Tuesday 18 February 2020

The Billion Pound Manchester City Hack

The sport of football is a multi-billion-pound global industry, where the world's top-drawer football clubs push competitive advantages to the extreme, not just for the prestige of winning trophies, as success on the pitch also means a greater slice of jaw-dropping TV, sponsorship and advertising revenues. 

The key commodity in the football industry are football players, elite talent players command transfer fees up to 100 times their weight in gold and receive millions a year in wages.  Investing in recruiting the best football players increases the likelihood of winning matches, titles and lucrative financial rewards. The competition for success is especially fierce between Europe's largest football clubs. This is leading to ever-inflating player transfer fees and wages, rippling downwards throughout football's global pyramid of leagues, with many clubs gambling with financial outlays on recruiting player talent, in hope of achieving the financial rewards which success on the football pitch brings.

Top Ten Football Club Revenues in 2018-19 (change from 2017-18)
1 Barcelona                 £741.1m (+£129.5m)
2 Real Madrid             £667.5m (+£2m)
3 Manchester United £627.1m (+£37.3m)
4 Bayern Munich £581.8m (+£24.4m)
5 Paris St-Germain £560.5m (+£80.6m)
6 Manchester City £538.2m (+£34.7m)
7 Liverpool                 £533m    (+£77.9m)
8 Tottenham               £459.3m (+£79.9m)
9 Chelsea                  £452.2m (-£4.2m)
10 Juventus                £405.2m (-£55.7m)
Source: Deloitte Football Money League

The Deloitte Football Money League illustrates the scale and growth in revenues at Europe's top tier clubs. Most of this revenue is acquired through participation in the UEFA Champions League (up to £150m), club sponsorship deals, and national league TV deals, especially the English Premier League, where clubs finishing in the top six positions are given around £150m a year. The number of bums on seats at stadia doesn't have the financial impact on a club's revenue stream as it once did. Success on the pitch is the greatest driver of a club's revenue, the new model of sustained success in football is recruiting and retaining the best squad of football players.

Such high stakes and large financial numbers are a recipe for pushing and bending football's rules, Real Madrid, Barcelona, Atletico Madrid, Liverpool, Chelsea and Manchester City have all been disciplined for breaking youth player recruitment rules. Football's rules are written and enforced by football’s various governing bodies, starting with country-level governance such as the English Premier League and The English Football Association (The FA), continental level governance such as Union of European Football Associations (UEFA) and finally the global football authority which is Fédération Internationale de Football Association (FIFA).

The Million Manchester City Pound Hack
As football players are the key elements of achieving success, most top tier clubs invest heavily to build intelligence on the best players to recruit. Clubs operate scouting networks on a global scale, utilising applications to gather and record statistical player data, and employ expert analysts to crunch those stats. All to determine which players they should target to improve their squad, when they should attempt to buy, and how much they should spend to achieve a maximum return on their investment.
Manchester City have a rocky relationship with UEFA

The top two rivals competing for success in the English Premier League in recent years have been Manchester City and Liverpool football clubs, with both clubs winning several major titles. At the end of 2011/12 season, it was a different story, Manchester City had won the Premier League title while Liverpool finished in 8th position, outside of lucrative Champions League qualification and 47 points behind City.  At the end of this season, Liverpool 'poached' two of Manchester City's scouting and recruitment leads, Dave Fallows and Barry Hunter, as their head of scouting and chief scout respectively.  14 months after these appointments were made, Liverpool paid Manchester City £1 million as part of a confidential settlement after it was alleged City’s cloud-based scouting application, Opta's Scout7, had been accessed by Liverpool FC staff on hundreds of occasions.  Whether this breach was 'assisted' by Manchester City not removing ex-employee access to their Scout7 app, or involved the hacking of City's accounts remains undisclosed.
Player Scouting App Scout7

The Premier League were not informed about this incident and the settlement until September 2019, when they launched an investigation, but confirmed on 7th February 2020 it would not be bringing any charges.  An FA spokesperson said: “The FA carefully considered the evidence received in this matter, including information provided by both clubs involved, and has decided not to progress the investigation. This is due to a number of factors including the age of the alleged concerns and the settlement agreed by the two clubs involved.  As per standard protocol, should the FA receive further information or evidence, the decision not to progress the investigation may be reviewed.” 

