Hunt for Deep Panda intensifies in trenches of U.S.-China cyberwar | Reuters

By | June 22, 2015
0 Comment

My piece on what Deep Panda looks like in action: Hunt for Deep Panda intensifies in trenches of U.S.-China cyberwar | Reuters:

Security researchers have many names for the hacking group that is one of the suspects for the cyberattack on the U.S. government’s Office of Personnel Management: PinkPanther, KungFu Kittens, Group 72 and, most famously, Deep Panda. But to Jared Myers and colleagues at cybersecurity company RSA, it is called Shell Crew, and Myers’ team is one of the few who has watched it mid-assault — and eventually repulsed it.

Myers’ account of a months-long battle with the group illustrates the challenges governments and companies face in defending against hackers that researchers believe are linked to the Chinese government – a charge Beijing denies.

‘The Shell Crew is an extremely efficient and talented group,’ Myers said in an interview.Shell Crew, or Deep Panda, are one of several hacking groups that Western cybersecurity companies have accused of hacking into U.S. and other countries’ networks and stealing government, defense and industrial documents.The attack on the OPM computers, revealed this month, compromised the data of 4 million current and former federal employees, raising U.S. suspicions that Chinese hackers were building huge databases that could be used to recruit spies.

China has denied any connection with such attacks and little is known about the identities of those involved in them.  But cybersecurity experts are starting to learn more about their methods.

Researchers have connected the OPM breach to an earlier attack on U.S. healthcare insurer Anthem Inc (ANTM.N), which has been blamed on Deep Panda.

RSA’s Myers says his team has no evidence that Shell Crew were behind the OPM attack, but believes Shell Crew and Deep Panda are the same group.

And they are no newcomers to cyber-espionage.CrowdStrike, the cybersecurity company which gave Deep Panda its name due to its perceived Chinese links, traces its activities to 2011, when it launched attacks on defense, energy and chemical industries in the United States and Japan. But few have caught them in the act.

    SHELL CREW IN ACTION

In February 2014 a U.S. firm that designs and makes technology products called in RSA, a division of technology company EMC (EMC.N), to fix an unrelated problem. RSA realized there was a much bigger one at hand: hackers were inside the company’s network, stealing sensitive data. 

‘In fact,’ Myers recalls telling the company, ‘you have a problem right now.’Myers’ team could see hackers had been there for more than six months. But the attack went back further than that.

For months Shell Crew had probed the company’s defenses, using software code that makes use of known weaknesses in computer systems to try to unlock a door on its servers. Once Shell Crew found a way in, however, they moved quickly, aware this was the point when they were most likely to be spotted.        SPEARPHISHING

On July 10, 2013, they set up a fake user account at an engineering portal. A malware package was uploaded to a site, and then, 40 minutes later, the fake account sent emails to company employees, designed to fool one into clicking on a link which in turn would download the malware and open the door. 

‘It was very well timed, very well laid out,’ recalls Myers.

Once an employee fell for the email, the Shell Crew were in, and within hours were wandering the company’s network. Two days later the company, aware employees had fallen for the emails – known as spearphish – reset their passwords. But it was too late: the Shell Crew had already shipped in software to create backdoors and other ways in and out of the system. 

For the next 50 days the group moved freely, mapping the network and sending their findings back to base. This, Myers said, was because the hackers would be working in tandem with someone else, someone who knew what to steal.

‘They take out these huge lists of what is there and hand it over to another unit, someone who knows about this, what is important,’ he said. 

Then in early September 2013, they returned, with specific targets. For weeks they mined the company’s computers, copying gigabytes of data. They were still at it when the RSA team discovered them nearly five months later. 

Myers’ team painstakingly retraced Shell Crew’s movements, trying to catalogue where they had been in the networks and what they had stolen. They couldn’t move against them until they were sure they could kick them out for good. 

It took two months before they closed the door, locking the Shell Crew out.  But within days they were trying to get back in, launching hundreds of assaults through backdoors, malware and webshells.

Myers says they are still trying to gain access today, though all attempts have been unsuccessful.  

