8 Highlights: Scottish 'Big Data' Cybersecurity ConferenceCloud Forensics, Fraud, Extortion and Cyber Sociology Dominate Edinburgh Event
What are hot cybersecurity topics in Scotland?
Count securing big data and the internet of things, plus the ongoing prevalence of ransomware and "cyber extortion." Don't forget the true origins of "cyber." And include conducting digital forensic investigations on cloud servers.
Those were just some of the topics that featured at this year's one-day "International Conference on Big Data in Cyber Security."
This year marked the fourth iteration of the conference, hosted on May 31 at Napier University's Craiglockart campus in Edinburgh, Scotland, under the aegis of Professor Bill Buchanan of the university's computing department.
This year's conference served as the kickoff for 24 hours of linked cybersecurity events, with the conference segueing into other events being hosted in Canada, Colombia, Israel, the Netherlands and South Korea, before returning to Edinburgh on Friday.
Here are eight highlights from this year's International Conference on Big Data in Cyber Security.
1. Office 365 Forensics
Does your organization use Office 365? If so, enable "auditing" in the administrator panel and require all users to employ multifactor authentication.
Those were two top takeaways from a presentation by David Stubley, who heads Edinburgh-based security testing firm and consultancy 7 Elements (see Phishing Defense: Block OAuth Token Attacks).
Stubley drew on a real - albeit anonymized - incident that he investigated at a Glasgow-based organization, which lost £140,000 ($185,000) after both its managing director and CFO's Office 365 email accounts were compromised by what appeared to be a group of attackers operating from Nigeria, although an IP address in United Arab Emirates was also implicated in the attack.
Once attackers gained access to the victims' accounts, they watched and waited - for people to be sick, traveling or on leave - to give their attack the best chance of succeeding. They also didn't spoof any messages, but rather sent them from the legitimate accounts, after having created mailbox rules designed to delete the sent messages, so the victims wouldn't see them.
Then they struck.
Stubley said that for organizations that want to better prevent this sort of thing from happening, they should be regularly downloading Office 365 logs, since Microsoft only makes 90 days of data available before deleting it. "So start collecting logs, and keep hold of them," Stubley said.
Also make multi-factor authentication mandatory for accessing accounts, because Microsoft doesn't appear to be limiting outside attempts to access accounts. As a result, attackers can run dictionary attacks designed to brute-force accounts with weak passwords.
2. Police Scotland: We Want to See 'Unusual'
Police in Scotland, as in the rest of the world, are continuing to see a rise in "cyber-enabled" crime. "The threat landscape is a lot more sophisticated than it was two to three years ago," backed in part by "a huge rise is malware proliferation" as well as the easy availability of attack tools, said Detective Inspector Eamonn Keane. He formerly led Police Scotland's cybercrime operations team and in May was indefinitely seconded to the Scottish Business Resilience Center to lead its cybersecurity and innovation efforts.
In April, "we engaged with some young people accused of using WebStresser," Keane said, referring to the arrest of two men in the Lanarkshire region on charges of launching distributed denial-of-service-attacks as part of a global crackdown on the Webstresser stresser/booter DDoS-as-a-service provider (see Police Seize Webstresser.org, Bust 6 Suspected Admins).
Crime continues to evolve, and increasingly to bridge the physical and online realms, Keane said.
One case in point: In January, four armed men broke into the house of a cryptocurrency trader. "The criminals crashed his door, held a gun to his head, for him to reveal the password to his bitcoin wallet," Keane said.
Keane said that in other cases, organized crime gangs have sent people into call centers specifically to harvest customer details.
His whirlwind tour of cybercrime in Scotland was backed by a plea to businesses to notify law enforcement agencies when they are the victim of cybercrime, to help police not only pursue criminals, but also for "enriching the intelligence picture" across law enforcement agencies - thanks to information sharing - as well as for the government to allocate sufficient resources. "You cannot legislate for what you don't know," he said.
What's the threshold for reporting crime, since police don't have the resources to chase every scammer or would-be fraudster? Keane said Police Scotland is keen to hear about unusual behavior, as well as from anyone who is a "victim of significant fraud."
He added: "I'm looking for the unusual, but we also need to know what's going out there."
3. The Quest for 'Human Digital Memories'
Internet of things food for thought: "What if you could store all memories and allow others to experience them?"
That was the question posed by Madjid Merabti, a professor of networked systems at Liverpool John Moores University, who delivered the opening presentation at the conference.
He's long been research "human digital memories," referring to the hypothetical ability to capture and replay memories that could be fully replayed later.
In theory, artificial intelligence and deep learning capabilities could be used to amass, store and replay digital copies of our memories. But as a thought exercise, innumerable questions remain, including how this type of mass storage might get safeguarded, access-controlled and future-proofed.
Then there's the problem of obsolescence. For example, from 1085 to 1086, by order of King William I, the original Domesday Book - a massive record of land holdings in England - was created, and survives today.
In 1986, or 900 years later, the BBC - in collaboration with Acorn, Philips and Logica, created a new version of the Domesday Book, which included material shared by 1 million people. But maintaining the data has presented challenges, not least because of the image format, which involved storing images as video on laser discs. The material is also subject to copyright concerns and getting the material online faces funding challenges.
Could human digital memories, if they come to pass, likewise one day expire?
4. Fighting CEO Fraud by Analyzing Writing Style
Sometimes relatively small, novel-looking technologies offer outsize promise.
