Tag: cyber-security

China calls for cyber-security spruce up

China’s top cybersecurity body has called for increased scrutiny of local and foreign technology used in industries deemed critical to the national interest.

A strategy document, released by the Cybersecurity Administration of China (CAC), laid out the framework for a controversial cybersecurity law released in November, which foreign business groups say could block them from competing in the market.

The CAC has said that the measures are not designed to target foreign enterprises, but to counter rising threats of terrorism and cyber-theft. After all, you can get away with any atrocity if you are protecting people from terrorists, or trying to save children from seeing something they shouldn’t.

The paper said key Chinese industries must “carry out a security review” of technology to prevent providers and other groups from “implementing unfair competition” and “harming the interests” of users.

Foreign companies are worried that the wording of the new law could legalise requirements to hand over intellectual property.


US CISPA senator lacks the personal touch

US Republican senator Mike Rogers has found himself at the centre of a geek storm after he dubbed opponents of his controversial cybersecurity bill teenagers in their basements.

The bipartisan Cyber Intelligence Sharing and Protection Act, known as CISPA, aims to defend US industries and corporate networks from cyber-attacks by foreign governments, terrorist groups and other criminals, or so the line goes.

While it might do that rather well, it is clearly a law which is designed for Washington’s big corporate backers rather than ordinary people.

The law will mean that ordinary people will have to hand over shedloads of their personal data to the government. Needless to say, privacy and civil liberties advocates, including the American Civil Liberties Union, have strongly protested.

Showing his unique ability to stand up for voters rather than big corporate and government interests, Rogers moaned that the bill’s opponents were all teenagers living in basements.

People on the internet, who are all 14-year-old tweeters in their basements, don’t understand how important it is, he said, according to the Huffington Post.

“I took my nephew, I had to work with him a lot on this bill because he didn’t understand the mechanics of it,” he moaned.

He patronised everyone by saying that once you understand the threat and you understand the mechanics of how it works and you understand that people are not monitoring the content of your emails, most people ‘got it’.

Sadly for Rogers, not everyone who opposes his bill is a teen who doesn’t understand what is going on.

Most opposition comes from those who feel the law is so broad that it could mean anything. If a government official wanted to violate civil rights using the law, they could, whatever Rogers’ intentions were.

President Barack Obama was another non-teen who objected to the bill and said that he would veto it in its current form.

The White House was concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities, the administration said in a statement.

He also felt that US citizens have a right to know that corporations will be held accountable and not granted immunity for failing to safeguard personal information adequately.

UK launches cyber crime research institute

The UK government has spent £3.8 million on launching a research institute, which it claims is aimed at shoring up defences against cybercrime.

The Research Institute in the Science of Cyber Security aims to improve the understanding behind cyber security threats, with a number of organisations, including GCHQ, working alongside universities.  

The aim is to bring together leading cyber security academics from a range of fields including mathematics and computer science, as well as drawing in industry experts and international researchers to create a greater pool of knowledge for fighting cyber crime in its many forms. Universities chosen to take part in the Institute include University College London, Imperial College, Royal Holloway and Newcastle University.

“Britain has one of the largest online economies in the world and a growing cyber security sector, and we need to ensure this success continues,” David Willetts, Minister for Universities and Science, said, commenting on the launch.

“This new Research Institute will draw on the leading expertise in our universities from both technological and behavioural disciplines to address key challenges,” he said. “It will help businesses, government and individuals to better protect themselves from cyber threats so they can make the most of the opportunities the internet presents”.

The government has been keen to highlight the increasing threat level from cyber attacks, both to the private and public sector, and has already earmarked £8 million to spend on developing security skills at the university level.  

This figure is itself dwarfed by estimated costs of cybercrime in the UK, which generally runs into the billions of pounds for the economy. Some business groups are all too aware, they say, of the danger posed.

The government will claim it is increasing the United Kingdom’s defences against a wide range of threats, while simultaneously presenting an opportunity to grow the economy by leading the defence against cyber crime, a lucrative and growing business. Of course, the word defence has had many definitions over the years.

