Source: National Cyber Security – Produced By Gregory Evans We are excited to welcome 2020 with the release of Tufin Orchestration Suite 19-3 with new features and enhancements, including greater support of our customers’ Software-Defined Networking (SDN) initiatives, whether they implemented Cisco Application Centric Infrastructure(ACI) or VMware NSX-T (NSX Transformer). Tufin 19-3 also provides new automation […]
View full post on AmIHackerProof.com
The country has grown as a talented, and destructive, network threat over the last several years.
Expect more network-enabled spying and possibly destructive cyber attacks in the wake of the killing of one of Iran’s most important military commanders, experts said.
“We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment. We also anticipate disruptive and destructive cyberattacks against the private sphere,” said John Hultquist, director of Intelligence Analysis at FireEye, in a Friday statement.
Like a lot of smaller state actors, Iran has been growing its cyber capacity over the last several years. Clumsy distributed-denial-of-service attacks and website defacements in 2009 led four years later to the manipulation of search query commands in an attack on the Navy Marine Corps Intranet. In 2013, an Iranian national allegedly breached the control system of a dam in Rye, New York. Two years after that, Iranian actors used wiper malware to delete files from some 35,000 computers owned by Saudi Aramco, one of the most disruptive attacks to date.
Iranian cyber actions spiked ahead of the 2015 signing of the multinational deal that limited Iran’s nuclear activities. Targets included U.S. financial organizations and even the Sands casino in Las Vegas. Owned by outspoken conservative Sheldon Adelson, who had argued publicly against the deal, the casino’s networks were wiped clean, doing a reported $40 million in damage.
Iranian cyber activity dropped off somewhat after the signing of the nuclear deal. But in 2017, a threat group that FireEye dubbed APT33 attacked aerospace and petrochemical targets across the United States, Saudi Arabia, and South Korea. The group created domain names to send convincing emails pretending to be from Boeing, Northrop Grumman, and various joint ventures. The methods — targeted spear-phishing and domain-name squatting — suggest that the intent was industrial espionage, not destruction. And in December 2018, a series of dramatic wiper attacks targeted Italian, Saudi and UAE oil interests in the Middle East, attacks that experts have attributed to Iran.
The past year brought various warnings of a new spike in malign network activity. A January 2019 report indicated that Iran had been attacking domain name service providers, aiming to set up fake domain names that could facilitate a new wave of spearphishing operations.
The following month, Crowdstrike’s 2019 annual threat report noted that despite “some short-term gaps in attributable incidents this year, Iran based malicious cyber activity appeared to be fairly constant in 2018 — particularly involving incidents targeting other countries in the [Middle East and North Africa] region…Additionally, it is suspected that Iranian adversaries are developing new mobile malware capabilities to target dissidents and minority ethnic groups.”
In June, Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, or CISA, at the Department of Homeland Security, said in a statement: “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.”
Cybersecurity has been a hot topic for large and small businesses alike throughout 2019.
Big household names such as British Airways and Marriott have faced record fines from the Information Commissioner’s Office (ICO) for data breaches, and headlines warn of the increasing threat posed by the use of connected devices, potentially allowing hackers easier access to our data.
Although many businesses are taking steps to protect themselves against cyber-attacks, there are still many more that are not sufficiently motivated to protect themselves against such threats, or even feel that the threat level doesn’t warrant the investment required to implement adequate cybersecurity protocols.
We expect 2020 will be another eventful year for the ever-evolving cybersecurity industry, and have listed below our top 5 predictions for the year ahead:
1. Tighter integration between DPOs and CISO
In the rush to respond to a growing cyber threat, organisations of all sizes have been equipping themselves with the resources and expertise necessary to address privacy and cyber risks. However, this haste has often seen businesses implementing cybersecurity protocols in uncoordinated and therefore more expensive ways, leaving them open to vulnerability from this fragmented approach.
We expect to see senior leadership calling for a coherent, business-wide approach, which could include the application of a single cyber security and data privacy leader to lead and coordinate resources from stakeholders across the business, such as legal, finance and IT. A coordinated strategy with an accountable cybersecurity leader in place will deliver greater resilience against attacks and data loss, and provide a much better response should an incident occur. It will also allow for detailed reporting explaining the specific threats to the business, and a demonstration that these risks are understood and being mitigated against.
2. In-depth incident response rehearsals
Cyber incident preparedness training will likely become more sophisticated in 2020, as senior leadership teams start to prioritise the rehearsal of a customised major data breach and evaluate the resulting incident response.
There is a strong business case for rehearsing cyber-attacks, as it can help an organisation identify gaps in policy, reporting, decision authority, supplier services, and technical operations. Any issues identified in a rehearsal can be mitigated against, allowing a more effective response in the event of a real life situation.
