Cybersecurity Trends, English Edition, No. 3 / 2018

Cover: Wrongly designed blockchains. Unsecured smart homes vs. a tsunami of new threats. The vital role of the human in an IoT, AI and quantum world.

Contents

Editorial: As autumn approaches, will GDPR reveal an iceberg of issues? By Norman Frankel
Obituary: A last homage to Romulus Maier. By Laurent Chrzanovski
GDPR – a real opportunity for a new digital revolution. By Marjola Begaj
Cyber Security Awards. By Karla Reffold
The Next Generation Cyber Operations Center: Cyber Multilayered Centers, a unique vision approach with multiple capabilities. By Virgilius Stanciulescu
Innovative uses of blockchain in cybersecurity. By Giannella Borg
How the human weakest link can still break quantum messaging. By Norman Frankel
Why waste time hacking an enterprise for clients' personal data, when you can collect it directly from people's smart homes? By Bruno Napoli
Social Engineering: You're never too smart to be scammed. By George Hannah
Mobile Financial Malware 2017: international threat report. By Davide Fania
ATM heist. By Norman Frankel
Ransomware-as-a-Service (RaaS). By Antonio Pirozzi

Editorial: As autumn approaches, will GDPR reveal an iceberg of issues?

Author: Norman Frankel, Chairman, iCyber-Security

The summer months in the UK have been recorded as the longest and among the warmest, and many people have spent a lot of time with family and friends. After the frenzy leading up to 25 May and the implementation of the GDPR programme, those working in security will have welcomed the break. Surprisingly, the volume of high-profile breaches reported since implementation has been low. Is this a testament to the new regulations and the work put in, or is it the calm before autumn brings a raft of announcements?

Computing magazine published an article quoting one City law firm, Freshfields, which stated that it had seen a ten-fold year-on-year increase in security breach cases since GDPR came into force. If that is the case, then either the communication front is noticeably quiet or there is a mastery of PR at work. The article highlighted that last year the firm was handling three cases a month but is now approached for advice on a daily basis.

In this issue we have a diverse range of articles, from blockchain security to a look at quantum computing and how, like blockchain, it can add extra security; the article on social engineering reminds us that the human always remains the weakest link.

As we move into autumn we gear up for buying more gadgets, and from a retail perspective Black Friday offers everyone an excellent chance to stock up on connected devices at a lower cost. The growth of the internet of things market is accelerating. Cars are already smart and becoming smarter. There is a big push to build smarter cities. Without realizing it, many of us are building smart homes, and there is an excellent article within on the risks this brings and why insurance companies are struggling to work out how to insure smart homes.

The smart home will bring many challenges for those of us who are not intimately technical and familiar with security, and that will likely give rise to new industries. Some companies, such as Cisco and perhaps more surprisingly Bosch, are already ahead of the curve in their investments, which demonstrates the commercial opportunity they expect to evolve rapidly.

Even Security Operations Centres are becoming smarter. Another excellent article, from ANCOM (the Romanian national authority for management and regulation in communications, the equivalent of the UK's Ofcom), sets out how the SOC is having to evolve and become smarter, along with a different management structure as the roles evolve.

Some traditional SIEM providers are evolving too, by making their services more automated, while others are buying companies that provide the automated response component that today's largely passive SIEM solutions mostly lack: a SIEM collects and correlates events and raises alerts, but the response is still left to an analyst.

This part of the market is starting to come of age, having recently been recognized by Gartner as the SOAR category, the acronym standing for Security Orchestration, Automation and Response.

These trends increasingly point toward a future of the self-defending network. The objective is to let the technology do the majority of the work, automating tasks and taking actions, overseen by a human operator but essentially operating on auto-pilot. Achieving this would bring many benefits, as it would significantly reduce the human risk element. For those with smart cars or smart homes, the day such a capability arrives at a cost-effective scale probably cannot come quickly enough.

The concept of a self-defending network is simple: remove the human element from network security, make every device security-aware and enable those devices to respond to and prevent threats automatically. The human body works the same way when it meets common colds and viruses: the immune system forms antibodies and defends itself without the brain having to "think" about it.

However, self-defending networks, and the technology enabling them, remain in their infancy. While some say it will be decades before networks can self-defend, the reality is that it will be much sooner than most of us think.

The key challenge to be solved is interoperability, especially making many of these immature technologies interoperate with a basic level of self-managing artificial intelligence. The good news is that the building blocks for much of this are already here.


Keeping up to speed with the key trends is critical. For readers of this magazine I would like to make three suggestions:

a. When in London, aim to time your meeting so that you can attend a CyberTalks evening networking event. If you cannot get along, aim to watch one of their podcasts. Details can be found in one of the adverts within;

b. Come and join us, along with industry thinkers, at the United Nations-endorsed conference in Porrentruy, Switzerland at the end of autumn. Details can be found in one of the adverts within;

c. Start preparing for the industry Cyber Security Awards. There is a great write-up within of this year's award ceremony and some of the winners. Details of the entry categories can be found on their website.

The goal of this publication remains to open up knowledge and information sharing across research and commercial activities, providing a bridge between public and private dialogue, in order to help our world operate more safely given the growing frequency of attacks that seem endlessly to attract media attention.

If you would like to contribute articles, have suggestions for us to cover in future editions of the magazine, or wish to purchase hard-copy versions of the magazine to give to your customers, please contact us by email at [email protected].

On our website http://www.cybersecuritytrends.uk you can also view publications in other languages and countries and purchase advertorials for future editions.


(Advertisement) CyberTalks: London's leading independent cyber security events. Monthly cyber events; meet, learn and network with cyber professionals; over 4000 members; independent, no sales pitches. Join the community for free at www.CyberTalks.co.uk


Obituary: A last homage to Romulus Maier

Author: Laurent Chrzanovski

Sadly, on 19 July, Romulus Maier left us, after facing a long and painful illness with a courage that is difficult to describe. It is just as difficult to find the words for a last homage to one of the founders of IT media in Romania and of the quarterly magazine Cybersecurity Trends.

It was with the same courage, coupled with the discretion and humility that were Romulus's "genetic characteristics" (a man of few words and many deeds), that he decided in 1992 to take on the challenge of directing, writing and editing media dedicated to the technological world, founding the AGORA media group.

For those not acquainted with recent Romanian history, and to grasp the size of the mountain Romulus decided to climb: 1992 was the worst year ever for the Romanian economy. The country's GDP was cut in half as a consequence of the loss of investor trust after the last bloody repression of protesters, in September 1991, carried out by the miners called in by the Government to put an end to social protests.

How far Romulus went in a career of 26 years! He created numerous yearly congresses dedicated to specific topics and published more than thirty journals, among which the best known include «If», «PC Report», «Open – Tehnologia Informaţiei», «Byte România», «Net Report», «Gazeta de informatică», «PC Magazine România», «eWeek România», «IT Trends» and the famous «Digital Trends».

Behind the scenes, Romulus was the "magnus artifex" who made possible the launch and smooth running of the first editions of the yearly Central European public-private dialogue platform known as "Cybersecurity-Romania" in Sibiu, today replicated in Porrentruy (Switzerland) and Noto (Italy), adapted respectively to the Western European and Mediterranean ecosystems and their needs.

Staying in this field: when, in January 2015, the ITU (UN, Geneva) and several institutional partners of the "Cybersecurity-Romania" congress asked us to evaluate the possibility of turning the fruitful debates held in Sibiu into something tangible, I met Romulus for a coffee in the centre of Bucharest. Well aware that we were dealing with a huge and entirely voluntary effort, I still remember his crystal-clear, phlegmatic "come on, ok, let's do it: one issue every three months". The first volume of Cybersecurity Trends in Romanian was printed two months later...

The same year, the congress and the journal received the highest possible recognition, as one of the "Best practice examples for the European continent". Today the quarterly magazine is published in five language editions, thanks to prestigious partners, among them the iCyber-Security Group, which coordinates the UK edition.

Crafted by Romulus and his team in Bucharest, carrying texts written by specialists from all over Europe, the different versions of Cybersecurity Trends offer their readers, free of charge, a little drop of security culture, from Rome to Chisinau, from Berlin to Paris and of course all over Romania.

This year's second issue was published just a few days before Romulus departed for other horizons. We had a bitter feeling while completing the different editions. Usually, once an issue was ready, proof-read, corrected and indexed, it was "our" moment: Romulus would come with all sorts of images, from the most serious to the funniest, so that we could choose together the one to adorn the main cover. It was our relaxation break, knowing that the hard work was behind us. This time it did not happen. This time, in our hearts, Romulus was already on every cover. There is a little of him in each page of the editions you have read, are reading and will read in future. The curtain has come down; a great man who wrote the history of IT media in Romania and abroad is no longer with us. Now it is our duty to keep alive a flame which would never have been lit without him.

Rest in peace, Romulus Maier!


GDPR – a real opportunity for a new digital revolution

Author: Marjola Begaj

Bio: Law education background with expertise in the international and European regulatory framework, programmes and policies. Marjola has lived and worked in the UK, Italy and Albania and has several years of experience helping SMEs and start-ups handle compliance and business matters with a smooth, innovative and profitable approach. She also has a strong understanding of and interest in the ethics, business and social impact of technology in the information technology era. Marjola is an Affiliate Member of the International Compliance Association (ICA) UK and holds a Diploma in International Financial Crime Prevention and a Certificate in Understanding Cyber Security.

A tsunami of reports, research and updates about compliance with the General Data Protection Regulation1 (GDPR), before and after the May deadline, still seems insufficient to handle the compliance effort this regulation demands.

One of the latest to hit my inbox just a few weeks ago reads like this: a new research report by TrustArc benchmarks the GDPR compliance status, after the 25 May deadline, of 600 US, UK and other EU companies. "...It provides information as to their GDPR compliance approaches, top compliance challenges and post-deadline needs, among other issues. Some of the key takeaways are:
  • Only 20% of companies have fully completed their GDPR implementations;
  • Companies are most compliant with updating policies and procedures and cookie consent management, and least compliant with vendor risk management and international data transfer;
  • 50% of the companies will seek a GDPR compliance validation from an independent firm.2"

The fact that a company can be compliant with updating policies and procedures but less compliant with vendor risk management and international data transfer does not sound right. Yes, policies are part of the GDPR compliance road map, but at their best they should mirror and reflect, among other things, how vendor risk is managed all the way through to international data transfer. And businesses had a two-year transition period in which to implement the GDPR within their processes.

But it was not a matter of time, nor even a matter of being unfamiliar with data protection laws. The real issue with this regulation is that, for the first time, we are facing on a large scale the missing culture within businesses and the public sector regarding the way they treat and protect personal data, and how important the security of information assets is in our digital world. And all this comes out in the middle of a new wave of digital transformations such as AI, IoT, blockchain and cryptocurrencies: technologies that feed themselves, among other things, on our data.

We all know, and with GDPR we should know, that our identity, based upon our personal data, is directly related to everything we use and do, from:
  • Financial and legal services
  • Healthcare
  • Voting
  • Property ownership (physical and intellectual property)
  • Communication
  • Entertainment
  • Travel, to
  • Security features and measures, some of them already based on personal data (mostly biometric data such as fingerprint, face and voice recognition, and heartbeat, to mention a few).

Thus, the way these data elements are being used and the services that all these technologies are promising to offer are very important to the economy and to the well-being of our society. And here is where GDPR places itself.

There might be different ways to see and interpret GDPR, in the means of real applications and implications. But a few basic considerations must be made which are unlikely to change for many years to come:

First, beyond the mere legal meaning of General3 and Regulation4, the subject matter of GDPR is personal data and its protection, and within its articles we find in more detail who, how, what, where and when. The main areas are:
  • Data subject rights;
  • Accountability;
  • Security;
  • Processors, third parties and international data transfer;
  • Higher sanctions, intended as a more cost-effective way of reducing abuse of this right.

Second, the central reason for its implementation is to incorporate fundamental rights into the EU legislative process, specifically the right to protection of personal data stated in Article 8 of the Charter of Fundamental Rights of the European Union5. GDPR is far from perfect and, as regards its efficiency, it will take ten years of practice to prove itself. It might be subject to changes and, as often happens with any legal act, it is open to interpretation. However, one thing will not change, at least for a long time: the fundamental right to protection of personal data.

Third, it aims to restore trust in the digital world and in businesses, to promote innovation, enhance cyber security, and steer both the culture and the practical ways in which our digital life and its security evolve. Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national (and international) imperatives such as privacy, transparency and technology. With regard to the Cyberspace 2025 model proposed by Microsoft, it can be said that GDPR places itself in the "Peak" scenario, one of whose key characteristics is clear, effective government policies and standards6.

Fourth, GDPR is becoming a de facto standard around the world. Think only of the tech companies that process customer data: any multinational operating in Europe has to comply. But it does not stop there; it is leading the way for other countries outside the EU. The latest is California, which passed a sweeping consumer privacy law that may force significant changes on companies that deal in personal data, especially those operating in the digital space. While the law, which is set to come into effect at the start of 2020, technically applies only to California residents, it will most likely have much broader implications. Most major companies that deal in consumer data, from retailers to cellular network providers to internet companies, have some Californian customers. That leaves those companies with two main options: either reform their global data protection and data rights infrastructure to comply with California's law, or institute a patchwork data regime in which Californians are treated one way and everyone else another. The latter option can be more expensive for companies and could disgruntle non-Californian customers if they are given fewer data privacy options by the service provider. Indeed, similar questions about Americans' data rights arose during Mark Zuckerberg's congressional testimony regarding Facebook's compliance with the EU GDPR.

But where should we focus, given that personal data and cyber security, alongside the development of cutting-edge technologies, are the main topics on our agendas?

Compliance in general is a burden and carries a real cost for the entire society, and GDPR is no exception. As a matter of fact, any compliance programme applied within an organisation requires three essential things:
  • Compliance culture
  • Ongoing monitoring
  • Team effort

Compliance culture: in recent news we read: "The Information Commissioner's Office (ICO) has fined Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma's Diary, £140,000 for illegally collecting and selling personal information belonging to more than one million people.7" There is everything but a compliance culture in this example. And yet, controversial behaviour by both companies and customers is part of today's debate. Here is a quote from Chris Rouland, founder and CEO of Bastille: "I see an opportunity to pay a premium for retaining my own data, or at least guaranteeing that my data is de-attributed from me," he said, adding that he would happily pay his fitness wearable provider another $1.99 (£1.33) a month not to sell his data elsewhere.8 As Geoff Mulgan, Chief Executive of Nesta, puts it in one of his lectures at University College: "Most people feel quite anxious when they discover just how much information they are leaving behind, and yet there's a huge advantage to be gained from this collecting of data, the sharing of data, the cross-mining of data to offer people services in better ways, to reduce crime and so on. My guess is in the next 10 years we will need almost a new social contract around that data." For the moment we just have a legal basis for that contract: the GDPR.

Notes:

1 Full text of GDPR available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
2 https://info.trustarc.com/CS-2018-07-25-SC-Mag-UK-Q3-GDPRPost25_ResearchReport_LP.html
3 General means that it covers almost everything related to its subject matter. But it also means that it is subject to the interpretation rule known in Latin as generalia specialibus non derogant: the provisions of a general statute must yield to those of a special one. Simply put, in case of conflict the special one prevails.
4 Regulation means that it applies directly in all EU member states without needing to be implemented in national law.
5 http://fra.europa.eu/en/charterpedia/article/8-protection-personal-data. The journey to human rights is not an easy one, and even today human rights have a difficult life. For those interested in human rights, an inspiring and meaningful read is: Lynn Hunt, Inventing Human Rights: A History, W. W. Norton & Company, New York-London 2007.
6 Cyberspace 2025: Today's Decisions, Tomorrow's Terrain. Navigating the Future of Cybersecurity Policy, June 2014, available at https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/REXXtS
7 Emma's Diary fined £140,000 for selling personal information for political campaigning, available at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/08/emma-s-diary-fined-140-000-for-selling-personal-information-for-political-campaigning/. See also: the ICO has put the UK's 11 main political parties on notice to have their data-sharing practices audited later this year and is contacting data brokers, including Experian, as part of its data analytics investigation. More at https://ico.org.uk/media/action-weve-taken/2259369/democracy-disrupted-110718.pdf. From another perspective: Supreme Court rejects Telegram's appeal over FSB's demands to access users' messages, available at http://www.ewdn.com/2018/08/09/supreme-court-rejects-telegrams-appeal-over-fsbs-demands-to-access-users-messages/
8 Danny Bradbury, How can privacy survive in the era of the internet of things?, http://www.theguardian.com/technology/2015/apr/07/how-can-privacy-survive-the-internet-of-things
9 Reddit discloses a data breach, a hacker accessed user data, available at https://securityaffairs.co/wordpress/74982/data-breach/reddit-data-breach.html
10 https://securityaffairs.co/wordpress/74952/malware/play-store-malicious-apps.html
11 A grand alliance of 17 leading UK organisations involved in cyber security has been formed in response to a call by the UK government's Department for Digital, Culture, Media and Sport (DCMS) to develop a national professional body for cyber security. https://www.scmagazineuk.com/national-professional-body-cyber-sec-established-combines-17-orgs-just-gov-criticised-inaction/article/1488356?bulletin=sc-newswire

Ongoing monitoring: "A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we've been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again," reads the data breach notification published by the company.9 What if a Data Protection Impact Assessment (DPIA) had been made beforehand? What if an inventory of what you already hold had made the post-incident investigation, and hence the response plan, less painful, more cost-effective, more reliable and more responsive? Ongoing monitoring of systems and processes, as a normal practice of cyber resilience, is no longer optional under GDPR; it is mandatory. The players involved still underestimate the importance of both cyber security and personal data. Sooner or later the waves of regulation will turn cyber security, which until now has been seen as a means of protecting valuable assets and based upon principles, into a right and an asset in its own right. Or at least, in the near future we can expect a more detailed and rule-based cyber security strategy.

Team effort: the fact is that even the big players fail. Google recently removed 145 applications from the official Google Play store because they were found to carry malicious Windows executables inside. This type of infection "is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.10"
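A check a practitioner can run against this kind of finding, added here as an example and not part of the original article or of the research it cites: an APK is a ZIP archive, and a Windows executable announces itself with a DOS header ("MZ") whose e_lfanew field at offset 0x3C points to the "PE\0\0" signature. The script below opens an APK, inspects every entry by content rather than by file name, and reports any entry that contains a PE image, including one hidden behind padding. The sample APK it builds is constructed inline for the demonstration; the entry names and the fake PE fixture are assumptions, not files taken from the reported apps.

```python
import io
import struct
import zipfile
from typing import Dict, List, Optional

# The two signatures every Windows PE image carries.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def pe_header_offset(data: bytes, start: int = 0) -> Optional[int]:
    """Return the offset of the PE signature if data[start:] begins a PE image, else None.

    A PE image starts with a DOS stub ('MZ'); the 32-bit little-endian field at
    start+0x3C (e_lfanew) gives the offset of the 'PE\\0\\0' signature.
    """
    if data[start:start + 2] != DOS_MAGIC or len(data) < start + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, start + 0x3C)
    pe_off = start + e_lfanew
    # Bounds checks: a stray 'MZ' in text or random data usually fails here.
    if e_lfanew < 0x40 or pe_off + 4 > len(data):
        return None
    if data[pe_off:pe_off + 4] != PE_SIGNATURE:
        return None
    return pe_off


def find_pe_images(data: bytes) -> List[int]:
    """Return the start offsets of every PE image embedded anywhere in data."""
    hits = []
    pos = data.find(DOS_MAGIC)
    while pos != -1:
        if pe_header_offset(data, pos) is not None:
            hits.append(pos)
        pos = data.find(DOS_MAGIC, pos + 1)
    return hits


def scan_apk(apk_bytes: bytes) -> Dict[str, List[int]]:
    """Open an APK (a ZIP archive) and report every entry containing a PE image.

    Entries are judged by content, not by name, so an .exe renamed to something
    innocuous under assets/ is still found.
    """
    findings: Dict[str, List[int]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            offsets = find_pe_images(zf.read(info))
            if offsets:
                findings[info.filename] = offsets
    return findings


def build_fake_pe(payload: bytes = b"\x90" * 16) -> bytes:
    """Constructed fixture, not a real executable: a DOS header whose e_lfanew points at a PE signature."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[0:2] = DOS_MAGIC
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + PE_SIGNATURE + payload


def build_sample_apk() -> bytes:
    """Constructed sample APK (assumed names): ordinary Android files plus one PE hidden under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        # Starts with 'MZ' but is not a PE image: must not be reported.
        zf.writestr("assets/font.dat", b"MZ is also a valid start of text, but not a PE image")
        # PE image preceded by 32 bytes of padding, under a harmless-looking name.
        zf.writestr("assets/update.bin", b"\x00" * 32 + build_fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for name, offsets in scan_apk(build_sample_apk()).items():
        print(f"{name}: PE image(s) at offset(s) {offsets}")
```

Checking both signatures, rather than the two-byte "MZ" alone, avoids false positives on data that merely begins with those letters; the constructed assets/font.dat entry shows this. In a build pipeline the same check fits as a pre-publish gate on the packaged APK.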

So far, personal data as a digital asset and cyber security are still not going hand in hand. It is normal to ask why the Information Commissioner's Office is missing from what seems to be one of the most important alliances in the UK's cyber security strategy.11 Although the invitation to participate was open to other organisations, the fact that the Data Protection Authority was missing from the first call speaks volumes. The truth is that the link between personal data as a digital asset (and not only a compliance burden under GDPR or national privacy bills) and cyber security as a means of protecting those assets is only dimly perceived, even at the top.

In conclusion, GDPR speaks to all of us. Challenges create opportunities. GDPR invites us to develop creative ways to balance conflicting interests and guarantee the protection of personal data as a human right. If it is true that there is tremendous value to be unlocked by applying digital technology to new customised services and, more generally, to our lives, it is also true that with the nascent technologies emerging now we cannot dismiss the serious ethical issues surrounding technologies such as artificial intelligence or genomics, to mention a few. If we have spent the last few decades learning how to move fast, over the next few decades we are going to have to relearn how to go slow. Or maybe the one way to move forward is to restore simplicity and efficiency.

And we cannot think in silos either. Everything is interconnected, and so are the interests involved, the players, the regulations, the data and the security. We cannot afford to go back, but we have the responsibility to make right and responsible choices now, in order to shape a better future for our digital life. There is more to being compliant than a decision that requires only a cost-benefit analysis. For those who have not seen personal data as a real digital asset that needs to be protected, and for those who have abused it, now is the time to make things right.

So, think of GDPR not as a compliance burden but as a game changer, and use it as an aid to more coherent and ethical progress in building new technologies and doing new business, taking into consideration its core principles:
  • security of personal data;
  • responsibility and accountability at the top of businesses, but also on each of us as individuals;
  • its relationship with other core principles of our society and the ever-evolving new technologies.

Cyber Security Awards

Author: Karla Reffold

Bio: Karla Reffold is the MD and Founder of BeecherMadden. Karla has over 12 years' recruitment experience, building teams in cyber security up to C-level. Founded in 2010, BeecherMadden is a leading cyber security recruitment company with offices in London, New York, Singapore and Zurich. Leveraging long-held relationships, industry knowledge and a data-driven approach, it helps companies and candidates make better hiring decisions.

The 4th Annual Cyber Security Awards took place on a June evening, with a dazzling celebratory ceremony held at the Park Plaza Hotel in Victoria, London. The awards, founded in 2014, reward the best individuals, teams and companies within the cyber security industry. Excellence and innovation are core themes throughout all categories. With independent, industry-leading judges, companies are awarded solely on merit.

Now a highly coveted award, the ceremony itself has grown to reflect this. The awards were presented by George Lewis, an award-winning comedian and presenter of Top Gear's Extra Gear. George had the audience laughing before putting everyone out of their misery and announcing who had won. Entertainment and celebration are always key to the Cyber Security Awards, and the focus is on making sure everyone there thoroughly enjoys the evening. In keeping with this, Greg Williamson attended for the third year to entertain everyone with his 21st-century magic performance. Working his way around the guests, he managed to leave everyone perplexed with his tricks!

As well as enjoying the celebration, winning an award is good for business, and a film crew were on hand to interview those shortlisted. With these videos now being circulated, the ROI stays high for companies attending the awards. With everyone looking their best, there was a long queue of individuals looking for their moment on camera! Those interviewed talked about their company and application, as well as why they felt they should win their category. Some interesting thoughts and insights on the industry came through too. As an organisation committed to celebrating the best of the industry, we work hard with shortlisted companies and winners to help them publicise their success.

A full list of winners is below, but some key individuals stand out.

Chelsea Cadd of Invotra won the Newcomer of the Year category. Chelsea demonstrated a strong passion for cyber security in her entry, as well as a desire to become a role model for others as her career progresses. Attending with several members of her team, they all had a great night celebrating her win.


The awards are a great way for teams to celebrate together and spend time considering their achievements. Vodafone were a deserving winner of the Industry Team of the Year award. They have grown their team significantly, and also have a higher percentage of women in their team than the industry average. Their achievements were innovative, and they demonstrated how strongly they contributed to the company’s overall vision of security for their customers.

TalkTalk were, for some, a surprise winner of the Cyber Awareness Plan of the Year category. Being shortlisted gained some attention, and the judges were incredibly impressed by the quality of their application. Their entry was full of strong examples and demonstrable proof of success in how they have improved cyber awareness throughout their business. An incredibly deserving winner!

David Ferbrache, of KPMG, won the award for Personality of the Year. David is known throughout the industry for his knowledge and strong leadership qualities. It was a highly contested category, and David's strong application and reputation made him a commendable winner. We are also pleased to announce that he will be joining the 2019 judging panel. Ensuring we have the best of the industry as our judges is incredibly important. We are very excited to have David bring his insights to the process next year.

Winners

CISO of the Year: Jordan M. Schroeder
Personality of the Year: David Ferbrache
Newcomer of the Year: Chelsea Cadd, Invotra
Woman of the Year: Alison Brogan, ECS Security (Highly Commended: Yinglian Xie, DataVisor)
Penetration Tester of the Year: Mark Harrison, MTI Technology
Consulting Practice of the Year: Foregenix
Cyber Security Start-Up of the Year: DigitalXRAID
Industry Team of the Year: Vodafone
Financial Services Team of the Year: Vocalink
Not for Profit Team of the Year: Root64 InfoSec Research Foundation
Best Security Company of the Year (less than 200 staff): Performanta
Best Security Company of the Year (more than 200 staff): Digital Shadows
Innovative Product of the Year: Data Visor UML Enterprise, DataVisor
Innovative Product of the Year, Cloud Based: onDMARC, Red Sift (Highly Commended: Tenable.io, Tenable)
Innovative Product of the Year, Threat Detection: Thycotic Secret Server, Thycotic
Insurance Product of the Year: Safeonline
Cyber Awareness Plan of the Year: TalkTalk (Highly Commended: Saudi Aramco Shell Refinery)

For those looking to enter next year, application packs can now be downloaded directly from the website, www.cybersecurityawards.com or by emailing [email protected].

The categories remain the same, and the judges encourage those who are committed to improving security to apply. Innovation and demonstrable results are the key things the judges look for, as well as sticking to the word limit! Criteria for each category can be found on the application form.

We would also like to thank our sponsors, BeecherMadden, ESET and Gulam IT, for their involvement in the event.

Editor's note: the logo and all pictures illustrated here are © Cyber Security Awards, U.K.


BIO: With 20 years' experience in IT&C and an appetite for the strategic and technical challenges imposed by digital evolution, Virgilius leads the IT Directorate at ANCOM, bringing a managerial and analytical spirit to leading ANCOM on the path of digital transformation. His vision is a digital ANCOM with safe, interoperable, distributed IT systems; ANCOM's advanced systems already form a base for future development. Virgilius holds a Ph.D. (Magna cum Laude), is an invited Professor at the Technical University, and is certified in ethical hacking and an expert in competitive/business intelligence, critical infrastructure security and national security information management. As a member of the National System for Fighting Against Cybercrime, he has been involved in cooperation and technical exercises for the detection, investigation of and response to cyber incidents.

The Next Generation Cyber Operations Center:

Cyber Multilayered Centers, a unique vision approach with multiple capabilities

Author: Virgilius Stanciulescu

High-profile breaches across different sectors in the last few years have proven the need for a better incident response (IR) capability to detect, contain, and remediate threats. These breaches are evidence that prevention alone is no longer a sufficient approach. However, many organizations lack a mature IR capability, and once an incident is remediated they are still left wondering how to secure themselves effectively.

Prevention remains a critical component of an effective security program, and organizations are increasingly investing in native detection and response capabilities, trying to build Security Operations Centers (SOC).

A new approach is that the people, processes, and technologies that are the backbone of the SOC must be integrated within one Cyber Multilayered Center (CMC) that combines the following functions:
- Security Operations Center (SOC)
- Cyber Threat Intelligence (CTI)
- Red Teaming
- Attack Surface Reduction (ASR)

The Cyber Multilayered Center:
- is a comprehensive, integrated approach to security;
- has as its mission to protect the business: its assets, people, clients, and reputation;
- ensures that all security efforts are coordinated efficiently by leveraging the benefits of proximity (either physical or logical) and easy communication between security teams;
- is designed to integrate key security functions into a single unit.

Its components comprise:

1. Security Operations Center (SOC): the heart of the CMC and the first line of an organization's defense, responsible for detecting, responding to, containing, and remediating threats, as well as proactively identifying malicious activity. The SOC is also home to Threat Defense Operations (TDO), the dedicated "hunting" arm of security and intelligence operations, responsible for intelligence actions, conducting in-depth malware analysis, and continually building and improving prevention and detection methods.

2. Cyber Threat Intelligence (CTI): the “forward observers” responsible for identifying threats to the organization and disseminating timely, relevant, and actionable reporting to the SOC, CxO, and other stakeholders.

3. Red Team: the “attackers” who simulate the tactics, techniques, and procedures (TTP) of threats relevant to your organization. The Red Team will continually “stress test” your SOC, driving improvements in detection, response, and SOC analyst threat understanding.

4. Attack Surface Reduction (ASR): the proactive defense group responsible for identifying and mitigating vulnerabilities, unnecessary assets, and nonessential services. More than just patch management, optimized ASR teams focus on continually improving an organization’s hardening and deployment procedures to eliminate vulnerabilities before systems go live.

By integrating these functions, the CMC aims to:
- break down communication barriers,
- centralize threat knowledge and analysis,
- unify the organization's security strategy,
- maximize the value of investments in cybersecurity.

Although the security functions that make up the CMC are not new, the CMC approach represents a complex interaction between the security teams, with multiple "touch points," parallel workflows, and constant feedback mechanisms. With the right design and implementation considerations, organizations can:
- increase operational effectiveness by orchestrating the security functions and the information flow from threat intelligence through security and IT operations;
- improve security readiness by enabling stronger detection mechanisms and awareness of threats;
- accelerate security maturation by reducing the costs associated with coordinating complex security functions across multiple teams.

The CMC:
- is distinguished not by its individual parts but by the integration and interdependencies across its functions;
- is more than just a security approach: it is a security mind-set that organizations can implement to better secure themselves, protect their customers, and reduce costly business disruptions.

Each component, with its functions, in detail:

1 A robust SOC will detect and respond to threats

Organizations are quickly recognizing the need to detect and respond to a variety of threats; simply blocking threats isn't enough. The Security Operations Center (SOC) is the organization's first line of defense against all forms of threats and is the heart of the CMC. The SOC will handle any suspected malicious activity and work closely with the other teams in the CMC. A well-designed and maintained SOC will focus on gaining efficiencies through continuous analyst training and mentoring, and constant evaluation of the organization's security technologies.

1.1 A tiered SOC structure. The SOC can be designed around a simple detect, identify, and mitigate model.
- Tier 1 analysts are charged with classifying the severity of the event and correlating the event with any historical activity.
- If necessary, Tier 1 analysts will escalate incidents to Tier 2 and 3 analysts, who will conduct in-depth investigations and perform root cause analysis to determine what happened.

1.2 Threat Defense Operations (TDO).
- Specialized analysts are responsible for creating detection logic in the form of signatures, rules, and custom queries based on CTI-provided threat intelligence. TDO engineers deploy the detection logic to a range of devices, appliances, tools, and sensors that make up an organization's security stack. The rules, signatures, and queries create a threat-based preventative sensor network that generates network- and host-based alerts that Tier 1–3 analysts in the SOC respond to.
- TDO analysts will then fine-tune their detection logic based on SOC feedback, creating an efficient CMC that won't waste time investigating false alarms.
- The TDO team is also responsible for providing in-depth malware analysis that yields valuable technical intelligence (TECHINT) that can be used in detection logic and further enriched by CTI.
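As an added illustration of the Tier 1 triage in 1.1 and the TDO detection logic and feedback loop in 1.2 (example code written for this edition, not from the article or any product): a few constructed log lines are matched against constructed CTI indicators, each hit is correlated with earlier activity on the same host to set a severity and an escalation decision, and a SOC-maintained allowlist stands in for the feedback that removes known false alarms. The indicator values (documentation-range addresses and an invented hash), host names and log format are all assumptions.

```python
"""Added example (not from the article): CTI-driven detection logic run over
constructed log lines, Tier 1 triage, and an allowlist fed by SOC feedback."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicators standing in for a CTI feed (documentation-range
# addresses and an invented hash; none are real IOCs).
THREAT_INTEL = {
    "ip": {"203.0.113.45": "ExampleGroup-C2"},
    "domain": {"update-check.example.net": "ExampleGroup-C2"},
    "sha256": {"deadbeef" * 8: "ExampleDropper"},
}

# Tuning from SOC feedback: sources that legitimately touch indicators
# (here a hypothetical malware sandbox) are suppressed instead of alerted.
ALLOWLIST_SOURCES = {"sandbox-01"}

# Assumed log format: "<timestamp> host=<name> kind=<ip|domain|sha256> value=<v>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) kind=(?P<kind>\S+) value=(?P<value>\S+)$"
)

# Constructed sample input.
SAMPLE_LOGS = [
    "2018-06-01T10:00:00Z host=ws-17 kind=domain value=update-check.example.net",
    "2018-06-01T10:00:05Z host=ws-17 kind=ip value=203.0.113.45",
    "2018-06-01T10:02:00Z host=sandbox-01 kind=ip value=203.0.113.45",
    "2018-06-01T11:00:00Z host=ws-42 kind=sha256 value=" + "DEADBEEF" * 8,
    "2018-06-01T11:05:00Z host=ws-09 kind=ip value=198.51.100.7",
]


@dataclass
class Alert:
    ts: str
    host: str
    kind: str
    value: str
    threat: str
    severity: str = "low"
    escalate: bool = False
    prior_hits: int = 0


def match_indicators(lines, intel=THREAT_INTEL, allow=ALLOWLIST_SOURCES):
    """Signature-style matching: a log line whose value is a known indicator
    becomes an Alert unless the source host is on the SOC allowlist."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        threat = intel.get(m["kind"], {}).get(m["value"].lower())
        if threat is None or m["host"] in allow:
            continue
        alerts.append(Alert(m["ts"], m["host"], m["kind"], m["value"], threat))
    return alerts


def triage(alerts):
    """Tier 1 logic: classify severity and correlate with earlier hits on the
    same host. A file-hash hit, or any host with prior hits, escalates to Tier 2/3."""
    seen = defaultdict(int)
    ordered = sorted(alerts, key=lambda a: a.ts)  # ISO timestamps sort as text
    for a in ordered:
        a.prior_hits = seen[a.host]
        if a.kind == "sha256" or a.prior_hits >= 1:
            a.severity, a.escalate = "high", True
        else:
            a.severity = "medium"  # single network indicator hit: investigate
        seen[a.host] += 1
    return ordered


def run_example():
    """Run the constructed logs through matching and triage."""
    return triage(match_indicators(SAMPLE_LOGS))


if __name__ == "__main__":
    for a in run_example():
        print(a.ts, a.host, a.kind, a.threat, a.severity, "escalate" if a.escalate else "")
```

The sandbox line never becomes an alert, the second hit on ws-17 is escalated because of the earlier domain hit on the same host, and the address on ws-09 produces nothing because it is not in the feed; that last case is where TDO would decide whether the feed, rather than the rule, needs enriching.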

1.3 Managing all the security alerts. This process – building detection solutions and then identifying and mitigating threats – is where many organizations struggle. The main point to remember is that more technology, tools, and threat feeds do not necessarily enable your SOC to operate more efficiently. Designs built around smooth workflows are more likely to succeed than those that prioritize technology. Organizations should focus on technology that enables SOC investigators to spend less time collecting data and more time investigating the root cause of the activity they've been alerted to.

1.4 Implementing 24/7 operations and managing investigations.

Design and implementation should focus on standardizing daily operations, case management, and methods of "measuring success." Modern-day threats necessitate that SOCs operate 24/7, 365 days a year, requiring well-thought-out shift schedules and defined roles. Having a well-integrated, easy-to-use case-management system that doesn't get in the way of investigations and seamlessly interacts with other SOC tools is key. This tool ideally provides metrics on how effectively your SOC monitors, detects, and contains cases and will allow an organization to identify gaps in people, processes, and technologies.

1.5 Standardizing the standard operating procedures.

Successful implementation also demands accurate and up-to-date documentation. This includes documentation on network architecture, standardized operating procedures (SOPs), and point-of-contact lists. If the SOC is considered the “heart” of the CMC, then SOPs act as its beat, guiding analysts in situations ranging from collecting forensic evidence to stopping data exfiltration.

2 Integrate Cyber Threat Intelligence functions. Threat intelligence is incredibly powerful: it can serve as a force multiplier for the CMC, helping to improve awareness of threats and offering the means by which these threats can be prevented or detected.

Good threat intelligence will be implemented in a way that demonstrates the following characteristics:

2.1. Cyber Threat Intelligence is timely. Receiving intelligence before the threat is realized is crucial to the organization. Dissemination of strategic and tactical intelligence, including indicators of compromise (IOCs), can take the form of indications and warning (warning of an imminent threat), daily or weekly reports (highlights on relevant threats), and executive briefs (assessments on major and specific cyber issues for C-suite stakeholders).

2.2. Cyber Threat Intelligence is relevant. Relevant threat intelligence produces valuable insights not only on issues occurring in the global business environment but also on specific issues within the industry and related to a specific IT environment.

2.3. Cyber Threat Intelligence is actionable. Actionable threat intelligence is created when analysts filter through large volumes of data and information, analyze why specific pieces of information are relevant to an organization, and communicate how that information can be used by various stakeholders. SOC, TDO, and ASR teams need tactical and technical intelligence to support current investigations, create detection logic, and prepare for potential attacks. Technical intelligence will also be used to determine whether certain malicious actions or indicators have already been present on your network.

2.4. Strategic and tactical threat intelligence. Although the SOC team is the organization's first line of defense, it can operate more effectively and efficiently with the support of CTI. The security team will handle a wide array of potential threats and must be able to quickly triage events, determine the threat level, and mitigate incidents. CTI can help SOC analysts to prioritize these alerts, can aid in investigations, and can help SOC analysts attribute malicious activity to specific threats or threat groups.
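An added example, not from the article, of how the characteristics in 2.1 to 2.4 can be made mechanical: each indicator in a constructed feed is scored for timeliness (age within a window), relevance (match against the organization's sector and technology profile) and source confidence, and the actionable remainder is routed to the consumers named above: tactical indicators to SOC/TDO for detection logic, vulnerabilities to ASR, strategic reporting to the executive brief. The weights, the 30-day window, the organization profile and every feed entry (including the placeholder CVE identifier) are illustrative assumptions.

```python
"""Added example (not from the article): scoring a constructed CTI feed for
timeliness, relevance and confidence, then routing the actionable part."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str                # "ip", "domain", "cve", "campaign"
    level: str               # "tactical" (feeds detection) or "strategic" (feeds briefs)
    first_seen: datetime
    sectors: frozenset       # industries the reporting applies to ("all" = any)
    technologies: frozenset  # platforms concerned; empty = not platform-specific
    confidence: int          # 0-100, as stated by the source


# Hypothetical consumer profile; in practice it is derived from the asset inventory.
ORG_PROFILE = {"sector": "telecom",
               "technologies": frozenset({"windows", "exchange", "linux"})}
MAX_AGE = timedelta(days=30)  # illustrative window after which an indicator is stale


def score(ind, now, profile=ORG_PROFILE, max_age=MAX_AGE):
    """0.0 to 1.0: timeliness decays linearly over max_age; a wrong sector or
    platform scores 0.0; platform-agnostic reporting is discounted."""
    age = now - ind.first_seen
    if age < timedelta(0) or age > max_age:
        return 0.0
    if not (profile["sector"] in ind.sectors or "all" in ind.sectors):
        return 0.0
    platform_match = bool(ind.technologies & profile["technologies"])
    if ind.technologies and not platform_match:
        return 0.0
    relevance = 1.0 if platform_match else 0.6
    timeliness = 1.0 - age / max_age
    return round(timeliness * relevance * ind.confidence / 100, 3)


def route(indicators, now, threshold=0.2):
    """Drop anything below threshold; strategic items go to the executive brief,
    CVEs to ASR, remaining tactical indicators to SOC/TDO; best score first."""
    out = {"soc_tdo": [], "asr": [], "cxo": []}
    for ind in indicators:
        s = score(ind, now)
        if s < threshold:
            continue
        if ind.level == "strategic":
            out["cxo"].append((ind.value, s))
        elif ind.kind == "cve":
            out["asr"].append((ind.value, s))
        else:
            out["soc_tdo"].append((ind.value, s))
    for items in out.values():
        items.sort(key=lambda t: -t[1])
    return out


def _day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _day(2018, 6, 15)  # fixed "now" so the example is reproducible

# Constructed feed: documentation-range address, placeholder CVE id, invented names.
SAMPLE_FEED = [
    Indicator("203.0.113.10", "ip", "tactical", _day(2018, 6, 13),
              frozenset({"telecom"}), frozenset({"windows"}), 90),
    Indicator("CVE-XXXX-EXAMPLE", "cve", "tactical", _day(2018, 6, 5),
              frozenset({"all"}), frozenset({"exchange"}), 80),
    Indicator("old-c2.example.net", "domain", "tactical", _day(2018, 4, 1),
              frozenset({"telecom"}), frozenset({"windows"}), 95),   # stale
    Indicator("198.51.100.20", "ip", "tactical", _day(2018, 6, 14),
              frozenset({"healthcare"}), frozenset({"windows"}), 90),  # other sector
    Indicator("ExampleCampaign-2018", "campaign", "strategic", _day(2018, 6, 10),
              frozenset({"telecom"}), frozenset(), 70),
]


def run_example():
    return route(SAMPLE_FEED, NOW)


if __name__ == "__main__":
    for consumer, items in run_example().items():
        print(consumer, items)
```

The stale domain and the other-sector address are dropped before anyone sees them, which is the "actionable" filter in 2.3 applied before dissemination rather than left to the SOC analyst's queue.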

3 Red Team exercises to stress-test and strengthen the Cyber Multilayered Center.

A fundamental question for every business is: Will your cybersecurity organization be ready when an attack comes? An important means of assessing and “stress-testing” the CMC is to actively attack it. Through coordinated Red Team exercises, the CMC personnel can learn to detect and respond to a variety of threats.

3.1. Simulate threat actors' TTP. Red Team operations will ideally be designed to simulate the tactics, techniques, and procedures of threats that your CTI team has assessed to be a risk.

It is the Red Team’s responsibility to test these questions and the limits of your SOC and broader CMC. For example, if it is known that the SOC rarely encounters web shells – a type of malware installed on web servers – your Red Team may choose to directly attack a web server.

An important aspect of a Red Team operation is that only selected leaders are aware of operations (often referred to as the “white team”), adding to the realism of the event. This implementation allows those who are aware to observe the event as it unfolds, particularly how teams interact with each other, how information is passed along, how stakeholders are engaged, and how the teams handle a variety of attack scenarios. These leaders can also help to scope Red Team activities to ensure no critical data or operations are actually compromised or exposed.

Implementation of Red Team operations should therefore emphasize the interdependency between the SOC and Red Team mission. The Red Team should assist the SOC during remediation efforts to ensure any uncovered vulnerabilities are no longer susceptible to exploitation.

4 Reducing the organization's attack surface. The goal of Attack Surface Reduction (ASR) is to close all but the required doors to your technical infrastructure and limit access to those doors through monitoring, vulnerability assessment/mitigation, and access control.

The ASR team is dedicated to identifying, reducing, and managing critical vulnerabilities, services, and assets, while also focusing on preventing the introduction of vulnerabilities via improved hardening procedures.

4.1. Understanding and prioritizing the "attack surface." Implementing ASR is all about identifying and understanding your most critical business applications and services, including their functions, supporting infrastructure, scope, and inherent vulnerabilities.

The ASR team should prioritize each asset, considering its critical value to operations and the ability of the most relevant threat actors to leverage these assets in an intrusion. In addition, the impact of these attacks must be considered.

4.2. More than just patch management. While vulnerability and patch management is a core ASR function, achieving a vulnerability-free organization is not a realistic goal. Vulnerabilities must be identified and managed appropriately, keeping a focus on preventing and quickly responding to the most critical ones. Continually improving deployment and hardening procedures, especially for publicly facing services and services that may permit attackers to access high-trust zones, is a critical ASR process for facilitating preventive measures and effective mitigation timing.

4.3. A highly technical function that demands strong human analysis. Maintaining complete asset awareness is increasingly difficult in today's dynamic business environment. Organizations require continuous scans and costly-to-maintain configuration management databases (CMDB) to track and ensure the attack surface hasn't expanded beyond the organization's acceptable risk level. And new exposures often emerge throughout the course of normal business as new IT systems are introduced or upgraded.

Experienced ASR security professionals, who possess a deep understanding of network engineering, IT concepts, and security, are able to synthesize disparate pieces of information that can point to a previously undetected or contextually important attack vector.
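An added example (not the article's own code) of the prioritization step in 4.1 and the "close all but the required doors" goal of section 4: a constructed asset inventory is scored by business criticality and service exposure, services that open into a restricted zone are weighted up, and each asset's listening ports are compared with the required set for its role so that non-essential services can be queued for removal before they become the next exposure. Port weights, roles, zone names and the inventory itself are assumptions.

```python
"""Added example (not from the article): rank a constructed asset inventory by
exposure and criticality, and flag non-essential listening services."""
from dataclasses import dataclass

# Services the organisation has declared as required per asset role (hypothetical).
REQUIRED_SERVICES = {
    "web": {443},
    "mail": {25, 443, 587},
    "db": {5432},
    "workstation": set(),
}

# Illustrative per-service weights; remote-admin and file-sharing ports that
# commonly bridge into high-trust zones weigh more. Unknown ports default to 3
# because an unreviewed service is itself a finding.
SERVICE_RISK = {22: 3, 23: 5, 445: 4, 3389: 5, 5432: 4, 21: 4,
                80: 2, 443: 1, 25: 2, 587: 1}


@dataclass
class Asset:
    name: str
    role: str
    criticality: int      # 1 (low) .. 5 (business-critical)
    internet_facing: bool
    open_ports: set
    trust_zone: str       # "dmz", "internal" or "restricted"


def nonessential_ports(asset):
    """Listening services not in the required set for this asset's role."""
    return sorted(asset.open_ports - REQUIRED_SERVICES.get(asset.role, set()))


def exposure_score(asset):
    """Sum of per-service weights, doubled when reachable from the internet."""
    base = sum(SERVICE_RISK.get(p, 3) for p in asset.open_ports)
    return base * (2 if asset.internet_facing else 1)


def priority(asset):
    """Criticality times exposure, plus a fixed bump when any service sits in a
    restricted zone (the "doors to high-trust zones" the article warns about)."""
    score = asset.criticality * exposure_score(asset)
    if asset.trust_zone == "restricted" and asset.open_ports:
        score += 10
    return score


def prioritize(assets):
    """Return (name, priority, nonessential ports), highest priority first."""
    rows = [(a.name, priority(a), nonessential_ports(a)) for a in assets]
    return sorted(rows, key=lambda r: -r[1])


# Constructed inventory.
SAMPLE_INVENTORY = [
    Asset("web-01", "web", 4, True, {80, 443, 22}, "dmz"),
    Asset("mail-01", "mail", 5, True, {25, 587, 443}, "dmz"),
    Asset("db-01", "db", 5, False, {5432, 3389}, "restricted"),
    Asset("ws-100", "workstation", 1, False, {445, 3389}, "internal"),
]


def run_example():
    return prioritize(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for name, score, extra in run_example():
        print(f"{name:8} priority={score:3}  remove={extra}")
```

The database host outranks the internet-facing web server even though it is not exposed externally, because it is business-critical, sits in the restricted zone and carries a remote-desktop service its role does not require; that is the kind of contextual judgement 4.3 says a scanner alone will not make.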

Conclusion:

"Will we be next?" or even "Have we already been breached?" are the questions that all companies should have in mind. By developing a Cyber Multilayered Center, organizations develop the speed, collaboration, coordination, information flows, and C-suite awareness necessary not only to survive but to thrive.

Bibliography:

1. www.securityroundtable.org
2. Booz Allen Hamilton - Bill Stewart, Sedar LaBarre, Matt Doan, Denis Cosgrove

CYBERSECURITY TRENDS' TIP: ZERO-DAY CONFERENCE

ZERO-DAY: CYBERSECURITY STRATEGY CONFERENCE
Swiss Cybersecurity Conference, 2nd edition, 15th of November, 2018, Geneva, Switzerland

The 1st edition of the Zero-Day Conference will take place in Geneva on the 15th of November, 2018, within the frame of the Swiss Cybersecurity Conferences. The event is organized by PSYND and the highly appreciated NGO Swiss CyberSecurity (https://swiss-cybersecurity.ch), established in Geneva in 2013 and gathering more than 700 members who attend regular formal and informal events. Zero-Day.ch is a platform aiming to share knowledge, to develop leadership skills, to deepen expertise in the cybersecurity field and to connect companies, universities, national and international institutions and cybersecurity professionals. The "Zero-Day Conference" aims to help shape the cybersecurity strategy for 2019. For this reason, we are inviting CTOs, CISOs and IT managers to attend the event, and we deliver practical knowledge that can be used to support their cybersecurity strategy. The AGENDA is structured in 4 sections: Network Security, Infrastructure, Security and Governance. We encourage continuous learning, and we grant 8 CPEs for ISACA and (ISC)2 certified professionals.

Registration, more info, agenda, generic question form: https://zero-day.ch
Direct questions: Mária Bicsi, Event Manager, [email protected]


BIO: Giannella Borg is an Information Security Engineer working for LeoVegas Gaming Group in Malta. She has been working in Information Technology for over 10 years, particularly in the iGaming, FinTech, IT Services and Computer Software industries, and has attained various certifications and certificates throughout her career, including CISM, CRISC, CISA and COBIT5. She is an active board member of the ISACA Malta Chapter, where she helps organise local educational seminars and workshops, engages in IT research projects, conducts regular chapter meetings, and helps to promote and elevate the visibility of IS audit, control and security among local professional members. Giannella is well versed in many cybersecurity fields but is particularly passionate about speaking on DevSecOps and security awareness gamification.

Innovative uses of blockchain in Cybersecurity

Author: Giannella Borg

The future is now.

In 2008 we saw the debut of Bitcoin. Just a handful of years ago, many easily dismissed this as a fad, something that wouldn't grow past small niche groups.

Today, a decade since its humble beginnings, Bitcoin has paved its way to become one of the most disruptive technologies of the decade and has grown exponentially. It is rapidly being recognized as an accepted payment method worldwide. Users, wallet owners, traders and investors continue to shower cryptocurrencies with their endorsement and financial support, whilst ICOs increase by the day.

Bitcoin: the “digital gold”, as it is sometimes called, and for good reason, runs on a technological backbone known as the blockchain, and while the blockchain does not come with its own fancy nickname, it is truly the real hero behind the cryptocurrency’s success story.

The blockchain, originally devised as the foundation technology for the digital currency, has continued to grow and evolve into something greater, as the tech community continuously finds new and innovative ways to potentially use the technology. Perhaps, if it continues to grow at this rate, we could soon see it become the backbone of a new type of internet: an internet that can be distributed, but not copied.

The blockchain has many applications outside cryptocurrency, and Steve Morgan, Founder and Editor-in-Chief at Cybersecurity Ventures, agrees: "Blockchain is a fundamental business enabler. It will be the big gainer for many organizations globally. The technology promises to break down geographic and monetary boundaries."

Part of the success story of the blockchain is linked to its ease of use. Blockchain technology in itself is complicated, true, just like your car. However, you do not need to know what makes your car tick under the bonnet to use it, and the same concept can be applied for Blockchain.

Impact of Blockchain on Cybersecurity

Innovative uses for blockchain technology are already becoming a part of other fields beyond cryptocurrencies and can be especially useful to boost cybersecurity. Together we will take a look at how these effects have impacted our industry and understand how we can ride the blockchain wave to harness this technology to our advantage within cybersecurity.

Crucial for minimizing data destruction

The blockchain could play an important role in guaranteeing data availability, because unlike the typical centralized scenario, every piece of information is distributed throughout the entire system.

Therefore, given that the same data exists simultaneously in multiple locations, in the event that the data in one node is altered or deleted, either by accident or on purpose, a verification mechanism would be triggered to compare the faulty data with the metadata packet. If the data is then found not to match the rest, it would be discarded and replaced with a valid copy.

This means that the only way the data can be accidentally or maliciously destroyed is for the whole blockchain to be wiped out, node by node, every single one separately. If even one node remains within the system, the data could be fully restored.

Critical for DNS distribution and DDoS prevention

Distributed Denial of Service (DDoS) attacks have recently become more frequent and potent for big companies. GitHub was hit with a 1.35 Tbps attack earlier this year, breaking the record for the largest DDoS attack (so far).

The market for DDoS mitigation tools continues to grow and pick up pace in finding innovative techniques to stop an attack. Nevertheless, as proven in a few recent successful attacks, DDoS isn't just about volume; there still remains a flaw within the Domain Name System (DNS). DNS servers are partially decentralized, meaning there can be multiple DNS servers, which is great for redundancy but not so much for resiliency, since the mapping is one-to-one, which leaves the DNS system open to DDoS. This allows an attacker to overwhelm a DNS server or servers with queries and render it unavailable without having to resort to huge traffic volumes in an attack.

With blockchain, DNS would be completely decentralized, so that each DNS would point to multiple nodes. In this scenario, an attacker would have to direct a DDoS attack to all nodes in the blockchain, making it almost impossible for a website to be taken offline.

We have recently started seeing some companies emerge with an implementation of decentralized DNS on a blockchain, so as to prevent DDoS attacks from succeeding. For instance, Blockstack fully decentralizes DNS, while MaidSafe, a UK-based company, offers an alternative, decentralized internet.

Transparent and Incorruptible

The blockchain network lives in a state of consensus, one that automatically checks in with itself every ten minutes. A self-auditing ecosystem of digital value, the network reconciles every transaction that happens in ten-minute intervals. Each group of these transactions is referred to as a "block". Two important properties result from this:
- Transparency: data is embedded within the network as a whole, so by definition it is public.
- It cannot be corrupted: altering any unit of information on the blockchain would mean using a huge amount of computing power to override the entire network.
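The verification-and-replacement mechanism described under "Crucial for minimizing data destruction" and the "cannot be corrupted" property above, as an added example that is not part of the article: a hash-linked chain of records in which altering one record invalidates its block, recomputing only that block's hash merely moves the failure to the next block, and a node whose copy fails verification is overwritten from the majority of valid peers. The record contents and node names are constructed; "consensus" here is a simple majority of tip hashes among valid copies, not the proof-of-work the article's ten-minute cycle refers to.

```python
"""Added example (not from the article): a minimal hash-linked ledger with
tamper detection and majority-based repair of a faulty node."""
import hashlib
import json
from copy import deepcopy

GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, data):
    """Hash of the block's own fields plus the previous block's hash; this link
    is what makes later blocks depend on earlier ones."""
    payload = json.dumps({"i": index, "p": prev_hash, "d": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev_hash": prev, "data": data, "hash": h})
        prev = h
    return chain


def verify(chain):
    """Index of the first inconsistent block, or None if the chain is intact."""
    prev = GENESIS_PREV
    for b in chain:
        if b["prev_hash"] != prev or b["hash"] != block_hash(b["index"], prev, b["data"]):
            return b["index"]
        prev = b["hash"]
    return None


def tamper(chain, index, new_data, recompute_hash=False):
    """Copy of chain with one record changed; optionally refresh that block's
    own hash, which still leaves the following block's prev_hash stale."""
    c = deepcopy(chain)
    c[index]["data"] = new_data
    if recompute_hash:
        c[index]["hash"] = block_hash(index, c[index]["prev_hash"], new_data)
    return c


def reconcile(nodes):
    """nodes: {name: chain}. Copies that fail verification or disagree with the
    majority tip hash are replaced in place by the majority copy. Returns the
    names of repaired nodes. Ties between valid forks fall to the first seen."""
    tips = {}
    for name, chain in nodes.items():
        if verify(chain) is None:
            tips.setdefault(chain[-1]["hash"], []).append(name)
    if not tips:
        raise ValueError("no node holds a valid copy; nothing to restore from")
    majority_tip = max(tips, key=lambda t: len(tips[t]))
    good = nodes[tips[majority_tip][0]]
    repaired = []
    for name, chain in nodes.items():
        if verify(chain) is not None or chain[-1]["hash"] != majority_tip:
            nodes[name] = deepcopy(good)
            repaired.append(name)
    return repaired


# Constructed records (not real transactions).
SAMPLE_RECORDS = ["alice->bob 5", "bob->carol 2", "carol->dave 1"]


def run_example():
    """Three nodes hold the ledger; one is altered; reconciliation repairs it."""
    chain = build_chain(SAMPLE_RECORDS)
    nodes = {"n1": deepcopy(chain), "n2": deepcopy(chain),
             "n3": tamper(chain, 1, "bob->carol 200", recompute_hash=True)}
    failing_block = verify(nodes["n3"])
    repaired = reconcile(nodes)
    return failing_block, repaired, nodes


if __name__ == "__main__":
    failing, fixed, state = run_example()
    print("first inconsistent block on n3:", failing, "| repaired:", fixed)
    print("all valid now:", all(verify(c) is None for c in state.values()))
```

The recomputed-hash case is the instructive one: the altered block looks fine in isolation, and the failure surfaces at block 2, so an attacker would have to rewrite every block after the change on a majority of nodes, which is the "huge amount of computing power" the article refers to.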

As some of us may have experienced first hand, many software vulnerabilities can lead to security problems such as data leaks or network compromises, yet investigation of such incidents sometimes reveals that the root issue lies in the logistics network or supply chain.

While the blockchain itself will provide little to no value in thwarting or detecting such attacks, it does offer an infrastructure of transparency, event tracking, cryptography and the chance to improve security sensor and data sharing – which some security solutions and implementations on enterprise networks lack.

Security by design, as the new standard

While originally designed to facilitate the exchange of virtual currency, the blockchain's decentralized system seems exciting and applicable across different cybersecurity topics. The increased transparency and distribution afforded by blockchain technology definitely lend themselves to solving a lot of problematic cybersecurity issues.

For instance, we may yet see the blockchain technology provide a trustworthy infrastructure for vendors to better retain control of enterprise systems and networks, perform audit trails with added confidence, and as a means to tackle weak spots in security protocols.

Perhaps a reason why blockchain has resonated so well, and is being enthusiastically picked to solve issues within cybersecurity, is the fact that it offers a solid model that operates "securely by design" because of the importance given to data security, in an age when trust in systems is of utmost importance.


How the human weakest link can still break quantum messaging

Author: Norman Frankel

Seals, often with unique emblems, were used for hundreds of years to prove a document was both authentic and untampered. Before the advent of computing and telecommunications, if you wanted to send a secure message you would seal it with wax. When the recipient received it, if the seal was broken, they would know it had been intercepted. Whilst there was nothing they could do about it, they at least knew the message was no longer secure.

Secure messaging remains fundamental even today, not just for keeping communications private but for keeping our information secure. The need for secure messaging is not really about individual freedom and privacy; it is more about allowing business and commerce to operate. Without secure communications, you would not be able to pay for anything online. There would be no Amazon or Netflix or online banking.

Advancements in this area mean big things for industry. And now we are seeing technology creating one of the biggest secure messaging breakthroughs we have ever had.

Before diving into the future, let us understand how secure messaging works at a basic level, for example the way WhatsApp secures your messages. It uses one of the most common and most secure methods, end-to-end encryption, which works by using a public and private key combination.

These two keys are created together. Only the private key can decrypt messages that were encrypted using the public key. This is how encrypted messaging in WhatsApp and other services works. You will notice at the start of any WhatsApp chat that it says "messages to this chat and calls are now secured with end-to-end encryption".

What that means is that both parties have shared their public keys with each other, and any messages sent will be encrypted with those keys. If someone intercepts the messages, or if they are stored on a server and the server gets hacked, the messages will not make any sense. The only way to decrypt them is with the corresponding private keys, which are only stored on your phone, and not on a server or network.

Crypto also uses public and private keys, on the same principle as secure messaging. When you send crypto, you send it to someone's "public address". This is their public key. They then use their private key to get access to the crypto you've sent them.

So what happens if someone steals your private key? The problem with this type of encryption is: what if someone has managed to copy your private key without you knowing? Now if they intercept your messages, they will be able to decrypt them with your private key. A private key is just a series of characters that can be copied and pasted like any other series of characters. Further, you have no way of knowing whether someone has copied your private key or not.

This is where the new technology breakthrough, in the form of quantum computing, can help: a wax seal for digital messaging. But quantum theory can be used to secure messages, as well as to crack them.

Before delving into the wax seal of quantum computing, let us understand the basics of computing a little more.


Most computers use a binary system. That means their code, at its most basic level, is made up of strings of 1s and 0s. These essentially represent on or off. And using different combinations of these on and offs, you can represent any number. For example, the number 346 in binary is 0101011010. It’s not important that you know how that is worked out, but just that you know binary can be used to represent any number. At computing’s smallest level it comes down to binary.

So to understand the basics of quantum mechanics: at an object’s smallest level – the quantum level – it comes down to waves and particles. Is something a wave, or is it a particle? In the world of quantum mechanics, it is both.

Light, which is made up of photons, can act as either a wave or as a mass of particles. Until someone observes it, it is both. Whilst that might sound confusing and odd, it has been proven many times over with the double slit experiment. The mere fact that you observe it changes its state. Until that observation it exists in both states. This is called superposition, and it is key. To make superposition seem more tangible, let us illustrate it with Schrödinger’s cat thought experiment.

Schrödinger’s cat is a thought experiment, devised by Austrian physicist Erwin Schrödinger in 1935. Imagine a cat in a large steel box. Inside the box with it is a glass vial of poison gas. Above the glass vial a hammer is suspended by a piece of string. That string will be severed when a random event happens – when a radioactive particle decays – and the cat will be killed by the poison gas.

The radioactive particle follows quantum laws. So it is either decayed or not decayed. But until you observe or measure it, both outcomes are equally valid. This means the cat – whose fate is tied to that particle – is both alive and dead at the same time. The cat is in superposition of being both alive and dead.

Combine superposition and binary and you get quantum computing. So, while normal computers can only represent 1 or 0, a quantum computer represents both at the same time, thanks to superposition. This means it can approach problems in a different way. It doesn’t have to work on one problem after another. It can work on all problems at the same time. It is not tied to an either/or. It has either, or, and an additional maybe.

For example, if a normal computer wanted to escape a maze, it would try one path at a time until it found the exit. A faster computer could run down these paths faster than a slower one and so find the way out faster. But a quantum computer could try all the possible paths at the same time and find the exit instantly.

So quantum computers can represent both 0 and 1 at the same time. But what does that mean practically? A bit is one bit of information. In a normal computer it’s a 0 or a 1. A two-bit computer can have four possible combinations of numbers: 00 01 10 11, but it can only represent one combination at any one time. A two-bit quantum computer can represent all four combinations at the same time, thanks to superposition. So a two-bit quantum computer is like having four normal two-bit computers running side by side. This means quantum computers can process exponentially faster. As you add more bits to a quantum computer, it speeds up at an exponential rate.

So, let’s say you have a normal 64-bit computer. That computer can represent 2^64 states, which is 18,446,744,073,709,600,000 possibilities. It can only represent each of these states one at a time.

A quantum computer can represent all of them at the same time. This is why they are so suited to breaking cryptography and why they can crack codes instantly.

So, for instance, a modern computer can cycle through about two billion combinations per second. So in a password-cracking scenario, it would take around 400 years to crack a 64-bit code. A 64-bit quantum computer could try all 2^64 combinations instantly and break a code a normal computer would essentially find impossible.

Thankfully, a quantum computer powerful enough to do this is not expected for another decade or so.

Currently, many people are working on making cryptography work differently so that it is proof against both normal and quantum computers.

It is not just about breaking codes. As you can imagine, quantum computing has far more possibilities than just codebreaking. It will allow people to write entirely different computer programs and run entirely different experiments and simulations.


Richard Feynman, a physicist famously said in 1981 “Nature is not classical, and if you want to make a simulation of nature, you had better make it quantum mechanical, and it’s a wonderful problem, because it doesn’t look so easy.”

Quantum computing has the potential to change our understanding of the laws of nature and everything that follows on from that. In the end, it will bring us much more than codebreaking. It will change everything.

Quantum matter changes its state when observed. So, if you are using quantum matter to send a message and it is intercepted, it will change state. Just like the wax seal, the message will look different from how it should if it has been opened. And just like the wax seal, this can only help you after the event, so on its own it’s not really that much use. However, when combined with end-to-end encryption, it becomes unhackable. At least in theory.

So we can tell if our messages have been intercepted, but we cannot do anything to stop them being intercepted before we find out. So how do we achieve truly secure messaging? The solution is to use quantum messaging to share your private keys. Give both parties the same private key and share it with quantum messaging. If anyone else intercepts the keys, both parties will know, and they can just use a new key instead.

Here’s how Scientific American described it in 2013. A device in a satellite creates entangled photon pairs and simultaneously transmits one of each pair to two ground stations in beams of millions of photons, all in entangled quantum states. That means both stations should have the same key.

The two stations would compare them. If the transmissions were not intercepted or modified by an eavesdropper, the two keys should be identical. The sender can then send a conventionally encrypted message secure in the knowledge no one is listening.

But, if there is any alteration in the keys, which would happen if anyone intercepted the key message, Heisenberg’s theory would strike, and the photons would be altered. The two parties would know if there was an eavesdropper and either resend the keys or try another system. Several corporations and government research facilities around the world are working on similar satellite systems.
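The compare-the-keys step described above, as an added example that is not from the article or from any of the satellite projects it mentions: a classical Python simulation of a BB84-style exchange with an intercept-resend eavesdropper, where the function names, the 25% comparison sample and the 5% abort threshold are the example's own assumptions.

```python
"""Simplified simulation of the quantum key sharing idea described above.

Added example, not from the article. It models a BB84-style exchange in
classical Python: Alice encodes random bits on photons in random bases, Bob
measures in random bases, both keep only the positions where their bases
agree (the "sifted key"), then publicly compare a random sample of it. An
eavesdropper who intercepts, measures and re-sends each photon cannot know
the preparation basis, so she disturbs about a quarter of the sifted bits;
the comparison step reveals her, and the parties discard the key and retry.
Names, the 25% sample and the 5% abort threshold are this example's choices.
"""
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Measure a photon carrying `bit` prepared in `prep_basis`.

    Same basis: the bit is read correctly.  Different basis: the outcome is
    random, which is the "observing it changes its state" effect in miniature.
    """
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def run_exchange(n_photons, eavesdrop, rng):
    """Send `n_photons` from Alice to Bob and return both sifted keys."""
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        bit, a_basis, b_basis = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        in_flight_bit, in_flight_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve guesses a basis, measures, and re-sends a
            # fresh photon in her own basis carrying whatever she read.
            e_basis = rng.randrange(2)
            e_bit = measure(in_flight_bit, in_flight_basis, e_basis, rng)
            in_flight_bit, in_flight_basis = e_bit, e_basis
        b_bit = measure(in_flight_bit, in_flight_basis, b_basis, rng)
        # Basis reconciliation happens over a public channel: only the basis
        # choice is revealed, never the bit value.
        if a_basis == b_basis:
            alice_key.append(bit)
            bob_key.append(b_bit)
    return alice_key, bob_key


def check_for_eavesdropper(alice_key, bob_key, sample_fraction, threshold, rng):
    """Compare a random sample of the sifted key over the public channel.

    Returns (mismatch_rate, alice_final, bob_final).  The sampled bits are
    burned (they were disclosed); the final keys are empty when the mismatch
    rate exceeds `threshold`, i.e. the parties abort and start over.
    """
    n = len(alice_key)
    sample_size = max(1, int(n * sample_fraction))
    sample_idx = set(rng.sample(range(n), sample_size))
    mismatches = sum(1 for i in sample_idx if alice_key[i] != bob_key[i])
    rate = mismatches / sample_size
    if rate > threshold:
        return rate, [], []
    keep = [i for i in range(n) if i not in sample_idx]
    return rate, [alice_key[i] for i in keep], [bob_key[i] for i in keep]


def qkd_session(n_photons=4000, eavesdrop=False, seed=1, threshold=0.05):
    """Run one full session with a seeded RNG and summarise the outcome."""
    rng = random.Random(seed)
    a_key, b_key = run_exchange(n_photons, eavesdrop, rng)
    rate, a_final, b_final = check_for_eavesdropper(a_key, b_key, 0.25, threshold, rng)
    return {
        "mismatch_rate": rate,
        "aborted": not a_final,
        "keys_match": bool(a_final) and a_final == b_final,
        "key_bits": len(a_final),
    }


if __name__ == "__main__":
    print("no eavesdropper:", qkd_session(eavesdrop=False))
    print("intercept-resend:", qkd_session(eavesdrop=True))
```

Without an eavesdropper the compared sample never disagrees and a shared key survives; with intercept-resend the sample disagrees on roughly a quarter of the bits and the session aborts, which is the detection the article relies on.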

Things have moved on since 2013. What was just a theory in 2013 was proven to work in 2017, when Chinese scientists managed to prove that quantum messaging really does work. Nature wrote in June 2017:

“Just months into its mission, the world’s first quantum-communications satellite has achieved one of its most ambitious goals. Researchers report in Science that, by beaming photons between the satellite and two distant ground stations, they have shown that particles can remain in a linked quantum state at a record-breaking distance of more than 1,200 kilometres. That phenomenon, known as quantum entanglement, could be used as the basis of a future secure quantum-communications network.”

But one thing does stick out about this “impossible” to crack method of messaging. In a real-world situation, it would still be fairly easy to intercept: don’t hack the message, hack the person sending it, as any system is only as strong as its weakest link. In this case, it is the people sending and receiving the messages. Those people could be compromised for far less money and with far less hassle than trying to break the laws of physics.

For purely machine-to-machine messaging, it would be unbreakable. It may be complex, but quantum messaging is destined to play a big part in the future of communication, which is fundamental to every business on the planet. And that is before we even get into using quantum entanglement to communicate instantly, over any distance.

Whilst we transition technologically more toward this quantum computing world, we need to be aware of the increasing automation being used to pinpoint vulnerabilities. Vulnerabilities can exist anywhere in the 7 layers of the security stack, the full stack. Vulnerabilities are introduced by people, often through unintended error.

Therefore the only real solution from this point onward is to increasingly use automated tools, and specifically robotic process automation tools, to help give you the edge in identifying vulnerabilities, acting on them and even fixing them, all faster than a human has probably even identified the problem, and doing so in parallel on a multi-tasking basis.

The age of computing power and automation for security defence is already here and should be embraced far more quickly than businesses seem to be exploring it.


BIO: Bruno Napoli is a Smart Home veteran and expert, serial entrepreneur, blogger, speaker, thought provoker and influencer known as “The GAFA man”. He has created and been involved in many companies since 1992, covering all aspects of the AV and Home Automation industry. Bruno’s latest company, Krika, has created a product for professional use that enables remote supervision of AV and Home Automation products. Using all possible APIs and protocols, we have been able to easily talk to and control almost all IoT devices in a home… This is where I started to blog about the weakness of IoT in the Smart Home industry. Follow me on Twitter @brunonapoli_FR, on Medium @brunonapoli and on LinkedIn.

Author: Bruno Napoli

Billions of dollars are going to be spent by consumers on IoT in the next 5 years. Studies predict that by 2022, all households will probably have more than a hundred connected objects.

Why waste time hacking an enterprise for clients’ personal data, when you can collect it directly from people’s smart homes?

It’s an incredible cake to share between manufacturers and service providers. Trust me, the consumer electronics industry is going to be very creative. As a result of the aggressive marketing and industrial supremacy of the leaders of this industry, Google, Amazon, Facebook and Apple (aka the GAFA), everyone can “Smartify” a home with just a few hundred dollars. That budget already declines from month to month as products are mass-produced by Chinese firms such as Baidu, Alibaba, Tencent and Xiaomi (referred to in China as BATX) and become easier to deploy.

Luckily, the enterprise world can count on a myriad of experts and consultants to help secure infrastructure and systems against a cyberattack that would, for example, collect clients’ private data. But with this crazy, wild and totally unsecured consumer rush for a smart home, it might become easier to collect that data directly from the client!


The trap starts with a $49 voice assistant that gives the weather and can order a pizza. Then you gradually populate your home with a Wi-Fi camera on the right, a smart door lock on the left, a connected light bulb at the top and a wireless speaker at the bottom. Without even realizing it, without spending a fortune, your home is now Smart, it knows everything about you and you can control it remotely. Once you have succeeded with those first easy steps, you’ll hysterically want to try all possible smart products and services the industry will churn out and suggest you buy. Within a few months, your home will have more connected products than an SME! This untamed jungle of IoT uses all possible protocols, TCP/IP ports and APIs, all possible radio signals and frequencies, and is connected to the “Baker family WIFI” using Mrs. Baker’s mobile phone number as the password for everything.

IoT and Smart Home are already so trendy that in the coming months, no home builder or property developer will appear credible if they are not able to deliver a house or apartment that displays a “Wannabe Smart Something Wi-Fi Amazon compatible” logo, whatever it means, whatever people understand of it, whatever products will be installed and, most important, however it will be deployed and maintained. When you sign the order form for your future home, you will tick the option Google, Amazon or Apple. Ultimately, the word “Smart” will disappear and where we live will be called Home again. We are not here to debate whether smart home is good or bad. Smart Home will reach all homes like electricity did a century ago. It is inevitable, get over it.

The direct consequence of this digital transformation is the same for the consumer world as for the enterprise world: the more connected we are, the more vulnerable we are. We live in houses that can literally turn against us, either through bad programming of the home automation system, compatibility issues between devices, or simply because they have been hacked. And once our home has been turned into a smart chimera, the gloomiest scenarios will become real. Products like Fing and its competitors exist to help consumers control and protect their network, but unfortunately they are not sufficiently deployed yet.

Consumers are already a much easier target than any company for collecting data or harming people, and they are definitely the Achilles heel of a secure cyber world. All the efforts and millions invested in securing a company’s infrastructure to protect clients’ data could be ruined overnight, when the next massive cyber-attack uses a security breach found in this new incredible must-have Trojan horse, the $5 connected hand spinner every child in the world will ask their parents to buy. The latest massive DDoS cyber-attack involving IP cameras proves to us that hackers know how to exploit consumer products. That was just a warm-up.

Consumers have no real security strategy, no IT guy to tell them what to do, no best practices. They just want things to work, get rid of passwords and have fun. And as manufacturers in the consumer channel just want to sell their stuff and create absolutely no stress that could stop the buying process, they will not really place emphasis on security and will leave all the responsibility for security either to the installer or to the end user. I would like to emphasize here the fact that lots of IoT devices are going to be used for health and for keeping people at home instead of in a hospital. In this case, the level of security of the network at home should be mission critical. Who will help them?

As an expert in smart home for 25 years now, I saw this industry emerge and become entirely dependent on a local network infrastructure and on the Internet. I also saw home automation professional installers struggle to manage and secure a network, because it’s just not a skill you can acquire by watching a tutorial on YouTube during a lunch break.

Watch the latest podcast recorded on July 11, 2018 from AV Nation TV (https://avnation.tv/podcast/resiweek-127-cyber-security-rmr/), one of the leading consumer electronics professional podcast producers. Can you imagine that the first 10 minutes are spent talking about “Changing the default password”?


Today professional home automation installers are former Audio/Video and home cinema guys, low-voltage CCTV/alarm installers or electricians, a long way from technical networking skills. And even if they would like to partner with a local IT company to create and maintain their clients’ networks, the prices are usually too high for the residential market, as they are tailored to companies’ needs. In short, the enterprise world has built protection walls on only one half of the fortress.

More than stealing personal data, hacking a smart home can be deadly. Let’s try to list the risks introduced by a Smart Home if someone hacks it. Just keep in mind that this list only uses the smart devices we have today. But try to imagine the exponential nature of it in a few months… a few years… who knows what other incredible smart devices the industry will produce.

- Hack the setup of my HVAC so it can possibly destroy itself.
- Hack the setup of the garden watering system and have water disaster consequences.
- Disable or change the sensitivity of all smart detectors (alarm, smoke, leak…).
- Open all doors, disable the alarm and turn off my CCTV.
- Ask the bathtub to overflow while I’m on vacation.
- Disable the security of my gas water heater and ask it to boil the water until it explodes.
- Turn on all appliances that produce heat in the house during a hot summer, including the ethanol fireplace, close all ventilation grids and turn off the air extraction.
- Once inside a local network, it’s even possible to flash the firmware of almost any device with a custom one, which can give total control of a device and disable all its internal protections.

There is a big challenge for the professional cyber security industry within the enterprise world to help consumers. And where there is a challenge, there are tons of business opportunities to innovate in terms of products and services. It’s a question of balance and common sense, as both enterprises and consumers should have the same level of security. It can start with the creation of white papers and best practices, the creation of certifications and quality marks for consumer professional installers and, maybe the biggest opportunity of all, the creation of IT service companies dedicated to consumers, to create, secure, manage and maintain “smart” networks for them.

Can you imagine that the everyday Joe who chooses to DIY his Smart Home will have to maintain it, as IT managers take care of a small business, meaning:

- constantly check and update the firmware/OS of the home automation system, all mobile apps and connected objects;
- try all new features as well as make certain that all these beautiful devices continue to work well together after being upgraded;
- audit and protect his local network and regularly change the passwords of the Wi-Fi and all apps and services;
- and finally, since the life span of a house is supposed to be several decades, in any case much longer than the programmed obsolescence of technological products, ensure that the components installed are always up to date and supported by manufacturers.

And by the way, what is he supposed to do when he finds out that an IoT product is no longer supported by the manufacturer, meaning that even if one day a security breach is found on this device, there will never be any update? Will we have to change our IoT components every 4 or 5 years to benefit from new features and protections in cyber security? As you can see, a lot of challenges for an end user who just would like to stream Game of Thrones!

I’m not an expert in Cyber Security, and I’m sure readers have an idea of what to do to secure a Smart Home and propose a service for the residential world. Just keep in mind that it’s residential, so the product/service should be 24/7 and very user friendly.

The challenge for home automation professional installers will be more or less the same as for an end user, with more responsibilities.

- First, as professionals, they have a legal duty to clearly inform end users of the issues described above in terms of the monitoring, updating, upgrading and maintenance a connected home requires.
- At the same time, professional installers must create contracts to offer all these services. Today, 99.99% of AV and Home Automation professionals in the world do not propose any service or maintenance contract to end users. They do the job, install a local network and leave (as long as it works…).
- And since we are talking about people’s safety, it is also highly likely that they will have to obtain new professional certifications and insurance.
- The final challenge is that they will need the human resources to carry out these service and maintenance contracts. There is no doubt that these contracts will create millions of hours of work that will open the eyes of nifty entrepreneurs who will seize the opportunity to create dedicated service companies.

For real estate developers, the creation of a “Smart Home” department will need to be staffed with competent people to choose products that can be integrated on a very large scale, as well as to negotiate good partnerships and agreements with service companies, the GAFA, industrial partners and local governments to keep all of this working smoothly. A lot to think about for a builder who doesn’t usually set foot back on a construction site after delivery.

The last challenge will be for home insurers, who will certainly not let us turn our houses into smart chimeras without reacting. We are now able to remotely control the opening of all doors and windows but also remotely control devices capable of inflicting serious damage, such as gas boilers, bioethanol fireplaces, automatic water taps… And as smart fire and water leak detectors and alarm systems are connected to our local network, they can all be hacked and turned into bots. Below are some of the challenges for insurance companies to answer with respect to a Smart Home, in the form of questions a policyholder might ask:

- I want to know your recommendations and best practices, so you can’t tell me in the future that you won’t reimburse me because my Smart Home was not secured enough, because I didn’t follow the best practices in use in the industry, or because it was not installed and/or not maintained by a qualified specialist.
- And by the way, what industry, specialist, qualifications and best practices are we talking about? Is that an IT guy? An electrician?
- Will you sign a document to acknowledge that my current insurance policy will cover me as usual no matter what I am turning my home into?
- Will you one day set some limits as to what we can do in a Smart Home?
- How strong should my password be for my Wi-Fi system and on all my smart devices, and how many times should I change it per year?
- Can I still use connected devices that are not supported by the manufacturer, meaning that even if a major security breach is found, there will never be any firmware update?
- Will you give me a list of forbidden connected devices I can’t use in my home because they are too vulnerable?
- If there is a new firmware update that patches an important security issue on my bathtub or my gas water heater smart thermostat, how fast am I supposed to update it? And if the problem occurs before I patch the device, will you still be covering me?
- What if my professional installer has been hacked? He probably has all my information, logins and passwords. Does his insurance cover him for this?

For the moment, no insurance companies are ready to answer these questions.

In fact, just as autonomous cars will need a totally new type of insurance policy designed in collaboration with the car industry, a smart home will also need a totally new type of insurance policy. Be sure that one day, home insurers will require the AV and Smart Home industry to design specific Smart Home certifications and maintenance contracts to avoid or minimize all risks because, in the end, insurance companies will be the ones who pay when there is damage.

As you can see, there is a lot to talk about and lots of opportunities. Let me know your thoughts about this article; I’ll be happy to share with you more about the Smart Home industry. You can follow me on Medium, LinkedIn & Twitter.

Social Engineering: You’re Never Too Smart to Be Scammed

Author: George Hannah

BIO: George has over twenty years of experience in delivering IT and cybersecurity solutions to organizations in the education, government, healthcare and finance sectors. He is currently the Regional Sales Manager for Northern Europe and the UK for Ericom Software, a global leader in securely connecting the digital workplace and protecting organizations from web-borne threats. Twitter: @GHannahEricomUK; @Ericom_Software. LinkedIn: https://www.linkedin.com/in/ghannah/; https://www.linkedin.com/company/ericom-software/

It’s no secret that system users within an organization pose a great threat to cybersecurity, even when an organization has invested in advanced technology to prevent security breaches. Whether they are naïve or merely distracted, these users can – and all too often do – compromise the security of the whole organization with a single click.

Of course, the users themselves don’t bear sole responsibility. Hackers use a plethora of sophisticated techniques, commonly referred to as “social engineering”, to trick or otherwise manipulate people into cooperating with their underhanded agenda, taking shrewd advantage of common human behaviors and cognitive biases. Cognitive biases refer to a deviation from rational behavior, such as the very human tendency to take mental “short-cuts” when making decisions under pressure, or to mindlessly carry out routine actions out of sheer habit. These social engineering tactics are used to trick people into infecting their own device with malware or giving up their private information – voluntarily.

For a hacker, social engineering may be the method of choice for getting access to privileged information. With traditional hacking methods, the hacker first has to gain access to a secure network, and then search for the information, which can take a long time and a lot of technology. By electing instead to manipulate users into giving up the information of their own accord, the hackers can just sit back and relax while responses come in, providing them with the right information to carry out a cyberattack. In fact, according to a recent Data Breach Investigations Report by Verizon, nearly half of all reported security breaches involved social engineering.

Scamming the savvy

You might still be thinking, “Sure, some people might fall for these tricks, but I know a scam when I see one.” Don’t be so sure. Hackers can use social engineering to successfully target even the most tech-savvy executives. In 2017, a British teenager, Kane Gamble, broke into the email accounts of DNI and CIA chiefs using social engineering. Through impersonation, he managed to get enough personal information about these US officials to convince their email providers to reset passwords, giving Gamble full access to their email accounts.

Email scams these days are more sophisticated than ever. Hackers targeting particular organizations may gather a wide variety of details about their targeted users, to make the emails seem as convincing as possible. They may also create a sense of urgency, further clouding judgement. The email may spin a logical story, such as an organization prompting all users to download a phony “software update” to resolve a security problem or to urgently review an email attachment documenting some other (fake) company-wide concern.

Even users who are specifically trained to recognize phishing or spoofing attempts can make mistakes. While training is an essential and effective technique to reduce security breaches, it relies on one thing – the ability of the user to think slowly and rationally. Even the most careful user can make a careless click when they are distracted, under pressure, or even just plain tired. In these cases, the user might ignore the clear signs of phishing or a spoofed email address because they’re thinking quickly. As Daniel Kahneman writes in his book, “Thinking, Fast and Slow”, even those of us who are trained in advanced logic can fail to evaluate simple risks and make errors in judgement when thinking fast, leading to bad decisions – like clicking on a malicious link. No amount of training can prevent such a natural human behavior from happening - at least occasionally.

Smart solutions for smart scams

To mitigate the insider threat created by users who fall prey to social engineering, most organizations rely on traditional hardware and software solutions such as anti-virus software, firewalls, and email gateways to detect and block suspicious traffic or files from getting onto their network and endpoints. In fact, best practices dictate the use of multiple layers of security throughout the organization to ensure that there’s no single point of failure that exposes the network to a broad scale attack.

However, for advanced threats that can evade detection, organizations need to supplement these detect-and-block solutions with more proactive defenses, particularly when it comes to outward-facing applications such as email programs and web browsers. Advanced technology such as remote browser isolation (RBI), for example, can proactively shield endpoints against even undetected browser-borne threats, preventing phishers and other cyber criminals from gaining entry through this popular threat vector.

When using RBI, users can browse the web as normal through an interactive content stream. However, in the background, all active code for the browser session is executed in a virtual container in the DMZ or cloud. The container is destroyed when the session is over. Thus, if a user hastily clicks on something malicious, the code will never enter the organizational network. This keeps the organization protected from the potentially catastrophic result of a simple error in judgement.

Nothing will completely eliminate the threat of social engineering. Relying on training and education definitely isn’t enough. Attackers are always on the lookout for new ways to con and breach, both on the human and machine level. New, smart solutions, like RBI, should be used to provide a preventative layer of protection, allowing for human mistakes and cognitive biases without leaving an organization vulnerable to cyberattacks.
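The phishing signals this article describes (a sender posing as a colleague or the organization, a sense of urgency, a "software update" to open) are exactly the ones an email gateway can score before a tired user ever sees the message, which is the detect-and-block layer the text says training must be backed by. The following is an added example and not code from the article or from any product it mentions; the organisation name, trusted domain, keyword lists and both sample messages are constructed for the example.

```python
"""Header- and content-based phishing triage (added example, not from the
article). All sender identities, domains and message texts are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation identity (placeholders, not a real company).
ORG_NAME = "example corp"
TRUSTED_DOMAINS = {"example-corp.com"}

# Assumed keyword lists; a production filter would tune these per organisation.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "will be suspended")
LURE_TERMS = ("software update", "open the attachment", "review the attached")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm")


def _domain(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _text_body(msg):
    """Concatenate all text/plain parts, for single-part and multipart mail."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return (score, reasons): one point per independent phishing indicator."""
    msg = message_from_string(raw)
    reasons = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    # 1. Sender claims the organisation's identity (display name or a
    #    look-alike domain) but the address is not on a trusted domain.
    if from_dom not in TRUSTED_DOMAINS and (
        ORG_NAME in display_name.lower()
        or any(t.split(".")[0] in from_dom for t in TRUSTED_DOMAINS)
    ):
        reasons.append(f"sender poses as {ORG_NAME} from untrusted domain {from_dom}")

    # 2. Replies are silently routed to a different domain than the sender's.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3./4. Pressure and lure wording in subject or body (the "fast thinking" hooks).
    text = (msg.get("Subject", "") + "\n" + _text_body(msg)).lower()
    urgency = [t for t in URGENCY_TERMS if t in text]
    if urgency:
        reasons.append("urgency wording: " + ", ".join(urgency))
    lures = [t for t in LURE_TERMS if t in text]
    if lures:
        reasons.append("lure wording: " + ", ".join(lures))

    # 5. An attachment type that executes code when opened.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable-type attachment {name}")

    return len(reasons), reasons


# Constructed sample: the "software update" lure described in the article.
PHISH = """From: "Example Corp IT Helpdesk" <helpdesk@example-corp-support.net>
Reply-To: tickets@mail-collect.example
To: alice@example-corp.com
Subject: URGENT: security update required within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attachment and run the software update immediately,
otherwise your account will be suspended.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="security_update.exe"

(binary omitted)
--b1--
"""

# Constructed sample: an ordinary internal message.
LEGIT = """From: "Bob Builder" <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free for lunch on Thursday? No rush, reply whenever.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score}")
        for reason in reasons:
            print("  -", reason)
```

Each indicator is scored independently so that a single missing signal (a spoofed message with no attachment, say) still leaves the others to trip on; a gateway would quarantine above a threshold and hand the reasons list to the analyst, while a score of zero on the internal message shows the checks do not punish ordinary mail.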

Mobile Financial Malware 2017: international threat report

Author: Davide Fania, President, XTN

BIO: At the beginning, I was an Analyst Programmer, Application Specialist and Project Manager in a wide variety of business applications, particularly specialized in Production & Planning solutions. Over the past 15 years, I’ve created and led some private organizations that initiated breakthroughs in areas as diverse as computer software for the textile, food and biomedical markets. I’m one of the pioneers who created, installed and improved the automation system for specimen processing named WASP (www.copanitalia.com). I created the LIS (Laboratory Information System) Interface Connector Architecture (UIC™ - Universal Interface Connector) necessary to upload and download patient and specimen data from/to Hospital & Laboratory Management Software. I’m the inventor of the MALDItrace system (now Colony Picker for the WASPLab automated system), a patented equipment created for specimen and organism traceability in mass spectrometry.

Developers of mobile banking/payments malware are the first to use new technologies and are always looking for ways to bypass security mechanisms implemented in mobile operating systems.

The full report is composed of four sections as follows:

Section 1 describes the context of a mobile malware attack. A huge amount of mobile malware has been developed in recent years. This is caused by two factors. In the first place, the mobile app development context is technologically less mature, especially from the security perspective. Secondly, users have less insight into the implications of their actions when they use a mobile device. A very meaningful quote that best describes this aspect in a few words is: “For those who target personal bank accounts, mobile malware is cheaper and safer to use than banking trojans.”

To underline the importance of mobile security, Figure 1 shows the ever-growing number of mobile devices across the world, which in 2016 even surpassed desktops in terms of connections to the Internet. Enforcing security on mobile devices has never been so crucial: what we’ve seen so far is only the beginning.

Figure 1: Snapshot of worldwide Internet usage through May 2017 (source: StatCounter).

Section 2 describes how attackers inject malicious applications or code into users’ devices. The typical goal of attackers is obtaining payment credentials, which can be used later on to commit fraud, or accessing private user data.

Summarizing, a mobile attack consists of three main phases: injection, backdoor installation, data exfiltration.

The international threat report is intended to describe the typical behaviour of Android malware, in particular within a financial context. To access the full document please scan the QR code below.

- The malware injection phase aims at bringing a malicious application or piece of code to the execution environment in which the attack will be performed.
- The backdoor installation phase aims at opening a unidirectional or bidirectional connection towards a backend owned by the attacker. Its purpose is to set up a persistent communication channel between the infected device and the malicious agent.
- The exfiltration phase's purpose is to access sensitive information and forward it through the communication channel established in the previous phase.

“Attackers typically aim at compromising confidential user information with the purpose of executing final attacks on other channels. In order to access private user data, an attacker exploits users’ trust in known sources and users’ risk misperception in performing sensitive actions on mobile devices”.

This approach is used in the injection phase, for example by means of trojans, and/or in the data exfiltration phase. Figure 2 shows an example of a BankBot malware sample, Jewel Star Classic, distributed through the Google Play Store. This trojan, created by injecting a malicious payload into legitimate code, aimed at spoofing the identity of Jewels Star, a quite famous game with, according to the statistics, 50 to 100 thousand legitimate installations. This way, attackers were able to induce users to download and install it. At this point, the injection phase is completed.

Figure 2: The malicious version of Jewel Star in the PlayStore.

Section 3 describes how financial malware typically works and provides an overview of the current malware landscape. An extensive analysis of a relevant number of financial malware samples identifies the six typical behaviours of malware, the malware families and their geographical distribution. Financial cybercriminals are always looking for new ways to exploit users and extract money from them. In recent years, a huge amount of financial malware has been developed, which has led to a variety of malware families. However, the most widespread trends are gaining administration privileges and tricking users through overlays. A very representative family that shows such behaviour and is currently attacking a variety of organizations is Red Alert24.

In addition to its behaviour, another interesting part is the overlay attack mechanism, which differs from older families both in terms of implementation and in target management. In fact, the targets are stored on the attacker’s server and are not sent back to the mobile malware, making the analyst’s life much harder. Cybercriminals are constantly looking for ways to bypass Android’s new protection mechanisms, often using basic but valid techniques.
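The two trends named above, overlay abuse and gaining administration privileges, leave traces in an Android app’s manifest before any runtime behaviour is observed, which is where triage of a repackaged game like the one in Figure 2 would start: a casual game has no reason to declare either capability. The following is an added example and not code from the report or from XTN’s malware engine; the two manifests, the package names and the SMS-permission indicator are assumptions constructed for the example, while the permission and action names are the standard Android ones.

```python
"""Android manifest triage for the behaviours the report highlights (added
example, not the report's or XTN's code). Both manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android names for the two trends named in the report: overlays
# (SYSTEM_ALERT_WINDOW) and administration privileges (a device-admin
# receiver). SMS access is an added indicator and an assumption here.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def manifest_behaviours(manifest_xml):
    """Return the set of capability tags a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = set()
    if OVERLAY_PERMISSION in perms:
        found.add("overlay")
    if perms & SMS_PERMISSIONS:
        found.add("sms_interception")
    # A device-admin receiver is either guarded by BIND_DEVICE_ADMIN or
    # listens for DEVICE_ADMIN_ENABLED; either form counts.
    for receiver in root.iter("receiver"):
        guarded = receiver.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
        enabled = any(
            a.get(ANDROID_NS + "name") == DEVICE_ADMIN_ACTION
            for a in receiver.iter("action")
        )
        if guarded or enabled:
            found.add("device_admin")
    return found


def assess(manifest_xml):
    """Verdict for an app that, by its own store listing, is a casual game.

    A game needs none of these capabilities, so any one of them earns a
    manual review; overlay plus device admin together is the banking-trojan
    pattern the report describes and is flagged outright."""
    behaviours = manifest_behaviours(manifest_xml)
    if {"overlay", "device_admin"} <= behaviours:
        verdict = "suspicious"
    elif behaviours:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, sorted(behaviours)


# Constructed manifest: what a legitimate puzzle game plausibly declares.
LEGIT_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.jewelgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Jewel Game">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed manifest: the same game with an injected payload that wants
# overlays, SMS access and device-admin rights.
TROJANIZED_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.jewelgame.classic">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Jewel Game Classic">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("legit", LEGIT_GAME), ("trojanized", TROJANIZED_GAME)):
        print(label, assess(xml))
```

Static manifest checks are only the first filter: the report's point is that the overlay targets live on the attacker's server, so which banks are targeted cannot be read from the APK, and a sample that passes this triage still needs the behavioural analysis described in Section 4.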

Section 4 describes the solution against the ever-growing threat of financial malware: a behaviour-based detection mechanism named malware engine. Conventional antivirus programmes available on the market often still base their detection on signatures; even if these are more precise in detection, this type of approach presents many drawbacks and is generally unable to detect unknown malware. In the mobile context, which is drastically dynamic, this is a huge problem.

Verifying whether a new file is malicious can be complex and time-consuming. In many cases the malware has already evolved by then. The delay in identifying new forms of malware leaves corporations and consumers vulnerable to serious damage. For this reason, our engine based on behavioural analysis involves machine learning mechanisms and advanced algorithms, modelled and implemented as a result of long-term business intelligence tasks.

The advantages for analysts using this kind of solution can be explained with the following quote: “Malware detection is only the first step. It provides information about the related family along with the detected behaviours, allows an analyst to understand the possible impacts on a final client and then trigger the most suitable mitigation”. 

Figure 3: The worldwide target distribution map

Download the report!

*We thank the Global Cyber Security Centre for allowing the reproduction of this article, published in the «GCSEC Newsletter» in April 2018.

ATM heist

Author: Norman Frankel

Go to an ATM at the right place, at the right time, and you could be collecting a whole lot of free money. Over $1.25 billion has been spewed out by cash machines, in over 40 countries, since 2013.

Some ordinary people will have been offered cash by these ATMs, for no apparent reason. But the majority was collected by criminal gangs. In fact, it was just one criminal gang, known as Carbanak.

Carbanak is responsible for what must be, by far, the biggest bank heist in history. The fact is, no one actually knows how much money it has stolen altogether.

A 2015 report by Kaspersky Lab put the figure at around $1.25 billion. That was before Carbanak developed its most sophisticated techniques, which it continued to operate until its alleged mastermind was recently caught. This was such a big operation that it is unlikely any one person was in charge, and doubtful that such a mastermind would be as stupid with their money as the alleged mastermind was.

So, there is every chance Carbanak is still taking billions from banks, all around the world.

Software that does bad things is known as “malware”, as in malicious software. The particular malware the robbers used was called Carbanak, hence the name the gang was given. Carbanak was likely downloaded, as most viruses are, from an email attachment.

An email would have been sent to bank employees designed to look like it was coming from another employee, with an attached Word document, which would have contained the malware. This is why it is important to keep all your software updated. Most of the time, updates are patches for known security holes in the program.

The WannaCry attack was so successful in the UK because most of our institutions are inept with computers. So inept that many of them, including most of the NHS, kept their systems running on Windows XP. Windows XP is decades old and no longer receives security updates. WannaCry had no effect on up-to-date systems.

The Carbanak malware, once “in” the bank’s system, then replicated and infected more computers. It allowed the hackers to see what was happening on infected computers’ screens. The hackers could then see what real transactions and money moving looked like. Then the hackers used their malware to take control of the system and fake real transactions. They created extra money and then got cash machines to release it.

They had a network of money mules who were told which cash machines to wait at and when. Then these mules just collected the free money. The money was then laundered – much of it through bitcoin.

Europol has made a fun infographic explaining it all, which you can see below.

The person caught was probably not the mastermind, but seemingly definitely involved, and likely one of the main coders of the malware.

As Wired reports, the key to tracking the man down to his Alicante home ran through Taiwan and Belarus. A report from Europol and security company Trend Micro, published last year, details how both countries saw ATMs dispensing cash to mules.

The report says $2.5m (£1.78m) was stolen from 41 Wincor Nixdorf ATMs operated by First Commercial Bank in Taiwan during July 2016 “without using cash cards or even touching the PIN pads”. After the attack, arrests were made and malware was found within the bank’s system. This was one of the typical ATM network attacks in Taiwan. They got access to the network in Taiwan and cashed out the money to mules.

The police were able to arrest a number of these mules, so we started to co-operate with Taiwan to see where this was coming from. This led to a group in Belarus and from there we were able to connect this target. We were able to connect Taiwan, Belarus and Spain through the information exchanged with partners.

Europol says “criminal profits” were laundered via cryptocurrencies. “Prepaid cards linked to the cryptocurrency wallets were used to buy goods such as luxury cars and houses,” the international agency said in its statement.

A report in El Mundo, Spain’s second-largest newspaper, claims Denis K [the mastermind] owned 15,000 bitcoins (currently valued at around £84m) at the time of his arrest. Catalan newspaper El Periódico de Catalunya reported that the arrested man lived with his wife and son, drove two BMWs and had jewellery valued at €500,000 within the home. If you have ever seen any crime film or TV show ever, you will know that flashing your cash is not a very good plan. Yet this mastermind had two BMWs and half a million euros’ worth of jewellery.

Europol also doesn’t give any information about how they actually tracked him down. I very much doubt the mules would have known anything about anyone near the top of Carbanak.

While this is the biggest bank robbery of all time, affecting multiple banking institutions in many different countries, it did not get much press. Not while it was all going on, not at the time of the mastermind’s arrest, and not much since. In fact, it is very hard to find out which banks were actually affected.

This is because cybercrime is very, very bad business for banks. Banks rely on their customers trusting that they will keep their money safe. If you knew your bank had lost millions of its customers’ money to hackers, how would you feel? Would you really trust it to keep your money safe? No. Most banks and big businesses that do get hacked keep it quiet. The banks will have simply reimbursed any accounts that were affected and kept quiet.

We only hear about these hacking stories when they affect customers’ records, so the institutions are forced to tell us. Otherwise, it’s all kept as quiet as possible. Even GDPR will keep the status quo on this situation unless customer records are implicated in the breach.

Groups like Carbanak are operating all over the world, 24 hours a day. It’s just that we rarely hear about them.

Copyright © 2018 Pear Media SRL, Swiss WebAcademy and iCyber-Security. All rights reserved.

Redaction: Laurent Chrzanovski and Romulus Maier † (all editions)
For the iCyber-Security edition: Norman Frankel

ISSN 2559-6136
ISSN-L 2559-6136

Addresses:
Bd. Dimitrie Cantemir nr. 12-14, sc. D, et. 2, ap. 10, district 4, 040234 Bucharest, Romania
Tel: 021-3309282 / Fax 021-3309285

Griffins Court, 24-32 London Road, Newbury, Berkshire, RG14 1JX, UK
+44 800 086 9544

www.icyber-security.com
https://cybersecuritytrends.uk/
www.icyber-academy.com
www.cybersecuritytrends.ro
www.agora.ro
www.swissacademy.eu

A publication edited by:

Ransomware-as-a-Service (RaaS)

Author: Antonio Pirozzi

BIO: Antonio is Principal Malware Scientist and Senior Threat Researcher for CSE CybSec Enterprise spa. He currently holds more than 10 international infosec certifications, from SANS, EC-Council and the Department of Homeland Security. His experience goes beyond the classical computer security landscape: he has worked on numerous projects on GSM security, critical infrastructure security, blockchain malware, composition malware and malware evasion.

Introduction

In recent years, the Darknet has created new illegal business models. Beyond the classic illegal content, like drugs, weapons and contract killers, other services have emerged to enable speculation and profit. In the information security context, you can find hacking services and illegal software development, such as malicious software. The new trend consists of platforms that allow even inexperienced people to create ransomware on demand.

Ransomware is malicious code that infects the victims’ machines and blocks or encrypts their files, demanding a ransom. When ransomware is installed on a victim’s machine, it looks for and targets sensitive files and data, such as important financial data, databases and personal files. It is designed to make the victims’ machines unusable. The malware then demands payment of a ransom for the encrypted user data, showing a window or creating some text files containing the payment instructions. The user has only two options: pay the ransom without any guarantee of getting the original files back, or format the PC after disconnecting it from the Internet.

Ransomware history 

The first ransomware was born in 1989, when 20,000 floppy disks were dispatched as “AIDS Information – Introductory Diskettes”; after 90 reboots, the software hid directories and encrypted the names of files on the customer’s computer, claiming a ransom of $189. The payment had to be made by depositing the requested amount at a post office box in Panama.

Many years later, in May 2005, GpCode, TROJ.RANSOM.A, Archiveus, Krotten and others appeared and marked the beginning of the widespread diffusion of this kind of malware.

With the advent of new anonymous payment methods at the end of 2008, such as Bitcoin, ransomware changed its approach to demanding ransom payment.

After many ransomware families, such as CryptoLocker, TeslaCrypt, Locky and others, in 2017 the WannaCry ransomware attack terrified most countries in the world thanks to its worm behaviour, through which the malware was able to spread to more than 230k machines by exploiting a vulnerability in the SMB protocol. Despite its unexpected worm behaviour, WannaCry still encrypted user files using the classic methods, asking for a payment of $300 in Bitcoin to be sent to a provided Bitcoin address.

2017 – The year of ransomware 

The past year was the worst for ransomware attacks worldwide. There were at least three ransomware attacks which caused economic damage worth millions of dollars.

The first one was WannaCry, which hit every type of infrastructure, from communication companies like Telefonica, FedEx and Deutsche Bahn to English hospital agencies. It propagated through EternalBlue, an exploit for older Windows systems released by The Shadow Brokers a few months prior to the attack. While Microsoft had previously released patches to close the vulnerability, many organizations had not applied them or were using older Windows systems that were past their end-of-life.

Figure 1 - WannaCry ransom note

The second one is NotPetya, the evolution of another infamous ransomware, known as Petya, which spread in the wild in 2016. This ransomware propagates with the same exploit as WannaCry, EternalBlue. The characteristic of this malware is that it was designed not as ransomware but as a wiper: it encrypts the Master Boot Record of the machine and, due to an algorithmic error, it was not possible to restore the previous state, so the data are definitively lost.

Figure 2 - NotPetya ransom note

The last terror of the computer systems was Bad Rabbit. It was the evolution of the NotPetya ransomware and principally targeted Turkey, Germany, Poland, Japan, the United States and other countries. But the major damage occurred at the Odessa airport in Ukraine. It is interesting to note that the malware doesn’t explicitly implement a wiper behaviour, suggesting the operators are financially motivated. However, the onion website used for the payment is no longer available, which implies that victims cannot pay the ransom to decrypt their files. This behaviour could be intentional, used by the attackers as a distraction tactic.

Figure 3 - Bad Rabbit payment site

Ransomware general features 

The samples related to the attacks of the last ten years can be categorized into two different types:
- Locker-ransomware: ransomware that locks users out of their devices;
- Crypto-ransomware: ransomware that encrypts files, directories and hard drives.

The first type was used between 2008 and 2011. It was discarded because it was quite simple to eliminate the infection without paying the ransom. In fact, locker-ransomware has the weakness of merely showing a window that denies access to the computer, and that lock was simple to bypass.

The second type doesn’t have this problem because crypto-malware hits the user's files directly while leaving the system usable to the victim. So, the user can’t access the information contained in the encrypted files.

The next generation of ransomware uses the same encryption approach as the second type, but adds a combination of advanced distribution efforts and development techniques used to ensure evasion and anti-analysis, as Locky and WannaCry attest.

Obviously, the creation of ransomware requires specific and advanced capabilities, in addition to the development effort. This makes ransomware an instrument for few people. To meet the needs of people who want to take revenge, make money or just have fun, new services have emerged to facilitate the “buying & selling” of malicious software. So, a new approach was born: Ransomware-as-a-Service (RaaS).

Ransomware-as-a-Service 

The rise of the RaaS distribution model is giving would-be criminals an extremely easy way to launch a cyber-extortion business with virtually no technical expertise required, flooding the market with new ransomware strains in the process.

Ransomware-as-a-Service creates a new business model because it allows both malware sellers and customers to earn. Malware sellers, using this approach, can acquire new infection vectors and new victims which they aren’t able to reach through conventional approaches, such as email spamming or compromised websites. RaaS customers can easily obtain a technological weapon by logging into the RaaS portal, configuring the features and distributing the malware to unwitting victims. The goals can differ: making money easily and quickly, or taking revenge on someone.

These illegal platforms can’t be found on the Clearnet, so they are necessarily hidden in the dark side of the Internet, the Dark Web. Surfing the dark web through unconventional search engines, you can find several websites that offer RaaS. Each one provides different features for ransomware creation and platform-owner payment, allowing you to select the file extensions considered by the encryption phase, the ransom demanded from the victim and other technical functionality that the malware will implement.

Furthermore, beyond the usage of RaaS platforms, custom malicious software can be purchased through dedicated websites in which you can engage a hacker for the creation of your personal malware. Historically, this commerce has always existed, but it was specialized in cyber attacks like espionage, account hacking and website defacement. Only when hackers understood it could be profitable did they start to provide this specific service. Thus, this type of service is offered substantially in two ways: the first is to hire someone to write malware with the requirements defined by the customer, and the second is to use a Ransomware-as-a-Service platform.

The following table summarizes the principal Rent-a-Hacker and Ransomware-as-a-Service platforms on the Darknet.

Rent-A-Hacker Services

X-Hacker

XHacker is a classic platform providing a rent-a-hacker service. This hacker sets a minimum price of 200 dollars for a job. To be contacted, he publishes an email address together with his PGP public key.

Hacker for Hire

It provides several hacking services, like cyber-bullying, cyber extortion, social account hacking and more. There is a price list for all operations.

HXT

HXT offers “elite hacking” services, including DDoS attacks, compromising personal accounts, botnets and, last but not least, ransomware on demand. For each service the hackers show a price list, and the most expensive is precisely RaaS.

Pirate CRACKERS

This site provides several services, such as email and cell phone hacking, social media hacking, DDoS attacks and malicious software creation. For each service there is a price list, which makes explicit that payment must be made in Bitcoin.

Rent-a-Hacker

He can do economic espionage, network and website compromising, DDoS attacks and hacking activity in general. Instead of pricing by type of hacking service, he prices jobs by size (small, medium and large).

Ransomware-as-a-Service Platforms

Raasberry

This platform has a personal section in which you can see statistics about your ransomware campaign, keeping track of the number of infections, the number of paying victims and the corresponding earnings. There is a dashboard in which you can purchase new packages that include, for each plan, the same ransomware but a different subscription time to the Command and Control. There are several plans, from plastic to platinum. Once you have registered on the platform and purchased a package, the platform assigns you a personal Bitcoin address and you can monitor statistics about your ransomware campaign and check your earnings.

Ranion

This platform declares that the C&C of its “Fully UnDetectable” ransomware is hosted in the Darknet. In the dashboard, you can purchase new packages that include, for each plan, the same ransomware but a different subscription time to the Command and Control. There is a Ransomware Decrypter section, in which the victim inserts the key sent by the criminal once the ransom has been paid; pressing the decrypt button starts the decryption of the files.

Earth Ransomware

Unlike the previous RaaS, this one offers a fixed-rate service at the price of 0.3 BTC. When the customer pays the quoted amount to the Bitcoin address indicated in the mail, he obtains credentials to enter the personal section. In the editor area, you can create your personal ransomware, setting the number of bitcoins required, the email address, the first and last payment deadlines and the Bitcoin address. After the infection, the ransom note is shown to the victim, indicating the encrypted files, the payment deadline and, obviously, the Bitcoin address.

Redfox

The novelty of Redfox is that it’s hosted on the Clearnet. RedFox encrypts all user files and shared drives using the Blowfish algorithm. The webpage says that the Command and Control, which is hosted over Tor, allows you to choose the ransom amount, ransom note, payment mode, payment deadline and other technical features, such as the usage of binders, packers and crypters to guarantee anti-analysis of the sample.

Create your ransomware

It’s a totally free platform. On its website you can download a ready-to-go ransomware by filling in only three form boxes: the Bitcoin address where you want to receive your “money cut”, the ransom amount and a simple captcha. As the website shows, the “money cut” corresponds to 90% of the ransom amount, while the remaining share is the service fee. Some statistics about the ransomware campaign are also shown.

DataKeeper

The only platform not yet seized is the DataKeeper service. When you register on the website, you get the malware configuration page, where you can choose the malware capabilities and some other configuration settings. This platform seems to be one of the most complete because it allows you to specify which file extensions to encrypt.

*We thank the Global Cyber Security Centre for allowing the reproduction of this article, published in the «GCSEC Newsletter» in April 2018.