Francis Maude, Minister for Cyber Security, highlighted the financial benefits of a strong cyber security sector supported by leading edge research:

“The UK is one of the most secure places in the world to do business – already eight percent of our GDP is generated from the cyber world and that trend is set to grow,” Maude said. “But we are not complacent. Through the National Cyber Security Programme we are putting serious investment into the best UK expertise to lead thought in the science of cyber.”  

Tom Burton, Head of Cyber for Defence, BAE Systems Detica, labelled the launch of the research institute an “encouraging step” and said it would help boost the economy for future generations.

Burton said that building an economically strong cyber industry can help to create the diversified economy that the government is seeking, as well as creating a strengthened cyber security sector.

Ross Brewer, vice president and managing director for international markets at LogRhythm, told us he welcomed the launch of the research institute, which he believes shows that the government is finally catching up to the dangers it faces from online attacks.

“By investing in a programme to foster the collective effort of scientists, mathematicians and other experts, the government seems to finally understand what it takes to successfully address today’s cyber threat,” Brewer said, speaking with TechEye. “Reactive IT defences are undeniably outdated, what’s needed now are mechanisms to give context to data and to facilitate a deeper understanding of all network activity, as it happens.”

Brewer thinks that as data volumes increase at unprecedented rates, the potential for intellectual property or other critical information to get lost in the chaos, or exposed to attacks, grows exponentially.

“Generally speaking, the bigger the IT estate, the greater the need for the monitoring and analysis of all IT activity, and the marriage of academia with enterprise will go a long way to drive this home,” Brewer said.

“Hopefully this news will help organisations better protect the data that they are entrusted with.” 

South Korea lines up cyber security measures against the North

South Korea has announced that it will be tightening its cyber security policies in a bid to protect itself from cyberattacks from the North.

However, experts have said the new measures will only be good for lining the pockets of security companies.

According to the Korea Joongang Daily, South Korea is planning to develop a variety of offensive and defensive cyberwarfare weapons, as well as reinforce manpower at the military cyber command, following fears of cyberattacks from North Korea.

A defence plan, which has been presented to President Lee Myung-bak, urges the military to secure intelligence assets and double the number of service personnel at the Cyber Command to 1,000 after increased fears that an attack is imminent.  

The two sides have been locked in disputes for many years and are claimed to be technically at war as the 1950-53 Korean War ended in a truce, not a peace treaty.

However, over the years the cyber threats have become stronger. Earlier this month Seoul accused Pyongyang of jamming GPS signals used by civilian flights and commercial ships operating near the nation’s western border. It also pointed the finger at the North, claiming it had hacked government websites and banking systems.

Experts, however, have said these claims are more “paranoia” rather than a threat.

One told TechEye: “This level of paranoia is great for security companies but not so good for the governments at war with each other. While it’s no secret that South and North Korea don’t get along, accusations of interfering with GPS jamming signals on civilian flights and commercial ships is moving into tin hat territory.

“I can accept the website hacking as this is common for warring Asian countries, but the GPS claims are a little bit extreme.

“The fact that South Korea is now claiming it will develop a variety of offensive and defensive cyberwarfare weapons and reinforce manpower at the military cyber command is nothing new as many countries are doing this, but the question is, will they be spending money on nothing?

“After all, the only real way to secure these operations is to hire underground hackers who will have also been employed in the North instead of throwing money at security companies who can’t offer the true protection they need”. 

FEMA conducts simulated cyber attack exercise

US President Barack Obama and senior administration officials took part in a simulated cyber attack exercise sponsored by FEMA on Tuesday.

The exercise examined how the US government would respond to a massive cyber attack, resulting in physical damage to the nation’s critical infrastructure, all in an effort to practice decision-making that would follow such an attack, the Hill reports. The US conducted several similar exercises in the past, including a demonstration of response plans to a possible cyber attack on New York City’s electrical grid back in March.

The White House is pushing Congress to pass new cyber security legislation with the ultimate goal of propping up security standards for critical infrastructure, but the proposal has its detractors and House Republicans believe the added regulations will hurt businesses.

In related news, The House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA) in April, but Obama threatened to veto it, citing privacy concerns. He argued that CISPA would do nothing to protect infrastructure, while at the same time encouraging companies to hand over their customers’ personal information to the murky intelligence establishment.