3. Increase in attacks on SMEs
With bigger companies investing heavily in cyber defence in recent years, cybercriminals are turning their attention to small and medium sized enterprises (SMEs). Smaller scale ransomware attacks are continuing to pay off for cyber-bandits, and despite small businesses becoming the cyber-attackers’ new easy target of choice, many are unprepared and unaware of the risk.
The security resilience in smaller organisations is still developing, and employing expert help is often seen as unaffordable, making these organisations easier targets. Human error and weaknesses in the supply chain are still areas for concern; however, we expect to see training and technology solutions that will drive down the cost of building cybersecurity resilience. For example, inexpensive training programs will help eliminate the weakest security link in these businesses – people.
The National Cyber Security Centre is the UK’s independent authority on cyber security and publishes a broad range of advice and guidance that can help SMEs. Growing adoption of basic security standards such as the Cyber Essentials standard will also help. NCSC oversees the “cyber essentials” certification scheme – a government-backed and industry supported scheme that provides self-assessment certification to help organisations protect themselves against common cyber-attacks and aids compliance with the NIS Regulations.
4. Use of AI to defend against phishing attacks
A business can also face risk from inside the organisation. Phishing scams have become increasingly sophisticated and are harder to detect. Spear phishing – where cyber criminals have taken their time researching their victim and crafted a bespoke email – is becoming a really big problem, as it’s even harder for the recipient to identify the scam.
In a typical working environment, where employees are busy or distracted, the risk is likely to be higher. However, AI, and machine learning in particular, could be the answer. AI can be put to work analysing emails and noticing patterns of behaviour, suspicious language or metadata, and would intelligently detect and autonomously neutralise phishing emails. We’ve seen a movement towards the use of automation in an effort to reduce the burden on understaffed cyber security teams and increase efficiency.
However, it’s important to remember that AI can also be used against a business, with cyber-criminals making use of it to make their attacks even smarter. Employee training and regular engagement to increase staff awareness, and company-wide response rehearsals, will still be required to combat these attacks and reduce the risk from careless or uninformed staff.
5. Regulatory response to drive up standards
Cybersecurity is not just an IT issue, but a regulatory issue too. Indeed, the financial sector is sitting up and taking notice – the Financial Conduct Authority has seen increasing reports of cyber-attacks that are growing in scale and complexity and has stated: “Firms of all sizes need to develop a ‘security culture’, from the board down to every employee.”
A UK government consultation in 2019 saw the government request industry views to help it understand what barriers were preventing organisations from adopting cybersecurity standards. Home-grown security standards may not be credible if they are not widely adopted internationally and easily auditable.
Although significant changes have been brought about by the implementation of the GDPR (concerned with the security of personal data) and the Network and Information Systems Regulations (concerned with the security of information systems) which both took effect in May 2018, there remains a gap for a cohesive cybersecurity legal and regulatory framework in England and Wales.
The implications of Brexit also provide an icing of uncertainty, and it will be important to consider how the UK might choose to adhere to any existing EU security regulations.
Regardless of regulatory attention, or the size of an organisation, businesses must take an increasingly joined-up approach and continue to take steps to improve their defences, or risk severe financial and reputational damage.
The importance of cybersecurity must be promoted at all levels, with a strong senior leadership team ensuring a centrally-managed strategy is in place, and implementing the necessary policies, procedures and training to minimise risk and strengthen incident response.
This article was first published by Data Protection Magazine.
In 2020 we will see more and more sophisticated attacks perpetrated by a larger number of threat actors, including many who are backed by organised crime or nation-states. According to the 2019 Verizon Data Breach Investigations Report (DBIR), organised criminal groups were behind 39 per cent of breaches in 2019, and actors identified as nation-state or state-affiliated were involved in 23 per cent of breaches.
These attacks may leverage side-channel attack techniques (similar to Spectre, Meltdown and the slew of other discovered hardware-related vulnerabilities that are so hard to address purely through software fixes), attacks living in firmware and others going beyond a traditional file-based or even living-off-the-land (aka fileless) malware. While the industry is still struggling with old known malware, these types of attacks will proliferate mostly unchecked.
For the first time, we may see an attack that results in death(s). Internet of Things (IoT) devices incorporated into critical infrastructure systems (e.g. electric grid, water treatment, communications), as well as life-critical medical devices, will see a slew of new disclosed vulnerabilities that could prove deadly, particularly to the most vulnerable patients in intensive care units (ICU). Attackers will become more specialised in different areas of IoT device types.
The evolution of ransomware
Ransomware has been around since 1989, yet it will remain a very effective malware type for attackers in 2020. McAfee’s researchers found that ransomware attacks have more than doubled this year, including a Q1 increase of 118 per cent.
