Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace: Shadowserver.org, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.
Shadowserver provides free daily live feeds of information about systems that are either infected with bot malware or are in danger of being infected to more than 4,600 ISPs and to 107 national computer emergency response teams (CERTs) in 136 countries. In addition, it has aided the FBI and other nations’ federal law enforcement officials in “sinkholing” domain names used to control the operations of far-flung malware empires.
In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. Typically, a sinkhole is set up in tandem with some kind of legal action designed to wrest control over key resources powering a malware network.
Some of these interventions involving Shadowserver have been documented here, including the Avalanche spam botnet takedown, the Rustock botnet takeover, the Gameover malware botnet seizure, and the Nitol botnet sneak attack. Last week, Shadowserver was instrumental in helping Microsoft kneecap the Necurs malware network, one of the world’s largest spam and malware botnets.
Sinkholing allows researchers to assume control over a malware network’s domains, redirecting any traffic that infected machines send to those domains to a server the researchers control. As long as the good guys control the sinkholed domains, the infected computers cannot receive new instructions from their operators, and every beacon they send to the sinkhole identifies another victim that can be reported to the network that owns its address.
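As an added example (not Shadowserver’s software), here is the reporting step in miniature: beacons hitting a sinkhole are parsed, each victim IP is matched to the vetted network owner responsible for its prefix, and one deduplicated report per owner is produced. The log format, the domains and the constituent prefix table are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: one line per HTTP beacon a sinkholed bot sent to the
# researcher-controlled server: timestamp, victim source IP, sinkholed C2
# domain, malware family the domain is attributed to. The format is assumed.
SINKHOLE_LOG = """\
2020-03-16T00:01:12Z 198.51.100.23 c2.example-necurs.invalid necurs
2020-03-16T00:01:15Z 198.51.100.23 c2.example-necurs.invalid necurs
2020-03-16T00:02:40Z 203.0.113.7 update.example-gameover.invalid gameover
2020-03-16T00:03:01Z 198.51.100.77 c2.example-necurs.invalid necurs
2020-03-16T00:04:19Z 192.0.2.200 c2.example-necurs.invalid necurs
malformed line that should be skipped
2020-03-16T00:05:55Z 2001:db8::1234 update.example-gameover.invalid gameover
"""

# Constructed "vetted network owner" table: who receives a report for which prefixes.
CONSTITUENTS = {
    "isp-a": ["198.51.100.0/24"],
    "cert-b": ["203.0.113.0/24", "2001:db8::/32"],
}


def parse_hits(text):
    """Yield (ip, domain, family) for each well-formed line; skip junk lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ip, parts[2], parts[3]


def build_lookup(constituents):
    """Flatten the owner table into (network, owner) pairs, most specific first."""
    nets = []
    for owner, prefixes in constituents.items():
        for p in prefixes:
            nets.append((ipaddress.ip_network(p), owner))
    nets.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return nets


def owner_of(ip, nets):
    """Longest-prefix match of a victim address to its network owner, or None."""
    for net, owner in nets:
        if ip.version == net.version and ip in net:
            return owner
    return None


def daily_report(log_text, constituents):
    """Return {owner: {(family, domain): sorted unique victim IPs}}.

    Victims are deduplicated per IP so repeated beacons do not inflate counts,
    and addresses outside every constituent prefix are grouped under 'unassigned'.
    """
    nets = build_lookup(constituents)
    report = defaultdict(lambda: defaultdict(set))
    for ip, domain, family in parse_hits(log_text):
        owner = owner_of(ip, nets) or "unassigned"
        report[owner][(family, domain)].add(str(ip))
    return {o: {k: sorted(v) for k, v in d.items()} for o, d in report.items()}


if __name__ == "__main__":
    for owner, entries in daily_report(SINKHOLE_LOG, CONSTITUENTS).items():
        for (family, domain), victims in entries.items():
            print(f"{owner}\t{family}\t{domain}\t{len(victims)} victim(s): {', '.join(victims)}")
```

Repeated beacons from the same host collapse to one victim, and a beacon from an address nobody has claimed still lands in the report rather than being dropped, which is what lets an operator spot prefixes that have no vetted owner yet.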
And Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.
But very recently, Shadowserver got the news that the company that has primarily funded its operations for more than 15 years, networking giant Cisco Systems Inc., has opted to stop providing that support.
Cisco declined to respond to questions about why it withdrew funding. But it did say the company was exploring the idea of supporting the organization as part of a broader support effort by others in the technology industry going forward.
“Cisco supports the evolution of Shadowserver to an industry alliance enabling many organizations to contribute and grow the capabilities of this important organization,” the company said in a written statement. “Cisco is proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape.”
To make matters worse, Shadowserver has been told it needs to migrate its data center to a new location by May 15, a chore the organization reckons will cost somewhere in the neighborhood of $400,000.
“Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased,” Shadowserver wrote in a blog post published today about their financial plight.
The Shadowserver Foundation currently serves 107 National computer emergency response teams (CERTs) in 136 countries, more than 4,600 vetted network owners and over 90% of the Internet, primarily by giving them free daily network reports.
“These reports notify our constituents about millions of misconfigured, compromised, infected or abusable devices for remediation every day,” Shadowserver explained.
The group is exploring several options for self-funding, but Shadowserver Director Richard Perlotto says the organization will likely depend on a tiered “alliance” funding model, where multiple entities provide financial support.
“Many national CERTs have been getting our data for free for years, but most of these organizations have no money and we never charged them because Cisco paid the bill,” Perlotto said. “The problem for Shadowserver is we don’t blog about our accomplishments very frequently and we operate pretty quietly. But now that we need to do funding it’s a different story.”
Perlotto said while Shadowserver’s data is extremely valuable, the organization took a stance long ago that it would never sell victim data.
“This does not mean that we are anti-commercial sector activities – we definitely believe that there are huge opportunities for innovation, for product development, and to sell cyber security services,” he said. “Shadowserver does not seek to compete with commercial vendors, or disrupt their business models. But we do fundamentally believe that no-one should have to pay to find out that they have been a victim of cybercrime.”
Most immediately, Shadowserver needs to raise approximately $400,000 by the end of this month to manage the migration of its 1,300+ servers out of Cisco’s California data center into a new facility.
Anyone interested in supporting that migration effort can do so directly here; Shadowserver’s contact page is here.
Update 10:46 a.m., ET: Added comment from Cisco.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans We are looking for a student to join our team for a 12-month internship at our Abingdon, UK, headquarters. If you’re currently studying marketing, business or another relevant field, and have strong written, project management and organisational skills, we want you! As part of the Content […] View full post on AmIHackerProof.com
There are some key conditions that must be met before governments are authorised to hack, and these must limit the uses of hacking.
There is a palpable fear gripping South African politicians, activists and journalists at the moment about whether their communication devices are being hacked. Even President Cyril Ramaphosa claims to have been hacked during his campaign for the presidency. Every public figure and prominent politician must dread the possibility of waking up one Sunday to find their hacked and leaked intimate videos circulating on some WhatsApp group.
Yet, surprisingly little is being said about hacking and what to do about it. This is in spite of the fact that regulation of hacking is big news in other countries. This lack of attention is puzzling, as it is probably the most invasive and damaging communication surveillance method of all.
Hacking can be defined broadly as interference with a system to make it act in ways that were not intended or foreseen by its manufacturer or user. Cellphones and laptops can be hacked, but so can devices that contain sensors and are linked to the Internet of Things: everything from the energy grid to your smart electricity meter, security system, television, fridge, autonomous car and Fitbit.
Hacking presents unique threats to privacy and freedom of expression because it can do things that other forms of surveillance cannot. Unlike passive forms of surveillance such as bulk interception, hacking cannot be defended against by encrypting your communications: whoever controls the endpoint reads messages before they are encrypted or after they are decrypted. This leaves people working in sensitive professions (such as journalism) exposed, and the danger is amplified when it is the government that hacks your devices.
Governments should not have these powers without public and judicial scrutiny, but throughout the world, all too often, they do. Government hackers can suck everything out of your device whether there is evidence of a crime or not. They can turn your device against you to spy on you, and alter your personal information to embarrass you or even incriminate you. When placed in the hands of unaccountable governments, this capability can be very invasive indeed.
In Mexico, for instance, the government has hacked the emails of opposition politicians, journalists and even estate agents, regularly and with impunity. It has also been known to alter the hacked communications slightly to make their victims look worse than they actually are, release them publicly and then sit back and laugh as their victims squirm with embarrassment.
The South African government has not publicly avowed that it hacks, unlike some other countries. But there is publicly available evidence to suggest that these capabilities do exist, and are a factor in the South African surveillance set-up.
In spite of this, the recent High Court judgment about the unconstitutionality of sections of South Africa’s main communication surveillance law, Rica, did not even touch on hacking. Perhaps this is because the facts of the case, involving the surveillance of journalist Sam Sole, did not lend themselves to including this issue.
Hacking and South Africa
The University of Toronto’s Citizen Lab – which specialises in using internet scanning techniques to detect surveillance tools on communication networks – has detected FinFisher on two IP addresses belonging to communications parastatal Telkom in South Africa.
FinFisher is a weapons-grade intrusive hacking suite sold exclusively to governments and has been implicated in several surveillance abuses in authoritarian countries such as Bahrain and Ethiopia.
FinFisher is particularly useful for monitoring security-conscious and mobile targets like journalists, who make extensive use of encryption. Governments can use it to take control of a target’s computer as soon as it is connected to the internet, and it can even be used to turn on web cameras and microphones for surveillance purposes.
According to documents leaked from the manufacturer’s systems and subsequently published by WikiLeaks, FinSpy was by 2014 the most popular product in the suite. FinSpy installs a Trojan on the target’s device: a malicious program that gives its controller complete control of the infected device.
Once it is inserted, the controller can do everything the device user can do, such as intercept and record a wide variety of information from an infected device, including Skype chats and calls, instant messaging, emails and even passwords. The controller can also turn the user’s phone into a little spying device in meetings and in their home, by remotely turning on the microphone and videocam.
According to the WikiLeaks documents, South Africa purchased base licences for FinSpy and was the third-largest named user of FinFisher after Slovakia and Estonia, with a total of 23 licences, with the largest unnamed user holding 47 licences: in other words, the WikiLeaks evidence pointed to South Africa being a significant FinFisher user.
Citizen Lab detected FinFisher command-and-control servers on the Telkom network in 2013 and, more seriously, a master server in South Africa. This meant not only that FinFisher was present in South Africa, but that it was most likely being operated by a government department, given that the manufacturer sells only to governments.
In September 2018, Citizen Lab detected infections by the Israel firm NSO Group’s powerful mobile phone hacking tool, Pegasus, in South Africa, suggesting that an NSO operator was spying here.
In correspondence with Citizen Lab, the NSO Group claimed: “Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws.”
Pegasus exploits vulnerabilities in computer systems that are not known to the manufacturers or users (zero-day vulnerabilities), to take over a user’s device for surveillance purposes. The user is duped into clicking on a link that takes them to a web domain that delivers the spyware.
Why authoritarian governments would want the powers to hack is self-evident, but why would democratic governments want these powers if they are so invasive of privacy? Is there a sound operational case for government hacking?
The government spy agency case for hacking
Increasingly, law enforcement and intelligence agencies are arguing that encryption is making it more and more difficult for them to spy for legitimate purposes. Hacking allows them to gain access to the device of a terrorist or criminal suspect and circumvent encryption by reading a message at the source.
In fact, spy agencies have bemoaned the fact that Edward Snowden’s revelations about massive and abusive government spying have led to the democratisation of encryption. Consequently, they claim, encryption is creating a law-free zone where they cannot obtain information about what suspects are thinking or doing, reducing their ability to disrupt criminal networks and terrorist plots. Justice could even be subverted, they argue, if the agencies can compel the production of most other forms of evidence of wrongdoing while encrypted evidence alone remains beyond their reach.
The agencies are also concerned that bulk surveillance is becoming less and less effective in the fight against serious crime, as this form of surveillance cannot access encrypted data, and more and more criminals are using encryption. These changes in criminal communication habits are leading to what the agencies call the “going dark” problem, where communication of interest becomes less and less visible to them.
Therefore, the agencies argue, they need more innovative and agile technological capabilities. They claim that hacking provides them with an important capability to detect and disrupt possible criminal attacks, including cyber-attacks.
They also argue that hacking is a middle path between not accessing encrypted data at all (which they would not accept) and compelling communication service providers to hand over the decryption keys (which is not an option anyway when there is end-to-end encryption), or compelling them to build back-doors or vulnerabilities into their services. Another option of creating a key escrow system – where a designated government authority or third party stores the encryption keys – has been roundly rejected as too risky.
At face value, these would appear to be compelling operational arguments. However, the reality is that the internet has opened up whole new alternative sources of data and evidence for the spy agencies, and these can be used to supplement data sources lost to encryption.
South African agencies have shown that they rely far more on metadata (data about a person’s communications, such as who they called or where their cellphone was) for investigations than they do on communication content. This metadata is often not encrypted, although some of it can be hidden from view through anonymising services.
Former Rica judge Yvonne Mokgoro complained in one of her annual reports that the growing use of encryption was placing more communications beyond the reach of intelligence agencies. Yet she provided no statistical information about the number of investigations that were defeated by encryption.
In the US, intelligence agencies have vastly overstated the threat of encryption to their investigations, to justify more expansive powers. So, it is important not to take the spy agencies’ “going dark” argument, and their subsequent justifications for hacking, at face value.
Privacy and security concerns around hacking
In addition to the privacy risks, hacking threatens the security of the internet, which can affect many more people than a criminal suspect or two. An entire device is compromised during the hack, which is much more dangerous than simply listening in to a phone call.
Legalised government hacking means that the agencies have a vested interest in promoting an insecure internet to make hacking easier, which creates a host of new security threats, some of which can even be life-threatening if they compromise critical infrastructure.
Hacking creates perverse incentives for governments to keep the internet vulnerable so that they can exploit these vulnerabilities. This is leading to a huge trade in zero-day vulnerabilities, where governments buy the vulnerabilities to stockpile them for future exploitation in hacking activities.
Rightfully, governments should be fixing or patching security problems instead of creating them or contributing to them through exploiting them. The problem with promoting an insecure internet is that these insecurities can be used by governments and criminals alike: something that should concern South Africans, given our extremely high levels of cybercrime.
The Cybercrimes Bill forbids unlawful hacking. The government could argue that this leaves the door open to using lawful hacking. But the problem is that Rica is silent on hacking, although it is a form of interception of communications.
Furthermore, former Rica judge Mokgoro and the Joint Standing Committee on Intelligence have both argued that the surveillance technologies used should not be taken into account when deciding whether to grant an interception direction (or a warrant). In other words, once the judge has issued a direction, then the spy agency concerned should be allowed to use whatever spying tool it sees fit.
This approach of technology neutrality is problematic as some surveillance tools are more invasive than others. As hacking can circumvent encryption and threatens cybersecurity too, it needs to be regulated as a discrete form of surveillance with even more stringent controls than other forms of surveillance.
Legislating for hacking
While many countries continue to use hacking under the legal radar, some have publicly avowed their uses of hacking. France, Germany, Poland and the UK have adopted specific legislative measures around hacking and some other countries are in the process of doing so.
However, too many countries take advantage of the “law lag” – the lag between technological innovations and the laws that regulate these innovations – to implement hacking. They may rely on “grey area” provisions in existing laws, in spite of the fact that the United Nations Special Rapporteur on Freedom of Expression has called for clear, narrowly framed laws limiting encryption and those mandating hacking.
Hacking triggers unique and specific privacy, security and evidentiary concerns that general surveillance laws cannot address adequately. For instance, according to Rica, intercept information – or information that is derived from communication intercepts – is admissible in court.
Yet, information derived from hacking exploits can be polluted by the manner of interception, as hacking alters the device that is hacked. Therefore, as a general rule, intercept information obtained from hacking should not be admitted as evidence in court. Alternatively, a forensic expert should be brought in to verify that the integrity of the hacked information has not been compromised. If intercept information is presented in court, then the attack method should be disclosed in court so that the defence can respond appropriately.
There are some key conditions that need to be met before governments are authorised to hack, and these limit the uses of hacking. Hacking should be prescribed explicitly in law, and the spy agencies seeking to use hacking should seek a warrant from a judge beforehand. The hacking should also be appropriately targeted, and only the device of the suspect should be hacked, to limit the potential impact on cyber-security. Non-essential data should be deleted.
Bulk hacking, along the lines of what the UK has written into law recently, should not be allowed as it opens the door to the government hacking thousands of devices at a time on an indiscriminate basis, and in ways that threaten cybersecurity massively. There should be no place in a democracy for untargeted bulk hacking, and, quite rightly, the UK is being challenged on this at the moment.
Key pieces of information should be stipulated in the application for the warrant. The application should provide sufficient information enabling the judge to assess the potential risks and damages to the security of the targeted device, and how these risks can be mitigated.
The duration for hacking should also be limited, preferably to a month: the three-month duration for interception directions in Rica is too long. The warrant should mention all the applications, data and sensors that will be targeted, the software and hardware to be used, and what information may or may not be collected.
Serious consideration should also be given to having separate authorisation processes for the different functionalities of a hacking tool. Italy does this, which potentially limits overuse of a tool’s extensive capabilities. The Netherlands spells out in its law what functionalities and techniques law enforcement agencies are permitted to use.
The grounds for issuing a hacking warrant should be even more stringent than those applying to more passive forms of surveillance, and the judge should be empowered to consult with a technical expert to assess the application before granting it.
There should also be provisions in the law to prevent the agencies from altering, deleting or adding data to the targeted device, and in addition to notifying the surveillance subject as soon as it is possible to do so, the hardware and software manufacturers should be informed too.
As part of its contribution to the non-proliferation of cyber-weapons, the government should not be allowed to stockpile zero-day vulnerabilities for possible exploitation. Undoubtedly, this will create operational problems where a legitimate target runs a current and most likely patched operating system, but a government that withholds a vulnerability it knows about is failing to prevent the criminal activity that the same vulnerability enables. Reporting a vulnerability does not, however, stop it being exploited in the window before a patch is released and applied.
Private contractors should be disallowed from operating the hacking tools, as this could lead to security risks, and may reduce transparency, as disclosing the tools used, even to a judge, may be limited by vendor secrecy agreements. Third parties (such as internet service providers) should not be compelled to assist with hacking, either.
The spy agency undertaking the hacking must keep an audit trail recording the method, extent and duration of the operation and any alterations or deletions made to the device. Independent experts should also be brought in to audit the entire operation.
Information should also be published on the number of hacking operations each year, and whether they have been used extra-territorially. Extra-territorial hacking is a serious matter, as it could be considered an act of aggression, even war. If it is found during the course of a hack that the device being hacked is located out of the country, then the agencies should be required to abandon the hack, and seek the required information through a mutual assistance agreement with the other country, if one exists.
Trusting our devices
Under-regulated surveillance is creating a world where we can no longer trust our devices, and nothing destroys trust more than hacking. Of course, ethical hacking can be a public good as it encourages manufacturers to develop more robust systems. However, if we are to communicate openly and securely then the spaces for abuse need to be closed. The High Court judgment on Rica has been a huge step forward in ensuring more accountable state spying; but when it comes to hacking, South Africa is wide open for abuse. Future revisions of Rica need to take this reality into account. DM
Jane Duncan is a professor in the Department of Journalism, Film and Television, School of Communication, Faculty of Humanities, University of Johannesburg. She is author of Stopping the Spies: Constructing and Resisting the Surveillance State in South Africa, published by Wits University Press in 2018. She tweets at @duncanjane.
Source: National Cyber Security News
Security advisories for critical infrastructure like power plants often recommend patches. But in most cases, a report finds, the advice isn’t practical.
Imagine if every time you were sick, all your doctor did was tell you to take some medicine.
That’s it. No prescription, no details on what to take, when to take it, where to get it, or even whether you can take it. Just, “take medicine.” That’d be completely useless information.
This is essentially what vulnerability advisories for industrial control systems (ICS) have been like over the last year, according to a new report by Dragos. The cybersecurity company focuses on critical infrastructure, which includes everything from power plants to factories to water supplies.
Government officials have become increasingly worried about cybersecurity at critical infrastructure facilities. Attacks in recent years have shown that attackers can get access to power grids and factories. In 2016, Russian hackers caused a blackout in Ukraine.
On Wednesday, Dragos CEO Robert M. Lee testified before Congress during a Senate Energy and Natural Resources committee hearing on cybersecurity threats to critical infrastructure.
“I’m very confident the US government has a response if a major cyberattack were to occur,” Lee said.
Awareness and concern over security against cyber threats is growing. It’s about much more than the risk of personal data being hacked into.
A hostile cyber attack is classed by the UK’s National Security Risk Assessment as a Tier 1 risk, putting it in the most serious category alongside international terrorism, an international military crisis and a major accident or natural hazard. The National Cyber Security Centre was set up in 2016 (as a branch of GCHQ), and later the same year the government confirmed a cyberstrategy budget of £1.9bn over five years.
And although there have been high-profile examples of cyber security breaches, including the WannaCry ransomware attack on the NHS last year, the centre’s head Ciaran Martin recently said that the UK had been fortunate so far to avoid a so-called ‘category 1’ attack – an assault that could cripple critical infrastructure such as water or electricity supplies or financial services. He warned that it was a matter of “when, not if” such an attack occurred.
There is little wonder, then, that demand for cyber security specialists has grown dramatically in the past few years, as has demand for the services of companies seeking to hire their expertise.
As hackers become smarter and healthcare facilities rely more and more on the cloud and technology to share and store personal and sensitive information, we’ve seen an increase in security breaches in businesses across the country. In fact, the Identity Theft Resource Center found that breaches are up 25 percent this year.
Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. What’s more is that basic security features like firewalls and antivirus protection aren’t enough in today’s “smart” marketplace.
But where should businesses start if they want to avoid the repercussions of a major data breach? Here are 8 tools for businesses to consider to stay ahead of the game and help protect sensitive data and private information in 2018.
Enhanced Mitigation Experience Toolkit
Developed specifically for Windows (sorry, Mac users!), Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) makes it harder for outside attackers to exploit vulnerabilities in the software you run, by enforcing mitigations such as DEP, ASLR and export-address filtering on applications that were not built with them. It is a defence against exploitation, not against employees who are unaware of proper security protocols; that gap is closed by training, not by a mitigation toolkit. Note that Microsoft ended support for EMET in July 2018; on Windows 10 the same mitigations are provided by Exploit Protection in Windows Defender Exploit Guard.
ExactTrak
With more sensitive data on the move, it is important to protect the information stored on laptops, external hard drives and IoT devices. ExactTrak uses embedded security to take data protection beyond basic encryption; both system- and Internet-independent, the technology, according to the vendor, protects information even when devices are turned off.
MailControl
Supported on Exchange Online, Office 365, G Suite and on-premises Exchange, MailControl protects email accounts from spymail: tracking pixels and other remote-loaded elements hidden in messages that, through the metadata of the request they trigger, report when a message was opened, from roughly where, and with which browser or client. MailControl detects, removes and reports spymail to protect customers’ private information and data.
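One way such spymail can be detected and stripped on the receiving side, as an added illustration rather than MailControl’s own code: the heuristics (a remote image that is 1x1 or 0x0, hidden by style, or whose URL carries a query string or a long opaque token) and the sample message are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class BeaconScanner(HTMLParser):
    """Flags <img> tags that look like tracking beacons and rebuilds the HTML
    without them. Heuristics are assumed for this example: a remote image that
    is 1x1 or 0x0, hidden via style, or whose URL carries a query string or a
    long opaque path segment (a per-recipient token)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.clean = []     # output fragments, original markup preserved
        self.beacons = []   # src URLs of removed images

    def _is_beacon(self, attrs):
        a = dict(attrs)
        u = urlparse(a.get("src", ""))
        if u.scheme not in ("http", "https"):
            return False    # inline data: or cid: images cannot phone home
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        tokenised = bool(u.query) or any(len(seg) >= 24 for seg in u.path.split("/"))
        return tiny or hidden or tokenised

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self._is_beacon(attrs):
            self.beacons.append(dict(attrs).get("src", ""))
            return          # drop the tag entirely
        self.clean.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <img .../> form, same decision

    def handle_endtag(self, tag):
        self.clean.append(f"</{tag}>")

    def handle_data(self, data):
        self.clean.append(data)

    def handle_entityref(self, name):
        self.clean.append(f"&{name};")     # keep &amp; etc. as written

    def handle_charref(self, name):
        self.clean.append(f"&#{name};")


def strip_spymail(html):
    """Return (cleaned_html, list_of_removed_beacon_urls)."""
    p = BeaconScanner()
    p.feed(html)
    p.close()
    return "".join(p.clean), p.beacons


# Constructed sample message: a normal logo (kept), a 1x1 remote pixel with an
# open-tracking query string, and a hidden image with a token in its path.
SAMPLE = (
    '<html><body><p>Hello &amp; welcome</p>'
    '<img src="https://cdn.example.com/logo.png" width="120" height="40">'
    '<img src="https://track.example.net/open?uid=42" width="1" height="1">'
    '<img src="https://img.example.org/p/0123456789abcdef0123456789abcdef.gif" style="display: none">'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, found = strip_spymail(SAMPLE)
    print("removed beacons:", found)
    print(cleaned)
```

A mail gateway would run this on the HTML part before delivery and log the removed URLs per sender, which is the “report” half of detect, remove and report; the image that survives here is the one with ordinary dimensions, no tracking token and no hiding style.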
Comodo
If you’re a small business owner just dipping your toes into cybersecurity, and worried about making too large an initial investment, Comodo is a great place to start. They offer multiple solutions, all either free or low cost, that meet the needs of different businesses. These include malware prevention, IT management platforms, security for POS systems and SSL certificates.
Evident ID
If you operate a business that handles other people’s personal data, you know the stress and risk that come with handling it, and the added responsibility of organising and managing it. Evident ID takes businesses out of the middle of that process: they can verify users’ and customers’ information with minimum disclosure, and so minimise their own security risk.
CryptoStopper
A recent cybersecurity concern for many businesses is ransomware, malicious software that holds a computer system “hostage” by encrypting its files until a ransom is paid. If ransomware is a concern for you, CryptoStopper is a good line of defence: it plants decoy “Watcher Files” that legitimate users never touch and, when a process starts encrypting them, detects the ransomware in real time and stops it from running.
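The decoy-file idea behind “Watcher Files”, as an added example (not CryptoStopper’s code): plant files no legitimate user touches, baseline their hashes, and treat any modification, deletion or rename of a decoy as a ransomware signal. The file names, the polling approach and the simulated ransomware are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Assumed decoy names, chosen to sort first and last: many encryptors walk
# directories in alphabetical order, so these are hit early in a run.
CANARY_NAMES = ["aaa_payroll_2020.xlsx", "zzz_board_minutes.docx"]
CANARY_CONTENT = b"decoy file - never edited by a real user\n"


def plant_canaries(root):
    """Write the decoys and return the baseline {path: sha256-hex}."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(CANARY_CONTENT)
        baseline[path] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return baseline


def check_canaries(baseline):
    """Compare each decoy to its baseline.

    Returns [(path, event)] where event is 'missing' (deleted or renamed, e.g.
    given a .locked extension) or 'modified' (contents rewritten, the usual
    sign of in-place encryption). An empty list means no decoy was touched.
    """
    events = []
    for path, digest in baseline.items():
        if not os.path.isfile(path):
            events.append((path, "missing"))
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                events.append((path, "modified"))
    return events


def simulate_ransomware(root):
    """Constructed stand-in for an encryptor: overwrite each file with random
    bytes, and rename spreadsheets to add a ransom extension."""
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(os.urandom(64))
        if name.endswith(".xlsx"):
            os.rename(path, path + ".locked")


def demo():
    """Plant, check (clean), attack, check again. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_canaries(root)
        before = check_canaries(baseline)
        simulate_ransomware(root)
        after = check_canaries(baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before)   # []
    for path, event in after:
        print(f"ALERT {event}: {path}")
```

In a real deployment the check runs on a short timer or from filesystem change notifications, and an alert is followed by a response such as terminating the process that holds the decoy open and isolating the host; this example only reports. Decoys should be spread across every share the ransomware is likely to reach, not just one directory.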
Lookout Mobile Security
If mobile security is your main concern, Lookout Mobile Security should be on your list. Lookout recognizes that there are multiple threats to mobile security, and uses 10 years of research to provide threat remediation and app security assessments.
The post Eight #cybersecurity tools your #healthcare facility needs #today appeared first on National Cyber Security Ventures.
Hackers around the world are attacking targets as diverse as North Dakota’s state government, the Ukrainian postal service, and a hospital in Jakarta, Indonesia. Unfortunately, many governments—in the developing world, and even cash-strapped states and local communities in the United States—lack the skills to effectively protect […]
As organizations embark on their digital transformation journeys, they are seeking to tap new business opportunities, improve operational efficiencies, and deliver better services to customers. Digital transformation is driving businesses to embrace the cloud, the Internet of Things (IoT), big data, and other digital initiatives in […]
Many people believe that website security is important only where personal information and credit card transactions are involved. This could not be further from the truth. Your website needs security regardless of whether it is an e-commerce site or a blog. SSL/TLS is the industry standard in website protection and millions…
Barely a month passes in 2017 without some kind of IT failure hitting the headlines, but the hacks, leaks and breaches that make the news may represent just the tip of the iceberg. An investigation by the i newspaper has revealed that public bodies such as […]