Category: cyber security

  • The NZ Reserve Bank says it is investigating the breach, which may have exposed “commercially and personally sensitive information”. Image: Alexander Robertson/RNZ

    By RNZ News

    A cyber security expert says attacks like the latest on the Reserve Bank could be due to the type of data systems they are using.

The Reserve Bank revealed yesterday that a third-party file sharing service it uses, which holds some sensitive information, had been hacked.

    It is the latest after a string of cyber attacks in the past year targeting several major organisations in New Zealand, including the NZ Stock Exchange – which had its servers knocked out of public view for nearly a week in August.

    Titanium Defence cyber security expert Tony Grasso, who was the cyber lead at the Department of Internal Affairs, told Morning Report file sharing systems could weaken security.

    Grasso said there were still lots of questions about the breach to be answered.

    “The question that will be on my mind, and I’m sure this will be what they’re looking at is, who got in, how did they get in, and more importantly, what information has been taken from this file share, but more interestingly than that, have they got from the file share onto the bank systems internally?”

    However, he said it would be hard to say who could be behind the breach at this stage.

    Foreign intelligence agency?
    “You have to always keep in mind it may be a foreign intelligence national agency whenever something as big as the Reserve Bank … any government department within reason, you always have to have that at the back of your mind,” he said.

    “It would be interesting to find out how they were caught. Our detection systems here are good, if it’s one of those systems that have come from another government agency, a more sensitive government agency, that may indicate it was a foreign actor, or these days criminal gangs are getting together and they’ve become an industry on their own and are really good at getting into organisations.

    “Imagine the ransom you could put on the Reserve Bank if you encrypted all their data, for example.”

    Grasso hoped for a more detailed report from the Reserve Bank on who it could be.

“The Americans are very good at saying ‘it was definitely a foreign government’ and they normally name them as well. It would be good to know if it was that, if it was a criminal organisation or if it was just a lone wolf – we have loads of these in our industry.”

    The Reserve Bank said sensitive information “may” have been breached.

The type of information exposed would depend on who the third party was, Grasso said.

    Third party may be IT provider
    “A third party could be just an IT provider and they’re just sharing architecture documents, that would be bad of course. But it could be information around covid for example.

    “If they were working with external agencies about the recovery of the company from covid … it could be papers around how we’re planning for our recovery, I mean who knows.

    “I would hope that sensitive stuff like that isn’t held in a third party file server, I’m fairly sure it wouldn’t be.”

He said that even if the bank’s own systems were very secure, an insecure third party connecting to those systems could still introduce a threat.

Yesterday, Reserve Bank Governor Adrian Orr said the bank was investigating the breach with experts and authorities.

    “The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.

    “It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed. Our core functions remain sound and operational.”

    The Reserve Bank declined a request for an interview with Morning Report.

    This article is republished under a community partnership agreement with RNZ.

    This post was originally published on Radio Free.

  • Mohamed EL Bashir, a Public Policy & Internet Governance Strategist, wrote a lengthy but informative piece about the persistent problem of commercial spyware abuse: “Reshaping Cyberspace: Beyond the Emerging Online Mercenaries and the Aftermath of SolarWinds”, in CircleID, 5 January 2021.

    The piece starts off with some concrete cases such as Ahmed Mansoor [see https://humanrightsdefenders.blog/2016/08/29/apple-tackles-iphone-one-tap-spyware-flaws-after-mea-laureate-discovers-hacking-attempt/] and Rafael Cabrera [see: https://www.nytimes.com/2017/06/21/world/americas/mexico-pena-nieto-spying-hacking-surveillance.html]. In 2018, a close confidant of Jamal Khashoggi was targeted in Canada by a fake package notification, resulting in the infection of his iPhone.

    … Citizen Lab has tracked and documented more than two dozen cases using similar intrusion and spyware techniques. We don’t know the number of victims or their stories, as not all vectors are publicly known. Once spyware is implanted, it provides a command and control (C&C) server with regular, scheduled updates designed to avoid extensive bandwidth consumption. Those tools are created to be stealthy and evade forensic analysis, avoid detection by antivirus software, and can be deactivated and removed by operators.

    Once successfully implanted on a victim’s phone using an exploit chain like the Trident, spyware can actively record or passively gather a variety of different data about the device. By providing full access to the phone’s files, messages, microphone, and video camera, the operator can turn the device into a silent digital spy in the target’s pocket.

