Tag Archives: cyberwar

ITNow – Upcoming Threats and Countermeasures

The following article was originally published in the Information Security section of the BCS ITNow Magazine, Spring 2012 issue (Volume 54, Issue 1), which was on the topic of Upcoming Threats and Countermeasures:

Gareth Niblett, Chairman of the BCS Information Security Specialist Group, takes a glimpse into the future* to see what emerging threats we might have to contend with.

Cloud computing offers many benefits over the traditional approach of owning, growing and maintaining a network of computers. It also brings complications and risks related to multi-tenancy hosting, off-shoring, consolidation and jurisdiction.

With such growth in this area, attackers are likely to increase their targeting of both cloud-based services and their underlying platforms, as well as leverage their scalable processing power, e.g. to break encryption.

Extraterritorial application of laws, such as the US PATRIOT Act can undermine, for example, even EU data protection rules and trust if a cloud provider is in scope.

The scale of compromises may be massive when they do occur and the scope for forensic examination of complex platforms is severely restricted by contracts, accessibility, capability and jurisdiction; thereby hampering investigations and prosecutions.

Those putting their, and their customer’s data, on cloud services should ensure that they are able to meet their legal, regulatory and contractual obligations to all parties in contracting, operation, incident response and migration.

Ghosts in the wires

So-called advanced persistent threats (APT), or continued state of ignorance (CSI), will continue. These are large-scale compromises, over a long period of time, possibly state-sponsored or condoned, aimed at extracting commercially or personally sensitive information from the targets.

They will reconnoitre, infiltrate, establish a beachhead and back doors, conduct whatever espionage they have in mind and then exfiltrate data. Social engineering / blagging, spoofing, spearphishing, blackmail/bribery, infiltration, break-ins, dumpster diving, bugging, hacking etc. can all be part of the repertoire.

If even journalists can find out information from phones and computers of celebrities, police and politicians, what do you think your chances are against a suitably motivated, technically capable and well-funded attacker?

Use of targeted attacks and malware will grow, sometimes deniable and sometimes for publicity. Stuxnet and Duqu may have been the tip of an iceberg and based on flexible attack toolkits that can be tailored for specific targets and carry specialist payloads, e.g. for espionage or disruption.

Hacktivism, where a specific message is aimed at the target group and often the intent is as much to embarrass and drive home the message as to compromise systems or information, is also gaining traction.

Not forgetting mass attacks, using vulnerabilities that affects popular software and affects many organisations; this is low hanging fruit for an attacker.

Simply keeping patches up-to-date is clearly insufficient to counter this threat, as recent attacks have used multiple zero-day (0-day) vulnerabilities. If you are running a system that holds customers’ personal and financial data, encryption needs to be both utilised and effective.

The adage of defence in depth should be de rigueur, as competent attackers will come quietly, with patience and persistence.

Your organisation needs the right personnel, policies, technology and procedures to detect, repel, contain and respond, in short order, to minimise downtime, data losses, embarrassment and costs when it does occur.

Online blockades

Excuses for filtering and blocking will carrying on growing, adding to the regime of ineffectual prevention of web access to material related to child sexual abuse, terrorism, religious and racial hatred, sedition, defamation and libel as well as blocking offshore services providing online gambling, copyright infringement and sale of controlled or duty-paid goods, such as drugs, alcohol and tobacco.

Laws and agreements with unintended consequences are the result of addressing the symptoms rather than root causes, i.e. sources – SOPA, PIPA, HADOPI, ACTA, as well as court orders requiring ISPs to block.

Breaking DNS, for example, to render websites inaccessible, undermines the security of the internet and fails in the face of technical competence. Only by removing content or services can they be truly blocked.

International rules should recognise the cross-border nature of the internet and understand that local laws might not work well in an environment that doesn’t have physical borders.

We need better agreements, cooperation and action in tackling harmful and illegal online content and services; those in child safety have had great success in taking down content, services and rescuing those being harmed with international cooperation and assistance from ISPs and others.

Lawmakers should be encouraged not to legislate in areas they don’t understand, especially when based on one-sided arguments put to them by lobbyists. The issue will remain difficult to resolve while there is a disparity in legal and moral positions between countries.

Cyber wargames

The military has traditionally favoured growth and the adoption of new technologies; a bigger empire with more weapons. ‘Cyber’ is no different. The main difference is the unresolved issue of attribution as plausible deniability is much easier in a cyber context.

