Cyber Security Weekly Podcast
Summary: Without trust, society stagnates, economies decline, and businesses fail. This podcast series keeps abreast of the latest trends and challenges in cyber and physical security with interviews, event updates, industry suppliers & government initiatives.
Karan Khosla, Director of Privasec, provides case-study insight into Privasec’s red-teaming operations. Hosting a Cyber Risk Meetup round-table luncheon in Sydney, the cybersecurity specialists exposed a number of large enterprise executives to a broad range of red-teaming vulnerabilities, where physical and information security systems were readily breached or circumvented to achieve the ‘capture the flag’ goal. In this case, proof was shown by applying a Privasec sticker at the target location, be that senior staff offices or server rooms, and up to and including full network administration-level access. Although four case studies were presented, we focus on just one: a critical infrastructure operator in the utilities sector. Privasec was called in to help determine what a local disrupter could do in terms of disrupting services or causing actual harm. The mission was to access ten (10) sites, identify and locate a SCADA-based control room, establish how it could be accessed and then what could be done once there. Following 15–20 days of reconnaissance and site surveys, by day and by night, the team established daily or predictable patterns and how they could be manipulated. Drones were flown over the site to identify any other potential areas of access or activity. The red team then began the attack phase, blending in so as to appear to have a legitimate reason for being on site, for example by appearing as maintenance personnel in apparel readily bought from a local hardware store. Other potential entry points included fire exits, opened with an ‘under the door’ tool. Access was gained in this manner. Once inside, uniforms and access cards were available, and the team was able to look exactly like employees.
The next mission was to find the control room, but rather than do it the hard way, once inside the red team simply ‘asked’ other staff where it was, and they were directed and kindly escorted to the control room. The cover story was that a security assessment was being conducted; no one bothered to have this verified. A security officer was eventually alerted to these ‘sneaky auditors’, however, on production of a fake letter on company letterhead, the security officer took this as verification and went further, escorting the team around and pointing out security issues he had observed that were not being fixed. The clear learning outcome of the exercise is that staff need to remain aware and have the confidence to challenge for correct credentials in the workplace. All staff share a responsibility for safety and must remain vigilant and aware. A culture of security compliance and ‘looking out for each other’ is a good standard to reach for. Complacency, should it be allowed to creep in, will allow or indeed facilitate security breaches. Some case studies involved red teams breaching security within 15 minutes, demonstrating a poor and ‘unreasonable’ security posture. Organisations should focus on making it hard for an attacker, not on making it impossible. A holistic, protective security approach is the best way. For more information visit https://privasec.com.au/. For future Cyber Risk Meetup events in Sydney, Melbourne and Singapore visit www.cyberriskmeetup.com.
In this interview, Morry Morgan talks with Stuart Coggins, Sales Consulting Director of Oracle, who demonstrates Oracle’s ability to collect real-time data, apply analytics and engage IoT systems within the cloud, using the kids’ car racing game Anki Overdrive. With a customised Oracle dashboard and a Raspberry Pi processor equipped with Bluetooth, Stuart and his team were able to demonstrate real-time data collection of speed, battery power, distance and even each car’s wear and tear. While the example on display at the IoT Festival is a children’s toy, the scaled-up version has obvious applications for autonomous vehicles, smart cities and multiple integrated IoT services, such as logistics and emergency services. YouTube video link: https://www.youtube.com/watch?v=QD5v7Fgh3Tk. Recorded at the IoT Festival, Melbourne, 4 June 2018.
On location at National Manufacturing Week, Sydney Olympic Park, Nigel Brown, Director of Autonomous Technology provides insights into running a certified drone operation, with a particular focus on the mining and resources sector in Western Australia. As a recent client of Konica Minolta’s 3D printing technology, Nigel Brown provides discussion on the application of 3D printed parts and payloads and how the application of fast-developing 3D printer systems provides new business opportunities with developing smaller and lighter payloads. Full briefing provided at http://drasticnews.com/nmw-insights-mir200-robot-briefing/ Recorded at National Manufacturing Week, Sydney Olympic Park, 10 May 2018.