“After a periodic decrease in new families and developments at the end of 2018, the first quarter of 2019 was game on again for ransomware, with code innovations and a new, much more targeted approach,” said Christiaan Beek, lead scientist and senior principal engineer at McAfee.
To that point, we can not only expect the number of ransomware attacks to increase in 2020, but as the discovery of the RIPlace evasion technique demonstrates, they will become more difficult — if not impossible — to detect.
All organisations across all industries are potential targets, but healthcare and government organisations appear to have the biggest targets on their backs. CNN reports 140 attacks targeting public state and local governments and health care providers this year (and counting).
The attacks hit schools, local government offices and hospitals, wreaking havoc and costing victims hundreds of millions of dollars. The victims included:
A network of Alabama hospitals had to stop accepting new patients.
The city of Baltimore, which ended up spending more than $18 million recovering from an attack.
Louisiana schools – Governor John Bel Edwards was forced to activate a state of emergency after ransomware took down three school districts’ IT systems.
Three Florida cities – Key Biscayne, Lake City and Riviera Beach – were unable to provide residents with access to many vital government services while officials scrambled to spend hundreds of thousands of dollars to bring downed IT systems back online. The attackers collected ransoms totaling over $1.1 million.
The most recent victim (as of this writing) was the city of Pensacola, Florida, which was hit by ransomware that took phones, email, electronic “311” service requests, and electronic payment systems offline.
As Dave Hylender, a senior risk analyst at Verizon and one of the authors of the 2019 Verizon Data Breach Investigations Report said, “There’s an impression that ransomware has sort of run its course. It hasn’t. I don’t think ransomware is ‘back’ this year because I don’t think it ever left.”
An organisation’s employees will continue to initiate some of the most devastating losses. Companies rely on awareness training to educate users on how to avoid falling victim to attacks, but that cannot eliminate user error entirely.
Consider that nearly a third of all breaches in 2019 were the result of phishing attacks, according to the Verizon DBIR. Worse, it’s easy for attackers to secure and use well-built, off-the-shelf tools, lowering the skill required to launch a phishing campaign. According to the IDG Security Priorities Study, 44 per cent of companies will increase their security awareness programs and make staff training a top priority.
Attackers will respond by improving the quality of their phishing campaigns by minimising or hiding common signs of a phish. Expect greater use of business email compromise (BEC), too, where an attacker sends legitimate-looking phishing attempts through fraudulent or compromised internal or third-party accounts.
Organisations in 2020 need to prioritise strengthening the environment around users to reduce the opportunity for them to be presented with attacks, strengthening the technology around the user to ensure that users cannot initiate losses, and then proactively anticipating the losses that users can initiate and putting technologies in place to mitigate the resulting losses.
Look for both the bad and the good
Ransomware and other malware are able to inflict damage so easily because of our continued reliance on security tools that chase badness (rather than ensuring good). It is impossible to detect all badness with a high degree of confidence by relying on the enumeration-of-badness approach.
Organisations should complement their existing security layers with an approach that does the exact opposite – ensuring what’s good. The emphasis is on the word “complement.” Do not rip out your existing solutions. When you combine your existing tools focusing on the bad with ones that track the good, by applying a whitelisting-like approach, you create the most effective defense in depth posture.
Rene Kolga, CISSP, heads Product Management and Business Development for North America, Nyotron
East Africa attracts millions of tourists every year. Over the past 10 years, its earnings from tourism have doubled. Compared to the rest of Africa, the region is experiencing healthy economic growth. This makes it a promising investment destination.
Factors like regional tourism, movement of workers and technology development have catalysed East African integration and cross-border banking.
Many cross-border banks originate from Kenya with branches across the region. One example is Kenya’s Equity Bank, which relies heavily on digital technology. The digital space has many positive attributes but the threat of cybercrime and insecurity is prevalent.
Uganda lost 42 million shillings to cybercrime in 2017. In 2018, Rwanda lost 6 billion francs. In Kenya, between April and June 2019 alone, the country experienced 26.6 million cyber threats.
Across the region, with the increase of digital banking, financial institutions have become targets. These institutions are attractive to cyber criminals because they hold the biggest cash reserves. Africa’s digital infrastructure is ill-equipped to manage the continent’s growing cyber-security risk.
Equity is a pioneer in online and mobile banking with technology that merges banking and telephony. However, it recently suffered a cyber-attack. Last month, Rwandan authorities arrested a cybercrime syndicate comprising eight Kenyans, three Rwandans and a Ugandan. The syndicate had attempted to hack into the Equity Bank system. The group has been involved in similar attacks in Kenya and Uganda.
Early in the year, Kenya’s director of criminal investigation issued warrants of arrest against 130 suspected hackers and fraudsters for alleged banking fraud.
