Cyber espionage and foreign interference pose serious threats to Australia’s national security, the federal attorney-general says.
‘The next ten years will undoubtedly see a marked intensification of this activity,’ Robert McClelland told a Sydney summit discussing the decade since the attacks of September 11, 2001.
Mr McClelland pointed to recent prominent cyber attacks such as Ghostnet, which infected computers belonging to the office of the Dalai Lama and Stuxnet which brought Estonia to a virtual standstill.
‘These attacks and the threat to critical infrastructure such as banking, telecommunications and government systems is not something we can be complacent about,’ he said on Tuesday.
The Australian government has made cyber security a top national security priority and is investing to significantly enhance Australia’s cyber security capabilities, he added.
The global and interconnected nature of the internet means the threat extends beyond nations.
‘For this reason it is critical that laws designed to combat cyber threats are harmonised, or at least compatible to allow for international co-operation,’ Mr McClelland told the conference hosted by the United States Studies Centre.
The government is seeking to strengthen international arrangements by moving to accede to the Council of European Convention on Cybercrime.
This is the only binding international treaty on this ‘significant threat’, he said.
‘(Accession to the convention) will help Australian agencies to better prevent, detect and prosecute cyber intrusions.’
The most frequent comment I see on stories reporting some new dramatically successful phishing attack is from an overly nearly well-informed technophile who thinks people who fall for phishing schemes are just stupid.
Despite a success rate so high it’s become standard operating procedure for Chinese military and government cyber-espionage groups, people who respond to phishing e-mails are treated like they’re one walker-assisted step above the elderly shut-ins who send money to help Nigerian princes and ministers of finance mysteriously down on their luck.
If only the stupid fell for phishing scams the successful attacks against companies with sophisticated security — Google, Lockheed Martin, HB Gary, PayPal, various other U.S. military and intelligence agencies — would have been able to shut down the breaches quickly. Others with security at least as good — CitiBank, Bank of America, AOL, Western Union — wouldn’t have to send out alerts every 10 minutes warning people that they weren’t sending out alerts, so don’t mail in your usernames and passwords.
Phishing works, for the same reason grifting works — given a set of facts that seem to fit all their expectations and experience, and the opportunity to either help out a co-worker or profit from something that’s very little trouble for them, most people will take the risk. (See also “4 Security Tips Spurred by Recent Phishing Attacks on Gmail, Hotmail, and Yahoo”).
Phishing e-mails are addressed to far too broad an audience to really fool anyone into thinking an e-mail is from a friend or coworker.
Spear-phishing is different. Spear phishers use the same kind of research, target identification and individually designed approach spymasters use in trying to identify, approach, and successfully recruit foreign nationals into betraying the interests of their country.
The goal isn’t to find a weakness and exploit it — through blackmail, bribery or what have you. It’s to find some specific person and present them with an e-mail that has all the information they need to support their assumption that it’s a perfectly legitimate request from someone they know.
Spear-phishers “first look for who could be the high-value targets of an enterprise — Human Resources personnel who might have access to passwords or personal data, a system administrator who is listed on LinkedIn with a detailed resume describing what he does for the company,” according to Manoj Srivastava, chief technical officer at security-software company Cyveillance.
“Then they go to Facebook, MySpace, Twitter — any social network or forum or other site that could give them information about that person that could be used against them. If they can find pictures the person, or a friend of the person posted on Facebook, the e-mail could look like it came from a friend named in the pictures and be labeled ‘Pictures from the picnic,’ with a malicious payload in the attachments or at the URL the picture links point to,” Srivastava said.
“With enough research on someone with some amount of information about themselves online, an email can very convincingly look like it came from a friend. The idea is not to raise any suspicions,” he said.
Often just the research is enough to turn up enough information to open the firewall a crack — spoofing the e-mail of an employee well enough to get someone inside the firewall to open the message and launch a file or click a link that turns out to contain malware that lets the cracker in.
Antivirus designed to catch malware coming in through email might not catch it being downloaded from a link clicked from inside, a fake application “update” or other vector, according to a March report from NSS Labs showing even good antivirus systems fail when the malware tries to come in through several different entry points.
Cyveillance, among other services that all depend on extensive, real-time examination and analysis of online scams, runs an antiphishing anti-spam service designed to identify potential high-risk e-mail by looking not at the falsified e-mail address, but the request inside the message.
“You have to look at the links and evaluate the level of risk based on whether it is asking that secure information inside the firewall be sent outside using links or sites that may not be secure,” he said.
Successful spear-phishing is not just Google searching and manipulative e-mail-writing, either.
When members of Anonymous hacked HB Gary — the highly regarded security company whose CEO had bragged he was going to bring down the leaders of the hactivist group — they started with a SQL injection attack on HB Gary’s web site, and the low-security content-management system used to run the site.
The SQL injection let Anonymi download the user database from the CMS — including e-mail addresses and hash-encrypted passwords for employees.
If all HB Gary’s employees had used long or difficult passwords, the Anonymi would have been stuck for weeks trying to decrypt the passwords using rainbow tables.
Unfortunately the hashing was relatively simple, as were the passwords used by both the CEO and COO.
Anonymous cracked passwords for the two used them to log into the company’s Google Apps email system and use the CEO’s administrator privileges to reset the passwords for all the other users on the system.
That gave them access to all the e-mail, in which they found passwords and other information they used to create an e-mail that looked, in its lack of capitalization and punctuation, shorthand references to servers and login methods, authentic enough to look to the security specialist in charge of HB Gary’s most valuable data store to ask him to open a hole in the firewall for them to run through.
ArsTechnica’s step-by-step story about the attack includes text of the e-mail chain, which would bore anyone stupid who didn’t know it was Anonymous on one end of the request rather than the legitimate user.
At no point does the security specialist who was taken in look either stupid or stupidly trusting. The request and subsequent exchange are more detailed and technical than most password-repair requests from end users, in fact — requests that are fulfilled in their tens of thousands every day by people in IT.
The amount of trouble the Anonymi went to to crack HB Gary is way out of line with what would make sense for most companies.
Most of us rely for our sense of safety on either anonymity or degree of difficulty. We’re safe from physical or digital attack (mostly) because we’re each one of relatively indistinguishable hundreds of millions online.
We know someone targeting one of us individually could crack us more easily than Anonymous cracked HB Gary, but why go to the trouble?
You and I might not be worth the trouble. Lockheed Martin is. So is each person within it whose combination of online personal data, job description and access to potentially valuable authentication data would make them an attractive potential entry point.
Successful cracks don’t depend on millions of generic e-mails. Ideally they could use just one apiece, directed at just the right person, using just the right amount of corroborating information and context, appearing to come from the right person’s e-mail address or other source.
Why wouldn’t you help someone like that? Perhaps it’s part of your job to do exactly that.
Walk through a couple of spear-phishing exploits and the victims don’t look stupid anymore.
In fact, the attackers look smarter, and the rest of us look a lot more vulnerable.
The office of Victorian Deputy Premier Peter Ryan is refusing to comment on reports an adviser to the minister has been under surveillance by the police watchdog.
A ministerial adviser to Mr Ryan has been named in reports in The Age and Herald Sun newspapers as a target of surveillance by the Office of Police Integrity (OPI).
Mr Ryan, also Police Minister, is on compassionate leave from parliament and was unable to be contacted on Saturday, but his spokeswoman said the OPI operated without influence by politicians.
“Matters to do with the OPI are strictly matters for the OPI,” she said.
“They have the powers they have, they do as they do, we are outside of that process,” the spokeswoman said.
The OPI on Friday admitted they had Sir Ken Jones, one of Victoria’s most senior policeman, under surveillance following complaints.
A media report had earlier revealed the surveillance was underway, and Sir Ken’s wife and supporters had also been targeted.
Sir Ken had a rocky relationship with the police Chief Commissioner, Simon Overland.
Mr Overland forced Sir Ken to go on leave three months early after Sir Ken announced his resignation in May.
Victoria’s Police Association has said Mr Overland used his friendship with OPI’s deputy director, Paul Jevtovic, to influence the OPI to commence the investigation.
It is thought the ministerial adviser allegedly bugged by the OPI was a supporter of Sir Ken.
OTTAWA (AFP) – Canada’s spy chief warned Tuesday that state-sponsored espionage against this country has reached “levels equal to, or greater than those witnessed during the Cold War.”