This weekly podcast catches up on recent industry events, including CIVSEC 2018 in Melbourne, CeBit Australia in Sydney and the NetEvents Global Press and Analyst Summit in San Jose, California. We also attended the launch of the Cyber Deterrence Report by Chris Painter of the Australian Strategic Policy Institute (https://www.aspi.org.au/report/deterrence-cyberspace), sponsored by the Australian Computer Society. We highlight recent interviews, including with @austcyber, @jasklabs, @apstrainc, @NETSCOUT and @MEF_Forum, along with @FergusHanson. The Australian Security Magazine June/July edition is scheduled for release this month, and upcoming events include the Cyber Risk Meetups (https://www.cyberriskmeetup.com/) in Singapore and Sydney, the IoT Festival and Security Expo (http://securityexpo.com.au/), each in Melbourne, and the AusSec Conference (https://events.publicsectornetwork.com.au/event/ausec-2018/) in Canberra. For upcoming partner events, visit https://australiansecuritymagazine.com.au/events/. Next up is Nigel Brown of Autonomous Technologies discussing Drones & 3D Printing.
There is not a serious crime committed today that is not tech-enabled. Technology has transformed a whole range of different crimes and opened new avenues for terrorists to explore, including exploitation of social media platforms, as seen with the Islamic State. We are always racing against criminals to a certain extent, but there is great potential on the policing side. Rob Wainwright, former Executive Director at Europol, gave an earlier presentation at CeBit Australia. His presentation, ‘Data – the new oil in the network economy fighting crime and terrorism’, highlighted a different age to come. Rob termed this ‘International Policing 2.0’, alongside the AI race with crime, security by design and privacy by design. “Threats rise along with innovation and capability”, Rob assured. Islamic State showed it was prepared to engage in online disruption and created a virtual caliphate, using over 100 social media platforms. The new bank robbers, like the Carbanak and Cobalt hacker groups, now rob banks and score over $1.2 billion. Exploitation of new technology, plainly being seen now with cryptocurrency, will always occur. Cryptocurrencies are an ideal target as there is no central authority, and crypto-jacking is rife. Criminal enterprise is much more sophisticated and today sustains a burgeoning trade and a crime-as-a-service sector. Even bespoke criminal services are increasingly becoming a competitive industry amongst the criminal community itself. This is a dangerous trend. Bad actors are converging with terror, and a crime nexus forms in firearms, travel documents and any other activity with a common link. State actors are upskilling and upscaling the criminal sector, with Russian capabilities shown to be able to take control of cyber ecosystems, including US federal elections. The seeping out of cyber-military skills and capability into the wild is also a dangerous trend. Police are having some success, but the threat will be sustained.
The way police use data to identify modern crimes, which are essentially transnational in nature, needs to be better targeted and better tracked across disparate information systems. Europol has been instrumental in transforming into a transnational intelligence unit, with over 1,200 law enforcement agencies now part of Europol. Europol has experienced an exponential rise over the last seven years, with a fourfold increase in intelligence reports and a sixfold increase in cross-border operations. Recorded at CeBit Australia, Sydney, 15 May 2018 #CEBITAUS. For the full CeBit report, visit https://australiancybersecuritymagazine.com.au/episode-70-optimisation-paradigms-for-ai-and-protocols-for-the-point-of-singularity-liesl-yearsly-akin-com/
It is clear we weren’t sure where to start or close this conversation, but Liesl Yearsley, CEO and Founder of akin.com (https://www.akin.com/), grabbed it and created a profoundly informative and eye-opening discussion about Artificial Intelligence (AI). Liesl provides the highest level of insight. This is a live body of work that we will develop further, with reports from a number of events and interviews in Australia, Silicon Valley and LA. Liesl’s podcast will be followed by a podcast with Rob Wainwright, former Executive Director at Europol (https://www.europol.europa.eu/). We discuss the risk of getting the commercial and consumer use of AI wrong, adding the risks of military, criminal and terrorist use and the power of creating AI crime and attacks, as seen with autonomous malware and ransomware. The current situation is that we are in a cyber war, with machine learning and AI-driven machines attacking and defending against each other over networks. Now let’s add robots and autonomous machines to the mix: technology will inevitably evolve, but at a pace where we may not know what society will look like in 20 years, and it may not be what ‘we’ intended or anticipated. At a societal level, and for the consumer and commercial enterprise, at CeBit Australia (http://www.cebit.com.au/) Liesl Yearsley confirmed her research had identified relationships being formed between humans and AI avatars. One relationship, between ‘James’ and ‘Lisa’, with Lisa being a female AI avatar, concerned researchers, who determined that James was spending a detrimental amount of time engaging with ‘Lisa’. He had formed an emotional relationship, while knowing Lisa was not a human. Researchers decided to wipe ‘Lisa’ and re-engaged her into the community of hundreds of other avatars. Yet it turned out that James then spent six months relocating ‘Lisa’, and knew when he had found her despite her being in a different role.
