Monthly Archives: June 2015

Australian NSW Police want warrantless bank data access

Police want access to banking data without judicial oversight.

The NSW Police Force would no longer require a judge’s sign-off to gain access to the bank statements of people they suspect are engaging in criminal conduct under a police proposal before the NSW government.

The proposal would change the status quo, which requires a magistrate or registrar of a court to sign off on a “notice to produce” before police can force banking institutions to hand over documentation, such as a suspected criminal’s bank statements.
Detective Superintendent Arthur Katsogiannis. Photo: Dallas Kilponen

The proposal would instead allow a senior police officer to sign off.

Detective Superintendent Arthur Katsogiannis, head of NSW Police’s Fraud and Cyber Crime Squad, revealed the proposal in a lunch interview with Fairfax Media.

Detective Katsogiannis said it was being floated following the imminent trial of a new information retrieval (IR) system which would help automate some manual processes for collecting intelligence from banks.

“If we want documentation from the banks … we still need to go to a court and see a chamber magistrate to be able to get a notice to produce to get that documentation so it can be admissible as evidence in a court,” he said. “We’ve recently put a submission up to government seeking an amendment to that [so] that a commissioned officer would be able to authorise notices to produce.”

Detective Katsogiannis said the computerised system would enable officers to “go online and request banking documentation, statements, affidavits and the like” and get it “a lot quicker and more efficiently”. The next step – allowing a senior officer to sign off on access to banking information – would make it even faster.

He likened the proposal to the way telecommunications metadata – such as the time a call was made, to whom, and for how long – is sought from telcos, which requires only the sign-off of a senior officer before companies such as Telstra or Optus divulge such information.

Asked about the NSW Police Force proposal, a spokeswoman for NSW Deputy Premier and Minister for Police, Troy Grant, said it was examined last year as part of a review into the Law Enforcement (Powers and Responsibilities) Act 2002.

“… Changes were made to streamline the process but fell short of allowing all commissioned officers with the authority access [to] people’s bank statements,” Mr Grant said. “The review attempted to balance the needs of police to get on with the job and having appropriate safeguards of people’s personal information.”

But as the new Minister for Police, Mr Grant said he had requested a full briefing to examine “if further improvements can be made”.

NSW Police’s submission to last year’s review was never made public. Mr Grant’s spokeswoman said this was because it was provided to the review in confidence as it contained “operational matters”.

However, in the review’s final report, handed down by the NSW Department of Attorney-General and Justice, and Ministry for Police and Emergency Services, the authors paraphrased submissions made by the NSW Police Force and NSW Police Association.

The review said both entities wanted senior officers rather than parties outside the police force to be given the power to sign off on access to banking information. NSW Police stated, the report said, that this “would represent a reduction in red tape by delivering significant benefits for police in savings of resources, paperwork and unnecessary travel”.

Both parties also wanted the range of entities that have to comply with notices to produce to be expanded.

But the report did not recommend changing the notice to produce laws to the point where a judicial officer was no longer needed, saying “it would be inappropriate for a senior member of police to be given the authority” to issue the notices.

“…There are significant privacy implications,” the report concluded.

“The independent issuing authority is a necessary safeguard to ensure that civil liberties are not unnecessarily impinged upon.”

The report also shot down the possibility that notices to produce apply to other entities, such as casinos, bookmakers and currency exchanges.

David Shoebridge, a Greens MP in the NSW Legislative Council, said he had concerns.

“Bank records contain a cornucopia of personal information that should be protected from casual access by the NSW Police,” he said. “If police have a reasonable basis to believe that access to someone’s bank account details can help them solve a crime then they can already get the information by a warrant.”

When recently asked, none of the big four banks would disclose how many times they have handed over banking information.

While banking information is highly personal and can reveal spending habits, including where you shop and what time, some don’t see it as that private. Sydney-based start-up Pocketbook, for instance, has some 150,000 users who voluntarily hand over their banking information in return for a useful service that organises their spending into categories such as clothes, groceries and fuel – showing where money is being spent.

Fairfax Media recently reported that NSW Police made 166 requests for Opal smartcard data, which doesn’t require a warrant to access.

Henry Sapiecha

Metadata spying on constituents by local councils on the increase


Government agencies made more requests for citizens’ metadata in 2013-14 than ever before.

An increasing number of local councils spied on residents by requesting access to their phone metadata without a warrant last financial year, with the number of requests from government agencies hitting an all-time high.

The Australian Federal Police also disclosed metadata to foreign countries, including Russia, in the period, the figures from the Attorney-General’s Department, released this week, reveal.

The telecommunications data available to government agencies under federal law, often referred to as “metadata”, includes phone and internet account information, outward and inward call details, phone and internet access location data, and details of Internet Protocol addresses (though not the actual content of communications).

Although thousands of these authorisation requests were made by criminal law enforcement agencies, including police, a long list of other government agencies have also accessed metadata without a warrant to chase fines or to protect revenue, including a growing number of local city councils, Australia Post, the RSPCA, racing bodies and more. The data is also used by agencies to investigate leaks to the media.

In the year ending June 30, 2014, two new councils jumped on the bandwagon in an attempt to access citizens’ metadata, including The Hills Shire council, covering the northern Sydney suburb of Castle Hill and surrounds, and Darebin City Council, in Melbourne’s trendy inner north.

In a statement, The Hills Shire council said it made a request to track down a roof cleaner who “left some hoses running in a resident’s downpipe”.

“As a result, a nearby creek turned orange,” it said.

“Throughout investigations, council staff were only able to track the contractor’s mobile phone number.

“As a result, council requested a telecommunications company provide the contractor’s name and address so that a caution could be issued.

“However, before the request could be approved, Council identified the business and issued a caution.”

A total of six local councils across the eastern states are now digging up residents’ metadata to chase minor infringements including unauthorised advertising, unregistered pets and littering.

The list also includes Bankstown council in Sydney; Knox and Wyndham councils in Melbourne; and Ipswich city council, south-west of Brisbane.

Darebin and The Hills Shire made only one metadata request each, however Ipswich made 21 requests in the year – more than any other council – up from six requests in the previous period.

In 2011-12, only two councils – Bankstown and Wyndham – were accessing metadata.

However, councils and other non-criminal law enforcement agencies’ access to citizens’ metadata may be curbed in the current financial year thanks to mandatory data retention laws that passed in March.

Now, these agencies must first gain authorisation from the Attorney-General before they can begin accessing metadata.

The Attorney-General must consider a range of criteria when granting a request, including whether the agency has a binding privacy scheme, and whether the functions of the agency include investigating “serious contraventions” of the law.

Police, however, retain the same level of access, and have been criticised in the past by privacy advocates for scooping up innocent people’s data when requesting large blocks of data from mobile phone towers – known as a “tower dump” – when scrambling for leads.

Meanwhile, officials at Queensland Police began accessing the private metadata of cadets to determine whether they were sleeping with one another or faking sick days. This access was labelled by the state’s police union as “disturbing” and “potentially unlawful”.

The latest figures on telco metadata collection also reveal the Australian Federal Police shared metadata with Russia and a dozen other countries in the past financial year for the purposes of enforcing laws in those countries.

In 2013-14 the AFP authorised 19 metadata requests, followed by 17 more disclosures to foreign law enforcement bodies in France, Germany, Greece, Hong Kong, Hungary, India, Italy, Japan, Lithuania, Norway, Poland, Russia, Sri Lanka and Singapore.

Government agency requests for citizens’ metadata from their telco providers leapt by 10,590 overall in the period, to an all-time high of 349,820.


Henry Sapiecha

FBI: Surveillance flights by the book, rarely track phones

In this May 26, 2015, file photo, a small plane flies near Manassas Regional Airport in Manassas, Va. The plane is among a fleet of surveillance aircraft used by the FBI, primarily to target suspects under federal investigation. The FBI assured Congress on June 17, in an unusual, confidential briefing, that its plane surveillance program is a by-the-books operation short on high-definition cameras, with some planes equipped with binoculars. (AP Photo/Andrew Harnik)

The FBI assured Congress in an unusual, confidential briefing that its plane surveillance program is a by-the-books operation short on high-definition cameras — with some planes equipped with binoculars — and said only five times in five years has it tracked cellphones from the sky.

The FBI would not openly answer some questions about its planes, which routinely orbit major U.S. cities and rural areas. Although the FBI has described the program as unclassified and not secret, it declined to disclose during an unclassified portion of a Capitol Hill briefing any details about how many planes it flies or how much the program costs. In a 2009 budget document, the FBI said it had 115 planes in its fleet.

The briefing Wednesday to Senate staff was the first effort in recent years — if ever — to impose oversight for the FBI’s 30-year aerial surveillance program that gives support to specific, ongoing investigations into counterterrorism, espionage and criminal cases and ground surveillance operations. While it withheld some details, it offered assurances that the planes are not intended to perform mass surveillance or bulk intelligence collection. However, there is still no formal oversight regimen for the program.

The briefing came two weeks after the FBI confirmed to The Associated Press for the first time its wide-scale use of the aircraft, after the AP traced at least 50 planes registered to fake companies back to the FBI. The AP investigation identified more than 100 flights in 11 states over a 30-day period this spring. The planes since June 1 have flown more than two-dozen times over at least seven states, including parts of Texas, Georgia and the Pacific Northwest.

The ubiquity of the flights, combined with few details about the surveillance equipment aboard the planes, raised civil liberties concerns over Americans’ privacy.

The AP had reported that, in rare circumstances, the FBI equipped the planes with technology capable of tracking thousands of cellphones using a device known as a “cell-site simulator.” These can trick pinpointed cellphones into revealing identification numbers of subscribers, including those not suspected of a crime.

The FBI said that technology has been used on its surveillance aircraft only five times since 2010, according to one Senate staffer present at the briefing. The FBI would not say how often it has used the technology in ground surveillance operations.

Staffers shared details with the AP on condition of anonymity because they were not authorized to speak publicly about them.

The FBI said 85 percent of the aircraft have commercially available infrared still and video cameras. The remaining 15 percent use binoculars for surveillance missions. The FBI said there were only eight high-definition cameras in the fleet, though it would like to have that technology for more of its planes.

The FBI, like the Drug Enforcement Administration, said it hides its aircraft behind fake companies so that it can discreetly conduct surveillance and protect the safety of the pilots. The FBI said most surveillance flights — some 64 percent — are part of national security investigations. It was unclear over what time period those flights took place.

Senate Judiciary Chairman Chuck Grassley, R-Iowa, pressed for answers about the FBI’s aerial surveillance program after The Washington Post reported in May that an FBI surveillance plane was used over Baltimore during rioting that erupted following the death of 25-year-old Freddie Gray, who sustained grievous injuries while in police custody. In that instance, the FBI was helping local police with aerial support.

Despite government concerns that publicity about the planes might impede surveillance, the number of flights has remained consistent since the AP first reported on the program, according to an AP review of flight records and radar data. Flights since June 2 have occurred a few times each day over cities across the United States, including San Francisco, Phoenix and Orange County, California. They are generally flown without a warrant, which the FBI says is consistent with the law.

Two senators proposed changing that Wednesday.

Sen. Dean Heller, a Nevada Republican, and Sen. Ron Wyden, an Oregon Democrat who has been outspoken about government surveillance, introduced a bill that would limit what the federal government can record from the skies and require a warrant to conduct surveillance from planes and drones.

“Technology has made it possible to conduct round-the-clock aerial surveillance. The law needs to keep up,” Wyden said in a statement. “Clear rules for when and how the federal government can watch Americans from the sky will provide critical certainty for the government, and help the unmanned aircraft industry reach its potential as an economic powerhouse in Oregon and the United States.”

The FBI said it does not comment on pending legislation, but maintained that a warrant was not necessary for the type of surveillance being conducted from its planes.

Courts are grappling with balancing constitutional protections against evolving technologies, as laws have not kept pace with technological advancements.

Among other reasons, the surveillance planes were exposed as belonging to the FBI because one of its fake companies shared a post office box with the Justice Department, creating a link between the companies and the FBI through publicly available Federal Aviation Administration records.

The FBI told Senate staffers it was working with the FAA to restore some cover to preserve operational security, but it did not plan to spend the money required to operate under “deep cover.”


Henry Sapiecha

Federal cybersecurity efforts need clear responsibility, urgency and leadership

Enemy nation-states, terrorists, and cyber gangs are striking the federal government’s cybersecurity Achilles heel, taking advantage of a disorganized bureaucracy that continues to leave government networks susceptible to attacks. Patience should be running thin as we watch the country become more vulnerable, despite years of languishing promises of strengthened security. Where is the sense of urgency, and whose feet should be held to the fire?

Sadly, the recent hack perpetrated on the Office of Personnel Management (OPM) was just a glimpse into what will be the new normal, if the government does not act fast and put real solutions in place. As OPM acknowledged, an estimated 4 million federal government employees had their personal data hijacked; when the relatives, friends and colleagues listed in many of these files are taken into account, the number quickly swells to 8 million—or even 12 million—individuals affected. Each one is a victim of what may be the biggest espionage heist in history.

The full extent of the harm remains to be seen, but we know home addresses, social-security numbers and other personal information were stolen by enemy intelligence services. The perpetrators now can use this sensitive information to establish hit lists, to exploit the victims, or to build upon it in future attacks, further chipping away at the nation’s security.

This startling attack was entirely preventable; OPM’s database was improperly secured and inadequately encrypted. The security measures in place are comparable to a “beware of the dog” or “this house is secured by ADT” sign, and they did not seem to intimidate or slow the Deep Panda hackers as they waltzed through the front door and into OPM’s vault of information with the hubris of Danny Ocean’s crew. Even more startling is a report by the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) that, in fiscal year 2014, more than 640,000 cyber-related incidents impacted federal government agencies.

US-CERT is charged with collecting this data and reporting on the thousands of intrusions occurring in the online neighborhood; however, after 10-plus years of mounting data and a skyrocketing number of intrusions, what is the plan to combat these attacks? While the government is taking steps to protect its networks by deploying US-CERT’s early warning system known as “Einstein,” deployment is not keeping pace with our enemies. Coupled with a tight budget environment and the inability of government agencies to procure updated security technologies, the United States is a sitting duck for cybercriminals.

It is distressing that any urgency for increased cybersecurity at federal agencies seems to have been short-lived or for show. Every year, there is a flurry of legislative and regulatory activity, but very rarely does anything get signed into law or enacted. Even when it does, it lacks a clear mandate. Current cyber legislative proposals are geared towards providing liability protection for corporations; while these measures are critically important, they do not address the root causes of the federal government’s inability to secure its own information.

As we sift through the wreckage, Congress should begin with determining who is responsible for agencies’ cybersecurity. The lack of identifiable leadership has allowed for finger pointing.


Henry Sapiecha

6 critical steps for responding to a cyber attack

So you’ve been hacked? Here’s how to contain and mitigate the consequences of a security breach 

Cyber security affects all businesses and industries and it is now a board-level agenda item, placed at number three on the Lloyds Risk Register (2013). Dealing with cyber attacks is a “whole of business” issue, affecting every team within an organisation. It is also a people and operational issue, rather than just a technical issue.

In today’s modern environment, where every single organisation is reliant to a certain extent upon technology and telecommunications, it is not a case of “if” a cyber security breach occurs, but rather a case of “when”.

When a breach is discovered, it is essential to act comprehensively and quickly, or it may expose the business to greater liability. There are six critical steps the organisation must take to deal with it.

It is important to bear in mind that these steps are not sequential – in practice, it will be necessary to think about most of them in parallel, particularly in the initial aftermath of the breach where the priorities will be to contain it in order to mitigate any risk of further damage or loss of data.

1. Mobilise the incident response team

An incident response team should be formed and include all relevant internal stakeholder groups, such as a technical team to investigate the breach, HR and employee representatives where the breach affects employees, intellectual property experts to help minimise brand impact or recover stolen IP/information, data protection experts where personal data is involved, and public relations representatives. There may also need to be external representatives – for example, where the internal teams do not have sufficient capability or capacity.

The team should also include representatives from the organisation’s legal team and possibly also external counsel. There are a number of legal implications of any cyber attack, and it will therefore be of vital importance to the organisation to seek legal advice as soon as possible after becoming aware of an attack.

As part of this, it will also be necessary to check whether losses from a cyber attack are covered under the organisation’s existing business insurance policies. Where there is insurance in place, the organisation will need to review the relevant policies to determine if insurers must be notified of a breach. Some policies cover legal and remedial costs, but only from the date of notification.

2. Secure systems and ensure business continuity

Following a breach, the first key step from a technical perspective will be to secure the IT systems in order to contain the breach and ensure it is not ongoing.

This could mean that an organisation has to isolate or suspend a compromised section of its network temporarily or possibly even the entire network. This can of course be extremely disruptive and potentially costly for the business.

It is necessary also to consider how and when the breach was detected, and whether any other systems have been compromised. Organisations should have in place suitable measures to ensure that any network or other intrusions are detected immediately.

3. Conduct a thorough investigation

An investigation will need to be carried out as to the facts surrounding the breach, its effects and remedial actions taken. The organisation will need to decide who should take the lead on the investigation and ensure that they have appropriate resources available to them.

Where there is potential employee involvement in the breach, the investigation will also need to take into account any applicable labour laws, and the investigation team should therefore consult and involve HR representatives as appropriate.

Finally, the investigating team will need to ensure that they document any and all steps taken as these may be required as part of any regulatory notification to be submitted. In practice, investigations are usually iterative: further lines of enquiry will become apparent as the circumstances surrounding the breach become clearer.

Whenever there is a breach, it is important to feed back the conclusions from the investigations into the policies and procedures in place and the incident response plan, and to ensure that employees are given appropriate notice and training on them. Regulators are often just as interested in what has been done to remedy processes going forward as in the breach itself.

4. Manage public relations

This will be a key requirement of the incident response team, particularly where the organisation involved is a consumer-facing organisation.

Not all security breaches will become public, but for many it will be inevitable – for example, where customers’ personal data has been compromised and is in the public domain, or where the relevant data protection legislation requires the affected individuals to be notified. Being timely in managing announcements to the public and being accurate, open and honest in the messages given are crucial.

5. Address legal and regulatory requirements

Specific legislation may contain regulatory notification requirements that apply in the event of a breach. Although most jurisdictions do not (yet) have a specific and all-encompassing cyber security law, there is often a patchwork of laws and regulations that have developed in response to evolving threats.

Some of these laws will apply universally across sectors, whilst industry-specific legislation is continuing to develop to target the most at-risk sectors – for example, financial services, critical utilities infrastructure and telecommunications.

In the US, the legal patchwork includes: the National Institute of Standards and Technology Cybersecurity Framework, which consists of standards, guidelines, and practices to promote the protection of critical infrastructure; and Executive Order 13636, which, amongst other things, expanded the existing programme for information sharing and collaboration between the government and the private sector.

In the EU, organisations should pay particular attention to data protection legislation. The proposed new Data Protection Regulation in Europe includes a mandatory obligation for organisations across all sectors to inform their relevant data protection authority of any security breaches, including the facts surrounding the breach, its effects and any remedial actions taken by the organisation.

The EU is also proposing a new Cyber Security Directive, which would include a requirement for “market operators” (for example, electricity, oil, gas, transport, financial/banking etc.) to report security incidents to the competent authority.

Some legislation may also require, in addition to a regulatory notification, the notification of individuals whose data have been compromised as a result of the cyber security breach.

Deciding who to notify is not easy – it may not be possible to identify whose data has been affected, as opposed to whose could have been affected. If an organisation has many millions of customers, the prospect of notifying all of them should not be taken lightly.

6. Deal with liability

Unfortunately, no matter how prepared an organisation is, it is nonetheless likely to incur some form of liability in the event of a cyber-security breach. There are various ways in which an organisation could incur this liability.

There could be direct non-legal liability as a consequence of a cyber attack. This liability could arise, for example, through blackmail attempts, theft, ransomware and ex-gratia payments that an organisation may choose to make from a public relations and customer relationship perspective. This final category can be a major cost to organisations following a cyber attack but can really help to mitigate any damage to the customer relationship. For example, an organisation for which customer credit card details have been compromised might choose to offer complimentary credit screening for the affected customers for a period of time.

There will very often be regulatory liability resulting from cyber security breaches. From a data protection perspective, current EU law requires organisations to have in place appropriate technical and organisational security measures to protect personal data. If an organisation is found to have failed in its implementation of this regulatory requirement, it could be subject to a penalty. In the UK, the current maximum fine under the Data Protection Act 1998 is £500,000, and Sony was fined £250,000 by the UK Information Commissioner for its PlayStation breach in 2011.

However, if the EU’s proposed new Data Protection Regulation is adopted, this could see the maximum fines being increased to €100 million or 5% of the organisation’s annual worldwide turnover, whichever is the greater.

In certain areas, sector-specific regulation could also apply. In the UK financial services sector, the regulator has historically levied greater fines for security breaches than the Information Commissioner. For example, in August 2010, the FSA fined Zurich Insurance Plc £2.275 million following the loss of 46,000 customer records on an unencrypted backup tape, which was being sent to a South African subsidiary for processing.

Liability for cyber security breaches could also be incurred in litigation for breach of statutory obligations, breach of contract, breach of equitable duties, and negligence. To date, the majority of cases have occurred in the United States. For example, in March this year, Target agreed to pay $10 million in a proposed settlement of a class-action lawsuit related to its 2013 breach.

Although the focus of this article has been on what to do in the event of a breach, it is also important to bear in mind that there are a number of proactive steps that organisations can take in order to mitigate the risk of a cyber attack before it happens.

In particular, organisations should carry out a comprehensive assessment of their existing processes and procedures, identifying what needs to be protected and assessing the specific risks and potential impacts on the business.

Thereafter, a response plan should be put in place including designating a suitable response team and making any necessary changes to policies and procedures to deal with any immediately apparent issues.

In addition, given that many data security breaches happen as a result of employee action or inaction, user education and awareness is crucial.


Henry Sapiecha


Rep. John Katko to FAA: Take steps to prevent cyberattacks on airplanes

U.S. Rep. John Katko is calling on the Federal Aviation Administration to address concerns that airplanes are vulnerable to cyberattacks after a Government Accountability Office report found a hacker could access the plane’s controls using its wireless Internet system. 

The GAO report said the FAA has taken action to protect its air traffic control systems, but the agency will continue to face challenges because it hasn’t implemented a model to help identify cybersecurity threats. And while the GAO acknowledges that the FAA has taken some steps to develop such a model, it hasn’t dedicated the funding or time needed to finalize the plan.

A co-requester of the report, Katko, R-Camillus, said GAO’s findings are “troubling.”

“This report exposes an enormous vulnerability in our system — that any traveler could gain unauthorized access to cockpit avionics systems from the cabin,” Katko, chairman of the House Homeland Security Subcommittee on Transportation Security, said in a statement.

“Nearly 14 years since 9/11, terrorists have adapted both to our airport security protocols and to the modern communication systems used in aircraft systems, requiring us to be agile and resourceful in ensuring airport and in-flight security.”

In its report, the GAO recommended that the FAA should assess the cost and time needed to develop a cyberthreat model and add the Office of Aviation Safety to the agency’s Cyber Security Steering Committee.

The GAO also advised that the FAA should develop a plan to implement revisions to federal cybersecurity standards.

“In light of the significant threats we face, I urge FAA to quickly implement the GAO’s latest recommendations to eliminate these vulnerabilities and prevent cyberattacks on aircraft in flight,” Katko said.

According to the report, the FAA agreed to two of the recommendations. But the agency said the Office of Aviation Safety “is sufficiently involved in cybersecurity” and won’t be added to its Cyber Security Steering Committee.


Henry Sapiecha

Most investors scared by cyberattacks & consider blacklisting of affected companies


Survey finds data breaches cause most investors to consider dumping affected companies


A new survey published Wednesday found that roughly four out of five investors would consider blacklisting businesses that are attacked by hackers.

The report, conducted by consultancy firm KPMG, was compiled from a survey of 133 institutional investors from around the globe. The responding investors manage more than $3 trillion in assets.

“Investors see data breaches as a threat to a company’s material value and feel discouraged in investing in a business that has had its sensitive information compromised,” Malcolm Marshall, the global head of KPMG’s cyber security practice, said in a release.

Digital security has become a growing issue for investors, regulators and the general public in the midst of a series of high-profile cyberattacks on companies ranging from Sony Pictures Entertainment to health insurer Anthem. Some appear to be politically motivated and highly sophisticated, like the Sony attack, which has largely been attributed to North Korea. Others, such as the attacks on Anthem and retailer Target, resulted in the hackers absconding with the personal information of millions of customers.

“Following a number of high profile breaches, we are seeing global investors waking up to the issue of cyber security,” Marshall continued. “The ripple effect of this has seen investor appetite for cyber businesses increase, with the survey revealing that 86 percent of investors see it as a growth area.”

The survey found that the polled investors believed that less than half of the boards of the companies they invest in are adequately prepared for cyberattacks. The investors also believe that 43 percent of board members do not possess the appropriate skills and knowledge to manage risk in the Internet arena.

Essentially, the survey found that the damage to a company’s reputation caused by cyberattacks can be more destructive than the initial hacking. By jolting investors, data breaches can cause long-term pain.


Henry Sapiecha

Cyberattacks Increasingly Rapid and Deceptive: Symantec


In 2014, cybercriminals, using increasingly rapid and deceptive attacks, targeted the financial sector to steal massive amounts of data from major institutions, according to Mountain View, Calif.-based Symantec’s Internet Security Threat Report.

Other highlights: Twenty percent of financial, insurance and real estate companies were at risk of spear-phishing attacks in 2014, similar to the 2013 rate; 30% of finance workers were targeted with spear-phishing attacks, where emails were frequently sent requesting payment by credit card or the completion of a wire transfer; and, financial information was the fourth most common type of information exposed in 2014.

“Attackers don’t need to break down the door to a company’s network when the keys are readily available,” Kevin Haley, director, Symantec Security Response said in a release. “We’re seeing attackers trick companies into infecting themselves by ‘Trojanizing’ software updates to common programs and patiently waiting for their targets to download them—giving attackers unfettered access to the corporate network.”
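The warning quoted above describes attackers Trojanizing a legitimate software update and waiting for the victim to install it. The control that breaks that delivery path is an update client that refuses any bundle not matching a manifest the vendor authenticated, including extra files the manifest never listed. What follows is an added example written for this page, not code from Symantec or from any vendor's updater; the manifest layout, the file names and the shared key are assumptions, and the HMAC stands in for a real publisher signature (for example Ed25519) only because the Python standard library has no signature primitive.

```python
"""Verify a software update against a pinned, authenticated manifest before
installing it. Added example: the manifest format, the key and the file
names are assumptions, not the page's or any vendor's format."""
import hashlib
import hmac
import json

# Constructed: a key the client already holds. Stands in for the vendor's public
# key in a real signature scheme; HMAC is used only because the stdlib has no Ed25519.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    """Authenticate the manifest (hex tag); the vendor side of the exchange."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(files: dict, manifest: dict, tag: str,
                  installed_version: int, key: bytes = MANIFEST_KEY) -> list:
    """Return a list of reasons to refuse the update; an empty list means install.

    Checks, in order: manifest authenticity, rollback (version must move forward),
    every listed file present with the expected SHA-256, and no unlisted files
    (a dropped extra binary is how a Trojanized update usually arrives).
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest authentication failed; do not trust any listed digest"]
    problems = []
    if manifest["version"] <= installed_version:
        problems.append(f"rollback: manifest version {manifest['version']} "
                        f"is not newer than installed {installed_version}")
    for name, expected in manifest["files"].items():
        data = files.get(name)
        if data is None:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected):
            problems.append(f"digest mismatch: {name}")
    for name in sorted(set(files) - set(manifest["files"])):
        problems.append(f"unlisted file in update bundle: {name}")
    return problems


# Constructed sample bundle (file contents are placeholders).
GOOD_FILES = {"app.bin": b"release 42 build", "config.json": b'{"telemetry": false}'}
MANIFEST = {"product": "example-app", "version": 42,
            "files": {n: hashlib.sha256(d).hexdigest() for n, d in GOOD_FILES.items()}}
TAG = sign_manifest(MANIFEST)

# Same manifest and tag, but the bundle was swapped in transit: the binary is
# replaced and a dropper is added. Both are caught without contacting the vendor.
TROJANIZED_FILES = dict(GOOD_FILES, **{"app.bin": b"release 42 build + implant",
                                       "helper.dll": b"dropper"})

if __name__ == "__main__":
    print("clean:", verify_update(GOOD_FILES, MANIFEST, TAG, installed_version=41))
    print("trojanized:", verify_update(TROJANIZED_FILES, MANIFEST, TAG, installed_version=41))
```

The authenticity check runs first and short-circuits, because a digest list from an unauthenticated manifest proves nothing. The rollback check matters in the same scenario: an attacker who cannot forge a manifest can still re-serve an older, validly signed release with a known vulnerability unless the client refuses to move backwards.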

In a record-setting year for zero-day vulnerabilities, Symantec research revealed that it took software companies an average of 59 days to create and roll out patches. That was up from only four days in 2013. Attackers took advantage of the delay and, in the case of Heartbleed, exploited the vulnerability within four hours.

Meanwhile, advanced attackers continued to breach networks with highly-targeted spear-phishing attacks. What makes last year particularly interesting is the precision of these attacks, which used 20% fewer emails to successfully reach their targets and incorporated more drive-by malware downloads and other web-based exploits.

Email remains a significant attack vector for cybercriminals, but they continue to experiment with new attack methods across mobile devices and social networks to reach more people, with less effort.

In a separate announcement the Department of Homeland Security, in collaboration with Interpol and the FBI, released a Technical Alert to provide further information about the Simda botnet, whose self-propagating malware has compromised more than 770,000 computers worldwide since 2009. A system infected with Simda may allow cyber criminals to harvest user credentials, including banking information; install additional malware; or carry out other malicious attacks. The breadth of infected systems allows Simda operators flexibility to load custom features tailored to individual targets.

Recommended actions to remediate Simda infections include using and maintaining anti-virus software, changing passwords (the malware harvests credentials), keeping operating system and application software up to date, and using anti-malware tools.


Henry Sapiecha

Iran Is Raising its Sophistication and Frequency of Cyberattacks, Report Suggests


WASHINGTON — In February, a year after the Las Vegas Sands was hit by a devastating cyberattack that ruined many of the computers running its casino and hotel operations, the director of national intelligence, James R. Clapper Jr., publicly told Congress what seemed obvious: Iranian hackers were behind the attack.

Sheldon G. Adelson, the billionaire chief executive of Sands, who is a major supporter of Israel and an ardent opponent of negotiating with Tehran, had suggested an approach to the Iran problem a few months before the attack that no public figure had ever uttered in front of cameras. “What I would say is: ‘Listen. You see that desert out there? I want to show you something,’ ” Mr. Adelson said at Yeshiva University in Manhattan in October 2013. He then argued for detonating an American nuclear weapon where it would not “hurt a soul,” except “rattlesnakes and scorpions or whatever,” before adding, “Then you say, ‘See, the next one is in the middle of Tehran.’ ”

Instead, Tehran directed an attack at the desert of Nevada. Now a new study of Iran’s cyberactivities, to be released by Norse, a cybersecurity firm, and the American Enterprise Institute, concludes that beyond the Sands attack, Iran has greatly increased the frequency and skill of its cyberattacks, even while negotiating with world powers over limits on its nuclear capabilities.


“Cyber gives them a usable weapon, in ways nuclear technology does not,” said Frederick W. Kagan, who directs the institute’s Critical Threats Project and is beginning a larger effort to track Iranian cyberactivity. “And it has a degree of plausible deniability that is attractive to many countries.”

Mr. Kagan argues that if sanctions against Iran are suspended under the proposed nuclear accord, Iran will be able to devote the revenue from improved oil exports to cyberweapons. But it is far from clear that that is what Iran would do.

When Mr. Clapper named Iran in the Sands attack, it was one of the few instances in which American intelligence agencies had publicly identified a specific country that they believed was using such attacks for political purposes. The first came in December, when President Obama accused North Korea of launching a cyberattack on Sony Pictures. Other United States officials have said that Iran attacked American banks in retaliation for sanctions and that it destroyed computers at the oil giant Saudi Aramco in retaliation for the close Saudi ties with the United States.

The evidence from the Norse report, along with analyses by American intelligence agencies, strongly suggests that Iran has made much greater use of cyberweapons over the past year, despite international sanctions. The attacks have mostly involved espionage, but a few, like the Sands attack, have been for destructive purposes.

In the report, to be released Friday, Norse — which, like other cybersecurity firms, has an interest in portraying a world of cyberthreats but presumably little incentive in linking them to any particular country — traced thousands of attacks against American targets to hackers inside Iran.

The report, and a similar one from Cylance, another cybersecurity firm, make clear that Iranian hackers are moving from ostentatious cyberattacks in which they deface websites or simply knock them offline to much quieter reconnaissance. In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks.

But Norse and Cylance differ on the question of whether the Iranian attacks have accelerated in recent months, or whether Tehran may be pulling back during a critical point in the nuclear negotiations.

Norse, which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods, insists that Iranian hackers have shown no signs of letting up. Between January 2014 and last month, the Norse report said, its sensors picked up a 115 percent increase in attacks launched from Iranian Internet protocol, or I.P., addresses. Norse said that its sensors had detected more than 900 attacks, on average, every day in the first half of March.

Cylance came to a different conclusion, at least for Iran’s activities in the past few months, as negotiations have come to a head. Stuart McClure, the chief executive and founder of Cylance, which has been tracking Iranian hacking groups, said that there had been a notable drop in activity over the past few months, and that the groups were now largely quiet.

American intelligence agencies also monitor the groups, but they do not publish their assessments of the activity. Classified National Intelligence Estimates over the past five years have identified Russia and China as the United States’ most sophisticated, and prolific, adversaries in cyberspace.

However, American officials have said that Iran and North Korea concern them the most, not for their sophistication, but because their attacks are aimed more at destruction, as was the case with the attack on Sony Pictures. In addition to the Sands attack last year — about which Mr. Clapper gave no detail in public — Iran has been identified as the source of the 2012 attack on Saudi Aramco, in which hackers wiped out data on 30,000 computers, replacing it with an image of a burning American flag.

American intelligence officials say Iran’s most sophisticated hackers are limited in number, but work for both front companies and the government. The officials are concerned that as destructive attacks become more frequent, the temptation will rise to launch attacks on what the government calls “critical infrastructure,” like railways, power grids or water supplies.

Cylance researchers, for example, noted that Iranian hackers were using tools to spy on and potentially shut down critical control systems and computer networks in the United States, as well as in Canada, Israel, Saudi Arabia, the United Arab Emirates and a handful of other countries. Their targets have included a network that connects Marines and civilians across the United States, as well as networks of oil companies and major airlines and airports.

Norse’s researchers also noted attacks from Iran that were directed at so-called Scada systems — short for supervisory control and data acquisition systems — like the kind that the United States and Israel attacked at Iran’s nuclear enrichment center in Natanz, using code that caused about 1,000 centrifuges to self-destruct.

That strike, often referred to as the Stuxnet attack, may have inspired the Iranians to begin a cycle of retaliation, a recently disclosed memo from Edward J. Snowden’s trove of National Security Agency documents indicates. Norse says it saw evidence that Iranian hackers probed the network of Telvent, a company now owned by Schneider Electric that designs software to allow energy companies and power grid operators to control their valves and switches from afar.

The company’s systems were breached by Chinese military hackers in 2012. Two years later, Norse said, it witnessed 62 attacks, in a span of 10 minutes, from an I.P. address in Iran on a Telvent system that provides the foundation for all of the company’s Scada infrastructure.
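Two of the figures in this article come from counting sensor hits: the 115 percent rise in events from Iranian IP addresses between two periods, and the 62 attempts in ten minutes from a single address against a Telvent system. The following is an added example of the two detections a sensor operator would run to produce such numbers, written for this page and not code from Norse, Cylance or the article; the event line format, the sample data and the threshold of 50 hits per ten minutes are constructed assumptions. The country tag, as in the article, records where the traffic egressed from, which is not the same as who is behind it; proxies and compromised hosts make source-IP geolocation a weak basis for attribution on its own.

```python
"""Sliding-window burst detection and period-over-period trend over sensor
events. Added example for this page, not Norse's or the article's code; the
line format, the constructed sample data and the thresholds are assumptions."""
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Constructed background sources (documentation-range addresses, arbitrary tags).
SOURCES = [("198.51.100.4", "CN"), ("192.0.2.9", "RU"), ("203.0.113.20", "IR")]


def parse_event(line):
    """Parse one constructed sensor line: '<ISO8601 UTC> <src_ip> <country> <service>'."""
    ts, ip, country, service = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (when, ip, country, service)


def build_sample_events():
    """Constructed data: two days of low-rate background probes from three
    sources, plus one 62-hit burst within ten minutes from a fourth address."""
    base = datetime(2015, 3, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(2 * 24 * 3):                   # one probe every 20 minutes for 48 h
        ip, cc = SOURCES[i % 3]
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {ip} {cc} ssh")
    for i in range(62):                           # 62 hits, 9 s apart: 549 s < 10 min
        ts = base + timedelta(days=1, hours=14, seconds=9 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 IR scada-ftp")
    return sorted(parse_event(line) for line in lines)   # detectors need time order


def find_bursts(events, window=timedelta(minutes=10), threshold=50):
    """Return {src_ip: peak hits in any `window`} for sources reaching `threshold`.

    One deque per source holds only the timestamps inside the current window,
    so memory is bounded by the burst size, not the log size."""
    recent, peaks = {}, Counter()
    for ts, ip, _, _ in events:
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] > window:                 # drop hits older than the window
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def daily_counts_by_country(events):
    """{country: Counter({date: hits})}; the geolocation is whatever the sensor tagged."""
    out = {}
    for ts, _, cc, _ in events:
        out.setdefault(cc, Counter())[ts.date()] += 1
    return out


def percent_change(events, country, baseline_day, compare_day):
    """Percent change in hits from `country` between two days, rounded to 0.1;
    None when the baseline is zero (a percentage would be meaningless)."""
    daily = daily_counts_by_country(events).get(country, Counter())
    old, new = daily[baseline_day], daily[compare_day]
    if old == 0:
        return None
    return round(100.0 * (new - old) / old, 1)


if __name__ == "__main__":
    ev = build_sample_events()
    d1, d2 = ev[0][0].date(), ev[-1][0].date()
    print("bursting sources:", find_bursts(ev))
    print("IR change day 1 -> day 2:", percent_change(ev, "IR", d1, d2), "%")
```

On the constructed data the single bursting address is flagged at 62 hits while the hourly background sources never come close, and the per-country daily comparison shows how one burst moves the headline percentage: the denominator is the baseline, so a quiet baseline inflates the figure, which is worth stating whenever such percentages are reported.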

“This activity,” Norse researchers wrote, “might be interpreted as an Iranian effort to establish cyberbeachheads in crucial U.S. infrastructure systems — malware that is dormant for now but would allow Iran to damage and destroy those systems if it chose to do so later.”


Henry Sapiecha

Guarding Against a ‘Cyber 9/11’


ISIS and other terrorists are more technologically sophisticated than ever.

Two years ago this week, a pair of homegrown Islamic terrorists effectively shut down the city of Boston for two days following an attack with homemade explosives that killed three people during the Boston Marathon. Now imagine the potential loss of life from a terrorist assault on a major U.S. city paired with a cyberattack launched against that city’s police, fire, emergency management, communications and transportation systems.

The Internet provides an easy, low-cost and low-risk means for nonstate actors or terrorist groups to amplify the impact of any attack. But a large-scale cyberattack on critical infrastructure could prove devastating. Whether it’s called “Cyber 9/11” or “Cyber Pearl Harbor,” senior U.S. officials, including the president, have warned of the possibility of attacks launched by foreign hackers that could cripple the country by taking down the power grid, water infrastructure, transportation networks and the financial system.

Islamic State, aka ISIS, recently released a video threatening another 9/11-magnitude attack on the U.S. Clearly well-funded, ISIS has proved to be the most sophisticated terrorist group so far when it comes to utilization of digital media for recruitment and propaganda. Last week a French television network, TV5 Monde, was digitally commandeered by hackers who cut the transmission of 11 channels and took over the station’s website and social-media accounts for 24 hours; the intrusion was claimed under an ISIS banner at the time, although French investigators later attributed it to a Russian state-linked group.

A different type of cyberattack occurred in 2007, when Russian-affiliated hackers hit Estonia. The attack consisted partly of ICMP “ping” floods, which overwhelmed servers. There were botnet attacks, which harnessed zombie computers from around the world to flood designated Internet addresses with useless, network-clogging data as part of a distributed denial-of-service (DDoS) attack. Hackers also infiltrated specific individual websites to delete content and post their own messages. Although relatively unsophisticated, these coordinated cyberattacks took down servers and websites belonging to major government and nongovernment institutions and communications networks, intermittently disrupting the country’s online services over roughly three weeks.

In a major U.S. city, a combined physical and cyber terrorist attack could result in hundreds wounded and killed. It could also impair first responders’ ability to get to the scene of the attack, and the ability of local government to communicate with the city’s population in a chaotic and confusing environment.

Some of these issues arose during al Qaeda’s 2005 suicide bombing attacks in London on three Underground trains and one bus. Cellular networks and radio channels used by emergency responders were severely congested due to the volume of traffic, resulting in delayed responses by medical and security personnel. Adding cyber-enhanced terrorism to the equation could exponentially increase the damage caused by a traditional terrorist attack.

In 2012 Congress took steps to address a long-standing recommendation from the 2004 9/11 Commission report, by mandating the development of a nationwide public-safety broadband network. Three years later, however, the network remains a work in progress.

The threat of cyber-enhanced terrorism must be addressed at the federal and local level. Although federal agencies, such as the National Security Agency, the Pentagon and the Department of Homeland Security, have primary responsibility for countering external cyberthreats, an attack on an American city would also require the mobilization of local law enforcement.

To prepare for the threat of cyber-enhanced terrorism, city governments must gain a more sophisticated understanding of the nature of cyberthreats and their various permutations and implications.

Metropolitan areas also should develop Computer Emergency Response Teams, which can coordinate the responses of local law enforcement and private industry with federal agencies. Intelligence collected at the national level should be shared with metropolitan governments. While federal to local intelligence sharing on counterterrorism has improved markedly in recent years, the sensitivity and difficulty of protecting sources and methods gleaned from cyber-intelligence collection has made this more complicated in the cyberthreat domain.

Perhaps most important, cities should increase their capacity to collect, monitor and analyze threat intelligence—in other words “connecting the dots”—before an attack occurs. The diversity and decentralization of the current terrorism threat, combined with the exponential growth in the capabilities of cyber-malefactors, makes doing so more challenging than ever.

But it is possible. For example, actionable intelligence regarding the cyberattack on Estonia—including discussions concerning preparations for the attack—was present in closed forums in the Deep Web and Dark Net in the days leading up to the attack. But that intelligence was never acted on, largely because a plan to counteract such an attack was not in place beforehand.

To successfully prevent future attacks—whether cyber-enhanced terrorism or otherwise—federal and local authorities in likely urban targets will need to increase their cyber situational awareness, preparedness and resilience. Critical to these efforts will be a commitment to the early detection and identification of warning signals from all sources, including the deepest reaches of cyberspace.

Mr. Silber is executive managing director of K2 Intelligence and former director of intelligence analysis for the New York Police Department. Mr. Garrie is the founder and editor in chief of the Journal of Law and Cyber Warfare.


Henry Sapiecha