
Tom Espiner


Security Bullet In

Communiques from the security front, sir

Thursday 31 January 2008, 5:52 PM

HMRC site goes down, MPs can't file tax returns

Posted by Tom Espiner

Ah, another great day for Her Majesty's Revenue and Customs.

On the day of the deadline for people to file their self assessment tax returns, the HMRC website experienced severe technical difficulties for six hours.

When I rang up HMRC, they insisted that 104,000 people had actually managed to file their tax returns online today, but admitted that "some" customers had had difficulties.

"The problem affected a minority of our customers," said an HMRC spokesperson. When pressed, the spokesperson couldn't say how many people had not been able to file their assessments. Surely it's difficult to say whether a 'minority' were affected, then?

"I haven't got a figure for that number," said the spokesperson.

Luckily for those people who didn't manage to get their assessments in on time, HMRC has extended the deadline until tomorrow night - midnight of February 1 - so they can avoid the penalty of £100 for late submissions.

"HMRC takes any disruption of service very seriously and to reflect this no-one who files electronically or by paper by midnight Friday 1 February 2008 will face a penalty," said an HMRC statement.

However, what I was really interested in was why the site had gone down in the first place. The spokesperson was unforthcoming, but assured me the site had not gone down due to the number of people trying to file.

"There was no volume problem," said the spokesperson. "We are currently investigating [what caused the outage]."

When I asked to speak to a member of technical staff to talk about the problems, I was told the technical staff were far too busy keeping the site up and running at the moment to talk to the press. O--K. Situation all under control then.

Meanwhile, HMRC put out another statement admitting that some MPs were also unable to file their tax returns, because their taxpayer reference numbers were not recognised on the authentication system. Whoops!

From the statement:

"Some newspapers and broadcast media have claimed that HMRC's online filing systems are not secure because Members of Parliament and a small number of other taxpayers cannot use the Self Assessment service.

This is completely untrue," said the statement. "A small minority of taxpayers, including MPs, cannot currently use online services because the additional internal safeguards on their records mean that their taxpayer reference numbers are not recognised on the authentication system.

This therefore has nothing to do with the security of our online services. HMRC online services use the highest levels of encryption generally available and authentication processes similar to online banks."

Hmmm, these would be the same banks which lost £7.2m to online banking fraud from January to June 2007, according to APACS? And how come HMRC didn't use the "highest levels of encryption generally available" when sending 25 million personal details to the NAO, which were subsequently lost in the post?

I'll leave the last word to Rob Steggles, the UK marketing director for NTT Europe Online, a managed hosting company:

"In both the public and private sectors, if an organisation’s online presence goes down at a critical time, its reputation and revenues will suffer," said Steggles in an email statement. "In the private sector, the commercial damage can be significant, but for a government website, it is those tax payers attempting to abide by the law that are suffering."





Wednesday 30 January 2008, 5:39 PM

Digital photo frames infected

Posted by Tom Espiner

There's a very interesting thread on the SANS Handler's Diary about photo frames that have been infected with malware.

Apparently, US store Best Buy pulled thousands of photo frames manufactured by Insignia after it was discovered the frames were infected with a virus.

Insignia has put up an apology on its site, but doesn't seem to have provided many technical details.

SANS says that this is a possible new attack vector: infection through the supply chain.

A linked idea has been around for a while - as devices become 'smarter' and are hooked up to the internet, they also become a means to subvert computer systems. Your smart fridge could eventually be a conduit to your data...


Friday 25 January 2008, 6:25 PM

Symbian worm in the wild

Posted by Tom Espiner

There aren't that many out there, but there's a new Symbian worm in town.

Mobile phone viruses are few and far between. According to antivirus company F-Secure, what makes this Symbian worm different is that it attempts to propagate using common media file extensions, rather than the standard SIS extension used by malware such as Commwarrior. Both pieces of malware still rely on social engineering to propagate.

From the F-Secure blog post:

"We have been working on an interesting Symbian worm over the last few days. It affects S60 2nd Edition phones.

The SymbOS/Beselo family of worms is very similar to Commwarrior. In fact at first we actually misidentified Beselo.A as Commwarrior.Y. Like Commwarrior, Beselo worms spread via MMS and Bluetooth using social engineering to trick users into installing an incoming SIS application installation file.

But what makes Beselo interesting is that instead of a standard SIS extension the Beselo family uses common media file extensions. This leads the recipient to believe that he is receiving a picture or sound file instead of a Symbian application. He is then far more likely to answer "yes" to any questions the phone prompts after clicking on such an incoming file.

The filenames used by Beselo are beauty.jpg, sex.mp3, and love.rm."

However, it's not clear what the worm does if users run the malicious file.

In my opinion, mobile phone malware is currently at an undeveloped stage, where users don't need to worry overly about getting infected - it would be a pain to be infected, but not catastrophic, and the likelihood of infection isn't high. However, you may decide that it is enough of a risk to get some mobile phone anti-malware software.


Friday 25 January 2008, 6:08 PM

Encryption key legal challenge?

Posted by Tom Espiner

It may be possible to challenge the power of the police to force people to hand over encryption keys under human rights law, according to an article on OUT-LAW.com.

From the article:

"The Regulation of Investigatory Powers Act (RIPA) was changed last autumn to allow police to force people to hand over passwords or keys to encrypted data. Refusal to do so is a criminal offence carrying a penalty of two years in jail, or up to five years if the issue concerns national security.

One criminal law specialist has told technology law podcast OUT-LAW Radio that the law could be challenged under the Human Rights Act, though he also warned that such a challenge could fail under legal tests set out by the European Court of Justice (ECJ)."

Security expert Richard Clayton has suggested an alternative hypothetical defence for innocent IT professionals unfairly accused: 'forget' your encryption key. It isn't a refusal.


Friday 25 January 2008, 5:55 PM

First virus writer arrested in Japan

Posted by Tom Espiner

Under Japanese law, writing malicious code isn't illegal, according to antivirus vendor Sophos. Japanese authorities are therefore prosecuting the alleged writer of a particular piece of code, and two others, on the grounds that the code was allegedly distributed using unauthorised anime images.

From the Sophos press release:

"It isn't illegal to write viruses in Japan, so the [alleged] author of the Trojan horse has been arrested for breaching copyright because he used cartoon graphics without permission in his malware. Because this is the first arrest in Japan of [an alleged] virus writer it's likely to generate a lot of attention and there may be calls for cybercrime laws to be made tighter," said Graham Cluley, senior technology consultant for Sophos.