Since the hack there has been a major resurgence with Liverpool's success on the pitch, under their current manager Liverpool have spent £400 million on recruiting new players, creating arguably one of the strongest squads they have ever had. A squad which won the Champions League last season, while this season Liverpool stands to win the Premier League title for the first time in their history by some distance. The role of this alleged City hack in Liverpool's recent rise to the top can never be understood, a coincidence or not, most football pundits agree Liverpool's player recruitment in recent years has been first class.

As of 25th May 2018 such hacked data breaches are required to be disclosed to the UK's Information Commissioner's Office (ICO), and could theoretically cost Manchester City and perhaps Liverpool millions in fines under the recently updated UK Data Protection Act, which incorporates the European General Data Protection Regulation (GDPR). Given the Scout7 app holds the personal data of European players, and  GDPR fines can be up to 4% of global turnover, this means a potential ICO fine of up £20 million. And accessing or hacking into systems without permission is a criminal offence under the UK Computer Misuse Act.

The Billion Pound Manchester City Hack
On 14th February, UEFA's Chamber of the Club Financial Control Body (CFCB) announced its decision to ban Manchester City from competing in European competition for two years, and a £25 million fine for breaching UEFA’s Financial Fair Play (FFP) rules.  



The revenue from missing two Champions League campaigns could cost the Manchester club around £300 million in total. The Premier League and the English FA are also investigating City on the back of the UEFA investigation, so could follow suit with their own FFP sanctions, with media speculating such investigations could result in City's relegation to England's bottom tier of professional football. Dropping to League Two could potentially cost the club around £1 billion in lost TV revenues alone.  However, Man.City quickly announced they will be challenging UEFA’s findings and disciplinary action through the Court of Arbitration for Sport (CAS), so it remains to be seen if those UEFA disciplinary sanctions will stand. City’s FFP woes all started with a hack of their email system, a hack which could ultimately cost the club over billion pounds.

Is Football 'Wikileaks' Ethical?
UEFA's investigation into City started with the club's hacked internal emails being disclosed to the media, by a hacker through a 'football leaks' website. On 5th November 2018, German magazine ‘Der Spiegel’ (The Mirror) published an article which claimed City and their sponsors had manipulated sponsorship contracts to circumvent UEFA FFP rules, inflating the value of their commercial income. The Spiegel article supported claims of FFP ‘wrongdoing’ by quoting extracts from senior Manchester City club officials stolen internal emails.

Portuguese resident Rui Pinto is alleged to be the hacker who successfully hacked into City's internal email system in 2015. Pinto was arrested and remains in prison awaiting trial on 90 different counts of hacking, sabotage and fraud. Pinto reportedly took 70 million documents and 3.4 terabytes of information from a string of football clubs and high profile players, releasing the data via the 'football leaks' website (https://footballleaks2015.wordpress.com/).  

Pinto told Der Spiegel he was aware of the risks of his work and is quoted as saying “I initiated a spontaneous movement of revelations about the football industry.  So depending on your viewpoint, and likely your football club loyalty, this 'Wikileaks for football' is either ethical on transparency grounds, or it should not be condoned given the information was obtained by illegal means.  Just like the actual Wikileaks, individual views will be polarised on the ethics of leaking private and confidential information into the public domain. Although given the tribal and competitive nature of most football fans, aside from Manchester City fans, most football fans are likely to agree the illegal method was justified.  


Rui Pinto, Criminal Hacker or Whistleblower?

It seems UEFA also agree with the illegal method used, as on the back of the Der Spiegel article and hacked emails, UEFA began its investigation into Manchester City on March 2019, stating “The investigation will focus on several alleged violations of FFP that were recently made public in various media outlets."  

The 'Ethical' Legal Battle Ahead
When police authorities and prosecutors do not collect evidence using legal means in criminal trials, such evidence becomes inadmissible in court. Digital evidence not forensically acquired can also be challenged and dismissed. Hacked emails as text files can be easily doctored. For instance, in 2018 said key documents supporting rape claims against Cristiano Ronaldo, as obtained through the Football Leaks website, were subsequently dismissed by Ronaldo's lawyers as having been fabricated by hackers.

