CyberTalk Issue 9



TECHNOLOGY SERVICES: Your Trusted Technology Partner

SBL’s 30 years of experience supplying products and services to the public and private sector has established us as a trusted technology partner for many organisations in the UK. Our commitment to providing our customers with outstanding customer service, access to specialised industry knowledge and honest, trustworthy relationships ensures our clients return repeatedly. Our range of Technology Services builds on SBL’s well-established offerings to provide services that you can trust.

MANAGED SERVICES: Our fully managed IT services free up your in-house resources and provide quality-assured, cost-effective support to safeguard, maintain and optimise your entire IT infrastructure.

SUPPORT SERVICES: Cost-effective, flexible and responsive IT support for your critical systems.

CONSULTANCY: Access to specialist skills and expert knowledge to ensure your projects are always a success.

SECURE DATACENTRE HOSTING: Resilient and secure UK datacentre hosting.

Our expertise does not stop there. Our highly trained and dedicated Services Team are always on hand to support and guide your organisation through today’s challenges in information security. For more information on how SBL can assist you, please don’t hesitate to contact us today.

01347 812100 www.softbox.co.uk


CITIZENS OF THE INTERGALACTIC COMPUTER NETWORK

Greetings!



cybertalkmagazine @CyberTalkUK


Don’t Panic!


Dr Char Sample, Steve Hutchinson and Bil Hallaq



Anti-virus and anti-malware solutions provide data fidelity testing, but only for known signatures. At present there exists no mechanism capable of efficiently grouping and abstracting those signatures into a larger class that would allow the technology to adapt to changing threats.



Ken Munro Partner, Pen Test Partners

We’ve even found a DVR that hooks up to a home alarm system, potentially paving the way for Mirai botnets to be rented out to burglars, who can then disable the alarm before stealing your possessions.



It’s only a matter of time before we see ransomware on IoT devices, and as we become ever more dependent on those devices, the ransoms will bite. From home security to your car to your heating controls, there will soon be thousands of smart objects that make profitable targets.



We need to work together to achieve the Government’s worthy aim “to prepare Britain for the challenges it faces now and in the future…and inspire future talent” by encouraging more 14-18 year olds to consider a career in Cyber Security



Close The Door to Cyber-Attacks with Privileged Access Management

Bomgar Privileged Access Management helps security professionals protect high-value targets from cyber-attacks and meet compliance standards by managing and controlling access by privileged vendors and insiders, with session recording, application whitelisting, password management and rotation, and more.

For more information: www.bomgar.com 01628 480210


Noel Hannan



Let us first examine Brexit. The campaign, ostensibly, was initiated by the Conservative Party to destroy UKIP and return the Tories to their perceived position as the guardians of the British position in Europe.




Dr Daniel G. Dresner FInstISP, University of Manchester

There are warning signs. We hear absolutes like, ‘We take our customers’ [data] security seriously.’



“SHADOW IT” WREAKING HAVOC IN YOUR NETWORK? Cyber criminals are developing ever more intelligent means to hack us, but even our own colleagues are putting entire company networks at risk! Discover ways to deal with Shadow IT:

www.paessler.com/shadow

Paessler AG info@paessler.com www.paessler.com

Wrap an unprecedented layer of protection around email, web and endpoint collaboration. Track, trace and secure critical data in real time. Advanced cyber attack protection. Confidential data leak prevention.

www.clearswift.com


Jon Guy SBL



If the internet didn’t exist, commerce, news, studying, home life and politics would be completely different - Donald Trump’s Twitter feed wouldn’t exist.



Colin Williams SBL



“self-regulation” of the modifications by the human bioform must “function without the benefit of consciousness”

Wiener’s conclusion was clear, and correct: humans “have modified our environment so radically that we must now modify ourselves in order to exist in this new environment. We can no longer live in the old one.”




Magaus Wakander, Swedish Tinkerer



…ore inherently flawed as a direct consequence of the flaws we’re born with. Time is, therefore, an unnatural state of affairs but core to the human experience, as all of our feelings, abstract in themselves, are managed in direct correlation to time itself. We can, therefore, not discard the notion of time as core to our existence and to the successes and failures of our endeavours that follow. If we accept time as a tool to be used at our leisure, we become time and we embody its three stages: past, present and future.

“That is because you don't yet know how to deal with time,” said Wen. “But I will teach you to deal with time as you would deal with a coat, to be worn when necessary and discarded when not.” “Will I have to wash it?” said Clodpool. Wen gave him a long, slow look. “That was either a very complex piece of thinking on your part, Clodpool, or you were just trying to overextend a metaphor in a rather stupid way. Which, do you think, it was?” ― Terry Pratchett, Thief of Time

Humans do not like change, and they like it even less if they are told everything about the coming change process. It is important, if you are a change manager, to understand that a change passes through different stages and that the information you share with the subjects of change needs to differ depending on which stage you are in.

A change manager deals with impressionism and forces new knowledge to be created. Most people you face hold a position in the mental knowledge space which they try to protect. As a change manager your main job is to question this and enforce changes. This is one form of violence, which is why not everyone should be allowed to wield this sword. Care must be taken to select an empathic but strong change leader before beginning.

Change according to my method passes through these stages:

1. Setting the stage.
   a. Top management buy-in and orienting the crew.
2. Direction.
   a. Directing change work and increasing entropy: an externally created body of knowledge injected aggressively into the organisation. This is the stress period which forces the crew to assume responsibility for the coming solutions. External information creates




Andy Heather Vice President of Centrify EMEA



When we leave our homes in the morning, we would not dream of leaving the front door open – and the way we secure our data should be treated in the same way.



Mark Eaton Thales Account Manager, UK Government and Defence






Sir Dermot Turing



Some commentators have noted that (unlike banks) payment initiators will be relatively weakly capitalised, and if they are the victims of large-scale fraud they may just buckle under.



How can the bank protect itself? Ordinarily a bank says, in its terms and conditions, that customers must not do things which allow third parties to undermine its firewall.



Tom King IBM Security Specialist



But I do have to ask, do I really know what’s happening on my network? Would I even know how to spot targeted attack activity?



David Bird FIAP








The Turing Trust aims to promote education through the donation of re-used information technology equipment to bring essential learning resources to rural schools and communities in sub-Saharan Africa.



On the ground in Africa, the challenges are to ensure that IT is fully integrated into the regular school curriculum – we don’t want to see schools treating computers as something ‘specialists’ use, but to have them recognised as the day-to-day workhorses in the way we all take for granted.



Mike Gillespie Managing Director & Co-Founder, Advent IM Ltd



One of the most disturbing turns in the worrying world of ransomware is businesses’ attitude to it. Citrix recently carried out research into business and ransomware; as well as the proliferation and increasing impact of this malware, it noted the speed and resignation with which businesses were paying up, leading to the conclusion that businesses are starting to see ransomware as simply another cost of doing business: a protection racket, to put it another way. Like anyone paying protection money, victims can expect to be continually re-victimised as their profile as an easy target spreads through the criminal fraternity. Information is shared more easily across criminal networks and the dark net than across standard business networks. Criminals and hackers (and criminal hackers) share expertise, experience and tools readily, leaving potential victims far behind in defence and in a state of near-permanent vulnerability if they choose the path of initial least resistance and pay up on a ransomware demand. If this impression is correct and panic sets in as soon as a ransomware demand is received, then this malign activity will continue to thrive, and the growth of criminal activity, which we know funds organised crime and terrorism, will eventually affect all businesses and organisations as this ‘cost’ is passed on. The private sector, as we know, is not alone in being in criminals’ sights: hospitals and charities have also fallen prey to this malware, as have local authorities and other public bodies. This tells us that these people are remorseless and without compassion. Compassion may be a strange thing to raise in an article about malware, but the willingness to put lives at risk in order to extort money surely has to be acknowledged as an elevated threat, given the funding activities of the recipients too, and treated as such.
Seeing this lack of compassion should be a huge warning to everyone: they don’t care who gets hurt, and they will go wherever they think there is a big payday. Remember that even when the ransom has been paid, there is no guarantee you will get your files back. Even if you do, do you know what else was planted while you were busy sourcing Bitcoin? Malware often evolves beyond its initial deployment to lay down command-and-control settings, future-proofing it for further versions, expanded access and an enhanced ability to hide for longer. The chance that the attack is over once the files have been restored diminishes as the software grows more sophisticated. It’s a bit like putting Dracula in charge of a blood bank.



Although less technically harmful, bluffware is also on the increase. It capitalises on this apparent willingness of businesses to comply with demands and uses the fear that an attack has happened as another means of extorting money for nothing. In this case the criminals do not even bother to encrypt the files; they merely place a full-screen display on the user’s machine which tells them their files have been encrypted or their network has been blocked, and demand a ransom for release. They threaten to delete files if any attempt is made to bypass the warning by shutting down or rebooting the machine. It relies on victims being too scared to risk this, and they are, in droves. Recent research from Citrix suggests that two in five businesses have been targeted by bluffware and two thirds of those have actually paid up. The same research also found that 33% of UK businesses are stockpiling Bitcoin to meet ransom demands, while half of them do not perform daily back-ups of their data. This is a bit like leaving your door unlocked and leaving price tags on all your belongings to tell the burglars what you would be prepared to pay to get them back. The legal aspect of ransomware is an interesting one and, it would appear, not straightforward. In the physical world it is basically illegal to pay a ransom in the UK if there is a reasonable belief that the ransom will go to fund terrorism or organised crime. Given that most ransomware attacks are carried out by organised crime groups, it is safe to assume it is funding them, and we also know that this in turn can fund terrorist activity and training. This leads us to the inevitable question: why is paying a cyber ransom not illegal, and why is the advice offered by the FBI and the NCSC ‘pay up’ and ‘it’s up to you’ respectively?
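Before anyone starts sourcing Bitcoin, the first thing to establish is whether the files are actually encrypted or whether a lock screen is bluffing. The script below is an added example for this article, not code from the author or from Citrix. It samples files from the affected shares, checks whether the header bytes each format should carry are still present, and measures byte entropy: real ciphertext has no recognisable header and sits near the 8 bits-per-byte maximum, while untouched documents keep their headers and text stays well below that. The format table, the entropy thresholds and the sample files are assumptions constructed for the example and should be tuned to your own estate.

```python
"""Triage: are the files really encrypted, or is the lock screen bluffing?

Added example, not code from the article. Checks sampled files for their
expected header bytes and measures byte entropy.
"""
import hashlib
import math
import os
from collections import Counter

# Header bytes for a few common formats (assumption: extend for your estate).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # OOXML is a zip container
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
ENCRYPTED_MIN = 7.5  # bits/byte; ciphertext and random data sit near 8.0
PLAINTEXT_MAX = 6.0  # bits/byte; natural-language text sits around 4 to 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Label one file 'intact', 'encrypted' or 'unknown'."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None:
        # Compressed formats (jpg, docx) have high entropy even when intact,
        # so for known formats the surviving header is the deciding evidence.
        if data.startswith(magic):
            return "intact"
        return "encrypted" if shannon_entropy(data) >= ENCRYPTED_MIN else "unknown"
    h = shannon_entropy(data)  # no header to check: fall back to entropy alone
    if h >= ENCRYPTED_MIN:
        return "encrypted"
    if h <= PLAINTEXT_MAX:
        return "intact"
    return "unknown"


def assess(samples: dict) -> str:
    """Aggregate verdict over a sample of files taken from the affected shares."""
    labels = Counter(classify(n, d) for n, d in samples.items())
    if labels["encrypted"] == 0 and labels["intact"] > 0:
        return "bluffware-likely"   # nothing encrypted: remove the lock screen
    if labels["encrypted"] > len(samples) / 2:
        return "ransomware-likely"  # restore from backup, invoke the IR plan
    return "inconclusive"           # widen the sample and inspect by hand


# --- constructed sample data (not real victim files) -------------------------
def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


PDF_BYTES = b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40
TEXT_BYTES = b"Quarterly figures: revenue up 4%, costs flat.\n" * 60
JPEG_BYTES = b"\xff\xd8\xff\xe0" + pseudo_random(2048)  # intact, yet high entropy

SAMPLES_BLUFF = {"report.pdf": PDF_BYTES, "notes.txt": TEXT_BYTES, "photo.jpg": JPEG_BYTES}
SAMPLES_REAL = {
    "report.pdf.locked": pseudo_random(4096),
    "notes.txt.locked": pseudo_random(4096),
    "photo.jpg": JPEG_BYTES,  # the one file the malware had not reached yet
}

if __name__ == "__main__":
    for label, sample in (("lock screen only", SAMPLES_BLUFF), ("real encryption", SAMPLES_REAL)):
        print(label, "->", assess(sample))
```

Run it against a few dozen files read from the affected shares rather than the constructed samples. Files labelled "unknown" need a manual look: some ransomware encrypts only the first part of each file, which strips the header but leaves whole-file entropy below the threshold, and a corrupted file looks the same. A "bluffware-likely" verdict means the lock screen itself is the only thing to remove; a "ransomware-likely" verdict is the point at which the daily back-ups the Citrix figures show half of businesses do not take would have been worth far more than a Bitcoin stockpile.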
It has long been a frustration for those working in cyber security that the disconnect between how physical crimes and virtual crimes are legislated for and punished is so vast. Walking into a bank with a shotgun will most likely attract a sentence of twenty years; a cyber heist will more than likely be prosecuted under the Computer Misuse Act, and the criminal will receive a much lighter sentence. The impact of ransomware on society and business is inescapable. The attitude and legislation we are fighting it with are unequal to the task. The question is, what are we going to do about it?



Scott Cattaneo SBL



How will you safeguard from catastrophe? When the Technological Singularity becomes a reality how can you prevent robots from destroying us?



During WW2, Allied intelligence determined that munitions factories in Coventry were about to be targeted by the Luftwaffe.



EVENTS

Almanac of Events (May, June, July, August, October and November)

5-6: IP Expo Europe, ExCeL, London

16: Cyber Security Summit & Expo, QEII Centre, London

11-13: NISC, The Westerwood Hotel, Scotland

18: Cyber Security EU 2017, Leeds


In Print: CyberTalk produce and distribute over 15,000 printed copies each year across the UK, Europe and America.

Online: Over 70,000 CyberTalk readers from more than 25 different countries access the magazine digitally each year at softbox.co.uk/cybertalk.

Social Media: Follow us on Facebook, Twitter, and Pinterest to join the debate.

SBL: CyberTalk is published by SBL, a Value Added IT Reseller widely recognised as the market leader in Information Security. SBL offers a comprehensive portfolio of software, hardware, services and training, with an in-house professional services team enabling the delivery of a comprehensive and innovative range of IT solutions.

Partnerships: CyberTalk is proud to be supported by The National Museum of Computing, and to have been recognised by the UK Home Office Cyber Streetwise campaign and the US Dept. of Homeland Security.

CyberTalk Past and Present: You can access all previous issues of CyberTalk at softbox.co.uk/cybertalk. We’re always looking for new, exciting and innovative content, so please contact the team if you’d like the opportunity to feature within CyberTalk at cybertalk@softbox.co.uk.

Events: CyberTalk was present at over 100 events in 2016 and this number looks set to grow significantly in 2017.

ALL ACROSS CYBERSPACE


01347 812100 cybertalk@softbox.co.uk www.softbox.co.uk/cybertalk