‘If they’re still trying to get back in, that lets you know you’re successful in keeping them out,’ he said.

(Additional reporting by Joseph Menn; Editing by Rachel Armstrong and Mark Bendeich)”

Moleskines Redux

By | June 15, 2015
1 Comment

Moleskin ® redux

Of course, I claim a lot of the credit for this decade-long trend Why Startups Love Moleskines: 

“The notion that non-digital goods and ideas have become more valuable would seem to cut against the narrative of disruption-worshipping techno-utopianism coming out of Silicon Valley and other startup hubs, but, in fact, it simply shows that technological evolution isn’t linear. We may eagerly adopt new solutions, but, in the long run, these endure only if they truly provide us with a better experience—if they can compete with digital technology on a cold, rational level.”

I have returned to Moleskines recently, partly because I realised I have a cupboard full of them, and partly because of exactly this problem: there’s no digital equivalent experience. 

  • easier to conceptualise on paper
  • you can doodle when the speaker is waffling; those doodles embellish, even turn it into Mike Rohde’s sketchnotes
  • you can whip it out in places where an electronic device would be weird, or rude, or impractical;
  • there’s a natural timeline to your thoughts
  • there’s something sensual about having a pen in your hands and holding a notebook
  • pen and moleskine focus your thoughts and attention
  • the cost of the book acts as a brake on mindless note taking (writing stuff down without really thinking why) 
  • no mindmap software has ever really improved the mindmapping experience. 
There’s probably more to it. But maybe the point is that this isn’t a fad. People have been using these in the geeky community for more than a decade, suggesting that they have established themselves as a viable tool. Being able to easily digitise them — for saving, or processing, as I did this morning with a chart I sketched out which my graphics colleague wanted to poach from — is a bonus, and saves us from the fear of losing our work. 

(Via.Newley Purnell)

Connected cows, cars and crockery prod chip mega mergers

By | June 9, 2015
1 Comment

My Reuters piece attempting to place the recent chip mergers in a longer timeline. Yes, I hate the term internet of things too. 

Connected cows, cars and crockery prod chip mega mergers | Reuters:

SINGAPORE/TAIPEI | BY JEREMY WAGSTAFF AND MICHAEL GOLD

Chip companies are merging, signing $66 billion worth of deals this year alone in preparation for an explosion of demand from all walks of life as the next technological revolution takes hold: the Internet of Things.

As cars, crockery and even cows are controlled or monitored online, each will require a different kind of chip of ever-diminishing size, combining connectivity with processing, memory and battery power.

These require makers to pool resources and intellectual property to produce smaller, faster, cheaper chips, for a market that International Data Corp said would grow to $1.7 trillion by 2020 from $650 billion last year.

By comparison, chip markets for personal and tablet computers are stagnant or in decline, and even smartphones are near peaking, said Bob O’Donnell, a long-time consultant to the chip industry.

‘We’re very much done in terms of growth of those traditional markets,’ said O’Donnell. ‘That’s why they are looking at this.’

Last month saw the biggest-ever chip merger with Avago Technologies Ltd agreeing to buy Broadcom Corp for $37 billion. That eclipsed the $17 billion Intel Corp agreed last week for Altera Corp, and the $12 billion NXP Semiconductors NV offered in March for Freescale Semiconductor Ltd.

On Friday, Lattice Semiconductor Corp said it was open to a sale.

 

CONNECTED COWS

The Internet of Things relies on chips in devices wirelessly sending data to servers, which in turn process the data and send results to a user’s smartphone, or automatically tweak the devices themselves.

Those devices range from a light bulb to a nuclear power plant, from a smartwatch to a building’s air-conditioning system. This range presents both opportunity and a challenge for semiconductor companies: their potential customer base is huge, but diverse, requiring different approaches.

Qualcomm Inc, for example, is used to selling chips to around a dozen mobile phone manufacturers. The Internet of Things has brought it business from quite different players, from makers of water meters to street lights that sport modems and traffic-monitoring cameras. All have their own needs.

‘You can’t think the new market is just like the old one,’ Qualcomm Vice President of Marketing Tim McDonough said in an interview.

