Monday 30 July 2007

Incident Disclosure is really a No Win Situation

Recently a UK City Council announced a data breach involving tens of thousands of credit cards, I’m not going to name them as I don’t really want to be associated in defending them.

The facts of the security incident and how it was discovered is very different from the press headlines, which basically laid into the Council for having bad security and not being security responsible by putting thousand of it’s users at high risk of credit card fraud by putting these deatils unsecurely online. However after reading through press releases and a bit deeper into some of the news reports, it painted a slightly more responsible picture.

The Council had hired an external Security Expert – no, not me ;) to check and test the security of their systems, this expert found that a data file had accidentally been uploaded to a public website in error by a member of staff. The file held credit card transaction details for thousands of council tax payments and parking fines, however the credit card data was encrypted and the file didn’t include pin numbers and CV2 numbers, so it would be pretty difficult to use it for credit fraud. I understand the names and address were in clear text but I haven’t able to confirm this as yet. It appears the file was downloaded on one occasion from the public web site.

Well I think the Council’s “heart” must have been in the right place to hire an external security expert in the first place, the fact that the credit card data was encrypted and they didn’t have pin/CV2 numbers within the file bodes well, and after all they publicly disclosed the incident within a week of finding out, they said they would of disclosed it earlier but it would of compromised the incident investigation, sure that could be just PR spin, but we’ll give them the benefit of the doubt. As I’m sure a lot of other organisations might have just swept this type of incident under the carpet. I just think the very negative press attack and blatant avoidance of the actual facts within news reports in order to sensitise the story and panic the populous, isn’t exactly going encourage other organisations to voluntary disclosure similar incidents in future. Which is what I would like see, as I would like to bring into the open the scale of general bad security going on within business, punishing organisations that are appearing to be trying their best I don’t think is going to help matters, if anything it could even put off companies from hiring in security experts to test their system security!

Again what was the cause of this incident? You guessed it was a human (on the inside) making a mistake (humans tend to do that). So another example to be chalked up within my security awareness training presentations.

Before anyone comments on my defensive approach to data breach, please don’t as you will be missing my point, I totally agree any data breach is a serious and generally bad thing, especially when it involves public data/credit card data, and its totally right these incidents are aired within the public arena.

Saturday 28 July 2007

Door-to-Door Personal Information Gathering

It's just after lunch time on a sunny Saturday afternoon, it's great to finally have some sunshine for once, it's been a very rainy summer in the UK. Anyway about 5 minutes ago my door bell rang and I was greeted by a smartly dressed young man, who handed me a leaflet, advertising a carpet cleaning or something like that and a free prize draw for a car. According to the leaflet is was by a company called "Total Homecare (lancs)". It's what happened next that really bothered me...


young man>we're new the area I'm just handing out leaflets, we do carpet cleaning, and we having a free prize draw for a new car (car was a cheap Nissan Micra)
me>ok, but most of my house has wooden floors and I already have a car, so I'm not really interested
young man>ok, let me just take your name...
me>hang on minute, I'm not the sort of guy that hands out personal details to people I don't know.
young man>Oh don't worry about that it's all covered by the Data Protection Act
me>oh really, just how is it covered by the DPA?
young man>eerrh, ermm, you know, we'll look after your details
me>Ok, can you please explain how you do that? You understand what the DPA is, right? Perhaps I should explain where I'm coming from, I'm a bit of Information Security Expert...
young man>erm, listen it doesn't matter I don't need to take your details, I'll just leave the leaflet, good bye

I'm not saying this company isn't legit, but they really should be careful how they go about gathering personal details and training their staff, especially about the Data Protection Act, which clearly wasn't understood. I guess a lot of people would have accepted the standard response of "it's all covered by the data protection act". Personally I don't like organisation or strangers that knocks on my front door. So he sure picked the wrong door bell to ring on this occasion.

Tuesday 17 July 2007

Those Darn Google Spin Doctors

The BBC News website hailed a Google response to their recent privacy criticisms, with Google announcing they will now auto-delete their search engine's locally stored cookies after just two years, instead of by the year 2038.

