Internet Security

Lancaster University Hit By “Sophisticated and Malicious Phishing Attack”

Lancaster University, which offers a GCHQ-accredited cyber-security course and has its own Cyber Security Research Centre, has been hit by what it has described as a “sophisticated and malicious phishing attack”, resulting in the leak of the personal data of new university applicants.

12,000+ Affected?

Although the University’s website states that only “a very small number of students” actually had their records and ID documents accessed as a result of the attack, other estimates published online by IT news commentators, based on statistics compiled by UCAS, suggest that possibly over 12,000 people may have been affected.

Who?

The attack appears to have been focused on the new student applicant data records for 2019 and 2020.

What?

According to the university, the new applicant information which may have been accessed includes names, addresses, telephone numbers, and email addresses.

There have also been reports that, following the attack, fraudulent invoices have been sent to some undergraduate applicants.

Why?

Although very little information has been divulged about the exact nature of the attack, universities are known to be particularly attractive targets for phishing emails, i.e. emails designed to trick the recipient into clicking on malicious links or transferring funds. This is because educational institutions tend to have large numbers of users spread across many different departments, facilities and faculties, with data moved between them, which makes administration and IT security very complicated. Universities also hold a lot of valuable intellectual property, as well as student and staff personal data, within their systems, which are tempting targets for hackers.

When?

Lancaster University says that it became aware of the breach on Friday 19th July, whereupon it established an incident team to handle the situation and immediately reported the incident to the Information Commissioner’s Office (ICO).

A criminal investigation led by the National Crime Agency’s (NCA) National Cyber Crime Unit (NCU) is now believed to be under way, and the university has been focusing efforts on safeguarding its IT systems and identifying and advising any students and applicants who have been affected.

US Universities & Colleges Hit Days Before

Just days before the attack on Lancaster University came to light, the U.S. Department of Education reported that a vulnerability in the Ellucian Banner System authentication software had led to 62 colleges or universities being affected.

What Does This Mean For Your Business?

For reasons already mentioned (see the ‘Why?’ section), schools, colleges and universities are prime targets for hackers, and this is why many IT and security commentators think that the higher education sector should take cyber-security risks very seriously, and make sure that training and software are put in place to enable a more proactive approach to attack prevention. Users, both students and staff, need to be educated about threats, how to spot suspicious communications by email or social media, and what to do with them. Students, for example, need to be aware that during the summer months, when they are more stressed and awaiting news of applications, they may be more vulnerable to phishing attacks, and that they should only contact universities through a trusted, previously used method rather than relying on the contact information and links given in emails.

For Lancaster University, which has its own Cyber Security Research Centre and offers a GCHQ-approved cybersecurity course, this attack, which has generated some bad publicity and may adversely affect some victims, is likely to be very embarrassing and may even deter some future applicants.

Lancaster University has advised applicants, students and staff to make contact (via email or phone) if they receive any suspicious communications.

Security Flaw Discovered In NHS Anaesthetic Machines

Cybersecurity firm CyberMDX has reported the discovery of a security flaw in some Internet-connected GE Healthcare anaesthetic machines which could leave them vulnerable to hacks.

Security Flaw

The security flaw has been described as the exposure of the configuration of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks. This could potentially mean that when the devices are connected to the Internet, they could be remotely targeted by hackers who could modify the parameters of the anaesthesia devices. According to CyberMDX, this could mean that hackers could silence device alarms and even adjust anaesthetic dosages or switch anaesthetic agents.

Johnson & Johnson

The threat discovered in GE Healthcare anaesthetic devices may not sound too unlikely when you consider that back in October a security vulnerability was discovered in one of Johnson & Johnson’s insulin pumps (the Animas OneTouch Ping insulin pump) that a hacker could exploit to overdose diabetic patients with insulin.  Even though the company described the risk as “extremely low”, it still led them to take the precaution of sending letters outlining the problem to 114,000 people, doctors and patients, who used the device in the US and Canada.

Affected Machines

The affected GE Healthcare anaesthetic machines are reported to include Aestiva and Aespire versions 7100 and 7900.  It has been reported that some are used in NHS hospitals.

Suggestions

Some of the suggestions offered by GE in response to reports of the possible vulnerability (which may not be exclusive to just GE machines) are for hospitals/users to use secure terminal servers with strong encryption, and to use a VPN and other features to protect against hacks.

Also, GE suggests that organisations should use industry best practices and secure deployment measures e.g. network segmentation, VLANs and device isolation.

What Does This Mean For Your Business?

Where any device has an Internet connection e.g. IoT devices, there is now a risk of a possible attack, but the fact that these are medical machines which could lead to serious human consequences if remote hackers were able to tamper with them makes this story all the more alarming.

If, as GE and the US Department of Homeland Security have pointed out, all equipment is correctly isolated wherever possible, unnecessary accounts, protocols and services are disabled, and best practice is followed, the risk should be very low indeed.

This story does, however, highlight how all businesses and organisations should take the security of smart/IoT devices seriously, particularly where there could be a clear human risk.

Microsoft Criticised By UK’s Cyber Security Agency Over Dmarc

The UK’s National Cyber Security Centre (NCSC) has complained that it has been unable to compile meaningful statistics and draw meaningful conclusions about email security in its latest report because Microsoft stopped sending Dmarc reports two years ago.

What Is Dmarc?

Domain-based Message Authentication, Reporting and Conformance (Dmarc) is a protocol, developed by the Trusted Domain Project, that provides greater assurance about the identity of the sender of a message. It builds upon the email authentication technologies SPF and DKIM, developed over a decade ago, and on the collaborative system pioneered by PayPal, Yahoo! Mail and later Gmail.

Dmarc allows email and service providers to share information about the validity of emails they send to each other, including giving instructions to mailbox providers about what to do if a domain’s emails aren’t protected and verified by SPF and/or DKIM e.g. moving a message directly to a spam folder or rejecting it outright. Information about messages that have passed or failed DMARC evaluation is then fed back to a DMARC register, thereby providing intelligence to the sender about messages being sent from their domain and enabling them to identify email systems being used by spammers.

Dmarc works on inbound email authentication by helping email receivers to determine if a message “aligns” with what the receiver knows about the sender and if not, Dmarc includes guidance on how to handle the “non-aligned” messages e.g. phishing and other fraudulent emails.
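As an added illustration (not code from the NCSC report or the original article), this is the evaluation a receiving mail server performs with a domain’s Dmarc record: parse the published policy, check whether the SPF and DKIM results “align” with the visible From domain, and arrive at a disposition. The domains, results and record values are constructed, and the organizational-domain lookup is simplified to the last two labels because no Public Suffix List is used.

```python
"""Evaluate DMARC (RFC 7489) for one message from its SPF and DKIM results.

Added example; not from the original article. Simplification: the
organizational domain is taken as the last two labels, whereas a real
receiver consults the Public Suffix List (so co.uk-style domains differ).
"""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; rua=...'."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels; see note above)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: 's' (strict) = exact match, 'r' (relaxed) =
    same organizational domain. No authenticated domain means no alignment."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str            # RFC5322.From domain (what the recipient sees)
    spf_result: str             # 'pass', 'fail', 'none', ...
    spf_domain: Optional[str]   # RFC5321.MailFrom domain SPF was checked on
    dkim_result: str
    dkim_domain: Optional[str]  # d= tag of the DKIM signature that verified


def evaluate_dmarc(record: str, r: AuthResults) -> Dict[str, object]:
    """Return the DMARC verdict for one message.

    `record` is the TXT record published at _dmarc.<org domain of From>.
    DMARC passes if SPF passed on an aligned domain OR DKIM verified with an
    aligned d= domain; a pass from an unrelated domain counts for nothing.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = r.spf_result == "pass" and aligned(
        r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_aligned = r.dkim_result == "pass" and aligned(
        r.from_domain, r.dkim_domain, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned

    # p= governs the organizational domain itself; sp= (when present) governs
    # its subdomains, so a From of sub.example.com may get a different policy.
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy {policy!r}")

    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": passed,
        # Disposition the receiver should apply to a failing message. pct=
        # (default 100) asks it to apply the policy to only that share of
        # failures, the rest getting the next weaker policy.
        "disposition": "none" if passed else policy,
        "pct": int(tags.get("pct", "100")),
        # rua= is where receivers send aggregate reports, i.e. the feedback
        # the article says a large receiver stopped providing.
        "aggregate_report_uri": tags.get("rua"),
    }


if __name__ == "__main__":
    # Constructed spoofing case: SPF and DKIM both pass, but for a domain
    # unrelated to the From header, so DMARC still fails and p=reject applies.
    spoof = AuthResults("example.com", "pass", "mailer.attacker.test",
                        "pass", "attacker.test")
    print(evaluate_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                         spoof))
```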

Why Were Microsoft’s Dmarc Reports So Important?

Microsoft’s email platforms form one of the biggest receivers of email, and data from Microsoft about the number of emails failing Dmarc gives a good indication of the number of suspicious emails being sent.  The lack of this data in the NCSC’s Mail Check service means that the NCSC’s ability to monitor and report on email security driven by Dmarc adoption has been hampered. This blind spot could have a knock-on negative impact on email security for everyone.

Public Sector Uptake – Good News

The NCSC’s latest report contains good news, however, about a significant uplift in the public sector adoption of email security protocols.  For example, public sector domains using Dmarc more than tripled from December 2017 to December 2018 to 1,369, and the number of domains with a Dmarc “quarantine” or “reject” policy (to prevent suspicious emails being delivered to inboxes) also tripled.

What Does This Mean For Your Business?

Having a collaborative intelligence sharing and effective protocol and process such as Dmarc that is being widely adopted by many organisations has significantly improved email security.  This is particularly valuable at a time when businesses face significant risks from malicious emails e.g. phishing and malware, and email is so often the way that hackers can gain access to business networks.

Sharing intelligence about the level and nature of email security threats and how they are changing over time e.g. in the trusted NCSC report, is an important tool to help businesses and security professionals understand more about how they tackle security threats going forward.  It is, therefore, disappointing that one of the world’s biggest receivers of email, which itself benefits from Dmarc, is not providing reports which could be of benefit to all businesses and organisations.

Facebook Launches Martin Lewis Anti-Scam Service

Facebook has launched a new anti-scam service using the £3m that it agreed to donate to the development of the programme in return for TV consumer money champion Martin Lewis dropping his legal action over scam ads.

What Legal Action?

Back in September 2018, MoneySavingExpert’s (MSE) founder Martin Lewis (OBE) took Facebook to the UK High Court to sue the tech giant for defamation over a series of fake adverts bearing his name. Many of the approximately 1,000 fake ads bearing Mr Lewis’ name that appeared on the Facebook social media platform over the space of a year could, and in some cases did, direct consumers to scammer sites containing false information, which Mr Lewis argued may have caused serious damage to his reputation and caused some people to lose money.

In January 2019, Mr Lewis came to an agreement with Facebook whereby he would drop his lawsuit if Facebook donated £3 million to Citizens Advice to create a new UK Scams Action project (launched in May 2019) and if Facebook agreed to launch a UK-focused scam ad reporting tool supported by a dedicated complaints-handling team.

How The New Anti-Scam Service Works

Facebook users in the UK will be able to access the service by clicking on the three dots (top right) of any advert to see ‘more options’ and “report ad”.  The list of reasons for reporting the ad now includes a “misleading or scam ad” option.

Also, the Citizens Advice charity has set up a phone line to help give advice to victims of online and offline scams.  The “Scams Action Service” advisers can be called on 0300 330 3003 Monday to Friday, and the advisers also offer help via live online chat.  In serious cases, face-to-face consultations can also be offered.

What To Do

If you’ve been scammed, the Citizens Advice charity recommends that you tell your bank immediately, reset your passwords, make sure that your anti-virus software has been updated, report the incident to Action Fraud, and contact the new Citizens Advice Scams Action service: https://www.citizensadvice.org.uk/scamsaction/

What Does This Mean For Your Business?

It is a shame that it has taken the threat of a lawsuit over damaging scam ads spread through its own platform to galvanize Facebook into putting some of its profits into setting up a service that can tackle the huge and growing problem of online fraud. Facebook and other ad platforms may also need to take more proactive steps with their advertising systems to make it more difficult for scammers to set up adverts in the first place.

Having a Scams Action service now in place using a trusted UK charity will also mean that awareness can be raised, and information given about known scams, and victims will have a place to go where they get clear advice and help.

Visa Adopts Blockchain For Cross-Border, Bank To Bank B2B Payments

Visa is integrating blockchain technology with its core systems to enable participant businesses to make direct, cross-border, bank to bank payments to other corporate participants.

B2B Connect

The new system, called Visa B2B Connect, is being built using the Hyperledger Fabric framework from the Linux Foundation. It will mean that, rather than paying another corporate by cheque, automated clearing house or wire transfer, all of which require intermediary banks and exchanges, payments can be made directly and instantly from the bank of one corporate customer to the bank of another.

This will mean cost and time savings, and the ability to pay and get paid 24-hours a day, regardless of location, local time differences, and other problematic traditional banking anomalies such as data truncation, payment delays and compliance issues.

Suite of APIs

The Visa B2B Connect system essentially provides a suite of Application Programming Interfaces (APIs) which allow participating banks to automate B2B, cross-border and cross-currency payments, by developing an end-to-end B2B payments solution to onboard customers, set up their suppliers, check Visa B2B Connect foreign exchange rates and submit payments. Alternatively, banks can choose to integrate just a subset of the APIs to address more specific needs e.g. checking on the status of certain payments through the Visa B2B Connect site.

Expansion Plans

Although the new system will only work for those corporates signed-up as participants to Visa’s pilot scheme, there are already plans to expand it so that it will cover more than 30 global trade corridors and 90 markets by the end of this year.

Benefits

The benefits that the blockchain-based B2B Connect system offers include cryptographically secured B2B transactions, transaction transparency and predictability, and the peace of mind and security of operating within a trusted network where all parties are known participants on a permissioned blockchain operated by Visa.

Blockchain Lacking Functionality

Recent research by Gartner showed that only 11% of CIOs have deployed or are in short-term planning with blockchain, partly because, at the moment, blockchain is a technology and not a complete, ready-to-use application, and therefore lacks business-friendly features like a user interface, business logic, data persistence and interoperability mechanisms.

What Does This Mean For Your Business?

For corporates, Visa’s B2B Connect system appears to unlock some of the long-promised benefits of blockchain in terms of fast and easy cross-border payments, security, transparency, and the reassurance of a trusted name in the payments world. Also, the fact that a suite of APIs is available to participants means that the system can be set up relatively easily, thereby tackling the issue (as highlighted by the Gartner research) of confusion among corporate tech heads about how best to incorporate blockchain and worries about there being few ready-to-use, complete applications available.

For smaller businesses the hope of being able to use blockchain to add value, reduce costs and gain competitive advantages is being boosted by a growing Blockchain as a Service (BaaS) market which offers the chance to deploy distributed ledgers without the cost or risk of deploying it in-house, and without needing to find in-house developers.  The cloud-based CRM platform ‘Salesforce’ for example, is adding a low code, blockchain-powered service that will allow enterprise users to share data with third parties in a secure, transparent, and auditable way.

Google’s reCAPTCHA v3 System Prompts Privacy Criticism

The widely used Google reCaptcha V3 bot-detecting login system has come in for some criticism after two security researchers claimed that one of the ways Google determines whether you are a malicious user depends on whether you have a Google cookie installed in your browser, which could also mean that the privacy of your browsing habits is at risk when using the system.

What Is reCaptcha V3?

Google’s reCaptcha V3 is the latest version of Google’s bot-detecting login system, introduced last autumn, that can detect abusive traffic/malicious user-behaviour on your website without user friction i.e. without the need to tick an ‘I am not a robot’ box, or identify items in pictures.  With this version of the reCaptcha system, background monitoring assigns a risk score to a user, which then enables the system to decide how to handle that user e.g. if a user with a high-risk score tries to log in, they may then be required to use two-factor authentication. From Google’s point of view, the idea is to give users a better experience and avoid the kinds of interactions that can inhibit users from intuitively and painlessly reaching their goals within a digital interface. With reCaptcha V3, Google may be happy with the trade-off between the possibility of some inconvenience for legitimate users versus greater protection for websites.

Widely Used

It has been reported that 650,000 websites already use reCaptcha v3, including 25% of the top 10,000 sites.  This makes any concerns about the system a potentially serious issue.

What’s The Problem?

The concern suggested by the two researchers, Marcos Perona and Mohamed Akrout, who have studied reCaptcha V3 is that, being a Google product, not only does it appear likely to deem a user less of a risk if they have a Google cookie on their browser i.e. they have a Google account and are signed in, but that cookies like these can also pass on data which is unnecessary for login, about a person’s browsing habits, thereby posing a possible threat to privacy.

The research found, for example, that those who went to a website with reCaptcha v3 while logged into their Google account were given a low-risk score by the system, whilst those who visited using private browsers such as Tor or a VPN were scored as high risk. Also, the research found that to make the risk-score system work properly, web admins need to embed reCaptcha v3 code on all pages of the website. This enables reCaptcha to learn how website users act on the site over time, thereby helping the machine learning algorithm to generate more accurate risk scores. Unfortunately, installing reCaptcha v3 on every page of a website could mean that those signed into their Google account are unwittingly passing on data about every web page they visit that has reCaptcha v3 embedded, thereby potentially having their privacy compromised to an extent.

What Does This Mean For Your Business?

It should be remembered that these are the conclusions of pieces of research which may or may not have valid points, but it certainly wouldn’t be the first time that Google has been accused of potentially causing concern in matters of user privacy. For example, a microphone was discovered in Google’s Nest Guard product that was not listed in the tech spec (which was put down to an erroneous omission by Google), and in December last year, research by the internet privacy company DuckDuckGo reported evidence that could show that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

Users and businesses appreciate the value of frictionless interactions and positive experiences with websites, as well as both appreciating the need to keep introducing new versions of products with improved security to stay one step ahead of attackers.  Privacy, however, is also an important issue, both legally and personally, and the heightened concerns about it may mean that Google gets a little bad publicity where users feel that data may be unnecessarily gathered, or is collected in a way that doesn’t appear to be made entirely obvious.

Suspected Russian Disinformation Campaign Rumbled

An investigation by the Atlantic Council’s Digital Forensic Research Lab (DFRLab) claims to have unearthed a widespread disinformation campaign aimed at influencing online conversations about several topics, that appears to originate in Russia.

Facebook Accounts

Sixteen suspected Russian fake accounts that were closed by Facebook in early May 2019 led researchers to an apparent campaign which stretched across 30 social networks and blogging platforms and used nine languages. The campaign appeared to be focused away from the main platforms such as Facebook and Twitter and was played out instead on blogging sites, subreddits, and online forums.

Even though the scale of the apparent disinformation operation appears to be beyond the abilities of a small or ad hoc group (the scale has been described as “remarkable”), and the operation appears to have been working out of Russia, the DFRLab has pointed out that there is not enough real evidence to suggest that the Russian state / Kremlin is behind it, and that the investigation is still ongoing.

What Kind Of Disinformation?

It has been reported that the broad topic areas of the disinformation appear to reflect Moscow’s foreign policy goals e.g. Ukraine, Armenia, opposition to NATO, although conversations have been started and steered around subjects relating to Brexit, Northern Ireland, the recent EU elections, immigration, UK and US relations, the recent turmoil in Venezuela and other issues. Some of the disinformation is reported to have included:

  • Claims, spread by fake accounts in 2018, of an alleged plot, apparently discovered by Spanish intelligence, to assassinate Boris Johnson.
  • Shared screenshots of a false exchange between Democratic Unionist Party leader, Arlene Foster, and chief EU Brexit negotiator, Michel Barnier, which appeared to show a secret negotiation behind Theresa May’s back. Also, false information was spread about the Real IRA.
  • A fraudulent letter in French, German, and broken English, featuring a screenshot of a letter allegedly written by Italian-Swedish MEP Anna Maria Corazza, published on various platforms in an attempt to influence the European Parliament elections in May 2019.

Failed and Discovered

The main reasons why the disinformation essentially failed and was discovered were that:

  • Communications were generally not sent via the main, most popular social media platforms.
  • The campaign relied on many forged documents and falsehoods which were relatively easy to spot.
  • So much trouble was taken to hide the source of the campaign e.g. each post was made on a single-use account created the same day and not used again, that the messages themselves hardly saw the light of day and appeared to lack credibility.

What Does This Mean For Your Business?

The fact that someone / some power is going to the trouble to spread disinformation on such a scale with regard to influencing the politics and government of another country is worrying in itself, and the knowledge that it is happening may make people more sceptical about the messages they read online, which can help to muddy the waters on international relations even more.

If messages from a foreign power are used to influence votes in a particular way, this could have a serious knock-on effect on the economy and government policy decisions which is likely to affect the business environment and therefore the trading conditions domestically and globally for UK businesses.  Some have described the current time as being a ‘post-truth’ age where shared objective standards for truth are being replaced by repeated assertions of emotion that are disconnected from real details.  This kind of disinformation campaign can only feed into that and make things more complicated for businesses that need to be able to have reality, truth, clear rules, and more predictable environments to help them reduce risk in business decisions.

Criminal Secrets Of The Dark Net Revealed

Recent Surrey University research, ‘Web Of Profit’, commissioned by virtualisation-based security firm Bromium, has shown that cyber-criminals are moving to their own invisible Internet on the so-called ‘dark net’ to allow them to communicate and trade beyond the view of the authorities.

What Is The Dark Net?

The dark net describes parts of the Internet which are closed to public view or hidden networks and are associated with the encrypted part of the Internet called the ‘Tor’ network where illicit trading takes place.  The dark net is not accessible to search engines and requires special software installed or network configurations made to access it e.g. Tor, which can be accessed via a customised browser from Vidalia.

Deeper

Infiltration and closing down of some of the dark net marketplaces by the authorities are now believed to have led to cyber-criminals moving to a more secure, invisible part of the dark net in order to continue communicating and trading.

How?

Much of the communication about possible targets and tactics between cyber-criminals now takes place on secure apps, forums and chatrooms.  For example, cyber-criminals communicate using the encrypted app ‘Telegram’ because it offers security, anonymity, and encrypted channels for the sale of prohibited goods.

Diverse Dark Net Marketplace

Posing as customers and getting first-hand information from hackers about the costs of a range of cyber-attacks, the researchers were able to obtain shocking details such as:

  • Access to corporate networks is being sold openly, with 60% of the sellers offering access to more than 10 business networks at a time. Prices for remote logins for corporate networks ranged from only £1.50-£24, and targeted attacks on companies were offered at a price of £3,500.
  • Phishing kits are available for as little as $40, as are fake Amazon receipts and invoices for $52.
  • Targeted attacks on individuals can be purchased for $2,000, and even espionage and insider trading are up for sale from $1,000 to $15,000.

Corporations Targeted

One thing that was very clear from the research is that cyber-criminals are very much focusing on corporations as targets with listings for attacks on enterprises having grown by 20% since 2016. The kinds of things being sold include credentials for accessing business email accounts.

Specific Industries

The research also showed that cyber-criminals are moving away from commodity malware and now prefer to tailor tools such as bespoke versions of malware as a way of targeting specific industries or organisations.  For example, the researchers found that 40% of their attempts to request dark net hacking services targeting companies in the Fortune 500 or FTSE 100 received positive responses from sellers, and that the services on offer even come with service plans for conducting the hack, and price tags ranging from $150 to $10,000, depending on the company to be targeted.

The industries that are most frequently targeted using malware tools that are being traded on the dark net include banking (34%), e-commerce (20%), healthcare (15%) and even education (12%).

Researchers also uncovered evidence that vendors are now acting on behalf of clients to hack organisations, obtain IP and trade secrets and disrupt operations.

What Does This Mean For Your Business?

The dark net is not new, but some commentators believe that the heavy-handed nature of some of the police work to catch criminals on the dark net is responsible for pushing criminal communication and trading activity further underground into their own invisible areas.  End-to-end encrypted communications tools such as Telegram mean that cyber-criminals can carry on communicating beyond the reach of the authorities.

The research should show businesses that there is now real cause for concern about the sensitive, informed and finely tuned approach that cyber-criminals are taking in their targeting of organisations, right from the biggest companies down to SMEs. This should be a reminder that cyber-security should be given priority, especially when it comes to defending against phishing campaigns, which are one of the most successful ways that criminals gain access to company networks.

Law enforcement agencies also need to do more now to infiltrate, gather intelligence, and try to deter and stop the use of different forums, channels and other areas of the dark net in order to at least prevent some of the more open trading of hacking services and tools.

GCHQ Eavesdropping Proposal Soundly Rejected

A group of 47 technology companies, rights groups and security policy experts have released an open letter stating their objections to the idea of eavesdropping on encrypted messages on behalf of GCHQ.

“Ghost” User

The objections are being made to the (as yet) hypothetical idea floated by the UK National Cyber Security Centre’s technical director Ian Levy and GCHQ’s chief codebreaker Crispin Robinson for allowing a “ghost” user / third party i.e. a person at GCHQ, to see the text of an encrypted conversation (call, chat, or group chat) without notifying the participants.

According to Levy and Robinson, they would only seek exceptional access to data where there was a legitimate need, where that kind of access was the least intrusive way of proceeding, and where there was also appropriate legal authorisation.

Challenge

The challenge for government security agencies in recent times has been society’s move away from conventional telecommunications channels, which could lawfully and relatively easily be ‘tapped’, to digital and encrypted communications channels, e.g. WhatsApp, which are essentially invisible to government eyes. For example, back in September last year, this led to the ‘Five Eyes’ governments threatening legislative or other measures to be allowed access to end-to-end encrypted apps such as WhatsApp. In the UK back in 2017, then Home Secretary Amber Rudd had also been pushing for ‘back doors’ to be built into encrypted services and had attracted criticism from tech companies that, as well as compromising privacy, this would open secure encrypted services to the threat of hacks.

Investigatory Powers Act

The Investigatory Powers Act, which became law in November 2016 in the UK, included the option of ‘hacking’ warrants by the government, but the full force of the powers of the law was curtailed somewhat by legal challenges. For example, back in December 2018, human rights group Liberty won the right for a judicial review into part 4 of the Investigatory Powers Act. This is the part that was supposed to give many government agencies powers to collect electronic communications and records of internet use, in bulk, without reason for suspicion.

The Open Letter

The open letter to GCHQ in Cheltenham and Adrian Fulford, the UK’s investigatory powers commissioner, was signed by tech companies including Google, Apple, WhatsApp and Microsoft, 23 civil society organisations, including Big Brother Watch and Human Rights Watch, and 17 security and policy experts. The letter called for the abandonment of the “ghost” proposal on the grounds that it could threaten cyber security and fundamental human rights, including privacy and free expression. The coalition of signatories also urged GCHQ to avoid alternate approaches that would also threaten digital security and human rights, and said that most Web users “rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are and only those people”. As such, the letter pointed out that the trust relationship and the authentication process would be undermined by the knowledge that a government “ghost” could be allowed to sit in and scrutinise what may be perfectly innocent conversations.

What Does This Mean For Your Business?

With digital communications in the hands of private companies, and often encrypted, governments recognise that (lawful) surveillance has become increasingly difficult for them.  This has produced legislation (the Investigatory Powers Act) with built-in elements designed to force tech companies to co-operate in giving the government access to private conversations and user data.  That legislation has been met with legal challenges, and other attempts by the UK government to stop end-to-end encryption have so far also been met with resistance, criticism and counter-arguments from tech companies and rights groups.  The latest “ghost” proposal is the government’s next step in the same ongoing dialogue.  The tech companies would clearly like to avoid further legislation and other measures (which look increasingly likely) that would undermine the trust between them and their customers, which is why the signatories have said they would welcome a continuing dialogue on the issues.  The government is clearly going to persist in seeking some kind of surveillance access to tech companies’ communications services, for the most part on national security (counter-terrorism) grounds, but is also keen to be seen to do so in a way that is not overtly ‘big brother’ and that navigates successfully through existing rights legislation.

The World Of Ethical Hackers And Bug Bounties

The fact that big tech companies are willing to pay big bucks in ‘bug bounties’ is one of the main reasons why becoming an ethical hacker / ethical security tester is increasingly attractive to many people with a variety of technical skills.

What Is An Ethical Hacker?

An ethical hacker / white hat hacker / ethical security tester is someone who is employed by, or contracted to, an organisation and given that organisation’s explicit (normally written) permission to attempt to penetrate a defined computer system, network or computing resource, in order to find (and help fix) security vulnerabilities before real attackers have the opportunity to use those vulnerabilities as a way in.  That written authorisation and agreed scope is what separates ethical hacking from the unauthorised access that the law prohibits.

Certified

In the US, for example, a person can obtain the Certified Ethical Hacker (CEH) qualification, which certifies the ability to use the same knowledge and tools as a malicious hacker, but lawfully and with permission, to assess the security posture of a system.  CEH exams test a candidate’s skill in applying those techniques and using penetration (‘pen’) testing tools to compromise various simulated systems within a virtual environment.

Who?

Ethical hackers can find work, for example, through the platforms that run bug bounty programmes on behalf of companies, e.g. HackerOne, Bugcrowd and Synack, or they can choose to work freelance.

What Are Bug Bounties?

Bug bounties are monetary rewards offered to those who identify and responsibly report errors or vulnerabilities in a computer program or system.  Platforms like HackerOne, for example, offer guidance on the amounts to set as bug bounties, e.g. anywhere from $150 to $1,000 for low-severity vulnerabilities, and anywhere from $2,000 to $10,000 for critical-severity vulnerabilities.

Examples of bug bounties include:

  • The ‘Hack The Pentagon’ three-year initiative run by HackerOne, which has so far (since 2016) paid $75,000 to those who have found software vulnerabilities in the US Department of Defense’s public-facing websites.
  • Google’s ongoing Vulnerability Reward Program (VRP), which offers rewards ranging from $100 to $31,337 depending on the type and severity of the vulnerability found.
  • Facebook’s Whitehat program, running since 2011, which offers a minimum reward of $500 and has paid out over $1 million so far.  The largest single reward is reported to be $20,000.

Motivation

Money is often not the only motivation for those involved in ethical hacking.  Many are interested in the challenge of solving the problems, getting into the industry, and getting recognition from their peers.

Training

The UK has a tech skills shortage, but some schemes do exist to help the next generation of cyber-security experts gain their knowledge and skills.  One example is the UK’s Cyber Discovery scheme which had more than 25,000 school children take part in its first year.  The scheme turns finding security loopholes into engaging games while getting children familiar with the tools that many cyber-pros use.  Top performers can then attend residential courses to help them hone their skills further.

What Does This Mean For Your Business?

Ethical hackers play an important penetration testing role in ensuring that systems and networks are as secure as possible against the known methods employed by real attackers.  It is not uncommon, particularly for large companies that are popular hacking targets, to run ongoing bug bounty programs as a way to keep testing for vulnerabilities, and the rewards paid to ethical hackers are well worth it when set against the damage done to companies and their customers when a breach takes place.

Running government programs such as Cyber Discovery could, therefore, be an important way to encourage, spot, and help develop a home-grown army of cyber-security professionals which is a win/win for companies wanting to improve their security, individuals looking for careers in the cyber-security and tech industries, and filling a skills gap in the UK.