Earlier this morning I took part in RTE Radio 1’s Morning Ireland show. I was invited onto the show to talk about the arrest of an alleged member of Anonymous and Lulzsec. The person arrested is an 18-year-old teenager called Jake Davis, also known by the online alias Topiary. He was arrested by the London Metropolitan Police on the Shetland Islands off the coast of Scotland last Wednesday. He appeared in court yesterday and has now been released on bail on condition that he wear an electronic tag, not access the Internet either directly or indirectly, and obey a curfew between 10:00 p.m. and 7:00 a.m.
He is not the first alleged member of the Lulzsec or Anonymous groups to have been arrested. Earlier this summer UK police arrested a young man called Ryan Cleary in Essex. They have also recently arrested a 17-year-old boy in Lincolnshire.
The interview can be found on the Morning Ireland podcast and starts approximately 26 minutes and 20 seconds into the podcast. The interview was shorter than planned due to the issues surrounding the presidential campaign for Senator Norris.
There are a number of people in the infosec industry who can be classified as industry leaders. Mikko Hypponen, who works with the Finnish anti-virus company F-Secure, is one of those people.
Mikko recently gave a talk titled “Fighting Viruses; Defending the Net” at the prestigious TED Conference held in Edinburgh last week. Have a look at the below video for an excellent insight into the computer crime industry.
If you enjoyed the above you should follow Mikko on Twitter at @mikkohypponen
They claim to be highlighting how weak the security of these organisations is and to teach them a lesson in how to secure their systems. By any logical reasoning this is not a valid argument. If you were to equate this to real life it would be similar to someone breaking into your house and leaving a note on your kitchen table to tell you that the lock on your front door was weak and while they are at it, taking some private information and posting it on a noticeboard for everyone to see.
Lulzsec has been getting a lot of publicity with many people acting as cheerleaders as they cause havoc across the web. Many see them as a group that is finally forcing organisations to sit up and take notice of their lax security practices and argue that this is for the greater good. However, in most countries what Lulzsec is doing is against the law and the actions they are taking are criminal acts. There is also the matter that in a number of cases Lulzsec has posted the personal information of the customers of the breached sites onto the Internet, which now poses a security threat to those individuals. There are more ethical and acceptable ways to make companies aware that their security is not up to scratch, ways that do not involve putting innocent people at risk.
Tonight may be the time when Lulzsec overreached themselves. It appears they launched a Distributed Denial of Service (DDoS) attack against the CIA website, www.cia.gov. At the time of writing the CIA website is not reachable.
I suspect that they may have tried to breach the website but were unable to do so and as a result have simply blocked all traffic to the site. This may not expose any sensitive information or breach the security of the site, but it does present a very embarrassing situation for the CIA. This action, I am sure, will not go down well with the authorities to be and the CIA, and by extension the US Government, have a lot more resources open to them to track down the source of the attackers than say Sony or any of the other systems that they have attacked.
In addition to the CIA, Lulzsec have also drawn the ire of another infamous hacker called th3j35t3r. Th3j35t3r appears to be a pro-western hacker and has been responsible for a number of attacks against websites supporting extremist terrorism. In the tweet below he tells Lulzsec “re your last hit. Gloves off. Expect me.”
It promises to be an interesting few days ahead for the members of Lulzsec and those of us looking on.
UPDATE 16th June 2011
Thanks to a very interesting discussion with attrition.org on Twitter a number of items have been pointed out to me;
In the third paragraph I state that there is no “logical reasoning” behind Lulzsec attacking certain companies to highlight “how weak the security of these organisations is and to teach them a lesson in how to secure their systems.” As was pointed out to me, just because I do not agree with their methods does not mean there is no logical reasoning behind it. This is a very valid point. While I do not believe breaking into a system and publishing the information found there is the correct way to show how ineffective an organisation’s security is, that does not mean that it is not a way to demonstrate it. I also fully accept that the more ethical, legal and perhaps, as some would argue, naive way is not always effective as companies can, and in some cases will, choose to ignore the findings they are presented with. But does this justify breaking into their systems and publishing their information or that of their customers? How do we determine what is the right way in this situation? Who or what gives individuals the right to break the law and hack into a system and expose sensitive data?
What are your thoughts on the issue? What is the most effective way to get organisations to address issues with the security of their systems without having to break the law or put innocent users at risk?
The SiliconRepublic.Com and RTE both report today that the Garda Bureau of Fraud Investigation is investigating a number of incidents where businesses in the west and midlands of Ireland have been targeted by online criminals. Apparently the criminals have accessed the computer systems of the affected businesses and encrypted important business information belonging to those businesses thereby making it unavailable to them. The criminals are looking for a sum of $700 to provide the victims with the key to decrypt their information.
The Gardai have asked any businesses that have suffered this attack to make themselves known to the Gardai.
