Tom Espiner

Security Bullet In

Communiques from the security front, sir

Tuesday 20 May 2008, 2:05 PM

Privacy International director launches 80/20

Posted by Tom Espiner

Simon Davies, who has been involved with campaigning on privacy issues for a number of years, is launching a privacy consultancy firm called 80/20. Half of all profits will be donated to overseas civil liberties causes.

Davies, who is also a visiting fellow at the London School of Economics, is trying a new tack to raise the profile of privacy issues. Instead of berating companies whose practices he believes are suspect, Davies will work with them to sort through problems.

"I've been fighting privacy issues for 20 years, and the idea of 80/20 has been gestating for 10 years," Davies told me on Monday. "Instead of the usual polemic around privacy, this is an attempt at direct engagement."

80/20, a company Davies will head, will sell services including privacy impact assessments of new technologies that companies are planning to implement, and privacy training. "This is a way to focus assistance on companies who want to find solutions," said Davies.

However, Davies said he would have "no qualms about affecting the share price of companies" if he thought they were doing the wrong thing. "Constant war is draining, we have to find other solutions," said Davies. "But if companies don't respond and don't care about privacy issues they're going to have to accept a slapping in the press."

80/20 will be involved in a working group to examine how to achieve "a legally acceptable means of establishing consumer consent for online services such as search engines." Companies involved in the working group include BT, AOL, Microsoft, and Facebook.


Wednesday 14 May 2008, 5:31 PM

Tomorrow is National Working from Home Day

Posted by Tom Espiner

As a journalist, my heart drops when I start receiving press releases about any sort of "Day". This is because the majority of "Days" are Public Relations (PR) exercises dreamed up by clever PR agencies to promote their clients' agendas. I have no problem with that, as long as people recognise that the media they are consuming that is PR generated is mostly advertorial as opposed to editorial.

However, tomorrow's "Day" du jour (geddit?) is "National Working from Home Day", and is being busily promoted by its organisers, Workwise UK. OK, some PRs -- and I don't blame them, good opportunity -- have jumped on the bandwagon and are promoting their clients' interests, but Workwise UK itself doesn't seem to have any ulterior motives.

Some Workwise UK members, such as BT, may obviously benefit from an increase in people working from home (or 'WFH' as it's known at CNET, not to be confused with 'WTF'). However, the majority of members -- Transport for London, the Confederation of British Industry, the Trades Union Congress, the British Chambers of Commerce, the Equality and Human Rights Commission -- do not obviously directly benefit commercially.

I rang up Adam Legresly, who is head of operations for Workwise UK, to find out what all the noise was about.

"We're trying to raise awareness of the benefits of working from home," said Legresly. "We're not promoting shirking of responsibility, it's all to do with business benefits. In the BT Centre they have 4000 staff working in a building that's designed to hold 2000 people -- they're sweating their assets."

I assumed this was due to half of the BT staff at any one time working remotely, rather than them literally being crammed in like sardines, or prisoners in an overcrowded jail, 'sweating their assets'.

"You can bring in the disabled, single working parents -- it's a way of seizing on talent," said Legresly. "Small organisations might especially consider savings that can be made on health and safety requirements, commuting time is cut down, and there's a reduction in CO2 emissions."

I asked Legresly whether he was working from home, which he confirmed.

"I am working from home at the moment," he said. "And I'll be working from home tomorrow. Everybody at the organisations works from home some of the time, otherwise it would be a bit hypocritical."

So, I'd like to know readers' opinions. Does WFH make you or your boss go WTF? Or are you in favour? And will you be working from home tomorrow?


Monday 12 May 2008, 3:36 PM

DWP downplays security breach

Posted by Tom Espiner

The Department for Work and Pensions (DWP) has admitted that some of its staff have been forwarding passwords with password protected material.

An email that was leaked on the 'Dizzy Thinks' blog on Thursday from DWP said:

"I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07. However, once the data and the separate password are received, staff are then forwarding the data and password on together, this defeats the purpose of the security measure entirely.

Could I ask you to remind staff of the heightened security surrounding data transfer and ensure that data and passwords are sent separately."

DWP kind of admitted that security procedures had been breached in an email statement they sent to me:

"We take the security of individuals’ data extremely seriously. We have carried out a major review of procedures around the transfer of data to ensure the security of customer information. We expect all managers to monitor the application of our security controls and ensure that the correct action is taken in all cases."

When I rang up to get some clarification, a DWP spokesperson downplayed the blog post, telling me that the leaked memo was a standard email to remind staff of security procedures, and that it wasn't in response to a large security incident.

When I asked whether there had actually been an incident, I was told there may have been a couple of isolated incidents at local level.

I pointed out that even one incident is enough to disclose large amounts of personal information, and the spokesperson said that DWP was making sure that the security of individual data was being taken seriously.

Honestly, even if the government has the best will in the world, it simply is unfeasible to expect buy-in not only across Whitehall, but at local level too, for all of the security procedures that would be needed to keep citizen data safe. As there is more government data sharing, there will be more data breaches and leaks, it's as simple as that.


Tuesday 6 May 2008, 4:17 PM

Google sponsors open source security project

Posted by Tom Espiner

Google has announced it is to sponsor oCERT, an open source computer emergency response team.

In a blog post on Monday, Google security engineer Will Drewry said that one of the problems with open source security was getting fixes out quickly to everybody using a particular piece of open source software.

"It has been unclear how to best resolve this issue. There is no centralized security authority for open source projects, and operating system distribution publishers are the best bet for getting updates to the highest number of users," wrote Drewry. "Even if users can get updates in this manner, how should a security researcher contact a particular project's author? If there's a potential, security-related issue, who can help evaluate the risk for a project? What resources are there for projects that have been compromised, but have no operational security background?"

So, Google will donate some sponsorship to the oCERT project, to try to address some of these issues.

It's a shame Drewry declined to wade into the long-running debate about which is more secure, open source, or proprietary software.


Tuesday 6 May 2008, 12:38 PM

Indian officials accuse China of cyber attacks

Posted by Tom Espiner

China is actively engaged in mapping India's computer networks, according to the Times of India.

China is mounting "almost daily" attacks against Indian Government computer systems, including scanning networks for possible vulnerabilities to exploit in the event of conflict, said the TOI. According to the article, over the last two months China has attacked the Indian National Informatics Centre, and the Ministry of External Affairs.

The Chinese are also compromising Indian computers to create botnets for possible future DDoS attacks, and installing keyloggers for espionage purposes, the article claimed.

While this wouldn't surprise me, it also wouldn't surprise me if all major countries with sophisticated IT infrastructures were doing the same thing. I've talked to UK politicians before who have told me, in a head scratching way, that a scan of their computers (it was by guys from Trend Micro) revealed that there were over 30 pieces of malware installed, including keyloggers, on their computers in the Houses of Parliament.

Who has subverted those systems? Why, probably everybody who could.

The Times of India claim echoed comments made to me at the recent Infosecurity Europe 2008 by Alan Paller, the director of research for the SANS Institute, who said that 25 countries were all engaged in some form of cyber intelligence gathering, while countries including China and France also gather commercial intelligence on private sector organisations.

"My guess is there are 25 countries being involved in this at some level or another," said Paller. "The commercial side of it seems to be more China and France."

