STE WILLIAMS

More than $60bn spunked on cyber-security in 2011

Global cyber-security spending is on track to exceed $60bn for 2011, according to a study by management consultants PwC.

The growing tide of cyber threats, coupled with greater vulnerabilities due to the more pervasive use of technology – particularly mobile devices and cloud computing – is fuelling growth in cyber-security spending. Increasing regulation, particularly rules requiring the protection of personal data, as well as outsourcing, are also having an effect. Spending on cyber security is set to grow 10 per cent year on year for the next three to five years. UK cyber-security spending alone is expected to reach nearly £3bn in 2011.

This, in turn, is driving increased spending in the market by a variety of different players. Investors, defence contractors, IT services, mainstream technology firms and others all want a slice of the action, according to PwC. The United States, Japan and UK are three main deal markets for cyber security.

Cumulative spending on cyber-security deals since 2008 totals nearly $22bn, an average of over $6bn in each year, according to PwC. Notable deals include Intel’s $7.8bn acquisition of McAfee, which completed in February 2011. Other mega deals (with values of $500m or above) since 2009 include Dell’s acquisition of Secureworks in 2011 and Apax Partners’ acquisition of Sophos in 2010. Other notable deals include BAE’s acquisition of Detica, defence contractor Raytheon snapping up Applied Signal Technology, Symantec’s purchase of MessageLabs and HP’s acquisition of security tools firm ArcSight.

Deal value-to-revenue ratios for the numerous infosec sector deals evaluated by PwC between the start of 2008 and the middle of this year came in at a multiplier of between two and three, higher than accounting fundamentals would suggest the acquired firms were worth. These figures are “clear indicators that acquirers are willing to pay a premium to buy cyber-security companies”, PwC reports.

PwC’s study, Cyber Security M&A: Decoding Deals, attempts to explain the motives of various players either entering into or expanding their presence in the infosecurity market.

Fewer helicopters, more firewalls

Defence contractors are seeking to diversify away from core defence markets, which are forecast to decline over the next few years. In addition, there is a “structural trend in government spending away from defence and towards security”, as PwC puts it.

“Deal activity in cyber security is expected to continue to grow given the fragmentation of the market and the attractive growth outlook,” said Barry Jaber, PwC’s UK-based security industry leader. “Technology and IT companies are making acquisitions to differentiate their offerings while defence firms continue to do deals to diversify away from shrinking defence budgets,” he added.

In most countries, the private sector accounts for the majority of cyber-security spending. However in the US, government spending is almost equal to that of the private sector. The strong US technology industry combined with the fact that US defence and intelligence budgets are significantly larger than in any other country are key market drivers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/01/cyber_security_trends_pwc/

US Senator demands answers from Carrier IQ

Senator and former late-night funnyman Al Franken has called on Carrier IQ to explain why its diagnostic software, buried in the bowels of 141 million smartphones, isn’t a massive violation of US wiretap laws.

In a letter sent to Larry Lenhart, CEO and president of the Mountain View, California-based software maker, Franken expressed concern the software may run afoul of the Electronic Communications Privacy Act, which forbids the monitoring of communications without the users’ consent, and the Computer Fraud and Abuse Act. The letter was sent after a 25-year-old Android app developer published evidence that Carrier IQ software may secretly log end users’ key taps and text messages.

“It appears that this software runs automatically every time you turn your phone on,” wrote Franken, who is the chairman of the Subcommittee on Privacy, Technology and the Law. “It appears that an average user would have no way to know that this software is running – and that when that user finds out, he or she will have no reasonable means to remove or stop it.”

Prior to the posting of a YouTube video by developer Trevor Eckhart, Carrier IQ representatives said their software didn’t log specific key strokes or read the contents of messages. They have yet to square those claims against Eckhart’s demonstration, in which he used a packet sniffer and debugging logs to show the software monitoring every alphanumeric key pressed on his HTC EVO handset, even when entered into webpages encrypted with the SSL, or secure sockets layer, protocol.

The Register has asked Carrier IQ representatives for additional comment, and the request still stands. In the meantime, here’s Franken’s letter:


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/01/al_franken_carrier_iq/

Inside the shadow world of commercialised spook spyware

Exclusive: Western and Chinese high-tech companies are competing aggressively to sell, install and manage intrusive and dangerous internet surveillance and communications control equipment for the world’s most brutal regimes, a six-month investigation has found.

During 2011, investigators from Privacy International, a London-based NGO, infiltrated a circuit of closed international surveillance equipment marketing conferences, obtaining private briefings and technical product specifications from contract-hungry sales executives. The group will publish its data and document haul on the net today, in conjunction with other campaigners.

The scale and audacity of the proposals in many of the companies’ documents and hand-out DVDs is breathtaking. They describe and offer for unrestricted sale technologies which were in existence a decade ago, but which were held in utmost secrecy by major intelligence agencies such as the US National Security Agency (NSA) and Britain’s GCHQ.

Over 150 international companies now trading in this sector have been identified during the research. The majority of them did not exist or were not offering electronic surveillance products, even in the early noughties.

Companies exhibiting at the shows now openly offer to target and break specific international commercial communications satellites, including Thuraya (covering the Middle East), Iridium satellite phones, and Marlink’s VSAT. Commercial satellite intercept was previously the almost exclusive turf of GCHQ and NSA’s Echelon satellite interception network.

Other companies offer routinely to install malware on phones and PCs, to break SSL encryption on web connections and A5 crypto on mobile phones, or to break into high-capacity optical fibre networks.

Glimmerglass Networks Inc from Silicon Valley presented in Washington last month on “optical cyber solutions”. These include splicing into optical fibres at “submarine cable landing stations”, “international gateways” and POP or peering points. The techniques used for these operations were developed secretly by the NSA in the 1990s, and have hitherto been a closely guarded secret.

Pushing their “Intelligent Optical System” surveillance system last month, Glimmerglass claimed that its customer intelligence agencies “gain rapid access, not just to signals, but to individual wavelengths on those signals. An LEA [Law Enforcement Agency] operator can quickly and easily select any signal from hundreds, send that signal to a de-multiplexer for access to one of the many wavelengths inside, and then distribute the desired wavelengths as needed. The IOS can make perfect photonic copies of optical signals for simultaneous distribution to grooming equipment and probes for comprehensive analysis”.

Their show included “probes and sniffers” that started with “photonic copies” and ended up with huge personal network displays, including personal connectivity analysis from web logs, webmail and Facebook.

To monitor all of everyone’s communications traffic, the company has claimed, “you need to do much of it optically … You can pick some off cell phones. But the top of the [intelligence gathering] funnel is coming through optically … you need to manage that.”

Glimmerglass was formed in 2000. In the same year, long before 9/11 and on the opposite bank of San Francisco Bay, AT&T engineers working for NSA were installing optical fibre taps inside a major San Francisco city internet exchange, tapping into US west coast peering points and switches for the global internet.

In European and US shows over the last six months, Hacking Team of Milan and Gamma International, a controversial British company, have offered customers including police and intelligence agencies explicit hacking attacks including “stealth spyware for infecting and monitoring computers and smartphones” and lectures on “applied hacking techniques used by government agencies”.

Next week at the latest ISSWorld show in Kuala Lumpur, Hacking Team will be pushing its “Remote Control System 7 – the ultimate cyber-intelligence solution for covertly monitoring computers and smartphones”. They have also provided “in-depth, live demonstration(s) of infection vectors and attack techniques”.

RCS7 is claimed to be “invisible to most protection systems”, “resistant to system restoration technologies” and “proven” to be able to intercept mail and web traffic including Skype and PGP.

In Britain in January, at a government invitation-only Farnborough show, Security and Policing 2012, organised by the Home Office’s Centre for Applied Science and Technology (CAST), Gamma Group are billed as presenting their “unique” “FinFisher IT Intrusion products”, which they claim “contain the most comprehensive online research and infection functionality found in any other solution [sic]”.

FinFisher also claim that their “superior training at Gamma’s IT Intrusion Training Institute” differentiates Gamma International as the leading company in the field of cyber surveillance and counter surveillance. In fact, the company appears to be operating from a tiny trading estate warehouse in Andover (Google Earth document).


A little warehouse in Hampshire… Investigators have pinpointed the location of FinFisher’s HQ (Google Earth document).

Since the PI investigation was planned a year ago, equipment, plans and manufacturers’ braggadocio about the power of their kit have been recovered by Arab insurgents who have toppled governments in Cairo, Tripoli and elsewhere. More revelations are expected as the Arab Spring progresses.

After the collapse of the Mubarak regime in Egypt in April, insurgents broke into the State Security Investigations (SSI) branch. Among the batons and torture equipment recovered was a €250,000 proposal from Finfisher to install its “Finspy” hacker kit.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/01/security_firms_compete_to_sell_snoopware_to_repressive_governments/

BUSTED TWO: Carrier IQ monitor-ware on iPhones too?

Blogger and iPhone hacker Chpwn believes that the controversial Carrier IQ software isn’t confined to Android devices.

In this blog post, he says a look at the /usr/bin folder reveals Carrier IQ’s agent software, identified as IQAgent in iOS 3, and either awd_ice2 or awd_ice3 on iOS 4 or iOS 5 devices.

At this point, Chpwn believes the daemon does not have access to the UI layer, which means it may not be able to capture the kind of data exposed in Android devices.

While Chpwn states that he is not certain the software is launched except when the phone is in diagnostic mode, the discovery is certain to add further momentum to the fury mounting at Carrier IQ’s surreptitious installation on consumer devices.

After denials by Carrier IQ that it was recording user behaviour in real time, Trevor Eckhart posted a video demonstrating that the company’s software was catching Eckhart’s taps, including searches sent to SSL (secure sockets layer) servers.

The row has Australian carriers putting as much distance between themselves and Carrier IQ as they can, as quickly as they can. Telstra’s Craig Middleton hit the Twittersphere today: “Telstra does not use it. We only use customer data for connecting calls and billing for services”.

The carrier’s New Zealand subsidiary Telstra Clear made a similar, but shorter statement.

Wrapping up the Australian carrier scene, both Optus and Vodafone told News.com.au that Carrier IQ’s software isn’t in use in this country; Vodafone has made the same statement for New Zealand, as has Telecom New Zealand. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/01/ios_has_carrier_iq_client/

Crack GCHQ’s code and become the next James Bond

GCHQ has launched a code-breaker challenge as part of its attempts to unearth fresh talent from unconventional sources.

The signals intelligence agency’s ‘canyoucrackit’ challenge invites would-be codebreakers to crack a visual code at canyoucrackit.co.uk. The campaign will be supported in social media channels, including blogs and forums.

GCHQ traditionally recruits graduates but it is also keen to employ talented self-taught codebreakers and those with an interest in ethical hacking too, an audience traditional recruitment schemes and advertising campaigns might miss. The agency has no interest in recruiting anyone who has even dabbled in criminal hacking.

Individuals simply with an interest in puzzle-solving or cryptography but no interest in working for GCHQ are also being encouraged to attempt to crack the code, as a statement by GCHQ explains.

The challenge is anonymous: GCHQ is not named as the source of the challenge, so that applying for a career in the department is not the primary reason for the participant to engage.

The desired result of the campaign is to reach those people with the right skills and mindset, and to encourage them to find out more about a career with GCHQ. Cracking the code is not an assessment, rather a way to connect potential applicants with GCHQ as an employer. The code is difficult to crack, but once it is cracked, wide dissemination of the solution is anticipated in online communities. The discussion this promotes should raise additional interest in GCHQ as an employer and generate future recruitment enquiries.

Anyone applying who has hacked illegally will not be eligible to continue in the recruitment process.

The code breaker challenge is occurring against the backdrop of the UK’s new Cyber Security Strategy, published last week, which gives the signals intelligence agency a greater than ever role (and budget) to defend both businesses and consumers against cyber threats. Recruitment agency TMP Worldwide is working with GCHQ on the canyoucrackit challenge.

The first phase of the challenge involves making sense of a 15×10 grid of what appear to be hexadecimal (base 16) number pairs. Would-be codebreakers have just over 10 days left to come up with a keyword, which will probably allow access to an even more fiendishly difficult puzzler. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/01/canyoucrackit/

Clandestine US ‘space warplane’ extends orbital mission

The second of the US Air Force’s mysteriously-missioned X-37B spaceplanes is going to continue its clandestine operations in orbit past its intended nine months.

Detail on the X-37B's wings. Credit: USAF

X-37B. Credit: USAF

The spaceship, dubbed a ‘secret space warplane’ by the Iranians, has been in orbit since March 5, although the mission and its cargo are on a need-to-know basis.

“On-orbit experimentation is continuing,” Air Force Major Tracy Bunko, a spokesperson for the secretary of the Air Force, told Spaceflight Now. “Though we cannot predict when that will be complete, we are learning new things about the vehicle every day, which makes the mission a very dynamic process.”

The X-37B is a black-budget-funded, unmanned mini-shuttle whose exact purposes are unknown.

US officials in charge of the winged, reusable craft say it’s a good way of getting new tech into space quickly because you don’t need to build a satellite to carry it. They add that because the planes are reusable, they can test new gadgets and if they don’t work, you’re not writing off a billion- or million-dollar satellite.

However, despite their attempts to make the little ships seem benign, as soon as you slap the word ‘secret’ onto a space project, you inevitably get tons of speculation on the real purpose of it, some of which is fuelled by the Reg here.

The second of the X-37B missions was only designed to last 270 days, but engineers have now decided to extend that.

“This will provide us with additional experimentation opportunities and allow us to extract the maximum value out of the mission,” Bunko said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/01/x_37b_extends_mission/

Duqu attackers: master coders, Linux rookies

The Duqu malware that targeted industrial manufacturers around the world may have been spawned by a well-funded team of competent coders, but their command of Linux led to some highly amateur mistakes.

According to a report published on Wednesday by researchers from Kaspersky Lab, the unknown attackers attempted a global cleanup on a dozen or more hacked Linux servers they used to control systems infected with Duqu. The mass purge on machines running CentOS 5.x came on October 20, two days after researchers publicly compared Duqu to the Stuxnet worm that sabotaged Iran’s nuclear program. The speculation is that the operators were trying to cover their tracks.

In their haste, the attackers appear to have made some critical mistakes. Servers in Vietnam and Germany contained partial logs of the hackers’ SSH and bash sessions that remained on the / partition.

“This was kind of unexpected and it is an excellent lesson about Linux and the ext3 file system internals,” Kaspersky researcher Vitaly Kamluk wrote. “Deleting a file doesn’t mean there are no traces or parts, sometimes from the past. The reason for this is that Linux constantly reallocates commonly used files to reduce fragmentation.”

The sshd.log files show the attackers logging into the Vietnam-based machine in July and in October, just prior to the mass purge. The Germany-based system also showed evidence of being accessed on November 23, 2009, with the user receiving error messages indicating that attempts to redirect traffic on ports 80 and 443 had failed. The breadcrumbs may have been few, but they were enough to show that the servers weren’t true command and control channels, but rather proxies designed to conceal the attackers’ true origin.

Using similar techniques, the Kaspersky researchers unearthed evidence that every hacked server had its OpenSSH 4.3 application upgraded to version 5.8. A recovered bash history on the machine in Germany also showed the attackers needed refreshers in basic Linux administration. At one point, they referenced the sshd_config manual, and at another juncture, they needed to check documentation for the Linux ftp client. They also botched the command line syntax for Linux iptables.

The attackers also left behind traces of changes they made to the sshd_config file. One of them speeds up port redirection over tunnels, which is a simple enough change to understand. The other enabled Kerberos authentication. The Kaspersky researchers still aren’t sure what the motive is for the latter modification.

So far, the researchers say, they’ve analyzed only a fraction of compromised servers, which among other places, were located in Singapore, Switzerland, the UK, the Netherlands, Belgium, and South Korea. It will be interesting to see what evidence they’re able to exhume from additional machines. In the meantime they’re hoping Linux admins can help them ponder a few questions, including:

  • Why the preoccupation with updating OpenSSH 4.3 to version 5.8 as soon as a machine had been commandeered?

and

  • Is there any relationship between the updates and the modification to “GSSAPIAuthentication yes” made to the sshd_config file?

“We hope that through cooperation and working together we can cast more light on this huge mystery of the Duqu trojan,” Kamluk wrote. Tipsters can reach his team at “stopduqu AT Kaspersky DOT com.” ®
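The sshd_config tampering described above is the kind of change a defender can catch by diffing the live file against a known-good copy. The following Python is an added example, not Kaspersky's tooling or anything from the report: it parses top-level sshd_config directives (keyword case-insensitive, first occurrence wins, Match blocks skipped) and flags differences, marking changes to a handful of sensitive keywords as high priority. Both config texts are constructed for the example; the list of sensitive keywords is an assumption, not an official one.

```python
"""Audit an OpenSSH sshd_config against a known-good baseline (constructed example)."""
import re

# Real sshd_config keywords; choosing these as "sensitive" is this example's assumption.
SENSITIVE = {
    "gssapiauthentication", "permitrootlogin", "passwordauthentication",
    "allowtcpforwarding", "permittunnel", "usedns", "authorizedkeysfile",
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for top-level directives.

    Lines starting with '#' are comments. Keywords are case-insensitive and
    may be separated from their value by whitespace or '='. sshd honours the
    first occurrence of a keyword, so later duplicates are ignored. Anything
    after a 'Match' header applies only conditionally and is skipped here.
    """
    directives = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        directives.setdefault(key, value)
    return directives


def audit_sshd_config(baseline_text, current_text):
    """Compare two config texts and return a sorted list of human-readable findings."""
    base = parse_sshd_config(baseline_text)
    cur = parse_sshd_config(current_text)
    findings = []
    for key in sorted(set(base) | set(cur)):
        if key not in cur:
            note = f"removed: {key} (was {base[key]!r})"
        elif key not in base:
            note = f"added: {key}={cur[key]!r}"
        elif base[key].lower() != cur[key].lower():
            note = f"changed: {key} {base[key]!r} -> {cur[key]!r}"
        else:
            continue
        findings.append(("HIGH " if key in SENSITIVE else "") + note)
    return findings


# Constructed golden copy and a constructed tampered copy; the second change
# (UseDNS) is illustrative only and is not one the article attributes to Duqu.
BASELINE = """# constructed baseline
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
GSSAPIAuthentication no
UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

TAMPERED = """Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
GSSAPIAuthentication yes
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(BASELINE, TAMPERED):
        print(finding)
```

In practice the baseline would be the package's pristine file or a configuration-management copy, and the audit runs from cron or a file-integrity job so that a "HIGH changed: gssapiauthentication" line raises a ticket.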


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/01/duqu_linux_goofs/

Android glitch allows hackers to bug phone calls

Computer scientists have discovered a weakness in smartphones running Google’s Android operating system that allows attackers to secretly record phone conversations, monitor geographic location data, and access other sensitive resources without permission.

Handsets sold by HTC, Samsung, Motorola, and Google contain code that exposes powerful capabilities to untrusted apps, scientists from North Carolina State University said. These “explicit capability leaks” bypass key security defenses built into Android that require users to clearly grant permission before an app gets access to personal information and functions such as text messaging. The code making the circumvention possible is contained in interfaces and services the device manufacturers add to enhance the stock firmware supplied by Google.

“We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today,” the researchers wrote in a paper (PDF) scheduled to be presented at next year’s Network and Distributed System Security Symposium. “Particularly, smartphones with more pre-loaded apps tend to be more likely to have explicit capability leaks.”

The researchers created a diagnostic app dubbed Woodpecker and ran it on eight smartphones from the four vendors. The most vulnerable was HTC’s EVO 4G device, which was found to leak eight functions, including its precise geographic location finder, camera, text message service, and audio recorder. HTC’s Legend came in second with six leaks. Samsung’s Epic 4G contained three leaks, including the ability to wipe data and applications off the handset. Google’s Nexus One and Nexus S contained one leak.

Unlike out-of-the-box iPhones, which allow users to install only apps that have been approved by Apple, the official Android Market performs no security checks on the wares it offers. To compensate, Google built the permission-based security model into the mobile OS to give users control over the personal information apps get to access. Before a new program runs for the first time, it lists the sensitive resources it will access. Users who are uncomfortable with the permissions then have an opportunity to cancel the installation.

The researchers found that the manufacturer-supplied enhancements offer a way to circumvent this permissions-based model. In a video demonstration, they show how an app they designed is able to access audio-recording and SMS functions on an EVO 4G without first getting approval from the user. As a result, the app is able to turn on a recorder that collects nearby audio or phone conversations. The app is also able to send unauthorized text messages.

The researchers said both Google and Motorola have confirmed the vulnerabilities in their handsets, but that HTC and Samsung “have been really slow in responding to, if not ignoring, our reports/inquiries.”

The North Carolina State University scientists are the same team that has uncovered other serious security vulnerabilities in Android-powered smartphones, including the infiltration of at least 12 malicious apps in the Android Market. The data-stealing programs festered there for months and racked up hundreds of thousands of downloads. They were removed only after the researchers alerted Google to their presence.

The researchers say other Android handset models may also be vulnerable to the latest permissions-bypass attack. ®
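The leaks described in this article arise when a pre-loaded app exposes a permission-protected function through a component that any other app can invoke. The first thing an auditor checks for that is the manifest: components that are exported yet declare no android:permission. The Python below is an added example, not the researchers' Woodpecker tool; it applies the platform's default-export rules to a constructed AndroidManifest.xml and lists the unprotected exported components. The package and component names are made up for the example.

```python
"""List exported Android components with no permission guard (constructed example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem, target_sdk):
    """Apply the platform's default-export rules to one component element.

    An explicit android:exported wins. Otherwise activities, services and
    receivers are exported exactly when they carry an intent-filter (the
    default before API 31), and a provider is exported by default only when
    the app targets API 16 or lower.
    """
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk <= 16
    return elem.find("intent-filter") is not None


def is_launcher(elem):
    """The app's launcher activity is meant to be exported; skip it to cut noise."""
    return any(_attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in elem.iter("category"))


def find_unprotected_exports(manifest_xml):
    """Return [(tag, name)] for exported components lacking android:permission.

    A component that does declare a permission is not automatically safe (a
    'normal' protection level is granted to any requester), but it is at least
    out of the unguarded bucket this check reports.
    """
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENTS or is_launcher(elem):
            continue
        if is_exported(elem, target_sdk) and not _attr(elem, "permission"):
            findings.append((elem.tag, _attr(elem, "name")))
    return findings


# Constructed manifest for a hypothetical vendor-supplied app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendorapp">
  <uses-sdk android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".DiagnosticsService" android:exported="true"/>
    <receiver android:name=".SmsCommandReceiver">
      <intent-filter><action android:name="com.example.SEND_SMS"/></intent-filter>
    </receiver>
    <service android:name=".AudioService"
             android:permission="com.example.permission.PRIVILEGED"/>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".LogProvider" android:authorities="com.example.logs"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag}: {name}")
```

A manifest hit only says the component is reachable; confirming a capability leak still requires checking that the component's code actually calls a permission-protected API on the caller's behalf.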


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/30/google_android_security_bug/

Engineer, criminologist join forces to CRUSH black hats

An engineer and a criminologist are teaming up in a research project that aims to get a better idea of how cybercriminals operate and how to best thwart their mendacious activities.

Michel Cukier, associate professor of reliability engineering, and David Maimon, assistant professor of criminology and criminal justice, both at the University of Maryland, hope their joint research project will spur innovative ideas on possible approaches to defend against hacking and malware. The two academics, both members of the Maryland Cybersecurity Center, are studying cyberattacks from two different angles: one from the perspective of a user and the other from the perspective of an attacker.

The first phase of the study looked at the relationship between computer-network activity patterns and cybercrime trends. Some of the raw data fed into this phase of the study included information on attacks against the University’s own networks between 2007 and 2009.

Bringing an expert on the criminal mind onto the study will hopefully yield insights into the social engineering aspects of many cyberattacks that technically focused security researchers might be missing, the two professors hope.

“We believe that criminological insights in the study of cybercrime are important, since they may support the development of concrete security policies that consider not only the technical element of cybercrime, but also the human component,” Maimon explained.

According to the criminological rationale proposed by the “Routine Activities Perspective”, successful criminal incidents happen because of motivated offenders, suitable victims, and the absence of capable guardians at a particular time and place. Applied to the field of cyberattacks, this led the researchers to hypothesise that the campus network was more likely to receive port scans and DDoS attacks during business hours than in the middle of the night or at weekends. The study of the campus data confirmed this (not especially surprising) hypothesis.

Simply by browsing sites on the web, users place the campus network at greater risk of attack. “The study shows that the human aspect needs to be included in security studies, where humans are already referred to as the ‘weakest link’,” Cukier said.

Cukier and Maimon said the results of their research so far point towards the need for increased user education on computer security-related risks as a means to help safeguard against future attacks. Secondly, they concluded that cyber-security defence strategies should “rely on predictions regarding the sources of attacks, based on the network users’ social backgrounds and online routines”.

We can’t help thinking that next-generation application-aware firewall vendors, such as Palo Alto Networks, might have thought of this already, but the finding is certainly not entirely obvious – though perhaps not the “game-changing results” that the uber-boss at the university hopes the research might lead towards.

“Michel and David’s research exemplifies the interdisciplinary and comprehensive approach of the Maryland Cybersecurity Center,” said Michael Hicks, director of the Maryland Cybersecurity Center, in a statement.

“Resources are not unlimited, so true solutions must consider the motivations of the actors, both attackers and defenders, as well as the technological means to thwart an attack. Michel, an engineer, and David, a criminologist, are considering both sides of this equation, with the potential for game-changing results.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/30/cybercrime_criminology_study/

UN’s lax security exposed by password-slurping hacktivists

Hacktivist group TeaMp0isoN has hacked into the website of the United Nations Development Programme, making off with hundreds of email addresses, usernames and plain-text passwords that were later dumped onto Pastebin.

Individuals working for the UNDP, the Organisation for Economic Co-operation and Development, UNICEF, the World Health Organisation and other groups were exposed by the hack, which revealed lax password security at the agencies. Some of the accounts appeared to have a blank password and many more have easily guessable login credentials. And storing passwords in plain-text (rather than an encrypted form) is an even bigger mistake, of course.

TeaMp0isoN said that it carried out the attack as a protest against what it sees as corruption at the UN. In particular it is upset with the organisation’s handling of the genocide in Rwanda, the break-up of Yugoslavia and the Palestinian-Israeli conflict, among other matters.

Security watchers were skeptical of the UN’s attempt to downplay the significance of the hack.

Jason Hart, managing director of Cryptocard, commented: “The UN is seen as a symbol for security and trust for many millions of people around the world. Hacking their systems is TeaMp0isoN’s way of making a big statement to the outside world.”

“The UN has said that the information exposed is old data, but if you look at the YouTube video released by the hackers on Monday it shows account details and usernames as well as personal email addresses. As we all know, passwords cross personal and professional lives, so these people could well be compromised at work and at home,” Hart added.

TeaMp0isoN recently joined forces with Anonymous as part of Operation Robin Hood, which aims to defraud banks by making donations to charities and other worthwhile causes using stolen credit card details.

More security commentary on TeaMp0isoN’s antics can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/30/un_hack/