If all the other top tier football clubs had all their internal emails disclosed to the media and UEFA investigators, how many other clubs would be found to have bent or broken FFP rules as well?  There are many football fans deeply suspicious about the finances and commercial sponsorship deals at many of Europe’s elite football clubs.

The City email hack will have significant ramifications on the football industry, the power of UEFA and its enforcement of FFP will be tested. With millions at stake, Manchester City’s lawyers and UEFA will be fighting it out in the courts in the coming months, the ethics of using data leaks as evidence will be one of the key arguments

Let Him Who Is Without Sin Cast the First Stone
UEFA doesn’t exactly have a good track record on ethics either, former UEFA Chief Michel Platini was banned from all football activity for 8 years by FIFA’s Ethics Committee in 2015. In June 2019 Platini was questioned by Police in regards to his backing of Qatar's bid to host the 2020 World Cup, despite allegedly telling American officials he would be voting for the United States. Then there is the ethics of UEFA fining football clubs multi-millions for breaching FFP, while at the same time fining clubs in the low thousands for breaches of its racism rules.

Friday 7 February 2020

Keys to the Kingdom, Smart Cities Security Concerns

By Sean Wray, VP NA Government Programs, Certes Networks

Smart cities seem inevitable. According to IDC, Smart City initiatives attracted technology investments of more than £63 billion globally in 2018, and spending is estimated to grow to £122 billion in 2022. Similarly, in 2018, the number of major metropolitan cities relying on or developing a comprehensive smart city plan – as opposed to implementing a few innovative projects without an overall smart plan – dramatically increased.

In the US, for example cities like Philadelphia, Newark and Chicago all have goals to upgrade and to become leading ‘SMART’ cities, while UK innovation is being spearheaded by major conurbations such as Bristol, London and Manchester.


A significant investment is being made by cities in data connectivity providing a number of technologies such as Wi-Fi 6, smart grid, and IoT sensor devices, all promising to enhance overall visibility and security. However, as we extend the reach of technology and connectivity, there will increasingly be cyber-risks to take into account. As part of their transformation, smart cities serve as a technology hub and gateway to major institutions such as banks, hospitals, universities, law enforcement agencies, and utilities. This means the storage and transmission of customer data such as social security numbers, addresses, credit card information, and other sensitive data, is a potential goldmine for malicious actors. Not to mention an increasing number of projects monitoring roads, traffic, traffic light and metro services, all of which must be kept secure from threats at all times.

Security Challenges
When connectivity and innovation meet such large city infrastructures, they immediately become vulnerable to cyber threats from malicious actors waiting to bring all that hard work to a standstill. And, the routes in are manifold.


We are increasingly dealing with connected versions of devices that have existed for a long time, such as CCTV cameras, and as a consequence, digital security is not very often incorporated into their designs.

In addition, cybersecurity will have to extend far past personal, or internal corporate networks, to encompass far-ranging technological protection for vast city networks at a scale and a pace many are struggling to respond to.

Moreover, the sheer volume of data being collected and transmitted across a multi-user network, with numerous locations, can be extremely challenging to protect. London’s City Hall Datastore, for example, holds over 700 sets of big data that helps address urban challenges and improve public services, and the rise in cashless payment methods for transport.

It is the complexity that the above factors represent that often overwhelms a network security team’s ability to ensure sensitive data is protected with encryption, especially when network infrastructures can be constructed using different vendor technology, many of whom do not provide strong encryption. This also includes many municipalities who have older Legacy, third party or disaggregated networks.

It is therefore not a matter of if but when sensitive data may fall into the wrong hands. Network security teams have to ensure that any data breach must be detected immediately before the infection spreads from network system to network system, potentially shutting off critical services for thousands of companies, notwithstanding for those who reside in the City itself.

Providing the Keys
Choosing the right encryption solution is critical and can be key in mitigating damage caused by a data breach. Most cities find implementing these solutions disruptive and complex, especially for organisations that operate large and diverse networks. For example, manual configuration of encryption can lead to human error unknowingly exposing risk and managing multiple vendors can be burdensome and inefficient. Most importantly, network visibility is lost with many encryption solutions, which is a significant issue as it reduces the ability for security teams to detect and thwart malicious actors and cyber threats.


