Name: Fox Files, DataDiode, InTell
Text: NR 1 MARCH 2013
The Hypocrisy of Ethical Hacking
It seems such an interesting idea: 'ethical' hackers who guard
our vulnerable databases containing privacy-sensitive data.
Surely there is no objection to that?
The Netherlands' so-called 'Lektober' (literally, leaky October) in
2011 witnessed a number of incidents and demonstrated that data
security needs to be improved in our country. It was a wake-up call.
After that, Robin Hood stories about hacks moved from tech news
to the front pages.
Fortunately the appreciation for ethical hackers has grown.
However, they still run the risk of being prosecuted. Even if a
hacker himself believes he is engaged in ethical work, the affected
companies and the law often hold a different view.
Two issues recently hit the headlines. At two medical institutions
in the Netherlands, the 'Groene Hart' hospital and 'Diagnostiek
voor U', patient details became accessible to hackers, who sought
publicity through the media. In both instances the Public Prosecutor
opted to institute legal proceedings. At first glance, this
appears to turn the world upside down: if someone made a mistake
here, then surely it was the organizations which were negligent in
safeguarding the details of their clients?
There is certainly something to be said for that. But on closer
examination the hackers appear to be less ethical than thought. In the
case of the hospital, the hacker went straight to the media rather
than to the hospital itself. Ethical hackers raised a number of
questions about the time between discovery and notification, the means
used and the volume of data which was stolen. At 'Diagnostiek voor
U', Dutch MP Henk Krol broke into an Electronic Health Record
using a stolen password. He looked up friends in the database,
and soon after notifying the organization he approached the media.
I learned the significant reasons for prosecution from the public
gallery of the court, not from the otherwise well-informed media.
The media's pillorying of companies which have fallen victim to
hacking, without any reasonable discussion about the ethics of the
hacker, misses the point. It is time for all of us to take a good hard
look in the mirror. And there, alongside the ethics of hackers and
companies, are also the ethics of the media.
Ronald Prins, CEO FOX-IT
PO Box 638
2600 AP Delft
+31 (0)15 284 79 99
marketing@fox-it.com
Concept and design
Interviews and articles
Full Circle Communications
Register on fox-it.com
India approves DataDiode
The Fox DataDiode has met India's highest security
standards. Governmental authorities can now deploy
the product in India to protect their high-security
networks and critical infrastructures.
Mobile Digital Tracks
Investigators in the Netherlands have equipped
a police van with Tracks Inspector. This way, the police
can conduct digital tracks investigation directly at the
Actionable Intelligence
If an enterprise's Information Security team is unaware
of a new cyber threat, they cannot defend against it.
Fox InTELL helps companies to protect their customers
CCO alongside the CEO
Ad Scheepbouwer, the former CEO of TNT and KPN,
has joined FOX-IT. He suggests introducing a new
specialist to the boardroom of major organizations:
the Chief Cybersecurity Officer.
A selection of products and services FOX-IT offers
internationally.
Short news about Red October on mobiles, FOX-IT's
detection of the NBC.com hack, the FOX-IT Digital
Forensics Academy and upcoming trainings and events.
WORKING WITH TRACKS INSPECTOR
The Specialist Investigation Vehicle (SIV) also incorporates
Fox-IT's Tracks Inspector, software with which tactical
investigators can read digital evidence material relatively
easily. With Tracks Inspector the tactical investigator has
direct access to the digital information and can apply
relevant findings immediately in the investigation at the
crime scene. Cooperation with the Specialist Investigation Vehicle in Twente thus also appeared to be a good
combination. Tracks Inspector is user-friendly, intuitive
and runs in a web browser. This is exactly what the tactical
investigator needs to be able to conduct digital investigation easily himself
If an enterprise's information security team doesn't know about a
new cyber threat, they can't defend against it. Fox InTELL provides
a way to see into the dark underworld of cybercrime so companies
can protect their customers and their brands from cybercriminals'
pending exploits and targeted attacks.
