STE WILLIAMS

Car parking apps vulnerable to man-in-the-middle attacks

The next time you need to pay for parking, it might be best to have a handful of coins ready for the meter.

That’s the advice from researchers at NCC Group, who recently dissected 6 mobile apps being used as alternatives to paying with coins or cards at parking meters.

Their findings: nearly all were affected by security vulnerabilities, “some more serious than others.”

One serious vulnerability has to do with badly implemented encryption.

While the app makers all recognized the need for some form of encryption – after all, these apps send sensitive data such as credit card details and passwords to the server – they’re not necessarily doing it right.

NCC Group says that most of the apps used Transport Layer Security (TLS). The problem: none of the apps verified the certificate used by the server.

That leaves the apps – and users’ digital devices – susceptible to man-in-the-middle attacks by attackers who use intercepting proxy tools.

The researchers managed to leverage that vulnerability to launch a “far more serious” attack against one of the apps – one that ultimately resulted in unauthorized access to a phone.

Another serious problem was found in the app from a vendor that chose to forgo TLS and instead rolled its own encryption.

Bad idea, NCC Group said, unless you have serious chops when it comes to developing cryptographic algorithms and implementing them in software.

The do-it-yourselfer’s scheme to “encrypt” credit card data and passwords used keys that were stored in the application code. Those keys were “easily retrieved” by decompiling the app, the researchers said.

The decryption routine was also retrievable from the app, which would allow an attacker to recover credit card details from network traffic they may have intercepted during the registration process.

Another vendor chose to confirm the username and password selected by users via email.

NCC Group said that in most cases, the “typical lack of encryption for SMTP email” means that an attacker on the same network as the user could intercept and recover these details.

Beyond encryption gotchas, some of the apps had more subtle security vulnerabilities.

One example was an auto-login feature offered by many of the apps. That feature allowed a password or PIN to be stored locally on the device.

That’s not a good idea, the researchers said, given the potential for unsafe storage.

Sure enough, that’s what they found on one vendor’s app: it stored the password for the system (unencrypted) in the application’s private data directory on the phone.

The subtle problems continue on up to the man-in-the-middle attack, wherein an attacker could inject a malicious payload into a web page requested from the server or could actually take control of a device – all in spite of the use of SSL/TLS, given the lack of security controls such as Certificate Pinning.
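The two missing controls the article names, certificate verification and certificate pinning, as an added Python illustration (this is not NCC Group's code, nor any of the parking apps, which are Android; Python is used so the checks run as written): a client context with verification switched off, as the apps effectively had, the verified baseline beside it, an audit helper that names what is missing, and a leaf-certificate pin check layered on top of normal verification. EXAMPLE_PINS is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import socket
import ssl
from typing import Iterable, List

# Constructed placeholder pin; a real deployment stores the base64 SHA-256
# of the certificate the server is actually expected to present.
EXAMPLE_PINS = {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}


def make_unverified_context() -> ssl.SSLContext:
    """The weakness the article describes: the client accepts any certificate,
    so an intercepting proxy presenting its own cert is trusted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verified_context() -> ssl.SSLContext:
    """Baseline the apps should have had: chain validation against the platform
    trust store, hostname matching, and TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_weaknesses(ctx: ssl.SSLContext) -> List[str]:
    """Audit helper: names the controls missing from a client context."""
    issues = []
    if ctx.verify_mode == ssl.CERT_NONE:
        issues.append("server certificate not verified")
    if not ctx.check_hostname:
        issues.append("hostname not checked against certificate")
    return issues


def cert_pin(der_cert: bytes) -> str:
    """Pin value for a DER-encoded certificate: base64(SHA-256(cert))."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Constant-time comparison of the presented certificate against the pin set."""
    actual = cert_pin(der_cert)
    return any(hmac.compare_digest(actual, expected) for expected in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Verified TLS connection that additionally requires the server's leaf
    certificate to match a pin, so a certificate that chains to a trusted CA
    but is not the expected one is still rejected. Leaf pins must be rotated
    whenever the server certificate is renewed."""
    ctx = make_verified_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if leaf is None or not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "server certificate does not match any pinned value")
    return tls
```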

NCC Group focuses its research on Android apps, so it only looked at Android parking apps. The half-dozen apps it looked at are those that its consultants have used themselves.

As far as the vendors go, the company didn’t name names, in keeping with its policy on responsible disclosure.

It’s reached out to those vendors whose apps are suffering serious vulnerabilities and offered full details on what it’s found.

The apps represent a pretty good cross-section of parking apps available, NCC Group says, from those with a smaller install base of 5000 to 10,000, up to larger apps with between 500,000 and 1 million registered users.

NCC Group said it’s important to note that many of the attacks it’s described would depend on where the apps are used, particularly in terms of what network a phone’s connected to:

Man-in-the-Middle attacks occur when the attacker has some control over the network to which the vulnerable device is connected, the most common example being unsecured public Wi-Fi. Since most of the time parking applications will be used when connected to mobile data connections, the likelihood of these attacks may be reduced (although it is possible for an attacker to create a fake GSM base station).

But it’s not hard to see how that notoriously risky beast – public Wi-Fi – could insert itself into scenarios where people use parking apps, NCC Group said, such as when extending a parking stay from a restaurant or coffee shop.

In its post, the group gave a list of recommendations for the app developers to try to remediate these problems.

We’ve written before about mobile apps that don’t take security as seriously as their desktop counterparts – let’s hope that research and disclosures like NCC’s will help to give mobile app developers a change of heart.

Image of car park courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3CXaA3uWS6M/

Tor Project’s new director faces big challenges in reaching broader public

After a many-months-long search for a new executive director, the Tor Project announced last week that it has hired Shari Steele, former head of the Electronic Freedom Foundation (EFF), to lead the organization.

Steele spent 15 years at EFF, including the last eight as its executive director, helping to grow the organization into one of the world’s foremost privacy advocates.

In her new role, Steele will be the main voice and face of the Tor Project, tasked with raising its profile, securing new sources of funding, and expanding the use of its anonymity software and tools to the broader public.

The Tor Project, founded by Roger Dingledine and Nick Mathewson in 2006, develops and maintains free software and tools that support anonymous communications on the Dark Web.

The Tor network uses layers of encryption to shield your location and the location of any hidden services you use.

Although it was originally developed by the US Navy, and is largely funded by the US government, the Tor network has come under attack by law enforcement and intelligence agencies including the FBI and the NSA.

One of Steele’s biggest challenges is changing the perception of Tor, which has become something of a safe haven for criminals, terrorists and child abusers.

Although it’s inevitable that Tor will be used to conceal illegal activities, it’s also a useful tool for protecting people who need anonymity to do dangerous but beneficial work, like whistleblowers, journalists and human rights activists.

In a post on the Tor Project blog, Steele said that her mission is to grow the organization by fostering “greater adoption of Tor products by mainstream internet users.”

Despite the rapid growth of people using Tor in the wake of revelations of NSA surveillance by leaker Edward Snowden, it is far from “mainstream.”

In our trustworthy browser poll back in October 2015, only 6% said Tor was the browser they trust the most, which suggests that the Tor Project has a steep hill to climb to get to mainstream acceptance and adoption.

Still, if anyone is up to the challenge, Steele seems like an excellent choice.

As Dingledine noted in his blog post announcing the hire, Steele has been a long-time supporter of Tor, having led EFF’s choice to fund Tor.

Steele also has the experience of growing an organization with a similar focus to Tor’s, and successfully launched EFF’s privacy tool HTTPS Everywhere, developed in collaboration with the Tor Project.

Dingledine said the move will allow him and co-founder Mathewson to get back to their old roles of “actually doing technical work,” while Steele takes over the organizational side of things:

Tor’s technical side is world-class, and I am excited that Shari will help Tor’s organizational side become great too. She shares our core values, she brings leadership in managing and coordinating people, she has huge experience in growing a key non-profit in our space, and her work pioneering EFF’s community-based funding model will be especially valuable as we continue our campaign to diversify our funding sources.

The Tor Project faces technical challenges too, in fending off attacks and closing vulnerabilities, such as one discovered by researchers at Carnegie Mellon University that was reportedly used by the FBI to bust a number of Dark Web markets including Silk Road 2.0.

If the Tor Project is going to grow and thrive, it will certainly need to secure more funding, build a more sustainable infrastructure and generate better public awareness – those are not going to be easy tasks.

But maintaining its own security is perhaps the most essential task of all.

Image of infinite computer screens inside computer screens courtesy of Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/P0Rb_YQ-hyE/

Advent tip #15: Set your Facebook so you can’t be searched for by phone number or email

By default, anyone can look you up on Facebook via your email address or phone number. You can change your privacy settings to limit who’s able to search for you. Here’s how:

  1. Click the little “down” arrow at the top right of any Facebook page and choose Settings.
  2. Select Privacy on the left. Under the Who can look me up? section, you’ll see a setting for your email and a setting for your phone number.
  3. Use the dropdown menu next to each setting to select who can look you up using that info: the options are Friends, Friends of friends or Everyone.

Note: you can remove your mobile phone number altogether, but if you do, Facebook can’t send you login approvals, which ensure that you don’t get locked out when using an unrecognized computer or mobile device to log in.

While you’re sorting out your Facebook settings, make sure you lock down your profile so only your friends can see your posts. That was actually our third advent tip: Set your Facebook posts to ‘Friends only’.

You can also keep up to date on all the latest Facebook-related news by liking our page.

Images of Christmas tree and Advent calendar courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SAGqLOOKz8c/

MacKeeper fails to keep 13 million Mac users safe

Even if you don’t have a Mac, you’ve probably heard of MacKeeper.

If you do have a Mac, you’ve probably seen the company’s promotional material, whether as clickable ads in third-party websites, or as popup warnings, or as pop-under dialogs. (Pop-unders are those annoying windows that are left behind when you close or move your main browser window.)

With slogans such as “Clean your Mac”, “100% performance boost” and “Increase security level”, the company’s aggressive advertising pitches its utilities as a personal technical assistant that helps with anti-virus protection, data encryption, junk file cleanup and performance optimisation.

Unfortunately, the company is in the news for all the wrong reasons at the moment, following a Reddit posting entitled Massive Data Breach by a security researcher calling himself FoundTheStuff.

Forbes identified the researcher as Chris Vickery, and says that he was able to access a MacKeeper company database of more than 13,000,000 customer records, apparently including names, email addresses, usernames, password hashes, phone numbers, IP addresses, system information and more.

What’s worse is that it sounds as though the stored password items were just the straight MD5 hashes of each raw password, without any salting or stretching.

Salts are random characters added to each password before it’s hashed, so that even if two users pick the same password, they end up with a different hash, so they stand or fall alone.

Stretching is applying the hashing function repeatedly in a loop, to make each password guess take longer, thus slowing down password guessing attacks.

Storing passwords as straight MD5 hashes is better than using plaintext, but not a whole lot better.

Modern password cracking machines can compute hundreds of billions of MD5 hashes per second, each of which can be directly compared with an unsalted password database to see if anyone picked that password.
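The salting and stretching the article describes, as an added Python illustration (not MacKeeper's code or anything from the breach): straight unsalted MD5, the way the article says the records appear to have been stored, beside PBKDF2-HMAC-SHA256 with a random per-user salt and a configurable iteration count, plus a constant-time verifier. The user names and passwords are constructed samples.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: two users who happened to choose the same password.
SAMPLE_PASSWORDS = {"alice": "Winter2015!", "bob": "Winter2015!", "carol": "correct horse"}


def md5_unsalted(password: str) -> str:
    """Straight MD5 of the raw password, the scheme the article says the leaked
    records appear to use. Same password in, same hash out, for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def users_matching_guess(records: Dict[str, str], guess: str) -> List[str]:
    """The article's point about unsalted tables: one hash computation of a
    guess can be compared against every record in the database at once."""
    h = md5_unsalted(guess)
    return sorted(user for user, stored in records.items() if stored == h)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted and stretched alternative: PBKDF2-HMAC-SHA256 with a random
    16-byte salt. The record carries its own parameters so the iteration
    count can be raised later without a flag day."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the record from its stored parameters and compares in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reveals_password_reuse(records: Dict[str, str]) -> bool:
    """True when two users share a stored value; with a per-user salt this
    does not happen even when they chose the same password."""
    return len(set(records.values())) < len(records)


if __name__ == "__main__":
    weak = {u: md5_unsalted(p) for u, p in SAMPLE_PASSWORDS.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("unsalted MD5 exposes reuse:", reveals_password_reuse(weak))
    print("salted PBKDF2 exposes reuse:", reveals_password_reuse(strong))
    print("one guess against the whole MD5 table:", users_matching_guess(weak, "Winter2015!"))
```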

MacKeeper itself hasn’t yet confirmed or denied any details of what was stolen, advising only that “[a]ll customer credit card and payment information is processed by a 3rd party merchant and was never at risk,” and that the company “[does] not collect any sensitive personal information of [its] customers.”

Vickery, it seems, simply did some internet searches using a server-searching tool called Shodan to see if he could find publicly accessible databases running database software called MongoDB.

When he dug into the results, he found that MacKeeper’s databases were directly online with no authentication at all, meaning that he didn’t need to know any usernames or passwords.

According to MacKeeper, he was the only outsider who connected to the databases recently, and the company affirms that he looked, reported what he’d found, and did nothing more with the data that was openly accessible.

If true, that means MacKeeper has sort-of dodged a data breach bullet…

…but it’s still a bad look for a system utility company to let 13 million customer records get openly published on the internet.

If you’re a MacKeeper user, set a new password, don’t use a password you’ve already used somewhere else, and pick your new password properly!

Image of MacKeeper robot courtesy of MacKeeper.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/j91hqOUNtFk/

3 continents, 8 countries and one cyber attack on a fake petrol company

Organisers are praising the success of a multi-nation exercise – hosted by the UK – that aimed to test response to serious cyber crime.

Exercise Silver Shadow, which was run by the National Crime Agency (NCA)’s National Cyber Crime Unit (NCCU), funded by the Foreign and Commonwealth Office and supported by the Home Office, saw officers from eight different countries come together to assess their collective response to a simulated cyber attack on a fictitious international petroleum company.[1]

The exercise took place over a week, starting on Monday 30 November at the Cabinet Office’s Emergency Planning College in North Yorkshire and tested how investigators and prosecutors would work together in the event of a complex criminal incident spanning several different legal jurisdictions.

The exercise was made as realistic as possible by limiting communication between teams, perhaps as if the attack had also affected communications or just to replicate nigh-on inevitable language and logistical barriers.

One aim was to stress test people by putting them through a life-like scenario. Silver Shadow also offered an opportunity to develop stronger operational partnerships between investigation teams and prosecutors. Exercise Silver Shadow follows a pilot event, Exercise Silver Pilot, to test and develop the interoperability between the UK’s cyber crime units, and cyber units within the Regional Organised Crime Units (ROCUs), Police Scotland and the Police Service of Northern Ireland (PSNI) back in October.

In a statement, Jamie Saunders, director of the NCA’s National Cyber Crime Unit, said: “Together, Silver Pilot and Silver Shadow form an important part of the NCCU’s efforts to prepare the UK response – at regional, national and international levels – to the ever-changing cyber crime threat.”

“Cyber crime is by its very nature international, with many of the criminals and the technical infrastructure they rely upon based overseas, and yet its impact is felt by real people and real businesses in communities across the UK,” he added.

Representatives from Bulgaria; Georgia; Lithuania; Moldova; Romania; Ukraine; the UK, represented by the NCA’s NCCU; and the US, represented by the FBI, were all involved in the exercise. A representative from Europol’s Joint Cyber Action Taskforce (J-CAT) also took part.

The event platform was a specialist Serco service called cybX, designed to prepare both private and public sector organisations for preventing and responding to serious cyber attacks.

A video (below) featuring Saunders summarises the main aims of the exercise.

Russia and Ukraine are often seen as global cybercrime hubs. Ukraine was represented but not Russia, an absence that’s not difficult to understand in the context of international sanctions against the country over the conflict in the Ukraine. Even before then, co-operation with Russia on cybercrime efforts was irregular but not unprecedented, as evidenced by a successful prosecution of Russian nationals for running a DDoS extortion scam against UK bookmakers back in 2006.

Bootnote

[1] The scenario of the attack has parallels with one of the worst cyber-attacks ever recorded: the wiper malware-style infections against the enterprise PC networks of Saudi Aramco back in 2012. Iran is the chief suspect in that attack as well as the similar assault on RasGas weeks later. It’s a credible scenario to imagine that hacktivist types or (slightly more of a stretch) ransomware-slinging cybercrooks might also target an oil firm.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/15/cyber_crime_war_game/