An attacker’s computers don’t need to mass at a border, nor are they marked so that independent observers can identify them; indeed compromised systems may be used to further obfuscate things.

Cyber arsenals are being built up, not only by the usual suspects of US, UK, Russia and China, but by Israel, Japan and smaller countries.

Cyber warfare capability is a force multiplier and provides the potential for asymmetric warfare. Israel and others have said that they will treat a cyber attacker in the same way as a physical attack and may respond kinetically, rather than simply in kind. Bits vs bombs, if you will.

Rules of cyber conflict, broadly similar to traditional rules, are starting to emerge. This needs to continue and ensure that some of the trickier questions are answered.

Surveillance nation

The false zero sum game of security vs. privacy will continue to play out, with the enforced information sharing of personal and financial data, in the name of protecting life and liberty.

As everyone is a suspect, who needs to be monitored to ensure compliance, we need a panopticon for all communications – so say an increasing number of governments, trying to suck up everything to find needles.

Without transparency, oversight and being made to justify and temper ambitions, governments, law enforcement and intelligence agencies will continue to take liberties with our privacy, and abuses will stay hidden, unless citizens take a stand.

Trap and trade

Where miscreants are identified, we will see increased use of mutual legal assistance, international arrest warrants and extradition even where the suspect may not have committed an offence in the jurisdiction where they are sought from.

Nationals that would not be extradited by their home country will be tricked into, or tracked, travelling to more co-operative countries where they are then seized.

This will not just be for criminal hackers and fraudsters but also whistleblowers, copyright infringers and online gambling site operators etc.

International rules in this area should be equitable and extradition requests should be based on the same level of evidence required for a prosecution in the country holding the subject in question; preferably for a crime recognised there also.

Media Muddle

Writers will continue to conflate and confuse denial of service with hacking and downloading with sharing.

The fear mongers will repeat long in the tooth scare stories about terrorist hackers taking down all the technology and services we take for granted.

There will often be seeds of truth and fact behind the dark sinister tales, but should not be taken as gospel without supporting evidence.

Identity matters

UK citizens will fail to realise the benefits of a robust service-focussed digital identity, due to past government mistakes on the national ID card, whereas, in the US, NSTIC may create a two-tier internet in relation to online identity.

ID cards and online identities need not be bad things, provided the intentions of those providing them can be trusted and the necessary checks and balances are in place and used.

Problems arise when your information is gathered without clear informed consent, analysed, sold and used ‘against’ you. Users can gorge on cookies, becoming the product that is marketed to advertisers, whilst adding increasing amounts of personal detail and value to their social profiles.

Use of social logins and sharing will exacerbate this. ‘Do not track’ will fail to gain significant traction, due to technical reasons and user adoption, as have other web privacy and security standards.

What can be done? Well, I don’t think people are going to suddenly stop using Google, Facebook, Twitter and LinkedIn, but the new EU Data Protection reforms may well finally make non-EU entities play fair with data belonging to EU citizens.

You’re unique

People share passwords between accounts. It is human nature, especially when long and complex passwords are required.

The brain can only cope with so much, and there’s only so much space for Post-Its. If you register with any online service you need to be mindful that many attacks have exposed client information (including personal details, passwords and credit cards).

This can lead to further compromises, especially when an email address is used as the user ID and the password is reused.

Use a password manager. Long, Unique, Complex and Kept safe – you make your own LUCK. Password reminders and resets are often sent to your registered email account.

Never use your email password with another online service; otherwise you may be gifting an attacker with another route in. If you have control of your own domain name(s) and email accounts, you have the option of using a different email address for each online service.

Combined with unique logins, this would mean that a single compromise doesn’t undermine all your accounts.

*Risk can increase as well as decrease. Past security performance does not guarantee future success. We suggest you seek advice from a qualified security advisor etc.

A PDF version of the magazine is available online to BCS members at:

https://wam.bcs.org/wam/sentinelcheck.exe?/20799/20802/20964/20967/pdf/mar12.pdf

NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) – 3rd International Conference on Cyber Conflict (ICCC)

The following conference report was originally published in the BCS Information Security Now Magazine, Summer 2011 issue (Volume 5, Issue 4), which was on the topic of Cyber Warfare:

ISSG Chairman Gareth Niblett reports from the 3rd International Conference on Cyber Conflict (ICCC), organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia.