    These attacks and many others that are unreported show that spyware tools and the intrusion business have a significant abuse potential and that bad actors or governments can’t resist the temptation to use such tools against political opponents, journalists, and human rights defenders. Due to the lack of operational due-diligence of spyware companies, these companies don’t consider the impact of the use of their tools on the civilian population nor comply with human rights policies. [see: https://humanrightsdefenders.blog/2020/07/20/the-ups-and-downs-in-sueing-the-nso-group/]

    The growing privatization of cybersecurity attacks arises through a new generation of private companies, aka online mercenaries. This phenomenon has reached the point where it has acquired its own acronym, PSOAs, for the private sector offensive actors. This harmful industry is quickly growing to become a multi-billion dollar global technology market. These newly emerging companies provide nation-states and bad actors the option to buy the tools necessary for launching sophisticated cyberattacks. This adds another significant element to the cybersecurity threat landscape.

    These companies claim that they have strict controls over how their spyware is sold and used and have robust company oversight mechanisms to prevent abuse. However, the media and security research groups have consistently presented a different and more troubling picture of abuse…

    The growing abuse of surveillance technology by authoritarian regimes with poor human rights records is becoming a disturbing new, globally emerging trend. The use of these harmful tools has drawn attention to how the availability and abuse of highly intrusive surveillance technology shrink already limited cyberspace in which vulnerable people can express their views without facing repercussions such as imprisonment, torture, or killing.

    Solving this global problem will not be easy nor simple and will require a strong coalition of multi-stakeholders, including governments, civil society, and the private sector, to reign in what is now a “Wild West” of unmitigated abuse in cyberspace. With powerful surveillance and intrusion technology roaming free without restrictions, there is nowhere to hide, and no one will be safe from those who wish to cause harm online or offline. Not acting urgently by banning or restricting the use of these tools will threaten democracy, rule of law, and human rights worldwide.

    On December 7, 2020, the US National Security Agency issued a cybersecurity advisory warning that “Russian State-sponsored actors” were exploiting a vulnerability in the digital workspace software developed by VMware (VMware® Access and VMware Identity Manager products) using compromised credentials.

    The next day, on December 8, the cybersecurity firm FireEye announced the theft of its “Red Team” tools that it uses to identify vulnerabilities in its customers’ systems. Several prominent media organizations reported an ongoing software supply-chain attack against SolarWinds, the company whose products are used by over 300,000 corporate and government customers — including most of the Fortune 500 companies, Los Alamos National Laboratory (which has nuclear weapons responsibilities), and Boeing.

    A malware called SUNBURST infected SolarWinds’ customers’ systems when they updated the company’s Orion software.

    On December 30, 2020, Reuters reported that the hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code. This new development sent a worrying signal about the cyberattack’s ambition and intentions.

    Microsoft president Brad Smith said the cyber assault was effectively an attack on the US, its government, and other critical institutions, and demonstrated how dangerous the cyberspace landscape had become.

    Based on telemetry gathered from Microsoft’s Defender antivirus software, Smith said the nature of the attack and the breadth of the supply chain vulnerability was very clear to see. He said Microsoft has now identified at least 40 of its customers that the group targeted and compromised, most of which are understood to be based in the US, but Microsoft’s work has also uncovered victims in Belgium, Canada, Israel, Mexico, Spain, the UAE, and the UK, including government agencies, NGOs, and cybersecurity and technology firms.

    Although the ongoing operation appears to be for intelligence gathering, no reported damage has resulted from the attacks until the publishing date of this article. This is not “espionage as usual.” It created a serious technological vulnerability in the supply chain. It has also shaken the trust and reliability of the world’s most advanced critical infrastructure to advance one nation’s intelligence agency.

    As expected, the Kremlin has denied any role in recent cyberattacks on the United States. President Vladimir Putin’s spokesman Dmitry Peskov said the American accusations that Russia was behind a major security breach lacked evidence. The Russian denial raised the question of a gap of accountability in attributing cyberspace attacks to a nation-state or specific actor. Determining who is to blame in a cyberattack is a significant challenge, as cyberspace is intrinsically different from the kinetic one. There is no physical activity to observe, and technological advancements have allowed perpetrators to be harder to track and to remain seemingly anonymous when conducting the attack (Brantly, 2016).

    To achieve a legitimate attribution, it is not enough to identify the suspects, i.e., the actual persons involved in the cyberattacks; one must also be able to determine whether the cyberattacks had a motive, which can be political or economic, and whether the actors were supported by a government or a non-state actor, with enough evidence to support diplomatic, military, or legal options.

    A recognized attribution can enhance accountability in cyberspace and deter bad actors from launching cyberattacks, especially on civilian infrastructures like transportation systems, hospitals, power grids, schools, and civil society organizations.

    According to the United Nations’ Responsibility of States for Internationally Wrongful Acts, article 2, to constitute an “internationally wrongful act,” a cyber operation generally must be 1) attributable to a state and 2) breach an obligation owed to another state. It is also unfortunate that state-sponsored cyberattacks violate international law principles of necessity and proportionality.

