Tuesday, 22 January 2008

MOD Don’t Encrypt All Laptops

Perhaps I am being a little naive, but I would have thought all MOD laptops would be deployed with hard disk encryption. Apparently not so: the MOD laptop stolen last week from a parked car in Birmingham didn’t have any hard disk or file level encryption, despite holding masses of private data. This MOD laptop held 600,000 records of military personnel, personal data including passport numbers, national insurance numbers, drivers' licence details, family details, doctors' addresses and bank details, which is probably why we know about this breach; I'm sure the MOD would rather have kept this incident out of the public eye.

Organisations which use thousands of laptops in the field (should) accept and understand that a certain percentage of laptops will be stolen. Sure, you can try to reduce the numbers stolen and the risk by educating users, but it is inevitable that a minor quantity of laptops will be stolen; it's the way of the world. This is nothing new either: the theft of laptops has been commonplace since their introduction 20 years ago. Most large organisations in the private sector understand this and the risk of data breach associated with such laptop thefts, and as a matter of course enforce encryption of all of their laptop hard disks across the board. And the cost of buying the software to properly encrypt laptop hard disks and secure the information held on them? Well, it is around £20 to £50 per laptop, which is around 5% of the cost of the laptop, so there really is no excuse for these types of breaches today.

The other question I have with this particular breach is why there is so much sensitive data being held on a laptop in the first place. It’s probably laziness or incompetence, but nevertheless no one should need to be walking around with that amount of information on a laptop, hard disk encrypted or not.

On the back of the MOD breach news story, I noticed yet another government agency, namely the Department of Work and Pensions (DWP), disclosed another data breach, in that hundreds of documents containing sensitive personal data of citizens were found on a public roundabout in Devon. It appears this is not the first time this has happened either. And on the same day the Stockport Primary Care Trust revealed that they had lost 4,000 patient records.

It appears to be a growing trend to announce data breaches on the back of bigger breaches, I’m sure there are press officers just sitting there reading news reports, “oh there goes a seriously big breach, quickly release our breach, they won’t notice”…

Tuesday, 8 January 2008

HMRC Breach a Fuss about Nothing? Not Really

BBC TV Top Gear presenter Jeremy Clarkson, who writes for the Sun newspaper, was so convinced the HMRC data breach was, in his own words, "a fuss about nothing" that he published his own bank account and sort code details in the newspaper, and I quote: "All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing," he told Sun readers.

However, when he next checked his bank statement he saw someone had set up a direct debit which automatically removed £500 from his bank account, apparently transferring the money to a charity. Now that's what I call ethical hacking!

To quote Clarkson further after discovering this, "The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again. I was wrong and I have been punished for my mistake."

I think it just goes to show that there are many people who just don't care that their personal information and their banking details are being lost, and could be in the hands of fraudsters. I'm planning a post on encryption next, but after that I'll try to explain what exactly the bad guys could do with your personal information and your banking details, and hopefully show how this sort of information has real value associated with it and therefore must be protected by those organisations entrusted with holding it.

Finally to quote Clarkson further "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy." - I'm with him on that!

Monday, 7 January 2008

HMRC: Update with my Grievance

I said I would blog about my own progress in obtaining answers and info on the improvements with the initial incident with HMRC when they lost the Standard Life CD with my data on it on 8th November, two weeks prior to the 25 Million record breach. I wrote several letters at that time to the powers that be and I have received several replies so far.

I had a reply from my local Member of Parliament, David Borrow, who said "I am looking into the points you have raised and I will contact you again as soon as I have more information."

I had a letter receipt acknowledgement from Michael Wills MP, the government minister for Data Protection.

I've also had an interesting response from The Information Commissioner’s Office (ICO)...

"Thank you for your correspondence dated 8th November 2007 regarding the security breach by HM Revenue and Customs which involved the loss of a computer disc containing Standard Life customer details.

The Information Commissioner’s Office (ICO) is responsible for administering the Data Protection Act 1998 (the Act), which is concerned with the processing of personal data. The Act requires, amongst other things, that organisations which process personal data employ appropriate safeguards in order to ensure the security of that data. If an organisation fails to take appropriate steps to ensure the security of the data they hold then it is likely that that organisation will have breached the requirements of the Act.

HM Revenue and Customs has reported this serious breach to the ICO, and as you may be aware, as a result of a further security breach the Chancellor has announced an independent review of HM Revenue and Customs. The Chancellor has agreed that the full report will be made available to the ICO and we will then decide what further action is appropriate. The ICO will release a statement as soon as he has considered the findings of the independent review.

As we have already been made aware of the breach, and as we will be provided with the full report following the independent review of HM Revenue and Customs, we do not require details of individual complaints. However we will keep a copy of the information you have provided on file as evidence should it be required in the future.

The Information Commissioner's Office is aware that you may have concerns about the security of the lost data; if you would like some practical guidance about avoiding identity theft you may wish to view pages 30 - 33 of our Personal information toolkit.

I hope this information is useful. If we can be of any further assistance please contact our Helpline on 08456 30 60 60, or 01625 545745 if you would prefer to call a national rate number, quoting your case reference number. You may also find some useful information on our website at www.ico.gov.uk

Yours sincerely

Sharon Boot
Senior Customer Service Officer"

Monday, 24 December 2007

The 12th Breach of Christmas (UK)

On the Twelfth Day of Christmas the Information Commissioner disclosed to me...

12 hundred wrongly addressed questionnaires (DVLA Dec 07)
802.11 Wifi WEP is broken (now takes just a minute to crack)
1 in 10 UK companies PCI compliant (Survey by Logic Group in Sept'07 revealed that only one in ten UK companies have the proper security standards to handle our card payments securely)
9 NHS Trust Breaches (Dec 2007)
8 "Significant" HMRC Security Incidents (HMRC revealed further "significant" breaches in Nov/Dec 07)
7 out of 10 websites vulnerable (Cenzic Study Finds Web Applications Vulnerable to attack May 07)
6,000 personal records mislaid (by N.I. Driver and Vehicle Agency - Nov 07)
"Twenty-Five" Million Records Lost (HMRC Nov 07)
4 in 10 WiFi routers unsecured (according to a report by Moneysupermarket.com Apr 07)
3 Million Learner Drivers Lost (by Driving Standards Agency Dec 07)
2 Discs Missing (HMRC discs holding 15,000 Standard Life customers' details were lost Oct 07)
And a £1 Million fine to the Nationwide! (Lost a laptop with an unencrypted hard disk holding nearly 11 Million customer records and were fined by the FSA in Feb 07)


Merry Christmas Everyone!


PS Let's hope I find it a much harder struggle to write this sort of thing next Christmas.

'Tis the Season to Disclose Data Breaches

It appears this time of year, coupled with the long shadow of the 25 Million unprotected records lost by the HMRC last month, makes an ideal time to disclose data breaches to the UK public. We really need proper California-style data breach disclosure laws in this country.

So what's new in the last 7 days...

Well, the NHS disclosed 10 (ten) data breaches at various NHS trusts around the country, one of which involved the loss of 168,000 records, most of which were children’s records. In a statement they spoke of an "extremely high level of security", but typically did not explain any details about the security measures. It would appear it's the old recipe of sending data on discs again. Fair play to the NHS if proper encryption was used, but so far I haven't really seen any details about each of these 10 incidents and when they actually occurred. I suspect the NHS powers that be chose not to disclose these incidents when they were discovered, but have been forced to now in light of the government enquiry into the HMRC breaches. I really don't want to be pessimistic at this time of year, but these are the 10 incidents the NHS are aware of, and knowing the NHS and its generally poor management, budget cutting and bad organisation, especially within IT, I suspect these incidents are probably just the tip of the iceberg.

On the back of the high profile NHS story, on the same day the Post Office admitted to sending over 5000 account details to the wrong pensioners.

The Skipton Building Society lost sensitive personal details of 14,000 customers, thanks to the theft of a laptop. The data includes names, addresses, dates of birth, national insurance numbers and the amount of money invested. There was no hard disk encryption on the laptop, which was owned by an IT supplier. At least the FSA can hold them to account for this breach. It's worth noting Leeds Building Society lost information about its own workforce in early November; this one went completely under the media radar.

And of course last Monday millions of UK learner driver details were lost by the Driving Standards Agency, after a hard disk holding 3 Million UK learner driver records was lost in the US of all places. This information was known to be missing back in May 2007, but was only disclosed to the public on Monday.

I was on BBC News 24 talking about this very issue, and to be completely honest, I had to work to get the newsreader to understand the importance of such breaches. Some people still don't realise the significance of large databases of information, even when populated with information "innocent on the eye" like names, addresses and phone numbers, the so-called stuff you can get out of a phone book. Sure, there were no bank details, but the data included details of fees paid and email addresses. In this case 3 million such records altogether have significant value to unscrupulous marketers and within the underworld. I mean, how much would spammers pay for 3 million active email addresses alone?


While on the BBC News 24, I found myself making an interesting point about the type of data being lost. I stated there was always a big focus and hype when personal bank information is lost or breached, and rightly so, however I can easily change my bank account, but it's not so easy to change my telephone, home address, and it's virtually impossible to change my National Insurance number, as lost by the HMRC.


SOAP BOX TIME: We are now living in the Information Age, in times where identity theft is the UK's fastest growing crime full stop. Now is the time for companies, organisations and us as individuals to wake up and start valuing information, information is an asset and it has value associated with it (Information=Money!), like with everything of value, it needs to be protected.

Friday, 14 December 2007

Hidden Flash Cookies

I was speaking to some pals of mine who were asking about deleting Internet history and removing cookies etc. from their PCs for privacy. However, none of them knew what “Flash Cookies” were and how to find and view them on their systems, let alone change Flash settings and remove them, so I agreed to do a post about them.

To recap, a regular cookie is a small text file created by websites via your web browser and stored locally on your PC. The file is tiny, which is probably why it's called a cookie. The information within the file is used to store or reference direct information about your habits and usage on a particular website, such as where you went on the website, and what you did. These cookies allow websites to be smart, so the website remembers who you are and what you like, often personalising or tailoring aspects of the website to make life easier or for directed marketing.

However, a lot of people have privacy concerns about having their surfing habits tracked, monitored and recorded in this way, and often like to remove these cookies from their system. Usually this is done via Internet Explorer's settings: Tools, then browsing history, then “Delete cookies”.

To recap on Flash, Adobe "Flash Player" is a web browser plugin which the vast majority of people have enabled on their web browsers (it's there by default). Having "Flash" allows for rich web content and high interactivity within websites; YouTube videos are delivered within Flash Player, for example.

However, I have noticed more and more websites are using Flash Cookies, even banking sites. Flash cookies perform the same function as a regular cookie, but they aren't stored as a text file in the usual cookies folder, therefore web browsers like Internet Explorer don't recognise them as cookies and they aren't removed with a "delete cookies".

Flash Cookie files tend to have a ".sol" file extension. On checking my system just now, I see I have "soundData.sol" within "C:\documents and settings\Local User name\Application Data\Macromedia\Flash Player\youtube.com\", even though I had just cleared all of my Internet history etc. as a test. I guess this particular flash cookie is probably tracking my preferred volume level on YouTube videos.

The good news is there is a way to delete flash cookies in an orderly fashion and configure the settings for their use on your system. Adobe (owners of "Flash"; they bought it from Macromedia a couple of years back) have a Flash Management Application on their website, not surprisingly delivered in Flash. Full instructions on its usage and settings are all on the Adobe website and pretty much self-explanatory, so I'm not going to repeat them here. Here's the link...

Flash Settings Manager

It's definitely worth checking out if like my pals you haven't come across Flash Cookies before.
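As an added example (not from the original post, and not Adobe's tool), here is a small Python script that does the job the browser's "Delete cookies" button misses: it walks the Flash Player data folder, lists every .sol file by site, and removes all of them except for the sites you choose to keep. The default root follows the Application Data path quoted above; the rule for working out which site a .sol belongs to (the first directory in its path that looks like a hostname) and the sample files it creates under a temporary directory are my own constructed assumptions, not documented Flash Player behaviour.

```python
import os
import tempfile
from pathlib import Path

# Default location of Flash Player shared objects on Windows XP, matching the
# "Application Data\Macromedia\Flash Player" path quoted in the post.
# %APPDATA% is the per-user "Application Data" folder.
DEFAULT_ROOT = Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player"


def site_for(parts):
    """Heuristic (an assumption, not documented Flash behaviour): the site a
    .sol belongs to is the first directory in its path that looks like a
    hostname. A leading '#' (as used by the #SharedObjects store) is ignored."""
    for part in parts[:-1]:
        name = part.lstrip("#")
        if "." in name:
            return name
    return "(unknown)"


def find_flash_cookies(root):
    """Return a sorted list of (site, relative_path, size_in_bytes) for every
    .sol file below root, i.e. the cookies the browser's dialog never shows.
    A missing root simply yields an empty list."""
    root = Path(root)
    found = []
    for sol in root.rglob("*.sol"):
        rel = sol.relative_to(root)
        found.append((site_for(rel.parts), rel.as_posix(), sol.stat().st_size))
    return sorted(found)


def remove_flash_cookies(root, keep=()):
    """Delete every .sol below root except those belonging to sites in keep.
    Returns the number of files removed."""
    removed = 0
    for site, rel, _ in find_flash_cookies(root):
        if site not in keep:
            (Path(root) / rel).unlink()
            removed += 1
    return removed


def demo():
    """Build a constructed sample tree in a temporary directory, list it,
    delete everything except the YouTube volume cookie, and list again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Flash Player"
        # Constructed sample: the YouTube volume cookie named in the post plus a
        # fictional bank site under the #SharedObjects store. Contents are dummy bytes.
        samples = {
            "youtube.com/soundData.sol": b"\x00\xbf" + b"volume" * 4,
            "#SharedObjects/ABCD1234/examplebank.test/login/state.sol": b"\x00\xbf" + b"x" * 100,
        }
        for rel, data in samples.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        before = find_flash_cookies(root)
        removed = remove_flash_cookies(root, keep=("youtube.com",))
        after = find_flash_cookies(root)
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    # Live, read-only scan of this PC's Flash Player folder (nothing is deleted here).
    for site, rel, size in find_flash_cookies(DEFAULT_ROOT):
        print(f"{site:30} {size:6d}  {rel}")
```

Run it as-is to see what your own Flash Player folder holds; call remove_flash_cookies(DEFAULT_ROOT, keep=(...)) only once you have decided which sites' preferences (such as the YouTube volume setting) you actually want to keep.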

Wednesday, 12 December 2007

And Yet another UK Government Data Breach

It's the same old recipe... Take one UK Government department and a couple of discs, copy thousands of records containing sensitive personal data of UK citizens onto the discs unencrypted, and then post them.

Don't these people ever learn!

This time it was the turn of the Driver and Vehicle Agency (DVA) in Northern Ireland, who dispatched two discs by Parcelforce on either 20th or 21st November. The discs, holding around 6,000 people's personal details, never arrived at the intended destination, namely the DVLC Headquarters in Swansea.

The head of the DVA said the information was not encrypted and included the details of 7,685 vehicles and more than 6,000 vehicle keepers. The data included the keeper's name, address, registration mark of the vehicle, chassis number, make and colour. The DVA also said they were not optimistic that the discs would ever be found.

I'm not even going to post any more on this, in fear of repeating myself, just read my last post made last Friday... http://blog.itsecurityexpert.co.uk/2007/12/uk-government-infosec-is-systemically.html

Friday, 7 December 2007

UK Government InfoSec is Systemically Broken

I don't really like knocking my own government, but their approach to protecting our personal information is like that of a banana republic.

This week another government department, namely the Driver and Vehicle Licensing Agency (DVLA), posted over 100 questionnaires holding people's details, including their dates of birth and "Motoring Offence History", to the wrong addresses. The DVLA said it was caused by human error, as if that makes this breach acceptable. So this is another government violation of the government's own Data Protection Act; however, it is pretty pointless fining these government departments, isn't it, as it would be like fining yourself. There is just no "stick" to push information security in these organisations. It's not like the private sector, where companies are heavily fined and breach publicity has a serious impact on a business brand, which is always important in competitive marketplaces. In my view there definitely needs to be a "big stick" from the top down to drive good security practice and culture within these organisations, otherwise no one will be bothered or have the time.

Meanwhile the acting head of the HMRC said there had been seven incidents of "some significance" involving data security breaches since April 2005. I thought that sounds a bit dodgy, as just who is deciding whether an incident was significant or not, and how many minor incidents are there? Again I think this underlines the need for disclosure laws in the UK (no, they don't have to tell us about these data breaches), or even a disclosure policy for government departments would be a good start.

While on the subject of HMRC, a reward of £20,000 is being offered for the return of two lost CDs containing the personal details of 25 million people. The Liberal Democrats valued the data on the CDs at £1.5 Billion the other day, so it's not much of a reward, is it? I mean, a good fraudster could pilfer £20,000 out of just one record, let alone 25 million records.

I think there needs to be a major shake-up and "investment" in how the government secures our private information. I think there is an appetite for this at the moment; I just hope it doesn't waver away as the media move onto other stories. After speaking to and advising many people about these incidents, it is clear these incidents have severely shaken any confidence most UK folk have in the government and the civil service; even I have changed my viewpoint on national ID cards. Meanwhile on the politics front, the opposition parties are having a field day with the government of the day, but I'm not so sure these incidents wouldn't happen under their governments anyway.

Tuesday, 4 December 2007

The Power of PlayStation

I was fascinated to read about a New Zealand security guy called Nick Breeze, who conducted brute force password cracking experiments using the processor at the heart of the Sony PlayStation 3. He stated he was able to brute force 8 character passwords using the PS3 processor and a password cracking application in just hours; usually it would take days on a regular desktop PC. This type of password cracking typically defeats the type of protection you find on a password protected Zip file (*cough H-M-R-C missing CD cough*).

The PS3 multi-core processor, called the “Cell Processor”, was developed by Sony, Toshiba and IBM a couple of years back. The Sony version of the processor can perform 256 billion calculations per second, which is faster than a 4GHz PC. It manages this speed due to having 7 cores within the processor, so it can carry out 7 calculations at the same time, trying 7 brute force password candidates simultaneously.
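To turn the "hours versus days" claim into numbers a password policy can be written against, here is an added Python example (not from the post, and not Nick Breeze's tool) that estimates the worst-case time to exhaust a password keyspace. Only the 8-character length and the 7 cores come from the post; the per-core rate of ten million guesses per second and the character-set sizes are constructed assumptions chosen to reproduce the scale described. It also goes a step beyond the post by computing the minimum password length that would survive a given number of years of such searching, which shows the defender's lever: adding one character multiplies the attacker's work by the charset size, whereas adding cores only divides it linearly.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes for common password policies (constructed for this example).
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, rate_per_core, cores=1):
    """Worst-case time to try every candidate when `cores` workers each make
    `rate_per_core` guesses per second (the average case is half this).
    Adding cores divides this linearly; adding one character multiplies it
    by the charset size."""
    return keyspace(charset_size, length) / (rate_per_core * cores)


def min_length_to_survive(charset_size, rate_per_core, cores, years):
    """Smallest length whose full keyspace needs at least `years` to exhaust."""
    needed = years * SECONDS_PER_YEAR * rate_per_core * cores
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


def describe(seconds):
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def policy_table(length=8, rate_per_core=1e7, cores=7):
    """One row per character set: (name, single-core time, `cores`-core time)
    for passwords of exactly `length` characters."""
    return [(name,
             describe(seconds_to_exhaust(size, length, rate_per_core, 1)),
             describe(seconds_to_exhaust(size, length, rate_per_core, cores)))
            for name, size in CHARSETS.items()]


if __name__ == "__main__":
    print(f"{'charset':20} {'1 core':>14} {'7 cores':>14}")
    for name, one, many in policy_table():
        print(f"{name:20} {one:>14} {many:>14}")
    for name, size in CHARSETS.items():
        print(f"{name}: {min_length_to_survive(size, 1e7, 7, 10)} chars to last 10 years")
```

With the assumed rate, 8 lowercase characters fall in under an hour on 7 cores and in a few hours on one, while 8 printable ASCII characters take years either way; and to last a decade against the same 7-core machine a lowercase-only password needs 12 characters, a printable-ASCII one 9. Swap in the guess rate measured on your own hardware to get figures that apply to you.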

Imagine the type of processing power that could be gained by installing a Linux OS and networking PS3s together to combine their processing power, as was done with the old PS2; you could be talking about a low budget supercomputer. Such processing power could have all sorts of positive uses beyond password cracking, such as research projects like the human genome. I must have a search on the net to see if anyone else is using their PS3 to do things other than playing games.