Imperial College London students crowned UK’s most talented in cyber security

- University of Cambridge cyber competition pits top universities against each other to snare top cyber recruits before they’re tempted into other industries

- 12 UK universities compete for cyber crown at competition backed by the National Cyber Security Centre (NCSC), Cabinet Office, Leidos and NCC Group

- The top three teams shared prize money of £10,000

Students from Imperial College London have been declared the most talented university pupils in the UK for their cyber skills after beating competition from 11 other top universities, which have been designated as Academic Centres of Excellence in Cyber Security Research, at the Inter-ACE competition.

Over 100 students represented their universities at Inter-ACE, hosted by the University of Cambridge on Saturday, in a capture-the-flag style cyber security competition aimed at showcasing the UK’s future cyber defenders. Students worked with Leidos’s CyberNEXS training platform in a scenario-based competition, featuring penetration testing against mock infrastructure, as well as discrete forensics challenges.

The victorious team QWERTY from Imperial College London were awarded £6,500, with silver going to SU-DON’T from the University of Southampton and PM_ME_FLAGS, also from the University of Southampton, earning bronze. The silver team scooped £2,500 and the bronze team went home with £1,000.

 Inter-ACE is an annual cyber security competition backed by the National Cyber Security Centre (NCSC), Cabinet Office, Leidos and NCC Group. It is designed to help tackle the huge cyber security skills gap, which latest figures suggest will increase to a 1.8m people shortfall by 2022. Already, more than two-thirds of companies are struggling to recruit the level of staff necessary to defend against major attacks.

Inter-ACE gives budding cyber enthusiasts a platform to test and improve their skills in a real-life simulation, meet like-minded individuals, and learn more about careers in the sector by introducing them to key players in the industry and government.

The Inter-ACE competition was hosted on Leidos’ CyberNEXS platform that enabled the contest to take place on a secure virtual environment to assess network and system attack-and-defend, forensics, and penetration strategies. This environment also gives users the ability to tactically test, evaluate, and train for current and next generation threats.

Individuals from the winning team of the Inter-ACE competition will now be guaranteed a place in the annual Cambridge2Cambridge (C2C) cyber competition later in the summer, which is jointly organised by the University of Cambridge and the Massachusetts Institute of Technology (MIT) Boston, US. This time, the teams competing at C2C will be mixed to include cyber defenders from the best universities from across the UK and US, who will come together to learn best practice in cyber security and demonstrate their ability to become future cyber defenders. The three-day event takes place between the 24th and 26th of July at the University of Cambridge and will be observed by experts from across the cyber security industry.

Dr Frank Stajano, Founder of Inter-ACE and Reader in Security and Privacy at the University of Cambridge, comments: “The cyber security industry requires a range of skills that are not purely technical. From psychology and behavioural science, to leadership and business insights – a variety of skills will be key for the cyber security workforce of the future. Inter-ACE gives pupils the opportunity to implement the skills and theory they have been taught at university in a realistic environment, while learning new ones in the process, which will help grow them into the cyber defenders of the future. It also teaches them to adapt to their surroundings and think on their feet, priming students to be trained in industry and make a real impact.

“Competitions such as Inter-ACE open the door for a wide range of individuals who may not have thought about embarking on a career in the industry previously. The pupils competing here have had the opportunity to experience the industry first-hand, in a fun but competitive environment, which could hopefully impact their career decisions in the future – inspiring them to pursue a career in the industry and increasing the talent pool in the process.”

Doreen Harwood, Leidos senior vice president, Cyber & SIGINT Solutions, comments: “Leidos is a strong supporter of STEM activities, and sees its importance in attracting and inspiring cybersecurity talent. By introducing students and professionals to CyberNEXS, we hope to increase their interest in this evolving field, and grow the future workforce to support critical global missions.”

