Android Lollipop Security Features

Google is reportedly offering data encryption in its upcoming Android platform – Android L(ollipop), by default. Though Google has been providing data encryption capability since past three years, it had been kept optional. The company assures users that keys/passcodes are not stored online or anywhere off your device, so Google has no way to share them. It is, however, widely accepted that majority of the users were unaware of this option. Hence, now users don’t even have to bother about turning it on, with default settings in place. The new security strategy comes hot on the heels of Apple announcing that users' data on iOS 8 is protected by passwords that even Apple cannot access. Expanded deployment of encryption by Google and Apple, however, will have the most direct impact on law enforcement officials, who  have long warned that restrictions on their access to electronic devices make it much harder for them to prevent and solve crimes. Google does not have the ability to deliver its updated operating system, called the “L-release,” quickly to most users. Several different manufacturers make smartphones and tablets that use the Android operating system, and those devices are sold by many cellular carriers worldwide. This results in what experts call “fragmentation” – meaning there are hundreds of different versions of Android worldwide, many several years old, making it difficult to keep them current with the latest security features. The newest Android devices will likely ship with default encryption in a few days, but it will take many months and probably years before most Android devices have encryption by default.


The latest version of the mobile OS has amped up its deployment of Security Enhanced Linux (SE Android) in order to bring security policy enforcement to the kernel level, and has also switched device encryption on by default.
“You can authorize apps with high-level permissions and deep down they’re being granted a lot more access than necessary. With SE Android, Google is expanding and getting more fine-grained controls and containment,” said Zach Lanier, senior security researcher with Duo Labs, the research division of Duo Security. With SE Android, you’re much closer to having a real sandbox.

SE Linux has been in Android since version 4.4, but now all application enforcement is being pulled into the OS kernel. Google lead security engineer for Android Adrian Ludwig said this makes security auditing and monitoring easier on the device.
“With Android 5.0, SELinux Enforcing mode is required for all applications on all devices,” Ludwig said. “Multiple vulnerabilities have been prevented since we first introduced SELinux last year; by strengthening it even more, Android becomes a top choice for enterprise customers that have really strict security standards, such as the government.”

There are also rumors about multiple accounts per device, that would allow users to separate business form personal functions. The new Android for Work solution (which incorporates Samsung KNOX features) will address these issues by creating an encrypted storage and a virtual environment, basically, a smartphone inside a smartphone. After launching Android for Work, a user will see a “business home screen” with company-approved apps and can perform his/her duties using encrypted data and an encrypted Internet connection. One click ― and his/her personal home screen and apps are back. Private and work-related apps and data are fully isolated, e.g. the company email app cannot read users’ personal address book or photo library, and vice versa.

Google developers briefly mentioned something called Universal Data Controls, a centralized tool helping a user identify items like which apps, what kind of his/her personal data and what should be blocked for an individual’s smartphone. Unfortunately, there are few details on the subject. We will have to wait a few more days to take a closer look at this function.

If you're buying a Nexus 6 or Nexus 9, you can get Android Lollipop from November 3rd (if you're in the UK, you'll be able to pre-order in November and receive your phablet or tablet within a few weeks). But if you already have a Nexus 5, 7 or 10 you should get it in a free over-the-air update in the "coming weeks" according to Google's blog. 

Read More

Biggest ever cyber security exercise in Europe

More than 200 organisations and 400 cyber-security professionals from 29 European countries are testing their readiness to counter cyber-attacks in a day-long simulation, organised by the European Union Agency for Network and Information Security (ENISA).

In Cyber Europe 2014 experts from the public and private sectors including cyber security agencies, national Computer Emergency Response Teams, ministries, telecoms companies, energy companies, financial institutions and internet service providers are testing their procedures and capabilities against in a life-like, large-scale cyber-security scenario.

#CyberEurope2014 is the largest and most complex such exercise organised in Europe. More than 2000 separate cyber-incidents will be dealt with, including denial of service attacks to online services, intelligence and media reports on cyber-attack operations, website defacements (attacks that change a website's appearance), ex-filtration of sensitive information, attacks on critical infrastructure such as energy or telecoms networks and the testing of EU cooperation and escalation procedures. This is a distributed exercise, involving several exercise centres across Europe, which is coordinated by a central exercise control center.