The vulnerabilities and threats associated with trying to protect large volumes of data moving across a vast multi-user network involves a security strategy that is simple, scalable and uncomplicated in order to avoid any disruption of critical infrastructure services provided to businesses or citizens, not to mention be compliant with governmental cybersecurity regulations and / or code of practices

Whereas traditional Layer 2 & 3 encryption methods are often disruptive and complex, a Layer 4 solution enables encryption of data in transit independent of network applications and without having to move, replace or disrupt the network infrastructure. This is a significant savings in resources, time and budget. 

In addition, network blind spots due to problems, outages, and cyber-criminals using encryption to conceal malware, increase network security risk and are potential regulatory compliance issues. According to a recent survey from Vanson Bourne[i], roughly two-thirds, or 67 percent, of organisations say that network blind spots are one of the biggest challenges they face when trying to protect their data.

With network monitoring one of the strongest defences against blind spots, Layer 4 encryption and encryption management tools offer network visibility by keeping a close and constant eye on network traffic. Network visibility tools allows existing applications and net performance tools to work after encryption is turned on without blinding the network.

Finally, adding in network observability allows smart cities to analyse and gain deeper understanding of network policy deployment and policy enforcement by scrutinising every application that tries to communicate across the network, all the while monitoring pathways for potential threats now that each policy is observable in real-time. 

Conclusion
For organisations and teams tasked with implementing smart technology in residential, commercial and public spaces, plans on how to do so will have to be part of the design and planning stage – including how we securely implement and maintain these smart spaces. It is integral that all connected aspects of smart cities have undergone extensive planning and designing, with a smart city architecture for service key management at the core. Defining standards and enforceable policies that can be analysed to help identify network vulnerabilities and thwart potential threats is critical.


Providing better technology is an ever-evolving, fast-paced race and caution should be given to those cities who move so fast that they risk building an infrastructure without equally giving precedence to the protection of data of those who work and live in their city.

Related, my IBM Developer article 'Combating IoT Cyber Threats

Sunday 2 February 2020

Cyber Security Roundup for February 2020

A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, January 2020.

After years of dither and delay the UK government finally nailed its colours to the mast, no not Brexit but Huawei, permitting 'limited use' of the Chinese Telecoms giant's network appliances within the UK's new 5G infrastructure. Whether this is a good decision depends more on individual political persuasion than national security interest, so just like Brexit the general view on the decision is binary, either its a clever compromise or a complete sell out of UK national security. I personally believe the decision is more about national economics than national security, as I previously blogged in 'The UK Government Huawei Dilemma and the Brexit Factor'. The UK government is playing a delicate balancing to safeguard potentially massive trade deals with both of the world's largest economic superpowers, China and United States. An outright US style ban Huawei would seriously jeopardise billions of pounds worth of Chinese investment into the UK economy. While on the security front, Huawei's role will be restricted to protect the UK's critical national infrastructure, with Huawei's equipment banned from use within the core of the 5G infrastructure. The UK National Cyber Security Centre (NCSC) published a document which provides guidance to high risk network providers on the use of Huawei tech.
UK Gov agrees to 'limited' Huawei involvement within UK 5G

UK business targeted ransomware continues to rear its ugly head in 2020, this time global foreign exchange firm Travelex's operations were all brought to a shuddering halt after a major ransomware attack took down Travelex's IT systems. Travelex services impacted included their UK business, international websites, mobile apps, and white-labelled services for the likes of Tesco, Sainsburys, Virgin Money, Barclays and RBS. The ransomware in question was named as Sodinokibi, with numerous media reports strongly suggesting the Sodinokibi ransomware infiltrated the Travelex network through unpatched vulnerable Pulse Secure VPN servers, which the National Cyber Security Centre had apparently previously detected and warned Travelex about many months earlier. Could be some truth in this, given the Sodinokibi ransomware is known to infect through remote access systems, including vulnerable Pulse Secure VPN servers. The cybercriminal group behind the attack, also known as Sodin and REvil, demanded £4.6 million in ransom payment, and had also claimed to have taken 5Gb of Travelex customer data. Travelex reported no customer data had been breached, however, its money exchange services remained offline for well over two weeks after reporting the incident, with the firm advising it expected most of its travel exchange services to be back operational by the end of January.