    Governments need to consider a multi-stakeholder approach to help resolve the accountability gap in cyberspace. Some states continue to believe that ensuring international security and stability in cyberspace or cyberpeace is exclusively the responsibility of states. In practice, cyberspace is designed, deployed, and managed primarily by non-state actors, like tech companies, Internet Service Providers (ISPs), standards organizations, and research institutions. It is important to engage them in efforts to ensure the stability of cyberspace.

    I will name two examples of multi-stakeholder initiatives to secure cyberspace: the Global Commission on the Stability of Cyberspace (GCSC), which consisted of 28 commissioners from 16 countries, including government officials, has developed principles and norms that can be adopted by states to ensure stable and secure cyberspace. For example, it requested states and non-state actors to not pursue, support, or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda, or plebiscites.

    The Cyberpeace Institute is a newly established global NGO that was one year old in December 2020 but has the important goal of protecting the most vulnerable and achieving peace and justice in cyberspace. The institute started its operations by focusing on the healthcare industry, which was under attack daily during the COVID-19 pandemic. As those cyberattacks were a direct threat to human life, the institute called upon governments to stop cyber operations against medical facilities and protect healthcare.

    I believe that there is an opportunity for the states to forge agreements to curb cyberattacks on civilian and private sector infrastructure and to define what those boundaries and redlines should be.

    SolarWinds and the recent attacks on healthcare facilities are important milestones as they offer a live example of the paramount risks associated with a completely unchecked and unregulated cyberspace environment. But it will only prove to be a moment of true and more fundamental reckoning if many of us, governments, and different multi-stakeholders played a part, each in their respective roles, in capitalizing and focusing on those recent events by forcing legal, technological, and institutional reform and real change in cyberspace.

    The effects of the SolarWinds attack will not only impact US government agencies but businesses and civilians that are currently less secure online. Bad actors are becoming more aggressive, bold, reckless and continue to cross the red lines we considered as norms in cyberspace.

    Vulnerable civilians are the targets of the intrusion tools and spyware in a new cyberspace wild west landscape. Clearly, additional legal and regulatory scrutiny is required of private-sector offensive actors or PSOAs. If PSOA companies are unwilling to recognize the role that their products play in undermining human rights or address these urgent concerns, then, in this case, intervention by governments and other stakeholders is needed. 

    We no longer have the privilege of ignoring the growing impact of cyberattacks on international law, geopolitics, and civilians. We need a strong and global cybersecurity response. What is required is a multi-stakeholders’ courageous agenda that redefines historical assumptions and biases about the possibility of establishing new laws and norms that can govern cyberspace.

    Changes and reforms are achievable if there is will. The Snowden revelations and the outcry that followed resulted not only in massive changes to the domestic regulation of US foreign intelligence, but they also shaped changes at the European Court of Human Rights, the Court of Justice of the European Union, and the UN. The Human Rights Committee also helped spur the creation of a new UN Special Rapporteur on the Right to Privacy based in Geneva.

    The new cyberspace laws, rules, and norms require a multi-stakeholder dialogue process that involves participants from tech companies, academia, civil society, and international law in global discussions that can be facilitated by governments or supported by a specialized international intergovernmental organization.

    Sources and References:

    http://www.circleid.com/posts/20210105-reshaping-cyberspace-beyond-the-emerging-online-mercenaries/

    This post was originally published on Hans Thoolen on Human Rights Defenders.

  • Cybersecurity threats are having a huge impact on all industries across the public and private sectors – with wide-ranging effects on company trust, the economy, and creating a host of identity and privacy issues. No organisation is impenetrable, but some are better prepared than others.

    InnovationAus asked a leading local cybersecurity policy expert if these threats could be what unites public and private sectors to help build a more resilient Australia in an ever-increasing digital world.

    “Malicious cyber actors are attacking organisations with impunity and without any regard for what type of sector they represent,” said Australian Cyber Security Cooperative Research Centre (CSCRC) head of strategic policy Stephenie Andal.

    Dr Andal spoke with InnovationAus’ James Riley and privileged access management specialist CyberArk’s Australia and New Zealand regional director Thomas Fikentscher as part of the video series Bridging the Cyber Divide.

    Bridging the cyber divide: James Riley, Stephenie Andal and Thomas Fikentscher

    Private and public bodies are being targeted equally by cyber attackers, whether they be state-backed actors wanting to harm democracy or gain competitive advantage, or cybercriminals driven by profit or malice. However, nuances in the events – and the interpretation of them – can make creating suitable legislation complicated.

    As Australia heads into 2021, the nation is staring down radical legislative changes on all things cyber. There’s the big tech media code targeting Google and Facebook and the Federal Government’s just-released draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

    The critical infrastructure amendment seeks to encompass retailers, supermarkets, banks, law firms and cloud providers in addition to classical critical infrastructure providers such as ports and energy utilities that were captured by the 2018 Security of Critical Infrastructure Act — Australia’s answer to the US Terrorism Prevention and Critical Infrastructure Protection Act of 2017.