These incidents show that financial losses to cyber insecurity are a growing threat to East Africa’s economy.
Cybercrime occurs through the use of computers, computer technology or the internet. It often results in identity theft, theft of money, sale of contraband, cyber stalking or disruption of operations.
Within East Africa, Kenya, Rwanda and Uganda are taking steps to manage the huge cybercrime risk. But the cyber attack on Equity Bank is proof that these countries need to do more to protect their financial institutions from massive losses going forward.
The African Union’s Convention on Cyber Security and Personal Data Protection is East Africa’s overarching policy guideline on cybercrime. It was adopted by member states in 2014. The Convention is similar to the Council of Europe’s Cyber Crime Convention which established a cyber security on the European continent.
Rwanda signed the Convention earlier this year, but it’s the only East African country to have done so.
The Convention requires member states to share responsibility by instituting cyber security measures that consider the correlation between data protection and cybercrime. These measures will keep data safe from cyber criminals and preempt its misuse by third parties. It also encourages the establishment of national computer emergency response teams.
The Convention advocates closer cooperation between government and business.
The Convention also creates a provision for dual criminality. This means that cybercrime suspects can be tried either in the country where the crime was committed or in their home country. This provision is meant to ensure smooth cooperation and sidestep any conflict of laws.
There is also a provision on mutual legal assistance. This allows for member states to share intelligence and collaborate on investigations.
Even though Uganda and Kenya aren’t yet signatories, they have nevertheless been establishing legal and policy frameworks provided for under the convention. Rwanda is doing so too, and as a signatory is one step ahead.
In 2015, Rwanda came up with a national cyber security policy that established a National Computer Security and Response Centre. The centre detects, prevents and responds to cyber security threats. And in 2016, the Regulatory Board of Rwanda Utilities rolled out network security regulations to protect the privacy of subscribers. They also empower the government to regulate and monitor internet operators and service providers.
The country also has a National Cyber Contingency Plan to handle cyber crises.
Further, Rwanda’s telecom network security regulations require service providers to secure their services by protecting their infrastructure. Every service provider must be licensed and must guarantee the confidentiality and integrity of their services. They must also set up incident management teams. These teams work with the government to manage cyber security threats effectively.
Additionally, Rwanda passed an information and communication technology law in 2016. This contains provisions on computer misuse and cybercrime which criminalise unauthorised access to data.
The country has managed to build the foundations of a strong regulatory framework. It has also taken measures to raise awareness around cyber security. In fact, in the attack on Equity Bank, the authorities acted on a tip from members of the public.
In 2014, Kenya launched its National Cyber Security Strategy to raise cyber security awareness and equip Kenya’s workforce to address cyber security needs.
In line with this strategy, Kenya amended its information and communications law to criminalise unauthorised access to computer data.
Kenya has also set up a national computer incident response coordination centre to consolidate key cyber infrastructure and create pathways for regional and international partnership.
Generally, Kenya has a robust cyber security policy which includes a legal and regulatory framework. The result has been that impending cyber attacks are discovered before massive damage is done and ongoing attacks are rapidly arrested.
Uganda has legislation to protect cyber security. This includes the Computer Misuse Act which ensures the safety and security of electronic transactions and information systems, and the Regulation of Interception of Communications Act to monitor suspicious communications. It also has a national computer emergency response team.
This regulatory framework is similar to those in Kenya and Rwanda. But in addition, Uganda has a National Information and Technology Authority that provides technical support and cyber security training. It also regulates standards and utilisation of information technology in both the public and private sectors. These measures have boosted the country’s cyber security strategy.
While Uganda has these measures in place, Kenya and Rwanda are two of the top three cyber secure countries in Africa.
Kenya, Uganda, and Rwanda have taken solid steps to harmonise cybersecurity processes, data protection, and collaborative prosecution and investigation measures.
They have criminalised cybercrime and established frameworks to manage cyber attacks. International cooperation within the region has also enhanced cyber security.
A new era calls for fresh blood in Buckingham Palace. In the latest season of Netflix’s lavish Emmy and Golden Globe-winning monarchy drama, Olivia Colman takes up the mantle from Claire Foy as steely Queen Elizabeth II. This season, the narrative moves away from exploring marital tension between Elizabeth and Prince Philip, and instead focuses on the now middle-aged royals as they face a rapidly modernising Britain under Harold Wilson’s prime ministership. Colman’s reign is joined by Tobias Menzies as her mellowed-out husband, and Helena Bonham Carter as Princess Margaret.
Season three spans the years from 1964–76, covering events such as Prince Charles’s investiture as the Prince of Wales (Josh O’Connor) and the Apollo 11 moon landing. Netflix’s review embargo prevents us from saying more, but all signs point to a dramatic ride.
