Latest Cyber Crime posts

H4cked Off: UK cyber security – a disaster waiting to happen?

19 Aug 2011

Computing reporter Stuart Sumner

Cyber security is viewed by the government as a 'tier one threat', as it stated in October last year, along with a pledge to invest £500m over four years into the UK's response to the problem.

And with the Olympics now just under a year away, with the accompanying global attention (both from sports fans and criminals) that it will bring, the need for a 'tier one response' to the tier one threat appears more pressing than ever.

In March this year, Neil Thompson, director of the Office of Cyber Security and Information Assurance (OCS), stated that the UK wants to lead internationally on cyber security.

But are we as a country set up in the right way to even lead our own fight against cyber criminals, hacktivists and malicious foreign agencies, much less lead our peers?

Off the top of my head I can think of 20 different public sector organisations with cyber security as a core function, besides the OCS mentioned earlier.

I haven't got the space to list them all, but a few of the more recognisable names are the Government Communications Headquarters (GCHQ), Centre for the Protection of National Infrastructure (CPNI), Police Central e-Crime Unit (PCeU), Cyber Security Operations Centre (CSOC) and the National Crime Agency (NCA) (itself an eventual replacement for the Serious Organised Crime Agency (SOCA)).

And there are many more, with overlapping briefs and confused chains of command.

In the words of former security minister Baroness Neville-Jones, who possesses the gift of understatement, the organisational structure of the UK's cyber crime effort is 'not ideal'.

Does this sound like a cogent and co-ordinated response to the cyber threat? Or does it sound like a fragmented mess, possibly the result of organic and unplanned growth rather than a strategic and cohesive network of assets?

In July this year, the Information Security Council (see, there's another organisation) released its annual report which stated that the government has shown "confusion and duplication of effort" in its approach to cyber security.

Apparently the chief of the Secret Intelligence Service (and there's another) was similarly unenthused at the UK's setup, stating: "I'm not sure the Cabinet Office processes for determining what is a coherent cyber programme [are] as sophisticated as [they] should be."

I spoke to the Cabinet Office requesting a list of all government organisations with a cyber security function. I was told that such a list would be impossible to pull together. I'm guessing that's because they have no idea exactly how many such bodies exist.

OK, "How about a list of those organisations with cyber security as their principal function?", I asked. "We'll think about it" was the terse and slightly irritated response I got.

I'm still waiting for the results of that cogitation. I shan't hold my breath.


Stuart Sumner, chief reporter and security geek

H4cked Off: Losing the Cyber War

17 Jun 2011

Computing reporter Stuart Sumner

In recent months hacktivist group Anonymous has been keeping security commentators busy with its humiliation of such global brands as Sony, Mastercard and Paypal.

Though often basic in nature, the sheer muscle-power behind these attacks was sufficient to knock these mighty websites off their not-so-mighty pedestals, and go some way towards the group's political goal of supporting whistle-blowing site Wikileaks.

Its preferred method of attack? Distributed denial of service (DDOS). This is where a website is bombarded with so many requests for information that the server, unable to cope, falls over and has to go for a quiet lie down and a glass of milk.

As Graham Cluley from security firm Sophos told me this week, it's like a group of fat men all trying to go through the same revolving door – it just won't work.

This is a very basic form of attack – the DDOS, that is. It's successful for two reasons. First: scale. Anonymous 'members' (though the group is so loosely affiliated that this can apply to just about anyone who once visited one of its forums, or who just plain thinks it's 'cool') can download a tool that enables their PC to be used as a bot.

And that's all they need to do. Then their machine becomes part of the Anonymous network, and can be programmed to send out countless requests to a targeted website until it runs sobbing from the internet.

As anyone in the world with access to a PC can do this, and as a lot of people like the vague sense of rebellion and the stylings of V from the graphic novel series (chosen as the Anonymous figurehead), that results in a very large, free, powerful network.

The second reason it's successful is that even in this day and age of DIY malware kits, Zeus, SpyEye and Stuxnet, hardly anyone seems to know how to secure a website.

Even security companies such as HBGary and secure token specialists RSA seem not to know, both having experienced large-scale and embarrassing cyber attacks in recent months.

DDOS is not a sophisticated form of attack. Neither is SQL injection, where malicious code is inserted into a web form rather than, say, a user's name and address as the original coder anticipated. But that seems often to work too.

But now there's a new(ish) kid on the block. I've written a few stories over the past couple of weeks about Lulzsec, another hacking collective, although this one is nothing like Anonymous, as one of its members told me recently (at least I assume he's one of the members – pretty secretive on the whole, hackers). As the name implies, Lulzsec are in it for the lulz (laughs).

This week, besides taking down the CIA website (a DDOS attack) and an Australian web registrar, it published 62,000 email and password combinations via a file-sharing site.

