Thursday 29 May 2008, 5:25 PM
Online backup insecure, says Heise
Some online backup services are easily fooled, according to the folks over at Heise security.
An undisclosed Heise employee hacked into some online backup services by intercepting the connection between the client and the backup server, bypassing the encryption used: a basic man-in-the-middle attack.
"Attackers can read and even change the data being backed up or restored when it's transmitted over the internet," said the Heise article.
Heise pretended to be the backup server to the client, and the client to the backup server, using fake certificates. For the vulnerable systems, neither client nor server checked the certificates for authenticity, said a source at Heise.
There was no need to hijack the connection, as the client was on a network that Heise controlled, said the source. They added that in the real world, an attacker would either use a Trojan, or attack the router to change the DNS entry for the server to their own IP address.
There was no need to actually forge the certificates by reverse engineering or the like, as the services did not check them, said the source. Heise just generated its own using standard utilities, while the signatures on them were "obviously fake", said the source.
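The failure Heise describes is a client that never checks who signed the server's certificate, or whose name is on it. The following Go program is an added example, not code from Heise or from any of the services tested; it uses only the standard library. It runs a loopback "backup server" presenting a self-signed certificate (constructed in memory for the example, standing in for the "obviously fake" one), then connects with three kinds of client: one with verification switched off (the vulnerable configuration), one that checks against the system trust store, and one pinned to the service's own certificate. The host names backup.example and other.example are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds an in-memory certificate for host, signed with its own key:
// nothing trusted vouches for it, just like a forged server certificate. (Constructed.)
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// startServer is a stand-in backup server on a loopback port presenting cert.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); c.Write([]byte("ok")) }() // Write runs the handshake
		}
	}()
	return ln, nil
}

// connect dials addr expecting a server named serverName and reports whether the
// client accepted the TLS handshake under cfg.
func connect(addr, serverName string, cfg *tls.Config) bool {
	cfg = cfg.Clone()
	cfg.ServerName = serverName
	conn, err := tls.Dial("tcp", addr, cfg) // Dial completes the handshake
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Demo runs four client configurations against the same untrusted server
// certificate and returns whether each one accepted the connection.
func Demo() (map[string]bool, error) {
	const host = "backup.example" // hypothetical name for the backup service
	cert, leaf, err := selfSignedCert(host)
	if err != nil {
		return nil, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	pinned := x509.NewCertPool() // trust store holding only the service's own certificate
	pinned.AddCert(leaf)
	return map[string]bool{
		// The weak setting: checking switched off, so an "obviously fake" cert goes through.
		"no-verification": connect(addr, host, &tls.Config{InsecureSkipVerify: true}),
		// Default checking against the system trust store: unknown issuer, rejected.
		"system-roots": connect(addr, host, &tls.Config{}),
		// Pinning the service's own cert: accepted only when its name matches the expected server.
		"pinned-right-name": connect(addr, host, &tls.Config{RootCAs: pinned}),
		"pinned-wrong-name": connect(addr, "other.example", &tls.Config{RootCAs: pinned}),
	}, nil
}

func main() {
	fmt.Println(Demo()) // map[no-verification:true pinned-right-name:true pinned-wrong-name:false system-roots:false] <nil>
}
```

The pinned client is the one a backup vendor that issues its own certificates should ship: it refuses any certificate not in its trust store and any certificate whose name does not match the server it expects, so neither of the two impersonations Heise performed (posing as the server to the client, or as the client to the server) would get past the handshake. Setting the server name explicitly also matters: a client that dials by IP address and leaves the name check to the library's default would reject even the genuine certificate, which is how such checks end up disabled in the first place.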
Wednesday 28 May 2008, 4:49 PM
NERC gets Aurora slap on the wrist
A major US energy overseer has been boxed around the ears by a US policy maker over its handling of a vulnerability in US critical national infrastructure security.
US Representative James Langevin, chair of the House Subcommittee on cybersecurity, took the Federal Energy Regulatory Commission (FERC) to task over its efforts to mitigate a cyber vulnerability known as 'Aurora'.
Aurora is still a proof of concept, but it basically uses computer systems to overload and blow up electricity systems -- the remote destruction of power generation equipment through cyber attacks.
Langevin got upset at both FERC and the Department of Homeland Security. In a Statement on Electric Grid Cyber Vulnerabilities made to the subcommittee last Wednesday, Langevin said:
"I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security. Everything about the way this vulnerability was handled – from press leaks, to DHS’s failure to provide more technical details to support the results of its test, to NERC’s dismissive attitude, to the industry’s half-hearted approach towards mitigation – leaves me with little confidence that we are ready or willing to deal with the cybersecurity threat."
"As time passes, I grow particularly concerned by NERC, the self-regulating organization responsible for ensuring the reliability of the bulk power system," Langevin continued. "Not only did they propose cybersecurity standards that – according to the GAO and NIST – are inadequate for protecting critical national infrastructure, but throughout the Committee’s investigation they continued to provide misleading statements about their oversight of industry efforts to mitigate the Aurora vulnerability. If NERC doesn’t start getting serious about national security, it may be time to find a new electric reliability organization."
Langevin also criticised security controls put in place (or rather, not put in place) by the Tennessee Valley Authority (TVA), the largest US public power company. In a report released this month by the US Government Accountability Office (GAO), the TVA was roundly criticised:
"TVA has not fully implemented appropriate security practices to secure the control systems and networks used to operate its critical infrastructures," commented GAO. "Both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption. The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks. On TVA’s corporate network, certain individual workstations lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations. In addition, the intrusion detection system had significant limitations. On control systems networks, firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were inconsistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems. As a result, systems that operate TVA’s critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats."
It's a tricky one, that. I suppose it all comes down to an organisation's appetite for risk, together with a balanced assessment of the likelihood of a successful attack.
Tuesday 20 May 2008, 2:05 PM
Privacy International director launches 80/20
Simon Davies, who has been involved with campaigning on privacy issues for a number of years, is launching a privacy consultancy firm called 80/20. Half of all profits will be donated to overseas civil liberties causes.
Davies, who is also a visiting fellow at the London School of Economics, is trying a new tack to raise the profile of privacy issues. Instead of berating companies whose practices he believes are suspect, Davies instead will work with them to sort through problems.
"I've been fighting privacy issues for 20 years, and the idea of 80/20 has been gestating for 10 years," Davies told me on Monday. "Instead of the usual polemic around privacy, this is an attempt at direct engagement."
80/20, a company Davies will head, will sell services including privacy impact assessments of new technologies that companies are planning to implement, and privacy training. "This is a way to focus assistance on companies who want to find solutions," said Davies.
However, Davies said he would have "no qualms about affecting the share price of companies" if he thought they were doing the wrong thing. "Constant war is draining, we have to find other solutions," said Davies. "But if companies don't respond and don't care about privacy issues they're going to have to accept a slapping in the press."
80/20 will be involved in a working group to examine how to achieve "a legally acceptable means of establishing consumer consent for online services such as search engines." Companies involved in the working group include BT, AOL, Microsoft, and Facebook.
Wednesday 14 May 2008, 5:31 PM
Tomorrow is National Working from Home Day
As a journalist, my heart drops when I start receiving press releases about any sort of "Day". This is because the majority of "Days" are Public Relations (PR) exercises dreamed up by clever PR agencies to promote their clients' agendas. I have no problem with that, as long as people recognise that the media they are consuming that is PR generated is mostly advertorial as opposed to editorial.
However, tomorrow's "Day" du jour (geddit?) is "National Working from Home Day", and is being busily promoted by its organisers, Workwise UK. OK, some PRs -- and I don't blame them, good opportunity -- have jumped on the bandwagon and are promoting their clients' interests, but Workwise UK itself doesn't seem to have any ulterior motives.
Some Workwise UK members, such as BT, may obviously benefit from an increase in people working from home (or 'WFH' as it's known at CNET, not to be confused with 'WTF'). However, the majority of members -- Transport for London, the Confederation of British Industry, the Trades Union Congress, the British Chambers of Commerce, the Equality and Human Rights Commission -- do not obviously directly benefit commercially.
I rang up Adam Legresly, who is head of operations for Workwise UK, to find out what all the noise was about.
"We're trying to raise awareness of the benefits of working from home," said Legresly. "We're not promoting shirking of responsibility, it's all to do with business benefits. In the BT Centre they have 4000 staff working in a building that's designed to hold 2000 people -- they're sweating their assets."
I assumed this was due to half of the BT staff at any one time working remotely, rather than them literally being crammed in like sardines, or prisoners in an overcrowded jail, 'sweating their assets'.
"You can bring in the disabled, single working parents -- it's a way of seizing on talent," said Legresly. "Small organisations might especially consider savings that can be made on health and safety requirements, commuting time is cut down, and there's a reduction in CO2 emissions."
I asked Legresly whether he was working from home, which he confirmed.
"I am working from home at the moment," he said. "And I'll be working from home tomorrow. Everybody at the organisations works from home some of the time, otherwise it would be a bit hypocritical."
So, I'd like to know readers' opinions. Does WFH make you or your boss go WTF? Or are you in favour? And will you be working from home tomorrow?
Monday 12 May 2008, 3:36 PM
DWP downplays security breach
The Department for Work and Pensions (DWP) has admitted that some of its staff have been forwarding passwords with password protected material.
An email from DWP that was leaked on the 'Dizzy Thinks' blog on Thursday said:
"I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07. However, once the data and the separate password are received, staff are then forwarding the data and password on together; this defeats the purpose of the security measure entirely.
Could I ask you to remind staff of the heightened security surrounding data transfer and ensure that data and passwords are sent separately."
DWP kind of admitted that security procedures had been breached in an email statement they sent to me:
"We take the security of individuals’ data extremely seriously. We have carried out a major review of procedures around the transfer of data to ensure the security of customer information. We expect all managers to monitor the application of our security controls and ensure that the correct action is taken in all cases."
When I rang up to get some clarification, a DWP spokesperson downplayed the blog post, telling me that the leaked memo was a standard email to remind staff of security procedures, and that it wasn't in response to a large security incident.
When I asked whether there had actually been an incident, I was told there may have been a couple of isolated incidents at local level.
I pointed out that even one incident is enough to disclose large amounts of personal information, and the spokesperson said that DWP was making sure that the security of individual data was being taken seriously.
Honestly, even if the government has the best will in the world, it simply is unfeasible to expect buy-in not only across Whitehall, but at local level too, for all of the security procedures that would be needed to keep citizen data safe. As there is more government data sharing, there will be more data breaches and leaks, it's as simple as that.