14 November 2008

Reason to Secure your Home WiFi

Just the other week I saw a “Which? Computing” report which highlighted complaints against video games companies who were going around accusing innocent people of being file-sharing pirates. In one case Atari accused a couple in Scotland of file sharing the game Race07. The couple were aged 54 and 66, and unsurprisingly had never played a computer game in their entire lives, yet they received a threatening letter care of Atari’s lawyers, instructing them to pay a £500 fine or face court action.
In due course the fine and the case were rightly dropped; however, 70 other similar cases were also dropped, often involving senior citizens who had never heard of peer-to-peer file sharing.
But what caught my attention was the law firm’s response in making these accusations. According to Michael Coyle, an intellectual property solicitor with law firm Lawdit, “more and more people are being wrongly identified as file-sharers. Most commonly problems arise when a pirate steals someone else's network connection by "piggybacking" on their unsecured wireless network.” While prosecutors argue that users are legally required to secure their network, Mr Coyle dismisses this. "There is no section of the Copyright Act which makes you secure your network although it is commonsense to do so," he said.
For some time now I have been warning home users about the consequences of not securing their home WiFi properly, or even purposely sharing WiFi Internet access with anyone in range. In this case it was a computer game being shared without the WiFi network owner's knowledge, which resulted in a scary letter from a law firm. But what if a neighbour or a complete stranger were using the Internet connection to share illegal pornography? It would probably result in a knock on the door from the police, the removal of all computer equipment from the address and an arrest. Interestingly, the lawyers were certainly thinking about blaming the WiFi network's owner. I wonder whether, if the network had been intentionally shared by the owner, they could be found liable; regardless of that, I don't think it's the smartest move to purposely share your home WiFi network outside your home.
Opening up wireless network access, or failing to make sure the WiFi is properly secured, raises many other concerns. For one, it is possible for someone to listen in on (snoop) your Internet traffic, learn which websites you visit and in some cases steal personal information. Unless you encrypt your email, the bad guys can intercept and read it, and even alter its contents without your knowledge. And by attacking the wireless router from inside the WiFi network, they can even redirect you invisibly to fake websites. For instance, it is possible to snoop which bank website you use, then alter the DNS settings on the WiFi router so that the next time you visit your bank's website your computer is sent to a fake bank site which shows the correct URL in the address bar; in doing this the bad guys could harvest your online banking logon credentials without your knowledge.
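The router DNS tampering scenario above has a straightforward defender-side check. What follows is an added example, not part of the original post: it compares the resolver addresses the router is handing out with the ones you expect, and the addresses your resolver returns for a few important hostnames with the answers from an independent resolver you trust. All addresses, hostnames and answers are constructed sample data (RFC 5737 documentation ranges), injected as plain dicts so the check runs offline.

```python
"""Added example (not from the original post): a defender-side consistency
check for the router DNS tampering scenario.

Two signals are compared:
  1. the DNS resolver addresses the router is handing out, against the
     resolvers you expect (your ISP's, or ones you configured yourself);
  2. the addresses the local resolver returns for a few important hostnames,
     against the answers from an independent resolver you trust.
Everything below is constructed sample data; in practice the dicts would be
filled from the router's admin page / DHCP lease and from real lookups made
through two different resolvers.
"""
import ipaddress

# Constructed: what the router says it uses for DNS.  The second address is
# one the household never configured.
ROUTER_DNS_SERVERS = ["192.168.1.1", "203.0.113.250"]
# Constructed: the resolvers that are supposed to be there.
EXPECTED_DNS_SERVERS = {"192.168.1.1", "198.51.100.53"}

# Constructed answers from the router's resolver and from a trusted resolver.
LOCAL_ANSWERS = {
    "bank.example": ["203.0.113.7"],                 # sent somewhere else entirely
    "mail.example": ["198.51.100.25"],
    "shop.example": ["192.0.2.80", "192.0.2.81"],    # legitimate round-robin
}
TRUSTED_ANSWERS = {
    "bank.example": ["192.0.2.10"],
    "mail.example": ["198.51.100.25"],
    "shop.example": ["192.0.2.81"],
}


def unexpected_resolvers(configured, expected):
    """Return the configured resolver addresses that are not in the expected
    set.  Addresses go through ipaddress so a malformed string fails loudly
    instead of silently passing the comparison."""
    expected_set = {ipaddress.ip_address(a) for a in expected}
    return [a for a in configured if ipaddress.ip_address(a) not in expected_set]


def inconsistent_hosts(local_answers, trusted_answers):
    """Return hostnames whose local answer shares no address at all with the
    trusted answer.  Requiring *any* overlap rather than an exact match avoids
    false alarms from CDNs and round-robin DNS, which legitimately hand out
    different subsets of the same address pool."""
    flagged = []
    for host, trusted in trusted_answers.items():
        local = set(local_answers.get(host, []))
        if not local & set(trusted):
            flagged.append(host)
    return sorted(flagged)


def dns_health_report(configured, expected, local_answers, trusted_answers):
    """Combine both signals; empty lists mean nothing was found."""
    return {
        "unexpected_resolvers": unexpected_resolvers(configured, expected),
        "inconsistent_hosts": inconsistent_hosts(local_answers, trusted_answers),
    }


if __name__ == "__main__":
    report = dns_health_report(ROUTER_DNS_SERVERS, EXPECTED_DNS_SERVERS,
                               LOCAL_ANSWERS, TRUSTED_ANSWERS)
    for key, items in report.items():
        print("%s: %s" % (key, ", ".join(items) or "none"))
```

A finding from either signal is a prompt to log into the router and look at its DNS settings, not proof on its own: a changed ISP resolver or a CDN that just rotated its pool can trip the check too, which is why the host comparison only alarms when there is no overlap at all.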
All food for thought: whether it is someone stealing your personal information, or your neighbours committing file-sharing piracy or worse, you should make sure your home WiFi is secured for just your own usage, and avoid all the inconvenience and hassle.

11 November 2008

Web Application Security with HP's Billy Hoffman

The increasing shift of Internet hacking attacks towards the (web) application layer is leaving many end customers as victims. Recently I met up with Billy Hoffman, head of HP Security Labs and web application security researcher, and discussed why this attack vector is on the rise, and solutions to the problems.

In recent years there has been an explosion in the number of web applications on the Internet, the so-called “Web 2.0”. Web applications are becoming more complex, and whether they are social networking sites, e-commerce sites or banking sites, the new breed of web applications is increasingly handling large amounts of consumer financial data and personal details. Such information is of commercial value and is targeted by cyber-criminals. Many web applications are simply not developed as securely as they ought to be, and as a result are vulnerable to web application hacking and attacks. The bad guys are taking advantage of this situation, with recent research showing 75% of cyber attacks are now carried out at the web application level. So the stakes are high for the end consumers of these web applications, and the rewards are high for the cyber-criminal who exploits poorly written web application code to steal data. In essence, if the application doesn’t have proper security checks written into the code, the hacker can take advantage and make the web application do something it wasn’t designed to do, which can result in large amounts of consumer information being harvested by cyber criminals. One of the most common attacks is SQL Injection, which can literally return whole chunks of the database within the web page, while another common attack is known as Cross-Site Scripting (XSS), which allows the attacker to inject malicious script into the web page, which in turn could steal user login sessions and deliver malware to user desktops, amongst other things.
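The two attack classes just named come down to the same coding mistake: untrusted input is mixed into something the server interprets (SQL text, HTML) instead of being kept as plain data. The following is an added example, not code from the article or from HP; it shows each flaw as a developer might write it beside the corrected form, against an in-memory SQLite table of constructed sample rows (table and column names are assumptions for the demonstration).

```python
"""Added example (not from the original article): SQL injection and
cross-site scripting, each as the vulnerable code and its fix.
"""
import html
import sqlite3


def make_db():
    """Constructed sample data: two customers with masked card numbers.
    Passwords are stored in clear here only to keep the demo short; a real
    application stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "4111-xxxx-xxxx-1111"),
         ("bob", "hunter2", "5500-xxxx-xxxx-2222")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: user input is pasted into the SQL text, so the input can
    change the structure of the query instead of just supplying a value.
    A username of  ' OR '1'='1  turns the WHERE clause into one that is true
    for every row, which is how a login form ends up dumping the table."""
    sql = ("SELECT username, card FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """Parameterised query: the values travel separately from the SQL, so
    whatever the user typed is compared as a literal string and nothing more."""
    sql = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def greeting_vulnerable(display_name):
    """The flaw: untrusted text is written straight into HTML, so a name that
    contains markup becomes script that runs in every viewer's browser."""
    return "<p>Welcome back, %s</p>" % display_name


def greeting_fixed(display_name):
    """Output encoding: HTML metacharacters become entities and render as text."""
    return "<p>Welcome back, %s</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable login, probe :", login_vulnerable(db, probe, probe))
    print("fixed login, probe      :", login_fixed(db, probe, probe))
    print("fixed login, real creds :", login_fixed(db, "alice", "s3cret"))
    tag = "<script>alert(1)</script>"
    print("vulnerable greeting     :", greeting_vulnerable(tag))
    print("fixed greeting          :", greeting_fixed(tag))
```

The two fixes are the same idea applied at different boundaries: parameters keep data out of the SQL parser, and output encoding keeps data out of the HTML parser. Neither depends on guessing what a hostile input might look like, which is why they hold up where input filtering alone does not.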

Firewalls do not protect Web Applications
What’s even more worrying about web application attacks is that they are often not even being monitored, and therefore go unnoticed by the website administrators. A web application (layer 7) attack completely bypasses the security and monitoring provided by devices such as network firewalls and Intrusion Detection and Prevention Systems, and by website encryption (SSL/TLS, that golden padlock on the browser). Even network level penetration tests resulting in “not hackable” seals of approval offer no guarantee against a web app hack. So when you see a web page stating it’s a “secure website”, using encryption (“https”) and displaying an up-to-date anti-hack testing seal of approval from a well known security company, none of it has any bearing on the security of the web application itself, which could be full of major security issues despite all those measures, because they only operate at the network layer.
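The monitoring the paragraph above says is usually missing has to look at the request itself, after URL decoding, because that is the only place a layer 7 attack is visible. The following is an added example, not from the article or any vendor tool: a small scanner over web server access log lines that URL-decodes each request path and flags common SQL injection and cross-site scripting indicators. The log lines are constructed sample data in common log format, not from any real site, and the indicator patterns are a deliberately small illustration rather than a complete rule set.

```python
"""Added example (not from the original article): layer-7 monitoring over
access log lines.  Log lines and indicator patterns are constructed for the
demonstration.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample access log (common log format).  The second line is the
# same /products page as the first, but with a modified id parameter and a
# response roughly twenty times larger.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Nov/2008:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 5120
203.0.113.5 - - [14/Nov/2008:10:01:09 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 98230
198.51.100.7 - - [14/Nov/2008:10:02:11 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2210
192.0.2.9 - - [14/Nov/2008:10:03:00 +0000] "GET /about HTTP/1.1" 200 1800
"""

# Common log format: client, identd, user, [timestamp], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators are matched against the *decoded* path: payloads arrive
# percent-encoded, and a device that never decodes never sees them.
INDICATORS = {
    "sqli": re.compile(
        r"['\"]\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|--\s*$|\bunion\s+select\b",
        re.I,
    ),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return (client_ip, indicator, decoded_path, response_size) for every
    request matching an indicator.  The response size is kept because an
    injected query that dumps extra rows returns a far larger page than the
    same URL normally does, which is a useful second signal on its own."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = unquote_plus(rec["path"])
        for kind, pattern in INDICATORS.items():
            if pattern.search(decoded):
                findings.append((rec["ip"], kind, decoded, rec["size"]))
    return findings


if __name__ == "__main__":
    for ip, kind, path, size in scan_log(SAMPLE_LOG):
        print("%-14s %-5s size=%-6s %s" % (ip, kind, size, path))
```

Pattern matching like this will produce false positives on legitimate traffic (a search for the word "union select", a parameter that happens to end in two dashes), so it belongs in a review queue rather than a blocking rule; the point is that without something reading the decoded request, the second /products line is indistinguishable from the first to a firewall or an IDS.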

Network layer security really does lull some organisations into a false sense of security. A specific web application layer penetration test can be used to test for web application vulnerabilities; however these are still rarely carried out on a regular basis by small to medium sized organisations, and even by some large organisations, mainly because it costs too much to get one done, or the organisation just isn’t aware of the problem.

The Reality of Web App Hacks
A recent UK example highlights the problem: a few months ago the Manchester-based online clothing outlet Cotton Traders disclosed that its website users had been victims of a web application attack, namely a SQL injection attack in early 2008. They had firewalls, a “secure” encrypted website and a seal of approval, yet their customers had credit card details stolen through a web application attack. And just last week Netcraft found a cross-site scripting vulnerability on Yahoo.

Why are these Web Application Attacks possible?
It’s quite simple: the developers writing the web application code either do not know how to code a web application securely, for example using proper field validation, or they are skipping proper coding techniques in a bid to have the application ready and released under commercial time pressure. Either way these are needless flaws, and yet they are far too commonplace, with 8 out of 10 web applications on the Internet having a high or medium severity web application vulnerability going unchecked.

How to combat Web Application Security?
Some vendors will stake their own, or their client’s, reputation on installing a Web Application Firewall (WAF); however WAFs are still a relatively new technology. I have to say I am sceptical about any vendor who says such a product is the silver bullet which will plug all possible web application layer vulnerabilities. The other big problem with a WAF is throughput: every packet has to be inspected at the top layer of the protocol stack (layer 7), so the data has to be reassembled and analysed, which takes time and results in a performance hit. The answer to the performance hit is to have a larger WAF, or many WAF devices inline, which can really rack up the cost. I am not dismissing the use of a WAF, but for me it needs to be part of a “belt and braces” security approach, which means ensuring the code is developed and tested for web application vulnerabilities prior to release; for me that is the first and key battleground to win, ahead of installing a WAF.

How to Secure the Development of Web Applications
To do this, developers need to be properly and regularly trained to code web applications securely. In addition, other controls within the development process are needed to ensure corners are not cut, secure coding is not being skipped, and mistakes are caught. It is surprisingly easy to miss validation on that one field, and the more complex the application, the more likely security vulnerabilities are to slip in. The answer to this problem is to use a web application vulnerability scanning tool as part of the development process, and for testing within live environments.

One of the leading commercial web application vulnerability scanning suites is Hewlett-Packard Security Labs’ DevInspect, WebInspect and QAInspect, formerly under the umbrella of SPI Dynamics, which was acquired by HP in 2007. For further details about these tools and what they can do click here:
https://h10078.www1.hp.com/cda/hpms/


Billy Hoffman (HP Security Labs)
I managed to spend quality time with web application expert Billy Hoffman, Head of HP Security Labs. I use the phrase “quality time” because Billy Hoffman is just one of those guys with whom I could talk techie security all day long, and I count myself lucky to have spent several hours chatting about web application security with Billy, as well as listening to several fascinating “hacking” stories, which I can’t publicly repeat!


Billy is just one of those inquisitive, out-of-the-box thinkers, which makes you thankful he is one of the good guys, i.e. a white hat. However, Billy became well known as a bit of a grey hat hacker, known as Acidus. While he was studying at Georgia Tech he famously hacked the university swipe card system, finding a fault with the magnetic stripe data, and it’s fair to say his resulting exposure of the flaw wasn’t fully appreciated by the system owners. Billy went on to graduate from Georgia Tech and joined the Atlanta start-up SPI Dynamics, becoming their Lead Security Researcher. Billy and SPI Dynamics specialised in web application security and web app vulnerability scanning products. So Billy is a real web application subject matter expert and is a frequent speaker on the subject at many of the top security conferences around the world. In fact I think the term “Web Application Security Guru” is the more fitting description to use when describing Billy Hoffman.

In late 2007 Billy released his first book, and in my view a much needed one, on Ajax security, appropriately called “Ajax Security”. http://www.amazon.co.uk/Ajax-Security-Billy-Hoffman Today many web applications are being re-written in Ajax, which gives an application that “real desktop application” feel within the web browser. However, poorly written Ajax code is introducing a new frontier of web application security vulnerabilities which the bad guys are taking advantage of.

Prajakta Jagdale (HP Security Labs) on Flash Security
Also in attendance at the meet-up was HP Security Labs Security Researcher Prajakta Jagdale, who highlighted issues with Flash application security. In recent times malware has targeted poorly secured Flash web applications, and there have been several cases of successful exploitation of premium website Flash applications by malware and hackers. A common example of such exploitation is malware which automatically embeds advertisements within the application, known by the term “Malvertisement”. The bottom line is that secure Flash application development is really not too different from traditional secure web application development: developers need to code the application so it is fit for the purpose of being public facing. We all agreed writing a secure web application isn’t rocket science; most of it is just common sense, such as adding proper validation checks on entry fields by white-listing acceptable characters instead of trying to black-list bad ones. However, the “secure” development of Flash applications still tends to be overlooked by many organisations, perhaps because Flash applications are more difficult to scan than traditional web applications, perhaps because there are fewer people with the expertise to code review and test them, or perhaps because Flash applications aren’t on the radar of security testers and professionals. Whatever the reason, Prajakta’s research and findings on Flash application security are very interesting, and lead me to believe there are many Flash applications on the Internet today which are vulnerable to attack.
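The white-list point made above, and the "proper field validation" the earlier section says developers skip, is easiest to see side by side. The following is an added example, not from the article or from HP: a black-list validator that rejects known-bad characters next to per-field white-list validators that describe exactly what each field may contain, run over a set of constructed sample inputs. The field definitions, patterns and inputs are assumptions made for the demonstration.

```python
"""Added example (not from the original article): black-list versus
white-list input validation on a single form field.
"""
import re
import unicodedata

# The black-list approach the article warns against: reject "dangerous" characters.
BLACK_LISTED = set("<>'\";")

# White lists: one pattern per field, describing exactly what that field may
# contain.  A surname legitimately needs an apostrophe; a UK-style postcode
# does not, so the rule is per field rather than one global filter.
WHITE_LIST_PATTERNS = {
    "postcode": re.compile(r"[A-Z0-9 ]{5,8}"),
    "surname": re.compile(r"[A-Za-z][A-Za-z' -]{0,39}"),
}


def passes_black_list(value):
    """Accept unless a black-listed character is present."""
    return not any(ch in BLACK_LISTED for ch in value)


def passes_white_list(field, value):
    """Accept only if the *whole* value matches the field's allowed shape.
    The value is NFKC-normalised first so look-alike characters such as the
    full-width '＜' (U+FF1C) fold to their ASCII form before the check."""
    normalised = unicodedata.normalize("NFKC", value)
    return WHITE_LIST_PATTERNS[field].fullmatch(normalised) is not None


# Constructed sample submissions for the postcode field.
SAMPLE_POSTCODES = [
    "SW1A 1AA",                                        # ordinary, should pass
    "<script>alert(1)</script>",                       # obvious; both reject it
    "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e",   # full-width angle brackets
    "%3Cscript%3Ealert(1)%3C/script%3E",               # encoded; decoded later downstream
    "SW1A 1AA; DROP TABLE users",                      # not a plausible postcode
]


def compare_validators(field, values):
    """Return {value: (black_list_result, white_list_result)} for each input."""
    return {v: (passes_black_list(v), passes_white_list(field, v)) for v in values}


if __name__ == "__main__":
    for value, (bl, wl) in compare_validators("postcode", SAMPLE_POSTCODES).items():
        print("%-48r black-list=%-5s white-list=%s" % (value, bl, wl))
    print("%-48r black-list=%-5s white-list=%s" % (
        "O'Neil", passes_black_list("O'Neil"), passes_white_list("surname", "O'Neil")))
```

The black list lets the full-width and percent-encoded variants straight through because the literal characters it looks for are not there yet, and it rejects a perfectly good surname because of the apostrophe; the white list handles both cases because it asks the opposite question. Note that `[A-Za-z]` is an ASCII range, so a real surname field needs a wider allowed set (accented letters at least), and validation never removes the need for the parameterised queries and output encoding that protect the data once it is accepted.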

Summary
In summary, in the security industry today it is generally accepted that the web application security problem is increasing, with the bad guys going after this layer more. It’s not hard to learn how to attack at the web application layer either, anyone can do it, and interestingly it is not particularly difficult to fix. Speaking with application security experts like Billy Hoffman and Prajakta Jagdale really underlines the importance of web application security, and the role of the HP Security Labs Dev\Web\QAInspect web application vulnerability tools in tackling the problems. It is clear that the HP Security Labs suite of web app security tools is helping many responsible organisations develop and deliver public facing web applications much more securely, which in the end protects those organisations’ end consumers.

If you have any interest in testing your web application, check out the HP Security Labs website and download a 15 day free trial of their tools.
https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200_4000_100__

29 October 2008

RSA Europe 2008 Review

RSA Europe is said to be the most comprehensive information security forum held in Europe, with world leading expert speakers from the information security industry discussing and debating the hottest topics in security.
It was great to see this year's conference being themed on British cryptographer Alan Turing. Turing was part of a team of code breakers working at Bletchley Park during World War II, who in complete secrecy quite literally saved thousands of lives by breaking encrypted messages. Today Bletchley Park is a museum open to the public, completely privately funded and yet a vital part of the security industry's heritage. So it was really good to see Alan Turing being highlighted by the event, but I will save my thoughts on Bletchley Park for another post, although I do urge anyone interested in information security, cryptography or history who has the chance to visit Bletchley Park and/or donate to the cause.

For me the biggest highlight of the RSA Europe event this year was the Tuesday trio of keynote speakers. First up was Bruce Schneier, who spoke about The Future of Privacy.
I make no secret of the fact that I am a big Bruce Schneier fan; each time I have the privilege to attend one of his talks or discussions I am always left with at least one profound, thought provoking or even view changing moment which tends to stick with me, and the security guru's talk on privacy was no different. Bruce likened "data" to the industrial pollution of the information age, and rejected the “Security vs. Privacy” argument, citing the improvement in aircraft security since 9/11 as an example. He said we were simply safer on airplanes today because of two simple security improvements, namely locks on flight cockpit doors, and the fact passengers are now inclined to fight back. All the new privacy-eroding, so-called security measures we have all come to accept at airports since 9/11 are not really a factor in improving security and safety. Bruce went on to describe the future of privacy, saying we live at a time where we can all see the thousands of cameras and ID checks as we go about our lives, but over the coming 5 to 10 years the cameras will get smaller and become invisible, while ID checks will occur in the background without our direct knowledge, thanks to technologies such as face recognition. Personally I have been debating the “Is privacy dead” issue, as famously coined by Scott McNealy (Sun) in the late nineties, with fellow security professionals for some time, but Bruce’s view is that privacy can be and must be saved. Privacy protection requires much better laws, of the same kind which prevent us today from living in a police state. As we get to grips with the evolution of the information age, new laws should and must follow to protect everyone's privacy; we must think of it as a "Liberty versus Control" argument rather than "Privacy vs Security".
Bruce concluded by challenging everyone in the auditorium to not blur Privacy and Security, saying it is our responsibility as security professionals to safeguard privacy, and that generations from now, history will judge whether we were successful or not at this unique early juncture in the information age.

Bruce also announced his entry for a brand new hashing algorithm at the event, which I'll save talking about for another blog entry.

Next up on the podium was Ken Silva, the CTO of VeriSign, who painted a very interesting picture of the rapid expansion of the Internet, distributed denial of service attacks, and the ways VeriSign are tackling the rapidly increasing bandwidth demand resulting from growth in both of these areas.

Ken highlighted that not only will huge pools of brand new Internet users be coming online from areas such as Africa and India over the coming years, but there will be an explosion in direct Internet devices requiring high and fast bandwidth. For example Internet TVs are around the corner, which basically is a TV with an ethernet jack in the back as opposed to an aerial or satellite dish, and which will stream thousands of TV channels into the home from the Internet. Meanwhile “Voice over IP” phones are expected to completely "take over" from traditional phone networks.

Ken produced some mind blowing stats, stating there are around 1.5 billion Internet users at present, which is expected to grow to around 2 billion users by 2011. In contrast, on the security problem, there are around 300 million devices (PCs) attached to the Internet which have spyware/malware installed and operating. That's around 1 in 5 PCs, with around 150 million devices (and growing every day) which have "bot" malware operating. A bot is an application controlled by cyber-criminals which can be used to target unmanageable volumes of Internet traffic at specific websites; this attack is known as a Distributed Denial of Service (DDoS) attack and can shut down and crash web sites.

Finally Hugh Thompson, Chief Security Strategist at People Security, lit up the auditorium with his “Hackernomics” talk.

Hugh unearthed the changing economics of cybercriminal attacks and our security defence, underlining the general theme in the shift in attacks from the network to the application layer. Hugh is a world renowned figure in the world of application security, and I have to say I don’t think I have come across a more entertaining security speaker. I briefly spoke with Hugh offline, and I intend to feature more of him and "Hackernomics" in a separate blog entry.

This year at RSA Europe there was an overall focus on the rising threat trends within web applications and defending with good web application security. There were notable sessions by Fortify, who put together a professionally produced documentary film titled “The New Face of Cybercrime”, while the “Blinded by Flash” presentation by HP opened up the application security issues within Flash applications, which have traditionally been hard to test for application security vulnerabilities. Again, I intend to feature the latest threats within web applications in a separate post in the coming days, as this post is getting rather long.

In all, RSA Europe was as billed, the premier infosec event in Europe, and on a personal level I found the event great for "networking", meeting up and discussing security with new people, and some old faces from around the globe, with equal enthusiasm and passion about information security.

23 October 2008

Credit Crunch causing CyberCrime Shift

The "Credit Crunch" is not only fuelling more cyber crime and online fraud, but the latest malware, phishing and fraud trends show the credit crunch is having an effect within the sinister cyber criminal underworld. It seems the bad guys are having trouble opening new fake accounts, obtaining credit cards with stolen identities, and are even having trouble getting store credit using fake identities.

Why? Well, it is because the financial industry has been cracking down and fully vetting credit applications (about time). You really have to ask why it has taken the near collapse of the world's financial system to kick financial institutions into properly checking just who they are actually going to provide credit to; after all, that’s what caused all this credit crunch mess in the first place, right?

So this is good news on the identity theft front, but as always in cyber fraud the bad guys just move on to the next lowest hanging fruit, and so are increasingly going after active bank accounts and active credit cards. This in itself is kind of interesting given the consumer credit crunch factor, as I guess everyone will generally be a lot more careful with their money, and therefore will be checking through their bank and credit card statements more often. A lot of fraud simply goes undetected due to a particular technique employed by the bad guys, where they siphon small amounts of cash on a monthly basis directly from people's accounts. This goes unnoticed by the victims simply because the victim isn’t scrutinising their statements. According to "ID Theft Protect (Aug07)", 90% of people never check all their transactions on their bank or credit card statements, which underlines why these types of fraud are so successful and can really add up over a long time period.

I mean, there are even some legal companies which dupe people into adding a small monthly standing order on their accounts and credit cards, usually within the small print, or even by illegal means! I recently had a very popular UK motoring recovery organisation charge a renewal against my credit card without any prior notification, even though the account they charged for was my wife's! I actually had a completely separate account set up with them, and they linked the payment details from my account to the other.

So be extra vigilant with those statements, you never know what you might find and save!

01 October 2008

BackUpAnyTime's - Who's Who in Data

Last week BackUpAnyTime interviewed me as part of their "Who's Who in Data" feature. Being chosen for this interview was a real privilege and it was a pleasure to answer their questions. The interview Qs & As are now available.

"This has got to be one of the most enjoyable interviews we have conducted yet. To say that David Whitelegg is a data security expert is an understatement of significance and a clear example of stating the obvious. Davids’ answers range from short and witty to detailed and fascinating. Here is a man who can and will tell you how to best protect your data. Ask him about his family or car and he may consider you a bot seeking personally identifiable information. A riveting and educational read. Dave plans to write a book. Sold!"
http://www.backupanytime.com/blog/2008/09/23/interview-with-david-whitelegg-of-itsecurityexpertcouk/

19 September 2008

Eugene Kaspersky on the Latest Malware Trends

I was fortunate enough to catch up with the one and only Eugene Kaspersky this week. Eugene is one of the world's leading experts in the information security field, co-founder and CEO of Kaspersky Lab, the international information security software vendor and a technology leader in malware (malicious software such as trojans, viruses and keyloggers) protection.


It was a real privilege and honour to chat with the Moscow based Security Guru about the latest malware patterns, trends and threats being monitored by Kaspersky Lab. I do not use the term “Security Guru” lightly either, Eugene is a graduate of the Institute of Cryptography, Telecommunications and Computer Science and has conducted scientific research in these areas before entering the antivirus industry (before it was an industry) in 1991. This was after his interest in viruses was sparked when his own system was infected by the Cascade virus in 1989.

I remember my Commodore Amiga being infected by a boot sector virus around the same time; if only I had the same kind of vision back then. Actually, one of the new trends being observed by Kaspersky Lab is the return of the old boot sector virus. The reason behind this trend is that if the “bad guys” can load and execute the malware before the operating system, its security protection and the antivirus have loaded, it becomes much easier to deliver the malware payload and avoid detection, and even to prevent the security countermeasures from operating properly.

Kaspersky underlined a fact I myself have been preaching for a number of years now, in that the people behind these global malware attacks are becoming more professional and organised, and are financially motivated, as opposed to being out to cause system crashes for kudos. The traditional idea of a spotty faced teenager sitting in his bedroom bringing down TV networks for fun is a myth; these guys are in it for the easy money.

The evidence of this financial motivation can clearly be seen in the Kaspersky Lab statistics, which show 90% of Internet malware to be spyware trojans, designed to steal information, whether it be credit card details, login credentials or general personal details. No longer do cyber criminals have any interest in bringing down systems either, which is why only 5% of malware is of the traditional “trouble making” virus kind. These bad guys actually want their target systems to stay online for as long as possible, so they can be fully exploited. Such is the lucrative nature of these attacks and the high rewards of this dark economy that the cyber criminals are even aggressively competing against each other, with malware actually attacking and "killing" other malware to gain supremacy. How much malware is out there to be protected against? Well, today Kaspersky Lab is protecting against 1.25 million and rising, which shows the scale of the malware problem. I remember when my AV signature list had a couple of hundred types of viruses listed in it; you could scroll through the list and look at the names and what they did!

I asked Eugene one particular question which has been puzzling me about antivirus protection for some time: given that most malware is targeted against Microsoft operating systems and applications, which these days tend to offer better protection (arguably), how come malware trends are not shifting more towards the lower hanging fruit of non-Microsoft operating systems, especially given the recent popularity and rise of free (Linux) and Apple systems? Eugene pointed out there was an increasing trend in the number of malware specifically targeting Apple systems, while on the Linux front he said, with a big grin, that Linux users tended to be more skilled, security savvy and wise, and therefore less prone to being successfully breached by malware. In my own summary, the successful malware attacks occur against the "dumb users", who tend to be on a Microsoft system, or increasingly an Apple system. This makes perfect sense, as after all the biggest gap in security lies between the keyboard and the back of the chair.

Eugene went on to say there was a shift towards malware specifically aimed at mobile devices. These days there is a lot of valuable information held on mobile devices, while typically they tend not to have good protection against malware, which can be delivered to the device through the Internet connectivity. On top of this mobile devices are being increasingly used for making payment transactions, with payment card information being highly targeted by cyber fraudsters.

Kaspersky also highlighted another very interesting global malware trend, which is being driven by the deployment of cheap hardware and fast Internet access to the developing parts of the world, the $100 laptop for example. New malware threats are increasingly originating from places like Latin America and Africa. However, over 50% of malware is still coming out of China, and the overall problem is still rising. Kaspersky went on to describe a “division of labour” in the malware black market, with cyber criminal groups specialising in different areas and collaborating. Typically groups are dividing up and specialising in areas such as writing the malware code, malware deployment, malware management (the bot-herders) and data hijacking/data mining, which really underlines how organised this black market is now becoming. Kaspersky Lab has also observed general differences in the types of malware targets around the globe, with South East Asia specialising in online gaming fraud, Latin America developing banking Trojans, while Russia appears to be the place where a lot of malicious code is written and sold on.

Fascinating stuff and it goes to emphasize the importance of running antivirus or a complete security suite on your computer systems, and ensuring such systems are automatically kept up-to-date. So there you have it, Eugene Kaspersky, Security Guru and a great down to earth guy, I thoroughly recommend going to hear him speak if you get the opportunity.

You can obtain a free trial of the award winning Kaspersky Internet Security 2009 at http://www.kaspersky.com/homeuser

07 September 2008

Credit Crunch to drive UK Cyber Crime

As the effects of the “global credit crunch” start to take hold in the UK, it is evident to me that UK focused “cyber crime” will sharply increase as a result. Over the past ten years the UK economy has been in a honeymoon period and doing relatively well, with GDP growth outpacing the rest of the EU. The good and steady economic environment has resulted in low unemployment figures for much of the last decade. You really have to go back to the late 1990s to find the last major lull in the UK economy.

In comparison, mass market cyber crime for financial gain hardly existed ten years ago, and certainly was not on the radar during the last major recession in the 1990s. Over the last decade Internet access and usage for the average UK person has radically changed, thanks to the explosion of broadband, which in turn has created cyber crime opportunities around every corner.

Within the security industry it is commonly known that hackers have been increasingly focusing their efforts on attacks which yield financial rewards, as opposed to the traditional attacks for the challenge, fun or kudos. For example the number of original viruses being created for the sake of causing disruption, which often has no financial benefit for the perpetrator, has been dropping, while attacks for financial gain, such as web application attacks, phishing emails and key logger installations, have been rising rapidly in the last few years. On the back of this, the amount of personal information being placed and made available on the Internet is increasing, providing a rich gold mine for cyber fraudsters and identity thieves.

There are many analysts and reports stating that economic slowdown and rising unemployment result in increases in crime, and in particular fraud: http://uk.news.yahoo.com/afp/20080901/tpl-britain-politics-economy-crime-5b839a9.html Fraud fits cyber crime like a glove. Putting these economy and crime trends together with the trends in security and financially motivated cyber crime (fraud) since the last major economic slowdown in the UK, I can only conclude one obvious outcome, namely that the credit crunch will drive a serious increase in cyber crime in the UK. It will be very interesting to see if the future official figures on UK online card fraud reflect this trend. Just about every person I have spoken to about cyber crime fraud in recent months has themselves, or knows a family member, friend or work colleague who has, been "done" with credit card fraud as a result of something which occurred online during the last 12 months.

So I urge everyone in the UK to buckle up their anti-malware software, check their paper shredders, be eagle-eyed when reviewing credit card/bank statements, and keep extra vigilant when online as we sail through the choppy waters of the credit crunch.

09 July 2008

Security is a Process, not a Product

Back in the year 2000, I remember reading an article by Bruce Schneier (a security hero of mine) in which he said "Security is a Process, not a Product". Bruce talked about whether this would ever be understood. It really struck a chord with me at the time and I've been quoting Bruce on that ever since in my own presentations. Well, 8 years have gone by since I first read it, and Information Security has certainly come to the fore in that time, but Bruce's statement rings truer than ever.

http://www.schneier.com/crypto-gram-0005.html

I don't want to come across as knocking the security industry, because it does provide many great security products and services, but in the industry’s push to sell products and solutions, I think it is helping to drive the concept that the answer to all information security problems is to simply buy a product off the shelf.

I've lost count of the number of times I've been at security events and conferences where the “punters” are repeatedly told, “buy our product and your security problem will go away overnight, but if you don’t buy, something nasty will definitely happen”.

I have to say, part of the problem is down to the punters going out impulse buying “off the peg” security products, who tend not to understand what information security is about in the first place. Often they are looking to the security industry, and those pesky sales guys, for security advice. In fact a common sales tactic is to host a “free security advice/awareness” session to draw in the punters. I show up to some of these events to gauge where the market is and how threats are perceived to be moving, but it really makes me cringe at times, especially as the message is increasingly “buy this and you will be secure!”

And it gets worse, as some companies are clearly jumping on the security bandwagon to make a quick buck. At InfoSec Europe this year, I heard one (so-called) security organisation openly presenting about the PCI Data Security Standard to a bunch of folk who, gauging from their questions, really didn’t know anything about the standard other than that it affected their business. This company were out-and-out misleading those listening, and it was clear to me the presenter didn’t even know the proper facts about PCI DSS. In fact I was so outraged by what I overheard that I stopped, blended in with the punters, and at the right moment asked a question about requirement 6.6 to deliberately trip them up: “so which is best on requirement 6.6, in your expert opinion, a code review or an application firewall? And why?” They didn’t have a clue; anyone knowing and working with PCI DSS would instantly know and understand the issue around Req. 6.6 in mid 2008.

I think the answer is for the “punters”, namely the organisations which, let's face it, in many cases are only just waking up to the issue of information security, to train and invest in a security department and personnel, so they are correctly advised on the proper solution processes from the ground up, as well as understanding when and where they should buy products off the shelf to help reduce security risk along the way.

01 July 2008

The NHS just doesn't "do" Information Security

I said this before, and I'll probably say it again a few more times, "The NHS just doesn't "do" Information Security".

The latest in a catalogue of NHS breaches involved a senior manager who had his laptop stolen; the laptop held over 21,000 records of Essex patients.

The same old problem with a laptop breach...

1. No hard disk encryption - password protection is almost no protection; it's very easy to bypass Windows passwords, and pretty much anyone who can type into Google can manage to achieve it.
2. Poor information management. We have a vast amount of sensitive data which has been allowed to be "copied" from a central IT system to a laptop.
Should the manager have access to that much information? Should he be allowed to export that much information from the host system? Probably not. Who else can access and take a copy of this data? What's to stop someone putting it onto a £6 flash drive?

I have friends who work in the NHS, and they tell me the NHS has no culture or awareness towards protecting the vast amount of personal and, let's face it, highly sensitive information which the NHS holds and processes. I'm not saying keeping people alive is less important than investing in information security, but that's the problem: a lack of investment (money), and that's why there will continue to be serious data breaches involving the NHS. But consider this, soon the NHS will be storing our DNA profiles on their systems as well...

I'll finish on a positive note with this data breach, as I'm being far too negative lately: good for the NHS for disclosing and letting the people who are affected know in a decent time frame. Well, they've had plenty of practice - right?