GCHQ-developed phone security open to surveillance

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

The security protocol is used to encrypt Voice Over Internet Protocol (Voip) calls.
In a blog, University College London researcher Steven Murdoch said the encryption process was vulnerable.
GCHQ said it was “totally wrong” to suggest there was a “backdoor” into conversations.
Dr Murdoch did not say that the vulnerability would give direct access to conversations, but that it would make it possible to undermine the system’s security.
The network operator could listen in to calls, or authorise someone else to, and anyone who hacked the system would be able to eavesdrop, he said.

One of Dr Murdoch’s chief concerns was that the security standard has “key escrow” by design – meaning, for example, that a third party has access to data sent between two people in a conversation.

This, he said, is an example of a backdoor. In this case, it could allow an intelligence agency, or the organisation which is using the standard, to intercept phone calls, Dr Murdoch said.
“I think this comes from a conflict of interest within GCHQ in that they are there to prevent spying but they are also there to spy – so they facilitate spying,”
Dr Murdoch added that he was aware of two products which use the standard, both of which are government certified. “They could be in use inside government,” he said.

The protocol in question is known as Mikey-Sakke (Sakai-Kasahara key encryption in multimedia internet keying).

It works by generating encryption keys that are used to encrypt and decrypt voice conversations. Although it is technically possible to create these keys on two separate computers and only share part of those keys publicly, the Mikey-Sakke protocol does not do this.
Instead, keys are distributed by a third party to the conversation participants – the process known as key escrow – meaning that they are much more vulnerable to interception.
It was up to GCHQ, he said, to make the scope of the protocol clear.
“If you don’t explain how you’re going to use it, what systems it’s going to be used in, what the scope and limit of the escrow facility is, then you’re going to get bad publicity,” he said.
A spokesman for GCHQ said: “We do not recognise the claims made in this paper.
“The Mikey-Sakke protocol enables development of secure, scalable, enterprise grade products.”
In a statement, GCHQ added: “Organisations using Mikey-Sakke do not share a common Key Management Server, so it is totally wrong to suggest there is a secret master key or ‘backdoor’ that would allow GCHQ or any other third party to access real time or historic conversations.

The National Cyber Security Centre officially opens for business

The Queen officially opened the National Cyber Security Centre (NCSC) yesterday- the single, central body for cyber security at a national level.

The Queen officially opened the National Cyber Security Centre (NCSC) yesterdayThe NCSC is core to the government’s National Cyber Security Strategy, which was unveiled on 1 October 2016.

Staff in Victoria, central London, will be joined by experts from GCHQ and the private sector to help identify threats.

At the time, Chancellor of the Exchequer Philip Hammond said: “The new National Cyber Security Centre will provide a hub of world-class, user-friendly expertise for businesses and individuals, as well as rapid response to major incidents.”

Hammond said the government’s 2015 Strategic Defence and Security Review classified cyber as a Tier One threat to the UK, and outlined the actions the government needed to take to secure the country.

According to the National Cyber Security 2016-2021 report, NCSC’s role will be to manage national cyber incidents, provide an authoritative voice and centre of expertise on cyber security, and deliver tailored support and advice to government departments, the devolved administrations, regulators and businesses.

“The NCSC will analyse, detect and understand cyber threats, and will also provide its cyber security expertise to support the government’s efforts to foster innovation, support a thriving cyber security industry, and stimulate the development of cyber security skills,” the report said.

There were 188 cyber attacks classed by the NCSC as Category Two or Three during the last three months.

And even though the UK has not experienced a Category One attack – the highest level, an example of which would have been the theft of confidential details of millions of Americans from the Office of Personnel Management – there is no air of complacency at the NCSC’s new headquarters.

Ciaran Martin, the centre’s chief executive, said “We have had significant losses of personal data, significant intrusions by hostile state actors, significant reconnaissance against critical national infrastructure – and our job is to make sure we deal with it in the most effective way possible.”

As well as protecting against and responding to high-end attacks on government and business, the NCSC also aims to protect the economy and wider society.

The UK is one of the most digitally dependent economies, with the digital sector estimated to be worth over £118 billion per year – which means the country has much to lose.

It is not just a crippling cyber-attack on infrastructure that could turn out the lights which worries officials, but also a loss of confidence in the digital economy from consumers and businesses, as a result of criminals exploiting online vulnerabilities.

A sustained effort was required by government and private sector working together to make the UK the hardest possible target, officials say.

Russia has been the focus of recent concern, following claims it used cyber-attacks to interfere with the recent US presidential election.

“I think there has been a significant change in the Russian approach to cyber-attacks and the willingness to carry it out, and clearly that’s something we need to be prepared to deal with,” Mr Martin said.

National Cyber Security Centre (NCSC) launched today

The National Cyber Security Centre (NCSC) is officially launched and open for business today 4 October 2016.

The National Cyber Security Centre (NCSC) is officially launched and open for business today 4 October 2016.The government outlined what the NCSC would do, how it would work and who it would work for in May this year, but had not given a precise date for the official opening of the centre until now.

The NCSC will be led by CEO Ciaran Martin, formerly director general of government and industry cyber security at intelligence agency GCHQ, and the technical director will be Ian Levy, formerly technical director of cyber security at GCHQ.

The NCSC will be run from new offices in London as well as from offices near Cheltenham, Gloucestershire.

The primary goal of the NCSC is to simplify the complicated cyber security picture across government that made it difficult for organisations to know who to talk to.

It brings together all the key organisations under a single organisational umbrella to provide better support and bridge the gaps between government, industry and critical national infrastructure.

