Friday, 20 December 2013

Printicy: 3D Printer Design Piracy

The sun is rising on the exciting and limitless age of 3D printing. 3D printing technology is really starting to pick up the pace; the latest evolutions of the technology mean 3D printers are not only becoming more affordable, but the objects 3D printers can produce are becoming more sophisticated, allowing for all manner of potential object capability and application.


Anyone can have their designs 3D printed through online services already, and in the coming years we can expect to see 3D printers within many households. Perhaps as part of your weekly shopping visit to your local supermarket, you'll pick up your 3D printed objects from a supermarket 3D printer counter, just as you might do with photograph prints today.


3D Printers for the Home

Exciting as 3D printing is, I foresee the technology will be blighted with piracy problems, along the lines of what we saw with illegal music downloads before music stores like Apple iTunes and music streaming services. Just like MP3 files, 3D print designs are creatively owned digital property, and just like MP3 files, 3D designs will be easily proliferated online. As with music, the potential number of original 3D print designs is infinite, so we can expect an explosion of 3D print designs as the technology enters the mainstream, mushrooming into perhaps hundreds of thousands of individual designs. These will include commercial designs, made by individuals and companies creating 3D designs for sale.



The question is whether this new 3D print industry will have learned from the problems encountered with the digital revolution of music and eBooks: will we see the building of 3D print stores to control the distribution of 3D designs? I’d be very surprised if the likes of Apple, Amazon, Google, and even supermarket chains like Wal-Mart and Tesco are not looking at this potentially highly profitable new market. I believe the extent of 3D printer piracy will be dependent on the price point of commercial designs within such 3D design stores. If designs prove overly expensive, you can bet a black market of 3D print designs will be strong; if designs are cheap, like most Smartphone Apps are today, perhaps the amount of piracy will be low enough for a commercial 3D print design market to flourish.


There is another piracy issue with 3D printers which I expect to rear its ugly head, namely the ability to use 3D printers to reproduce goods illegally. The technology presents an ability to reproduce identical copies of legitimately produced objects or copyrighted/trademarked designs. Let’s say I invented a new type of plastic coffee cup holder that’s unique, and people happen to really like it. So I patented my original design, put it into production and pushed it out to retail. All the counterfeiters need to do is buy one and 3D scan it, at which point they will have the 3D design; from this point they have the ability to effortlessly reproduce identical copies of my coffee cup object with a 3D printer. These copies could even be mass produced; there are already commercial 3D printer factories in existence, which have hundreds of 3D printers in situ, mass producing objects 24/7. This counterfeiting could even be taken a step further: by merely sharing the design online, anyone in the world can reproduce my cool coffee cup holder perfectly. Counterfeit goods are already a huge enough problem, fuelled by the lack of enforceable international copyright laws; it just takes a quick search for cheap Dr. Dre headphones on eBay, or a browse at your local street market, to see the extent of the existing counterfeit market. 3D printing will take this black market to a whole new level.


Shapeways: 3D Printing Factory

It looks like the 3D print market will be huge, so the importance of protecting 3D print designs will be a key part to how this exciting new market will commercially prosper. But even with 3D design stores selling object designs at low prices, I fear we’ll see a new type of digital piracy, no matter what security steps are taken by 3D print stores, such is the way of our digital world.  I’m off to work on my cool coffee cup holder design!

Wednesday, 30 October 2013

Big Data Intelligence Driven Security at RSAC

A constant theme from this year’s RSA Conference Europe is the idea of security intelligence collaboration, namely the capture, sharing and data mining of “Big Data” to detect and prevent security incidents and attacks. But will it ever take off?
The concept of gathering and using big data is nothing new; from Google to your supermarket loyalty card, big data mining has been very successfully used commercially for at least a decade, not to mention the alleged big data mining said to be conducted by the NSA.

This collaboration-led intelligence approach has potential, and I believe it could be effective if conceived and built smartly; however, I fear the issue will be with the data sharing. Most of the existing big data models in use are covert, and organisations aren’t collaborating, so they do not share their big data analytics. This is a fairly obvious approach, as the whole idea of mining big data in their case is for commercial advantage and gain. So I imagine there aren’t many examples of big data collating and sharing models for the security sector to build a system upon.

Who are we going to trust to manage the security big data? A vendor, a government department? Who has access to the data? Can that body use the data for their own commercial gain? Trust is a very real issue in building any security big data model.

Within Europe the potential of sharing any personal data under a security umbrella cause will be highly unpalatable, especially to an EU parliament seemingly bent on an online privacy revolution. Then there is a growing number of EU citizens who, in the backwash of Snowden and Wikileaks, are increasingly becoming apathetic about what they see as an Orwellian big brother online society. We’ll see what plays out; as usual this is my two (euro) cents.

Tuesday, 29 October 2013

RSA Conference: Anonymity is the Enemy of Privacy

‘Anonymity is the Enemy of Privacy’ was a point stressed by Art Coviello, the Executive Chairman of RSA, in the opening keynote of the RSA Conference Europe 2013. This point is controversial to say the least, especially to a European audience, with many Europeans still reeling in the wake of the massive NSA covert internet surveillance allegations concerning European leaders and millions of EU citizens.


Many privacy advocates hold a polar opposite view to Art, believing anonymity online is a fundamental ingredient for online privacy. Art's perspective also highlights the difference in attitudes towards privacy harboured between the United States and Europe. The European Union was built on its citizen rights, including the right to privacy, a right the EU wishes to see exercised online, whereas the US view tends to be 'privacy is dead', believing the right to online privacy has been given up and the privacy fight lost.

Monday, 28 October 2013

Identity Theft & How to Protect Yourself from ID Theft

HotSpot Shield have created an Identity Theft InfoGraphic which I'm happy to share. The InfoGraphic explains the malicious actors behind ID theft, some of the techniques they use and how to protect yourself.

Sunday, 13 October 2013

RSA Conference Europe 2013 Preview

The keynote speaker at this year's RSA Conference Europe is certainly of interest. Sir Seb Coe was widely applauded as delivering an outstanding Olympic Games in London last year.  The security of the games was always a great concern from the day after it was announced London was to receive the games back in 2007, but it is the cyber security aspect of the games which interests me. The games were subjected to cyber threats, including a specific cyber threat aimed at taking down power supplies to the games stadiums, so it will be fascinating to learn more about the planning, preparation and the testing of the London 2012 cyber defence.

I always recommend the RSA Europe Conference to fellow UK security professionals, especially those new to our busy and complex sector.  It’s a great event to learn about the emerging threats, defences and the latest security thinking, with plenty of quality sessions to choose from. The conference is also a great place to network with fellow security professionals from around the world, including the speakers at the event, who I have always found to be an approachable and an amicable bunch of fellows.

Wednesday, 18 September 2013

2000 to 2013: The Moving Sands of Information Security

I have been in the information security game for a very long time. Many of the fundamental security controls haven’t really changed a great deal and continue to remain best practice, such as deploying anti-virus, patch management and decent firewall management, but the business environment where these security controls are applied has radically shifted, especially over the course of the last decade.
 
So let's take a trip down memory lane back to the year 2000. The world had just found out that the Y2K bug was a complete non-starter, aside from making IT contractors a bob or two. Meanwhile the Internet was starting to find its way into mainstream business, even so secretaries were still being asked if they had any experience in using the Internet during job interviews. And if you had a job title with the word “Cyber” in it, people assumed you were some sort of a Dr. Who extra.

Policies
Starting with the cornerstone of all good information security management, the information security policy, what’s changed? 

Back in the year 2000 the responsibility for information security within a typical UK business sat within the mystic realm of the IT department. The policy document would be called the “IT” Security policy, and it tended to be a single document, only a few pages in length and only understandable by the techno geek who wrote it. Today information security policies are typically split into an array of different documents, often breaking down into frameworks of standards and guidance hundreds of pages in length, and they are no longer owned by the IT department; rather they are used to instruct IT. Well, this is true in many UK businesses that are serious about their InfoSec. Indeed risk and information security have finally become a separate business governance function, sitting at the very top of many businesses. But there is still a way to go with the InfoSec revolution in the UK, as still too many businesses are lacking decent information security management, and as a result struggle to deliver airtight security best practices.

Personal Device Usage in the Workplace
In the year 2000 a typical policy would warn employees against using the company's 128K Internet access for personal usage, and not to connect their own devices to the network, a rule insisted upon by the business management not based on a rational risk or threat, but based on concerns about staff productivity and hogging the limited bandwidth. There wasn't the proliferation of personal devices we see today, although I recall there was the odd Palm Pilot around. In 2013 users are permitted to use the Internet for personal usage, and in many UK businesses are actively encouraged to bring their own devices into the workplace. The cost-saving Bring Your Own Device (BYOD) culture has risen from nowhere in recent years, and has taken a grip up and down the land as businesses desire to cash in on the benefit of not having to provide expensive smart phones and laptops to their staff.

Laptops
In 2000 the idea of encrypting a laptop’s hard drive would have been considered a crazy notion from the realm of a James Bond plot. Laptops of the day tended to really struggle performance-wise, and yet even though laptop theft by shell-suit-clad spotty teenagers was just as common as it is today, businesses were not overly concerned about the loss of data via laptop theft. The business was more concerned about the cost of replacing the laptop, meanwhile employees were only concerned about the cost of fixing their smashed car windows.
Today most UK businesses are no longer overly concerned about the laptop replacement cost, but are more anxious about the potential regulatory fines and the media embarrassment that awaits with any loss of a laptop that is not encrypted. The Nationwide fine of £1,000,000+ in 2007 by the FCA (then FSA) marked a sea change in laptop encryption adoption in the UK, after which many businesses decided to take no chances and increasingly adopted enforced mandatory hard disk encryption across their entire laptop estate.

Storage Media
Back in the year 2000 the storage media everyone had floating around their desks was CD-Rs, and the idea of encrypting them was pretty much unheard of in most UK offices. Mainstream business got a wake-up call when one day in 2007 HMRC lost a couple of unencrypted CD-Rs which held millions of UK citizens’ personal data. A huge media storm ensued highlighting the government’s bad security practices, and to this day those HMRC CD-Rs have never been recovered. But the HMRC breach served to wise up many UK businesses to the huge potential reputational damage that losing those circular pieces of silicon could generate. MDs in boardrooms scoffed “look how stupid the government (HMRC) are”, then asked their executives “we encrypt all our CDs, don’t we?”
Just like with laptop encryption, businesses took a “take no chances” approach and most now enforce encryption on all media, including USB storage devices, which had exploded onto the scene in the mid-2000s.

Automated Security Management
IT security controls have become easier to implement since 2000; no longer is applying anti-virus and software patches a manual 'walking on eggshells' task, but it can be done with confidence, centrally managed and fully automated. It doesn’t stop there either: system monitoring and alerting has improved in leaps and bounds, with security managers now having access to a NASA-style mission control suite of screens brimming with real-time stats and turnkey reporting metrics.

The Crown Jewels that don't tour, now on tour
The security doctrine of 2000 was all about protecting the important data within the onsite network; a castle and moat approach to security was taken. Great care was taken with remote access, securing perimeter firewalls and with any connectivity to third parties who you dared to share your network and sensitive data with. Those were the security battlefields, with firewall rule-sets and VPNs the weapons of the day.

Although perimeter security is still equally as important today, a momentous shift has occurred, in that the crown jewels of the important data have moved outside of the business's physical site fortress, and can be found in often blindly trusted third party data centres and unvetted cloud service providers. In 2000 placing trust in a third party would have seemed a dubious idea at best; if it had to be done, great care and checks were taken. I think this is one area where a backward step has occurred.

One of the reasons marketing use the word ‘Cloud’ so much is that it makes something that is in reality highly complex sound very simple to the service user. However, businesses need to take a good look under the bonnet of the simple ‘cloud’ front, properly assess and vet the security of third party service providers, applications and infrastructure, ensuring their third parties are aligned to their business risk appetite, and have at the very least the same appropriate level of security controls as their business's internal infrastructure and systems.


Security Awareness
I think it is fair to say there hasn't been a vast improvement in staff security awareness since 2000. Of course we've seen some changes with the introduction of Computer Based Training Courses and employees signing declaration forms, but nothing ground-breaking has really happened. Security awareness still tends to be a flash-in-the-pan campaign and a tick-box assurance, and is often a poorly done afterthought rather than a sustained process. Yet for me it would appear we are coming full circle, and we are placing security control and trust firmly back into the hands of employees, with personal cloud solutions and personal device usage making it easier than ever for employees and contractors to bypass the once clever endpoint castle-moat-extending security controls.

The Biggest Change in the last Decade
Finally, and perhaps the biggest evolution over the years has been with the humble information security professional. Back in the day I remember it being a struggle to even be recognised as an information security professional in the UK, hence why this blog, which I started in 2007, is called “IT Security Expert” not “Information Security Expert”.
Not only is there an ever increasing army of information security professionals, but the quality of how these professionals practise their trade has much evolved for the better. We have seen security professionals go from a ‘health and safety’ mentality of blurting “No” all the time to the businesses they serve, to a business-conscious “can do” attitude, having the knowledge and expertise to devise solutions to fit their business needs and risk appetite. Well, the successful information security professionals are doing this.

Saturday, 14 September 2013

Security by Staff Responsibility instead of Enforced IT Controls

Today IT security controls are enforced on the end user without prejudice, all for the purpose of mitigating the human risk. These controls, especially endpoint security controls, are typically applied because it is best practice to do so, and not as a result of a risk assessment.
What if the application of technically enforced security controls was taken as an action of last resort? Can human responsibility be just as effective as an enforced control? Can it be more advantageous in managing the same risk? These are my thoughts.

Let's take an English FA Premier League football match: there is a risk that spectators in the stands will invade the pitch, impacting on the match and threatening safety. Yet spectators rarely invade football pitches at English matches, even though they aren't fenced in. A fence is an example of an enforced control meant to prevent fans from accessing the pitch.

My argument is that the fans are self-responsible and trusted, meaning the control of fences is not required; further, the risk of a pitch breach is less than when the fence control was in place.


No fences at English Football Grounds

In comparison to the English game, it is a very different story at most football matches on the European continent, where fans are fenced in from accessing the pitch. It used to be that way at English football grounds; I remember attending football matches all around the country in the late 1980s, and as a fan I was fenced in from accessing the pitch at every ground. Chelsea FC even had an electric fence, now that's what I call an enforced control. But even with the fencing I recall there were many more pitch invasions during that period of time than today, either en masse or by lone individuals.
European football ground fencing example

One of the darkest days in the English game occurred at Hillsborough in 1989, when 96 Liverpool fans died after being crushed; this was partly due to the presence of the pitch-side fences, which prevented the fans from escaping. After the disaster, and quite rightly, all the fences were removed from all football grounds in England.

Q. How did English football clubs manage the pitch invasion risk without using the enforced control of fences? 

It was achieved by placing responsibility onto the fans.
  • Firstly a law was passed, providing a deterrent, making it a criminal offence for fans to encroach onto the pitch, along with lifetime bans from matches for doing so.
  • Then fans were educated, so they clearly understood the new rule and why the rule was required. There was a consensus amongst the majority of fans at all clubs that the rule was for their benefit, their safety, so was righteous.
  • It was strictly enforced, so fans knew there was a consequence for breaking the rules.
  • There was a perceived threat that the fences (the control) would come back if the fans didn't follow the rule they agreed with. This led to peer pressure from the general mass of the fans against anyone that broke the rule. So when a fan ran onto a pitch, a chorus of boos and abuse from the stands would occur, followed by cheers when a steward or police officer apprehended the pitch invader. Back in the 1980s, when the fences were in place, there would be a chorus of cheers from the crowd with such infractions, followed by boos once the police intervened.
  • The absence of a pitch-side fence was regarded as a responsibility and a luxury by the fans, as the lack of fences meant unrestricted viewing for the first few rows in the stands, and allowed fans to get closer to the action. There was a high degree of trust and responsibility placed on the fans, as there was nothing to prevent them invading pitches but their own self-control and self-regulation.
The point I am making is that, to mitigate risk, it may not always be the right and most effective solution to reach for the IT control, but to first consider whether staff can be trusted and be self-responsible in managing the risk. Affording responsibility can be regarded as a privilege, a privilege staff will actively seek to protect, as they seek to avoid the inconvenience that some security controls cause them. Group peer pressure of metaphorical boos can be effective against any minority of individuals that seek to stray from the rules, as they threaten the benefit and trust afforded to the majority.

I am not saying this will give 100% security, nothing will, not even the strongest of enforced IT controls, but there are many additional benefits in having business staff onside, responsible, trusted and security sharp, rather than fencing them in like sheep with IT controls.

Tuesday, 10 September 2013

iPhone 5S "Touch ID" Fingerprint Security

Apple announced the new iPhone 5S today; the introduction of a new fingerprint recognition access system on the smartphone, called "Touch ID", grabs the security attention.
Fingerprint reader is the main button

Security of the Fingerprint Reader
The fingerprint reader is not like the traditional readers you see on laptops, and is actually part of the main button on the phone. The reader is no security gimmick, as it is not an outdated optical reader, which works by taking and comparing a picture of your fingerprint; it is a capacitance reader, which is a more advanced and secure technology. Capacitance readers use an electrical current to map your fingerprint, measuring the minuscule differences in conductivity caused by the raised parts of your fingerprint, which makes it very difficult to defeat. I don't like to advocate the security of anything without inspecting, researching and testing a device myself, but I will say this reader has certainly been designed with security in mind.
Apple has faith in Reader's Security
Apple have a lot of faith in the security of the reader, which is a good sign, stating it will not only be used to unlock the iPhone, but to verify users' Apple IDs to make account purchases. This method of device authentication, if proven, makes an interesting development within the mobile device payments space, and perhaps could be a viable alternative to website passwords.

The Phone Lock Benefit
Given how fast the authentication works in comparison to using a passcode or password, I see an additional security benefit to be had with the account lockout time-limit. Setting the phone lockout timeout to 5 minutes or even 1 minute of inactivity becomes more viable, as the current trade-off in accessing the phone with a slowly entered passcode/password is replaced by near-instant touch authentication and access.

Increased Access Control Security with Two Factor Authentication
For security aficionados, the fingerprint reader may allow two factor authentication, namely combining the fingerprint reader with a passcode/password to authenticate; this would really ramp up the access control security on the device.

In all a very interesting and innovative security addition by Apple, so much kudos to them. Now I need to get my hands on an iPhone 5S to test it.

Monday, 9 September 2013

Square Enix Final Fantasy XIV Accounts Security Warning

Last week I posted on How to keep your Final Fantasy XIV Online Account Safe & Secure

Today (9th Sept), Square Enix posted an urgent security warning concerning account security for the game, confirming a "third party" was using account names and passwords which they believe to have been obtained from security breaches of other companies' online services.

Square Enix's advice mirrors my own: set up and use their one-time password system, or ensure your password is unique to your Square Enix account.

Since my post I have been asked... 
Why would anyone be interested in hacking gaming accounts like FFXIV?


1. For the Money. Rare in-game items, which can take many hours of gameplay and luck to obtain, can be sold off in in-game auction houses for a great deal of game currency. Players over the course of time build up lots of such items and lots of in-game currency (gold/gil); these rewards for sometimes hundreds of hours of gameplay have a value. This in-game currency can be transferred out of the character/gaming account and then sold on for real currency online. Some gamers buy in-game money from third party operators; this is already available in FF14, just google it. Typically $8 will buy you 100K gil (in-game money), $500 will buy $6M, the latter allowing you to operate as a reseller, using the in-game chat systems to sell it. Yes this is strictly against the game rules, but it goes on in every game of this type. The bottom line: access to your gamer account = cash to the bad guy.

2. Good old fashioned Revenge. People piss other people off within the game, and as a way of getting back at a player, some will try to hack the other player's gamer account. If successful, they strip the character of items, steal all their gaming money, lock them out from playing, and even delete their character.

3. Personal data is always of value: names, home address, email address, DoB, account password, password reset question etc.

Sunday, 8 September 2013

GCHQ Cracks SmartPhone Codes, Privacy Outrage or Lifesaver?


The Edward Snowden fallout continues with the steady trickle of classified revelations released by the media. The latest appears to be confirmation of GCHQ's ability to crack or bypass the encryption on Blackberry and Android smartphones.

This news isn't really that shocking given cracking encryption is a core part of what GCHQ has done for decades. It is also important to understand that nowhere does the released documentation say GCHQ have been breaking into everyone’s smartphones and harvesting our private data en masse; I doubt they’ll have the resources and funding in the UK to do that.

My assumption is that breaking smartphone encryption is a necessary GCHQ tool for gathering information on specifically targeted bad guys, for example suspected and known terrorists. Several terrorist plots have been foiled since the 7/7 atrocities, so what if GCHQ's ability to access encrypted smartphone electronic messaging and call information had played a key part in preventing terrorist plots from succeeding? Then it could be argued GCHQ's actions are not only in the UK public interest, but may have actually helped save innocent lives. Further, it makes sense that GCHQ wouldn’t want to advertise their capabilities to the general public and to the bad guys. There is an argument that the release of such classified information by the media for their own ultimate purpose of profit (selling papers) is not only immoral, but could be placing lives at risk.

It is easy and desirable to jump on the privacy bandwagon for the purpose of bashing the government of the day, even though most of us give up vast amounts of our personal information to the likes of Facebook and Google. But we need to consider the full picture of why we want our government to e-spy in the first place. We can’t have our cake and eat it: either we want to engage our security services in stopping terrorism at our privacy's expense, or not. It is worth remembering the likes of GCHQ are usually the first to be blamed for not doing enough when a terrorist plot succeeds, ironically by the media.

Friday, 6 September 2013

Bullrun & Edgehill: US NSA & UK GCHQ have broken Internet Encryption

I have always suspected this, and now, according to documents newly leaked by Edward Snowden, the NSA and GCHQ are said to have defeated most of the online encryption used by internet users and the likes of Microsoft, Google, Yahoo and even banks. The use of supercomputers, court orders and the good old application of pressure to internet service providers are all said to be tools used by the government agencies to gain access to encrypted data.

"In recent years there has been an aggressive effort, lead by NSA, to make major improvements in defeating network security and privacy involving multiple sources and methods, all of which are extremely sensitive and fragile"

"NSA has introduced the BULLRUN CoI to protect our abilities to defeat the encryption used in network communication technologies"

The US programme name is Bullrun, and it is said to have a £150m annual budget, while the UK GCHQ counterpart is called Edgehill. These codewords come from battles in each country's civil wars, not only showing the US-UK collaboration on this, but perhaps an interesting reflection on the owners of the information they seek to intercept and access.

"It is imperative to protect the fact that GCHQ, NSA and their Sigint partners have capabilities against specific network security technologies"

It appears heavy investment into these covert programmes started in early 2000, when the US agencies were told they were legally not allowed to place backdoors within online systems.

On the British side, the documentation says the UK had broken 30 VPN links, and states the UK desired to move away from encryption cracking and go after the fibre internet traffic, which matches my own theory on the PRISM programme.

A statement made by the NSA within the documentation shows their intent, and perhaps makes a good mission statement for the programme: "Every new technology required new expertise in exploiting it, as soon as possible".

This story is going to run over the next few days, so I'm sure more will come out as the documentation is scrutinised.

Wednesday, 28 August 2013

How to keep your Final Fantasy XIV Online Account Safe & Secure

Final Fantasy XIV is a new online multi-player role playing game (MMORPG) which was launched on the Sony PlayStation 3 and PC this week by Square Enix. Gaming accounts on such games are actively targeted by cyber thieves, as they look to profit from victims by selling off in-game character equipment in exchange for real life money, and even to harvest personal data.


Protection of the Square Enix user account by the gamer is the key to the game's security, and it is as much the responsibility of the gamer, not Square Enix, to ensure it is kept secure, which will become clear in the rest of this post. If a bad guy gains access to this account, he will have achieved his objective, and can go on to steal. Many victims don't understand how their accounts were compromised by hackers, and consider the hackers to be super clever and the gaming company to be at fault. However the attacks are old techniques and fairly simple, and in the vast majority of cases it is the gamer at fault, in having poor security habits leaving themselves wide open to attack. There are several common techniques used to steal credentials from gamers' online accounts, which I'll explain below together with advice to protect against such methods.

1. Phishing Emails
Most online game account credentials are stolen through phishing attacks. Hackers send a professionally worded fake email to a gamer, typically pretending to be from the company providing the game. The email will include a link to a fake but genuine-looking website, and the message will give a reason, based on either fear or greed, to access that site by clicking on the link. For example the email might say "Urgent, your account has been hacked and the password requires resetting" (fear), or perhaps "you won our competition for free access and in-game rare items" (greed).

Gamers are duped into entering their account credentials on the fake website, and are then typically forwarded on to the real website so they don't realise they have been hacked, while the hacker has meanwhile harvested the gamer's username and password.
ADVICE: Be wary of any email which appears to be from Square Enix or Sony and asks you to click on a link or open an attachment or form. No matter how real an email looks, or what the sender's email address is, never access a website through a link in an email.
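As an added illustration of the mismatch the advice above is warning about (this is example code written for this post, not anything from Square Enix or Sony), the checker below pulls every link out of an HTML email and flags any that point outside the vendor's real domains, or whose visible text names a different domain than the link actually goes to. The trusted domain list and the sample email are constructed placeholders.

```python
"""Added example (not from the post): flag links in an HTML email that point
outside the game vendor's real domains, or whose visible text names a different
domain than the href. Domains and the sample email are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-game.com"}  # assumed real vendor domains (placeholder)

def host_in(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return [(href, reason)] for each suspicious link in the email body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not any(host_in(host, d) for d in TRUSTED_DOMAINS):
            findings.append((href, "host %r is not a trusted domain" % host))
            continue
        # Link text that looks like a domain must agree with where it really goes.
        m = re.search(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", text.lower())
        if m and not host_in(host, m.group()):
            findings.append((href, "text names %r but link goes to %r" % (m.group(), host)))
    return findings

# Constructed phishing-style message: the first link's host only *starts with*
# the real domain name; the second link is genuine.
SAMPLE_EMAIL = """<p>Urgent: your account has been hacked and the password requires resetting.
<a href="http://example-game.com.reset-now.example.net/login">example-game.com/login</a>
If you did not request this, visit <a href="https://support.example-game.com/">support</a>.</p>"""
```

Running `check_links(SAMPLE_EMAIL)` reports only the first link: its host merely begins with the real domain name, which is exactly the trick a quick glance misses.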

2. Same account passwords on other sites
Another method is to steal account credentials from other supporting websites, such as fan forums, which often have poor security. Such sites can have their entire databases stolen without the knowledge of their administrators, have hidden malicious scripts in posts which steal data from the PCs accessing them, or even have their data stolen and sold on by dodgy administrators.
ADVICE: Never use your Square Enix account and password combination on any other website or other online account ever.

3. PC Keylogger
Another method for stealing account credentials is via malware infection of a PC, typically involving the hidden installation of keylogging software. Keyloggers collect your credentials as you type them into the game's login screen or even into the official website, so even PS3 gamers aren't safe. The keyed data is then forwarded on covertly to the hacker.
ADVICE: Ensure anti-virus is installed, its definitions are kept updated and it is always running. Ensure your firewall is enabled. Avoid installing any additional unofficial plugins or tools for the game, especially tools which claim to give you an advantage in the game. Sometimes these tools and plugins act as Trojans: they provide their advertised function, but behind the scenes they steal your credentials and forward them on to the bad guys.

4. Use Square Enix’s one-time password system (two factor authentication)
This is by far the most effective way to protect your Final Fantasy XIV account: sign up to the Square Enix one-time password system.


There is the option of either purchasing a hardware token which generates a one-time password on its display (see picture), or a software token, namely a smartphone app which you install and which, like the hardware version, generates the required unique one-time passwords. You enter the generated one-time password as part of your login to the game. The security lies in the fact that you must have possession of your phone or hardware token to log in to the game, so even if someone has obtained your account username or email address and your password, they cannot log into your account. This proven authentication method has long been used by industry to protect accounts and online banking.
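To show what is going on inside such a token and the login server, here is an added worked example of a time-based one-time password (the RFC 6238 scheme most hardware and smartphone tokens use). It is not Square Enix's code and I am not claiming their system works exactly this way; the shared secret, salt, account record and timestamp are all constructed for the demo.

```python
"""Added example (not Square Enix's code): a time-based one-time password as
generated by a hardware or smartphone token and checked by the game's login
server. The shared secret, account record and timestamp are constructed."""
import hashlib
import hmac
import struct

STEP = 30                                 # seconds each code stays valid
SECRET = b"constructed-token-secret-0001"  # provisioned into the token at enrolment
SALT = b"constructed-salt"                 # for the stored password hash

def totp(secret, unix_time, digits=6):
    """The code the token displays for the 30-second step containing unix_time."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)

def verify_totp(secret, submitted, unix_time, window=1):
    """Server side: accept the current step plus/minus `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * STEP), submitted)
               for d in range(-window, window + 1))

def password_hash(password):
    """Slow salted hash for the stored password (the first factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100000)

# Constructed account record holding both factors.
ACCOUNT = {"user": "player1",
           "pw_hash": password_hash("correct-horse"),
           "otp_secret": SECRET}

def login(user, password, otp_code, now):
    """Both factors must pass: a password on its own, however it was obtained,
    is rejected without the code from the token the user physically holds."""
    if user != ACCOUNT["user"]:
        return False
    if not hmac.compare_digest(password_hash(password), ACCOUNT["pw_hash"]):
        return False
    return verify_totp(ACCOUNT["otp_secret"], otp_code, now)

if __name__ == "__main__":
    t = 1377694800                         # constructed fixed time so the demo repeats
    code = totp(SECRET, t)                 # what the token would show at that moment
    print("token shows", code)
    print("stolen password only:", login("player1", "correct-horse", "", t))
    print("password + token code:", login("player1", "correct-horse", code, t))
```

Because the code is derived from a secret that never leaves the token and the server, a harvested username and password gets an attacker no further than the second factor prompt.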

Wednesday, 21 August 2013

Why Manning had access to vast amounts of Classified Information

A hot topic of discussion amongst security professionals is the Bradley/Chelsea Manning case, the US soldier who was today sentenced to 35 years for leaking classified cable documents and media footage to WikiLeaks. The question security professionals are asking is how one person, seemingly at a lower rank, had access to so much classified information in the first place. Where was the ‘need to know’ access doctrine? And where were the information access controls?

The answer to these questions is simply 9/11. As a result of the soul searching in the aftermath of the terrorist attacks on the World Trade Centre and Pentagon in 2001, US politicians decreed that the military and the various security service agencies had a communication disconnect, and had failed to share vital information with each other which might have prevented the attacks, as concluded in post-9/11 reports such as The 9/11 Commission Report.
In the decade since 9/11, much of the ‘need to know’ basis for access was relaxed in the US military and across the US secret services, so information could be shared more freely. It would appear this relaxation on information sharing is what Manning exploited, allowing him (now her) to steal vast amounts of information from all and sundry.

The Manning case is not just an example of the rogue insider threat; it shows there is always an imperfect trade-off between risk/security and function, and the very same balancing act applies within business settings.

Thursday, 15 August 2013

Dealing with persistent web based harassment in the UK

Even in 2013 reporting internet crime to the UK police force is a hit and miss exercise, and is certainly more miss unless you are a celebrity, or report the crime in the right way.  Here is my advice on reporting continued (persistent) web based harassment.

If you are aged 16 and under, and are suffering from online harassment, you must tell your parents, teacher or legal guardian.

1. Identify your harasser
If you are subjected to weeks and months of persistent anonymous harassment over the web, 9 times out of 10 it will be by someone you know. You can work out who it is likely to be by examining the nature of the harassment: the type of language used, the subjects they harass you about, the websites they harass you on, and your own recent history of disagreeing and falling out with people are all clues to who your harasser is. They tend to be people likely to bear a grudge against you; ex-boyfriends are very typical. In some circumstances, once you have identified your harasser, you can confront them and put an end to the harassment. In some cases ending the attacker's online anonymity and bringing the issue into the real world is an effective end game.

2. Build an Evidence Journal
The next piece of advice is very simple to do yet important: keep a journal of all the harassment and bullying that happens to you. Log dates and times, and take screenshots of any messages you receive and anything posted about you. This journal not only provides clues in identifying your harasser, but it can be used down the line in police computer forensics investigations, and in court.

3. Secure your PCs, Laptops, Mobile Phones and Web accounts
Securing your online accounts and computing devices is vital to preventing your harasser from accessing your accounts and then using them to cause significant personal distress. You particularly need to prevent your harasser from accessing any of your email and social media accounts, so use best practice password management, strong unique passwords, and where possible strong authentication methods such as Google’s 2-Step Verification. See elsewhere in my blog and website for more detailed advice on this.

4. Reporting the Crime to UK Police

If the online harassment is persistent, report it to your local police, but do NOT report it as a cybercrime, internet crime or e-crime: report it as harassment. Then explain what has happened, who you think it is, and present the evidence you have collected in your journal. If you report it as an e-crime, you are more likely to be ignored by the police, but if you are female and report harassment by an ex-boyfriend, it goes without saying the police will be far more interested in helping you. Finally, if the police are of no help, check out some of the websites listed below for further advice, but my advice is to keep going back to the police with your evidence journal, especially if the harassment continues and is causing you distress.