Qualcomm estimates that the Internet of Things will bring in more than 10 percent of its chip revenue this business year.

And then there are those cows. Instead of monitoring herds by sight, farmers in Japan have tagged them with Internet-connected pedometers from Fujitsu Ltd and partner Microsoft Corp, to measure when they might be ready for insemination. Cows in season, it turns out, tend to pace more.

SPECK OF CHIP

This new business is pushing chip companies together in part to consolidate their expertise onto one chip, a trend forged by mobile phones.

The Avago-Broadcom deal, for instance, brings together motion control and optical sensors from Avago with chips from Broadcom that specialize in connectivity via wireless technologies such as Bluetooth and Wi-Fi.

In the past ‘if you wanted to build a board that has all the components, then you needed to buy three different chips,’ said Dipesh Patel of ARM Holdings PLC, which licenses much of the technology inside mobile phones – and, increasingly, in the Internet of Things.

‘Now you only need to buy one chip. But you’re trying to get more of the same system on the same chip.’

As chips get smaller, they could be tiny enough to ingest, according to Vital Herd Inc. The Texas-based startup’s pill-like sensor, once a cow swallows it, can transmit vital signs, warning farmers of illness and other problems.

Jen-Hsun Huang, co-founder and chief executive officer of graphics chips maker Nvidia Corp, predicts chips will shrink to the size of a speck of dust and find their way into almost anything, from shoes to cups.

‘Those little tiny chips, I think they’re going to be sold by the trillions,’ Huang said in an interview. ‘Maybe even sold by the pound.’

PROCESSING

Installing chips into end products is only one side of the equation. The more things connect, the bigger the number and capability of servers needed to process the vast amount of specialized data those chips transmit.

To meet the demand, Intel could employ chips for its servers designed by new purchase Altera that analyze streams of similar data – specializing in one function, as opposed to multiple functions like chips inside personal computers – industry consultant O’Donnell said.

Combining such strengths is going to be vital, said Malik Saadi of ABI Research, because consolidation is not over yet.

More chip companies ‘will have to make that radical decision to merge,’ said Saadi. ‘This is just the starting point.’ 

(Additional reporting by Liana Baker in New York; Editing by Christopher Cushing)”

Deja Vu or New Dawn? Microsoft’s Acquisition Binge

By | June 3, 2015
0 Comment

I’m not quite sure what to make of these acquisitions. It reminds me of Yahoo’s binge 10 years ago: After del.icio.us, a Directory of Other Things Yahoo! Should Buy. They snagged up a lot of my favourite stuff back then, and Microsoft is doing the same thing with Sunrise etc: 

Welcome 6Wunderkinder! Microsoft acquires Wunderlist – The Official Microsoft Blog: “What’s better than completing that last important task on your to-do list? Doing so with a beautiful and useful productivity app. Today, I am thrilled to announce that Microsoft has acquired 6Wunderkinder, the creator of the highly acclaimed to-do list app, Wunderlist.

The addition of Wunderlist to the Microsoft product portfolio fits squarely with our ambition to reinvent productivity for a mobile-first, cloud-first world. Building on momentum for Microsoft Office, OneNote and Skype for Business, as well as the recent Sunrise and Acompli acquisitions, it further demonstrates Microsoft’s commitment to delivering market leading mobile apps across the platforms and devices our customers use – for mail, calendaring, messaging, notes and now tasks.”

One Microsoft person told me when I complained about little work had been done on Skype that “we’re listening to users who said ‘don’t fiddle’ with it.” All well and good, but they could have fixed the more ridiculous things, like not being able to disable birthday notifications in some versions of the app, and losing the plot on groups. 

Still, this might be a new Microsoft, not the old Microsoft or Yahoo! doing these new acquisitions. They’ve done a lovely job integrating Acompli. So maybe there’s hope. I don’t mind these things getting that kind of treatment so long as they do it to reach out to users, rather than to fence them in. That’s going to take quite a change of attitude up in Redmond. 

Spy in the Sky – are planes hacker-proof?

By | May 27, 2015
0 Comment

My take on aviation cybersecurity for Reuters: Plane safe? Hacker case points to deeper cyber issues:

“Plane safe? Hacker case points to deeper cyber issues

BY JEREMY WAGSTAFF

Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the FBI and accused of hacking into flight controls via his underseat entertainment unit.

Other security researchers say Roberts – who was quoted by the FBI as saying he once caused ‘a sideways movement of the plane during a flight’ – has helped draw attention to a wider issue: that the aviation industry has not kept pace with the threat hackers pose to increasingly computer-connected airplanes.

Through his lawyer, Roberts said his only interest had been to ‘improve aircraft security.’

‘This is going to drive change. It will force the hand of organizations (in the aviation industry),’ says Jonathan Butts, a former US Air Force researcher who now runs a company working on IT security issues in aviation and other industries.

As the aviation industry adopts communication protocols similar to those used on the Internet to connect cockpits, cabins and ground controls, it leaves itself open to the vulnerabilities bedevilling other industries – from finance to oil and gas to medicine.

‘There’s this huge issue staring us in the face,’ says Brad Haines, a friend of Roberts and a security researcher focused on aviation. ‘Are you going to shoot the messenger?’

More worrying than people like Roberts, said Mark Gazit, CEO of Israel-based security company ThetaRay, are the hackers probing aircraft systems on the quiet. His team found Internet forum users claiming to have hacked, for example, into cabin food menus, ordering free drinks and meals.

That may sound harmless enough, but Gazit has seen a similar pattern of trivial exploits evolve into more serious breaches in other industries. ‘It always starts this way,’ he says.

ANXIOUS AIRLINES

The red flags raised by Roberts’ case are already worrying some airlines, says Ralf Cabos, a Singapore-based specialist in inflight entertainment systems.

One airline official at a recent trade show, he said, feared the growing trend of offering inflight WiFi allowed hackers to gain remote access to the plane. Another senior executive demanded that before discussing any sale, vendors must prove their inflight entertainment systems do not connect to critical flight controls.

Panasonic Corp and Thales SA, whose inflight entertainment units Roberts allegedly compromised, declined to answer detailed questions on their systems, but both said they take security seriously and their devices were certified as secure.

Airplane maker Boeing Co says that while such systems do have communication links, ‘the design isolates them from other systems on planes performing critical and essential functions.’ European rival Airbus said its aircraft are designed to be protected from ‘any potential threats coming from the In-Flight-Entertainment System, be it from Wi-Fi or compromised seat electronic boxes.’

Steve Jackson, head of security at Qantas Airways Ltd, said the airline’s ‘extremely stringent security measures’ would be ‘more than enough to mitigate any attempt at remote interference with aircraft systems.’

CIRCUMVENTING

But experts question whether such systems can be completely isolated. An April report by the U.S. General Accountability Office quoted four cybersecurity experts as saying firewalls ‘could be hacked like any other software and circumvented,’ giving access to cockpit avionics – the machinery that pilots use to fly the plane.

That itself reflects doubts about how well an industry used to focusing on physical safety understands cybersecurity, where the threat is less clear and constantly changing.

The U.S. National Research Council this month issued a report on aviation communication systems saying that while the Federal Aviation Administration, the U.S. regulator, realized cybersecurity was an issue, it ‘has not been fully integrated into the agency’s thinking, planning and efforts.’

The chairman of the research team, Steven Bellovin of Columbia University, said the implications were worrying, not just for communication systems but for the computers running an aircraft. ‘The conclusion we came to was they just didn’t understand software security, so why would I think they understand software avionics?’ he said in an interview.

SLOW RESPONSE

This, security researchers say, can be seen in the slow response to their concerns.

The International Civil Aviation Organisation (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them.

Researchers like Haines have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controllers.

And that’s just the start. Aviation security consultant Butts said his company, QED Secure Solutions, had identified vulnerabilities in ADS-B components that could give an attacker access to critical parts of a plane.

But since presenting his findings to vendors, manufacturers and the industry’s security community six months ago he’s had little or no response.

‘This is just the tip of the iceberg,’ he says.

(Additional reporting by Siva Govindasamy; Editing by Ian Geoghegan)”