Latest Cyber Security posts

H4cked Off: UK cyber security – a disaster waiting to happen?

19 Aug 2011

Computing reporter Stuart Sumner

Cyber security is viewed by the government as a 'tier one threat', as it stated in October last year, along with a pledge to invest £500m over four years into the UK's response to the problem.

And with the Olympics now just under a year away, with the accompanying global attention (both from sports fans and criminals) that it will bring, the need for a 'tier one response' to the tier one threat appears more pressing than ever.

In March this year, Neil Thompson, director of the Office of Cyber Security and Information Assurance (OCS), stated that the UK wants to lead internationally on cyber security.

But are we as a country set up in the right way to even lead our own fight against cyber criminals, hacktivists and malicious foreign agencies, much less lead our peers?

Off the top of my head I can think of 20 different public sector organisations with cyber security as a core function, besides the OCS mentioned earlier.

I haven't got the space to list them all, but a few of the more recognisable names are the Government Communications Headquarters (GCHQ), Centre for the Protection of National Infrastructure (CPNI), Police Central e-Crime Unit (PCeU), Cyber Security Operations Centre (CSOC) and the National Crime Agency (NCA) (itself an eventual replacement for the Serious Organised Crime Agency (SOCA)).

And there are many more, with overlapping briefs and confused chains of command. 

In the words of former security minister Baroness Neville-Jones, who possesses the gift of understatement, the organisational structure of the UK's cyber crime effort is 'not ideal'.

Does this sound like a cogent and co-ordinated response to the cyber threat? Or does it sound like a fragmented mess, possibly the result of organic and unplanned growth rather than a strategic and cohesive network of assets?

In July this year, the Information Security Council (see, there's another organisation) released its annual report which stated that the government has shown "confusion and duplication of effort" in its approach to cyber security.

Apparently the chief of the Secret Intelligence Service (and there's another) was similarly unenthused at the UK's setup, stating: "I'm not sure the Cabinet Office processes for determining what is a coherent cyber programme [are] as sophisticated as [they] should be."

I spoke to the Cabinet Office requesting a list of all government organisations with a cyber security function. I was told that such a list would be impossible to pull together. I'm guessing that's because they have no idea exactly how many such bodies exist.

OK, "How about a list of those organisations with cyber security as their principal function?", I asked. "We'll think about it" was the terse and slightly irritated response I got.

I'm still waiting for the results of that cogitation. I shan't hold my breath.

 

Stuart Sumner, chief reporter and security geek

H4cked Off: How the hell did the RSA hack cost EMC £40m?

29 Jul 2011

Computing reporter Stuart Sumner

Storage company EMC has admitted that the cyber attack on its security division RSA Security has cost it £40m, both in investigating the hack, and in tightening security to make sure it doesn't happen again.

I'm not entirely sure how you manage to spend that amount of money in those ways. How much does it cost to check your log files, scan your network for malware or oddities, and go through all your documents to see what has been accessed, when and by whom?

There's quite a bit of work there, so let's say you hire in some incredibly expensive external talent and it takes them a month. I still don't see how that can possibly come to more than £1m tops.

And then you have to improve your security in the hope that someone somewhere might actually trust you enough to use your products again.

As part of this drive, RSA created a new CSO role, which it gave to Eddie Schwartz, who was already working at EMC, and originally at NetWitness, which EMC bought in April.

If they're paying him £39m, then that would both explain where the money went, and prompt an immediate change of career direction for myself, and probably most of you too.

Unless they're factoring in loss of sales, which is possible and would certainly come close to explaining the figure.

Companies are understandably reluctant to reveal their losses as a result of security breaches. They'd rather brush the whole thing under the carpet as soon as possible, and hope their customers suffer from amnesia.

Sony has probably lost far more as a result of its encyclopaedia of security mishaps, but it isn't telling us, besides to say that it has lost something (besides all credibility).

So had EMC properly secured RSA's network in the first place, what else could that £40m have bought?

Well for a start it's what the US military paid recently for the manufacture and delivery of the new XM-25 computer smart-rifles, complete with explosive shells and thermal imager sighting.

Are your competitors' sales teams all armed with smartphones? They're no match for the smart-rifles, and the thermal imaging should help track them down even in the comfort of their air-conditioned BMWs.

