Tuesday, 30 July 2013

When Hacking can Kill

Luddites say we over egg the seriousness of poor security practises and security breaches, as nobody actually dies, well that's not always the case, sometimes lives are put at stake when information security is poorly managed.

A couple of security engineers at Twitter and IOActive said they were able to hack and take control of a Toyota Prius. The engineers described how they could control every aspect of the car, including the steering and were even able to disengage the brakes, so breaking wouldn't work in the car. They even went onto say they could remove their hacking device, eliminating all evidence of their control over the car.

This hacking example highlights the concerns with the security of our increasingly smart and connected cars. Cars are rapidly having more sophisticated and complex computer systems, and more external connectivity, which is the age old recipe for security vulnerabilities. Security testing of car computer systems needs to run hand-in-hand with the rest of the European comprehensive car safety checks, which all car manufacturers must adhere to, yet currently there is nothing in place to force the security testing of car computer systems. 

Sunday, 28 July 2013

Hacking ring responsible stealing over 160 Million credit cards charged

A global credit card hacking ring consisting of four Russians and an Ukrainian, have been indited in the US with stealing and selling over 160 million credit and debit cards. That's a vast number of card numbers, which led to millions in fraud. Two of four were identified as sophisticated hackers by the US prosecutors, stating they specialised in the hacking of multinational corporations, financial institutions and payment processors, including NASDAQ, Citibank and PNC Bank.

According to the indictment, US credit card numbers sold for about $10 each; Canadian numbers were $15 and better-encrypted European ones $50. Interesting that the more secure European cards fetch 5 times the amount of US cards.

This will be an interesting court case to watch as it unfolds, especially as more comes out about the hacking techniques used, and perhaps the poor security which these guys took advantage of.

Sunday, 7 July 2013

Having a Nice Cyberwar?

Cyberwar makes a great sound bite, so it can be of no great surprise it is a term relentlessly cited by the media at the moment, but is it really the appropriate term to use?  

Recently I was invited to hear 'Security Rockstar' Bruce Schneier talk about his thoughts on Cyberwar, he made some intriguing points about the term.  Bruce explained Americans like to band around words like "war" when they aren't actually at war, and avoid using the 'war' word when they are at war. For example "the war on terror", "the war on drugs", and now "cyberwar". I recall that in the first Gulf 'War' the American media focused on titles like 'The Gulf Crisis', 'Crisis in the Gulf', and 'Desert Storm', so certainly some truth there. In the last couple of years US politicians have increasingly been using the term "Cyberwar" in their rhetoric, phrases like 'Cyber Pearl Harbour', 'Cyber 911' and 'Cyber Armageddon', are capturing the US media attention, and reporter's imagination.

What is Cyberwar mean?
The actual definition of a Cyberwar, is a nation state orchestrated computer hacking attack, against another nation state's informational and/or physical assets. If that definition is true, then batten down the hatches as its World War 3!  As pretty much every major powerhouse in the world are conducting offensive cyberwarfare; Israel, Russia, China, US and even the UK are said to have offensive "cyberwarfare" operations in play, whether they openly admit it or not.

So going back to Bruce's point on the usage of the word "war", Cyberwar isn't actually the correct phrase to describe what is happening at the moment.  The UK is not in a state of war with countries like China or Russia, a more apt term is cyber espionage. The cyberwar term should be saved for when there is a state of war between nations, describing a technical theatre of war, which runs parallel with the usual physical theatres of war.

Cyberwar is nothing new
Cyberwar is not a new concept or new problem, its always been there, even in World War II, jamming radar towers, misinformation techniques and cracking enigma codes, all fits the proper definition of cyberwar. Going back to the 1991 Gulf 'war', Iraqi air defence radar stations was electronic taken down by a US virus, after which they were physically destroyed with bombs. When Russia fell out with Estonia, there were mass cyber attacks on the country's infrastructure, the fingers of blame were pointed directly at the Russia secret services. In that case Russia never admitted it and pointed the blame at hacktivists, namely Russian patriotic sympathizing hacking groups, that orchestrated the cyber attacks. This leads to the next question, can hacktivist groups conduct cyberwarfare? In their view they would like to think so, but in reality it isn't cyberwar .Their operations are hacking and digital protesting, not warfare. I'm yet to see any hackivist attack which seriously threatens lives, or critical national infrastructure, government websites being taken offline doesn't count as a loss of critical national infrastructure.

So there you have it, but I'm afraid the term 'Cyber' won't be going away any time soon, as the media clearly loves using the phrase, so you can expect headline seeking politician to continue use the term 'cyber' time and again.