SE Labs

Posts filed under 'cybersecurity'

Brexit and Cybersecurity

Is the UK headed for a cybersecurity disaster?

istock-big-ben-parliament-standard-5154835

With Brexit looming and cybercrime booming, the UK can’t afford major IT disasters, but history says they’re inevitable.

The recent WannaCry ransomware tsunami was big news in the UK. However, it was incorrectly reported that the government had scrapped a deal with Microsoft to provide extended support for Windows XP that would have protected ageing NHS computers. The truth is far more mundane.

In 2014, the government signed a one-year deal with Microsoft to provide security updates to NHS Windows XP machines. This was supposed to force users to move to the latest version of Windows within 12 months, but with a “complete aversion to central command and control” within the NHS, and no spare cash for such an upgrade, the move was never completed.

This isn’t the first IT Whitehall IT disaster by a very long way.

During the 1990s, for example, it was realised that the IT systems underpinning the UK’s Magistrates’ Courts were inadequate. It was proposed that a new, unified system should replace them. In 1998, the Labour government signed a deal with ICL to develop Project Libra. Costing £146m, this would manage the courts and link to other official systems, such as the DVLA and prisons systems.

Described in 2003 as “One of the worst IT projects ever seen“, Project Libra’s costs nearly tripled to £390m, with ICL’s parent company, Fujitsu, twice threatening to pull out of the project.

This wasn’t Labour’s only IT project failure. In total, it’s reckoned that by the time the government fell in 2010, it had consumed around £26b of taxpayer’s money on failed, late and cancelled IT projects.

The coalition government that followed fared no better. £150m paid to Raytheon in compensation for cancelling the e-Borders project, £100m spent on a failed archiving system at the BBC, £56m spent on a Ministry of Justice system that was cancelled after someone realised there was already a system doing the same thing: these are just a few of the failed IT projects since Labour left office seven years ago.

The Gartner group has analysed why government IT projects fail, and discovered several main factors. Prominent amongst these is that politicians like to stamp their authority on the nation with grandiose schemes. Gartner says such large projects fail because of their scope. It also says failure lies in trying to re-implement complex, existing processes rather than seeking to simplify and improve on them by design. The problem is, with Brexit looming, large, complex systems designed to quickly replace existing systems are exactly what’s required.

ukba_and_police-7387838

A good example is the ageing HM Customs & Excise CHIEF system. Because goods currently enjoy freedom of movement within the EU, there are only around 60 million packages that need checking in through CHIEF each year. The current system is about 25 years old and just about copes. Leaving the EU will mean processing an estimated 390 million packages per year. However, the replacement system is already rated as “Amber/Red” by the government’s own Infrastructure and Projects Authority, meaning it is already at risk of failure before it’s even delivered.

Another key system for the UK is the EU’s Schengen Information System (SIS-II). This provides real time information about individuals of interest, such as those with European Arrest Warrants against them, terrorist suspects, returning foreign fighters, missing persons, drug traffickers, etc.

Access to SIS-II is limited to countries that abide by EU European Court of Justice rulings. Described by ex-Liberal Democrat leader Nick Clegg as a “fantastically useful weapon” against terrorism, after Brexit, access to SIS-II may be withdrawn.

Late last year, a Commons Select Committee published a report identifying the risks to policing if the UK loses access to SIS-II and related EU systems. The report claimed that then-Home Secretary Theresa May had said that such systems were vital to, “stop foreign criminals from coming to Britain, deal with European fighters coming back from Syria, stop British criminals evading justice abroad, prevent foreign criminals evading justice by hiding here, and get foreign criminals out of our prisons.

The UK will either somehow have to re-negotiate access to these systems, or somehow quickly and securely duplicate them and their content on UK soil. To do so, we will have to navigate the EU’s labyrinthine data protection laws and sharing agreements to access relevant data.

If the UK government can find a way to prevent these and other IT projects running into problems during development, there’s still the problem of cybercrime and cyberwarfare. Luckily, there’s a strategy covering this.