By Paul Thomas Anderson (US, 2017) – 9 November
Paul Thomas Anderson’s dizzying, quietly beguiling romance – of sorts – is imbued with visual restraint and elegant beauty. In Daniel Day Lewis’s apparently final acting role, he finds charismatic rigour in Reynolds Woodcock, a famous dressmaker of London’s 1950s couture world. On the surface, it’s the story of a capricious perfectionist, finding his muse in Alma, a young, shy waitress, with whom he begins a love affair. But when the tables turn, underneath lies a domestic power struggle that develops into something disturbing – and wickedly funny. Radiohead’s Jonny Greenwood composes a classical-style score that’s lush, swoony and increasingly eerie, adding enigmatic layers to the film’s perverse undertones.
By Kay Cannon (US, 2018) – 11 November
The three girls at the centre of the raunchy Blockers make a pact through emoji-coded texts to lose their virginity on prom night. Upon discovery of this thread, their overprotective parents (a hilarious Leslie Mann, Ike Barinholtz and John Cena) band together to put a stop to their daughters’ plans. It’s silly, riotous fun, with ridiculous obstacles standing in the way between parents and kids. Director Kay Cannon instils what could be an outdated concept with surprising maturity, entrusting her trio of teens with a self-aware confidence around their sexuality. Here, the unhinged adults have more to learn from the intelligent adolescents. It’s this level of depth that makes this overlooked comedy stick out from the crowd – proving the experiences of a coming-of-age story aren’t just limited to youngsters, it can be for grownups too.
Honourable mentions: Bojack Horseman season 6, part one (TV, out now), Dolemite is My Name (film, out now), Outlander season 4 (TV, 5 November), The King (film, 1 November), Seven (film, 15 November), The Irishman (film, 27 November), Atlantics (film, 29 November)
By John Carney (US, 2019) – out now
Nothing quite beats the feeling of turning on a comforting rom-com and embracing all of its gooey predictability. In John Carney’s (Once, Sing Street) anthology series, each episode brings to life stories inspired by the popular New York Times column on “relationships, feelings, betrayals, and revelations”. While it may prove frustratingly mawkish for some, there are a few gems tucked in between all the cheese. The episode titled When Cupid Is a Prying Journalist, with Dev Patel as an app founder and Catherine Keener as the journalist interviewing him for a story, particularly shines. With a stacked cast including Anne Hathaway, Tina Fey and Andrew Scott, the show’s lightness and warmth should be enough to tickle the fancy of those who want to snuggle up in bed with a cup of tea and lose themselves in some breezy escapism.
One Child Nation
By Nanfu Wang and Jialing Zhang (US, 2019) – 8 November
This Grand Jury prize-winning documentary from Sundance takes a deep dive into the harrowing consequences of China’s 35-year one-child policy. Told through the perspective of co-director Nanfu Wang, the film paints a shocking picture of the ways this social experiment – scrapped at the end of 2015 – affected more than 1 billion people, and continues to have a devastating impact on its citizens’ lives to this day. The film’s eye-opening revelations are simultaneously up close and personal: mothers forced into abortions, foetuses discarded in garbage dumps, abandoned babies on the streets. Among the interviewees are Wang’s own family members, village chiefs and former family planning officials – and the spectrum of emotions on display, which range from grief, guilt to remorse, is heart-wrenching. A vital, enthralling watch.
Honourable mentions: Brittany Runs a Marathon (film, 15 November), The Report (film, 29 November)
(Australia, 2019) – out now
This horror anthology, which made the rounds of the Australian film festivals earlier this year, consists of bite-sized stories from five emerging Indigenous Australian filmmakers. Full of blood and guts (at times literally), each narrative varies in style and tone, all the while leaning into and shaking up familiar horror conventions. Featuring mythical creatures from other worlds such as bush ghouls and fanged water creatures, to the murky, more realistic horrors of sex slavery, these films are united by their confrontation of Australia’s ugly colonial past and how this manifests in the present. Collectively, a telemovie that goes beyond mere spooky popcorn entertainment.
By Rachel Perkins (Australia, 2019) – new episodes every Sunday
Deborah Mailman is Alex Irving: a gutsy Indigenous activist appointed as a senator in federal parliament by prime minister Rachel Anderson (Rachel Griffiths) after a video of her role in a horrific domestic violence incident in her hometown of Winton goes viral. Directed by Rachel Perkins, Total Control features all the walking and talking, back-stabbing and moral conflict you’d expect of a political drama – but it’s made especially timely by its refreshing manoeuvring of the obvious gender and racial imbalance in Canberra, and its protagonist’s ambition to create change through the system. With puncturing, snappy dialogue, the show shines a damning spotlight on the drastically high rates of young Indigenous deaths in custody, entrenched racism, and the shortfalls in the recognition of Indigenous land rights. Mailman’s performance is magnetic, commanding, and at times gleefully unpredictable.
