08 August 2012

94.5% of Business Overlook Third Party Data Security

Egress, specialists in data security with their very own email and data encryption software, surveyed businesses about data security and have provided the following snapshot of their survey results to share on this blog.
You need to Love yourself before you can Love Others
This survey echoes the same old information security issues: businesses do not fully grasp and value the confidential information which they process and store. This leads to a lack of expertise, capability and will to protect such data adequately within the business. It is not surprising, then, to learn that such businesses blindly trust the third parties with which they share their most important data to protect that data sufficiently. They say you need to love yourself before you can love others; the same applies to information security and to assuring that third parties protect business data properly.

06 August 2012

Mars Curiosity Communication Security

Curiosity successfully landed on Mars today, an amazing feat of engineering; many congratulations to all the engineers and scientists involved at NASA for what could prove to be one of the most groundbreaking space missions in human history.

Curiosity is the latest, biggest and most sophisticated NASA rover to make it to the red planet, and like its predecessors it is controlled from the Jet Propulsion Laboratory (JPL) in California. NASA JPL sends instructions to and receives communications from the Curiosity rover either directly over X band (radio waves), or by relaying communication through one of the two spacecraft in orbit around Mars, the Mars Reconnaissance Orbiter and the Odyssey Orbiter, using UHF Electra-Lite. NASA JPL uses the Deep Space Network (DSN), a series of large antenna dishes across the Earth, to send and receive these communications directly with Curiosity and with the two spacecraft in Martian orbit.

The availability of the communication channels to the Curiosity rover is critical to the £1.6billion mission, hence the resilience built into the communication channels.
Curiosity on Mars; its wheels & shadow, & Sharp Mountain
Data Rates
The data rate directly from Earth to Curiosity ranges between 500bps and 32kbps; remember the very early days of connecting to the Internet with a telephone modem? The data rate relayed via the Mars Reconnaissance Orbiter can be as high as 2Mbps, basic broadband speed. The data rate to the Odyssey orbiter is between 128kbps and 259kbps; think ISDN for this one. However there will be considerable and changing latency (lag) given the distance between Earth and Mars, which are both in motion.

Encrypted Comms? Not likely
Well, I don't know whether the communications to the Curiosity rover are encrypted or not, and I'm trying to find out. But I very much doubt the communications would be encrypted, given that 'availability' to communicate with the rover is much more critical than any risk from potential threats to the communications' confidentiality. Encrypting communications presents an increased risk to the rover's communications availability: should something go wrong with the rover comms, the encryption could be a mission killer. On the threat side against confidentiality, firstly nothing secret is being sent (so they tell us); it's not as though hackers seeking to take control would have access to arrays of the largest communications antennas on Earth, nor is it likely that other nation states with the capability would have any motive to disrupt the mission. So NASA would have got their risk assessment right if encryption wasn't used, in my view.

If any science boffins would like to shed more light on Curiosity communications and their security, please post a comment; I would be interested to learn more.

05 August 2012

Implicit Trust of The Cloud & Third Parties

I find 'implicit trust' fascinating to observe, equally within business information security and within society. 'Implicit trust' can be defined as having no doubts or reservations, being unquestioning. For example, most people implicitly trust their doctor, just because the doctor wears a white coat, exudes authority and has 'Dr' in front of their name. No one ever asks the doctor to validate their medical credentials. Perhaps we should.
Implicit trust can be lost and gained. A decade ago most people would implicitly trust bankers; having someone from the banking profession witness legal documents and sign passport applications was seen as highly credible within society. Not so these days, and we all know why.

The police are another profession with very interesting polarisations to observe: implicitly trusted by some and implicitly distrusted by others.
Then there is the paradox of politicians: nearly everyone distrusts politicians while at the same time trusting them to run the country.
In the world of information security, a business which implicitly trusts third parties with its information shows a hallmark of either complacency or a lack of the ability or expertise to properly vet and question. Trust must not be given implicitly but must be earned, based on prior vetting and on building a trusted relationship through experience. Just because your cloud service provider wears the doctor's white coat of Amazon, Google or Microsoft does not mean they should be implicitly trusted with your business's information and critical IT services.

04 August 2012

UK InfoSec Overview for July 2012

Microsoft patched two critical remote code execution vulnerabilities in Internet Explorer http://technet.microsoft.com/en-us/security/bulletin/ms12-044

Yahoo investigating exposure of 400,000 passwords
  • Hacking Group D33DS are said to be behind the attack.
  • Hacking groups continue to target big business websites; this attack demonstrates that even hi-tech companies with a high focus on IT security can be vulnerable to major data thefts.
Patient Data incorrectly placed on Facebook by Northern Ireland’s Health Trusts.
  • Serious lapses in data protection and confidentiality procedures saw highly sensitive information lost, disclosed to the wrong people and even published on the internet.
  • In one alarming case a client’s referral details were revealed on Facebook after a staff member dialled the wrong number and left a message on an answering machine. It was among almost 100 serious data breaches reported by the region’s five health trusts in recent years
Anti-Phishing Working Group (APWG) reports for the first quarter of 2012:

  • 56,859 unique phishing sites were detected in February, while between 25,000 and 30,000 unique phishing email campaigns are detected each month.
  • There have been a number of major data compromises due to phishing attacks, most notably the RSA data breach of last year.
Hacking Group Anonymous steals 40GB user data from ISP in Australia and brings down 10 Australian government websites
  • Despite a number of arrests, Anonymous remains very active
Two researchers demonstrated how they were able to push a malicious information-stealing app onto Google Play, even while Google's Bouncer custom malware scanner was watching

Tesco has come under fire for emailing users passwords in plain text
  • Tesco received considerable negative publicity for not protecting their users' passwords adequately and in line with best practices. Passwords must never be Emailed in plain text!

03 August 2012

UK Data Protection Overview for July 2012

ICO imposed a civil monetary penalty (CMP) of £150,000 on the consumer lender, Welcome Financial Services Limited (WFSL), after the loss of more than half a million customers’ details.
  • WFSL’s Shopacheck business lost two backup tapes.
  • The backup tapes contained the names, addresses, dates of birth, loan accounts and telephone numbers of approximately 510,000 of their customers in November 2011. The backup tapes also held personal information of 20,000 current and former employees of WFSL, and 8,000 agents. The backup tapes have not been recovered to date.
  • The lost backup tapes were not encrypted
  • The ICO deemed WFSL to have broken the 7th principle of the Data Protection Act.
  • Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data
  • The ICO stated the Data Controller did not follow its own Information Security Policies.
  • Significant impact on reputation of the data controller (WFSL) as a result of this security breach which was publicised in national press.
The ICO issued a penalty of £60,000 to St George’s Healthcare NHS Trust in London after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • Two letters were sent to the correct recipient's old address in May 2011; the address was out of date, being a property where the recipient hadn’t lived for over 5 years.
  • The ICO’s investigation found that the individual’s current address had been provided to the trust’s staff before the medical examination took place. Additionally, the correct address had been logged on the national care records service, known as NHS SPINE, in June 2006. The mistake was made after the Trust’s staff failed to use the address supplied before the examination, or to check that the individual’s recorded address on their local patient database matched the data on the SPINE. The Trust had set up a prompt to remind staff about the need to check and update patient information against SPINE; however the Trust knew the prompt could be bypassed and failed to take action to address the problem until it was too late.
  • The ICO deemed the NHS Trust to have broken the 7th principle of the Data Protection Act.
  • Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data. There can be significant reputational impact for a data controller as a result of these security breaches.
The ICO ordered Southampton City Council to stop the mandatory recording of passengers’ and drivers’ conversations in the city’s taxis.
  • Since August 2009, the council has required all taxis and private hire vehicles to install CCTV equipment to constantly record images and the conversations of both drivers and passengers
  • The ICO has ruled the council’s policy breaches the Data Protection Act, concluding that the recording of all conversations is disproportionate given the very low number of incidents occurring compared to the number of trouble free taxi journeys. An enforcement notice has been issued to the council who now have until 1 November to comply
The ICO publicly warned Google following Google's disclosure that it had not deleted personal data gathered during its “Google Street View” surveys.
“The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern”

02 August 2012

Burgas Airport Bombing, CCTV does not React

I passed through Burgas airport a couple of days before a suicide bomber killed 5 Israelis & 2 Bulgarians on 18th July 2012, and I then passed through the airport again a couple of weeks later. Burgas Airport is the smallest of passenger airports and is located on the Bulgarian Black Sea coast, and is used mainly in the summer by holiday makers, myself included.

At the entrance to the terminal and within the airport, a Security Notice sign caught my eye and bothered me as I waited to check in.


It said "This Area is Protected by Video Surveillance". Now CCTV can act as a deterrent and is particularly useful for recording events and working out the causes of incidents. But even with a team of operators vigilantly watching the CCTV screens in real time, I just don't see how this CCTV would "protect the area" I was entering, as within this crowded space everyone had large bags and many had hats and sunglasses concealing their identity as well. To reassure myself I concluded the words on the sign had got lost in translation, as it is EU law to inform the public of the presence of CCTV cameras.

This is the reason the words on the sign were bothering me: below is a picture of the Burgas bombing suspect caught on the very same CCTV system, entering the very same area just a few days earlier. Clearly the CCTV didn't protect the area, nor did it act as a deterrent.

01 August 2012

Burgas Airport Bombing Data Breach Parallel

I passed through Burgas airport a couple of days before a suicide bomber killed 5 Israelis & 2 Bulgarians on 18th July 2012, and I then passed through the airport again a couple of weeks later; in between, some friends of mine went through the airport just a few days after the incident. Burgas Airport is the smallest of passenger airports and is located on the Bulgarian Black Sea coast, and is used mainly in the summer by holiday makers, myself included.

Burgas Airport Bombing

A Side Point
Interestingly, on the way out from Manchester airport to Burgas, the Thomas Cook check-in crew were only focused on making money from excess baggage amounts and things like extra leg room seats; it was the first time I've not been asked at a check-in desk whether I packed my bags myself and whether my bags had been out of my sight. A sign of the tough financial times, as Thomas Cook had just posted a £26.5 Million quarter loss, or security complacency, I thought.

Airport Security Theatre
It would be extremely irresponsible to point out airport security flaws, but needless to say the amount of additional 'Security Theatre' at Burgas airport post-bombing was, as expected, considerable, but only for about 10 days. I didn't coin the phrase 'Security Theatre', but it's a very apt phrase for what several friends were subjected to at the airport, because the additional security hoops passengers were put through did nothing to lessen the threats to the aircraft. Further, these measures didn't do anything to make passengers feel safer; if anything they raised anxiety considerably. However, a few days later the additional security measures were all dropped and the airport returned to as it was prior to the bombing.

Data Breach Parallel
My main point here is that this is very much the same as when a business suffers a major data breach and receives public and media criticism. Often a knee-jerk response of security theatre is introduced which does nothing to combat the actual causes of the data breach, but makes good sound bites in media interviews. Then once the media focus dissipates, the business returns to as it was prior to the breach, including keeping the security complacency and not correcting the existing flaws which led to the breach in the first place.

27 July 2012

Olympic Games Breach Disclosure Window Opens

The London 2012 Olympic Games have finally arrived, and will dominate media headlines around the world for the next couple of weeks. This is a great time for sports fans, but also a great time for firms to disclose data breaches. Yes, I know I'm being really cynical, but let's see what breach notifications occur during this festival of sport.
As I write this post Google have just announced they are in breach of a UK privacy agreement - http://www.bbc.co.uk/news/technology-19014206, admitting to not having deleted personal data gathered as part of their Street View surveys. This personal data should have been wiped over 18 months ago! But back to my main point with this post today: as with this awkward privacy announcement, the media coverage of it will be swiftly buried within the media's frenzy of Olympic headlines, hence why companies' PR teams choose specific dates to publicly announce their data breaches.

07 July 2012

How to Protect Your Gmail Account from Hackers

Hackers target online Email accounts for a reason: they know that if they can 'own' a webmail account, they can access it from anywhere and at any time, to use it as a tool and to harvest information of value. Fraudsters will often rifle through compromised Email accounts looking for information which will grant them access to more lucrative web accounts. A quick search of pretty much any Email inbox reveals information about various online accounts used by the user, many of which offer potential fraudulent revenue to a hacker. Typically Emails containing information about e-commerce websites and online banking accounts will light up a hacker's eyes. In this post I'm going to explain typical techniques employed by online fraudsters, to highlight the vital importance of protecting your main Email account.

No Account Username, No Problem
As a security feature some website accounts don't use an Email address as a username, but invite account holders to create one instead. However, if the hacker has access to the Email account, more often than not there will be Emails containing the website account username. Furthermore, with most websites a username can be requested over Email, which goes straight into the compromised Email account.

Password Finding
With an active, lucrative website account identified together with a username, which may well be the Email address of the victim, obtaining the password which goes with it is child's play when the hacker is in control of the victim's Email account. Some websites will Email existing account passwords in plain text to the user, so the password can be found within the account's Emails, or it can be just a question of requesting the password to be re-sent from the website. It can be even easier for the hacker if the victim has used the same password for all their different accounts, as knowing their email address and online username together with a commonly used password is enough to steal their entire online life.

Password Resetting
Websites which don't Email passwords are still easy to beat if you control the victim's Email account. Nearly all websites provide a facility to reset a password; most ask basic personal knowledge questions and then send a confirmation link by Email to the compromised Email account, which then allows a new password to be created by the hacker. Those security questions aren't much of a problem, as the answers can be found within the reams of Emails and by accessing the victim's social networking accounts. Personal details can also be obtained from other weakly protected online accounts. Upon accessing an account the hacker just reviews the account profile for the necessary personal information; sometimes website account profiles have the hacker bonus of listing security questions with the victim's answers, and the same typical security questions are asked for and used on most websites time and again.

Your Online Email Account is essential to Protect, as it holds the keys to your online identity
Gmail's Added Security Protection
If you are a Gmail (GoogleMail) user, good news, there is something you can do to increase the security of your Gmail account. It is not common knowledge but Google offers a free two factor authentication service called 2-step verification for all Gmail users. 2-Step verification significantly improves the security and massively increases the protection of your Gmail account from being accessed by hackers.

How to Set up Gmail 2-Step Verification with your Gmail Account
Visit https://support.google.com/accounts/bin/answer.py?answer=185839&topic=1056283

How Does 2-Step Work? Why is it more Secure?
2-Step security works by requiring that you have your mobile phone (registered with Google) in your possession each time you type in a password. When Gmail webmail is accessed for the first time on a PC, and every 30 days thereafter, Google 2-step forces password entry and also requests a unique one-time verification code; at this point you will instantly receive a text message on your registered mobile phone with a one-time code to type in.



This means you cannot log into your Gmail account without having possession of your mobile phone, hence two-factor authentication. So even if a hacker obtains your Gmail account password, the hacker cannot log into your Gmail account unless he or she has your phone as well, or is attempting access from your local PC, where the verification code is only required every 30 days. These are not typical scenarios for the online criminal; they access webmail accounts on their own devices.

Great for Webmail, but what about Gmail through Outlook, or on my iPad and iPhone?
Devices such as PCs (Outlook), iPads and smartphones which need to continuously access Gmail could be a problem with this system, but fear not, Google have thought of that. The 2-step system is able to create a unique and strong dedicated password for each device you have. Once each device's password has been entered initially, the system doesn't request mobile phone authentication every 30 days as the webmail access does. However, you can fully manage these devices and their passwords online, changing them as often as you would like, and you can even revoke the passwords instantly should your device be stolen. The main security advantage is that even if these unique device passwords become compromised, they can't be used to access your online Gmail account, they can't be used to change your Google settings, nor can they be used to change any passwords.
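To make the mechanics of the last two sections concrete, here is an added Python model of the 2-step flow described above; it is my own illustration, not Google's code. It shows a one-time code being demanded on a new PC and again once the 30-day window has elapsed, a code that works only once, and per-device passwords that reach mail only and can be revoked. The names Account, webmail_login, device_login and MAIL_SCOPE are assumptions for the model, and a simple day counter stands in for real timestamps.

```python
import hashlib
import hmac
import os
import secrets

TRUST_DAYS = 30             # webmail re-prompts for a code every 30 days (per the post)
MAIL_SCOPE = "mail_client"  # the only thing a device password is good for (assumed label)


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str, phone: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_pw(password, self.salt)
        self.phone = phone            # registered mobile that receives the SMS code
        self.pending_code = None      # one-time code awaiting entry, single use
        self.trusted_devices = {}     # device_id -> day on which the 30-day trust expires
        self.app_passwords = {}       # label -> sha256 of a per-device password

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_pw(password, self.salt), self.pw_hash)

    def send_sms_code(self) -> str:
        # Simulated SMS: a real system sends this to self.phone, never back to the browser.
        self.pending_code = f"{secrets.randbelow(10**6):06d}"
        return self.pending_code

    def webmail_login(self, password: str, device_id: str, today: int, code=None) -> bool:
        """today is a day counter; the 30-day trust window is measured in days."""
        if not self.check_password(password):
            return False
        expiry = self.trusted_devices.get(device_id)
        if expiry is not None and today < expiry:
            return True           # same PC inside the window: password alone suffices
        if code is None or self.pending_code is None:
            return False          # new device or window elapsed: the phone code is needed
        ok = hmac.compare_digest(code, self.pending_code)
        self.pending_code = None  # consumed whether or not it matched, so it cannot be replayed
        if ok:
            self.trusted_devices[device_id] = today + TRUST_DAYS
        return ok

    def create_app_password(self, label: str) -> str:
        pw = secrets.token_hex(8)  # strong, random and unique per device
        self.app_passwords[label] = hashlib.sha256(pw.encode()).hexdigest()
        return pw

    def revoke_app_password(self, label: str) -> None:
        self.app_passwords.pop(label, None)   # e.g. the iPad was stolen

    def device_login(self, app_password: str, scope: str) -> bool:
        # Device passwords reach mail only: never webmail, settings or password changes.
        if scope != MAIL_SCOPE:
            return False
        digest = hashlib.sha256(app_password.encode()).hexdigest()
        return any(hmac.compare_digest(digest, h) for h in self.app_passwords.values())
```

The constructed account below walks through the stolen-password case, the trusted-PC case after 30 days, and a stolen device password being revoked.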

So if you are a Gmail user and care about your online Email account security, consider their 2-step verification.