Monday 12 May 2008, 3:36 PM
DWP downplays security breach
The Department for Work and Pensions (DWP) has admitted that some of its staff have been forwarding passwords together with the password-protected material they unlock.
An email that was leaked on the 'Dizzy Thinks' blog on Thursday from DWP said:
"I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07. However, once the data and the separate password are received, staff are then forwarding the data and password on together; this defeats the purpose of the security measure entirely.
Could I ask you to remind staff of the heightened security surrounding data transfer and ensure that data and passwords are sent separately."
DWP kind of admitted that security procedures had been breached in an email statement they sent to me:
"We take the security of individuals’ data extremely seriously. We have carried out a major review of procedures around the transfer of data to ensure the security of customer information. We expect all managers to monitor the application of our security controls and ensure that the correct action is taken in all cases."
When I rang up to get some clarification, a DWP spokesperson downplayed the blog post, telling me that the leaked memo was a standard email to remind staff of security procedures, and that it wasn't in response to a large security incident.
When I asked whether there had actually been an incident, I was told there may have been a couple of isolated incidents at local level.
I pointed out that even one incident is enough to disclose large amounts of personal information, and the spokesperson said that DWP was making sure that the security of individual data was being taken seriously.
Honestly, even if the government has the best will in the world, it is simply unfeasible to expect buy-in not only across Whitehall, but at local level too, for all of the security procedures that would be needed to keep citizen data safe. As there is more government data sharing, there will be more data breaches and leaks, it's as simple as that.
Thursday 8 May 2008, 11:28 AM
How many headshots does one chairperson need?
We got a strange request last week from the head of PR at Russian security experts Kaspersky. It seems that although the company was very happy with the interview we recently carried with its chairperson Natalya Kaspersky, Natalya herself wasn't very happy with the picture of her we were sent to go along with the interview. To remedy the situation, the PR dutifully sent no fewer than seven alternatives of Natalya in a variety of thoughtful poses.
[Seven alternative photographs of Natalya Kaspersky, numbered 1 to 7]
Tuesday 6 May 2008, 4:17 PM
Google sponsors open source security project
Google has announced it is to sponsor oCERT, an open source computer emergency response team.
In a blog post on Monday, Google security engineer Will Drewry said that one of the problems with open source security was getting fixes out quickly to everybody using a particular piece of open source software.
"It has been unclear how to best resolve this issue. There is no centralized security authority for open source projects, and operating system distribution publishers are the best bet for getting updates to the highest number of users," wrote Drewry. "Even if users can get updates in this manner, how should a security researcher contact a particular project's author? If there's a potential, security-related issue, who can help evaluate the risk for a project? What resources are there for projects that have been compromised, but have no operational security background?"
So, Google will donate some sponsorship to the oCERT project, to try to address some of these issues.
It's a shame Drewry declined to wade into the long-running debate about which is more secure, open source, or proprietary software.
Tuesday 6 May 2008, 12:38 PM
Indian officials accuse China of cyber attacks
China is actively engaged in mapping India's computer networks, according to the Times of India.
China is mounting "almost daily" attacks against Indian Government computer systems, including scanning networks for possible vulnerabilities to exploit in the event of conflict, said the TOI. According to the article, over the last two months China has attacked the Indian National Informatics Centre and the Ministry of External Affairs.
The Chinese are also compromising Indian computers to create botnets for possible future DDoS attacks, and installing keyloggers for espionage purposes, the article claimed.
While this wouldn't surprise me, it also wouldn't surprise me if all major countries with sophisticated IT infrastructures were doing the same thing. I've talked to UK politicians before who have told me, in a head-scratching way, that a scan of their computers (it was by guys from Trend Micro) revealed that there were over 30 pieces of malware installed, including keyloggers, on their computers in the Houses of Parliament.
Who has subverted those systems? Why, probably everybody who could.
