European Telcos join forces to combat cyber crime

ETIS – The Global Association for Telecommunications has joined forces with Proximus, KPN, Swisscom and A1 Telekom Austria, in an initiative to professionalise the exchange of cyber threat intelligence among European telecoms providers. With the support of Dutch innovation body TNO, these telcos established a technical platform to automate the exchange of cyber threat intelligence in real time. This project will enhance the efficiency of the community as well as the quality of the actual threat intelligence shared. The pilot project was recently concluded and laid the foundation for a more elaborate operational setup, potentially involving 20+ European telcos.

The cyber threat landscape is rapidly evolving with increasingly severe vulnerabilities emerging at a tremendous pace. What’s more, present day cyber attacks are more sophisticated than ever and the attackers are very well organised. Due to these dynamics, telcos cannot passively rely on traditional measures to stay safe. To avoid unnecessary damage, they must continually stay on top of the latest threats, vulnerabilities, attack methods and attacker campaigns. To this end, organisations are in need of relevant, timely and actionable threat intelligence.

In early 2013, ETIS established the CERT-SOC Telco Network, a community of cyber security specialists from its member telcos across Europe. A key activity of this group is the exchange of threat intelligence and sharing of best practices. This new platform has enriched their efforts with the ability to exchange standardised, automated and real time threat intelligence. This greatly enhances the speed at which threat intelligence can be shared. Moreover, it facilitates better alignment with the operational security processes of individual organisations, thus enabling a more effective course of action upon reception of threat intelligence events.

‘What makes this project unique is that it is purpose set-up by the telcos, for the telcos and the ETIS Community provides the vital trust required to run such a platform. Our Members value trusted partnerships, collaboration and proactive intelligence sharing far more than the latest off-the-shelf security products.’ Fred Werner, ETIS Communications & Programme Director

Andy De Petter, Cyber Security Intelligence & Incident Response, Proximus and Chairman of the ETIS Information Security Working Group had the following to say about the project. ‘This project allows us to actively and securely exchange cyber threat intelligence, in order to faster detect, prevent and mitigate cyber security incidents. I am confident that this platform will help us to harness the power of our Members’ collective security knowledge to help our industry stay abreast of the latest cyber security threats on the horizon.’

The pilot participants concluded that the new setup for their threat intelligence exchange is a major step forward as it showed tangible evidence that participating telcos were able to increase their cyber resilience based on the intelligence received from their peers. Work is underway to expand the new environment with more telco participants such as TDC, Telenor and Deutsche Telekom set to join.



Tripwire Study: Energy Sector Sees Dramatic Rise in Successful Cyber Attacks

The results of a study conducted for Tripwire by Dimensional Research have been released. The study, which was carried out in November 2015, assessed cyber security challenges faced by organizations in the energy sector. Study respondents included over 150 IT professionals in the energy, utilities, and oil and gas industries.

When asked if their organization had experienced a rise in successful cyber attacks in the last 12 months, seventy-seven percent of the respondents in Tripwire’s study replied, “yes.” In addition, more than two-thirds of the respondents (sixty-eight percent) said the rate of successful cyber attacks had increased by over twenty percent in the last month.

“It’s tempting to believe that this increase in attacks is horizontal across industries, but the data shows that energy organizations are experiencing a disproportionately large increase when compared to other industries,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “At the same time, energy organizations face unique challenges in protecting industrial control systems and SCADA assets.”

Additional findings from the study include:

• Energy executives were more than twice as likely to believe their organization detected every cyber attack (forty-three percent) than nonexecutives (seventeen percent).
• In the last 12 months, seventy-eight percent of the respondents said they experienced a cyber attack from an external source, and thirty percent have seen an attack from an inside employee.
• Forty-four percent of the respondents indicated they have not gathered enough information to identify the sources of cyber attacks on their organizations.
• Nearly one-fourth (twenty-two percent) of the respondents admitted their organizations do not have business processes to identify sensitive and confidential information.

“Detecting attacks successfully is the midpoint of the overall process,” Erlin continued. “Energy organizations need to invest in greater prevention and forensic tools to decrease the rate of successful attacks and fully investigate those they can’t prevent.”

According to the Department of Homeland Security, the energy sector faces more cyber attacks than any other industry. Despite these escalating risks, the energy sector faces serious challenges responding to security threats effectively. For example, the results of the North American Electric Reliability Corporation’s (NERC) GridEx III “cyberwar games” revealed significant challenges with the cyber threat intelligence practices of grid operators.

In addition to this study, Tripwire conducted a survey of 200 security professionals attending RSA Conference 2016. When asked if a cyber attack would cause physical damage to critical infrastructure in 2016, eighty-three percent of the respondents replied, “yes.” In addition, seventy-three percent of respondents to this second survey said critical infrastructure providers are more vulnerable to ransomware attacks than other organizations.

For more information about the survey please visit:



The National Childbirth Trust Hit by Data Breach – expert comments

The BBC broke the news that a childbirth charity has apologised to 15,000 new and expectant parents after their registration details were accessed in a “data breach”.

The National Childbirth Trust (NCT) sent a message saying their email addresses, usernames and passwords had been “compromised”. The incident has been reported to police and the UK’s data watchdog. The NCT stressed no other information had been accessed.

A spokesman confirmed 15,085 users were affected and said: “NCT has suffered a data breach which, regrettably, has caused some users of our website to have their registration details compromised.”

@DFMag obtained several comments from cyber security experts on this news story:

Simon Crosby, CTO and co-founder, Bromium:

“This incident at The National Childbirth Trust will be a wake-up call for people. But it’s not the first. Certainly it will provide a clear message to chief execs that if something like this happens then they can expect to be paraded in front of a voracious media – and they’d better have some good answers to some tough questions. Businesses have no excuse that they were not aware nor prepared for such attacks. They’ll need to prove that they took all reasonable steps to protect themselves. How they respond may be the difference between a damaging incident, and fatal disaster.

When we hear about attacks that have persisted on a compromised system for weeks or even months before detection, it is unlikely that hackers were waiting to take advantage of the breach, but far more likely that existing detection-based systems failed to properly respond to the attack. Organisations invest in a broad array of security solutions with the promise of actionable security insight, but the reality is that they are swimming in a sea of false alerts. Understanding hacker behaviour is as difficult as looking for a specific needle in a haystack that is 50 feet tall and made of other needles. When a hacker breaches a system, they will squeeze it for anything of value, including compromising endpoints for botnets, servers for bandwidth and of course the imminent threat of lost intellectual property or financial information. For end users and security teams this manifests as a noticeable decrease in system performance and unusual network connections, among other factors. If organisations are serious about keeping hackers out of their systems, they need to embrace proactive protection as the foundation of their security architecture. For example, hardening and isolating systems prevents data breaches, eliminating the need for costly detection and response.”

Richard Cassidy, technical director, EMEA at Alert Logic:

“The breach at The National Childbirth Trust highlights the challenge all organisations face in today’s cyber threat landscape and reiterates the fact that a fundamental change in our approach to data security is required across the board. Attackers leave digital fingerprints in their network activity or system logs that can be spotted if you know what to look for, and have qualified people looking for it. Through monitoring systems 24×7 and being able to distinguish normal from abnormal, organisations can identify and act against sophisticated attackers.

In reality it is becoming a great deal easier for hackers to exploit vulnerabilities on key data platforms, given the wealth of resources and information sharing on the cyber criminal underworld. In many respects organisations need to shift their focus to the view of “when” and not “if” a data breach or attack will occur. CISOs and CTOs need to learn from the wealth of information available on past high-profile breaches, and align their Cyber Security Strategy accordingly.

We can no longer rely on our point security tools to remain effective in isolation against the proliferation of threats and exploits we are seeing today. Security strategy needs to be intelligence driven, combining big-data analytics poised to detect indicators of compromise combining the wealth of data across all security toolsets, identifying both “sledge hammer” and “needle-in-haystack” breach styles. Equally importantly, how well organisations protect their “data at rest” will go a long way in helping give customers the assurance that the best was done to protect their data and limiting the collateral damage in the aftermath of such a breach. As organisations we can only do so much, but unfortunately not many are doing enough. Boardrooms need to put cyber security risk and strategy back at the forefront of their agendas.”

If you use any services whose data, if stolen and made public, could be used against you, then edit your profile now to include false information and a fake email address, or an alternative, randomised, non work email address from an online provider.”

Luther Martin, technologist at HPE Security – Data Security:

“Data thieves are highly effective at finding weak points in security strategies. Protecting the sensitive data within the online environment could have avoided this type of data loss. There’s simply no excuse today not to follow best practices of encrypting all sensitive personal data as it enters a system, at rest, in use and in motion. The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure.

Cyber criminals today are motivated to steal enterprise data, intellectual property and employee or customer information. Hackers are always looking for a way to exploit a system in a way that they can then turn stolen data into cold, hard cash. There is a definite risk if credit card or account information is obtained. However businesses need to also think about protecting personal information about their customers like name, full address, phone number and email address. Criminals could then use this information to open bogus accounts or sell it for use in more targeted larger-scale spear-phishing or identity theft attacks.

Beyond the threat to sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of cyberattacks and other attempts to get this information.”



Nest’s dissolution of Revolv highlights issues with smart home devices

Nest, a home automation company that designs and manufactures programmable thermostats and smoke detectors, has announced that it is no longer supporting the Revolv smart hub as of May 2015. The move could have wider implications for the growing Internet of Things and smart home devices.

Cesare Garlati, Chief Security Strategist for prpl Foundation commented to @DFMag;

“The recent news that NEST has shut down leaving Revolv home IoT hub users with a useless device highlights a few key problems with this kind of cloud-dependent “IoT home hub.”

1) Consumers should not buy into IoT that is dependent on the cloud as a middle man. The device, to have true benefit to the consumer, needs to ensure that consumers are in control and not reliant on another service – in other words consumers want to pay for what they own.

2) Privacy is affected when the cloud is introduced. Not only does the provider have access to (and sell) your data, whether it’s location, what time of day you’re turning your heating up – basically any of the information you are sending to the cloud – but you’re also paying the provider for the ‘privilege’.

3) Having a device rendered useless because of a shut down in cloud service highlights the need for open standards in IoT devices. This will mean users aren’t locked into a provider and gives the consumer more control over the way in which they can use the device.”



Trump Hotel Collection has been breached again

News broke earlier today that Trump Hotel Collection has once again been breached through its credit card systems. This is not the first time the hotel chain has been breached, with Trump Hotel Collection confirming in October 2015 that its payment systems had been infected with data-stealing malware in May 2015.

Andy Green, Senior Technical Specialist at Varonis commented;

“The Trump breach is the latest report of a continuing string of attacks against the hotel industry. As it turns out, the attack vector for these hotel breaches is the same PoS malware used against big box retailers. BlackPos and the other RAM-scraper variants have found hotels a good place to vacation — for months, apparently — and to check out with a haul of credit cards. We know how these attackers get in and how the exploit unfolds. A phish mail containing malware, typically a remote access trojan, lands them on a user laptop, followed by a lateral move to the PoS servers, and then the insertion of RAM-scrapers that search for credit card numbers. We also have techniques and approaches to stopping or mitigating these attacks: employee education, whitelisting of apps on the PoS server, limiting networking options on user laptops, and finally user behavior analytics (UBA). UBA is a way to monitor file activity and spot unusual behaviours — copying and moving of files — that are atypical for that user. At some point these RAM-scrapers will have to dump the credit card numbers to a file and transfer it to an exfiltration server. Some UBA technologies can spot and alert on these and other file system events.”
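The comment above ends on the detection point: before exfiltration, a RAM-scraper has to write harvested card numbers to a file. As an added example (not Varonis code, and not from the original article), the Python below shows the file-content side of such a check: it scans a blob for 13–19 digit runs, keeps only those that pass the Luhn checksum, and flags the file when several distinct valid PANs appear. The sample dump and log line are constructed and use published test card numbers; the threshold of three PANs is an assumed tuning value.

```python
import re
from typing import List

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (lookbehind/lookahead on digits).
_PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(data: bytes) -> List[str]:
    """Return the Luhn-valid 13-19 digit sequences found in a byte blob, in order."""
    found = []
    for m in _PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        # Runs of a single repeated digit (e.g. sixteen zeros) pass Luhn
        # but are never real PANs; skip them to cut false positives.
        if len(set(digits)) > 1 and luhn_valid(digits):
            found.append(digits)
    return found


def looks_like_card_dump(data: bytes, threshold: int = 3) -> bool:
    """Flag a blob as a probable card dump when it holds >= threshold distinct valid PANs.

    The threshold is an assumed tuning value: a single valid number is common
    in ordinary business files, a cluster of them in one new file is not.
    """
    return len(set(find_pans(data))) >= threshold


# Constructed sample: what a scraper's staging file might look like, built
# from publicly documented test card numbers (not real accounts).
SAMPLE_DUMP = (
    b"Track2=4111111111111111=2512101\r\n"
    b"5500 0000 0000 0004 ...\r\n"
    b"3400-0000-0000-009\r\n"
    b"4012888888881881\r\n"
)

# Constructed benign line: a 16-digit session id that fails the Luhn check.
BENIGN_LOG = b"2016-04-05 session=1234567890123456 ok\n"

if __name__ == "__main__":
    print("dump PANs:", find_pans(SAMPLE_DUMP))
    print("dump flagged:", looks_like_card_dump(SAMPLE_DUMP))
    print("log flagged:", looks_like_card_dump(BENIGN_LOG))
```

In a UBA pipeline this content check would run only on files that a file-activity monitor reports as newly created or modified by an unexpected process on the PoS server, so the Luhn scan is a confirmation step rather than a full-disk sweep.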



Record-breaking DDoS attack against a Chinese lottery website

Imperva Incapsula has spotted a record-breaking DDoS attack against a Chinese lottery website. The website was the target of an HTTP POST flood attack which peaked at a substantially high rate of 163,000 RPS. What made this attack stand out was the bandwidth it consumed: 8.7 gigabits per second, a record for an application layer attack.

Commenting on this, Alex Cruz Farmer, VP of cloud at NSFOCUS IB, said:

“Application DDoS attacks are the silver bullet today, since volumetric attacks are becoming more and more understood and are proactively being protected against through router level filtering. Organisations need to implement anti-DDoS solutions, which incorporate behavioural algorithms complemented with giant global threat intelligence databases. This type of technology would make combating attacks like this academic. Hybrid anti-DDoS solutions, with Cloud there to back up on-premise installations from the larger volumes, are proven to be the best way to mitigate attacks. That way, if the attack is complex, or has a volumetric side to it and overpowers the on-premise installation, there is the fast, convenient and most of all, cost effective way to resolve it.”



Nuix eDiscovery Technology “an Indispensable Part” of Süddeutsche Zeitung and ICIJ Panama Papers Investigation

Global technology company Nuix supplied document processing and investigation technology that was essential to the Panama Papers investigation conducted by German newspaper Süddeutsche Zeitung and the International Consortium of Investigative Journalists (ICIJ).

Süddeutsche Zeitung received an anonymous leak of approximately 11.5 million documents, totaling 2.6 terabytes of data, detailing the activities of Panamanian law firm Mossack Fonseca, which helped clients set up anonymous offshore companies. While these offshore entities are generally legal in the jurisdictions in which they are registered, the investigation revealed that some were allegedly used for unlawful purposes including sovereign and individual fraud, drug trafficking, and tax evasion.

“This is a huge trove of data by investigative journalism standards—around 10 times the data volume and five times the number of documents of ICIJ’s Offshore Leaks investigation in 2013,” said Eddie Sheehy, CEO of Nuix.

“At the same time, this is only a medium-sized document set in the worlds of eDiscovery or regulatory investigations—some of our customers handle similar volumes of data every day. Nuix is the only technology in the world that can handle this much data and that many documents with speed and precision.”

Süddeutsche Zeitung and ICIJ used Nuix software to process, index, and analyse the data. Investigators used Nuix’s optical character recognition to make millions of scanned documents text-searchable. They used Nuix’s named entity extraction and other analytical tools to identify and cross-reference the names of Mossack Fonseca clients throughout millions of documents. More than 400 journalists in 80 countries around the world then investigated the data before publishing the first set of results on April 4, 2016.

Nuix donated the software to Süddeutsche Zeitung and ICIJ for the purposes of the investigation. A Nuix consultant also advised the investigators on hardware configurations and workflows. Nuix employees never saw or handled any of the leaked data – that task was undertaken by the journalists involved in the investigation.

“Nuix technology was an indispensable part of our work on the Panama Papers investigation, as it has been with Offshore Leaks and many of our other in-depth investigative stories,” said Gerard Ryle, Director of the International Consortium of Investigative Journalists.



Details of nearly 50 million Turkish citizens leaked online

A data leak has appeared online, claiming to host private information on 49,611,709 Turkish citizens, and offering download links to anyone interested.

Hosted on a Finnish IP address, the 1.5GB compressed (6.6GB uncompressed) database was offered for download via P2P, and was streamed by over 650 users. The hacker who set up the download server said the data contained the following information: first and last names, national identifier numbers (TC Kimlik No), the user’s mother’s and father’s first names, gender, city of birth, date of birth, full address, and ID registration city and district.

Commenting on this, Alex Cruz Farmer, VP of cloud at NSFOCUS IB, shared the following with @DFMag: 

“This leak is going to go down as one of the largest data breaches in history for some time. Governments are often the most targeted for cyber attacks and, as we have learned, it only takes one single field on a website to compromise an entire infrastructure. In this case, a relatively small investment in Data Loss Prevention (DLP) security solutions could have significantly changed the outcome of this very sad situation. We remind all communities to be vigilant and alert at all times, and maintain security policies and technologies. Security must stop being an afterthought, and be the first thing any CIOs consider.”



AceDeceiver – Malware that can infect all iPhones

AceDeceiver is a new malware discovered by researchers that is able to carry out FairPlay man-in-the-middle attacks when users purchase an app from the iTunes Store.

Tim Erlin, Director of IT Security and Risk Strategy for Tripwire, says: “The security of the App Store is a cornerstone of the Apple ecosystem, but the size and success of that ecosystem makes it a popular target for attacks.

Apple needs to ensure that Apps installed from their App Store are safe in order to maintain their customer base. Confidence is a key factor in customer retention.

This latest attack is reminiscent of the VW diesel hack that caused the exhaust system to perform differently when in a lab. In this case, the Aisi Helper behaved differently based on its location in order to bypass Apple’s security.”