Further quotes from Inter-ACE winners team QWERTY:

Luke Granger-Brown, 22, who is studying computing at Imperial College London, comments: “It has been an incredible competition, and I’m surprised we won. We would encourage everyone to participate who can in the next competition, as it’s a great way to put the stuff we have learnt at university into practice.”

For more information on Inter-ACE please visit inter-ace.org 


Law firms can be soft targets for hackers, say cybersecurity experts

In any organization at least one person—and probably more—will click any email link, and sometimes that opens a door for hackers to get to senior management data.

The issue was discussed by two cyberintelligence experts at a Thursday ABA Techshow panel, titled “A Fool and His Data Are Easily Parted: Fundamentals of Data Protection.”

“Last year was the year of law firm hacks. Law firms are soft targets,” said Andrew Tannenbaum, IBM’s chief cybersecurity counsel. “This is the world we’re living in.”

Free Wi-Fi, devices that look like SD cards but actually tap into secure data, and passwords with meanings can all lead to getting hacked, said Roy Zur, another presenter at the conference.

And if you receive an email that states you need to change a password, don’t do it through the communication, added Zur, a former Israel Defense Forces officer who founded Cybint Solutions, which advises law firms on Internet issues. Instead, visit the website seeking the password change, said Zur, who also works as the Israel national director for the test prep group BARBRI Bar Review.

“Easy hacking methods are not something that require any previous knowledge. They don’t need to be tech savvy to do it,” said Zur, mentioning the website Shodan. A search engine for Internet-connected devices, it can be used to hack into businesses’ security cameras.

“Cameras are connected to Wi-Fi. People think it’s protected, because there’s a Wi-Fi password, but the camera is also connected to the Internet, and most cameras come with some sort of default password,” he added. “I’d say 50 percent of these security cameras are using default passwords. And you’re not just accessing the camera; you can also access the alarm system.”

Indeed, anything connected to the Internet can be hacked. Tannenbaum mentioned CryptoLocker, a ransomware trojan that targets computers running Microsoft Windows. Traditionally, ransomware goes after people’s data, he said, but increasingly hackers use it to shut down things, like key card scanners. Some resort to paying hackers, usually in Bitcoin, to have their data released.

“Of course you never want to be in a position of having to pay,” he said. “The FBI says it’s better if you don’t pay. And the more people pay, the more it can be an effective tool.”

Source: http://www.abajournal.com/news/article/law_firms_can_be_soft_targets_for_hackers_say_cybersecurity_experts/

 


Why Our Nuclear Weapons Can Be Hacked

It is tempting for the United States to exploit its superiority in cyberwarfare to hobble the nuclear forces of North Korea or other opponents. As a new form of missile defense, cyberwarfare seems to offer the possibility of preventing nuclear strikes without the firing of a single nuclear warhead.

But as with many things involving nuclear weaponry, escalation of this strategy has a downside: United States forces are also vulnerable to such attacks.

Imagine the panic if we had suddenly learned during the Cold War that a bulwark of America’s nuclear deterrence could not even get off the ground because of an exploitable deficiency in its control network.

We had such an Achilles’ heel not so long ago. Minuteman missiles were vulnerable to a disabling cyberattack, and no one realized it for many years. If not for a curious and persistent President Barack Obama, it might never have been discovered and rectified.

In 2010, 50 nuclear-armed Minuteman missiles sitting in underground silos in Wyoming mysteriously disappeared from their launching crews’ monitors for nearly an hour. The crews could not have fired the missiles on presidential orders or discerned whether an enemy was trying to launch them. Was this a technical malfunction or was it something sinister? Had a hacker discovered an electronic back door to cut the links? For all the crews knew, someone had put all 50 missiles into countdown to launch. The missiles were designed to fire instantly as soon as they received a short stream of computer code, and they are indifferent about the code’s source.

It was a harrowing scene, and apprehension rippled all the way to the White House. Hackers were constantly bombarding our nuclear networks, and it was considered possible that they had breached the firewalls. The Air Force quickly determined that an improperly installed circuit card in an underground computer was responsible for the lockout, and the problem was fixed.

