and even 419 scams have been spotted by Symantec experts. The cyber criminals are distributing malware with the aid of emails which inform recipients that they have won tickets to go to Brazil for the FIFA World Cup. The links from the messages direct the victims to a malicious site that serves a file called eTicket.rar. The archive file contains an executable named eTicket.exe. Which is actually a variant of Bancos, a Trojan that was designed to steal personal and financial information from the computers of users in Latin America. The 419 scam as seen by Symantec targets English-speaking users. Scammers are sending emails that carry the subject line “Window Live Games 2014 FIFA World Cup.”
Warning! There is a Zeus banking Trojan signed with a valid Digital Signature Comodo AV labs have identified a new dangerous variant of the Zeus Banking Trojan which is signed with a stolen Digital Certificate. The Digital Certificate which belongs to a Microsoft Developer is being used to bypass detection by Web browsers and anti-virus systems. Every Windows PC in the world is created to allow software “signed” with Microsoft’s digital certificates of authenticity which is an extremely sensitive cryptography seal. Cyber criminals have managed to trick users and admins into trusting the file by making use of the stolen Microsoft digital certificate. Due to the fact that the certificate was digitally signed by the Microsoft developer no antivirus tool could detect it as malicious. A lot of attention was given to the digitally signed malware last year. It is alleged that more than 200,000 unique malware binaries discovered in the past two years were signed with valid digital signatures. Even though Zeus is considered as one of the oldest families of financial malware, this new highly sophisticated variant of the Zeus Trojan is more sophisticated as it exploits the trust of digital certificates to bypass security checks and launch attacks to obtain the banking login credentials of victims and to commit financial fraud. A researcher explained why Zeus is so dangerous, “If the attack victim goes to an online banking site to perform a transaction, such as transferring funds, they see everything as occurring normally. The payment information they keyed will display as expected, but behind the scenes the hackers will alter the transaction and send it to another account with possibly a larger amount.”
The messages read: “Notice: This e-mail message and any attachments contain confidential information and are solely for the confidential use of the intended recipient. If you are not the intended recipient, please do not read this message or any attachments.” Attached to the email is a Word document that informs recipients that they have won a lottery sponsored by some major companies. Users who fall for it are asked to hand over personal information, and possibly even some money that is allegedly needed to unlock the prize. Source: News Softpedia
Waze App Reports Fake Traffic It was recently discovered that hackers can cause traffic jams by using a navigation smartphone application. This was discovered after two Israeli students were given a college assignment to hack Google-owned Waze GPS app. They successfully did so by using an Israeli made smartphone app that provides directions and informs drivers about traffic and accidents. The student who is doing his fourth year at Technion Israel Institute of Technology, together with two advisers created a program that caused the navigation application to report fake traffic jams. They even presented a demo cyber-attack against the popular navigation app. This was done to prove how simple the assignment was and to also demonstrate what malicious hackers were capable of doing on any popular app. To complete the project, a virtual program had to be used and created by the students. The virtual program would then enact smartphones and be used to register thousands of fake Waze users with false GPS coordinates. The army of fake users were used to feed false road conditions to the app claiming to be stuck in a traffic jam at the false GPS coordinates, potentially causing confusion. The idea for the vulnerability was brought up by a Doctoral student named Nimrod Partush who thought of the idea after being stuck in a traffic jam with Professor Eran Yahav. Waze was informed about the vulnerability and the researchers submitted the demonstration report to Waze in order to help them improve their app and prevent similar hacks in the future.
Users are advised to install anti-virus software and ensure that it is kept up to date. Users are also advised not to open any links sent in mails from unknown sources. Source: The Hacker News
Source: The Hacker News
Awareness Whether free or paid, your apps could be spying on you! Whether you paid for them or you got them for free, your apps are spying on YOU! A rather interesting thought is that mobile phone apps could be snooping on you. According to security analytics firm Appthority, there is a high chance that apps are snooping on you, particularly if you downloaded free apps. Appthority’s Winter 2014 App Reputation report shows that of the top 200 free apps for iOS and Android, 95% showed signs of spying. Additionally, the report mentions that of the top 200 paid apps, 80% showed signs of spying, meaning that most apps should be considered suspicious. Appthority defines the so-called risky behaviours identified in the study as location tracking, accessing the device’s address book or contact list, single sign-on via social networks, identifying the user or the phone’s unique device identifier (UDID), in-app purchases, and sharing data with ad networks and analytics companies. In comparison, 70% of free apps tracked the user’s location, compared to just 44% of the paid apps studied. In addition, more than half of all free apps used social network sign-ins, identified the user, offered in-app purchasing, or shared user data with ad networks, behaviours which could easily be abused by malicious apps. Less than half of paid apps displayed any of these behaviours. Variation between the two platforms was noted: free Android apps were more likely to exhibit risky behaviours across every category than free iOS apps. However, one interesting finding was that, taking free and paid apps together, iOS apps were actually more likely to exhibit at least one suspicious behaviour: the survey found that 91% of all iOS apps, free and paid, showed at least one risky behaviour, compared with 83% of Android apps.