In November 2016, the government launched its National Cyber Security Strategy. Tucked in amongst areas covering online business and national defence, section 5.3 covers protecting government systems. This acknowledges that government networks are complex, and contain systems that are badly in need of modernisation. It asserts that in future there will be, “no unmanaged risks from legacy systems and unsupported software”.

The recent NHS WannaCry crisis was probably caused by someone unknowingly detonating an infected email attachment. The Strategy recognises that most attacks have a human element. It says the government will “ensure that everyone who works in government has a sound awareness of cyber risk”. Specifically, the Strategy says that health and care systems pose unique threats to national security due to the sector employing 1.6 million people in 40,000 organisations.

The problem is, the current Prime Minister called a snap General Election in May, potentially throwing the future of the Strategy into doubt. If the Conservatives maintain power, there’s likely to be a cabinet reshuffle, with an attendant shift in priorities and funding.

european-union-flag-std_1-9767927

If Labour gains power, things are even less clear. Its manifesto makes little mention of cyber security, but says it will order a complete strategic defence and security review “including cyber warfare”, which will take time to formulate and agree with stakeholders. It also says Labour will introduce a cyber charter for companies working with the Ministry of Defence.

Regardless of who takes power in the UK this month, time is running out. The pressure to deliver large and complex systems to cover the shortfall left by Brexit will be immense. Such systems need to be delivered on time, within budget and above all they must be secure – both from internal and external threats.

Back from the Dead

email-1932571Forgotten web sites can haunt users with malware.

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for web sites and nothing else.

Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

The friendly, well written message was a refreshing change from the usual approach, which most often demands immediate, unthinking action. The sender, however, could only call me “J” as he didn’t have my forename. There was a protected file attached, but the sender had supplied the password. It was a contract, he said, and he looked forward to hearing back from me.

The headers said the email came from a French telecoms company. Was someone on a spending spree with my money? My PayPal and bank accounts showed no withdrawals.

Curious about the payload, I spun up a suitably isolated Windows 10 victim system, and detonated the attachment. It had the cheek to complain about having no route to the outside world. I tried again, this time with an open internet connection. A randomly-named process quickly opened and closed, while the file reported a corruption. Maybe the victim system had the wrong version of Windows installed, or the wrong vulnerabilities exposed. Maybe my IP address was in the wrong territory. Maybe (and this is more likely) the file spotted the monitoring software watching its every move, and aborted its run with a suitably misleading message.

Disappointed, after deleting the victim system I wondered which site out of hundreds could have been compromised. I’ll probably never know, but it does reveal a deeper worry about life online.

Over the years, we all sign up for plenty of sites about which we subsequently forget, and usually with whichever email address is most convenient. It’s surely only a matter of time before old, forgotten sites get hacked and return to haunt us with something more focused than malicious commodity spam – especially if we’ve been silly enough to provide a full or real name and address. Because of this, it pays to set up dedicated accounts for registrations, or use temporary addresses from places such as Guerrilla Mail.

Inside the CIA…

cia-ioc-9786148

Who is behind the CIA’s hacking tools? Surprisingly ordinary geeks, it seems.

At the start of March came the first part of yet another Wikileaks document dump, this time detailing the CIA’s hacking capabilities. The world suddenly feared spooks watching them through their TVs and smartphones. It all made for great headlines.

The Agency has developed scores of interesting projects, not to mention a stash of hitherto unknown zero day vulnerabilities. The dump also gives notes on how to create well-behaved, professional malware that stands the least chance of detection, analysis and attribution to Langley. We’ve also learned some useful techniques for defeating antivirus software, which the Agency calls Personal Security Products (PSPs).

There’s also a deeper tale to tell. It’s about the personalities behind the redacted names working on these tools and techniques. They don’t seem so different from anyone else working in infosec.

User #524297 says he is a “Coffee addict, Connoisseur of International Barbecues, and Varied Malt Beverage Enthusiast.” Thanks to his comments, we know an ex-boss (nicknamed “Panty-Raider”) was considered “really odd”. Another had a large, carved wooden desk that went with him from job to job.

