Telstra has announced that it will be launching a new suite of managed security services and two new cybersecurity centres in Melbourne and Sydney. According to Neil Campbell, Telstra’s director of Security Solutions, the offerings will be ready for customers by July 19, with the aim to make the cybersecurity challenge easier for organisations to deal with.
“We’re taking this opportunity to rethink and reinvent really our product portfolio very much with that mindset of ‘it’s not enough to offer point solutions, it’s not enough to focus on today’s problem’,” Campbell told ZDNet.
“We need to help our customers and help the community to improve its cybersecurity resilience, to be more ready for attacks, more resilient against them, and therefore be more profitable, have more confidence in using the internet, and that confidence and reduction in interruption will play right across the entire spectrum through consumer and small business to enterprise, and should ultimately result in better gross domestic product outcome.”
Telstra said its new managed security services depart from traditional approaches, which Campbell labelled as being “slow and cumbersome and reactive”.
“Our new managed security services technology platform is built on open source, in part so that we can democratise that kind of SIM layer — security, information, management layer — we’re trying to make technology more available to a broader part of the market at a more cost-effective rate so that we can help to raise that base level of security, not just in enterprise but pushing down into the mid-market, who wouldn’t previously have been able to afford services like this,” Campbell said.
“The first set of offerings will be what you think of as traditional managed security services — managed firewall, managed intrusion prevention — and it will be that full stack … it will give us the ability to manage the vast majority of security infrastructure that a customer needs to operate.
“Using an open-source platform in a very much more cost-effective way giving the customer the kind of transparency they need, but also using technologies like big data to prepare ourselves on behalf of our customers for the kind of massive event flows that we will see as we see a greater uptake of Internet of Things connecting to their network.”
Telstra made its announcements off the back of the release of its annual cybersecurity report, which revealed that the rate of “business-interrupting” cyber attacks has doubled in the past year in the Asia-Pacific region. Telstra’s Cyber Security Report 2017, released on Wednesday, showed that 59 percent of organisations in both Australia and the wider Asia-Pacific region surveyed reported one security breach at minimum on a monthly basis during 2016.
Campbell said the results being mirrored in APAC show that it is not merely an Australian problem.
“This is very much an industry challenge,” Campbell told ZDNet. Of the respondents to Telstra’s report survey, 42.2 percent were from Australia; 16.7 percent from India; 14.4 percent from Singapore; 13.6 percent from Indonesia and the Philippines; and 13.1 percent from Hong Kong. Distributed denial-of-service (DDoS) attacks have also grown significantly over the year, with Telstra’s report citing Imperva experiencing 100 percent growth of network- and application-layer attacks and Akamai reporting a 71 percent increase in total global DDoS attacks.
According to the report, ransomware was the most downloaded malware in the Asia-Pacific region during the year, with around 60 percent of Australian businesses experiencing at least one incident in the 12-month period. Of those that experienced a ransomware incident, 42 percent paid the ransom. However, nearly 33 percent of organisations facing a ransomware demand never recovered their files, despite paying up.
Telstra reported the top ransomware botnet in the region as being Locky, which carried out 74 percent of all attacks, followed by CryptoWall, at 14 percent; Cerber, at 11 percent; TorrentLocker, at 0.5 percent; CryptXXX and TeslaCrypt, both at 0.04 percent; VirLock, at 0.03 percent; and Cerberus, at 0.00005 percent of all ransomware demands.
“Obviously, ransomware is big business now, a big focus for cybercriminals,” Campbell said, adding that businesses can avoid getting themselves in a situation where they are susceptible to ransomware demands.
“The absolute most important thing is backup, backup, backup, and then backup again. And make sure that your backup strategy runs frequently enough and has enough layers in it that it is a combination of on-premises and off-premises storage,” he said. According to Campbell, SMBs do not back up their files as diligently as larger organisations, with ransomware attackers relying on the “sweet spot” in the market where information is business-critical, but where businesses are far less likely to have a strong backup regime.
Businesses also need to implement a better security system to begin with, Campbell said.