The Obama administration recently appeared to have given the nod to an extensive article in the New York Times admitting responsibility for the Stuxnet worm, aimed at dismantling Iran’s nuclear enrichment programme. It was originally put together by Bush, but ‘sped up’ by the Obama administration.
Big business ignores smart meter security risks for short term profit

Smart meter vendors are ignoring the cyber security risks associated with this technology, pushing it on the masses mostly to drive profits.

A recent FBI report highlighted a number of cyber attacks against smart meter installations over the past several years. It said the attacks could have cost the US hundreds of millions of dollars per year.

According to the Krebsonsecurity blog, the report warned that insiders and individuals with only a moderate level of computer knowledge could hack meters with low-cost tools and software, which could be bought quite easily over the internet. This could then be used to change the details of the smart meter and ramp up electricity bills for households.

According to a security expert, speaking under anonymity, this isn’t a new threat.

“We’ve been saying for years that smart meters are targets for hackers but companies looking to make money from this technology have ploughed ahead regardless,” our source said. “Now it seems that governments and the legal authorities are finally waking up to what a big threat this is”.

Back in 2009, the Georgia Tech Information Security Centre warned that cyber tactics could be used to defraud utilities or perhaps cause power outages. They said the threats applied to water and gas systems, which are rolling out smart meters and advanced metering infrastructure. A further warning was issued that hospital infrastructure could be caught up in the attacks either through a direct attack, or accidentally through unpatched software on critical systems.

“There is a problem and this latest FBI finding is just bringing it to the surface,” TechEye heard. “The fact that most small time hackers can break into one of these shows there’s a huge gap in the regulatory market”.

Earlier this year, E.ON got heavy handed and criticised the UK parliament for citing cyber security fears as delaying the UK’s smart meter roll out.

However, our source told us this “may have been one of the most sensible things parliament had done in a very long time.”

“Ruled by big businesses,” our source said, “governments are having their hands forced into signing requirements for this technology without being 100 percent sure about the cyber security consequences”.

“They are ruling the roost and putting huge pressure on authorities and businesses.

“Until big business butts out and stops forcing authorities to make rash decisions we’ll have a problem on our hands. And as this technology grows and companies and vendors continue to push on regardless of the consequences, then we could see a lot more problems.”

Krebsonsecurity agreed: “Two researchers were slated to demo their smart meter hacking tools at the Shmoocon security conference earlier this year, but agreed to pull the presentation at the last minute at the request of several vendors and utilities that they declined to name.”

According to our source, there are other worrying implications, which suggest that big business is being short sighted and, most likely, is in danger of shooting itself in the foot.

“If the smart meter has personal information, such as names and addresses, these could be used for ID theft,” TechEye was told. “Secondly, if they can hack a residential meter, then hackers can also move onto big businesses, smart grids and much more.”

Vendors need to “for once” put cash aside and “really think about consequences” – or they could team up to create security regulation and fund research into how these abuses can be curbed. “Of course,” our source said, “this will never happen.”

Huawei stopped from working on Australia's National Broadband project

Although Huawei has been spreading itself fast and thick across Europe, Asia and India, the network company has now come up against a brick wall in Australia where it has been blocked from bidding on the country’s $37.5 billion national broadband (NBN) project. 

The “prudent decision” was outlined by Australian Prime Minister Julia Gillard who cited concerns about cyber security.

Although she wouldn’t go into too much detail as to why the Chinese company was targeted, a source close to the broadband deal told the Economic Times that the country feared attacks by China.   

The source said the NBN would endeavour to connect around 93 percent of Australian homes to superfast fibre-to-the-home internet by 2017. It is seen as the future “backbone of Australia’s information infrastructure,” meaning that security surrounding the project must be tight.

Huawei has so far bowed out of the decision gracefully with a spokesman stating that it was hopeful of playing a role in the NBN in the future.

It said it would work hard to be open and transparent to show the country that its technology was trustworthy.

The spokesman added that individuals and governments around the world were still coming to terms “with the emergence of the new China which is an innovation leader.” And although network security was an issue for all vendors, “the real risk [was] missing out on the innovation China has to offer.”

