Category Archives: GROUPS CLUBS ASSOC.

IBM to set up cyber centre in Canberra

Led by a former federal police assistant commissioner, the new centre is intended to bring together business and government to tackle security issues.


IBM has announced that it will create a National Cyber Security Centre (NCSC) in Canberra, to be headed by Kevin Zuccato, a former Australian Federal Police assistant commissioner and head of the Australian High Tech Crime Centre.

The company said the NCSC would give members access to IBM’s threat-sharing platform, used by more than 2,000 businesses around the world, provide emergency response teams for security incidents, and partner with its Australian Security Development Lab on the Gold Coast.

“With the establishment of the IBM National Cyber Security Centre in Canberra, we will provide a destination for government and organisations to proactively collaborate on strategy and policy,” said Kerry Purcell, IBM ANZ managing director. “The NCSC will drive a culture of innovation and openness, essential if we are to tackle this growing issue for every organisation.”

IBM did not specify the timing of the centre’s opening, nor the number of employees it would have.

The new centre will align with the federal government’s cyber strategy, IBM said, and will look to support both government and business in improving information security capabilities.

Announced in April, the AU$240 million Cyber Security Strategy had as its centrepiece the sharing of threat information between business and government, using the existing Australian Cyber Security Centre (ACSC) and new portals in capital cities.

As part of the package, the government said it would create two new roles: Minister assisting the prime minister on cyber security, and special adviser on cyber security within the Department of Prime Minister and Cabinet — the latter of which was filled by former e-safety commissioner Alastair MacGibbon.

In its Defence White Paper, launched in February, the Australian government said it would spend between AU$300 million and AU$400 million over the decade to the 2025-26 financial year on its Cyber Security Capability Improvement program.


Henry Sapiecha


Wendy’s Says More Than 1,000 of its Restaurants Affected by Hackers


Wendy’s says hackers were able to steal customers’ credit and debit card information at 1,025 of its U.S. restaurants, far more than it originally thought.

The hamburger chain says hackers were able to access card numbers, names, expiration dates and codes on the cards. Some customers’ cards were used to make fraudulent purchases at other stores.

In May, it said malware was found in fewer than 300 restaurants starting in the fall of 2015. About a month later, it said two types of malware were found and the number of restaurants affected was “considerably higher.”

There are more than 5,700 U.S. Wendy’s restaurants.

Wendy’s said Thursday it would post a list of affected restaurants on its website. As of Thursday morning, the list wasn’t posted because of “technical difficulties.”


Henry Sapiecha

Dozens of government agencies request access to citizen metadata without warrants


Nearly all the agencies which accessed citizens’ private information in the past have applied for continued access. Photo: Louise Kennerley

Nearly all of the government agencies which last year snooped on citizens’ phone and internet records without warrants have reapplied to access the data following the introduction of legislation which was meant to reduce the scope of access.

Sixty-one non-law enforcement federal and state agencies, including organisations such as Australia Post and Sydney’s Bankstown City Council, have applied to access citizens’ metadata for pursuing criminal activity or protecting public revenue.

The telecommunications data may include information such as phone numbers and addresses of people who called each other, or email addresses and the times messages were sent.


Attorney-General George Brandis has yet to decide which agencies may have access to telecommunications metadata.

By comparison, the latest official government report on metadata access, covering a period before new mandatory data retention legislation came into effect in October last year, showed 69 agencies accessed metadata. At that time they were automatically authorised to access this data, however following the legislation, non-law enforcement agencies must now apply directly to federal Attorney-General George Brandis for temporary approval to access metadata for up to 40 parliamentary sitting days.

No warrant is required to access the data.

A spokesperson for the Attorney-General’s department said Mr Brandis had not yet granted temporary metadata access to any of the agencies that requested it.

The list of agencies was revealed in a Freedom of Information request filed by former Electronic Frontiers Australia vice chair Geordie Guy, and released to the public on Monday.

More agencies may have requested metadata access since Mr Guy’s FOI request was filed in November last year.

Digital rights group Electronic Frontiers Australia has called on Mr Brandis to reject most of the agencies’ applications.

EFA executive director Jon Lawrence said “only two or three” agencies would have legitimate reasons to access the private information.