The Times of India claim echoed comments made to me at the recent Infosecurity Europe 2008 by Alan Paller, the director of research for the SANS Institute, who said that 25 countries were all engaged in some form of cyber intelligence gathering, while countries including China and France also gather commercial intelligence on private sector organisations.
"My guess is there are 25 countries being involved in this at some level or another," said Paller. "The commercial side of it seems to be more China and France."
Monday 5 May 2008, 3:27 PM
Poor Mobile Banking
By: Eric Everson, Founder MyMobiSafe.com
In reading the news this morning, an interesting article from Fox Business News titled "Mobile Banking to Transform Microfinance" caught my eye. In short, the article discusses the capacity of mobile banking to overcome the shortcomings of financial institutions as a vehicle for the poor. If nothing else, this article makes me think that if mobile banking offers so much potential in terms of driving the flexibility of a mobile lifestyle, then why isn't more being done to secure mobile banking?
As I've declared in the past, mobile banking's greatest security vulnerability resides at the handset level. This means that the lack of security on most mobile handsets exposes them to incredible risk as a financial instrument. Building on this article, how much more does targeting the lowest income demographics compound the security vulnerabilities that reside in mobile banking? By this statement I merely intend to suggest that this demographic is less likely to use the higher end of the handset spectrum (which boasts better security), while it is also less likely to seek out third-party software to bolster the security shortcomings of its handsets.
The article suggests, "A new report from the global microfinance body CGAP predicts that, with the right market conditions, mobile banking could reach large numbers of poor people who are outside the formal financial system." I do not actually disagree with this, but the issue becomes defining what comprises "the right market conditions" for mobile banking to truly reach a demographic that has traditionally lagged in technology adoption.
As a mobile security professional (with a business degree), I see a much greater need to focus on the handset level mobile security vulnerabilities that threaten the macroeconomics of mobile banking as a whole. If the overall environment of mobile banking is threatened by the gaping holes of handset level security coupled with the grave lack of handset interoperability across the global wireless industry, how will mobile banking ever gain the traction needed to become a standard conduit to the financial industry?
Let's face it, mobile banking is a newer technology that has some major areas of opportunity with regard to security. As security is only as strong as the weakest link, mobile banking faces serious hurdles at the handset level.
Your mobile security guru,
Eric E
Eric Everson, Founder - MyMobiSafe.com
Article in Reference: http://www.foxbusiness.com/story/mobile-banking-transform-microfinance/
Tuesday 29 April 2008, 5:10 PM
XP SP3 out on general release
The third service pack for Windows XP has been released to Windows Update for voluntary download.
The service pack, which has been available to manufacturers and volume licence customers since 21 April, mostly seems to be a round-up of previous updates to XP. However, according to the XP Professional SP3 summary document, the service pack also includes "Black Hole" router detection turned on by default, includes a network access policy enforcement platform, and has a "more descriptive" Security Options control panel.
Tuesday 29 April 2008, 12:36 PM
All the open source security you need?
There's a list of 75 good open source security applications, on eSecurity Planet. OK, some of them are variations or extensions of each other, but that's quite a lot to look through...
The list covers encryption, anti-virus, VPN, remote administration and plenty of other aspects of security.
If nothing else, the list - which we found linked from Linux Today - is a strong argument in favour of open source within security, and evidence of its increasing presence there: a year ago, the site's list of recommendations only reached ten apps.
Friday 25 April 2008, 3:58 AM
Mobile Banking: The Weakest Link
By Eric Everson, Founder MyMobiSafe.com
For many the prospect of conducting their banking by cell phone either strikes them as totally cool or totally crazy. I tend to put myself in the first camp as an embracer of mobile technologies, but admittedly I am not without my mobile security reservations.
As we all know in digital security, the weakest link is always the most vulnerable point of any topology. In mobile banking this weak link happens to be the very handset that we are expected to entrust with our financial transactions. The adoption of third party mobile security solutions is still very limited across the global spectrum of mobile users, thus the greatest level of threat that mobile banking faces has become the very platform of the transactions.