However, we doubt Huawei will be crying into its pillow for much longer as it has deals for broadband networks in Britain, New Zealand, Singapore and Malaysia.

Brits need to wise up on cyber crime

Brits need to wake up and smell the cyber crime coffee or we could end up falling victim to sophisticated cyber attacks.

That’s the latest warning from Janet Williams, head copper of the e-crime unit, at the Association of Chief Police Officers (ACPO) who has warned that clever criminal networks are waiting to pounce on those of us who aren’t up to date with the cyber world.

According to the Guardian, she also had a dig at her detectives, encouraging them to raise awareness amongst those Brits who haven’t woken up to cyber threats. She also said detectives not up to date in what’s happening in the cyber world should not be able to hold their title – we expect to see lots more traffic policemen in the future then.  

The topic was like “maths” in that some people would laugh when they said that they didn’t understand cyber security. However, she pointed out that it wasn’t funny and said not understanding it was the “equivalent of not being able to read.”

She added that multinational organisations, public and private, needed to understand the threats to their organisation to beat these sorts of villains, while the public had to make more time to understand the dangers.

Williams has set up a “cyber flying squad” based at Scotland Yard, and said her team of 35 detectives and specialists were having significant success.

Police are now working to come up with new ways to catch these cybercriminals and have made recommendations to the Home Office outlining the nature of the problem.

However, Williams pointed out it was now down to this department to “find a solution.”

IT crowd to work alongside the army

The IT crowd has been ordered to work alongside the British army to put the fear of geek into the enemy.

As part of the Ministry of Defence’s (MoD) plans, Counterstrike-trained cyber geeks will join troops to help fight a cyber war.

The new recruitment comes as the MoD moves to blast threats highlighted in last year’s National Security Strategy report, which targeted cyber crime as one of the four key areas for national security.

In fact, it’s so concerned about this threat that it’s said that the ‘cyber’ soldiers will be classified using similar ranks as conventional troops. We would have thought that they would want to be done in levels so they can tell their mates that they are a level 21 cyber warrior armed with the plus five toolkit of doom.

It said this was because its forces abroad and in Blighty depended on computer networks, which could fold if they weren’t protected from cyber threats.

Technical cyber operations could be conducted in parallel with more conventional sea, land and air operations, although this might mean moving geeks outside, which is not their normal habitat.

The MoD is funding the IT Crowd with some of the £650m set aside for cybersecurity under the government’s strategic defence and security review last October.

And it looks like we’re in good cyber company, with both the US and China also having previously announced investment in cyberwarfare.

The truth about the DDoS threat, the elephant in the room

Recently TechEye was hit by a particularly nasty distributed denial of service (DDoS) attack. At first we, deluded as always, thought our servers were getting a thumping from Slashdot. The attackers will be happy to know that it took us time, effort and yes, dosh, to scramble around trying to fix it. WebScreen, which as far as we are aware is the only outfit offering thorough DDoS protection in the UK, jumped to our rescue. Thank you WebScreen. Anyway – TechEye decided it would be a good idea to have a chat with Paul Bristow, Chief Operating Officer.

It’s such a hot topic at the moment. Anonymous is taking down, by way of DDoS attacks, legal firms who don’t quite “get it”. Nationally, Cameron is planning to spend a billion on cyber “defence” and internationally, the US’ homeland security has announced a computing cold war’s on the cards.

But let’s start in more humble territory. Despite the high profile nature of DDoS, why on earth isn’t there more protection offered, by ISPs or by data centres? Why doesn’t it come as standard? Could it be that these companies don’t give a hoot about adequate protection against a threat that’s relatively easy to pull off and potentially very damaging unless there’s a way to spin money from it?

Bristow tells us that, bar none, the easiest people to sell to are those that are already under attack or have been under attack. Normally, people think they don’t need to spend that money if they don’t have to – it’s another business cost most think is optional, until it happens. The reason you don’t see DDoS as part of everyday discussion, unlike for example firewalls and password protection, encryption and data security, is that it’s not… sexy.

Its advent was in 2000. That’s a very long time if you consider how wide open an attack leaves you.