But President Obama was not satisfied and ordered investigators to continue to look for similar vulnerabilities. Sure enough, they turned up deficiencies, according to officials involved in the investigation.

One of these deficiencies involved the Minuteman silos, whose internet connections could have allowed hackers to cause the missiles’ flight guidance systems to shut down, putting them out of commission and requiring days or weeks to repair.

These were not the first cases of cybervulnerability. In the mid-1990s, the Pentagon uncovered an astonishing firewall breach that could have allowed outside hackers to gain control over the key naval radio transmitter in Maine used to send launching orders to ballistic missile submarines patrolling the Atlantic. So alarming was this discovery, which I learned about from interviews with military officials, that the Navy radically redesigned procedures so that submarine crews would never accept a launching order that came out of the blue unless it could be verified through a second source.

Cyberwarfare raises a host of other fears. Could a foreign agent launch another country’s missiles against a third country? We don’t know. Could a launch be set off by false early warning data that had been corrupted by hackers? This is an especially grave concern because the president has only three to six minutes to decide how to respond to an apparent nuclear attack.

This is the stuff of nightmares, and there will always be some doubt about our vulnerability. We lack adequate control over the supply chain for nuclear components — from design to manufacture to maintenance. We get much of our hardware and software off-the-shelf from commercial sources that could be infected by malware. We nevertheless routinely use them in critical networks. This loose security invites an attempt at an attack with catastrophic consequences. The risk would grow exponentially if an insider, wittingly or not, shares passwords, inserts infected thumb drives or otherwise facilitates illicit access to critical computers.

One stopgap remedy is to take United States and Russian strategic nuclear missiles off hair-trigger alert. Given the risks, it is dangerous to keep missiles in this physical state, and to maintain plans for launching them on early indications of an attack. Questions abound about the susceptibility to hacking of tens of thousands of miles of underground cabling and the backup radio antennas used for launching Minuteman missiles. They (and their Russian counterparts) should be taken off alert. Better yet, we should eliminate silo-based missiles and quick-launch procedures on all sides.

But this is just a start. We need to conduct a comprehensive examination of the threat and develop a remediation plan. We need to better understand the unintended consequences of cyberwarfare — such as possibly weakening another nation’s safeguards against unauthorized launching. We need to improve control over our nuclear supply chain. And it is time to reach an agreement with our rivals on the red lines. The reddest line should put nuclear networks off limits to cyberintrusion. Despite its allure, cyberwarfare risks causing nuclear pandemonium.

Source: https://www.nytimes.com/2017/03/14/opinion/why-our-nuclear-weapons-can-be-hacked.html?_r=0

http://nationalcybersecurity.com/nuclear-weapons-can-hacked/ 


US Air Force data leak

An unsecured backup drive belonging to an unnamed lieutenant colonel is the alleged cause of a massive data leak at the US Air Force.

More information: http://www.ibtimes.co.uk/us-air-force-leak-exposes-holy-grail-top-secret-data-including-details-over-4000-officers-1611404

Following this story, please see below for comment from Lee Munson, security researcher at Comparitech.com:

“There are a great many things an organisation should be doing to protect its data, all of which boil down to people, process and technology.

“While some aspects within those areas are harder to manage than others, encrypting sensitive data and having an acceptable use policy covering backup drives are not among them.

“This, therefore, begs the question of what a US lieutenant colonel was doing with an unsecured drive full of personal information in the first place.

“Such a leak in the civilian sector would be of serious concern to those compromised, the organisation itself and the appropriate industry regulators.

“Within the US army, such a basic and avoidable mistake is totally unforgivable, especially considering the nature of what it does and the fact that the leaked data is ripe for blackmailing purposes.

“The senior officer responsible will, I suspect, be very fortunate indeed not to appear on the next list of open investigations that find their way onto, what I hope, will be a secured backup drive next time around.”


