Finding the Needle in the Lawful Intercept Haystack

Modern encryption techniques have resulted in Law Enforcement and Intelligence Agencies losing the benefits that came from carrying out Lawful Intercept activities. Indeed the time required to investigate a lawful intercept PCAP file for relevant and useful information is now such that should any artefact be found, it is almost certainly found long after the time when the information could have been at its most useful.

Communications channels have gone way beyond the simple calls and text messages of the past. The proliferation of messaging apps (WhatsApp, Signal, Telegram etc.), the ability to send messages via social media platforms (Facebook, Nextdoor, Instagram etc.) and the use of video communication platforms (FaceTime, Zoom etc.) has produced a very complex environment to investigate and analyse when looking for that particular artefact that will break the case, or that specific piece of intelligence that will lead the investigators to where they need to go. That is before you add the problem every investigator faces when these communications are encrypted.

Additional information and intelligence you may want to know is which websites have been visited, when, with what frequency, for how long, etc. Another thing that Wireshark won’t do for you here, but a good LEA workflow will, is assign each website to a category: is it Ads, Shopping, Food, Travel, Furniture, Pornography, Social Networking, Political Ideology, Terrorism, etc.

What is required is a tool that examines the lawful intercept network data (most likely a PCAP) and synthesises the output into a clear website profiling view. When that kind of analysis takes seconds and can be immediately reflected from a large collection of PCAPs, then we’re really cooking on gas. 

Today Lawful Intercept of data services can still be an effective tool against communication apps. What is being said is lost to unbreakable encryption, but that is often not what is needed to progress an investigation. Each call leaves a digital footprint in the packet captures, and that is clearly visible to the right tool, regardless of whether that app is WhatsApp or some obscure dialler you have never heard of. Some of these applications are quite challenging to ‘fingerprint’ within the network noise, but the right application of machine learning can classify these applications with high confidence. 
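The website-profiling pass described above, reduced to its simplest form, as an added example that is not part of the original article or of any vendor tool it mentions: it walks a PCAP, pulls the question name out of each DNS query, labels the domain from a category table, and records visit count and first/last seen. The capture, the category table and the domain names are all constructed inline for the demonstration; a real workflow would also use TLS SNI and a commercial categorisation feed.

```python
"""Website profile from DNS queries in a PCAP (constructed sample data)."""
import struct

# Constructed category table; a real LEA workflow would use a URL-categorisation feed.
CATEGORIES = {
    "shop.example.com": "Shopping",
    "ads.example.net": "Ads",
    "social.example.org": "Social Networking",
}


def dns_query_name(payload):
    """Return the first question name of a DNS query message, or None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack_from("!HH", payload, 2)
    if flags & 0x8000 or qdcount == 0:        # a response, or no question section
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0:                          # compression pointer: invalid in a query name
            return None
        pos += 1
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels) if labels else None


def iter_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a little-endian pcap buffer."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    pos = 24                                  # fixed-size global header
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, pos)
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def dns_from_frame(frame):
    """Return the UDP payload if the frame is Ethernet/IPv4/UDP to port 53, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                   # IP protocol 17 = UDP
        return None
    udp = 14 + ihl
    if struct.unpack_from("!H", frame, udp + 2)[0] != 53:
        return None
    return frame[udp + 8:]


def profile(pcap_bytes):
    """Return {domain: {"category", "count", "first", "last"}} for every queried domain."""
    prof = {}
    for ts, frame in iter_pcap(pcap_bytes):
        payload = dns_from_frame(frame)
        name = dns_query_name(payload) if payload else None
        if not name:
            continue
        entry = prof.setdefault(name, {"category": CATEGORIES.get(name, "Uncategorised"),
                                       "count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return prof


# --- constructed sample capture (no real traffic) -------------------------
def _dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def _frame(dns):
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4


def build_sample_pcap():
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, name in [(1000, "shop.example.com"), (1005, "ads.example.net"),
                     (1010, "shop.example.com"), (1020, "unknown.example")]:
        f = _frame(_dns_query(name))
        out.append(struct.pack("<IIII", ts, 0, len(f), len(f)) + f)
    return b"".join(out)


if __name__ == "__main__":
    for domain, e in sorted(profile(build_sample_pcap()).items()):
        print(f"{domain:24} {e['category']:18} x{e['count']} {e['first']:.0f}-{e['last']:.0f}")
```

The parser deliberately ignores responses and compressed names so that only the client's own lookups count as "visits"; aggregating by first/last seen is what turns a flat packet list into the "when, how often, for how long" view the article asks for.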

If you would like to find out more about how to find that Needle in the Lawful Intercept Haystack and work in Law Enforcement or Intelligence, then subscribe to Digital Forensics Magazine and read the full article, and join Sandvine for a Live Demonstration of Digital Witness.

Digital Witness Webinar Registration



2021 To See More Successful Security Attacks

During 2021 more successful security attacks and compromises will be encountered, with many high profile organisations in multiple sectors falling on their own sword of insecurity, and thus paying the price of a reactive style of supposed security posture. Sadly, 2021 will not be the year we see real steps taken toward Cyber Resilience – but it will be the year in which we finally see a more serious mindset toward addressing cyber insecurity with a proactive security posture.

Developed back in the 1830/1840’s by Samuel Morse and other collaborating inventors, the telegraph revolutionized long-distance communication. It worked by transmitting electrical signals over a wire laid between stations, and changed the nature of communications forever – in fact it was commented by one authority:

“The new technologies will bring every individual into immediate and effortless communication with every other, and will practically obliterate political geography, and make free trade universal. Thanks to technological advance, there are no longer any foreigners, and we can look forward to the gradual adoption of a common language.”

Powerful words, linked to positive aspiration. However, stepping forward to the invention of the Internet by Sir Timothy John Berners-Lee, not only may we track our all encompassing technological progress, but equally may note that the outcomes have not always been so positive, with the advent of cyber insecurity.

From the Genesis period of the Internet Revolution there was always a very real concern that such a multi-faceted world of interconnectivity should dictate a very firm need for security in the uncontrolled space of the World Wide Web (WWW) – it did not. In fact such early concerns were around the area of the Internet naming and numbering authority – or, to put it bluntly, the root authority. In that era, Jon Postel was, like many are today, fighting to prove the dangers of lacklustre controls, and on 28 January 1998 decided to take action: he took control, sidestepped Network Solutions and demonstrated that he could transfer root authority whenever he chose to – this made those in control sit up and take note.

So just what has the history of the Internet got to do with the WWW today? The answer: the simple concerns Postel raised early on are now magnified to an unprecedented level by complex interwoven connectivity, with potentially millions of domains across the world being maintained in a vulnerable and exposed state.

Along the path to exploiting what is referred to as the Super Highway, multiples of global organisations, and governments have embraced this easy to empower technology to their own singular advantage. However, as this eager embracement grew, it would seem in the majority of cases, those who were chasing the benefits of the Internet were unaware of the Genie of Insecurity which was gradually creeping from the lamp and entering their domains.

As of 2020 there are around 2 billion websites running on the net, so just imagine if 10% are insecure – that amounts to 200,000,000. However based on what has been discovered from a number of sample surveys conducted with WHITETHORN SHIELD that number would seem to be very much on the low side – with 25% being a more realistic percentage, the end number of insecurity is now scarcely significant.

What really changed the world of cyber was the appreciation and practice of OSINT (Open Source Intelligence), which goes well beyond the element of the IP address to discover titbits of unknown unknowns that can expose even the most secure of sites – titbits gathered from multiple sources may then be leveraged to paint an aggregated big picture, Cuckoo’s Egg style off-line acquisition of dark intelligence metrics which may be used to further expose and exploit further insecurities.

In 2020, much work has been done by Cybersec Innovation Partner with their cutting edge WHITETHORN SHIELD engine, and findings gathered from both commercial and government sites are to be observed with the question – how can this be? The findings not only suggest there is a potential for cyber insecurity to exist on multiple sites, but go well beyond and prove that these discoveries are fact. The problem seems to be, nobody is willing to listen – that is until such time as they are compromised!



The global capital markets are highly vulnerable to cyber attack…and Greece could be the warm-up

By: John Edge

Because my roles have always involved new technologies applied to existing markets, I’ve been trained to think about technology related governance and risk; now as I look to a future of affordable mass compute power and artificial intelligence driven threats, I can’t help but think of where the weak points may be.  And my hunch leads me to places where both manpower and system power may be depleted.  And there’s an obvious one right now.  The Greek capital markets.  My gut tells me that Greece could be the warm up for an attack on the system integrity of capital markets.

I know that this is an odd statement to make, given that capital markets do not have systemic risk weak points and are designed to be resilient to cyber attacks – theoretically invulnerable to all comers.  But, instinctively, we all know that this cannot be the whole story – that risk cannot be entirely eliminated and that where there is human life, things can go wrong.  So, the question is – how bad could it get?

The truth is: bad, very bad.  In theory, global collapse of hitherto unseen proportions.

Automation of the capital markets infrastructure started in the 80’s, as technology evolved.  Both performance and price created the opportunity to splice automated functions into what were once manual processes. This concept of splicing is essential to understanding where we are today, in that we did not design for an end goal, we designed for what worked in the here and now.

As such, capital markets grew organically from a technology point of view, with layer after layer of systems being built; duplication and overlap were created, whereby systems ran out of capability and were patched back together or replaced, often partially.

Throughout the 90’s and early 2000’s the rate of adoption of technology accelerated, driven by the relentless hustle to hit quarterly targets. Machines were built to trade millions of times a second, competition for trading flow at the exchange level was opened up, so exchanges were driven to advance their technology to stay competitive, which meant more machines were built. The cycle has continued at this pace and now extends to retail and commercial banking, with digital demand from customers driving the transformation of these markets.

Then we introduced cloud computing, which offered the opportunity to increase performance and scalability whilst reducing cost. So markets took a complex organic system and started to distribute it, across internal and external data centers plus service providers. Vendor technologies exploded in popularity; the age of ‘FinTech’ was born, bringing substantial advantages to market participants. Marvelous progress indeed.

However, much as it’s a downer – sometimes the ‘bear view’ needs to be considered.  What does the bear view show us?

Starting with the basic truth that old code often has holes in it and modernizing code is essential to system health.  Ah ha – you say – simple.  Just modernise the code, and everything will be fine.  But here’s the rub: Modernising code costs money.  Which eats into quarterly returns, making it somewhat unattractive to those who make the decisions. “Heigh-ho,” they may say.  “Let’s just hope the thing doesn’t break down on my watch.”

The next layer up is the compilation of the systems and the architectures in place; were they designed for entities with malicious intent? Entities armed with, thanks to a Mr. Moore and his law, low cost massive computer power?  The answer is, of course not.  Some of the newer types of cyber attack couldn’t have been conceived of when these systems were built.  That’s criminal ingenuity for you.

So, with aging code bases and system architectures not designed to resist the kind of power modern cyber threats at large have, we at least have well trained teams operating in a coordinated fashion globally to manage this fragile ecosystem. Oh wait, nope… we don’t have that either.

For a “mini” taste of how things can go wrong, there’s the bankruptcy of Knight Capital, caused by a rogue algorithm, a human ‘non malicious’ error that went undetected, which turned the largest trader in US equities into rubble in a little under a week.  Then there were the SIP issues with NASDAQ that shut off that market, and all other markets, for a large part of a trading day. Most recently we have seen glitches with NYSE.

All three of these crises, which were nothing on what could happen on a global scale, were created by human error and are in practice being addressed through Reg SCI. These incidents are indicative of what occurs when critical systems fail in capital markets. The elephant in the room is the possibility of a malicious attack.  Because that’s going to be worse than anything human error could cause.

Let’s, for a moment, create a nightmare scenario.  How could that come about and what would be the effect?

Imagine a powerful group looking to insider trade, which is trading with non-public information.  This group decides to create the non-public information by shutting down a stock exchange for two days. The night before the attack the group buys options contracts that will pay off, if the market moves down. When they shut down the market for two days, panic ensues and the market “sells off”.

Of some comfort is that the fictional baddies might be deterred by the fact that the plan could go horribly wrong for them – the futures position may go against the intent and lose the monies deposited as margin.

Currently, all businesses in Greece are suffering a high amount of disruption. What we know is that often it is human error that causes problems, rushed code releases and poor processes creating production issues. The duress being suffered by business operators in countries such as Greece could increase the likelihood of human error.

But on top of this, opportunistic criminals could use these markets as a training ground – a ‘cyber attack gym’.  The functional layout of capital markets is roughly the same everywhere, although the volumes change significantly between countries. Could the current Greek crisis present an opportunity for practice attacks, and would the operators, in the current state of chaos, even know this was occurring?

There are global automated market places that have not trained enough people to operate information security defenses. Systems have been developed to aid humans in the management of security perimeters, however standards and processes have not yet been developed for many smaller market places.

On top of these challenges there is the issue of system re-engineering, the moving from the organic spaghetti infrastructure to an infrastructure designed for today’s environment. Which all comes down to budget.

Chewing the fat with my friend and colleague Alexei Miller, a managing director at global technology consulting firm, DataArt, he pointed out that chaos always begets criminal creativity and that Greece was that chaos. Cheaters, he said, will look for ways to circumvent capital controls.  He noted that if the Greek situation were happening in certain other countries (and he didn’t say which) and Europe was sending massive checks to keep them afloat, the biggest question would be how much of it would be stolen.

It is true that technology fosters spending accountability.  But when it is left to tick along, in the way the global capital markets technology often is in many places and organisations, it can be a force for evil.

Sleep tight.  Don’t have nightmares, now.

John Edge is an innovator and social entrepreneur in the digital economy, with a recognized expertise in financial technology and a track record of creating breakthrough business models by harnessing network capital to identify patterns created by market needs, inefficiencies and new technologies, with the mission to create value for individuals, corporates, investors and society.  He is an advisor to global technology consulting firm, DataArt.



How the Energy Industry can Survive Targeted Attacks

The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently reported that it received 245 incident reports from asset owners and industry partners in the fiscal year of 2014. Like the previous year, the largest number of these incidents occurred in the Energy sector with 79 incidents.

The incidents reported to the ICS-CERT included the following:

• Unauthorized access of Internet facing Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices
• Exploitation of zero-day vulnerabilities in control system devices and software
• Malware infections within air-gapped control system networks
• SQL injection via exploitation of web application vulnerabilities
• Network scanning and probing
• Lateral movement between network zones
• Targeted spear-phishing campaigns
• Strategic web site compromises (a.k.a., watering hole attacks).
Not only is the energy sector being hit the hardest, energy companies are also especially vulnerable since they possess valuable intellectual property and provide critical services that can be targeted by hacktivists and foreign state actors for sabotage purposes. In addition, the energy industry uses legacy systems that were not built with cyber-attacks in mind, and downtime for system upgrades is virtually impossible due to their critical nature.
How can the Energy sector prepare and defend against cyber attacks? Here is an 8-step plan for addressing cyber security in the Energy industry:

1. Air-Gap Networks
In a recent cyber attack on a South Korean nuclear facility, the nuclear plant remained safe because the control system was separated from the external network. It is important that Industrial Control Systems are air-gapped (i.e. separated from the network), so that even if attackers gain access to the network, they will not be able to reach the Industrial Control System and the damage can remain limited.

2. Identify and Encrypt
Identify the most important information and intellectual property that needs to be protected and make sure that it is encrypted and only accessible by a highly restricted group.

3. Use Multiple Anti-Malware Engines
By using multiple anti-malware engines to scan files, web traffic, and email attachments, you can significantly increase the malware detection rates and thwart any attempts to bypass a specific engine’s limitations. Since not every engine addresses the same threats in the same time frame, by using multiple anti-malware engines you can also ensure faster protection against new threats.

4. Implement USB Security
Files still need to be transferred to high security, air-gapped networks to perform system upgrades, maintenance, etc. To ensure safety but still enable file transfer, portable USB devices should first be thoroughly scanned with multiple anti-malware engines before being allowed to connect to the air-gapped network.

5. Improve Email Security
A common entry point for cyber attacks is spear phishing. Most email security systems can detect and stop phishing attacks, but spear phishing attacks are harder to detect since they are only sent to a small number of people, and significant effort has been put into making them look legitimate. To detect more malware and counter threats that are targeted towards specific antivirus engines, companies need to strengthen their existing email security systems by using multiple anti-malware engines for scanning email attachments. Since spear phishing attacks often make use of malicious email attachments that exploit zero-day vulnerabilities that may not yet be known, it is also important to sanitize email attachments by converting files to another format to defuse any possible embedded threats.

6. Defend Against Advanced Persistent Threats
Since Advanced Persistent Threats can lie in wait for a considerable time, it is important to continually monitor and scan networks and devices for threats and irregular activity. What may have previously gone undetected by anti-malware engines, could suddenly appear on the radar after an engine update. By centrally monitoring the company’s devices, you can ensure that anti-malware and other programs are updated and that malware scans are run regularly.

7. Train Employees
Train employees on USB security, how to detect spear phishing attacks, and to immediately report any devices that are stolen or lost. Make sure that employees update their anti-malware programs frequently and regularly perform full system scans.

8. Third Party Company Security
It is important to ensure that even if security is breached at one of the company’s suppliers or contractors, only limited access can be gained to the company’s central system. Also, when exchanging confidential files with external contacts, it is important to use a secure file transfer system that ensures that files are encrypted and can only be opened by the intended recipient.
With this survival guide, companies in the energy sector can effectively prepare for a possible cyber-attack, knowing they have the right defense weapons in their arsenal.
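Steps 3 and 4 above (multiple anti-malware engines, and scanning removable media before it touches the air-gapped network) can be combined into a single transfer gate. The example below is added here and is not OPSWAT's or any product's code: it models each "engine" as a simple checker function, verifies that a file's content matches its claimed extension against a small allow-list, aggregates the verdicts so that any single engine detection blocks the transfer, and records a SHA-256 for the audit log. The two engines, the allow-list and the sample files are constructed for the demonstration (the only "malware" is the industry-standard EICAR test string).

```python
"""Transfer gate for files entering an air-gapped control network (constructed example)."""
import hashlib
import io
import os
import zipfile

# Industry-standard anti-virus test string; harmless, used to exercise scanners.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed allow-list: extension -> expected leading bytes (file "magic").
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
}


def engine_signature(data):
    """Hypothetical engine A: byte-signature matching; here only the EICAR string."""
    return "EICAR-Test-File" if EICAR in data else None


def engine_structural(data):
    """Hypothetical engine B: structural heuristics (PE header, macro-enabled OOXML)."""
    if data[:2] == b"MZ":
        return "Win32.Executable"
    if data[:4] == b"PK\x03\x04":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "Malformed.Archive"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "OOXML.MacroEnabled"
    return None


ENGINES = {"engineA": engine_signature, "engineB": engine_structural}


def check_transfer(filename, data):
    """Decide whether one file may cross into the air-gapped network.

    Returns a dict with the SHA-256, every engine detection, the policy reasons
    for refusal, and the final 'allowed' flag (True only if nothing objected).
    """
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    expected = ALLOWED_TYPES.get(ext)
    if expected is None:
        reasons.append(f"extension {ext or '(none)'} not on allow-list")
    elif not data.startswith(expected):
        reasons.append("content does not match extension")
    # Run every engine; one detection is enough to block, but all are logged
    # so a miss by one engine (the article's point) is still caught by another.
    detections = {}
    for name, engine in ENGINES.items():
        verdict = engine(data)
        if verdict:
            detections[name] = verdict
    return {
        "file": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "detections": detections,
        "reasons": reasons,
        "allowed": not reasons and not detections,
    }


def review_media(files):
    """Check every file on a USB stick (given as {name: bytes}) and return the results."""
    return {name: check_transfer(name, data) for name, data in files.items()}


def build_samples():
    """Constructed sample files; the .docx is a minimal zip with a macro container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", "constructed placeholder")
    return {
        "invoice.pdf": b"%PDF-1.4\n%constructed clean document\n",
        "invoice2.pdf": b"%PDF-1.4\n" + EICAR + b"\n",   # valid type, bad content
        "report.docx": buf.getvalue(),
        "tool.exe": b"MZ" + b"\x00" * 62,
    }


if __name__ == "__main__":
    for name, r in review_media(build_samples()).items():
        status = "ALLOW" if r["allowed"] else "BLOCK"
        print(f"{status:5} {name:14} {r['sha256'][:12]} {r['detections']} {r['reasons']}")
```

The second PDF is the instructive case: it passes the type check, so a gate that only validates extensions would wave it through, and only the scanning step catches it. In a deployment the two hypothetical engines would be replaced by calls to real products, but the aggregation rule (any engine blocks, every verdict logged) stays the same.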

This blog post was provided by Deborah Galea, Product Marketing Manager at OPSWAT. For more about Deborah click here



Offender profiling is taking a different shape, as investigators grapple with increasingly ‘social’ criminal activity

Mobile forensics has changed the methodology when it comes to offender profiling. The frequent use of mobile devices has provided investigators with another source for profiling criminal suspects, as well as an insight into their habits and personalities.

This is not just because of the volume of user voice calls and SMS texts; the amount of rich data that can be extracted from Instant Messaging (IM) and social media applications gives forensic investigators the paint and brushes to develop a detailed picture of a suspect and a criminal case. A suspect’s social media personality can offer a more tailored overview of the character, his or her likes and dislikes and a reflection of ‘who’ they really are, beyond their alleged actions. A victim’s presence on social media can also be used to find a common link to possible suspects.

Recent research from Cellebrite found that 77 per cent of respondents believed that mobile apps were a critical data source in criminal investigations. While this clearly indicates that mobile apps offer a vital source of evidence, it’s not a suggestion that investigators should solely look at mobile-based apps when building the investigative picture – evidence should be extracted from all other items of phone-based data as well.

The widespread use of mobile apps makes them a critical data source for law enforcement, both in terms of evidence and investigative leads. The value to both prosecuting and defence counsels, in a court of law, makes the neglect of such data a potentially severe barrier to solving a case.

People now more frequently use mobile devices to access social media apps, rather than using a traditional PC or laptop. Moreover, social media data that is extracted from a suspect’s mobile device provides additional characteristics such as more accurate location-based data and time proximity to another event or situation. For example, by connecting to a specific Wi-Fi network investigators can establish presence in a certain place and at a certain time, correlating it with another action, possibly on a social network.

Criminals will use various communication channels in the course of their mobile activity. For example, a suspect could use an IM app to organise a meeting, but use SMS to contact the victim. Investigators must operate a flexible forensic practice when sourcing evidential data from mobile devices, because the various channels that criminals communicate through mean that a one dimensional approach to forensic evidence gathering could lead to the omission of valuable data.

While data points such as SMS text messages and GPS locations may result in an immediate lead in a criminal case, the ‘online social identity’ of a suspect will allow investigators to delve into the personality of the suspect, which in turn could help build out the case.

This social data can be extracted through the social media apps that the suspect has downloaded on their device. Facebook posts, Tweets, ‘shares’ and ‘likes’ can all give critical information to investigators hoping to build the profile of a suspect.

A suspect’s social media identity goes beyond their ‘likes’ and ‘shares’ though; it can also include immediate locational data, such as a recent ‘check-in’ at a restaurant or a shop. Even if this locational data isn’t completely current, it will still help to paint the forensic picture of a suspect in terms of where they regularly go, who they meet with, and what they do when they’re there.

In court, social data retrieved from mobile apps is fast becoming a major source of evidence, not only in building up the profile of the suspect, but also in establishing or demolishing a witness’ credibility. While social or app-based data has become a crucial evidential component of an investigator’s case, it can also act as an important part of the prosecution or defence process in court.

Offender profiling is changing as people use more social applications to communicate with one another. This is providing investigators with another source of information to build up a complete profile of a suspected criminal, which in turn offers a more comprehensive picture of a suspect in a court of law.

The amount of data that is now being consumed and shared is opening up a number of different opportunities for mobile forensic investigators, who are in a constant battle to stay one step ahead of the increasingly connected criminal.

Yuval Ben-Moshe, senior forensics technical director at Cellebrite



Waking Shark II & Barclays

Last week, one agency was kind enough to print my controversial opinions on Waking Shark II, which were based on knowledge of standing deficiencies with the security cultures and infrastructures of banking. Many of which have been notified, but those in question have failed to act, or indeed acknowledge!

The recent Barclays breach is interesting, but I would add that this is only known because an insider blew the whistle; otherwise it would be unknown, and the public at large would have been none the wiser, and at risk. However, I am aware of many cases of such breaches which did not go public, one of which was the loss of 37,000 Barclays client records, in clear (not encrypted), around 2007, which was not reported, notwithstanding that the CISO and all Executive IT Directors were aware, including one Main Board Member.

My main criticism and observation around Waking Shark II was its real value to serving security – if there were/are so many tolerated holes in place that support insecurity, then those in the security profession who support this situation, by association become part of the problem – in the name of security associations and bodies!

My conclusion is, we are not at a well trodden juncture of insecurity and public/business exposure which, in my opinion needs much more than to just pay lip service to the known, but which demands tangible action to secure the National and Global Economies.

We also need to be aware that the cultures which tolerated the unreported breach, have moved on, in some cases to the world of Outsourcing and Service Management (e.g. First Data), so sadly one may conclude that such attitudes for survival may have evolved into the unknown.

John Walker

Professor John Walker is a Visiting Professor at the School of Computing and Informatics, Nottingham Trent University (NTU), owner and CTO of SBLTD, a specialist Contracting/Consultancy in the arena of IT Security and Forensics, and Security Analytics, the Director of Cyber Research at the Ascot Barclay Group.



Authors – Book Reviewers – Product Reviewers – Bloggers – Evangelists

Digital Forensics Magazine is always on the lookout for new talent and content, and as the number one magazine for all matters Digital Forensics we are looking to expand our list of contributors. If you feel that you have something to contribute to the magazine in one of the following categories, contact us via and join the ever-growing team of international contributors who are leading the discussions.

If you have an idea for an article, which you would like to discuss, or if you want to become a regular contributor, we want to hear from you. The field of Digital Forensics is vast and with the ever-increasing use of technology in so many aspects of daily life, not previously envisaged, the need for the Digital Forensic investigator to go beyond the hard disk and the mobile phone requires new tools and techniques. If you are involved in Digital Forensics or related research, developing new tools to solve a particular problem (especially new technology), a learning experience from a case study or just want to share your ideas and thoughts we would like to hear from you. It does not matter if you have not written before; we will work with you to craft your idea into a publishable article using our team of experienced authors and editors. If this is you then email us at or submit your article idea via the website

/Book Reviewers
As we see the increasing and innovative use of technology, the need to secure and investigate said technology is increasing. As a result we see an increasing number of books being published that require review and comment. Working with the leading publishers Digital Forensics Magazine obtains these books to allow us to review and comment on. These reviews are then covered in the magazine and carried on the DFM Blog. Once selected you will be sent a list of books available for review, you then choose a title that you like and we will send you the book. You read the book and then fill out a review form to be sent back to DFM. If you would like to become a book reviewer for Digital Forensics Magazine contact us at with a CV to demonstrate that you have the required knowledge and experience to be a book reviewer.

/Product Reviewers
Digital Forensics Magazine regularly carries articles on various supporting investigative technologies and we have a number of companies that have asked us if we would consider reviewing their products. This is not a rubber stamping exercise; this is an in-depth review looking at aspects such as ease of installation, ease of use, information gained, usefulness of the product, supporting documentation, etc. To become a product reviewer you will need to be a suitably qualified Digital Forensics Investigator who has knowledge of the disciplines in which the technology operates. If you would like to be a product reviewer contact us at with a CV and a statement of why you believe you have the credentials to become a product reviewer.

The Digital Forensics Magazine blog is an outlet for news, commentary, ideas and even the occasional rant. We are looking for Digital Forensic researchers, investigators or even those with just an interest in the subject to join our growing band of regular contributors to the blog site to provide interesting and stimulating content. The content can be wacky as well as serious, however it must be related in some way to Digital Forensics and will be checked and edited prior to publication. If you would like to become a regular contributor to the digital forensics magazine blog then contact us at

Digital Forensics Magazine is a global magazine printed in English and distributed to over 40 countries including those in South Africa, South America, Australasia and Eastern Europe, as well as the UK and USA. The cost of promotion to such a large audience in all of these geographical areas is beyond the budgets of the magazine, so we are on the lookout for evangelists: those people who believe passionately in Digital Forensics and are active in their own communities. DFM Evangelists receive discount vouchers to pass on to their communities as well as having direct access to the marketing team at DFM, who will help them promote Digital Forensics related conferences, events and activities in their region. If you are interested in becoming a Digital Forensics Magazine Evangelist contact us at

Digital Forensics Magazine prides itself on not just being a magazine, but also for being a source of quality, valuable, and useful information for the Digital Forensics Profession. Our goal is to bridge the gap between the academic journal and the traditional magazine. We want to hear from you on what is good or bad as well as what you would like us to include so please provide your comments to us via and if you want to get involved in one of the activities outlined we would welcome you to the growing band of professionals who contribute to the growth of the magazine.



Mobile Device Forensic Process v3.0

Cindy Murphy has updated her paper on a process for Mobile Device Evidence and Data Extraction. We at DFM are happy to help get this into the hands of Digital Forensic Investigators globally and whilst it has not been reviewed through our normal technical review process we are happy to help publicise this piece of much needed work. The article is available for download using the link below or subscribers to Digital Forensics Magazine can download the paper from the White Papers Downloads Section of the DFM Website.

Cindy Murphy is a Detective with the City of Madison, WI Police Department and has been a Law Enforcement Officer since 1985. She is a certified forensic examiner (EnCE, CCFT-A, DFCP), and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones, and other digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part time digital forensics instructor at Madison Area Technical College, and is currently working on her MSc in Forensic Computing and Cyber Crime Investigation through University College in Dublin, Ireland.

Mobile Device Forensic Process v3.0



Protect Your Business From State-Sponsored Attacks

It has taken some time but we finally have succumbed to the delights of a certain kitchen utensil. Years of resisting George, John, and the seductive talents of Penelope had left me more determined than ever to resist at all costs. The result: a plethora of appliances – eight at last count – to produce the perfect cup of coffee at the right moment, cluttering kitchen surfaces and cupboards, and never quite getting it right. After all, each appliance needs and produces its own unique type of coffee. And it’s difficult, when you’re the only serious coffee drinker, to convince ‘management’ at home that such a thing as a CCM (Centralized Coffee Management) system is essential.

And the story is similar with encryption keys and certificates. Look around any mid to large size organisation and you will find SSL, SSH and Symmetric keys and digital certificates scattered around – and each type will also have several variants. Then there are all the different “utensils” which use the keys, from applications to a myriad of appliances, as well as a host of built-in ‘tools’ to manage each variety.  The result is more management systems than the average household’s coffee machines.

Today SSL and SSH keys and certificates are found littered across virtually all systems, applications and end-user computing devices. In most cases no one knows who caused the ever-proliferating and expanding landscape of encryption “litter,” and since these keys and certificates are used to protect critical systems and sensitive data, ineffective and siloed management means that organisations are increasingly susceptible to failed audits, security risks, unexpected systems outages, compromises to systems applications and most importantly, critical data. Of course, each of these comes with its own costly financial and reputational consequences.

The Dark Side

And just as I’m told that there’s a dark side to my caffeine addiction, there is a definite dark side to the unmanaged and unquantified encryption keys and certificates that we’ve become so dependent on—which now act as the infrastructure backbone of all online trust and security. Today as never before, everyone from governments to private individuals is under attack. The use of malware for criminal, ideological and political aims is growing at an alarming rate. Stuxnet opened Pandora’s Box when the use of valid, stolen SSL certificates as a means to authenticate the malware and allow it to remain hidden and undetected became common knowledge. Since then there has been an explosion of malware using digitally signed certificates.

Can we defend ourselves against state-sponsored attacks?

Today we are faced with cyber-attacks on a scale never imagined, and the question that has to be asked is whether or not there is anything we can do to protect our infrastructure, enterprises and ourselves.

But I believe the reality is that we are responsible in large part for the ease with which cyber-terrorists, regardless of their ideology or motivation, are attacking us. In effect, we are supplying the weapons that are being used against us. The collective failure of enterprises to protect keys and certificates is resulting in these very keys and certificates being used against us.

The Flame attack, for example, which masqueraded as a Windows update, was successful because of Microsoft’s continued use of MD5 algorithms, years after they themselves had identified that they were compromised. A surprisingly small amount of money needed to be spent to create a duplicate certificate. Shamoon, which attacked Aramco and RasGas, leveraged a certificate stolen from a company called Eldos, and issued by Globalsign. The fact that it was issued by Globalsign is not the problem; the problem is that the key and certificate were reportedly stolen from Eldos. And it goes on and on. Cyber-Terrorists are literally helping themselves to keys and certificates from global business because they know that no one manages them. When organisations don’t ensure proper controls over trust, business stops. End of story.

So the first step in defending ourselves is to protect our key and certificate arsenal. Having effective management, so that access to any key or certificate is controlled, is a first step in ensuring that you don’t become the next unsuspecting collaborator. And that management has to be unbiased, universal and independent if it’s going to work—not caring who issues the encryption or in what departmental silos it resides (one cannot be both the issuer and manager of encryption simultaneously—too many inherent conflicts of interest). No one wants to have their name associated with a cyber-attack that at the very least results in significant financial loss for the victim, but even more seriously results in the loss of life.

Secondly, enterprises are not responding to the attacks. There is massive investment in perimeter security but when we are told repeatedly that the threat is as much from within as outside, we need to act.

Can we still protect critical infrastructure from attack in the digital age?

If malware is the Cyber-terrorist weapon of the 21st century, then organisations need to reduce the risk as much as possible. At last count there are in excess of 1500 Trusted Third Parties who issue certificates globally. Many of these are in every system in the infrastructure, and the result is that if a system trusts the issuer, it will by default trust the “messenger”, in this case malware.

So like your firewall in the 20th Century, which you used to reduce the access points through your perimeter, effective management of trusted issuers and instruments similarly reduces your risk of malware infection. If a system doesn’t know the issuer, it’s not going to trust the messenger. So although you can never completely remove the risk, because you have to trust some people, you will significantly reduce the number of possible attacks. But this requires the determination of an organisation to take steps to protect itself. The management of trust stores in every system becomes an absolute necessity in the fight against cyber-terrorism, regardless of what group, enterprise, or nation state is behind it.
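The first practical step the passage calls for is knowing what is actually in your trust stores: which issuers a system trusts and whether any of them still rely on the hash algorithms the Flame paragraph above describes. The following is an added example, not code from the article or from Venafi. It uses only the Python standard library with a small DER walker that reads just the fields the audit needs (the outer signature algorithm and the issuer CN); it is an inventory tool, not a certificate validator. The two sample certificates are constructed in-line and are not real signed certificates: their key and signature bits are placeholders, and the CA names are made up.

```python
"""Trust-store audit: list the issuers a system trusts and flag weak signature hashes.
Added example (not code from Digital Forensics Magazine or Venafi). Sample certificates
are constructed below and are NOT real signed certificates; key/signature bits are placeholders."""

SIG_ALG_NAMES = {                                   # RFC 3279 / RFC 4055 signature OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
OID_COMMON_NAME = "2.5.4.3"

def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_children(content):
    """Split a SEQUENCE/SET body into its (tag, content) children."""
    items, pos = [], 0
    while pos < len(content):
        tag, inner, pos = parse_tlv(content, pos)
        items.append((tag, inner))
    return items

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form, e.g. 2.5.4.3."""
    parts, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # last byte of a base-128 arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def common_name(name_content):
    """CN attribute of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in parse_children(name_content):
        for _, atv in parse_children(rdn):
            (_, oid), (_, value) = parse_children(atv)[:2]
            if decode_oid(oid) == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return "<no CN>"

def inspect_certificate(cert_der):
    """Return (issuer CN, signature algorithm name) for one DER-encoded certificate."""
    _, cert, _ = parse_tlv(cert_der)
    tbs, sig_alg = parse_children(cert)[:2]         # tbsCertificate, signatureAlgorithm
    alg_oid = decode_oid(parse_children(sig_alg[1])[0][1])
    fields = parse_children(tbs[1])
    if fields[0][0] == 0xA0:                        # optional EXPLICIT [0] version
        fields = fields[1:]
    issuer = common_name(fields[2][1])              # serial, signature, issuer, ...
    return issuer, SIG_ALG_NAMES.get(alg_oid, alg_oid)

def audit_trust_store(certs):
    """Issuer, algorithm and a weak-hash flag for every certificate in the store."""
    return [{"issuer": i, "sig_alg": a, "weak": a in WEAK_SIG_ALGS}
            for i, a in map(inspect_certificate, certs)]

# --- constructed sample data, used only to exercise the audit (not real certs) ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def der_oid(dotted):
    first, *rest = map(int, dotted.split("."))
    body = [40 * first + rest[0]]
    for p in rest[1:]:
        arc = [p & 0x7F]
        while p >= 0x80:                            # base-128, high bit on all but last
            p >>= 7
            arc.insert(0, 0x80 | (p & 0x7F))
        body += arc
    return der(0x06, bytes(body))

def build_sample_cert(issuer_cn, sig_oid):
    """Structurally valid, unsigned certificate with the given issuer and algorithm."""
    alg_id = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der_oid(OID_COMMON_NAME) + der(0x0C, issuer_cn.encode()))))
    validity = der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"230101000000Z"))
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, bytes(17)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg_id + name + validity + name + spki)
    return der(0x30, tbs + alg_id + der(0x03, bytes(17)))   # placeholder signature bits

SAMPLE_TRUST_STORE = [                              # constructed, made-up CA names
    build_sample_cert("Example Root CA", "1.2.840.113549.1.1.11"),   # SHA-256: fine
    build_sample_cert("Legacy Signing CA", "1.2.840.113549.1.1.4"),  # MD5: weak
]

if __name__ == "__main__":
    print(*audit_trust_store(SAMPLE_TRUST_STORE), sep="\n")
```

To run this over a real store, split a PEM bundle on its BEGIN/END CERTIFICATE lines, base64-decode each body and pass the resulting list of DER blobs to `audit_trust_store`. Anything flagged `weak`, or any issuer nobody in the organisation can account for, is a candidate for removal from that system's trust store, which is exactly the reduction in "trusted messengers" the paragraph argues for.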

According to US Defence Secretary Leon Panetta, the Pentagon and American intelligence agencies are seeing an increase in cyber threats that could have devastating consequences if they aren’t stopped. “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyse the nation.”

The question is: when will we start to see individuals and organisations being held culpable for these attacks? In the Cyber-Terrorism war, selling valid SSL certificates, whether stolen, lost or sold, to “terrorists” is big business – it is likely to be a significant part of a major incident, and ignorance will not be a defence!

So my advice is, as George Orwell wrote in “1984” –  “If you want to keep a secret, you must also hide it from yourself.”

Calum MacLeod has over 30 years of expertise in secure networking technologies, and is responsible for developing Venafi’s business across Europe as well as lecturing and writing on IT security.



Digital Forensics Capability Analysis

The ICT KTN, on behalf of the Forensic Science Special Interest Group (FSSIG), is conducting a survey of the UK’s Digital Forensics Capability. This work is being managed by Angus Marshall, of n-gate ltd., to whom any initial queries should be directed. The project team also includes the CyberSecurity Centre at De Montfort University.

To download this survey please visit the following links:

Word format
PDF format


Traditional Digital Forensics activities involve the recovery and investigation of material found in digital devices. Such data is at rest on static devices such as hard drives and in solid-state memory on camcorders, mobile phones, GPS navigation devices etc. The market for this activity was driven by Law Enforcement and other public sector organisations, hence it was necessary for all activities to be conducted in line with UK evidential criteria so that it was admissible in a court of law.

Our digital age has seen requirements evolve. With the ubiquitous use of email came a requirement for a new field of expertise – that known as “e-discovery”. E-discovery refers to discovery in civil litigation, which deals with the exchange of information in electronic format (electronically stored information or ESI). This data is subject to local rules and processes and is often reviewed for privilege and relevance before being turned over to opposing counsel, where the burden of proof rests on the balance of probability.

However our digital evolution has not remained static. The growth of cyberspace, the trend towards mobile devices (BYOD) and cloud services has seen data take on a far more transitory nature, and the physical location of data at rest can be difficult if not impossible to determine. Data is versioned, distributed and stored across differing networks, devices, borders and boundaries.

The traditional digital forensics practice of imaging and extracting information from disparate physical devices no longer suffices for incident investigation in cyberspace. There is an increasing requirement from businesses in the private sector, and emerging capabilities are required to keep pace so that these requirements can be met.

The team will produce a report detailing the current stakeholders, existing capabilities and challenges. This will enable the identification of areas in which there are capability gaps. Attention will then be paid to how these gaps may be reduced and any specific challenges which will need to be overcome in order to do so. Further, a glossary of terms of key digital forensics concepts with simple definitions will be produced to assist with knowledge transfer both within and outside of the FoSci community.

Your involvement

You can assist with this first stage of the survey by completing the attached questionnaire and returning it to no later than Monday, 4th March please. All responses will be treated in strictest confidence and your answers will be anonymised before they are included in the report(s).

Digital Forensics Capability Analysis – Questionnaire

If you are willing to assist with this phase of the project, please complete and return to by Monday 4th March 2013

1) What do you understand by the term “Digital Forensics”? (one or two sentence answer)

2) In which context do you use digital forensics (e.g. law enforcement, civil law, criminal law, private sector, internal investigation, information security)?

3) What types of technology do you deal with in the context of digital forensics?

4a) What is the single greatest DF challenge you, personally, face in your everyday activities?

4b) How do you think this challenge could be addressed?

4c) What is the single greatest DF challenge that your organisation faces in its everyday activities?

4d) How do you think this challenge could be addressed?

5a) What challenges do you think you will face in the near (1-2 years) and medium-term (2-5 years) future?

5b) How do you think these challenges could be addressed?

6) When you are looking for a solution to digital forensics problems, who do you turn to for

a) off-the-shelf solutions?

b) bespoke solutions/product customisation?

7) Who would you consider to be the key people or organisations relevant to your experience and usage of digital forensics?

8) What other innovations, relating to technology, services or any other issues affecting digital forensics, do you think would be beneficial?

9) May we contact you again for more information?

(If “Yes”, please also provide your name and a contact phone number or email)


SIG Forensic Science

Forensic Science Special Interest Group

For more information about the FSSIG, and to get involved in the community, please see