Underlying FOX-IT's network security and breach mitigation services
is expert cyber intelligence. It's ingrained in so many things that
the company does, offering Fox InTELL as a standalone product
first in Europe and now in the U.S. was inevitable.
For years, FOX-IT has grown a world-class organization to continually
gather, process and leverage actionable intelligence, both to
fulfill client-specific requests and to innovate new products and
services. In addition to its own Internet monitoring, Fox today
works with a network of partners doing their own monitoring
as well as intelligence, security and law enforcement agencies
Through Fox InTELL, the information gathered by FOX-IT internally and from across the cyber intelligence community is made available to any enterprise on a subscription basis. The value to subscribers' information security (InfoSec) teams is an early warning of emerging threats and even pending attacks targeting their organization. With Fox InTELL, financial institutions, e-tailers and other high-profile enterprises can dramatically improve their cyber intelligence position, which enables situational awareness, deploying better security controls, and making more informed risk decisions to protect their customers and their brand online.
SKILL SETS THAT AREN'T TAUGHT IN SCHOOLS
Long before governments began hiring hackers to strengthen their cyber security defenses, FOX-IT had already pioneered the concept. In their younger years, many Fox InTELL experts were already demonstrating their computer savvy and out-of-the-box thinking.
is one of the few places in the world where they could channel their unguided curiosities and talents into productive careers that protect society today. For them, fighting cybercrime is not just a job but a lifelong passion.
There is no formal classroom for their skill sets, only years of computer time exploring code and researching exploits and intrusions. As the use of viruses, worms, Trojans and botnets grew, so did their expertise. At FOX-IT, their job is to infiltrate the underworld of cybercrime for surveillance, reconnaissance, counterintelligence and pre-emptive threat mitigation. 'To work here is an enormous rush,' says a Fox InTELL operative. 'We monitor so much of the dark corners of the Internet, I learn so much that almost no one
PORTAL-BASED ACCESS TO CLIENT-SPECIFIC PROTECTION
Fox InTELL is delivered to subscribers through a secure web portal accessible from any web-capable device. Quarterly reports cover the most relevant threats and underworld trends over the last three month period. When Fox InTELL reveals an urgent threat, alerts are issued via email and RSS feed, as well as an ad hoc report via the portal to each affected client with specific information for their organization. Subscribers can follow threat evolution in real time through the portal, instead of receiving lengthy reports with delay.
For brand protection, Fox InTELL scours the Internet with its unique client-specific threat monitoring and tracking feature. Fox InTELL analysts scour the Internet looking for any appearance of the client's brand in malware configurations, command and control infrastructures, spamming emails and underworld forums. Confirmed threats are followed to see if and how they develop, while Fox InTELL's cybercrime and security experts stand ready to assist the client with appropriate countermeasures.
KNOW YOUR ENEMY
Countries cannot properly defend themselves without intelligence, whether it's conventional or cyber warfare. Neither can enterprises in today's world. Fox InTELL gives InfoSec teams the precise intelligence they need to properly defend against threats that they otherwise could not see coming.
Fox InTELL is designed to meet each client's precise threat protection needs. Features include:
- Access to the Fox InTELL Portal
- Quarterly reports on malware and underworld developments
- A knowledgebase for ad hoc searches into information about past and ongoing threats
- Alerts and ad hoc reports for clients susceptible to a specific threat detected
- Client-specific threat monitoring and tracking
- Portal collaboration, where subscribers can share information with peers
- Access to real-time threat evolution monitoring
PORTAL-BASED COLLABORATION INCREASES PROTECTIVE AGILITY
The Fox InTELL portal includes a Collaboration area, which has proven to be an important feature for client interactions with each other as well as with Fox InTELL experts. Community discussions on new threats and countermeasures raise questions and provide answers on issues faster than intelligence reports can be generated. A Fox InTELL subscriber could well be experiencing or has experienced an identical situation and post valuable information before anyone else.