But here's the thing, the Google cookie "auto-delete date" resets back to two years after each visit! So unless you don't visit google.com for over two years (how likely is that), then they'll never delete anyway!

I have no problem with the Google cookie, as after all if I was super paranoid I could just manually delete their bloody cookie myself after each visit, but what a complete non-story! Those darn Google Spin Doctors, I suppose they were just running out of ideas for their weekly privacy news story.

Friday 13 July 2007

The Best Hacker/Security Movies

It’s fair to say my recent blog entries have been a bit too serious of late, so I guess its time for a more light-hearted security related blog entry, so here's my top three favourite Security/Hacker movies of all time.

3. WarGames
Sure WarGames is an old and dated film by todays standards, but it has a nice example of war dialling, which has pretty much gone into the hacking history books. There's plenty of other realistic hacking techniques, like actually stealing password from the school secretary's draw, (locking draws should be part of a tidy desk policy right?), still the second half of the movie kind of goes completly off the rails.

2. Firewall
This is the movie where the Security guy, not the hacker, is the hero! Sure it might not be the best movie ever made, but it makes my list for one particular scene, which is near the beginning, when Harrison Ford actually enters an Access List on a Cisco Router, “correctly”, although if I was tetchy I would of expected him to be adjusting a signature on a Cisco IPS device. In his defence he makes up for that by babelling on about reducing false positives, which I thought was a nice touch and funny, because it's exactly the sort of thing I babel on about when talking IPS with the techies. The Firewall movie comes in very handy for those party situations when someone asks what you do for a living, you say Information Security Manager, a lot of folks don’t really get it, well now I can follow up with “you know that Harrison Ford movie Firewall...”

1. Hackers
This might be a controversial one, with it's use of graphical animations to portray the hacking rather than the realistic command stuff and realistic hacks, but lets face it, it would be a pretty boring if the movie showed realistic command line hacking. Anyway I just like the movie and it makes the top of my list as the whole movie has a hacking/Security theme, plus it has some good examples of social engineering. I often reference this movie in my management security presentations, to show how the hacker has involved from the sterotypical "teen hackers" as seen in this movie, to becoming more organised and financially motivated.

The worst movie in this genre has to be “The Net”, not just because it’s a really terrible movie, but there's a scene where Sandra Bullock types in an invalid IP address, it was some like “421.643.21.2”, when I first watched this film I remember going absolutely nuts on seeing that, promptly spoiling the film for everyone within “loud ranting” range. It still sends a cold chill down my spine thinking about it today.

There were plenty of other movies I considered, the Matrix series almost got into my top three, especially as there’s a scene in the Matrix Reload, where Trinity uses nmap to scan ports! Other movies included The Lawnmower Man, Sneakers, Tron, Johnny Mnemonic, even Independence Day, with the hacking on the Alien mothership and the introduction of a computer virus! But I kept my list down to the out and out security/hacker themed movies.

If anyone has any other suggestions or recommendations to watch, please comment.

Hack the Planet!

Monday 9 July 2007

Big Brother is already watching You!

Continuing the theme from my last blog entry, in regards to the idea of a “Big Brother” state impeding over individual rights…so what’s the deal with individual privacy erosion anyway? Well as far as I’m concerned that boat has not already sailed, but is over the horizon out of sight, the George Orwell “1984” state is already here!

Let’s look at the evidence in the UK. The UK is the most CCTV intensive country in the world, the average UK citizen is caught on CCTV cameras 300 times a day. However since the general induction of CCTV into urbans and shopping environments, which first appeared in the UK 50 years ago, CCTV has played a vital role in solving many crimes, and now plays a role in crime prevention in all UK city centres.

Moving on, Tesco is the UK’s leading Supermarket, they are probably best described as more of a multi-billion pound corporation, as staggeringly Tesco account for £1 out of every £7 spent in the UK high street. Tesco success is built on data mining, as for many years Tesco has tracked all purchases by individual/household via a club loyalty card. In exchange for fractions of pennies off future items, the vast majority of UK citizens are providing detailed information about our shopping habits to Tesco and other like minded companies. They know know what you like buying, when, where, how often and even how much you spend on average at specific times. Do we care? Well the vast majority of people appear not to.

