Cyber wrap
10 Aug 2016|

Image courtesy of Flickr user wbeem

Las Vegas was the place to be last week, with the world’s largest annual hacker conferences, Black Hat and Defcon, taking over the town. The events unearthed lots of cyber gossip, but it was the world’s first machine-only hacking competition that stole the show. DARPA’s Cyber Grand Challenge pitted seven ‘cyber reasoning systems’ against each other to assess their ability to detect software vulnerabilities and write new security patches without human assistance. The automated computers were confronted with modified versions of historic bugs, including Heartbleed, Sendmail crackaddr and the Morris Worm. Carnegie Melon’s ‘Mayhem’ won the US$2 million prize, and even briefly held a lead on a human team in a separate hacking event—before eventually coming last. This sort of artificial intelligence isn’t intended to replace human analysis, but the success of the Challenge confirmed the utility of automated network defence and the assistance that such systems can offer in network protection. Other highlights from the desert include flying laptops, the return of the Jeep hackers, the rise of automated spear-phishing Twitter bots, and how to hack your way into first class airline lounges.

It was at the Black Hat conference that Apple announced its first ever bug bounty program. Ivan Krstic, Apple’s head of security engineering and architecture, revealed that Apple will start offering up to US$200,000 to hackers who report undiscovered security vulnerabilities in Apple’s software. After years of refusing to pay independent researchers and relying instead on internal security efforts, Apple will start the program next month on an invitation-only basis. In doing so, it joins the ranks of many other large tech companies that offer rewards for cybersecurity detective work, including Google, Microsoft and Facebook. Fancy yourself a white hat hacker? Well, check out Bugcrowd’s up-to-date inventory of live bug bounty programs. Happy hunting!

Rumours are circling that the Obama administration is planning to elevate the powers of the Pentagon’s Cyber Command. There are preparations to separate Cybercom from the NSA into a separate and more influential Unified Combatant Command. Rejigging the organisational structure appears necessary to improve Cybercom’s performance, as the shortcomings of its current online campaign against ISIS are drawing criticism from military leaders. Standby for confirmation of this change from the White House.

Cyber continues to bubble up in the US elections. The recent hack of the Democratic National Committee’s network has generated concerns over the security of the electronic voting technology. The Obama administration is considering the possibility of designating the electronic ballot-casting system as ‘critical infrastructure’. Doing so would allow the Department of Homeland Security to take more robust measures to protect the system, which Secretary Jeh Johnson described as part of the US’ ‘vital national interest’. Those discussions join a long election dialogue on cybersecurity that has included Clinton’s email misdemeanours, the DNC hack, Trump inciting Russian hackers and the respective policy positions of both candidates. Cybersecurity expert and founder of both Black Hat and Defcon, Jeff Moss, has publicly endorsed Clinton, despite her online blunders—better the devil you know. But then again, who could go past Trump’s profound value-add last month when he announced, ‘I am a fan of the future, and cyber is the future’…

As the host of the 2016 Summer Olympic Games, Rio has needed to up its cybersecurity game. Large scale sporting events bring with them an increased volume of online activity and are naturally attractive to cybercriminals. A report from security firm Fortinet reveals a spike in malicious online activity such as online payment fraud, in sync with the opening of The Games. Over the last month, Brazil has experienced an 83% rise in the number of malicious URLs, in comparison to a 16% increase globally. The major threats are expected to be phishing scams, unsecure public Wi-Fi connections and ATM skimmers. Luckily, US-CERT has published some handy tips to keep you cyber secure at The Games.

Speaking of cybercrime, Australia has set up a new cyber-intelligence unit to track terrorism financing, money laundering and financial fraud. Justice Minister Michael Keenan indicated that this unit would be stood up within the Australian Transaction Reports and Analysis Centre to crack down on organised criminal activities online. The unit will tackle job recruitment scams with IDCARE and identify criminal patterns in cooperation with ACORN, the Australian Cybercrime Online Reporting Network.

The Australian Bureau of Statistics suffered an embarrassing denial of service last night, just as millions of Australians logged on to complete the national census. This comes after widespread privacy concerns over the increased time period that individuals’ information would be stored and security worries over the fortitude of the website’s encryption. So much so, that several senators openly committed to boycotting this week’s survey, despite hefty fines. So last night’s debacle is an awkward development, with questions being raised by the media on the origin and motivation of the incident, and its implications for the integrity of personal data. While you’re waiting for the census website to come back online, check out #bettercensusquestions for some comic relief.

Finally, Pokémon Go’s rise to become the most successful mobile game in history has led to the creation of malicious apps masquerading as the real thing. These knock-off games have popped up on the Google Play store and are smuggling malware onto people’s Android mobile operating systems. Check out Dell’s analysis of these exploits here. Getting ahead of the game, Iran has banned Pokémon Go before its even been released, on the grounds of security concerns. So, thanks to the country’s High Council of Virtual Spaces, Iranians will never be able to catch ‘em all – but at least they will be safe from cybercriminals.