To do their job well - the way they think the job needs to be
done - Fox InTELL experts design their own stuff, such as:
- Fully automated tools to initially process the copious
amounts of raw and semi-processed intelligence collected
from internal and external sources
- Malware recovery tools to reverse-engineer threats and
devise mitigation solutions
- Modus Operandi Engines to automatically filter all the
false positives that choke a company's SIEM strategy
Innovations such as FOX-IT's DetACT for Online Banking
service to stop online fraud before real damage is done and
FoxCERT to rapidly mitigate data breaches and conduct
follow-on digital investigations spring from applying the
ingenuity of Fox InTELL experts to real-world problems.
All of the above intelligence is organized within the portal
for quick subscriber access to specific information of interest. Areas dedicated to the Knowledgebase, ongoing Live
Incidents (anonymized), and Collaboration serve all subscribers. Each subscribing organization also has their own
client-specific space, where confidential information can be
exchanged between the client and Fox InTELL experts.
Fox InTELL delivers intelligence according to the needs of
each cybersecurity stakeholder - from C-level management
summaries to the raw data. InfoSec teams with the interest,
time and resources can perform their own analysis, compare
their findings with Fox InTELL results and even discuss
methods of analysis and data interpretations with a
Fox InTELL analyst.
If an actual attack is so new and unique that the threat
evaded the world of cyber intelligence, Fox InTELL includes
malware recovery from clients to reverse-engineer it. This
feature not only speeds incident mitigation and prevents a
recurrence for the affected client, but helps to protect other
Fox InTELL subscribers from the same threat. In addition to
all of the above, FOX-IT with FoxCERT provides the expertise
to assist with mitigation and forensic investigation.
OPINION
Vacant: the CCO position
Ad Scheepbouwer joined FOX-IT in October 2012 as a member
of the board and as a shareholder. With his experience in the
boardrooms of major exchange-listed companies, he is unrivalled in knowing just how the rabbits run there. Now it is time
that sly foxes enter the boardrooms, he proposes, turning their
eyes and their thoughts to cybersecurity. Where are the Chief
It used to be said of generals that they were always busy with the
previous war. You certainly can't say that about the cybersoldiers who
protect our computer networks. It is in fact their ambition to always
be a step ahead of the hackers. How might they be able to infiltrate
our systems? That is the question constantly on the minds of crimefighters, which is why they sense trouble when others still believe
that everything is just hunky-dory. Distrust is second nature to them.
Of course that is not the attitude with which most of us approach our work. I do not think a little distrust is a bad thing, and at certain times I prefer knowing for sure to trusting. Nevertheless: in my career I have particularly had to call on the latter. As someone in charge you must ultimately be able to count on the people around you: the employees, the partners and so on. I would be seriously mistaken if my fellow board members do not share that approach to the (corporate) life. To the extent that I have been able to sense the atmosphere in the boardrooms of Corporate Netherlands, it is one of trust.
You simply need to be able to assume that many things are correctly organized. So if people turn up with wild tales of cybercrime, about Mafia leaders preparing attacks from Ukraine, viruses which spread themselves rapidly and hard-disks which have become infected in China, initially the temptation is to take it all with a pinch
By now many managers have realized that a hack could have dramatic consequences. However they still cannot imagine that they might also be targets. 'That won't happen to us - what are the odds?' That is probably a very normal or even natural reflex, but it is not the right reaction. An essentially correct but at the same time fatalistic thought may limp along just behind that: 'A hundred percent secure really isn't feasible, is it? So therefore ...'
And so cybersecurity is not given the attention it deserves, while the risks become greater and more plentiful thanks to the continuing growth of Internet traffic and the increasingly intensive use of mobile devices such as tablets and smartphones. We can do more with the Internet year by year, but that also makes us increasingly vulnerable. And so, for the time being, there appears to be no end in sight for the series of incidents we have recently experienced in the Netherlands: the malware on the major news portal nu.nl, the Diginotar hack, the hack of Dutch telecom provider KPN, the DDoS attacks on the websites of MasterCard and the Public Prosecutor, the Dorifel virus, etc.