Let us assume that the mobile phone is the next great platform of the digital future, and instantly the security that many take for granted on their cell phone becomes a significant bargaining chip for mobile application developers. It is no surprise that industry titans such as Google are jumping into mobile advertising, as the industry demographics are so encouraging to their financial prospects. On the other hand, as mobile users are already beginning to experience mobile advertising in their once sacred mobile space, one cannot help but exercise concern regarding the origination of the content. Just as viruses are spread so commonly through email in a computer-based setting, the content now arriving on your mobile handset may not be as safe as you might hope.
With the popularity of mobile keyloggers, these applications can be easily embedded in a mobile message. Again touching on the limitations of handset level security that are so common throughout the mobile industry, we start connecting the dots of the handset as the weakest link of mobile banking. You get an unassuming mobile advertising (spam) message delivered to your handset and before you know it your seemingly safe mobile banking is compromised from the inside. Your every keystroke can be remotely monitored, thus passing access to your mobile banking into the wrong hands.
Do not get me wrong, I am not trying to deter anyone from adopting mobile banking as I personally think it is a blessing. If you use your handset the way I do, you should at least consider the value of the information you are putting into your handset… since after all it is still the weakest link. I look for many of the banks to start partnering with mobile security firms to address these mobile vulnerabilities head-on, but until then remember to be on the lookout for your own mobile security.
Your mobile security guru,
Eric E
Eric Everson, Founder
MyMobiSafe.com
Tuesday 22 April 2008, 4:39 PM
Social networking and portability
One of the more interesting speakers at Infosec's "Locking Down Social Networking Vulnerabilities" event today - itself locked down by a power cut just as Facebook's Max Kelly was cutting to the nub of his gist - was Giles Hogben of the European Network and Information Security Agency (ENISA).
Hogben was suggesting, as he did in a report to the European Commission last year, that users of social networking sites like Facebook should be able to export their profiles - a "secure briefcase", in his words - rather than being stuck in the current situation, where it is impossible to get your data off Facebook's servers whether or not you "deactivate" your account. In other words, the social network's servers won't hold your profile - you will, encrypted on a USB key. Which you can then take around different social networks.
I can see his point, but also the obvious flaw. Despite OpenSocial and such initiatives, can you imagine social networks really opening the door for their users to wander off with all their data, not leaving any "stickiness" for the social network? Perhaps I'm being overly cynical, but I think it'll be a cold day in hell before we see the likes of Facebook agree to that. In the words of Hogben, speaking to me after the abbreviated panel discussion: "The social network provider would provide you with a platform, but they wouldn't get to see the data."
Then how would they make any money and stay viable? If the EC takes this suggestion on board then we're in for an entertaining fight.
Friday 18 April 2008, 5:01 PM
Chinese attack on CNN predicted
A contributor to the 'Dark Visitor' blog has predicted an attack on news company CNN.
The blog, which claims to track Chinese hack attacks, has said that the attack will occur on April 19 at 8.00 pm, Beijing time. I can't read Chinese, but according to the Dark Visitor contributor 'Heike', calls for a distributed denial of service attack against CNN's website have appeared on various Chinese language websites.
The call for a DDoS attack is apparently in retaliation for coverage of the recent violence against Tibetan liberation protesters, those vicious Buddhist monks.
Meanwhile, on Tuesday security vendor McAfee found an interesting piece of malware. According to McAfee, the file that was being distributed appeared to be a cartoon of a Chinese gymnast doing a vault at the upcoming Olympic games, for which she was given nul points by the judges. There are then images supporting a free Tibet.
However, while the film ran, a keylogger with a rootkit was installed onto the user's PC. The cartoon was being distributed as an email attachment called "RaceForTibet.exe", while captured information was transmitted to a computer that appeared to be located in China.
Perhaps a way for pro-Chinese supporters to keep an eye on pro-Tibetan supporters?