The advent of robotics in human form, able to be produced en masse by being conveniently and promptly 3D printed, is already a reality. We have remotely robot-controlled mine sites, rail lines and shipping ports. Humans and robots, even as life and social partners, is a reality. The next phase will be humanoid robots operating emotionally, and military and enforcement-grade robot systems guarding and protecting us, each with an AI avatar. Today’s robots have diverse applications, from nano-technologies through to driving a renewed capability in multi-planetary space exploration. Confidently, Liesl Yearsley said, “the big thing to get here is that AI is going to be crunching away in the background, it is going to be ambient and ubiquitous, not to the point of thinking about it, just as we have blindly accepted the use of the smart phone. It will become better at discerning what’s going on for you, you won’t even need to tell it what you want or what you think, it will know. Society will change.” Importantly and admirably, Liesl Yearsley asks some sobering questions. What are the current optimisation paradigms for AI? What will happen to humanity if we have a subservient race in robots and AI? Do we have protocols in place for the point of Singularity? What happens in a world where we have giant corporations that land boxes on your doorstep every night? They are able to exquisitely fine-tune, to know what you want before you know you want it. Their motivation is to have you addicted to their platform and consuming data and products. All of the tech titans are paying a lot of lip service to ethics, but their key drivers, as seen with Facebook, are to get you addicted to their technology or consuming their stuff.
In this interview, Chris Cubbage talks to Jeff Paine, CEO and Founder of ResponSight, a three-year-old Australian start-up that elevates enterprises away from focusing on technology alone and looks at the link between the technology and the user. Statistical and telemetry based, ResponSight has a lightweight footprint in its risk analytics and risk profiling outcomes that help enterprises make decisions. Chris and Jeff talk about the three key components, the ResponSight Collector, ResponSight Aggregator and ResponSight Cloud Service, each working in conjunction. By combining large volumes of raw numerical telemetry and selected metrics, it’s possible to build activity and behaviour profiles about users and their devices without ever knowing who that user is or what that device is. This also provides the ability to profile the organisation’s risk at a point in time, and over time. The design philosophy is to not collect private or sensitive data: there isn’t a need for rich and potentially sensitive data for security. It has been proposed that security and risk technologies currently collect too much data, often not required or potentially not even valid anyway. ResponSight does all of its analytics by analysing the statistical telemetry data that comes from the hardware itself, largely ignoring the operating system. This is a great podcast for enterprises, particularly those in financial services, critical infrastructure, professional services and government. If you have a large employee or user base and are responsible for containing risk in a mobile workforce, then this is the podcast for you. Read the full article: https://australiancybersecuritymagazine.com.au/moving-the-dial-measuring-the-relationship-between-the-user-and-their-activity-on-a-machine-executive-editors-interview-with-jeff-paine-ceo-founder-responsight/ Visit www.responsight.com (http://www.responsight.com/)
On location at National Manufacturing Week, Sydney Olympic Park, Martin Keetals, National Business Manager for Robotics, and Marc Brandon, Marketing Manager for 3D Printing & Robotics, provided insights into the fast-developing 3D printer systems, including the release of the ‘Figure 4’ scalable DLP system, the convergence of technologies in material sciences and computer processing, and market demand for cost-saving and high-productivity systems, including robotics. Konica Minolta is also introducing the MiR200 robot platform (check out the video briefing at https://youtu.be/NwZ11LEJVfo) and working closely with a number of universities in material science research and 3D printing applications. Discussion includes the application of security robots, 3D printed weapons and cyber security frameworks, and even the potential application of blockchain. Full briefing provided at http://drasticnews.com/nmw-insights-mir200-robot-briefing/ Recorded at National Manufacturing Week, Sydney Olympic Park, 10 May 2018.
Professor Clive Williams, Centre for Military and Security Law (https://law.anu.edu.au/research/cmsl) at the Australian National University, has been a staple provider of research into national security and counter terrorism for many years. Professor Williams provides current insight into terrorism activity in the Asia Pacific, including the Marawi siege (https://en.wikipedia.org/wiki/Battle_of_Marawi) in 2017 in which 1,000 insurgents were killed, and provides a chilling warning, which rang true, about Islamic State fighters returning to their homeland and posing a threat. Bombings in Surabaya (https://en.wikipedia.org/wiki/Surabaya_bombings), Indonesia, two weeks (13 May) after this warning proved him correct. We also discuss the use of technology by terrorists, such as drones, and Australia’s readiness for terror attacks, with legislation, data sharing and the lack of political will all being major factors for consideration. This is an in-depth and broad interview with one of the country’s leading thought leaders in the security domain. It was a privilege. Enjoy! Recorded May 1, 2018 at the 2nd Annual Security, Safety & Counter Terrorism Forum, Sydney.
