Friday, 11 March 2016

Ofcom suffers major security breach

Ofcom has had the biggest security breach in its history after an ex-employee was caught offering confidential data on TV companies to his new employer, a major broadcaster.
The incident forced the media watchdog to send out dozens of letters explaining the breach to TV companies holding an Ofcom licence. It is believed the former employee managed to download as much as six years’ worth of data, according to the Guardian.
In a statement, an Ofcom spokeswoman said: “On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee. This was a breach of the former employee’s statutory duty under the Communications Act and a breach of the contract with Ofcom.
“Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner. The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties.”
It is believed that Ofcom was informed of the breach by senior executives at the unnamed broadcaster. The broadcaster is not thought to have exploited the data, which would have been quite useful from a competitive standpoint.
As no personal data was involved, it is not compulsory for the Information Commissioner’s Office (ICO) to be notified, although it is understood that Ofcom informed the watchdog of the incident anyway.

Friday, 4 March 2016

IoD says Businesses are covering up #cyberattacks

British businesses are consistently failing to take their own cyber security seriously enough, and many are actively covering up cyber attacks, according to a study conducted by the Institute of Directors (IoD) and Barclays.
The IoD surveyed 1,000 of its members in December 2015 and discovered that only 28% of cyber attacks were being reported to the police, even though half of attacks were causing disruption to business operations.
The Cyber-Security: Underpinning the Digital Economy report warned that the scale of security threats facing businesses was being widely underestimated, with 70% of respondents saying they had received bogus invoices via email in a phishing attack attempt.
The IoD’s report reinforced the findings of a recent survey by security firm Carbon Black, which claimed that UK CIOs tended to be over-confident about their cyber security arrangements.
The IoD found that only 57% had a security strategy in place, despite 91% saying security was important, and only 20% were insured against the possibility. Awareness of services set up to help tackle cyber criminals was also worryingly low, with 68% unaware of the existence of the Action Fraud Aware crime reporting service.

Tuesday, 1 March 2016

Peeling Back the Onion Part 1: Mapping the #DarkWeb

Guest Blogger: Stuart Peck Pre-Sales Manager at ZeroDayLab Ltd
The Dark Web is no longer a place for criminals and cyber criminals to hide, with the launch of the first dark web map, powered by ZeroDayLab key partner and threat intelligence service Intelliagg.

The dark web is officially defined as 'websites that cannot be accessed or reached without the use of specialised software', the most widely-used and common of which is the TOR browser (The Onion Router).

The core principle of Tor, 'onion routing', was developed in the mid-1990s by the US Naval Research Lab with the purpose of protecting U.S. Intelligence communications online. In 2006, the TOR project was founded and made free for all to use. This initially led to a rise in use by journalists to protect their identity in countries without freedom of speech, then a rise in whistle-blower sites such as Wikileaks.

However, the privacy benefits of TOR have led to an unchecked rise in illegal activities, where criminals use Tor to create and run hidden online marketplaces selling everything from child pornography to drugs, leaked data, credit cards, fake documentation and weapons; all can be purchased using normal currency or Bitcoins.

Finally, a growing share of TOR usage comes from cyber criminals and hackers, who trade leaked data, zero-day vulnerabilities and malware on private marketplaces or through brokers for huge profits.

What I have noticed through my own research conducted at ZeroDayLab is that over the past couple of years there has been a huge rise in Malware-as-a-Service/Crime-as-a-Service marketplaces, leading to a rise in attacks such as ransomware, where the technical barrier to entry is now all but removed for criminals entering the cyber crime market.

ZeroDayLab's partner Intelliagg today released a whitepaper on the Dark Web which, over a sample period, monitored over 30,000 top-level .onion sites (hidden services).

By compiling a hidden service address list from different sources, such as spidering, private link lists and monitoring the Tor network itself, Intelliagg interrogated hidden services over ports 80 and 443 using a mixture of human and machine-learning information-gathering techniques.

Key findings from the research include:

  • 46% of the 30,000 hidden services analysed were active at the time of the assessment (the other 54% of sites could be attributed to C2 servers or other temporary uses, such as OnionShare and Ricochet chat)
  • 76% of the sites were in English, with Chinese and German unsurprisingly the second and third most common languages
  • 48% of the sites were classified as illegal
  • Via manual classification of over 1,000 sites, 68% of the content was deemed illegal according to US and UK law
  • File sharing (29%), leaked data (28%) and financial fraud (12%) were the top classifications of hidden marketplaces; surprisingly, hacking made up only 3% of the sites interrogated
  • Interestingly, 39% of sites interrogated were unlinked, meaning they were extremely difficult to find

In addition to the research conducted, Intelliagg has provided an interactive map, found here, which I highly recommend viewing and exploring: the vast, and now visible, dark web (30,000-odd sites at least).

But this brings me back to my earlier point: why is this map so important? Until recently it had been difficult to understand the relationships between hidden services and, more importantly, the classification of these sites.

As a security researcher, understanding hidden services such as private chat forums and closed sites, and how these are used to plan and discuss potential campaigns such as DDoS, ransom attacks, kidnapping, hacking, and the trading of vulnerabilities and leaked data, is key to protecting our clients through proactive threat intelligence.

Mapping these sites back to threat actors (groups) is even more crucial, as this helps us build a database of the capability, infrastructure and motivations of the adversary.

The more we understand about the dark web, and the criminals that use TOR and hidden services to publish and trade threats, the more we as a community can flush out the undesirable services and marketplaces, restoring what made TOR great in the first place: protecting privacy for good, not evil.