Or, how about Manchester City striker Carlos Tevez? £40m should be enough to prise him away, then simply install him in the foyer of your headquarters and make him do keepy-ups. That'll be more interesting than a few potted plants and a drinks dispenser.

Personally I'd plump for the Meamina, a luxury 200 foot boat available from Burgess Yachts. It lists one of its features as 'teak decks'. And it leaves a cool million in loose change for important things like gin and helicopters.

So EMC, those are just a few things to reflect on as you eye the hole in your profits this quarter. For everyone else, go spend £50,000 upgrading your security then blow the rest on a teak-floored yacht.

Stuart Sumner, chief reporter and security geek

H4cked Off: I hate to say I told you so...

07 Jul 2011

Computing reporter Stuart Sumner

Last month, I quoted security firm Kaspersky's CTO Nikolay Grebennikov as he explained why he feels that Apple can't keep its iOS platform secure all by itself.

It's a fairly bold statement, but he went further, stating that Apple would be forced to open up the iOS within a year.

Apple keeps a firm grip on its mobile operating system, only allowing applications and services to be downloaded from its own store. And it, presumably painstakingly, vets these apps and their developers first, ensuring that they're free of malware and other nasties.

Android, a far more open platform, has no such restrictions.

Both operating systems are doing well, although Android is the faster growing, perhaps partly because it's easier for developers to get involved.

Having said that, Android has the worse security record, with DroidDream and other malware bursting out from seemingly innocuous apps once in a while.

Hell hath no fury like an Apple customer spurned. My article was quickly swamped with outraged comments from Apple devotees.

"Currently, iOS is completely immune from viruses and malware," shrieked one.

Another addressed Grebennikov directly with some career advice: "Dude, go get a new job, your business model is going bye-bye!"

Leaving aside the disconcerting and cultish fervour with which some Apple customers exalt the company, their unshakable belief that the platform is safe could be their undoing.

McAfee put it well in its 2011 Threat Predictions report:

"The popularity of iPads and iPhones in business environments and the easy portability of malicious code between them could put many users and businesses at risk. The lack of user understanding regarding exposure on these platforms and the lack of deployed security solutions make a fertile landscape for cyber criminals."

I realise I'm quoting security companies with something to gain from identifying a need for additional security in the iOS, but that doesn't mean the need isn't there.

This week, elite hacker Comex released a jailbreak service for the latest iOS version. In so doing, he revealed a zero-day flaw in the platform, managing to skirt around its security counter-measures. That flaw is now in the public domain. By the time you read this, malware will be out there in the ecosystem, exploiting this vulnerability.

And as a closed system, there's little iOS users can do to protect themselves until Apple releases a patch. Actually that's not true. You can jailbreak your device using Comex's service, then download his own patch which fixes the problem. Irony?

OK. So I lied. In fact I love to say I told you so.

Anything can be hacked, it just has to be worth the effort. Apple products are no exception. And I say this as an Apple user myself, just one who has yet to be initiated into the cult.

Stuart Sumner, chief reporter and security geek

H4cked Off: Losing the Cyber War

17 Jun 2011

Computing reporter Stuart Sumner

In recent months hacktivist group Anonymous has been keeping security commentators busy with its humiliation of such global brands as Sony, Mastercard and Paypal.

Though often basic in nature, the sheer muscle-power behind these attacks was sufficient to knock these mighty websites off their not-so-mighty pedestals, and go some way towards the group's political goal of supporting whistle-blowing site Wikileaks.

Its preferred method of attack? Distributed denial of service (DDOS). This is where a website is bombarded with so many requests for information that the server, unable to cope, falls over and has to go for a quiet lie down and a glass of milk.

As Graham Cluley from security firm Sophos told me this week, it's like a group of fat men all trying to go through the same revolving door – it just won't work.

This is a very basic form of attack – the DDOS, that is. It's successful for two reasons. First: scale. Anonymous 'members' (though the group is so loosely affiliated that this can apply to just about anyone who once visited one of its forums, or who just plain thinks it's 'cool') can download a tool that enables their PC to be used as a bot.

And that's all they need to do. Then their machine becomes part of the Anonymous network, and can be programmed to send out countless requests to a targeted website until it runs sobbing from the internet.

