It’s widely expected that next week the government will unveil details of its hugely controversial Snoopers’ Charter, aka the Investigatory Powers Bill. To preempt this, and in a bid to influence the debate, cyber security firm F-Secure and 40 other tech signatories presented an open letter opposing the act.
Most controversially, the bill is expected to force service providers to allow the authorities to decrypt secret messages if requested to do so in extremis. This is most likely going to come in the form of some kind of order effectively banning end-to-end encryption.
I heard from F-Secure security adviser Sean Sullivan on this to find out why the bill is such a bad idea.
To precis what I wrote in this Infosecurity article, his main arguments are that forcing providers to hold the encryption keys will:
- Make them a likely target for hackers, weakening security
- Send the wrong signal out to the world and damage UK businesses selling into a global marketplace
- End up with China or other potentially hostile states in which a service provider also operates requesting these encryption keys too – undermining security further
- Be useless, as the bad guys will end up using another platform which can’t be intercepted
I completely agree, especially with Sullivan’s argument that the providers would become a major target for hackers.
“End-to-end encryption makes good sense and is the future of security,” he told me by email. “Asking us to compromise our product, service, and back end would be foolish – especially considering all of the back end data breach failures that have occurred of late. If we don’t hold the data, we cannot lose control of it. That’s just good security.”
One other point he made was the confusion among politicians about tech terminology as basic as “backdoor” and “encryption”.
“A lot of UK politicians end up putting their foot in their mouth because they don’t properly understand the technology. They try to repeat what their experts have told them, but they get it wrong. UK law enforcement would probably love to backdoor your local device (phone) but that’s a lost cause,” he argued.
“The politicians (who actually know what they’re talking about) really just want back end access. As in, they want a back door in the ‘cloud’. They want to mandate warranted access to data in transit and/or in the back end (rather than data at rest on the device) and fear that apps which offer end-to-end encryption, in which the service provider doesn’t hold any decryption keys, are a threat.”
Let’s see what happens, but given the extremely low technology literacy levels among most politicians I’ve got a bad feeling about this one.
Huawei has leaped over local rival Xiaomi to take number one spot in China’s much prized smartphone market, according to Canalys. I covered the news for IDG Connect and asked Canalys VP analysis, Rachel Lashford, whether she thought the Middle Kingdom now belonged to domestic players.
She argued that the market has actually decelerated slightly of late (1% from 1H14 to 1H15) which has increased the pressure on all vendors – but Apple and Samsung are still flying the flag for the Rest of the World.
“Apple still has a very powerful brand in China and we expect to see the latest product launches to continue its popularity,” Lashford told me.
Samsung, meanwhile, has dropped from the top spot, with a 15% share in 1H14, to fourth place (9%) a year later.
“But it is recovering in the high end and has really focused on investing in localised marketing messages,” Lashford added, by email. “Combined with recent restructuring of its channels, focusing on large retail and operators, it should be well equipped to keep the pressure up on its local competition.”
So what of Huawei and Xiaomi? The former’s rise has come on the back of a steady building out of online channels over the past two years and a focus on its offline channel presence. Aiming squarely at the mid-range ($200-500), it has increased investment in the brand to good effect, concentrated on quality and kept momentum with regular product updates.
Xiaomi, on the other hand, may have taken its eye off the ball by concentrating on wearables, TVs and other smart home kit. It will need a “refreshed flagship” in time for Chinese New Year to wrest back momentum, she claimed.
And what of the two vendors’ plans for international expansion? Well, half of Huawei’s sales already come from outside the massive China market. But Xiaomi will need more help to get it competing beyond the Great Firewall.
“Many vendors are hindered by the lack of patents and having the difficulties and expense of licensing those in order to enter markets like the US and Western Europe where these are adhered to, so this needs to be overcome,” claimed Lashford.
“As does the adoption of a successful channel strategy. Xiaomi’s focus has been directly online, but it will still likely need the expertise of distributors’ mobility businesses – like Tech Data and Ingram Micro – in order to navigate the complexities of bringing those products to market.”
As explained in my latest for IDG Connect here, Beijing has, via tightening regulations, antitrust investigations and even more restrictive censorship rules, been making the Middle Kingdom an increasingly hostile place for foreign – especially US – tech companies. It was never easy – foreign firms have always had to team up with a local partner to have a crack at the huge domestic market, with all the risks that entails. But now it’s even more difficult.
So enter India – a nation of over one billion and with the world’s fastest-growing economy. US firms have had a much better time there historically. Foreign direct investment is very much OK, and even in those few industries which are less welcoming – retail, media, telecoms and banking, for example – successful partnerships with local players are possible.
The start-up cash pouring in from Silicon Valley and elsewhere is staggering – dwarfing that in China already, according to Forrester research director, Ashutosh Sharma. In the last quarter this reached $6bn from private equity alone, he told me. What’s more, India can boast:
- A suspicion of China matched only by the US
- A nominally democratic political system based on rule of law, making its regulatory environment more predictable, if still overly bureaucratic
- A young, tech savvy, increasingly well educated, and affluent population
On the minus side, however, it has dreadful mobile connectivity and poor broadband penetration.
“The size of the country in terms of populations makes it difficult for any government to strike a right balance between pursuing growth through investments versus leaning towards more socialistic policies,” Sharma told me.
“This dithering on policy initiatives since India liberalised its markets in the early ’90s has cost them time which has manifested in poor physical and virtual infrastructures.”
