<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-3798604115389836864</id><updated>2008-07-19T20:35:18.170+01:00</updated><title type='text'>IT Security Expert</title><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/index.htm'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default?start-index=26&amp;max-results=25'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>76</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-5046442741327819519</id><published>2008-07-09T20:13:00.005+01:00</published><updated>2008-07-09T21:21:23.215+01:00</updated><title type='text'>Security is a Process, not a Product</title><content type='html'>&lt;p class="MsoNormal"&gt;Back in the year 2000, I remember reading an article by Bruce Schneier (a security hero of mine) in which he said "Security is a Process, not a Product". Bruce talked about whether this would ever be understood. 
It really struck a chord with me at the time and I've been quoting Bruce saying that ever since in my own presentations. Well 8 years have gone by since I first read it, and Information Security has certainly come to the fore in that time, but Bruce's statement rings truer than ever.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;a href="http://www.schneier.com/crypto-gram-0005.html"&gt;http://www.schneier.com/crypto-gram-0005.html &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I don't want to come across as knocking the security industry because they do provide many great security products and services, but in the industry’s push to sell products and solutions, I think they are helping to drive the concept that the answer to all information security problems is to simply buy a product off the shelf.&lt;br /&gt;&lt;br /&gt;The number of times I've been at security events and conferences where the “punters” are repeatedly told, “buy our product and your security problem will go away overnight, but if you don’t buy, something nasty will definitely happen”. &lt;/p&gt;&lt;p class="MsoNormal"&gt;I have to say part of the problem is that the punters going out impulse buying “off the peg security products” tend not to understand what information security is about in the first place. Often they are looking to the security industry, and those pesky sales guys, for security advice. In fact the sales tactic is often to host a “free security advice/awareness” session to draw in the punters. I show up to some of these events to gauge where the market is and how threats are perceived to be moving, but it really makes me cringe at times, especially as the message is increasingly buy this and you will be secure! And it gets worse, as some companies are clearly jumping on the security bandwagon to make a quick buck. 
At InfoSec Europe this year, I heard one (so called) security organisation openly presenting about the PCI Data Security Standard to a bunch of folk who, gauging from their questions, really didn’t know anything about the standard other than it affected their business. This company was out and out misleading those listening, and it was clear to me the presenter didn’t even know the proper facts about PCI DSS. In fact I was so outraged by what I overheard, I stopped, blended in with the punters, and at the right moment asked a question about requirement 6.6 to deliberately trip them up. I asked “so which is best on requirement 6.6 in your expert opinion, a code review or an application firewall? and why?” – they didn’t have a clue; anyone knowing and working with PCI DSS would instantly know and understand the issue around Req. 6.6 in mid 2008.&lt;/p&gt;&lt;p class="MsoNormal"&gt;I think the answer for the “punters”, namely the organisations which, let's face it, are in many cases only just waking up to the issue of information security, is to train and invest in a security department and personnel. 
So they are correctly advised on the proper solution processes from the ground up, as well as to understand when and where they should buy products off the shelf to help reduce security risk along the way.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/07/security-is-process-not-product.html' title='Security is a Process, not a Product'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=5046442741327819519' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/5046442741327819519'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/5046442741327819519'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-6924775814141583467</id><published>2008-07-01T19:15:00.000+01:00</published><updated>2008-07-01T19:16:48.605+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NHS data protection breach'/><title type='text'>The NHS just doesn't "do" Information Security</title><content type='html'>I said this before, and I'll probably say it again a few more times, "The NHS just doesn't "do" Information Security".&lt;br /&gt;&lt;br /&gt;The latest in a catalogue of NHS breaches involved a Senior Manager who had his laptop stolen, but the laptop held over 21000 records of Essex patients.&lt;br /&gt;&lt;br /&gt;The same old problem with a laptop breach...&lt;br /&gt;&lt;br /&gt;1. 
No Hard Disk Encryption - Password Protection is almost no protection, it's very easy to bypass Windows passwords, pretty much anyone who can type into Google can manage to achieve it.&lt;br /&gt;2. Poor Information Management. We have a vast amount of Sensitive Data which has been allowed to be "copied" from a central IT system to a laptop.&lt;br /&gt;Should the Manager have access to that much information? Should he be allowed to export that much information from the host system? Probably not. Who else can access and take a copy of this data? What's to stop someone putting it onto a £6 flash drive?&lt;br /&gt;&lt;br /&gt;I have friends who work in the NHS; they tell me the NHS has no culture or awareness towards protecting the vast amount of personal and, let's face it, highly sensitive information which the NHS holds and processes. I'm not saying keeping people alive is less important than investing in information security, but that's the problem, a lack of investment (money), and that's why there will continue to be serious data breaches involving the NHS. 
But consider this, soon the NHS will be storing our DNA profiles on their systems as well...&lt;br /&gt;&lt;br /&gt;I'll finish on a positive note with this data breach, as I'm being far too negative lately: good for the NHS for disclosing and letting the people who are affected know in a decent time frame, well they had plenty of practice - right?</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/07/nhs-just-doesnt-do-information-security.html' title='The NHS just doesn&apos;t &quot;do&quot; Information Security'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=6924775814141583467' title='1 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6924775814141583467'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6924775814141583467'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-4089130253862347411</id><published>2008-06-19T19:30:00.000+01:00</published><updated>2008-06-19T19:33:57.029+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mod security breaches human element'/><title type='text'>Mod Data Breaches &amp; the Human Security Element</title><content type='html'>In the last few days we have seen a glut of data breaches by the Ministry of Defence and the UK Government, all involving employees leaving highly sensitive and top secret documents on trains. These documents included details about terrorists, wars and organised crime. 
When analysing these separate cases it is clear the documents in each breach should not have been removed from their secure environments by the employees in the first place, let alone left in a public environment.&lt;br /&gt;&lt;br /&gt;These breaches are the classic internal human data breach examples, and show that even the most security conscious bodies such as the Ministry of Defence are always struggling to deal with and contain the human security factor. Sooner or later in the process security tends to be reliant on a human being; it is extremely difficult, expensive and can also introduce highly inconvenient trade-offs to secure the human interaction, especially when it comes to preventing the removal of physical documents from a site. Even drilling security awareness into staff offers little guarantee, as there are always individuals who either don't grasp the importance of the message or share the organisation's appetite for taking risks. If you think about it, there are just some people in our society who are naturally big risk takers, I'm talking about those people who strap elastic bands to their feet and jump off cliffs, or that boy racer driving a Vauxhall Nova 1.0 who insists on barely overtaking you on a busy single carriageway in the face of oncoming traffic, and pretty much anyone who rides a 500cc+ motorcycle.&lt;br /&gt;&lt;br /&gt;Part of the security defence against the human element is having a deterrent, so in each of these recent cases we know the employee in question has been suspended (likely pending firing). I'm sure the deterrent in these organisations is well known: if you work for the MoD and are responsible for a serious data breach, I know your MoD career is pretty much over. 
But this only goes to prove a deterrent is not enough, as a deterrent can't actually physically prevent someone from making the decision and physically walking off site with the secret docs.&lt;br /&gt;&lt;br /&gt;There are always security measures that can be introduced to prevent these particular actions, such as restricting sensitive documents to a need to know basis, but we must accept taking risks and bad judgement is just part of the human condition, and will always be an unsolvable security problem facing any organisation, because you simply cannot take the human element out of the equation and there is always a point when applying security measures where cost and trade-offs become too great.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/06/mod-data-breaches-human-security.html' title='Mod Data Breaches &amp; the Human Security Element'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=4089130253862347411' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/4089130253862347411'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/4089130253862347411'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-4740339348913582434</id><published>2008-06-11T20:33:00.001+01:00</published><updated>2008-06-11T20:33:00.564+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cotton traders pci dss data breach'/><title type='text'>Cotton Traders: Where’s the PCI DSS Compliance?</title><content type='html'>A couple of days ago a 
Manchester online clothing business, Cotton Traders, announced a data breach, which was brought about by a web application level "hack" on their website. The breach resulted in the compromise of customer personal details and credit card details. The Cotton Traders data breach underlines two significant issues in the UK: one is the lack of UK breach disclosure laws, and the other is that companies are still avoiding or ignoring PCI DSS Compliance.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Lack of Disclosure&lt;/strong&gt;&lt;br /&gt;Although the breach was announced yesterday, the breach actually occurred way back in January 2008, and was supposed to be fixed in a matter of hours, so there was no reason to keep it from the public right after the breach occurred. That’s 6 months after the breach that it was announced to the public; don't we have a right to know? What’s more there has been a lot of smoke and mirrors about this data breach: in one statement 38,000 credit card details were stolen, in another statement it was just one credit card, then in another it was only customer names and addresses. This is pretty bad considering they had six months to figure out what went on and how; why can't they provide the clear facts of the matter? The upshot is the public can’t be certain what data (especially if it is their own) was compromised.&lt;br /&gt;&lt;br /&gt;Furthermore there are no actual details of the cause of the breach; although it does appear to be an attack at the web application layer, I'd wager it was an SQL Injection attack. Whatever the type of the successful web application attack was, the real cause of the breach is not just the hacker, but it was Cotton Trader’s bad web application (web site) code and/or poor web site hosting. 
Think about it, if you left your windows open on your house before going on a two week holiday and then returned to find it burgled, you’d rightly blame yourself for not taking the security of your home seriously enough; the same applies to companies writing web application code and hosting web applications.&lt;br /&gt;&lt;br /&gt;Another example of the smoke and mirrors is Cotton Traders stating “all of its customers' credit card information was encrypted on the website”, which is misleading, as this web application breach is not about the web site using session encryption (https), but whether the card details are encrypted on the backend database, and the specific type of encryption employed on the card storage and the process around it (key management). Far too often companies think they can use “it was encrypted” as kind of a get out of jail card, without telling the public what the actual details around the encryption used were. &lt;strong&gt;Encryption is not the magic security bullet!&lt;/strong&gt; For example using an https (encrypted) web session offers very little protection against a web application level attack, which is against the web site code and the backend database.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;PCI DSS Compliance&lt;/strong&gt;&lt;br /&gt;Cotton Traders have said nothing about whether they were/are Payment Card Industry Data Security Standard (PCI DSS) Compliant. 
Any company which takes card payments online in the way Cotton Traders do must be PCI DSS Compliant, which came into force from June 2007. I have to assume Cotton Traders were not compliant at the time of the attack. Why? Well if they were I'm sure they would have stated that fact, and in such circumstances they would rightly have hidden behind PCI DSS and blamed the PCI standard. Also if Cotton Traders were PCI DSS compliant the chance of a web application attack being successful would be very small. Why? 
Well PCI DSS compliance requires an annual web application penetration test and a web application code review/web app firewall, which, when used and acted upon, significantly reduces the risk of hacking vulnerabilities at the web application layer.&lt;br /&gt;&lt;br /&gt;I don't know the facts about this breach because they haven't been disclosed, but if Cotton Traders were not PCI DSS Compliant, then many PCI experts would say they were being negligent.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Hacking Trends&lt;/strong&gt;&lt;br /&gt;The major big ecommerce operators are fully wise to web application security and operate in a secure professional manner, and are PCI DSS compliant. 
Because of this the hackers are targeting the lower hanging fruit, which are the smaller ecommerce companies like Cotton Traders; some of these don't understand the importance of public facing web site security and the significance of PCI DSS, and will be subject to these types of attacks and breaches.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/06/cotton-traders-wheres-pci-dss.html' title='Cotton Traders: Where’s the PCI DSS Compliance?'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=4740339348913582434' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/4740339348913582434'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/4740339348913582434'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-8870100766732283688</id><published>2008-06-02T21:30:00.000+01:00</published><updated>2008-06-02T21:29:48.416+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='uk privacy is dead electoral roll identity theft credit card fraud bt phone book bbc news'/><title type='text'>Why UK Privacy is Dead</title><content type='html'>I can’t recall who originally coined the expression “Privacy is Dead”, but whoever it 
was, I have to say that I agree. A couple of months back I was speaking about companies and the UK government protecting personal data on BBC News 24, when in a typical BBC newsreader style I was put on the spot and asked “…but isn’t this information you say needs protecting available in the phone book anyway?” This is true; even if you made the effort to go ex-directory and de-list from the public phone book, your name and address (given a rough geographic location) can still be easily found online, because Privacy in the UK is Dead, and let's be honest, it was never really alive in the first place.&lt;br /&gt;&lt;br /&gt;Part of the problem is very simple: when it comes to personal privacy, generally the default stance and settings for privacy are to have it “disabled”. Why? Well the online world and the information age is all about sharing information, and these days many companies are making money out of this information sharing. So in today’s information world it is very much up to the individual to ensure their personal privacy is being protected, yet this in itself can be a real trauma; even banks don’t play ball, don’t believe me? Then close your bank account and try ensuring the bank removes all of your personal details from their systems, here's a tip, use the Freedom of Information Act to check what they are still holding about you post closure. And have you ever tried permanently removing your profile from social networking sites like Facebook?&lt;br /&gt;&lt;br /&gt;Going back to the BBC Newsreader question, let’s take “going ex-directory” with British Telecom, which basically means BT will remove your name, address and phone number from the publicly printed and distributed phone book, as well as from their online phone book, called “The Phone Book”. Is there any information within BT’s “The Phone Book” web site or even within the BT web site’s privacy statement about how a member of the public can de-list their private details? No! 
Even if you search the main BT website for the terms “ex-directory” or “x-directory”, no results are returned. To go ex-directory you have to phone BT through their general enquiry number, and then specifically ask to go ex-directory. Could it be that it is not in BT’s interest to encourage private citizens to ensure their private details aren’t placed in the public domain, because BT make so much money out of the advertising on their phone book web site and within the publicly printed edition, which is circulated nationwide? Yet it is generally accepted that unless you ask to opt out, your name, address and phone number will be in there. Make no mistake, the BT Phone Book is one of a number of “free” online tools which UK and overseas identity thieves make use of today.&lt;br /&gt;&lt;br /&gt;It’s not just private companies that are at fault either; take the UK government, who are responsible for managing the country’s electoral roll. Again the individual has to tick the box to ensure their full personal details aren’t placed online; these details include not only your name and full home address, but your children’s names as well, and all are placed into a publicly accessible and unmonitored database, which is fully searchable online from anywhere on the planet, and is even printed and stored at your local library. Ever wondered where those marketing mail shots and Indian cold calls in the middle of the night are obtaining your details from? The online electoral roll, yet another popular “free” tool used by identity thieves. Just in case you forgot or missed that tick box, I’ll provide full details on how to opt out at the bottom of this post. 
But even if you do tick that “privacy” box, guess what, your personal details can still be easily found online for just a small fee.&lt;br /&gt;&lt;br /&gt;Then there are the social networking web sites; most of them have privacy switched off by default when you sign up, well that's how they make their money, by exploiting personal information to direct marketing advertisements. Still too many users don't realise the information they are sharing with the world and with marketing groups; shouldn't they be protected from themselves by setting privacy on by default? Hell even Xbox Live has privacy settings now, again switched off by default.&lt;br /&gt;&lt;br /&gt;The lack of privacy of personal information makes life so much easier for identity thieves and fraudsters. Let's say you dropped your bank debit card in the street, which often holds your bank account number and sort code as well as your name. A bad guy finds your card in a street in “X Town”; he can search the “X Town” electoral roll using your name as a guide, from which he can gain your full address and phone number. Then just a few more clicks away the bad guy can build up a frightening profile on you, all based on information which is relatively easy to find. We are talking information like your mother’s maiden name, your date of birth, the place of your birth and even the schools you attended as a child. Why is this sort of thing important? Well think about the typical security questions you are asked when accessing sensitive accounts or resetting passwords….”Can you confirm the first line of your address?”…”What’s your post code?”….”What’s the first school you attended?”…”What’s your place of birth?”…”What’s your mother’s maiden name?”…”What’s your date of birth?”…and it’s amazing how many people use their children’s names as a verbal password! 
Another even more sinister side of the coin is that this information is enough to steal your identity, and to go on to obtain all sorts of credit and products in your name.&lt;br /&gt;&lt;br /&gt;What’s worse, you don’t need to be a hacker or some kind of fraud expert, it only takes a few minutes, as all this information can be effortlessly gained from the Internet. Furthermore once you have a profile, it’s very easy to obtain fake yet genuine looking documentation to back up the identity theft, from gas bills to fake drivers licenses complete with a picture, even passports and national insurance numbers, all can be purchased online. (Before anyone asks I’m not going to post how or any links). So small wonder Identity Theft is the UK’s fastest growing crime.&lt;br /&gt;&lt;br /&gt;So that’s the problem; the answer is to secure all private information, but it’s too late, the horse has well and truly bolted, so privacy is indeed very dead. But surely more can be done, so how about trying to turn the tide? It’s down to the Information Commissioner and UK Government to tighten up in this area and perhaps pass a few laws and actually crack down. Never mind them complaining about the private sector, UK government departments should focus on getting their own house in order first, starting with properly protecting the electoral roll information. Another such issue I haven't mentioned yet is that it is fairly easy to "con" a full list of an area's electoral roll through the proper channels, probably best not to elaborate too much about that one.&lt;br /&gt;&lt;br /&gt;What can we do now apart from whinge at the powers that be? Well there are some good services out there which can help reduce your "privacy footprint". These include the Mail Preference Service (MPS) to stop junk mail (mail shots) and the TPS (Telephone Preference Service). 
I have several friends who use both these services; give them a month or two to kick in and they will reduce the amount of junk mail and cold calls, however in recent months I've noticed an increasing trend in the number of international (usually of an Indian origin) cold calls despite the TPS service.&lt;br /&gt;&lt;br /&gt;To remove your records from all Direct Marketing databases and prevent companies sending unwanted mail or making unwanted telephone calls to you, you can register with the &lt;a href="http://www.mpsonline.org.uk/mpsr/"&gt;MPS (Mail Preference Service)&lt;/a&gt; and &lt;a href="http://www.tpsonline.org.uk/tps/"&gt;TPS (Telephone Preference Service)&lt;/a&gt; databases, which are maintained by the DMA.&lt;br /&gt;&lt;br /&gt;Once registered it is an offence for a company to contact you unsolicited (with a fine of £5,000).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Mailing Preference Service (MPS)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Mailing Preference Service (MPS)&lt;br /&gt;DMA House&lt;br /&gt;70 Margaret Street&lt;br /&gt;London&lt;br /&gt;W1W 8SS&lt;br /&gt;&lt;br /&gt;MPS Registration line: 0845 703 4599 Tel: 020 7291 3310 Fax: 020 7323 4226&lt;br /&gt;E-mail: &lt;a href="mailto:mps@dma.org.uk"&gt;mps@dma.org.uk&lt;/a&gt; Web: &lt;a href="http://www.mpsonline.org.uk/"&gt;http://www.mpsonline.org.uk/&lt;/a&gt;&lt;br /&gt;Licence Department: 020 7291 3327&lt;br /&gt;Complaints Department: 020 7291 3321&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Telephone Preference Service (TPS)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Telephone Preference Service (TPS)&lt;br /&gt;DMA House&lt;br /&gt;70 Margaret Street&lt;br /&gt;London W1W 8SS&lt;br /&gt;&lt;br /&gt;TPS Registration line: 0845 070 0707 Tel: 020 7291 3320 Fax: 020 7323 4226&lt;br /&gt;E-mail: &lt;a href="mailto:tps@dma.org.uk"&gt;tps@dma.org.uk&lt;/a&gt; Web: &lt;a href="http://www.tpsonline.org.uk/"&gt;http://www.tpsonline.org.uk/&lt;/a&gt;&lt;br /&gt;Licence Department: 020 7291 3326&lt;br /&gt;Complaints Department: 020 7291 3323&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Removal from 192.com (Online electoral roll)&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.192.com/general/electoralroll.cfm#Request.App.BaseURL#/support/downloads/C01.pdf#Request.App.BaseURL#/support/downloads/C01.pdf"&gt;download a CO1 form&lt;/a&gt; or write to 192.com by post and request removal of your details:&lt;br /&gt;&lt;br /&gt;The CO1 Requests Administrator&lt;br /&gt;I-CD Publishing (UK) Limited&lt;br /&gt;8-10 Quayside Lodge&lt;br /&gt;London&lt;br /&gt;SW6 2UZ&lt;br /&gt;&lt;br /&gt;By fax: 0906 34 34 192 (calls cost £1.50/min)</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/06/why-uk-privacy-is-dead.html' title='Why UK Privacy is Dead'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=8870100766732283688' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/8870100766732283688'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/8870100766732283688'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-9134400791911053017</id><published>2008-05-12T19:57:00.000+01:00</published><updated>2008-05-12T19:57:00.774+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Web app application security watchfire ibm rational tutorial developerworks'/><title type='text'>Web Application Security: AppScan Tutorial</title><content type='html'>Recently I was approached to write a security tutorial for the IBM developerWorks 
website, specifically about IBM Rational AppScan. AppScan is the leading commercial Web Application (and infrastructure) vulnerability scanning tool, which IBM acquired from WatchFire last year. I ended up writing a fairly lengthy tutorial, 7000 words plus, which goes to explain why my blog entries have been relatively sparse in recent weeks.&lt;br /&gt;&lt;br /&gt;The tutorial, called “&lt;em&gt;Create secure Java applications productively, Part 2&lt;/em&gt;”, has been uploaded on the IBM developerWorks website.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ibm.com/developerworks/edu/r-dw-r-appscan2.html"&gt;http://www.ibm.com/developerworks/edu/r-dw-r-appscan2.html&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Or you may download a copy directly from here: &lt;a href="http://www.itsecurityexpert.co.uk/downloads/r-appscan2-pdf.pdf"&gt;r-appscan2-pdf.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The tutorial follows on from an initial tutorial, which involved the creation of an Internet facing Java Web Application using IBM Rational Application Developer and Data Studio. To briefly sum up my tutorial, there is a Web Application Security overview, how to install AppScan, how to configure a scan, interpreting the scan results, fixing web vulnerabilities and producing reports.&lt;br /&gt;&lt;br /&gt;The importance of using a tool like AppScan to test and check web applications becomes clear when you consider the increasing number of attacks and actual data breaches occurring at the web application layer, as opposed to the traditional attacks at the network layer. 
For instance, today I find most people I speak with have now heard of Web Application vulnerability terms like Cross Site Scripting (XSS) and SQL Injection attacks, as opposed to the situation a couple of years back, yet still these sorts of issues aren't being tested for or resolved by web app developers.&lt;br /&gt;&lt;br /&gt;In recent times there has been an explosion of web applications (yes, the so-called Web 2.0, go on, I said it!), with many organisations taking advantage of writing web applications not only to save a bundle on development cost, but so their applications can be placed on the Internet to meet an increased demand for sharing and accessing information.&lt;br /&gt;&lt;br /&gt;If you are producing an Internet based web application which processes or holds sensitive information, you have a duty of care to ensure your web application is properly tested against as many security vulnerabilities as possible during the development cycle. Although a product like AppScan can never guarantee 100% security (BTW nothing can!), in my view it can significantly reduce the number of web application vulnerabilities within the final web application code and thus reduce the risk of the web application and its information being exploited.&lt;br /&gt;&lt;br /&gt;If you are interested in Web Application Security, read the first section of the tutorial or visit websites such as &lt;a href="http://www.owasp.org/"&gt;http://www.owasp.org/&lt;/a&gt; or &lt;a href="http://www.webappsec.org/"&gt;http://www.webappsec.org&lt;/a&gt;</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/05/web-application-security-appscan.html' title='Web Application Security: AppScan Tutorial'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=9134400791911053017' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' 
title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/9134400791911053017'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/9134400791911053017'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-3608040958621559327</id><published>2008-04-24T19:45:00.003+01:00</published><updated>2008-04-25T02:14:52.247+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='infosecurity bruce Schneier isc2 cissp security'/><title type='text'>The Day I met Bruce Schneier at InfoSecurity Europe ‘08</title><content type='html'>No matter the profession or walk of life we are all in, we all have our heroes and mentors; for some it is the likes of Einstein, Winston Churchill, Lance Armstrong, Tiger Woods or Richard Branson, for others it’s Elvis or Amy Winehouse. For me it’s Bruce Schneier, who first made a name for himself as a prominent cryptography expert in the 1960s and in recent times has evolved into a fresh and forward thinking security guru. Sure, this proves that I’m a geek, but those who have ever read any of Schneier’s recent books or blog entries, or heard him speak, will understand where I’m coming from.&lt;br /&gt;&lt;br /&gt;I can’t say I agree with absolutely everything Bruce says, but what grabs me is his unique approach, perspective and understanding of security and the information security industry. Bruce takes a large step back, then cuts out all the politics, security company marketing and associated sales hype, at which point you are left with the bare bones and the questions on what security is really supposed to be about. 
Which is: what do you want to protect, what are the risks, how will the security solution mitigate those risks, what risks does the security solution introduce, and finally what are the costs, inconvenience and trade-offs of the security solution that mitigates the original risk?&lt;br /&gt;&lt;br /&gt;As a security professional you have to be careful not to fall into the trap of tunnel vision in chasing perfect security and zero risk, because there is simply no such thing as perfect security and zero risk! Then the other side of this coin is to ensure the security is appropriate for the risk, making sure the security cost and trade-offs are viable against mitigating the actual risk of attack. Let me take a “real world” UK example; I’m sure someone may have raised this one before, but in order to reduce the risk of another London Underground bombing, we could impose a security counter measure of searching all passengers and their bags prior to them entering the system, like we do at airports. It might reduce the risk of attack, but when thinking about the trade-offs, which are huge passenger inconvenience and high costs in employing extra staff to carry out all the searches, does this make it a worthwhile security solution in relation to the risk? The rational answer is clearly no, as it’s just not viable, and so we continue to accept this risk of terrorist attack. 
OK, let’s say we went with that security solution; at the end of the day there would still be a risk of terrorist attack on the London Underground, and the only real way to completely mitigate that is to completely shut down the underground system!&lt;br /&gt;With business IT Security the same approach should apply. Sure, there are areas of law and industry compliance which must always be followed, but when dealing with security problems outside these areas, I always try to emulate that great Schneier vision: take that step back, making sure the business trade-offs and costs are balanced against the attack risk. It’s not always that easy; the real difficulty is in quantifying the elements, especially the attack risk. Fortunately for me, I utilise some of my own methods and practices which I have built up over the years to mitigate typical business risks, while causing minimal security trade-offs and cost.&lt;br /&gt;&lt;br /&gt;Anyway, yesterday I attended InfoSecurity Europe, and I was chuffed to pieces, as not only did I get to listen to Bruce Schneier talk about the Security Industry, but I got to briefly meet him and I got a signed copy of his latest book, Beyond Fear, which is a must read not only for Security Professionals, but for anyone in general who wants to understand what security is about without knowing any of the technical jargon. I also recommend signing up to the Crypto-Gram newsletter run by Bruce at &lt;a href="http://schneier.com/"&gt;http://schneier.com/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;After the doors shut at InfoSecurity, (ISC)2 EMEA held an event which I attended. From my perspective as a CISSP member, I have to say EMEA (ISC)2 is progressing well under the leadership of John Colley; the event itself is evidence of this. Amongst the (ISC)2 bigwigs at this event was former White House Cyber Security Advisor and (ISC)2 Security Strategist Prof. Howard A. 
Schmidt, who was also a keynote speaker at InfoSecurity Europe, again another guy who I can listen to all day. &lt;a href="http://www.isc2.org/"&gt;http://www.isc2.org/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Finally I met several guys from the UK Chapter of the ISSA (Information Systems Security Association); I promised that I would sign up and get involved after learning that they were planning more events in northern England. &lt;a href="http://www.issa-uk.org/"&gt;http://www.issa-uk.org/&lt;/a&gt;</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/04/day-i-met-bruce-schneider-at.html' title='The Day I met Bruce Schneier at InfoSecurity Europe ‘08'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=3608040958621559327' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/3608040958621559327'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/3608040958621559327'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-3141887833090954267</id><published>2008-03-25T22:04:00.001Z</published><updated>2008-03-25T22:04:14.032Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='microsoft xbox 360 live hacking hacker wow credit card payment PCI'/><title type='text'>Xbox Live Security Q&amp;A</title><content type='html'>Online gaming is booming at the moment, and judging by the types and number of security related questions I am asked by online gamers, I think there may well be some issues to be raised and addressed. 
On the face of it, gamers’ accounts hold personal information, and often their payment details, such as bank or credit card details. And then there’s the odd mythical online object, which can actually have a real value in the real world, so the stakes are high enough for concern.&lt;br /&gt;&lt;br /&gt;In this post I’ll focus on Microsoft’s Xbox Live service; I’ll deal with World of Warcraft security issues another time, believe me that could be an even longer post than this one. So, I am often asked about the security of the Xbox 360 console and the Xbox Live (XBL) service. Typically whether XBL accounts and Gamertags can be hacked, what the privacy issues are, and one of the most common concerns involves the management of payment card details, especially when it comes to users trying to remove their payment card details held within their Xbox Live account.&lt;br /&gt;&lt;br /&gt;Before I go into answering some of the questions posed, let me make it clear: I do not work for Microsoft nor do I have any inside knowledge about Xbox Live.&lt;br /&gt;&lt;div&gt;&lt;div&gt;&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://blog.itsecurityexpert.co.uk/uploaded_images/xbox-live-marketplace-guide-764064.jpg" border="0" /&gt; Q. “Are my credit card details stored on the Xbox 360 console?” - The answer is no, credit card details aren’t held on the Xbox 360 hard disk nor on the memory card; they are actually held on the backend Microsoft Xbox Live servers. The proof of this is that you simply cannot access your Xbox Live account management screen without your console being signed into the Xbox Live service, let alone manage your account payment card options.&lt;br /&gt;&lt;br /&gt;Q. 
“I’ve sold my Xbox 360…”, “I’ve had my 360 stolen…”, “I’ve changed my credit card…”, “…How do I remove my credit card details from my Xbox Live account?” – You cannot remove any credit card details associated with your Xbox Live account through the console account management, or by signing into your XBL account management on &lt;a href="http://www.xbox.com/"&gt;http://www.xbox.com/&lt;/a&gt;, and in my view this is an utter disgrace, but more on that later. The only way you can remove your payment card details is to phone Microsoft support, prove who you are, ironically probably by reading out your payment card details, and then wait up to 30 days!!! &lt;/div&gt;&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://blog.itsecurityexpert.co.uk/uploaded_images/x360-09-776862.jpg" border="0" /&gt;&lt;br /&gt;&lt;div&gt;Q. “What can happen if someone were to take over my Xbox Live account?” “I’ve had my Xbox 360 stolen, and I had set up my credit card details to pay for my monthly subscription, so can they steal my card details as well?” - First let me provide an assurance over the credit card theft question, should your XBL account or Xbox 360 itself be stolen. Within the Xbox Live account management, your credit cards are displayed in a “Payment Card Industry” compliant manner, in that only the last four digits of the card number (aka the PAN) are ever displayed; there is no way of accessing the full number from the system, therefore your saved payment card information cannot be stolen and used elsewhere. However it is possible to spend against your credit card, by purchasing Microsoft Points (XBL currency) and purchasing subscriptions to the Xbox Live service, so it is certainly an important aspect to be aware of, and I certainly recommend you ensure your payment card details are removed should your circumstances dictate. 
Remember, the only way to remove those card details is to phone Microsoft Xbox 360 Support, prove who you are and then wait.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;strong&gt;Up to 30 Days to Remove Your Credit Card Details from Xbox Live!&lt;/strong&gt;&lt;br /&gt;On that, you can add full credit card details, in fact you can add as many credit cards as you like, either via the 360 console or through xbox.com, so I do not see any security reason why Microsoft prevents users from removing “their own” credit cards using the same method. I have used many e-commerce websites which had retained my payment card details within an online account; every one of those online account management systems allowed me, the end user, to remove my payment card details at will, directly, without the need to phone support.&lt;br /&gt;&lt;br /&gt;Q. “I've read reports about Xbox 360 accounts being hacked and stolen”, “I’ve been threatened with being hacked a couple of times while playing online, can my account be hacked?” - I read the same reports as well; recently there was one about celebrity Xbox Live accounts being hacked and taken over.&lt;br /&gt;&lt;br /&gt;I think "hacked" is probably the wrong term, as it would appear the attackers are probably just social engineering the Xbox Live Support staff, perhaps using a bit of "Google hacking" to build up a profile in order to impersonate the original account holder, in order to have the target XBL account password reset. Unfortunately if you are famous your address and date of birth etc. are fairly easy to obtain; in fact there have been many cases of famous people being victims of identity theft. However I’m sure (hope) Microsoft would have tightened up their helpdesk security procedures, specifically where account holders need to prove their identity over the phone. 
Tightening of security processes tends to occur following high profile data breaches in similar circumstances, apart from within government departments of course.&lt;br /&gt;&lt;br /&gt;The bad guys could also target the Xbox account holder directly and social engineer their password and account details. One such method would be to use a phishing Email, “This is Xbox Live Security - please confirm your XBL password…”, or perhaps even using the Microsoft Passport to lure that id and password out of the target, as most 360 users link their Windows Live Messenger account to their XBL id.&lt;br /&gt;&lt;br /&gt;Either way, I don’t think Xbox Live accounts are being hacked in the traditional sense of the word, however if anyone knows different, I’d be very interested to hear about it. &lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Q. “Is it true I can get banned from Xbox Live if I "chip" my Xbox 360 to play “backed up” copies of games?” - Yes it’s true, chip your 360 and go online and you can expect to see the following message...&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://blog.itsecurityexpert.co.uk/uploaded_images/modified-xbox-banned-772917.jpg" border="0" /&gt;&lt;/div&gt;&lt;div&gt;Q. "Is there a security reason why Xbox Live doesn't have a web browser?" - Yes, I believe security is the reason Xbox Live doesn't have any web browsing capabilities, as Xbox Live is a fairly closed network from the Internet. Having a web browser leads to the possibility of malware being installed on the Xbox 360 (which is basically a PC!), account details being phished/stolen, even Xbox viruses, etc. Having said that, I wouldn't be over surprised to see a web browser being released in the future, as competitor game consoles seem to be offering them. 
&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Microsoft are making moves to open the service up more, as I think there is an agenda to make Xbox Live more like the social networking sites. At the end of the day, most gamers don't care too much about where the service is going and web browsing capability, as long as all the extra interface software and other extras don't slow down their overall online gaming experience. As an online gaming platform, Xbox Live is second to none at the moment, and this is now its main advantage in its marketplace, so let's hope they steer well clear of messing it up too much; you know what I always say, if it works, don't try to fix it!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;Q. “How come everyone can see my friends list, that’s an invasion of my privacy” – You are right, following a recent update to Xbox Live, the system by default now allows all XBL users to view your friends list, which concerns some people. You can disable this functionality and address other XBL privacy issues by editing privacy settings either through the console or on the Xbox website. For instance you can set it so only your friends can see your friends list, or no one at all.&lt;br /&gt;&lt;br /&gt;It really bugs me that Microsoft are employing the same old social networking website tactic of leaving privacy switched off by default, which is concerning as Xbox Live is going down the road of social networking more and more. In my view privacy settings must always be fully enabled by default, so the user takes full ownership for disabling privacy settings and therefore acknowledges the settings and is ultimately responsible for any consequences that follow. 
&lt;/div&gt;&lt;/div&gt;</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/03/xbox-live-security-q.html' title='Xbox Live Security Q&amp;A'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=3141887833090954267' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/3141887833090954267'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/3141887833090954267'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-8446345933720440205</id><published>2008-03-18T07:48:00.001Z</published><updated>2008-03-18T13:02:43.770Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='phorm privacy adware spyware bbc'/><title type='text'>It’s just bad, Phorm</title><content type='html'>&lt;p&gt;Internet privacy controversy is in the air at the moment, as advertising company Phorm are engaged on a PR campaign to gain acceptance of their new method of Internet advertising, which they plan to roll out at the ISP level with BT, Virgin Media and TalkTalk. In fact today I will be speaking on BBC Radio Coventry and Warwickshire about this very subject.&lt;br /&gt;&lt;br /&gt;Who are Phorm? Well, they are an “adware” company formerly known as 121Media. They were responsible for the “PeopleOnPage” desktop adware application, which gathered information about the host PC and recorded which web sites were visited by the user, before passing this information on to a third party server, in order to direct specific pop-up advertisements. 
In fact security company F-Secure regarded their app as Spyware; whether it is labelled officially as Adware or Spyware doesn't really matter to me, as I believe such software is an unnecessary nuisance and any company behind duping users into installing it on their PCs should be viewed with utter scorn.&lt;br /&gt;&lt;br /&gt;Enough of the history of Phorm and back to the present, although what Phorm are proposing is really the same sort of thing as their “PeopleOnPage” adware, but at an ISP level. Everything you do on the Internet passes through your ISP: website visits, Email and even the search text you submit on search engines. Phorm plan to collect all individual http traffic within the ISP, including those search engine searches, profile the information based on keywords, then use the profile to direct specific web adverts within websites signed up to Phorm advertising. So let’s say I search for “fast cars” and visited several car based websites; the Phorm software running at the ISP would recognise me, or I should say technically my computer via a Phorm cookie, as being interested in “cars” and direct car advertising within any websites I browsed which used the Phorm advertising.&lt;/p&gt;&lt;p&gt;What could be interesting is if, let’s say, I were to let my missus browse the Internet on my shared PC account; when I came to use it I’d probably get bombarded with adverts for shoes and handbags! &lt;/p&gt;&lt;p&gt;Why are Phorm and ISPs eager to get this advertising introduced? 
The answer is clearly money. Phorm can charge higher click-through rates on their adverts because of the higher chance that someone will click through and buy the end product, and the ISPs are interested as they will also take a cut of the cash, unlike traditional internet advertising, which has made millions for website providers like Google and MySpace.&lt;br /&gt;&lt;br /&gt;So the big controversy is this: this is occurring within the ISP, and specifically whether our ISPs should be exploiting our “private” Internet usage for profit. Some consider this practice a direct violation of our privacy rights. Phorm and the ISPs signing up say users will be able to opt out, but they don’t say whether everyone will be opted out or in automatically by default. I strongly suspect everyone will be opted in as a matter of course; here’s why. If you were to ask the users to opt in to this form of advertising, I’m pretty sure just about everyone would say no thank you! Which for me answers the question of whether this is a good idea or not; in fact I’ve seen one Virgin forum (cableforum.co.uk) poll that stated 95% of users would want to opt out. I’ve also heard that if Phorm don’t have millions of users signed up, the whole system would not be viable, so we can be pretty sure everyone will be signed up by default.&lt;br /&gt;&lt;br /&gt;It’s worth remembering that search engines track what we search for, and just about all web sites track our visits, through cookies and even by our IP address and what we do on the website. Websites like Amazon use profiling within the scope of their website to direct items of interest to us. And most of us use supermarket club cards and store cards, which also track our shopping habits. But for me there is a clear difference: all of these are in the form of “in house” profiling, rather than tracking everything we might do on the open Internet. 
I think this form of advertising is a step too far, and at the end of the day we pay for an ISP provided service; our searches and website visits are information created by us, and ISPs should not be exploiting this information for extra profit by helping to direct advertising at us. The only way I see the Phorm proposal being an acceptable practice would be if an ISP were to offer free ADSL in conjunction with the Phorm ISP advertisement profiling.&lt;/p&gt;&lt;p&gt;Finally I have to ask whether this form of advertising is really needed anyway; what’s wrong with sticking advertisements for cars on car themed websites and the latest computer game advertised on gaming websites? Do we really need to profile people’s internet usage in order to target the advertising at them?&lt;/p&gt;</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/03/its-just-bad-phorm.html' title='It’s just bad, Phorm'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=8446345933720440205' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/8446345933720440205'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/8446345933720440205'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-7617953983037425144</id><published>2008-03-07T00:55:00.004Z</published><updated>2008-03-07T01:16:37.659Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='hard disk shredding recovery story'/><title type='text'>A Hard Disk Shredding Story</title><content type='html'>These 
days most people think nothing of donating their old unwanted PCs to noble and worthy causes such as their local school or charities, or they do the “green thing” by sending their PCs to be recycled at their local rubbish tip or at the supermarket. This is all great and dandy, however I find more often than not personal data security is completely overlooked. So I’m going to explain these pitfalls in the form of a story…&lt;br /&gt;&lt;br /&gt;Once upon a time there were three blokes, John, Colin and James, who won a regional pub quiz championship sponsored by a major computer manufacturer; each of them won a powerful super quick Windows Vista PC. The next day all three transferred their personal data from their old dilapidated PCs to their spanking new computers and then decided to do the “green thing” and drop off their old PCs at the local supermarket for recycling, or charity donation if suitable.&lt;br /&gt;&lt;br /&gt;John went through his old PC and very carefully deleted all his personal data files and Email accounts, thinking it would be really useful to leave the Operating System intact so the PC could be instantly usable should it end up being picked up by a charity. Colin prided himself on being a bit of a techie, so decided to play it safe and formatted the hard drive. Meanwhile James, not being so technically minded, removed the hard drive from his old PC and smashed it into pieces with a sledgehammer, before dropping off his PC at the supermarket computer recycling container.&lt;br /&gt;&lt;br /&gt;Several months had passed and all three had met up for their usual drink and quiz at their local pub. Colin asked how the other two were getting on with their new PCs. John almost choked on his pint and went on to explain that he recently had fraud committed against his credit card, and was now really worried he could become an identity theft victim, all thanks to the new PC. 
It transpired that when he carefully removed his personal data files, he failed to remove his internet cache and history, so when his old PC ended up being used in an inner city youth hostel, the little angels were able to automatically log into several of his online accounts, and they attempted to purchase items and completely messed up his social networking site profiles. Colin smugly told John, “I told you you should have formatted your hard drive”, before going on to laugh at James for being over the top with his hard disk smashing up.&lt;br /&gt;&lt;br /&gt;Another month went by and all three met up at their local pub once again. But Colin wasn’t so smug this time, as he was in dispute with his bank after large sums of money had been removed from his account without his knowledge. It transpired his old PC was picked up by a charity and was sent to West Africa. While in West Africa fraudsters ran a data recovery tool against the formatted hard drive and were able to recover 90% of Colin’s personal data files, which included his password document, which detailed the login details to Colin’s online banking. Needless to say James “the sledgehammer” got the rounds in and had the last laugh.&lt;br /&gt;&lt;br /&gt;&lt;p align="center"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/sledge-744777.JPG"&gt;&lt;img style="CURSOR: hand" alt="" src="http://blog.itsecurityexpert.co.uk/uploaded_images/sledge-744772.JPG" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;Taking a sledgehammer to a hard disk does do the job, but there is a less dramatic alternative for protecting your personal information before disposing of your old computer, which is to use a hard disk shredding tool. A hard disk shredding tool is a software application which can overwrite the entire hard disk with either 0s, 1s, or random characters. Each complete overwrite of the hard disk is known as a pass; the more passes it does, the less likely the original data can be recovered. 
The commonly quoted minimum is three passes, and most professional organisations go with the 7-pass scheme usually attributed to the US Department of Defense, which in my view is more than sufficient. In practice a single complete overwrite is generally accepted as enough to defeat software recovery tools on any modern drive; the extra passes guard against laboratory-grade recovery on older, low-density disks and cost nothing but time. If you are really paranoid you can do as many passes as you like, or you could always break out the sledgehammer like James. Whatever the pass count, the tool must be pointed at the whole disk rather than at individual files or a single partition, and you should let it verify the final pass by reading the disk back.&lt;br /&gt;&lt;br /&gt;&lt;p align="center"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/diskshred-763707.JPG"&gt;&lt;img style="CURSOR: hand" alt="" src="http://blog.itsecurityexpert.co.uk/uploaded_images/diskshred-763700.JPG" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;There are many free hard disk shredding tools available; simply Googling “Free Hard Disk Shredding” should return plenty, such as &lt;a href="http://www.fileshredder.org/"&gt;http://www.fileshredder.org/&lt;/a&gt;. I also have a list of my own recommended free hard disk shredders on my main website.&lt;br /&gt;&lt;br /&gt;So however you plan to dispose of your old PC, make sure you either run a hard disk shredding tool over the whole drive or remove the hard disk, because there are people out there, especially in places like West Africa, who make a living out of recovering personal information from computers donated from the West.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/03/hard-disk-shredding-story.html' title='A Hard Disk Shredding Story'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=7617953983037425144' title='5 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/7617953983037425144'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/7617953983037425144'/><author><name>Dave Whitelegg 
CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-654827635657187638</id><published>2008-03-04T01:09:00.003Z</published><updated>2008-03-04T01:42:51.095Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Electronic Jihad botnet business VPN Internet DDos'/><title type='text'>The Cyber Warfare Risk to Business</title><content type='html'>Businesses are relying on the Internet more than ever, whether it’s sales through an e-Commerce website, low-cost “site to site” communications over Internet VPNs, Email, or general web information gathering and distribution; many businesses simply can’t “do” without the Internet for any sustained period. In my view businesses are very complacent about that reliance, and don’t have a plan B should the worst happen.&lt;br /&gt;&lt;br /&gt;Sure, the Internet’s ancestor was designed so that the network as a whole would survive the loss of individual links and sites, but businesses which rely heavily on the Internet should be wary of a new wave of Cyber Warfare threats as we progress into the 21st Century. The fact is there are individuals, criminal gangs and even governments and terrorist organisations with the ability to take down websites and affect whole geographic regions of the Internet, and even a slowdown of Internet traffic in a specific region can have a financial impact on a business; consider a VPN to an offshore call centre, for example.&lt;br /&gt;&lt;br /&gt;Recently Pakistani ISPs, acting on a Pakistani government order to block the site at home, knocked YouTube off the Internet for the whole world for around two hours, which is extremely alarming considering Google-owned YouTube is one of the world’s most visited websites, with extensive, resilient networking infrastructure designed to take the heaviest volumes of Internet traffic. 
The incident was caused by nothing more than a bad entry in the Internet’s routing tables. A Pakistani provider announced, via BGP (the protocol the Internet’s routers use to tell each other which networks they can reach), a route for YouTube’s address block that was more specific than YouTube’s own announcement; its upstream passed the announcement on to the rest of the world, and because BGP has no built-in check that a network is actually entitled to originate the addresses it announces, routers everywhere preferred the more specific route and sent YouTube’s traffic to Pakistan, where it was dropped. That is the security weakness of the BGP routing protocol in a nutshell: routes are trusted on say-so, and the only protection is filtering by each provider.&lt;br /&gt;&lt;br /&gt;Interestingly, in recent weeks several undersea communications cables have “gone down” in the Middle East, putting a strain on Internet traffic in that part of the world. Some say it’s too much of a coincidence, and given the political issues of that region it wouldn’t be surprising if a government, or foul play of some sort, was behind it.&lt;br /&gt;&lt;br /&gt;Last year we saw the Cyber Attack on Estonia, widely attributed to Russia, which had a dramatic negative effect on Estonian e-Commerce websites amongst other things. We have also seen the US accuse China of state-sponsored hacking on several occasions; one of these alleged attacks forced the US government to take several Internet-based systems offline. Then there are the criminal gangs which have built up huge botnets in recent times; these can be used to take down a business’s e-Commerce website with a Distributed Denial of Service (DDoS) attack.&lt;br /&gt;&lt;br /&gt;I’m not going to try to quantify these risks to business, but I can definitely see a trend here. Whether such attacks are politically motivated, financially motivated fraud, or an Electronic Jihad, I don’t think it will be too long before more of them make the headlines and affect Internet-reliant businesses.  
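&lt;br /&gt;&lt;br /&gt;To show the routing weakness behind the YouTube incident in a runnable form, here is an added example of my own, not code from any router or from this post’s sources. It models a router’s route selection (longest prefix match first) over three constructed announcements: a legitimate /24 from its owner, a more specific /25 for half of the same block originated by a network with no right to it, and an unrelated prefix. Without any check the bogus more-specific route wins for every address it covers; with a simple origin check (the shape of a provider’s prefix filter, and of the RPKI route origin validation standardised later) the unauthorised announcement is dropped at the edge and traffic goes back to its owner. All addresses and AS numbers are from the documentation ranges and are constructed for the example.&lt;br /&gt;&lt;br /&gt;

```python
import ipaddress

# Everything here is constructed in the RFC 5737 (addresses) and RFC 5398 (AS numbers)
# documentation ranges; the real prefixes and networks from the YouTube incident are
# deliberately not used.
LEGIT_ORIGIN = 64500    # the network that actually holds the address block
ROGUE_ORIGIN = 64501    # a network that should never originate it

# Announcements as a router might hear them: (prefix, originating AS, AS path length).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", LEGIT_ORIGIN, 3),   # the owner's legitimate route
    ("198.51.100.0/25", ROGUE_ORIGIN, 5),   # a more specific slice, wrongly originated
    ("203.0.113.0/24", 64502, 2),           # an unrelated network, for contrast
]

# Who is entitled to originate what: prefix, authorised AS, longest permitted length.
# This is the shape of an RPKI route origin authorisation (or a provider's prefix filter).
AUTHORISED = {
    ipaddress.ip_network("198.51.100.0/24"): (LEGIT_ORIGIN, 24),
    ipaddress.ip_network("203.0.113.0/24"): (64502, 24),
}


def origin_valid(prefix, origin_as):
    """Accept an announcement only if an authorisation covers it with the same AS
    and the prefix is no longer than the authorisation allows."""
    for covering, (allowed_as, max_len) in AUTHORISED.items():
        if (prefix.subnet_of(covering)
                and origin_as == allowed_as
                and prefix.prefixlen in range(covering.prefixlen, max_len + 1)):
            return True
    return False


def build_table(announcements, validate=False):
    """Install routes; with validate=True, drop announcements that fail the origin check."""
    table = []
    for text, origin_as, path_len in announcements:
        prefix = ipaddress.ip_network(text)
        if validate and not origin_valid(prefix, origin_as):
            continue
        table.append((prefix, origin_as, path_len))
    return table


def best_route(table, address):
    """Longest prefix match wins outright; AS path length only breaks ties.

    This preference is what let a bogus more-specific route beat the legitimate
    one worldwide in the YouTube incident."""
    addr = ipaddress.ip_address(address)
    candidates = [route for route in table if addr in route[0]]
    if len(candidates) == 0:
        return None
    return max(candidates, key=lambda route: (route[0].prefixlen, -route[2]))


def origin_for(address, validate=False):
    """Which AS ends up receiving traffic for the address, with or without the check."""
    route = best_route(build_table(ANNOUNCEMENTS, validate), address)
    return None if route is None else route[1]


if __name__ == "__main__":
    for ip in ("198.51.100.7", "198.51.100.200", "203.0.113.9"):
        print(ip, "unfiltered:", origin_for(ip), "filtered:", origin_for(ip, validate=True))
```

&lt;br /&gt;&lt;br /&gt;The point of the example is the asymmetry: the hijacker needed no access to YouTube or to any router but its own, just an upstream that forwarded the announcement unchecked, whereas the defence has to be applied by every provider at its edge.&lt;br /&gt;&lt;br /&gt;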
In the meantime I think it is a valid and interesting question to pose to any business, what would the impact and financial cost be, should their Internet access be cut for even a few hours.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/03/cyber-warfare-risk-to-business.html' title='The Cyber Warfare Risk to Business'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=654827635657187638' title='3 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/654827635657187638'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/654827635657187638'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-5592539164034757743</id><published>2008-02-12T07:50:00.000Z</published><updated>2008-02-12T16:13:34.932Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Safer Internet Day'/><title type='text'>Happy Safer Internet Day</title><content type='html'>Today is the fifth annual "Safer Internet Day", which has a focus on promoting safe internet usage awareness to children and their parents, a cause which I'm well and truly behind. It still troubles me that some parents don't seem to understand the Internet can be a dangerous place for children.  
I've seen parents who won't let their children watch films above their age certificate or play Cert 15/18 computer games, but when it comes to Internet usage just leave their kids to it, completely oblivious that their children could be viewing inappropriate material, posting personal information and pictures on social networking sites, or chatting with complete strangers.&lt;br /&gt;&lt;div align="center"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/sid2008_logo_200_100-767094.gif"&gt;&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://blog.itsecurityexpert.co.uk/uploaded_images/sid2008_logo_200_100-767092.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.saferinternet.org/"&gt;http://www.saferinternet.org&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/02/happy-safer-internet-day.html' title='Happy Safer Internet Day'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=5592539164034757743' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/5592539164034757743'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/5592539164034757743'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-7681473022760927906</id><published>2008-01-23T23:10:00.000Z</published><updated>2008-01-23T23:29:02.699Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Winzip AES data 
protection breach CD encryption'/><title type='text'>WinZip Encryption Password Security</title><content type='html'>Recently I have received several Emails asking about WinZip encryption, specifically whether it is good enough for business use, especially in the current UK climate where serious breaches of public data are announced almost weekly. So can WinZip do the job of encrypting sensitive data held on discs sent through the public post? The answer is yes, but only if it is used properly…&lt;br /&gt;&lt;br /&gt;With WinZip encryption it is important to understand that older versions of WinZip, prior to version 9, use the original PKZIP “traditional” password encryption (the ZipCrypto stream cipher), which is simply broken: data archived with WinZip version 8 or below using a password of any strength can be recovered very easily, because a known-plaintext attack recovers the cipher’s internal keys regardless of the password. WinZip version 9 and above offers an industry-strength, NIST-approved encryption algorithm, namely AES (the Advanced Encryption Standard). The application provides a choice of key lengths (the longer the stronger), AES-128, AES-192 and AES-256; you may as well pick AES-256, although AES-128 is currently more than strong enough to meet industry best practice and standards.&lt;br /&gt;&lt;br /&gt;The weak point of WinZip AES encryption is not AES itself but the fact that the AES key is derived from a password: the encryption is “symmetric”, so the same single password both encrypts and decrypts the archive, and anyone who gets hold of the file can try passwords offline, as many as they like, with nothing to rate-limit or lock them out. The complexity and strength of the password is therefore “the” protection, and the weak point. 
One of the password-breaking attacks the bad guys use is a dictionary attack, which is just what it sounds like: it tries regular words found in the dictionary as well as commonly used passwords, and the cracker usually has his own database of known and commonly used passwords, complete with the usual letter-for-number substitutions, so a password like “Pa55word” is extremely weak and just doesn’t cut it.&lt;br /&gt;&lt;br /&gt;Another attack on WinZip passwords is a “Brute Force” attack, which tries every possible combination of characters, e.g. aaaa to zzzz. I carried out some testing for this post on my home PC: I was able to crack a 6-character password of completely random upper case, lower case and numeric characters in 1 hour 15 minutes (see image below). Each extra character multiplies the time to brute force by the size of the character set (62 here), so when I tried a 7-character password it took several days, and an 8-character password would have taken months on my not-so-powerful home computer. So I would say 8-character passwords just aren’t strong enough for WinZip AES encryption. &lt;div&gt;&lt;div&gt;&lt;div&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/passwordcrack-754803.JPG"&gt;&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://blog.itsecurityexpert.co.uk/uploaded_images/passwordcrack-793637.JPG" border="0" /&gt;&lt;/a&gt;The main factor in a brute force attack is processing power: how many guesses per second the attacker’s hardware can try. The bad guys can increase their processing power by networking several computers and splitting the keyspace between them, which divides the time to find the password accordingly. 
I previously posted about using a PS3 to brute force passwords: its multi-core processor (multi-core is also where the new generation of PCs is heading) can try several combinations at the same time, and since every guess is independent of every other the attack parallelises perfectly, which makes such hardware very efficient for brute force attacks.&lt;br /&gt;&lt;br /&gt;There is another class of attack which targets the AES algorithm itself; however, at these key lengths AES is so strong that such attacks aren’t a practical concern for business security at the moment, there are no known breaks of AES, and it is used and approved by leading banks and the military, so I’m not going to go into further detail in this post.&lt;br /&gt;&lt;br /&gt;So with WinZip AES encryption the password strength is the key to the security of the encryption, and my own suggestion is that the following password rules provide a business level of protection (are you reading this, HMRC?).&lt;br /&gt;&lt;br /&gt;The WinZip password should…&lt;br /&gt;&lt;br /&gt;1. Be at least 12 characters in length&lt;br /&gt;2. Be random, and not contain any dictionary words, common words or names&lt;br /&gt;3. Have at least one Upper Case character&lt;br /&gt;4. Have at least one Lower Case character&lt;br /&gt;5. Have at least one Numeric character&lt;br /&gt;6. Have at least one Special character e.g. $,£,*,%,&amp;amp;,!&lt;br /&gt;&lt;br /&gt;There is nothing black and white or written down about this; it is my own suggestion and recommendation (in the year 2008). 
If you are struggling to create this sort of complex password, I suggest you look at password generation applications, or at online sites like GRC.com, which has a free random password generator that does an excellent job of producing strong random passwords (generating a password on someone else’s website does mean trusting that site, so for anything sensitive prefer a generator running on your own machine).&lt;br /&gt;&lt;br /&gt;Most significantly, introducing at least one “special character” makes the password much harder to brute force: the bad guys often don’t bother including special characters in a brute force run, because it takes impossibly long to try every combination when they are included. Adding special characters to my 6-character password widens the character set from 62 to 94 symbols, which increases the number of combinations, and so the time to brute force, roughly 12-fold ((94/62)^6 is about 12); the longer the password, the greater the factor.&lt;br /&gt;&lt;br /&gt;To give an idea of the numbers, using the rules I listed as a minimum we are talking about roughly 475,920,314,814,253,000,000,000 (94^12) possible combinations, which equates to around 13,851,104,153,269 hours of processing time on a regular PC at about 9.5 million guesses a second (all the figures here assume that rate, which is consistent with my 6-character test above). Don’t forget an attacker can use multiple PCs and more powerful machines, so divide the time by their number and relative power; even so, with numbers like these I think it’s more than strong enough protection. You might think I’m going a little too far with a 12-character minimum, and as I do tend to err on the side of caution perhaps you are right; like I said, it’s your call. 
So here are the numbers for a random 10-character password, for comparison. With upper case, lower case, digits and special characters (94 symbols) there are 53,861,511,409,490,000,000 (94^10) combinations, which at the same rate equates to roughly 1,570,000,000 hours of processing time; 10 characters without special characters (62 symbols) is 839,299,365,868,340,000 (62^10) combinations, taking 24,426,825 hours. So you can see the multiplying effect of using special characters in the password.&lt;br /&gt;&lt;br /&gt;Of course these sorts of long, complex passwords require good password management and decent business processes; it’s no good using a decent length complex password and then writing it on the disc you send! The password has to travel by a separate channel from the disc, such as a phone call or a separate letter.&lt;br /&gt;&lt;br /&gt;Finally, there is one more issue to consider with WinZip: even without knowing the password, anyone can open the AES-encrypted archive and read the file names (as well as the original file sizes and dates), because the Zip format leaves its directory of entries unencrypted. So it may be a good idea to Zip the files into a single plain archive first, to hide the names, and then Zip that archive again with AES encryption, leaving only one meaningless name visible.&lt;br /&gt;&lt;br /&gt;So WinZip encryption can be used to protect sensitive information in transit, but given a choice of options my personal preference would be a product like PGP (or its free equivalent GnuPG), which uses Asymmetric (public key) encryption: the sender encrypts to the recipient’s public key, so no shared password has to be agreed and transported alongside the data, and the sender can sign the file so the recipient can verify who it came from. I can post specifically about PGP and Asymmetric encryption if asked (please post in the comments). 
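&lt;br /&gt;&lt;br /&gt;Finally, to show what “unlimited attempts” means in practice, here is an added example modelled on the key derivation in WinZip’s published AE-2 specification (PBKDF2-HMAC-SHA1, 1000 rounds, with a 2-byte password verifier at the end of the derived key material). It is my illustration, not WinZip’s code, and it does not produce or read real archives: the salt and passwords are constructed, and the archive’s encryption and authentication code are left out so that only the guessing loop remains. It derives the verifier for a password, brute forces it offline from the verifier and salt alone, and measures how many guesses a second one core manages, which is the number to plug into the keyspace sums above.&lt;br /&gt;&lt;br /&gt;

```python
import hashlib
import itertools
import os
import string
import time

# WinZip's published AE-2 format derives its keys with PBKDF2-HMAC-SHA1, 1000 rounds,
# from the password and a salt stored in the clear next to the encrypted data.
ITERATIONS = 1000
KEY_BYTES = 16          # AES-128; the format uses 24 and 32 bytes for AES-192 and AES-256


def derive(password, salt, key_bytes=KEY_BYTES):
    """Split the PBKDF2 output as the format does: AES key, HMAC key, 2-byte verifier."""
    material = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                   ITERATIONS, 2 * key_bytes + 2)
    return (material[:key_bytes],
            material[key_bytes:2 * key_bytes],
            material[2 * key_bytes:])


def verifier_for(password, salt):
    """The two bytes WinZip stores so it can reject a wrong password before decrypting."""
    return derive(password, salt)[2]


def brute_force(target_verifier, salt, alphabet, max_len):
    """Offline attack: try every string up to max_len against the stored verifier.

    Nothing rate-limits this; the only cost per guess is the PBKDF2 work. A 2-byte
    verifier also lets 1 wrong guess in 65,536 through, so a real cracker confirms
    each hit against the archive's authentication code before reporting it.
    """
    hits = []
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if verifier_for(guess, salt) == target_verifier:
                hits.append(guess)
    return hits


def guesses_per_second(sample=200):
    """Measure this machine's single-core guess rate; plug it into the keyspace sums."""
    salt = os.urandom(8)
    start = time.perf_counter()
    for i in range(sample):
        verifier_for("guess%d" % i, salt)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = os.urandom(8)                  # constructed; a real archive stores it in the header
    target = verifier_for("cat", salt)    # a deliberately short password for the demo
    rate = guesses_per_second()
    print("about %.0f guesses a second on one core here" % rate)
    print("all 8-character mixed-case alphanumeric passwords at that rate: %.0f days"
          % (62 ** 8 / rate / 86400))
    print("verifier matches:", brute_force(target, salt, string.ascii_lowercase, 3))
```

&lt;br /&gt;&lt;br /&gt;The 1000 PBKDF2 rounds are the only thing slowing each guess down, and they slow the attacker by exactly the same factor on every machine he adds, so the password length and character set, not the cipher, decide how long the archive holds out.&lt;br /&gt;&lt;br /&gt;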
Oh, if you found this post useful, please post a positive comment, as it will encourage me to post further “how-to” posts.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-security.html' title='WinZip Encryption Password Security'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=7681473022760927906' title='20 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/7681473022760927906'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/7681473022760927906'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-6499985615757124699</id><published>2008-01-22T00:15:00.000Z</published><updated>2008-01-22T00:26:12.375Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='MOD data protection breach CD theft identity'/><title type='text'>MOD Don’t Encrypt All Laptops</title><content type='html'>Perhaps I am being a little naive, but I would have thought all MOD laptops would be deployed with hard disk encryption. Apparently not: the MOD laptop stolen last week from a parked car in Birmingham had no hard disk or file-level encryption at all, despite holding masses of private data. 
This MOD laptop held 600,000 records of military personnel: personal data including passport numbers, national insurance numbers, driving licence details, family details, doctors' addresses and bank details, which is probably the only reason we know about the breach; I'm sure the MOD would rather the incident had been kept out of the public eye.&lt;br /&gt;&lt;br /&gt;Organisations which use thousands of laptops in the field should accept and understand that a certain percentage of them will be stolen. Sure, you can reduce the numbers and the risk by educating users, but it is inevitable that some laptops will be stolen; it's the way of the world. This is nothing new either; laptop theft has been commonplace since their introduction 20 years ago. Most large organisations in the private sector understand this and the data breach risk that goes with it, and as a matter of course enforce full-disk encryption on every laptop across the board, so that a stolen machine is an inconvenience rather than a breach. And the cost of the software to properly encrypt a laptop’s hard disk and secure the information held on it? Around £20 to £50 per laptop, roughly 5% of the cost of the laptop, so there really is no excuse for this type of breach today. &lt;br /&gt;&lt;br /&gt;The other question I have about this particular breach is why so much sensitive data was being held on a laptop in the first place. It’s probably laziness or incompetence, but nevertheless no one should, or needs to, be walking around with that amount of information on a laptop, hard disk encrypted or not; disk encryption protects the data while the machine is switched off or locked at boot, and does nothing for it once someone is logged in.&lt;br /&gt;&lt;br /&gt;On the back of the MOD breach news story, I noticed yet another government agency, namely the Department for Work and Pensions (DWP), disclosed another data breach: hundreds of documents containing sensitive personal data of citizens were found on a public roundabout in Devon. It appears this is not the first time this has happened, either.  
And on the same day Stockport Primary Care Trust disclosed that it had lost 4,000 patient records.&lt;br /&gt;&lt;br /&gt;It appears to be a growing trend to announce data breaches on the back of bigger ones; I’m sure there are press officers sitting there reading the news, “oh, there goes a seriously big breach, quickly, release ours, they won’t notice”…</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/01/mod-dont-encrypt-all-laptops.html' title='MOD Don’t Encrypt All Laptops'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=6499985615757124699' title='3 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6499985615757124699'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6499985615757124699'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-7254817033238328954</id><published>2008-01-08T19:50:00.000Z</published><updated>2008-01-08T19:16:20.560Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='HMRC data protection breach CD theft identity'/><title type='text'>HMRC Breach a Fuss about Nothing? Not Really</title><content type='html'>BBC TV Top Gear presenter Jeremy Clarkson, who writes for the Sun newspaper, was so convinced the HMRC data breach was, in his own words, "a fuss about nothing" that he published his own bank account number and sort code in the newspaper, and I quote: "All you'll be able to do with them is put money into my account. Not take it out. 
Honestly, I've never known such a palaver about nothing," he told Sun readers.&lt;br /&gt;&lt;br /&gt;However, when he next checked his bank statement he saw that someone had set up a direct debit which took £500 from his account and apparently sent it to a charity; now that's what I call ethical hacking! A name, account number and sort code are enough for a Direct Debit originator to set up a mandate, which is exactly why those details are worth protecting.&lt;br /&gt;&lt;br /&gt;To quote Clarkson after discovering this, "The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again. I was wrong and I have been punished for my mistake."&lt;br /&gt;&lt;br /&gt;I think it just goes to show that many people simply don't care that their personal information and banking details are being lost and could be in the hands of fraudsters. I'm planning a post on encryption next, but after that I'll try to explain exactly what the bad guys can do with your personal information and banking details, and hopefully show that this sort of information has real value and therefore must be protected by the organisations entrusted with holding it.&lt;br /&gt;&lt;br /&gt;Finally, to quote Clarkson once more: "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy." I'm with him on that!</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2008/01/hmrc-breach-fuss-abourt-nothing-not.html' title='HMRC Breach a Fuss about Nothing? 
Not Really'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=7254817033238328954' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/7254817033238328954'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/7254817033238328954'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-1474094787449594872</id><published>2008-01-07T23:08:00.000Z</published><updated>2008-01-08T03:28:28.381Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='HMRC data protection breach CD theft identity'/><title type='text'>HMRC: Update with my Grievance</title><content type='html'>I said I would blog about my own progress in obtaining answers and info on the improvements with the initial incident with HMRC when they lost the Standard Life CD with my data on it on 8th November, two weeks prior to the 25 Million record breach. 
I wrote several letters at that time to the powers that be and I have received several replies so far.&lt;br /&gt;&lt;br /&gt;I had a reply from my local Member of Parliament, David Borrow, who said "I am looking into the points you have raised and I will contact you again as soon as I have more information."&lt;br /&gt;&lt;br /&gt;I had a letter receipt acknowledgement from Michael Wills MP, the government minister for Data Protection.&lt;br /&gt;&lt;br /&gt;I've also had an interesting response from the Information Commissioner’s Office (ICO)...&lt;br /&gt;&lt;br /&gt;"Thank you for your correspondence dated 8th November 2007 regarding the security breach by HM Revenue and Customs which involved the loss of a computer disc containing Standard Life customer details.&lt;br /&gt;&lt;br /&gt;The Information Commissioner’s Office (ICO) is responsible for administering the Data Protection Act 1998 (the Act), which is concerned with the processing of personal data. The Act requires, amongst other things, that organisations which process personal data employ appropriate safeguards in order to ensure the security of that data. If an organisation fails to take appropriate steps to ensure the security of the data they hold then it is likely that that organisation will have breached the requirements of the Act.&lt;br /&gt;&lt;br /&gt;HM Revenue and Customs has reported this serious breach to the ICO, and as you may be aware, as a result of a further security breach the Chancellor has announced an independent review of HM Revenue and Customs. The Chancellor has agreed that the full report will be made available to the ICO and we will then decide what further action is appropriate. 
The ICO will release a statement as soon as he has considered the findings of the independent review.&lt;br /&gt;&lt;br /&gt;As we have already been made aware of the breach, and as we will be provided with the full report following the independent review of HM Revenue and Customs, we do not require details of individual complaints. However we will keep a copy of the information you have provided on file as evidence should it be required in the future.&lt;br /&gt;&lt;br /&gt;The Information Commissioner's Office is aware that you may have concerns about the security of the lost data; If you would like some practical guidance about avoiding identity theft you may wish to view pages 30 - 33 of our Personal information toolkit.&lt;br /&gt;&lt;br /&gt;I hope this information is useful. If we can be of any further assistance please contact our Helpline on 08456 30 60 60, or 01625 545745 if you would prefer to call a national rate number, quoting your case reference number. You may also find some useful information on our website at www.ico.gov.uk&lt;br /&gt;&lt;br /&gt;Yours sincerely&lt;br /&gt;&lt;br /&gt;Sharon Boot&lt;br /&gt;Senior Customer Service Officer"</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/01/hmrc-update-with-my-grievance.html' title='HMRC: Update with my Grievance'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=1474094787449594872' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/1474094787449594872'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/1474094787449594872'/><author><name>Dave Whitelegg 
CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-6181859022059801705</id><published>2007-12-24T18:24:00.000Z</published><updated>2008-01-09T16:31:50.923Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Christmas 12 Data Breaches'/><title type='text'>The 12th Breach of Christmas (UK)</title><content type='html'>On the Twelfth Day of Christmas the Information Commissioner disclosed to me...&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;12&lt;/strong&gt; hundred wrongly addressed questionnaires (DVLA Dec 07)&lt;br /&gt;802.&lt;strong&gt;11&lt;/strong&gt; WiFi WEP is broken (now takes just a minute to crack)&lt;br /&gt;1 in &lt;strong&gt;10 &lt;/strong&gt;UK companies PCI compliant (a survey by the Logic Group in Sept '07 revealed that only one in ten UK companies have the proper security standards to handle our card payments securely)&lt;br /&gt;&lt;strong&gt;9 &lt;/strong&gt;NHS Trust breaches (Dec 2007)&lt;br /&gt;&lt;strong&gt;8 &lt;/strong&gt;"Significant" HMRC security incidents (HMRC revealed further "significant" breaches in Nov/Dec 07)&lt;br /&gt;&lt;strong&gt;7&lt;/strong&gt; out of 10 websites vulnerable (Cenzic study finds web applications vulnerable to attack, May 07)&lt;br /&gt;&lt;strong&gt;6&lt;/strong&gt;,000 personal records mislaid (by the N.I. Driver and Vehicle Agency, Nov 07)&lt;br /&gt;"&lt;strong&gt;Twenty-Five&lt;/strong&gt;" Million records lost (HMRC Nov 07)&lt;br /&gt;&lt;strong&gt;4&lt;/strong&gt; in 10 WiFi routers unsecured (according to a report by Moneysupermarket.com, Apr 07)&lt;br /&gt;&lt;strong&gt;3&lt;/strong&gt; Million learner drivers lost (by the Driving Standards Agency, Dec 07)&lt;br /&gt;&lt;strong&gt;2&lt;/strong&gt; discs missing (HMRC discs holding the details of 15,000 Standard Life customers lost, Oct 07)&lt;br /&gt;And a £&lt;strong&gt;1&lt;/strong&gt; Million fine to the Nationwide! (lost a laptop with an unencrypted hard disk holding nearly 11 Million customer records and was fined by the FSA in Feb 07)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Merry Christmas Everyone!&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;PS Let's hope I find it a much harder struggle to write this sort of thing next Christmas.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/12/12th-breach-of-christmas-uk.html' title='The 12th Breach of Christmas (UK)'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=6181859022059801705' title='2 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6181859022059801705'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6181859022059801705'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-1977078743878865129</id><published>2007-12-24T02:20:00.000Z</published><updated>2007-12-24T03:23:41.655Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='NHS data protection breach CD theft identity'/><title type='text'>Tis the Season to Discloses Data Breaches</title><content type='html'>It appears this time of year, coupled with the spectre's shadow of the 25 Million unprotected records lost by the HMRC last month, makes an ideal time to disclose data breaches to the UK public. We really need proper California-style data breach disclosure laws in this country.&lt;br /&gt;&lt;br /&gt;So what's new in the last 7 days...&lt;br /&gt;&lt;br /&gt;Well the NHS disclosed 10 (ten) data breaches at various NHS trusts around the country, one of which involved the loss of 168,000 records, most of which were children’s records. In a statement they claimed an "extremely high level of security", but typically did not explain any details about the security measures. It would appear it's the old recipe of sending data on discs again. Fair play to the NHS if proper encryption was used, but so far I haven't really seen any details about each of these 10 incidents or when they actually occurred. I suspect the NHS powers that be chose not to disclose these incidents when they were discovered, but have been forced to now in light of the government enquiry into the HMRC breaches. 
I really don't want to be pessimistic at this time of year, but these are the 10 incidents the NHS are aware of, and knowing the NHS and its generally poor management, budget cutting and bad organisation, especially within IT, I suspect these incidents are probably just the tip of the iceberg.&lt;br /&gt;&lt;br /&gt;On the back of the high profile NHS story, on the same day the Post Office admitted to sending over 5000 account details to the wrong pensioners.&lt;br /&gt;&lt;br /&gt;The Skipton Building Society lost sensitive personal details of 14,000 customers, thanks to the theft of a laptop. The data includes names, addresses, dates of birth, national insurance numbers and the amount of money invested. There was no hard disk encryption on the laptop, which was owned by an IT supplier. At least the FSA can hold them to account for this breach. It's worth noting Leeds Building Society lost information about its own workforce in early November; this one went completely under the media radar.&lt;br /&gt;&lt;br /&gt;And of course last Monday Millions of UK Learner Driver details were lost by the Driving Standards Agency, after a hard disk holding 3 Million UK learner driver records was lost in the US of all places. This information was known to be missing back in May 2007, but was only disclosed to the public on Monday.&lt;br /&gt;&lt;br /&gt;I was on BBC News 24 talking about this very issue, and to be completely honest, I had to work to get the newsreader to understand the importance of such breaches. Some people still don't realise the significance of large databases of information, even when populated with information "innocent on the eye" like names, addresses and phone numbers, the so-called stuff you can get out of a phone book. Sure, there were no bank details, but the data included details about fees paid and Email addresses. In this case 3 million such records altogether have significant value to unscrupulous marketers and within the underworld. 
I mean, how much would spammers pay for 3 million active Email addresses alone?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;While on BBC News 24, I found myself making an interesting point about the type of data being lost. I stated there was always a big focus and hype when personal bank information is lost or breached, and rightly so, however I can easily change my bank account, but it's not so easy to change my telephone number or home address, and it's virtually impossible to change my National Insurance number, as lost by the HMRC.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;SOAP BOX TIME: We are now living in the Information Age, in times where identity theft is the UK's fastest growing crime, full stop. Now is the time for companies, organisations and us as individuals to wake up and start valuing information. Information is an asset and it has value associated with it (Information=Money!), and like everything of value, it needs to be protected.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/12/tis-season-to-discloses-data-breaches.html' title='Tis the Season to Discloses Data Breaches'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=1977078743878865129' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/1977078743878865129'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/1977078743878865129'/><author><name>Dave Whitelegg 
CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-8010870857802027769</id><published>2007-12-14T18:40:00.000Z</published><updated>2007-12-14T14:13:42.779Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Flash Cookies'/><title type='text'>Hidden Flash Cookies</title><content type='html'>I was speaking to some pals of mine who were asking about deleting Internet history and removing cookies etc. from their PCs for privacy. However none of them knew what “Flash Cookies” were or how to find and view them on their systems, let alone change Flash settings and remove them, so I agreed to do a post about them.&lt;br /&gt;&lt;br /&gt;To recap, a regular cookie is a small text file created by websites via your web browser and stored locally on your PC. The file is tiny, which is probably why it's called a cookie. The information within the file is used to store or reference information about your habits and usage on a particular website, such as where you went on the website, and what you did. These cookies allow websites to be smart, so the website remembers who you are and what you like, often personalising or tailoring aspects of the website to make life easier or for directed marketing.&lt;br /&gt;&lt;br /&gt;However a lot of people have privacy concerns about having their surfing habits tracked, monitored and recorded in this way, and often like to remove these cookies from their system. Usually this is done via Internet Explorer's settings: Tools, then browsing history, then “delete cookies”.&lt;br /&gt;&lt;br /&gt;To recap on Flash, Adobe "Flash Player" is a web browser plugin which the vast majority of people have enabled on their web browsers (it's there by default). 
Having "Flash" allows for rich web content and high interactivity within websites; YouTube videos are delivered within Flash Player, for example.&lt;br /&gt;&lt;br /&gt;However I have noticed more and more websites are using Flash Cookies, even banking sites. Flash cookies perform the same function as a regular cookie, but they aren't stored as a text file in the usual cookies folder, therefore web browsers like Internet Explorer don't recognise them as cookies and they aren't removed with a "delete cookies".&lt;br /&gt;&lt;br /&gt;Flash Cookie files tend to have a ".sol" file extension. On checking my system just now, I see I have "soundData.sol" within "C:\documents and settings\Local User name\Application Data\Macromedia\Flash Player\youtube.com\", even though I just cleared all of my Internet history etc. as a test. I guess this particular flash cookie is probably tracking my preferred volume level on YouTube videos.&lt;br /&gt;&lt;br /&gt;The good news is there is a way to delete flash cookies in an orderly fashion and configure the settings for their use on your system. Adobe (owners of "Flash" - they bought it from Macromedia a couple of years back) have a Flash Management Application on their website, not surprisingly delivered in Flash. 
Full instructions on its usage and settings are on the Adobe website and pretty much self-explanatory, so I'm not going to repeat them here. Here's the link...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html"&gt;Flash Settings Manager&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It's definitely worth checking out if, like my pals, you haven't come across Flash Cookies before.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/12/hidden-flash-cookies.html' title='Hidden Flash Cookies'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=8010870857802027769' title='3 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/8010870857802027769'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/8010870857802027769'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-1353527821241507535</id><published>2007-12-12T00:16:00.000Z</published><updated>2007-12-12T00:37:38.052Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='HMRC data protection breach CD theft identity'/><title type='text'>And Yet another UK Government Data Breach</title><content type='html'>It's the same old recipe... Take one UK Government department, a couple of Discs, copy thousands of records containing sensitive personal data of UK citizens onto the Discs unencrypted and then post.&lt;br /&gt;&lt;br /&gt;Don't these people ever learn!&lt;br /&gt;&lt;br /&gt;This time it was the turn of the Driver and Vehicle 
Agency (DVA) in Northern Ireland, who dispatched two discs by Parcelforce on either the 20th or 21st November. The discs, holding around 6,000 people's personal details, never arrived at the intended destination, namely the DVLC Headquarters in Swansea.&lt;br /&gt;&lt;br /&gt;The head of the DVA said the information was not encrypted and included the details of 7,685 vehicles and more than 6,000 vehicle keepers. The data included the keeper's name, address, registration mark of the vehicle, chassis number, make and colour. The DVA also said they were not optimistic that the discs would ever be found.&lt;br /&gt;&lt;br /&gt;I'm not even going to post any more on this, for fear of repeating myself; just read my last post made last Friday... &lt;a href="http://blog.itsecurityexpert.co.uk/2007/12/uk-government-infosec-is-systemically.html"&gt;http://blog.itsecurityexpert.co.uk/2007/12/uk-government-infosec-is-systemically.html&lt;/a&gt;</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/12/and-yet-another-uk-government-data.html' title='And Yet another UK Government Data Breach'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=1353527821241507535' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/1353527821241507535'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/1353527821241507535'/><author><name>Dave Whitelegg 
CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-111761797691337820</id><published>2007-12-07T20:20:00.000Z</published><updated>2007-12-07T21:04:37.129Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='HMRC data protection breach CD theft identity'/><title type='text'>UK Government InfoSec is Systemically Broken</title><content type='html'>I don't really like knocking my own government, but their approach to protecting our personal information is like a banana republic.&lt;br /&gt;&lt;br /&gt;This week another government department, namely the Driver and Vehicle Licensing Agency (DVLA), posted over 100 questionnaires holding people's details, including their dates of birth and "Motoring Offence History", to the wrong addresses. The DVLA said it was caused by human error, as if to say that makes this breach acceptable. So this is another government violation of the government's own Data Protection Act, however it's pretty pointless fining these government departments, isn't it, as it would be like fining yourself. There is just no "stick" to push information security in these organisations; it's not like the private sector where companies are heavily fined and breach publicity has a serious impact on a business brand, which is always important in competitive marketplaces. In my view there definitely needs to be a "big stick" from the top down to drive good security practice and culture within these organisations, otherwise no one will be bothered or have the time.&lt;br /&gt;&lt;br /&gt;Meanwhile the acting head of the HMRC said there had been seven incidents of "some significance" involving data security breaches since April 2005. I thought that sounds a bit dodgy, as just who is deciding if an incident was significant or not, and how many minor incidents are there? 
Again I think this underlines the need for disclosure laws in the UK (no, they don't have to tell us about these data breaches), or even a disclosure policy for government departments would be a good start.&lt;br /&gt;&lt;br /&gt;While on HMRC, a reward of £20,000 is being offered for the return of two lost CDs containing the personal details of 25 million people. The Liberal Democrats valued the data on the CDs at £1.5 Billion the other day, so it's not much of a reward, is it? I mean a good fraudster could pilfer £20,000 out of just one record, let alone 25 million records.&lt;br /&gt;&lt;br /&gt;I think there needs to be a major shakeup and "investment" in how the government secures our private information. I think there is an appetite for this at the moment; I just hope it doesn't waver away as the media move onto other stories. After speaking to and advising many people about these incidents, it is clear these incidents have severely shaken any confidence most UK folk have in the government and the civil service; even I have changed my viewpoint on national ID cards. 
Meanwhile on the politics front, the opposition parties are having a field day with the government of the day, but I'm not so sure these incidents wouldn't happen under their governments anyway.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/12/uk-government-infosec-is-systemically.html' title='UK Government InfoSec is Systemically Broken'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=111761797691337820' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/111761797691337820'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/111761797691337820'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-6127153405521275153</id><published>2007-12-04T00:12:00.000Z</published><updated>2007-12-04T02:19:10.180Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='playstation processer bruteforce cracker password'/><title type='text'>The Power of PlayStation</title><content type='html'>I was fascinated to read about a New Zealand security guy called Nick Breese, who conducted brute force password cracking experiments using the processor at the heart of the Sony PlayStation 3. He stated he was able to brute force 8 character passwords using the PS3 processor and a password cracking application in just hours; usually it would take days on a regular desktop PC. 
This type of password cracking typically defeats the type of protection you find on a password protected Zip file (*cough H-M-R-C missing CD cough*).&lt;br /&gt;&lt;br /&gt;The PS3 multi-core processor, called the “Cell Processor”, was developed by Sony, Toshiba and IBM a couple of years back. The Sony version of the processor can carry out 256 billion calculations per second, which is faster than a 4GHz PC. It manages this speed due to having 7 cores within the processor, so it can carry out 7 calculations at the same time, so trying 7 brute force passwords at the same time.&lt;br /&gt;&lt;br /&gt;Imagine the type of processing power that could be gained by installing a Linux OS and networking PS3s together and combining their processing power, as was done with the old PS2; you could be talking about a low budget supercomputer. Such processing power could have all sorts of positive uses beyond just password cracking, such as with research projects like the human genome. I must have a search on the net, to see if anyone else is using their PS3 to do things other than playing games.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/12/power-of-playstation.html' title='The Power of PlayStation'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=6127153405521275153' title='3 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6127153405521275153'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6127153405521275153'/><author><name>Dave Whitelegg 
CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-1744772474727963132</id><published>2007-11-26T23:31:00.000Z</published><updated>2007-11-27T00:02:37.549Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='HMRC data protection breach CD theft identity'/><title type='text'>HMRC: CDs should be treated the same as the Server Room</title><content type='html'>This is rapidly turning into the HMRC data breach blog! I post a lot about this issue at the moment because I have a personal vested interest, as do many others; there are further developments almost on a daily basis, and for anyone who cares about the security of personal information in the UK, this is still a huge issue which frankly still gives me great cause for concern, and provides much thought about data security in general, which I feel compelled to write about.&lt;br /&gt;&lt;br /&gt;Anyway, I was in discussion with several people today in regard to the missing HMRC CDs. One view was that HMRC regarded the internal mail as "private" postage, a view which doesn't sit with me at all. &lt;br /&gt;&lt;br /&gt;The way I think about it is like this: if you were to copy the company's entire database, "The" Crown Jewels of the organisation, to a piece of media, shouldn't you be applying the same security measures as to the live database, as held on the Servers? Think about all the physical security aspects of a server/comms room for instance, and the logical security within the IT Systems controlling the database. 
Would any IT professional ever consider removing the hard disks holding the database and posting them in the mail?&lt;br /&gt;&lt;br /&gt;As for the "private" mail, well for a start HMRC use third parties for that, but even if they did it in house, personally I would still regard any internal mail as an untrusted medium, therefore I would insist on encryption of any sensitive or classified data sent through it as a matter of course.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/11/hmrc-cds-should-be-treated-same-as.html' title='HMRC: CDs should be treated the same as the Server Room'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=1744772474727963132' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/1744772474727963132'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/1744772474727963132'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-6667405305574207948</id><published>2007-11-25T21:35:00.000Z</published><updated>2007-11-25T22:30:45.675Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='HMRC data protection breach CD theft identity'/><title type='text'>HMRC: More Discs Go Missing, Is it Foul Play?</title><content type='html'>Yet more CD/DVDs have gone missing within HMRC's internal postage system, this time a batch of 6 "discs" has disappeared in transit between Preston and London. 
This incident was spotted by HMRC on 30th October and the discs apparently held customer complaint conversations, which I certainly would regard as personal information.&lt;br /&gt;&lt;br /&gt;This is the third HMRC postage containing sensitive CDs which has gone missing within the same month, October 2007. Don't forget the CD which HMRC sent (lost) to Standard Life, which held 15,000 records, as reported on 2nd November. I can't forget that missing disc, as my personal details were on it!&lt;br /&gt;&lt;br /&gt;So I have to ask whether there could be foul play? I can't answer that for certain as I don't work for HMRC or know all the facts, however I'm going to have a go at speculating since two of the incidents involve my personal information.&lt;br /&gt;&lt;br /&gt;Organised criminals have been known to target large institutions just for their data, going through external bins for info, using social engineering techniques, web hacking and even infiltrating organisations internally; there was a Scottish credit card call centre which was found to be deliberately infiltrated by a gang earlier in the year for money laundering purposes. It's too much of a coincidence for three packages containing CDs to have gone missing in the same month. I had a period on eBay where I sold loads of DVDs once, and never had any packages go missing within the public postage system. It's not exactly hard to guess by the size and shape of the packaging that it holds a disc.&lt;br /&gt;&lt;br /&gt;Interestingly, if HMRC actually ships loads of CDs around their organisation all the time (which is bad) then you would have to say the stats wouldn't point to foul play at all. 
I do understand HMRC is a large and complex organisation, so it could be possible there are shed loads of CD/DVDs flying around HMRC; if there are, then there have to be better and more secure methods of sharing that information.&lt;br /&gt;&lt;br /&gt;To sum up my own conclusion on this, either HMRC sends CDs within the post unprotected as a matter of course OR HMRC send only a few CDs around, which would indicate possible foul play, OR it's just a big coincidence!&lt;br /&gt;&lt;br /&gt;A lot of fraud, particularly identity theft, does start in the mail system. HMRC mainly use TNT to deliver their mail between sites and organisations. In relation to the 25 Million record discs, TNT are stating they don't think that missing package has even entered their mailing systems, but as it's unrecorded delivery they can't be certain, and I understand TNT are searching for it. A spokesman for HMRC recently said "All the evidence points to the fact that these discs are still on our premises" - well, if you keep searching and searching (I'm sure no stone is being left unturned) and they don't turn up, I think there is only one likely conclusion to be reached.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/11/hmrc-more-discs-go-mising-is-it-foul.html' title='HMRC: More Discs Go Missing, Is it Foul Play?'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=6667405305574207948' title='1 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6667405305574207948'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/6667405305574207948'/><author><name>Dave Whitelegg 
CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-7639178410264810798</id><published>2007-11-22T20:19:00.000Z</published><updated>2007-11-22T21:05:55.068Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='HMRC data protection breach CD theft identity'/><title type='text'>HMRC: Emails Confirms Poor CD Password Protection</title><content type='html'>The NAO have released details of their Email correspondence with HMRC leading up to the HMRC data breach, which answers a couple more questions I had about the incident.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.nao.org.uk/publications/nao_reports/07-08/child_benefit_data.pdf"&gt;Click Here for NAO Emails&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From the NAO Emails it is very clear that the HMRC data was zipped (compressed to make the data files smaller), likely with an application called WinZip. The so-called password protection of the CD we are told about is just a WinZip password, which wouldn't be very hard to defeat. See http://www.zipcure.com/ for instance.&lt;br /&gt;&lt;br /&gt;On analysing what was said in the Emails further and ignoring the political spin about them...&lt;br /&gt;&lt;br /&gt;NAO rep. states &lt;strong&gt;&lt;em&gt;"I do not need address, bank or parent details in the download - are these removable to make the file smaller?"&lt;/em&gt;&lt;/strong&gt; - Clearly the NAO were not asking for the removal of the sensitive data for security; it appears the NAO wanted to receive a smaller database on the grounds of it being easier to manage on a single CD, i.e. a single zip file. This is contrary to the media reports which state the NAO advised HMRC not to send sensitive information on security grounds. &lt;br /&gt;&lt;br /&gt;So the NAO wanted the data to fit zipped on a single CD-R; in response to this request the HMRC rep. 
states &lt;strong&gt;&lt;em&gt;"I must stress we must make use of data we hold and not over burden the business by asking them to run additional data scans/filters that may incur a cost to the department."&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;In my view I think this is an attempt to fob off the NAO, rather than a genuine financial reason, as running a report to filter out the unnecessary data doesn't have too much cost associated with it; it just takes a little time to organise. So I am guessing the HMRC rep. knew this and didn't want to go through the hassle of extracting the information out of the HMRC IT systems again. Sure, I could be wrong in my assumption; I'm just going from past experiences with requesting stuff from busy IT bods.&lt;br /&gt;&lt;br /&gt;These are my own views on reading the Emails, please let me know your views, and of course the content of these Emails makes absolutely no excuse for HMRC failing millions of people by not protecting our private information.</content><link rel='alternate' type='text/html' href='http://blog.itsecurityexpert.co.uk/2007/11/hmrc-emails-confirms-poor-cd-password.html' title='HMRC: Emails Confirms Poor CD Password Protection'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=7639178410264810798' title='8 Comments'/><link rel='replies' type='application/atom+xml' href='http://blog.itsecurityexpert.co.uk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/7639178410264810798'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3798604115389836864/posts/default/7639178410264810798'/><author><name>Dave Whitelegg CISSP</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author></entry></feed>