Honourable mentions: Frayed (TV, new episodes every Wednesday), The Strange Chores (TV, every day from 31 October), Julia Zemiro’s Home Delivery (TV, 13 November), Carpark Clubbing (web series, out now)
SBS On Demand
Years and Years
By Russell T Davies (UK, 2019) – 6 November
Set in the not so distant future, this brilliant six-part BBC One series from Russell T Davies (Doctor Who, A Very English Scandal) envisions a post-2019 world that has only become “hotter and faster and madder”. It’s terrifyingly realistic, though miraculously still maintains moments of light-hearted optimism. The show is grounded in the day-to-day life of three generations of the Lyons family based in Manchester, leaping through time between 2019 and 2034. It imagines a planet where Donald Trump is elected for a second term, the north pole has melted, and China and US trade wars have escalated to the point of nuclear explosive. It’s not all doom and gloom though: energetic family dynamics and giddy technological forecasts (think Snapchat dog filters as actual masks) infuse the show with playful wit. The show is ultimately a blaring alarm bell: a glimpse of what could so easily lie ahead. It’ll be hard completely suspending your disbelief for this one.
By Michael Powell and Emeric Pressburger (UK, 1947) – 6 November
Eye-popping technicolour and staggering extreme close-ups come to mind when one thinks of Michael Powell and Emeric Pressburger’s psychological melodrama. Often heralded as one of the first true erotic dramas, Black Narcissus is a feast for the eyes. Amid the remarkable, lofty landscape of the Himalayas (it won the Oscar at the time for best cinematography and art direction), a group of nuns struggle to set up a convent in the high altitude of the mountains. Howling winds and geographic isolation stir up repressed memories and carnal passions, festering and eventually exploding with a hyperbolic sensuousness. In particular, the film is brought to delicious, electric heights by Kathleen Byron as Sister Ruth, driven to the brink of madness by lustful jealousy. A special collection of films by the writing, directing and producing duo Powell and Pressburger will be playing on SBS World Movies this month, later dropping into SBS On Demand.
Honourable Mentions: Sink or Swim (film, 2 November), Broadchurch box set (TV, 14 November), Blue Murder (TV, 20 November), On Becoming God in Central Florida (TV, 21 November), Wellington Paranormal Season 2 (TV, 28 November)
School of Rock
By Richard Linklater (US, 2003) – out now
The premise of a rock music enthusiast posing as a substitute teacher at a private elementary school is made irresistibly fun by the genius pairing of celebrated indie director Richard Linklater and actor Jack Black, whose sprightly comedic performance here bursts with infectious energy. A class of young gifted musicians are handed down lessons in rock‘n’roll and life, defying parental and teacher expectations with rebellious joy and humour, to compete in the Battle of the Bands. The film has since been turned into a stage musical (showing at Sydney’s Capitol Theatre from November), but it still holds up magnificently as the feel-good, rocking delight it was upon its cinematic release.
Honourable Mentions: Hairspray, Dreamgirls (films, out now), Wayne’s World (film, 2 November), Ain’t Them Bodies Saints (film, 6 November), Tom Cruise collection (films, 15 November), Grease, Saturday Night Fever (films, 16 November)
His Dark Materials
UK, 2019 – 5 November
Philip Pullman’s esteemed fantasy novel trilogy is finally given the proper treatment it deserves with this new adventure-packed TV series from HBO and the BBC. Erasing the ill-judged 2007 film The Golden Compass from memory, this adaptation stars newcomer Dafne Keen as Lyra: a young orphan living in an alternative world, where the human soul takes the form of a physical animal companion, and the north pole is the only place to escape the oppressive rule of the Magisterium. Featuring Ruth Wilson as the alluring Mrs Coulter and James McAvoy as Lyra’s adventurer uncle, the show follows Lyra in her search for her kidnapped best friend, taking her on an epic quest from Oxford up to the north pole, to understand a mysterious phenomenon called Dust. The world-building is rich and technically impressive, capturing the complexities of the universe – peculiar and wondrous – through a child’s eyes.
Honourable Mentions: Watchmen (TV, out now), Catherine the Great (TV, 3 November), The Favourite, The Hate U Give (films, 1 November), Love Simon (film, 29 November)
From 2 November
It’s a huge month for streaming, with Apple adding their own platform into the increasingly crowded arena. At the top of their line-up is Morning Wars, the high-stakes TV drama budgeted at a gobsmacking $15m per episode (that’s as much as Game of Thrones). The A-list cast is led by Reese Witherspoon, Jennifer Aniston and Steve Carell, and the show pulls back the curtain on the razing ambitions and tussles for power behind an early morning newscast.