User #524297 also maintains a page dedicated to some interesting ideas. One is to use the OpenDNS DNSCrypt service to hide DNS requests emanating from a compromised host.

Another fun-loving User is #71473. He has a page called “List of ideas for fun and interesting ways to kill/crash a process“, which enumerates a dozen homebrew techniques and variations. Most are still at the concept stage, but under the list of uses to which they may be put, he includes “Knockover (sic) PSPs” and “Troll people”.

He also describes several proof-of-concept tools for his process crashing techniques. One is called DisorderlyShutdown, which waits a programmable amount of time (plus a random offset to make things seem natural) to select a random process to crash in the hope of leading to “data loss and gnashing of teeth”. Another is WarheadsToForeheads, which attempts to crash processes. About this tool, he says: “Considering making this an infinite enumeration to squash all user processes and make the user experience especially horrific.”

Revealingly, User #71473 also likes to hack the home pages of other Users: ” Its 11:30… time to deface people’s unprotected user pages…”

User #11628962 was deeply impressed by Subramaniam and Hunt’s “Practices of an Agile Developer”, and went to great lengths to enumerate the principles behind the work for others in his group. 

Meanwhile, we learn that User # 71475 loves to listen to music online and lists several streaming services and YouTube channels. He’s also an avid collector of ASCII-based emoticons. Everyone needs a hobby, right? ¯_(ツ)_/¯

Amusingly, User #20873595 is keen for people understand that his last name does not begin with C, implying that it is in fact Hunt. There was also some debate about what User #72907’s office nickname should be. “Monster Lite” was the apparent front runner.

hearthstone_screenshot-1364834

We also learned from the dump that some of the Users are heavily into the online card game Hearthstone, which unfriendly foreign state actors are likely now feverishly trying to hack.

The public at large has moved on, and the first of the vulnerabilities highlighted in the dump has been patched, but the industrious CIA hackers who originally found them are still beavering away, creating new tools to replace the old ones, finding new zero-days, thinking up new nicknames, trolling each other, and of course playing Hearthstone.

Can You Hear Me?

index-7618371

Are cyber-scammers creating their own fake news stories to exploit? Jon Thompson investigates.

The UK media recently exploded with news of a new phone-based scam. Apparently, all that’s needed for fraudsters to drain your bank account is a recording of you saying “yes”. It runs as follows:

  1. Someone calls and asks if you can hear them
  2. They record you saying “Yes”
  3. They take your ID and money

What doesn’t ring true is the lack of detail between steps 2 and 3. How, exactly, do attackers use this snippet of audio without the rest of your identity? Myth busting site Snopes has the answer: they don’t. A good half hour of searching also failed to turn up a single verified victim of the scam despite a huge number of almost identical news reports warning people about it.

Whether it’s a hoax or not, it’s certainly easy to see how cyber-scammers can take advantage of the generated fear. Your “bank” calls, says you’ve been the victim of this very scam, and asks you to visit a special web site to enter your details and get your money back. Previous cybersecurity incidents certainly provide good evidence that such secondary scams may soon plague a phone near you.

Remember the TalkTalk hack of October 2015 and the scandalised headlines that followed? Four million customers were suddenly at risk, according to some ill-informed reports. The supposed Russian jihadist gang behind the attack was ransoming the purloined data. The Daily Express even reported that they were already raiding the accounts to fund their evil deeds.

The truth was far more mundane. A 17-year-old boy from Norwich had discovered an SQL injection using a vulnerability scanner, and syphoned off about 157,000 account records. However, with this data potentially in the wild, any attempted fraud experienced by TalkTalk customers was suddenly blamed on the hack.

In fact, telephone-based cyber-fraud is a numbers game. The more calls you make, the more likely it is that you’ll hit the right set of circumstances. It’s a brute force attack, and that’s exactly what the scammers started to do. Nearly 18 months later, they’re still finding ways to use the hack as a pretext to call unsuspecting customers.

talktalk_logo_0-9139318

At the time, some customers even reported that their broadband was being deliberately slowed by criminals, who then called them offering to fix the problem in exchange for visiting a phishing site and entering account details to get a special refund. Again, this is a numbers game: for every set of circumstances that make the scam work, there might be thousands of calls to people with the wrong broadband provider or who have no bandwidth problems. It’s never the precision spear phishing attack it’s reported to be by the bemused victims.

So, high profile hacks can subsequently spawn profitable campaigns for fraudulent callers keen to cash in on the chaos and fear. The problem is, juicy high profile hacks come along at random. What’s needed is something more dependable.

This brings us back to the supposed “Can you hear me?” scam. Several reports in the past few days on Who Called and other very active nuisance call sites have mentioned the scam in passing as something else to look out for, but none say that this was the focus of the call being reported. The story has begun to take on a life of its own, but without any direct evidence that the scam actually exists.

Could it be that scammers themselves have concocted and spread a fake news story, which they intend to subsequently exploit with a campaign? It’s not that great a leap of imagination, given the innovations developing in other areas of bulk cybercrime, such as ransomware. Only time will tell, but the next few months should be fascinating for both threat watchers and cyber-criminals alike.

17 Things Spammers Get Wrong


No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why.

ransomware-8145580The headlines say phishing scams are at an all-time high, and ransomware is growing exponentially, but conspicuous by their absence are examples of the emails behind successful attacks. It’s becoming the cliché in the room, but there may be a reason: embarrassment.

Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well though-out campaign, it shines like a jewel in a sea of criminal mediocrity.

To the average spammer, however, it’s all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.

This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we’re massively overestimating the amount of effort and intelligence invested by spammers.

With that in mind, what follows is a short list of 17 mistakes I routinely see, all of which immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then the size yet lack of sophistication of the problem should become apparent.

1.    No Subject Header

This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it’ll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.

2.    No Set Dressing

tesco-6478043

Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.

3.    Generic Companies

generic-1081819

Generic companies are rare but I do occasionally see them. Who is “the other financial institution” and why has it refused my transaction? Vague, instantiated company names like this, with an accompanying attachment, are clear indicators of spam.

4.    Multiple Recipients

This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.

5.    Poor Salutation

Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (i.e.: “Dear fred.smith”). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.

6.    No Body Text

Sending an email with a tantalizing subject header such as “Overdue – Please Respond!” but no body text explaining what or why it’s overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.

7.    Auto-translated Body Text

paypal2-9354648

Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.

8.    The Third Person

This is a great example of a spam writer trying to distance himself from his crime. “PayPal has detected an anomaly in your account” and “they require you to log in to verify your account” just look weird in the context of a security challenge. This is supposed to be from PayPal, isn’t it?

9.    Finger Trouble

apple2bicloud2b2-6952704

I’m fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they’re blind drunk. Random punctuation marks and extra characters that look like they’ve been hit at the same time as the correct ones don’t make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.

10.    Unexpected Plurals and Tenses

Using “informations” instead of “information” is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as “we detect a problem” instead of “we detected a problem” also stick out a mile.

11.    Missing Definite Article

Many spam emails stand out as somehow “wrong” because they miss out the definite article. One recent example I saw read: “Access is blocked because we detect credit card linked to your PayPal account has expired.” An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.

12.    The Wrong Word

“Please review the document and revert back to us immediately”. Revert? Really? Surely, you mean “get back”, not “revert back”. It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.

13.    Misplaced Emphasis

paypal-1531640

Unusually capitalised phrases such as “You must update Your details to prevent Your Account from being Suspended” look weird. Initial capitalisation isn’t used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.

14.    Tautological Terrors

cps-7972121

“It is extremely mandatory that you respond immediately”. Not just mandatory but extremely mandatory? Wow, I’d better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.

15.    Grandiosity

splayer-6973270

Using grand words where normal ones should appear to make a message sound more authoritative are a dead giveaway.  Here’s an example from last September when a gang famously tried to distribute malware on the back of a new media player release: “To solemnise the release of our new software”. Solemnise means to mark with a formal ceremony.

What they really meant was: “To mark the release of our new software”.  The whole message was also riddled with the most outrageous auto-translate errors that it made difficult reading.

16.    Overly-grand Titles

Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn’t he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash.

17.    Obfuscated URLs

If the collar doesn’t match the cuffs, it’s a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.

Predictions for 2017

golden-2017-new-year-text-with-glowing-glitter-effect-and-fireworksStill dazed from the year that was, Jon Thompson dons his Nostradamus hat, dusts off his crystal ball
and stares horrified into 2017.

Prediction is difficult. Who would have thought a year ago that ransomware would now come with customer care, or that Russia would be openly accused of hacking a bombastic businessman into the Whitehouse. Who even dreamed Yahoo would admit to a billion-account compromise?

So, with that in mind, it’s time to gaze into the abyss and despair…

Let’s get the obvious stuff out of the way first. Mega credential breaches won’t go away. With so many acres of forgotten code handling access to back end databases, it’s inevitable that the record currently held by Yahoo for the largest account breach will be beaten.

Similarly, ransomware is only just beginning. Already a billion-dollar industry, it’s cheap to buy into and easy to profit from. New techniques are already emerging as gangs become more sophisticated. First came the audacious concept of customer service desks to help victims through the process of forking over the ransom. By the end of 2016, the Popcorn Time ransomware gang was offering decryption for your data if you infect two of your friends who subsequently pay up. With this depth of innovation already in place, 2017 will hold even greater horrors for those who naively click attachments.

Targeted social engineering and phishing attacks will also continue to thrive, with innovative

campaigns succeeding in relieving companies of their revenues. Though most untargeted bulk phishing attempts will continue to show a low return, phishers will inevitably get wise and start to make their attacks more believable. At SE Labs, we’ve already seen evidence of this.

It’s also obvious that the Internet of Things will continue to be outrageously insecure, leading to DDoS attacks that will make the 1.1Tbps attack on hosting company OVH look trivial. The IoT will also make ransomware delivery even more efficient, as increasing armies of compromised devices pump out the pink stuff. By the end of 2017, I predict hacking groups (government-backed or otherwise) will have amassed enough IoT firepower to knock small nations offline. November’s test of a Mirai botnet against Liberia was a prelude to the carnage to come.

Bitcoin  btc-mono-ring-orange-6370546recently passed the $1,000 mark for the first time in three years, which means criminals will want even more than ever to steal the anonymous cryptocurrency. However, a flash crash in value is also likely as investors take profits and the market panics in response to a sudden fall. It’s happened before, most noticeably at the end of 2013. There’s also the distinct possibility that the growth in value is due to ransomware, in which case the underlying rally will continue regardless of profit takers.

The state-sponsored use of third party hacking groups brings with it plausible deniability, but proof cannot stay hidden forever. One infiltration, one defection, one prick of conscience, and someone will spill the beans regardless of the personal cost. It’s highly likely that 2017 will include major revelations of widespread state-sponsored hacking.

This leads me neatly on to Donald Trump and his mercurial grasp of “the cyber”. We’ve already delved into what he may do as president, and much of what we know comes straight from the man himself. For example, we already know he skips his daily security briefings because they are “repetitive”, and prefers to ask people around him what’s going on because “You know, I’m, like, a smart person.

Trump’s insistence on cracking down on foreign workers will have a direct impact on the ability of the US to defend itself in cyberspace. The shift from filling jobs with overseas expertise to training homegrown talent has no discernible transition plan. This will leave a growing skills gap for several years as new college graduates find their way to the workplace. This shortfall will be exploited by foreign threat actors.

Then there’s Trump’s pompous and wildly indiscreet Twitter feed. Does the world really need to know when secret security briefings are postponed, or what he thinks of the intelligence presented in those meetings? In espionage circles, everything is information, and Trump needs to understand that. I predict that his continued use of social media will lead to internal conflict and resignations this year, as those charged with national cybersecurity finally run out of patience.

donald-trump-spars-with-univision-journalist-jorge-ramos-6442066

It’s not all doom and gloom, however. The steady development of intelligent anti-spam and anti-malware technologies will see a trickledown from advanced corporate products into the hotly contested consumer market. The first AV vendor to produce an overtly next gen consumer product will change the game – especially if a free version is made available.

There’s also a huge hole in “fake news” just begging to be filled. I predict that 2017 will see the establishment of an infosec satire site. Just as The Onion has unwittingly duped lazy journalists in the past, there’s scope for the same level of hilarity in the cybersecurity community.

However, by far the biggest threat to life online in 2017 will continue to be the end user. Without serious primetime TV and radio campaigns explicitly showing exactly what to look for, users will continue to casually infect themselves and the companies they work for with ransomware, and to give up their credentials to phishing sites. When challenged, I also predict that governments will insist the problem is being addressed.

So, all in all, it’s business as usual.

Happy 2017!

How To Really Stop Phishing

If phishing sites want data, they’ll get it!
phishing-3415461
Running a honeypot, you soon realise there are four types of spam. The first is basically just adverts. Next comes social engineering spam, which is mostly advanced fee fraud. There’s a ton of cash or a pretty girl waiting if you send a small processing fee. By far the largest category is ransomware, but this is closely followed by that perennial favourite, phishing spam.

Phishing works. Its “product” nets huge profits in two ways. First, by direct use of the stolen data. Second, from sales of that data to other criminals. This got me thinking about how to fight back.

Phishing sites tend to be static replicas of the real thing, with a set of input boxes and a submit button. That is their major weakness. Another is that, though the inputs might be scrubbed to remove the possibility of a sneaky SQL injection, the information being entered might not be checked. Who’s to say that the date of birth, password, bank details etc. that you enter are real? What if you were to enter a thousand different sets of bogus information? How about a million, or even ten million?

paypal-6108084
What I propose is that when a phishing site is discovered, it would be fun to deploy a script to flood it with random data of the appropriate format for each input field. Finding real data in the collected noise would become nearly impossible, and so would help protect the innocent. If such poor-quality data is sold on to third parties, then Mr Big will soon want his money back and probably a lot more besides.

Diluting phished data to homeopathic strengths is one thing, but the general idea could be applied in other ways. One of the main tasks in running a spam honeypot is “seeding”. This involves generating email addresses to accidentally-on-purpose leave in plain sight for later harvesting by spammers. If someone were to set up a honeypot with a huge number of domains pointing to it, and with a huge number of active login accounts, those accounts can be leaked or even sold (with all profits going to charity, naturally!) as being demonstrably live and real. If the buyer tests any of them, they’ll work. Set up the honeypot in enough interesting detail, and Mr Big won’t be able to tell he’s been duped for quite some time.

Phishing is popular because it’s easy, relatively safe for the perpetrator, and highly profitable. Frustrating the efforts of criminals, casting doubt on the phished data being sold, and hopefully causing wars between cybergangs is certainly one potentially very entertaining way of fighting back.

Of course, flooding phishing sites with bogus data may already be quietly happening. I certainly hope so…

What is Machine Learning?

machine_learning-1991327… and how do we know it works?

What’s the difference between artificial intelligence and machine learning? Put simply, artificial intelligence is the area of study dedicated to making machines solve problems that humans find easy but digital computers find hard, such as driving cars, playing chess or recognising sarcasm. Machine learning is a subset of AI dedicated to developing techniques for making machines learn to solve these and other “human” problems without the insanely complex task of explicitly programming them.

A machine is said to learn if, with increasing experience, it gets better at solving a problem. Let’s take identifying malware as an example. This is known as a classification problem. Let’s also call into existence a theoretical machine learning program called Mavis. Consistent malware classification is difficult for Mavis because it is deliberately evasive and subtle.

silicon2bbrain-1881268For it to successfully classify malware, we need to show Mavis a huge number of files that are known to be malicious. Once Mavis has digested several million examples, it should be an expert in what makes a file “smell” like malware.

The spectrum of ways in which Mavis might be programmed to learn this task is very wide indeed, and filled with head-spinning concepts and algorithms. Suitable approaches all have advantages and disadvantages. All that counts, however, it’s whether Mavis can spot and stop previously unknown malware even when the “smell” is very faint or deliberately disguised to confuse it into an unfortunate misclassification.

A major problem for developers lies in proving that their implementation of Mavis intelligently detects unknown malware. How much training is enough? What happens when their Mavis encounters a completely new threat that smells clean? Do we need a second, signature-based system until we’re 100% certain it’s getting it right every time? Some vendors prefer a layered approach, while others go all in with their version of Mavis.

Every next generation security product vendor using machine learning says their approach is the best, which is entirely understandable. Like traditional AV products, however, the proof is in the testing. To gain trust in their AI-based products, vendors need to hand them over to independent labs for a thorough, painstaking work out. It’s the best way for the public, private enterprises, and governments to be sure that Mavis in her many guises will protect them without faltering.

Recovering From Password Fatigue

How do we solve the need for lots of strong passwords?

xkcd2bpassword_strength-2697560Mention password strength online and someone will usually reference the famous XKCD password cartoon. If you haven’t seen it, the idea is that the entropy of the password must be as high as possible, and that this can be adequately achieved by stapling together easily-remembered conjunctions of words
rather than difficult-to-remember strings of meaningless symbols. Some commentators have since pointed out flaws in the logic behind that cartoon.

Entropy is a head-twisting concept. Put simply, it is a measure of the chaos, disorder or unpredictability something contains. In information theory, entropy can be calculated and boils down to how many unknowns there are in a piece of data.

Consider a game of hangman. At the beginning of the game, none of the letters are known. Because there are many different possibilities, we can say that the unknown word contains high entropy. As you reveal each letter, the entropy quickly drops because of the way the English language works. Q is usually followed by U, for example, and not P or S or J. After revealing surprisingly few letters, we can usually infer the full word and win the game.

Passwords need high entropy. There should be no relationship between letters, so that if one character becomes known, it does not compromise the rest. If someone shoulder surfs you and spots you typing something like “M4nch3st” and they know you’re a Manchester City or United fan from glancing at your coffee mug, then your carefully placed capital and number substitutions are all for naught.

Many people still think that strong passwords are required to protect from brute force attacks, but this is largely false. When cybercriminals want passwords, they either take them by the million using attacks such as SQL injections, or have people hand them over in phishing attacks. Because of this, we need lots of passwords to compartmentalise our lives into discrete blocks. Compromise one account and the others stay secure. Re-use them across accounts, and one key fits many locks.

There are lots of strategies for generating and remembering high entropy passwords. One successful technique is as follows:

1: Take a long line from a favourite book, play, song, nursery rhyme, whatever.

2: Take the initial letters from the words in the line and put them together.

3: Change vowels into numbers and other symbols, capitalise others.

Et voila! A long, high entropy password you cannot forget. Here’s an example based on an episode of a sitcom that came to mind just now quite by chance:

In the Fawlty Towers episode The Germans, the Major says something like: “I must have been keen on her; I took her to see India!”

The 13 initials in this phrase are: imhbkohithtsi

Changing some letters to symbols and capitalising others gives: !mHbK0H1ThTsI

password2bstrength-2964104The online password strength meters I tried claim this password is strong or even very strong. Someone would have to know you were keen on that episode of that sitcom, guess the exact line from it, and guess exactly how you’d mangled the initials to stand a chance of recovering the generated password.

Now do that for the dozens of sites you need to log into, even those sites you intend to use very little but for which you must still set up an account. Ideally, each password must be different and unrelated. It’s just not practical, is it? In fact, that sinking feeling you’re probably experiencing has a name: password fatigue.

We could just store all our passwords in our browsers and create a master password to protect them. But what if we want to log in from another laptop, tablet or phone? This problem has led to the rise of the password manager.

A good password manger needs to securely store all your passwords, and to sync across all your devices. It should automatically capture the passwords you enter as it goes, and should contain some nice-to-have features. For example, the option to generate random, very high entropy passwords would be good. Intelligent form filling would also be useful.

There are other potential advantages to password managers. Because they recognise the sites you visit, if you get taken in by a phishing email and click on a link to enter your password, the manager will not recognise it, and should fail to cough up the creds. If you’ve allowed the manager to generate random passwords that you never see, there’s no danger of you overriding it either.

