Tuesday 24 November 2009, 5:23 PM
Symantec website breached
Security company Symantec has said that one of its websites was successfully breached.
Romanian security researcher 'Unu' posted details of the breach in a blog post on Monday.
Unu claimed to have cracked the Symantec server using a blind SQL injection attack, and to have accessed customer information and passwords.
Symantec on Tuesday confirmed the crack.
"A SQL injection vulnerability was identified at pcd.symantec.com," said the company in a statement. "Symantec has remediated the website vulnerability, resulting in little to no customer impact. The website facilitates customer support for users of Symantec's Norton-branded products in Japan and South Korea only. This incident did not affect Symantec customers anywhere else in the world. The incident pertained only to customer support in Japan and South Korea and did not affect the safety and usage of Symantec's Norton-branded consumer products at all. Symantec is still investigating the incident has no further details to share at this time."
Monday 23 November 2009, 1:15 PM
Campaigners criticise '£10bn NHS IT overspend'
The National Health Service's flagship IT project has been criticised by a tax campaign group for running billions of pounds over budget.
The NHS National Programme for IT (NPfIT) has overspent by £10.4bn, the Taxpayers' Alliance said in a statement on Friday.
"These [government] projects are so poorly planned at the outset," Taxpayers' Alliance policy analyst John O'Connell told ZDNet UK on Friday. "NPfIT costs have spiralled out of control."
O'Connell said that the original government costing for NPfIT had been £2.3bn, but that this figure subsequently ballooned to over £12.5bn in 2008.
A spokesperson for Connecting for Health, which administrates NPfIT, told ZDNet UK on Friday that the £2.3bn figure had originally been put forward in 2002 as projected costs over three years.
The spokesperson added that the Taxpayers' Alliance had been "incorrect to pull that figure of £2.3bn out and say that was the projected cost of the entire programme."
However, when NPfIT was first started in 2002, ZDNet UK has found there were no public projected cost figures for the programme.
The Connecting for Health spokesperson told ZDNet UK on Friday that £2.3bn over three years was first put forward in the Comprehensive Spending Review (CSR) for 2002. This is not correct. CSR 2002 makes no mention of this figure.
When challenged by ZDNet UK to give documentary evidence that the £2.3bn figure was for three years, the spokesperson pointed to a document from February 2004. Aside from being two years after NPfIT started, this document, New NHS IT, states that the £2.3bn was over the first three years, but makes no reference to any government documents from 2002, apart from the 2002 Wanless report, which recommended a doubling of NHS IT funding at the time.
E-Health Insider reported in January 2003 that the £2.3bn was for the first three years of the project, calling the news "long-awaited official confirmation" of the figure.
Friday 20 November 2009, 5:12 PM
Climate research centre compromised
One of the UK's leading climate change research centres has had a security breach.
The Climate Research Unit at the University of East Anglia (UEA) suffered a compromise of information, a UEA spokesperson said on Friday.
"We are aware that information from a server used for research information in one area of the university has been made available on public websites," said the spokesperson in a statement. "Because of the volume of this information we cannot currently confirm that all of this material is genuine."
"This information has been obtained and published without our permission and we took immediate action to remove the server in question from operation," the spokesperson continued.
"We are undertaking a thorough internal investigation and we have involved the police in this enquiry."
At the time of writing, the UEA spokesperson declined to comment further. It was unclear whether the breach was internal or external.
Professor Phil Jones, who is involved with climate research at the facility, was not available for comment at the time of writing.
Sophos senior technology consultant Graham Cluley blogged on Friday that details of over 1000 emails and 3800 documents were leaked onto a Russian FTP server:
"A 61MB zip file containing information stolen from one of the world's leading climate research centres, was posted onto an anonymous FTP server in Russia, accompanied by a note saying:
'We feel that climate science is, in the current situation, too important to be kept under wraps'," wrote Cluley.
Wednesday 18 November 2009, 5:39 PM
Government web-monitoring plans on hold
Government plans to compel ISPs to process and store details of all web communications have been put on hold until after the next election.
The Home Office told ZDNet UK on Wednesday that the plans, called both the Interception Modernisation Programme [IMP] and Mastering the Internet, would very likely not be put into law until after the next general election in May 2010.
"It would be fair to say that [IMP] is not in the legislative programme for this session," said a Home Office spokesperson.
ZDNet UK approached the Home Office following the Queen's Speech at the official opening of parliament on Wednesday.
The speech, which is written by the incumbent government, made no mention of plans to bring forward IMP provisions in legislation.
The plans would see Facebook, IM and gaming communications monitored, and the information made available to public authorities. Email and telephone records would also be made more available to public authorities, including local government. This data sharing would be enabled by amendments to the Regulation of Investigatory Powers Act.
The Conservatives may win the next election. The Conservative Party was unable to respond to a request for comment on whether it planned to continue with IMP at the time of writing.
Wednesday 11 November 2009, 5:23 PM
DNA details of innocent will be kept for six years
The government has announced that it plans to keep innocent people's DNA details for up to six years.
In response to a consultation it launched last December, the government said in a statement on Wednesday that it would "remove the DNA profiles of all adults arrested but not charged or convicted of any recordable offence after six years".
However, the Times reported on Wednesday that terrorism suspects could still have their DNA retained indefinitely.
A Home Office spokesperson told ZDNet UK on Wednesday that people's DNA deemed to be of "national interest" will be stored for longer than six years. That retention will be reviewed every two years by a senior police officer.
The government was forced to rethink its policy on DNA retention following the outcome of a test case last year. The European Court of Human Rights (ECHR) ruled in December that two people, Michael Marper, and a person identified as 'S', had their rights infringed by the UK government indefinitely storing their DNA.
At the time, legal site Out-Law.com reported that ECHR had not offered guidance as to how the UK government could comply with human rights law with respect to DNA.


