Posts

Showing posts from August, 2012

World of Warcraft: Does the Internet have controllable Borders?

Image
World of Warcraft is an online game played by millions of players around the globe since Blizzard launched it in 2004. All you need is a computer, internet connection and a subscription, you play in a fantasy virtual world long with hundreds of other players at the same. This game is fun and highly social, but very addictive with typical players logging hundreds of hours play over a span of years. Players regard their online accounts and characters as very 'precious' due to the number of hours building character skills and abilities, and time acquiring in-game items. Last week ( 22nd Aug 2012 ) Iranian players started to complain on a Blizzard forum that they couldn't access the World of Warcraft servers, unless they went through a proxy server outside of their country.  After many more complaints from Iranian players and several days had past, Blizzard explained they had to take action to block all Iranian World of Warcraft players to due the US's economic ...

RSA Conference Europe 2012 Keynote Line-up

Image
The Premier League Champions of Information Security Conferences, RSA Conference Europe 2012  is just less than two months away. The keynote line-up has been confirmed and it is looking finger licking good with an Advanced Persistent Threat (APT) flavour to it. Jimmy Donal Wales,  Founder of Wikipedia Art. Coviello (RSA) Intelligence-Driven Security: The New Model Francis deSouza  (Symantec)  The Art of Cyber War: Know Thy Enemy, Know Thyself Adrienne Hall (Microsoft) Risks and Rewards in Cloud Adoption Herbert 'Hugh' Thompson  Securing the Human: Our Industry’s Greatest Challenge Philippe Courtot  (Qualys) Big Data : Big Threat or Big Opportunity for Security? Bruce Schneier  (BT) Trust, Security, and Society Joshua Corman   "Are We Getting Better?" Why We Don't Know. What We Can Do About It. Misha Glenny   The Struggle for Control of the Internet I always recommend information security professionals, whether new to the profes...

Security is a Contraceptive, but Ribbed!

Image
During a recent conference presentation, I heard a speaker proclaim 'IT Security is a Contraceptive, it does nothing to improve performance', much to the amusement of the audience. I completely disagree with that statement and regard it as  an uninformed  viewpoint by those who generally do IT and IT Security poorly, as in my experience I have seen how good IT security practises can have many positive effects on business performance.  Consider one of the holy information security trinity (CIA Triad), "availability", which is all about "business availability", and tied to business performance.  When comes to availability security measures is very much part of the performance equation, the threat of  malware  and denial of service attacks should be assessed along with the threat of power outages and hardware failure. For example business critical web services which has not been built with a capacity to withstand denial of service attacks can ...

The Hotel with Assumed Security

Image
It is fair to say most people will automatically place a certain amount of trust in hotel they never have visited before, especially those hotels with a decent star rating. Sure you might read a few reviews on the internet about the quality of the services and standard of the facilities at the hotel, but you would have the hotel complete a self costumed questionnaire before you booked. The type of security a hotel has is rarely considered by guests, instead most would blindly trust the hotel provides adequate enough security which protects their possessions, and themselves. Yet making assumptions that someone else's values will be the same as yours is a dangerous thought of complacency. Think about how a hotel's physical security measures up to your home security, and now consider the additional threats staying at a hotel has compared to your home. This week I checked into a Best Western Hotel in the North East of England. The receptionist duly handed me a room key and I wen...

Olympic Games Security has lessons for Airport Security

Image
The London 2012 Olympics Games were a tremendous success, I know I thoroughly enjoyed the games, and as a Brit I was extremely impressed, moved and inspired by the performances of Team GB, and how well the games were organised. Not being jingoistic, but what a Fantastic Olympics Games I was fortunate enough to attend a few London 2012 events, I can report from the spectator's point of view, the security checks were pretty much on par with what you would expect from passing through airport security, except the staff asking you to remove belts and place loose change into clear plastic bags before being walked through metal detectors and being searched, were way, way more friendlier and civil. Thorough Security with Tiny Queues & Friendly Service Such was the organisation and capacity of the security check points, I witness no queues, this despite tens of thousands of fans passing through at a similar time.  Definitely les...

Cyber-warfare rumbles on with Gauss

Hot on the heals of Stuxnet, Duqu and Flame comes another highly sophisticated "nation state" sponsored malware dubbed "Gauss".  Analysts at Kaspersky Labs de-engineering Gauss are saying it shares many elements of the same source code of the Stuxnet Worm and Flame, therefore have concluded it could only have been made by the same people, and given this new malware's specific purpose, underlines the link to another state sponsored cyber attack within the middle east. I posted who was behind Flame in  flame-culprit-fingered , no doubt it's the same folk behind Gauss. At present Gauss is specifically targeting financial users in Lebanon, stealing web browser history, browser passwords and host system configuration details. However the main purpose of Gauss appears to be that it steals account credentials from specific Lebanese online banks, and from PayPal and CitiBank, probably to monitor and collect details from financial transactions rather t...