“If the Attorney-General is serious about the integrity of his legislation and about protecting the civil liberties of all Australians, then he must act swiftly to reject the majority of these applications,” Mr Lawrence said.

In previous years local city councils have come under fire for using information gleaned from residents’ metadata to chase small-time infringers and recoup fines.

Melbourne’s Knox City Council last year accessed call charge records, and name and address details, to prosecute people who damaged property or were guilty of cruelty against animals or illegal signage, a council spokesperson said.

Bankstown City Council in Sydney appears to be the only council so far to have reapplied for access under the new regime.

A Bankstown spokesperson previously told Fairfax media the council used data to catch residents who dumped waste illegally. The agency made 13 information requests in the year to June 2015.

EFA’s Mr Lawrence said such matters were “hardly a national security issue” which might have justified its access to private information.

Other government agencies which have reapplied to access private communication records include Australia Post — which made 625 information requests last year — state racing bodies, the RSPCA and the Tax Office.

Australia Post has previously said that it requests phone records from telecommunication companies so it can chase people who steal phones or SIM cards from its stores, or pursue people who make “serious threats” to staff or engage in corruption and fraud.

The frequency of metadata requests from non-law enforcement agencies grew 9 per cent last year.

Below is the full list of agencies that applied for access to the data, except for four that were redacted in the FOI documents as their disclosure would be “contrary to the public interest”.

1. Australian Financial Security Authority, Commonwealth
2. Australian Health Practitioner Regulation Agency (AHPRA), Commonwealth
3. Australian Postal Corporation, Commonwealth
4. Australian Taxation Office, Commonwealth
5. Australian Transaction Reports and Analysis Centre, Commonwealth
6. Civil Aviation Safety Authority (CASA), Commonwealth
7. Clean Energy Regulator, Commonwealth
8. Department of Agriculture, Commonwealth
9. Department of Defence (ADFIS and IGD), Commonwealth
10. Department of the Environment, Commonwealth
11. Department of Foreign Affairs and Trade, Commonwealth
12. Department of Health, Commonwealth
13. Department of Human Services, Commonwealth
14. Department of Social Services, Commonwealth
15. Fair Work Building and Construction, Commonwealth
16. National Measurement Institute, Commonwealth
17. ACT Revenue Office, ACT
18. Access Canberra (Department of Treasury and Economic Development), ACT
19. Bankstown City Council, NSW
20. Consumer Affairs, VIC
21. Consumer, Building and Occupational Services (Consumer Affairs and Fair Trading – Department of Justice), TAS
22. Consumer and Business Services, SA
23. Department of Agriculture, Fisheries and Forestry, QLD
24. Department of Commerce, WA
25. Department of Corrective Services, WA
26. Department of Environment and Heritage Protection, QLD
27. Department of Economic Development, Jobs, Transport & Resources (Fisheries), VIC
28. Department of Environment, Land, Water and Planning, VIC
29. Department of Environment Regulation, WA
30. Department of Fisheries, WA
31. Department of Justice and Regulation (Consumer Affairs), VIC
32. Department of Justice and Regulation (Sheriff of Victoria), VIC
33. Department of Mines and Petroleum, WA
34. Department of Primary Industries (Fisheries), NSW
35. Environment Protection Authority, SA
36. Greyhound Racing Victoria, VIC
37. Harness Racing New South Wales, NSW
38. Health Care Complaints Commission, NSW
39. Legal Services Board, VIC
40. NSW Environment Protection Authority, NSW
41. NSW Fair Trading, NSW
42. Office of Environment & Heritage, NSW
43. Office of Fair Trading (Department of Justice And Attorney-General Office of the Director General), QLD
44. Office of State Revenue, NSW
45. Office of State Revenue, QLD
46. Office of the Racing Integrity Commissioner, VIC
47. Primary Industries and Regions South Australia (PIRSA), SA
48. Queensland Building and Construction Commission, QLD
49. Racing and Wagering Western Australia, WA
50. Racing NSW, NSW
51. Racing Queensland, QLD
52. Roads and Maritime Services NSW, NSW
53. Royal Society for the Prevention of Cruelty to Animals (RSPCA), VIC
54. State Revenue Office, VIC
55. Taxi Services Commission, VIC
56. RevenueSA, SA
57. Victorian WorkSafe Authority, VIC


Henry Sapiecha

Ghosts in the machine: the real hackers hiding behind the cliches of TalkTalk and Mr Robot

This week’s tabloid headlines about the teenager who allegedly broke into TalkTalk’s website invoked the usual formula: reclusive, antisocial, young, male. But hackers are more complicated than that – and the people pursuing them say the stereotype is a problem

Hackers are usually portrayed either as shadowy criminal masterminds, or little more than digital vandals.