Commentators would have you believe that denial of service attacks peaked around 2005 but that is factually nonsensical – remember when it was alleged that agents in North Korea DDoS’d their capitalist neighbours in the south, just last July? And social network staples Twitter and Facebook were both taken down in August by DDoS attacks. These aren’t small businesses – Facebook is widely reported to use some of the largest data centres in the world.

The threats are out there and that’s because it’s such an easily accessible route to take. In fact, Bristow tells us, consider that you are a start-up. You have a marketing budget and you’re a small business – we don’t mean tiny, but up to $15 million. Theoretically you could spend a good chunk of it on a TV campaign or for a great deal less you could seek the services of someone who’ll coordinate a DDoS attack for you.

They exist and they’re everywhere – but they tend to operate locally. So if you’re a company in the UK, it is possible to look to your own back garden and for the right price, relatively cheaply, there is someone who can carry out an attack for you. Bristow tells us that this is undoubtedly happening. Backing it up is that calls tend to come in threes – recently three jewellery retailers independently got in touch with WebScreen within days of each other.

And there’s no protection from an ISP. A company or business under attack must convince their ISP to restore them after they’ve been taken down, all while losing money from being taken offline. The way the ISP thinks is essentially “you’ve got your traffic and used your bandwidth,” it doesn’t matter to them whether it has all happened in the space of thousands of access requests a second. “There is no doubt about that,” WebScreen says.

“All DDoS attacks in the early days were from organised crime to put rivals in online gaming or pornography out of business, or to extort money,” Bristow tells TechEye, “but the whole thing has moved on now.”

There are websites you can go onto where you provide your credit card details and that will let you hire a botnet for an hour. It’s fact, says Webscreen, that you can even take a three minute try before you buy – just to show you that it works. These services play in their own back yard, employing the capabilities of attackers in the places you’d expect – China, Russia, India. But the services themselves are sold to target local businesses.

The technical capabilities of the attackers are second to none and “almost impossible” to block unless you have a very tightly defined geographic audience – no matter where the attacks come from, they will continue to shift locations.

More worryingly Webscreen tells TechEye that with the incredible presence of news media online, some companies are seeing DDoS attacks as a “crude alternative” to filing expensive writs through the proper legal channels.

And people in the professional games space are getting whacked by competitors too. As long as you can figure out the IP details of a rival it’s fully possible to take them out before an important competition or online event. And it’s happening. “80 or 90 percent of these attacks go unreported,” Bristow says, “No one we have worked with has publicly reported anything.” There are people who work in the online gaming industry who have been taken offline for the most important weeks of their calendar years. And it’s fact that they have lost huge profits. Not turnovers, but profits.

The reason for the lack of reports is it’s like “a red rag to a bull”. If you announce to your competitors that are getting attacked it’s a window of opportunity and you are announcing a weakness. It brings us onto another topic: socio-political attacks.

With the ease of connectivity, and the success and wide reach of social networks, you can gather enough people with a common ideal – whatever that may be – to mount an attack. A good recent example is, of course, Anonymous.

Anonymous realised that together it has the means to be a thorn in the side of the bullish recording industry and its legal agents. If you can rouse enough people to be passionate on a single topic you can pose a real threat to the unprotected. Remember again how difficult it is to trace a DDoS. They rarely result in prosecution because they demand an awful lot of resources and money – one exception to the rule is DDoS attacks on the Scientology website, which ended up with fines and someone being thrown in the clink.

To conclude, then, the DDoS threat is being widely ignored. New derivatives are being developed and cooked up all the time, for example the latest, which is called slow and low – it crashes back end servers and is a very tough technique to combat. It has been evolving for ten years. Social networking gives it a whole new dimension. Governments are starting to wise up – but that’s worrying news for a different article.

“Statistically, DDoS is the elephant in the room. Attacks are increasing in number, power and sophistication, and there is an increase in new derivatives and social political attacks,” Webscreen tells us. 

WebScreen really saved our bacon, so we’re more than happy to tell you that the technology intelligently understands traffic flows and controls them on the way to a website – you can see everything coming in, or out, and it gives you the ability to tune your network. It’s the first company in the world to offer a commercially available anti-DDoS system, and is the only British and European provider. Paul Bristow tells us he thinks WebScreen is “at the forefront of research”.