Other highlights include Dickinson, a modern comedic twist on the coming-of-age story of rebellious young poet Emily Dickinson (Hailee Steinfeld); See, a dystopian future where humans have been either wiped out or blinded (with Jason Momoa as a father of twin girls gifted with vision); and The Elephant Queen, a character-driven wildlife documentary centred on a species on the verge of extinction.
While there’ll be only a small selection of originals available upon launch, the catalogue will expand in the months ahead, to include M Night Shyamalan’s thriller Servant, Oprah (an in-conversation between Winfrey and authors around the world), and Sundance award-winning film Hala, starring Australian Geraldine Viswanathan.
From 19 November
Disney’s new dedicated streaming service will house their own library of original TV shows and films, and the plentiful entertainment that falls under their subsidiaries Pixar, Marvel, Lucasfilm, National Geographic and 20th Century Fox. Offering access to its back catalogue of nostalgia trips (Australia’s suite is yet to be announced, though this US tweet thread might clue us in on a few, including all 30 seasons of The Simpsons), it will also exclusively hold Disney’s 2019 cinema releases and beyond, including Captain Marvel, Avengers: Endgame and The Lion King.
Most notably, the much-anticipated live-action Star Wars TV series spin-off The Mandalorian headlines Disney+’s launch. Created by Jon Favreau, this original series is set after the fall of the Empire and before the emergence of the First Order, following a lone gunfighter in the outer reaches of the Star Wars galaxy.
Other Disney+ originals to keep an eye out in their continual roll-out include The World According to Jeff Goldblum, High School Musical: The Musical: The Series, the holiday comedy Noelle (all available on launch), as well as Diary of a Female President (available January 2020) and a new Lizzie McGuire series with its original cast members.
The U.S. government’s idea to take the reins of the development of 5G mobile networks has been met with cynicism and criticism. But there are good reasons the government is worried: Standards haven’t been set in stone yet, and 5G will present a bevy of new security challenges.
The FBI is making increasing use of an investigative technique that puts the public’s internet security at risk. This month, the ACLU filed amicus briefs in two cases to challenge the FBI’s use of this technique, which has significant cybersecurity implications for everyone.
The technique — government hacking — involves sending malware over the Internet to search computers remotely, often for information that is transmitted by or stored on anonymous targets’ computers. The malware can give investigators total control over a computer system. Absent extraordinary circumstances, courts should not grant this kind of power to law enforcement — much less with just a run-of-the-mill search warrant.
Malware — software designed to covertly damage a computer, take control of a system, or steal data — is not new to the federal government. The FBI has been deploying tools to search anonymous users’ computers since at least 2002. More recently, however, the FBI has expanded its use of this technique. Rather than deploying tailored malware against individual targets, the agency is now conducting “watering hole” operations that deliver malware to everyone who visits a particular webpage or pages. This can result in hundreds or thousands of computers being compromised, as well as the uncontrolled distribution of malware around the globe.
What the FBI didn’t disclose in court
This month, the ACLU filed briefs in the two cases pending before the Ninth Circuit Court of Appeals that involve the most recent publicly known malware investigation, aimed at users of the Playpen website. Playpen was a site primarily dedicated to disseminating child pornography, though it also hosted some lawful activities like chat and fiction forums. The FBI learned of Playpen, seized the server, and then actually ran the site out of its Virginia offices for two weeks. During that time, the federal government reportedly became one of the largest purveyors in the world of child pornography.
The FBI took this step in an effort to identify people who visited the site, since visitors were using a privacy-protective web browser called Tor to mask their IP addresses, and thus their identities. (Playpen was designed so that only people using Tor could visit it. The U.S. government originally funded Tor, which serves as an essential tool for activism and free speech across the world. Journalists, bloggers, whistleblowers, human rights workers, and other activists have relied on the Tor network to avoid surveillance by potentially repressive regimes.)
To obtain permission to deploy the malware — to which the government gave the anodyne name “Network Investigative Technique,” or “NIT” — the government sought a warrant from a magistrate in the Eastern District of Virginia. The warrant granted the FBI permission to send computer instructions from Playpen to anyone who logged in with a user name and password. These instructions, the magistrate was told, would gather identifying information from the activating computers and send it to the FBI.
In Playpen, the FBI sought to search as many as 158,000 computers around the world with this malware. As a result, there are now approximately 140 Playpen prosecutions for possession of child pornography wending their way through the federal courts. The ACLU has filed several other amicus briefs with the Electronic Frontier Foundation challenging Playpen searches on the grounds that a single warrant cannot lawfully authorize a search of more than 100,000 people, and that the searches unconstitutionally violated Federal Rule of Criminal Procedure 41, which at the time limited magistrates’ ability to authorize searches to the district in which they operate — whereas the Playpen searches were global in scope. (Rule 41 has since been modified and now removes that procedural obstacle for the government to hack remotely.)