Abta cyber attack leaves 43,000 holidaymakers at risk of identity fraud after email addresses and passwords stolen

Email addresses and personal details belonging to 43,000 British holidaymakers may have been stolen in a cyber attack against Abta’s website. Data for up to 650 members of the Association of British Travel Agents were exposed in the hack which has put tourists at risk of identity theft or online fraud.

The person or group who infiltrated the website had access to holidaymakers’ contact details and encrypted passwords, and private documents submitted to support complaints about travel firms. Abta warned its members and customers to take precautions as it announced on Thursday that it recently became aware of “unauthorised access” to the Abta.com web server. Abta said the vast majority of the 43,000 customers relate to people who have registered on its website or have filled in an online form with basic contact details which are at a “very low exposure risk” to identity theft or online fraud.

The hacker or hackers may have obtained identity information for 1,000 tourists who have uploaded files in support of a complaint about an Abta member since January 11.

Abta said: “This was possible due to a system vulnerability that the infiltrator exploited to access some data provided by some customers of Abta members and by Abta members themselves.”

The organisation said its own IT systems were not hacked, but the web server for the website, managed by a third-party developer and host, was breached on February 27.

It said: “This unfortunately means that some documentation uploaded to the website by Abta members, as well as some information provided by customers of Abta members in support of their complaint about an Abta member, may have been accessed.”

The third-party host has fixed the problem.

Abta said it has contacted potential victims, set up dedicated help lines and offered free access to an identity theft protection service from Experian.

Police and the Information Commissioner have been alerted.

Customers and members were advised to change their passwords for Abta.com and other accounts where they use the same password or a variation of it. They should also remain vigilant regarding online and identity fraud by monitoring bank accounts and their email and social media accounts.

Abta CEO Mark Tanzer said: “Having become aware of the unauthorised access, we immediately notified the third-party suppliers of the Abta.com website who immediately fixed the vulnerability.

“Abta immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed.”

He added: “We are not aware of any information being shared beyond the infiltrator. We are actively monitoring the situation, but as a precautionary measure we are taking steps to warn both customers of Abta members and Abta members who have the potential to be affected.

“I would personally like to apologise for the anxiety and concern that this incident may cause to any customer of Abta or Abta member who may be affected.

“It is extremely disappointing that our web server, managed for Abta through a third party web developer and hosting company, was compromised, and we are taking every step we can to help those affected.

“I will personally be working with the team to look at what we can learn from this situation.”

 

Source: http://www.mirror.co.uk/news/uk-news/abta-cyber-attack-leaves-thousands-10037492


Integrated Technologies are the Key

An integration of cutting-edge biometric recognition technology and key management systems is offering the very highest levels of security for organisations managing large numbers of priority keys.

 

The system is the result of co-operation between ievo Ltd, the Newcastle-based manufacturer of biometric recognition systems, and Keytracker Ltd, the Midlands manufacturer of key management systems.

 

Andy Smith, General Manager of Keytracker, explained, “We’ve developed our restricted key access systems for a huge variety of sectors ranging from the construction, engineering, property, education and health sectors to the automobile retail trade – anywhere where access to vehicles, plant or different areas is controlled by physical keys. By combining these systems with ievo’s biometric recognition technology and the corresponding software, we have created an ultra-secure solution that ensures and tracks the release of specific keys to specific people.”

 

The resultant Restricted Key Access System incorporates state-of-the-art hardware with easy-to-operate administration software restricting access to only those keys the user is authorised to use. The integration of the ievo ultimate™ fingerprint readers ensures that the potential for fraudulent access via stolen swipe cards or pin codes is completely removed, whilst the registration process has been integrated into the existing software, allowing direct and simple user control and saving both the end user and installer time and money.

 

“We’re already talking to potential clients within healthcare, where areas like drug storage must be kept under strict control, logistics and construction where only licensed personnel are allowed access to specific vehicles and plant, but the possibilities are endless.”