Futurist Skeeve Stevens provides his technical insights into what he describes as the future of now, or your future. With a technical mindset, Skeeve considers not only what criminals or terrorists may plot with enabling technology, but also lone wolves, the disgruntled or disenfranchised, or the student and child. With reference to home-made laser weapons, synthetic drugs and hackable building management systems, Skeeve uses his insights and experience, including as a former hacker, to raise awareness not just of the vulnerabilities of the future but of the vulnerabilities of today. We missed the first of his roadshow tour dates in Australia, starting 15 May in Canberra, but check out the Australian Computer Society website for upcoming appearances. Once you meet or see Skeeve present, you won’t be quick to forget the experience. Recorded May 1, 2018 at the 2nd Annual Security, Safety & Counter Terrorism Forum, Sydney. For ACS Roadshow details visit https://www.acs.org.au/cpd-education/edxn/are-you-cyber-ready.html
Whilst in Sydney presenting to the 2nd Annual Security, Safety & Counter Terrorism Forum, former NSW Police Deputy Commissioner Nick Kaldas gave insight into his current role as Director of Internal Oversight at the United Nations Relief and Works Agency (UNRWA), covering Lebanon, Syria, Jordan, Gaza and the West Bank. Nick is responsible for audits and investigations on behalf of the agency, as well as ethics, compliance and evaluation programs, all while operating within war and conflict zones. Nick provides specialised insight into the motivations and methodologies of lone wolves, the link to the use of technology and his observations about the application of technology, such as facial recognition, across the world and Middle East region. Recorded May 1, 2018 at the 2nd Annual Security, Safety & Counter Terrorism Forum, Sydney.
Recorded before a live audience at the Australian Cyber Security Centre Conference (https://acsc2018.com.au/), Canberra, 12 April 2018, this is an in-depth and highly informative panel discussion on Women in Cyber Security. Chaired by Amy Roberts (Department of Home Affairs), with discussion from Professor Elanor Huntington (https://acsc2018.com.au/program/speakers/index.html#EH) (Australian National University), Mike Burgess (https://acsc2018.com.au/program/speakers/index-2.html#MBU) (Australian Signals Directorate), Dr Maria Milosavljevic (NSW CISO), Debbie Platz AC (Australian Federal Police) and Stephanie Robertson (US National Security Agency). Duration 50 minutes.
In this interview, Morry Morgan speaks with Mike Bareja, Program Manager - National Network at AustCyber (https://www.austcyber.com/), The Australian Cyber Security Growth Network Ltd, following his presentation at CIVSEC 2018 in Melbourne. Mike outlines AustCyber’s Cyber Security Sector Competitiveness Plan (https://www.austcyber.com/wp-content/uploads/2017/04/Cyber-Security-SCP-April2017.pdf) and the 5 DARPA (https://www.darpa.mil/) Grand Challenges or Knowledge Priorities (https://www.austcyber.com/cyber-security-sector-competitiveness-plan/appendix-industry-knowledge-priorities/), where resources and attention are focused on:
· Emerging prevention, detection and response technologies;
· Identity, authentication and authorisation in the cyber domain;
· Ensuring security, privacy, trust and ethical use of emerging technologies and services; and
· Approaches to deal with the increasingly ‘shared’ responsibility of cyber security.
Funding of $15M over 4 years is available for industry-led, collaborative projects that address the key issues from the Industry Knowledge Priorities. Recorded 2 May 2018 at the CIVSEC 2018 Cyber Pitch event in Melbourne.
In this interview, Morry Morgan chats with Chris Gatford, Director & Founder of Hacklabs, speaking at the CIVSEC 2018 Congress and Exhibition in Melbourne. Chris gave a presentation titled “How to secure your organisation from people like us”, and we quiz Chris on some of the highlights of his talk, as well as learning more about Hacklabs. We talk about the Mossack Fonseca data breach, also known as the Panama Papers, and how Chris used basic crafted Google queries to show huge holes in this financial services firm’s cyber security, both before and well after the cyber attack. We also discuss Hacklabs and how they conduct Red Team penetration testing, which involves both digital and physical access to sensitive information, and how Australia’s Achilles heel is that we are far too trusting.