Thursday, 8 August 2013

Recommended UK Security Awareness Training Videos

I specialise in information security awareness, so I am often asked about simple awareness techniques. One easy and free way to deliver security awareness training, especially to those in the dark, whether they are at home or in the workplace, is to use online videos. These are often free, simple to deliver anywhere, and can be a highly effective awareness tool, as long as they are of a decent standard. By a 'decent standard' I mean videos which aren't going to bore folk to death, aren't of amateur (blogger!) quality, and aren't cringingly cheesy to watch.

Here are some of my recommended UK favourites:

UK ICO; as you might expect these are focused on personal data protection, but the ICO have done a good job with these videos, especially "The Lights are On": http://www.youtube.com/icocomms


UK CPNI; recently released security awareness videos, also an interesting watch: http://www.youtube.com/user/UKCPNI


If you know of any other 'decent' free online videos, please let everyone know via the comments.

Tuesday, 6 August 2013

The Right Anti-Cyberbullying & Internet Safety Strategy

Social networking sites are getting hammered by the press following several high profile cyber-bullying cases on Twitter and Ask.fm. Politicians and parents are being vocal, wanting to ban social networking usage and pass laws to regulate the internet, both of which are pointless and rather concerning exercises.

The answer is education, and "privacy on" default settings.  

It should be mandatory for all UK primary school children to be properly educated on how to use the internet safely, learning about their online privacy and how to use social networking safely. This should be akin to the cycling proficiency test: just as kids ride bikes, all kids are online. Indeed many UK primary school aged children are using social network sites despite the teenage age limits. The problem is that some parents are complete luddites, alien to such communication technologies, so they cannot teach their sons and daughters even the very basics of online safety.

Default privacy settings on social networking sites are part of the problem. Any company, such as Ask.fm, which doesn't provide privacy-protecting default settings upon sign up should be ridiculed by the media. Users should have to turn privacy off themselves, which ensures they consider and accept the risk it poses to them. Perhaps such companies will eventually bow to public pressure and change their default privacy settings. Twitter responded to such pressure with abuse reporting this week, but in the past, without the media spotlight, they just ignored their users' complaints. Many social networking sites want user privacy set to off, as it is a fundamental ingredient in growing vast numbers of subscribers, which means bigger advertisement revenues, meaning more profit.

As a teacher, parent or child, if you need further information on internet safety, or even find yourself in a jam, you can get all the help you need at http://www.saferinternet.org.uk/


Tuesday, 30 July 2013

When Hacking can Kill

Luddites say we over-egg the seriousness of poor security practices and security breaches, as nobody actually dies. Well, that's not always the case: sometimes lives are put at stake when information security is poorly managed.


A couple of security engineers, from Twitter and IOActive, said they were able to hack and take control of a Toyota Prius. The engineers described how they could control every aspect of the car, including the steering, and were even able to disengage the brakes, so braking wouldn't work. They even went on to say they could remove their hacking device, eliminating all evidence of their control over the car.

This hacking example highlights the concerns with the security of our increasingly smart and connected cars. Cars are rapidly acquiring more sophisticated and complex computer systems and more external connectivity, which is the age-old recipe for security vulnerabilities. Security testing of car computer systems needs to run hand-in-hand with the rest of the comprehensive European car safety checks which all car manufacturers must adhere to, yet currently there is nothing in place to force the security testing of car computer systems.

Sunday, 28 July 2013

Hacking ring responsible for stealing over 160 Million credit cards charged

A global credit card hacking ring consisting of four Russians and a Ukrainian has been indicted in the US for stealing and selling over 160 million credit and debit card numbers. That's a vast number of card numbers, which led to millions in fraud. Two of the five were identified as sophisticated hackers by the US prosecutors, who stated they specialised in hacking multinational corporations, financial institutions and payment processors, including NASDAQ, Citibank and PNC Bank.

According to the indictment, US credit card numbers sold for about $10 each; Canadian numbers were $15 and better-encrypted European ones $50. It is interesting that the more secure European cards fetch five times the price of US cards.

This will be an interesting court case to watch as it unfolds, especially as more comes out about the hacking techniques used, and perhaps the poor security which these guys took advantage of.

Sunday, 7 July 2013

Having a Nice Cyberwar?

Cyberwar makes a great sound bite, so it is no great surprise that it is a term relentlessly cited by the media at the moment, but is it really the appropriate term to use?

Recently I was invited to hear 'Security Rockstar' Bruce Schneier talk about his thoughts on Cyberwar, and he made some intriguing points about the term. Bruce explained that Americans like to bandy around words like "war" when they aren't actually at war, and avoid using the word 'war' when they are at war. For example "the war on terror", "the war on drugs", and now "cyberwar". I recall that in the first Gulf 'War' the American media focused on titles like 'The Gulf Crisis', 'Crisis in the Gulf' and 'Desert Storm', so there is certainly some truth in that. In the last couple of years US politicians have increasingly been using the term "Cyberwar" in their rhetoric; phrases like 'Cyber Pearl Harbour', 'Cyber 9/11' and 'Cyber Armageddon' are capturing the US media's attention and reporters' imagination.

What does Cyberwar mean?
The usual definition of cyberwar is a nation-state orchestrated computer hacking attack against another nation state's informational and/or physical assets. If that definition is true, then batten down the hatches, as it's World War 3! Pretty much every major powerhouse in the world is conducting offensive cyberwarfare; Israel, Russia, China, the US and even the UK are said to have offensive "cyberwarfare" operations in play, whether they openly admit it or not.

So going back to Bruce's point on the usage of the word "war", cyberwar isn't actually the correct phrase to describe what is happening at the moment. The UK is not in a state of war with countries like China or Russia; a more apt term is cyber espionage. The cyberwar term should be saved for when there is a state of war between nations, describing a technical theatre of war which runs parallel with the usual physical theatres of war.

Cyberwar is nothing new
Cyberwar is not a new concept or a new problem; it's always been there. Even in World War II, jamming radar, misinformation techniques and cracking the Enigma codes all fit the proper definition of cyberwar. Going back to the 1991 Gulf 'war', Iraqi air defence radar stations were reportedly taken down electronically by a US virus before being physically destroyed with bombs, although that story, while widely repeated, has never been substantiated and is generally regarded as a hoax. When Russia fell out with Estonia in 2007, there were mass cyber attacks on the country's infrastructure, and the fingers of blame were pointed directly at the Russian secret services. Russia never admitted it and pointed the blame at hacktivists, namely Russian patriotic sympathising hacking groups, for orchestrating the cyber attacks. This leads to the next question: can hacktivist groups conduct cyberwarfare? In their view they would like to think so, but in reality it isn't cyberwar. Their operations are hacking and digital protesting, not warfare. I'm yet to see any hacktivist attack which seriously threatens lives or critical national infrastructure; government websites being taken offline doesn't count as a loss of critical national infrastructure.

So there you have it, but I'm afraid the term 'cyber' won't be going away any time soon, as the media clearly loves using the phrase, so you can expect headline-seeking politicians to continue using the term 'cyber' time and again.

Saturday, 29 June 2013

PRISM, Metadata & Minority Report: Why you should be concerned

As the privacy debate continues to rage about PRISM, assurances are surfacing defending the US government agencies' PRISM approach, namely the covert monitoring of all internet traffic. The arguments put forward are that "we need to have PRISM to combat terrorism", "you have no need to worry if you're not a terrorist" and "don't worry, it's only metadata we keep". How does PRISM combat terrorism? What is metadata? Should we really be concerned if we are not terrorists?


The definition of metadata is information about information. Still not clear? Let me explain with an example. Take a phone call: the metadata is not the actual recording of the call, but the information about the phone call, so who the call was made to, the length of the call, the date and time of day, and keywords spoken on the call (via voice recognition). This is an example of the metadata most likely kept. Note that the last item stretches the definition: spotting keywords means the call content itself has been processed, even if only the derived flags are retained.

In an email monitoring context, the metadata is the recipients of the email, the date/time it was sent, the approximate location (via IP address) and whether a defined selection of keywords is present within the text of the email and its attachments. This is the information the security services want to keep hold of en masse. Volumes of such metadata can then be automatically processed (data mined) to build a profile of an individual, or even groups of individuals. It is the mining of this information which provides the desired result for the secret services in identifying potential terrorists; that is their argument, and who is to say it doesn't work. So if you were a potential terrorist plotting a plan, and got involved in discussing bombs and the other typical terrorism keywords within your emails "too much", it would pass a threshold and your account/identity would be flagged up for closer scrutiny by the security services.

The same would be true with the analysis of the websites you visited: visit too many terror-related websites and you can expect to be flagged up. In fact I wouldn't be surprised if they married the email and web traffic metadata up.
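As an added example (not code from the original post), here is the metadata-only profiling described in the last two paragraphs, run over constructed sample records. The addresses, IPs, domains, watch list and threshold are all assumptions, and the keyword hit counts stand in for whatever a content filter would report; the point is that account flagging and the contact graph need no message bodies at all.

```python
"""Added example, not code from the original post: the metadata-only
profiling described above, run on constructed sample records.

Nothing here looks at message bodies or page content. The email records carry
only who wrote to whom, when, and how many watch-list keyword hits a content
filter reported; the web records carry only timestamp, client IP and domain.
All addresses, IPs, domains and thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed email metadata: (timestamp, sender, recipients, keyword_hits).
# keyword_hits is the count of watch-list terms a filter flagged in the
# message; the text itself is not retained.
EMAIL_META = [
    ("2013-06-01T09:12", "alice@example.org", ["bob@example.org"], 0),
    ("2013-06-01T10:30", "carol@example.org", ["dave@example.org", "erin@example.org"], 3),
    ("2013-06-02T08:05", "carol@example.org", ["dave@example.org"], 2),
    ("2013-06-02T19:44", "bob@example.org", ["alice@example.org"], 1),
    ("2013-06-03T11:00", "dave@example.org", ["carol@example.org"], 0),
]

# Constructed web metadata: (timestamp, client_ip, domain).
WEB_META = [
    ("2013-06-01T12:00", "203.0.113.7", "news.example"),
    ("2013-06-01T12:05", "203.0.113.7", "watched-site.example"),
    ("2013-06-02T21:10", "203.0.113.7", "watched-site.example"),
    ("2013-06-02T22:00", "198.51.100.4", "watched-site.example"),
]

# Assumed: a login log that ties a client IP to an account at the time.
IP_TO_ACCOUNT = {"203.0.113.7": "carol@example.org", "198.51.100.4": "bob@example.org"}

# Assumed watch list of domains.
WATCHED_DOMAINS = {"watched-site.example"}


def score_accounts(email_meta, web_meta, ip_to_account, watched_domains):
    """Combine ("marry up") email and web metadata into a per-account score
    and an undirected contact graph. Returns (score, contacts)."""
    score = defaultdict(int)
    contacts = defaultdict(set)
    for _ts, sender, recipients, hits in email_meta:
        score[sender] += hits
        for rcpt in recipients:
            contacts[sender].add(rcpt)
            contacts[rcpt].add(sender)
    for _ts, ip, domain in web_meta:
        account = ip_to_account.get(ip)
        if account is not None and domain in watched_domains:
            score[account] += 1
    return dict(score), dict(contacts)


def flag(score, threshold):
    """Accounts whose score reaches the threshold, sorted for stable output."""
    return sorted(acct for acct, s in score.items() if s >= threshold)


def associates(contacts, account, depth=1):
    """Everyone within `depth` hops of `account` in the contact graph,
    excluding the account itself. This is the step that drags in people
    who never tripped a keyword: they merely corresponded with someone who did."""
    seen = {account}
    frontier = {account}
    for _ in range(depth):
        frontier = {c for a in frontier for c in contacts.get(a, ())} - seen
        seen |= frontier
    return seen - {account}


if __name__ == "__main__":
    score, contacts = score_accounts(EMAIL_META, WEB_META, IP_TO_ACCOUNT, WATCHED_DOMAINS)
    for acct in flag(score, threshold=5):
        print(f"{acct}: score {score[acct]}, associates {sorted(associates(contacts, acct))}")
```

The `associates` function is the part worth noticing: once one account passes the threshold, everyone it wrote to becomes a candidate for closer scrutiny, which is why "it's only metadata" is weaker reassurance than it sounds.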

In essence this is just like the movie Minority Report with Tom Cruise, but this is reality: mining big data sets is used to predict future human behaviour, in this scenario to stop terrorists before they commit an attack.


This type of data mining to predict human behaviour is nothing new; Facebook, Google, Microsoft and Amazon all use similar techniques to direct advertisements at you. Another example is the Tesco supermarket chain: in the last 15 years Tesco has been extremely successful in growing its business. This success has been partly due to Tesco mining its customers' shopping habits, gathering information from their Tesco Clubcards over the years. You could even argue Tesco are just as secretive as the US government security services with their mining of big data.


Whether this type of monitoring of information is right or not all depends on which side of the privacy fence you sit. But the Minority Report style prediction of human behaviour presents a new and interesting privacy angle on big data mining, especially when used to predict criminal behaviour as in the movie. Too far fetched, I hear you cry? Yet the LAPD are piloting such a system with great success: Predictive Policing: The Future of Law Enforcement? Where it will lead is the question...

Saturday, 15 June 2013

Man City Hack: When Information is worth more than money

The Manchester City scouting database hack is close to my heart on two counts: it highlights the corporate espionage side of information security, and it involves my other passion away from security, the beautiful game, football.


Funny but it's no laughing matter for MCFC

City Scouting Database Compromise is Clouded
What is clear is that Manchester City officials believe their confidential scouting database has been taken by a rival club employee, but how this data was compromised is cloudy. The City scouting data was stored in a cloud based (online) application called ProScout7. Scout7, a Midlands based company, were quick to deny their system had been hacked, and suggested the fault lay with City's scouts' password management. In other words, either a City scout had not protected their username and password, or perhaps the PC the scout was using to access Scout7 had been compromised with a keylogger or trojan, passing the Scout7 account credentials on to a rival scout. The released details on the cause are sketchy, and it is quite possible the ProScout7 system was hacked, but we can only speculate about the cause at this point. One thing is for certain: the scouting information is very important to Manchester City football club, and it is of value to their footballing competitors.

When Information is worth more than money
City's scouting knowledge has a direct cash value, in that rival teams may be alerted and bid for the same players City are interested in, pushing up the transfer price. This could easily result in a transfer increase in the millions. But there is another value, which is worth more than the transfer fee: City want to beat rivals like Manchester United, Chelsea and the other European big spenders in signing the best available players. Signing players ahead of rivals can make all the difference, and can decide the winners of titles. If Robin van Persie had been signed by City instead of United last season, I am sure most footballing pundits would agree City would have won the title.

Case in point: as soon as City found out their database was compromised by a rival club, they immediately took action and signed two of their secret targets, Jesus Navas (£24m) and Fernandinho (£30m), before their rivals could muscle in.



In all, this is an interesting incident, as it highlights the real high-stakes value of information, and the reality of corporate espionage in the UK. The incident also poses the usual set of security questions, starting with: when information is known to be a high value business asset, is the business really doing enough to protect that asset? For example:
  • Are the scouts using the scouting system adequately managed?
  • Are the scouts regularly receiving information security awareness training?
  • Does the scouting application sufficiently protect the scouting database, especially with access control, ensuring scouts only have access to information on a need-to-know basis?
  • Are the computers used by the scouts appropriately secured, i.e. anti-virus, patch management and other endpoint security technologies?
  • Is the third party scouting company adequately vetted and managed by City?
Even if the ProScout7 online application were found to be at fault, Manchester City are still responsible for ensuring Scout7, the third party City entrust with their holy of holies data, is able to protect their scouting information in line with their valuation of it.


Friday, 14 June 2013

PRISM: How I would set up covert monitoring of a Country's Internet Traffic

If I worked for a government intelligence agency and was tasked to devise a way to covertly monitor public Internet traffic, I would target the source of the Internet connectivity provision. The source of internet connectivity resides within the telecommunications operators (telcos), e.g. BT, Virgin Media, AT&T. Many telcos double as ISPs, but it's the telcos who ultimately provide Internet access to the ISPs. An advantage of monitoring at the source is that I don't need to tell, or ask permission from, a series of private companies like Google, Facebook, Apple and Microsoft, as I can simply intercept and record all of the public's sent and received internet traffic en route to these companies.


Typically telcos provide fast Internet connectivity to their clients (ISPs) over fibre optic cables. If I were to split the light signal sent over these fibre optic cables, I could allow the traffic to continue on its merry way completely uninterrupted, while at the same time copying the light signal down another cable to a secret data centre, where I would simply record the traffic, reassemble it and analyse it. Could this splitting of fibre optic light communications be the origin of the name PRISM? One caveat worth stating: a tap like this captures the bits, not necessarily the meaning. Anything carried over TLS (HTTPS, encrypted mail transport) yields only metadata, such as endpoints, timing and volume, unless the keys are also obtained.

For a government it would be fairly simple to have your telco operators sign up using secrecy laws; indeed many telcos in the West were originally operated by governments, and continue to be licensed by their government, so they remain easy to leverage. This approach means the likes of Google, Microsoft, Apple and Facebook would never officially have to be asked, and therefore would never officially know about the monitoring, hence their official denials about PRISM.

The only surprise I have with the PRISM media storm is that people were actually surprised that this type of monitoring is conducted by their elected governments. I am not a privacy nut, but it's fairly obvious that most governments in the world monitor their citizens' online usage. The lure of big data monitoring of citizens was always going to be too good for government secret services to resist.

Wednesday, 12 June 2013

New OWASP Top Ten 2013 released, actually it's gone to a Top 11

Today, OWASP officially released their updated list of the Top 10 Web Application (website) risks.

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organisations to develop, purchase, and maintain applications that can be trusted. The Top 10 list identifies some of the most critical risks facing organisations in web application security, and is a trusted resource, often referred to within the information security industry as the best practice to adhere to in application security.

OWASP update their Top 10 list roughly every three years; this, the latest OWASP Top 10 list, was released today, 12 June 2013.

OWASP Top 10 2013
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards

What's Changed?  A Top 11?
In comparison to the last release in 2010, it's actually a Top 11, as "A9 Using Known Vulnerable Components" has been added to the list. This highlights the risk of developers using third party components and plugins, which, if unvetted, may carry or introduce vulnerabilities, and may even act as malicious trojans, introducing covert data theft and backdoors. This is a risk often associated with website Content Management Systems (CMS) like Joomla and Drupal, where active communities freely provide thousands of third party modules which developers can snap into their websites. Even though most modern CMS systems do a decent job of protecting themselves from such third party modules, the modules still present a risk which needs to be addressed by developers.
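The practical counterpart to A9 is checking what you actually ship against what is known to be vulnerable. The following is an added example (not OWASP's code, nor code from the original post) of that check for pinned Python dependencies rather than CMS modules; the package names, versions and advisory entries are constructed for illustration, and a real audit would read them from a maintained advisory feed.

```python
"""Added example, not OWASP's code or the original post's: a minimal
"known vulnerable components" audit of the kind A9 calls for. It reads a
pinned requirements.txt and checks each pin against an advisory list.
The packages and advisories are constructed for illustration only; a real
audit would pull them from a maintained advisory feed.
"""
import re

# Constructed advisory feed: package -> list of
# (first affected version, first fixed version, description).
ADVISORIES = {
    "examplelib": [
        ("1.0.0", "1.4.2", "CONSTRUCTED-001: remote code execution in template loader"),
    ],
    "widgetkit": [
        ("0.0.0", "2.1.0", "CONSTRUCTED-002: SQL injection in search()"),
        ("2.3.0", "2.3.4", "CONSTRUCTED-003: path traversal in export()"),
    ],
}

# Constructed sample requirements.txt.
REQUIREMENTS = """\
# pinned dependencies (constructed sample)
examplelib==1.3.9
widgetkit==2.3.2   # used by the reporting module
safelib==4.0.1
unpinnedlib>=1.0
"""

_REQ = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.-]*)?$")


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) for tuple comparison. Non-numeric parts
    (e.g. 'rc1') compare as 0, which is good enough for this illustration."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def parse_requirements(text):
    """Return (name, operator, version) per requirement line. Comments and
    blank lines are skipped; unparseable lines come back as (line, None, None)."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ.match(line)
        if m is None:
            out.append((line, None, None))
            continue
        name, op, version = m.groups()
        out.append((name.lower(), op, version))
    return out


def audit(requirements_text, advisories):
    """Return findings as (package, status, detail). A pin is VULNERABLE when
    first_affected <= pinned < first_fixed for any advisory; anything that is
    not an exact pin is reported as UNPINNED because it cannot be assessed."""
    findings = []
    for name, op, version in parse_requirements(requirements_text):
        if op != "==" or version is None:
            findings.append((name, "UNPINNED", "not an exact pin; cannot assess, pin a version"))
            continue
        pinned = parse_version(version)
        for first_affected, first_fixed, note in advisories.get(name, []):
            if parse_version(first_affected) <= pinned < parse_version(first_fixed):
                findings.append((name, "VULNERABLE",
                                 f"{version} affected, upgrade to >= {first_fixed}: {note}"))
    return findings


if __name__ == "__main__":
    for package, status, detail in audit(REQUIREMENTS, ADVISORIES):
        print(f"{status:10} {package}: {detail}")
```

The UNPINNED case is deliberate: a floating requirement like `>=1.0` can silently resolve to a vulnerable version on the next build, so an audit that only matches exact pins should say so rather than pass it as clean.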

To accommodate this addition, the 2010 Top 10 entries "A7 Insecure Cryptographic Storage" and "A9 Insufficient Transport Layer Protection" have been merged into a single "A6 Sensitive Data Exposure" entry. So technically speaking nothing has been removed from the list and there is one addition, hence the Top 11 comment.

Finally, the Top 10 list is just that, the 10 most prominent application security risks; other risks exist, so see the OWASP website for further details.