94.5% of Business Overlook Third Party Data Security

Image
egress , specialists in data security and have their very own email and data encryption software, surveyed businesses about data security and have provided the following snapshot of their survey results to share on this blog. You need to Love yourself before you can Love Others This survey echoes the same old information security issues, businesses do not fully grasp and value the confidential information to which they process and store. This leads to a lack of expertise, capability and will to protect such data adequately within the business. It is not surprising then to learn such business are blindly trusting third parties to which they share their most important data, to protect their data sufficiently. They say you need to love yourself before you can love others, same applies to information security and assuring third parties protect business data properly.

Mars Curiosity Communication Security

Image
Curiosity successfully landed on Mars today, and an amazing feat of engineering, many congratulations to all the engineers and scientists involved at NASA for what could prove to be one of the most ground breaking space missions in human history. Curiosity is the latest, biggest and most sophisticated NASA rover to make it to the read planet, and like it's predecessors is controlled from the Jet Propulsion Laboratory (JPL) in California. NASA JPL sends instructions and receiving communications to the Curiosity Rover using either X band (radio waves), and also by relaying communication through one of the two spacecraft in orbit around Mars, the Mars Reconnaissance Orbiter and the Odyssey Orbiter, using UHF Electra-Lite. NASA JPL use the Deep Space Network (DSN), a series of  large antenna  dishes across the Earth, to send and receive these communications directly with Curiosity and with the two spacecr...

Implicit Trust of The Cloud & Third Parties

Image
I find 'Implicit trust' fascinating to observe, equally within business information security and within society. 'Implicit trust" can be defined as having no doubts or reservations, being unquestioning.  For example most people implicitly trust their doctor, just because the doctor wears a white coat, exudes authority and has 'Dr' in front of their name. No one ever asks the doctor to validate their medical credentials. Perhaps we should. Implicit trust can be lost and gained, a decade ago most people would implicitly trust bankers, having someone from the banking profession witnessing legal documents and signing passport applications would be seen as a highly thought of and credible witnesses within society, not so these days, and we all know why. Police is another profession which has very interesting polarisations to observe, implicitly trusted by some and implicitlydistrusted by others. Then there is paradox of politicians, nearly everyone distrus...

UK InfoSec Overview for July 2012

Microsoft patch two critical remote execution vulnerabilities in Internet Explorer http://technet.microsoft.com/en-us/security/bulletin/ms12-044 Yahoo investigating exposure of 400,000 passwords Hacking Group D33DS are said to be behind the attack. Hacking Groups continue to target big business websites, this attack demonstrates even hi-tec companies which have a high focus on IT security can be vulnerable to major data thefts. Patient Data incorrectly placed on Facebook by Northern Ireland’s Health Trusts . Serious lapses in data protection and confidentiality procedures saw highly sensitive information lost, disclosed to the wrong people and even published on the internet. In one alarming case a client’s referral details were revealed on Facebook after a staff member dialled the wrong number and left a message on an answering machine. It was among almost 100 serious data breaches reported by the region’s five health trusts in recent years Anti-Phishing Work...

UK Data Protection Overview for July 2012

ICO imposed a  civil monetary penalty (CMP) of £150,000 on the consumer lender, Welcome Financial Services Limited (WFSL), after the loss of more than half a million customers’ details. WFSL’s Shopacheck business lost two backup tape. The backup tapes contained the names, addresses, dates of birth, loan accounts and telephone numbers of approximately 510,000 of their customers in November 2011. The backup tapes also held personal information of 20,000 current and former employees of WFSL, and 8,000 agents. The backup tapes have not been recovered to date. The lost backup tapes were not encrypted The ICO deemed WFSL to have broken the 7 th principle of Data Protection Act. Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data ICO stated Data Controller did not follow their ...

Burgas Airport Bombing, CCTV does not React

Image
I passed through Burgas airport a couple of days before a suicide bomber killed 5 Israelis & 2 Bulgarians on 18th July 2012, and I then passed through the airport again a couple of weeks later. Burgas Airport is the smallest of passenger airports and is located on the Bulgarian Black Sea coast, and is used mainly in the summer by holiday makers, myself included. On the entrance to terminal and within the airport, a Security Notice sign caught my eye and bothered me as I waited to check in. It said " This Area is Protected by Video Surveillance ". Now CCTV can act as a deterrent and is particularly useful for the purpose of recording events and working out the causes of incidents. But even with a team of operators vigilantly watching the CCTV screens in real time, I just don't see how this CCTV would "protect the area" I was entering, as within this crowded space everyone had large bags and many had hats and sunglasses concealing their identity ...

Burgas Airport Bombing Data Breach Parallel

Image
I passed through Burgas airport a couple of days before a suicide bomber killed 5 Israelis & 2 Bulgarians on 18th July 2012, and I then passed through the airport again a couple of weeks later, in between I knew some friends who went through the airport just a fews day after the incident. Burgas Airport is the smallest of passenger airports and is located on the Bulgarian Black Sea coast, and is used mainly in the summer by holiday makers, myself included. Burgas Airport Bombing A Side Point Interestingly on way out from Manchester airport to Burgas, the Thomas Cook check in crew we're only focused on making money from excess badge amounts and things like extra leg room seats, it was the first time I've never been asked if I packed my bags myself and whether my bags had been out of my sight at a check-in desk. A sign of the tough financial times as Thomas Cook just posted a £26.5 Million quarter loss, or security complacency, I thought. Airport Security Theatre ...