It said shortly afterwards on Twitter: "Hope everyone enjoys that list. Good to see some refreshing carnage." Their followers later thanked the group for access to other people's Paypal accounts, pornographic sites and in one case, ownership of a World of Warcraft account.

And Lulzsec appears to be engaged in something of a spat with security firm Sophos, having posted several disparaging posts aimed its way on Twitter.

One read: "Sophos, every one of our tweets gets more views than a week's worth of your website traffic, and we're just spouting inane sh*t. umad?"

All in all, the episode lends further credence to the idea that hackers are unaccountable, unassailable and just maybe, unstoppable. Anonymous style themselves as the 'Lords of the Internet'. At the moment it appears that they, and their peers, are exactly that.

Stuart Sumner, Chief Reporter and security geek

H4cked Off: Pity the CSO

10 Jun 2011

Computing reporter Stuart Sumner

This week a sizeable chunk of masonry detached itself from the building opposite the Computing offices and plummeted to the Soho streets below.

Fortunately a parked car was the only casualty. I understand there will be no legal repercussions for the building owners, because they're now intending to appoint a chief masonry officer.

Similarly, my four-year-old son would ordinarily be in grave trouble for refusing to listen to me last night when I told him it was time for bed, but I understand he's looking at appointing a chief behavioural officer, so that's the end of it.

This being a security blog, hopefully by now most of you have realised I'm talking about the recent actions of secure token specialists RSA, and consumer tech giants Sony.

Both firms have seen their brands dragged through the mire of late as a result of security failings. Both have since sought to wipe away the mud and restore a bit of gleam through the creation of a new role, that of the chief security officer.

In both cases, the role will, at least initially, be a bit of a poisoned chalice. Perhaps not on the scale of anyone hapless enough to allow himself to be put in charge of the England football team, but a sticky wicket nonetheless.

In the case of corporate behemoth Sony, much appears to be wrong. I've written recently about the persistent nature of its data breaches so I won't go into detail here. But suffice to say if its security policies were a hard hat, I wouldn't stalk the streets of Soho in it just at the moment.

When a large and disparate corporation with myriad servers storing presumably countless petabytes of data suddenly and unexpectedly finds itself targeted by the world's hacking elite, the pain is going to be deep and enduring.

There's no security switch that it can flip to 'on'. Given the sloth's pace of Sony's response to its security troubles, it seems apparent that it had either no, or at best severely deficient, policies in place for dealing with breaches.

And RSA is little better. It too has been accused of a ponderous response to its attack, which it describes as 'extremely sophisticated' and others describe as 'fairly basic, you just weren't very well prepared'.

The point is it takes time, certainly months, to improve security across an organisation. The larger the enterprise, and the more disparate its services, the more likely those months roll on into years.

Multiple security solutions need to be implemented to create that mystical 'layered approach' that security evangelists like to preach.

Penetrate one layer? Here's another. Accessed our network? Well done, you won't find anything though. Found something? Tough, it's encrypted. Found the encryption key? Fire the chief security officer...

And that's why it's a poisoned chalice. In the short term these appointments are an attempt to reassure customers that similar troubles won't happen again. And if they do? Well you've got a nice scapegoat installed to take the bullet.

Stuart Sumner, chief reporter, Computing

H4cked Off: Doom-mongering for fun and profit

27 May 2011

Computing reporter Stuart Sumner

Media commentators on cyber security are prone to bouts of hysteria. And I say this as a media commentator on cyber security. Stuxnet! Hackers! Zeus! The Sky is Falling! You get the picture.

But exactly how scared should we be? In his novel 1984, George Orwell advanced the case that the state benefits by keeping its populace cowed and fearful. Leaving aside debates on non-virtual forms of terrorism, is cyber-fear the natural evolution of Orwell's dystopian vision?

The latest piece of scare-mail to fall into my inbox warned that anyone can learn to be a hacker in 15 minutes. Free hacking tools are available on the net, as are free tutorials on how to use them (the search term 'hacking tutorials for beginners' returns over 126,000 results on YouTube).

'Crime doesn't pay' is a fairly well known phrase, but I've never heard anyone suggest the small amendment: 'Cyber-crime doesn't pay'. And that's because it does. It's quick, it's easy, it's lucrative and you probably won't get caught.

So perhaps I'm right to be scared, and occasionally hysterical (in the bad sense). Literally anyone with fingers and a keyboard can be a hacker. So why don't more people take cyber crime up as a profession? Do hackers not have a presence at graduate fairs? Are malware authors not invited into schools on careers day?

I'm not suggesting it's a dying profession, but I am perhaps questioning how scared we need to be of the casual villain – someone who finds him or herself with a spare half hour and decides to drain my bank of funds (good luck with both of my pounds).

