GCHQ's plan for a Great British Firewall
On Tuesday the Director of the UK's new National Cyber Security Centre outlined new plans to scale up DNS filtering to block "known malware and bad addresses" - or as it has been dubbed "The Great British Firewall". The idea remains highly controversial, with similar bills in the US, including the 'Stop Online Piracy Act' failing after hearty debate. If you are writing on this news, please see below for expert comments from NSFOCUS, Bromium and Lastline.
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS IB, says: "Worldwide, the general public who follow the laws of their nations, are all growing ever more weary of cyberattacks - and the criminals behind them. In many cases, the public would like to see service providers step up and help protect them from clearly identifiable malicious websites on the Internet. Today, there are over 325 million registered domain names across all top-level domains (TLDs) and likely billions of unique URLs; many of which house malware, exploit kits, ransomware, malvertising, and/or are involved in other criminal activities. Anything that can help protect the public from unknowingly going to these sites (often resulting in infection, compromise, fraud, theft, etc.) is a step in the right direction. However, doing so will result in pundits accusing governments and ISPs of trying to be the Internet police. As a result, it has become every man, woman, and child for themselves - and we wonder why cyber-infection rates are growing exponentially across the globe."
Fraser Kyne, Regional Systems Engineering Director at Bromium, reacts: "Initiatives like this are to be applauded - and are a useful step in the right direction. However, as the commentary suggests, these kinds of steps can only help against known and simple malware.
Given the polymorphic nature of malware, and the proliferation of targeted attacks, these kinds of steps will only filter out some of the low level noise - without helping much against the really dangerous attacks.
More investment is needed in practical ways of protection that don't rely on detection. Virtualisation based security on endpoints isolates both known and unknown malware; and should be considered as the next layer of defence in any security stack. Without it we're just playing "whack-a-mole" security."
Brian Laing, VP at Lastline says: “Using domain names gives attackers the flexibility of migrating their malicious servers with ease. That is, the malicious “services” that the attackers offer become more “fault-tolerant” with respect to the IP addresses where they are hosted.
As malicious services are often as dependent on DNS services as benign services, being able to identify malicious domains as soon as they appear would significantly help mitigate many Internet threats that stem from botnets, phishing sites, malware hosting services, and the like. Also, the premise is that when looking at large volumes of data, DNS requests for benign and malicious domains should exhibit enough differences in behaviour that they can automatically be distinguished.”
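The two ideas in the commentary above, blocking queries for known-bad domains at the resolver and spotting clients whose DNS behaviour differs from benign traffic, can be sketched in a few lines. This is an added illustration, not NCSC's, NSFOCUS's or Lastline's code; the blocklist entries and log lines are constructed placeholders, and the NXDOMAIN threshold is an assumed tuning value.

```python
from collections import Counter

# Constructed "known bad" list (placeholder names, not real indicators).
BLOCKLIST = {"malware-drop.example", "phish-login.example"}

# Constructed resolver log: client, verb, queried name, response code.
SAMPLE_LOG = """\
10.0.0.5 query www.example.com NOERROR
10.0.0.5 query cdn.malware-drop.example NOERROR
10.0.0.9 query mail.example.org NOERROR
10.0.0.7 query a1b2c3d4e5.example NXDOMAIN
10.0.0.7 query f6g7h8i9j0.example NXDOMAIN
10.0.0.7 query k1l2m3n4o5.example NXDOMAIN
10.0.0.7 query p6q7r8s9t0.example NXDOMAIN
10.0.0.5 query phish-login.example NOERROR
"""

def is_blocked(name, blocklist=BLOCKLIST):
    """Known-bad filtering: True if the name or any parent domain is listed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def parse_log(text):
    """Split each constructed log line into (client, name, rcode)."""
    rows = []
    for line in text.splitlines():
        client, _verb, name, rcode = line.split()
        rows.append((client, name, rcode))
    return rows

def nxdomain_suspects(rows, threshold=3):
    """Behavioural check (assumed heuristic): clients with at least
    `threshold` NXDOMAIN answers. A freshly registered domain slips past
    the blocklist, but a host cycling through unregistered names stands out."""
    nx = Counter(client for client, _name, rcode in rows if rcode == "NXDOMAIN")
    return {client for client, count in nx.items() if count >= threshold}

def triage(text):
    """Return (queries hit by the blocklist, clients flagged behaviourally)."""
    rows = parse_log(text)
    blocked = [(client, name) for client, name, _ in rows if is_blocked(name)]
    return blocked, nxdomain_suspects(rows)
```

The first list is what a static filter catches; the second set is a client the filter would have missed, which is the gap the Bromium and Lastline comments point at.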
VoIPtalk admits to possible data breach
UK-based IP Telephony service VoIPtalk warned customers of a potential data breach over the weekend. The firm has implemented tighter security controls and advised customers to change their passwords in response to the suspected hacker incident, which is still under investigation.
David Gibson, VP of strategy and market development, Varonis says: “The VoIPtalk attack illustrates that data breaches should be considered a real and inevitable possibility. Businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs.
When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.
Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly."
Cynthia Leonard, program manager at HPE Security – Data Security, adds: “Hackers will steal anything of value and this story is no exception. We have a saying in security; it’s not a matter of if a breach will happen, but when. Beyond the threat to sensitive data, companies need to be concerned with the impact a data breach can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of cyber attacks and other attempts to get this sensitive information.
Enterprises need to follow best practices of encrypting all sensitive personal data as it enters a system. Encryption stays with the data whether at rest, in motion or in use, so if an attacker accesses the data, they get nothing of value. The ability to neutralise a breach by rendering data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure. Credentials that never need to be recovered in clear form should be strongly protected with state-of-the-art methods, for example, strong standards-based keyed hashing.
Users should heed the advice to change their password immediately - for VoIPtalk as well as any other website where they use the same password. It has been widely reported that a high percentage of users admit to reusing the same passwords over and over again. Attackers will always choose the path of least resistance, and that can mean using a password obtained for one website to access that same user's account on another site that contains a bigger reward for the cyberthief. Even if the final website has impenetrable security, password reuse can allow an attacker to login without raising any alarm bells whatsoever.
While avoiding password reuse is the users' responsibility, the onus for storing the passwords (as well as all other personal information) safely and securely falls squarely on the companies who collect it.”
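The "standards-based keyed hashing" the HPE comment recommends for stored credentials looks like this in practice: a per-user random salt, a slow standard KDF (PBKDF2-HMAC-SHA256), and an HMAC under a server-side secret so a copied credentials table cannot be cracked offline without that key. This is an added example, not VoIPtalk's or HPE's code; the pepper value and iteration count are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed server-side secret ("pepper"). In a real deployment it lives in
# a key store or HSM, never in the same database as the password records.
PEPPER = bytes.fromhex("0f" * 32)
ITERATIONS = 200_000  # assumed value; raise it as hardware allows

def hash_password(password, pepper=PEPPER, salt=None):
    """Return 'salt_hex$tag_hex' for storage.

    1. A fresh 16-byte random salt defeats precomputed tables.
    2. PBKDF2-HMAC-SHA256 makes each guess expensive.
    3. HMAC under the pepper keys the result: without the pepper a leaked
       table gives an attacker nothing to verify guesses against.
    """
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    tag = hmac.new(pepper, derived, hashlib.sha256).digest()
    return salt.hex() + "$" + tag.hex()

def verify_password(password, stored, pepper=PEPPER):
    """Recompute the tag from the stored salt and compare in constant time."""
    salt_hex, tag_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    expected = hmac.new(pepper, derived, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(tag_hex))
```

Because the stored value is salted and keyed, the same password reused across two accounts (the reuse problem raised above) still produces two unrelated records, and a record leaked without the pepper cannot be tested against a candidate password at all.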
A cyber attack on biometric data could pose significant risks at border
Canada's Border Security Agency warns that a cyber attack on their facial recognition or fingerprints databases could result in barring innocent travellers from Canada — or letting the wrong people in. Officials said they need to “keep pace with emerging security vulnerabilities” to systems governing who can enter the country. The agency’s growing use of “biometric” data — such as fingerprints, facial recognition, and retinal scans — was cited as an example.
Commenting on this, Robert Capps, VP of business development at NuData Security, said: “Physical biometrics work best when the person being authenticated has physically presented themselves to the authenticating party, which is why fingerprint and iris scanners work well in a border control setting - they are hard-wired, monitored and nearly impossible to spoof. However, in a non-face-to-face interaction, using a single biometric data point to authenticate a user is no different than adding a second, static password. In a way, in certain scenarios, they could be worse: a stolen or leaked password can be reset, your finger or iris print cannot.
High-quality reproductions of a fingerprint (a static image) or a recorded heartbeat (a set, basic pattern) can be captured and reused, and can be stolen en masse, like the 5.6 million fingerprints stolen from the Office of Personnel Management last year. Even low-tech methods can produce results, like the infamous gummy bear hack for fingerprint scanners. There is also a very real threat of fraudsters going after individuals in person, to garner physical biometrics for nefarious activities - such fears are steering risk-averse companies away. The sheer breadth of damage that can be done with just one piece of personal, biometric information highlights the sophistication of today’s hacker and shows what security teams must now deal with.
If ANY border service agency was breached, and we have to be clear that there is no indication that there has been a breach, there is a risk. By combining the information stolen from such a breach and other breaches, cyber criminals have the potential to piece together very comprehensive user identities. One frightening example is the “Facebook of Everything” that China’s intelligence service is compiling from the personal data stolen over several high-profile U.S. cyber breaches including OPM. Their stated goal is to compile it into a massive Facebook-like network to build a profile of everyone -- with more details than Facebook.
In other words, they’ve now got a full database of information that could be used for multiple fraudulent and nefarious purposes into generations to come. They are able to use the stolen information and fingerprints to create more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, more damaging fraud can take place. As an example, if I'm a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. This is true for the millions of stolen fingerprints as well, especially with the increased adoption of touch/fingerprint-based authentication for mobile banking and payment apps. Unlike passwords, fingerprints can’t be changed, last a lifetime, and are usually associated with critical identities.
Identity protection services or credit monitoring aren’t enough when it comes to biometric identity theft. Fingerprints cannot be changed. Spoofing fingerprints is no longer something from a sci-fi movie. It is happening and will increase more as cheaper tools make their way onto the dark web, and even WikiHow has a step-by-step guide.
Fortunately, user behavioural biometrics (BB) can provide the extra layers of protection even after hacks have occurred. Online fraud detection solutions using BB can stop fraudsters in their tracks by identifying suspicious activity, in a completely passive and non-intrusive way. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. Even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at behavioural events, biometrics, device, geography and other layers to determine the real actor behind the device or fingerprint. Without even interrupting a user's experience, fraud can be predicted and prevented from occurring.”
Britons place trust in banks to provide biometric services
Visa has conducted extensive research into consumer attitudes to biometric payments. The results show that Britons place trust in their banks to provide biometric services.
Robert Capps, VP of business development at NuData Security, says: "This study establishes that there is a strong desire on the part of consumers to have a secure user experience when interacting and transacting online. The desire may not align with the reality of the situation. Physical biometrics such as fingerprints, selfies and voice authentication aren’t foolproof, and there are challenges that may block widespread adoption in non-face-to-face interactions.
The fact that 85% of respondents see banks as the most trusted institution in the provision of biometric authentication isn’t surprising, given that they are part of the authentication lexicon, and solutions such as Apple’s Touch ID have given consumers a glimmer of the future of biometrics, while delivering outstanding user experience.
Physical biometrics can be part of a good multifaceted approach, but they are still static data points that can potentially be misused in the wrong hands. While not generally acknowledged by the general public, fingerprints, voice and retinal scans can be spoofed. And, unlike passwords, physical biometrics can’t be changed. It’s the lasting and permanent nature of physical biometric data that may have more negative impacts than passwords since, as in the OPM Breach, once these have been released into the wild, they pose a risk for the lifetime of the victim who can do nothing to change this core data.
Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en masse. Stolen data is often traded and consolidated into larger, more accurate profiles that can be re-used for a number of nefarious purposes, from espionage to identity theft and financial fraud. Selfies and voice biometrics have contextual issues: it may not always be appropriate to take a selfie or provide a voice sample to authorise an online transaction, particularly in a place where such activity may be frowned upon or disruptive (such as a meeting, on public transit, airports, or in a culturally sensitive place). Beyond social and cultural issues, there are concerns about how a move to physical biometrics may provide a false sense of security to consumers and institutions, given the wealth of physical biometric data that is shed by a person through their day-to-day life.
While liveness verification has become a standard in modern physical biometric verification systems, these systems are not without flaws that allow pre-recorded or captured biometric data to be replayed. Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data is recorded with every photo you pose for. Recent data breaches have also shown that high-fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials - effectively making these physical biometrics more static data that can be stolen and reused to impersonate you in non-face-to-face transactions.
The true strength of behavioural biometrics is in providing trust. While the consumer trusts the fingerprint, or the voice print, retinal scan or any other visible security the bank may choose, that is what they see and how they feel – it’s the guard at the door, if you will. Using passive and invisible behavioural biometrics (BB), the bank can also have full trust in their key objectives, protecting the user account and providing a good customer experience. In this way BB solutions can draw a straight line to a trust-trust relationship between banks and customers.
Another advantage of BB solutions is that they use non-static signals and indicators of human identity - signals that cannot be stolen, reused or replayed for impersonation. It can therefore provide a high degree of confidence in the identity of the user. Passive biometric solutions identify suspicious activity in a completely passive and non-intrusive way by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. So, even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at your behavioural events, biometrics, device, geography and other layers to determine if you are the real actor behind the device or fingerprint.
Additionally, with BB, users can even be rewarded for good behaviour with a white glove experience, or extra perks and incentives, giving banks and e-commerce companies the unheard of potential to actually improve their brand experience with their security layer.”