Friday 28 February 2014

GCHQ Privacy Disregard Touches the Optic Nerve

The latest GCHQ revelation, courtesy of The Guardian and Edward Snowden, is arguably the most privacy-damning of them all. A GCHQ surveillance programme called 'Optic Nerve' collected webcam images from more than 1.8 million Yahoo user accounts between 2008 and 2010. The programme saved one webcam image every five minutes from unknowing Yahoo users during private webcam chats. One of the leaked GCHQ memos made no bones about the fact that the agency struggled to keep the large store of sexually explicit imagery it had collected away from the eyes of its own staff.

The fact that these images were collected en masse and indiscriminately, without the knowledge of Yahoo's users, the vast majority of whom are law-abiding, is a real privacy invasion. Most worrying is that such an undertaking could be "green-lighted" by senior officials; that beggars belief, and it points to a general lack of moral judgement and to the uncontrolled power our security agencies have. This is what happens when covert security agencies are given a high degree of trust and power but are held completely unaccountable for their actions.

This has parallels with hackers, credit card fraudsters and even online cyber bullies: when people believe they are not accountable for their actions online, namely that they can get away with it, some of them will commit dark acts without fear of any recourse, acts they would never repeat in the more accountable real world. Take the example of Curtis Woodhouse, a professional boxer who turned the tables on his online abuser by offering a £1,000 reward on Twitter to anyone who could identify him. Sure enough he received a name and an address, and proceeded to travel across England to meet his abuser face to face, tweeting his progress along the way. As he reached the doorstep of his troll he received a full apology from him on Twitter. Just in the nick of time, and to Curtis' great credit, he resisted demonstrating his boxing prowess to his abuser, and has instead used the whole experience to raise awareness of cyber bullying.

Back to the GCHQ privacy abuse: it is high time the UK government got a stronger grip on GCHQ by introducing an independent privacy-protection oversight function covering all of its covert digital operations, and perhaps even by directing GCHQ to help protect the UK's national cyber assets and critical infrastructure. The latter is especially important given that this week we heard UK energy companies' security is so weak that they cannot obtain cyber insurance.

The UK government needs to get its cyber priorities straight and tackle the UK cyber defence problem, which is often talked about but rarely acted upon. If the UK lost power or water to a cyber attack, it would be a national crisis. As with its handling of GCHQ, the UK government is doing a poor job of holding profit-hungry energy and utility companies to account for their security, even though their services are crucial to UK citizens and businesses alike.

Friday 21 February 2014

Has your Website Account been Hacked?

The relentless stream of data breaches at big businesses continues, with the likes of Vodafone, Tesco, Sony, Adobe and Yahoo all losing their customers' personal data en masse due to inadequate security. How do you know whether your username, email address and password have fallen into the hands of a cyber criminal as a result of these breaches?

There is one website that seeks to provide some assurance on that question. https://haveibeenpwned.com has collected the stolen account data that was dumped publicly after these breaches and allows anyone to search it freely for their own username or email address; the website returns a response stating whether the account is known to have been compromised, namely whether it is listed within one of the stolen databases. The website says it currently holds over 161 million stolen accounts, compiled from several of the high-profile data thefts. Note the limitation: a "not pwned" result only means the address is absent from the breaches the site has loaded, not that the account has never been compromised.

Although the hacked businesses are responsible for the poor security that led to these data thefts, we as website users must recognise that we have a security responsibility to protect ourselves as well, and be much more savvy in creating and managing our website passwords. Website users should be creating long, complex, randomly formed passwords, including special characters such as !, ", £, $, % and ^. In addition users should adhere to a policy of using a unique password on every website, so that if one account is compromised, the same credentials cannot simply be replayed against every other site the user has an account with. This is not as impossible as it might seem, as a password vault such as LastPass can generate and manage unique, highly complicated random passwords for each website, so the user does not have to remember them or even think them up.

The password problem is nothing new; I posted advice back in January 2009, yet the message is still not getting through to many website users, as is evident from the most common passwords found in the stolen Adobe data. (That list could be recovered because Adobe had encrypted rather than hashed the passwords, so identical passwords produced identical ciphertext and could simply be counted.)

Top 20 Passwords from Adobe Data Breach

123456
123456789
password
adobe123
12345678
qwerty
1234567
111111
photoshop
123123
1234567890
000000
abc123
1234
adobe1
macromedia
azerty
iloveyou
aaaaaa
654321
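
To make the advice above concrete, here is an added Python example, not code from the original post or from any password vault product, that does three of the things a vault does for you: checks a candidate password against a breached-password list (using the twenty Adobe passwords above as constructed sample data standing in for a full breach corpus), generates long random passwords from a cryptographically secure source and estimates their entropy, and flags the same password being reused across sites. The policy thresholds (12 characters, 3 character classes, a 94-symbol alphabet) are my assumptions, not figures from the post.

```python
"""Password hygiene helpers: breach-list check, CSPRNG generation, entropy
estimate and cross-site reuse detection (added example, standard library only)."""
import math
import secrets
import string

# Constructed sample data: the twenty most common Adobe-breach passwords
# listed above, standing in for a full breached-password corpus.
ADOBE_TOP20 = frozenset("""
123456 123456789 password adobe123 12345678 qwerty 1234567 111111 photoshop
123123 1234567890 000000 abc123 1234 adobe1 macromedia azerty iloveyou
aaaaaa 654321""".split())

# Assumed policy: 94 printable ASCII symbols, at least 12 characters drawn
# from at least 3 of the 4 classes (lower, upper, digit, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12
MIN_CLASSES = 3


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Only meaningful for generated passwords, not human-chosen ones."""
    return length * math.log2(alphabet_size)


def character_classes(password: str) -> int:
    tests = (str.islower, str.isupper, str.isdigit,
             lambda ch: ch in string.punctuation)
    return sum(any(test(ch) for ch in password) for test in tests)


def assess(password: str, breached=ADOBE_TOP20):
    """Return (ok, reasons). The breach-list check comes first: a password
    that appears in a public dump is effectively public regardless of shape."""
    reasons = []
    if password.lower() in breached:
        reasons.append("appears in a known breach list")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")
    return not reasons, reasons


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw from the OS CSPRNG (never random.random) and retry until the
    candidate satisfies the policy, so callers never get a weak one."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if assess(candidate)[0]:
            return candidate


def find_reuse(vault: dict) -> dict:
    """Map each password used on more than one site to those sites, which is
    exactly the exposure a single breach would create."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for candidate in ("adobe123", "Tr0ub4dor&3xyz!!", generate_password()):
        ok, reasons = assess(candidate)
        print(f"{candidate!r}: {'ok' if ok else ', '.join(reasons)}")
    print(f"20 chars from {len(ALPHABET)} symbols ~ "
          f"{entropy_bits(20, len(ALPHABET)):.1f} bits")
    # Constructed vault with one password shared between two sites.
    print(find_reuse({"mail": "Xk9#pQ2!vL8m", "bank": "Xk9#pQ2!vL8m",
                      "shop": "Rt4$wN7@hJ3z"}))
```

The breach check is deliberately ordered first: "Adobe123" passes the character-class test yet is still a bad password, because anyone with the dump will try it. The entropy figure is only honest for the generated passwords; a human-chosen string of the same length has far less.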


I think business and the security industry need to do much more to tackle the password problem as well. Two-factor authentication certainly provides a high level of protection to the user: even if the bad guys have the username and password, they still can't access the account without possessing the user's hardware token or mobile phone, which are typically used as the second factor alongside the username and password. The likes of Google and Twitter offer two-factor authentication, but it is offered almost as a hidden option for their users. I have previously posted about the excellent Google two-factor authentication; read that if you wish to know more about it. I certainly recommend enabling it if you are a Gmail user.

As for the security industry, for years various vendors have been beavering away at potential password replacement solutions, and certainly more noise is being made about password solutions at the moment. However nearly every solution proposed involves trusting a third party to oversee it; even using LastPass requires trusting a third party. I think that trust, especially post-Snowden, will be a major barrier to seeing the password problem truly solved.

Wednesday 12 February 2014

How Microsoft will help Hackers attack Windows XP

Yesterday was Patch Tuesday, and as usual Microsoft released its monthly batch of security patches for its software.

Most notable in February's patch list are the several 'Critical' patches that resolve remote code execution vulnerabilities in all versions of Microsoft Windows. This includes a specific security patch download for Windows XP systems, demonstrating that Windows XP vulnerabilities keep on coming. But there is another really interesting point about these monthly Microsoft Security Bulletin announcements: from April onwards they will aid hackers in attacking the Windows XP operating system.

How Microsoft will help Hackers attack Windows XP
After 8th April 2014, Microsoft will in effect be advertising to hackers a list of Windows XP vulnerabilities that will remain unpatched. Every time Microsoft announces fixes for newly discovered vulnerabilities affecting multiple versions of Windows, as it did yesterday, it will be confirming that those vulnerabilities are also present in Windows XP and will remain unpatched there indefinitely; attackers can then compare the patched and unpatched code on a supported Windows version to locate the flaw and port an exploit to XP. We can expect such vulnerabilities to be targeted given the huge number of XP machines still in circulation worldwide, which recent surveys put in the hundreds of millions.


Why this is a problem for non-XP users
Those of us not running XP should not be too smug about this, as the end of Windows XP security patching is a grave concern for everyone. More compromised Windows XP systems means more machines available for targeting everyone, regardless of operating system. Compromised systems are often recruited into large botnets, allowing the bad guys to systematically direct phishing attacks, send spam and conduct DDoS attacks.

Does Microsoft have a moral duty to carry on patching XP?
So given this, does Microsoft have a moral and security responsibility to keep on patching Windows XP after April? On the one hand I understand the commercial aspect and the advantage of standardising on fewer versions; on the other hand, given the mass numbers of Windows XP systems still in use, I think Microsoft does have a moral duty to keep security patching Windows XP after April, and to play its part in protecting everyone.

UK Government Windows XP Advice
The UK government recently released its Windows XP advice to UK organisations. This CESG guidance urges the retirement of Windows XP and Office 2003 before 8th April 2014, but provides some short-term mitigation advice for organisations that will struggle to meet the deadline.

CESG Windows XP End of Support: Reducing Risk During Migration

Tuesday 4 February 2014

Why isn’t the GCHQ & NSA Privacy Invasion Socially Accepted?

Post-Snowden it is easy to jump on the media bandwagon and cry foul that GCHQ and the NSA have gone too far, forsaking our privacy for security. Yet if you take a walk through any city or town in the UK, your image and actions are recorded by hundreds of CCTV cameras, no permission is ever sought, and you have no idea who is watching you, yet this invasion of privacy is socially accepted.

Millions of people in the UK willingly give up their privacy on social networks, sharing almost every aspect of their private lives. This private information is commercially exploited through targeted advertising, and this invasion of privacy is socially accepted. The same is true with smartphones, where considerable user privacy is given up; just read Apple’s agreement and your mobile phone contract to see the extent of it, which goes well beyond personal details, phone calls and text messaging. These companies track the applications you use, the websites you browse and where you physically are in the world, so huge aspects of people's personal lives are tracked and recorded. No one ever seems to complain that a US-based smartphone manufacturer and German-owned mobile phone companies are able to know exactly who we are and track a history of our movements over time, so this level of privacy invasion is socially accepted.

Actual Mobile Phone Contract Example
We collect such information as:
your name;
billing address;
installation address;
delivery address;
telephone number;
your use of products and Services including but not limited to phone numbers and/or email addresses of calls, texts, MMS, emails and other communications made and received by you and the date, duration, time and cost of such communications, your searching, browsing history (including web sites you visit) and location data, internet PC location for broadband, address location for billing, delivery, installation or as provided by individual, phone location;

Then there are the UK ISPs, all of which track and record every website we visit and every network connection we make; in fact they have been instructed to do so by our government, the law was passed, and this is socially accepted.

And of course the UK government already keeps track of many elements of our private lives, including our earnings, our medical details and even the type of car we own, all private information which can easily be strung together to form a profile of our private lives.

So we already trust the UK government and foreign-based businesses with considerable amounts of our private lives, so is it really correct to conclude that GCHQ and the NSA have gone too far in abusing our privacy as well? Their intent is to protect our society, preventing terrorists and criminals from delivering their dastardly acts. This is the role of such agencies in the modern age, and they are usually the first in the firing line of politicians when terrorist actions succeed.

Nevertheless both GCHQ and the NSA are in powerful positions, which in my view require policing and oversight to ensure such agencies do not abuse their powers, especially behind the closed doors of their operations. Such operations must remain covert to succeed, and this prevents the sort of public scrutiny we see with other UK government agencies. In the absence of the desired public scrutiny I believe there needs to be an independent body watching over GCHQ and the NSA within their respective countries, a body which has public credibility and trust, and the power to investigate and where necessary hold secret service agencies to account when they are found to have strayed too far from our society’s privacy vs security balance. That balance can never be fixed once and for all; it must be subject to open-ended public debate, so that as a society we can keep pace with the rapid information technology revolution and the inevitable increase in storage and exploitation of our private data that comes with it. Only then can we as a society come to a general agreement on what is a socially accepted level of privacy invasion.

Finally, the big question I have is who is supposed to be holding to account the commercial giants, many of which have compiled huge amounts of our private information. Yes, we have Information Commissioners for data privacy enforcement, but the truth is these bodies are toothless tigers, shackled by ancient data protection laws written pre-social networking and pre-cloud computing. They are pretty much useless when it comes to tackling the large tech giants, giants which are motivated by exploiting our private information for profit, a far less noble purpose than GCHQ’s and the NSA’s intent.