 

Richard Forsyth, UK Sales Manager of ievo Ltd, added, “We’re delighted to be working with Keytracker to provide the ultimate in key access security systems. By the addition of our biometric recognition system, we’ve created an additional level of security to accessing keys for a variety of purposes. Operators can now very easily establish access to specific keys and then track this for external security and internal administrative purposes.”

 

ievo ultimate readers use an advanced sensor which employs multispectral imaging (MSI) technology to scan and capture data, using multiple light sources to read not only the surface of the skin, but also data points from the subsurface level (up to 4mm deep) of a finger. The different light sources can penetrate levels of moisture and debris present on the skin to read data points below. This advanced method allows for a high number of uniquely identifiable data points to be recognised and used for a more accurate, reliable and efficient verification process. The readers are also designed for both external and internal use and are equipped with an internal thermostat controlled heater allowing them to operate in conditions as low as -20°C and, being IP65 rated, they also function in levels of heavy rain.

Key Tracker’s latest Controlled Key Cabinet with integrated ievo Ultimate Biometric Reader


Thousands of Welsh NHS staff’s data stolen in hack

Details of thousands of medical staff in Wales have been stolen from a private contractor’s computer server. Names, dates of birth, radiation doses and National Insurance numbers of staff who work with X-rays were copied as hackers accessed Landauer’s system.

More information: http://www.bbc.co.uk/news/uk-wales-39249975

Following the news, below are some thoughts from Lee Munson, security researcher at Comparitech.com:

“The theft of personal information from Welsh medical staff highlights, once again, how a third party can be responsible for an organisation becoming breached.

“While the details of the attack are not yet clear, compromised staff may be asking whether the Velindre NHS Trust had appropriate access control measures in place, along with an appropriate set of security policies.

“The victims of this attack, at least one of whom mistakenly believes they will not be targeted any time soon, despite the fact that it occurred 5 months ago, will need to be on the lookout for phishing attacks and suspicious activity surrounding their bank and credit card accounts.

“Identity theft should also be a real concern and they should already be taking the necessary steps to prevent long-term damage from this breach.”


WikiLeaks publishes over 8,000 CIA spying files in ‘Vault 7’ release

WikiLeaks has published what it described as the biggest ever leak of confidential documents from the CIA detailing the tools it uses to break into phones, communication apps and other electronic devices. In all, there are 8,761 documents that account for “the entire hacking capacity of the CIA”, Mr Assange claimed in a release, and the trove is just the first of a series of “Vault 7” leaks. Already, the files include far more pages than the Snowden files that exposed the vast hacking power of the NSA and other agencies.

Please see below for a few comments on this from security experts:

 

Jim Walter, a Senior Researcher with Cylance, explained that early research indicates that efficiency is a top priority. “There are clear instances where the owner of this code is inspired by (and sometimes borrowing directly from) well-known malware. Familiar names like HiKit, Shamoon, and Nuclear EP appear multiple times, so it is interesting to see what threats the owner is taking cues from. Beyond that we have a great deal of analysis to do when it comes to putting this dataset into context with previous dumps pertaining to government techniques, tactics, and procedures.”

 

Brian Vecci, Technical Evangelist, Varonis

“It’s too easy for data to be stolen, even—allegedly—within the CIA’s Center for Cyber Intelligence. The entire concept of a spook is to be covert and undetectable; apparently that also applies to actions on their own network. According to WikiLeaks, this treasure trove of files was given to them by a former U.S. government contractor. The CIA is not immune to issues affecting many organizations: too much access with too little oversight and detective controls. A recent Forrester study found that 59% of organizations do not restrict access to files on a need to know basis.

“In performing forensics on the actual breach, the important examination is to determine how 8,761 files just walked out of one of the most secretive and confidential organizations in the world. Files that were once useful in their operations are suddenly lethal to those same operations. We call this toxic data, anything that is useful and valuable to an organization but once stolen and made public turns toxic to its bottom line and reputation. All you have to do is look at Sony, Mossack Fonseca and the DNC to see the effects of this toxic data conversion.

