Oct 262016
computer and internet security

Are we focusing too much on technology and not enough on people when it comes to insider threats? Talking to Keith Lowry, the Senior Vice President of threat intelligence and analysis for Nuix, it’s hard not to come away with the impression there is too much emphasis on technology and not enough on human factors when looking at IT security risks.

Lowry gave a briefing to journalists at Nuix’s Sydney office last week discussing the types of insider threats organizations face.  “Why is it, despite all the money we’re spending, we seem to be losing the cybersecurity battle?” he asks.

“The majority of insider threat programs that I’ve seen begin with the foundation of technology when in reality the foundation of a counter insider threat program should be about people,” he stated as one of the reasons why organisations are struggling with security their networks.

Supporting his belief that people are a problem is a 2015 survey by information security company Clearswift that found more than a third of employees are willing to sell their company’s private information.

All of the six examples he cited illustrated the problem facing managers, each breach was as much a failure in managing people as it was technology not being implemented correctly.

Naturally the Chelsea Manning case was one of the headline cases, “Manning was a failure of leadership.” Lowry said, “what’s really interesting is before his unit went to Afghanistan was deemed by a psycologist to be unfit to deploy. They took him anyway.

Two of the other examples, alleged Chinese spy Hao Zhang and Russian intelligence agent Anna Chapman are classic espionage tales while Edward Snowden is a continuing tale that may well define our public security policies for a generation.

Of the examples, Aussie twosome Christopher Hill and Lukas Kamay along with US student Glenn Duffie Shriver are the two that should worry organisations the most.

Duffie-Shriver was sentenced to 48 months jail after being recruited by PRC intelligence officers while studying in China.

Born in 1981, Duffie-Shriver is part of a generation that’s far less loyal to organisations believes Lowry and, coupled with economic pressures such as student loans, they may be far more likely to be tempted by offers such those alleged to have been offered to the American scholar.

The Aussie example is probably more concerning for managements as Hill was passing Australian Bureau of Statistics data ahead of its public release to Kamay who arranged trades. Their insider trading scheme netting Kamay seven million dollars.

Kamay and Hill present a far more typical risk to most organisations as employees motivated by greed, addiction or some vulnerability are much more likely to steal data. This is certainly a human, rather than technology, problem.

Ultimately the focus on technology, foreign hackers and government agencies in protecting an organisation’s data is missing the greatest risk of all in our businesses – the people. How we manage and treat staff is essential to securing information.

Oct 252016

Last weekend a cyberattack launched from compromised webcams crippled a number of high profile services. In response, the Chinese manufacturer has withdrawn the devices from the market.

That dodgy webcams should have been used to launch a massive DDOS doesn’t surprise anyone who’s spent any time in the home automation field. These problems are endemic in the Internet of Things.

In the early 2000s I became involved in a home automation company through my IT support business. Basically we were kitting out Sydney’s harbourfront mansions with state of the art technology.

Very quickly I realised something was wrong. Almost all the home automation and CCTV systems were running on outdated, insecure software. The leading brand of home security systems used servers running on an old version of Windows 2000 at a time when malware was exploding.

It wasn’t a matter of if, but when, these systems would become hopelessly compromised given the networks they were running on were shared with the home users.

The real concern though was when I raised this with the vendors, installers and designers – no one cared. It was clear security wasn’t a concern for the market and the industry.

We could have patched the systems and boosted their security policies but given the shoddy software being used – mainly DOS batch files – and the assumed file permissions we’d have completely broken the systems and it would up to us to fix it given the attitudes of vendors and clients.

After realising this problem was industry wide I pulled the pin on that business venture as I wasn’t prepared to carry the legal risk and moral obligation of helping install dangerous equipment into people’s homes or businesses.

I’ve since watched as the Internet of Things has become fashionable with the knowledge that the industry’s cavalier attitude towards customer security hasn’t changed.

Now we’re at the stage where script kiddies can launch massive attacks from compromised webcams – God knows what the serious bad guys like state sponsored actors, criminal organisations and commercial spies are up to with these things – which shows the industry’s robotic chickens have come home to roost.

What last weekend’s events show is we have to demand better security from our technology suppliers. That though comes at a cost – we’ll pay more, we’ll have to sacrifice some convenience and we’ll have to spend time maintaining systems.

Are we prepared to wear those costs? Is the tech industry prepared to move beyond it’s ‘good enough’ attitude toward security? Are governments prepared to legislate and enforce proper design rules?

We may not have a choice if we want to enjoy the benefits of technology.

Aug 172016
padlock on a cd drive

What can consumers do to protect themselves online? Nuix’s Chief Information Security Officer, Chris Pogue, believes it’s all about sticking to the basics.

“It’s honestly easier than you think. It’s basic IT hygiene.” “Just the basics – bad passwords, reutilisation of passwords. There’s password managers available for ten dollars a year. Don’t reuse passwords.

“Close your wi-fi, don’t broadcast your Wi-Fi SSID. Make your PSK password longer than normal. Just make sure that you’re being smart and you’re exercising due diligence and you can stop a lot of attacks.”

Pogue also points out no computer, or device, is unhackable. The point with security is to make your devices less attractive to opportunistic cybercrooks.

“If you make it a little bit harder, the attacker have an ROI for their time. It’s a business, a multi-billion dollar business. They’re not going to mess around with you if you’re messing up their gross margin. Just make it not cost effective.”

“Nothing is unhackable but you just make it so it takes too much time,” he says.

One useful resource for home users is the Australian Signals Directorate’s Top Security Tips for the Home User. While basic, that advice is well worth while for those looking at protecting their systems.

