Monthly Archives: February 2018

Iranian and Chinese hackers target Australian universities and NGOs

Cyber activity originating in China is increasing sharply despite the cyber non-aggression agreements signed with Beijing, and Iran is hunting for intellectual property.

Australian universities have been targeted by hackers with connections to Iran in recent months, and “a number of investigations” are in progress, according to cybersecurity firm CrowdStrike.

“There are a lot of things that are happening geopolitically that are driving a lot of attacks,” the company’s vice president for technology strategy Michael Sentonas told journalists in Sydney earlier this month. “There are things happening in China, in Russia, in Iran, there are things happening in North Korea, that [are] directly having an impact to all of us on the internet.”

CrowdStrike has called out this blurring of cyber tradecraft with what they’re calling “cyber statecraft” in their 2018 Global Threat Report, released on Monday.

“Obviously Iran has a specific interest in Saudi Arabia. There’s a number of diplomatic disputes. Iran, heavily embargoed, wants access to a lot of intellectual property they may not necessarily be able to get. There are groups that are linked [to Iran] and are seeking a lot of that intel,” Sentonas stated.

“There’s been quite a number of universities in Australia, over the last several months, that have been targeted, with adversaries looking to get intellectual property that would be of benefit to certain groups and government departments in Iran. We’ve been directly impacted by that, and there’s a number of investigations going on across the country.”

CrowdStrike has also seen an increase in cyber activity originating from China, even though Australia and several other western nations have, since 2015, signed what were supposedly cyber non-aggression agreements with Beijing.

“In 2017, we saw a lot of action again, activity targeted at what I would call a soft target. An NGO. A think tank,” Sentonas said.

“They’re great people to target, because you have people that were once in government. You have academics. You have people researching economic policy. They’re working on defence projects. They are in technology and medical advancement. That would be interesting to a particular group or country that maybe doesn’t want to do that research. Or if you’re a think tank that is working on, for example, Chinese economic policy, what if you want to know what that think tank is researching?”

The Russian cyber actor Fancy Bear, which was active in the lead-up to the US election in 2016, has also been busy.

“That group is continuing to be very, very active, and they are looking at essentially destabilising our democratic institutional legitimacy. They are trying to do misdirection etc,” Sentonas said.

The rise of such cyber disinformation was predicted in the second half of 2016 by David Irvine, former director-general of the Australian Security Intelligence Organisation (ASIO) and former head of the Australian Secret Intelligence Service (ASIS).

CrowdStrike reports that ransomware will continue to be a major trend for nation-state and criminal actors. They also point to a cyber trickle-down effect.

“These techniques are recycled. Once they’ve been used once, they do get used again, and they get shared, and it adds complexity for the average organisation around the world,” Sentonas said.



Henry Sapiecha

The online certificate security issue & the parties involved

Google is angry. Each time Google is enraged, Chrome, the market leader among browsers, is readied for war. This time, it’s about certificates, a cornerstone of the Internet and data security. With the upcoming versions 66 (scheduled for April) and 70 (October), Google seeks to make the web more secure – and tries to settle a few scores in the process.

Read on to learn why many sites will soon be flagged as “insecure” and disappear from the top search results!

Google is trying to make the web a safer place, perhaps out of self-interest to some degree (i.e. product maintenance) but also because there’s a real need for tighter security. Since the Internet is international and decentralized, there is no single regulatory body. That’s why, every now and then, companies team up with states to effect change, or IT giants (in this case: Google) use their dominance to shove things through on their own initiative. First, sites without HTTPS encryption will come under fire. HTTPS encryption is essential to exchange data securely.

Without encryption, anything sent through the Internet is readable as plain text by anyone with access to the network path – a perfect opportunity for man-in-the-middle attacks. HTTPS lets web servers and clients establish an encrypted connection that an eavesdropper cannot read and, because the server has to present a certificate issued for its domain by a certificate authority the browser trusts, gives users reasonable assurance that the site they visit is authentic. Chrome indicates this with a padlock symbol next to the URL in the address bar. Clicking the lock reveals additional details about the certificate and its owner.

In the past, HTTPS certificates were something of a status symbol, used only by large online stores, banks and government institutions while everyone else could only hope for the best. Certificates were expensive and hard to set up, which is why smaller sites either shunned the effort or simply couldn’t afford it. Over the past few years, HTTPS certificates have dropped in price and certificate authorities like Let’s Encrypt now issue them for free. Does that mean all is OK?

Not quite, since around a third of sites either can’t or won’t participate. Some web hosts only accept expensive certificates issued by commercial providers – maybe because they don’t want to fall out of favor with them. In other cases, site operators simply have no motivation to use HTTPS, and I can understand that as long as those sites are run by private individuals. Anyway, Google has now begun to tighten the reins. Sites that do not use HTTPS will soon be marked “Not secure” in Chrome, which may scare off a few users. Firefox will join the effort starting with version 60 and other browser developers will likely follow suit. And as if that wasn’t enough, affected sites will also be downranked in Google’s search results, and we all know that no-one ever looks past page 1 of those results!
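For a site operator who wants to get out of the “Not secure” bucket, serving HTTPS is only half the job: plain-HTTP requests still have to be sent to the HTTPS version of the page, and browsers should be told to stop trying HTTP at all. The following is an added example written for this article, not code from the original page or from Google or Mozilla; it is a small WSGI wrapper that redirects plain-HTTP requests and adds an HSTS header to HTTPS responses. The host names, paths and the demo application are constructed for illustration.

```python
"""Added example: redirect plain HTTP to HTTPS and set HSTS on HTTPS responses.
Hosts, paths and the application behind the wrapper are constructed samples."""
from urllib.parse import quote

# Assumption: the host names this site legitimately answers for. Redirecting
# to whatever the client put in the Host header would make this an open
# redirect, so any other host gets a 400 instead of a Location header.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_https(environ):
    """True if the request reached us over TLS.

    Behind a TLS-terminating proxy the WSGI scheme is 'http', so we also
    honour X-Forwarded-Proto. Only do that when the proxy is the sole way in;
    otherwise a client can set the header itself and skip the redirect."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_url(environ):
    """Build the HTTPS URL for the same host, path and query, or None."""
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return None
    path = quote(environ.get("PATH_INFO", "/") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def require_https(app):
    """Wrap a WSGI app: plain-HTTP requests are redirected, HTTPS responses
    get the HSTS header."""
    def wrapped(environ, start_response):
        if not is_https(environ):
            target = https_url(environ)
            if target is None:
                start_response("400 Bad Request", [("Content-Type", "text/plain")])
                return [b"unknown host\n"]
            # 301 so browsers and search engines update their records.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # RFC 6797: browsers ignore HSTS received over plain HTTP, so the
            # header is only useful (and only sent) on the HTTPS side.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(HSTS_HEADER)
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def call(app, environ):
    """Run one request through a WSGI app; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


secure_app = require_https(demo_app)

if __name__ == "__main__":
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com",
             "PATH_INFO": "/shop", "QUERY_STRING": "item=42"}
    print(call(secure_app, plain))
    print(call(secure_app, dict(plain, **{"wsgi.url_scheme": "https"})))
```

Two details matter more than the redirect itself: the HSTS header is only emitted on HTTPS responses, because browsers discard it over plain HTTP, and the redirect target is built from an allow-list of host names rather than the raw Host header, so the wrapper cannot be turned into an open redirect.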

In this light, the clash between Google and Symantec feels almost personal. It can be said objectively that Symantec’s record in issuing certificates has been poor. Back in 2015, when three certificates were made out in Google’s name without Google’s knowledge, Symantec already received a sharp rebuke. In 2017, Google then accused Symantec of having incorrectly issued over 30,000 certificates without proper verification of the applicants. Others received certificates for domains they didn’t own. Imagine what criminals could do with a certificate issued in the name of a bank or a big online store!

Again, this erosion of trust will carry dire consequences. As of April 17, Chrome 66 will display a warning for certificates issued by Symantec before June 2016 and tell users that their connection is not secure and open to interception. If this happened to an online store, it would be a disaster. In October, Chrome 70 extends the distrust to all remaining certificates issued from Symantec’s old infrastructure. It is reasonable to assume that search rankings will be adjusted accordingly, resulting in further downranking. Many big names, Tesla among them, are already directly or indirectly affected.
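The practical question for an operator is whether their own certificate falls on the wrong side of those two dates. The following is an added example written for this article, not code from Google, Symantec or the original page: it classifies a site’s leaf certificate against the Chrome 66 / Chrome 70 schedule using the dictionary that Python’s `ssl.SSLSocket.getpeercert()` returns. The sample certificates are constructed for illustration, and matching the issuer organisation name against the Symantec brands is an assumption, a heuristic that will need a manual check rather than a verdict in edge cases.

```python
"""Added example: classify a leaf certificate against Chrome's Symantec
distrust schedule. Sample certificates below are constructed, and the
issuer-name matching is a heuristic assumption, not Chrome's actual logic
(Chrome checks the chain against a list of legacy Symantec root keys)."""
import socket
import ssl
from datetime import datetime, timezone

# Dates from Google's published distrust plan.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)   # Chrome 66, April 2018
NEW_PKI_START = datetime(2017, 12, 1, tzinfo=timezone.utc)    # DigiCert-run replacement PKI

# Assumption (heuristic): organisation names seen in the issuer field of
# intermediates that chain to the legacy Symantec roots.
LEGACY_ORGS = {"symantec corporation", "geotrust inc.", "thawte, inc.", "verisign, inc."}


def issuer_org(cert):
    """Pull organizationName out of getpeercert()'s nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return ""


def not_before(cert):
    """notBefore as an aware UTC datetime (getpeercert gives '%b %d %H:%M:%S %Y GMT')."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)


def chrome_distrust(cert):
    """Return the Chrome release (66 or 70) that first refuses this
    certificate, or None if it is not affected by the Symantec distrust."""
    if issuer_org(cert).lower() not in LEGACY_ORGS:
        return None
    issued = not_before(cert)
    if issued >= NEW_PKI_START:
        # From 1 Dec 2017 the Symantec brands issue from DigiCert-operated CAs
        # that chain to DigiCert roots, which are not distrusted. A legacy
        # organisation name with such a date deserves a manual look, not a verdict.
        return None
    if issued < CHROME66_CUTOFF:
        return 66
    return 70


def fetch_peercert(host, port=443, timeout=5):
    """Live check (needs network): fetch and return the leaf certificate of host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() layout.
SAMPLE_OLD_SYMANTEC = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Symantec Corporation"),),
               (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
    "notBefore": "Mar  3 00:00:00 2016 GMT",
    "notAfter": "Mar  3 23:59:59 2018 GMT",
}
SAMPLE_2017_GEOTRUST = {
    "issuer": ((("organizationName", "GeoTrust Inc."),), (("commonName", "RapidSSL SHA256 CA"),)),
    "notBefore": "Sep 10 00:00:00 2017 GMT",
    "notAfter": "Sep 10 23:59:59 2018 GMT",
}
SAMPLE_OTHER_CA = {
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "Let's Encrypt Authority X3"),)),
    "notBefore": "Feb  1 00:00:00 2018 GMT",
    "notAfter": "May  2 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    samples = [("old Symantec", SAMPLE_OLD_SYMANTEC), ("2017 GeoTrust", SAMPLE_2017_GEOTRUST),
               ("other CA", SAMPLE_OTHER_CA)]
    for label, cert in samples:
        print(label, "->", chrome_distrust(cert))
    # chrome_distrust(fetch_peercert("www.example.com")) checks a live site.
```

The two thresholds are the whole story: anything chaining to the legacy Symantec roots and issued before 1 June 2016 breaks in Chrome 66, everything else on those roots breaks in Chrome 70, and certificates issued from the DigiCert-operated replacement PKI after 1 December 2017 are unaffected. Note that `getpeercert()` only returns the certificate once validation succeeds, so for a site whose chain is already rejected by the local trust store the function raises rather than returning a dictionary to classify.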

As always on the Internet, reactions are mixed. One side praises Google for their security work and accuses Symantec of bringing the “holy grail” of online certificates into disrepute (Whom can you trust once HTTPS is no longer secure?) while others see Google crossing the line. They argue that Google is trying to distract from their own problems like various data security issues in their products. And anyway, who made Google a law unto itself? Yes, they have considerable grunt in the market place but does this give them the right to put millions of web sites at a disadvantage and to harm a company like Symantec with over 11,000 employees? Does the end justify the means in this case?

Henry Sapiecha

How to become a great spy agency in the 21st century: Incubate startups..!!

What happens when a top-secret intelligence agency turns to entrepreneurs to help build new tools to protect a nation from cyberattacks? Here is what it looks like.

Intelligence agencies are good at finding out and keeping secrets, and at working patiently in the shadows. Startups are good at promoting themselves and at moving fast and breaking things in the race to build the next big technology. It’s hard to think of two mindsets that are further apart.

However, in a world of constantly evolving cybersecurity threats, Britain’s GCHQ spy agency decided to open a startup accelerator to bridge the gap between the two: to see whether, by being a little more open, it could help the private sector build tools to prevent the cyberattacks of the future.

Britain’s Government Communications Headquarters (GCHQ) has a century-long history of helping to protect the country from threats, both international and domestic.

Although it wouldn’t be known as GCHQ for decades to come, its work began during World War I, when a number of intercept stations were established to capture and decrypt messages sent by Germany and its allies. Its most famous success came in early 1917, when analysts intercepted and decrypted a telegram from the German foreign minister Arthur Zimmermann which revealed that Germany planned to reward Mexico with US territory if it joined the war on Germany’s side. The release of the message was one of the factors that brought the United States’ firepower into the war.

During World War II, the organisation, then called the Government Code and Cypher School (GC&CS), was located at Bletchley Park where it tirelessly undertook to decrypt Hitler’s “unbreakable” ciphers—work credited with shortening the war significantly.


Following the war and having outgrown its previous site, GC&CS was renamed GCHQ. Its headquarters were moved just outside of Cheltenham, Gloucestershire, in the west of England, where it remains today.

It now has 6,000 staff and an annual budget of £2.6bn, while still being tasked to keep Britain safe from a variety of threats including terrorism, serious crime, espionage, and cyberattacks, as well as providing support to law enforcement and the military when required.

But its work is not without controversy. In 2013, the documents leaked by whistleblower Edward Snowden revealed GCHQ’s access to PRISM, the US National Security Agency’s programme for collecting data from major internet companies, as well as GCHQ’s own bulk interception of internet and telephone traffic passing through the UK.

But while the agency is best known for snooping, it also has a secondary role in providing security advice.

“We’re a security organisation. If you drive past us you see a lot of razor wire and that can sometimes create an internal, introverted culture,” said Chris Ensor, deputy director of cyber skills and growth at the National Cyber Security Centre (also known as NCSC, the cybersecurity arm of GCHQ).

“For the last 100 years, GCHQ has had an intelligence mission and a security mission. It’s the intelligence which is portrayed in the news or in films like James Bond and we’re always the spy centre. But actually we’ve had a security mission for a long, long time,” said Ensor.

Threats to national security evolve over time and today cyberattacks are considered to be among the biggest risks to the country—alongside terrorism, espionage, and weapons of mass destruction.

That means GCHQ’s security mission has extended to protecting the UK from cyberattacks and hackers, particularly those targeting critical national infrastructure. Indeed, the NCSC was set up to tackle cyberthreats, replacing three separate cybersecurity organisations: the Centre for Cyber Assessment, Computer Emergency Response Team UK (CERT-UK), and CESG, GCHQ’s information security arm.