European Commission Vice-President Neelie Kroes said: "The sophistication and volume of cyber-attacks are increasing every day. They cannot be countered if individual states work alone or just a handful of them act together. I'm pleased that EU and EFTA Member States are working with the EU institutions with ENISA bringing them together. Only this kind of common effort will help keep today’s economy and society protected."

The Executive Director of ENISA, Professor Udo Helmbrecht, commented: “Five years ago there were no procedures to drive cooperation during a cyber-crisis between EU Member States. Today we have the procedures in place collectively to mitigate a cyber-crisis on European level. The outcome of today’s exercise will tell us where we stand and identify the next steps to take in order to keep improving.”

The #CyberEurope2014 exercise will, among others, test procedures to share operational information on cyber-crisis in Europe; enhance national capabilities to tackle cyber crises; explore the effect of multiple and parallel information exchanges between private-public, private-private at national and international level. The exercise also tests out the EU-Standard Operational Procedures (EU-SOPs), a set of guidelines to share operational information on cyber crisis.

Background

According to ENISA’s Threat Landscape report (2013), threat agents have increased the sophistication of their attacks and their tools. It has become clear that maturity in cyber activities is not a matter of a handful of countries. Rather, multiple countries have developed capabilities that can be used to infiltrate all kinds of targets, governmental and private in order to achieve their objectives.

In 2013, global web web-based attacks increased by almost a quarter and the total number of data breaches was 61% higher than 2012. Each of the eight top data breaches resulted in the loss of tens of millions of data records while 552 million identities were exposed. According to industry estimates cyber-crime and espionage accounted for between $300bn and $1tn in annual global losses in 2013.

The exercise

This exercise simulates large-scale crises related to critical information infrastructures. Experts from ENISA will issue a report with key findings after the exercise ends.

#CyberEurope2014 is a bi-annual, large scale cyber security exercise. It is organised every two years by ENISA, and this year counts 29 European countries (26 EU and 3 from EFTA) plus EU Institutions. It takes place in 3 phases throughout the year: technical, which involves the incident detection, investigation, mitigation and information exchanges (completed in April); operational/tactical, dealing with alerting, crisis assessment, cooperation, coordination, tactical analysis, advice and information exchanges at operational level (today) and early 2015; strategic, which examines decision making, political impact and public affairs. This exercise will not affect critical information infrastructures, systems, or services.

In the Cyber security Strategy for the EU and proposed Directive for a high common level of network and information security (NIS), the European Commission calls for the development of national contingency plans and regular exercises, testing large-scale networks’ security incident response and disaster recovery. ENISA’s new mandate also highlights the importance of cyber-security preparedness exercises in enhancing trust and confidence in online services across Europe. The draft EU-SOPs have been tested over the last three years, including during CE2012.

Read More

PCCW Global acquires Crypteia Networks

PCCW Global acquires Crypteia Networks to address cyber security issues facing most organizations today.

HKT (SEHK: 6823) HONG KONG – October 20, 2014 – PCCW Global, the international operating division of HKT, Hong Kong's premier telecommunications service provider, has acquired Crypteia Networks, a European company offering innovative security-as-a-service solutions. Using patent-pending technology and a non-intrusive approach, Crypteia helps organizations of any size detect and respond to the new breed of cyber threats.

Headquartered in Athens, Greece, Crypteia Networks will continue to operate as a separate brand, while benefiting from PCCW Global's international presence and extended customer base in order to accelerate its global expansion. The company currently has more than 150 customer installations in various countries, including the UK, Germany, and Greece. Its customers range from professional services firms and retailers to financial institutions, public sector and critical infrastructure providers. PCCW Global will offer Crypteia solutions as part of its managed network services portfolio to its customers worldwide.

Mr. Marc Halbfinger, Chief Executive Officer of PCCW Global, said, "Organizations of every size need to adapt their approach to network security in order to combat the new breed of cyber risk, which includes advanced persistent threats, cybercrime, and other forms of attack."