This conference rated as one of the best I have attended in the last 20 years – not having to speak or organise possibly helped. The first day opened with an introduction and scene setting by Col Ilmar Tamm, the NATO CCD COE Director followed by a keynote from the President of Estonia, Toomas Hendrik Ilves, who demonstrated both a deep understanding of cybersecurity issues and an ability to communicate them clearly, even to an expert audience. I’d be impressed if leaders of other countries could do even half as well.

Ilves told the audience to look past state-to-state for asymmetrical cyber attacks, and towards handling an increase in plausibly deniable online operations, subcontracted to the private sector, with official public statements of disbelief when accused of involvement. Cyber attacks can offer a negative take on public private partnerships (PPP), with botnet-herders and hackers implementing state desires without being part of the apparatus of government or military directly.

The president challenged governments to look beyond their fixation on military infrastructure (~2 per cent GDP) and towards protecting intellectual property. It is easier to steal than develop through investment and R&D (~3 per cent GDP) and arguably this could have a greater impact on a country. As part of a positive PPP, providing information sharing for mutual protection, Estonia has established a Cyber Defence League (CDL), weekend warriors with ponytails, to help protect its critical national infrastructures – much of which resides in the private sector, which is also where the otherwise unaffordable knowledge and expertise also lies.

Nation perspective
Major General Jonathan Shaw, UK MoD, followed with a talk covering cyber force from a nation state perspective, and a view that cyber warfare will not overtake kinetic, although the UK MoD has woken up to the threat and is addressing it in the Defence Review. Shaw expressed a position that cyber war is about people, not technology, and we should also start looking for the next thing beyond it. He stated that cyber war sits in a continuum of tools and must be integrated into training and operations, as well as a traditional defence capability of defend, detect and respond and it should be mainstream for defence in the UK by 2015.

Concepts and challenges
Apart from the keynotes, the days were split into two tracks – one covering concepts, strategy and law, which remains an emerging area, and the other covering technical challenges and solutions, which is a continual battle. All had an excellent array of speakers and topics but some of the highlights for me were:

Charlie Miller, Accuvant Labs, explaining the technical approaches to discovering unknown vulnerabilities in products, including Apple iPhones, and watching the media concentrate on slides about code disassembly and buffer overflows.

Tom Wingfield, Marshall Centre, Germany, discussing the ongoing development of a manual of international law applicable for cyber conflict, which was explained with the use of onstage shrubbery during the media workshop prior to the conference.

Raoul Chiesa, United Nations, giving a overview of the long-term study on the underground hacking scene, with statistics from over 1,200 interview / profiles, along with an interesting view of five generations of hackers, from original to present.

Ralph Langner, who led the efforts in reverse engineering and analysing the StuxNet worm, which was referred to as the first actually deployed cyber weapon in history, covering its architecture, highly targeted nature and implications. Ralph was engaging and had an excellent appreciation of the cybersecurity world, having come from a control systems background – a boon in the SCADA world.

Sachin Deodhar, Cyberconflict Researcher, India, discussing the use of covert communications channels in VoIP and its possible uses in terrorist planning and co-ordination and the challenges it presents to investigators. This is a threat area that I warned lawful interception agencies of quite a few years ago, as certain types wish to evade both traffic and content analysis yet want near real-time communications.

Richard LaTulip, US Secret Service, on shedding the suit and growing long hair to infiltrate both the underground credit card fraud and surfer scene, winning the trust of criminals and, with Operation Carder Kaos, dismantling one of the leading online black market sites for stolen card details.

Iosif Androulidakis, Ionnina University, Greece talking about how the introduction of modern communications technology doesn’t address traditional issues of PBX security, interception and forensics; indeed adding IP can make things worse.

Mikko Hypponen, Chief Research Office of F-Secure, covering cyber espionage in practice, provided real world examples of spear-phishing emails and malicious files, which had been collected by anti- virus research organisations. Mikko’s constant research, targeting the criminal underworld, also makes him a target; shortly after the conference, a fake news story was released in an attempt at discrediting him.

Unfortunately, it was not possible to attend or cover all the talks, but it was obvious why people from all over the world keep coming back to Tallinn for this conference, beyond the local sights, food, drink and summer weather.

Estonia is known as e-Estonia (http://e-estonia.com/) due to its highly digital society, and this can only be sustained through constant vigilance and protection. As such, Estonia is working to be at the forefront of research and preparation.

No hype
Obviously, the infamous 2007 cyberattacks against Estonia were mentioned numerous times, but without much of the hype that the media heaped upon it. Most delegates recognised it as a minor annoyance – rather than a cyber war or cyber terrorism delivering widespread panic, real-life casualties, or significant infrastructure or economic damage – whilst cognisant that the next attack may go beyond mere inconvenience.