This, according to Appthority, does not mean Android apps are generally safer, as the report explains: what is important to note here is that although more iOS apps collect user data than Android apps, the Android apps that do collect data capture more information than their iOS counterparts. In other words, a larger percentage of iOS apps collect some data, but the data collected by these apps is less than the data collected by Android apps. Appthority also identified a number of apps that have managed to get around a restriction enforced by Apple which forbids iOS apps from directly accessing UDIDs; criminals have still managed to implement new ways of uniquely identifying and tracking users. Another interesting finding of the study concerns the persistent myth that games are generally riskier than non-game apps. The study showed that this is not really the case, as non-game and business apps are just as likely to exhibit suspicious behaviours. Paid apps were generally safer than free ones, but even these demonstrated enough suspicious behaviour that people should not consider an app safe just because it costs money. Source: The Register
Facebook Account Activation Scam A scam is currently spreading on Facebook in which a message is posted on a user’s wall or sent to their inbox stating that their Facebook account will be deactivated unless they follow certain steps to reactivate it. The attackers have gone as far as creating fake Facebook accounts for Mark Zuckerberg (CEO of Facebook) in order to make the messages seem more realistic. Users are warned not to click on the links, even if the post is made by one of their closest friends.
‘Internet of things’ being used as weapons by hackers Cyber criminals can now control home appliances and turn them into weapons of cyber destruction! This was revealed by security researchers from Proofpoint, who recently discovered that more than 750,000 malicious spam emails were sent out after hackers had compromised more than 100,000 smart TVs, refrigerators and other smart household appliances. “The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014, and featured waves of malicious emails, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide.” Such attacks had only been described theoretically by researchers in past years, but the report by Proofpoint confirms that this is the first proven attack in which smart household appliances were used as ‘thingBots’. Smart household appliances and other devices on the “Internet of Things” can be enslaved by cyber criminals without the knowledge of their owners, in the same way that personal computers can be compromised to build a huge botnet and used to launch cyber attacks. Misconfiguration and the use of default passwords mean that a poorly protected network of smart appliances can easily be compromised by cyber criminals. It is reported that about 25 percent of the emails were sent by gadgets such as compromised home-networking routers, televisions, connected multi-media centres and at least one refrigerator, where in previous years conventional laptops, desktop computers or mobile devices would have been used instead. Roughly speaking, fewer than 10 emails were sent from any single IP address. This makes it difficult to block the emails based on the sending location, yet in most cases the devices had not been subject to a sophisticated compromise.
The devices were left completely exposed on the public networks after misconfiguration and the use of default passwords which made them available for takeover and use. Source: The Hacker News
Awareness
TIPS THAT WILL HELP YOU AVOID BECOMING A VICTIM OF ID THEFT AND ID FRAUD
1) Shred all documents that contain your personal information and do not throw anything away that someone else could use to impersonate you.
2) Always remain attentive at ATMs and ensure that no-one is attempting to gain access to your PIN.
3) Make sure all your accounts have strong passwords that are not easy to decipher.
4) Never respond to an e-mail or SMS that asks you to insert or update your personal and banking information by clicking on a website link provided in the content of the message. Rather copy and paste the link into your Internet browser, as this will enable you to determine whether you are accessing an authentic website or not.
5) If you receive a call from an unknown individual who requests personal information, rather offer to call them back and verify that the number they have given you in fact belongs to the correct company. Also, ask them to give you the personal information that they need to confirm, instead of providing the details yourself.
6) Be very selective with the type of information that you share on social media sites and make use of privacy settings.
7) Only carry identification documentation such as your passport or identity book when it’s absolutely necessary, and keep these documents safely locked away when not in use.
8) Do not get taken in by scammers who send messages telling you that you have won a prize or inherited money.
Remember - if something sounds too good to be true, it probably is!

People usually find out that they have become a victim of identity crime when they are contacted by a credit provider or debt collector in connection with an account or debt that they know nothing about. Upon further investigation, these innocent individuals discover that they have been impersonated – i.e. someone else has been using their ID and personal particulars to open accounts, loans, etc.