“Backup is — you’re kind of treating a symptom. You also need to take on the cause, which is the malware arriving on your network in the first place,” he explained.
“So a better approach to end-point security, a better approach to perimeter security, will always stand you in good stead. You don’t apply security in single, thin layers; you apply security in depth.”
Telstra’s new cybersecurity offerings will also enable organisations to battle the ransomware problem, Campbell said.
“When you think about managed security services, that service will enable organisations to more rapidly detect attacks, both attempts and successful, and be in a better position to respond to those attacks and eradicate the cause of the attack before any significant damage is done.”
Telstra’s new offerings were partly inspired by the Australian government’s own cybersecurity initiatives — beginning with its cybersecurity strategy launched in April last year — according to Campbell.
“I’m really heartened by how the government has been driving cybersecurity in Australia,” he said.
“I think it’s fair to say that that in part has been an inspiration, certainly an input to our strategy. I think the government has it right in that this is a societal issue: You can’t address cybercrime by going to each individual affected party and trying to fix the symptom of cybercrime one by one. You have to take a far more systemic or national … approach to it.”
Campbell hailed the government for backing up its policy with action by opening its first Joint Cyber Security Centre in Brisbane last month. The government also opened its Cyber Security Growth Centre in December and announced AU$1.9 million in funding for universities to deliver specialised cybersecurity training and become Academic Centres of Cyber Security.
Telstra is also satisfied with the “massive increase” in the level of involvement now being seen from C-level executives across Australia, Campbell said, which shows that companies are focused on driving progress.
“Cybersecurity within an organisation has to be a top-down focus,” he said.
“We need to see executives recognising the importance, incorporating cybersecurity into their risk-management programs and then driving improvement through the organisation, and tracking it as rigorously as they would any other significant risk.”
While Telstra is backing the effectiveness of its new system, Campbell said it is imperative that businesses accept that some cyber attacks will be successful; otherwise, they won’t be prepared for when an attack does succeed.
“An attack will be successful,” he said.
“The whole industry needs to get over that.”
Following the news of Amber Rudd’s call for WhatsApp messages to be available to security services, IT security experts from Avast, CipherCloud, DomainTools, AlienVault, Tenable Network Security, Tripwire, Comparitech.com and FireMon commented below.
We understand why governments want to be able to access the content in these messages but, unfortunately, banning encryption in order to get to the communications of a select few opens the door to the communications of many, and renders us all less secure and our lives less private.
If you build a back door, it’s there for everybody to access. And if you store that data you collect, even in encrypted form, how secure is it? All these data breaches we hear about show our privacy is regularly being breached by hackers, so the action suggested by the Home Secretary would only open us all up to further invasions of privacy.
A lot of these terrorist organisations are already well resourced. It would be naïve of us to think that by removing the public methods of encryption which we use to protect our identity, our freedom of speech and to keep us safe from persecution, that those terrorist organisations will not develop alternative methods to encrypt their communications. If this were to happen, we’d only be pushing these people further underground, presenting a greater challenge to security intelligence services.
As we have seen with past terrorist incidents in Paris and Brussels, in the wake of the attack in London the debate over security and privacy has been ignited again, this time between UK government officials. The predictable clash between intelligence gathering and civil liberties is once again on display. Each time the topic of government access to end-to-end encryption is raised it is worth reviewing some of the reasons why backdoors that dilute encryption strength are an ineffective response:
Encryption is less of a technology and more of a concept or idea. Ideas are hard to control. Bad and good actors have used encryption over the course of history to communicate securely. Governments and businesses need to keep secrets too. Encryption is a highly effective way to protect legitimate rights and interests.
Controlling encryption is equivalent to controlling math. Modern encryption schemes (such as AES-256) are publicly available and can be implemented with skills of a college-level math major. If providers of secure messaging in western countries are forced to install backdoors, then bad actors will get their secure apps from regions where UK and US government enforcement do not reach. Preventing clever people anywhere in the world from applying readily available encryption or developing their own encryption schemes is impossible.
