Cyber wrap
20 Jul 2016|

Image courtesy of Flickr user Lee McKusick

Yesterday’s appointment of Malcolm Turnbull’s new ministry has followed through with the commitment made in last year’s Cyber Security Strategy to create a ministerial position for cyber security. Dan Tehan from Victoria has added Minister assisting the Prime Minister for Cyber Security, in addition to his other roles as Minister for Defence Personnel, Minister for Veteran’s Affairs and Minister assisting the Prime Minister for the centenary of ANZAC.

Part of Tehan’s responsibilities will be leading work with the private sector to implement the government’s cyber strategy. The other change relevant to cyber policy and security is Greg Hunt’s move to the Industry, Innovation and Science portfolio. Mitch Fifield remains in Communications, Angus Taylor retains Assistant Minister for cities and digital transformation, and Fiona Nash has kept the regional communications role.

In the US, Department of Defense leaders are apparently ‘frustrated’ by the pace of Cyber Command’s actions to disrupt Islamic State’s online activities. Cyber Command’s campaign against IS is the first time the US has publicly acknowledged that Cyber Command is engaged in operations, but the seven year-old command was established to tackle state actors, and apparently is having difficulty getting the right people and capabilities in place to overcome IS use of the internet for recruitment, operations and propaganda.

A new Joint Task Force, dubbed ‘Ares’ has been established to conduct cyber operations against IS and coordinate with Central Command’s plans and operations in Iraq and Syria. Officials suggested to The Washington Post that possible actions might include disrupting payment systems, chat apps and other online platforms such as IS’ magazine ‘Dabiq’, but that IS was able to counteract this by switching to new servers and other hardware to stay ahead of US cyber operations against them.

The attempted coup in Turkey over the weekend took advantage of the security features of messaging app WhatsApp to coordinate operations across the country. However it seems that despite realising the advantages of encrypted online communications for their planning, the coup’s leaders didn’t take account of the power of the internet and social media to rally resistance, as President Erdogan did via FaceTime from his plane. While they did seize control of two television channels, access to the internet and social media wasn’t significantly disrupted during the coup.

The military did attempt to throttle access to social media but this appears to have been quickly overhauled by the President after only a few hours. Security researcher ‘the grugq’ noted on Medium that by failing to cut access to cyberspace the coup was bound to fail, as Erdogan could still call on supporters to oppose the coup. Grugq goes on to compare the successful coups in Thailand in 2006 and 2014 to the failure in Turkey, noting that the Thai coups succeeded in part because they quickly denied access to mass communication by political leaders by either cutting the power, or detaining them en masse. He concludes that a successful coup plan needs to better incorporate cyberspace into its execution, and within the first hour cut power to main cities, neutralise leadership and take over all telcos, ISPs and TV stations.

And finally, Pokémon Go has literally taken over the world. Its popularity has made it a target for cyber criminals using third party apps infected with malware, and hackers seeking notoriety who brought down  servers for US and European players last Saturday. The DDOS incident was claimed by hacker group ‘PoodleCorp’, who promised more to come. But how can you join in and battle with your friends if you’re a spy and need to protect your identity, location and other sensitive personal information? Luckily the US government has created a guide for employees on how to catch em’ all without breaching operational security, kindly shared by Thomas Rid on Twitter. Some of the advice is good cyber security advice generally, such as avoiding play in areas you don’t want to be geo-tagged and not using personal Gmail accounts. Other tips such as ‘do not attempt to catch Pokémon while driving’ also seem pretty sensible. Wait, is that a Vaporeon?