In the absence of knowing the details of how the criminals were able to gain access to the affected systems I recommend the following steps to protect your company from falling victim to the attack;
Ensure you have a robust firewall installed on your network to protect it from unauthorised access from the Internet.
Ensure your anti-virus software is up to date and has the latest signatures.
Make sure all your software has the latest security patches installed.
Educate your users so they do not fall for online social engineering scams and they do not open attachments or click on links in emails that they are not expecting.
Check your critical security logs for any suspicious behaviour.
Ensure users only have access to the data that they absolutely need.
Make regular backups of your software and data. In the event you fall victim to the attack you can recover your information from a recent backup.
Regularly test your backups to make sure that they are working and that you can restore from them.
Ireland’s economy is now more than ever dependent on information technology and the Internet. Both have enabled consumers and businesses alike to better access and deliver services, create new markets, exchange information rapidly and process information by more efficient means. Technology and the “knowledge economy” are now seen as a strategic path by the Government to get Ireland’s economy back on track again. Indeed the Minister for Communications, Energy and Natural Resources, Eamonn Ryan TD recently unveiled the Government’s smart economy strategy to create Digital Ireland. The plan, titled “Technology Actions to Support the Smart Economy” looks to develop over 30,000 jobs in areas such as ICT, green technology, cloud computing and energy efficient datacentres.
However, this increasing reliance on information technology brings with it numerous risks and threats that if not properly addressed could result in significant negative impact on Ireland’s economy and potentially on the country’s national security.
The recent Eircom outages resulting from attacks by unknown hackers highlight those very risks that are posed against the Irish Internet space. Eircom have admitted that these attacks were the result of DNS poisoning but we still have no further details as to the vulnerabilities exploited by the attacker(s). Nor do we have any insight into the motivation behind the attacks. Speculation has ranged from the same hackers that attacked US and South Korean sites, to Russian mafia gangs to disgruntled Eircom customers.
Eircom is the largest ISP in the country providing Internet services for their own customers but also many other telcos and ISPs that piggyback on the Eircom infrastructure. By default then Eircom can be classified as being part of our Critical Network Infrastructure.
Eircom admit in their own press release that they had to patch some of their systems to deal with the attack. They even acknowledge that some of their remediation steps may have caused additional outages for their customers. This to me is something extremely worrying and raises questions such as;
Why is a key provider of our Critical Network Infrastructure not applying patches in a proactive manner?
Why did it take an attack to ensure that the appropriate patches and fixes were applied?
What incident response capabilities and pre-planning were in place to ensure that the source of the attacks and systems affected were quickly identified, remediated with minimum impact and systems fully recovered?
The main concern I have is what is being done to ensure that the organisations who make up our Critical Network Infrastructure, whether they be private or government entities, are properly securing those systems? What reassurances do we have that all ISPs have applied the appropriate security patches to their DNS servers and indeed other key elements of their infrastructure?
Industrial and state espionage is not a new thing and with the introduction of information technology it has become even more prevalent. Countries like the US, UK, France, Belgium and India have all raised concerns about foreign nation states targeting high tech resources in their respective countries. As recently as late July a German counter intelligence official claimed that Germany is losing an estimated €50 billion and 30,000 jobs a year as a result of industrial espionage. Some of the key industries included renewable energy and communications, the very industries outlined in the Irish Government’s smart economy strategy to create a Digital Ireland.
A number of the countries, such as the US and the UK, have learned from their experiences and are quickly appointing people to ensure their nations’ digital assets are protected.
Indeed in the United States this whole issue has even gotten the attention of the President.
Listen to the above speech and see how the U.S. is taking this issue seriously and then compare it with the below answer given by our Minister of Defence to a question posed to him on what steps Ireland has taken against the “cyber risks and threats”;
Cyber security, cyber crime and internet security represent challenges that are constantly evolving and require vigilance and appropriate responses. Cyber security is multi-faceted. The nature of the threat and the potential impact also varies considerably depending on the approach and objective of those with malicious intent.
In the first instance, each State agency, business and individual should take every precaution with regard to their security. Awareness of security, the risks and available safeguards, can be seen as the first line of defence for the security of information systems and networks. I am aware of considerable activity in this regard. My colleague the Minister for Communications, Energy and Natural Resources has undertaken a number of awareness campaigns aimed at individuals, SMEs, the education sector, the public Sector and business. My colleague the Minister for Justice and the Garda Siochana are also active in areas such as cyber crime and cyber bullying. The legislative programme includes the Criminal Justice (Cybercrime) Bill, being prepared by the Department of Justice. This Bill gives effect to the Council of Europe Convention on Cybercrime as well as to the EU Framework Decision on attacks against Information Systems.