The worldwide Threat Intelligence Security Services market is predicted by IDC to be worth US$1.4 billion by 2018 *.

Cyber threats today can range from data theft and sabotage to attacks carried out by traditional crime organizations and even cyber terrorism targeting critical infrastructure. No organization or company is immune and, in fact, many may already have been infiltrated without their knowledge. In a February 2014 report, Gartner suggested that "organizations must assume they are compromised, and, therefore, invest in detective capabilities that provide continuous monitoring for patterns and behaviours indicative of malicious intent".

"Existing security solutions such as firewalls, antivirus, and intrusion detection systems are insufficient for this new breed of threat," said Mr. Halbfinger. "These traditional perimeter and network security measures rely on the threat having been previously identified and analysed, whereas the new breed of attacker is just that, completely new and never-before-seen."

"At PCCW Global, we believe that organizations may not be able to achieve the necessary level of protection on their own. Building and running real-time predictive security solutions, and monitoring multiple sources of threat intelligence, is complicated. The threats are not isolated and therefore neither can the responses. In addition, increasing regulatory scrutiny and compliance requirements means corporations in many industries must ensure that that they have taken all possible steps to protect and audit the integrity of their IT systems and data," he added.

Crypteia's patent-pending MOREAL reporting and alerting platform with Security Incident and Event Management features and solutions can be cloud-based, and used with any operating environment. MOREAL correlates and analyses customer network data, global network data, and aggregated threat intelligence, thereby identifying potential advanced threats. The service is backed up by Crypteia's Global Security Operation Center.

Mr. Yiannis Giokas, founder and Chief Executive Officer of Crypteia Networks, said, "A key reason that many organizations are currently vulnerable is that most solutions aiming to combat the new threats are highly complex, costly, and time-consuming to administer. Crypteia was designed to be the opposite: lightweight, cloud-based, automated, and affordable. The Crypteia approach is non-intrusive, requiring no additional hardware or software, and uses data logs that most companies are already generating. This means that companies do not have to change the way they are currently operating, nor do they need to make large and costly purchases in order to institute appropriate protection and analysis. We believe such an approach is absolutely critical in ensuring that organizations of all shapes and sizes can protect themselves from the 'unknown'."

Mr. Halbfinger added, "With the acquisition of Crypteia Networks, PCCW Global can further provide a secure communications channel for customers accessing and protecting their most valuable assets via a service chain of managed network transport and connectivity, content delivery, and network security which will become increasingly integrated over time."

Crypteia Networks was founded by Mr. Yiannis Giokas, an entrepreneur from Greece with an MBA from the Athens University of Business and Economics and a BSc in Electrical Engineering from the Athens Technological Institute. The company was recently named a finalist for two prestigious awards: the 2014 MassChallenge, a US based entrepreneurship accelerator, and the European Commission's 2014 European Enterprise Network Awards.

The transaction does not constitute a notifiable transaction of HKT Trust and HKT Limited under Chapter 14 of the Rules Governing the Listing of Securities on the Hong Kong Stock Exchange.

* Worldwide Threat Intelligence Security Services 2014-2018 Forecast, IDC, March 2014

Read More

History of Major Information Security Incidents

Since the early days of communication, diplomats and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of correspondence and to have some means of detecting tampering. Modern computer history is filled with information security incidents. But what are the major incidents that changed our view on staying safe online? It all started in mid 40s...

Read More

Six Notorious Hackers

Robert Tappan Morris - The Pioneer

Morris was born in 1965. His father, Robert Morris, was a computer scientist at Bell Labs, where he helped design Multics and Unix. He later became the chief scientist at the National Computer Security Center, a division of the National Security Agency (NSA)

Morris Jr. attended Harvard University, and later went on to graduate school at Cornell. During his first year there, he designed a computer worm that disrupted many computers on what was then a fledgling internet. This landed him in court a year later.

Morris' worm was developed in 1988, while he was a graduate student at Cornell University. He said it was designed to gauge the size of the Internet. He released the worm from MIT, rather than from Cornell. The worm exploited several vulnerabilities to gain entry to targeted systems, including:

• a hole in the debug mode of the Unix sendmail program,
• a buffer overrun hole in the fingerd network service,
• the transitive trust enabled by people setting up rexec/rsh network logins without password requirements.