For example, Trend Micro's Simon Edwards, in a roundup of various types of exploits, including macro and fileless malware attack - "sending weaponized documents is a really big attack vector" - also touched on tricking out executives into sending money to attackers. Known as business email compromise, aka CEO fraud, this low-tech attack continues to have a high impact on businesses.
To help, he says Trend Micro has been developing technology it dubs "handwriting DNA," which can analyze a CEO's writing style and flag emails that don't emulate it as potentially being fraudulent.
5. FBI: Work With Law Enforcement (Please)
Fun fact: Many Brits think they should report cybercrime via the IC3.gov portal. One wrinkle: It's run not by British police or law enforcement agencies, but by the FBI, for U.S. users.
"U.K. people love to send their complaints over to IC3.gov," Special Agent Efrene G. Sakilayan, the FBI's assistant legal attaché to the U.K., told the conference. "I keep telling them to send them to Action Fraud," which is the U.K. portal for reporting cybercrime (see Don't Be a Money Mule for the Holidays).
The nuances of reporting aside, Sakilayan saluted anyone who attempts to engage with law enforcement agencies, so much so that he said he was breaking from his public speaking training - "never tell the audience that you have just one message for them to remember, or they'll forget everything else" - to say of his talk: "If there's one thing you can get out of this it's to figure out how to work with law enforcement."
Sakilayan also touched on how the FBI's role in domestic U.S. investigations, it work with foreign partners, as well as the top types of online attacks it's seeing.
"The main thing that keeps hitting is ransomware and extortion," he said. "That is the name of the game, that's why there is a billion dollars of bitcoins today," because enough victims keep paying crypto-locking malware gangs and extortionists (see Hackers Demand $770,000 Ransom From Canadian Banks).
"As much as we tell people not to pay the ransom, people pay the ransom," he said.
6. Battling Ebola With Big Data
"Never work with the internet, children or animals," quipped Adrian Smales, a research fellow at Napier University who helped organize the conference, as it kicked off on the morning of May 31. He was warning that planned tie-ups with some locations and remote speakers might not always go completely to plan.
Indeed, technical problems temporarily delayed a Skype chat, piped onto the main hall screen, featuring Rosheen Awotar-Mauree, the program officer for - perhaps ironically - the International Telecommunication Union's Office for Europe. The ITU, based in Geneva, has deep roots; it was formerly known as the International Telegraph Union.
Awotar-Mauree detailed some of the agency's current projects, including efforts to use cultivate more sources of big data.
Anonymized mobile phone data is one such source. "Around 95 percent of the world population is covered by mobile/cellular networks," and that figure continues to increase, she said.
How might this data be used? "[One] aspect for big data that we've tried and tested is [for] emergency response and enhancement," Awotar-Mauree said.
For example, during the 2014 to 2016 Ebola crisis, the ITU tested using anonymized call data records as a "big data" source to derive "visual information on citizens' mobility and their spatio-temporal distribution," to help responders better contain the outbreak, she said.
7. 'Fire Teh Lazer!'
Want to warm the hearts of cybersecurity conference attendees? Dave Lewis (@Gattaca) - at the time of the conference, a global security advocate for Akamai Technologies, who earlier this month became Duo Security's global advisory CISO - took attendees down DDoS memory lane, remembering such greatest hits as the Izz ad-Din al-Qassam Cyber Fighters, whose 2014 to 2016 attacks pummeled banks in the U.S. and Canada.
The group was widely believed to not be independent "cyber fighters" but run by the Iranian government. Lewis, who's Canadian, said that while attackers' beef was with the U.S., they didn't appear to realize that Canada is a separate country, and targeted its banks too.
Another DDoS fun fact: Back in the day - think late 1990s - stresser/booter services were legitimate, Lewis said, and designed to see if websites could function under high loads.
Of course in recent years, such services have become a tool for criminals who threaten to knock businesses offline unless they pay shakedown money; hacktivist or patriot hackers; as well as for unscrupulous competitors who want to deep-six the competition.
The easy availability of these services - despite a number of high-profile arrests of site administrators and power users - continues. Lewis says the monthly subscription price for one widely used stresser/booter site costs less than a daily Americano from Starbucks.
Or in the words of the interface for the High Orbit Ion Canon - successor to the infamous Low Orbit Ion Canon - for anyone who wants DDoS on demand, it's easy to find a cheap - albeit illegal - way to "fire teh lazer"!
8. 'Cyber' May Be News, But It Ain't New
What is cyber? "We know it is a lazy sobriquet" beloved by marketing departments and business types seeking budget for a project, "soon to be replaced by artificial intelligence and machine learning," said Colin Williams of SBL, for Software Box Limited.
Williams delivered an impressive, rapid-fire look at the history, sociology and philosophy of the "cyber" phenomenon.
In brief: We've been here before, just under a different name. Or in the case of "cyber," in fact the same name, since it was first coined in 1948 by Norbert Wiener, who defined it as "the scientific study of control and communication in the animal and the machine."
Seventy years later, Williams highlighted a dangerous disconnect between understanding how our current technological environment is a natural consequence of so many things that have come before, including not just technology but also social change and our collective moral, ethical, political and philosophical fabric.
"When we talk about driverless, autonomous vehicles and we start to talk about driverless carriages, we're in the realm of classic Benthamite 20th-century utilitarianism," he said.
So despite the current prevalence in society to flail about uncontrollably in the face of today's awesome technology and claim that no one, truly, could have predicted the internet of things - and so on - Williams said we collectively need to remember where we have come from, provided we wish to find our way to an acceptable cyber future.
All photos by Mathew Schwartz.