A large, “digitally dark” population which doesn’t speak English makes it hard to justify investments in digital media, he said.
“However all indications are that this is temporary because at the pace innovation is happening both in terms of affordability of mobile devices, data connection, and local language solutions it won’t be long before a major part of India is digital,” Sharma added.
As mentioned, the regulatory framework is still overly complex and bureaucratic, although this too is apparently changing.
“The pace of simplification and speed of execution has improved since the new government has come in place,” he said.
It will take years before India even comes close to the $600bn in bilateral trade the US and China enjoy. But that trade is massively unbalanced, consisting mainly of Chinese imports to the US. This is not the case with US-India relations.
The winds of change are blowing, and they’re blowing to the sub-continent.
China, Russia, Eastern Europe, the Middle East – the list of hacking hotspots on the radar of most threat intelligence operatives is growing all the time. But what about Japan? For such an apparently technologically advanced nation, you might be surprised to learn its cybercrime underground is still in its infancy.
Security giant Trend Micro claimed that Japanese cybercriminals haven’t yet built up the technical know-how to create malware themselves, preferring to buy from other countries and then share tips on how to use it on many of the local underground bulletin board forums.
These forums also sell the usual suspects of child porn, stolen card data, stolen phone numbers, weapons, and so on.
There were several interesting distinctions Trend Micro uncovered between the Japanese cybercrime underground and elsewhere:
- Cybercriminals accept gift cards from Amazon and the like in lieu of payment
- CAPTCHA in Japanese is used to access the forums, keeping their membership mainly to locals
- URLs for some secret BBSs hosted on Tor and other anonymising platforms can actually be found published in books and magazines
- Japanese cybercriminals are ultra cautious, even using code words when discussing certain contraband, like the kanji character for “cold” when referring to methamphetamine.
So far, the notorious yakuza organised crime gangs have largely stayed out of the game, and that’s the way it’ll stay for some time to come, report author Akira Urano told me. That’s because of a combination of strict cybersecurity laws and the fact that offline scams still work a treat. But it might not be that way forever.
“If ever organized crime groups like the yakuza venture into darknets, all they would need is the aid of tech-savvy individuals to engage in criminal transactions,” Urano argues in the report.
I was curious to hear a second opinion on Japanese cybercrime, so I asked FireEye’s local experts.
They hit me with a few stats from the National Police Agency (NPA) which show that, infancy or not, there’s a pretty healthy cybercrime industry in Japan.
Some 88 people were arrested for cybercrimes in the first half of the year, 58% of whom were Japanese. The country is also a major victim of banking fraud – second only to the US, according to other stats.
The country’s public and private sectors also have to withstand a barrage of likely state-backed cyber attacks, launched from outside the country.
Japan’s strengths in advanced technology and engineering, as well as its hand in territorial disputes, have made it a target for China.
Aerospace and defence, transportation, high-tech, construction and telecoms are some of the highest risk industries.
FireEye told me the following by email.
“FireEye observes similar tactics and techniques on Japanese networks as we see elsewhere in the world. However, the key difference is localization: APT actors tailor their phishing e-mails, CnC infrastructure, and even their exploits to Japanese end users. For instance, we have observed threat activity against Japanese targets exploit the Japanese Ichitaro word processing system; zero days against the program are not uncommon.”
However, of particular interest was the stat that education was the most targeted sector in the UK followed by energy/utilities and financial services, as I wrote in this Infosecurity piece.
I get the other two, but education? I asked FireEye threat expert Jens Monrad for more detail.
“If we look into the motive, there are three key types of threat actors who want to target education. Advanced Persistent Threat (APT) groups will likely seek to use a university’s network infrastructure as a staging ground from which to launch cyber operations against targets in other industries, on the assumption that their activity will appear less suspicious if it originates from a reputable university network,” he told me.
“These threat actors may also target educational institutions to gain access to sensitive intellectual property, such as from university research centres for the purpose of economic espionage.”
Aside from APT attackers, there’s also a risk to schools and universities from financially-motivated cybercriminals looking to steal sensitive personal and financial information from students, faculty, and staff, he added.
“And hacktivists could deface and disrupt university websites as a method of protest or way to call attention to a certain cause,” Monrad concluded.
Universities conducting research with a “potentially high economic pay-off” or those supporting sensitive government contracts are most at risk from APT groups, he added.
So what kind of malware have these institutions been facing?
Publicly available remote access tool (RAT) LV/NjRat, for one. This little nasty is capable of keystroke logging, credential harvesting, reverse shell access, file uploads and downloads, and file and registry modifications, Monrad explained.
“This RAT also offers threat actors a ‘builder’ feature, allowing them to create new variants based on configurations of command and control servers, specified filenames, options to spread via USB, designated campaign names for internal tracking, and other customisation options,” he added.
“Additionally, this RAT gathers and sends important information about infected machines to its command and control server, possibly using a custom protocol over port 80, to include NetBIOS name, user, date, locale, and Windows OS name.”
FireEye has seen cases where individual students were targeted, with the attacker taking screen captures when they opened specific documents.
Educational institutions have also been targeted with StickyFingers, aka QUICKBALL. This is a DLL backdoor favoured by Chinese APT attackers to gain reverse shell access to targeted systems.
With the caveat that this is only information gleaned from one security vendor’s customers, there still seems to be plenty for infosecurity bosses at the UK’s universities and colleges to mull over.