The worm was programmed to check each computer it found to determine if the infection was already present. However, Morris believed that some administrators might try to defeat his worm by instructing the computer to report a false positive. To compensate for this possibility, Morris directed the worm to copy itself anyway, 14% of the time, no matter what the response to the infection-status interrogation.

This level of persistence was a design flaw: it created system loads that not only brought it to the attention of system administrators, but also disrupted the target computers. During the ensuing trial, it was estimated that the cost in "potential loss in productivity" caused by the worm and efforts to remove it from different systems ranged from $200 to $53,000.

Morris' stated motive during the trial was "to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects [he] had discovered." He completed his sentence as of 1994.

Kevin David Mitnick - The Star

Mitnick was born in 1963 and grew up in Los Angeles and attended James Monroe High School. He was enrolled at Los Angeles Pierce College and USC. For a time, he worked as a receptionist for Stephen S. Wise Temple.

At age 15, Mitnick used social engineering and dumpster diving  to bypass the punch card system used in the Los Angeles bus system. After a friendly bus driver told him where he could buy his own ticket punch, he could ride any bus in the greater LA area using unused transfer slips he found in the trash. Social engineering later became his primary method of obtaining information, including user-names and passwords and modem phone numbers.

Mitnick first gained unauthorized access to a computer network in 1979, at 16, when a friend gave him the phone number for the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software. He broke into DEC's computer network and copied their software, a crime he was charged with and convicted of in 1988. He was sentenced to 12 months in prison followed by three years of supervised release. Near the end of his supervised release, Mitnick hacked into Pacific Bell voice mail computers. After a warrant was issued for his arrest, Mitnick fled, becoming a fugitive for two and a half years.

According to the U.S. Department of Justice, Mitnick gained unauthorized access to dozens of computer networks while he was a fugitive. He used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail. Mitnick was apprehended on February 15, 1995, in Raleigh, North Carolina. He was found with cloned cellular phones, more than 100 clone cellular phone codes, and multiple pieces of false identification.

In 1999, Mitnick pleaded guilty to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication, as part of a plea agreement before the United States District Court for the Central District of California in Los Angeles. He was sentenced to 46 months in prison plus 22 months for violating the terms of his 1989 supervised release sentence for computer fraud. He admitted to violating the terms of supervised release by hacking into PacBell voicemail and other systems and to associating with known computer hackers, in this case co-defendant Lewis De Payne.

Mitnick served five years in prison—four and a half years pre-trial and eight months in solitary confinement—because, according to Mitnick, law enforcement officials convinced a judge that he had the ability to "...start a nuclear war by whistling into a pay phone", meaning that law enforcement told the judge that he could somehow dial into the NORAD modem via a payphone from prison and communicate with the modem by whistling to launch nuclear missiles. He was released on January 21, 2000. During his supervised release, which ended on January 21, 2003, he was initially forbidden to use any communications technology other than a landline telephone. Mitnick fought this decision in court, eventually winning a ruling in his favor, allowing him to access the Internet.

Since 2000, Kevin has been a professional security consultant, public speaker and author. He does security consulting for Fortune 500 companies, performs penetration testing services for the world’s largest companies and teaches Social Engineering classes to dozens of companies and government agencies. He is the author of a dozen books that have been translated into many languages, including "The art of deception" and "The Art of Intrusion".

Adrian Lamo - The Snitch

Lamo was born in Boston, Massachusetts in 1981. He does not have a high school diploma. According to Jennifer Kahn of Wired, Lamo was known as the "Homeless Hacker" for his supposedly transient lifestyle. Lamo has claimed that he has spent much of his travels couch-surfing, squatting in abandoned buildings and traveling to Internet cafes, libraries and universities to investigate networks, and sometimes exploiting security holes. Despite performing authorized and unauthorized vulnerability assessments for several large, high-profile entities, Lamo has claimed he refused to accept payment for his services.

As of March 2011, Lamo was allegedly "in hiding," claiming that his "life was under threat" after turning in Manning.

