Monday 24 December 2007

The 12th Breach of Christmas (UK)

On the Twelfth Day of Christmas the Information Commissioner disclosed to me...

12 hundred wrongly addressed questionnaires (DVLA Dec 07)
802.11 Wifi WEP is broken (now takes just a minute to crack)
1 to 10 UK companies PCI compliant (Survey by Logic Group in Sept'07 revealed that only one in ten UK companies have the proper security standards to handle our card payments securely)
9 NHS Trust Breaches (Dec 2007)
8 "Significant" HMRC Security Incidents (HMRC revealed further "significant" breaches in Nov/Dec 07)
7 out of 10 websites vulnerable (Cenzic Study Finds Web Applications Vulnerable to attack May 07)
6,000 personal records mislaid (by N.I. Driver and Vehicle Agency - Nov 07)
"Twenty-Five" Million Records Lost (HMRC Nov 07)
4 in 10 WiFi routers unsecure (according to a report by Moneysupermarket.com Apr 07)
3 Million Learner Drivers Lost (by Driving Standards Agency Dec 07)
2 Discs Missing (HMRC discs holding 15,000 Standard Life customers were lost Oct 07)
And a £1 Million fine to the Nation-wide! (Lost a laptop with an unencrypted hard disk holding nearly 11 Million customer records and were fined by FSA in Feb 07)


Merry Christmas Everyone!


PS Let's hope I find it a much harder struggle to write this sort of thing next Christmas.

Tis the Season to Disclose Data Breaches

It appears this time of year coupled with the spectre's shadow of the 25 Million unprotected records lost by the HMRC last month, makes an ideal time to disclose data breaches to the UK public. We really need proper California style data breach disclosure laws in this country.

So what's new in the last 7 days...

Well the NHS disclosed 10 (ten) data breaches at various NHS trusts around the country, one of which involved the loss of 168,000 records of which most were children’s records. In a statement they said "extremely high level of security", but typically do not explain any details about the security measures. It would appear it's the old recipe of sending data on discs again. Fair play to the NHS if proper encryption was used, but so far I haven't really seen any details about each of these 10 incidents and when they actually occurred. I suspect the NHS powers that be chose not to disclose these incidents when they were discovered, but have been forced to now in light of the government enquiry into the HMRC breaches. I really don't want to be pessimistic at this time of year, but these are the 10 incidents the NHS are aware of, and knowing the NHS and the generally poor management, budget cutting and bad organisation, especially within IT, I suspect these incidents are probably just the tip of the iceberg.

On the back of the high profile NHS story, on the same day the Post Office admitted to sending over 5000 account details to the wrong pensioners.

The Skipton Building Society lost sensitive personal details of 14,000 customers, thanks to the theft of a laptop. The data includes names, addresses, dates of birth, national insurance numbers and the amount of money invested. There was no hard disk encryption on the laptop, which was owned by an IT supplier. At least the FSA can hold them to account for this breach. It's worth noting Leeds Building Society lost information about its own workforce in early November; this one went completely under the media radar.

And of course last Monday millions of UK Learner Driver details were lost by the Driving Standards Agency, after a hard disk holding 3 Million UK learner driver records was lost in the US of all places. This information was known to be missing back in May 2007, but was only disclosed to the public on Monday.

I was on BBC News 24 talking about this very issue, and to be completely honest, I had to work to get the newsreader to understand the importance of such breaches. Some people still don't realise the significance of large databases of information, even when populated with information "innocent on the eye" like names, addresses and phone numbers, the so called stuff you can get out of a phone book. Sure there were no bank details, but the data included details about fees paid and Email addresses. In this case 3 million such records altogether have significant value to unscrupulous marketers and within the underworld. I mean how much would spammers pay for 3 million active Email addresses alone?


While on the BBC News 24, I found myself making an interesting point about the type of data being lost. I stated there was always a big focus and hype when personal bank information is lost or breached, and rightly so, however I can easily change my bank account, but it's not so easy to change my telephone, home address, and it's virtually impossible to change my National Insurance number, as lost by the HMRC.


SOAP BOX TIME: We are now living in the Information Age, in times where identity theft is the UK's fastest growing crime full stop. Now is the time for companies, organisations and us as individuals to wake up and start valuing information, information is an asset and it has value associated with it (Information=Money!), like with everything of value, it needs to be protected.

Friday 14 December 2007

Hidden Flash Cookies

I was speaking to some pals of mine who were asking about deleting Internet history and removing cookies etc from their PCs for privacy. However none of them knew what “Flash Cookies” were and how to find and view them on their systems, let alone change flash settings and remove them, so I agreed to do a post about them.

To recap, a regular cookie is a small text file created by websites via your web browser and stored locally on your PC. The file is tiny, which is probably why it's called a cookie. The information within the file is used to store or reference direct information about your habits and usage on a particular website, such as where you went on the website, and what you did. These cookies allow websites to be smart, so the website remembers who you are and what you like, often personalising or tailoring aspects of the website to make life easier or for directed marketing.

However a lot of people have privacy concerns about having their surfing habits tracked, monitored and recorded in this way, and often like to remove these cookies from their system. Usually this is done via Internet Explorer's settings, under Tools or browsing history, then "delete cookies".

To recap on Flash, Adobe "Flash Player" is a web browser plugin which the vast majority of people have enabled on their web browsers (it's there by default). Having "Flash" allows for rich web content and high interactivity within websites; YouTube videos are delivered within Flash Player, for example.

However I have noticed more and more websites are using Flash Cookies, even banking sites. Flash cookies perform the same function as a regular cookie, but they aren't stored as a text file in the usual cookies folder, therefore web browsers like Internet Explorer don't recognise them as cookies and they aren't removed with a "delete cookies".

Flash Cookie files tend to have a ".sol" file extension. On checking my system just now, I see I have "soundData.sol" within "C:\documents and settings\Local User name\Application Data\Macromedia\Flash Player\youtube.com\", even though I just cleared all of my Internet history etc. as a test. I guess this particular flash cookie is probably tracking my preferred volume level on YouTube videos.

The good news is there is a way to delete flash cookies in an orderly fashion and configure the settings for their use on your system. Adobe (owners of "Flash" - they bought it from Macromedia a couple of years back) have a Flash Management Application on their website; not surprisingly it is delivered in Flash. Full instructions on its usage and settings are all on the Adobe website and pretty much self-explanatory so I'm not going to repeat them here, here's the link...

Flash Settings Manager

It's definitely worth checking out if like my pals you haven't come across Flash Cookies before.
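To see which sites have left Flash cookies behind after a normal "delete cookies", the sketch below walks the Flash Player data folder mentioned above and lists every ".sol" file per site. It is an added example, not part of the original post; it is read-only, the function names are made up for illustration, and it assumes the usual Local Shared Object header (bytes 00 BF, a 4-byte length, the tag "TCSO", then the object name) and that the site is the first folder name containing a dot.

```python
import os
import struct
import sys
from collections import defaultdict

LSO_MAGIC = b"\x00\xbf"  # first two bytes of a Flash Local Shared Object
LSO_TAG = b"TCSO"        # signature that follows the 4-byte length field


def read_lso_name(path):
    """Return the object name stored in the .sol header, or None if it is not a valid LSO."""
    with open(path, "rb") as fh:
        head = fh.read(18)  # magic(2) + length(4) + tag(4) + padding(6) + name length(2)
        if len(head) < 18 or head[:2] != LSO_MAGIC or head[6:10] != LSO_TAG:
            return None
        (name_len,) = struct.unpack(">H", head[16:18])
        name = fh.read(name_len)
    return name.decode("utf-8", "replace") if len(name) == name_len else None


def site_of(rel_path):
    """Assumption: the site is the first directory component that contains a dot."""
    for part in rel_path.split(os.sep)[:-1]:
        if "." in part and not part.startswith("#"):
            return part.lower()
    return "(unknown)"


def find_flash_cookies(root):
    """Map site -> list of (relative path, size in bytes, LSO name) for each .sol under root."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".sol"):
                full = os.path.join(dirpath, fname)
                rel = os.path.relpath(full, root)
                found[site_of(rel)].append((rel, os.path.getsize(full), read_lso_name(full)))
    return dict(found)


if __name__ == "__main__":
    # Default follows the folder named in the post; pass another path as the first argument.
    default = os.path.join(os.environ.get("APPDATA", "."), "Macromedia", "Flash Player")
    root = sys.argv[1] if len(sys.argv) > 1 else default
    for site, items in sorted(find_flash_cookies(root).items()):
        print(site)
        for rel, size, name in items:
            print("  %s  %d bytes  name=%s" % (rel, size, name or "not a valid LSO"))
```

Run it before and after clearing the browser's cookies to confirm that the ".sol" files survive, then use the Flash Settings Manager to remove them.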

Wednesday 12 December 2007

And Yet another UK Government Data Breach

It's the same old recipe...Take one UK Government department, a couple of Discs, copy thousands of records containing sensitive personal data of UK citizens on the Discs unencrypted and then post.

Don't these people ever learn!

This time it was the turn of the Driver and Vehicle Agency (DVA) in Northern Ireland, who dispatched two discs by Parcelforce on either 20th or 21st November. The discs, holding around 6,000 people's personal details, never arrived at the intended destination, namely the DVLC Headquarters in Swansea.

The head of the DVA said the information was not encrypted and included the details of 7,685 vehicles and more than 6,000 vehicle keepers. The data included the keeper's name, address, registration mark of the vehicle, chassis number, make and colour. The DVA also said they were not optimistic that the discs would ever be found.

I'm not even going to post any more on this, in fear of repeating myself, just read my last post made last Friday... http://blog.itsecurityexpert.co.uk/2007/12/uk-government-infosec-is-systemically.html

Friday 7 December 2007

UK Government InfoSec is Systemically Broken

I don't really like knocking my own government, but their approach to protecting our personal information is like a banana republic.

This week another government department, namely the Driver and Vehicle Licensing Agency (DVLA), posted over 100 questionnaires holding people's details including their dates of birth and "Motoring Offence History" to the wrong addresses. The DVLA said it was caused by human error, as if to say it makes this breach acceptable. So this is another government violation of the government's own Data Protection Act, however it is pretty pointless fining these government departments isn't it, as it would be like fining yourself. There is just no "stick" to push information security in these organisations, it's not like the private sector where companies are heavily fined and breach publicity has a serious impact on a business brand, which is always important in competitive marketplaces. In my view there definitely needs to be a "big stick" from the top down to drive good security practice and culture within these organisations, otherwise no one will be bothered or have the time.

Meanwhile the acting head of the HMRC said there had been seven incidents of "some significance" involving data security breaches since April 2005. I thought that sounds a bit dodgy, as just who is deciding if an incident was significant or not, and how many minor incidents are there? Again I think this underlines the need for disclosure laws in the UK (no they don't have to tell us about these data breaches), or even a disclosure policy for the government department would be a good start.

While on HMRC a reward of £20,000 is being offered for the return of two lost CDs containing the personal details of 25 million people. The Liberal Democrats valued the data on the CDs at £1.5 Billion the other day, so it's not much of a reward is it? I mean a good fraudster could pilfer £20,000 out of just one record, let alone 25 million records.

I think there needs to be a major shakeup and "investment" in how the government secures our private information. I think there is an appetite for this at the moment, I just hope it doesn't waver away as the media move onto other stories. After speaking to and advising many people about these incidents, it is clear these incidents have severely shaken any confidence most UK folk have in the government and the civil service; even I have changed my viewpoint on national ID cards. Meanwhile on the politics front, the opposition parties are having a field day with the government of the day, but I'm not so sure these incidents wouldn't happen under their governmentships anyway.

Tuesday 4 December 2007

The Power of PlayStation

I was fascinated to read about a New Zealand Security guy called Nick Breese, who conducted brute force password cracking experiments using the processor at the heart of the Sony PlayStation 3. He stated he was able to brute force 8 character passwords using the PS3 processor and a password cracking application in just hours; usually it would take days on a regular desktop PC. This type of password cracking typically defeats the type of protection you find on a password protected Zip file (*cough H-M-R-C missing CD cough*).

The PS3 multi-core processor, called the “Cell Processor”, was developed by Sony, Toshiba and IBM a couple of years back. The Sony version of the processor can calculate 256 billion calculations per second, which is faster than a 4GHz PC. It manages this speed due to having 7 cores within the processor, so it can carry out 7 calculations at the same time, and so try 7 brute force passwords at the same time.

Imagine the type of processing power that could be gained by installing a Linux OS and networking PS3s together and combining the processing power, as done with the old PS2; you could be talking a low budget super computer. Such processing power could have all sorts of positive uses other than just password cracking, such as with research projects like the human genome. I must have a search on the net, to see if anyone else is using their PS3 to do things other than playing games.