STEPS THAT YOU CAN TAKE TO SAFEGUARD YOUR IDENTITY:
• The victim needs to report the matter to the South African Police and open a case of identity fraud.
• He/she must report the matter to all the companies where he/she has been impersonated, and each company needs to issue a letter to the victim once the investigation has been completed, confirming that he/she is a victim of impersonation.
• The victim will be required to prove his/her innocence to the company by producing all the necessary information, evidence and personal documents to prove his/her true identity.
• These individuals are advised to check their credit profile at the credit bureaux (TransUnion, Experian, XDS and Compuscan) to find out whether any credit enquiries have been made by companies they have never dealt with before.
• The Southern African Fraud Prevention Service (SAFPS) offers a free Protective Registration (PR) identity protection service to members of the public. The victim may contact SAFPS to apply for Protective Registration by telephoning 011-8672234 or 0860101248, faxing 011-8672315, or sending an e-mail to safps@safps.org.za.
• The individual needs to request a Protective Registration application form from SAFPS, fill it in and send it back to SAFPS, together with the letter from the company where he/she was impersonated.
• SAFPS will process the PR application and, if everything is in order, a PR and Victim filing will be made and PR and VIC reference numbers will be issued to the victim. Terms and Conditions apply.
• The victim’s ID number will be stored on the SAFPS database to alert SAFPS member companies that this person has become a victim of identity theft and fraud, so they can take extra precautions to ensure that they are dealing with the true person.
• SAFPS will issue a Victim of Impersonation letter to the victim via post, fax or email within 24 hours after his/her record has been filed on the SAFPS database.
• When a victim applies for a loan, the credit provider may ask the individual to produce their Victim of Impersonation letter issued by SAFPS, as proof that he/she is the true person who has been listed on the SAFPS database as a victim.

Southern African Fraud Prevention Service NPC
T | +27(0)11 867 2234
F | +27(0)11 867 2315
W | www.safps.org.za
P | PO Box 2629, Alberton, 1450
Of Interest
Getting hands on against Cybercrime! We have compiled a list of tools, browser extensions and software that you can use to stay one step ahead of cybercriminals in 2014!
Browser Extensions to Ensure Your Privacy!
The extensions below can be used to ensure your privacy online by blocking companies from tracking you. Each one is unique and contains additional features which can further be used to protect your privacy online.
• DoNotTrackMe URL: https://www.abine.com/dntdetail.php Installation Instructions: Enter the URL into your preferred Internet browser, then download and install the extension.
• Ghostery URL: http://www.ghostery.com/ Installation Instructions: Enter the URL into your preferred Internet browser, then download and install the extension.
Browser Extensions to protect you from the bad sites!
• Web Of Trust (WOT) As indicated on the WOT site: Add WOT to your browser to protect yourself from online threats that anti-virus software can’t spot. Web safety is not just about viruses and malware. WOT’s ratings are powered by a global community of millions of users who rate websites based on their own experiences. Add WOT to your browser for protection against online threats that only real life experience can detect, such as scams, untrustworthy links, and rogue web stores. URL: http://www.mywot.com/
• Netcraft As indicated on the site, the Netcraft extension is a tool allowing easy lookup of information relating to the sites you visit and providing protection from phishing. It provides the following key features: • Protect your savings from phishing attacks. • See the hosting location and risk rating of every site you visit (as well as other information). • Help defend the Internet community from fraudsters. • Check if a website supports Perfect Forward Secrecy (PFS). URL: http://toolbar.netcraft.com/
Blocking JavaScript
Take note, the blocking of JavaScript may result in some sites not working!
The blocking of JavaScript prevents malicious scripts from executing, and also blocks plug-ins and other code on web pages that could be used to attack your system during visits. Below is a list of the extensions that can be installed based on the browser you use:
Firefox: You can use NoScript from http://noscript.net/
Chrome: You can use ScriptSafe from https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf
Opera: You can use ScriptKeeper from https://addons.opera.com/en/extensions/details/scriptkeeper/
Safari: You can use JavaScript Blocker from https://www.macupdate.com/app/mac/42143/javascript-blocker
Internet Explorer: Unfortunately no add-on/extension exists for Internet Explorer that provides the equivalent features of NoScript or ScriptSafe. As such, the best way we can recommend to block JavaScript for specific sites is to use the security zones in Internet Explorer; more information can be found at http://support.microsoft.com/kb/174360
Blocking Advertisements
Take note, the blocking of advertisements may result in some sites not working!