“Organizations need to get a grip on where their information assets are, who is using them, and who is responsible for them. There are just too many unknowns right now. They need to put all that data lying around in the right place, restrict access to it and monitor and analyze who is using it.”

 

Mike Ahmadi, global director – critical systems security at Synopsys

“Unfortunately, US Government computer systems, policies, and procedures are largely outdated in today’s hostile world of connected technologies. The moment anything with either external connectivity or mobility (e.g. a USB memory stick) gets near such systems, the game is over. The software running on legacy government computer systems is so fraught with vulnerabilities that any level of access creates the potential for a security breach. The government needs to take a closer look at their exposure if they hope to defend against what is becoming an embarrassing regular occurrence.”

 

Lee Munson, security researcher at Comparitech.com:

“Wikileaks’ disclosure of what it claims are wide-ranging CIA hacking tools is hardly likely to surprise anyone in the post-Snowden world we now live in.

“Whether the alleged cyber weapons exist or not is largely immaterial at a time when I assume most people believe they do.

“What the Vault 7 leaks should do, however, is confirm that, while taking a nothing to hide, nothing to fear approach is hopelessly out of date, most citizens should not be any more concerned about surveillance today than they were yesterday.

“While exploits across a range of devices and the ability to turn on cameras and microphones is a touch chilling, they’re nothing new, and anyone with real concerns should already be going about their business with those possibilities in mind.

“The really interesting aspect to this leak, however, is how the alleged cyber spying tools all appear to have one thing in common – the need to acquire information over the wire.

“That means, for now at least, we can assume that messaging systems with strong end-to-end encryption are beyond the reaches of the security services; a win for everyone who is truly concerned about protecting their privacy today.”


Data Risk Management in Financial Services Summit

16th of May 2017 

Millennium Hotel London Mayfair

This annual meeting in its 5th year will be once again a leading platform hosting Security leaders from EU Central banks, as well as UK & US retail and investment banks. The event will discuss the current global economic crime landscape and the impact of the emerging trends of multiple complex incidents, as well as debate preventative responses and solutions.

The event is organised under the Chatham House Rule.

DRMFS audience 2017:

  • Heads of Security
  • Heads of Compliance
  • Chief Information Security Officers (CISO)
  • Chief Security Officers
  • General Counsel and Chief Privacy Officers
  • Global IT Compliance and Risk Management Senior Executives
  • Chief Information Officer (CIO)
  • Financial Crime Prevention Specialists
  • Financial Risk Assessors
  • Information and Technology Risk Senior Executives
  • Data Risk Management Experts
  • Technological Crime and Forensics Directors
  • Risk and Regulatory Change Directors
  • Risk Auditors
  • Data Governance Managers

Representing:

  • Central Banks
  • Regulators
  • Law Enforcement Agencies
  • Investment Banks and Financial Institutions
  • Retail Banks
  • Insurers
  • Credit Card Providers
  • Government Agencies
  • Data Providers
  • Industry Associations

Why attend:

  • Network with decision makers representing central banks and world leading financial institutions and companies
  • Introduce your products and services to a carefully selected audience of C-level security and risk management experts
  • Win new business
  • Form new alliances and strengthen existing partnerships

http://www.drmfsummit.com/ 


connect:ID Conference & Expo

May 1-3, 2017 WEWCC, Washington, DC, USA 

The 4th edition of connect:ID, with its international conference and global exhibition, focuses on all aspects of identity technologies and the opportunities for their management in both the physical and digital worlds.

connect:ID unites solutions adopters and stakeholders from around the world to explore the development and fusion of multiple advanced identity technologies – including biometrics, secure credentials and mobile identity systems.

This event is brought to you by Science Media Partners and the International Biometrics & Identification Association (IBIA) and brings together all the players in the international identity market.

www.connectidexpo.com
