Sentry Posts: Security management blog

Friday 20 November 2009, 5:12 PM

Climate research centre compromised

Posted by Tom Espiner

One of the UK's leading climate change research centres has had a security breach.

The Climate Research Unit at the University of East Anglia (UEA) suffered a compromise of information, a UEA spokesperson said on Friday.

"We are aware that information from a server used for research information in one area of the university has been made available on public websites," said the spokesperson in a statement. "Because of the volume of this information we cannot currently confirm that all of this material is genuine."

"This information has been obtained and published without our permission and we took immediate action to remove the server in question from operation," the spokesperson continued.

"We are undertaking a thorough internal investigation and we have involved the police in this enquiry."

At the time of writing, the UEA spokesperson declined to comment further. It was unclear whether the breach was internal or external.

Professor Phil Jones, who is involved with climate research at the facility, was not available for comment at the time of writing.

Sophos senior technology consultant Graham Cluley blogged on Friday that over 1,000 emails and 3,800 documents had been leaked onto a Russian FTP server:

"A 61MB zip file containing information stolen from one of the world's leading climate research centres, was posted onto an anonymous FTP server in Russia, accompanied by a note saying:

'We feel that climate science is, in the current situation, too important to be kept under wraps'," wrote Cluley.


Wednesday 18 November 2009, 5:39 PM

Government web-monitoring plans on hold

Posted by Tom Espiner

Government plans to compel ISPs to process and store details of all web communications have been put on hold until after the next election.

The Home Office told ZDNet UK on Wednesday that the plans, called both the Interception Modernisation Programme [IMP] and Mastering the Internet, would very likely not be put into law until after the next general election in May 2010.

"It would be fair to say that [IMP] is not in the legislative programme for this session," said a Home Office spokesperson.

ZDNet UK approached the Home Office following the Queen's Speech at the official opening of parliament on Wednesday.

The speech, which is written by the incumbent government, made no mention of plans to bring forward IMP provisions in legislation.

The plans would see Facebook, IM and gaming communications monitored, and the information made available to public authorities. Email and telephone records would also be made more available to public authorities, including local government. This data sharing would be enabled by amendments to the Regulation of Investigatory Powers Act.

The Conservatives may form the next government, but the Conservative Party was unable to respond to a request for comment on whether it planned to continue with IMP at the time of writing.


Tuesday 17 November 2009, 2:42 PM

Watchdog reveals illegal sale of phone users' data

Posted by David Meyer

The Information Commissioner's Office is preparing a prosecution file against a mobile operator's employees who allegedly sold on thousands of customers' details to a competitor.

The Information Commissioner, Christopher Graham, said in a statement on Tuesday that his office was highlighting the case in order to argue for custodial sentences for those who sell on personal data without permission.

According to the statement, ICO investigators have been working with the unspecified mobile operator, who suggested that "employees allegedly sold details relating to customers' mobile phone contracts, including their contract expiry dates".

This information was allegedly sold to the company's competitors, whose agents then used the details to cold-call those customers whose contracts were about to expire, offering them alternative contracts.

"The ICO has investigated and it appears that the information has been sold on to several brokers and that substantial amounts of money have changed hands," the statement read. "The ICO has obtained several search warrants and attended a number of premises, and is now preparing a prosecution file."

Graham said he wanted to "close down the entire unlawful industry in personal data", but would only be able to do so if the perpetrators faced prison sentences rather than fines.

"The existing paltry fines for Section 55 offences are simply not enough to deter people from engaging in this lucrative criminal activity," Graham said. "The threat of jail, not fines, will prove a stronger deterrent."

Graham added that a custodial sentence would also give a perpetrator a criminal record and "open up the possibility of extradition in appropriate cases".

The government is currently consulting on a new £500,000 maximum fine for organisations that breach the Data Protection Act — the current maximum fine is just £5,000 — while upcoming European telecoms laws make it mandatory for organisations to report data breaches to the relevant regulators.

UPDATE: It was T-Mobile that contacted the ICO. Its statement reads:

T-Mobile takes the protection of customer information seriously. When it became apparent that contract renewal information was being passed on to third parties without our knowledge, we alerted the Information Commissioner's Office.

Working together, we identified the source of the breach, which led to the ICO conducting an extensive investigation which we believe will lead to a prosecution. While it is deeply regrettable that customer information has been misappropriated in this way, we have proactively supported the ICO to help stamp out what is a problem for the whole industry.

We had been asked before today to keep all information on this case strictly confidential so as to avoid prejudice to the investigation and prosecution. We were therefore surprised at the way in which these statements were made to the BBC today.


ZDNet UK tried to get a comment out of the ICO as to why it publicised the case, but they refused.


Monday 16 November 2009, 5:59 PM

This Crap Site

Posted by Jahm Mitt

How utterly stupid - I am ranked #40 in the top 100 - as a member of this site.....

I mean HOW utterly stupid.... I have done sweet FA, I have only rejoined this site after a 3 or 4 year absence.....

And I have only posted about 3 comments so far - and if that is what it takes to become so highly ranked; it really is pathetic.


Monday 16 November 2009, 3:45 PM

Microsoft Security Update: November Patch Tuesday

Posted by Greg Lambert

Apologies for the late arrival of our core Patch Tuesday update. Here is a summary.

The November Patch Tuesday update from Microsoft follows the largest patch and security update in Microsoft's history. This month there are six updates, covering Windows, Active Directory and the Office application suite.

These six updates have a low impact, bar one patch to Excel which may cause compatibility issues for some applications. The main cause for concern is that Excel is a primary, if not essential, component of many environments, for example most banking, trading-floor and insurance platforms. Any change to it must therefore be tested rigorously.

Whilst few applications in our sample are affected, the ChangeBASE AOK team recommends that the Excel update (MS09-067) be given particular attention in any environment with a significant dependency on Excel.

We have included a brief snapshot of results from our AOK software that shows some of the potential impacts on Microsoft Office deployments in the summary below.

Testing Summary
MS09-063: Marginal impact and negligible testing profile
MS09-064: Marginal impact and negligible testing profile
MS09-065: Marginal impact and negligible testing profile
MS09-066: Marginal impact and negligible testing profile
MS09-067: Moderate impact and negligible testing profile
MS09-068: Marginal impact and negligible testing profile

The full posting of these results can be found at:

http://www.changebase.com/News/NewsPage.aspx?page=20091110-01_PatchTuesday.xml&style=~/Style/PatchTuesday.xsl


Wednesday 11 November 2009, 5:23 PM

DNA details of innocent will be kept for six years

Posted by Tom Espiner

The government has announced that it plans to keep innocent people's DNA details for up to six years.

In response to a consultation it launched last December, the government said in a statement on Wednesday that it would "remove the DNA profiles of all adults arrested but not charged or convicted of any recordable offence after six years".

However, the Times reported on Wednesday that terrorism suspects could still have their DNA retained indefinitely.

A Home Office spokesperson told ZDNet UK on Wednesday that people's DNA deemed to be of "national interest" will be stored for longer than six years. That retention will be reviewed every two years by a senior police officer.

The government was forced to rethink its policy on DNA retention following the outcome of a test case last year. The European Court of Human Rights (ECHR) ruled in December that two people, Michael Marper, and a person identified as 'S', had their rights infringed by the UK government indefinitely storing their DNA.

At the time, legal site Out-Law.com reported that ECHR had not offered guidance as to how the UK government could comply with human rights law with respect to DNA.


Friday 6 November 2009, 4:14 PM

Motorola Droid Drops Today: Happy Droid Day America!

Posted by MobileTech

Author: Eric Everson, Mobile Security Expert

If you’re wondering what all of the buzz is about with words like Droid and Android 2.0 circling about, you might think for a moment that there is a new George Lucas film that hit theaters. To the contrary, Motorola’s much anticipated Droid handset hits Verizon Wireless stores today in America. This is a hallmark handset that comes equipped with Google’s Android 2.0 MOPS (Mobile Operating System) and offers what some believe to be Verizon’s answer to the iPhone.

As the official Droid release email from Verizon promotes, “The phone that makes you feel like a four star general with natural charisma, twelve arms and the power of mind control is here and is ready to serve.” Okay so, they might be overselling it a little bit, but this Droid handset certainly pushes the competitive landscape forward within the mobile industry. Having taken some time to tinker with the handset, the quality that stands out the most in comparison to the iPhone is its ability to handle apps (applications). If you’re used to the lag of opening apps on your iPhone, the Droid will feel like a supersonic blast of Star Wars-like hyper-drive in your palm!

Also notable is the 5MP (megapixel) camera, which pushes the idea of the camera phone into new territory. While it might not compare to the rumoured 12MP Nokia camera phone that is said to be in development, you will certainly notice a difference in picture quality compared to the 3.2MP camera of the iPhone. The Droid also pushes handset design forward with a touchscreen plus a slide-out QWERTY keyboard, and it comes out of the box with built-in access to Amazon's MP3 store.

Compared to the thriving Apple App Store and iTunes platform, the novelty of an Android App Store seemingly falls flat, but in all fairness the Android community is still very young. As third-party mobile content developers continue to see opportunities to embrace this new market, they will likewise be motivated to develop more apps. I see a great opportunity here for Google to flex its creative muscle to answer the competitive advantage that the iPhone already has in place.

As your resident mobile security expert, I would be remiss not to acknowledge the undertone of growing security concerns regarding the Android 2.0 MOPS. Are there mobile security vulnerabilities to come? Of course, but as I have noted in the past, nobody in the MOPS industry addresses vulnerabilities as well as the Google team. As we uncover new vulnerabilities throughout the MOPS landscape, the Google team is consistently the fastest and most efficient to respond.

If you’re in the market for a new handset or you’re one of many Verizon customers that has been waiting patiently for a smartphone of this caliber to come along, I say to you Happy Droid Day! May the force be with you!

-Eric Everson “The MobileTech”

Eric Everson is a leader in mobile technologies and is the founder of MyMobiSafe.com. If you would like to contact Eric Everson for interview or with consulting related inquiries contact him directly at EricEverson@Hotmail.com


Tuesday 3 November 2009, 6:15 PM

Mobile Security Profile: BlackBerry Storm2

Posted by MobileTech

Author: Eric Everson

BlackBerry handsets are a staple of office culture; from syncing calendars to sharing business-related data, the BlackBerry handsets are seemingly everywhere you look around the office. Most recently BlackBerry introduced the Storm2, a second generation touchscreen handset into the market. As the resident mobile security guru, I wanted to take a deeper look at this handset to gauge its real mobile security profile in the corporate environment.

As mobile handsets have become ubiquitous within the business environment, significant amounts of proprietary business data have migrated from the relative security of the computer-based environment into the vulnerable setting of the mobile handset. Simply put, mobile devices have become the weakest link in enterprise security, which is something that the BlackBerry Storm2 does little to address. In fact, the security specifications detailed at BlackBerry.com for the Storm2 list only two features: password protection and screen lock.

Like every BlackBerry the Storm2 should come with a barebones version of The BlackBerry Enterprise Solution. The BlackBerry Enterprise Solution is a platform that can be purchased “with corporate data security in mind.” (BlackBerry.com; 2009) Essentially this is a security software offering that allows businesses to decide how much mobile security they are willing to pay for rather than a one size fits all security platform. There are pros and cons to this model, but it does allow a tailored approach for enterprise mobile security which many IT professionals enjoy.

If you are looking for a hacker-proof handset, note that the Storm2 is built on the BlackBerry OS 5.0 MOPS (Mobile Operating System), which enables JavaScript by default in the browser. While no direct threat exploiting this setting has been identified, it is a prospective area of concern. From the standpoint of a standard (non-enterprise) user, the security features of the Storm2 will likely be sufficient.

If you are simply looking for a new handset, many business and enterprise users of BlackBerry handsets will likely not find the Storm2 an adequate replacement for a handset such as the BlackBerry Tour. Some users have already reported shorter battery life than the Tour offers, and many new Storm2 users have complained that the audible clicks from using the touchscreen cannot be silenced. Anyone who "multitasks" on the BlackBerry while in meetings is sure to find the audible clicks a serious annoyance.

Personally, I love the Storm 2 as a personal handset, but compared to the Tour (or other similar BlackBerry models), the Storm 2 is no enterprise handset. In short, Storm 2 is good for home but not so much for the office. On the bright side, the security profile of the Storm 2 can be tailored to fit the needs of the enterprise environment to the same degree as any other BlackBerry model.

Eric Everson is a leader in mobile technologies and is the founder of MyMobiSafe.com. If you would like to contact Eric Everson for interview or with consulting related inquiries contact him directly at EricEverson@Hotmail.com

Ref: http://na.blackberry.com/eng/devices/blackberrystorm/storm_specifications.jsp


Tuesday 3 November 2009, 5:35 PM

South Korea plans to fingerprint visitors

Posted by Tom Espiner

The South Korean authorities could fingerprint and photograph foreign visitors from 2012, the Korea Times reported on Tuesday.

Barring diplomats and government operatives, all visitors over the age of 17 could have their fingerprints scanned and photo taken, said the article.

The Korean Cabinet has approved the Bill, which will be voted on by the National Assembly this month.

Should the plans go ahead, Korea will discuss sharing the data with the US, which operates a similar system. Japan also collects visitors' biometrics.


Monday 2 November 2009, 8:30 AM

Adobe Reader in the Enterprise

Posted by Greg Lambert

This week I had the pleasure of working with some of the Microsoft Premier Field Engineers (PFEs) in an effort to further understand some of the application compatibility issues that might occur when sequencing for Microsoft App-V (formerly SoftGrid).

Quickly, the topic turned to compatibility issues surrounding Folder Redirection, as this appeared to pose a serious compatibility problem for Adobe products.

A quick scan of the web turned up a number of forum postings in which IT personnel could not get Acrobat or Reader 9 deployed without hitting C# debugger prompts and "file not found" errors.

For a few samples look here:

http://thinmaillist.blogspot.com/2008/08/thin-re-watch-out-with-adobe-acrobat_9472.html
http://www.adobeforums.com/webx/.59b5c03a

It looks like there were some pretty drastic solution paths explored here, especially for Citrix deployments. Yikes... I am really glad that I don't have to do this stuff anymore...

Before I dive too deep into the Adobe deployment problems, let's have a little introduction to Microsoft's Folder Redirection.

The idea of redirecting user local data folders onto the network was introduced with Windows 2000 and is defined as "the automated re-routing of I/O (operations) from local standard folders to use a different storage elsewhere on the network". Translated, this means that some standard user folders (e.g. My Pictures, My Documents) are redirected so that your files are stored on a network server. This greatly increases the chances that your files (and pictures) survive the laptop being nicked or knackered.

Windows Vista uses folder re-direction on the following directories; Contacts, Desktop, Documents, Downloads, Favorites, Music, Videos, Pictures, Searches, AppData, Links, Saved Games.

If your browser has a spell checker, "AppData" will appear with a red underline, which is appropriate, as the AppData folder is the one that caused us, and, to my great surprise, Adobe, quite a lot of trouble.

Through our troubleshooting exercise it became clear that Adobe Reader and Acrobat 9 were attempting to write user-specific data to the AppData folder. This is fine, and is in line with Microsoft's logo application development specifications.

So, in an enterprise environment, a user will log on to their desktop or laptop and, if their IT department has done its job, the AppData folder will be redirected to something like \\servername\region\department\username\AppData

And here is the big issue. Folder redirection is applied during logon, before any logon script runs, so the user will not yet have any mapped drives. The fully qualified path to the final resting place of AppData on the target server will therefore be a UNC path.

Hint: It will be a UNC path.

You can probably guess where I am going with this:

Adobe Acrobat 9 and Adobe Reader cannot store their AppData files on a UNC path. After a little debugging through their code, it appears that the path parser fails to "read from left to right" and correctly parse the full path once it does not begin with a drive letter.

Hence the "file not found" errors, application crashes and C# debugger prompts that present themselves to users at application start-up.
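To show what that parsing failure looks like, and what a redirection-safe application should do instead, here is an added example in Python. It is not Adobe's code or anything from the original post: it contrasts a hypothetical parser that assumes every absolute path begins with a drive letter (the behaviour described above) against one that uses ntpath.splitdrive, which understands both "C:" and "\\server\share" roots. The sample paths are constructed; the redirected one is the pattern from the post, and the "Adobe\Acrobat\9.0" subfolder is illustrative only.

```python
import ntpath

# Constructed sample paths: a local profile, and the redirected profile
# pattern from the post (\\servername\region\department\username\AppData).
LOCAL_APPDATA = r"C:\Users\username\AppData\Roaming"
REDIRECTED_APPDATA = r"\\servername\region\department\username\AppData"


def naive_split(path):
    """Mimic a parser that assumes every absolute path begins with 'X:'.

    This is the failure mode described in the post: the first two
    characters are read as a drive letter plus colon, which a UNC path
    never has, so the path is rejected and the caller reports
    "file not found".
    """
    drive, rest = path[:2], path[2:]
    if len(drive) != 2 or drive[1] != ":" or not drive[0].isalpha():
        raise FileNotFoundError(f"no drive letter in {path!r}")
    return drive, rest


def naive_accepts(path):
    """True if the naive parser would accept the path at all."""
    try:
        naive_split(path)
        return True
    except FileNotFoundError:
        return False


def robust_split(path):
    """Split off the root, which is either 'X:' or a UNC \\server\share.

    ntpath.splitdrive understands both forms, so everything after the
    root is handled identically whether or not the profile is redirected.
    """
    drive, rest = ntpath.splitdrive(path)
    if not drive:
        raise ValueError(f"not an absolute Windows path: {path!r}")
    return drive, rest


def is_unc(path):
    """True when the root is a \\server\share rather than a drive letter."""
    drive, _ = robust_split(path)
    return drive.startswith("\\\\")


def user_settings_path(appdata, *relative):
    """Build a per-user settings path under AppData the redirection-safe way.

    The root is validated with robust_split, then the relative components
    are joined with ntpath.join, which leaves a UNC root intact.
    """
    robust_split(appdata)  # raises if appdata is not an absolute path
    return ntpath.join(appdata, *relative)


if __name__ == "__main__":
    for p in (LOCAL_APPDATA, REDIRECTED_APPDATA):
        kind = "UNC" if is_unc(p) else "drive letter"
        naive = "accepts" if naive_accepts(p) else "file not found"
        print(f"{p}\n  root: {robust_split(p)[0]} ({kind}); "
              f"naive parser: {naive}")
        print("  settings:", user_settings_path(p, "Adobe", "Acrobat", "9.0"))
```

On a domain-joined Windows machine, `echo %APPDATA%` at a command prompt shows whether the roaming AppData folder has been redirected to a UNC path, which is the quickest way to tell whether a user is exposed to this class of problem before rolling out an application that writes there.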

So I did a little more digging, loading Flash and versions 6, 7 and 8 of Adobe Reader. All of these packages use the redirected AppData folder in the same way, and I am sure they will experience the same issue.

I will write more on the Adobe issues in forthcoming posts. And, there will be plenty to write about as it looks like there are over 400 application level conflicts between Adobe Reader 9 and Acrobat 9.


References:

Folder Redirection has a brief mention here: http://en.wikipedia.org/wiki/Folder_redirection

