Monday 24 December 2007

The 12th Breach of Christmas (UK)

On the Twelfth Day of Christmas the Information Commissioner disclosed to me...

12 hundred wrongly addressed questionnaires (DVLA Dec 07)
802.11 Wifi WEP is broken (now takes just a minute to crack)
1 to 10 UK companies PCI compliant (Survey by Logic Group in Sept'07 revealed that only one in ten UK companies have the proper security standards to handle our card payments securely)
9 NHS Trust Breaches (Dec 2007)
8 "Significant" HMRC Security Incidents (HMRC revealed further "significant" breaches in Nov/Dec 07)
7 out of 10 websites vulnerable (Cenzic Study Finds Web Applications Vulnerable to attack May 07)
6,000 personal records mislaid (by N.I. Driver and Vehicle Agency - Nov 07)
"Twenty-Five" Million Records Lost (HMRC Nov 07)
4 in 10 WiFi routers unsecure (according to a report by Moneysupermarket.com Apr 07)
3 Million Learner Drivers Lost (by Driving Standards Agency Dec 07)
2 Discs Missing (HMRC discs holding 15,000 Standard Life customers is lost Oct 07)
And a £1 Million fine to the Nation-wide! (Lost a laptop with an unencrypted hard disk holding nearly 11 Million customer records and were fined by FSA in Feb 07)


Merry Christmas Everyone!


PS Let's hope I find it a much harder struggle to write this sort of thing next Christmas.

Tis the Season to Disclose Data Breaches

It appears this time of year coupled with the spectre's shadow of the 25 Million unprotected records lost by the HMRC last month, makes an ideal time to disclose data breaches to the UK public. We really need proper California style data breach disclosure laws in this country.

So what's new in the last 7 days...

Well the NHS disclosed 10 (ten) data breaches at various NHS trusts around the country, one of which involved the loss of 168,000 records of which most were children’s records. In a statement they said "extremely high level of security", but typically do not explain any details about the security measures. It would appear it's the old recipe of sending data on discs again. Fair play to the NHS if proper encryption was used, but so far I haven't really seen any details about each of these 10 incidents and when they actually occurred. I suspect the NHS powers that be choose not to disclose these incidents when they were discovered, but have been forced to now in light of the government enquiry into the HMRC breaches. I really don't want to be pessimistic at this time of year, but these are the 10 incidents the NHS are aware of, and knowing the NHS and the generally poor management, budget cutting and bad organisation, especially within IT, I suspect these incidents are probably just the tip of the iceberg.

On the back of the high profile NHS story, on the same day the Post Office admitted to sending over 5000 account details to the wrong pensioners.

The Skipton Building Society lost sensitive personal details of 14,000 customers, thanks to the theft of a laptop. The data includes names, addresses, dates of birth, national insurance numbers and the amount of money invested. There was no hard disk encryption on the laptop, which was owned by an IT supplier. At least the FSA can hold them to account for this breach. It's worth noting Leeds Building Society lost information about its own workforce in early November; this one went completely under the media radar.

And of course last Monday millions of UK learner driver details were lost by the Driving Standards Agency, after a hard disk holding 3 Million UK learner driver records was lost in the US of all places. This information was known to be missing back in May 2007, but was only disclosed to the public on Monday.

I was on BBC News 24 talking about this very issue, and to be completely honest, I had to work to get the newsreader to understand the importance of such breaches. Some people still don't realise the significance of large databases of information, even when populated with information "innocent on the eye" like names, addresses and phone numbers, the so called stuff you can get out of a phone book. Sure there were no bank details, but the data included details about fees paid and Email addresses. In this case 3 million such records altogether have significant value to unscrupulous marketers and within the underworld. I mean how much would spammers pay for 3 million active Email addresses alone?


While on the BBC News 24, I found myself making an interesting point about the type of data being lost. I stated there was always a big focus and hype when personal bank information is lost or breached, and rightly so, however I can easily change my bank account, but it's not so easy to change my telephone, home address, and it's virtually impossible to change my National Insurance number, as lost by the HMRC.


SOAP BOX TIME: We are now living in the Information Age, in times where identity theft is the UK's fastest growing crime full stop. Now is the time for companies, organisations and us as individuals to wake up and start valuing information, information is an asset and it has value associated with it (Information=Money!), like with everything of value, it needs to be protected.

Friday 14 December 2007

Hidden Flash Cookies

I was speaking to some pals of mine who were asking about deleting Internet history and removing cookies etc from their PCs for privacy. However none of them knew what “Flash Cookies” were and how to find and view them on their systems, let alone change flash settings and remove them, so I agreed to do a post about them.

To recap, a regular cookie is a small text file created by websites via your web browser and stored locally on your PC. The file is tiny, which is probably why it's called a cookie. The information within the file is used to store or reference direct information about your habits and usage on a particular website, such as where you went on the website, and what you did. These cookies allow websites to be smart, so the website remembers who you are and what you like, often personalising or tailoring aspects of the website to make life easier or for directed marketing.

However a lot of people have privacy concerns about having their surfing habits tracked, monitored and recorded in this way, and often like to remove these cookies from their system. Usually this is done via Internet Explorer's settings: Tools or browsing history, then "delete cookies".

To recap on Flash, Adobe "Flash Player" is a web browser plugin which the vast majority of people have enabled on their web browsers (it's there by default). Having "Flash" allows for rich web content and high interactivity within websites; YouTube videos are delivered within Flash Player, for example.

However I have noticed more and more websites are using Flash Cookies, even banking sites. Flash cookies perform the same function as a regular cookie, but they aren't stored as a text file in the usual cookies folder, therefore web browsers like Internet Explorer don't recognise them as cookies and they aren't removed with a "delete cookies".

Flash Cookie files tend to have a ".sol" file extension, on checking my system just now; I see I have "soundData.sol" within "C:\documents and settings\Local User name\Application Data\Macromedia\Flash Player\youtube.com\", even though I just cleared all of my Internet history etc. as a test. I guess this particular flash cookie is probably tracking my preferred volume level on YouTube videos.

The good news is there is a way to delete flash cookies in an orderly fashion and configure the settings for their use on your system. Adobe (owners of "Flash" - they bought it from Macromedia a couple of years back) have a Flash Management Application on their website; not surprisingly it is delivered in Flash. Full instructions on its usage and settings are all on the Adobe website and pretty much self-explanatory so I'm not going to repeat them here, here's the link...

Flash Settings Manager

It's definitely worth checking out if like my pals you haven't come across Flash Cookies before.
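
As an added example (not from the original post and not Adobe's code), this Python sketch inventories the ".sol" files under a Flash Player data folder like the one named above and reads the shared-object name from each file's header. The header layout (bytes 00 BF, a 4-byte length, the signature TCSO) and the rule for guessing the owning site from the folder path are assumptions, and the sample tree is constructed.

```python
"""Inventory Flash cookies (Local Shared Objects, *.sol) below a data folder."""
import struct
import sys
import tempfile
from collections import defaultdict
from pathlib import Path

SOL_MAGIC = b"\x00\xbf"    # assumed: first two bytes of a .sol file
SOL_SIGNATURE = b"TCSO"    # assumed: signature at offset 6


def read_sol_name(path):
    """Return the object name from a .sol header, or None if it is not one."""
    with open(path, "rb") as fh:
        head = fh.read(18)  # magic(2) + length(4) + TCSO(4) + pad(6) + name length(2)
        if len(head) < 18 or head[:2] != SOL_MAGIC or head[6:10] != SOL_SIGNATURE:
            return None
        (name_len,) = struct.unpack(">H", head[16:18])
        name = fh.read(name_len)
    if len(name) != name_len:
        return None  # truncated file
    return name.decode("utf-8", errors="replace")


def site_for(rel_path):
    """Assumption: the first folder that looks like a host name is the site."""
    for part in rel_path.parts[:-1]:
        if "." in part and not part.startswith("#"):
            return part.lower()
    return "(unknown)"


def find_flash_cookies(root):
    """Walk root and describe every *.sol file found (nothing is deleted)."""
    root = Path(root)
    records = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".sol":
            continue
        rel = path.relative_to(root)
        records.append({
            "site": site_for(rel),
            "file": rel.as_posix(),
            "bytes": path.stat().st_size,
            "lso_name": read_sol_name(path),
        })
    return records


def summarise(records):
    """Map each site to (number of .sol files, total bytes)."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        totals[rec["site"]][0] += 1
        totals[rec["site"]][1] += rec["bytes"]
    return {site: tuple(pair) for site, pair in totals.items()}


def build_sample_sol(name, body=b""):
    """Constructed sample: a minimal .sol header plus an opaque body."""
    rest = SOL_SIGNATURE + b"\x00\x04\x00\x00\x00\x00"
    rest += struct.pack(">H", len(name)) + name.encode("ascii")
    rest += b"\x00\x00\x00\x00" + body
    return SOL_MAGIC + struct.pack(">I", len(rest)) + rest


def make_sample_tree(root):
    """Constructed folder tree; only the youtube.com entry mirrors the post."""
    samples = {
        "youtube.com/soundData.sol": build_sample_sol("soundData", b"\x00" * 8),
        "#SharedObjects/ABCD1234/bank.example/session.sol": build_sample_sol("session"),
        "bank.example/truncated.sol": b"not a shared object",
        "bank.example/readme.txt": b"ignored: wrong extension",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def report(root):
    records = find_flash_cookies(root)
    for rec in records:
        print(f'{rec["site"]:<14} {rec["bytes"]:>6}  {rec["file"]}  name={rec["lso_name"]}')
    for site, (count, size) in sorted(summarise(records).items()):
        print(f"{site}: {count} file(s), {size} bytes")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(sys.argv[1])          # e.g. your own ...\Macromedia\Flash Player folder
    else:
        with tempfile.TemporaryDirectory() as tmp:
            make_sample_tree(tmp)    # offline demo on the constructed tree
            report(tmp)
```

Run it with the Flash Player folder as the only argument to list what is stored there; with no argument it reports on the constructed sample tree.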

Wednesday 12 December 2007

And Yet another UK Government Data Breach

It's the same old recipe...Take one UK Government department, a couple of Discs, copy thousands of records containing sensitive personal data of UK citizens on the Discs unencrypted and then post.

Don't these people ever learn!

This time it was the turn of Driver and Vehicle Agency (DVA) in Northern Ireland who dispatched two discs by Parcelforce on either 20th or 21st November. The discs holding around 6,000 people's personal details, never arrived at the intended destination, namely the DVLC Headquarters in Swansea.

The head of the DVA said the information was not encrypted and included the details of 7,685 vehicles and more than 6,000 vehicle keepers. The data included the keeper's name, address, registration mark of the vehicle, chassis number, make and colour. The DVA also said they were not optimistic that the discs would ever be found.

I'm not even going to post any more on this, in fear of repeating myself, just read my last post made last Friday... http://blog.itsecurityexpert.co.uk/2007/12/uk-government-infosec-is-systemically.html

Friday 7 December 2007

UK Government InfoSec is Systemically Broken

I don't really like knocking my own government, but their approach to protecting our personal information is like a banana republic.

This week another government department, namely the Driver and Vehicle Licensing Agency (DVLA), posted over 100 questionnaires holding people's details including their dates of birth and "Motoring Offence History" to the wrong addresses. The DVLA said it was caused by human error, as if to say it makes this breach acceptable. So this is another government violation of the government's own Data Protection Act; however it's pretty pointless fining these government departments isn't it, as it would be like fining yourself. There is just no "stick" to push information security in these organisations; it's not like the private sector where companies are heavily fined and breach publicity has a serious impact on a business brand, which is always important in competitive marketplaces. In my view there definitely needs to be a "big stick" from the top down to drive good security practice and culture within these organisations, otherwise no one will be bothered or have the time.

Meanwhile the acting head of the HMRC said there had been seven incidents of "some significance" involving data security breaches since April 2005. I thought that sounds a bit dodgy, as just who is deciding if an incident was significant or not, and how many minor incidents are there? Again I think this underlines the need for disclosure laws in the UK (no, they don't have to tell us about these data breaches), or even a disclosure policy for the government department would be a good start.

While on HMRC a reward of £20,000 is being offered for the return of two lost CDs containing the personal details of 25 million people. The Liberal Democrats valued the data on the CDs at £1.5 Billion the other day, so it's not much of a reward is it? I mean a good fraudster could pilfer £20,000 out of just one record, let alone 25 million records.

I think there needs to be a major shakeup and "investment" in how the government secures our private information. I think there is an appetite for this at the moment; I just hope it doesn't waver away as the media move on to other stories. After speaking to and advising many people about these incidents, it is clear these incidents have severely shaken any confidence most UK folk have in the government and the civil service; even I have changed my viewpoint on national ID cards. Meanwhile on the politics front, the opposition parties are having a field day with the government of the day, but I'm not so sure these incidents wouldn't happen under their governmentships anyway.

Tuesday 4 December 2007

The Power of PlayStation

I was fascinated to read about a New Zealand Security guy called Nick Breese, who conducted brute force password cracking experiments using the processor at the heart of the Sony PlayStation 3. He stated he was able to brute force 8 character passwords using the PS3 processor and a password cracking application in just hours; usually it would take days on a regular desktop PC. This type of password cracking typically defeats the type of protection you find on a password protected Zip file (*cough H-M-R-C missing CD cough*).

The PS3 multi-core processor, called the “Cell Processor”, was developed by Sony, Toshiba and IBM a couple of years back. The Sony version of the processor can calculate 256 billion calculations per second, which is faster than a 4GHz PC. It manages this speed due to having 7 cores within the processor, so it can carry out 7 calculations at the same time, so trying 7 brute force passwords at the same time.

Imagine the type of processing power that could be gained by installing a Linux OS and networking PS3s together and combining the processing power, as done with the old PS2; you could be talking a low budget super computer. Such processing power could have all sorts of positive uses beyond just password cracking, such as with research projects like the human genome. I must have a search on the net, to see if anyone else is using their PS3 to do things other than playing games.

Monday 26 November 2007

HMRC: CDs should be treated the same as the Server Room

This is rapidly turning into the HMRC data breach blog! I post a lot about this issue at the moment because I have a personal vested interest as do many others, there are further developments almost on a daily basis, and for anyone who cares about the security of personal information in the UK, this is still a huge issue which frankly still gives me great cause for concern, and provides much thought about data security in general, which I feel compelled to write about.

Anyway, I was in discussion with several people today in regard to the missing HMRC CDs; one view was that HMRC regarded the internal mail as "private" postage, a view which doesn't sit with me at all.

The way I think about it is like this, if you were to copy the company's entire database, "The" Crown Jewels of the organisation to a piece of media. Shouldn't you be applying the same security measures as to the live database, as held on the Servers? Think about all the physical security aspects of a server/comms room for instance, and the logical security within the IT Systems controlling the database. Would any IT professional ever consider removing the hard disks holding the database and posting them in the mail?

As for the "private" mail, well for a start HMRC use third parties for that, but even if they did it in house, personally I would still regard any internal mail as an untrusted medium, therefore I would insist on encryption of any sensitive or classified data sent through it as a matter of course.

Sunday 25 November 2007

HMRC: More Discs Go Missing, Is it Foul Play?

Yet more CD/DVDs have gone missing within HMRC's internal postage system, this time a batch of 6 "discs" have disappeared in transit between Preston and London. This incident was spotted by HMRC on 30th October and apparently held customer complaint conversations, which I certainly would regard as personal information.

This is the third HMRC postage containing sensitive CDs which has gone missing within the same month, October 2007. Don't forget the CD which HMRC sent (lost) to Standard Life, which held 15,000 records, as reported on 2nd November. I can't forget that missing disc, as my personal details were on it!

So I have to ask whether there could be foul play? I can't answer that for certain as I don't work for HMRC or know all the facts, however I'm going to have a go at speculating since two of the incidents involve my personal information.

Organised criminals have been known to target large institutions just for their data, going through external bins for info, using social engineering techniques, web hacking and even infiltrating organisations internally; there was a Scottish credit card call centre which was found to be deliberately infiltrated by a gang earlier in the year for money laundering purposes. It's too much of a co-incidence for three packages containing CDs to have gone missing in the same month; I had a period on eBay where I sold loads of DVDs once, and never had any packages go missing within the public postage system. It's not exactly hard to guess by the size and shape of the packaging that it holds a disc.

Interestingly if HMRC actually ships loads of CDs around their organisation all the time (which is bad) then you would have to say the stats wouldn't point to foul play at all. I do understand HMRC is a large and complex organisation, so it could be possible there are shed loads of CD/DVDs flying around HMRC; if there are, then there have to be better and more secure methods of sharing that information.

To sum up my own conclusion on this, either HMRC sends CDs within the post unprotected as a matter of course OR HMRC send only a few CDs around which would indicate possible foul play, OR it's just a big co-incidence!

A lot of fraud, particularly identity theft does start in the mail system, HMRC mainly use TNT to deliver their mail between sites and organisations. In relation to the 25Million record discs, TNT are stating they don't think that missing package has even entered their mailing systems, but as it's unrecorded delivery they can't be certain, and I understand TNT are searching for it. A spokesman for HMRC recently said "All the evidence points to the fact that these discs are still on our premises," - Well if you keep searching and searching (I'm sure no stone is being left unturned) and they don't turn up, I think there is only one likely conclusion to be reached.

Thursday 22 November 2007

HMRC: Emails Confirm Poor CD Password Protection

NAO have released details of their Email correspondence with HMRC leading up to the HMRC data breach, which answers a couple more questions I had about the incident.

Click Here for NAO Emails

From the NAO Emails it is very clear that the HMRC data was zipped (compressed to make the data files smaller), likely with an application called Winzip. The so called password protection of the CD we are told about is just a Winzip password, which wouldn't be very hard to defeat. See http://www.zipcure.com/ for instance.

On analysing what was said in the Emails further and ignoring the political spin about them...

NAO rep. states "I do not need address, bank or parent details in the download - are these removable to make the file smaller?" - Clearly NAO were not asking for the removal of the sensitive data for security, it appears the NAO wanted to receive a smaller database on the grounds of it being easier to manage on a single CD, i.e. a single zip file. This is contrary to the media reports which state NAO advised HMRC not to send sensitive information on security grounds.

So the NAO wanted the data to fit zipped on a single CD-R; in response to this request the HMRC rep. states "I must stress we must make use of data we hold and not over burden the business by asking them to run additional data scans/filters that may incur a cost to the department."

In my view I think this is an attempt to fob off NAO, rather than for a genuine financial reason, as running a report to filter out the unnecessary data doesn't have too much cost associated with it, it just takes a little time to organise. So I am guessing the HMRC rep. knew this and didn't want to go through the hassle of extracting the information out of the HMRC IT systems again. Sure I could be wrong in my assumption, I'm just going from past experiences with requesting stuff from busy IT bods.

These are my own views on reading the Emails, please let me know your views, and of course the content of these Emails makes absolutely no excuse for HMRC failing millions of people in not protecting our private information.

Wednesday 21 November 2007

HMRC: Who asked for the data and why?

I have now found out the answer to one of my burning questions in relation to the HMRC data breach. Which was, Why on earth would HMRC have any requirement to send the entire database outside their organisation?

The lost HMRC CDs were destined for The National Audit Office (NAO), a body which scrutinises public spending on behalf of Parliament.

http://www.nao.org.uk/
“The role of the National Audit Office (NAO) is to audit the financial statements of all government departments and agencies, and many other public bodies. We also report to Parliament on the value for money with which these bodies have spent public money. As well as providing accountability to Parliament, we aim to bring about real improvements in the delivery of public services.”

As part of the preparations for the 2007/08 audit of the HMRC by the NAO, the NAO instead of requesting the usual sample of data to audit, requested a full copy of client benefit data. No doubt because the funding and costs of child benefits has been a political hot potato in recent months.

However the NAO requested HMRC filter the information before sending it, removing details of parents, addresses and bank information. At this stage I was able to find out whether NAO requested the data to be shipped on CDs unencrypted or not, but nevertheless HMRC are still 100% responsible for sending the data in that fashion, and thus fully responsible for the breach.

But I can't help but wonder if someone within government instructed NAO to carry out a comprehensive audit of the HMRC. HMRC's own rules on data protection were bypassed, proper channels were not used; it's no excuse but could government pressure have been a factor?

Timeline of events
2 October 2007: The NAO formally asks HMRC for files on child benefit claimants.

18 October: HMRC tells the NAO that the CDs have been sent

24 October: The NAO informs HMRC that the discs have not arrived. The NAO asks for a second set to be sent – it needs them urgently to ensure an audit of HMRC’s accounts is not delayed.

25 October: The NAO confirms receipt of the second set of discs. Its staff point out that the first set has still not arrived.

5 November: HMRC confirms that the first set of CDs is still missing.

8 November: The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. It is only at this point that HMRC’s senior management is informed – but not the Chancellor of the Exchequer Alistair Darling who is responsible for HMRC.

10 November: HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs. Only now is Alistair Darling, the Chancellor, informed.

11 November: HMRC and the police search the NAO’s offices. Nothing is found.

20 November: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC resigns.

21 November: HMRC issues an apology.

HMRC: The Identity Theft Risk

Just to confirm what data was on those missing HMRC CDs (unencrypted):

Full Name
Full address
National Insurance Number
Date of Birth
Partner's details Names
Sex and age of children
Bank/savings account details

If those CDs fall into the wrong hands then half of the UK population are at increased risk of identity theft.

I think the information would be difficult to use to break into online bank accounts directly, although it's worth noting some people do use their children’s names as passwords and there is the odd password reset process which asks for your date of birth and mother's maiden name, but the fraudster would need to compromise the account holder's Email account or PC.

The real risk with this information is with Identity Theft, which is the UK's fastest growing crime.

What is Identity Theft? - Simply put, it is when someone assumes your identity and racks up credit\loans in your name with no intent of paying it, and/or commits other fraudulent and criminal activity in your name.

For instance a fraudster could easily use the HMRC information to purchase an expensive mobile phone on contract, with the victim being billed long after the purchase event. Fraudsters could use the information to setup credit and financial agreements without your knowledge too. There have even been ID Theft cases with fraudsters assuming children’s identities which can go unnoticed for years.

I would expect fraudsters to use such information in targeted attacks, for instance phoning you or Emailing you, and impersonating a representative from your bank, in an attempt to steal access to your bank account online. Example being, "Hi, it's X bank here, just to confirm you are MrsX, your post code is X and Date of Birth is X, we need to reset your online banking password to protect against fraud with HMRC breach, it will only take a minute of your time..." It wouldn't be hard to find your phone number, knowing your full name and address, while the HMRC CD would provide bank name, your name, post code and Date of Birth.

In some cases the fraudster could even guess your online verbal password, as more often than not, it's the name of the son/daughter, and even if it's not, it's possible to fool someone into forgetting they had set it as such. This information is all held on the HMRC CD.

So what can we (yes I'm a victim too) do to protect ourselves?

The most important thing to do right now is to be extra vigilant, lifting advice from my recent ITSE "Reducing your Risk of Identity Theft" Guide:

Q. What are the tell-tale signs that I might be a victim of Identity Theft?

A. There are several signs to look out for:

• You are unexpectedly rejected with loan or credit card applications, even though you have a good credit history
• You receive debt collecting mail from companies and solicitors for debts you know nothing about
• Missing post: expected bank and credit card statements, and especially replacement credit cards and cheque books, do not arrive
• You receive bank and credit card statements that you haven’t set up, or hire purchase agreements or mobile phone contracts you know nothing about
• You receive bills, invoices or receipts addressed to you for goods or services you haven’t used or asked for.

Also I would like to add, if you use one of your children's names as a password for your online bank account, change it.

Personally, I know which bank details HMRC hold in my case, so I'm going to close down that account and open another account with a different bank. I am not saying everyone needs to take such action, as to be honest it's a major hassle to do, but it's my own personal action to reduce my own risks, as I'm particularly careful about my own personal information security.

Also take note of the following advice by the UK government
• Mr Darling said people should check their bank accounts for any "irregular activity"
• He said there was no need for people to close accounts as the details would not be sufficient to allow fraudsters to access them
• But people should not give out personal or account details "requested unexpectedly" by phone or by email
• Banking industry body Apacs advised people who bank online to monitor accounts and change passwords if they are a child's name or date of birth
• Contact your bank immediately, but only if you spot something suspicious as banks are expecting to be overwhelmed with calls
• Banks also warn customers to be on the lookout for signs of ID theft and fraud - such as regular post like bank statements going missing, bills for items you have not bought, or letters approving or denying you credit you know nothing about

Tuesday 20 November 2007

HMRC: UK's Biggest Data Breach Ever

The loss of two CDs holding 25 Million personal records by HMRC is the biggest data breach in UK history; it's almost half the population. The data lost included children's names, full addresses, dates of birth, National Insurance numbers and where relevant bank and building society account details.

How did this breach occur?
In October, a junior HMRC employee downloaded the entire HMRC database and placed all the data onto two CDs, and then put the CDs in a Jiffy bag and stuck it in the internal post for the attention of NAO, who requested it. This package never arrived at the destination NAO, so on finding out the same junior HMRC employee downloaded the entire database and placed the data on CDs again, but this time sent it by recorded mail; this did arrive. The lost CD is described as password protected by HMRC, however I would like to make it very clear the data on the CD is NOT encrypted, therefore is far from secure from being read, and I understand the password system can be easily defeated.

My first question I have here is that it shouldn't even be possible for any junior employee (or senior employee for that matter) to extract all of the data from the HMRC system; clearly there are no controls in place within the databases and IT Systems at HMRC. I have also heard from a source that the IT systems at HMRC are a bit of a mess, which the lack of basic security controls for me confirms as fact.

My second question is over how the data was transferred; clearly in this day and age there are many secure and more cost effective methods of sending sensitive data to third parties, and it's a completely unacceptable practice to send any sensitive information on unencrypted media, never mind 25 Million records. Clearly the junior employee doesn't even have a basic information security awareness, therefore this points to a lack of a security culture within the HMRC, which I would have thought would have been a priority considering the sensitivity of the data with HMRC.

Thirdly, HMRC are in clear breach of the Data Protection Act, will they get punished? Is it even worth considering fining them, as they are publicly operated, so it would basically be fining yourself? So just where is the drive to improve information security within HMRC going to come from?

Finally, this isn't the first incident involving HMRC in recent times, are they investigating incidents and learning from the mistakes? Clearly I think not.

So typical records on the missing CD include a full name, full address, Date of Birth, National Insurance number, children's names and even full bank account details. In the wrong hands this information could literally ruin lives. I'll blog more about the risks and consequences of this information being used for identity theft tomorrow.

How does this incident affect me personally? Well two weeks ago I got compromised with the missing CD sent by HMRC to Standard Life, today I find that my Wife's bank account and my children's details are compromised too, so a real clean sweep by HMRC in my household.

Shambolic HMRC loses yet another CD

It’s well documented on this blog how the UK Government department, Her Majesty's Revenue & Customs (HMRC), failed to protect my own and 15,000 others' personal information, losing a couriered unencrypted CD a couple of weeks back, and then there was the incident with an unencrypted HMRC laptop going missing a couple of weeks before that.

Now they have completed the hat-trick big time, this time losing a bunch of CDs holding 15 Million child benefit records, which I understand held names, addresses, dates of birth and bank account details for around 7 million British families.

Apparently the CD went missing after being couriered between HMRC headquarters in Washington, Tyne and Wear and London; exactly when and how this happened isn’t clear yet, however ministers have known about the problem for 9 to 10 days. I understand another HMRC internal investigation is underway, while the police are still investigating.

So yet again the CD was sent unencrypted and yet again I wish to highlight there are more efficient, cheaper and secure ways of sending personal data, as well as the totally unacceptable and irresponsible practice employed by HMRC.

So this time the HMRC chairman, Paul Gray, has resigned over this issue, and to quote him directly “I had hoped to be around for a while longer, and to have had the continuing privilege of leading HMRC towards the vision we have been developing. I am extremely proud of what all of you in the organisation have achieved during my time as deputy chairman and chairman."

The issue is being raised in parliament as I type, with Tory MP Nigel Evans saying "He should have told the public straight away in order that they could have taken precautions against anyone's information being used by ID fraudsters."

And for the Liberal Democrats, Chris Huhne told the BBC: "It is a horrendous problem; it's one of the biggest failures in a major government department that I can remember. It's an enormous delivery problem and I think that clearly that's been recognised by the head of HMRC when he resigned... I would be surprised if we did not see ministerial heads rolling as well."

I wouldn’t be surprised either. Meanwhile, with my own case with HMRC, I have written letters to my local MP, the Information Commissioner and the Minister responsible for data protection, and I’ll report back any responses and further developments. Although I expect from this point on, my issue will be completely overshadowed by this very significant incident, involving millions of people's records.

Monday 19 November 2007

UK WiFi Theft is Rife

A recent UK survey by Sophos revealed 54% of those surveyed had used someone else’s wireless Internet access without permission. Many within the media are calling this practice “WiFi Piggybacking”, and I’ve even seen quotes from liberal academics backing the practice. In my view this is plain and simple WiFi Theft, it's wrong and it’s completely illegal in the UK.

The offence is under section 125 of the Communications Act 2003, which states that "a person who (a) dishonestly obtains an electronic communication service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence". The maximum penalty is six months in jail and/or a fine of up to £5,000. There have been several prosecutions under this act. In fact I'm aware of the arrest of a 39-year-old man in August, who was spotted using his laptop in the street, accessing an unsecured WiFi connection within someone’s home in Chiswick, London.

I have heard some people say they don’t care if their neighbours use their WiFi for Internet access. Well first of all, every UK ISP I have encountered has a clause within the contract, which clearly states you aren’t allowed to share your WiFi Internet connection with your neighbours. Secondly, if you leave your WiFi broadband open, it gives anyone (even your neighbours) the ability to browse illegal and unsavoury websites, commit online fraud, download illegal movies, and even host illegal movies and unsavoury material. All of this activity is done in the name of the WiFi owner. Some people still don’t realise that Internet usage is far from anonymous; everything can be easily traced back via your ISP to you. So if someone uses your Internet bandwidth illegally, it will be your doorstep the authorities will darken. Thirdly, someone connecting to your WiFi connection can eavesdrop on your Internet activity, reading your Emails, building up a profile for identity theft and gathering any non-encrypted website usernames and passwords. Fourthly, many ISPs provide bandwidth limits, especially the cheaper deals out there, so your Internet usage is quite literally a limited resource, and you certainly shouldn’t want others stealing and using it.

How many unsecured home WiFi connections are there in the UK? Well the answer is about 1 in 4 residential wireless routers are unsecured, according to Moneysupermarket.com, who commissioned an amateur hacker to test the quality of wireless security in the streets of Liverpool, Manchester and Chester earlier this year. About 88% of people secure their home PCs from the Internet with Anti-Virus and Firewalls, but it seems significant numbers are neglecting to secure their WiFi Routers. It’s possible for bad guys to compromise an unsecured WiFi router and bypass the security on the home PC, particularly if you think about the consequences of changing DNS settings and routing on the WiFi Router, so keeping the default WiFi Router name and password and leaving your WiFi unsecured isn’t such a great idea.

Friday 9 November 2007

Frank Abagnale's advice to me Re:HMRC

I know all about the various methods and processes by which HMRC could have protected my private information, but now my info could be in the wild and in the hands of bad guys, so who better to give me some advice than Frank Abagnale? If you haven't heard of Frank, he's the guy the "Catch Me If You Can" movie was based on. After serving his time, Frank provided consultancy to several banks, helping them to beat fraudsters, and he went on to be known and respected as a leading expert in Identity Theft. Here is his advice to me...

"Sorry that this happened to you.

Most of the time when identities are lost/stolen in this method, the people who steal the information sell it to a buyer who sits on it normally for about 2 -3 years. Unlike stealing credit card data where the credit card issuer can cancel the cards, you can't change your name, date of birth, National Insurance Number/Social Security Number, etc. So the longer they sit on the information the more valuable it becomes to the buyer when he decides to become the seller.

I would recommend a service that is now available in Great Britain called PrivacyGuard (http://www.privacyguard.co.uk/). Over 6 million Americans use PrivacyGuard including myself. PrivacyGuard monitors all three credit bureaus and notifies their customers in real time by e-mail or text message (not by a letter) if someone is attempting to get credit or open an account in their name. Typically over here, when information has been lost by the fault of a company or government agency, they provide the potential victims the monitoring service for free for one year. I would demand three years to protect oneself thoroughly."

Interesting point about how bad guys sit on the info and sell it on down the line, I'm going to take his advice and check out PrivacyGuard and post what I find out next week. Still there's going to be a charge to use this service, I wonder if I should try and get HMRC to foot the bill?

Thursday 8 November 2007

Lack of Data Disclosure Laws

Well I lodged a complaint about HMRC with the Information Commissioner today, basically the guys who enforce the Data Protection Act, as I am still far from happy about the bad practice which led to my personal details being lost by HMRC, the time it took for disclosure and then being misled about the data encryption of the CD. I'll post up the response when I get it.

Meanwhile I noticed my involvement with this was discussed on Martin McKeay's (and Rich Mogull's) excellent Network Security Podcast. By the way, I heartily recommend this podcast for anyone who is interested in learning more about Information Security and the latest topics within the field. One interesting point was made about the lack of disclosure laws we have in the UK compared to the US, which I have to say is true: we don't have any clear laws on breach disclosure within the public and private sectors, we rely on and trust companies' and organisations' ethics. I think it would have been a very dangerous game for HMRC to sweep such a data breach under the carpet, due to the importance of transparency placed on government and the UK media reaction etc.

So, we need to have clear breach disclosure laws in the UK, so I checked the Prime Minister's website to see if there was an online petition, and there was one, but it had closed at the end of October 2007, so I couldn't sign it.

"We the undersigned petition the Prime Minister to review existing data protection legislation and improve the reporting of information security breaches in the public and private sectors".

It was signed by 339 people. So perhaps I'll look into setting up and promoting another petition further down the line, well not unless this one proves successful! Actually perhaps I should try it the old fashioned way and lobby my local MP or the Minister responsible for Information Technology.

http://petitions.pm.gov.uk/fulldisclosure/

Wednesday 7 November 2007

HMRC Data Breach CD was NOT Encrypted

I phoned HM Revenue & Customs (HMRC) again today to obtain further clarification on whether their missing CD was encrypted or not, as on Monday I was categorically told by a HMRC representative the CD was encrypted, although he couldn't say what type of encryption was used; in fact I repeated the question three times to be sure. After reading conflicting press reports about encryption of the CD, I decided to phone HMRC again today. This time I was told by HMRC the CD wasn't encrypted after all, so I was completely misled by them on Monday then.

This just goes from bad to worse.

And get this, I was then told not to worry as although the names were readable within the files on the CD, my National Insurance, Date of birth and pension reference details would be "difficult" to read! In other words the data was in an unformatted state. I explained to the HMRC rep. that it was actually something to worry about, as it probably wouldn't take too long to render the "unformatted" data into a nice neat table of 15,000 records.

Just to recap the main point, this means NO ENCRYPTION was used on the CD (otherwise the names wouldn't be readable). It is a cardinal sin (and a crime?) to send people's personal data on a CD completely unprotected through public channels i.e. the courier/post system. In this day and age there are many more secure (and cheaper) ways than posting people's details unprotected on CD media.

If HMRC think the data being a little hard to read is the equivalent of it being encrypted, well I'm afraid to say they really are in a bad state of affairs information security wise.
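The difference between "hard to read" and "encrypted" can be checked mechanically before any media leaves the building. The Python sketch below is an added example, not anything HMRC or this blog used: the thresholds, function names and sample records are all assumptions constructed for illustration, and it shows that unformatted, base64-encoded or XOR-scrambled data still fails a simple "does this look encrypted?" gate.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Thresholds are assumptions picked for this illustration, not a standard.
MIN_ENTROPY = 7.5          # bits per byte; good ciphertext sits just under 8.0
MAX_PRINTABLE = 0.5        # uniform random bytes are about 37% printable ASCII
NAME_RUN = re.compile(rb"[A-Za-z][A-Za-z ]{11,}")  # 12+ letters/spaces in a row


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (space to tilde)."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def check_before_dispatch(data: bytes):
    """Return (ok, reasons); ok is True only if the payload looks encrypted."""
    reasons = []
    entropy = shannon_entropy(data)
    if entropy < MIN_ENTROPY:
        reasons.append(f"entropy {entropy:.2f} bits/byte is below {MIN_ENTROPY}")
    ratio = printable_ratio(data)
    if ratio > MAX_PRINTABLE:
        reasons.append(f"{ratio:.0%} of bytes are printable text")
    runs = NAME_RUN.findall(data)
    if runs:
        reasons.append(f"{len(runs)} readable text runs, e.g. {runs[0][:20]!r}")
    return (not reasons, reasons)


def build_unformatted_sample(count: int = 400) -> bytes:
    """Constructed data: fixed-width records run together with no separators,
    the kind of 'unformatted' file that is awkward to read by eye."""
    surnames = ["SMITH", "JONES", "TAYLOR", "BROWN", "WILSON"]
    out = []
    for i in range(count):
        name = surnames[i % len(surnames)].ljust(20)
        ni = f"QQ{i:06d}C"                      # made-up NI-style value
        dob = f"19{50 + i % 40:02d}{1 + i % 12:02d}{1 + i % 28:02d}"
        plan = f"PLN{i:07d}"                    # made-up plan reference
        out.append(f"{name}{ni}{dob}{plan}")
    return "".join(out).encode("ascii")


def ciphertext_stand_in(length: int) -> bytes:
    """Constructed stand-in for real ciphertext: SHA-256 over a counter gives
    evenly distributed bytes. It is not an encryption routine."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def run_demo():
    """Run the gate over four versions of the same constructed file."""
    plain = build_unformatted_sample()
    samples = {
        "unformatted": plain,                              # as described above
        "base64": base64.b64encode(plain),                 # encoding, not encryption
        "xor-0x5A": bytes(b ^ 0x5A for b in plain),        # scrambling, not encryption
        "encrypted": ciphertext_stand_in(len(plain)),      # what real output looks like
    }
    return {name: check_before_dispatch(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, reasons) in run_demo().items():
        verdict = "RELEASE" if ok else "BLOCK"
        print(f"{name:12} {verdict:8} {'; '.join(reasons)}")
```

Passing this gate does not prove a file is encrypted, since compressed data also has high entropy; it only catches the failure described here, where readable or lightly scrambled records are about to be sent out.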

I went on to ask whether anyone had issues with ID theft & unusual access to National Insurance records and was told none as yet, but since the victims (including me) are stuck with the same NI number, name and DoB for the rest of our lives, I guess there is plenty of time for that.

Monday 5 November 2007

HMRC Data Breach Update - I'm vulnerable!

I'm vulnerable to Identity Theft thanks to HMRC Update

It turns out I’m one of 15,000 Standard Life customers to be at risk of fraud after personal details were lost by HM Revenue & Customs (HMRC).

I had confirmation in addition to the letter I received on Friday. The CD holding my info (including National Insurance Number, Date of Birth and info about my pension) was sent from the Revenue office in Newcastle to the Standard Life’s HQ in Edinburgh, however the CD never arrived, apparently lost by the courier firm.

Also I heard a rumour that a second CD containing data on some customers from an unnamed second company has also gone missing, which if true might suggest something more sinister is afoot.

HMRC have been quoted as saying the incident happened at the end of September, a whole month before any notification, which isn't good as they should be notifying much quicker than that.

And on the data encryption front, HMRC won't say whether the information was encrypted or not "on security grounds" – to me that statement implies the data wasn't encrypted, however I called them up and spoke with an operator about this issue, and he said the data was encrypted, and can only be read by Standard Life and HMRC. Which begs the question why aren't HMRC providing any assurance in stating this in the letter and on press releases? So I asked what type of encryption was used, but the HMRC call operator didn't know. Then I asked to speak with someone senior who could answer my questions, he said they wouldn't know either as they are still investigating the incident.

I’m still gathering further information, and I’ll post more details and my findings when I get more answers.

Friday 2 November 2007

I'm vulnerable to Identity Theft - Thanks a lot HMRC

When I arrived home today I was greeted with a brown letter from Her Majesty's Revenue & Customs (HMRC). Did I owe them tax? No, much worse than that, HMRC have exposed me to Identity Theft big time, just less than a week after I posted up a guide on "Reducing your risk of ID fraud" too.

So here we have a top UK Government department which has dropped yours truly into serious risk of Identity Theft, through no fault of my own. To quote from the HMRC letter...

"At the end of September HMRC sent a CD to your pension provider, X (I've X'd them out as they're not the ones at fault) with your surname, national insurance number, date of birth and plan reference number included on it. We are very sorry to tell you that the CD was lost after it had been collected from HMRC by HMRC's external courier and before it was delivered to X. This means that there is a possibility that your personal data could be accessed by someone other than HMRC or X."

My blood is really boiling!
(I've had to go through this post and delete out all the swearing!)

1. It might be just a coincidence, but it’s a little bit convenient sending me such a letter to arrive on a Friday or Saturday, when the HMRC offices are closed over the weekend. I’m concerned and I want answers now!
2. ENCRYPTION - This is the biggy - Why the hell did they not encrypt the data on the CD?
3. In this day and age, there are plenty of better ways of sending such sensitive data in a completely secure manner, rather than couriering media around the place. Have they ever heard of PGP and VPNs?
4. The Data Protection Act, have they broken the law?
5. How many other people's details were on that CD? I've not read anything about it in the press. Or how many other CDs have gone missing?
6. This breach occurred in September, it's November now… When exactly in September did it happen? How long before they knew the CD was missing? Why has it taken between 1 and 2 months to notify me?
7. Has the incident been investigated? What's the result of the investigation? Do HMRC recognise they have a security hole within their business processes? Has it been corrected?
8. Now my personal details could be in hands of bad guys, how are they going to protect me?
9. What steps should I be taking to protect myself now?

Answers to these questions and more when the HMRC offices open again on Monday morning, and I try to get some answers. I invite you all to join me in trying to hold the UK Government to account, for this heinous breach of my (and possibly many others') personal data.

Thursday 1 November 2007

Unclever but Lucky People!

I just happen to own the domain “Network-UK.com” which I leased several years back as part of a project I was working on, which really didn’t get off the ground. Anyway for several months now I have been receiving misdirected Email to this domain, almost on a daily basis now, Email which appears to be meant for a London based UK employment agency using a similar domain name, addressed to a variety of individual accounts at the domain rather than one. Which in itself is kind of expected, however it’s the content of these misdirected Emails which really concerns me. Due to the way forwarding works to my inbox, I can’t instantly tell if an Email was forwarded or not, and on occasion within my preview panel I can see these Emails are about wages claims, and often include Full Names and Addresses, Bank Account numbers with Sort Code and bank name, Full Names and Phone numbers, National Insurance numbers, and even on occasion full colour scanned copies of passports! Which, as we all know, is a really unclever thing to send to anyone over Email.

Out of courtesy and concern I made several efforts to contact the intended email destination company in question, however so far I have had no replies. I can’t help but wonder whether they are encouraging their punters to send such sensitive details by Email in the first place, however lucky for those punters it’s me that receives their sensitive details and deletes on receipt. It really goes to show that there are plenty of regular people out there who don't know how to be secure using the Internet.

It looks like I am going to have to put an Email auto-reply to all email received to this domain, as I really want to avoid receiving such sensitive details in the first place, however I would be interested if anyone had any advice to offer to me on this one!

Wednesday 24 October 2007

Identity Fraud Protection Guide Completed

I have completed and uploaded my guide to "reducing personal risk of card & identity fraud", with 20 key tips and some FAQs about Identity fraud/theft.

I had a lot of interest and requests to produce a formal guide by various site visitors and offline friends. I'm aware most of the guide will be just common old sense to any security professional out there, but neither the guide nor my website generally is aimed at that level.

Monday 15 October 2007

Why do Spammers Spam?

I noticed Microsoft's Eileen Brown was pondering Spam in her Blog, asking “Why the heck do these spammers keep on spamming people?"

http://blogs.technet.com/eileen_brown/archive/2007/10/15/a-lot-of-spam.aspx?CommentPosted=true#commentmessage

Well here’s my response…

It is because out of the tens of thousands of Spam Email they send, which costs practically nothing, there are always one or two gullible people who click through to buy a product or get done, making it a profitable and worthwhile exercise.

“Two years from now the Spam problem will be solved” - Bill Gates, January 2004

Bill got that wrong, it's increased big time since then.

Why the problem? Well Standard Email is just not secure, it is impossible to tell or control who has actually sent them, not without using Certificates and PGP etc, even the latest Anti-Spam software isn't the silver bullet.

Thursday 11 October 2007

Contactless Cards: Convenience before Security?

I was on national Radio Monday lunch time, taking part in a debate on cashless societies; specifically I was giving my (the security) perspective on the new Contactless Debit/Credit Cards, which will be rolled out within the UK early next year. My points were as follows:

Since the introduction of Chip & Pin in the UK a couple of years ago, there has been a significant reduction in credit card fraud at the high street till (cash register), even the latest figures for the last six months show credit card fraud at the cash register is down by 11%, despite an overall rise in UK card fraud of 26%, which underlines the growing problem with card fraud. The trends show the bad guys are increasingly stealing UK card details to either use online, or to use them in countries where PIN numbers are not required to process transactions, i.e. using the magnetic strip on the back of the card instead of the chip, which I’ll get on to later in this rather lengthy post.

The reason why Chip and Pin is successful is that in principle it uses a two-factor authentication system, in that one factor is the card which is something you have, and the second factor is the PIN number, which is something you know; you need both to authorise the transaction. However to use the new contactless cards all you need to do is “wave” the card about 5 centimetres from the contactless (RF) card reader and you’re done, which is a single factor system, as all you need is the card in your possession, so if a bad guy gets hold of your wallet... It's also worth stating that the contactless RF functionality will go onto existing bank and credit cards, rather than a special blank “cash only” card. Visa said it will ask for pin number after every £50 spent or so, and can only be used for transactions under £10, which may rise in the future. In my opinion this is putting Convenience ahead of Security. During the debate I cited the following example, in that I “punished” my kids by taking them through a fast food drive thru over the weekend, at the pay window a chip and pin reader was handed to me (cabled not wireless), and within 12 seconds (yes I timed it), I had pushed in my card, entered my pin, been approved, removed my card, and handed back the chip and pin terminal, this for a transaction of less than £4, so retailers do have the technology to provide quick two factor authentication for small transactions with the regular system. I do understand the convenience of speed with the so called “wave and pay” system, but my argument as a consumer, is I should at least be given the choice to always use my pin with every RF transaction, especially if RF becomes mandatory on future cards.

I brought up the topic of RF skimming, in that for around £100 to £150 I could build my own RF reading device which could activate the passive RF chip within a contactless card and read it when in range. I know it’s encrypted and so not much sense can be made of what can be read, which Visa provided assurances over during the debate, however the UK passport agency said the same thing about their RF system within UK passports, only for a security professional to break the encryption system, accessing details from a passport without even opening the envelope it was in. Here lies another of my concerns, it's fairly common knowledge a lot of credit card fraud and card theft starts within the postal systems in the UK, the fact is I could use my custom RF reader as a contactless card detector, a kind of a credit card metal detector if you like, which would tell me which envelopes had cards in. I only hope they wrap the cards in tin foil or something similar, to insulate the RF when issuing them by post.

Following on from the RF encryption, which by all accounts is better than the UK passport, I followed up by asking when will credit card issuers get rid of the magnetic strip on the back of cards, as most of the information on the magnetic strip isn’t encrypted and allows easy card cloning and skimming by the bad guys, no real answer on that apart from it was needed for international purposes, again I would prefer the option of not having a magnetic strip on the back of the card, since nearly all of my transactions with cards are made with a chip reader.

If only I could customise my own credit/debit card, which I’d be happy to pay a premium for, for a start I would have my picture “etched” onto the card (three factor authentication possibilities!) and no magnetic strip, but the trouble is always the same with good security, it comes down to a decision of Risk Vs Cost, which is ultimately made by the credit card folks, who take the biggest hit on paying for credit card fraud, however they pass that to us within card interest rates. Just to make that clear, if you are a victim of fraud by the contactless cards system, you will get your money back according to the guy from Visa Europe, however there is always a hassle factor and stress factor to consider for the card consumer, so perhaps as consumers we really should expect better security.

Other interesting points raised, there are retailers who won’t accept card payments under £10 or will add a surcharge, so I doubt if contactless cards are going to take off with them, as it was kind of the selling point, that you could walk into your local newsagent and use a contactless card instead of money, however most newsagents don’t currently take cards due to the transactional costs imposed by card issuers. And what if I had, let's say, a MasterCard Contactless Card and a Visa Contactless card in my wallet and I wave my wallet at the RF reader, will it work and how do I know which card I paid with?

Another topic that was discussed was payments by mobile phones, again it came down to whether it was a two factor authentication system, i.e. if the user had to enter a password or pin, I had no problem, however if it meant you only needed a phone, then it turns the phone into an instant cash item, which could be really worrying for the younger sections of society, which is where most mobile phone theft (muggings) occur. I have blogged and even Podcasted about poor mobile phone security in the past, which could be another attack vector to consider with such payment systems.

Make no mistake, I’m a fan of a cashless society although I think it is still many years away. I like new technology, and I do know nothing can ever be 100% secure, I just don’t want to see basic security corners cut and backward steps taken, as I think society in general has a long way to go in getting to grips with Information Security.

Sunday 7 October 2007

Reducing your Risk of Credit Card & Identity Fraud

Here are my 15 tips to help reduce your personal risk of credit card fraud and identity fraud. Oh, when I say identity fraud/theft, I mean when someone assumes your identity to rack up credit/loans and other fraudulent activity in your name.

1. Invest in a decent shredder, avoid cheap shredders they are a false economy, they often don’t last long anyway, and can make shredding a real chore. Try to get into the habit of regularly shredding receipts, statements or anything else with financial and personal information.

2. Never ever disclose your PIN number, login details or passwords. Often fraudsters will “confidence trick” by appealing to either greed or fear. For example if you are told you have won a competition or entry into a free cash draw, but you have never entered the competition, I 99% guarantee it is either a scam or an attempt to collect your personal details for marketing, just remember there is no such thing as a free lunch. Also fraudsters will use fear to bypass your normal cautious thinking, often fraudsters impersonate organisations like your bank or your favourite online auction site, stating they have detected a security breach with your online account, and you must validate your details.

3. Never ever write down passwords, login details or especially Chip & Pin number.

4. Never send card details or bank details by Email, even if a hotel or online shop requests your card details by Email. My golden rule with Email security is, if you are not happy to write the Email contents on the back of a postcard and post it, you shouldn’t be writing it within an Email, as Email is not a secure medium. Also when reading your Email, the sender's Email address and Name is no guarantee it is from that person or organisation, and of course never accept Email attachments, or click on links within Emails you aren’t sure of or expecting.

5. Never let your debit/credit cards or your card details out of your sight when making a transaction in the real world. Unfortunately low paid shop staff are some of the worst culprits when it comes to card fraud, either collecting card details and selling them on, or committing fraud directly themselves, it only takes seconds for them to steal the info from your card.

6. When using Chip and Pin devices or cash machines, use your free hand to shield the number pad as you type in your PIN. This will provide protection against bad guys who “shoulder surf” and hidden cameras.

7. If you can, avoid divulging your card details by telephone. You don’t know who might be listening nor can you see the person collecting details, and what they might be doing with them.

8. With online banking, always type in your bank website address directly in the address bar of your web browser. Never click on web links, especially those sent in Emails.

9. At all times, make sure your computer has up-to-date anti-virus software, up-to-date Microsoft Windows Patches, Anti-Spyware and a Firewall installed and Enabled.

10. When Shopping online, make sure the webpage is encrypted before entering any personal and credit card details. Look for a locked golden padlock and “https” at the start of the web site address. You probably wouldn’t give your credit card details to a street trader right? Well consider the same approach when shopping online. If a website looks dodgy and you have never heard of the business, you probably should go with your instincts, as you would in the real world.

11. Always check through your statements, and chase up any anomaly you find, even the smallest unexplained transaction could be a sign of identity theft or account compromise.

12. When filling out forms or being asked for personal information verbally, never be afraid to question what you are supplying, as it is all too easy to go into autopilot. Let’s say someone knocks on your front door promoting a new local car wash, and gives you a discount voucher and then proceeds to ask for your name, Email and phone number. Ask yourself why that information is being collected and question the promoter about what the car wash company will do with it. Don’t be afraid to question organisations as well, about how they are going to protect your personal information, read up on their privacy policies before parting with your personal information, know what you are letting yourself in for.

13. Always keep your guard up, it's not as easy as it seems. We are all bombarded with requests for our personal information on a daily basis, whether via a street survey, or a small opt in check box on a form, always try to avoid giving up your personal information unnecessarily, often the people collecting it will sell it on to marketing firms for a profit or even worse.

14. Keep track of your bills, if every month you get a credit card statement, and one doesn’t turn up, chase it up. Also when you receive a new cheque book, check all the cheques are present, one cheque scam committed by fraudsters is to intercept the mail, open it and steal a couple of cheques from near the back of the book and then cash them, before resealing and sending on the cheque book; it's far too late before the victim discovers the missing cheques.

15. If you feel particularly concerned that you might be a victim of identity theft, arrange a credit check on yourself to make sure. (I plan another blog around dealing with this at a later date)

Tuesday 25 September 2007

A tale of Social Networking sites (yet again)

In my last post the last thing I advised was to be careful what you post up on social networking sites, as it may come back to haunt you, well I had barely uploaded that post when yet another social networking news story broke in the UK.

The British people love their Tennis and particularly Wimbledon, but for decades now we have been really unrepresented in this sport, with only one or two players in the top one hundred, which for a country of over 60 Million and a decent sized middle class, is pretty poor form. To remedy this, the Lawn Tennis Association (LTA), has been ploughing money into supporting young tennis players, which makes good sense really.

Well two of these funded young players were found publicising a lifestyle of partying, drinking and eating junk food on the Bebo social networking site. Pictures included one in a street holding an empty bottle with the caption “Me Drunk for a change”, and statements saying hates-“hangovers after a good nite owt[sic]” and “wiv the boyz parting and chillin[sic]”.

The players had left their social networking sites unlocked for the whole world to view. The LTA and public have taken a poor view after seeing what they posted up, which resulted in the LTA taking action, withdrawing their funding for these players and warning several other players.

Putting aside the morals and the rights and wrongs, these young tennis players have seriously jeopardised their careers by their postings online, if they had been more careful in the way they used their social networking space, they probably would have got away with it, after all we were all young once, instead their statements and images are now all over the British media and they have lost their tennis funding.

These young tennis players aren’t the first to have their careers damaged as a result of postings on a social networking site, employers in the UK have sacked several people over postings online. Today I am seeing more and more employers checking social network sites as a background check, before they even decide on employing someone, so just be careful what you post online.

Monday 24 September 2007

Facebook's Privacy Policy

A Facebook enthusiast recently asked me why I "hated" Facebook so much. Well, I don't hate Facebook at all, and I have never posted or said such a thing; however, I have to say I am not mad keen on the idea of the site and where it might be heading. Let's take Facebook's privacy policy for instance: it is over 3,500 words in length and has the little caveat of “We reserve the right to change our Privacy Policy and our Terms of Use at any time.” Given that statement, you have to ask yourself whether you can trust Facebook with your private data. Their policy is well worth a read if you are a user of the site.

http://www.facebook.com/policy.php

So there are no restrictions or guarantees on how Facebook can use the huge amount of user personal data it has built up in recent times; some might say most of the company’s high value is based on the marketability of this data.

Then there is the old fundamental flaw of all social network sites, in that there isn’t any identity validation, so anyone can pretty much pretend to be anyone. Just how many people have huge and unmanageable lists of “friends”, “friends” they just don’t know and have never met? Putting aside the issue of your personal information being available to complete strangers, in July spammers successfully used Facebook to create realistic profiles like ordinary users, persuaded people to accept them as a friend, and hit their inboxes with spam. I understand Facebook internal spam is on the rise at the moment.

I’m not saying social networking sites are all doom and gloom; they have their uses and a place in the business and social worlds. But just be careful how you use them, especially who you accept as a “friend” and what you post up about yourself, as it could come back to haunt you!

Friday 14 September 2007

Google on Global Privacy Standards

My love / hate relationship with Google is definitely in the loving zone after I heard Google chief Peter Fleischer calling for Global Privacy Standards. I won’t regurgitate what Fleischer said, as there's a perfectly good report on the BBC News website linked below.
http://news.bbc.co.uk/1/hi/technology/6994776.stm

Also check out this link to a report which I touched on a couple of months back; you should find it quite interesting if you are into personal privacy online.
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961

I really think a hundred years from now, when history looks back on the last couple of decades, it will be recognised as the start of the Information Age, and when it comes to personal information privacy and information security, we are merely still trying to take our first steps. So it's just so refreshing to see that Google are looking ahead and attempting to take a lead in this area, and let's face it, Google are getting so powerful these days, they certainly could help push us forward. So tonight I salute you Google, who incidentally also do a great job in hosting this blog for me free (not that I'm Google biased of course!)

Anyway I’m about to fly out to Toronto, Canada for the PCI Council meeting next week, so hopefully I might have some very interesting (or not) PCI posts next week.

Friday 7 September 2007

Facebook: Welcome to the World of Google Hacking

To be completely honest, sites like Facebook have the same appeal to me as reality TV, which is almost zero! Anyway, a friend of mine a couple of months back bullied me into setting up an account on Facebook. But being a typical paranoid security guy, I didn’t upload any photos or post any personal information, other than my name and a fake Date of Birth. I guess it’s the most boring Facebook page on the whole site!

The way I understood it, Facebook was supposed to be a private network, where you add links and share your personal information, including work and educational history, with friends, work colleagues and former classmates etc. Significantly, you either had to accept an invite or have your own invite accepted by another party before your information was shared.

But here’s the big scary change: Facebook are now allowing members' personal information to be accessible by everyone, even non-members. We are not just talking private pictures either, but information such as people’s date of birth, which is often used as a typical security question, especially when you are asked to prove who you are or asked to reset a password.

Within the next few weeks, Facebook profiles will be indexed and be fully searchable by search engines like Google and Yahoo. The art of “Google Hacking” is about searching for information about a target (person). For example, a fraudster may have already obtained some of your private details elsewhere; they will then use a search engine like Google to fill in all the blanks, building the full picture and completing the profile. This is especially commonplace when you are talking about identity theft, which is on the rise in the UK.

You might be really surprised what’s searchable on Google about you, just give it a go. When demonstrating Google hacking in the past, I have actually found people’s mobile phone numbers and even full home addresses.
Apparently there is a way to prevent your Facebook profile details from going into search engines like Google, but a friend of mine, who is an avid Facebook user, couldn't find the option to do it.

Thursday 6 September 2007

Web App Sec: With Great Power comes Great Responsibility

Thanks to the explosion of Web 2.0, companies have more power than ever on the Internet, however with great power comes great responsibility. Trends show hackers are targeting web applications increasingly, simply because they are easier to hack and the rewards are greater than traditional hacking, like writing viruses for example. Often companies get the network security level right, with proper DMZs and firewall configuration, but this is merely the foundation of providing web application security and in reality offers very little protection against application level attacks.

Web application security starts right with the developers, especially if you code in house. Web Application Security training of developers is absolutely key, and the use of Development Quality Assurance tools like SPI Dynamics WebInspect and Watchfire’s AppScan in the development cycle also plays a vital role. Sure these tools cost, but you are paying for the tools to be constantly updated by the vendors, who have to keep up with the latest exploits, as web application vulnerabilities are cropping up on a daily basis. QA tools not only ensure secure application development but prove an extremely useful aid in developing coders' web app security awareness and knowledge, ensuring future web application development is project planned (correctly budgeted) and coded securely in the first instance.

Finally, once you have your web application up and running, you should ensure the website is vulnerability scanned on a daily basis, followed by periodic full scale penetration tests, to ensure the web application stays secure.

Simply put, providing secure web applications costs, and it is unfortunate that a lot of businesses want to have their web app cake and eat it as cheaply as possible. Away from costs, some businesses simply don’t have the security know-how to do it correctly (the “but we have a firewall” mentality), or they just don’t have the drive to ensure their web applications are secure (the old “it will never happen to us” mentality). These are precisely the reasons why trends in successful hacking of the new generation of website applications will continue to increase.

Wednesday 5 September 2007

All of the UK must be on DNA database!

To follow up my previous posting on the UK DNA database, which is the biggest in the world and growing by 30,000 records a month: I said there were "moves" going on by the UK establishment to have everyone's DNA recorded in the database, and a senior UK judge yesterday was pushing for just that. What they won't tell you is that they don't actually need everyone's DNA in the database, as it only takes a family relative's DNA to provide a close enough match, which is enough to home in on an individual.

http://news.bbc.co.uk/1/hi/uk/6979138.stm

Tuesday 4 September 2007

Off the Shelf Malware with 1 Year Technical Support!

It’s common knowledge within the security industry that you can hire hackers, hire out the use of botnets and even buy zero day exploits, malicious scripts and viruses, but what surprised me recently is that you can buy packaged Malware, which even comes with technical support. Recently one such package, MPack, a PHP malware kit put together by Russian hackers, has been causing problems. MPack can be bought for £500 ($1000), and includes a year of technical support and options of purchasing extra exploitation modules. MPack exploits the latest vulnerabilities in M$ Windows web browsers; oh, it is browser aware as well, so Opera and Firefox won’t save you. For the most part an MPack infected website scans your browser and OS for security flaws, and if it finds any it exploits them, as well as storing stats about your system for future reference. The fact the MPack product can be regularly updated by the hackers producing it is its greatest danger, as it means it can stay ahead of Anti Virus products' signature updates (i.e. undetected by Anti Virus) and use the latest discovered zero day exploits.

MPack has been around since December 2006 and has been used to infect completely legitimate websites, most notably in Europe, where Italy’s largest website hosting companies were infected and MPack was embedded within legitimate websites, attacking any computer visiting an infected website. It is believed hundreds and thousands of users were affected by the Italian attack alone.

If you want to stay protected, I suggest keeping your OS Patches and AV signatures up-to-date. Although legitimate websites have been hit by this, I wager the MPack product will be and is being used on “not so legitimate” websites.

Monday 3 September 2007

A Cashless Society

I often wondered how long it would be before there wasn’t any need to carry any physical money. Well, from today it appears we are well on the way, and even trends back up the move towards a cashless society.

In 2004, card payments overtook cash payments for the first time in the UK, while last year £321 billion ($642bn) of card purchases were made in comparison to £274bn in cash, with the average Briton putting around £10,000 through card payments. Fraudsters stole around £428 million, which has actually come down slightly thanks to the introduction of Chip and Pin two-factor authentication.

Today the big five UK mobile phone operators switched on “PayForIT”, which allows the payment of transactions up to £10 to be made by mobile phone. I love the idea of not needing to carry any cash, but I am rather sceptical about the use and the potential abuse of mobile phones by criminal elements. To be fair I haven’t had a chance to fully review the “PayForIT” process in great detail, but from what I heard from a spokesman on the radio this morning, it appears convenience has been put ahead of security, which from my point of view always spells trouble.

Personally I think this new payment method will spark an increase in petty mobile phone theft and an increase in mobile phone hacking. I have waffled on about mobile phone security on my blog and Podcast in detail before, so I’ll spare you that today, but with these sorts of payment services becoming commonplace, the importance of personal mobile phone security becomes even more of a priority. The trouble is the average Joe doesn’t “do” mobile phone security, hence why I think the system will be so open to abuse. And guess what, in a few months' time PayForIT can be used for web purchases as well.

It’s worth mentioning Barclaycard have also recently launched their “cashless” payment card, again for all transactions under £10. Barclaycard OnePulse cards require no signature or pin number, just a simple swipe and you’ve paid; however, only a few outlets currently accept the card. I understand the plan is to add this “OnePulse” functionality to regular credit cards, which sounds a bit of a backward step after the success of chip and pin. Although I tell you what peeves me: those retailers who insist you spend at least £5 if you use a card, or who charge you 50p or a £1 extra. Perhaps the payment card companies should focus more on preventing retailers from having minimum spends and extra costs for low card payments instead of introducing new less secure payment systems, and perhaps they’ll get what they really desire, namely all our money going directly through their banking systems.

I purchased some Scrumpy Cider from a Cornish Cider distillery just last week, they had a minimum card payment spend of £15, although I have to tell you I had no trouble in exceeding that requirement! *hic*

Tuesday 21 August 2007

The Dangers of Shadow IT

In case you are not aware of the term “Shadow IT”, it basically refers to those users within the corporate user base who pretty much do their own thing IT wise within the corporate environment. Think about it: gone are the days when the vast majority of corporate help desk calls revolved around user related help like “How do I create a table in Word?”, “How do I do a formula in Excel?” etc. Why? Because users are more technically savvy these days, especially younger users, who have grown up with PCs and the Internet all their lives; they tend to solve their own IT problems instead of bothering the help desk. If your organisation doesn’t have a good security culture, you’ll find these sorts of users can be up to all sorts of tricks, such as installing their own applications, using unauthorised hardware like USB hard drives, installing network hardware like switches and hubs, and God forbid wireless access points, as well as using the Internet for all sorts of things which were never envisaged by the business, such as web 2.0 stuff like social network sites.

I mention this topic as a friend of mine was telling me how he re-routed his Internet access away from the corporate provided remote access via a proxy server, to go directly through a “self purchased” ADSL router within a small office site, which he and colleagues had set up without any input from the IT Dept. He said the IT Department still think they are using VPN Client access over 3G cards. Another, who works within an IT Department, was just telling me the other week that he had come across several users running self purchased and self installed copies of the Windows Vista operating system on their laptops, even though his company were still standardised on Windows XP, and had no plans to move until next year.

It is fairly clear Shadow IT poses many dangers to corporate information security, and as a security professional I know it can be extremely difficult to turn around a Shadow IT culture. However, if you are an IT Manager or Security Manager, it is an absolute must to get a handle on all IT systems and their usage within your corporate environment. It is equally important not to forget those users and devices which access the corporate network remotely.

So how would I go about correcting a Shadow IT culture? Well, first of all ensure there are (or if not, write) company policies to specifically cover all areas affected by Shadow IT, such as employees not being permitted to install any IT hardware without express permission from the IT dept, failure to comply being a disciplinary matter, etc. Next is to ensure your policies are enforced. I would first recommend giving the users a chance to get the message, so educate them about the policies and why the policies are important, and try to change the culture. Then follow up the user awareness training with IT audits and network scans, and start to clamp down. Finally, look into using technology to control the IT infrastructure. This can be a bit costly, but depending on the budget and staff IT expertise, it is pretty much possible to force control with just about anything IT wise, from preventing users from installing applications, to the use of unauthorised USB devices, to the control of specific devices allowed on the corporate network (NAC).

I should warn you that it may not be as straightforward as I painted either. Just think of the ultimate Shadow IT act, which affects just about every company on the planet, namely the use of USB memory sticks. You have users who buy, or even get for free, their own USB memory flash devices, and they just go ahead and use them within the corporate environment without the permission of IT or even their line managers, often copying corporate data and removing it from the environment. In most places, weighing the benefits USB memory devices provide against the control of their usage is a political hot potato, especially when there are clear benefits to the business and their uncontrolled use has been acceptable for a number of years already. However, I say you shouldn’t just sweep this issue under the carpet for another day; at the very least you should seek written sign off by someone senior within the business to accept the risk. And if you can persuade the business about the need to reduce the security risks of an uncontrolled USB culture and get the budget, you can go out and buy the specialist software to only allow approved devices and provide appropriate encryption.

Monday 20 August 2007

Expect The Best, Prepare For The Worst

I really have to start letting go of what I do for a living when relaxing outside the work place. I just watched "The Bourne Ultimatum", and I noted a safe was opened using a supposedly secure but single-factor authentication method using only biometrics, in that it scanned a fingerprint and had voice recognition (no password). If it had only used dual factor authentication, perhaps with a passcode (i.e. something you know), then Jason Bourne might have found it a lot harder to get it open and steal the contents! Oh, I got slightly annoyed that the film's heroine said "the firewall" was blocking user level access rights to a file; if the Firewall was blocking, she shouldn't have even got close to remotely accessing the file in question in the first place. But hey, that's Hollywood, I really shouldn't be a killjoy.

The thing that stood out the most for me was when the bad guy CIA director used the phrase "Expect The Best, Prepare For The Worst" in regards to a situation, which sums up the stance I and fellow security professionals take, especially when formulating an overall Information Security strategy within a business.

In fact checking back through my security presentations, I used the term "Expect the Best, but Plan for the Worst".

Still, all in all, The Bourne Ultimatum is a great film, which I really enjoyed. Finally a "triquel" this summer that's good!

Sunday 12 August 2007

The World's Biggest DNA Database

In one of my earlier blog entries about the UK being the ultimate Big Brother state, I touched on the Police's national DNA Database. Well I recently discovered more than 715,000 DNA records were added to the UK national Police database last year, which brings the total number of DNA records to a staggering 4 Million records, making it the world's biggest DNA database.

So what if you are an upstanding UK citizen? Do not be fooled into thinking that this DNA database isn’t of concern, as if any of your relatives have DNA on the Police system, then that DNA can lead the Police to your door. There have already been several high profile cases of the Police tracking down criminals through relatives' DNA; the most notable was the Yorkshire ripper hoaxer, who was tracked using DNA evidence collected over 25 years ago.

Personally I like the idea of the Police having a national DNA database, as it helps to catch the bad guys and provides a deterrent, especially to serious crimes. Some of the interesting effects of DNA profiling have already seen British prisons overflowing, even though the crime rate has been steadily declining for years. Others say it is leading to lazy policing and lazy courtrooms, in that Police go straight for the DNA evidence rather than use traditional policing methods, with DNA evidence being enough to convict within the courtroom, when DNA evidence isn't fool proof.

It is very clear the UK Police have an agenda to get everyone within the UK on this database, and they recently made noises about wanting to collect DNA from speeding drivers and even litterbugs. If this sort of civil liberty infringement scares you, you might be very interested to learn that since April 2004, any child aged ten or above who has been arrested (not convicted) in England or Wales can have their DNA and fingerprints taken without parental consent. Apparently over 100,000 innocent children's DNA is on the database permanently.

From my point of view, I am very interested in the security measures in place to protect data within the DNA database. I will try to dig further into how the Police are securing this clearly very sensitive database. But the Police being the Police, they should already have a good security culture, and given the very sensitive nature of the database, and that the last thing the Police would want is a security breach, as the negative publicity could put the brakes on getting everyone "in" the database, I suspect good security will be in place, well hopefully. To be honest I’d be worried if they were to start sharing the database with other bodies like research organisations and the NHS (Medical). And what if the state could tell by a person's DNA profile whether that person was more inclined to criminal activity? Think “Minority Report”!

Friday 10 August 2007

UK Personal Internet Security Report

A UK government committee released an interesting report on Personal Internet Security.

Personal Internet Security Report

These government reports can be a bit hard to digest, but to quote directly from the report's key recommendations:

“The current assumption that end-users should be responsible for security is inefficient and unrealistic” and then goes on to urge security responsibility to be taken by government and ISPs, and then calls for more laws and industry standards.

“The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless “wild west””

I don’t quite agree with this report. Sure, I’m all for more laws and standards for businesses, but when it comes to home users, they should be educated more, rather than trying to apply the nanny state. Protecting people with technology and laws just isn’t going to work against most internet attacks, which have social engineering aspects. I also find home users just aren't aware of risks or security savvy; for example, they will send bank account details and passport scans by regular Email, or post too much personal information on social networking sites. There's little laws or technologies can do to protect against that sort of user behaviour.

For me it's an absolute MUST that children are educated about the dangers of using the internet while at school; I think it should be mandatory. I am always happy to volunteer my own time to educate kids about Internet safety, as I find most adults don’t have the slightest clue what their kids are up to online.

UWB: Broadband Bluetooth

OFCOM (UK regulator) has given the go ahead for Ultra-Wideband (UWB) to be used within the UK; they have deregulated the required radio waves, so a license is no longer required to use them. The next step is for Europe to agree the UWB standards, which will take a few months, but I understand manufacturers are already developing UWB devices.

UWB uses part of the radio spectrum to transfer large amounts of data, such as media files, over short distances, so it's a kind of broadband Bluetooth. For example, in the home UWB can be used for wirelessly sending HD video data from a HD Camcorder to a HD TV, or MP3s could be streamed to wireless speakers. As you can imagine, there are plenty of data transfer possibilities with this technology.

They say UWB will have a range of around 10 metres; however, they said that about Bluetooth when that first came out. We'll have to wait and see the security aspects and security challenges this new technology will bring, but I imagine it will be the same type of issues we see with WiFi and Bluetooth.

Friday 3 August 2007

Web 2.0 is Fundamentally Broken

"Web 2.0 is fundamentally broken," says Robert Graham, the CEO of Errata Security. "Using the tools it's easy to hijack other people's credentials. It's a fundamental flaw in Web 2.0". Well, I have to say the evolution of Web 2.0 (web apps) is what scares me the most in terms of Information Security today.

At Black Hat 2007 Robert Graham of Errata Security demonstrated how easy and quick it was to break into the most common Web 2.0 applications like GMail, HotMail, MySpace and FaceBook. Using Errata's soon to be released freeware tools "Hamster" and "Ferret", Robert scanned the Black Hat wireless network during his presentation, sniffing out users' URLs until he found a user using GMail. After which he was able to very quickly open up that person's session and display the poor guy's GMail inbox on the big screen, thanks to the Errata tools.

This hack works as the Errata application is able to grab the user's cookie, from which authentication to the user's web session is gained. I can't speak for the other Web 2.0 services as I don't use them, but if you are a Google GMail user, I always advise using "secure http" to access it, i.e. https://gmail.google.com, as that ensures all traffic between Google and your web browser is encrypted, including the cookie info, so it will defeat this type of hack.

These hacking tools are supposed to be available to download as freeware at some point today; I will grab them and give them a try.
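A way to check a site for the exposure described above, as an added example that is not code from the original post or from Errata Security: it reads `Set-Cookie` headers and reports cookies that a browser would send unencrypted, which is what a sniffer on a shared wireless network relies on. The sample responses, host names and session-name hints are constructed assumptions.

```python
"""Report cookies that a passive sniffer on the same network could capture."""
from urllib.parse import urlsplit

# Constructed sample data (not captured traffic): the URL each response came
# from, followed by the Set-Cookie header values it carried.
SAMPLE_RESPONSES = [
    ("http://mail.example.test/inbox",
     ["SESSIONID=abc123; Path=/"]),
    ("https://mail.example.test/login",
     ["SESSIONID=def456; Path=/; HttpOnly",
      "AUTH=ghi789; Path=/; Secure; HttpOnly",
      "lang=en-GB; Path=/; Max-Age=31536000"]),
]

# Assumption: substrings that suggest a cookie carries the login session.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def looks_like_session(name):
    """Heuristic: does the cookie name suggest it authenticates the session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(url, set_cookie_values):
    """Return one finding per cookie that can travel unencrypted."""
    scheme = urlsplit(url).scheme.lower()
    findings = []
    for raw in set_cookie_values:
        name, _value, attrs = parse_set_cookie(raw)
        reasons = []
        if scheme != "https":
            # The Set-Cookie header itself crossed the network in clear text.
            reasons.append("set over plain HTTP")
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to http:// requests.
            reasons.append("no Secure attribute")
        if reasons:
            findings.append({
                "url": url,
                "cookie": name,
                "severity": "high" if looks_like_session(name) else "low",
                "reasons": reasons,
            })
    return findings


def audit(responses):
    """Audit a list of (url, [Set-Cookie values]) pairs."""
    findings = []
    for url, cookies in responses:
        findings.extend(audit_response(url, cookies))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f"[{f['severity']}] {f['cookie']} from {f['url']}: {', '.join(f['reasons'])}")
```

The second `SESSIONID` finding is the case to watch for: the login page is served over HTTPS, but the cookie lacks `Secure`, so a later `http://` request to the same host still sends it in the clear.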

Monday 30 July 2007

Incident Disclosure is really a No Win Situation

Recently a UK City Council announced a data breach involving tens of thousands of credit cards, I’m not going to name them as I don’t really want to be associated in defending them.

The facts of the security incident and how it was discovered are very different from the press headlines, which basically laid into the Council for having bad security and not being security responsible, by putting thousands of its users at high risk of credit card fraud by putting these details insecurely online. However, after reading through press releases and a bit deeper into some of the news reports, a slightly more responsible picture emerged.

The Council had hired an external Security Expert – no, not me ;) to check and test the security of their systems, and this expert found that a data file had been uploaded to a public website in error by a member of staff. The file held credit card transaction details for thousands of council tax payments and parking fines; however, the credit card data was encrypted and the file didn’t include pin numbers and CV2 numbers, so it would be pretty difficult to use it for credit fraud. I understand the names and addresses were in clear text but I haven’t been able to confirm this as yet. It appears the file was downloaded on one occasion from the public web site.

Well, I think the Council’s “heart” must have been in the right place to hire an external security expert in the first place. The fact that the credit card data was encrypted and they didn’t have pin/CV2 numbers within the file bodes well, and after all they publicly disclosed the incident within a week of finding out. They said they would have disclosed it earlier but it would have compromised the incident investigation; sure, that could be just PR spin, but we’ll give them the benefit of the doubt, as I’m sure a lot of other organisations might have just swept this type of incident under the carpet. I just think the very negative press attack and blatant avoidance of the actual facts within news reports, in order to sensationalise the story and panic the populace, isn’t exactly going to encourage other organisations to voluntarily disclose similar incidents in future. Which is what I would like to see, as I would like to bring into the open the scale of general bad security going on within business. Punishing organisations that appear to be trying their best I don’t think is going to help matters; if anything it could even put off companies from hiring in security experts to test their system security!

Again, what was the cause of this incident? You guessed it, it was a human (on the inside) making a mistake (humans tend to do that). So another example to be chalked up within my security awareness training presentations.

Before anyone comments on my defensive approach to data breach, please don’t, as you will be missing my point. I totally agree any data breach is a serious and generally bad thing, especially when it involves public data/credit card data, and it's totally right these incidents are aired within the public arena.