In December 2001, Lamo was praised by Worldcom for helping to fortify their corporate security. In February 2002 he broke into the internal computer network of The New York Times, adding his name to the internal database of expert sources, and using the paper's LexisNexis account to conduct research on high-profile subjects. The New York Times filed a complaint, and a warrant for Lamo's arrest was issued in August 2003 following a 15-month investigation by federal prosecutors in New York. At 10:15 am on September 9, after spending a few days in hiding, he surrendered to the local authorities of California. He re-surrendered to the FBI in New York City on September 11, and pled guilty to one felony count of computer crimes against Microsoft, LexisNexis and The New York Times on January 8, 2004.

Later in 2004, Lamo was sentenced to six months detention at his parents' home plus two years probation, and was ordered to pay roughly $65,000 in restitution. He was convicted of compromising security at The New York Times and Microsoft, Yahoo!  and WorldCom.

At his sentencing, Lamo expressed remorse for harm he had caused through his intrusions, with the court record quoting him as adding "I want to answer for what I have done and do better with my life."

In February 2009, a partial list of the anonymous donors to the WikiLeaks not-for-profit website was leaked and published on the WikiLeaks website. Some media sources indicated at the time that Lamo was among the donors on the list.

In May 2010, Lamo reported to U.S. Army authorities that Manning had claimed to have leaked a large body of classified documents, including 260,000 classified United States diplomatic cables. Lamo stated that Manning also "took credit for leaking" the controversial video footage of the July 12, 2007 Baghdad airstrike, which has since come to be known as the "Collateral Murder" video.

Lamo has stated that he would not have turned Manning in "if lives weren't in danger... [Manning] was in a war zone and basically trying to vacuum up as much classified information as he could, and just throwing it up into the air." WikiLeaks responded by denouncing Lamo and Wired Magazine reporter Kevin Poulsen as "notorious felons, informers & manipulators" and said that "journalists should take care."

Lamo has been criticized by fellow hackers such as those at the Hackers on Planet Earth conference in 2010, who called him a "snitch". Another commented to Lamo following his speech during a panel discussion saying: "From my perspective, I see what you have done as treason."

WikiLeaks founder Julian Assange calls Lamo "a very disreputable character", and says that Lamo's monetary support for WikiLeaks amounted to only 20 U.S. dollars on one occasion. Assange says that it is "not right to call [Lamo] a contributor to WikiLeaks", and questions the electronic record associated with the Manning–Lamo chats, because, according to Assange, Lamo has "strange motivations" and "had been in a mental hospital three weeks beforehand".

Lamo has been critical of media coverage of the hacker collective Anonymous, claiming that media outlets have over-hyped and mythologised the group. He also said that Anonymous is not the 'invulnerable' group it is claimed to be, and can see "no rational point in what they're doing."

Gary McKinnon - The Autistic Hacker

Gary McKinnon, born in 1966, is a Scottish systems administrator and hacker who was accused in 2002 of perpetrating the biggest military computer hack of all time, has been diagnosed of Asperger's Syndrome .

McKinnon is accused of hacking into 97 United States military and NASA computers over a 13-month period between February 2001 and March 2002, at his girlfriend's aunt's house in London, using the name 'Solo'.

The US authorities claim he deleted critical files from operating systems, which shut down the United States Army’s Military District of Washington network of 2,000 computers for 24 hours. McKinnon also posted a notice on the military's website: "Your security is crap". After the September 11 attacks in 2001, he deleted weapons logs at the Earle Naval Weapons Station, rendering its network of 300 computers inoperable and paralyzing munitions supply deliveries for the US Navy's Atlantic Fleet. McKinnon is also accused of copying data, account files and passwords onto his own computer. US authorities claim the cost of tracking and correcting the problems he caused was over $700,000.

Raphael Gray - The 'Saint'

Raphael Gray, born in 1982, is a computer hacker who, at the age of 19, hacked computer systems around the world over a period of six weeks between January and February 1999 as part of a multi-million pound credit card mission. He then proceeded to publish credit card details of over 6,500 cards as an example of weak security in the growing number of consumer websites.