My Department and the Defence Forces focus on the risks and threats arising in the context of the roles laid down by Government for the Defence Forces. My Department and the Defence Forces implement a programme of continuous review in relation to ICT security in order to keep up to date with current threat levels. This risk assessment is carried out by a high-level Board comprising civil and military personnel and is supported by sub-groups who carry out specific reviews where a security risk is identified. Detailed policies and guidelines are provided to all users of ICT systems and considerable resources are invested in assessing weaknesses and protecting systems against cyber attack and malicious security breaches.
I would also point out that the Defence Forces take comprehensive measures with regard to the security of their information and communications systems when deployed, in Ireland and overseas. Details of measures taken are not publicised for security reasons, but given the levels of upgrading and increased protection put in place in recent years, the vulnerability to such attacks has been greatly minimised.
I think the fact that Ireland’s CERT (IRISS) is a not-for-profit organisation run by a number of volunteers and depends on sponsorship to survive is another indicator as to how serious the Government appears to view cyber security.
If we as a nation want to seriously become a knowledge economy then we need to take a strategic view on how we protect the digital assets that we are trying to develop. We need to develop a cyber security strategy and ensure that someone is given the responsibility and most importantly the authority to ensure that all organisations that make up our Critical Network Infrastructure and upon whom we rely to create the new Digital Ireland do so in a secure manner.
RTE’s Prime Time Investigates program ran a piece on 2nd of July on the extent of Cyber Crime in Ireland. The program is now available online and it has me contributing to it. The segment starts about 18 minutes into the program.
Interesting take aways from the program for business owners;
You have legal obligations under the Data Protection Act to protect your staff and clients’ personal information.
Good security is not difficult to implement.
Other areas discussed in the program, and in particular during the panel discussion, relate to the effectiveness of the current Data Protection laws, whether or not we should have mandatory breach disclosure laws (something which I have spoken about before) and how Ireland as a nation is dealing with cybercrime. Items which I shall blog about soon.
Calyx are hosting their Security Seminar on April the 23rd in the Burlington Hotel. I have been invited to be the first speaker of the day and will be discussing “Emerging Threats in Security: challenges and statistics for 2009”. Given the rapidly changing economic and information security landscapes my challenge will be to highlight the relevant items in my talk.
The seminar boasts an interesting line-up and will focus on the following topics:
The changing nature of threats
Virtualisation in the context of Information Security
Cost savings for IT departments
9.45 – 10.00 Registration, tea & coffee
10.00 – 10.05 Welcome & introduction by Calyx Security
10.05 – 10.30 “Emerging Threats in Security: challenges and statistics for 2009”, Brian Honan, BH Consulting
10.30 – 10.55 “Optimising security in a changing threat landscape”, Jonny Wilkinson, Websense
10.55 – 11.20 “Security in virtualised data centre”, Owen Cole, Technical Director, F5
11.20 – 11.35 Tea & coffee break
11.35 – 12.00 “Three Dimensional Network Security: Know your network better than your enemy does”, Leon Ward, Senior Security Engineer, Sourcefire Inc.
12.00 – 12.25 “Leveraging Security as a Service to cope with the current global economic slowdown”, Ray McArdle, Sales Engineer, Trend Micro
12.25 – 12.45 “Cloud compliance: How to manage SaaS risk”, John Ryan, General Manager, Calyx Security
12.45 – 13.00 Panel session
13.00 – 14.00 Buffet lunch
It is free to attend the seminar and if you are interested you can register by either emailing email@example.com or calling 01-205 9650.
What is interesting is that 1 in 4 organisations surveyed admitted to having experienced an external intrusion into their systems, while 30% stated they experienced denial-of-service (DoS) attacks.
One figure that struck me was that despite a high number of organisations reporting internal security breaches, only 14% of those surveyed were concerned about employees accessing data they should not, and only 8% rated internal intrusions in their top three security concerns.
Organisations need to wake up to the fact that one of the biggest threats to their security is their own staff. If we look at the recent spate of reported data losses here in Ireland the vast majority resulted from lost laptops or mobile devices.
So when it comes to securing your systems and your information, remember those that you trust the most are the ones that can hurt you the most.
The Irish League of Credit Unions has issued a warning alerting people to spoofed emails that are trying to get credit union customers to surrender their personal details. People are advised to ignore the emails. The warning from the ILCU can be found here
The Estonian Government has released a strategy paper on enhancing cyber security. This is an interesting read as we can all learn from the lessons of the cyber attacks against Estonia last year. The report makes for interesting reading and yet it is still sad to see that governments and many organisations only take computer security seriously after they have suffered a major attack.
Do you think this paper would have seen the light of day had Estonia not been a victim of a major Distributed Denial of Service attack last year? I also wonder how many government officials here in Ireland are working on a similar paper to defend the Irish Internet space?