The portrait of the hacker as an antisocial, lonesome deviant is pervasive and seemingly indelible. This week, for example, the British tabloids rounded on a child who has been arrested in connection with the hacking of telecommunications provider TalkTalk’s porous servers in order to access customers’ personal data. The Daily Mail’s front page referred to him as “a baby-faced loner who rarely leaves his bedroom”. The Sun described the boy, who lives on a council estate with his single mother in Ballymena, Northern Ireland, and who suffers from learning disabilities and attention deficit hyperactivity disorder, as “reclusive”. He is, they continued, an avid player of video games, as if such a detail distinguishes this particular teenager from any other. The Mirror quoted a neighbour who described the boy as “quiet and shy”. He was often seen, she added, with a skateboard, although there was no mention whether or not his baseball cap was worn in the style of Bart Simpson: anarchically askew.

There are two common stereotypes of the young, usually male, hacker. They are seen either as a shadowy criminal mastermind, able to sift hidden information for gold or, in the case of the teenagers who manage to take the websites of multinational corporations offline for a few hours, little more than digital vandals. As portrayed in the media, the alleged hacker from Ballymena straddles both stereotypes, with added ghost notes to do with class and poverty. He is an undesirable but, unlike the hooligans who throw stones at windows, also possesses arcane skill (at least in the eyes of those without a basic computer science education). The detail of his alleged crime is illegible to all but the cognoscenti. As such, he is presented as a deviant wunderkind, simultaneously astute and base, accomplished yet also somehow pitiful. A second teenager has now been arrested in west London; it will be interesting to see how his character is represented in the days to come.

These cliches have been strengthened and propagated by fictional representations of hackers. Jurassic Park’s Dennis T Nedry is the overweight, sweat-prone, moral-free computer scientist who disables security systems in order to smuggle dinosaur embryos out of the titular park in a hollowed can of shaving foam. His surname is a barely scrambled anagram of “nerdy”. Boris Grishenko, the bespectacled Russian hacker from GoldenEye, is a misogynistic narcissist who is both cowardly and conceited (he dies, pleasingly, in a shower of liquid nitrogen, which hits moments after he declares: “I am invincible!”). Lisbeth Salander, protagonist of Stieg Larsson’s The Girl with the Dragon Tattoo, may be a more contemporary class of elite hacker – lithe, attractive, leather-clad – but the get-up merely disguises a more familiar stereotype: she is highly introverted and struggles to make friends. Another character in the book describes Salander, variously, as “paranoid”, “obsessive” and “psychotic”. She subsists on pizza and fizzy pop. Now Mr Robot, a wildly successful new US drama, follows Elliot Alderson, a brilliant young hacker drawn into an anarchist movement. Elliot is lovable, but he’s also delusional, depressed, addicted to drugs, and beset with social anxiety disorder.

According to Ian Reynolds, a hacker turned security consultant who now works fortifying corporations and governments against the threat of cyber attack, these stereotypes are antiquated and unhelpful. “The common misconception that computer hackers are just spotty-faced teenagers working out of their bedrooms over their parents’ broadband connection is largely inaccurate,” he says. “In reality there is a far wider variety of people and personality types that are attracted to computer hacking. There is no blueprint. With ‘social engineering’ hacks, for example, the ideal personality is an outgoing, impressionable individual who is able to trick people into performing a task or divulging usernames or passwords. Introverts are much less likely to succeed in these styles of attack as they lack the confidence or social skills required.” Corey Nachreiner, chief technology officer at WatchGuard Technologies, which helps combat malicious online attacks, agrees. “Regardless of whether you’re talking about hackers in the positive sense – many non-criminal security researchers may identify with the term – or you’re talking about criminals, the stereotype is totally outdated and misleading,” he says.