The same Sodinokibi criminal group behind the Travelex attack also claimed responsibility for what was described by German automotive parts supplier Gedia Automotive Group, as a 'massive cyber attack'. Gedia said it would take weeks to months before its IT systems were up and running as normal. According to analysis by US cyber security firm Bad Packets, the German firm also had an unpatched Pulse Secure VPN server on its network perimeter which left it exposed to the ransomware attack. Gedia patched their server VPN on 4th January.

Leeds based medical tech company Tissue Regenix halted its US manufacturing operation after unauthorised party accessed its IT systems. To date there hasn't been any details about the nature of this cyber attack, but a manufacturing shutdown is a hallmark of a mass ransomware infection. Reuters reported shares in the company dropped 22% following their cyber attack disclosure.

London based marine consultancy company LOC was hacked and held to be ransom by cybercriminals. It was reported computers were 'locked' and 300Gb of company data were stolen by a criminal group, investigations on this hack are still ongoing.

Its seem every month I report a massive data breach due to the misconfiguration of a cloud server, but I never expected one of leading global cloud providers, Microsoft, to be caught out by such a school boy error. Microsoft reported a database misconfiguration of their Elasticsearch servers exposed 250 million customer support records between 5th and 19th December 2019. Some of the non-redacted data exposed included customer email addresses; IP addresses; locations; descriptions of customer support claims and cases; Microsoft support agent emails; case numbers, resolutions and remarks; and confidential internal notes. It is not known if any unauthorised parties had accessed any of the leaked data.

Cyber attacks against the UK defence industry hit unprecedented highs according government documentation obtained by Sky News. Sky News revealed the MoD and its partners failed to protect military and defence data in 37 incidents in 2017 and 34 incidents in first 10 months of 2018, with military data exposed to nation-level cyber actors on dozens of occasions.

It was another fairly busy month for Microsoft patches, including an NSA revealed critical flaw in Windows 10. January also saw the end of security updates support for Windows 7 and Windows Server 2008, unless you pay Microsoft extra for extended support.

According to a World Economic Forum (WEF) study, most of the world's airports cybersecurity is not up to scratch. WEF reported 97 of the world’s 100 largest airports have vulnerable web and mobile applications, misconfigured public cloud and dark web leaks. Findings summary were:

  • 97% of the websites contain outdated web software.
  • 24% of the websites contain known and exploitable vulnerabilities.
  • 76% and 73% of the websites are not compliant with GDPR and PCI DSS, respectively.
  • 100% of the mobile apps contain at least five external software frameworks.
  • 100% of the mobile apps contain at least two vulnerabilities.
Elsewhere in the world, it was reported a US Department of Defence contractor had its web servers (and thus its websites) taken down by the Ryuk ransomware. Houston-based steakhouse Landry advised it was hit by a point-of-sale malware attack which stole customer payment card data. Stolen customer payment card data taken from a Pennsylvania-based convenience store and petrol station operator was found for sale online. Ahead of the Superbowl LIV Twitter and Facebook accounts for 15 NFL teams were hacked. The hacking group OurMine took responsibility for the NFL franchise attacks, which said it was to demonstrate internet security was "still low" and had to be improved upon. Sonos apologised after accidentally revealing hundreds of customer email addresses to each other. And a ransomware took a US Maritime base offline for 30 hours.

Dallas County Attorney finally applied some common-sense, dropping charges against two Coalfire Red Teamers. The two Coalfire employees had been arrested on 11th September 2019 while conducting a physical penetration test of the Dallas County courthouse. The Perry News quoted a police report which said upon arrest the two men stated, “they were contracted to break into the building for Iowa courts to check the security of the building". After the charges were dropped at the end of January Coalfire CEO Tom McAndrew said, 'With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement”. Adding “We’re grateful to the global security community for their support throughout this experience.”


BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE