Network Security
www.networksecuritynewsletter.com
Featured in this issue: When advertising turns nasty
In this ever more commercialised world, it’s maybe not surprising that one of the most pervasive social phenomena, advertising, has its dark side. ‘Malvertising’ – the distribution of malware and other forms of cyber-attack via adverts on websites and embedded in mobile platform apps – is becoming an increasingly severe problem. One of the chief problems is that the malware delivery mechanism operates within a trusted environment. So what can you do about it? Steve Mansfield-Devine finds out. Full story on page 5…
Counting the security cost of cheap calls
The decision to move to SIP trunking appears straightforward: reduced costs, greater scalability, improved disaster recovery options and access to the productivity benefits enabled by unified communications. But is it secure? This issue is too often overlooked by companies wanting to move to SIP. The result is a ticking time bomb for businesses, with threats ranging from denial of service to toll fraud (also known as call jacking); and the liability lies squarely with the business, not the provider, as Paul German of VoipSec explains. Full story on page 9…
Connected cars – the next target for hackers
Driverless and crash-proof cars are no longer science fiction but fact. They promise a revolution in car safety, saving hundreds of thousands of lives a year. But most of these cars will be sharing data via the web. This raises real security concerns. But just how real is this car hacking threat and how much is hype? Tim Ring finds out, and reports on what security researchers are doing to push car makers to accelerate their drive to take car security seriously. He also asks what car drivers can do to protect themselves and their passengers. Full story on page 11…
UK Government battles tech firms over encryption
The UK’s Conservative Government seems to be gearing up for another battle with tech firms over the use of end-to-end encryption in their products and services.

Earlier this year, Prime Minister David Cameron provoked the wrath – and in some quarters derision – of technology companies and security specialists when he complained of the inability of intelligence and law enforcement bodies to intercept Internet communications. Because of the growing use of end-to-end encryption, many communications channels could not be intercepted, “even in extremis, with a signed warrant from the Home Secretary,” he said. And he called for a ban on encryption products. Now the Government is trying again. It’s believed to be pushing for agreements with any company doing business Continued on page 2…
Contents

NEWS
UK Government battles tech firms over encryption 1
Ransomware defeated but new forms emerge 2

FEATURES
When advertising turns nasty 5
‘Malvertising’ – the distribution of malware and other forms of cyber-attack via adverts on websites and embedded in mobile platform apps – is becoming an increasingly severe problem. One of the chief problems is that the malware delivery mechanism operates within a trusted environment. So what can you do? Steve Mansfield-Devine investigates.

Counting the security cost of cheap calls 9
SIP trunking offers some serious business benefits, but its security is often overlooked. The result is a ticking time bomb for businesses, with threats ranging from denial of service to toll fraud (also known as call jacking); and the liability lies squarely with the business, not the provider, as Paul German of VoipSec explains.

Connected cars – the next target for hackers 11
Driverless and crash-proof cars are a reality and promise a revolution in car safety. But with automation come vulnerabilities. So how real is the car hacking threat? Tim Ring finds out, and reports on what security researchers are doing to push car makers to accelerate their drive to take car security seriously.

The business risks of using smartphones 16
It seems that a lot of businesses are still unaware of the risks involved with employees using their own smartphones for business purposes. While many firms are now enthusiastically adopting Bring Your Own Device (BYOD) policies, not enough of them are putting sufficient thought into the security risks, says Phil Beckett of Proven Legal Technologies.

Key trends in information security 18
Hacking has been with us for a long time. But as fast as we come up with countermeasures, the technology we use develops and moves into new areas of our lives and our businesses. Bradley Maule-ffinch of Cyber Security Europe looks at how organisations need to make themselves more difficult targets.

REGULARS
News in brief 3
Reviews 4
Events 20
ISSN 1353-4858 November 2015
ISSN 1353-4858/15 © 2015 Elsevier Ltd. All rights reserved.
NEWS
Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Tel: +44 (0)1865 843239. Fax: +44 1865 843973. Web: www.networksecuritynewsletter.com
Publisher: Greg Valero
Editor: Steve Mansfield-Devine
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Edward Amoroso, AT&T Bell Laboratories; Dario Forte; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas
Pre-press/Printed by Mayfield Press (Oxford) Limited
…Continued from front page

in the UK to get them to provide lawful interception, even for encrypted services – for example, WhatsApp and Apple both provide end-to-end encrypted comms services based in the US – but with little prospect, it seems, of a positive response.

“There is an alarming movement towards end-to-end encrypted applications,” said Baroness Shields, the Minister for Internet Safety and Security (and a former European VP at Facebook) in the House of Lords recently. “It is absolutely essential that these companies which understand and build those stacks of technology are able to decrypt that information and provide it to law enforcement in extremis.”

The new Investigatory Powers Bill that has just been introduced, and which won’t become law before next year (if then), has stopped short of demanding that tech firms provide backdoors or private keys. There are those, however, who believe that the noises being made by the UK Government over end-to-end encryption are a ploy – a way of justifying greater surveillance powers. With no backdoors available, and with the difficulty of gaining legal access to keys with services that are partly or wholly based abroad, the authorities could argue that they need greater powers to capture comms data and store Internet traffic in order to carry out other forms of snooping, such as traffic analysis.

Meanwhile, the new bill is insisting that ISPs keep records on the web browsing and other Internet use of all users and make this available to law enforcement without the need for a warrant. Many security and privacy specialists are concerned that this requirement – which is banned in the US and other European countries – could still lead to abuse, and will also provide rich targets for hackers.

“We have countless examples of how organisations’ security systems have failed in the past as a result of insufficient security and access procedures, and as a result sensitive data has been misused,” said Timothy Brown, executive director, security, Dell Software Group. “If organisations are required to store more information on their customers for longer periods of time, there must be appropriate controls and audit measures in place. People consider their telecommunications and Internet activity to be private and if ISPs and wireless providers are required to store data on their customers, this only creates larger and more attractive targets for hackers and leaks.”

The bill would also remove uncertainty about the legality of certain operations by intelligence agencies by specifically giving them the right to hack targets and carry out electronic surveillance – including bulk data acquisition
Ransomware defeated but new forms emerge
Kaspersky claims it has shut down the Coinvault and Bitcryptor ransomware operations. But new forms of ransomware have recently emerged.

The two alleged creators of Coinvault and Bitcryptor were arrested in the Netherlands in September. And Kaspersky, which played a lead role in the investigation, has added 14,000 decryption keys to its Ransomware Decryptor tool, allowing people affected by the malware to get their files back. “We are now able to share a new decryption application that will automatically decrypt all files for Coinvault and Bitcryptor victims,” the firm said.

However, Cologne-based organisation Botfrei has warned that it has spotted a ‘scareware’ variant of the Chimera ransomware trojan that threatens to post all your photographs and other personal information online if you don’t pay 2.45 bitcoins (around £450 at the time of writing). There is no evidence so far that this threat has been carried out.

Meanwhile, the FBI sparked controversy by admitting that it is advising many ransomware victims to simply pay up. “The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in charge of the FBI’s Cyber and Counterintelligence Programme for its Boston office, at the Cyber-security Summit 2015. “To be honest, we often advise people just to pay the ransom.”

Finally, the Cyber Threat Alliance has published a new report giving full details of the Cryptowall ransomware. It’s available here: http://cyberthreatalliance.org/cryptowall-report.pdf.