THE COMPANY'S RESPONSIBILITY
The government is not aloof from all this. At the end of last year the Dutch Lower House discussed the National Cyber Security Policy extensively and with considerable knowledge of the issues. During the debate the possibility of a 'digital fire-brigade' expressed by colleague Ronald Prins was also considered. However Minister Opstelten misses no opportunity to point out that cybersecurity is in fact the responsibility of organizations and companies. 'The government is not going to take this over from them.' So companies cannot evade it: they must take on the responsibil-
TIME FOR A CCO
Right now many undertakings have accommodated the security issue somewhere within the company. For example with officials with years of experience with the police or justice systems. I believe it is important to strengthen this as soon as possible with specialists in (fighting) cybercrime. This also introduces the necessity of more focused guidance. Should cybersecurity not be at the very top of the CIO agenda? Should it not perhaps even be desirable to expand the management or the board of directors by one member? In addition to the CEO, CFO and CTO should there not also be a position for a CCO, the Chief Cybersecurity Officer? He or she could then ensure that security is high on the management agenda, and that it stays there until further notice!
It might be expected of this CCO that initially, he makes smart choices on the storage of data: the personal details (of employees and clients) and the critical company data (such as sensitive documents or intellectual property like AutoCAD drawings of innovative products). He or she will guide the IT department, but that is just one component of the job description. That is because a cybersecurity policy encompasses so much more. For instance, the CCO would also bear responsibility for awareness among employees, because if they simply use the Internet unsuspectingly and do not pay any attention to risks like phishing, then that is just mopping up with an open tap.
A policy area which should also not escape his or her attention is purchasing policy. Many parties are involved in this, both internally (IT department, purchasing, marketing, sales, etc.) and externally (among others suppliers, independent consultants and experts). In an uncoordinated and impulsive purchasing policy, IT security becomes Swiss cheese. That is why it is up to the CCO to get all these interested parties along the same line and to drive the discussion. He or she needs to create the conditions in which the input of all parties can be taken into account without losing a grip on security.
In the same way that other board members monitor the price trends and sales performance of the business units, the new board member can also keep track of all the information on IT security inside and outside the company. For instance, he will have the opportunity to keep raising the security policy - or to put it better, the crisis prevention policy - to a steadily higher level.
Anyone opting to do nothing will certainly have their turn. An ancient principle is in fact more current than ever: those who want peace must prepare for war. Companies which embrace that motto can save themselves and their environment a lot of mischief. And indeed: in a timely manner they will draft in the help of the
were appointed distrustfully because of their work, but who in fact deserve trust precisely because of it.
Ad Scheepbouwer, CEO Fox-IT
Fox-IT prevents, solves and mitigates the most serious threats as a result of cyber-attacks, fraud and data breaches with innovative solutions for government, defense, law enforcement, critical infrastructure, banking, and commercial enterprise clients worldwide. Our approach combines human intelligence and technology into innovative solutions that ensure a more secure society. We develop custom and packaged solutions that maintain the security of sensitive government systems, protect industrial control networks, defend online banking systems, and secure highly confidential data and networks.
... and focus on sectors where security is essential,
working with partners worldwide.
MARKET
DetACT prevents fraud by stopping malware, phishing and hybrid
attacks on online channels. Offering real-time detection of
passively monitored payment streams, it empowers Infosec
teams with behavior analytics on the navigation layer, featuring
unique history profiling and anomaly detection. The combination
of transparent client side detection tooling and world-class cyber
intelligence results in an exceptionally high detection accuracy.
It's scalable, and implementation affects neither the customer
experience nor the enterprise architecture.
The volume and importance of digital information is on the rise in criminal investigations. Detectives must depend on specialists unfamiliar with their cases, to process digital information. This causes delays since there is a lack of digital forensics specialists and labs to support caseloads. Tracks Inspector offers an intuitive, web-based, collaborative and scalable solution that puts digital investigations into the hands of detectives.