Gray was able to break into the secure systems using an $500 computer he bought in his home town Clynderwen, Pembrokeshire, Wales. After publishing the credit card info on his websites, Gray posted a personal message saying law enforcers would never find him "because they never catch anyone. The police can't hack their way out of a paper bag." He was dubbed the "Bill Gates Hacker", when he sent Viagra tablets to Gates' address and then published what he claimed to be the billionaire's own number.

He was tracked down by ex-hacker Chris Davis who was insulted by Gray's "arrogance". It took Davis under a day to find Gray's information, which he then forwarded to the FBI. "The FBI was actually quite easy to deal with, although technically, they didn't really understand what it was I was explaining to them. The local police were also very polite, but they didn't understand it," said Davis. Gray was arrested when FBI agents and officers from the local Dyfed Powys Police turned up at the door of his home, which he shared with his mother and two sisters, in March 2000.

Aaron Hillel Swartz - The Legend

Aaron Swartz was an American computer programmer, writer, political organizer and Internet Hacktivist. Swartz was born in Chicago, Illinois, in 1986. The eldest son of Jewish parents Susan and Robert Swartz. His father had founded the software firm Mark Williams Company. Swartz immersed himself in the study of computers, programming, the Internet, and Internet culture.

Swartz was involved in the development of the web feed format RSS and the Markdown publishing format, the organization Creative Commons, the website framework web.py and the social news site, Reddit, in which he became a partner after its merger with his company, Infogami.

At age 14, he became a member of the working group that authored the RSS 1.0 web syndication specification. In 2001, Swartz joined the RDFCore working group at the World Wide Web Consortium (W3C), where he authored RFC 3870, Application/RDF+XML Media Type Registration. The document described a new media type, "RDF/XML", designed to support the Semantic Web. Swartz was co-creator, with John Gruber, of Markdown, a simplified markup standard derived from HTML, and author of its html2text translator. Markdown remains in widespread use.

Swartz's work also focused on sociology, civic awareness and activism. He helped launch the Progressive Change Campaign Committee in 2009 to learn more about effective online activism. In 2010 he became a research fellow at Harvard University's Safra Research Lab on Institutional Corruption, directed by Lawrence Lessig. He founded the online group Demand Progress, known for its campaign against the Stop Online Piracy Act. On December 27, 2010, Swartz filed a Freedom of Information Act (FOIA) request to learn about the treatment of Chelsea Manning, alleged source for Wikileaks.

On January 6, 2011, Swartz was arrested by MIT police on state breaking-and-entering charges, after systematically downloading academic journal articles from JSTOR. Federal prosecutors later charged him with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act, carrying a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, restitution and supervised release.

Swartz declined a plea bargain under which he would serve six months in federal prison. Two days after the prosecution rejected a counter-offer by Swartz, he was found dead in his Brooklyn, New York apartment, where he had hanged himself. No suicide note was found.

In June 2013, Swartz was posthumously inducted into the Internet Hall of Fame.

Read More

Online Banking Safety Tips

Internet and mobile banking is very convenient, and allows us to be in complete control of our finances from wherever we are, but we need to be assured that our money is safe. The major banks are committed to investing in the technology to secure these online services, but let’s not forget that we all have a part to play in protecting our accounts and there are some very simple steps we should all take – these are things like only downloading the official banking app, keeping log-in details private and installing security software.

Digital Safety Tips

• Protect your computer, laptop, tablet or mobile device with the latest security software and install regular updates.
• Only visit your bank’s online banking site from a trusted bookmark or by typing the site address in your browser
• Always use official mobile banking apps provided by your bank and only download apps from official app stores
• When using a public wi-fi hotspot, log in or send personal information only to websites you know are fully encrypted.
• Don’t stay permanently signed in to accounts. When you’ve finished using an account, log out.
• Keep your PINs, passwords, bankcard details and authorisation codes to yourself – don’t share them with anyone who phones, emails or calls at your door
• Strengthen your passwords with letters, numbers and symbols and don’t write them down
• Check statements regularly and inform your bank about any odd activity
• Keep your bank updated with your latest contact numbers so it can get in touch if they identify suspicious transactions

Read More