The following is a list of extensions that can be used with different browsers:
Chrome and Safari: http://getadblock.com/
Firefox: https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
Opera: http://adblockplus.org/en/opera
Personal Firewall The Comodo Personal Firewall is a FREE firewall for Windows that warns you about each program that tries to make an Internet connection, as well as warning you of any incoming connections. It has the following features: • Keeps you updated on all suspicious files • Prevention-based technology stops viruses • Automatic updates for the most current protection URL: http://personalfirewall.comodo.com Instructions: Read each screen carefully before installing the product. When installing the product be aware of any extra software that it may install, for example Geek Buddy and Comodo Browser. Once the firewall is installed you will be presented with several pop-ups in which you can select Allow, Block or Treat; select the one that applies to your action. You can also click on the name of the file and more information will be given about the program.
Track your lost Smartphone or Laptop Sometimes we spend too much time worrying about cybercriminals and forget about conventional criminals. Below is a list of tools that are free to use to track your lost or stolen devices. Laptop Tracking - Prey Project Prey lets you keep track of your laptop, phone and tablet whenever they go missing, whether you’re in town or abroad. Prey is open source software, with hundreds of documented recoveries all around the world. The software runs on Windows, Linux, Mac, Android and iOS. URL: http://preyproject.com/
Smart Phone Tracking Software Below is a list of links to software that can be used for the different types of mobile devices. The software not only allows you to track the device but also to wipe it and, depending on the software, sound a siren, take pictures, record audio, lock the device and locate the device using GPS. Android: http://www.androidlost.com/#guide OR https://www.google.com/android/devicemanager Blackberry: http://za.blackberry.com/apps/blackberry-apps/protect.html iPhone: https://itunes.apple.com/za/app/find-my-iphone/id376101648?mt=8
Backup, backup, backup! With the spread of ransomware such as CryptoLocker it is more important now than ever to back up all your data. Remember to back up your data to a location that is not directly accessible from your computer, or your backup itself could be compromised by malware like CryptoLocker. CrashPlan CrashPlan is a cross-platform tool (Windows, Linux and Mac) that is free for personal use. It allows you to have free local and offsite backup. A subscription to their cloud backup service gets you continuous backup, mobile file access and lots more. “When the world is your office, CrashPlan is your personal backup assistant–silently, continuously tucking your files away for safekeeping and ready access.” URL: http://www.crashplan.com/consumer/crashplan.html
DuckDuckGo Goodies for System Administrators
DuckDuckGo is a private search engine that does not track your searches across the Internet and respects your online privacy. DuckDuckGo also offers hundreds of Goodies that let you quickly do certain things, such as Programming, Math, Geek and Music related lookups.
There have also been posts on cryptography hacks using the DuckDuckGo search engine. This article provides a tutorial on DuckDuckGo Goodies for sysadmins. Connecting to an FTP server: As a system administrator you might need to connect to a number of FTP servers. When working with the FTP service you must be aware of the response code it returns when you initiate a connection or issue a new command. An FTP server response code has three digits and each digit has a special meaning; the first digit signifies whether the response is good, bad or incomplete.
Though there are hundreds of such FTP response codes, DuckDuckGo provides system administrators with a facility to find the meaning of the response code received from the FTP server; for example, search for: ftp 230
Meaning of HTTP response code: Similar to FTP servers, web servers also give a response in the form of status codes, which are used by the browser to handle the received data and help the system admin to identify and debug errors; for example, search for: http status 402
Check Site status - UP or DOWN: There are several reasons why you might not be able to connect to a specific website, but that does not necessarily mean the website you want to look at is down.
Using DuckDuckGo a user can easily check whether a website is up or not; it also gives the load time of the web page you are trying to access, for example: is thehackernews.com up? Check Port Number details: A port number identifies the specific process to which an Internet or other network message is to be forwarded when it arrives at a server. Port numbers are associated with network addresses and range from 0 to 65535, which is far too many to remember.
DuckDuckGo enables you to look up the service bound to a port number by searching, for example: port 443 WHOIS Information: There are more than a billion websites on the Internet. Curiosity or your job may give you the need to find out who owns a particular domain name, for example, thehackernews.com
DuckDuckGo provides a tool that searches the public details of the website owner in the WHOIS directory, for example: whois facebook.com Locate IP Address: By finding out the IP address of an Internet user you can get an idea of what part of the country or world they are in by using an IP lookup tool. DuckDuckGo allows you to find your own IP address with the query: ip address
If you want to locate an IP address, just enter the address to look up, for example: 14.141.92.130 Source: The Hacker News You can find more about DuckDuckGo’s Sysadmin Goodies on their official website.