    There is certainly a cost to businesses, especially those newly captured by the legislation, which may not yet have the cyber security maturity the legislation requires and will have to be brought up to speed.

    Beyond broadening cybersecurity obligations in the private sector, the amendment would establish structures for government agencies to assist private sector firms during a hack. On paper, government assistance in these instances looks great, but it’s hugely problematic for cloud providers like Amazon Web Services and Microsoft’s Azure division if a signals intelligence and security agency like the Australian Signals Directorate (ASD) intervenes in a cyber security hack.

    It can create serious trust problems for global tech companies that supply essential IT services for government agencies, not just in Australia but across the world. Should Microsoft let an Australian security agency into its network without expecting questions from customers in other jurisdictions?

    At the same time, the line between state-sponsored cyber-espionage and rough-and-ready ransomware is blurring. The WannaCry and NotPetya ransomware outbreaks in 2017 initially looked like the work of cybercriminals, but Western governments blamed them, respectively, on the governments of North Korea and Russia.

    On the other hand, Dr Andal points to Verizon’s recently released 2020-2021 Cyber Espionage Report that found the sectors most affected by cyber espionage include financial services, professional services and the public sector.

    “I think what’s really critical to note about these global trends is some of the new sectors that are being encompassed within Australia’s forthcoming legislation,” said Dr Andal.

    “There’s a recognition from the Australian Government that malicious cyber activity happens across multiple sectors, across all parts of our economy and we really need to be doing more and taking a more holistic approach to mitigating these threats,” she added.

    Evidence of Australia’s public sector response can be seen in the consolidation of government cybersecurity functions across the ASD, the Australian Cyber Security Centre (ACSC), and AustCyber, an independent, non-profit Australian cybersecurity growth network that was set up by the Federal Government in 2017 to support Australia’s sovereign cybersecurity capability, she said.

    Dr Andal works for the CSCRC, which handles collaboration between industry, government and academia – somewhat emulating Israel’s approach through the Israel Innovation Authority, which has supported its startup tech scene and digital sovereign capabilities since the 1970s.

    Digital sovereign capabilities are a big question for Australia. CyberArk’s Mr Fikentscher believes a lack of understanding about ‘digital risk’ is hampering homegrown companies from expanding into overseas markets.

    He argues there should be a ‘digital board’ that helps inform company directors and government agencies as to how to bring cybersecurity into the broader discussion about company risk management.

    “Digital risk [as an outcome from digital transformation] is something that’s quite new, whereas cybersecurity has long been in that space,” said Mr Fikentscher.

    “I believe some organisations, that have always operated internationally and had that exchange to global markets, are a bit more advanced because they have more depth of experience,” he said.

    “Whereas domestic organisations, that are trying to expand internationally, run into problems around digital risk because they just don’t know where to start and how to structure and manage the approach to market properly.”

    The public-private divide on the digital economy spans questions about how government supports Australian security startups, how boards of large companies manage cybersecurity risks, the regulatory framework for cybersecurity, and what instruments the government is building for itself and for the private sector.

    The ACSC ensures Australia remains resilient against cyberattacks against government and industry while helping inform citizens and consumers about risks. The ASD got a A$31 million injection as part of the Federal Government’s $1.35 billion Cybersecurity Strategy announced in June. The Government stressed that the investment was to boost ASD’s capabilities to fight hackers offshore before they breached local networks.

    But throw China and international trade discussions into the equation and new questions arise. There are geopolitical rifts between China, Australia, the US and Europe that make the question of public-private partnerships a lot more complicated – in a world where existing global supply chains are being disrupted.

    “Really, we’re in a very challenging and fast-moving moment – where, at a global and supranational level, we’re seeing the technological unpicking or decoupling of systems or supply chains as we’ve known it,” said Dr Andal.

    “We’re in the thick of trying to grapple with what that means for us from a digital transformation perspective, from a cybersecurity perspective and then all the way down to citizens and how we will benefit or perhaps not from that.

    “Many nations are grappling with this, not only Australia.”

    However, Australia could be headed down the right path with organisations like the CSCRC, which have a chance to convince larger Australian Government agencies to support early-stage research that could be commercialised, according to Mr Fikentscher.

    “You could actually start a research project at the very early days and bring in one of the big agencies or a private organisation to collaborate as a public-private project,” he said. “This offers the best of both worlds – where the public sector provides the guard rails and the private sector is driving this on the innovation side.

    “It starts with collaboration. If we do that, we can find and develop a lot of good talent within this country, and as a result we would be less reliant on bringing people and skills in from offshore into Australia.”

    The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.

    The post Bridging the public private divide: Cybersecurity appeared first on InnovationAus.

    This post was originally published on InnovationAus.