Wednesday, 29 October 2008

RSA Europe 2008 Review

RSA Europe is said to be the most comprehensive information security forum held in Europe, with world leading expert speakers from the information security industry discussing and debating the hottest topics in security.
It was great to see this year's conference being themed on British cryptographer Alan Turing. Turing was part of a team of code breakers working at Bletchley Park during World War II, who in complete secrecy quite literally saved thousands of lives by breaking encrypted messages. Today Bletchley Park is a museum open to the public, completely privately funded and yet a vital part of the security industry's heritage. So it was really good to see Alan Turing being highlighted by the event, but I will save my thoughts on Bletchley Park for another post, although I do urge anyone interested in general information security, cryptography or history, who has the chance, to visit Bletchley Park and/or donate to the cause.

For me the biggest highlight of the RSA Europe event this year was the Tuesday trio of keynote speakers. First up was Bruce Schneier, who spoke about The Future of Privacy.
I make no secret of the fact that I am a big Bruce Schneier fan; each time I have the privilege to attend one of his talks or discussions, I am always left with at least one profound, thought provoking or even view changing moment, which tends to stick with me, and the security guru's talk on privacy was no different. Bruce likened "data" to the industrial pollution of the information age, and rejected the “Security vs. Privacy” argument, citing the improvement in aircraft security since 9/11 as an example. He said we are simply safer on airplanes today because of two simple security improvements, namely locks on flight cockpit doors, and the fact that passengers are now inclined to fight back. All the new privacy eroding, so called security measures we have all come to accept at airports since 9/11 are not really a factor in improving security and safety. Bruce went on to describe the future of privacy, saying we live at a time where we can all see the thousands of cameras and ID checks as we go about our lives, but over the coming 5 to 10 years the cameras will get smaller and become invisible, while ID checks will occur in the background without our direct knowledge, thanks to technologies such as face recognition. Personally I have been debating the “Is privacy dead” issue, as famously coined by Scott McNealy (Sun) in the late nineties, with fellow security professionals for some time, but Bruce’s view is that privacy can be and must be saved. Privacy protection requires much better laws, of the same kind which prevent us today from living in a police state. As we get to grips with the evolution of the information age, new laws should and must follow to protect everyone's privacy; we must think of it as a "Liberty vs. Control" argument rather than "Privacy vs. Security".
Bruce concluded by challenging everyone in the auditorium not to blur privacy and security, saying it is our responsibility as security professionals to safeguard privacy, and that generations from now, history will judge whether or not we were successful at this unique early juncture in the information age.

Bruce also announced his entry for a brand new hashing algorithm at the event, which I'll save talking about for another blog entry.

Next up on the podium was Ken Silva, the CTO of VeriSign, who painted a very interesting picture of the rapid expansion of the Internet, distributed denial of service attacks, and the ways VeriSign is tackling the rapidly increasing bandwidth demand resulting from growth in both of these areas.

Ken highlighted that not only will huge pools of brand new Internet users be coming online from areas such as Africa and India over the coming years, but there will be an explosion in direct Internet devices requiring high and fast bandwidth. For example, Internet TVs are around the corner, which are basically a TV with an ethernet jack in the back as opposed to an aerial or satellite dish, and which will stream thousands of TV channels into the home from the Internet, while “Voice over IP” phones are expected to completely "take over" from traditional phone networks.

Ken produced some mind blowing stats, stating there are around 1.5 billion Internet users at present, which is expected to grow to around 2 billion users by 2011. On the security problem, by contrast, there are around 300 million devices (PCs) attached to the Internet which have spyware/malware installed and operating. That's around 1 in 5 PCs, with around 150 million devices (and growing every day) which have "bot" malware operating. A bot is an application controlled by cyber-criminals, which can be used to direct unmanageable volumes of Internet traffic at specific websites; this attack is known as a Distributed Denial of Service (DDoS) attack and can shut down and crash web sites.

Finally Hugh Thompson, Chief Security Strategist at People Security, lit up the auditorium with his “Hackernomics” talk.

Hugh unearthed the changing economics of cybercriminal attacks and our security defences, underlining the general theme of the shift in attacks from the network to the application layer. Hugh is a world renowned figure in the world of application security, and I have to say I don’t think I have come across a more entertaining security speaker. I briefly spoke with Hugh offline, and I intend to feature more of him and "Hackernomics" in a separate blog entry.

This year at RSA Europe there was an overall focus on the rising threat trends within web applications and defending with good web application security. There were notable sessions by Fortify, who put together a professionally produced documentary film titled “The New Face of Cybercrime”, while the “Blinded by Flash” presentation by HP opened up the application security issues within Flash applications, which have traditionally been hard to test for application security vulnerabilities. Again, I intend to feature the latest threats within web applications in a separate post in the coming days, as this post is getting rather long.

In all, RSA Europe was as billed, the premier infosec event in Europe, and on a personal level I found the event great for "networking", meeting up and discussing security with new people, and some old faces from around the globe, with equal enthusiasm and passion about information security.

Thursday, 23 October 2008

Credit Crunch causing CyberCrime Shift

The "Credit Crunch" is not only fuelling more cyber crime and online fraud, but the latest malware, phishing and fraud trends show the credit crunch is having an effect within the sinister cyber criminal underworld. It seems the bad guys are having trouble opening new fake accounts, obtaining credit cards with stolen identities, and are even having trouble getting store credit using fake identities.

Why? Well, it is because the financial industry has been cracking down and fully vetting credit applications (about time). You really have to ask why it has taken the near collapse of the world's financial system to kick financial institutions into properly checking just who they are actually going to provide credit to; after all, that’s what caused all this credit crunch mess in the first place, right?

So this is good news on the identity theft front, but as always in cyber fraud the bad guys just move on to the next lowest hanging fruit, and so are increasingly going after active bank accounts and active credit cards. Which in itself is kind of interesting due to the consumer credit crunch factor, as I guess everyone will generally be a lot more careful with their money, and therefore will be checking through their bank and credit card statements more often. A lot of fraud simply goes undetected due to a particular technique employed by the bad guys, where they siphon small amounts of cash on a monthly basis directly from people's accounts. This goes unnoticed by the victims, simply because the victim isn’t scrutinising their statements. According to "ID Theft Protect (Aug07)", 90% of people never check all their transactions on their bank or credit card statements, which underlines why these types of fraud are so successful and can really add up over a long time period.

I mean, there are even some legal companies which dupe people into adding a small monthly standing order on their accounts and credit cards, usually within the small print, or even by illegal means! I had a very popular UK motoring recovery organisation charge a renewal against my credit card without any prior notification recently, even though the account they charged for was my wife's! I actually had a completely separate account set up with them; they linked the payment details from my account to the other.

So be extra vigilant with those statements, you never know what you might find and save!
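As an added illustration of the statement check the advice above implies (example code written for this post, not part of the original): a small script that scans statement lines for unrecognised payees taking small, recurring monthly debits, the pattern described earlier that victims tend to miss. The statement lines, payee names, amounts and the allow-list of recognised payees are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample statement lines (not real data): "YYYY-MM-DD,payee,amount",
# where negative amounts are debits. One payee takes a small sum every month.
STATEMENT = """\
2008-07-02,SALARY ACME LTD,1850.00
2008-07-05,SUPERMART,-64.20
2008-07-14,GLOBALSVC*8821,-4.99
2008-07-28,MOTOR RECOVERY ORG,-89.00
2008-08-02,SALARY ACME LTD,1850.00
2008-08-14,GLOBALSVC*8821,-4.99
2008-08-19,SUPERMART,-71.05
2008-09-02,SALARY ACME LTD,1850.00
2008-09-14,GLOBALSVC*8821,-4.99
2008-09-30,SUPERMART,-58.40
"""

# Payees the account holder recognises (assumed allow-list, also constructed).
KNOWN_PAYEES = {"SALARY ACME LTD", "SUPERMART", "MOTOR RECOVERY ORG"}


def parse_statement(text):
    """Parse 'date,payee,amount' lines into (date, payee, float) tuples."""
    rows = []
    for line in text.strip().splitlines():
        day, payee, amount = line.split(",")
        rows.append((date.fromisoformat(day), payee.strip(), float(amount)))
    return rows


def flag_recurring_small_debits(rows, known_payees, max_amount=10.0, min_months=3):
    """Return {payee: [(date, amount), ...]} for payees not in known_payees whose
    debits are all at most max_amount and occur in at least min_months months."""
    debits = defaultdict(list)
    for day, payee, amount in rows:
        if amount < 0 and payee not in known_payees:
            debits[payee].append((day, -amount))
    flagged = {}
    for payee, items in debits.items():
        months = {(d.year, d.month) for d, _ in items}
        if len(months) >= min_months and all(a <= max_amount for _, a in items):
            flagged[payee] = sorted(items)
    return flagged


if __name__ == "__main__":
    hits = flag_recurring_small_debits(parse_statement(STATEMENT), KNOWN_PAYEES)
    for payee, items in hits.items():
        total = sum(a for _, a in items)
        print(f"check {payee}: {len(items)} small debits totalling {total:.2f}")
```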

Wednesday, 1 October 2008

BackUpAnyTime's - Who's Who in Data

Last week BackUpAnyTime interviewed me as part of their "Who's Who in Data" feature. Being chosen for this interview was a real privilege and it was a pleasure to answer their questions. The interview Qs & As are now available.

"This has got to be one of the most enjoyable interviews we have conducted yet. To say that David Whitelegg is a data security expert is an understatement of significance and a clear example of stating the obvious. David's answers range from short and witty to detailed and fascinating. Here is a man who can and will tell you how to best protect your data. Ask him about his family or car and he may consider you a bot seeking personally identifiable information. A riveting and educational read. Dave plans to write a book. Sold!"