Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.
The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.
Telegram promotes itself as an ultra-secure instant messaging system and is often described as end-to-end encrypted, meaning that only the two endpoints hold the keys. In practice that applies only to Telegram’s optional “secret chats”; ordinary chats and their history are stored on Telegram’s servers, which is why a newly authorized device can read them (see below). A number of other messaging services, including Facebook Inc’s WhatsApp, say they offer end-to-end encryption.
Headquartered in Berlin, Telegram says it has 100 million active subscribers and is widely used in the Middle East, including by the Islamic State militant group, as well as in Central and Southeast Asia, and Latin America.
Telegram’s vulnerability, according to Anderson and Guarnieri, lies in its use of SMS text messages to authorize new devices. When a user logs in to Telegram from a new phone, the company sends an authorization code via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.
Armed with the codes, the hackers can add their own devices to a person’s Telegram account, enabling them to read chat histories as well as new messages.
“We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company,” Anderson said in an interview.
Telegram’s reliance on SMS verification makes it vulnerable in any country where cellphone companies are owned or heavily influenced by the government, the researchers said.
Founder and CEO of Telegram Pavel Durov delivers a keynote speech during the Mobile World Congress in Barcelona, Spain February 23, 2016. Albert Gea/Reuters
A spokesman for Telegram said customers can defend against such attacks by not relying on SMS verification alone. Telegram allows – though it does not require – customers to set a password (its optional two-step verification), which can be reset via a so-called “recovery” email.
“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said Markus Ra, the spokesman.
Iranian officials were not available to comment. Iran has in the past denied government links to hacking.
The Telegram hackers, the researchers said, belonged to a group known as Rocket Kitten, which used Persian-language references in their code and carried out “a common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus.”
Anderson and Guarnieri declined to comment on whether the hackers were employed by the Iranian government. Other cyber experts have said Rocket Kitten’s attacks were similar to ones attributed to Iran’s powerful Revolutionary Guards.
The researchers said the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.
“We see instances in which people … are targeted prior to their arrest,” Anderson said. “We see a continuous alignment across these actions.”
The researchers said they also found evidence that the hackers took advantage of a programming interface built into Telegram to identify at least 15 million Iranian phone numbers with Telegram accounts registered to them, as well as the associated user IDs. That information could provide a map of the Iranian user base that could be useful for future attacks and investigations, they said.
Amir Rashidi, an Internet security researcher who has worked with Telegram users who were victims of hacking, poses for a photograph at the offices of International Campaign for Human Rights in Iran in the Brooklyn borough of New York, U.S., July 27, 2016. Brendan McDermid
“A systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation” has never been exposed before, Guarnieri said.
Ra said Telegram has blocked similar “mapping” attempts in the past and was trying to improve its detection and blocking strategies.
Cyber experts say Iranian hackers have become increasingly sophisticated, able to adapt to evolving social media habits. Rocket Kitten’s targets included members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents, U.S.-Israeli security firm Check Point said last November.
POPULAR IN THE MIDDLE EAST
Telegram was founded in 2013 by Pavel Durov, known for starting VKontakte, Russia’s version of Facebook, before fleeing the country under pressure from the government.
While Facebook and Twitter are banned in Iran, Telegram is widely used by groups across the political spectrum. They shared content on Telegram “channels” and urged followers to vote ahead of Iran’s parliamentary elections in February 2016.
Last October, Durov wrote in a post on Twitter that Iranian authorities had demanded the company provide them with “spying and censorship tools.” He said Telegram ignored the request and was blocked for two hours on Oct. 20, 2015.
Ra said the company has not changed its stance on censorship and does not maintain any servers in Iran.
After complaints from Iranian activists, Durov wrote on Twitter in April that people in “troubled countries” should set passwords for added security.
Amir Rashidi, an internet security researcher at the New York-based International Campaign for Human Rights in Iran, has worked with Iranian hacking victims. He said he knew of Telegram users who were spied on even after they had set passwords.
Ra said that in those cases the recovery email had likely been hacked.
Anderson and Guarnieri will present their findings at the Black Hat security conference in Las Vegas on Thursday. Their complete research is set to be published by the Carnegie Endowment for International Peace, a Washington-based think tank, later this year.
Good news, everyone. According to a new report from NBC, Chinese cyber attackers were hacking and reading email belonging to U.S. government officials between 2010 and 2014 (and that’s just what we know about) under the code name “Dancing Panda.” Hillary Clinton, who was Secretary of State between 2009 and 2013, made their efforts easier through her use of a private, insecure email server at the time. Keep in mind, the FBI is currently conducting a criminal investigation into whether Clinton sent or received classified information on her private system. Clinton was certainly sending highly sensitive government information through her private account, and the Chinese likely read it all.
China’s cyber spies have accessed the private emails of “many” top Obama administration officials, according to a senior U.S. intelligence official and a top secret document obtained by NBC News, and have been doing so since at least April 2010.
The email grab — first codenamed “Dancing Panda” by U.S. officials, and then “Legion Amethyst” — was detected in April 2010, according to a top secret NSA briefing from 2014. The intrusion into personal emails was still active at the time of the briefing and, according to the senior official, is still going on.
As Wisconsin Governor and GOP presidential candidate Scott Walker said last week, the Chinese and the Russians know more about the details of Hillary’s email server than Congress or the American people do.
Cyber security experts at De Montfort University Leicester (DMU) are working with the police to fight the increasing threat of cyber crime.
Officers from across the East Midlands came to DMU to learn more about digital forensics and the latest research being carried out to profile those who commit cyber crime.
DMU’s Psychology and Technology Research Group and the Cyber Security Centre work to understand both how victims view cyber crime as well as the psychology and techniques used by the cyber criminals.
Cyber crime is a growing issue. In 2014, more than half of 2,075 Britons who took part in a UK Government survey had been victims of cyber crime. A separate poll showed that for the UK as a whole, more than £670m was lost in online fraud in the 12 months to August 2014.
Recent cases in Leicestershire have included a man jailed for eight months for a cyber attack on a Leicester business. He cancelled online orders and hacked into the website in the attack which cost the company £41,000.
“The cyber environment is used to commit and facilitate all types of crimes and even people committing more traditional crimes like burglary will still leave a ‘digital footprint’”, explained DMU psychologist Dr Lee Hadlington.
“The challenges facing the police in the arena of cyber crime highlight the need to strike a balance between understanding the nature of digital forensics alongside the motivations, techniques and psychology of the attackers.
“In a similar vein, a better understanding of how victims view aspects of cybercrime allows front line staff to determine how best to direct investigations whilst placing victim support high up on the agenda.”
The event at DMU included workshops for officers and staff, plus a keynote speech from Andy Jones, Visiting Professor to DMU’s Cyber Security Centre, about the challenges which cyber crime presents to police.
Helge Janicke, Head of the Cyber Security Centre, said: “The combination of understanding the human element in cyber crime alongside cutting-edge approaches in digital forensics aims to help police tackle these challenges head on.”
Among those taking part in the event were officers and staff from Northamptonshire, Leicestershire, Nottinghamshire, Derby and Lincoln which included assistant chief constables, PCs and support staff.
Detective Sergeant Phil Donnelly from the Cyber Crime Unit at the East Midlands Special Operations Unit (EMSOU) said: “The threat from cyber-crime is a rapidly growing problem for policing at a local and national level. It is imperative that police officers and staff at all levels have confidence and take the right steps when tackling cyber crime.”
Peter Ward, head of East Midlands Police Learning and Development, said: “Under the East Midlands Policing Academic Collaboration (EMPAC) it’s great to see DMU and police managers from across the East Midlands Police Services coming together to gain a greater understanding of the threat that cyber crime poses to businesses and individuals.
“The Police Service is working closely with academia to ensure that evidence-based strategies are implemented to combat and reduce crime.”
A widely used satellite network that relays GPS position data from trackers on the ground doesn’t properly guard its communication, making devices back on Earth susceptible to hacking, according to new research.
Lots of companies — everything ranging from overseas shipping containers to oil drilling rigs — use location data beamed from GPS trackers to ensure that equipment never goes off course.
But Colby Moore, a researcher with cybersecurity firm Synack, has found that it’s easy to crack the tracker traffic carried by Globalstar’s satellite network. This is a company that bills itself as “the world’s most modern satellite network.”
GPS trackers beam their position data up to the satellites, which relay it back down to base stations on Earth. Using cheap hardware and small planes, Moore successfully intercepted and decoded that data – none of which was encrypted.
He also found that nothing in the protocol authenticates the sender, so there is no safeguard to check that data is exchanged only between real trackers and base stations. With that access, Moore was able not only to decode the transmissions but also to create fake GPS data that the system would accept.
The result? High-tech thieves could steal a freight truck full of precious cargo without setting off alarms. Rescuers responding to a sinking cruise ship could be redirected far away from the actual wreckage.
Aviation is especially at risk. Lots of planes transmit their location using Globalstar’s system, especially now that the organization that collects pilots’ flight plans, Lockheed Martin (LMT) Flight Service, signed a deal with the satellite company in June.
A spokesman for Lockheed Martin did not respond to a request for comment.
A hacker’s faked plane GPS signals could cause chaos at an airport that expects a plane to land — but can’t spot anything on radar.
Moore will present his findings at the Black Hat hacking conference in Las Vegas next week.
Globalstar (GSAT) did not acknowledge the flaw — or say whether it plans to actually start encrypting its communication.
“This type of situation has never been an issue to date,” said company representative Allison Hoffman. Globalstar said it would know if its systems were under attack. But this hack doesn’t technically attack Globalstar’s systems — it only fools them.
In today’s world, lack of encryption with sensitive communication is unacceptable. Encryption is required in all electronic banking, and it’s expected in email, texting, and even casual Web browsing.
Globalstar’s problem could be a result of old technology. The company had already launched 40 satellites into space by late 1999, when encryption was an afterthought. Plus, encryption adds to the size of data being transmitted — and in space, bandwidth is expensive, especially 20 years ago.
Moore said the only fix would be to add security features to new devices on Earth. But there are currently 649,000 Globalstar customers with devices whose software will be difficult — or impossible — to upgrade.
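To make the two missing properties concrete, here is an added example, not Globalstar’s or Synack’s code: the 16-byte frame layout, the field names and the per-device key are assumptions made for illustration. It contrasts a plaintext position report, which an eavesdropper can rewrite at will, with one that carries a per-device HMAC tag and a sequence number that a base station checks before trusting the position:

```python
import hashlib
import hmac
import struct

# Hypothetical 16-byte tracker frame, modelled loosely on the kind of position
# report described in the article (the real Globalstar framing is not shown here):
#   device_id (u32) | seq (u32) | lat (i32, microdegrees) | lon (i32, microdegrees)
FRAME = struct.Struct(">IIii")
TAG_LEN = 16  # truncated HMAC-SHA256 tag; doubles the size of the 16-byte frame


def encode_plain(device_id, seq, lat_udeg, lon_udeg):
    """Unauthenticated frame: anyone who knows the layout can build one."""
    return FRAME.pack(device_id, seq, lat_udeg, lon_udeg)


def decode_plain(frame):
    device_id, seq, lat_udeg, lon_udeg = FRAME.unpack(frame)
    return {"device_id": device_id, "seq": seq, "lat_udeg": lat_udeg, "lon_udeg": lon_udeg}


def spoof_position(captured, lat_udeg, lon_udeg):
    """What an eavesdropper does with a plaintext frame: keep the device id,
    bump the sequence number, substitute a fake position."""
    device_id, seq, _, _ = FRAME.unpack(captured)
    return FRAME.pack(device_id, seq + 1, lat_udeg, lon_udeg)


def encode_authenticated(key, device_id, seq, lat_udeg, lon_udeg):
    """Same frame followed by a tag only the holder of the device key can produce."""
    body = encode_plain(device_id, seq, lat_udeg, lon_udeg)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class BaseStation:
    """Ground side. Per-device keys are assumed to have been provisioned at manufacture."""

    def __init__(self, keys):
        self.keys = dict(keys)   # device_id -> 32-byte key
        self.last_seq = {}       # device_id -> highest accepted sequence number

    def accept(self, frame):
        """Return the decoded report, or None if the frame must be dropped."""
        if len(frame) != FRAME.size + TAG_LEN:
            return None
        body, tag = frame[:FRAME.size], frame[FRAME.size:]
        device_id, seq, _, _ = FRAME.unpack(body)
        key = self.keys.get(device_id)
        if key is None:
            return None                                  # unknown tracker
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None                                  # forged or corrupted
        if seq <= self.last_seq.get(device_id, -1):
            return None                                  # replayed old frame
        self.last_seq[device_id] = seq
        return decode_plain(body)


# Constructed demo data, not real tracker traffic.
DEVICE = 0x00C0FFEE
KEY = hashlib.sha256(b"demo-per-device-key").digest()
TRUTH = (37774900, -122419400)      # lat/lon in microdegrees


def demo():
    # 1. Unauthenticated link: the spoofed frame decodes just like a real one.
    real = encode_plain(DEVICE, 41, *TRUTH)
    fake = spoof_position(real, 36170000, -115140000)
    spoof_accepted_plain = decode_plain(fake)["lat_udeg"] == 36170000

    # 2. Authenticated link: the same spoof (padded with a bogus tag) is dropped,
    #    a genuine frame is accepted, and a replay of that frame is dropped.
    station = BaseStation({DEVICE: KEY})
    genuine = encode_authenticated(KEY, DEVICE, 41, *TRUTH)
    forged = fake + bytes(TAG_LEN)
    return {
        "spoof_accepted_plain": spoof_accepted_plain,
        "forged_accepted": station.accept(forged) is not None,
        "genuine_accepted": station.accept(genuine) is not None,
        "replay_accepted": station.accept(genuine) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

HMAC gives authenticity and, with the sequence number, replay protection; hiding the position from an eavesdropper would additionally need encryption (an AEAD mode such as AES-GCM provides both). The example also shows the two costs the article hints at: the 16-byte tag doubles the frame, which is the bandwidth trade-off that made it tempting to leave out in 1999, and the per-device key has to exist on the tracker, which is why the fix cannot reach fielded devices that cannot be updated.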
SAN FRANCISCO — Pen and paper instead of a laptop. Cash instead of credit cards. Face-to-face chats instead of cell phones. That’s the drill for the most cautious at two big computer security conferences taking place this week in Las Vegas.
It’s where security professionals need to be — and why they need to be on their toes, said Richard Blech, CEO of Secure Channels, a digital information security company based in Irvine, Calif.
Black Hat, which begins Tuesday, will fill the Mandalay Bay hotel with upwards of 9,000 security executives, hackers, academics, and government and law enforcement staffers.
It’s immediately followed by Def Con, a more hacker-oriented conference held at the Paris and Bally’s hotels. Last year, Def Con attracted nearly 16,000 people.
Both feature demonstrations, lectures and presentations about the most cutting-edge computer security issues, and are attended by thousands of people with the tools and the knowledge to break into just about any system imaginable. Some of these very skilled attendees like to show off their skills; others are looking for bragging rights. And because it’s an event that brings in high-level government and corporate staff, there’s also plenty of data and networks to entice the nefarious.
It’s one-stop shopping, a place where every major security executive is gathered. “You don’t have to travel around the globe or hunt them down on the Internet — they’re all here,” said Brad Taylor, CEO of security company Proficio in Carlsbad, Calif.
That means “the rules are a little different,” said Stan Black, chief security officer for Citrix in Fort Lauderdale, Fla. For example, he’s bringing his schedule printed out on a piece of paper so he doesn’t have to turn on his cell phone to check it.
The most wary will also turn off Wi-Fi, power down Bluetooth and book hotel rooms halfway across town.
The threats include everything from “script kiddies” – unskilled hackers who run other people’s attack tools against whatever systems they can reach – to nation-state actors out to pry loose sensitive information from large international corporations.
“And they’re all staying in the same hotel,” said Steve McGregory, director of threat and application intelligence for Ixia, a security firm in Calabasas, Calif.
Jon Miller, vice president of the security firm Cylance in Irvine, Calif., doesn’t see the hacking at Black Hat as malicious so much as simply intellectually curious. But he still turns off Wi-Fi and Bluetooth on his phone and only logs on to the Internet from his hotel room using a virtual private network.
“And all my communications are encrypted,” he said.
Taylor’s not even sure how safe VPNs will be. “I’m just a little concerned that somebody’s got something they’ve figured out — and this is the time they’ll use it,” he said.
Perhaps the biggest danger is the one most people wouldn’t think twice about: using the hotel or conference Wi-Fi to connect to the Internet. “And that means Starbucks, too,” Taylor said.
At Def Con, that’s made abundantly clear by what’s known as the “Wall of Sheep.” Most years a self-appointed group of attendees monitors the conference Wi-Fi and posts a continuous stream of passwords, IDs and other information unwittingly transmitted in the clear by those not using safe computing techniques; anything sent over an open wireless network without https or a VPN can be read by anyone else in range.
To guard against having their cell phones hacked, some attendees use “burner phones” instead. These are cheap, pre-paid cell phones that contain none of their personal information. They just throw them away when they’re done with the conference.
With multiple sessions demonstrating how easy it is to read data from contactless (RFID) credit cards with a handheld reader, lots of people leave their credit cards back in their hotel room safe.
“They can just be standing behind you in the line. They come up to you and kind of bump into you and they’re electronically lifting the information, it just takes a second,” Blech said.
He counsels staff and clients to keep their credit cards in RFID-shielding sleeves, or to stack them one on top of the other so the signals are jumbled up.
Laptops are such a treasure trove of information that many conference-goers leave theirs at home, bringing only a “sterile” machine that contains nothing but the presentations they’re making. No email. No Web browsers. No personal files.
Even though his machines are encrypted “and have all the security they should have,” Brad Taylor at Proficio only plans to carry a clean iPad.
“If somebody’s got something new and they’re testing it out, I don’t want to be one of the people who gets hit,” he said.
All of this makes Black Hat and Def Con somewhat daunting to attend, but that’s the world these security professionals live in every day.
Having to protect a single laptop isn’t that big a deal, Black said. “We get over 20,000 unauthorized probes on our system every minute,” he said.
ISLAMABAD – Former provincial minister Mian Zahid Hussain, who heads the Pakistan Businessmen and Intellectuals Forum (PBIF), has said that the number of internet users in the world has surpassed three billion, and that another one billion mobile internet users will be added soon.
Presently, 192 countries provide 3G services covering half of the global population, while 102 countries have 4G networks, he said. A recent study suggests that 71 percent of the world’s population will be using mobile internet by 2019, and that per capita usage will be three times higher by then.
Hussain said that the material, programmes, websites and other services available on the internet multiply every day, revolutionizing the technology in use. So far, one million applications have been developed for the various operating systems, and app usage has overtaken PC browsing in many countries.
He said that mobile apps are of great help to governments, the public, the business community, farmers and students, and that the internet has played a basic role in making the world a global village. The internet revolution came to Pakistan after the privatisation of PTCL, which introduced high-speed internet, new technologies and products, he said.
He said that the government introduced 3G and 4G technologies which helped masses and business community besides generating revenue of over two billion dollars. He suggested that the National Assembly should adopt a Cyber Crime Act immediately.
Go online for five minutes. Visit a few webpages. How many pictures do you see?
In plain speak, this means virtually any picture you view on the web could carry an exploit hidden in its pixels, where neither a person nor a conventional scanner would notice it. The catch is how the code runs: the hidden program is just pixels until the browser is induced to decode them and execute the result as JavaScript (the decoder travels inside the same image, as described below). Once that happens, the malicious software could do a variety of nasty things, from taking control of your device to stealing data, photos, login credentials, sensitive personal and financial information and more, without you clicking on or deliberately downloading anything. Worst of all, antivirus and malware detection scanners are not, at this time, equipped to detect these kinds of attacks, because the file is still a perfectly valid image, rendering your safety net useless.
While using steganography to convey hidden messages is nothing new, the attack method Shah has developed is, and in his opinion, could be the future of online attacks.
What is Steganography?
Steganography is a technique for hiding a message inside something innocuous, such as an image, an article, a shopping list or other cover text, so that the message itself appears to be part of the carrier. A simple example is a note written in invisible ink between the visible lines of a friendly letter.
Many times throughout history, steganography has been employed alongside cryptography to convey secret messages to the “right” people. The advantage of steganography over cryptography alone is that the secret message does not draw attention to itself as an object of scrutiny: an encrypted blob is obviously something to examine, a holiday photo is not.
As Shah explains it, steganography is all about “hiding things in plain sight.” With his technique and his “Stegosploit” tool, Shah takes the steganographic approach a step further: exploits are delivered not only in plain sight but, as he puts it, “with style.”
Hiding In Plain Sight
Shah’s steganographic adventure in hacking with pictures began five years ago when the avid photographer decided to see just what could be done when he combined his two passions into one.
“I really love photography and I had been looking into jpeg files and image files just because I could,” Shah told iDigitalTimes. “It was then that I began to wonder if non-image data could be encoded inside an image itself. Of course, Steganography in images has been around a long time and a lot of research has been done with encoding text on pictures, but with classic steganography you are just adding text into an image and both the text and the image are passive. What I wanted to do was encode active code into the image pixels so that when it was decoded, it isn’t viewed as an image, but rather, executes.”
Over the last several years, Shah has worked on his technique and discovered executable code can in fact be embedded within an image and executed in a web browser, evading detection of even the most scrupulous malware scanners.
Shah first demonstrated his method at SyScan in March. At the time, the technique required using two images – one to contain the executable code, and the other one to decode it. But since that time Shah has managed to embed both the executable code and the decoder within the same image. This technique is possible with both PNG and JPEG images.
Combining the executable code and the decoder in a single image makes this technique a ripe playground for unethical hackers. As long as the hosting site serves the file unchanged (re-encoding or resizing the image would destroy the embedded bits), it could be posted to any webpage – for example, Instagram, Twitter, Imgur, dating profiles and more. A victim whose browser loads and decodes the photo would be compromised without ever clicking on or deliberately downloading it.
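As an added illustration of the “classic” steganography Shah contrasts with his own technique (this is not Stegosploit and not Shah’s code; the gradient image and the benign payload string are constructed for the example), the following Python embeds bytes into the least significant bit of each colour channel of a raw pixel buffer and reads them back. It also shows why the carrier looks untouched to a scanner, and what re-encoding does to the hidden data:

```python
# Constructed 64x64 RGB "image": a smooth gradient, 12288 bytes of pixel data.
# A real PNG or JPEG decoder hands a browser the same kind of buffer.
WIDTH, HEIGHT = 64, 64
PIXELS = bytes((x + y + c * 40) & 0xFF
               for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))
HEADER_BYTES = 4  # big-endian payload length stored ahead of the payload

# Benign stand-in for a real payload; in Stegosploit this would be the exploit
# JavaScript that the in-image decoder hands to the browser.
PAYLOAD = b"console.log('decoded from pixels')"


def _bits(data):
    """Yield the bits of a byte string, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(pixels, payload):
    """Write len(payload), then payload, into the LSB of successive channel bytes."""
    data = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("payload does not fit in the image")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(data)):
        out[i] = (out[i] & 0xFE) | bit          # each channel moves by at most 1
    return bytes(out)


def _read_bytes(pixels, start, count):
    """Reassemble `count` bytes from the LSBs beginning at channel index `start`."""
    value = bytearray()
    for b in range(count):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (pixels[start + b * 8 + k] & 1)
        value.append(byte)
    return bytes(value)


def extract_lsb(pixels):
    """Inverse of embed_lsb. Returns None when the length header cannot be right."""
    if len(pixels) < HEADER_BYTES * 8:
        return None
    length = int.from_bytes(_read_bytes(pixels, 0, HEADER_BYTES), "big")
    if HEADER_BYTES * 8 + length * 8 > len(pixels):
        return None
    return _read_bytes(pixels, HEADER_BYTES * 8, length)


def max_channel_delta(a, b):
    """Largest per-channel difference between two equally sized pixel buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


def lossy_requantize(pixels):
    """Stand-in for what a site that recompresses uploads does: it does not
    preserve the low bits of every channel (here they are simply cleared)."""
    return bytes(b & 0xFC for b in pixels)


def demo():
    stego = embed_lsb(PIXELS, PAYLOAD)
    return {
        "recovered": extract_lsb(stego),                       # == PAYLOAD
        "max_delta": max_channel_delta(PIXELS, stego),         # 1
        "after_reencode": extract_lsb(lossy_requantize(stego)),  # payload gone
    }


if __name__ == "__main__":
    print(demo())
```

Each channel moves by at most one unit, so the stego buffer is visually and statistically close to the original, which is why a signature scanner looking at the file sees only a valid image. The last step stands in for a site that recompresses uploads and shows that the payload does not survive it. The difference from Stegosploit is where the decoder lives: here it is a separate Python function, whereas Shah carries the JavaScript decoder inside the same image file and relies on the browser to run it.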
While there are no yet known cases of this technique being used in the wild, Shah is confident, they are coming.
“I can’t be the only guy that thought this up,” said Shah. “When I think of something I want to bring it out into the light and say ‘here’s a technique that’s very difficult to do but have at it. Use your creative thinking and find out some defenses against it, because this thing is coming.’”
SAN FRANCISCO – The hackers who got access to over 100,000 personal records through the Internal Revenue Service’s Get Transcript site didn’t need all that much information to break in, say experts.
The IRS said Tuesday that cybercriminals used personal data obtained from elsewhere to get into the transcript service, which allows users to view tax account transactions, line-by-line tax return information and wage and income reported to the IRS.
To access that information, a legitimate user–or a thief–required a name, Social Security number, date of birth, filing status (single, married, etc) and a street address.
Next they needed to answer several personal identity verification questions “that only you can answer,” in the words of the IRS site.
Those included information such as a prior address or phone number or car or home loan information. Users had to supply the correct answer to four such questions.
The problem is, that type of data is readily purchased on the Internet underground, where vast databases containing fully built-out portfolios on tens of thousands of people can go for as little as a dollar a record.
Far from being questions “that only you can answer,” the verification queries used by the IRS were easy enough that the hackers tried to break into 200,000 accounts and got information out of 100,000.
“That’s pretty staggering, it’s a 50% success rate,” said Morey Haber, vice president of technology at BeyondTrust, a Phoenix-based computer security company.
It also wouldn’t have been hard to automate, said Robert Hansen, a vice president at WhiteHat Security, a Santa Clara, Calif.-based security firm.
“Robotic submissions are extremely easy to do,” he said.
Literally dozens of tools are available, often used by spammers, that map out variables such as name, Social Security number, etc. and insert them one after the other in the correct order, Hansen said.
The IRS attack highlights a problem that security researchers have long worried about: the more information an attacker already holds about someone, the easier it is to gather more.
As sites increasingly use personal facts beyond a name and password to confirm identity (so-called knowledge-based authentication), they open a door for attackers who can simply buy those facts.
“The attack on the IRS web application took serious foresight and expertise,” said Trend Micro Global threat communications manager Christopher Budd.
But once the attackers had accumulated and compiled stolen data, they were able to “successfully breach the system and obtain the more valuable information they were after,” he said.
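Hansen’s point about automation cuts both ways: scripted submissions leave a pattern that a person requesting one transcript never does. The following is an added example (not IRS code; the log format, the endpoint and the thresholds are assumptions, and the log lines are constructed) of the velocity check a defender would run over a verification endpoint’s logs to flag a source that walks through many different identities in a short window, plus a slower rule for sources that pace themselves:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for a hypothetical identity-verification endpoint
# (not real IRS logs). One line per KBA attempt: timestamp, client address, a
# hashed identifier for the taxpayer record being claimed, and the outcome.
SAMPLE_LOG = """\
2015-05-20T10:00:01Z src=203.0.113.5 id=7a1f result=fail
2015-05-20T10:00:02Z src=203.0.113.5 id=7a1f result=pass
2015-05-20T10:00:03Z src=203.0.113.5 id=9c02 result=pass
2015-05-20T10:00:03Z src=203.0.113.5 id=1be4 result=fail
2015-05-20T10:00:04Z src=203.0.113.5 id=44d0 result=pass
2015-05-20T10:00:05Z src=203.0.113.5 id=e77b result=fail
2015-05-20T10:00:06Z src=203.0.113.5 id=0f3a result=pass
2015-05-20T10:00:07Z src=203.0.113.5 id=c5c5 result=pass
2015-05-20T10:00:40Z src=198.51.100.7 id=5d19 result=fail
2015-05-20T10:01:10Z src=198.51.100.7 id=5d19 result=pass
2015-05-20T10:09:00Z src=192.0.2.33 id=a001 result=pass
2015-05-20T10:20:00Z src=192.0.2.33 id=a002 result=pass
2015-05-20T10:31:00Z src=192.0.2.33 id=a003 result=pass
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) id=(?P<id>\S+) result=(?P<result>pass|fail)$"
)

WINDOW = timedelta(seconds=60)
MAX_IDENTITIES_PER_WINDOW = 5   # a person verifies one identity, maybe two, not dozens
MIN_IDENTITIES_FOR_RATE = 3     # slower rule: several identities and a high pass rate
SUSPICIOUS_PASS_RATE = 0.5      # the article's reported hit rate on purchased data


def parse(log_text):
    """Yield (timestamp, source, identity, passed) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                       # ignore lines we do not understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["id"], m["result"] == "pass"


def detect(log_text):
    """Return {source: reason} for sources whose behaviour looks scripted."""
    alerts = {}
    recent = defaultdict(deque)      # src -> (ts, identity) pairs inside WINDOW
    attempts = defaultdict(int)      # src -> total attempts
    passes = defaultdict(int)        # src -> attempts that passed
    identities = defaultdict(set)    # src -> every identity it ever claimed

    for ts, src, ident, passed in parse(log_text):
        window = recent[src]
        window.append((ts, ident))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()                  # slide the window forward
        distinct_now = len({i for _, i in window})
        if distinct_now >= MAX_IDENTITIES_PER_WINDOW and src not in alerts:
            alerts[src] = (f"{distinct_now} distinct identities within "
                           f"{int(WINDOW.total_seconds())}s")
        attempts[src] += 1
        passes[src] += passed
        identities[src].add(ident)

    # Slower rule for sources that stay under the velocity threshold but keep
    # passing KBA for one identity after another.
    for src in attempts:
        rate = passes[src] / attempts[src]
        if (src not in alerts and len(identities[src]) >= MIN_IDENTITIES_FOR_RATE
                and rate >= SUSPICIOUS_PASS_RATE):
            alerts[src] = f"{len(identities[src])} identities with {rate:.0%} pass rate"
    return alerts


if __name__ == "__main__":
    for src, why in detect(SAMPLE_LOG).items():
        print(f"ALERT {src}: {why}")
```

In the sample, the first source trips the velocity rule and the third trips the slower pass-rate rule, while the user who fails once and then passes for a single identity is left alone. An attacker who spreads 200,000 attempts across many addresses defeats both per-source rules, so in practice they are paired with hard rate limits, device fingerprinting or a CAPTCHA on the endpoint, and with a review of the overall pass rate, which at 50% is itself a sign that the questions can be answered from purchased data.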
Source: USA Today
Wombat Security wants us to know that whether you’re taking a personal holiday or a business trip, traveling by car or by plane, planning a quick jaunt or preparing for an extended stay, make sure your cyber security best practices are coming along for the ride. Hackers and scammers don’t take vacations.
In fact, they feast on tourists and travelers, taking advantage of people when their guards are down or when they’re distracted by other pursuits. We’ve pulled together four essential tips from our security awareness and training materials that you can use to stay safe when you travel:
1. Stick to the Basics
Many travelers think about packing light when it comes to clothes and toiletries. Well, this advice applies to your mobile devices and personal data as well. Here’s how to streamline:
- Leave data-packed business devices and materials behind whenever possible. If you don’t think you’ll use it, don’t take it. Ask yourself, “Is this business critical?” If the answer is no, it shouldn’t make the trip.
- Limit the credit cards and personal identification items you take with you; pare down to the things you know you’ll need. Before you go, make a note of what you have and any relevant customer service numbers. Store that in a safe place so you’ll have a quick reference in case your wallet is lost or stolen.
- Explore the possibility of using a “disposable” phone and laptop when traveling, particularly if you are an executive, manager, or business insider who deals with highly confidential data. This approach allows you to maintain connectivity without exposing the contact lists, files, and sensitive information that are stored on daily-use devices. If your organization doesn’t support this type of service, make the case for building a small repository of devices that can be issued prior to travel and then be wiped clean afterward.
2. Get Physical
Relatively simple physical security measures can be the difference between keeping data safe and suffering a breach. Whether you’re talking about personal data or business information, dealing with the aftermath of a breach is time consuming, frustrating, and (often) incredibly costly. Remember these basic tips to help keep your devices (and the data they contain) secure while you’re on the go:
- Don’t leave your devices unattended in public, not even for a few moments. It can be tempting to put your smartphone off to the side while you check your bags at the airport or to leave your laptop sitting on the table while you go to the café counter for a refill. Thieves are opportunistic; they can snatch up your device in a second while you’re not looking.
- Keep your devices concealed as often as possible, particularly when in a crowded place. Many smartphones – particularly iPhones and newly released devices – are coveted by criminals, and there have been known instances of particularly brazen thieves swiping phones right out of unsuspecting users’ hands and disappearing into crowds. Keep your smartphone tucked safely in an interior pocket of your jacket or bag when not in use, and consider using a wireless headset if you are “walking and talking.”
- Securely store your devices if you leave them behind. Naturally, your safest bet is to keep items with you, but sometimes that’s not practical while traveling. Remember that a hotel room is not secure; many people have access, and staff members often enter your room while you’re not there. A hotel safe is a better choice than leaving items out in the open or barely concealed in a suitcase (though even these safes shouldn’t be trusted to adequately secure devices that hold highly confidential data).
3. Share Smart
Would you be comfortable broadcasting on the radio that your house will be empty for a week while you’re on vacation? Would you hand your smartphone’s contact list to a complete stranger? Travelers often do the equivalent without even realizing it. Here’s how to keep your private information on lockdown:
- Turn off automatic check-ins and location tracking. In this age of social sharing, people often think nothing of revealing their favorite haunts and places to visit. The problem with automatic posts is the lack of control. Before long, your routines and habits are spelled out for the world to see. These activities can reveal where you are (a confidential business trip or meeting, perhaps), but they also reveal where you aren’t. Scammers and criminals like to tap into schedules because it gives them more information about who you are and what you do.
- Save the vacation posts until you’re back home. As with check-ins, the social updates you post while you’re out of town make it clear that you’re not at home and you’re not at your office. Many people have hundreds of social connections and followers, and a vast number of those online relationships are superficial. If you’re 1,000 miles away and you’ve let everyone know that you’ll be off the clock for a week, this creates a window of opportunity for a criminal to climb through. Though it’s tempting to detail your travels in real time, it’s important to consider the potentially negative ramifications of sharing this information.
- Be careful about Bluetooth connections. You may think nothing of pairing your smartphone to rental cars and other convenience devices. But did you know that information is sometimes stored after you terminate the connection? That means that your contact lists and other data could be left behind on, for example, a car that doesn’t belong to you. Before you turn in your keys, make sure your data has been deleted.
4. Be Cautious of Open WiFi
Many people set their phones to find and connect to accessible WiFi networks. While this approach can help reduce your mobile data consumption, it can also expose you to significant risks. Open WiFi – whether paid or free – must be approached with caution. Why? Because any WiFi network not protected by a password is vulnerable to attack. Here are some important tips to remember:
- Check before you connect. Did you know that names of WiFi networks are manually created? This means that anyone can name a network anything they want. Scammers set up “rogue” and “evil twin” networks with names that sound trustworthy – Airport WiFi, for example – or that are similar to legitimate nearby networks – Official Café Wireless instead of Café WiFi, for example. Once connected to a scammer’s network, your data is in their hands. To be safe, check with an employee or another trusted source before you access an open WiFi network.
- Use https or a virtual private network (VPN) to protect your data. A VPN adds a layer of encryption and security that is valuable when using any unknown connection. If you can use one, do use one. At a minimum, you must ensure that https is present in a web address before accessing a secure site (i.e., webmail, social media, or any site that requires a login). And whenever possible, hold off on doing any financial transactions on WiFi, including checking your bank balance or making ecommerce purchases. It’s safest to handle these activities on known, secure networks.
- Consider traveling with a personal hotspot. If you use a mobile hotspot leased from your service provider, you can be confident that you are getting a secure connection. This is particularly valuable advice for business travelers, given that it’s often necessary to network on the go and that security is a must for business-related activities.
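The “check before you connect” and https/VPN advice above can be turned into a pre-join audit of a Wi-Fi scan. The following is an added example, not code from the original article: it assumes the scan is available as a list of (ssid, bssid, security) tuples from whatever scanner is at hand, the trusted network name is the one an employee gave you, and the function names and the GENERIC_WORDS list are this example’s own.

```python
"""Audit a Wi-Fi scan before joining: flag open networks, same-name APs
with weaker security (an evil-twin indicator) and lookalike names.

Added example; the scan below is constructed, not captured.
"""
import unicodedata

# Filler words too common to tell one network name from another (assumption).
GENERIC_WORDS = {"wifi", "wireless", "free", "guest", "public", "official", "net", "network"}

# Higher rank = stronger link-layer protection.
SECURITY_RANK = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def normalize(text: str) -> str:
    """Lower-case and strip accents so 'Café' and 'cafe' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def distinctive_tokens(ssid: str) -> set:
    """Alphanumeric words of an SSID minus generic filler such as 'wifi'."""
    words = "".join(ch if ch.isalnum() else " " for ch in normalize(ssid)).split()
    return {w for w in words if w not in GENERIC_WORDS and len(w) >= 3}


def audit_scan(scan, trusted_ssid=None):
    """Return a list of (bssid, ssid, reason) findings for a scan.

    scan: iterable of (ssid, bssid, security) with security one of SECURITY_RANK.
    trusted_ssid: the name staff confirmed; used to spot lookalike names.
    """
    strongest = {}  # best security seen per SSID
    for ssid, _bssid, security in scan:
        strongest[ssid] = max(strongest.get(ssid, 0), SECURITY_RANK[security])
    trusted_tokens = distinctive_tokens(trusted_ssid) if trusted_ssid else set()

    findings = []
    for ssid, bssid, security in scan:
        if security == "open":
            findings.append((bssid, ssid, "open network: traffic is unencrypted on the air"))
        if SECURITY_RANK[security] < strongest[ssid]:
            findings.append((bssid, ssid,
                             "weaker security than another AP with the same name: evil-twin indicator"))
        if trusted_ssid and ssid != trusted_ssid and distinctive_tokens(ssid) & trusted_tokens:
            findings.append((bssid, ssid,
                             f"name resembles trusted network {trusted_ssid!r}: possible lookalike"))
    return findings


# Constructed scan: two legitimate café APs, an open clone of the same name,
# a lookalike, a generic open network and an unrelated WPA3 network.
SAMPLE_SCAN = [
    ("Café WiFi", "aa:bb:cc:00:00:01", "WPA2"),
    ("Café WiFi", "aa:bb:cc:00:00:02", "WPA2"),
    ("Café WiFi", "de:ad:be:ef:00:01", "open"),
    ("Official Café Wireless", "de:ad:be:ef:00:02", "open"),
    ("Airport WiFi", "de:ad:be:ef:00:03", "open"),
    ("HomeNet-5G", "11:22:33:44:55:66", "WPA3"),
]

if __name__ == "__main__":
    for bssid, ssid, reason in audit_scan(SAMPLE_SCAN, trusted_ssid="Café WiFi"):
        print(f"{bssid}  {ssid!r}: {reason}")
```

The audit cannot prove an access point is legitimate; it only raises the flags a traveler would otherwise miss, which is why the trusted name still has to come from an employee or another trusted source, as the tip says.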
Growing inclination towards cloud storage, the introduction of public clouds and growing emphasis on digitization are propelling the need for cyber security across the globe. North America and Europe have been the leading revenue contributors, capturing major shares in the market in 2014. Moreover, Asia-Pacific is rapidly emerging as a potential market for cyber security solution providers, driven by emerging economies such as China, India and South-East Asian countries, where rising cyber espionage by foreign countries is inducing the need for safeguarding cyber space.
Over the last few years, cyber security has become extremely vital for public as well as private enterprises as cyber-attacks have become more organized and sophisticated. In addition, the number of state sponsored attacks across the globe has surged. The prime motives steering cyber-attacks are monetary benefit and access to secret information of an organization. The banking and financial services sector has been the prime target of cyber criminals over the last five years, followed by the IT & telecom, defense and oil & gas sectors. Thus, companies and governments across the globe are increasing their budget allocation towards cyber security.
Countries such as the US, the UK, Japan, Singapore and South Korea have a dedicated cyber security policy in place. Therefore, investments on cyber security by these countries are expected to witness a rapid increase over the next five years. In addition, venture capital investments, and mergers and acquisitions in these countries, are also contributing significantly towards industry growth and consolidation.
Global Cyber Security Market Forecast & Opportunities, 2020 discusses the following aspects of cyber security market across the globe:
- Rising Venture Capital Funding
- Ongoing Mergers & Acquisitions
- Next Generation Firewall
- Internet of Things
- Ongoing R&D in Cyber Forensics
- Big Data Analytics & Greater mobility
- Bring Your Own Device (BYOD)
- Investments in Exploit Mitigation
Key Topics Covered:
1. Research Methodology
2. Analyst Views
3. Global Cyber Security Market- Introduction
4. Global Cyber Security Market- Market Overview
5. Global Cyber Security Market Outlook
6. North America Cyber Security Market Outlook
7. Europe Cyber Security Market Outlook
8. Asia-Pacific Cyber Security Market Outlook
9. Rest of the World Cyber Security Market Outlook
10. Global Cyber Security Market Outlook – By Security Type
11. Global Cyber Security Market Outlook – By End User
12. Market Dynamics
13. Market Trends & Developments
14. Competitive Landscape
15. Strategic Recommendations
- Symantec Corporation
- McAfee Inc.
- Trend Micro Inc.
- Sophos Plc
- BAE Systems Inc.
- Booz Allen Hamilton Inc.
- FireEye Inc.
- Dell SecureWorks Inc.
- Check Point Software Technologies Ltd.
- Northrop Grumman Corporation
- International Business Machines Corporation
- Computer Science Corporation
- Lockheed Martin Corporation
- Palo Alto Networks Inc.
- Fortinet Inc.
- RSA Security LLC
- Cisco Systems Inc.
- Thales Group
- Barracuda Networks Inc.
- Kaspersky Lab
For more information visit http://www.researchandmarkets.com/research/gpt8b2/global_cyber
Media Contact: Laura Wood, +353-1-481-1716
Source: TMC News
Few business people outside IT departments have any knowledge of current information security threats, according to BH Consulting founder and chief executive Brian Honan.
This lack of familiarity of the continually changing threats to information security is one of the biggest challenges to raising the cyber literacy and security awareness of non-technical executives, said Honan.
“To many people in the business side of things, cyber security is something that is in the background, or something they pay attention to only for regulatory compliance reasons,” he said.
Despite the growing importance of information security to business, added Honan, there is still not a good understanding of the issues by the business.
“Information security professionals struggle to engage the business on the topic because they tend to focus only on the technical aspects using terms and concepts unknown outside IT,” he said.
“This makes information security a mysterious part of the organisation that is associated with telling people in the business that they cannot do things because of security.”
Consequently, information security professionals tend to be viewed in a negative way by the business, presenting further challenges to improving awareness and understanding of security issues.
“Information security professionals need to communicate better with the business in a way that is not too technical or difficult to understand,” said Honan.
One approach to this long-standing problem, he said, is to translate security topics into business terms and metrics so that non-technical executives can see value and benefit in security.
“For example, instead of talking about the number of spam email messages a filtering system is capable of blocking, we need to express that as time and cost savings,” said Honan.
Information security professionals should also talk to the business more in terms of business risk, he said, because that is a more familiar and meaningful concept.
“For example, when talking about things like bring your own device, we should not say ‘you can’t do that’ but instead say ‘yes you can do that, and the business risks are as follows’,” said Honan.
Then as a follow up, he added, information security professionals can tell the business what security investments need to be made to mitigate that risk or manage it down to an acceptable level.
Honan believes that information security professionals should ensure they are continually providing meaningful metrics to the business to ensure that security is constantly on the radar of executives.
“These metrics can include things like the proportion of staff that have completed security awareness training, the proportion of mobile devices that are encrypted, the number of security incidents, the mean time to resolving security incidents, and how these metrics are trending over time,” he said.
However, Honan warned that metrics in isolation may not provide any great insights into how well a security programme is working. “You have to tie them in to other metrics and things that might be having an influence on the business, such as a planned acquisition or product launch,” he said.
According to Honan, the ISO 27001 information security standard provides a useful way of understanding potential deliberate and inadvertent risks to information security in a business.
“The standard has been useful in helping to engage the business, but it is key as an information security professional to understand the business you are dealing with,” he said.
“One industry sector is not necessarily concerned about the same types of risk as another, which means that when talking to a business, it is important to understand what risks it cares about.”
Understanding the business better makes it easier to communicate the impact of particular security threats in a much more relevant and effective way, said Honan.
It is also useful to talk to managers to find what they are struggling with from a security point of view, he said. For example, sales teams may be finding security too cumbersome for accessing systems remotely.
“When people find security too difficult, they try to go around by copying data onto USB sticks or private cloud storage, which has huge risk implications for the business,” said Honan.
In one organisation where he encountered this problem, Honan said he worked with the sales manager to propose an enterprise cloud-based customer relationship management system.
“A similar proposal for a cloud-based email service was also adopted and rolled out to the whole business because it was secure, easier and less expensive,” said Honan.
“This is an example of a project driven in partnership with a business unit with security seen as an enabler rather than an inhibitor.”
All organisations are targets
According to Honan, another useful way for information security professionals to engage with the board and c-level executives is to demonstrate how cyber criminals are attacking every business size and type.
“Many organisations believe that cyber attackers are interested only in banks or payments processing companies, but they need to understand that all organisations are now targets,” he said.
“Businesses need to understand that criminals are not only after financial data, they are also seeking personal data of employees and customers, and to hijack IT infrastructure for criminal use.”
Boards may also need to be made aware that because of all the personal data their company holds, they have personal legal obligations for ensuring it is protected adequately.
“Information security professionals can help board members to understand their obligations from a regulatory compliance, governance and even ethical and moral point of view,” said Honan.
He believes that information security professionals should be proactive about engaging with the business and demonstrating the potential value of security to achieving long-term business goals.
“By taking the initiative and engaging the business regularly and consistently, executives will quickly learn what is important to them and what questions they should be asking,” said Honan.
Source: Computer Weekly
Data breaches can cost companies hundreds of millions of dollars, erode shareholder value, and indelibly tarnish corporate reputations. Yet, chief executives and other top brass at organizations that suffer such incidents have remained largely immune from the fallout.
That may be changing.
A new survey of 200 directors of public companies conducted by security firm Veracode and the New York Stock Exchange Governance Services shows that corporate boards have become much more serious about data breaches and are willing to hold top executives accountable for them.
More than four in 10 of the directors in the survey felt that a company’s chief executive officer should take the rap for a data breach. When asked to prioritize who should be held accountable for such incidents, corporate boards ranked the chief executive officer first, followed by the chief information officer, and then the entire executive team.
Chief information security officers, often the fall guys in a data breach situation, ranked fourth in the list – suggesting that directors get it that security executives can do only as well as the support and the resources they get from top management.
Security has also become a growing priority for boards. In fact, 81 percent of the directors in the survey said information security matters have become a topic for discussion at most or every board meeting. Still, two-thirds professed being uncertain of their company’s ability to avert a data breach, while more than 70 percent said they were significantly concerned about security risk from third-party software in the supply chain.
The numbers reflect a major shift in attitudes toward cybersecurity within corporate boards. Until the recent spate of mega breaches at Target, Sony, Home Depot, Anthem, and elsewhere, information security was hardly, if ever, a top item on the corporate risk-management agenda.
“Legal, regulatory, shareholder, and professional bodies are increasingly charging board members to become more accountable for this area of risk,” said Martin Whitworth, an analyst at Forrester Research.
“Whilst this attention can only be a positive thing, it has to be balanced by the lack of confidence expressed by these same board directors in their companies’ ability to properly mitigate against cyberrisk,” he added.
The report shows boards need help in understanding the level of risk they face and the available options for dealing with them, Mr. Whitworth said.
Board members and chief executives have generally tended to view cybersecurity as a tactical mission best handled by the technology group. Accountability has been rare, and often restricted to the executives directly in charge of the security or technology function.
When Target suffered its massive data breach, the only top executive to pay a price for the incident, at least publicly, was Chief Information Officer Beth Jacobs. The CEO, Gregg Steinhafel, quit the company a few months after the breach, but his exit is believed to have had more to do with a botched expansion in Canada than just the breach.
The same was true in previous incidents: When someone has been held accountable after a data breach, it was usually from the technology side. In 2012, when hackers broke into a Medicaid server at the Utah Department of Health and accessed some 24,000 records containing sensitive data, it was the executive director of the state’s department of technology services who had to quit. In 2014, the Maricopa County Community College District in Arizona fired the longtime director of its information technology department for a breach that exposed Social Security Numbers and other sensitive information on more than two million people.
But growing concerns about brand damage, loss of intellectual property, and financial losses have changed how corporate boards view data breaches, says Chris Wysopal, chief technology officer of Veracode. Many appear willing to spread the blame around more evenly, he said.
“One of the key takeaways here is that they see the CEO as the one that is ultimately responsible” for cybersecurity, Mr. Wysopal said. “As breaches have gotten bigger and bigger [corporate] boards are beginning to see that security is ultimately not an IT problem relegated to a technology specialty but a much more broad based problem.”
Liability concerns may be another factor driving the change of heart within corporate boards. Big breaches often spawn lawsuits from consumers, banks, and other affected parties. Target, Home Depot, and Anthem, for instance, were all hit with literally dozens of lawsuits in the aftermath of their breach disclosures. Typically, such lawsuits tend to get consolidated and then later dismissed by the courts or settled for relatively modest sums.
But some of the lawsuits have started raising thorny questions for companies. Last December, a Minnesota federal court ruled that Target could be sued for negligence because it failed to heed warnings about the breach from a security alerting system. Some have said the ruling could set in motion new legal standards for bringing negligence claims against organizations that suffer data breaches.
In May 2014, Institutional Shareholder Services, a company that advises shareholders on governance risk issues called on Target shareholders to vote against seven of the 10 directors belonging to the company’s Audit and Corporate Responsibility Committee for failing to provide enough risk oversight. Though all of the directors were reelected at the company’s shareholder meeting last June, the incident should put companies on notice: Some stakeholders may have started running out of patience with corporate boards’ attitudes toward cybersecurity, too.
Source: The Christian Science Monitor
Ransomware is a real pain. It’s a type of virus that infects a target’s computer, encrypts their files, and keeps them locked out until the victim pays a hefty lump sum, often in bitcoin.
For this, a blackmailer would usually either make their own ransomware program, or buy one ready-made from a forum or marketplace. Now, one dark web hacker has taken a crowdsourced approach to generating income: ‘Tox’ has released their own free ransomware for anyone to download and distribute. Users just have to cut the creator in on any profits.
It takes only a few seconds to set up an account on the host site (also called Tox), and you don’t need to provide an email or any other identifying information. A user then types in the ransom amount they want to ask for, an additional note such as the name of the target, and clicks “Create”. The custom ransomware—which is designed to work on Windows systems—is then available to download and spread.
“Once you have downloaded your virus, you have to infect people,” writes Tox, who suggests sending the virus to a target as an email attachment, much in the style of traditional phishing emails.
If a target infects their machine, and pays the ransom, the bitcoin is then transferred to the user’s site account. Here, the user enters a bitcoin address to withdraw the funds to, and Tox takes a 30 percent cut. Not bad for a piece of free software.
“The user list is growing exponentially,” Tox told Motherboard in an email. “I hope to make enough money to travel the globe, but that’s not my focus.”
Over the past three or four days, users have infected over a hundred computers, according to Tox. “Their first targets are pedos and random email accounts.”
The icon of the ransomware file gives the appearance of a normal Word document, and according to security company McAfee, which discovered the site on May 19, “the malware works as advertised.” The researchers added that the virus’s “antimalware evasion is fairly high.” However, Security Zap published a list of nine anti-virus programmes that do detect Tox’s ransomware (this list did not include any of McAfee’s products).
“McAfee guys noticed that it’s not the best malware ever coded, but as long as it works it’s fine,” Tox continued, and claimed to have authored the ransomware. “I’m planning to rewrite it in the future.”
The most novel aspect of this ransomware is the crowdsourcing side: with this arms-length approach, others go out and do the actual infecting of machines on Tox’s behalf. (At the moment, the site FAQ states that Tox still infects machines personally, too).
“This is a revolutionary service,” Tox continued. “Hackers always had problems spreading their virus, me included. So I decided to delegate this part to other people.”
Consumers have a stern warning for banks: Keep our data safe or we’re through.
That’s according to a survey of more than 1,000 Americans conducted for public relations and communications firm Makovsky by market researcher Ebiquity in March. The survey results will be released later Thursday.
Nearly three-quarters of the survey’s respondents said they would likely switch to another financial services provider if their financial or other personal information were stolen by cybercriminals.
“Consumers strongly believe that if their data and personal information is compromised in any way, they probably would pull out their money and move it to another bank,” said Scott Tangney, executive vice president at Makovsky.
That could be bad news for big banks given that there have been more and more high-profile data breaches lately.
Fortunately, financial firms realize that they must do a better job of protecting their customers.
What the bankers say: Ebiquity also surveyed 227 marketing and communications executives at large and mid-sized financial services institutions. More than 80% of them admitted that fighting cybercrime will be one of the biggest issues they face in trying to restore their reputation with consumers over the next few months.
This is the fifth annual survey by Makovsky and Ebiquity about the reputations of banks and other financial firms. It is the first to include the input of actual bank customers.
Tangney said it’s not surprising that many average Americans are still wary of the financial sector.
Reputation issues: The wounds of the credit crisis and Great Recession are still fresh. And many big banks remain in the headlines because they are paying fines for bad behavior from the recent past.
“The industry’s reputation has been stuck in the mud. That’s for sure,” said Tangney. “A sense of trust seems to be lost almost forever for some customers.”
Interestingly, the executives surveyed actually felt that JPMorgan Chase had the strongest reputation of any financial firm. Visa came in second. Wells Fargo, which had the top reputation last year, fell to third.
But customers said that negative news of any kind about their financial firm was the top reason they would consider looking for another financial provider.
To put that in perspective, consumers cared more about the reputation of their bank than the fees they charge or the type of mobile technology they offer.
That’s a problem for the industry. The financial services executives surveyed estimated that they lost about 17% in revenue last year due to concerns about reputation and poor customer satisfaction.
If there is any good news for banks and other financial firms though, it’s that consumers still think they are doing a better job than other industries of keeping information safe.
Trust is key: Only 13% said they trusted the government (i.e. the IRS, Social Security and the Postal Service) the most with their information.
Just 4% indicated they trusted mobile services like Apple Pay, Google Wallet or PayPal. And only 4% trusted retailers and health care — the two industries that have been the victim of the most high-profile hacks.
But nearly a third of the consumers surveyed said they trust banks, insurers and credit card companies with their information more than other institutions.
Then again, this may not be saying much. Nearly 40% of those surveyed said none of these industries could be trusted.
Source: CNN Money
Security researchers are warning that privacy issues in the Bluetooth Low Energy (BLE) protocol could make users’ smart devices easily trackable from potentially long distances.
Context Information Security announced the findings of new research in a post at the end of last week.
In just half an hour hanging around Canary Wharf Underground station, the team used a specially built proof-of-concept Android app to spot 149 devices, including 26 FitBits, two Jawbones, two Nike products and “a lot of iPhones.”
The problem lies with the fact that although most BLE-supporting smart devices have a ‘random’ MAC address, that address is often fixed, making it easy to identify and track.
BLE was designed for apps which need to constantly beam out signals without running the battery down, with said packets sometimes even containing the device or user’s name, Context claimed.
This isn’t just a privacy risk but could be used by attackers to help with social engineering as part of a targeted cyber attack, or even for a ‘physical’ crime if a criminal knew a victim’s movements, the firm said.
What’s more, although the range of these devices is around 100 meters, with a “high gain directional antenna” it was possible to detect Bluetooth packets at half a mile, the report claimed:
“If I have an easy way to scan for these devices, and can attribute a device to a particular person such as a celebrity, your CEO or the police officer leading an investigation against your company, then I can easily tell when they’re nearby. Many of the available fitness trackers are waterproof and measure sleep, so there’s no need to ever take them off.”
Context also raised concerns about the use of iBeacons – used by retailers, airline providers and other firms to beam out information via BLE in a constant stream to customers walking by who have a related app on their device.
However, the protocol could become far more intrusive if phone manufacturers begin to ship devices with selected iBeacon apps pre-installed. This means they could start spamming out location-based sales and marketing messages ad nauseam, the report claimed.
“Most of what we found is not a bad implementation or mistake, but is inherent to how BLE works. In their designs, the vendors have prioritised the ease of pairing. BLE devices need to broadcast their presence constantly so that they can be detected by the paired smartphone,” researcher Scott Lester told Infosecurity.
“That said, vendors could do more to anonymise devices, for example by not allowing the user to name the device, or by implementing some of the measures in the latest version of the protocol to obscure the device address.”
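The address point above (a ‘random’ address that never actually changes) can be checked against a scanner’s own log. Here is an added example, not code from Context Information Security or from the article: it assumes observations as (seconds since scan start, address, is_random_address, advertised_name) tuples, the rotation interval is the Bluetooth Core Specification’s recommended 15 minutes for private addresses, and the function names and the sample log are this example’s own.

```python
"""Estimate how trackable a BLE device is from its advertising addresses.

Rules applied (Bluetooth Core Spec):
  * a public address is a permanent, manufacturer-assigned identifier;
  * a random address is typed by the two most significant bits of its
    first (left-most printed) octet: 11 static, 01 resolvable private,
    00 non-resolvable private;
  * private addresses are meant to rotate; the recommended interval is
    15 minutes, so one seen for longer than that is effectively fixed;
  * an advertised name is a linkable identifier regardless of the address.

Added example; the scan log below is constructed, not captured.
"""

RPA_ROTATION_LIMIT_S = 15 * 60  # recommended private-address rotation interval


def classify_random_address(addr: str) -> str:
    """Sub-type of a random BLE address from its top two bits."""
    top2 = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static", 0b01: "resolvable", 0b00: "non-resolvable"}.get(top2, "reserved")


def assess_trackability(observations, rotation_limit_s=RPA_ROTATION_LIMIT_S):
    """Return {address: [reasons]} for every address that lets a passive
    observer follow the device for the length of the scan."""
    spans, kinds, names = {}, {}, {}
    for t, addr, is_random, name in observations:
        first, last = spans.get(addr, (t, t))
        spans[addr] = (min(first, t), max(last, t))
        kinds[addr] = classify_random_address(addr) if is_random else "public"
        if name:
            names[addr] = name

    flagged = {}
    for addr, (first, last) in spans.items():
        reasons = []
        kind = kinds[addr]
        lifetime = last - first
        if kind == "public":
            reasons.append("public address: a permanent, manufacturer-assigned identifier")
        elif kind == "static":
            reasons.append("static random address: fixed at least until the device is power-cycled")
        elif lifetime > rotation_limit_s:
            reasons.append(f"{kind} private address unchanged for {lifetime}s, "
                           f"longer than the {rotation_limit_s}s rotation interval")
        if addr in names:
            reasons.append(f"advertises a name ({names[addr]!r}) that can be tied to the owner")
        if reasons:
            flagged[addr] = reasons
    return flagged


# Constructed scanner log: (seconds since start, address, is_random, advertised name).
SAMPLE_SCAN = [
    (0,    "F4:2A:9B:11:22:33", True,  "Scott's tracker"),  # static random (0b11), named
    (3600, "F4:2A:9B:11:22:33", True,  "Scott's tracker"),
    (7200, "F4:2A:9B:11:22:33", True,  "Scott's tracker"),
    (0,    "5C:01:23:45:67:89", True,  ""),   # resolvable private (0b01) ...
    (600,  "5C:01:23:45:67:89", True,  ""),
    (700,  "6B:98:76:54:32:10", True,  ""),   # ... rotated to a new RPA within the limit
    (1300, "6B:98:76:54:32:10", True,  ""),
    (0,    "4A:AA:BB:CC:DD:EE", True,  ""),   # RPA that never rotates during the scan
    (3600, "4A:AA:BB:CC:DD:EE", True,  ""),
    (0,    "2E:00:11:22:33:44", True,  ""),   # non-resolvable private (0b00), short-lived
    (30,   "2E:00:11:22:33:44", True,  ""),
    (0,    "00:1A:7D:DA:71:13", False, ""),   # public address
]

if __name__ == "__main__":
    for addr, reasons in assess_trackability(SAMPLE_SCAN).items():
        print(addr, "->", "; ".join(reasons))
```

Run against a log of your own devices, the output tells you which of them a passive observer could follow and why, which maps directly onto the two mitigations Lester names: not advertising a user-chosen name, and using the protocol’s address-privacy features so the address actually rotates.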
Source: Info Security
In a report published Wednesday, Morgan Stanley analyst Keith Weiss discussed the results of a cyber-security themed survey he conducted with more than 60 Chief Security Officers (CSOs).
“Growth in security spending is expected to improve in 2015 versus 2014, with respondents reporting an average 12.8 percent growth in network security spending in 2015 versus 10.7 percent growth in 2014,” Weiss wrote.
“This suggests that commercial demand for security is at least stable, if not improving, as supported by generally solid first quarter results for security vendors.”
Weiss also highlighted several other key findings from the survey:
- Firewall refreshes are expected to downtick modestly in 2015 but refreshes remain “relatively robust” as 53 percent of respondents plan to refresh in 2016 and beyond.
- Spending on “next gen security solutions” is likely to accelerate as advanced malware protection and security analytics ranked at the top of the priority list for CSOs.
- 79 percent of respondents indicated they have or will purchase Advanced Malware Protection as part of a larger endpoint or network security suite.
- Spending will continue to consolidate traditional “deterministic” functionalities to free up personnel to focus on “next gen” or “probabilistic” technologies that will provide better security protection.
Investment Themes: Palo Alto Networks Market Share Winner
According to Weiss, Palo Alto Networks Inc (NYSE: PANW) continues to gain share, with 13 percent of respondents using the firm’s products and services today for their primary firewall, up from 2 percent in the last survey. Twenty-three percent of customers expect to use Palo Alto as their firewall vendor, with share gains coming at the expense of Cisco Systems, Inc. (NASDAQ: CSCO) and Juniper Networks, Inc. (NYSE: JNPR).
Weiss continued that security buyers will continue to pay for differentiated functionality including “next gen” threat prevention and more robust monitoring functionalities. This will directly benefit Palo Alto Networks and Splunk Inc (NASDAQ: SPLK) as both firms are “best positioned.”
Finally, Weiss noted that FireEye Inc (NASDAQ: FEYE)’s operating losses “keeps us on the sidelines” despite the company’s “broadening” technology portfolio. Similarly, the analyst also suggested Symantec Corporation (NASDAQ: SYMC) investors stay on the sidelines due to secular challenges and execution issues that have resulted in share loss and limited growth opportunities.
As candidates hit the campaign trail, NPR looks at four major issues the next president will face from Day 1 in office.
When President Obama took office back in 2009, “cybersecurity” was not a word that everyday people used. It wasn’t debated. Then, mega-breaches against consumers, businesses, and the federal government changed that.
The latest came Tuesday, when the Internal Revenue Service said criminals used an online service provided by the agency to access the information of more than 100,000 taxpayers.
Now, the 45th president will have to come into office with a game plan for how to protect us online. The plan could shape up any number of ways because our digital lives — and the attacks against our digital lives — are pretty new. But it’s something people care a lot about.
With Edward Snowden, American citizens learned we’re the target of a mass surveillance program we didn’t know about, and that the National Security Agency, a military agency, is porous, vulnerable to insiders hacking and stealing.
With the Sony attack we saw how security breaches can bring big companies to a screeching, embarrassing halt.
And let’s not forget the new era of garden-variety crime. Credit card fraud, a la Target, set off a credit monitoring frenzy. And Anthem demonstrated that no institution is sacred. Criminal attacks against health care are the new normal, according to a recent Ponemon Institute study.
(How do hackers even make money from stolen medical records?!)
And then of course, there are the digital crimes of passion we’re committing against each other. Take revenge porn, a national concern that some states are taking on individually.
Is this starting to feel…overwhelming?
When it comes to “cybersecurity,” the next president of the United States has tough choices to make: before even getting to solutions, what are the most important problems? And where should the federal government weigh in, or leave it to states or companies? Turns out Americans don’t have all that much confidence in any of them.
Back in the 1990s, “we didn’t need to worry about security because the market would take care of it,” said Jim Lewis, a senior official at the Departments of State and Commerce during the Clinton era. “Consumers would demand security and companies would provide it.”
Turns out they were wrong, he says. “That hasn’t happened.”
Under Clinton, the Internet went from a Pentagon project to a place for companies to play, experiment. And under Obama, we saw the smartphone revolution. Lewis says we’ve got to step back and, “just as we have energy policy and space policy and defense policy, maybe we need cyber policy.”
It’s very hard to regulate technology that’s unfolding before our very eyes.
Lewis — who’s now a senior fellow with the Center for Strategic and International Studies in Washington DC — names one key issue: consumer protection. And, he says, it’s a foreign policy issue.
Certain countries are sanctuaries for cybercriminals. That’s often where our personal data is flowing. “Finding out that someone in the Russian mafia has all your credit card information and your social security number doesn’t make the average voter happy,” he said.
Cybersecurity expert Bruce Schneier, a fellow at Harvard’s Berkman Center, says another way to protect consumers is corporate accountability.
“What government can do about data breaches is increase the penalties,” he says. “Right now your data is not very well protected because the cost of losing it isn’t very high to the companies that have it.”
Schneier wants to see the next president take on privacy too — what should police be able to access without a warrant, and what should companies be allowed to store. So far, we’ve just kind of assumed the answer is … everything.
For example, the company Uber published a light-hearted blog, called “Rides of Glory,” about people using Uber to have flings. Basically they looked at rides happening at night from point A to point B, and rides happening the next morning by the same person back.
Now, Uber didn’t publish the names of the people. It was aggregate, Big Data (and interestingly, the company took down the post as well).
But Schneier said, without a federal law on commercial privacy, they could have. “Right now under US law they could do whatever they like with that data. And it is just them being nice that makes them not publish it or sell it to people trying to market to you.”
The cybersecurity game plan could tackle any number of topics — data encryption, structural reform of the NSA, the role of Homeland Security. And that’s not even counting lightning-rod issues, like whether the next president’s Supreme Court nominee believes in changing passwords regularly.
A hacker told the FBI last week he has been able to crack aircraft computers on numerous occasions—as a passenger. According to the affidavit, Chris Roberts claims he caused a plane to move laterally and climb while he was connected to its onboard entertainment system.
During an April 15 flight on United Airlines from Chicago to Syracuse, N.Y., Roberts tweeted he might activate the drop-down masks or the plane’s alert systems, all in a bid to identify security risks ahead of malicious hackers.
Though United officials said it was doubtful his hacking escapade was possible, FBI agents questioned him upon arrival. Experts say potential onboard cyber threats should be taken seriously as newer model airplanes are increasingly connected to the internet.
Roberts’ company, One World Labs, specializes in finding such risks.
Before the April flight, Roberts met with the FBI in February and March to highlight vulnerabilities with certain aircraft entertainment systems, the affidavit said. He explained how he managed to breach a plane’s systems between 15 and 20 times during 2011 and 2014, simply by connecting his laptop via ethernet cable to an electronics box beneath his seat.
Speaking through his attorney at the San Francisco-based Electronic Frontier Foundation, Roberts claimed he only wanted to help improve aircraft safety.
Roberts’ hacking trips came to light a month after a report by the U.S. Government Accountability Office, which said some passenger airliners are open to hacking through their wireless networks.
“Modern aircraft are increasingly connected to the internet,” the report noted. “This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.”
The proof of such a risk is in passenger-seat video monitors: They visually map the plane’s real-time location as passengers switch between video and television programs and the map, indicating a link between flight control and entertainment networks, said Steven Bellovin, a computer science professor at Columbia University.
And an airplane offering Wi-Fi access to passengers may do so through the same data link pilots use to communicate with the airline, he said.
United Airlines—maker of the ultra-connected Dreamliner—noted Roberts’ claims about being able to manipulate computer systems on board a flight, but spokesman Rahsaan Johnson said airline officials are “confident” Roberts could not access the flight control systems in the way he described.
A Boeing statement said in-flight entertainment systems and navigational systems are not intertwined. Other electronics designers and experts say Roberts’ claim is highly dubious because changes to flight plans loaded into the airplane’s communications systems can only happen with a pilot’s approval, even if a hacker gained entry.
Tim Erlin, director of IT security and risk strategy at the cybersecurity firm Tripwire, said passenger-to-cockpit computer connectivity may depend on the aircraft model and how old the plane is: “If a system was installed well before these kinds of attacks and tools were conceived of, there would have been no reason not to connect them, and it might have been perceived as extra cost and complexity to keep them separate.”
Whether or not Roberts’ self-styled “white hat” hacking is truly aimed at improving security, airlines face security issues daily: Four U.S.-bound international airliners received anonymous threats just this week.
You occasionally hear about major security vulnerabilities being discovered before they’re exploited, like the notorious Heartbleed bug last year. Security researchers work hard to weed out those dangerous flaws before they’re found by hackers of more malicious intent. This breed of preemptive hacking is sometimes referred to as white hat, or simply “ethical hacking.”
These hackers work with businesses to probe their networks for security holes, vulnerabilities to social engineering, and more, while considering the mindset of someone who might have criminal motivations. To learn about what such work is like we spoke with Ben Miller, an ethical hacker at Parameter Security.
First of all, tell us a little about your current position and how long you’ve been at it.
I’m an “ethical hacker” at Parameter Security, which means companies basically hire me to try to break into their computer networks in order to figure out how a real criminal would do it. People in this profession use all sorts of tricks to sneak in—you can hack your way in, con employees over the phone or email, use impersonation to walk in, it really doesn’t matter. I’ve never come across a business that couldn’t be compromised. I’ve broken into a wide range of companies and organizations, from banks to hospitals, Fortune 500s, manufacturers, city utilities, government agencies, you name it.
I’ve been hacking full-time for the last five years and it’s really one of the most interesting and challenging jobs anyone can have. It’s also incredibly rewarding, because I know I’m helping to protect companies and institutions from malicious hackers who would otherwise have nothing to stop them from breaking in.
What drove you to choose your career path?
I knew from a young age that I was interested in computers. I grew up on a farm in northeast Missouri, and while I learned early on the value of hard work, persistence, and making your own goals, I also realized as a kid that I had no desire to come home dirty and bloody from farm work every day. Luckily, my insightful father bought a family computer when I was in grade school. It was an IBM-compatible 286 processor system. I learned neat tricks on Windows 3.1 and MS-DOS like “DELTREE,” which deleted an entire file structure, and how to change colors on the background. I enjoyed teaching the non-damaging tricks at my junior high school and soon I was accepted into a school program to help teachers with their computer problems.
However, it wasn’t until I saw the movie Sneakers that I realized just how much potential there was for my interest in computers. Seriously, that movie had a big impact on me—and I bet others in this field, who were around at the same time, probably felt this way too. That was really my first glimpse into the world of ethical hacking, and I was drawn to it right away. Seeing Robert Redford use social engineering to pull off these incredible feats, and the way “Whistler” never got rattled by obstacles, but instead just used technology and logic to overcome them, that made a big impression on me. I had always been drawn to technology, but seeing the potential of it, maybe also the “coolness” factor too, and how it could be used to do good in the world, that really excited me.
All sorts of people are drawn to ethical hacking, with all types of backgrounds and motivations, but I think in the end most of these people are just drawn to technology early on, and it’s the challenge and creative thinking of figuring out a way to bypass a software control or make a program do something entirely new that constantly pushes them to go further and further with it—until it becomes a career.
How did you go about getting your job? What kind of education and experience did you need?
Ethical hacking isn’t a regular kind of job. You don’t have to have a college diploma or a certification to do it. All you need is a good knowledge of computers, software and programming languages, creativity, and drive.
In my case, I went to college in 1999 and graduated with a degree in computer systems and networking. Unfortunately, the dotcom bubble burst right after I graduated, so I had a hard time finding a good job in this field. I ended up going back to college to study religion, and it wasn’t until 2006 that one of my friends told me about an opening at the county hospital for a network administrator. While I worked there, I spent a lot of time focused on making sure the hospital’s network was HIPAA compliant, so that it wasn’t exposing patient data or vulnerable to hackers who would try to steal it. I knew that if I was going to keep criminals out of the hospital, I’d have to learn their tricks and how they operated, so I took a “Certified Ethical Hacker” course that was being offered by a local company. This course, which was taught by my future boss, focused on the mindset and techniques of the criminal hacker—it basically taught you how to think like a criminal hacker. After the second day, I knew this is what I wanted to do full time and my ethical hacking instructor (Dave Chronister) hired me a year later, once I had proven myself in the field.
Did you need any licenses or certifications?
You don’t have to have any certifications to be an ethical hacker, but it’s always a good idea to get them, as it proves your knowledge and experience in key areas. There are dozens of certifications out there, and whether or not they are worthwhile to your career depends heavily on what types of businesses you want to work for. Do research on a certification or class before you spend your money! However, if you do forensic investigations for clients, most states require a private investigator license.
Problem solving, persistence, and good communication skills are all key traits to have for this job.
What kinds of things do you do beyond what most people see? What do you actually spend the majority of your time doing?
I get to see deep inside critical networks (think banks, hospitals, utilities, major companies), and see just how vulnerable they really are if the right attacker happened to target them. It’s sort of like seeing how the sausage is made, because you see how these really important systems are often running on older software and hardware, or they have vulnerable programs that are still unpatched, or they’re connected to things they shouldn’t be, or default passwords are left in place. The whole network, which might be protecting your money or personal records or helping to keep the lights on and the water running, is a patchwork of problematic systems that aren’t as hard to exploit as we’d like to think.
I also see attacks or hear about attacks on Twitter long before they hit the news.
Much of my time is spent probing or scanning networks, looking for vulnerabilities, etc., but just as much time is spent communicating with the client and documenting what I’ve done in a written report. I tell hacker students and new employees, “You will write more reports as a hacker than you ever did at school!” The deliverable report is the one piece of the engagement that a client will keep and be able to mull over long after the ‘warm fuzzies’ from your personal care have faded. It needs to be just as good.
But clients get to see pretty much everything we do—it’s a very open process so that they can learn and see their network from our perspective as well. The only thing they miss is the look on my face at 2am when I finally pull off an exploit while watching How It’s Made reruns.
What misconceptions do people often have about your job?
Probably the biggest thing is that people think the term “hacker” always means a criminal or [someone] malicious. A hacker is basically someone who likes to tinker with tools and software, figure out ways to solve problems or open up new possibilities for using technology. The ones who do it to steal money or hurt people are just criminals. We shouldn’t have to call ourselves “ethical” hackers—we should instead emphasize that the bad guys are “criminal hackers.”
People also see the attacks we simulate and feel that we are performing magic. Hackers understand the important truth that computers only do what they are told, and many times the actions users take are not in their best interests. Whether they run improperly coded software, or if they click on an email promising them something, users (including IT personnel!) are often unaware of the scary things they end up doing.
Another misconception is that “all penetration tests are the same.” Unfortunately, in an industry as young and steeped in mystery as information security, there is a huge lack of knowledge about what a penetration test (i.e., an ethical hacking test of a company) should include. Efforts such as Pentest-Standard.org are trying to at least teach business and IT persons about what to expect out of a good penetration test from a knowledgeable company.
What are your average work hours?
It really depends on what you’re doing. If you’ve been hired to do a penetration test of a company, then you’re likely to work 8 to 10 hours per day, and jobs can run between 2 and 10 weeks. However, if you’re tooling around with a piece of software, looking for vulnerabilities, then it’s really up to you. I’ve never had a time when I’ve been sitting at a desk going, “When can I go home?” Much more common is my wife reminding me that sleep is a good thing, and I’ll probably be able to pull off whatever I am doing after I’ve had at least a nap.
However, if you’ve been called in to help a company recover from a breach (what we refer to as “incident response”), then all bets are off. That’s when you’re in crisis mode and you can easily pull a few all-nighters trying to stop the attack from progressing, control the damage, and figure out how to get the company back on track.
What personal tips and shortcuts have made your job easier?
Always be listening and reading. You may know a fabulous way to do something, but someone else may know another route that is quicker or easier. Document what you are doing and why and when so that when something goes wrong you can figure out what happened. Banging your head against a wall you should have gone around way earlier is a HUGE time waster.
Also, as my boss is fond of saying, and I’ve learned as well: “No client has ever been mad because you talked to them too much.” In nearly five years, I’ve only had one client say I didn’t need to call or email every day of the week while I was working on their network. People love to know what’s going on, even if what’s going on is, “we’re combing through tool output looking for things to break.”
What do you do differently from your coworkers or peers in the same profession? What do they do instead?
Unfortunately, there are many companies in this field that think ethical hacking is basically just scanning for vulnerabilities on a network. The problem with that type of thinking is that it doesn’t really show the client the full picture. Okay, I know this program and this program are vulnerable, but what does that actually mean? What could an attacker do with this vulnerability? How far could they go?
At our company, we’re extremely goal oriented. We see an ethical hacking test in terms of the real-world consequences for that institution, i.e., what would an attacker want to do (steal your data, perform illegal wire transfers, interfere with computer-based machinery, etc.) and how could they go about doing it? When we find vulnerabilities in a network, we look at the practical consequences of them, and you have to be creative to see the full potential of a security flaw and to put all the pieces together to figure out how a criminal would pull off a data or financial heist.
What’s the worst part of the job and how do you deal with it?
The worst part of this job is when you get clients who don’t really want to know how vulnerable they are. Sometimes it’s because they’re indifferent (many companies still think it’s cheaper to just fix the problem after the company’s been breached than to spend the money ahead of time on better security), but more often than not it’s fear-based. Sort of like when your car starts making a funny noise, but you don’t want to take it to the auto shop because you’re afraid of how much it will cost. Although cost isn’t the only thing they’re worried about—in many cases, you’re dealing with a senior level IT executive who is worried about his or her career; if the report shows too many problems, it makes him or her look bad.
The only way to deal with this aspect of the job is to stick to your guns—do your best, don’t hold back on the penetration testing, and report as clearly as you can exactly where the company is vulnerable and what that could mean. In the end, it’s up to the client to take the right steps to protect itself and its customers, you just have to hope they will.
What’s the most enjoyable part of the job?
This may be the hardest question to answer. To be honest, there is a thrill in knowing that what I do would be illegal except for a legal document that says I’m allowed to do it without getting in trouble. One of my favorite compliments from my former place of work was, “You think like a criminal!” (They didn’t mean it as a compliment.)
I work with amazing people, doing fun, hard work. We learn together and laugh a lot! When my wife and I had our third son, they bought baby supplies and superhero onesies.
I make a difference in the security mindset of businesses and, ultimately, in the lives of thousands of people, which is quite rewarding as well. The pay is also far better than I thought it would be, back when I watched Sneakers.
Do you have any advice for people who need to enlist your services?
Yes—don’t expect me to be a superhero. Often, clients think that when they hire you, you’re going to clean up everything, fix all their problems and make them 100% secure. There is no such thing as 100% secure. That’s not at all how it works. Clients have to be realistic—the goal with this type of work is to figure out what assets your company has that are most critical and what risks they can accept. You can’t prevent every attack from succeeding—no matter how good your security is, eventually someone will always get through. Therefore, ethical hackers are not only helping you prevent an attack, but also figuring out what steps you need to take to limit the damage when a successful attack happens.
You can’t protect what you don’t know exists. Therefore, the best documents to have on hand before hiring an ethical hacker to do a penetration test are a full inventory of systems, people, information, and a risk assessment document that has looked at overall business risks.
The penetration test has the goal of then finding a weakness, exploiting it, showing how a critical, unacceptable risk could be realized (such as sensitive information being taken off of your network and securely placed on the tester’s secure network), which is something you can then work to remediate.
The hard work for the client comes AFTER the test, learning how to do business in a less risky way.
What kind of money can one expect to make at your job?
I’m not one to talk money, but I really believe if you work hard, hone your skills (including soft skills like negotiation!), you can make as much money as you want to make in this field. If you want to make a lot of money straight out of school or fresh from getting a certification, you are going to be working for a company that owns you, forces you to travel a lot, and considers sleep a luxury. If you want to have some life/work balance, you are going to need some years of experience both in “regular” IT and security to start making the big bucks.
Also, location matters a lot, I’m in a good area for cost of living, and that helps.
How do you move up in your field?
This is fairly subjective. Some people become specialists in key areas, like software security (mobile and web apps), industrial control systems (utilities, manufacturing plants, etc.), social engineering (i.e., hacking people), etc. Others learn management skills and end up running teams of hackers.
In both cases, you have to focus on improving your knowledge and gaining as much field experience as possible. Certifications are good, but nothing beats performing these tests, or managing teams, in the field.
Another way to stand out is by conducting original research into security issues and presenting those at one of the many industry conferences that are held every year. It’s also a career booster if you can run a training camp at one of these conferences that teaches key skills.
What do your customers or clients under/over value?
Clients usually undervalue their own part in the process of security. They tend to believe that hiring a super hacker is all they need to keep the boogeymen away. They also tend to undervalue the worth of their assets. I’ve actually heard banks say, “we’re too small to be hacked.” The same is true with hospitals, global companies, etc. They all have a reason to say “it won’t happen to us!” until it actually does.
Companies also make the mistake of comparing themselves with their peers. This question often comes up in board rooms: “How do we compare to other businesses like ours?” No one wants to spend more money on security than their peers, as they feel they’re wasting their money if they do.
However, what is often overvalued by clients is compliance standards. Whether it’s PCI standards for retailers, or HIPAA in the healthcare industry, or anything else, simply meeting compliance standards doesn’t mean you’re actually secure. Compliance standards are just a baseline measurement of what an organization absolutely must do to not be fined or have corporate officers go to jail—companies have to go well beyond them to be truly secure.
What advice would you give to those aspiring to join your profession?
DO IT! We need more people who enjoy the puzzles, breaking things, fixing things, and the communication with people and the awesome experiences.
Love learning! If you cringe at the thought of having to rapidly learn a new skill, operating system, program syntax, or attack technique, you are quickly going to be fed up with the consultant/boutique-style work I do. However, there is hope! Take what you do love, figure out better ways to secure it in a business-feasible way, and work for the “blue teams” (i.e., the defense-focused teams) out there that desperately need more security-minded people as well.
Source: Life Hacker