Category Archives: SECURITY

New cybersecurity inquiry launched


The Joint Committee of Public Accounts and Audit has launched an inquiry into Cybersecurity Compliance as part of its examination of Auditor-General reports. The Committee’s inquiry is based on the 2016-17 Auditor-General Report No. 42 Cybersecurity Follow-up Audit.

Committee Chair, Senator Dean Smith, said that, as Parliament’s joint public administration committee, the JCPAA has an important role in holding Commonwealth agencies to account.

“Cybersecurity is integral to protect Government systems and secure the continued delivery of Government business. Government entities are required to implement mitigation strategies to reduce the risk of cyber intrusions. The Committee is continuing its oversight of entities’ compliance with the mandated strategies with the launch of this Inquiry,” Senator Smith said.

The JCPAA is a central committee of the Parliament and has the power to initiate its own inquiries on the Commonwealth public sector. The Committee examines all reports of the Auditor-General tabled in the Parliament and can inquire into any items, matters or circumstances connected with these reports.

The Committee invites submissions to the inquiry by Thursday 27 April 2017, addressing the terms of reference. Further information about the inquiry can be accessed via the Committee’s website.

Media enquiries:
Chair, Senator Dean Smith, Joint Committee of Public Accounts and Audit
(08) 9481 0349 (Electorate office)
(02) 6277 3707 (Parliament House)

Committee Secretariat
(02) 6277 4615

Interested members of the public may wish to track the committee via the website. Click on the blue ‘Track Committee’ button in the bottom right hand corner and use the forms to login to My Parliament or to register for a My Parliament account.

Media release issue date: 7 April 2017


Henry Sapiecha

Machine learning can also aid the cyber enemy: Says NSA research chief

Smart cyber adversaries are starting to turn machine learning algorithms against the defence. But adversaries could be frustrated by deliberate cyber deception.


Machine learning is one of the biggest buzzwords in cybersecurity in 2017. But a sufficiently smart adversary can exploit what the machine learning algorithm does, and reduce the quality of decision-making.

“The concern about this is that one might find that an adversary is able to control, in a big-data environment, enough of that data that they can feed you in misdirection,” said Dr Deborah Frincke, head of the Research Directorate (RD) of the US National Security Agency/Central Security Service (NSA/CSS).

Adversarial machine learning, as Frincke called it, is “a thing that we’re starting to see emerge, a bit, in the wild”. It’s a path that we might reasonably believe will continue, she said.

As one example, an organisation may decide to use machine learning to develop a so-called “sense of self” of its own networks, and build a self-healing capability on top of that. But what if an attacker gets inside the network or perhaps was even inside the network before the machine learning process started?

“Their behaviour now becomes part of the norm. So in a sense, then, what I’m doing is that I’m protecting the insider. That’s a problem,” Frincke said.

“What’s also interesting in the data science, is that if you are using a data-driven algorithm, [that algorithm] is what feeds the machine learning technique that you disseminate. Unless you keep that original data, you are not going to know what biases you built into your machine learning approach.

“You would have no way of that needle in the haystack, because you threw away the haystack, and all that’s left are the weightings and the neural networks and so on.”

Machine learning has other limitations too.

In 2016, for example, Monash University professor Tom Drummond pointed out that neural networks, one of the fundamental approaches to machine learning, can be led astray unless they’re told why they’re wrong.

The classic example of this problem dates back to the 1980s. Neil Fraser tells the story in his article Neural Network Follies from 1998.

The Pentagon was trying to teach a neural network to spot possible threats, such as an enemy tank hiding behind a tree. They trained the neural network with a set of photographs of tanks hiding behind trees, and another set of photographs of trees but no tanks.

But when asked to apply this knowledge, the system failed dismally.

“Eventually someone noticed that in the original set of 200 photos, all the images with tanks had been taken on a cloudy day, while all the images without tanks had been taken on a sunny day,” Fraser wrote.

“The military was now the proud owner of a multi-million dollar mainframe computer that could tell you if it was sunny or not.”

Frincke was speaking at the Australian Cyber Security Centre (ACSC) conference in Canberra on Wednesday. While she did point out the limits of machine learning, she also outlined some defensive strategies that the NSA has found to be effective.

Organisations can tip the cybersecurity balance of power more in their favour by learning to deceive or hide from the adversary, for example.

By its very nature, network defence is asymmetric. That imbalance is usually expressed as the defender having to close off every security vulnerability, while the attacker only has to be right once.

“On the face of it there should be something we should be able to do about that. You’d think there’d be some home-court advantage,” Frincke said.

Traditionally, organisations have tried to make their data systems as efficient as possible. It makes the network more manageable. But from an attacker’s point of view, it’s easy to predict what’s going on in any given system at any given time.

Taking a defensive deception approach, however, means building an excess capacity, and then finding ways to leverage that excess capacity to design in a deceptive or a changing approach. That way, an attacker can’t really tell where the data is.

If you process data in the cloud, then one simple example might be to duplicate your data across many more nodes than you’d normally use, and switch between them.

“If you’re trying to do an integrity attack, changing that data out from under me, you don’t know which of, say, those hundred nodes I’m using. Or I might be looking at a subset of those nodes, say three, and you don’t know which ones I’m using. So you could try to change them all at once [but] that’s a lot harder,” Frincke said.

The RD’s research has shown that this approach increases the attacker’s cognitive load and plays on their cognitive biases.

“We can try to lead them into making wrong decisions. In other words, we’re frustrating them. We’re trying to make them work too hard, to gain ground that they don’t need. And that will make it easier for us to find them,” Frincke said.

“It’s a little bit like the old honeypot [or] honeynet writ large, but designed into the system as an integral part of the way that it works, and not an add-on.”

The downside to defensive deception is that it’s harder to manage.

“Now I have to do more work as a system manager, and as a pro designer, I need to be sure I know which one of those three of the hundred I should use, otherwise I could end up shooting myself in the foot, especially if I’ve [been] deploying some kind of misleading changes for the adversary,” Frincke said.


Henry Sapiecha

Public hearing on Australian Cyber Security Centre relocation and fit out


The Parliamentary Standing Committee on Public Works will hold a public hearing in Canberra tomorrow to examine the proposed relocation and fit-out of the Australian Cyber Security Centre (ACSC) by the Department of Defence.

The proposed works will enable the personnel of the various agencies to be co-located, as well as providing additional space to facilitate joint initiatives between the ACSC, industry and academia. The estimated cost of the project is $38 million (excluding GST).

Full details on the project are available on the committee’s website:

NB the Parliamentary Standing Committee on Public Works is neither involved in the tendering process nor the awarding of contracts. Enquiries on those matters should be addressed to the Department of Immigration and Border Protection.

Public Hearing Details: 1:30pm to 2:30pm, Friday 10 February, Committee Room 1R3, Parliament House, Canberra

Members of the public are welcome to attend to observe proceedings. The hearing will also be webcast at

Media enquiries:
Office of the Chair, Mr Scott Buchholz MP (Greg Birkbeck): 0427 421 132

For background:
Parliamentary Standing Committee on Public Works
(02) 6277 4636

Interested members of the public may wish to track the committee via the website. Click on the blue ‘Track Committee’ button in the bottom right hand corner and use the forms to login to My Parliament or to register for a My Parliament account.


Henry Sapiecha

Thousands of security threats happen every five minutes


The pace at which businesses now find themselves operating has allowed for the files on a network to be encrypted and beyond an organisation’s reach in just five minutes.

In just five minutes, files on a company’s network can be encrypted and beyond its reach, according to Rik Ferguson, vice president of Security Research at Trend Micro.

Trend Micro has seen a lot of development around ransomware capabilities targeting businesses rather than consumers, Ferguson said during his keynote speech at Cloudsec Australia 2016 in Sydney on Thursday, with 1,800 new threats released out into the wild every five minutes.

Additionally, he said that more than 800,000 people are exposed to malicious URLs, exploit kits, phishing websites, malware, spam, and threats every five minutes, with almost 7,000 records on average being exposed in the same timeframe.

“Just so we can measure the speed of things, the fastest trains today … can reach top speed of about 450km/h. That means in five minutes, you can travel close to 40 kilometres. That’s an incredible distance to be able to go in a very, very short period of time,” Ferguson pointed out.

“It gives you an idea of really how short that time is. In five minutes, [aside from] propelling you across the surface of the earth, it can also result in a number of other things.

“If you were hit by a crypto ransomware attack, within five minutes, all of the files on your computer or the files, god forbid, on all of the computers on your network … can be encrypted and beyond your reach unless you paid criminals some money.”

Ferguson said that universities, corporations, individuals, and healthcare organisations are all being targeted by ransomware that is being developed with specific capabilities to target enterprise.

“Ransomware used to be a consumer thing that would go after your computer, your things, and encrypt all that knowing that if you wanted to get all the files back, you were going to pay the ransom,” he said.


“Over the course of the last calendar year, we saw 29 new families of ransomware, which was already a huge jump on the 13 in the year before that. In the first half of this year, we’ve already seen 79 new families of ransomware, which is a massive increase.”

He said that criminals are investing time, money, and expertise into creating new tools, tool kits, and delivery mechanisms to get ransomware out there, because “this stuff pays dividends”.

“One of the Trend Micro competitors out there, a startup, is offering a ransomware guarantee — but their guarantee is not you’ll never get hit by it; it’s that if you do get hit by it, they’ll pay the ransom for you. That’s a cybersecurity company offering to give money to criminals,” he said.

Over the last few years, Trend Micro has also seen an uptake in what Ferguson called business email compromise, or CEO fraud, which he said is a basic scam that pays criminals a lot of money.

“It’s really simple. It’s a criminal doing the research upfront, identifying the target organisation, looking at who fulfills which role, and then sending a fake email into that company or compromising a mailbox that belongs to an employee of that company,” he said.

“[The criminals] target an email of the right victim, quite often the CFO or someone responsible in the finance department of the business, with requests from a known colleague to pay outstanding money or wire transfer money to a third-party supplier, often abroad, who is fictitious.”


He said this practice has been hugely successful, with $2.3 billion lost to CEO compromise or fraud between 2013 and 2015, with an estimated 79 different countries being affected.

“A certain Australian government department, local council, lost over AU$200,000 to this scam by paying fake invoices. That’s AU$200,000 of your money, I guess, at the end of the day,” he said.

“Australia is not immune. You have the — I don’t know if it’s the good fortune or the misfortune — to speak one of the simplest and most widespread languages on the planet, and it’s the most-targeted language when it comes to cybercrime globally.”

Aside from being a VP with Trend Micro, Ferguson is also special adviser to Europol, project lead with the International Cyber Security Prevention Alliance, vice chair of the Centre for Strategic Cyber Security and Security Science, and an advisor to various UK government technology forums.

Also speaking at Cloudsec Australia 2016, Timothy Wallach, Supervisory Special Agent Cyber Taskforce with the FBI, said the two most significant increases the FBI has seen over the last couple of years have been ransomware or extortion, and business email compromise.

“This is probably the reason why we are seeing a decrease in the number of records stolen, because these schemes are much easier to monetise than compromising a network, stealing information, getting it to the dark web, and eventually on an online market,” he said.

When it comes to consumer ransomware, Wallach said the requested amount is somewhat affordable, at around $450 to $500. However, this is a lot different in an enterprise environment, as the ransom is usually based on the number of endpoints or the servers that are compromised.

“If an organisation has 30,000 endpoints in its network and potentially that many endpoints have been struck with ransomware, it’s generally 30,000 times one bitcoin,” he said.

“The FBI does not recommend paying your ransom. That’s a business decision an organisation has to make.

“When organisations pay ransom, they’re involved in the criminal activity. It’s encouraging the scheme to continue.”

Additionally, Wallach highlighted that paying a ransom does not always mean that you are left with a clean system, or that everything an organisation had initially lost has been recovered.

“Whatever infected your organisation in the first place is still there,” he said. “What we do recommend is prevention, business continuity, and remediation.”


Henry Sapiecha

Hidden ‘backdoor’ in Dell security software gives hackers full access

The critical flaw gives an attacker ‘full control’ of all connected devices


Security researchers are warning Dell security management software admins to patch their systems after finding six high-risk vulnerabilities.

One of the highest-rated “critical” flaws involves a hidden default account with an easily guessable password in Dell’s Sonicwall Global Management System (GMS), widely used software for centrally monitoring and managing an enterprise’s array of networked security devices.

The vulnerability could allow an attacker “full control” of the software and all connected appliances, such as virtual private networking (VPN) appliances and firewalls.

The flaws were detailed in an advisory posted by researchers at Digital Defense, a Texas-based firm that has a commercial stake in the vulnerability scanning business.

However, there’s no evidence to suggest the flaws have been actively exploited by attackers, the researchers said.

Dell acknowledged the flaws affect the most recent versions of the GMS software — versions 8.0 and 8.1 — and issued patches. In a security advisory, the company said it “highly recommends” that admins install the hotfix, available from its support pages.

A Dell spokesperson was unavailable for comment.


Henry Sapiecha


How to crack Android encryption on millions of smartphones

Qualcomm is working on a fix, but it might not be possible


Android’s full disk encryption can be broken with brute force and some patience — and there might not be a full fix available for today’s handsets.

This week, security researcher Gal Beniamini revealed in a detailed step-by-step guide how it is possible to strip away the encryption protections on smartphones powered by Qualcomm Snapdragon processors, which means millions of mobile devices could be vulnerable to attack.

Android’s Full Disk Encryption (FDE), first implemented in Android 5.0, randomly generates a 128-bit master key and 128-bit salt to protect user data. The master key, also known as the Device Encryption Key (DEK), is protected by encryption based on the user’s credentials, whether this is a PIN, password, or touchscreen pattern.

The now-encrypted DEK is then stored on the device.

In order to prevent successful brute-force attacks against this process, Android introduced delays between decryption attempts and data wipes after a number of failed attempts (in the same way as Apple). To prevent off-device brute-force attacks, the key is bound to the device’s hardware — and this is where a security flaw in Qualcomm systems has caused a problem.

The binding is performed through Android’s Hardware-Backed Keystore, called KeyMaster. The module runs in a Trusted Execution Environment (TEE), which is considered the “secure world”, while the Android OS is considered the “non-secure world”.

The reasoning behind that is that KeyMaster can be used to generate encryption keys and perform cryptographic functions without revealing this information to the main operating system.


Once keys are generated, they are encrypted and returned to the main OS, and when operations require these keys, an encrypted block of data — the “key blob” — must be provided to KeyMaster. The key blob contains a 2,048-bit RSA key that is used only inside a secure portion of the device’s processor and is required for the cryptographic processes.

“Since this is all done without ever revealing the cryptographic keys used to protect the key blobs to the non-secure world, this means that all cryptographic operations performed using key blobs must be handled by the KeyMaster module, directly on the device itself,” the researcher says.

However, KeyMaster’s implementation is down to the hardware vendor. Qualcomm’s version runs in the Snapdragon TrustZone, which is meant to protect sensitive functions, such as biometric scanning and encryption, but Beniamini found it is possible to exploit an Android security hole to extract the keys from TrustZone.

Qualcomm provides a Trusted Execution Environment, called QSEE (Qualcomm Secure Execution Environment), which allows small apps, known as “Trustlets”, to run inside of this secure environment and away from the main Android OS. KeyMaster is one of these QSEE apps.

But you can exploit an Android vulnerability to load your own QSEE app inside TrustZone, which can lead to privilege escalation and hijacking of the full space, as well as the theft of the unencrypted blob containing the keys generated for full-disk encryption.

The only thing Android has to fear is Android itself

Once this step is complete, a brute-force attack is all you need to grab the user password, PIN, or lock, and you have both parts of the puzzle needed to strip away Android’s FDE.
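The key-protection scheme described above, modelled as an added example (not Android’s or Qualcomm’s code): a random 128-bit DEK and salt, a key-encryption key derived from the user’s credential, and a KeyMaster-style step that ties the derivation to a secret only the secure world holds. Assumptions: HMAC-SHA256 stands in for the RSA signature KeyMaster performs, a one-block HMAC keystream stands in for the block cipher that wraps the DEK, PBKDF2 is the KDF, and the device secret and PIN are constructed values.

```python
"""Simplified model of hardware-bound disk-encryption key wrapping.

Added example, not Android's or Qualcomm's code. It shows why the
"binding to the device's hardware" step matters: the same PIN unlocks
the DEK only when the derivation runs against the device-bound key.
"""
import hashlib
import hmac
import secrets

DEK_BYTES = 16      # 128-bit master key (DEK), as in the article
SALT_BYTES = 16     # 128-bit salt, as in the article
KDF_ROUNDS = 2048   # PBKDF2 rounds; kept small so the example runs quickly


class KeyMaster:
    """Stand-in for the TEE module: signs data with a key that never leaves it.
    Hypothetical: HMAC replaces the RSA signature the real module performs."""

    def __init__(self, device_secret: bytes) -> None:
        self._device_secret = device_secret  # constructed device-bound key

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._device_secret, data, hashlib.sha256).digest()


def derive_kek(credential: str, salt: bytes, keymaster: KeyMaster) -> bytes:
    """Credential -> KDF -> KeyMaster signature -> KDF.
    The middle step forces every guess through the device (or through an
    extracted device key), which is what the article's attack removes."""
    stretched = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt,
                                    KDF_ROUNDS, 32)
    bound = keymaster.sign(stretched)
    return hashlib.pbkdf2_hmac("sha256", bound, salt, KDF_ROUNDS, 32)


def _keystream(kek: bytes) -> bytes:
    # One 16-byte block of keystream; a stand-in for a block cipher.
    return hmac.new(kek, b"dek-wrap", hashlib.sha256).digest()[:DEK_BYTES]


def _check_tag(kek: bytes, wrapped: bytes) -> bytes:
    return hmac.new(kek, b"dek-check" + wrapped, hashlib.sha256).digest()[:16]


def wrap_dek(dek: bytes, kek: bytes):
    """Returns (wrapped_dek, check_tag). The tag lets the unlocker reject a
    wrong credential without trying the DEK against the disk."""
    wrapped = bytes(a ^ b for a, b in zip(dek, _keystream(kek)))
    return wrapped, _check_tag(kek, wrapped)


def enroll(credential: str, keymaster: KeyMaster):
    """Set up FDE: random DEK and salt, DEK wrapped under the derived KEK.
    Returns (dek, stored). Only `stored` would persist on a real device."""
    dek = secrets.token_bytes(DEK_BYTES)
    salt = secrets.token_bytes(SALT_BYTES)
    wrapped, tag = wrap_dek(dek, derive_kek(credential, salt, keymaster))
    return dek, {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(credential: str, stored: dict, keymaster: KeyMaster):
    """Re-derive the KEK and unwrap; returns the DEK, or None on a bad tag."""
    kek = derive_kek(credential, stored["salt"], keymaster)
    if not hmac.compare_digest(_check_tag(kek, stored["wrapped"]), stored["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(stored["wrapped"], _keystream(kek)))


def demo() -> dict:
    """Three cases: right PIN on the device, wrong PIN, right PIN off-device."""
    device = KeyMaster(secrets.token_bytes(32))
    dek, stored = enroll("4821", device)           # constructed PIN
    other_device = KeyMaster(secrets.token_bytes(32))
    return {
        "right_pin_on_device": unlock("4821", stored, device) == dek,
        "wrong_pin_on_device": unlock("0000", stored, device) is None,
        # Same PIN, but without the device-bound key the KEK comes out wrong.
        "right_pin_off_device": unlock("4821", stored, other_device) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third case is the property the Qualcomm flaw undermines: once the device-bound key can be extracted, `derive_kek` can be evaluated anywhere and the on-device attempt delays no longer apply.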

A deeper look into the decryption process can be found here. The full source of the exploit is located on Github.

As noted by The Register, the researcher has been in touch with the developer of hashcat, used to crack hashes, to implement the function being brute-forced, which would speed up the cracking process.

“As we’ve seen, the current encryption scheme is far from bullet-proof, and can be hacked by an adversary or even broken by the OEMs themselves (if they are coerced to comply with law enforcement),” the researcher noted. “[…] However, I believe a concentrated effort on both sides can help the next generation of Android devices be truly ‘uncrackable’.”

Beniamini has also contacted Qualcomm concerning this issue but says that “fixing the issue is not simple” and might even require hardware changes. So, until handsets are upgraded or switched to newer models, the problem will remain.


Henry Sapiecha

Revealing the shadowy tech brokers that deliver your data to the NSA

These so-called “trusted third-parties” may be the most important tech companies you’ve never heard of. ZDNet reveals how these companies work as middlemen or “brokers” of customer data between ISPs and phone companies, and the U.S. government.


NEW YORK — Picture two federal agents knocking at your door, ready to serve you a top secret order from the U.S. government, demanding that you hand over every shred of data you own — from usernames and passwords, phone records, emails, and social networking and credit card data.

You can’t tell anyone, and your only viable option is to comply.

For some U.S. Internet service providers (ISP) and phone companies, this scenario happens — and often. Just one ISP hit by a broad-ranging warrant has the potential to affect the privacy of millions of Americans.

But when one Atlanta, Georgia-based Internet provider was served a top-secret data request, there wasn’t a suited-and-booted federal agent in sight.

Why? Because the order was served on a so-called “trusted third-party,” which handles the request, served fresh from the secretive Washington D.C.-based Foreign Intelligence Surveillance (FISA) Court. With permission from their ISP customers, these third-parties discreetly wiretap their networks at the behest of law enforcement agencies, like the Federal Bureau of Investigation (FBI), and even intelligence agencies like the National Security Agency (NSA).

By implementing these government data requests with precision and accuracy, trusted third-parties — like Neustar, Subsentio, and Yaana — can turn reasonable profits for their services.

Little is known about these types of companies, which act as outsourced data brokers between small and major U.S. ISPs and phone companies, and the federal government. Under the 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), any company considered a “communications provider” has to allow government agencies access when a valid court order is served. No matter how big or small, even companies whose legal and financial resources are limited do not escape federal wiretapping laws.

On a typical day, these trusted third-parties can handle anything from subpoenas to search warrants and court orders, demanding the transfer of a person’s data to law enforcement. They are also cleared to work with classified and highly secretive FISA warrants. A single FISA order can be wide enough to force a company to turn over its entire store of customer data.

For Cbeyond, a Nasdaq stock exchange-listed ISP based in Atlanta, Georgia, data requests can be put almost entirely out of mind. The company generates more than $450 million in revenue each year and serves more than 50,000 business customers — primarily small to medium-sized companies — in more than a dozen U.S. states.

The ISP’s legal resources are razor thin, according to an executive at the company, who did not want to be named for the story. As a result, the company does not always directly handle government data requests.

The company outsources a good portion of its legal and compliance responsibilities to Neustar, which bought its way into the wiretapping business following its 2005 acquisition of compliance firm, Fiducianet.

Cbeyond can receive as many as five to ten subpoenas per week. These data requests are regularly forwarded to Neustar, which acts as the ISP’s “custodian of records.” They are validated, and — more often than not — data is handed over to the requesting law enforcement agency.

But on the rare occasion Cbeyond receives a top-secret FISA warrant — two per year on average, according to a senior staffer who has direct knowledge of the matter — Neustar pulls the data from the ISP’s networks and hands it to the requesting government agency.

These warrants can allow the FBI or the NSA to collect an unknown but potentially limitless amount of data on millions of Americans and foreigners.

“Hidden, but not visible”

Created by its namesake law, the Foreign Intelligence Surveillance Act in 1978, the FISA Court issues more than a thousand classified warrants a year for Americans’ data. One former NSA analyst likened it to a “kangaroo court with a rubber stamp,” as it keeps very few records, of which many are kept in the utmost secrecy and away from public scrutiny.

Only documents leaked by former U.S. intelligence contractor Edward Snowden have helped lift the lid on the shadowy world of these secret so-called FISA warrants. Signed off by the court, these warrants give the FBI and the NSA wide-ranging access to American data, in spite of Fourth Amendment protections designed to protect against overreaching domestic government surveillance.

The first classified document leaked by the former U.S. government contractor showed how the Obama administration forced Verizon to turn over its entire store of metadata on a rolling basis to the NSA.

FISA warrants are designed to be issued on individuals, or customers who store data belonging to those people who, according to the Office of the Director of National Intelligence, “are or may be” engaged in espionage, sabotage, terrorism (or aiding a terrorist), or take orders from a foreign government.


FISA warrants issued by year since 2001 (Source: Justice Dept., via Electronic Privacy Information Center)

When these secretive FISA orders are issued, there is little indication to Cbeyond, or any other local or major ISP or phone company, what the requested data may be used for. It could be for a terrorism case, or it could be a small part of an undisclosed NSA program. That also poses a problem for the companies wanting to fight back — and some companies have found the process notoriously difficult — not least because it requires an attorney with top-secret security clearance.

One of those attorneys, who declined to be named for the story because the person holds top-secret security clearance, explained that although hundreds of lawyers have the same clearance — including those serving terror suspects in Guantanamo Bay — very few have been in front of the FISA Court to defend their clients. These clearance-holding lawyers have been in high demand over the past year representing major Silicon Valley companies implicated in the NSA’s surveillance programs.

For the majority of smaller companies (as well as larger ones, who have refused to comment on challenging such warrants), complying with data demands may be their only option. The vast majority, however, do not have the resources to handle such requests.

“If they don’t have an internal lawyer [reviewing FISA warrants], they could use a third-party service. That third-party can’t provide legal advice, but it can create a system for reviewing the data, pulling, and processing the data,” the security clearance-holding attorney said.

Enter the trusted third-party, which facilitates the data request between the two.

Neustar’s business is wide-ranging. Many industry insiders know it as a phone number portability company and the owner of top-level domain names. But its dedicated — and widely-unknown — legal and compliance division, dubbed “fiduciary” services, handles subpoenas and warrants on behalf of their customers, provides technical assistance in the lawful interception of data, and the services to carry out the surveillance demanded by the court or law enforcement agency.

“It’s not hidden, but not visible,” according to a former Neustar executive who worked in the division and who declined to be named, because the customers whose activities the division supports are ones that customers “don’t publicize very much.” These services are stigmatized particularly in the wake of the Snowden disclosures. The person said that ordinary people do not want to know that their data is up for grabs.

BuzzFeed in 2012 profiled Neustar in some depth, disclosing the scope of its legal intercept unit. The piece led the company to disclose for the first time transparency figures (more on that later).

Neustar works primarily for small to medium-sized businesses. The company said two years ago that it serves about 400 of the “thousands” of U.S. phone companies — including smaller firms like Cbeyond and Grande Communications, but also larger firms like Bright House Networks, and also Cricket, which disclosed its relationship with Neustar to Congress in May 2012 — to handle and respond to the court orders they receive. Neustar does not always act as the first go-to point for its customers.

The fiduciary division can also be held on reserve as an “overflow” in cases where its larger corporate giants may be inundated with more demands for data than usual, the former Neustar executive said.

To the degree that the company performs overflow functions for companies such as Verizon, Neustar chief privacy officer and deputy general counsel Becky Burr explained, it is “only non-criminal information,” such as civil subpoenas, often generated in bitter divorce and custody disputes.

Neustar data request figures

Neustar transparency report (August 28, 2014)

Order type                            2012         2013         2014*
Administrative subpoena             19,236       28,941       16,315
Other subpoenas                     10,615        9,274        3,956
Total subpoenas                     29,851       38,215       20,271
Exigent circumstances                2,793        3,131        1,164
PSAP** Emergency — 911              11,368       11,041        4,638
Total emergency                     14,161       14,172        5,802
Tower search                             1          114          132
Court order                          7,778        8,375        3,609
Search warrant                       1,538        1,956          971
Total court order                    9,317       10,445        4,712
Criminal — full contents               307          332          163
Criminal — pen/trap                  1,971        2,596        1,249
Total intercepts                     2,278        2,928        1,412
NSL orders, FISA demands/targets***  0-249/0-249  0-249/0-249  n/a****

*    through August 15, 2014
**   stands for “public-safety answering point” — such as 911 emergency call centers
***  per Justice Dept. requirements, only the range of FISA warrants can be issued
**** the last six months are not available as per the Justice Dept. delayed publication rule
Source: Neustar

Neustar came under fire in 2012 for withholding from the public any details on wiretap or data requests it receives on behalf of its clients.

The company disclosed, for the second time, its latest transparency figures. Burr said the company has seen a spike in lawful intercept requests since the five-year period ending 2011, thanks to the new business of a larger customer in 2011, which is not named as it was divulged off the record.

These lawful requests are authorized by a court, and can mandate a company to hand over the contents of emails and phone calls — including the time, date, and duration of calls, and the phone numbers themselves, though not the contents of the calls made.

Out of the 2,278 data requests Neustar processed in 2012, about 77 percent came from that one unnamed customer, and accounted for about 76 percent of all Neustar’s processed requests in 2013.

While the division also processes civil requests, and in rare cases handles emergency responses from law enforcement agencies — such as the immediate threat to property or life — it nonetheless handles a significant portion of its customers’ criminal requests.


Neustar’s figures show a spike in warrants since its first transparency report. The figures show that civil requests make up the bulk of Neustar’s fiduciary business, but criminal requests — including court orders and search warrants — make up about one-third of the overall requests.

As per reporting rules set out by the U.S. Department of Justice on disclosing FISA requests and National Security Letters (NSLs), which can be used to compel an ISP or phone company while gagging them from disclosing the fact, the last six months’ worth of data is not available. Any requests prior to the six-month reporting rule are disclosed only as a numerical range.

Although the range spans from zero, we know from Cbeyond’s case that at least one FISA warrant has been served.

The scope of other existing FISA orders is also shrouded in secrecy, along with the process by which these secret court orders are served on companies. Although U.S. residents are afforded legal protections to limit domestic government surveillance, the Obama administration has come under intense scrutiny for using secret interpretations of surveillance law to acquire Americans’ data.

The process by which FISA warrants are served on companies or individuals isn’t widely known, due to the restrictions on whom recipients can talk to.

In reality, it may not involve federal agents showing up at your door at all. It may be as routine as a phone call from an ISP’s third-party provider. That’s when the wiretapping can begin.

“Of what worth is our permission?”

Neustar will typically inform the ISP by phone that a warrant has been received. According to the former Neustar executive, the smaller the carrier, the greater chance Neustar’s staff will see such orders first — though, not in every case.

Despite their secrecy, what is known is that FISA warrants are generally targeted and individualized, but they can also be broad and wide-ranging. While the contents of the FISA warrant are classified, it will state the legal authority under which a wiretap can be placed.

When it’s the latter case, the law says multiple warrants can be served each year on a rolling basis to maintain fresh oversight by judges, or to form a new legal basis to acquire more data.

Companies like Neustar, Subsentio, and Yaana have staff with security clearance, allowing them to see, review, and execute the warrant.

If an order is not valid, or it has deficiencies such as inappropriate language, the third-party’s legal experts may outright reject the order — regardless of the type of order issued by the law enforcement agency.

“Every action Neustar took as an outsourced partner was really governed by the carriers’ policies and procedures,” the former Neustar executive explained. If an ISP or phone company is particularly conscious of its customers’ civil liberties, Neustar can adopt strict guidelines to meet those criteria. That said, if a customer is less than willing to uphold those rights — or is unable to pay to have the order challenged in court — Neustar may near-automatically accept each government data request.

The ISP remains informed along the way, and will be the final arbiter on whether or not a data request will be accepted or rejected — regardless of its policies in directing Neustar how to act.

Neustar, like other trusted third-parties, is granted full technical access to the network of its ISP customer, either by way of the company’s own wiretap equipment or technology provided by the trusted third-party. Then, Neustar will formally request permission from the ISP’s general counsel to execute the warrant. As is often the case, no information about the FISA request is given to the company.

“Of what worth is our permission when we don’t even know what we’re being asked to give access to?” a senior staffer at Cbeyond admitted.

Neustar can in many cases execute the warrant from anywhere within the U.S., keeping within the bounds of the country’s surveillance law. But when a wiretap device is needed, they are not hard to come by. Most networking equipment makers sell devices that can be used to collect data, or to inspect data — so-called deep-packet inspection devices, which can also be used to prevent piracy and the spread of malware, and to block website access, all at the Internet provider level.

Once a FISA warrant is issued, so-called “tasking” orders, which contain selectors — like a phone number or an email address — are often sent electronically to the ISP. These tell the ISP or phone company, or third-parties like Neustar, exactly where to wiretap and what data to collect to hand back to the requesting authority.

By acting as middlemen, companies like Neustar, Subsentio, and Yaana often liaise with the targeted ISP or phone company and the law enforcement agency, acting as a channel through which intercepted data can flow.

For Cbeyond, the process is relatively straightforward — it’s out of sight and (almost) out of mind. But, that’s not the case for every ISP or phone company. Each company’s infrastructure has unique requirements.

FISA requests also come at a cost on two fronts for the ISP. Neustar’s services are held on retainer, with additional costs for each warrant.

Although financial arrangements were not disclosed between Cbeyond and Neustar, the ISP’s limited annual revenue and legal resources are a driving factor behind why it has not so far challenged a FISA warrant. But, Neustar will also work with U.S. law enforcement agencies to recover costs, which they are entitled to do under the law, for data requests.

Other companies work on a case-by-case basis, or charge a little more each year instead of taking on a retainer fee.

“Maybe we should be thinking about civil liberties more”

Data requests can be refused — it doesn’t happen often, but it does happen. For the third-party companies, their obligations are to their client and not the law enforcement agency.

But there are limits. If the ISP or phone company decides to fight a warrant, the third-party can stand back and wash its hands of it.


Burr said Neustar “has and will” reject subpoenas that are inadequate for one reason or another. But should its clients choose to fight a FISA warrant or court order they believe to be overbroad, Neustar will not join the battle in court.

Other trusted third-parties take a similar approach.

“We’re out of the picture,” said Marcus Thomas, chief technology officer at Subsentio, another trusted third-party company, founded in 2004, and based out of Littleton, Colorado.

The company has “well over 100 customers,” and is mostly focused on wireless carriers and cloud providers, Thomas said on the phone. Thomas is no stranger to this field. As a former FBI assistant director, he was responsible for the bureau’s lawful interception operations. He retired in 2011.

Thomas said that Subsentio, unlike Neustar, is not a formal “custodian of records,” but it interacts with both parties to ensure the correct records and the right amount of data are transferred from the company to the law enforcement agency. The company typically handles pen registers for real-time recording of phone numbers dialed from a particular line, full-content wiretap orders, and FISA warrants.

Subsentio provides more than simply the legal vetting procedures for determining whether a lawful intercept can go ahead. It’s not unusual for Subsentio to provide the actual wiretap device itself, should its customer need one.

“If they choose not to implement it, they don’t authorize us to implement it,” Thomas said.

Yaana operates under a similar regime. Founded in 2007 and based in the heart of Silicon Valley, it has “dozens” of clients among the thousands of U.S.-based ISPs and phone companies. The firm also serves companies operating with a foreign presence, and supports warrants from a number of European states. Yaana’s focus is compliance in the cloud, which — according to executive vice president for regulatory affairs and standards Tony Rutkowski — the vast majority of technology companies were “slowly but surely” moving towards.

Like Neustar, Yaana acts as legal agent to its corporate customers, Rutkowski said. Thanks to its in-house “rules-based reasoning engine,” law enforcement requests can be triaged and cleared, and are then accepted or rejected by on-call staff. For subpoenas, the system is straightforward and near-autonomous. Court orders under seal — and many are — require the direct approval of the ISP or phone provider.

“If they haven’t seen it, we won’t approve it,” Yaana’s chief technology officer David Grootwassink explained on the phone.

However, when handling FISA warrants, there “isn’t a lot of wiggle room” except to ensure that they are valid, Grootwassink said. It is the ISP or phone provider that must decide whether or not it will comply with a FISA warrant. Should a client wish to fight the order, Yaana will not step in to fight on behalf of or alongside its ISP or phone provider client.

“It’s the provider’s problem,” Rutkowski said. “The nice part about the trusted third-party business is that just from a liability standpoint, we don’t want to be left holding the bag here.” Grootwassink agreed. “We provide the gears. We don’t get involved in fights between the governments and our clients.”

Except, according to the numerous people spoken to for this article, many of the customers of these trusted third-party firms may not have the legal expertise or resources in the first place to develop policies that are fitting for the Internet and phone customers they serve.

Because Neustar, Subsentio, and Yaana act on behalf of their clients and follow their clients’ wishes, those clients themselves may be the weakest link in the privacy chain. Many of the companies outsourcing their services to a trusted third-party may not have strong policies designed to first and foremost protect the civil liberties of their customers.

These policies dictate ahead of time how the trusted third-party will respond to requests, without the client having to get dragged into the minutiae of each case.

Although some ISPs have wanted to fight tooth and nail, they have not had the money to hire a top-secret cleared attorney to argue their case. Instead, they have invoked their interpretation of the First Amendment — the right to free speech — to disclose that they have received a FISA warrant, despite the secrecy and gagging clauses that come with them.

Others, like Cbeyond, “haven’t examined simply saying ‘no’ and challenging them,” said the person with direct knowledge of the warrants served on the ISP.

“What we’re doing is what the rest of the American public is doing,” the person said. “We’re trusting in some way that these [warrants] are being handled in a responsible fashion.”

Because of its business clientele, higher management was “not thinking about civil liberties issues,” the person said, noting that the company near-automatically approved all requests.

“We don’t have a department designed to resist unwarranted government intrusions or to even figure out if they’re unwarranted or not,” the person said.

The onus of responsibility is with the business customers it serves, Cbeyond believes — though the people argued that those customers likely do not have the resources to deal with such warrants either. The ISP is instead focused on fighting “incessant and unrelenting regulatory attacks” from its larger corporate rivals, one of the people said.

The end customers of ISPs and phone companies are not made aware that their data is being collected. In many cases, a company’s chief executive is kept out of the loop.

U.S. surveillance law restricts who can be told about classified data requests. Although the law does not preclude a company’s chief executive from knowing, Cbeyond’s chief executive Jim Geiger said on the phone he would not be informed of the receipt of any FISA warrants, nor would he know about all of the subpoenas the company gets.

“It’s a wide burden for a chief executive’s involvement of things that would suck time and energy that aren’t necessary,” he said.


“We are not a regulated industry”

Cbeyond’s approach means Neustar will accept almost every government data request it receives on behalf of the ISP — so long as they pass Neustar’s own internal legal review.

In the relationship between ISPs and phone companies and these trusted third-parties, there are few — if any — sticking points. The ISPs devolve a portion of their responsibilities to the third-party, which generates a tidy sum for their services, and the law enforcement agencies receive the data they request.

But despite this data handover process, there remains little regulation or oversight of the trusted third-party industry.

Staff members at these companies hold U.S. security clearance and are therefore legally allowed to handle and remotely execute FISA warrants and directives. They fall within the realm of rules, protocols and laws that the U.S. intelligence community abides by.

But the vast majority of their work goes unsupervised by the government.

“Even though it sounds like [trusted third-parties] are regulated or licensed… the [legal] functions weren’t fully outsourced,” the former Neustar executive said. “You didn’t as a carrier turn over your responsibilities to someone who’s licensed to do those responsibilities. You hired competent staff on an outsourced basis to do your work, and it’s all governed by the policies of the carrier.”

“Everything was just an extension of the [carrier’s] work center,” they said. “Neustar wasn’t doing anything other than work for [its] carriers.”

Neustar says it reviews, validates, and keeps audit trails for its customers. Subsentio and Yaana also audit their activities for their customers’ benefit in order to make sure the companies are not conducting activities beyond their purview.

Thomas said trusted third-parties are “not a regulated industry” and that there is no external party reviewing such work. He said that the company does not undergo any audits that would examine how they do their jobs.

“We sort-of determine our own communication and security requirements,” Thomas said. The only exception is classified work, which he said is “reviewed” periodically by the company.

The only oversight, per se, is from the public. In the wake of the Snowden leaks, many companies have bowed to public pressure and released government data request figures. Cbeyond does not currently have a transparency report, and Geiger said the company has no plans to publish one any time soon. But for some, a company’s size is no excuse. Utah-based ISP XMission, for instance, which has a staff just shy of 50 employees and one attorney, regularly updates its transparency pages — even on one occasion disclosing it had received and fulfilled a FISA warrant for one individual’s data.

Cbeyond’s business clientele were a driving reason behind Birch Communications’ bid to acquire the ISP for $323 million, which closed on July 21. Birch is now said to comply with subpoenas and warrants in-house, ending the long-standing relationship with Neustar.

In June, one month before the deal closed, not knowing what changes the new regime would bring, the senior staffer at the ISP ended the conversation to go back to work.

“We’re not thinking about civil liberties issues. Maybe we should have been thinking about it more.”


Henry Sapiecha

A massive financial crime and terrorism database has leaked

The list contains 2.2 million names of high-risk individuals and organizations — including those thought to be involved in financial crime and terrorism.

NEW YORK – APRIL 17: The new logo of Thomson Reuters is seen on their Times Square building April 17, 2008 in New York. Thomson Reuters Corporation debuted on April 17 with a new logo as a global information company. (Photo by Chris Hondros/Getty Images)

A database of heightened-risk individuals and organizations, some of which are thought to be involved in financial crime, corruption, and terrorism, has leaked.

The so-called World-Check Risk Screening database contains 2.2 million names of people and companies, according to Chris Vickery, a security researcher at MacKeeper, who said on a Reddit thread that he acquired the database.

The database dates back to mid-2014, and it contains names, dates, places of birth, and other sensitive information, which is collected from law enforcement records, political information, articles, blog posts, and social media, among other sources.

A smaller category of about 93,000 individuals thought to be involved in terrorism is also said to be in the database.

Access to the database is restricted to vetted individuals under strict European data protection laws.

Financial and information giant Thomson Reuters, which acquired the company for $530 million in 2011, admitted the database had been leaked, but the database is not thought to have come from Thomson Reuters’ servers.

A spokesperson for the company confirmed the security lapse has been plugged.

“Thomson Reuters was yesterday alerted to out-of-date information from the World-Check database that had been exposed by a third party. We are grateful to Chris Vickery for bringing this to our attention and immediately took steps to contact the third party responsible. As a result, we can confirm that the third party has taken down the information. We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident,” said the spokesperson.

Many banks and law firms use the database to help “minimize … risk of complicity in terrorist financing or money laundering,” according to an investigation by Vice News.

Vickery has not yet publicly released the data, however, given its sensitivity.

Vickery is known for his security work, including when he revealed the exposure of millions of Mexican voters’ data, over 191 million US voters’ data, and over three million Hello Kitty fans’ data. He also discovered the exposure of 13 million MacKeeper user accounts. MacKeeper fixed the flaw and later hired the researcher.


Henry Sapiecha

Inside the global terror watch-list that secretly shadows millions

The database contains profiles on millions of “heightened-risk individuals,” and is used by dozens of leading banks, governments, and spy agencies

Thomson Reuters building in Times Square, New York. (Image: file photo)

There is a private intelligence database, packed full of personal details of millions of “heightened-risk” individuals, which is secretly having a devastating effect on those who are on it. Most have no idea they’re under the watchful gaze of some of the world’s largest and most powerful organizations, governments, and intelligence agencies.

But for all its worth and value, it wasn’t kept nearly secure enough.

A copy of the database, dating back to mid-2014, was found on an unsecured server hosted by a London-based compliance company, which specializes in “know your customer” profiling and anti-money laundering services.

Chris Vickery, a security researcher at MacKeeper, who found the database, told me that it was stored on a server configured for public access.

This influential yet entirely unregulated database, called World-Check, lists over 2.2 million corporations, charities, and individuals — some notable, like politicians and senior government officials — which might be connected to illegal activities, like sanctions violations or financial mismanagement.

Some have been pinned under the database’s “terrorism” category, or are thought to be connected to financing violence.

This data could affect a person’s ability to be lent money by a bank, their employment opportunities, and even influence the people who do business with them — simply based on a designation.

Word of the database first widely emerged earlier this year when Vice News disclosed the existence of the project. It said the database was “secretly wielding power over the lives of millions” who are said to have “hidden risk,” such as those who are violating sanctions, have laundered money, or have a connection to criminals — which has been linked to account closures and bank blacklisting. As the news site pointed out, simply being a high-profile individual can label someone at risk of bribery.

The report said the database now has over 2.7 million entries — including over 93,000 records relating to those associated with terrorism.

No wonder it’s popular with law enforcement agencies and government departments, which subscribe to the database in an effort to uncover potentially improper conduct. Most of the world’s largest banks and law firms, and over 300 government and intelligence agencies are subscribers, according to a 2015 sales document from its owner, information and finance giant Thomson Reuters, which in 2011 bought the company for $530 million.

Because of the sensitivity of the data, access is limited to a few thousand customers, which have been carefully vetted and are bound by secrecy and non-disclosure agreements.

Vickery reported the leak to Thomson Reuters, but he still went public in an effort to spark a debate on whether these profiling databases are being run appropriately.

“If governments and banks are going to alter lives based upon information in a database like this, then there needs to be some sort of oversight,” he said in an email.

The problem is, there isn’t.

Vickery shared access to the database with ZDNet.

Each profile lists a person’s potential risks such as “narcotics” or “terrorism,” “organized crime,” or “politically exposed person.” Given the list’s potential power to alter a person’s opportunities, many would not approve of their name being on it.

Take one example. Maajid Nawaz ran for the British parliament as a Liberal Democrat in the last election, as profiled by Vice. He is a former member of the radical Islamic group Hizb ut-Tahrir, which calls for its own Islamic state. He was detained in Egypt for five years, but is best known for his publicized and well-documented transition away from radical views. He later set up a think-tank dedicated to challenging the extremist narrative, and advised former prime ministers from Tony Blair onwards on Islamic extremism. And yet his profile on the World-Check database, created in 2002, still carries a “terrorism” tag and was updated as recently as August 2013, despite “no further information recorded,” let alone any connection to extremists or terrorists.

He called the database “archaic,” and said that the inclusion of his name has had a “material impact” on his life.

It’s not just individuals who are designated as affiliated with terrorism, despite equally public data suggesting the contrary.

A BBC investigation last year showed the process behind banking giant HSBC’s bid to shut down accounts associated with several prominent British Muslims. A mosque in North London was given a “terrorism” label, despite new management that was installed more than a decade ago.

Other names in the database include diplomats and ambassadors, and senior ranking officials associated with global financial institutes, such as the World Bank, as was previously reported.

Based on how profiles are built, potentially anyone with an internet footprint could be included.

Much of the data comes from law enforcement sources, political information, articles, blog posts, and social media, among other sources. From the records we looked at, the data would often contain names, locations, dates of birth, and details of education, but in some cases social security numbers, and citizenship and passport numbers, were also included.

The profiles themselves often have little or no justification for the entry. From our searches, we found high-ranking global government officials who were named in the files, yet there was no visible or clear justification for why they were there. In most cases there were just a handful of external links to publicly available documents, like speeches, election results, or pages linking to official government websites, as justification for their presence.

Many of the “reports” list a person’s risk as “to be determined,” suggesting there were no improprieties, illegal activities, or even an apparent reason for a profile, except for their status as a public figure.

The database we examined is two years old, and the records may have changed since, however.

A spokesperson for Thomson Reuters didn’t specifically respond to a question in relation to how profiles are built, vetted, or designated, but pointed me to the World Check privacy policy, which reiterates its effort to get data based on information in the public domain.

This entire market of “know your customer” and profiling remains unregulated and ungoverned — despite being used by some of the most powerful countries and organizations today. This industry is growing at a rapid rate — some say by over $30 billion by the start of the next decade. Even though the service has to stand up to strict European and UK data protection rules, a lack of public scrutiny and accountability makes that task almost impossible.

Those who are named in the database have little or no recourse to have their data corrected or removed.

In Nawaz’s case, Thomson Reuters reportedly removed his profile earlier this year. But given that the contents of the database are shrouded in secrecy, not everyone will have the same luck, let alone know they’re on a database in the first place.

Henry Sapiecha

A day in the life of a cyber security expert

In part two of our three-part Stay Smart Online blog series, we meet Alexis Coupe, a cybersecurity analyst at nbn. Alexis talks to us about the importance of cyber security and shares his top security tip.

This week is Stay Smart Online Week, a government initiative to raise awareness amongst Australians about how they can help protect themselves and their businesses online.

To mark this, we are publishing a three-part blog series about cyber security.

In this post, we meet Alexis Coupe, a cybersecurity analyst at nbn, who talks to us about the importance of cyber security and shares his top security tip.

So Alexis, you’re an nbn Cyber Analyst, what does that actually mean?

A Cyber Security Analyst, to some extent, is like the cyber police.

They help prevent cyber-attacks, primarily through their expertise in identifying a security event as an intrusion attempt or just common network traffic.

It’s the role of a cyber-analyst to understand the links between security and business threats (such as networks, databases, firewalls, web applications, etc.) and offer proactive and dynamic solutions to identify threats and incidents.

Through constant monitoring and analysis of the network, we seek to detect the theft of sensitive information, spreading of malware, phishing campaigns, and the occasional network intrusion.

That being said, it’s not like CSI (Crime Scene Investigation): it’s 80 per cent cyber analysis and 20 per cent excitement!

What does a typical day look like for you?

Each day is different and that’s the amazing part of my work.

In theory, we typically cut a day into different sections:

I spend about 10 per cent of my time following the international security news and social networks in order to identify new threats, such as current phishing campaigns, or zero days which might be exploited on the internet.

It is critical that our security systems are updated to help protect against hackers, and we have access to the latest security toolkits. This is to make sure we know what the bad guys are doing and occasionally, use the tools in our lab to see how they work.

Fifty per cent of my time is spent dealing with current detections and incidents.

We interpret a security event and identify it as either a real attack or normal traffic. Approximately 40 per cent of my time is spent on the detection of new threats and R&D, which I enjoy the most about my job!

We do a lot of internal development and it gives me the opportunity to help build the security operations centre.

If you could give everyone reading this article one cyber security tip, what would it be?

Get a good practice for password management! Passwords with at least eight characters containing a mix of lower-case, upper-case characters, numbers, and punctuation marks are ideal.

Most people register on numerous websites with the same credentials and – believe it or not – even share their passwords with others – a security no-no.

Usually, the same password or a derivative of it is used for online banking access, email address, or other sensitive data.

With multiple websites requiring sign-ons, similar or same passwords, it can make it pretty easy for a malicious person to steal data, sensitive information and even money.

Using different passwords for different websites ensures that even if a website is hacked and your credentials are disclosed on the Internet, there will be no impact to your other accounts.

What’s the coolest part of your job?

The coolest part of my job is certainly the detection of new threats! To be able to do that effectively, we often need to think as an attacker and get creative.

When hackers decide to steal confidential documents, they try to make sure that they are not detected by the security team so they can come back in the future.

We try and get ahead in the game by simulating those activities and then trying to detect it ourselves.

We have the chance to play two different roles in one job (attack and defense), which allows the cyber security analysts to enhance their skills.

New security toolkits and techniques are released into the market every day. It’s a great job where the term “boring” doesn’t exist!

What’s your cyber security tip for businesses?

A good practice is to understand the threat relative to the business, have the ability to detect a theft or a breach when it happens, and establish an immediate response plan when an incident occurs to minimise the potential loss.

Once an organisation understands this challenge about security, it will be able to invest time and money on an adequate detection and response.

What’s your favourite piece of technology and why?

It’s difficult to answer this question as I’m very addicted to technology! I could say laptop, Raspberry Pi, mobile phone, DSLR, Chromecast, but I’ll simply say: the internet!

I couldn’t live without the internet, just like many others. With this technology, we’re able to do anything from connecting with people, researching references in the biggest library in the world, to booking a restaurant or a holiday.

It also gave me my job and my hobbies!


Henry Sapiecha