enicaise, Author at Apalala srl

The belgian ministry of defence recruits 24 cyber security specialists.

enicaise | 2015-06-05 | English, Uncategorized

The Selor, the official recruitment agency for the Belgian federal government, just started a new recruitment campaign for 24 cyber security specialists amongst which 20 with a master degree and relevant experience. Its an ambitions objective and we can applaude the will to increase our capability in fighting the cyber war within the ministry of defence. However, it is a difficult goal to achieve as there is not so many skilled specialists, they don’t have absolutely a master degree and they may not be satisfied with a yearly salary around 42 K€ (gross). However, we should not underestimate the patriotic sense or the desire to step into the military/spy world. Additionnally, it is certainly an interesting choice for some people to make a new step forward in their career.

So, if you have the rights skills, the desire to work in a very stimulating environement fighting the war against the cyber-soliders and cyber-criminals, you have until the 19th of June 2015 to apply here (in French): http://www.selor.be/fr/cyberdefense or here (in flemish): http://www.selor.be/nl/cyberdefense.

Our illustration: Lt. Col. Tim Sands (from left), Capt. Jon Smith and Lt. Col. John Arnold monitor a simulated test April 16 in the Central Control Facility at Eglin Air Force Base, Fla. They use the Central Control Facility to oversee electronic warfare mission data flight testing. Portions of their missions may expand under the new Air Force Cyber Command. Colonel Sands is the 53th Electronic Warfare Group AFCYBER Transition Team Chief, Captain Smith is the 36th Electronic Warfare Squadron Suppression of Enemy Air Defensestest director, and Colonel Arnold is the 36th Electronic Warfare Squadron commander. (U.S. Air Force photo/Capt. Carrie Kessler)

Crime-as-a-Service, the new emerging model of a 300+ billion$ business?

enicaise | 2015-06-01 | English, Information Security

In its 2014 report on Internet Organized Crime Threat Assessment, Europol highlighted the rising of a new business model in the cybercrime community: Caas, Crime-as-a-Service. More and more hackers provide “services”, available through the darknet (like Tor), allowing to rent thousands of infected computers, undected payload for viruses, list of passwords, and so on. For a few years now, you can even pay anonymously using virtual currencies (like bitcoin). They often provide a very good customer service and sometimes even a cash back warranty.

We often underestimated the size and importance of the Cyber Crime market. In its 2013 report on the economic impact of cybercriminality, McAfee estimate the global revenue of the cyber crime activities worlwide between 300 billion$ to 1 trillion$.

1.000.000.000.000 $/Year

With number as huge, it is dfficult to represent the magnitude of this market. In comparaison, the yearly worlwide drug market generate between 300 and 600 billions$ of revenue or bigger than the PIB of some European countries.

Caas is increasingly proposed and used by more traditionnal crime organizations to suport their activities. The Europol report mention a quite interesting figure on a russian underground forum dedicated to hacking having 13.000 members and 4.000 daily visitors. It is hard to find a security professionnal nowadays but on the dark side, they are legions of hackers (when you see the profit they can make, you may understand why they are so many).

Additionnally, the “dark side” is also offering other services, mirroring the “legit” community, as Iaas (Infrastructure-as-a-Service), Data-as-as service, Hacking, or Money-Laundering. The hacker world has developped its own eco-system. As it is more and more interacting with the other “worlds”, it may be soon possible (if it is not already) for everybody to use and pay anonymously for illegal services.

After online drug dealer like Silk Road on Wikipedia, we might soon see service to remove your speeding ticket or to have a preview of exam’s questions. Nor to say, in a more and more digital worl, with eGovernment and the Internet of Objects growing in size, might we soon be able to ask for a new identity, a true diplome we never studied for, or even worse, the death of our worst ennemy in a car crash (assuming he drives one of the new connected cars).

Some forms of cyber criminality are already well established and cost already a lot of money as well as a huge human cost (even more if we talk about child pornography, one of the big beneficiary of the darknet). We could think about hunting these tools and protocols used to create the darknet but they are also used by thousands of honnest people wanting to protect their anonymity, their privacy or to “speak freely” in oppressing regimes. Even more, should you try to suppress it, new technologies would be quicly invented or developped to create even deeper, even darker, networks. With such a big amount of money at stake, the means to create a dark zone on the Internet would be nearly unlimmited. They could even create a parrallel network hiding in plain sight if they once achieve a higher level of organization at a global level.

As always, eventually, our only weapons are the skills and means of the people fighting them and able to differenciate the right from the wrong, the bad from the good. Unfortunately, we don’t have enough skilled professionnal yet. We sure do have already a lot of very talented security professionnals (coder, hackers, network specialist, governance, auditors) but the fight remains inequal as they have to find only one faillure to succeed and we need to close them all to win. So, we definitely need better trainings, better information exchange, better research, higher standards for IT professionnals and better preparation of our future professionnals.

Clearly, we need also to make security more understandable, more user friendly. As Bruce Schneier was advocating a few years ago, security must become a convenience like any household appliance, easy to use, easy to sell, easy and efficient. It is maybe where the dark side is winning the competition at this stage.

Google knows what you did last summer!

enicaise | 2015-03-26 | English, Information Security

Maybe did you forgot what you were doing last week? Even if you do, you probably don’t know exactly what you where doing last summer.

(Un)fortunately, your friend Google can help you. You may already know it (or not) but Google keep track of all you movements (if you use their services and clicked “Yes” when they ask for your permission). If you have activated Google now or Google map using your Google account, George Orwell’s 1984 and his Big Brother seems to be an optimistic view of the actual reallity. But, as nothing is always black or white, especially in risk management, this invasion in your privacy might help you remember where you were last summer. Google does not advertise it so much but you can see all your history of location (if you have allowed them to do so) on the location history map on https://maps.google.com/locationhistory/.

You can use it to relive your hollidays using Streetview , find where you were at a specifi date and time, check the number of kilometers you drove on a specific day.

Of course you can imagine the amount of information you can gather if this system start to keep track also of all the network nearby, the blutotth devices visible at a specific time, the NFC payment you or the sound heard by your phone (yes, remember Google Now wait for you “OK Google” and is thus listening continuously when it run).

Get alarmed or don’t, at least, now, you know it.