Legitimate users will be hurt if government demands backdoors. If there are any backdoors to data protection, it is inevitable that hackers will steal and exploit them. The very existence of government backdoors would undermine the confidence in security from firms in western countries. Other countries will quickly fill the gap. Encryption plays a critical role in online privacy, ecommerce and the cloud. Undermining the trust in personal data protection will hurt businesses and users alike. We live in scary times and should never underestimate the challenges we all face in deterring terror. But latching onto simplistic solutions that will not work, does not make us safer. In fact, if we undermine the effectiveness of our critical digital security mechanisms and damage an important industry, we will be handing the terrorists a victory. For these and many other reasons, this idea simply won’t work and will have no impact on those seeking to commit acts of terror.
The idea of having a perfect end-to-end encryption solution with backdoors embedded only for police sounds great, in theory. However, in practice, it’s not possible. If a backdoor is embedded into an application or service, it’s present for anyone to find and use. The only difference between police and criminals at that point is awareness of the backdoor and intent. The ultimate victims are the end user and the organization required to comply with embedding vulnerabilities to allow for backdoors. Having embedded vulnerabilities leaves the end user vulnerable to criminals who leverage the backdoor that the organization willingly put into place. You can’t necessarily control who finds or uses this vulnerability once the application is distributed and used.
Today, as we stand with technology and encryption deployment, backdoors simply aren’t possible. It’s an all or nothing approach. If backdoors are built in, then they could be exploited by anyone, not just authorised bodies.
As the computational power, complexity and value of these devices increases, the probability they’ll be targeted by cyber criminals to monetize security flaws will also rise. Smartphones are a particular weak spot, with cherished photos being stored and rarely backed up.
As with traditional IT equipment, it’s important connected devices are kept up to date, applying fixes the vendors release in a timely manner.
You can have true end-to-end encryption that nobody but the participants can read, or you can have a system where a central authority can decrypt any message they want. It doesn’t make any sense to suggest that you can have both. It is either one or the other. It is a reasonable policy position to believe you should have a government backdoor in messaging systems, but this always worries security experts because that same backdoor you create for the government inevitably creates the potential for misuse, abuse, and being exploited by others.
Westminster gets tough on terrorists. MPs clampdown on encrypted communications. Amber Rudd foils imminent attack while chatting on WhatsApp.
Great headlines the lot of them, especially for politicians who like to curry favour with the electorate by pandering to, well, anything of note really.
In this case, however, we find the Home Secretary seriously out of her depth with her suggestion that a back door should be placed in all encrypted messaging services, a claim made all the more laughable by her assertion that this could be accomplished with hashtags. Perhaps she intends to tweet #no_more_encryption and then sit back and watch the magic happen?
Her crazy idea that a system could feature end-to-end encryption and a back door at the same time (which means it’s no longer end-to-end and available to anyone, good or bad, who can find said backdoor) is almost as baffling as the notion that terrorists would then continue using that service regardless.
Everyone knows that once one service is known to be broken, the bad guys will simply move onto the next. In the meantime, it is ordinary, law-abiding citizens who will be wondering whether their current government, or the next, or the one after that, is spying on their mundane but no less privacy-deserving lives.
Equally, businesses will get the jitters too, wondering whether Amber Rudd wishes to weaken their ability to communicate with clients in other, less paranoid, countries, or unravel all the hard work and funds they have invested into the secure web payments they offer their customers.
Encryption is a topic I am well familiar with; having spent 8 years in the military supporting encryption services and as a CISO. Much debate on this topic arose in the past with the Apple vs. FBI requesting backdoors.
The problem with backdoors is they are essentially a request for access to applications or systems using alternative means than the front door. Many companies spent a lot of time protecting the front doors of their products. Backdoors by design allow those with keys access, but like the analogy, it also means attackers can attempt to penetrate and hack these backdoor systems. In essence, backdoors compromise the security of the products allowing for potential broad exploitation to occur. Those with keys can also lose their keys. Who in the government would be responsible for protecting the keys to these back doors? What if I attack those with these keys? Or more commonly, what if a contractor working for a government decides to steal these keys and perhaps flee to Russia? Sounds familiar to other events that have occurred.