Paul travelled to Las Vegas for the Black Hat conference as a guest of Nuix

Aug 072016

I’ve spent the last week in Las Vegas attending the Black Hat and DefCon security conferences. Among much of the discussion about protecting oneself against the misuse of technology, one thing that stood out was the focus on the Internet of Things.

Listening to some of the discussions and speaking to various people, it’s increasingly clear the consensus is the IoT is effectively unsecurable – the range of devices connected to the internet is just too great to be protected.

Compounding the problem are the plethora of poorly designed devices where security is, at best, a vague afterthought along with an older generation of equipment that was never intended to be connected to the public facing internet.

Given many of these devices are going to be critical to business and individual lifestyles, their reliability and quality of the data gathered by them is going to increasingly come into question and the systems that rely upon them are going to need ways to validate the information they receive.

Perhaps this is where machine learning and artificial intelligence are going to be valuable in watching for anomalies in the information and flagging where problems are happening within networks.

As those networks become more essential to society, we’re going to have build more  redundancy and robustness into our systems, the key component though may be trust.

Aug 052016
Computer security is evolving in a time of social media

One of the sad truths of today’s online world is that dissidents, lawyers and journalists are ripe targets for governments that want to suppress who they perceive to be their enemies.

At the Black Hat security conference in Las Vegas today, the Electronic Frontier Foundation’s Eva Galperin and Cooper Quintin gave a demonstration of just what lengths governments will go in hacking their opponents.

In When Governments Attack, Galperin and Quintin illustrated how Syria, Ethiopia and Vietnam are all countries whose hacking campaigns they’ve encountered but the particular focus was on Operational Menul, which resolved around the Kazakhstan regime’s attacks on its opponents.

The government of Nursultan Nazarbayev is well known for its corruption, intolerance and global harassment of its opponents as Quintin and Galperin showed. What’s of particular interest to them is the use of off the shelf malware tools.

Using cheap commodity tools has the advantage of not leaving distinctive patterns that may give investigators hints to who has developed the malware. The downside of course is that most anti-viruses can detect these tools.

For the regimes this is not such a problem as most of their targets are relatively unsophisticated, as most of the activists, lawyers and journalists targeted by government agencies or their contractors do not have high level tech skills or use advanced security tools.

Another concern is how private contractors are employed by these governments. An interesting tactic used by the EFF is to commence legal proceedings against US based corporation for operations they’ve conducted against dissidents visiting or living in the United States.

Galperin and Quintin have three conclusions from examining these attacks.

  • Attacks don’t need to be sophisticated to work
  • None of this research is sexy
  • The tools and actors are not sophisticated

While the tools and actors in these sad tales are not sophisticated, the costs to the targets are usually high as they and their families can be subject to terrible consequences.

As we increasingly see both simple and sophisticated software tools available to be used against citizens we can expect to see more abuses by governments around the world. The job of organisations like the EFF is not going to get easier any time soon.

We citizens though need to do what we can to demand safeguards and legal protections from our governments. Those of us in democracies should be making that clear at the ballot box.

Aug 042016

We’ve heard much about the benefits of fun about drones – remote control aircraft – but what about the security and safety issues of the device. At the Black Hat Security conference today Jeff Melrose of the Yokogawa industrial controls company described the risks posed when bad people use these devices.

With typical consumer drones having a range of up to five kilometers the idea of an attacker needing to be physically close to their target no longers applies. A drone, as Melrose points out, can  can tailgate workers easier than people and even navigate within offices.

Fences are no barrier as Melrose showed with a camera equipped drone being able to fly up to valve within a gas field and then read its meter. The drone doesn’t even need to have to make it back, it could be landed on a roof where it quietly record its surroundings for weeks.

Put more than a camera on a drone, say a wireless packet sniffer or a jamming device and the possibilities for mischief are endless. Melrose illustrated this by starting his presentation with a video of The Killer Drone, a flying chainsaw developed by a pair of Finnish farmers.

Scarier still, was Melrose demonstration of the ‘target tracking’ technology included on the latest consumer drones by chasing one of his research assistants across a lawn. Despite the assistant’s best efforts to escape, the aircraft was able to follow her.

Despite the scary aspects of drone spying, vandalism and harassment the devices aren’t invulnerable. The two Finnish farmers had their drone brought down by a balloon and all the risks – from chainsaws to signal jammers – that drones present they themselves are vulnerable to.

Melrose’s demonstration shows how the physical security world is changing a drones become commonplace. Fences, padlocks and ‘keep out’ signs are not enough to keep today’s generation of technologically savvy trespassers.

Jeff Melrose’s presentation was a thought provoking view of how the threat landscape is changing and that risks evolve with technology.

Paul travelled to Las Vegas as a guest of Nuix

Jun 192016
Computer security is evolving in a time of social media

Following the success of their Hack the Pentagon project, the US Department of Defense is to extend the project across its network.

Run over four weeks earlier this year, the pilot program reportedly generated t138 unique bug reports and paid out $71,200 to hackers.

The company running the pilot, Hacker One, is one of a group of companies organising bounty hunts for the hacking community.

Casey Ellis, the CEO of competing service Bugcrowd, describes his business as being “essential a community of thirty thousand hackers from around the world.”

“The whole idea is to identify where the vulnerabilities are discovered and fixed before the bad guys,” he says. “your guys who you are paying by the hour are plenty smart but they are competing with a crowd of bad guys who think creatively.”

Ellis explained how services like Bugcrowd allow clients like the US Department of Defense to manage the risk and administrative aspects of running a security competition, making it easier for large organisations to run crowdsourced projects like this.

Much has been written about crowdsourcing but it’s commercial fields like security testing where tapping the wisdom of the community really pays off. For some consulting firms, these services could turn out to be real threats.