I performed a quick and definitely scientific survey of my Computing colleagues to find out why they don't transform themselves into masters of the criminal underworld.

Interestingly fear of prosecution wasn't high on the list of reasons for staying on the relatively straight and narrow (speeding and library fines notwithstanding). But then lots of cyber criminals go about their careers without ever suffering any legal complications, so perhaps that's reasonable.

Ethical concerns were mentioned, but only after I said: "So you're not worried about the ethics?" So I don't think it counts as an especially valid explanation. I told you it was scientific.

In fact there were two principal themes that emerged as reasons for not turning to cyber crime. The first? Inertia. Even 15 minutes of training still counts as re-education. And swapping careers is notoriously stressful. Is that a comforting thought? Many people won't turn to cybercrime because they're already a postman / bank clerk / astronaut and they can't be bothered to retrain. I suppose in a way it is.

But the main reason for ignoring the internet's scarcely hidden treasures? Computers. Technical frustrations.

And I think that's a very good point. Think of every piece of software you've ever used for the first time. Was it utterly intuitive? Was the process completely without technical hitch or glitch? Or did it make you want to drive your fist through the screen?

The simplest and most intuitive computer I ever used was my first, a Sinclair ZX Spectrum 48k. And its metal casing had a row of bite marks below the little rubber keys where I'd let my frustrations get the better of me one morning.

A few months ago I was treated to a demonstration of a free Zeus-like hacking tool from McAfee. They trained me, and a few other journalists in how to create and disseminate our own malware.

I'm reasonably technically competent, but still had to be walked through some of the stages several times. At one point even my instructor got confused and had to call the director of McAfee research over for second line support.

The point is, hacking isn't that simple. Yes, free tools are out there. Yes, we should protect ourselves online and exercise both common sense and caution. But no, most people will not learn how to execute complex hacking manoeuvres in 15 minutes. Let's save our fear for the real bad guys.

H4cked Off: OMGWTFBBQ!

20 May 2011

Computing reporter Stuart Sumner

If you've ever frequented an internet forum, besides dodging the incessant sniping, flaming and accusations of being just like Hitler, you might have seen the odd acronym that I've chosen as this week's title.

Whilst I won't translate it for you (come on, it's not hard to work out), I will describe it as an expression of extreme frustration. That's the sort of emotion you might be feeling right now if you're a Sony customer.

Not content with leaking the personal (and in some cases financial) details of over 100,000 customers following a cyber attack, it has stumbled, Harold Lloyd-like, into a succession of security and PR failures since.

Let's have a look at what Sony's done so far:

• Took a week to tell anyone about the breach. Given the extent of the attack, and that other DDoS attacks were being perpetrated simultaneously, you could argue that it should be forgiven for this one.

• Complained (in a letter to the US House of Representatives) that it was hard to detect the hack. Yes, welcome to the internet. Hacks are often hard to detect, that's often sort of the point.

• Complained that it was hard to know what was stolen because the hackers deleted the log files: see above. Log files are all well and good but if your forensic capability begins and ends with log files then you're living in 1996.

• Finally began to bring the PlayStation Network (PSN) back online... then immediately had to take it down again because everyone was changing their passwords and the system couldn't keep up. Not a massive issue, but what were they expecting people were going to do when access was restored?

• The PSN comes back online again...then the password reset pages are taken down as reports of another vulnerability emerge, where anyone can hack an account simply by knowing the username, and date of birth used in its creation.

At the time of writing the PSN is up across most countries, and normal services appear to have been restored... for now.

But what can we learn from Sony's experience? Hackers are good at what they do? Everyone is vulnerable, even (or perhaps especially) large organisations? Nothing new there.

Since the initial attack, Sony has engaged external security advisers both to plug the security hole, and help to ensure there aren't others. It has also announced that it will appoint a new CISO (chief information security officer), who will report directly to the CIO.

To my mind, given the scale, severity and notoriety of the problem, it doesn't appear to have done an awful lot. And the reason is that ultimately it doesn't need to. It all comes down to financials, quelle surprise. Sony needs to balance the cost of its restorative measures against the cost of doing nothing.

And the cost of doing nothing is very low. Plug the breach, sure, as making exactly the same mistake twice will incur the wrath of the governments of several countries in which the corporation operates. But don't go overboard. Don't bother changing your infrastructure, or stripping out your existing (and patently ineffective) security measures and replacing them with more layers.

The harsh reality is Sony just needs to make a few of the right noises, give its customers a little compensation (both of which it has done), and then it's back to business as usual.

After all, its customers just want to get back to playing games. They're not all going to switch to Xbox Live; they've invested in the PlayStation platform and its games, so very few will jump ship. OK, they might type a few obscenities onto internet forums, some may even go as far as OMGWTFBBQ, but they'll be back on the PSN soon enough, credit card details and all.