As anyone in the world with access to a PC can do this, and as a lot of people like the vague sense of rebellion and the stylings of V from the graphic novel series (chosen as the Anonymous figurehead), that results in a very large, free, powerful network.

The second reason it's successful is that even in this day and age of DIY malware kits, Zeus, SpyEye and Stuxnet, hardly anyone seems to know how to secure a website.

Even security companies such as HBGary and secure token specialists RSA seem not to know, both having experienced large-scale and embarrassing cyber attacks in recent months.

DDOS is not a sophisticated form of attack. Neither is SQL injection, where malicious code is inserted into a webform rather than, say, a user's name and address as the original coder anticipated. But that seems often to work too.

But now there's a new(ish) kid on the block. I've written a few stories over the past couple of weeks about Lulzsec, another hacking collective, although this one is nothing like Anonymous, as one of its members told me recently (at least I assume he's one of the members – pretty secretive on the whole, hackers). As the name implies, Lulzsec are in it for the lulz (laughs).

This week, besides taking down the CIA website (a DDOS attack) and an Australian web registrar, it published 62,000 email and password combinations via a file-sharing site.

It said shortly afterwards on Twitter: "Hope everyone enjoys that list. Good to see some refreshing carnage." Their followers later thanked the group for access to other people's Paypal accounts, pornographic sites and in one case, ownership of a World of Warcraft account.

And Lulzsec appears to be engaged in something of a spat with security firm Sophos, having posted several disparaging posts aimed its way on Twitter.

One read: "Sophos, every one of our tweets gets more views than a week's worth of your website traffic, and we're just spouting inane sh*t. umad?"

All in all, the episode lends further credence to the idea that hackers are unaccountable, unassailable and just maybe, unstoppable. Anonymous style themselves as the 'Lords of the Internet'. At the moment it appears that they, and their peers, are exactly that.

Stuart Sumner, Chief Reporter and security geek

H4cked Off: Pity the CSO

10 Jun 2011

Computing reporter Stuart Sumner

This week a sizeable chunk of masonry detached itself from the building opposite the Computing offices and plummeted to the Soho streets below.

Fortunately a parked car was the only casualty. I understand there will be no legal repercussions for the building owners, because they're now intending to appoint a chief masonry officer.

Similarly, my four-year-old son would ordinarily be in grave trouble for refusing to listen to me last night when I told him it was time for bed, but I understand he's looking at appointing a chief behavioural officer, so that's the end of it.

This being a security blog, hopefully by now most of you have realised I'm talking about the recent actions of secure token specialists RSA, and consumer tech giants Sony.

Both firms have seen their brands dragged through the mire of late as a result of security failings. Both have since sought to wipe away the mud and restore a bit of gleam through the creation of a new role, that of the chief security officer.

In both cases, the role will, at least initially, be a bit of a poisoned chalice. Perhaps not on the scale of anyone hapless enough to allow himself to be put in charge of the England football team, but a sticky wicket nonetheless.

In the case of corporate behemoth Sony, much appears to be wrong. I've written recently about the persistent nature of its data breaches so I won't go into detail here. But suffice to say if its security policies were a hard hat, I wouldn't stalk the streets of Soho in it just at the moment.

When a large and disparate corporation with myriad servers storing presumably countless petabytes of data suddenly and unexpectedly finds itself targeted by the world's hacking elite, the pain is going to be deep and enduring.

There's no security switch that it can flip to 'on'. Given the sloth's pace of Sony's response to its security troubles, it seems apparent that it had either no, or at best severely deficient, policies in place for dealing with breaches.

And RSA is little better. It too has been accused of a ponderous response to its attack, which it describes as 'extremely sophisticated' and others describe as 'fairly basic, you just weren't very well prepared'.

The point is it takes time, certainly months, to improve security across an organisation. The larger the enterprise, and the more disparate its services, the more likely those months roll on into years.

Multiple security solutions need to be implemented to create that mystical 'layered approach' that security evangelists like to preach.

Penetrate one layer? Here's another. Accessed our network? Well done, you won't find anything though. Found something? Tough, it's encrypted. Found the encryption key? Fire the chief security officer...

And that's why it's a poisoned chalice. In the short term these appointments are an attempt to reassure customers that similar troubles won't happen again. And if they do? Well you've got a nice scapegoat installed to take the bullet.

Stuart Sumner, chief reporter, Computing