Co-operation and co-ordination was mentioned throughout the conference, but issues of trust and privacy, from both a organisational and legal standpoint, require continued efforts to address and that everyone plays a part in cyber defence: government, intelligence, law enforcement, military, public sector, private sector and even the citizen. The 4th conference is scheduled for Tallinn 2012 and I hope to attend again and see how efforts have continued and increased over 12 months.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-summer-2011.pdf

ISNow – Cyber Warfare

The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2011 issue (Volume 5, Issue 4), which was on the topic of Cyber Warfare:

“One of the significant problems with cyber war, versus traditional kinetic warfare, is the lack of agreed definitions and rules.

Proposals are beginning to emerge, and the NATO Cooperative Cyber Defence Centre of Excellence (www.ccdcoe.org) based in Tallinn, Estonia, has produced a reference called ‘The 10 Rules of Behaviour for Cyber Security’, which I think provides an good starting point:

1. Territoriality. Information infrastructure located within a state’s territory is subject to that state’s territorial sovereignty. Using the concepts of property, sovereignty and jurisdiction, states can enforce cyber security from a national security perspective.
2. Responsibility. The fact that a cyber attack has been launched from an information system located in a state’s territory invokes the responsibility of that state for the attack.
3. Cooperation. The fact that a cyber attack has been conducted via the information system located in a state’s territory creates a duty to cooperate with the victim state.
4. Self-defence. Everyone has the right to self-defence when facing a clear and imminent danger.
5. Data exchange. Information infrastructure monitoring data is perceived personal unless provided for otherwise.
6. Duty of care. Everyone has the responsibility to implement a reasonable level of security in their information infrastructure.
7. Early warning. Everyone has to notify the potential victims about an upcoming cyber attack.
8. Access to information. The public has the right to be informed about threats to their life, security and well-being.
9. Criminality. Every nation has the responsibility to include the most common cyber offences in its substantive criminal law.
10. Mandate. An organisation’s capacity to act (and regulate) derives from its mandate.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-summer-2011.pdf

ISSG Magazine – Terrorism

The following introduction was originally published in the BCS Information Security Specialist Group Magazine, Autumn 2005 issue:

Recent Events
The terrible events of 7th July, and fortunate failures of 21st July, exploiting vulnerabilities in our transport system to cause death and mayhem, remind us all that we may be subject to attack, even while going about our normal business.

Our assets are not only our population, which we must do our utmost to protect, but also our way of life, which is not only being threatened by the attacks against us, but may be undermined by a hasty or draconian response to terrorist attacks.

The threat is from ‘international terrorism’, which has both the capability and intent, has grown over the last two decades, and considers its actions justified, as payback, for many years of the ‘West’ interfering in the affairs of the ‘East’.

As well as trying to convince the public that they’re safe from the risk of another attack, governments must be more open and honest, and target the causes of terrorism, as well as its symptoms, as part of their risk management strategy.

Real War or Cyberwar?
The oft-quoted ‘cyberwar’ has, as yet, failed to materialise. Personally, I don’t expect a digital equivalent of Pearl Harbour or 9/11 for some time. For now, I expect major attacks to remain physical, which makes for good ‘terrorism by TV’.

An electronic attack is much less likely to terrorise the general population unless the attackers acquire some new expertise or knowledge, which could be harnessed to create widespread carnage in Critical National Infrastructure (CNI).

What is not at doubt is that the current breed of ‘international terrorists’ has learned how to use the Internet and media outlets effectively for communications, information distribution, propaganda and recruitment.

New Powers?
The UK, and its own ‘coalition of the willing’, is still pushing, through the EU, for sweeping data retention powers. A past attempt, at slipping it through with minimal discussion and review, has been declared illegal, but we persist.

The current powers and retention requirements seem to have been sufficient in recent attacks, both at home and abroad. Those that wish for greater powers should put forward convincing arguments as to why they should get them.

Coupled with other moves – to introduce ID cards, reduce burden of proof, have detention without trial, limit legal representation, present secret evidence, impose control orders, and broaden surveillance – we must avoid a ‘1984’ scenario.

“Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety” – Benjamin Franklin (attributed)

If we become a police state, which spies on our people as the norm, at the same time as ‘encouraging’ such states to become democratic and open, would we meet in the middle, or would they become free as we become repressed?

In this growing surveillance society quis custodiet ipso custodes?”