Let’s turn our attention to WhatsApp. Yes, this communication application has built-in security enabling end to end encryption. If the bad guys feel that this application has been compromised by government officials and backdoors become available, this leads to a simple response by the bad guys, use a different application. WhatsApp is a third party application on a mobile device. Nothing prevents the bad guys from moving to a lesser known third party application. Plus, anyone that is looking to compete with WhatsApp may see this new backdoor feature as an opportunity to compete, promoting the lack of backdoor in their product as a true for the people product.
Backdoors can have a negative financial impact to those companies providing these security type products.
Hannah Eimers was killed when a Lindsay X-LITE impaled her car, striking her in the head and chest. (Photo: WBIR)
At least four people in Tennessee have been killed in crashes involving a controversial model of guardrail endcap since 2016, per state records. At the center of this controversy is the Lindsay X-LITE guardrail terminal, which TDOT removed from their approved list of devices back in October 2016, citing “concerns about potential long-term performance issues” when struck at speeds greater than 45 mph. Guardrail terminals are designed to redirect the end of the rail away from cars in the event of a crash. However, some are raising concerns that thousands of devices installed on Tennessee roads can malfunction, skewering the car.
Questions of the X-LITE’s safety came to light after Hannah Eimers struck one in the early morning hours of Nov. 1. The 17-year-old was driving along I-75 North in McMinn County when her vehicle left the road. The guard rail impaled the car, striking Eimers in the head and chest. She died instantly, according to the Tennessee Highway Patrol crash report.
The bill Hannah’s parents received after her death, for the damage to the guard rail on I-75 in McMinn Co. (Photo: WBIR)
“That bill was tasteless,” Stephen Eimers said. “But the real travesty is that TDOT knew that they had a dangerous device on the road. They left it in place and it killed my daughter. And those devices are still on this road today.”
Hannah’s father, Stephen Eimers, received a bill for nearly $3000 from TDOT following his daughter’s fatal crash. (Photo: WBIR)
TDOT has apologized for the “processing error,” and said the family does not need to pay the bill. Stephen Eimers told 10News he is now represented by the law firm Cohen Milstein and is considering legal action.
The department estimates about 1,000 Lindsay X-LITEs are installed statewide. At least 3 other people have been killed in crashes where the X-LITE penetrated their vehicle in the last 15 months, according to TDOT spokesman Mark Nagi and data from the Tennessee Department of Homeland Safety and Security. On June 29, 2016, two people were killed on I-40 E in Cumberland County after an X-LITE penetrated their vehicle.
On July 2, 2016, one person was killed near the I-75/I-24 interchange in Hamilton County. Again, an X-LITE terminal pierced the vehicle. In both cases, the damaged rail was replaced with another X-LITE terminal, Nagi said. After Hannah Eimers’ death, an SKT-SP was installed. The X-LITE is not the only guard rail terminal used in Tennessee with a questionable safety record. In 2015, Trinity Industries lost a $663 million lawsuit involving the ET Plus rail endcap. The company was accused of modifying the design without notifying the Federal Highway Administration. Critics said the change made the caps more dangerous, and more likely to impale a car that struck them.
An ET Plus guard rail on I-75. The company that makes the ET Plus lost a $663 million lawsuit in 2015, following claims the devices were not safe. (Photo: WBIR)
This led Virginia to implement a risk-based assessment program to replace terminals that might contribute to more severe crashes. VDOT found four vehicles that had been pierced by modified ET Plus terminals from October 2014 to July 2015. TDOT estimates 21,000 ET Plus endcaps are installed statewide. Any number of them could be the modified design. TDOT has decided to remove any X-LITE devices installed on roads with a speed limit of 45 miles per hour or greater. This is most of the terminals, Nagi said.
The bidding for this contract will begin March 31. Nagi was not able to give a cost estimate or timeline for the project, though he anticipates work may begin in late spring to early summer.
Grieving family billed for guardrail in fatal wreck