During a cybersecurity emergency, FoxCERT enables you to act quickly, decisively and correctly. FoxCERT provides immediate assessment and consultation, an emergency response team onsite, collaborative action aligned with your incident resolution objectives, access to Fox-IT cybercrime and digital investigation resources, assistance with PR, crisis management and law enforcement. FoxCERT is on-call 24/7 at +31 15 284 79 99.
The Fox DataDiode is a unidirectional hardware device, used at the boundary of two networks. It allows data to travel - in real time - only in one direction. To protect sensitive/classified data, information is passed from a lower to a higher security network, but not vice versa. To protect critical infrastructure, information can be pushed from a trusted Industrial Control System (ICS) to an external network, while the facility remains digitally inaccessible. It's highly certified, among others CC EAL7+ and NATO Secret.
If an InfoSec team doesn't know about a new cyber threat, they can't defend against it. Fox InTELL tracks and analyzes cyber threats and potential attacks in real-time as they are planned within the cybercrime underworld. Fox InTELL's portal-based service improves an enterprise's cyber intelligence position, which enables better situational awareness, security controls and risk decisions to protect their customers and their brand online. Collaboration and real-time threat tracking give Infosec teams
RED OCTOBER ON SMARTPHONES
In January, Kaspersky Lab published its discovery of
the cyber-espionage malware virus Red October
(Rocra). The attacks focused on embassies and
scientific research organizations. Over the course
of five years, information got stolen and networks
explored by using a combination of Chinese exploits
and Russian malware components. Through infected
computers, Red October spread to smartphones,
using Blackberry and Android operating systems.
Fox InTELL did research on command and control
servers and located infected smartphones across
America, Africa, Asia and Europe.
DIGITAL FORENSICS ACADEMY
In digital forensic investigations, the volume and complexity of data to be examined is increasing. Globally, governmental and private organizations are struggling to find enough qualified digital forensic experts to keep up with the demand. Digital forensics is a field of rapid developments, keeping up is the challenge.
these issues and can help with a complete six-week Digital Forensics Academy. This way, organizations get their less experienced staff quickly up to speed and help the experienced staff to keep up to date. More information? See www.fox-it.com
23 Apr 2013 - InfoSecurity Europe 2013, London, UK
24 Apr 2013 - Expert Meeting: Using intelligence to keep ahead of online banking threats,
24 Apr 2013 - Forensics Europe Expo, London, UK
01 May 2013 - eCrime Congress, Dubai, UAE
19 May 2013 - CEIC, Orlando, FL, USA
28 May 2013 - AFCEA Technet International, Warsaw, PL
05 Jun 2013 - eCrime France, Paris, FR
31 Jul 2013 - OHM2013, Geestmerambacht, NL
INVESTIGATIONS ON THE INTERNET - THE BASICS
It sounds simpler than it is: investigating on the Internet. Participants in this four-day training course learn the basics of Internet Technology and a variety of methods for searching online. Many professionals, ranging from tactical detectives to information desk staff, have completed this basic training course and successfully apply their skills at work. Our trainers make the difference: they are ethical hackers and specialists in the field of digital forensics and IT security, with a teaching background. Visit fox-it.com for more information or mail firstname.lastname@example.org
FOX-IT FIRST TO DETECT NBC.COM HACK
The Fox-IT Security Operations Centre (SOC) was the first to discover that the NBC.com website was spreading Citadel malware on February 21. NBC was informed immediately and mitigated the hack of the web server and stopped the drive-by download attack. A malicious iframe pointed to the exploit kit 'Red Kit', which abused known Java and Adobe vulnerabilities to infect visitors' computers with a version of the Citadel Trojan. The malware is configured for stealing money from the user's accounts by manipulating online banking sessions with a number of American banks.
Document Path: ["651-fox-it-newsletter-fox-files-datadiode-intell.pdf"]