I’m not going to recommend a single password manager, but you should check them out sooner rather than later. Instead I will point you to a comparison chart for you to make your own decision.

There are pros and cons to using password managers, however. Some people, like our own Simon Edwards, have argued that caution is needed. Last year, for example, cloud-based password manager LastPass was hacked and user data spilled (including security questions and encrypted passwords). Malware has also targeted local password managers such as KeepPass that do not use a cloud service.

Because of these weaknesses and attacks, passwords and password managers may not be enough. A good password manager also needs to feature 2-factor authentication. Biometric authentication would be even better as this is substantially harder to subvert.

Trump’s Cybersecurity Policy

trump-3170923What does a Trump presidency mean for global cybersecurity?

Washington is nervous. No one knows if President Trump understands cybersecurity, or whether he’ll listen to those who do.

Some pundits are already suggesting that his first 100 days in office will include a cyber emergency.

How he responds is crucial, but his comments so far have instilled little confidence.

“Cyber is becoming so big today, it’s becoming something that a number of years ago, a short number of years ago wasn’t even a word.”

“We have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”

To be fair, Trump’s campaign site does say that he’ll order a review of “all U.S. cyber defences and vulnerabilities” by a specially assembled Cyber Review Team formed from “the military, law enforcement and the private sector”.

But Washington needs to know if he will implement or even believe the Cyber Review Team’s recommendations. After all, this is the man who, when experts discovered Russian-backed groups attacking the Democratic National Committee, said:

“I don’t think anybody knows it was Russia that broke into the DNC. She’s saying Russia, Russia, Russia, but I don’t — maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?”

According to The Washington Post, a sense of dread is descending on the US intelligence community. Former CIA director Michael Hayden summed up the mood:

“I cannot remember another president-elect who has been so dismissive of intelligence received during a campaign or so suspicious of the quality and honesty of the intelligence he was about to receive.”

Trump’s policy also places an onus on deterring attacks by state and non-state actors, and he has a has a particular thing about China’s hackers. He seems openly irritated by the country’s refusal to observe intellectual property law. His plan here is to:

“Enforce stronger protections against Chinese hackers … and our responses to Chinese theft will be swift, robust, and unequivocal.”

By this logic, it’s apparently difficult to attribute an attack when it’s Russia, but not when it’s China. This kind of thinking will need to change or it could damage superpower relationships at a uniquely dangerous point in world history.

Part of the danger is that a sufficiently irked President could order a pre-emptive cyber-strike against China to show everyone who’s boss. How will he pick the right target if he doesn’t listen to his advisors? China’s a very big place, and what looks like state-sponsored hacking to some might in fact turn out to be private enterprise. Such actions could be taken as an act of war, and even a limited cyberwar could leave swathes of the internet useless until rebuilt.

Trump also famously likes to abandon the script and simply ad lib during speeches, but national security depends on secrecy. Will he blurt out something in a speech that gives an enemy state a clue about America’s capabilities or, even worse, her vulnerabilities?

gchq-9563617Trump’s view that “torture works” could also irreparably damage the relationship between GCHQ and the NSA. Torture is a no-no for the UK. The Cheltenham Doughnut is expressly forbidden from sharing intelligence with countries that openly engage in torture.

A change in policy by the US would further compromise the flow of intelligence already put at risk by Brexit. The Open Rights Group also believes that Trump will exert a great deal of influence over the UK’s intelligence community.

Retaining skilled infosec talent from abroad is also about to become more of a problem for US companies, because Trump plans a crackdown on H-1B work visas. Taking up the slack means boosting cybersecurity degree courses, but any increase in trained manpower will take time to trickle through. In the meantime, who will fill the skills gap?

Ultimately, Trump is going to have to stop threatening and promising things he can’t deliver, and start listening to his advisors. To do so, he must leave his preconceptions at the door to the Oval Office and think calmly and clearly before acting. Whether that will happen is anyone’s guess, but it’s not hyperbole to suggest that a huge amount depends on it.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press