There were four main goals for the NCSC, which began preparatory work and conducted trials and pilot studies over the summer:

  • These are to reduce cyber security risk to the UK;
  • To respond effectively to cyber incidents and reduce the harm they cause to the UK;
  • To understand the cyber security environment, share knowledge and address systemic vulnerabilities and;
  • To build the UK’s cyber security capability, providing leadership on key national cyber security issues.

The NCSC has five areas of focus: engagement, strategy and communications, incident management, operations, and technical research and innovation.

In the next six months, the NCSC will test its strategic plan and refine it further based on feedback received.

NCSC- National Cyber Security Centre for cyber expertise

NCSC- the National Cyber Security Centre for cyber expertise review.

NCSC- the National Cyber Security Centre for cyber expertise review.Following on from the Cyber Security Force’s news post yesterday outline NCSC- the National Cyber Security Centre, the UK government plans to make the NCSC the centre of its expertise on what is happening in cyber space, combining the knowledge gathered from incidents and intelligence with that shared with industry, academia and international partners.

The NCSC will aim to use that knowledge to provide best practice advice and guidance and to tackle systemic vulnerabilities to enhance cyber security for all.

The NCSC will support the most critical organisations in the UK across government and the private sector to secure and defend their networks. This will include the provision of bespoke advice and guidance, help to design and test networks and exercise response arrangements.

When a serious cyber incident occurs, the NCSC will work with victims to minimise the damage, help with recovery and learn lessons to reduce the chance of recurrence and minimise future impact.

According to the prospectus, this help will include connecting victims with commercial companies that are recognised as being excellent at cyber incident response, and ensuring that the wider response of government and law enforcement is well co-ordinated.

In the case of very serious incidents, the NCSC’s response may include communicating publicly about consequences and the steps people and businesses should take to protect themselves.

The establishment of the NCSC will bring a new level of coherence and effectiveness to how government does cyber security. It seeks to partner with government agencies and departments, the devolved administrations, and the wider public and private sectors.

The NCSC will also work in close partnership with law enforcement to support their efforts to tackle cyber crime, and with the UK’s security and intelligence agencies and the Ministry of Defence to identify and counter the full range of threats in cyber space.

The NCSC will support the government’s wider security and prosperity agenda by engaging with international partners on incident handling, situational awareness, building technical capabilities and capacity and contributing to broader cyber security discussions.

For organisations that have their own networks, the NCSC will run the Cyber Security Information Sharing Partnership (CiSP). This is aimed at enabling organisations to share information with each other and the NCSC about what they are seeing on their networks, and provide a forum for discussion from beginner through to expert level.

The NCSC will produce tailored advice and guidance to identified sectors and proactively work with companies on this. However, it will initially focus on sectors which form the critical national infrastructure and those of strategic or significant economic importance or tied to the delivery of key public services.

The NCSC will not offer an enquiries line for the general public and Action Fraud will continue to be the first port of call for victims to report suspected cyber crime.

However, when there is a significant cyber incident affecting the UK, the NCSC will have the leading role for government in communicating to the public, to provide reassurance and guidance on what individuals and organisations can do to better protect themselves.

The NCSC’s specialist teams will work with the Ministry of Defence – and other users of very secure communications – to ensure that operational needs are met. It will also ensure the capabilities needed to operate both independently and with the UK’s allies are available in the future.

The NCSC will work with the cyber security industry to help ensure organisations of all kinds can find cyber security products and services that are high quality and meet their needs.

UK gov’s plans for National Cyber Security Centre

The UK government has outlined what the National Cyber Security Centre (NCSC) will do, how it will work and who it will work for.

The UK government has outlined what the National Cyber Security Centre (NCSC) will do, how it will work and who it will work for.The NCSC is set to open in October 2016 and will be based in London. The NCSC will be led by CEO Ciaran Martin, formerly director general of government and industry cyber security at intelligence agency GCHQ. The technical director for the NCSC will be Ian Levy, formerly technical director of cyber security at GCHQ.

Chancellor George Osborne announced the NCSC in November 2015 as part of the government’s National Cyber Security strategy for the next five years, supported with £1.9 billion funding.

The NCSC is at the heart of that strategy and will be the “bridge” between industry and government, said Matthew Hancock, minister for the Cabinet Office.

It will simplify the “current complex structures, providing a unified source of advice and support, including on managing incidents. It will be a single point of contact for the private and public sectors alike,” he wrote in foreward to the prospectus for the NCSC.

Hancock said it is “vital” that the NSCS works with industry from the very start, and called on UK businesses to give feedback on the centre’s proposed design.

NCSC CEO Ciaran Martin invited UK industry to engage with his team about what they would like to get out of working with the NCSC.

“The government has set out its intent to address the cyber threat, to put tough and innovative approaches in place, and to be a world leader in cyber security.”

“The National Cyber Security Centre will be at the heart of this approach, bringing together the capabilities already developed by CESG – the information security arm of GCHQ, the Centre for the Protection of National Infrastructure, Cert-UK and the Centre for Cyber Assessment.

“This will allow us to build on the best of what we already have, while significantly simplifying the current arrangements,” he said.

According to the prospectus, the NCSC will have four key objectives:

  • To understand the cyber security environment, share knowledge, and use that expertise to identify and address systemic vulnerabilities.
  • To reduce risks to the UK by working with public and private sector organisations to improve their cyber security.
  • To respond to cyber security incidents to reduce the harm they cause to the UK.
  • To nurture and grow national cyber security capability, and provide leadership on critical national cyber security issues.

Cyber Security Force will detail more information on the NCSC in our next news post.