Category Archives: CYBER ATTACKS

Telstra launches Sydney cybersecurity centre Australia

Telstra now has security operations centres live in Sydney, Melbourne, and Canberra, and is also launching its learning initiative to help businesses educate staff members on cybersecurity.

Telstra’s Sydney SOC

(Image: Corinne Reichert/ZDNet)

Telstra has launched its Sydney-based cybersecurity centre, with the telecommunications provider also announcing a new “secure internet initiative”.

With the latest security operations centre (SOC) officially open for customers from Thursday, Telstra now has centres live in Sydney, Melbourne, and Canberra ahead of launching more across the globe, Telstra CEO Andy Penn told ZDNet.

“There will be more [centres] in the next year or two,” the chief executive told ZDNet during the Sydney SOC launch on Thursday afternoon.

“The thing to bear in mind, though, is that they’re virtual; this centre is virtually connected to the centre in Melbourne, and every future centre that we’ll have will be virtually connected as well, plus they’ll have 24/7 capabilities.

“So in that sense, these centres once established have the capacity to service thousands of customers and as our business grows — particularly internationally with our submarine cable network where we have about 400,000 kilometres of submarine cable network where we’re doing all the data transmission services for international customers — we’ll build out more centres as that demand requires, but we certainly have plans for a small number of extra centres internationally.”

According to Penn, Telstra’s position as Australia’s largest telecommunications service provider gives it the responsibility and obligation of delivering services that will protect its customers domestically and globally.

“Today, we’re announcing a new initiative that will add significantly to our existing capabilities … it is the creation of a new network of security operations centres,” he said.

“These centres support our global network of more than 500 cybersecurity experts, and will uniquely position Telstra to better monitor, detect, and respond to security incidents for all of our customers. The security operations centres will provide enterprise customers with access to our world-class security teams and increase visibility and insight for managing their business cyber risk.”

Telstra built the security centres to an Australian Security and Intelligence Organisation (ASIO) T4 standard, with all cables colour coded and physically separated according to what level of intelligence is carried across them, and the centre’s entry guarded by a time-sensitive airlock equipped with biometric security including facial recognition, gait recognition, and a retina scanner that can read from up to 10 metres away.

Under the T4 security standard, audio and video cannot be recorded inside the SOCs, and all mobile devices are required to be locked away prior to entering the centre.

The Sydney centre took seven months to build, with Telstra saying it took “an agile approach to both software and facilities”. In this regard, Telstra used open-source project Apache Metron, around which it built managed services applications and capabilities in order to remove the cost of developing commercial software, which it said meant more money spent on analysts.

Telstra’s SOC management platform is run on Microsoft Azure, with the centres also utilising the capabilities of software development company Readify and advanced security analytics technology Cognevo, both of which were acquired by Telstra last year.

“The future of security is machine intelligence coupled with human expertise,” Penn said.

“With the volumes of data we are seeing today driven by technology innovation, it is impossible to see the patterns and trends without machine learning. These new centres and our dynamic security offerings give us exactly this capability.”

Available 24/7, the Sydney and Melbourne centres “have the ability to aggregate data in a central point where it can be analysed for hostile intent”, Penn explained. The two SOCs are identical, with each housing 14 analysts at all times to support thousands of customers.

If one centre has an outage, services can be immediately switched over to the other, Telstra said.

While Penn would not disclose how much the centre is worth, he said it is “a fair bit bigger” than Optus’ AU$7 million centre unveiled last year.

Telstra additionally announced the establishment of a learning and development program to increase knowledge of cybersafety within organisations.

“Cybersecurity is a team sport,” Penn said, adding that Telstra fully supports the federal government’s cybersecurity strategy.

“The security operations centres and the secure internet initiatives reinforce Telstra’s commitment to working with the government and industry to create a cybersecure Australia.”

Minister Assisting the Prime Minister for Cyber Security Dan Tehan welcomed the arrival of Telstra’s new SOC, saying it demonstrates that as a telco provider, Telstra is “incredibly well placed” for dealing with cybersecurity.

“Cyber risk is there and it’s growing — we’re seeing cyber espionage, we’re seeing cybercrime, and we’re seeing hacktivism,” Tehan said during the SOC launch in Sydney, adding that there needs to be a “whole-of-community approach” to dealing with it.


Tehan said the Australian cybersecurity centre’s unclassified-level stage one is “nearly ready” to be online, with the entire centre aiming to be fully operational next year.

The federal government has been moving towards a greater focus on cybersecurity, with Prime Minister Malcolm Turnbull initially pledging AU$30 million through to 2019-20 in December 2015 as part of the government’s AU$1.1 billion National Science and Innovation Agenda to establish the Cyber Security Growth Centre.

The government announced in November that it would be launching the AU$4.5 million Academic Centres of Cyber Security Excellence with the aim of improving Australia’s cybersecurity through education and research, with Turnbull and Tehan receiving cyber defence education at the Australian Signals Directorate.

The government in February also pledged AU$1.9 million to universities delivering specialised cybersecurity training in a bid to combat the skills shortage in cyber-related fields.

During the 2017 Federal Budget, the government further pledged AU$10.7 million over four years to establish the Cyber Security Advisory Office (CSAO) to work with government agencies to manage cyber and digital risks and vulnerabilities to “provide strengthened central governance and assurance for cybersecurity and broader project vulnerability across government”.

Having launched its own managed security services earlier this year, Penn last week told ZDNet during Telstra’s FY17 financial results call that Telstra has “deep” skills in cyber.

“We’ve got deep, deep, deep skills in cyber because of our own need to protect our networks, but also we provide a very significant dynamic service for our enterprise customers, and this is really a significant investment in really building that service for our enterprise customers,” Penn told ZDNet.

The chief executive also told ZDNet that Telstra will likely upgrade its existing SOC in Canberra.

Henry Sapiecha

Telstra launching cybersecurity centres internationally

Telstra is utilising its ‘deep, deep skills in cyber’ by launching security operations centres in Sydney, Melbourne, and across the globe, as well as likely upgrading its existing facility in Canberra.

Telstra will be opening cybersecurity centres internationally following the launch of its security operations centres (SOCs) in Sydney and Melbourne over the next few weeks, CEO Andy Penn has announced.

Speaking during Telstra’s FY17 financial results call, Penn said Australia’s incumbent telecommunications provider is currently looking at locations for international SOCs, but would not disclose the sites.

However, he added that the two new Australian centres will be launching “very soon … in the coming weeks”.

“There’s no doubt that large enterprises and even smaller enterprises today are becoming increasingly concerned by cybersecurity risks that they face,” Penn told ZDNet.

“There’s virtually no technology innovation that’s happening today that isn’t intended to be connected. That means it’s across a network, and what’s critical is those innovations and that technology is protected from a cyber perspective.

“We’ve got deep, deep, deep skills in cyber because of our own need to protect our networks, but also we provide a very significant dynamic service for our enterprise customers, and this is really a significant investment in really building that service for our enterprise customers.”

Penn told ZDNet that Telstra will also likely upgrade its existing SOC in Canberra.

“We have a dynamic product offering which is integrated with some of the best data analytics globally and the best access to data globally, so that’s actually the fundamental offering, and then the security operations themselves actually enable ourselves on behalf of our customers, or our customers, to monitor 24/7 effectively the cyber activity on their networks,” Penn told ZDNet.

“You need the data analytics and you need the artificial intelligence and the machine learning capabilities to process what’s actually happening deeply at the network level, and you need the sensors deep within the network, and that’s the dynamic security offering that is already launched. We’ve already got customers on that who are very pleased with that offering, and then we’re supporting that with the security operations centres.”

Penn said Telstra has the “smartest” network in Australia, with the telco currently also upgrading its fibre-optic network to allow for terabit capacity.

“We have commenced the rollout of our next-gen optical fibre and transmission network; Tasmania was the first state to benefit from this upgrade,” the chief executive said.

“This will increase Telstra’s network capacity to 1 terabit per second, and has already done so on each of Telstra’s two subsea cables running across the Bass Strait. We’re already rolling this out to the rest of the country, and there is future potential to increase the capacity to 100 terabits per second.”

In addition, Penn spruiked the company’s Cat-M1 Internet of Things (IoT) network, built in conjunction with Ericsson and switched on earlier this month on the 4GX network.

“Cat-M1 will give us the platform for the significant growth we expect to see in IoT,” Penn said.

Telstra currently has more than 8,600 mobile towers, 5,000 telephone exchanges, 200,000 switches and routers, 240,000km of optical fibre cable, and 400,000km of submarine cable.

Telstra TV 2

Penn also announced the launch of the Telstra TV 2, saying that Telstra remains “committed to Foxtel” despite its dropping revenue and is in discussions with co-owner News Corp on how best to structure and arrange Foxtel in future.

“We’re about to dial it up again,” Penn said, detailing that the Telstra TV 2 will include all streaming and catch-up TV services along with a linked mobile app, making it “a real Australian first”.

“Access to the best content is critically important to us as demand for media continues to grow. At the same time, the media market is changing with new participants and increased competition,” Telstra added.

Telstra’s media revenue grew by 8.2 percent to AU$935 million thanks to uptake of both the Telstra TV and “Foxtel from Telstra”. Foxtel from Telstra made AU$777 million in revenue, growing by 8.1 percent due to 57,000 additional subscribers, and there are now 827,000 Telstra TV devices in the market.

Underpinning Telstra’s SOCs is its suite of managed security services announced in March and launched in July, Penn said, in addition to the company’s 500 “cybersecurity experts”.

The Telstra TV originally launched in October 2015.

WannaCry researcher denies in court that he created banking malware

The security researcher recently rose to fame for curbing the spread of the WannaCry ransomware

A security researcher who helped curb a global outbreak of the WannaCry ransomware earlier this year has told a court he is not guilty of charges of allegedly creating a notorious banking malware.

Marcus Hutchins, 22, said he was not guilty during a hearing at a Las Vegas court after he was arrested and detained earlier this week.

The news was confirmed by his attorney Adrian Lobo, speaking on Facebook Live to local reporter Christy Wilcox, at the court house.

Hutchins was granted bail on a bond of $30,000 during a hearing at a Las Vegas court.

But he will “not be released today lawyers says could not get bail in time,” according to Wilcox in a tweet.

He will not be allowed access to devices with an internet connection, said Wilcox, and he will be tagged to be monitored at all times.

Hutchins, also known as @MalwareTechBlog, stormed to fame earlier this year after he found a kill switch in the malware, known as WannaCry, amid a global epidemic of ransomware in May.

By registering a domain found in the code, he stopped the spread of the malware.

The Justice Department announced Thursday that it was charging Hutchins with malicious activity, unrelated to the WannaCry cyberattack.

The security researcher, a British native, was arrested shortly before boarding a flight home. He had been attending the Def Con security conference late last month. He was briefly detained in a federal detention facility in Nevada, then later questioned by the FBI at its field office in Las Vegas.

Hutchins was later indicted, along with an unnamed defendant, on six charges relating to allegations that he created the Kronos malware, a trojan that can steal banking usernames and passwords from victims’ computers.

He was also charged with five other counts, including wiretapping — thought to relate to the interception of passwords — and violating the controversial Computer Fraud and Abuse Act, which serves as the basis of US hacking laws.

Hutchins will appear at a court in Wisconsin, where the case was filed, on August 8.

Developing… more soon.

Global cyber-attack: Security blogger halts ransomware ‘by accident’


A UK security researcher has told the BBC how he “accidentally” halted the spread of the malicious ransomware that has affected hundreds of organisations, including the UK’s NHS.

The 22-year-old man, known by the pseudonym MalwareTech, had taken a week off work, but decided to investigate the ransomware after hearing about the global cyber-attack.

He managed to bring the spread to a halt when he found what appeared to be a “kill switch” in the rogue software’s code.

“It was actually partly accidental,” he told the BBC, after spending the night investigating. “I have not slept a wink.”

Although his discovery did not repair the damage done by the ransomware, it did stop it spreading to new computers, and he has been hailed an “accidental hero”.

“I would say that’s correct,” he told the BBC.


“The attention has been slightly overwhelming. The boss gave me another week off to make up for this train-wreck of a vacation.”

What exactly did he discover?

The researcher first noticed that the malware was trying to contact a specific web address every time it infected a new computer.

But the web address it was trying to contact – a long jumble of letters – had not been registered.

MalwareTech decided to register it, and bought it for $10.69 (£8). Owning it would let him see where computers were accessing it from, and give him an idea of how widespread the ransomware was.

By doing so, he unexpectedly triggered part of the ransomware’s code that told it to stop spreading.


This type of code is known as a “kill switch”, which some attackers use to halt the spread of their software if things get out of hand.

He tested his discovery and was delighted when he managed to trigger the ransomware on demand.

“Now you probably can’t picture a grown man jumping around with the excitement of having just been ‘ransomwared’, but this was me,” he said in a blog post.

MalwareTech now thinks the code was originally designed to thwart researchers trying to investigate the ransomware, but it backfired by letting them remotely disable it.
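The sinkhole side of the story above, as an added example that is not part of the original article or the researcher's own tooling: once the defender owns the beacon domain, the web server's access log becomes a census of infected machines. The domain, addresses and log lines below are constructed placeholders, and the beacon shape (a plain GET for the site root) is an assumption, not a claim about any real sample.

```python
"""Sinkhole telemetry: gauging the spread of a worm from hits on a domain
the defender registered.

Added example; not code from the article or from the researcher. It assumes
the defender now owns the formerly unregistered beacon domain and has the web
server's access log in combined format with the Host header appended. The
domain, addresses and log lines are constructed placeholders, and "a GET for /"
is the assumed beacon shape.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

KILL_SWITCH_HOST = "killswitch-domain.example"  # placeholder, not the real domain

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)

# Constructed sample: four infected hosts beaconing (one of them twice), a
# favicon fetch from a human's browser, and a crawler hitting robots.txt.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2017:15:03:11 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0" killswitch-domain.example
203.0.113.11 - - [12/May/2017:15:03:14 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0" killswitch-domain.example
203.0.113.10 - - [12/May/2017:15:04:02 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0" killswitch-domain.example
198.51.100.7 - - [12/May/2017:15:05:40 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0" killswitch-domain.example
198.51.100.7 - - [12/May/2017:15:06:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0)" killswitch-domain.example
192.0.2.200 - - [12/May/2017:16:10:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Googlebot/2.1" killswitch-domain.example
192.0.2.55 - - [12/May/2017:16:12:30 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/4.0" killswitch-domain.example
"""


def parse_line(line):
    """Return the fields we need as a dict, or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_beacon(rec):
    """Assumed beacon shape: a plain GET for the root of the sinkholed host.
    Browsers and crawlers also fetch favicon.ico / robots.txt; those are noise."""
    return (rec["host"] == KILL_SWITCH_HOST
            and rec["method"] == "GET"
            and rec["path"] == "/")


def summarize(log_text):
    """Unique infected sources, their /24 networks and beacons per hour."""
    hosts = set()
    per_hour = Counter()
    events = skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_beacon(rec):
            skipped += 1
            continue
        events += 1
        hosts.add(ipaddress.ip_address(rec["ip"]))
        per_hour[rec["when"].strftime("%Y-%m-%d %H:00")] += 1
    # Unique hosts per /24 (sample is IPv4 only; adjust the prefix for IPv6).
    per_network = Counter(str(ipaddress.ip_network(f"{h}/24", strict=False)) for h in hosts)
    return {
        "unique_hosts": len(hosts),
        "beacon_events": events,
        "per_network": dict(per_network),
        "per_hour": dict(sorted(per_hour.items())),
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Unique source addresses undercount hosts behind NAT and overcount hosts on dynamic addresses; the per-hour series is what shows whether propagation is still accelerating after the domain went live.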

Does this mean the ransomware is defeated?

While the registration of the web address appears to have stopped one strain of the ransomware spreading from device-to-device, it does not repair computers that are already infected.

Security experts have also warned that new variants of the malware that ignore the “kill switch” will appear.

“This variant shouldn’t be spreading any further, however there’ll almost certainly be copycats,” said security researcher Troy Hunt in a blog post.

MalwareTech warned: “We have stopped this one, but there will be another one coming and it will not be stoppable by us.

“There’s a lot of money in this, there is no reason for them to stop. It’s not much effort for them to change the code and start over.”


Massive international cyber attack hits computers across Europe, Asia and Russia

London: A huge cyber attack struck computers across Europe and Asia on Friday, crippling health services and closing emergency rooms in Britain.

The attack involved ransomware, a kind of malware that encrypts data and locks out the user. According to security experts, it exploited a vulnerability that was discovered and developed by the National Security Agency (NSA) in the US.

The hacking tool was leaked by a group calling itself the Shadow Brokers, which has been dumping stolen NSA hacking tools online since the beginning of last year. Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets – particularly hospitals – had yet to update their systems.

The malware was circulated by email; targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets.

Employees of Britain’s National Health Service (NHS) were warned about the ransomware threat early on Friday, but by then it was too late.

As the disruptions rippled through hospitals, doctors’ offices and ambulance services across Britain, the NHS declared the attack a “major incident” and patients were asked to only seek assistance for serious medical emergencies.

Hospitals and telecommunications companies across Europe, Russia and Asia were affected, according to MalwareHunterTeam, a security firm that tracks ransomware attacks.

Spain’s Telefonica and Russia’s MegaFon were among the telecommunications targets.

Attacks were being reported in Britain and 11 other countries, including Turkey, Vietnam, the Philippines and Japan, with the majority of affected computers in Russia. The computers all appeared to be hit with the same ransomware, and similar ransom messages demanding about $US300 to unlock their data.

The attack on the NHS seemed perhaps the most audacious of the attacks, because it had life-or-death implications for hospitals and ambulance services.

Tom Donnelly, a spokesman for NHS Digital, the arm of the health service that handles cybersecurity, said in a phone interview that 16 organisations, including “hospitals and other kinds of clinician services,” had been hit. Officials later updated that number to at least 25.

Hospitals and doctors’ surgeries were forced to turn away patients and cancel appointments as the attack crippled computer systems.

The Spanish government said a large number of companies, including telecommunications giant Telefonica, had been infected. Portugal Telecom was also hit but no services were impacted, a spokeswoman for the company said.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from the National Cryptology Centre of “a massive ransomware attack.” It said hackers used a version of a virus known as WannaCry that targets Microsoft Corp’s widely used Windows operating system.

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

Reuters


Ransomware: These four industries are attacked the most frequently.

Ransomware is a threat to all sectors — but these are the ones most under attack, states a new study

A ransomware attack against any business could be potentially devastating, but there are some sectors which are more at risk from file-encrypting attacks than others, as cybercriminals prey on industries which can’t afford to not have access to their networks.

Ransomware has boomed over the last 18 months, growing from an annoyance which targeted home PC users with moderate ransom demands, to a billion-dollar industry, with cybercriminals holding high-profile or deep-pocketed targets to ransom for tens of thousands of dollars.

While some cybercriminals might be attempting to compromise any organisation possible with a generic attack, professional threat actors will create specially tailored attacks in order to make them look as authentic as possible — even by making the message look like it comes from a colleague.

Ransomware is most often delivered via a phishing email, which arguably provides an explanation as to why NTT Security’s Global Threat Intelligence Report lists business and professional services as the sector most likely to be targeted by ransomware.

Given that opening financial spreadsheets, job applications, and other email attachments is at the very heart of this modern sector, it makes sense that over a quarter of ransomware attacks (28 percent) were directed at business and professional services firms over the course of a year.

Meanwhile, 19 percent of ransomware attacks were targeted at government and government agencies. Healthcare is the next highest-profile target for cybercriminals, accounting for 15 percent of attacks. It was a ransomware attack against an LA hospital which infamously highlighted the problem, taking the network offline for days until the hospital paid a $17,000 Bitcoin ransom.

Ransomware attacks against the retail industry account for a further 15 percent of all incidents. All other industries make up the remaining 23 percent, according to the NTT Security report.

Ransomware has become one of the biggest menaces on the web. This ZDNet guide contains everything you need to know about it: how it started, why it’s booming, how to protect against it, and what to do if your PC suffers an attack.


Lawyers and insurers set for data breach payday

Soon, in Australia, Europe, and the UK, organisations that suffer a data breach must be able to show that they’d taken reasonable steps to prevent it. Time is running out.

Australia’s mandatory data breach notification laws come into force in February 2018. Europe’s General Data Protection Regulation (GDPR), which also requires breach notification, becomes law in May 2018. Brexit or not, the UK will also have to comply.

“[GDPR] will continue to apply to all businesses exporting goods or services into the European Single Market, regardless of any future legal and regulatory settlement reached by the UK with the EU,” wrote Peter Wright, managing director of DigitalLawUK, and chair of the UK Law Society’s Technology and Law Reference Group.

So where are we all up to here?

My reading is that we only have hints as to what’s required, and that we won’t really know until the lawyers get to work.

Wright has some security advice for UK law firms that really should be standard practice everywhere.

“Make sure that whatever medium you are using to either store or transmit personal data — in particular, data relating to your clients — is secure and encrypted,” he wrote.

Wright warns against “free cloud-based systems like Dropbox or Google Drive to communicate with clients or receive confidential data” because they’re not encrypted, but that’s no longer the case. Both Dropbox and Google Drive now encrypt customer data at rest, as does Apple’s iCloud.

But Wright’s general point about using unencrypted file sharing services stands. “You are effectively in legal and regulatory breach by using them for client-related activity as their servers are based in the cloud and most likely in the United States,” he wrote. And of course encrypted file storage is irrelevant if a user’s credentials are compromised through a phish.

Wright’s final observation is, to my mind, the most frightening.

“If firms have already not begun work on achieving compliance with the GDPR, they will find it impossible to achieve full compliance by May 2018. At this point, it’s a matter of working out how uncompliant you wish to be. You will have to cherry pick what you can and cannot afford to comply with, and put the rest in place as quickly as possible,” he wrote.

UK and European organisations still have an entire year to get compliant with their new laws. Australian organisations, somewhat less, although it could be argued that compliance with Australia’s laws would be easier. But is that really the case?

Australia’s Privacy Act says that the steps taken to protect personal information must be “reasonable in the circumstances”, but there haven’t been enough real-world cases to understand what that might mean.

Well how about the standard set by the Australian Signals Directorate (ASD) with its Essential Eight Strategies to Mitigate Cyber Security Incidents, released in February?

“The eight mitigation strategies with an ‘essential’ effectiveness rating are so effective at mitigating targeted cyber intrusions and ransomware, that ASD considers them to be the cyber security baseline for all organisations,” the ASD wrote.

The Essential Eight includes measures that we know many organisations don’t implement: application whitelisting; getting rid of Adobe Flash; installing ad blockers; disabling untrusted Microsoft Office macros; multi-factor authentication; or even securely-stored daily backups.

If experts like the ASD consider all these to be “baseline”, wouldn’t a lawyer argue that failing to implement the Essential Eight is failing to take “reasonable steps”? I guess it depends on “the circumstances”, right?

I’ve previously written that once we see the first data breaches being disclosed, the lawyers will follow. What I didn’t consider was the insurance industry.

Cyber insurance is already the fastest-growing sector of the insurance market, according to Nick Abrahams, a partner with law firm Norton Rose Fulbright, and their APAC technology practice leader. Counter-intuitively, better insurance cover means that the lawyers are far more likely to swoop in for the kill.

“We know that the class-action law firms are looking at cyber as their next big opportunity,” Abrahams told the InnovationAus.com conference Cyber Security — the Leadership Imperative 2017 in Sydney last week.

“If there’s 100,000 people impacted [by a data breach], or a million people, and they can all be awarded $1000 or $2000, that’s a class action,” he said.

“The US has a massive amount of class actions in relation to privacy breaches, and the reason those class actions occur is because people know that there is insurance there to back it up,” Abrahams said. He expects a “steep rise” in litigation.

While it’s fast-growing, the cyber insurance industry is “quite immature”, especially in Australia, and “all the policies are completely different”, according to Andrew Bycroft, chief executive officer of The Security Artist.

“It’s not even like comparing apples and oranges, it’s like comparing apples and dogs,” Bycroft told the same conference.

“A lot of the insurers are actually taking on a lot of unnecessary risk. For example, they wouldn’t provide home and contents insurance for people who have houses with no doors, but what I’ve seen them doing is actually offering policies to organisations which are pretty poor in terms of their resilience capabilities.”

Bycroft says that insurers might want to work with potential customers to improve their security posture before selling them insurance.

Craig Davies, chief executive officer of the new Australian Cyber Security Growth Network (ACSGN), wasn’t exactly thrilled with that suggestion.

“A marketplace driven by insurers can only be fantastic,” Davies told the conference, to nervous audience laughter. “If I had no ethics I’d certainly invest in buying insurance and selling insurance for cyber right now. You could make a fortune.”

Yes, there’s plenty of money to be made, by insurers, by lawyers, and by the cybersecurity industry that cleans up the mess. Or, ideally, fixes things before there’s a mess to clean up.

Somewhere in there, we might even manage to better protect people’s personal information.


New cybersecurity inquiry launched


The Joint Committee of Public Accounts and Audit has launched an inquiry into Cybersecurity Compliance as part of its examination of Auditor-General reports. The Committee’s inquiry is based on the 2016-17 Auditor-General Report No. 42 Cybersecurity Follow-up Audit.

Committee Chair, Senator Dean Smith, said that, as Parliament’s joint public administration committee, the JCPAA has an important role in holding Commonwealth agencies to account.

“Cybersecurity is integral to protect Government systems and secure the continued delivery of Government business. Government entities are required to implement mitigation strategies to reduce the risk of cyber intrusions. The Committee is continuing its oversight of entities’ compliance with the mandated strategies with the launch of this Inquiry,” Senator Smith said.

The JCPAA is a central committee of the Parliament and has the power to initiate its own inquiries on the Commonwealth public sector. The Committee examines all reports of the Auditor-General tabled in the Parliament and can inquire into any items, matters or circumstances connected with these reports.

The Committee invites submissions to the inquiry by Thursday 27 April 2017, addressing the terms of reference. Further information about the inquiry can be accessed via the Committee’s website.

Media enquiries:
Chair, Senator Dean Smith, Joint Committee of Public Accounts and Audit
(08) 9481 0349 (Electorate office)
(02) 6277 3707 (Parliament House)

Background:
Committee Secretariat
(02) 6277 4615
jcpaa@aph.gov.au

Interested members of the public may wish to track the committee via the website. Click on the blue ‘Track Committee’ button in the bottom right hand corner and use the forms to login to My Parliament or to register for a My Parliament account.

Media release issue date: 7 April 2017

SPP


Machine learning can also aid the cyber enemy, says NSA research chief

Smart cyber adversaries are starting to turn machine learning algorithms against the defence. But adversaries could be frustrated by deliberate cyber deception.


Machine learning is one of the biggest buzzwords in cybersecurity in 2017. But a sufficiently smart adversary can exploit what the machine learning algorithm does, and reduce the quality of decision-making.

“The concern about this is that one might find that an adversary is able to control, in a big-data environment, enough of that data that they can feed you in misdirection,” said Dr Deborah Frincke, head of the Research Directorate (RD) of the US National Security Agency/Central Security Service (NSA/CSS).

Adversarial machine learning, as Frincke called it, is “a thing that we’re starting to see emerge, a bit, in the wild”. It’s a path that we might reasonably believe will continue, she said.

As one example, an organisation may decide to use machine learning to develop a so-called “sense of self” of its own networks, and build a self-healing capability on top of that. But what if an attacker gets inside the network or perhaps was even inside the network before the machine learning process started?

“Their behaviour now becomes part of the norm. So in a sense, then, what I’m doing is that I’m protecting the insider. That’s a problem,” Frincke said.

“What’s also interesting in the data science, is that if you are using a data-driven algorithm, [that algorithm] is what feeds the machine learning technique that you disseminate. Unless you keep that original data, you are not going to know what biases you built into your machine learning approach.

“You would have no way of that needle in the haystack, because you threw away the haystack, and all that’s left are the weightings and the neural networks and so on.”
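The "protecting the insider" problem described above can be shown with a toy anomaly detector. The following is an added example, not code from the article or from the NSA Research Directorate: it learns a per-fleet "sense of self" as a mean and standard deviation of daily outbound traffic, once from a clean window and once from a window in which an insider's host was already exfiltrating. The host telemetry values are constructed sample numbers, and the `baseline_drift` check is an assumed mitigation that follows Frincke's advice to keep the original training data so that a learned baseline can be compared against it.

```python
"""Added example: a pre-existing insider becomes part of the learned baseline.

Not from the article or the NSA; all telemetry values are constructed.
"""
from statistics import mean, pstdev

# Constructed sample data: daily outbound megabytes for a hypothetical fleet.
CLEAN_WINDOW = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46]
# The same window as seen by a hypothetical insider's host that was already
# exfiltrating before the baseline was learned (constructed values).
INSIDER_WINDOW = [300, 320, 310, 290, 305, 315, 295, 300, 310, 305]


def fit_baseline(samples):
    """Learn the 'sense of self' as a (mean, population std-dev) pair."""
    return mean(samples), pstdev(samples)


def is_anomalous(value, baseline, threshold=3.0):
    """Flag a value more than `threshold` standard deviations from the mean."""
    mu, sigma = baseline
    if sigma == 0:
        return value != mu
    return abs(value - mu) / sigma > threshold


def baseline_drift(reference_samples, learned_baseline, threshold=3.0):
    """Assumed mitigation: compare a newly learned baseline against retained
    reference data. True means the learned mean lies outside the reference
    distribution, i.e. the training window was probably contaminated."""
    ref_mu, ref_sigma = fit_baseline(reference_samples)
    learned_mu, _ = learned_baseline
    if ref_sigma == 0:
        return learned_mu != ref_mu
    return abs(learned_mu - ref_mu) / ref_sigma > threshold


def demo():
    """Return what each baseline says about one day of insider-sized traffic."""
    clean = fit_baseline(CLEAN_WINDOW)
    poisoned = fit_baseline(CLEAN_WINDOW + INSIDER_WINDOW)
    probe = 300  # one day of insider-sized outbound volume
    return {
        "flagged_with_clean_baseline": is_anomalous(probe, clean),
        "flagged_with_poisoned_baseline": is_anomalous(probe, poisoned),
        "poisoned_baseline_drifted": baseline_drift(CLEAN_WINDOW, poisoned),
        "clean_baseline_drifted": baseline_drift(CLEAN_WINDOW, clean),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the clean baseline the 300 MB day is flagged; with the contaminated baseline the mean has moved to about 173 MB and the spread has grown so much that the same day looks normal. The drift check only works because the clean reference window was retained, which is exactly the "haystack" Frincke warns against throwing away.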

Machine learning has other limitations too.

In 2016, for example, Monash University professor Tom Drummond pointed out that neural networks, one of the fundamental approaches to machine learning, can be led astray unless they’re told why they’re wrong.

The classic example of this problem dates back to the 1980s. Neil Fraser tells the story in his article Neural Network Follies from 1998.

The Pentagon was trying to teach a neural network to spot possible threats, such as an enemy tank hiding behind a tree. They trained the neural network with a set of photographs of tanks hiding behind trees, and another set of photographs of trees but no tanks.

But when asked to apply this knowledge, the system failed dismally.

“Eventually someone noticed that in the original set of 200 photos, all the images with tanks had been taken on a cloudy day, while all the images without tanks had been taken on a sunny day,” Fraser wrote.

“The military was now the proud owner of a multi-million dollar mainframe computer that could tell you if it was sunny or not.”

Frincke was speaking at the Australian Cyber Security Centre (ACSC) conference in Canberra on Wednesday. While she did point out the limits of machine learning, she also outlined some defensive strategies that the NSA has found to be effective.

Organisations can tip the cybersecurity balance of power more in their favour by learning to deceive or hide from the adversary, for example.

By its very nature, network defence is asymmetric. That imbalance is usually expressed as the defender having to close off every security vulnerability, while the attacker only has to be right once.

“On the face of it there should be something we should be able to do about that. You’d think there’d be some home-court advantage,” Frincke said.

Traditionally, organisations have tried to make their data systems as efficient as possible. It makes the network more manageable. But from an attacker’s point of view, it’s easy to predict what’s going on in any given system at any given time.

Taking a defensive deception approach, however, means building an excess capacity, and then finding ways to leverage that excess capacity to design in a deceptive or a changing approach. That way, an attacker can’t really tell where the data is.

If you process data in the cloud, then one simple example might be to duplicate your data across many more nodes than you’d normally use, and switch between them.

“If you’re trying to do an integrity attack, changing that data out from under me, you don’t know which of, say, those hundred nodes I’m using. Or I might be looking at a subset of those nodes, say three, and you don’t know which ones I’m using. So you could try to change them all at once [but] that’s a lot harder,” Frincke said.

The RD’s research has shown that this approach increases the attacker’s cognitive load and plays on their cognitive biases.

“We can try to lead them into making wrong decisions. In other words, we’re frustrating them. We’re trying to make them work too hard, to gain ground that they don’t need. And that will make it easier for us to find them,” Frincke said.

“It’s a little bit like the old honeypot [or] honeynet writ large, but designed into the system as an integral part of the way that it works, and not an add-on.”

The downside to defensive deception is that it’s harder to manage.

“Now I have to do more work as a system manager, and as a pro designer, I need to be sure I know which one of those three of the hundred I should use, otherwise I could end up shooting myself in the foot, especially if I’ve [been] deploying some kind of misleading changes for the adversary,” Frincke said.
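The replica-hiding scheme Frincke describes, and its management cost, can be put in numbers. The following is an added example that is not from the article or the NSA: the defender keeps `n_replicas` copies of a record but only reads from a small secret subset, and an attacker who does not know the subset tampers with `m_tampered` copies. The combinatorial functions give the chance that the tampering lands entirely on the live subset (defeating a cross-check between live replicas) and the chance that it touches at least one live replica (where a cross-check notices). The `read_with_crosscheck` function is an assumed defender-side check that also compares the live replicas against a digest recorded at write time; the record, replica count and index choices are constructed values.

```python
"""Added example: defensive deception by hiding which replicas are live.

Not from the article or the NSA; record contents and indices are constructed.
"""
from math import comb
import hashlib


def p_attacker_corrupts_all_live(n_replicas, k_live, m_tampered):
    """Probability that all k live replicas fall inside the attacker's m
    tampered ones, when the live subset is chosen uniformly at random and
    is unknown to the attacker. This is what defeats a replica cross-check."""
    if m_tampered < k_live:
        return 0.0
    return comb(m_tampered, k_live) / comb(n_replicas, k_live)


def p_tamper_touches_live(n_replicas, k_live, m_tampered):
    """Probability that at least one live replica was tampered with, so a
    cross-check between live replicas sees a disagreement."""
    if m_tampered > n_replicas - k_live:
        return 1.0
    return 1 - comb(n_replicas - m_tampered, k_live) / comb(n_replicas, k_live)


def digest(data: bytes) -> str:
    """Digest recorded at write time (assumed defender-side bookkeeping)."""
    return hashlib.sha256(data).hexdigest()


def read_with_crosscheck(replicas, live_indices, expected_digest):
    """Read from the secret live subset. Returns (value, ok); ok is False when
    the live replicas disagree with each other or with the recorded digest."""
    values = [replicas[i] for i in live_indices]
    if len(set(values)) != 1 or digest(values[0]) != expected_digest:
        return None, False
    return values[0], True


def demo():
    """Constructed scenario: 100 replicas, 3 live, attacker tampers with 10."""
    record = b"balance=100"
    n = 100
    replicas = [record] * n
    live = [7, 42, 91]  # defender's secret live subset (constructed choice)
    recorded = digest(record)

    # Attacker guesses wrong and tampers with replicas 0..9, one of which (7)
    # happens to be live, so the cross-check disagrees.
    partly_tampered = list(replicas)
    for i in range(10):
        partly_tampered[i] = b"balance=999999"

    # Attacker changes every replica consistently: the cross-check passes but
    # the retained digest still catches it.
    all_tampered = [b"balance=999999"] * n

    return {
        "clean_read_ok": read_with_crosscheck(replicas, live, recorded)[1],
        "partly_tampered_read_ok": read_with_crosscheck(partly_tampered, live, recorded)[1],
        "all_tampered_read_ok": read_with_crosscheck(all_tampered, live, recorded)[1],
        "p_defeat_crosscheck_10_of_100": p_attacker_corrupts_all_live(n, 3, 10),
        "p_crosscheck_detects_10_of_100": p_tamper_touches_live(n, 3, 10),
        "p_defeat_crosscheck_100_of_100": p_attacker_corrupts_all_live(n, 3, 100),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Tampering with 10 of 100 replicas defeats the cross-check less than 0.1 percent of the time and is noticed by it about 27 percent of the time; changing all 100 at once is the "a lot harder" case, and a digest kept outside the replica set still exposes it. The price is the bookkeeping the defender must get right: the `live` list is the "which one of those three of the hundred" that Frincke says the system manager now has to track.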

Henry Sapiecha

RUSSIAN HACKERS BUSY WITH ATTACKS ON THE NEW YORK TIMES & OTHER USA TARGETS

The sun peeks over the New York Times Building in New York August 14, 2013. REUTERS/Brendan McDermid

The New York Times said on Tuesday its Moscow bureau was targeted by a cyber attack this month but that there was no evidence the hackers, believed to be Russian, were successful.

“We are constantly monitoring our systems with the latest available intelligence and tools,” Times spokeswoman Eileen Murphy told the newspaper. “We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised.”

Earlier on Tuesday, CNN, citing unnamed U.S. officials, reported that the Federal Bureau of Investigation and other U.S. security agencies were investigating cyber breaches targeting reporters at the Times and other U.S. news organizations that were thought to have been carried out by hackers working for Russian intelligence.

“Investigators so far believe that Russian intelligence is likely behind the attacks and that Russian hackers are targeting news organizations as part of a broader series of hacks that also have focused on Democratic Party organizations, the officials said,” CNN reported.

The FBI declined a Reuters’ request for comment. Representatives for the U.S. Secret Service, which has a role in protecting the country from cyber crime, did not reply to a request for comment.

A government official briefed on the inquiry told the Times the FBI was looking into the attempted cyber attack but was not carrying out similar investigations at other news organizations.

The Times had not hired outside firms to investigate the attempted intrusion, contrary to the CNN report, Murphy said.

News of the cyber attack comes amid a wave of similar attacks targeting major U.S. political parties that have surfaced in recent weeks ahead of the Nov. 8 presidential election.

The Democratic National Committee, Democratic presidential nominee Hillary Clinton’s campaign and the party’s congressional fundraising committee have all been affected.

Hackers have also targeted the computer systems of Republican presidential nominee Donald Trump and Republican Party organizations, sources have told Reuters.

A breach at the Times would not be the first time foreign hackers infiltrated a news organization. Media are frequently targeted in order to glean insights into U.S. policies or to spy on journalists.

In 2013, a group of hackers known as the Syrian Electronic Army attacked the Times and other media outlets. Chinese attackers also infiltrated the Times that year.

(Reporting by Dustin Volz, John Walcott, Mohammad Zargham and Eric Walsh in Washington, and Jessica Toonkel in New York; Writing by Susan Heavey and Eric Walsh; Editing by Frances Kerry and Peter Cooney)

Henry Sapiecha