For many years now anyone arrested and charged in the UK, innocent or not, is forced to provide their DNA to the police, this DNA goes into the national DNA database. From my point of view I think it's great how this database is being used to solve a variety of crimes these days, even solving unsolved crimes from decades ago in the past. The "hoax" Yorkshire ripper for example was caught courtesy of this database last year. The hoaxer sent tapes to the police in late 1970s, which messed up the pursuit of the real killer, who was able to kill several times further. So a couple of years ago, the police managed to obtain DNA from the envelope in which the hoaxer sent the tapes. The made a near match on DNA database, from which they were able to conclude the person it matched was a near relative to hoaxer, so after questioning the family, they got their man.

The Police DNA database is ever growing, although the suggested future plans for it’s use is kind of scary, as there has already been calls by a senior policemen to put “everyone” on it, or at least all foreign nationals, I think another decade from now, that won't be too far-fetched an idea.

Car congestion charging cameras monitor our driving activity, with the London scheme area ever growing and new schemes planned in other cities such as Manchester, which doesn't even need it. The UK government has already commissioned a trial into satellite tracked "pay tax as you drive" technology, which is seen as a replacement to the UK tax disc and fuel duty, so all your car movements will be tracked and held. It could even be used to dish out speeding tickets, as it would know if you drove over the limit in specific areas!

The UK National Identity cards are just around the corner, and as everyone has a mobile phone these days, it is possible to track an individual’s general location. I've already blogged about Google's tracking of searches, coupled with ISP monitoring, it just about every covers aspect there is.

You simply cannot survive in the UK without a bank account, there’s hardly a job that doesn’t pay direct into a bank account, even the benefits systems pays directly, therefore “Big Brother” knows your finances as well. In fact most bank’s anti-fraud systems are able to detect out of character purchases (which I also think is great), so our account activity is already being passively monitored.

To sum up, when you actually sit down and think about it, it is staggering how much information on our lives is currently being gathered, monitored and continually held. What “they” do with this information is one concern, another is how they are securing it, either way it is worth noting the UK government has a general “get out of jail free” card in terms of the UK data protection act, on the grounds of protecting national security.

Probably one of the biggest fears I have is with the DNA database, as sooner or later the health service will use one, and lets be honest the UK health service can't do much right at a management level. They can't even enforce basic physcial security at hospitals or even prevent basic infections, so it doesn't look too good for data security. Imagine what a fraudster or even an Insurance company could do with a DNA database?

Welcome to 1984.

Tuesday 3 July 2007

Terrorism Risk Assessment

After reading through news website comments, listening to radio talk shows and general conversations with peeps down the pub, the biggest debate post the failed UK terrorist attacks, isn't about the changing the "foreign policy", or "pulling our troops out of Iraq", it's the old chestnut personal Civil Rights Vs State Security. On scrutiny I found that most of those who sided with the extra security measures for the state over personal rights infringement, tended to because of fear of being a victim. For me as a security guy this isn't rational thinking, as they just aren't risk assessing the situation properly. So what leads people to think in this way? Well as terrible and deplorable terrorist acts are, I think the way the media over sensualises it, not only encourages these acts in the first place, but is helping instilling an irrational fear.

I mean if I put on my "risk managers" hat, I know for a statistical fact that I am more likely to die falling down the stairs than from any terrorist attack, however that's a risk I accept, I certainly don't going around telling everyone they should live in bungalows and panicking every time I have to negotiate a flight of stairs.

Personally I put my own right to live ahead of any terrorist suspect's rights, so I don't mind giving up some of my civil liberties to state security, but that's because I have nothing to fear, rather than because of fear.

I just like to say that I fully applaud the UK security services, UK police and the UK government for the "first class" way in which they have handled these botched terrorism attempts.