Monday 12 May 2008, 3:36 PM
DWP downplays security breach
The Department for Work and Pensions (DWP) has admitted that some of its staff have been forwarding passwords with password protected material.
An email that was leaked on the 'Dizzy Thinks' blog on Thursday from DWP said:
"I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07. However, once the data and the separate password are received, staff are then forwarding the data and password on together; this defeats the purpose of the security measure entirely.
Could I ask you to remind staff of the heightened security surrounding data transfer and ensure that data and passwords are sent separately."
DWP kind of admitted that security procedures had been breached in an email statement they sent to me:
"We take the security of individuals’ data extremely seriously. We have carried out a major review of procedures around the transfer of data to ensure the security of customer information. We expect all managers to monitor the application of our security controls and ensure that the correct action is taken in all cases."
When I rang up to get some clarification, a DWP spokesperson downplayed the blog post, telling me that the leaked memo was a standard email to remind staff of security procedures, and that it wasn't in response to a large security incident.
When I asked whether there had actually been an incident, I was told there may have been a couple of isolated incidents at local level.
I pointed out that even one incident is enough to disclose large amounts of personal information, and the spokesperson said that DWP was making sure that the security of individual data was being taken seriously.
Honestly, even if the government has the best will in the world, it simply is unfeasible to expect buy-in not only across Whitehall, but at local level too, for all of the security procedures that would be needed to keep citizen data safe. As there is more government data sharing, there will be more data breaches and leaks; it's as simple as that.
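The failure mode the memo describes, checked mechanically as an added example (not code from DWP or from the original post): a Python script that flags an outbound message carrying an encrypted ZIP attachment together with a password stated in its own body. The sample message is constructed, and the password regex is an assumed heuristic that would need tuning to local wording.

```python
import re
import struct
from email import message_from_string

# Constructed sample, not a real DWP message: a forward that carries both the protected ZIP
# and its password. The base64 is a minimal ZIP local header with the encryption bit set.
SAMPLE_BAD = """\
From: a@example.invalid
Subject: FW: Claimant extract
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The password for the attached file is Winter2008!
--b1
Content-Type: application/zip; name="extract.zip"
Content-Disposition: attachment; filename="extract.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAQAAAA==
--b1--
"""
SAMPLE_OK = SAMPLE_BAD.replace("The password for the attached file is Winter2008!",
                               "Password to follow separately.")
# Assumed heuristic for a password stated in the body ("the password is X", "Password: X").
PASSWORD_RE = re.compile(r"\bpassword\b[^\n:]{0,40}?(?:\bis\b|:)\s*(\S+)", re.IGNORECASE)

def zip_is_encrypted(data: bytes) -> bool:
    """True if a ZIP's first local file header has the encryption flag (bit 0) set."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return False
    return bool(struct.unpack_from("<H", data, 6)[0] & 1)

def analyse(raw: str) -> dict:
    """Flag a message whose body states a password for an encrypted attachment it carries."""
    msg = message_from_string(raw)
    body, encrypted = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename()
        if name and zip_is_encrypted(payload):
            encrypted.append(name)
        elif not name and part.get_content_type() == "text/plain":
            body.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    found = PASSWORD_RE.search("\n".join(body))
    return {"encrypted_attachments": encrypted, "password_in_body": found is not None,
            "violation": bool(encrypted) and found is not None}
```

A mail gateway running this on outbound traffic would catch the forwarded-together case while leaving the intended split delivery (attachment in one message, password in another) untouched.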
Tuesday 6 May 2008, 4:17 PM
Google sponsors open source security project
Google has announced it is to sponsor oCERT, an open source computer emergency response team.
In a blog post on Monday, Google security engineer Will Drewry said that one of the problems with open source security was getting fixes out quickly to everybody using a particular piece of open source software.
"It has been unclear how to best resolve this issue. There is no centralized security authority for open source projects, and operating system distribution publishers are the best bet for getting updates to the highest number of users," wrote Drewry. "Even if users can get updates in this manner, how should a security researcher contact a particular project's author? If there's a potential, security-related issue, who can help evaluate the risk for a project? What resources are there for projects that have been compromised, but have no operational security background?"
So, Google will donate some sponsorship to the oCERT project, to try to address some of these issues.
It's a shame Drewry declined to wade into the long-running debate about which is more secure, open source, or proprietary software.
Tuesday 6 May 2008, 12:38 PM
Indian officials accuse China of cyber attacks
China is actively engaged in mapping India's computer networks, according to the Times of India.
China is mounting "almost daily" attacks against Indian Government computer systems, including scanning networks for possible vulnerabilities to exploit in the event of conflict, said the TOI. According to the article, over the last two months China has attacked the Indian National Informatics Centre, and the Ministry of External Affairs.
The Chinese are also compromising Indian computers to create botnets for possible future DDoS attacks, and installing keyloggers for espionage purposes, the article claimed.
While this wouldn't surprise me, it also wouldn't surprise me if all major countries with sophisticated IT infrastructures were doing the same thing. I've talked to UK politicians before who have told me, in a head-scratching way, that a scan of their computers (it was by guys from Trend Micro) revealed that there were over 30 pieces of malware installed, including keyloggers, on their computers in the Houses of Parliament.
Who has subverted those systems? Why, probably everybody who could.
The Times of India claim echoed comments made to me at the recent Infosecurity Europe 2008 by Alan Paller, the director of research for the SANS Institute, who said that 25 countries were all engaged in some form of cyber intelligence gathering, while countries including China and France also gather commercial intelligence on private sector organisations.
"My guess is there are 25 countries being involved in this at some level or another," said Paller. "The commercial side of it seems to be more China and France."
Tuesday 29 April 2008, 5:10 PM
XP SP3 out on general release
The third service pack for Windows XP has been released to Windows Update for voluntary download.
The service pack, which has been available to manufacturers and volume licence customers since 21 April, mostly seems to be a round-up of previous updates to XP. However, according to the XP Professional SP3 summary document, the service pack also turns on "Black Hole" router detection by default, includes a network access policy enforcement platform, and has a "more descriptive" Security Options control panel.
Friday 18 April 2008, 5:44 PM
ISO may change its processes following OOXML debacle
The normally august International Organization for Standardization (ISO) has said that it may change its fast track processes following the controversy around Microsoft's Office Open XML.
I've been involved in a long and very interesting round of emails between myself, a spokesperson for ISO, and Dr James D. Mason, who until the autumn chaired SC34, the ISO committee in charge of document specifications.
I did also ask Microsoft for its opinion this morning, but most correspondence from me gets sent to Redmond for a response, which is in a different time zone.
I asked the ISO spokesperson whether Microsoft's actions, which included encouraging partners to join the national standards bodies and vote in favour of OOXML, had damaged ISO's reputation, and whether it will prompt ISO to change its processes. According to earlier Microsoft statements, other companies including IBM have also tried the same tactics.
The spokesperson wrote:
"The issue of revising the fast-track procedure, or any other ISO or IEC procedure, is an ongoing process, and the experience with ISO/IEC 29500, along with the results of other standards-development activities, will indeed assist to determine whether further continued improvements should be made."
So it seems that ISO may be scrutinising its processes. You can read more in the story I wrote about Tim Bray (XML author) and Dr. Mason's comments about OOXML and ISO.
James D. Mason's comments were very interesting. There wasn't enough space to print them in full in the story, so I'll reproduce one of my questions, and Mason's answer here:
Q. As OOXML has now been ratified, would it be fair to say that ISO had its hands tied by its own processes, in that SC34 had to accept the votes of the National Bodies?
A. "JTC1 has been concerned about the perceived long time needed to approve standards for a very long time. More than a decade ago, they were worried that they were slower than the IETF. Then they worried about the W3C. The Fast Track process is an outgrowth of those worries, but it is a process that's rarely been used and so wound up getting its first serious test in the ISO 29500 case. It's fairly clear that the process is broken; even some people at Microsoft think that.
But the fundamental problem is with the overall ISO business model and process.
It's supposed to be a democratic process, driven by national standards bodies, each of which can set its own procedures. The recent experience shows that is full of pitfalls: Small National Bodies simply don't have the resources to do an adequate job of participating in lots of committees. They're generally volunteer organizations, and they take all the help they can get. So if Microsoft sends a volunteer, they take him. On the other hand, large national bodies, such as INCITS, which does the JTC1 work for ANSI, are heavily politicized, and that often prevents decisive action. V1, which does SC34 work in INCITS, was at a stalemate, and INCITS cast a U.S. vote that represented political decisions by the board rather than technical consideration of the issues. Something similar happened in Norway.
ISO, and JTC1 in particular, respond to the presence of other standards-making bodies not by looking at their overall business but by knee-jerk reactions, like creating the Fast Track process. I've been saying for more than a decade that JTC1 simply doesn't understand standards making in the Internet age. The IETF and then the W3C were created for the Internet age. One of the keystones of their operations is that they are online, and all texts are freely available. ISO still has a model that (1) requires face-to-face meetings and (2) expects to pay for operations from the sale of paper documents. I can't begin to tell you how many small NBs wrote me, expecting me to send them paper copies of DIS 29500, all 7000 pages of it! We have to remember that many national bodies have built large paper publishing organizations. Indeed, DIN, in Germany, seems to have started as a publishing house in the 19th century and only gradually evolved into a standards-making body in the 20th.
I don't know that the W3C's operating model is more fair or that it produces better standards than JTC1's, but it has different fundamental assumptions. For me, working in a service organization in a government agency, it was much easier to participate in ISO because getting voting membership in the W3C requires joining the consortium, which is very expensive. I also know that there is a whole bunch of people who left SC34 and went to the W3C when XML was getting started and then came back to SC34 because they got fed up with the particular politics of the W3C."
ISO denied that its processes were broken - the ISO spokesman wrote (in part):
"The JTC 1 fast track process is not a new development; it was introduced about 20 years ago. The total number of JTC 1 standards that have been fast tracked is 267, of which 212 are current today.
The ISO process continues to work well, producing about 100 new and revised standards every month. The ISO process continues to deliver voluntary international standards that are broadly accepted in the marketplace and by regulators, consumers, governments and other interests.
ISO/IEC 29500 has attracted a great deal of publicity and pointing out that ISO has a current portfolio of more than 17 000 standards which benefit business, government and society puts this publicity into context. The amount of publicity related to ISO/IEC 29500 on the Internet and in the press is itself an indication of ISO's success in developing standards. Its work for the IT sector has facilitated the growth of important applications, e-business and the overall exchange of information."