The data supports the claim. According to research carried out by the online payments company Jumio in 2013, 43% of criminal hackers are aged between 35 and 50 years old. Only 8% of criminal hackers are under 18. Almost a quarter of criminal hackers are women, and almost half of all criminal hacking traffic originates from Asian-Pacific countries, the majority from Indonesia (14% of all cybercrime, compared to 19% from the US, a country many times its size). Criminal hackers usually do not work alone but are, in Jumio’s term, “fully fledged businesses”, with executives, middle managers and workers. “Even though there are some criminals who fit the stereotypical profile of a hacker, it underestimates the extent and organisation of the wider fraud and cybercriminal syndicates,” says Jumio’s Marc Barach. “Cybercrime is big business, populated by highly intelligent and hardworking people who often times excel at their jobs. If they applied their skills to legal pursuits, they’d probably be amazingly successful.”

Both Reynolds and Nachreiner are eager to distinguish between so-called “script kiddies” – mischief-making teenagers who download distributed denial of service (DDoS) tools and use them to send a vast amount of fake traffic to a particular website in order to cause its servers to fail and go offline – and skilled computer hackers. “Fifteen years ago, it may have been true that many of the internet hacking ‘pranks’ or nuisance malware was created by egotistical script kiddies,” says Nachreiner. “Many of them may have fit the profile of awkward, socially inept loners with strong technical skills. Today, however, the hacker profiles are much more diverse.” Nachreiner says that you need only spend a few minutes roaming the halls of Def Con, the world’s largest hacker convention, which is held annually in Las Vegas, to witness the diversity of people who adopt the label. “You’ll find everyone from guys in trench coats with blue hair, to old greybeards in their 60s, to polished, dynamic professionals.”

The term “hacker” was not coined to describe one particular type of person. Its first documented use in relation to computers was in 1955, when it was recorded in the minutes of a meeting of the Massachusetts Institute of Technology (MIT)’s seminal computing group, the Tech Model Railroad Club. They used it to mean “messing about with machines”. Its definition was formalised four years later by club member Peter R Samson, who, in his TMRC dictionary, defined the word as “something done without constructive end” or, deliciously, “an entropy booster”.

Writing in 2005, Samson claimed that, in those early years, the word “hacking” was neutral, with no suggestion of malice or benevolence. He cites, as one of the earliest examples of a hack, a group project to find a way to play music on one of the university’s room-sized computers. By 1975 the word “hacker”, which was now in widespread usage, was defined in the Jargon File, a glossary for computer programmers, as “a person who enjoys exploring the details of programmable systems and how to stretch their capabilities”. This was, the definition stated, distinguishable from most computer users, who “prefer to learn only the minimum necessary”.

Jargon File’s definition is, according to Timo Gnambs, a researcher for the Leibniz Institute for Educational Trajectories, a more accurate description of the hacker mentality than the contemporary stereotype. Gnambs recently published a study in the Journal of Research in Personality, in which he trawled data from 19 previous studies, involving nearly 1,700 people, in order to examine correlations between programming talent and personality type. While he found a strong association between introversion and programming skill, he also saw firm links between intelligence, conscientiousness and, in stark contrast to the cliches, “openness” – a person’s degree of creativity and intellectual curiosity. There was, he found, no link between a person’s agreeableness or neuroticism and their skill as a hacker.

“According to prevalent stereotypes, computer programmers are supposed to lack interpersonal skills, and are frequently characterised as socially inhibited individuals that are single-mindedly focused on computers,” Gnambs says. “My study showed that personality traits that, according to the stereotypes, are typical for programmers, do not differentiate able from less-able programmers. In other words, particularly disagreeable programmers do not create better code.”

Delusional, paranoid, narcissistic, moral-free … screen hackers (from left) Elliot Alderson, Lisbeth Salander, Boris Grishenko and Dennis Nedry in Jurassic Park.

While there may not be a blueprint for a typical hacker, according to Reynolds, the common denominator is that computer hacking in its purest form attracts highly technical, creative people. “They must get a kick out of taking a non-standard approach to gaining access to a website or environment – circumventing the layer of security that is designed to keep people out,” he says. It’s this puzzle element to hacking – the need for lateral thinking, problem solving, even outsmarting an adversary – that inspired Pete Herzog to co-found Hacker Highschool in 2002, an educational programme that seeks to “capture the fun and magic of hacking”.

