
A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still
effective? And what if the same psychological pivots attackers rely on
could be used to improve cyber security? Those attending
this month’s RANT Forum in London are about to find out how to make
that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded
cyber-security expert and a member of the government’s industry advisory
group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will
show how and why they still work. “What I do is look at the psychology
behind these attacks,” he tells the Acumin Blog. “Security is constantly
changing, and it’s difficult at the best of times for CISOs to level the
playing field in a constantly changing threat landscape. It’s a case of
adapt or fail – so I look at why attacks work or don’t work, and at how
that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak
links in an organisation and exploit these to access information: the more
obvious examples include masquerading as executives or colleagues,
relatives or other trusted contacts. But what Coatesworth is more
interested in is the methodologies that underpin these attacks. By unpicking
them and understanding them, he believes infosec professionals can get
ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks
tend to be against personnel with access to sensitive information or with
admin access to systems. Opportunity is key, as well as the time and
effort needed to orchestrate a successful phishing attack. It’s not
one-glove-fits-all, but when you look at the psychology behind how the
attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already,
but probably don’t realise it. “The psychology behind these attacks is all
about marketing and PR,” Coatesworth says. “It’s more in the generalities
than the specifics. They all follow similar proven methods to seduce or
manipulate you to click on that link or download that file. If you
understand these strategies you can use them internally: it’s like a form
of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it
can be done and want to argue about it – then Wednesday’s RANT Forum is
the place to be. It takes place on Wednesday 25th September; email Gemma on gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.


The big snooping debate

After announcing that it is considering introducing a new bill that will give the GCHQ unprecedented powers to monitor people’s emails, texts, social media content, phone calls and web browsing history – in real time – the government has had to defend itself from a barrage of condemnation.

Critics of the proposed legislation, which may be included in the Queen’s speech in May, have dubbed it a “snooping bill”, claiming that it is a clandestine way of monitoring the activities of everyday people.

The government, however, has assured the public that there is nothing sinister about the bill, no echoes of an Orwellian future, there will be no centralised database storing people’s information, and all information will remain “invisible”.

“Let’s be clear, this is not about extending the reach of the state into people’s data, it’s about trying to keep up with modern technology,” explained prime minister David Cameron, attempting to assuage opponents.

“We should remember that this sort of data, used at the moment, through the proper processes, is absolutely vital in stopping serious crime and some of the most serious terrorist incidents that could kill people in our country, so it’s essential we get this right.”

Advocates of the bill have asserted that this is its focus – to protect people and curb crime whether it’s tackling cyber criminals or terrorists. Akin to a software update, the new legislation is designed to respond to the significant changes that have taken place by virtue of the digital revolution, which has, in no short way, radically transformed most aspects of society. As Mr Cameron noted, a warrant will be needed to access the private information.

Others, however, are less sanguine. Nick Pickles, director of the Big Brother Watch campaign, sees it as leading to a reality that is comparable to the kind of surveillance that is prevalent in Iran and China, two countries known for having, for example, limited press freedoms.

“This is an absolute attack on privacy online and it is far from clear this will actually improve public safety, while adding significant costs to internet businesses,” he stated. “If this was such a serious security issue why has the Home Office not ensured these powers were in place before the Olympics?”

Although details of the proposed bill have yet to be finalised, it is believed that one of the most significant aspects will be for internet service providers and mobile phone companies to keep hold of all data travelling through their respective spheres.

At present, such information is accessible by intelligence agencies, the police and other public bodies, without any external organisations signing off. If the law is to go ahead, there is a desire to see an impartial body set up to monitor requests to ensure that freedoms are being protected and not abused.

“Whoever is in government, the grand snooping ambitions of security agencies don’t change,” Isabella Sankey, director of policy at Liberty, was quoted by the government as saying.

“The coalition agreement explicitly promised to ‘end unnecessary data retention’ and restore our civil liberties. At the very least we need less secret briefing and more public consultation if this promise is to be abandoned.”

Metropolitan Police setting standards in the fight against cyber crime

For now, let us reflect on the good times.

The Metropolitan Police revealed at the start of the month that its Central e-Crime Unit saved the UK economy an astonishing £140 million in just the last six months alone.

With cyber crime costing the country a gargantuan £27 billion a year, its efforts – IT security professionals working in information risk management would agree – are to be applauded.

The ACPO National e-Crime Programme (NeCP), which received a hefty funding boost at the start of the year after the government realised that cyber security is increasingly pushing its way to the top of the list of threats to the UK’s safety and intelligence, is looking to be a frightening force.

That funding by the way, which came to a total of £30 million, has been money well spent. The NeCP is building a sophisticated, tech-savvy and committed team that signals a positive step forward in security. They aim to set standards of pre-eminence and then outperform themselves.

The positive thing is that it is focusing on some of the biggest threats to security going, like the distribution of malicious code – aka malware – distributed denial of service (DDoS) attacks and unwarranted computer intrusion.

Detective superintendent Charlie McMurdie, from the Police Central e-Crime Unit said: “The PCeU continues to take action in its continuing efforts to reduce the harm caused to the UK economy and to UK citizens by those making use of the internet to commit crime.”

Security breaches online, for example, are on the rise and will become as prevalent as so-called “regular” crime: many people now organise their professional and personal lives online, it is the conduit through which they interact and network with one another, statically or remotely, and personal details are routinely passed over the internet highway.

That the government has recognised this and invested in it as well is a positive and proactive move, backed up by the machinery that is putting in place the mechanisms needed to combat rising levels of crime against individuals, businesses and the government itself.

If the Metropolitan Police’s recent successes are anything to go by, then cyber criminals lurking behind encryption and clever algorithms – from “state-sponsored” criminals to organised crime gangs down to “spotty teenagers sitting in their bedrooms”, as Detica’s Martin Sutherland so eloquently put it – are facing a new era of clampdowns.

An eye on data, governments increase Google requests for information

The internet is, without a shadow of a doubt, a vital part of most people’s existence, from people working in forensics, to those involved in ethical hacking, to the cyber security professionals who keep on top of threats and the latest security measures against them.

And Google is perhaps the dominant player in this virtual arena, at least from a purely search point of view – the dominant search engine by a long shot. That’s putting it lightly: it is, in any case, a master in other areas too, like statistical analysis (Google Analytics), social media and, relevant to this post, the art of data collection.

The American multinational corporation, which was founded by Larry Page and Sergey Brin, recently released its biannual transparency report, which it does, and I quote, to “ensure that we maximise transparency around the flow of information related to our tools and services”.

The most fascinating thing about this report is that government requests – from the UK to the US to China and all the rest – for Google to pass on data are increasing. With regards to the UK, the tech organisation reported a massive 71 per cent rise in content removal requests from the British government and its police force. The reason given for removing such information is national security: a bid to preserve information security.

A Home Office spokesman explained the government’s action as a response to online extremists or hate content, which it takes “very seriously”.

“Where unlawful content is hosted in the United Kingdom, the police have the power to seek its removal and where hosted overseas, we work closely with our international partners to effect its removal,” the spokesman said.

In response, Google said that it had fully or partially complied with 82 per cent of these requests.

It’s an intriguing insight into the ‘hidden backroom’ conversations going on all the time between Google and various governments, in what is a very sensitive area. We value information security and risk management as much as any other organisation, but we have to be careful that such actions don’t filter into unjustified censorship.

That’s why Google’s transparency report is such a good thing – it lets the world see what’s going on and what governments are doing. Accountability, transparency and, of course, maintaining high levels of information security for sensitive and private data are inherently important, after all.