In the briefs we filed with several of our affiliates located in the Ninth Circuit this month — United States v. Tippens and United States v. Henderson — we argue that the FBI failed in its duty of candor to the magistrate judge, rendering the searches unconstitutional. What the FBI did not tell the magistrate judge, among other things, is that for its NIT to work, it had to force visitors’ computers to do something that Tor and every other web browser is not supposed to do — download, install, and run the code transmitted by a webpage. To get that to happen, the NIT used exploit code — software designed to take advantage of a flaw in the way the Tor browser works. Further, because the Tor browser runs on the Firefox Mozilla code, this exploit likely worked on millions of Firefox users.
In other words, the government became a hacker, sending exploit code around the country and the world, compromising browser security and searching computers for information. And astoundingly, it didn’t tell the court that this was how the NIT worked. It even kept secret from the magistrate the very fact that it was, through its exploit, planning to take advantage of a vulnerability in Tor (and likely Firefox).
While the public doesn’t know what the vulnerability was, it likely gave the government, in Mozilla’s words, “total control” over the users’ computers. The FBI may have chosen to use that power only to collect identifying information, as it represented in the search warrant affidavit. But it could have accessed far more — and more private — information.
Without knowing that the government’s malware contained an exploit, the court was not in a good position to closely supervise the computer searches that the FBI’s computer instructions conducted. The magistrate likely had no idea she should police the search to ensure that the government would not misuse its capabilities to search private data for which it had no probable cause. Where searches are particularly intrusive (and especially when they involve digital media like computers), Fourth Amendment case law recommends heightened standards of proof for issuing warrants, search protocols, destruction of unrelated materials, and more to ensure that legitimate government searches do not metastasize into fishing expeditions. The magistrate couldn’t have known that she might want to impose such safeguards in this case.
How FBI hacking can hurt the public
Beyond just the facts of this case, the government’s development, storage, and use of exploits create computer security risks for the public that cannot be mitigated by the warrant process. The government may lose control of malware if an insider leaks or sells the tools, if the government itself is hacked, or if a malware target identifies and publishes the code. Once a hacking tool has been disclosed outside the government, malicious actors have a window of opportunity to use it for their own nefarious purposes.
We know the risk that the government will lose control of exploits is real, because we’ve seen it happen a number of times:
In 2013, the FBI deployed malware on multiple websites hosted by a company called Freedom Hosting. This malware similarly took advantage of a Firefox security vulnerability to identify users of Tor. Innocent individuals who visited the targeted Freedom Hosting sites — which included TorMail, an encrypted email service used by all kinds of people all over the world to ensure privacy in their communications — noticed the hidden computer instructions embedded in the sites, and within days, the code was being “circulated and dissected all over the net.” Eventually, the same attack showed up “in the wild”, using essentially the same exploit the government used to compromise Freedom Hosting visitors to hack users of the Tor browser more widely.
The government’s exploits also can be stolen. In 2016, the public learned that an entity calling itself the Shadow Brokers obtained National Security Agency malware from an external NSA “staging server.” Following some initial attempts to sell the exploits, the Shadow Brokers dumped dozens of NSA hacking tools online for free in April 2017. One of the tools the Shadow Brokers released — called EternalBlue — exploited a flaw in Microsoft software. Once released, the tool was repurposed into a virulent piece of ransomware called WannaCry, which infected hundreds of thousands of computer systems worldwide in May 2017.
The very next month, another malware attack began spreading internationally after initially hitting critical infrastructure in Ukraine. Similar to WannaCry, the worm, dubbed NotPetya, made use of EternalBlue as well as another NSA exploit, called EternalRomance, also released by the Shadow Brokers. WannaCry and NotPetya infected such crucial systems as hospitals, power companies, shipping, and banking, endangering human life as well as economic activity.
Courts have said that dangerous tools used to effectuate otherwise lawful searches — tools like flashbang grenades and battering rams — can be unreasonable under the Fourth Amendment. Government malware is another such tool. Some investigative techniques are just too dangerous to use.
Cybersecurity is hard, and we are not doing a very good job of protecting the systems that we rely on. This task gets even harder if the government is an active attacker on the network with a vested interest in keeping computers insecure in case an investigator wants to conduct a search. If we aren’t careful, this powerful tool that the FBI now uses, like other powerful tools, will eventually trickle down to state and local police departments.
The government should be fighting to secure computers — not to hack them or to stockpile exploit codes that can be lost or stolen, and then misused and abused. As we told the Ninth Circuit, the Fourth Amendment needs to protect the public’s privacy and security. Secretive and unregulated government hacking endangers both.