Herzog worked with La Salle University in Barcelona to design 12 lessons for teenagers, designed to teach security skills, and ran the course as summer classes, teaching children a foundation in network security, alongside values of respect and empathy. In 2010 Herzog and his team rewrote the lessons, removing the teacher from the equation so, as he puts it, the students “could teach themselves, like real hackers”. The course has proved hugely popular. On average, lessons are downloaded a quarter of a million times every month, in 10 languages.

There is a big difference between teenagers who experiment with, say, breaking into a telecommunication company network, and organised criminal hackers, says Herzog. “Long-term criminal hackers do it for a living,” he adds. “But most teens who commit illegal criminal acts do it as part of a power struggle, something we all go through. They’re lashing out. Some teens punch, some scream, some have sex and some shoplift. In most cases we assign the behaviour as teenage angst and get them help. With hacking, however, they’re tried as criminals and often go to jail.” Herzog likens his course to boxing clubs, which aim to turn teenage frustration and anger into discipline and passion through sport. “We need to stop punishing teens for carrying out cyber attacks because they got angry at someone. Right now, if a teen hacks into a web server and deletes data, they will likely serve a longer, tougher sentence than if they broke into the server room, knocked out a few employees and set the web server on fire. What does that tell you? That doesn’t create fewer hackers. It just turns more hackers into criminals.”

Many criminal hackers, especially the kind who, in their younger years, staged attacks against corporations out of frustration, have been able to turn their expertise into gainful employment in the way that Herzog hopes his course will encourage. Kevin Mitnick, who calls himself “the world’s most famous hacker”, was certainly one of the most notorious. Prior to his arrest in North Carolina in 1995, he was the FBI’s most-wanted outlaw, after hacking into computers belonging to companies such as Motorola, Nokia and Sun Microsystems. He spent five years in prison, including eight months in solitary confinement, because a federal judge believed, preposterously, that he could “whistle tones into a phone and launch a nuclear missile”.

Now 51, Mitnick runs a successful and profitable company where he and his team attempt to break into corporations by any means necessary, in order to expose security flaws (work that’s known, alluringly, as “penetration testing” in the business) – much the same thing he did as a criminal hacker. GCHQ reportedly hires many ex-criminal hackers, and the idea of the programming wunderkind who is caught by the authorities then cajoled into working for them has become a recurrent motif in drama. The more notorious the hacker, the more likely they are to be hired. In 2011, the 21-year-old hacker George Hotz, who “unlocked” Apple’s iPhone and Sony’s PlayStation 3 console to run unauthorised software, was hired by Facebook weeks after he settled a lawsuit with Sony. “Knowledge is power, and a reformed criminal knows the industry far better than someone who has never been there and done it,” says Barach. Herzog goes further. “You wouldn’t hire a policeman who’s never thrown a punch or a fireman who’s never set a fire either. So why would you want to hire a security professional who’s never hacked?”

Some blame for the way hackers are routinely viewed as a monolithic group can be ascribed to the hackers themselves, who often labour, not only under a mask of anonymity, but also one of uniformity. Members of Anonymous, one of the largest collectives of hackers in the world, are known for wearing identical Guy Fawkes masks, the design taken from the graphic novel V for Vendetta. But behind the masks, there’s diversity. “Many of the larger, more well-known hacking groups have people from all backgrounds and walks of life,” says Reynolds. “Usually it’s a variety of people united over a common cause.” That cause can be politically motivated, vigilantism, crime or, in the case of state-sponsored hackers, even patriotism. “We should spend much more time profiling the motive of different threat actors rather than the psychologies,” says Nachreiner. “You’ll often find multiple members of the same threat-actor group to all have slightly different psychologies, but a shared motive.”

The stereotype will, however, endure as long as people need a bogeyman they can visualise trying to steal their data. The image of a rotund, washed-up journalist hacking celebrities’ phones for News International doesn’t have the same potency as the hooded, indoorsy miscreant, neither for headline- nor Hollywood writers. “Hacking is the closest thing the general public knows to be an unknown, unexplained power that some people possess, like modern magic,” says Herzog. “So, of course, there will be witch-hunts for those who wield that power. We can’t fight that. But we can teach young hackers humility and empathy.”

Henry Sapiecha