Richard Fadden, director of the Canadian Security Intelligence Service, said in a report presented to parliament on Monday that foreign governments “continue to covertly gather political, economic and military information” in Canada through diplomatic missions, various organizations and by recruiting agents or informants.
A number of state-owned enterprises and private firms with close ties to foreign government or intelligence services have also pursued “opaque agendas” through investments in Canada.
“Canadian interests have been damaged by espionage activities through the loss of assets and leading-edge technology, leakage of confidential government information or applications, and the coercion and manipulation of ethno-cultural communities,” the report said.
Dubious foreign corporate acquisitions, it said, also “pose potential risks” related to critical infrastructure, control over strategic sectors and the illegal transfer of technology.
The report goes on to explain that Canada’s “open society with strong international relationships and advanced industries such as telecommunications and mining — make it attractive to foreign intelligence agencies.”
Its membership in the North Atlantic Treaty Organization and other multilateral and bilateral defence pacts, and close ties to the United States also make the country an attractive target for espionage, it said.
In the post-Cold War world, state actors are compelled to seek ways of remaining competitive both strategically and economically, the report said.
“As a world leader in communications, biotechnology, energy extraction technologies, aerospace and other areas, Canada remains an attractive target for economic espionage,” it said.
Rebekah Brooks, the chief executive of News International and former editor of The Sun, has been shown evidence suggesting her phone was hacked more than 20 times by a private investigator employed by another Rupert Murdoch title, it emerged last night.
News International confirmed the 43-year-old media executive met detectives last week from Operation Weeting – Scotland Yard’s third investigation into phone hacking – to see records showing she was targeted by Glenn Mulcaire, the private detective employed by the News of the World to eavesdrop on the voicemails of numerous public figures.
The alleged hacking took place between 2005 and 2006, when Ms Brooks, who is also a former editor of the NOTW, was in charge of The Sun, and raises the question of whether Mr Mulcaire was at the centre of an effort by Britain’s top-selling Sunday newspaper to spy on its daily stablemate.
The revelation that Ms Brooks was a likely repeated target for Mr Mulcaire was made by Sky News, whose largest shareholder is Mr Murdoch’s News Corp. In a blog, the broadcaster’s City editor, Mark Kleinman, suggested the hacking could also have been done by the private investigator on behalf of a rival newspaper.
Before his arrest in August 2006, Mr Mulcaire was employed on an exclusive contract with the NOTW worth £104,000 a year to supply “research and information services”. No evidence has been produced to show that the amateur footballer-turned-private detective was working for titles outside News International.
The reason why Ms Brooks, who edited The Sun between 2003 and 2009, had her voicemails intercepted was unclear, though she became the subject of media interest in her personal life in November 2005 when she was arrested for an alleged assault on her then-husband, the actor Ross Kemp. She was released without charge.
Sky News reported that legal advisers to the News International chief executive, who has always denied any knowledge of phone hacking, were considering whether to apply for a court order requiring the Yard to hand over copies of the evidence found in Mr Mulcaire’s documents.
A News International spokeswoman said: “We can confirm that Rebekah Brooks was recently shown documents by the police that proved she was a victim of illegal voicemail interception.” It was unclear last night whether Ms Brooks would consider joining the list of high-profile individuals suing the NOTW for breach of privacy.
In a sign that the revelations may be damaging Mr Murdoch’s popularity, it appears his annual summer party is no longer the hot ticket it used to be. As the media mogul stands on the verge of achieving his dream of taking complete control of the BSkyB satellite broadcasting empire, an invitation to last night’s grand bash at the ornate Orangery, in the grounds of Kensington Palace, west London, drew more refusals than acceptances.
The Culture Secretary, Jeremy Hunt, who is set to announce whether the BSkyB deal can go through, has decided not to attend the party for fear that his presence might be misinterpreted. His colleague Ed Vaizey, the Culture minister, is also expected to be give it a miss. Liberal Democrat MPs, who attended in strength with Nick Clegg last year, are also likely to be conspicuously absent as the parliamentary party is attending an annual away day.
The Independent understands the event was also expected to be less star-studded than in previous years. Downing Street would not confirm whether David Cameron was attending, as he did last year with his wife, Samantha.
