Misc Archives

October 30, 2006

Security & Risk Blog

Welcome to my Computer Weekly security blog! This is the first post of many and it’s polite to begin with an answer to the who, what, and why questions.

I’m Stuart King and I work for the Reed Elsevier Group in a role that encompasses the online product and risk side of information security. Summing up my role in a few words is no easy feat. In fact, just coming up with a job title that correctly identifies my role to the rest of the world has been the subject of many hours of heated discussion. The problem is that if you tell someone you work in information security they are likely to make an assumption that you are either a) a hacker or b) the techie who configures the firewall. I’m neither of those although I do have a good knowledge of the tricks of the trade of both. My focus is very much on looking at the risks associated with putting increasingly complex products onto the Internet, then deciding how best to address those risks within an organisation that produces literally hundreds of web products as the output of development groups across five continents.


December 23, 2006

Saturday Soapbox

It's nearly Christmas so I'm going to get my soapbox out again and comment on the news that information for the national ID system "will be held on three existing, separate databases", as reported by the BBC in an article that you can read here.

Hands up all of you who are not slightly worried, a little bit cynical, or very concerned about this. I know that David Lacey is: he commented on this story yesterday.

As all of us who have ever worked on developing systems of any sort know, trying to shoe-horn new solutions into an existing product and infrastructure is nearly always an exercise in futility. It won't work, and the consultant who has suggested this as a low-risk solution should go and actually sit in a development environment for a few days.

The original database and systems were developed for a specific purpose. Modifying them for the national ID card system will be a security nightmare because that is not what the systems were made for. And if a politician tells me that this is not the case then I won't believe him anyway because, let's face it, the government does not exactly have a good record when it comes to the development and execution of software systems.

Here are a couple of examples just to push home my point:

http://www.computerworld.com/governmenttopics/government/itgovernment/story/0,10801,97853,00.html

http://www.ft.com/cms/s/d8aca40c-ef49-11da-b435-0000779e2340.html

http://news.independent.co.uk/uk/politics/article271415.ece

For a system such as an ID database, security must be an integral part of the design from the outset. Jury-rigging it so that it uses existing resources means that security services are bolted on, and here is my message to the product managers and government in my loudest and most arrogant voice: the security will break!

As to the actual question of whether or not we should have and support a national ID scheme, well, I'm agnostic on the matter. But if we must have this new intrusion on our privacy dictated onto us (ok, maybe not quite so agnostic) then the least the government should do is spend a few quid over and above the cheapest tender on making sure that it is done properly!

Soapbox now safely away. Have a good Christmas.

January 6, 2007

Show me the evidence

I came across this gem of advertising here: http://www.cioview.com/products/ISECOM_landing.html

"According to the University of Texas School of Management, security incidents could cost your organization $2.9 million simply in the five minutes it takes to read this page and download SecurityNOW! "

This is very similar in style to another message that I received by email which stated: "A recent University of Michigan study found that 70 percent of corporate theft incidents can be traced to an insider"

Please can someone find me the reference points here, because I've tried locating both with little success. I don't mind vendors quoting statistics but I'm a tenacious bugger and I do like to see the sources.

Anyway, if it could cost my organisation " $2.9 million simply in the five minutes" then whilst writing this blog entry we've probably already gone out of business...so I'm off to put the kettle on.


January 8, 2007

Another unstructured blog

According to this blog, http://blog.casescontact.org/ , the following is true of a typical information security blog:

..the archetypal information security blog favors:

a) instant response over reflection,

b) commentary over research (e.g., analyzing secondary data or believing test results without checking first),

c) stream-of-consciousness over structure, and

d) group-think behavior instead of careful analysis before making a decision

I probably, and occasionally, fall into all the above categories but I'm not sure that this is such a bad thing. From my perspective, a blog is more than a professional, dry commentary on life. It's an opportunity to express opinions, often unstructured, and enable others to comment in a similarly unstructured manner. Too many rules and too much rigidity would make it more of an academic exercise and we'd all quickly lose interest. So, lighten up CyTrap! And by the way, your info on Word metadata is very interesting - I wonder how many people are aware of how much information they might be giving away when they send out Word documents, and also that such metadata can be discoverable in the event of legal action. More food for thought...

January 15, 2007

Going to America

Operational risk management today takes me to Dayton, Ohio. I'm there to give a presentation on eProduct risk management as well as to make personal acquaintance with a number of people I usually only correspond with via email.

The last couple of days have been mostly taken up with sorting out the implementation of our new online risk assessment software. The new version is up and running but as with any new custom-built solution there is going to be a "bedding-in" period. Anyway, I take my hat off to the developer at Aldex Software who has been dealing with the bulk of my many requests for change, and for the great solution that they have delivered to us.

Sitting in my in-box this morning is an interesting email thread regarding one of our data vendors who accidentally sent an email to one of my colleagues. My colleague picked up on the carelessness of this and has suggested we take a closer look at their security processes. We have a very in-depth and diligent process in place for assessing our vendors - I'll discuss it here sometime.

Accidental emails can sometimes cost vendors business. One well remembered incident here involved a vendor commenting by email to one of his colleagues on the lack of hair follicles of a senior manager within my organisation. Unfortunately he hit the send button a bit too hastily, before he'd realized said hairless person's address was auto-filled in. Needless to say, the vendor wasn't considered further. It's a lesson I think we have all learnt the hard way in the past. I mitigate this particular risk by putting all my email into the outbox first and then having to manually send it. Some might say I mitigate the risk by never replying to email, but I couldn't possibly comment on that....

March 15, 2007

Kids and the Internet

I've been reading an interesting article, linked from Bruce Schneier's blog, about Internet usage entitled "Kids, the Internet, and the End of Privacy: The Greatest Generation Gap Since Rock and Roll" by Emily Nussbaum. If you have kids and they have MySpace or similar accounts then you'll find this enlightening.

March 22, 2007

How to get work in Information Security

I was browsing through job listings looking for examples of advertised jobs within information security. A number of adverts had me scratching my head. Read this one then ask yourself: What is the agency really looking for?

Are you a Security Specialist? Are you CISSP qualified or have commercial experience to that level? [agency] client requires a Security Specialist (CISSP) with excellent understanding and practical use of security principles (CIA, AAA etc). As the Security Specialist you will be the lead in the design and implementation of 3rd party clients' security solutions - you will be required to have extensive experience of Solaris, AIX, Cisco devices, Networks and Microsoft Windows. As the Security Specialist you will be responsible for creating and maintaining a 2-year security technology roadmap and define projects to deliver the roadmap - therefore you must possess a strong understanding of the software development life cycle and development languages including C++, Java and .NET. Apply now for immediate consideration!!!

Taking the advert listing literally, the agency is looking for a CISSP certified person who is preferably also a certified information auditor. Someone who can design AND implement solutions. Create AND maintain a security strategy AND define the projects to fit the roadmap! Crikey - sounds to me like they are looking for a very strong tail to wag the dog. It goes on: someone who can also provide hands-on technical support AND hands-on development. If such a person exists, please contact me but don't attach your 40 page CV, just turn up so that the rest of us can go home and have a nice cup of tea. Doubtless, said person can also fly a helicopter whilst writing custom NASLs with his teeth.


March 26, 2007

Moving on...

A change of employment and a relocation to warmer climes means that entries on this blog may become sporadic over the next few weeks.

Change can be positive and I'm a strong believer in the importance of not stagnating within a role. New challenges bring new experience and I'm looking forward to making a difference for a new employer.

Thanks to everyone I've worked with over the past few years for making my work such a positive experience.

Blogging business as usual shall be resumed shortly - let me know if you have any specific topics you'd like me to cover.

March 31, 2007

A Saturday Comment

I've noticed that no-one reads this blog on a Saturday which begs the question of why I'm writing anything. However, given the technology I could have actually written this last Tuesday and scheduled it to be published on Saturday. In fact, right now I'm sipping coffee in Starbucks reading this blog so that the stats will show at least one person read it today....

I have subscribed to a new, free service from an online organisation called Garlik. In fact I note that David Lacey also mentioned this service some months ago on his blog. As well as providing a view of your credit file it also looks for associations that you have based on your name, location, and Internet presence. Take a look for yourself because, like me, you might get one or two little surprises.

Enough comment already about the whole TJ Maxx credit card affair. We can all snort our indignation at how such a thing could happen over such an extended period of time, but the focus of effort must now be to learn the lessons and for everyone who manages valuable data to make sure the same thing isn't happening or about to happen to you. It would be a benefit for everyone in the industry to learn exactly how this incident happened and remained undetected for so long. Fair enough? I notice that one, obviously morally and intellectually superior, commenter on this story stated "I trust the security manager has been sacked." (http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article1536335.ece). Hmmm, maybe, maybe not. If we sacked all the good people every time something went wrong within their area of responsibility then we'd never have the chance to benefit from their experience.

September 13, 2007

Hacker proof encryption

I shared this story about the "world's first hacker proof encryption technology" with a colleague.

Quick as a flash he emailed me back: "I wonder if it is criminal and idiot proof also ;)"

Touché!

September 22, 2007

Salesforce.com - Is that the way we all go?

Salesforce.com ushers in a new era of on-demand success with the industry’s first platform as a service (PaaS). With the Force.com platform, you can build any application, any database, any logic, and run it all on demand on our trusted, secure infrastructure. Now salesforce.com allows customers to create and run any application and even any user interface imaginable—all entirely on Force.com.
(Announcement made this week on Salesforce.com)

If you do not already know, Salesforce.com is the worldwide leader in on-demand customer relationship management (CRM) services. I'm not going to go into detail here; instead I recommend that you spend some time browsing their website.

PaaS and SaaS (Software as a Service) are exciting concepts. For an example of SaaS, look no further than Google Docs, a fully featured suite of office applications that allow you to create, edit and store your documents and spreadsheets without having to install any software packages on your own desktop. Now imagine if it was easy to build your own applications that also run on the Google platform. Potentially you could run everything you need for your business to function off of somebody else's resources. This is where Salesforce are heading, wanting to create a platform that anyone can build on, making it easy to integrate on-demand services and messaging features, create mash-ups, and develop custom applications to do just about anything.

Kendall Colins of Salesforce says "You can be anywhere in the world, log in, write code that saves on our servers, tests and runs on our servers, and share that anywhere in the world."

It's exciting stuff and I reckon it'll catch on. Face it: where's the fun in purchasing a disk-space and resource intensive operating system, only to install onto it more disk-space and memory intensive applications of which most people only use a small fraction of the functionality, when we could all be using zippy, lightweight systems that connect to online platforms where all the weight of the processing and storage requirements is taken care of?

So, what of security in the future business world where we no longer store our own data and rely totally on external service providers for the availability of all our business functions? Will there ever be a time when we could move all our eggs to the PaaS basket?


September 27, 2007

Infosec Podcasts

If you're familiar with the Infosec Europe show, held annually at Olympia, then you'll know that it always attracts an impressive line-up of expert speakers over the course of the three days. It's always seemed a shame that there hasn't been anything between events to engage the interest of those who attend the show. So I'm pleased to see that the organisers are now presenting a monthly podcast that you can download from the event website at www.infosec.co.uk.

The first in the series is on the subject of Wireless Security – Top Tips to Mitigating Threats and is presented by Paul Lawrence, VP & General Manager, EMEA, AirTight Networks Inc.

LinkedIn Article

An excellent article on the perils of social networking with LinkedIn in the latest edition of [in]secure magazine.

October 1, 2007

iPhone Updates

Good read on Apple's update strategy for the iPhone here: http://www.emergentchaos.com/archives/2007/10/apples_update_strategy_is_1.html

And so what Apple is doing has an important side effect: creating a fear of their patches. That fear will last long after a reasonable resolution of this incident.

October 7, 2007

How to make a nice cup of tea

Forget BS7799 and ISO27001, the one we really need to know about is BS6008: "Tea — Preparation of liquor for use in sensory tests." This is a six-page, 5000-word guide to how to make a cup of tea. Section 7.2.1 states:

Preparation without milk
Fill the pot containing the tea with freshly boiling water to within 4 to 6 mm of the brim (i.e. corresponding approximately to 285 ml in the case of the large pot and 140 ml in the case of the small pot described in the Annex) and put on the lid. Allow the tea to brew for 6 min....

The document does not identify what type of tea to use, nor the colour of the pot. I'm not sure if these are considered important. Although if they are going to go to the trouble of producing the document you'd have thought that someone would also have considered other aspects such as whether to slurp or sip...

I'm all for a nice cup of tea, so I'll be printing out this standard and putting it on display next to my latest security awareness poster.... :-)

October 8, 2007

Threat Expert

An interesting resource that I read about here: http://www.vnunet.com/vnunet/news/2199328/security-experts-launch-tool

Threat Expert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.
See http://www.threatexpert.com/

October 11, 2007

An image - at last!

After nearly a year of on and off blogging, I have been shown how to add an image to my blog (thanks James...) ! So, I wanted to share with you the following picture, which I shot whilst driving around the Texan countryside early last year:

[Image: padlocks.jpg]

Someone should give a prize for the best security related caption to go with this picture...any takers?

October 13, 2007

PaaS - Amazon EC2 & Force.com

I wrote a short while ago (Sep 22) about SalesForce.com (SFDC) and their Force.com PaaS service offering. I believe that this is the way that enterprise development is heading and I wouldn't be at all surprised if, in a few short years, it's the norm rather than the exception.

SFDC are not the only players. Amazon have also entered the market with their EC2 (Elastic Compute Cloud) offering. The advantage of Amazon's model is that they charge by the hour for each running instance: you only pay for capacity used and there are no fixed costs. Therefore, if you have a service offering where there are spikes in traffic at key points of the year and it's relatively quiet at other times, this model would appear to serve your interests well. It allows full freedom to compete on ideas rather than resources.

EC2 appears to offer more flexibility for developers than Force.com. In the article "The Perils of Platform as a Server" Robert Warfield writes that "the beauty of Amazon’s approach is they get to tap into any ecosystem (say open source components, for example) that runs on Linux. That’s powerful!"

However, all is not perfect in paradise. If you're putting data onto the EC2 platform, what happens to it within a particular instance of a server when it is no longer required? It's true that you can get a new server allocated in minutes, but are the hard drives wiped every time the server is requested? I read a comment somewhere that said it's the equivalent of "throwing away a hard drive full of data (into a dumpster) and assuming that the data will never again see the light of day."
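One practical answer to the "are the drives wiped?" question is not to take the provider's word for it but to look. The following is an added example (the editor's code, not anything from the post or from Amazon): a crude remanence check that walks a volume in fixed-size blocks, reports any block that is not zero-filled, and pulls out printable runs the way `strings` would. It runs here against an in-memory byte string standing in for the block device, with two leftover fragments planted in it as constructed sample data; the 512-byte block size and the `/dev/xvdb` device name mentioned in the comments are assumptions, and on a real system you would read the device file in the same chunks.

```python
"""Added example: a simple data-remanence check for a freshly attached volume.
Editor's illustration, not code from the blog post or from Amazon. The sample
image below is constructed; a real run would read a device such as /dev/xvdb
(name assumed) in the same fixed-size blocks."""
import re

BLOCK_SIZE = 512          # assumed sector size for the scan
MIN_STRING = 8            # printable runs shorter than this are ignored, as with `strings`


def nonzero_blocks(image, block_size=BLOCK_SIZE):
    """Return byte offsets of every block that is not entirely zero-filled.
    A freshly wiped volume should return an empty list."""
    zero = bytes(block_size)
    offsets = []
    for off in range(0, len(image), block_size):
        chunk = image[off:off + block_size]
        if chunk != zero[:len(chunk)]:      # handles a short final block too
            offsets.append(off)
    return offsets


def printable_strings(image, min_len=MIN_STRING):
    """Extract (offset, text) for ASCII runs of at least min_len bytes.
    Newlines and other control bytes break a run, just as they do for `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def looks_wiped(image, block_size=BLOCK_SIZE):
    """True only if every block is zero; anything else is a remnant to investigate."""
    return not nonzero_blocks(image, block_size)


def build_sample_image():
    """Constructed sample: sixteen zeroed blocks with two fragments a previous
    tenant might have left behind."""
    image = bytearray(16 * BLOCK_SIZE)
    # Start of a PEM private key at block 3 (constructed, not a real key).
    frag1 = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow"
    image[3 * BLOCK_SIZE:3 * BLOCK_SIZE + len(frag1)] = frag1
    # A stray configuration line part-way into block 11 (constructed).
    frag2 = b"db_password=Example!2007"
    start = 11 * BLOCK_SIZE + 40
    image[start:start + len(frag2)] = frag2
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("wiped:", looks_wiped(img))
    for off in nonzero_blocks(img):
        print(f"non-zero block at offset {off}")
    for off, text in printable_strings(img):
        print(f"{off:8d}: {text!r}")
```

On the constructed image the check flags blocks at offsets 1536 and 5632 and recovers the PEM header and the password line; the base64 tail "MIIEow" is dropped because it is shorter than the eight-character threshold, which is the usual trade-off between noise and recall when carving strings. A clean result from this scan is necessary but not sufficient: it says nothing about what the hypervisor or the physical disk still holds, which is exactly why the question above belongs in the provider's contract rather than in your own scripts.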

EC2 is also suffering some teething problems. A recent outage in the service resulted in lost data.

"We lost almost all our data due to the erroneous instance termination from Amazon, and we are in a very bad shape as a company," wrote one unhappy EC2 user, who wanted compensation from Amazon.

Certainly not good news, but then that's a risk early adopters take and I predict that the service will get over this hiccup. It's also a lesson that the old rules still apply: make backups, for goodness' sake!

Regardless, virtual data centres and flexible pay-as-you-go computing models make great business sense. Service providers must give assurances around data security. There's a lot of experimentation going on right now and that's not a good environment for confidential or high loss impact data. I don't, however, have any doubts that we'll all be looking at how to take advantage of this model.



October 16, 2007

LinkedIn - The first million is the hardest

Congratulations to LinkedIn who have achieved one million UK members on their social engineering...I mean, social networking site.

I think LinkedIn will persist and grow. The forthcoming API will enable other companies to tap into the service and I can see the potential for organisations such as Salesforce.com to add LinkedIn functionality or vice-versa. Businesses will also be able to integrate LinkedIn with their own CRM or business development systems. Powerful stuff.

Security and privacy will remain a concern and it would be great to see LinkedIn - or whatever the next, next best thing is - being innovative in addressing this. The opportunity is there...

October 18, 2007

Daycon

Dayton, Ohio, has a couple of things to recommend it: it is home to one of the best steak restaurants that I have ever been to (The Pine Club). Actually, that's about it. However, it is also home to the Daycon Hacking/Security Conference. This might not be the best known event in the calendar, but it certainly attracts some very talented speakers, including my good friend Angus Blitter (he and I gave a presentation together at InfoSec Europe a couple of years ago). I wasn't able to attend; however, there is some content available to download, including:

  • DNS: The Internet's Dirty Secret (PDF file)
  • Hacking Second Life (Zip file)

I particularly like this quote from Angus: "If an adversary is motivated they will develop or obtain a capability to exploit a vulnerability", then going on to describe an Exposure Index:

Exposure Index = Motivation * Capability * Vulnerability

The presentation on hacking Second Life will make your eyes water. A good message for us all to remember too: "Where money is made, you also find cheaters, criminals and hackers."

  • Frank Abagnale Interview

There's an interesting interview with ex-fraudster Frank Abagnale online here. Frank's message is that it's far easier today to commit the sort of crimes that he became famous for.

A world of too much information and the technology make it very easy to do today what I did 40 years ago.

October 26, 2007

Personality in Security

A panel session at the RSA conference has suggested that "it is just as important to recruit on the basis of personality as it is to find someone with the right technical qualifications" for information security jobs (see article in Computer Weekly here).

Some might argue that if this were the case then I'd have ended up in marketing. Joking aside, I think that the panel is making a good point. Never has it been more important to understand and appreciate how the business works: the management, objectives, strategy, culture and financing. Having the security team working in a silo, issuing edicts, is a thing of the past - or it should be. Let's, for example, take a business that has decided on a strategy of utilising a PaaS (being my current favourite subject) for managing essential data. It's no good trying to shoe-horn existing policies based on traditional systems and processes into this. That is not being agile and it's not serving the needs of the organisation.

To get there, we need to have a good understanding of what management is trying to accomplish, ensure that appropriate risks are understood and managed, whilst also ensuring that in doing so we're not putting unnecessary barriers in the way. It's a tough trade-off and achieving success requires character and personality as well as traditional security skills and knowledge.

A similar point was made on this blog here earlier in the year. Dan Morrill says that we need to:

1. Hire for technical ability, creativity, and socialization skills. I am well aware that this will cause problems in the ability to find these people; they are rare.

2. In the interview ask "how would you solve this problem" and see what their responses are: is it purely technical, is it part technical part social, does the solution make sense to the company, how well do they communicate the solution?

I found an article written about information security qualifications that puts it a slightly different way: "the real traits that determine whether or not one succeeds (regardless of their career path) are positive personality traits such as motivation, tenacity, and the burning desire for achievement."

Personality alone won't win the job. Qualifications and experience are important. In my case I worked my way through an MBA and can't recommend highly enough the value of going down that particular path. My CISSP certification was useful years ago when I was starting out but probably less so now that my career has become established. The new Institute of Information Security Professionals (IISP) is also looking to play a part in validating the professionalism of individuals within the industry.

So, bottom line: personality is important, so too is training and education.

October 27, 2007

Back to Earth

In Futurama, Fry wakes up in the year 3000 and finds himself in a strange new world where the technology is baffling, yet exciting. That's sort of how I felt wandering around the Microsoft campus today as a guest of Mark Curphey. There are gadgets galore, gaming machines, nice coffee and great meringues. If Carlsberg did work environments then this one is pretty close to how it would look.

Most impressive of all is Mark's vision for the Oxygen Security Platform. He describes this as "ERP for Information Security, the security management equivalent of what Visual Studio Team System is to software development or, in more general terms, an information security specific Governance Risk and Compliance platform." It's a unique and exciting venture and I for one am looking forward to seeing it come to life - so good luck to Mark on making it happen.

Anyway, I'm back off to my own third-world-in-comparison office. Boss, can we have a games room please?

October 30, 2007

$10 million supermarket scam

[Image: donkey.jpg]

I've heard some words of indignation expressed at the invitation of Frank Abagnale to speak at this year's RSA conference. I understand the point of view - why should this convicted fraudster be able to make a living off the notoriety of his crimes? Mind you, there are worse ways to find fame. Mr Abagnale has yet to appear on Celebrity Big Brother, and neither has he stepped out of a limousine wearing a short skirt and no pants. Therefore he still retains some credibility in my book - at least until he declares himself a supporter of the Labour party, at which point I'd immediately demand that they stick him back in prison.

I also think that we can learn a lot from his words of wisdom because people are still falling for the old scams - just in new ways. This one's a good 'un!

Red-faced accountants from one of the biggest supermarket chains in the US are frantically trying to regain control of more than $10m lost after falling victim to online fraudsters.

Evidently, no one at Minnesota-based Supervalu bothered to confirm the authenticity of emails sent in late February. Purporting to come from two of the company's suppliers, the messages instructed Supervalu to wire all future payments to new bank accounts. One email purported to come from representatives of Frito-Lay and the other from American Greetings. Both suppliers have established relationships with the grocery chain.

The emails were phony, but within two days, Supervalu began moving money into the accounts. Over the course of a week, the company transferred $10,128,941.94 in nine separate payments.

I wonder how many other organisations have fallen for similar tricks but simply never gone public about them, or don't even realise they've been scammed? I doubt this is a one-off. Would your processes have prevented an incident of this nature if it were targeted against your organisation?

November 2, 2007

Infosec Europe Hall of Fame

Infosecurity Europe are compiling a list of who they "consider to be the brilliant minds in the history of the information security industry." Read the details online here: https://www.infosec.co.uk/page.cfm/Action=Form/FormID=9/t=m

I think it's a compelling list and I was wondering who you would nominate and why....

November 7, 2007

Infosec Steering Committee

It was my privilege to be invited to chair this year's Infosec Europe Steering Committee meeting yesterday. The event team presented lots of plans and ideas that suggest next year's show will be the best yet.

What surprised me was the range of key information security related issues identified by the committee (which included senior representatives from the financial, industrial, pharmaceutical and government sectors) as being of current importance within their own organisations. Surprising because I recall the focus of discussion at the previous years' meetings was on compliance and malware. This time around, nearly everyone brought a different subject to the table. These included identity management, content management, wireless security, risk management, social networking, compliance, outsourcing, and data classification.

Nobody mentioned malware as their number one issue. Does this indicate that we've beaten the threat or that we no longer perceive malware as being such a high priority? That's a subject I'll focus on for this blog shortly!

November 12, 2007

Bot Master Banged to Rights

"Crime pays, and it also has an excellent benefits package."

So went the signature of John K Schiefer, the security consultant who has just "admitted to using massive botnets to illegally install software on at least 250,000 machines and steal the online banking identities of Windows users by eavesdropping on them while they made financial transactions." (See SecurityFocus at http://www.securityfocus.com/news/11495).

Apparently, most of the bot programs were spread using AOL Instant Messenger. In order to spread, the victims would have to first click on a link that would have been messaged to them. Anyone who took the bait had a Trojan program downloaded to their machine.

"I don't think anyone should feel sorry for me," Schiefer said. "What I was doing was wrong [and] stupid, and I got caught." (see http://blog.washingtonpost.com/securityfix/2007/11/security_pro_admits_to_hijacki.html?nav=rss_blog)

From the US Department of Justice:

John Schiefer, 26, of Los Angeles (90011), has agreed to plead guilty to four felony counts: accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud....Once he pleads guilty to the four counts, Schiefer will face a statutory maximum sentence of 60 years in federal prison and a fine of $1.75 million.

    November 25, 2007

    Data breach analysis

    I've been looking back at the recent history of data breaches. This resource at http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm shows that of 126 private sector incidents, 40% were the result of laptop theft, and a further 30% alluding to human incompetence or insider "Malfeasance."

    For further statistical analysis of data breaches, this web site has some good data: http://etiolated.org/. The top two incidents listed in terms of number of compromised records, CardSystems and TJX were apparently the result of vulnerabilities in systems used for hosting the data. Of the rest, five out of eight had fraud or theft as the cause.

    More detailed data can be found here: http://attrition.org/dataloss/dataloss.csv. If this is accurate then since records began being collated 7 years ago, more than 300million individual personal and private records may have been comprimised. That, incidentally is equal to the population of America. Of the 832 incidents catalogued,

    - 42 were the result of data disposal processes
    - 11 were through email
    - 53 were the result of fraud
    - 168 were the result of hacking
    - 75 were because of lost laptops, documents, or disk drives
    - 304 were because of stolen computers, stolen tapes or other media
    - 125 were because of web based attacks

    Only 2 incidents resulted from malware, affecting fewer than 3000 records. Nearly a quarter of all incidents are listed as being the result of "accidental" causes rather than being deliberate.

    This data tells us a lot. The fact that the majority of data breaches are the result of malign causes rather than malicious intent shows us that we must tighten up technical controls over access to data, management processes around handling and access, and education around what to do with and how to dispose of data. Still, more than a quarter of breaches were the result of hacking, so web security and perimeter device security remain incredibly important.

    What about malware? We spend a fortune on anti-malware controls so is this data an indication that a) the controls are working and valid or b) we're not at as much risk of having our systems compromised through malware as we think we are? Or is there a c) the extent of malware related compromise simply isn't known?

    Back to the list of incidents: in only 37 (4%) is the data known to have been recovered with a resulting criminal prosecution. That's only 6% of the data records supposedly compromised, leaving a whopping 280 million records still at large...


    November 27, 2007

    200 Today

    This is the 200th entry on this blog! I'm certainly not in any danger of running out of things to talk about. We're in a very dynamic environment where the risk equation must be continually reviewed for each of the bad outcomes that we are concerned about.

    My prediction for the next 200 blogs? Probably more of the same because the same old topics keep on cropping up. We seem to have ever more ingenious ways of relearning common mistakes. 10 years ago we talked about change control and process and moaned that we needed to tighten up. Today we still moan about both. Only now, you're far more likely to find yourself on the front pages when it all goes wrong.

    More reliance on platform based services such as Salesforce.com means that controls around data access, integrity and availability become more important than ever. Reliance on strategic web products and associated web 2.0 services raises further issues. PCI compliance is being gradually tightened up, as too are European data protection regulations.

    Anyway, as we're getting towards the end of the year, I'm going to join in the old game of trying to predict what's coming up next year. That's coming later...

    December 2, 2007

    Operation Bot Roast II

    The FBI are continuing their fight against the botnets. They have announced the second phase of Operation Bot Roast together with good news about successful indictments against a number of online criminals.

    You can read more about it at http://www.fbi.gov/pressrel/pressrel07/botroast112907.htm.

    January 5, 2008

    Politics of Security

    An interview with Lord Erroll entitled "The Politics of Security" caught my eye in the latest edition of Information Age. Erroll was behind the recent House of Lords Science and Technology Committee report on "Personal Internet Security." In this latest interview, he adds some further context to the conclusions of said report.

    It is illegitimate, says Erroll, for titanic software houses to sell a product to small businesses on the basis “that it’s a wonderful solution that will protect their business, and then when it doesn’t say, ‘Oh, I’m terribly sorry but it was your decision to buy it’”. Equally, he continues, a small provider offering downloadable freeware cannot be expected to compensate users if the product has flaws.

    Eroding Microsoft’s dominance on the desktop would help improve the dynamics of security software development and delivery, he argues. If there were a large number of competing operating systems, the user could choose between high- and low-risk options. The point, he says, is that users do not have that choice and as a result are unable – and indeed offered no incentive – to make a risk assessment for themselves. “We’re just beyond the Model T Ford stage where IT security is concerned,” he adds.

    I noticed that when the report was originally published, a security analyst from McAfee retorted with "security vendors only supply the tools, and it is up to businesses to deploy the tools effectively." Yes, that's true enough; however, you're unlikely to win many friends - or long term and repeat business - with that "the customer is in the wrong" attitude. Not only that, but why should it so often be so difficult to meet the conditions of so-called "effective deployment" if the product was coded correctly or designed properly in the first place? Intellect, whose membership comprises most of the big names in the UK technology industry, made their own statement on behalf of their members:
    We don't buy a car and then expect the manufacturer to pay up when it gets broken into.
    That statement alone shows just how little respect the industry really has for the customer. No, we don't blame the manufacturer when our cars get broken into, but then it's not really the same thing, is it? If I go to a restaurant and get food poisoning I'll certainly blame the chef. That's a much better analogy in my opinion.

    I agree with Erroll: vendors have a duty of care and I, for one, support the outcomes of the report.


    January 6, 2008

    RFID Passports

    Last week, the US "State Department approved technology that will allow passport cards, which can be used by U.S. citizens instead of a passport when traveling to other countries in the western hemisphere, to be read from up to 20 feet away."

    You can read more about it here.

    News about the likely introduction of RFID passports is nothing new, and Bruce Schneier expressed his thoughts on this subject over three years ago here.

    Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that travelers carrying around RFID passports are broadcasting their identity.
    Schneier was even more critical going on to say "this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it."

    There is more detail on the concerns posed by the "US Center for Democracy & Technology" that you can download in pdf format here. Here are some of the best bits...

    Long-range RFID technology like that used in the GEN-2 protocol was never meant for human identification. Rather, it was designed for the tracking of things...security of the UHF RFID system, while important, was not a top priority....a technology meant to track products cannot be retrofitted with the level of security that is necessary for identifying people.

    It sounds so good that I'm surprised our own Government haven't proposed something similar yet... oh, they have?


    January 9, 2008

    Use this blog with caution

    Do you find this blog to be "seductively immediate, vividly worded and apparently candid"? If so, then according to Gartner, you should exercise "care and caution" before using it as a reference.

    Gartner have published a report entitled "Use Care and Caution to Qualify Insights From the Internet" (3 Jan 2008 by Whit Andrews and Carol Rozwell) which I think serves to highlight the fact that many people seem very willing to grab information from any and all online sources and quote it back as bona fide fact with little regard for the credentials and credibility of their sources.

    Anyone with even an infrequent experience on the Internet knows three essential truths:

    1. Having access to more information does not make that information inherently more valuable.
    2. Multiple instances of a piece of information do not vouch for its veracity.
    3. Information is made generally available often without regard for its persistence or potential impact.

    The article goes on to describe further guidelines for using online resources as reference points. If you can get access to it then it's well worth the download.


    Snack attack

    I have committed a careless act and put lives at risk. Yes, apparently it's true. The voice on the telephone that broke the news to me couldn't have been more serious. It may only have been an Alpen Snack Bar (with chocolate and orange) but its very presence in my daughter's lunch box had the headmistress at the infant school concerned almost to the point of fury!

    You see, there are individuals at the school who suffer from a nut allergy. I do not want to in any way play down the effects of this affliction because I fully appreciate the potential consequences. So, was I, by giving the offending snack to my daughter, who for the past three months has avoided the food police removing similar items from her lunch box, putting others at risk?

    I assess risk on a daily basis; I've got equations and worksheets, knowledge of the environment, and a good degree of common sense. But what I don't have to deal with is life-threatening consequences because, let's be honest, no one is going to die from a computer virus. If we were to add the potential for loss of life into the mix then you can bet that we'd suddenly become a good deal more risk averse. So I fully understand the head-teacher's point of view even though I don't concur with her assessment of the risk.

    As it stands, my daughter lost her snack bar and had to make do with a banana instead. Healthier for sure, but not really a treat.

    January 13, 2008

    Chinese Hackers - are we under attack?

    Each of the following quotes is from a news report within the past few days. See if you can spot the common theme...

    South Korea's military is warning of cyberattacks against its personnel using phishing e-mails, and one account says they come from Chinese hackers. (see here)

    WASHINGTON, Dec. 31 (UPI) -- Chinese hackers took down a U.S.-based Web site that hosts dissidents' blogs over the holidays, apparently as part of a pre-Olympic propaganda campaign. (see here).

    In a string of recent incidents, Chinese computer hackers have allegedly broken into high-security networks in the U.S. and other countries. (see here).

    The link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords. (see here)

    You can see the international pressure beginning to mount on Beijing in regards to Chinese hackers. The US, France, Germany, Japan... and now the Brits have made it a part of their rounds to complain to Beijing. (see here)

    The question I ask myself is whether all this is indicative of a concerted effort from China to hack into foreign networks. If so, I wonder what the full extent of it all really is. The quotes above are simply the result of five minutes on Google. As such, I reckon it's the tip of the iceberg. We shall see...

    January 21, 2008

    The Dark Visitor

    I've been reading an interesting blog that focuses on the subject of Chinese hackers and a PRC government run organization of eight Chinese hacker groups dedicated to cyber espionage. This is a theme I've been harping on about for a little while now and I'm just wondering when the apparent seriousness of what seems to be state sponsored hacking is going to make the mainstream news.

    Read The Dark Visitor blog here: http://www.thedarkvisitor.com/

    February 11, 2008

    Travel Tales

    Today I'm in Sao Paulo. It's a city that I was warned was a dangerous place before I came, but which my colleague, Fabio, quickly put me right about on my arrival. His words of wisdom were that if I wore a Rolex watch whilst walking through the slums alone then I'd probably end up a victim of crime. As I don't own a Rolex nor have any inclination to wander alone through the slums, I feel as safe walking around the various sights of the city here as I do just about anywhere else in the world. And anyway, with personal security, follow similar rules as you do with your information security - you have to try to minimize the risk of being a target.

    Later on in the week I'm heading onwards to Buenos Aires. It's a tough job sometimes but someone's got to do it...

    February 18, 2008

    Biometric security

    I signed up for the iris scanner service at Heathrow airport. The theory is that passing through passport control should now be a breeze because all you need do, once registered, is walk up to the scanning device and pass through security in an instant. Unfortunately, the scanner is proving to be quite popular and is not always very efficient, which means the queue for physical passport checks was moving much quicker this morning than the queue for the scanner. Hence, much grumbling and complaining to be heard from the crumpled suits lining up in the fast lane.

    Mind you, I am a big advocate (that word again...) of biometric controls and the iris scanner - when it works - is great technology and practically impossible to cheat.

    My own organisation has biometric controls in a couple of locations too. In one we have fingerprint access to the office. That system is tied in with the local HR department, who use the access and exit data to prepare the payroll. All employees must put their finger on the pad each time they arrive and leave the office. While sounding a bit draconian, it's actually very efficient and replaced an old punch-card system. It's also designed to conform to local employee workplace regulations. So win-win for everyone. Some might argue that there is a privacy trade-off for the sake of convenience. I'm not going to disagree, which is why it's vital to have the right safeguards around the database. Ideally, biometric data should be kept strictly separate from personal information.

    Whilst standing in the queue at the airport this morning, I was wondering about how we might be able to make better use of biometrics for the mobile workforce. A recent article by Richard Farnworth (see full citation below) states:

    biometric-based processes can not only provide fail-safe ID checks for business critical applications, they will also ensure immediate and accurate security across mobile business applications.
    The article goes on to discuss some of the available options before reaching the conclusion quoted above.

    Biometrics are not necessarily always foolproof. This podcast here discusses how some systems might be spoofed using Play-Doh. It makes for interesting listening (once you get past the first couple of minutes of chat), especially the conclusion that while there may be potential vulnerabilities, it's probably still a more secure solution than the one you're probably using now.

    Citation for above mentioned article:
    Richard Farnworth, Enhancing security for the mobile workforce, Biometric Technology Today, Volume 16, Issue 1, January 2008, Page 8.
    (http://www.sciencedirect.com/science/article/B6W70-4RNS8DX-H/2/964beea5e82fa331ded1928002dd6a6d)

    February 21, 2008

    Infosec Spain

    It was my privilege yesterday to be invited to give a presentation in support of the Infosecurity Spain exhibition. This is a sister show to Infosecurity Europe and is due to be held in Madrid during June this year.

    My presentation was to a group of Spanish business leaders and industry journalists where I talked about the security issues we're all thinking about at the moment: namely increasing threats from malware, online security, consumerisation, data breaches, and compliance.

    The security industry in Spain is a little way behind the UK; however, organisations such as (ISC)2 and the ISSA are well represented and their local memberships are growing.

    To anyone reading this blog who can get to Madrid in June for the show: I thoroughly recommend it.

    March 12, 2008

    2008 Budget - On biometrics at Heathrow

    From today's budget speech:

    Today I can announce new measures at Heathrow and other airports to ensure that a greater use of biometric technology speeds up the time it takes passengers to get through immigration control.
    Whoopee (see my blog from a couple of weeks ago)! Bet I'll still get stuck in the queue behind the person who the machine won't work for.

    March 18, 2008

    Bad Phorm

    The prospect of behavioural-based advertising is something we should all be concerned about and something we should all be strongly voicing an objection to. Phorm, the company offering such a service as part of their Webwise product, have engaged with BT, Virgin, and Talk Talk for trials of the service.

    Read about it here.

    Personal security and privacy of data are not the only issues here.

    The BT spokesman said Phorm offered consumers two benefits.

    "Customers will receive more relevant advertising and will get warnings if any of the websites they visit are known to be phishing sites."

    I'd like to meet a BT customer who wants more relevant advertising. I'd prefer BT to be blocking all advertising - I damn well pay them enough for use of the copper wire across which the content I actually do want has to crawl like treacle. The last thing I need is for my precious bandwidth to be inundated with advertising. Even more so for my children - what targeted advertising will appear on the screen when they're online?

    Phorm have apparently gone to great lengths to ensure the legality of their "service" having spoken at great length to the Home Office to make sure that its scheme doesn't break RIPA (the Regulation of Investigatory Powers Act). However, surely once you have in place a system that's capable of intercepting traffic for any purpose other than routing between the ISP and the end-user, then in my mind you're also opening up that same system to the risk of abuse.

    There's some good commentary on the issues on this blog here.

    While Phorm and the ISPs signing up say users will be able to opt out, they don't say whether everyone will be opted out or in automatically by default. I strongly suspect everyone will be opted in as a matter of course, and here's why. If you were to ask the users to opt in to this form of advertising, I'm pretty sure just about everyone would say no thank you! Which for me answers the question of whether this is a good idea or not; in fact I've seen one Virgin forum (cableforum.co.uk) poll that stated 95% of users would want to opt out. I've also heard that if Phorm don't have millions of users signing up, the whole system would not be viable, so we can be pretty sure everyone will be signed up by default.
    More good words here:
    The thing that puzzles me most about Phorm is their description of the Webwise system, which presents it primarily as an anti-fraud technology. This leaves an impression that its real purpose is somewhat hidden. I suppose this is because nobody really likes adverts, especially not the ones intruding on the content of the page we wanted to see.

    March 25, 2008

    On the road again

    This week I'm in Moscow. British Airways just about managed to get me here and maintain the 100% lateness record on flights I've taken in the last six months. Today's escapades were either (according to ground staff) because of the late arrival of the previous flight and the crew being out of hours, or (according to the captain of the aircraft that eventually got airborne nearly three hours late) because the first aircraft wasn't fit to fly.

    The purpose of my visit here is to review the information security side of things at our Russian office. I've got a well rehearsed process that covers everything from the server room to the filing cabinets. An on-site visit usually reveals issues that would otherwise remain under wraps, but it's important to show support and offer constructive guidance rather than criticism. The wrong approach can result in being ring-fenced and subsequently not receiving any information at all.

    Most of all though, I'm looking forward to some good local hospitality and the opportunity to finally do some face-to-face networking with the people over here. До скорого!

    April 4, 2008

    Flattery will get you nowhere

    What's in it for me? Now, if you ask me that's a perfectly reasonable response any time somebody asks you to give up your valuable time on a professional basis and participate in an event that is being sold to you on the benefits it will have for some large profit making organisation. I don't think it's an unreasonable question.

    I'm very selective about what I give my time to - after all I also have a family to keep happy, a full time job, and interests in things other than security (yes - really!).

    So, when somebody comes to me and says "we'd like you to participate in our event and give a day and a half of your time a couple of times a year and contribute to our body of knowledge" I'm flattered to be asked and waiting to hear about the benefits and the pay cheque. When they then go on to say that for the privilege of having me they will also expect me to pay a five figure sum of money then I'm afraid I'm out. And the benefit of being able to network with 20 of my peers (the number of other individuals quoted to me by the salesman as being involved) isn't something I need to pay for - networking with industry peers is priceless but I prefer to do that where and when I choose: preferably over a pint at the pub than in a meeting room where our every word is being recorded for the benefit of research.

    Some causes I will gladly give my own time to: this blog, because I enjoy writing and talking about security; the IISP, because it's genuine in its support of the industry that I'm a part of; and one or two others where I get to meet friends and industry colleagues who are similarly enthusiastic about what they do. What I will not do is donate time and spend money (mine or my organisation's) for the benefit of adding to somebody else's business plan and profits when all I get in return is an invoice.

    So, I won't reveal here the name of the well known international organisation that made the offer to me today; I know they read this blog because they made a point of mentioning it a couple of times (and I've mentioned them too...), but I hope my answer doesn't require any further elaboration.

    April 9, 2008

    End to end trust

    While the rest of the security industry is currently living it up at the RSA conference, I'm in Vienna, having completed another local security review, looking out of the window of the airport lounge in hope that my flight home might both arrive and depart on time. Would I prefer to be in San Francisco? Yes!

    On saying that, I do like Vienna - it's one of my favorite cities. Friendly people, beautiful architecture, and great food. In fact, here's my latest recommendation for a good meal: Figls (http://www.figls.at).

    I usually dislike travelling because, frankly, I'm not really into all the small talk that one is often forced into making with the person in the next seat on the aircraft, or the elbow politics over the centre armrest. I prefer to pick who I sit next to. This trip has not been so bad because my wife has accompanied me and I can just about make small-talk with her! Being ever entrepreneurial I suggested to her that we start a website dedicated to the theme of hooking up like-minded people who happen to have the same travel arrangements so that you end up sitting next to somebody you don't mind having to converse or share personal space with.

    However, inevitably the discussion turned to the theme of security and the pitfalls of such a service. How would you prove the online identity of your travel buddy? How would you protect your own (i.e. you'd be telling the world that you're going away from home and potentially leaving your house empty)? And so on.

    So, that led me to thinking about the whole online identity issue and in turn that brings me full circle back to the theme of the current RSA Conference where Microsoft's Scott Charney has been talking about "Creating a More Trusted Internet." In the accompanying article, Scott states

    We need to create a system that allows people to pass identity claims (sometimes a full name perhaps, but at other times just an attribute such as proof of age or citizenship). This system must also address the issues of authentication, authorization, access and audit. Finally we need a good alignment of technological, social, political and economic forces so that we make real progress. The goal is to put users in control of their computing environments, increasing security and privacy, and preserving other values that we cherish such as anonymity and freedom of speech.
    The associated white paper elaborates on these themes and it's well worth a read. Download it here.

    The privacy buffs will no doubt claim that such initiatives will see the end of Internet anonymity. But would that be such a bad thing? Scott Charney himself states "The fact that anyone can connect to the Internet without paying for the costs of an identification regime has certainly enhanced its growth." And just look at the storm over Phorm at the merest suggestion that anonymity might be compromised. But I think it's time for this initiative and I'm not unhappy about Microsoft taking the lead - after all, I'm writing this blog on a Microsoft powered PC and I'll bet that of the millions of you out there reading this, the majority are doing likewise.

    So, good food for thought... and as it looks like today's flight is running to schedule, it's time for me to sign off!

    April 15, 2008

    Infosec Europe

    Only a week to go until this year's Infosec Europe at Olympia. The program this year looks, in my opinion, to be the best yet, including input from some well known industry names such as Bruce Schneier and Alan Paller, as well as my fellow bloggers David Lacey ("Locking Down Social Networking Vulnerabilities" on the 22nd) and Philip Virgo ("Why Do We Need an E-Crime Unit?" on the 23rd).

    I'll be participating in the "The Mock trial of A.N.Corporate" on the 24th in the Interactive Theatre, where, according to the blurb "The excitement of a real courtroom is brought to Olympia, when a mock trial is conducted where various members of a corporation (It Manager, CISO, CIO and CEO) are put in the dock, and questioned by the defence and prosecution." It should be fun!

    There are some exciting new exhibitors on the list for this year including Behaviosec whose product "Behavio identifies unauthorized users within seconds by detecting anomalies in keyboard and mouse behavior."

    I'm looking forward to seeing you there.

    April 22, 2008

    Reindeer meat and a new industry portal

    It was good to bump into many familiar faces around Infosec at Olympia today. In fact, it was a good day, period. I encountered one of the event team soon after arriving who was positively beaming about the great start this year's event had gotten off to.

    I'm slightly biased: after all, I work for the same organisation that puts on the show, I walk past the event team in the office on a frequent basis, and I'm told they can make even the heaviest stapler aerodynamic. However, in my opinion today was a good day!

    My favorite exhibitor is the Swedish company, BehavioSec. They have a desktop product which can instantly identify unauthorised use of the computer by detecting anomalies in keyboard and mouse behavior. They were giving out free packets of dried reindeer meat on their stand - I'd rather eat the plastic wrapper that it came in; however, the product (the software, not the meat) is good, and it's innovative. And innovative products are something I wish more vendors would have.

    Another product I liked was from Pinoptic. They specialise in "Visual Probabilistic One Time Password Solutions - Authentication security using symbols, pictures and images." It's an alternative to token based two-factor authentication and provides an API for bespoke development (e.g. for website access).

    Whether either of the above two products can be put to good practical use at a good price is something to find out. If you've got any experience of them then why not share it on the new Infosec website: http://www.infosecurityadvisor.com/. This is an excellent new industry portal providing product reviews, blogs, expert advice, career guidance, and an online job board. There are too few good online vendor neutral information security resources; this one promises to be a winner and I've got no qualms about encouraging your support.

    April 28, 2008

    Petty local government bureaucracy alive and well!

    In September of this year my daughter will be moving schools. The local council need a copy of her birth certificate as confirmation of her identity. This is despite the fact that her birth certificate was originally produced for the same council less than a year ago for the same purpose before she could attend her current school. Anyway, I dutifully posted said document. It has however, failed to arrive - either lost in the post or misplaced somewhere along the way.

    In conversation with the relevant admissions department this morning I asked why they actually need a copy of the birth certificate at all. The robot at the end of the telephone advises me that it's for identity and security purposes. So, I ask, why not simply refer to the previous submission. Because, the robot replies, that was for a different process. I don't give up so easily. As the document has clearly gotten misplaced somewhere between the post box and the admissions desk, could the process not be intelligent enough to note that my daughter still has the same date of birth and name as when we previously applied for a school place for her? Apparently not, "it's not the same process" is the response I get.

    Common sense and customer service are clearly not strengths of the Bracknell Forest School Admissions team...

    April 29, 2008

    Portable Identity and the BBC

    We've spoken about OpenID before on this blog (see entries from 9 Feb 2008 and 7 Feb 2007) and I've been quite enthusiastic about the prospects for this "open, decentralized, free framework for user-centric digital identity."

    It seems that the BBC have seen the potential and joined the OpenID foundation. Jem Stone, on his blog, makes the bold statement that "getting identity right is key to our future plans." I couldn't agree more. Managing identity is central to the future and long term success of everything from social networking to eCommerce. For their part, the BBC are currently looking at the concept of "portable identity." Good job if they can make it happen - the trick will be in ensuring that the solution is safe to use on a home PC, public terminal, mobile phone and the myriad of other Internet enabled devices we're now being sold. Two factor authentication is a must but it needn't be based on clunky tokens. Any other out-of-band method will suffice, for example an SMS message with a one-time password on a mobile phone.
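    The out-of-band SMS one-time password mentioned above needs more server-side care than simply texting a number and comparing strings. The following is an added illustration written for this page, not code from the BBC, OpenID or the blog's author; the class and function names (OtpStore, issue, verify) and the limits (six digits, five-minute lifetime, three attempts) are my own assumptions. It shows the properties a practitioner would want from such a second factor: the code comes from a cryptographic random source, only a salted hash of it is stored, it expires, it is single use, it is compared in constant time, and it is burned after a few wrong guesses so it cannot be brute-forced.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example (not taken from the page).
CODE_LENGTH = 6           # digits sent to the user's phone
CODE_TTL_SECONDS = 300    # a code is only valid for five minutes
MAX_ATTEMPTS = 3          # burn the code after this many wrong guesses


def _digest(salt: bytes, code: str) -> bytes:
    """Salted hash of a code; the clear-text code is never stored."""
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class OtpStore:
    """Server-side record of pending SMS one-time codes, keyed by user.

    Only (salt, hash, expiry, wrong-attempt count) is kept, so a copy of
    this store does not let anyone log in. The clear-text code exists only
    in the message handed to the SMS gateway.
    """

    def __init__(self):
        self._pending = {}

    def issue(self, user: str, now: float = None) -> str:
        """Create a fresh code for `user` and return it for sending by SMS."""
        now = time.time() if now is None else now
        # secrets.randbelow draws from the OS CSPRNG, so the code is
        # uniformly random and not predictable from earlier codes.
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        salt = secrets.token_bytes(16)
        # Issuing a new code replaces any earlier pending code for the user.
        self._pending[user] = (salt, _digest(salt, code), now + CODE_TTL_SECONDS, 0)
        return code  # give to the SMS gateway; never write it to a log

    def verify(self, user: str, candidate: str, now: float = None) -> bool:
        """Check `candidate` for `user`; True exactly once for the right code."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            # Expired or already brute-force-limited: discard, never accept.
            del self._pending[user]
            return False
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(digest, _digest(salt, candidate)):
            del self._pending[user]  # single use: a replayed code fails
            return True
        self._pending[user] = (salt, digest, expires_at, attempts + 1)
        return False
```

    The `now` parameter exists so the expiry and lockout behaviour can be exercised deterministically in tests; in production it is left at its default and the store would live in a shared database rather than a dictionary. Whatever the transport (SMS or otherwise), the point of the second factor is lost if the code is logged in clear text, accepted more than once, or left open to unlimited guessing.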

    Whatever the outcome, it's good to see my licence fee going on something that's innovative and, if successful, having wider benefits.

    April 30, 2008

    Traffic stats and the top 10 blogs

    This is the 300th published entry onto this blog. I thought it might be interesting to do a quick review of how many visitors it's getting, where you are all coming from and what the most popular postings have been over the past 12 months.

    Traffic figures are pretty good - weekly page views are generally between 600 and 800. Not too bad for a niche subject. As expected, most readers are from the UK but there's good interest from the US. I also have a small number of regular readers from the far east.

    My top ten blog entries (by unique page view) have been as follows:

    1. Building an Information Security Strategy (5 March 2007)

    2. What CIOs should be doing about security in 2008 (14 Jan 2008)

    3. The 10 deadly sins of Information Security management (31 October 2007)

    4. Portable wireless hacking device (9 Feb 2007)

    5. HSBC new two-factor authentication system (7 September 2007)

    6. Data Protection Act - What's the Damage? (20 September 2007)

    7. RFID Passports (6 Jan 2008)

    8. Incident definition and response (11 January 2007)

    9. Use of Skype (28 March 2007)

    10. More on PCI - the audit guide (24 March 2007)

    Ironically, those entries where I personally think I've hit the sweet spot and I sit by the phone waiting for the book-deal and television show hosting offers to come in don't do as well as the entries that are more "off-the-cuff."

    Your comments and feedback are always welcome.


    May 2, 2008

    Web scam suicide

    Those who fall for spam based scams such as the Nigerian 419 emails or fake lottery wins make themselves easy targets for ridicule from those wise enough to be "in the know." However, there is a deadly serious side because many of the scams appear to be very plausible on first read, people do fall victim, and lives do get ruined as a result.

    No better example than that reported by the BBC today. Read the full, tragic story here of how a university student killed herself after giving "more than £6,000 in the belief she had won half a million pounds in a lottery after being contacted over the internet."

    Some people are vulnerable to scams because of their circumstances, not because they are overly gullible or stupid. If the scam is plausible enough and catches us at the right time in the right circumstances then any of us could get taken in. So, we need to remain vigilant to spam and we need to continue our warnings and security awareness messages.


    May 6, 2008

    Microsoft Senior PC - not just for the elderly

    My mother-in-law is, to give her some credit, an intelligent lady. However, face her with an upgrade from Windows XP to Vista and from IE6 to IE7 and you have a situation akin to explaining quadratic equations to a two year old. Both circumstances will result in heavy objects being thrown around in frustration.

    So, the idea of Microsoft to provide a range of "Senior PC packages" is, in my mind, borderline genius and something I wish I had thought of first. Computer Weekly mock the idea in this week's magazine, something I think is very unfair given that I'm sure some of their editorial team are getting on a bit and would probably be able to make good use of the built-in prescription software...

    If home computing can be made as easy as taking the PC out of the box, plugging it in and turning it on (not a word from the Mac users please - I know you've been able to do this for years) then that's to be encouraged for everyone, not just the elderly. And if it stops the "support" calls from my mother-in-law then that's priceless!

    May 14, 2008

    Impact Factory

    I spent yesterday in the company of Jo Ellen Gryzyb and Doug Osbourne of Impact Factory on their excellent presentation skills course. The course was a revelation: rather than being a critique of any bad habits, the course focuses on existing strengths and provides a number of tools for making best use of them. I know that the next time I stand up in front of an audience I'll be able to talk with a lot more confidence and to far greater effect.

    Good presentation skills are an important and valuable asset. Selling the benefits of an information security program or project can be challenging so it's good to be armed with a good set of techniques for getting across the right messages regardless of audience or the amount of time available.

    May 19, 2008

    Vista (in)security - It's all your fault

    Windows Vista is, apparently, less secure than Windows 2000. An analysis of threat data collected over a six month period by security software developer PC Tools suggests that despite a bottom-up code rewrite and the uber-annoying User Account Control feature, Vista isn't doing as good a job as some of its predecessors in keeping hackers at bay. By PC Tools' calculations, based on analysis of 1.4 million computers which accessed its online ThreatFire community, 639 unique threats were found for each 1,000 Vista machines. For Windows 2000, the figure was 586, while for Windows 2003, it was 478.

    The response from Microsoft to this news is that "in some cases it's the user and their lack of knowledge and their implicit "it-won't-happen-to-me" complacency." Michael Kleef goes on to say that we need to do more to educate users about security. "If I, despite all prompting and consent behaviour, choose to go to a (probably dodgy) website, accept the ActiveX control prompts to download (probably dodgy) code and I actually choose to execute that code then I'm hosed" he says.

    I disagree with Michael. Vista is far too complex for most home users. I'm willing to bet that few people really understand the implications of most of the security settings or security related messages they are bombarded with over the course of a browsing session.

    I don't doubt Michael's statement that "Vista's actual vulnerabilities are significantly less than Windows 2000" but if the operating system is more vulnerable because people using it are more likely to allow malicious code to execute then nothing good has been accomplished. It's a bit like driving a car which, every time you try to accelerate, asks you "are you sure you want to go faster?" Sure I do, if only I can switch off the annoying message - now, what did it say?

    May 20, 2008

    MySpace, fake profiles, and Internet surveillance

    American prosecutors have, in the past week, indicted a 49 year old woman on conspiracy and hacking charges for creating a fake MySpace account. In this particular instance the woman's motives for creating the account were to torment a 13 year old neighbour allegedly leading to her subsequent suicide.

    Motive and deed aside - and we can all have an opinion on that - the prosecution is based on "three counts of unauthorized access by violation of MySpace's terms of service and one count of conspiracy." In other words, "criminally accessing MySpace." Read the SecurityFocus article here.

    This raises important questions. Some of them here from Bill Thomson, a journalist for the BBC.

    We need to be careful that the US legal system, desperate to prosecute someone over the tragic death of a young girl, does not end up establishing a precedent that leads us all to censor ourselves online, just in case.

    As Bill mentions, there should be nothing wrong in creating a fake online profile. It's the motive behind the act that's important. We are becoming ever more supervised and watched in our online behaviour and good intentions can be misinterpreted, "it creates a degree of uncertainty and may, because of that (prosecution), have a chilling effect on what we do online."

    The same is true of the new law reported here on Computer Weekly "that will mean communications companies will have to keep logs of internet usage and make this information available to the police."

    Does this mean that every intent to prosecute an individual will see investigators trawling through web logs looking for new ways to indict somebody? Hey gov, we can't get him for murder but he did post an anonymous comment to a Computer Weekly blog. Gotcha!

    It's the way we're going and we're getting there because nobody is making a big fuss and complaining about it. That's why there's a CCTV camera every few yards, it's why the BBC and DVLA can push their sinister "we know who you are" commercials warning those who dare not pay their TV licence fee and road tax. Soon it'll be British Telecom advertising that they know all about your online behaviour...

    Bill Thomson, in his article, mentions "In Nineteen Eighty-Four Winston Smith is afraid of the telescreen not because he is being watched constantly but because he might be being watched at any particular moment." It's a good analogy to where we're going.


    May 21, 2008

    Leaving on a jet plane...

    As you read this blog, I will be reclining my seat on an aircraft flying off towards the far east where I'm spending the next few weeks visiting various of my company's business units and the security managers who report back to me within that region.

    One of the big attractions when I applied for my job was the prospects for travel and I still get excited about exploring new places.

    I'll be posting blogs from my hotel room(s) for the duration.

    May 23, 2008

    Infosec Japan

    [Image: infosecjapan.jpg - the main seminar theatre]

    I spent some time yesterday with the event director of another of my company's exhibition events: the Japanese Information Security Expo. This show exceeds Infosec Europe in scale, getting well over 100 thousand visitors over three days and covering a vast amount of floor space.

    The seminar programme this year had a heavy focus on internal controls and web security with topics including dealing with information leaks, document security, forensics, and identity management.

    The picture of the main seminar theatre above gives some indication of the scale of the event.

    I was discussing with one of my local colleagues here in Tokyo the reasons why some major vendors were noticeable in their absence from the exhibitor list. His opinion was that many international companies, on first arriving in Japan, focus on and prioritise recruiting English speaking employees without much attention as to whether those people understand the business or market they are being brought into. What is clear is that the European or American ways of doing business do not always translate very well to the Japanese way, and that an understanding of local culture is essential for success.

    My visit to Tokyo is all too brief. I have some sightseeing time over the weekend before heading off to the next stop on my tour: see you in Shanghai!

    May 28, 2008

    New doubts raised on Chinook crash ruling

    My first career was as an airman in the Royal Air Force. It was a lowly position working in flight operations. I had no real connection to the Chinooks but I did enjoy the occasional flight with one of the squadrons based in Germany and I recall the absolute professionalism of the aircrew.

    I've been following this story reported today in CW with interest, and wanted to blog a couple of points. Software does fail and it's not unheard of for aircraft accidents to have a software problem as one of the factors. Does the fault for the accident lie with the computer or the pilot? Neither in my opinion. If fault is to be pinned on anybody, pin it on the system designers or the people who have responsibility for testing the systems, or the management that allows faulty systems to be put into service.

    Don't pin it on the poor souls lumbered with having to learn how to work around problems. At the end of the day, computers don't commit crimes, computers don't crash aircraft. There are human factors every time. Don't blame the pilots. I never met a reckless one - they all want to get home for their supper.


    May 29, 2008

    Where in the world

    [Image: CIMG2261.JPG - the view from my hotel room]

    Can anyone guess, from looking at the picture on the right, where I am today? This is the view from my hotel room. As a clue, I'm still in China, about a three hour flight south of Beijing.

    I discovered yesterday that "fasten seatbelts" on an Air China aircraft is a euphemism for "walk around carrying food and drinks, occasionally spilling them onto the Englishman, and anyway what use is a seatbelt if we hit the ground at 500mph."

    Actually, in fairness the service was good and onboard food not too bad either. Flight out of Beijing was delayed and it always amuses me to hear people complaining to the staff. It's as if they expect a response along the lines of "Oh, so sorry to hear your complaint. I'll just have a word with the pilot and get him to bring the departure time forward for you. I'm sure that'll be fine."

    May 31, 2008

    Top blogs

    Time for an end of month round up of the most read of my blogs during May. They are:

    1. MySpace, Fake Profiles, & Internet Surveillance 

    2. Peter Gabriel Web Server Stolen

    3. Data Loss Epidemic

    4. HSBC lose a server

    5. Vista (in)security - it's all your fault

    Thanks to all those of you providing feedback both online and offline.


    June 2, 2008

    One night in Bangkok

    [Image: CIMG2469.JPG - the traffic queue outside the office block]

    The latest installment in my grand tour of South East Asia is from Bangkok where I've been spending time with a part of the business that organises some very successful exhibitions within Thailand and Vietnam.

    The photograph is of the traffic queue outside the office block. I was able to bypass the traffic by making use of a river taxi and then connecting with the excellent (and, thankfully, air conditioned) Bangkok Skytrain.

    A recurring theme of this trip is my being introduced as the "IT Security Director." I've been quick to allay any expectations that I'm only interested in IT related aspects of security and that my role and interests cover the full scope of information security. This has ensured that I've also had an audience with those responsible for HR, marketing, project management, and finance.

    Without going into specifics, the biggest risks encountered during this trip to date have been where control of data is outside of company networks. However, that isn't by any means something unique to this part of the world. In fact, I've been very pleased with the effort that has gone into security in most of the locations I've been to. What I have encountered that is different to what is often found in the UK is a pride in getting the job done properly regardless of how menial or unimportant it might seem to be.

    Next stop is my favorite place in the world: Hong Kong. See you there!

    June 6, 2008

    HSBC in the news yet again

    Two more data breach incidents affecting HSBC. "Personal information" in Canada, and "credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers" in the UK. Full details here.

    June 9, 2008

    Hairdressing and security reports

    That's just about the end of my gallivanting around South-East Asia. In fact, as I write this blog I'm sitting in a hotel room in damp and chilly Sydney, Australia recovering from attending the Hair Expo Gala Night! Hair Expo is one of my organisation's more glamorous events and the gala was billed as being "the place to be seen." While I admittedly don't get too excited about hairdressing, one has to admit that it certainly attracts a more glamorous crowd than Infosec - especially as last night's event had Tim Hartley, a hairdressing phenomenon and one of the most influential stylists of his generation, as the guest star.

    By the time you read this I'll be well into my journey home, stopping off in Singapore on the way. It will then just be left for me to write up a report for my management on the observations and recommendations from my business unit visits. This is no easy task: one has to be careful not to overstate risk and, conversely, not ignore it. We need to keep the focus on what's important to the business: money!

    I expect that some of my report will prove to be contentious. I'm not averse to sticking my neck out and management expect an honest appraisal. I'd much prefer to bring a difficult subject out into the open for discussion than leave potential risk simmering in an unattended pot.

    Insect security

    I've read some rubbish in my time, and probably even been responsible for writing some, however does this qualify as the biggest load of security bullshit of all? "I find the most surprising security wisdom in the insect world... It's common to find insect countermeasures that are non-obvious, but nonetheless effective... When two-spotted spider mites attack them, the plants emit a chemical distress signal... Yes, the plants have evolved to call in air strikes against their attackers."

    And the pseud guilty of this pompous and pretentious claptrap is... none other than the highly respected but clearly mad Bruce Schneier! Read the complete interview - if you can bear to - in CSO Online here. "...thinking rationally and making intelligent trade-offs. That's what separates us from the rest of the animals. We can override our fear, our fight-or-flight mentality. We can reason. We can think."

    Yes, quite. Steady now.

    June 17, 2008

    McKinnon: my two cents worth

    I can't make up my mind about Gary McKinnon. On the one hand he's portrayed by the US authorities as a serious threat to national security, on the other he sells himself as a curious but benign hacker seeking information about UFOs.

    Now we hear that he broke into more than 73,000 US government computers, including those of the US Army, Navy and Nasa, and deleted critical data.

    The indictment claims that McKinnon caused a network in the Washington D.C. area to shut down, resulting in the total loss of Internet access and e-mail service to approximately 2000 users for three days. The estimated loss to the various military organizations, NASA and the private businesses is approximately $900,000.

    The fact that the American systems were apparently so easy for a hacker to penetrate and damage doesn't seem to have been raised as an issue but that's not so important as the fact that there is no reason why the authorities should believe his stories about searching for evidence of anti-gravity propulsion systems and extraterrestrial technology (among other things he claims to have seen pictures of alien spacecraft on a Nasa system as cited here). So far as they are concerned, an unauthorised individual hacked and damaged a military system. In the mind of the average paranoid Yank, he may just as well have set about burning the Stars and Stripes on the steps of the Supreme Court.

    I was reading an interview that McKinnon gave to Jon Ronson of The Guardian back in 2005. I think that Ronson sums up very nicely when he states: he is indeed a complete idiot.

    Let the courts decide. We've got more interesting and important things to be concerned about. 

    Arrested for blogging

    64 bloggers have been arrested in various parts of the world since 2003. A new report reveals that the majority of incidents took place in the Middle East and Asia with some in North America and Western Europe.

    In China and Egypt arrests were for things such as taking part in a protest against constitutional amendments or for writing about human rights. Here in the UK a blogger was arrested for incitement of racial hatred while in the USA one blogger was arrested for videotaping a burning police car and another for terrorism.

    Never before has it been so easy to publish thoughts and opinions, and I suppose consequently more individuals will be publishing words considered to be offensive or constituting a crime. 

    I hope there will continue to be brave individuals speaking out for human rights just as much as I hope that our own government will continue to come down hard on prejudice and racial hatred. I think the balance is right in this country.

    Read the BBC story on the subject here.

    June 23, 2008

    Internet coffee machine hacked

    Given all the world's problems: famine, disease, war and so on, thank goodness somebody has come up with the answer to it all. Yes, finally, a coffee machine that can be connected to the Internet. Phew, and there I was thinking that we were all goners.

    Of course, life's not quite so easy because no sooner have we plugged the damned thing in than somebody comes along and hacks it. So, while an espresso might be just what you need, chances are you'll be lumbered with a tall latte and bang goes another war in the middle east.

    I won't be buying a Jura F09. I'm happy enough with my low tech kettle. Call me old fashioned.

    July 2, 2008

    Be careful what you wish for

    A friend of mine is, what I would refer to as, a C list rock star. He's fairly well known in music circles, has released a couple of albums, gets invited to award ceremonies but you're unlikely to see him on a magazine cover. For starters, he's far too ugly. Neither is he rich enough: when his band plays a gig he usually takes the bus to get there.

    A few years ago I was invited backstage by him following a concert where his band opened up for another at the NEC in Birmingham. Imagine my disappointment when instead of the groupies, free drink, and all night party that I had visualized, there was the backstage equivalent of a creche where various children could be kept entertained while their parents had their allotted 90 minutes of stage time. More Mormon baptism than Roman orgy.

    More recently my friend has been bemoaning his lot in life saying that he has lost interest in playing music. "But it's what you always wanted to do" I said. "True, but we should be careful what we wish for" he replied.

    What's all that got to do with security and risk? Admittedly not a lot but then today I was expecting to be able to write about an exciting presentation I attended on how ITIL version 3 can make security governance easier, better, faster, and more integrated with the business. Some chance!

    In reality it was the least engaging presentation I've ever attended. I recall that the second slide (of about 458) was headed "Be careful what you wish for" and another slide contained the following dead lump of text: "It will require the ability to conceptualize, delineate, and design the risk relevant parts of a business service." The presenter, who may just as well have been a pre-recorded voice-over to go with the slide-deck, also mentioned his "hot buttons" and used the word "architecture" so many times I thought he had a tic.

    So, I have wasted a day because of ITIL. I have a sneaking suspicion that many more days have been wasted - and are being wasted across the land - because of it. But that's another story altogether.

    July 8, 2008

    Larry David and Web Application Firewalls

    [Image: ld.jpg - Larry David]

    I'm a big fan of Curb Your Enthusiasm. If you've not encountered this excellent sitcom, it's about Larry David (left), the co-creator of Seinfeld, who plays himself as he goes about his everyday life with his wife, Cheryl. Larry has a way of saying the things most of us would like to say but which would be deemed too socially unacceptable. For instance, on one occasion he orders a drink in Starbucks:

    Larry: This is very good, by the way. Thank you. Is this a cafe latte? What is that? Milk..
    Starbucks employee: Milk, uh..
    Larry: Milk and coffee.
    Starbucks employee: Milk and coffee, yeah.
    Larry: Milk and coffee! Who would've thought? Milk and coffee!
    Cheryl: You know, we need to go now.
    Larry: Oh my god, what a drink! It's milk and coffee mixed together! You've gotta go there! Sit down, have a doughnut! Have a bagel!

    I've been accused of being a bit like Larry. I don't think so. For starters I'm not in the slightest bit wealthy, neither am I American. However, I might say things you won't necessarily agree with. For example on web application security I said "we should take a different approach....stick a ruddy great application firewall in front of everything."  Somebody responded to that one saying "It's like recommending Advil for diabetes" and called me insane. Somebody else told me I was "plain mad." (see here).

    However, I am not alone in voicing reasons to be using the technology.

    To address identified issues quickly Web application firewall (WAF) technology is getting a serious look. Recent technology advancements enable vulnerability assessment results to pipe straight into a WAF as virtual patches.

    This approach lets us mitigate the problem now giving us breathing room to fix the code when time and budget allow.

    The quote above is from an article published this week in CSO Online, written by Jeremiah Grossman. Jeremiah also talks about WAFs over on his excellent blog and goes into more detail about their purpose and limitations. For example:

    WAFs don't defend against every logic flaw, or even every crazy form of SQLi or XSS. Just as white/black box scanners can't identify every vulnerability and neither can expert pen-testers or source code auditors.

    Back to the CSO article where the point is made that we are sitting on a huge legacy of insecure code and that "we can't rewrite history." So, the argument is that a web application firewall mitigates the risk - note: does not solve the problem - until the code can be replaced.

    How much of the risk is mitigated is open to debate, but there are lots of other things to consider too. For instance the cost of redeveloping code against the cost of purchasing and supporting a WAF. We also need to consider the value and risk profile of the product.
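To make the "virtual patch" idea concrete, here is an added example, written for this post and not taken from Grossman's article or from any WAF product, of its simplest form: each finding from a vulnerability assessment becomes a positive-validation rule for one parameter on one path, enforced in front of the application while the code waits for a proper fix. The paths, parameter names, finding labels and sample requests are all constructed. The last two checks in the usage note illustrate the limitation Jeremiah raises: a request whose values are perfectly well-formed but abuse a logic flaw (a valid product id belonging to another customer) passes straight through, and parameters no finding covers are not inspected at all.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class VirtualPatch:
    """One rule derived from an assessment finding: constrain a single parameter.

    `allowed` is a positive pattern the whole value must match; anything else is
    rejected. Allow-listing a known-good shape is far narrower than trying to
    enumerate bad payloads.
    """
    path: str
    param: str
    allowed: re.Pattern
    finding: str  # constructed label tying the rule back to the scanner report


# Constructed findings: an integer id that was injectable, and a free-text search
# box that reflected its input unescaped.
PATCHES = [
    VirtualPatch("/product", "id", re.compile(r"[0-9]{1,9}"), "FINDING-001 SQLi in id"),
    VirtualPatch("/search", "q", re.compile(r"[A-Za-z0-9 ]{0,64}"), "FINDING-002 reflected XSS in q"),
]


def inspect(url, patches=PATCHES):
    """Decide whether a request may reach the application.

    Returns (allowed, reason). Only parameters named in a patch for the request's
    path are examined; everything else is passed through untouched.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for patch in patches:
        if patch.path != parts.path:
            continue
        for value in params.get(patch.param, []):
            if patch.allowed.fullmatch(value) is None:
                return False, f"blocked by {patch.finding}: {patch.param}={value!r}"
    return True, "pass"


if __name__ == "__main__":
    # Constructed sample requests, as a WAF log would show them.
    for sample in (
        "/product?id=42",
        "/product?id=42' OR '1'='1",
        "/search?q=latte",
        "/search?q=<script>alert(1)</script>",
        "/product?id=43",            # well-formed, but another customer's product
        "/product?id=7&debug=on",    # 'debug' has no finding, so it is not inspected
    ):
        allowed, reason = inspect(sample)
        print(f"{'ALLOW' if allowed else 'BLOCK'} {sample} ({reason})")
```

The rule set is the thing to keep small and traceable: every entry names the finding it came from, so when the code is eventually fixed the corresponding patch can be retired rather than accumulating as permanent, unexplained filtering.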

    Anyway, back to Larry David and his views on being invited to a dinner party:

    Larry: What is this compulsion to have people over at your house and serve them food and talk to them?

    July 15, 2008

    More on China - Fame and Glory?

    An article on the subject of Chinese hackers from Bruce Schneier here.

    Bruce makes a case that the hackers are not being sponsored by their government but are, in fact, in this for two reasons: fame and glory, and an attempt to make a living. The fame and glory comes from their nationalistic goals. Some of these hackers are heroes in China. They're upholding the country's honor against both anti-Chinese forces like the pro-Tibet movement and larger forces like the United States.

    He goes on to state " I also hope that the U.S. government recognizes that these groups are not acting under the direction of the Chinese military... "

    I'm wondering where Bruce went to do his research for this article. No references are cited so one can only presume it's all opinion rather than fact. I don't really buy the "fame and glory" approach. 

    Surely Bruce's newly pandering approach to the Chinese - given his previous publication of stories suggesting the complete opposite such as this and this - has nothing to do with his parent company's (British Telecom) investment hopes for China and their deal to "provide communications service with China Netcom for the 2008 Beijing Olympic Games" as reported here. How could anyone suggest such a thing?


    July 30, 2008

    McKinnon - fair enough?

    I was less than complimentary about Gary McKinnon on this blog a short while ago and I've not changed my opinion. For obvious reasons, I have little sympathy for hackers regardless of their motives.  So I'll not be shedding any tears over his extradition. However, does the punishment really fit the crime? I'm not going to make this blog a place for political debate however a friend of mine, who through his contacts has become a personal acquaintance of McKinnon, emailed me earlier on Wednesday with the following message, and I thought it interesting enough to share with you.

    ====================================================================

    Was what Gary did against UK law at the time of the offence? No - but uniquely in IT you are potentially committing a simultaneous crime in all countries, and subject to their laws? This is like me committing adultery in the UK, and being stoned in Jeddah (see more of this down further). How can this make sense - surely for an international crime you need an international law enforcement agency.

      Particularly when all this does is highlight the fact that the UK does not have the funding, expertise or will to pursue electronic crime; this furthers the case for immediate funding for the e-crime unit, but embarrasses the UK as a thieves' haven that is ongoing today. Labour Government support for anti-e-crime, and knowledge in this area is pitiful, with the notable exception of David Blunkett who has a true interest and sensible perspective in this area, and David Cameron's initial support for Gary McKinnon seems to have waned when it appeared that he was getting dangerously close to a policy. How anyone can sleep at night having extradited someone to face trial from a body that has openly threatened to execute him is beyond belief; and against both European and UK constitutions..... He is our criminal, why don't we have the balls to prosecute him. Bear in mind that being unable to work or to contribute to society in any meaningful way means that he has already served 6 years - let's hope that this is factored in when they decide on the sentence. And let's not even get into the asymmetry of the extradition treaty - it is the finest example of kowtowing to the US I have ever seen; special friendship? More like grooming.

    I think it is apposite that today the House of Lords rule that using bribery to win defence contracts in Saudi is fine - some joined up thinking there from a body that we used to think made sensible decisions - we can certainly sell arms to the most volatile area in the world, where terrorist atrocities are committed and terrorists originate; might this not have been a better area to concentrate the 'counter-terror' activities.

    And what about the chap from NZ who just got fined 5000 for doing the same thing? Bizarre.

    ==================================================================


    August 6, 2008

    Anyone still think RFID passports are a good idea?

    Sometimes the most unlikely of my musings on this blog become big hits instantly attracting hundreds of page views, while others that I'll sit up considering into the early hours fail to draw the attention. Ironically, one of the most read of my postings is one I slung together in a few minutes back in January on the theme of RFID passports (see here).

    The latest news as reported in today's Times about the vulnerabilities present in the e-Passport is a continuation of the story. While we were previously concerned about the chips being read from a distance, the attention is now focused on the apparent simplicity of hacking the chip itself.

    The risk of course is that an individual, a terrorist perhaps, could fool the system and pass himself off as somebody else.

    Steve Boggan of The Times does a great job of exposing the flaws. The question is not whether the new passports are better than the old ones, or whether the risk of forgery is reduced to a level where it's considered to be acceptable, but whether or not the technology being used is fit for purpose. In my opinion, if it's delivered with easy to find flaws then it isn't.

    Of course, the passport is one of many layers of security that travellers are subjected to, but it is the most fundamental. It's also not used solely for travel purposes. Here in the UK, with our lack of a national id card it's also a commonly requested proof of identity.

    Criminals, terrorists and the like will be quick to learn how to make the most of vulnerabilities in any technology they can exploit to hide their true identity. So, it's essential the flaws are addressed and fixed. The Times article goes on to state that the Home Office has yet to see evidence of someone being able to manipulate data in an e-passport. This most probably means that they have yet to catch somebody doing it, rather than that it hasn't been done.

    August 29, 2008

    Surfing Safer

    An acquaintance is one of a team developing a new website - Surfing Safer - providing practical advice on security to home and business users.

    It promises to be a useful companion to sites such as GetSafeOnline. For instance, where that one recommends you use a firewall, Surfing Safer will provide product reviews on which ones are best to use, written by people with experience of using them.

    Visit the new website here: www.surfingsafer.com
    August 31, 2008

    Man's 'pants' password is changed

    A bank that not only refuses to allow customers to have passwords deemed unacceptable but, more worryingly, allows its employees to view customer passwords and change them seemingly at a whim. Read about it on the BBC website here.

    "Lloyds TSB stressed there was no security lapse in this case"

    So, an unauthorised alteration to a customer password is not a security lapse?

    September 4, 2008

    M&S 'whistleblower' gets the sack

    A worker at Marks & Spencer (M&S) has been sacked after telling the media that the company planned to cut redundancy pay to staff.

    See http://news.bbc.co.uk/1/hi/business/7595969.stm

    According to The Times today, Brendan Barber, General Secretary of the TUC, said that the decision was "truly shocking that an employee can be dismissed for exposing underhand and secretive decisions about issues that will directly affect staff in his workplace."

    That's not the point. Whether or not M&S are doing the right thing by their employees is not the issue. From my perspective the individual was sacked for gross misconduct: he exposed company confidential information to an unauthorised third party. The action was calculated and designed to cause trouble.

    We all have an axe to grind from time to time, but if you deliberately drop your employer in the muck because of it then that makes your position untenable. M&S have done the right thing.

    September 5, 2008

    What is the job of information security?

    In one particular episode of Black Books - a great sitcom starring Bill Bailey and Dylan Moran - Fran starts a new job. After her first day in the office she reports back that "All I know about my job is that there are biscuits in the stationery cupboard!"

    I think we've all had that sort of day where we've gone home and wondered exactly what it is that we do. This, I believe, is particularly common amongst information security professionals. The reason is because everyone seems to have a different perception of what the job is all about.

    Take, for instance, Nitesh Dhanjani who says (quoted from Taosecurity) that the job of information security is to make it harder for people to do wrong things. That's definitely a better definition than the usual definitions stating that the job is to protect assets, mitigate risks blah blah blah...yes we know. Thank you very much. Mine's black with one sugar please.

    Personally, while I like Nitesh's definition I think it's wrong. The job of information security should be to make it easier for people to do the right things. But it isn't. A lot of the time the job is to protect the organisation from people who do stupid or illegal things.

    The job could also be simply stated as being to protect revenue. That's a much more emotive approach to take. However, nobody will believe you because the screensaver on their desktop has just activated and they can't find the piece of paper they wrote their password down on. So, in fact, in the eyes of the sales and marketing folk, your job is to prevent them from doing their jobs.

    In reality the job is a balancing act between working to prioritise what can be done against what you would like to have done, what you have time to do, and what your management want you to do.

    We shouldn't get too hung up on it all though. In the words of the late, great Harold Bennett - better known as The Young Mr. Grace in "Are You Being Served?": "You're all doing very well...."

    September 7, 2008

    EDS lose hard-drive with prison employee data

    There's something quite sleazy and nasty about the way that this latest data loss story has hit the news. A portable hard-drive has gone missing from the offices of EDS. On that drive are personal details of 5000 people including prison staff. The drive went missing about a year ago but the loss has only just been discovered. A whistle-blower at EDS has obviously seen an opportunity to make a few quid on the side by reporting this tale to the News of The World.

    The predictable cries of indignation once again hit the airwaves, and various officials and politicians are all quick to get in on the act: "When was this incompetent government planning to own up to another data disaster..?" froths the Shadow Justice Secretary, Nick Herbert (see link).

    Let the witch-hunt commence!

    This is not the first time that EDS have been implicated in a serious data loss: the Burton Report into the loss of unencrypted MOD data has them as one of the central players. Ironically, their own website has an article about the importance of securing data off-site: "The encryption of all data that is moved off-site is crucial, but should be mandatory for portable end-user devices such as laptops and PDAs, as well as all removable media."

    I notice there are quite a few 500GB USB hard-drives going cheap on eBay. Maybe somebody from the government should start buying them up...just in case....

    October 9, 2008

    Open University course on forensics

    Only a couple of weeks to go until I commence a new course through the Open University entitled Computer Forensics and Investigations. You can read more about what this course offers online here: http://www3.open.ac.uk/courses/bin/p12.dll?C01M889.

    While the course will not make me an expert on the subject, it should be a good primer for further work, and give me some extra capability within my own organisation.

    The Open University is an excellent way to gain new qualifications and I'd recommend it to anyone who can muster up the commitment to study in their own personal time.
    October 10, 2008

    EDS again

    Today EDS stands for Even more Data Stolen, or maybe Encrypt Data, Stupid!

    See http://news.bbc.co.uk/1/hi/uk/7662604.stm

    An investigation is under way into the disappearance of a computer hard drive containing the personal details of about 100,000 of the Armed Forces.

    The information was being held by EDS, which is the Ministry of Defence's main IT contractor.

    The MoD said the portable hard drive went missing on Wednesday during a priority audit carried out by EDS....It is understood the drive was not encrypted.

    As Oscar Wilde might have said, "To lose one unencrypted disk may be regarded as a misfortune; to lose two looks like carelessness" or something like that...

    October 14, 2008

    Deliveries by the pound and rough justice for McKinnon

    A few days ago a British market trader was convicted of selling her goods in pounds and ounces rather than kilos and grams. For this crime she received a £5000 fine and was told she would have a criminal record after being found guilty of eight offences under the Weights and Measures Act (see here).

    Phew. Thank goodness for that. We can all sleep soundly in our beds safe in the knowledge that we reside in a country where a market trader trying to make a living by selling carrots by the pound can receive a stiffer criminal penalty than a drunk driver or a burglar. I wonder if that's why the midwife who helped deliver my newborn son at the weekend gave us his weight in kilos and grams: maybe fearful that some bureaucrat would be listening in, shackles at the ready, dare she give us the imperial truth rather than the metric confusion. My son, by the way, named Andrew, was delivered a very healthy 8lbs 3ozs. See picture! Mother and son both doing well...

    So, to the point of this blog, being the justice about to be meted out to Gary McKinnon and his failure to prevent extradition. I previously declared a lack of sympathy but I've changed my mind. Enough's enough. The energy and resources being put into dragging this hapless chap over to America for a pointless trial are ridiculous. There'll be plenty of people out there happy to justify the consequences and punishments for his actions that the Americans seem so keen to dish out, but I thought we stopped burning witches centuries ago and this is a witch hunt if ever I saw one. He did something wrong, he admitted it, he's been living in hell for the past few years as a consequence, he has no job, no money and an uncertain future. Personally I think that's more than enough persecution for now. Don't you?

    October 18, 2008

    Threat reports threats to credibility

    What do you think the outcome would be if you put security experts from Symantec, McAfee, ISS, Secure Computing, and SPI Dynamics into the same room and asked them each what they'd like to see written into a report telling the world what the latest Cyber Security Threats are? The result is the GTISC Cyber Threats Report, a report with about as much credibility as if they'd held a seance or read palms in order to decide what to write.

    Oh look, just by coincidence between them all the experts present sell solutions for most of the problems being described. Now there's a thing!

    The report has also been picked up by the BBC who see fit to publish this piece of FUD for consumption by the general public.

    The industry is full of threat reports, statistics, white papers and experts galore employed by vendors to tell us what the threats are and what we need to be doing about them. "Buy more stuff - preferably our stuff. If you don't buy our stuff then don't be surprised to find you're stuffed!" The difficulty is not in deciphering what all this information is telling us but what it is not telling us. A salesman is hardly going to be telling you what his product doesn't do.

    Expert opinion such as that presented by the GTISC Cyber Threats Report is a waste of ink and paper. Want a decent opinion on what's important in security? Here are a few links for you:

    IT Security: The view from here http://robnewby.blogspot.com/

    Mike Rothman's Security Incite: http://securityincite.com/blog/mike-rothman/

    Jeremiah Grossman: http://jeremiahgrossman.blogspot.com/

    Info Security Advisor: http://www.infosecurityadvisor.com/general_blog

    David Lacey: http://www.computerweekly.com/blogs/david_lacey/
    October 22, 2008

    Microsoft "biggest hacker in China"

    From the People's Daily Online...

    Software giant Microsoft has sparked a major controversy among millions of Chinese computer users with the nationwide launch yesterday of its "Screen Blackout" anti-piracy program.

    Dong Zhengwei, 35, a Beijing lawyer, described Microsoft "as the biggest hacker in China with its intrusion into users' computer systems without their agreement or any judicial authority".

    Dong, who filed a complaint with the Ministry of Public Security on Sunday, told China Daily yesterday: "Microsoft's measure will cause serious functional damage to users' computers and, according to China's Criminal Law, the company can stand accused of breaching and hacking into computer systems of Chinese."

    Dong's argument is that Microsoft should "target producers and sellers of fake software, not users." Sort of akin to a defense of "I knew the car was stolen, but as I didn't actually do the stealing I should still be allowed to drive it."

    Ironically, Dong doesn't seem to be up to date on the latest Chinese legislation. In Shenzhen, the regional government has just passed a new law stating that companies have the right to protect the copyright of their software. For example, they can adopt protection functions such as encryption software communication protocols, software installation licenses, software registration certificates and digital watermarkings. Any person who issues these certifications without authorization; who breaks or counterfeits the software communications protocol; who breaks the digital watermarking; and who avoids or breaks the anti-piracy technology and equipment of software will be punished with a fine of CNY30,000 to CNY70,000.

    October 25, 2008

    Petition to keep the Vulcan flying

    The Vulcan is a piece of British history: to see it flying again at the Farnborough airshow this year was a fantastic and awe-inspiring sight.

    The aircraft cost £7 million to restore; however, keeping it flight-worthy requires a continual flow of cash, so the team behind it are petitioning the government to cover operational costs.

    This aircraft is a work of art and as much a piece of British heritage as any static display hanging on a wall in a museum. So, what we can all do is head over to http://petitions.number10.gov.uk/vulcan-XH558/#detail and sign the petition. It'll cost you nothing except 15 seconds of your time.

    For more information go to http://www.tvoc.co.uk/
    October 27, 2008

    Airports and committees

    My journey to America yesterday began with my tube of shaving cream being confiscated at Heathrow Airport for being 50ml too large. The maximum "safe" size is 100ml. Any larger than that and apparently there's a danger that it might explode. How ridiculous. If I'd had two 100ml tubes then that would have been OK. Security at the American side was just as daft. A customs officer asked me if I was carrying any foodstuffs. I replied no, only to realise a little later that in fact I had a packet of Hula Hoops and a Battenberg slice in my shoulder bag. I suppose my online confession could make me a marked man. Of course, they won't find me because they'll be looking for somebody clean-shaven.

    Good service from British Airways on the way across. I've complained in the past but when you've spent time travelling on some other international airlines you re-appreciate how good BA are.

    I'm in America for one of the regular security committee meetings that the parent company of the organisation I work for holds. The topics on the agenda will not surprise anybody reading this blog: PCI compliance, patching, web security and so on. The purpose of the meetings is to define corporate policies and approaches to problems common to each of the global divisions within the organisation. It's also my opportunity to ensure that the global division that I represent has input and voice when the policies are being decided. Personally I don't believe that security policies should be decided by democratic committee - I think strong leadership and authority is required. I know that lots of time will be wasted over the next few days arguing over minor points of language and off-topic trivia. As somebody once famously said "A committee is a body that keeps minutes and wastes hours."

    At least I get a few days in the sunshine of Tampa while I'm here, so I shouldn't moan too much lest they don't invite me back!

    October 28, 2008

    Shoplifting and Shrinkage Protection

    I love second hand book stores: not because I'm too miserly to buy new books but because of the random nature of what you're likely to find and buy. For less than a pound I recently came home with a book entitled "Shoplifting and Shrinkage Protection" by Loren E. Edwards, the first edition of which was published in 1958. There's an interesting chapter entitled Employee Thefts which discusses the motivations behind insider crime. Here are some quotes:

    "Another employee committed acts of fraud to gain the good will of both customers and employees who depended upon her for favours."

    "I merged my identity with that of the company to the extent of thinking what was theirs, was mine."

    "Practically every employee under the previous management was stealing."

    "Correct, complete controls are necessary, but they are no better than supervision which should be disciplinary, but fair."

    Skip forward 50 years and the book appears to still be very relevant in the database age: there's really not much difference between an employee stealing physical goods or stealing a database: the motivations are the same (usually profit or some other advantage) and they both result in losses of items that the company owns. In fact, database theft is sometimes referred to as an equivalent to shoplifting: for instance in this short article here: http://www.sswug.org/columnists/editorial.asp?id=1408.

    Insider theft is a recurring topic of this blog: as I mentioned here, the latest research is that 62% of large businesses in the UK have dealt with a security incident instigated by a current or former employee. That's a lot but we shouldn't be surprised because it's clearly not a new problem. "Employees cause 75% of inventory shrinkage" is one of the more alarming quotes from the above mentioned book.

    The chapter in question closes by stating that "prevention is a logical policy to use in dealing with crime. Punishment and other methods of treatment are, at best, methods of defense. It is futile to take individual after individual out of the situations which produce criminals and permit the situation to remain as they were."

    The word "criminal" is strong and still valid. If an employee is stealing data then that's what they are. It's no different from stealing a box of stuff.

    October 31, 2008

    Fighting Death by PowerPoint

    I like the irony of a 61 slide PowerPoint presentation about how to avoid Death by PowerPoint. Linked here from Colin Beveridge's excellent IT blog at www.colin-beveridge.com

    Death by PowerPoint (SlideShare presentation)

    November 3, 2008

    Gordon Bennett

    The statement from Gordon Brown that "We can't promise that every single item of information will always be safe because mistakes are made by human beings" beggars belief (see article here). It's a ludicrous thing to say. Can you imagine a CEO making a similar statement? This is leadership of the lowest possible calibre - in fact it's not leadership at all in any way, shape or form.

    This is the same prime minister who can take time out to make a statement about the non-issue of some twerp of a TV presenter acting like an idiot (see article here) but backs down on something that's really important. Good grief. Talk about priorities.

    November 6, 2008

    Dreaming of PaaS

    Dreamforce is the snazzy name for Salesforce.com's annual show-and-tell extravaganza. It's a pretty stylish event too: rock bands, parties, and big theatrical presentations. I didn't go but if you're working for an SFDC customer it's difficult not to get caught up in the hype.

    Force.com is the associated development platform. The functionality has now been extended and you can do everything from integrating Salesforce with Facebook to hosting your own websites on the platform itself.

    It's exciting stuff and there's no doubt that the PaaS model has real benefits for businesses that more than ever need to be dynamic, flexible, and quick to market with new products. Where's the catch? It's right here: in all the rush to implement products on the platform you probably forgot some basics, namely the fact that utilising cloud-based services doesn't absolve you of the responsibility for doing a proper job of upfront planning and ensuring that applications you're developing for the new platform still follow the basic tenets of application security.

    A respected figure within the security industry suggested to me a short while ago that he considers PaaS/SaaS products to still be some way short of being fully enterprise ready. I'm ready to disagree with that opinion. I think that you can begin to put more of your eggs into the PaaS basket, but don't get too drawn into thinking about the service provider's security at the expense of forgetting to think of your own: are your Force.com developers trained in secure development practices, how resilient is your own connectivity to the remote services, and in your haste to produce new products after drinking the conference Kool-Aid, did you do the right upfront planning?

    You've got to get to know the platform first and that means learning much more than what you're going to get from attending the conference.

    November 13, 2008

    A question of origin

    My daughter's school (which she has attended for the past two years) has sent a questionnaire for me to complete for their records. They apparently need details of her ethnic origin and first language.

    I've ticked the boxes indicating that she is a Romany/Gypsy with Hindi as her first language. Call me childish but I couldn't resist. However, today there is a message on my answer phone from the school asking if I will call them back to confirm some information.....
    November 24, 2008

    James Bond and Chinese Hackers

    The story in the press alleging that Chinese computer hackers are attempting to gain access to state secrets (see "US Warned of China Cyber Spying") is not new by any means. Newspapers were reporting similar stories well over a year ago (such as this one in the Independent, "State secrets under attack from Chinese hackers") and at the start of 2008 I commented on this blog that it would only be a matter of time before the issue made the mainstream.

    A recent entry on the Dark Visitor blog remarks that "At this point, it may be easier to list the government organizations that haven't been compromised by Chinese hackers."

    Most interesting of all is the article about the Chinese PLA army exercise where malware had a significant impact on the outcome. Apparently "operations were hampered due to a computer virus that left the main attack force without ammunition resupply."

    Commander Li further stated, "Due to patches not being installed, the infecting virus led to the failure of the exercise and this sounded alarm bells for us. When you sharpen your sword, you must not forget to cast your shield."

    Of course, the Chinese are not the only ones at it. Going back to 1999, the Washington Post reported on information warfare against Yugoslavia where "American hackers plundered Yugoslav bank accounts and took other Clancy-esque actions against Slobodan Milosevic's networks and infrastructure..."

    Here in the UK the government also employs its own hacker force, although not overtly tasked with attacking foreign resources. They are, as Computer Weekly reported back in July 2000, "ethical hackers" which is government speak for working for us rather than working for them.

    Hacking is a relatively safe way for all sides to gather intelligence: James Bond can now gather all his information using nothing more than a cheap netbook connected to pay-as-you-go broadband. Much less chance of him meeting his demise hacking into Blofeld's network whilst sipping a Martini in an All Bar One in West London than trying to break into a secret installation somewhere inside a volcano. But obviously much less fun...

    November 28, 2008

    India, outsourcing, and hospitality

    The events in Mumbai are shocking and tragic. The scale of the attack and the apparent singling out of westerners is a wakeup call. Indian outsourcers such as Wipro and Infosys are, according to Information Week, "undaunted." What nonsense. If you're undaunted by an army of terrorists shooting up your city then what does worry you? It's time to be very concerned indeed.

    According to the Wall Street Journal, "overseas clients were likely to put off planned visits to India because of the attacks." Understandable I suppose but then you're forgetting that India has a long history of terrorist attacks and violence with Mumbai having been a victim numerous times in the recent past. The same can be said for many of the other places we outsource to such as the Philippines and Thailand.

    I'm actually travelling to India on business next week. Undaunted? Of course not, I'm very concerned. But the world keeps turning and incidents can happen anywhere. I'll be keeping an eye on the travel advisories, and I'll watch a couple of episodes of 24 over the weekend to learn a few moves but I'm more looking forward to the warm welcome, hospitality and great food I'll be treated to for the couple of days I'm over there.

    The point to make is that few of the so-called guides to risks on outsourcing in India and the Far East explicitly mention considering threats such as terrorism. I suppose it's so far out of scope for what most organisations would have in their risk assessments. Even if business premises themselves are not affected by an incident, subsequent turmoil such as closed airports, lack of communication networks or curfews will have a major impact. Then there might also be the more tragic consequences to consider, such as employees among the casualties.

    I reckon some of those guides are about to be updated.

    Quote of the day:
    Any event, once it has occurred, can be made to appear inevitable by a competent historian. (Lee Simonson)
    December 3, 2008

    New and old frauds

    Interesting story about a fraud targeting American home owners, linked from Securosis.com.

    There are a number of aspects of this story that make it very newsworthy. Firstly, the ease with which criminals made use of publicly available information, including fee-based Web databases, to obtain all the data they needed to perform identity fraud. Secondly, the sophistication of the attack which made use of caller-id spoofing and the transferring of telephone lines. Thirdly, the fact that the banks involved fell for the scam - in spite of increasingly sophisticated analytical controls designed to detect the likelihood of fraud being committed - and transferred hundreds of thousands of dollars to overseas bank accounts.

    For all the sophistication of that fraud, it's interesting to read that some of the old tricks are also still working. A quick search of the LexisNexis database turned up an article published a few months ago detailing a cheque based fraud sounding remarkably similar to that made famous by Frank Abagnale back in the 1960s.

    Two ends of the same scale in terms of sophistication, both with the same outcome, and both worked.
    December 4, 2008

    Americans and travel

    If Americans want to know why they are sometimes less than popular outside of their homeland then they need look no further than the arrogant, super-sized businessman sitting at the table next to mine in a Delhi hotel at breakfast time yesterday morning. He was complaining very loudly about his coffee refill not arriving quickly enough, citing "misconduct" and threatening the responsible waiter with complaints to the management.

    Personally, I found the service to be excellent with the staff providing the sort of customer focused attention that Americans can only hope to aspire to (the Trident Hotel in case you ask). And before you accuse me of being biased against our cousins over the pond, I'll have you know that my wife is American. Fortunately she lacks the case of arrogance many of her fellow country-folk seem to carry around with them when travelling overseas.

    India is the last country I'm visiting at the end of a year that has included trips to locations ranging from Moscow to Tokyo, São Paulo to Vienna. Of the places I've visited for the first time, the one I'd most want to go back to is Buenos Aires. Of the rest, some of my enduring memories will be a late night stroll across Red Square, taking a trip on the Bullet Train, walking around the magnificent royal palace in Bangkok, and today's colourful journeys through the streets of Delhi.

    Everywhere I've been the welcomes have been warm, and the hospitality and generosity wonderful. None more so than my colleague in Tokyo, Yoshi, who treated me to some of the best food I've yet to have the pleasure of eating.

    I was going to end this entry with some narrative about international lessons on information security, but I'll save that and just remark that if the bolshy American at breakfast had a bit more patience and not considered himself to be superior to the waiting staff, he might have learnt from them, as I did, how to make the most of available sightseeing time and the best places to visit. There's also a tip handed down to me from a wiser age. It goes: be nice to the waiters, for they are the ones disappearing into the kitchens to collect your food.
    December 9, 2008

    Security predictions for 2009

    I've hooked myself up to a device that administers a short, sharp, painful electric shock any time I get the urge to blog security predictions for 2009. There are plenty of others jotting down their own reckonings. Here's a few...

    - 10 Security Predictions for 2009 from Channel Web

    - 2009 Security Predictions on SANS

    - Security Predictions: Experts look ahead at CIO.com

    - 7 Infosec Trends for 2009 from Rich Mogull
    December 11, 2008

    Phishing and Spam IQ Quiz

    SonicWall have posted an excellent Phishing and Spam recognition test. Pass it around.

    http://www.sonicwall.com/phishing/index.html


    December 19, 2008

    Security professional from hell...

    What are the traits or characteristics of a security professional from hell?

    See video at http://www.virtuallyinformed.com/index.php?option=com_content&view=article&id=361:adrian-davis-professional-from-hell&catid=69:professional-from-hell&Itemid=71

    "... they wouldn't look out of place in the IT Crowd, ... poor interpersonal skills, ... obsessed by technology, ... the great unwashed, ..."

    Sound like anybody you know?


    December 24, 2008

    Merry Christmas!

    It's Christmas!

    Many thanks to everyone who has supported this blog over the past year, provided feedback - good or bad - and especially those of you who keep coming back.

    Merry Christmas and all the best for 2009...

    See you in the New Year.
    January 6, 2009

    Internet censorship - should we have more of it?

    I'm currently escaping the bitter cold of the UK over in Abu Dhabi, where I'm spending a couple of days visiting the Reed Exhibitions regional office.

    The UAE censors its population's use of the Internet. Should you accidentally stray into immoral browsing territory then your ISP will display for your benefit the following message:

    [image: "site is blocked" message]

    This covers online dating sites, sites where "criminal skills" might be learnt, anything relating to drugs, pornography and gambling amongst other things considered to be immoral or illegal. So, type the word "gambling" into Google and instead of search results you will see the "site is blocked" message as shown above.

    In fact, it's no different from the censorship employed on most corporate networks. Most of us are, I'm sure, familiar with tools such as WebSense which can be used to block a similar category set and prevent employees from accessing sites deemed to be either too insecure or morally unacceptable. It's also just as fallible as the corporate controls that we use, because the same message shown above is also displayed if I modify my search to "Internet gambling laws in the USA". Change the word "gambling" to "gaming", however, and access is granted!

    We tend to get very hung up on censorship in the UK. One man's censorship is another man's infringement of liberty. But I find myself not opposed to the UAE policy but wondering whether some well defined laws on Internet censorship should become the norm rather than the exception. Would it make use of the Internet safer? In other words, if hacker sites and phishing sites were blocked by the ISP then would the number of people falling victim to malware drop?

    There's an interesting report from the House of Commons Select Committee on Culture, Media, and Sport which discusses the need to "control children's access to potentially harmful content" and also mentions the role of the Internet Watch Foundation (IWF) as being to "minimise the availability of potentially illegal or otherwise harmful content on the Internet, and to take action to prevent exposure to illegal content." More to the point, the major ISPs in the UK already block access to websites listed by the IWF as hosting illegal content. So, in fact censorship of the web is already at an advanced stage in the UK, just not so overtly as in the UAE. Interestingly, the word "censor" is not actually used anywhere in the government report. Censored out perhaps?

    The objections that do get voiced are mostly from those who object to the lack of transparency (one of many such voices here) and legal framework. So should Internet censorship in the UK be more overt, such as that in the UAE?



    January 7, 2009

    Risk assessment and the Nu M8 Child Tracker

    A few weeks ago I allowed my 7 year old daughter to walk the last 400 yards from the bottom of the road to the school gate by herself. Off she trotted, full of her own independence, and away she went. About half an hour later the school headmistress called me: "did you know that your daughter arrived at school by herself today?" You'd have thought some crime had been committed, or that I'd been negligent in my care. The expectation is that all children will be accompanied to the school and into the grounds by a parent. When I broached this subject at a friend's party recently and expressed my view that most of the kids at the school are more than capable of walking the half a mile or so without needing to cling to a parent like a monkey with Velcro arms, one mother of two particularly obnoxious offspring stated "well I'd be too worried to let mine go by themselves." So, it's no surprise that products such as the Nu M8 digital watch with child tracker are now on the market.

    I really don't see why anyone would want to buy one. If my kids are outside playing then I can usually hear them and if I can't hear them my general attitude is "phew, some peace and quiet at last." Either I'm unaware and ignorant of the fact that kids are being regularly picked off the streets, or perhaps I'm just old fashioned enough to remember that kids like to explore and enjoy some carefree freedom rather than being shackled to the house under constant supervision just in case they graze a knee and need hospital treatment.

    Statistically, children are at more risk inside their own homes than out of it, from everything ranging from domestic violence to electric shocks. However, the hype that the press has put on the apparently ever increasing risk of child abduction (59 cases in 2002/2003 - see here) means that people do a quick risk assessment in their head where the formula used is something like risk = number of Daily Mail articles multiplied by mentions on GMTV. If result is a number greater than number of fingers on one hand then action equals throw protective blanket around child.

    It's this same principle that causes people to panic about getting on an aeroplane at the same time as they happily swerve from lane to lane at 90mph on the motorway. It's also the reason why businesses have failed in the past to deal adequately with information security: hire an IT guy, call him the security dude, give him a firewall and a know-it-all attitude, and Bob's your uncle: tick the box, we're protected. It's no different from buying a Nu M8 - you get the same soft, warm, squidgy feeling of security without having done anything to address the real risks. The system will break down the first time the child goes to cross a road and gets run over because these days nobody teaches them the Green Cross Code anymore.

    For information security, we do the brain surgery but, as somebody recently said, end up dying from the common cold. Example: a nicely developed and well coded online CRM system that I recently saw. No obvious hacks, hosted on a decent infrastructure with firewall, IPS, and anti-malware. Even a good hacker would struggle to get in through the code and steal the data. Except that everyone with access to the system was, for ease of use and administration purposes, using the same, very simple, username and password combination.
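    A shared account of the kind described above leaves a trace that no scanner reports but an application's own authentication log does: one username authenticating from many different client addresses within minutes of each other. As an added example (not code from the post, and not from the CRM system described), the check below parses a constructed authentication log and flags any account that logs in successfully from three or more distinct client IPs inside a ten-minute sliding window. The log format, the entries, the window and the threshold are all assumptions for the demonstration.

```python
"""Flag accounts whose login pattern suggests shared credentials.

Added example, not code from the blog post or from the CRM system it
describes. The log format, entries, window and threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: ISO timestamp, result, username, client IP.
SAMPLE_LOG = """\
2009-01-07T08:01:12 OK admin 10.1.4.21
2009-01-07T08:01:45 OK admin 10.1.4.37
2009-01-07T08:02:09 OK admin 192.168.20.5
2009-01-07T08:03:30 OK admin 10.1.4.88
2009-01-07T08:04:02 OK jsmith 10.1.4.21
2009-01-07T08:40:00 OK jsmith 10.1.4.21
2009-01-07T09:15:00 OK admin 10.1.4.21
2009-01-07T09:16:00 FAIL admin 172.16.0.9
"""


def parse_log(text):
    """Turn log lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def shared_accounts(events, window=timedelta(minutes=10), min_sources=3):
    """Return {user: peak distinct client IPs within any `window`} for users
    whose peak reaches `min_sources`. Only successful logins count: failed
    attempts from a stray address say nothing about who holds the password.
    """
    by_user = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "OK":
            by_user[user].append((ts, ip))

    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        peak = 0
        start = 0
        # Sliding window over the time-ordered logins for this user.
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1
            distinct = len({ip for _, ip in logins[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_sources:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, peak in shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {peak} distinct client addresses within 10 minutes")
```

    On the constructed log, "admin" peaks at four distinct addresses inside the window and is flagged; "jsmith" logs in twice from one address and is not. The same logic applied to a real CRM's login table would have surfaced the problem in the example above long before any penetration test did.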

    Anyway, must go and make up the kids school packed lunches for the day: remember, nothing with nuts just in case there's somebody with an allergy in the school, no sweets in case they get fat, but the crappy fake chemical cheese snacks that come in a plastic pot with some sticks of wood included for dipping are fine...



    January 26, 2009

    A fresh face on an old blog

    It's time to give this blog a bit of an overhaul and freshen it up.

    Duncan Hart, a good acquaintance of mine, has agreed to partner up and will shortly begin making his own contributions.

    Duncan will introduce himself in due course, but needless to say he's an information security specialist and has plenty to say.

    February 26, 2009

    McKinnon step closer to extradition

    British computer hacker Gary McKinnon has lost the latest round of his battle against extradition to the US.

    See http://news.bbc.co.uk/1/hi/uk/7912538.stm

    More here: http://community.zdnet.co.uk/blog/0,1000000567,10012233o-2000331828b,00.htm

    This now pointless and irrelevant case drags on.

    March 9, 2009

    Google latitude - power to the people

    In a country boasting the highest number of CCTV cameras in the world in proportion to the population; where local council workers can work as undercover spies to root out everything from putting bins out on the wrong day to whether or not a family can claim to live in a school catchment zone; where every time a car is driven into London number plate recognition systems can track every turn in its journey, it's a bit rich for MPs to be calling Google's voluntary and free Latitude system a risk to privacy (see http://www.dailymail.co.uk/sciencetech/article-1160598/Google-phone-tracker-puts-privacy-danger-say-MPs.html).

    "Mr Brake, MP for Carshalton and Wallington, said: 'In Britain, we have a tradition of fighting for our freedom.'" Hmmm. True enough if threatened by foreign invaders (although not sure how much experience the 46 year old Physics graduate Tom Brake has of being a freedom fighter), but against our own government systems the fight never started. More Citizen Smith than Che Guevara methinks...



    March 17, 2009

    Top 5 Information Security Annoyances

    I'm generally a tolerant and easy going sort of person. There's a fairly short list of things that get my goat. For instance, our local doctor's surgery has a call queuing system with 6 different options. However, I know for a fact that there's only one person working in the reception and that regardless of which button you press (press 1 for a long wait, etc., etc.) after about 12 rings you'll get through to her. How pointless is that? Our home phone number is fairly similar to a local pizza take-away place. At least a few times a week I'll take orders. Sometimes, I tell the caller that I've got no pizza left but they are welcome to have some of what I'm having...

    The information security industry can be similarly infuriating at times. Here's a short paragraph on each of the five things that wind me up the most:

    1. Security awareness programs


    A whole cottage industry of consultants and websites has been built up around the perceived need to educate company employees about information security. It's all a waste of time and money. Certain individuals will point to a reduction in the number of lost laptops as a measure of success, or an increase in the number of people who can correctly click "a). All policies are on the Intranet" in a multiple choice questionnaire. The fact is that security awareness programs are received within the organisation with about as much enthusiasm as a plate of sick. The key to good information security is strong governance, good communication and well managed, decent processes.  Security awareness programs sap energy and resources, and have little positive effect. Drop them.

    2. Compliance = security

    Nothing reduces the security status of a business faster than a blind determination to achieve compliance with a policy or a new regulation. PCI is the obvious one, with whole armies of "Qualified Security Assessors" driving their company Mondeos up and down the motorways of England en route to the next company that's fallen into the trap of believing that so long as they can tick all the right boxes they are protected as if covered by some magic force-field. Having the certificate that says "compliance" tells you nothing more than that on the day the assessor came, you had the right combination of smoke and mirrors in place to pass the test. Information security is not a compliance project. It's an ongoing program without an end-date.

    3. Risk modelling


    Many "experts" preach the importance of working through risk models. It's a load of tosh. No matter which way you try to do it, you'll always come out with the answer you first thought of. You might as well use a crystal ball and read tarot cards. Nobody needs to work through a complex risk model to understand that if a retail website suffers a denial of service it'll have some financial consequences, or that if the internet connection is lost there won't be access to the..er..Internet. I've got better, more constructive and practical ways to spend my day than conspiring over risk models. Much more relevant is threat modelling - understand your systems and know the business so that you can make relevant risk-based decisions.

    4. Where are all the analysts


    Here are two examples of what I mean. i) A vendor does a "penetration test" of a web site (I use the term loosely because these days most pen tests seem to involve little more than pressing a button labelled "scan now") and sends you a report highlighting several "High Risk" issues. On closer inspection you discover that most of them are either false positives, or irrelevant. ii) A network scan report is given to a newly CISSP qualified security analyst and he's asked to review it as part of a job interview. He spots the obvious highlighted security holes but doesn't question why a web server has non-standard ports open. Are we becoming too reliant on auto-scan reports? Security analysts need to be inquisitive, well practised in basic technical skills, able to spot anomalies, and not afraid to question things that don't look right. The scan results never tell the full story!
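    The question the candidate in example ii) should have asked is not "what did the scanner rate High?" but "what is open on this host that has no business being open?" That needs a baseline of what each host is supposed to run, which the scanner does not have and the analyst must bring. As an added example (not code from the post or from any scanning product), the script below parses a constructed nmap-style grepable report and compares each host's open ports against a constructed per-role baseline, reporting both unexpected open ports and expected services that are missing. The report lines, hostnames, role convention and baseline are assumptions for the demonstration.

```python
"""Compare a port-scan report against a per-role baseline.

Added example; not code from the blog post or from any scanner. The report
lines, the hostname-to-role convention and the baseline are constructed.
"""
import re

# Constructed baseline: host role -> TCP ports expected to be open.
BASELINE = {
    "web": {80, 443},
    "mail": {25, 587, 993},
}

# Constructed report in nmap "grepable" style (-oG): one line per host.
SAMPLE_REPORT = """\
Host: 10.0.0.10 (web01) Ports: 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 8888/open/tcp//unknown///
Host: 10.0.0.11 (web02) Ports: 80/open/tcp//http///, 443/open/tcp//https///, 22/filtered/tcp//ssh///
Host: 10.0.0.20 (mail01) Ports: 25/open/tcp//smtp///, 587/open/tcp//submission///, 993/open/tcp//imaps///
"""

HOST_RE = re.compile(r"Host: (\S+) \((\S+)\)\s+Ports: (.*)")


def parse_report(text):
    """Return {hostname: set of open TCP ports} from grepable-style lines.

    Only state 'open' counts; 'filtered' and 'closed' entries are ignored.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        _ip, name, ports = m.groups()
        open_ports = set()
        for entry in ports.split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/...
            if fields[1] == "open":
                open_ports.add(int(fields[0]))
        hosts[name] = open_ports
    return hosts


def role_of(name):
    """Constructed convention: the alphabetic hostname prefix is the role."""
    return re.match(r"[a-z]+", name).group(0)


def anomalies(hosts, baseline=BASELINE):
    """Return {host: (unexpected open ports, expected ports not open)} for
    every host that deviates from the baseline for its role."""
    out = {}
    for name, open_ports in hosts.items():
        expected = baseline.get(role_of(name), set())
        extra = sorted(open_ports - expected)
        missing = sorted(expected - open_ports)
        if extra or missing:
            out[name] = (extra, missing)
    return out


if __name__ == "__main__":
    for host, (extra, missing) in anomalies(parse_report(SAMPLE_REPORT)).items():
        print(f"{host}: unexpected open {extra}, expected but not open {missing}")
```

    On the constructed report, web01 is the only host flagged: 3306 and 8888 are open on a machine whose role calls for 80 and 443 alone. Neither port would necessarily appear in a scanner's "High Risk" list, which is precisely why the analyst has to ask the question.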

    5. It's not my fault

    The first 9 years of my working life were spent in the Royal Air Force where I enlisted as an Assistant Air Traffic Controller. I learnt a few useful things out of that: how to make a good cup of tea, how to write backwards on a plastic board with a chinagraph, and how to operate a Mu-meter, being three that will stick in my mind. Most important of all though was the lesson that excuses don't count. Only results. There's an evolving culture of making excuses for poor results. Lack of time, lack of resource, lack of training, lack of ability to think of a decent answer. All it shows is a lack of imagination, planning and initiative on the part of the person making the excuse. If you get something wrong it's your fault. Admit it and learn from it.




    March 21, 2009

    Top 5 information security annoyances - #2

    Few of my blogs have generated so much venom thrown in my direction as this one from last week. One blogger from America has gone so far as to write two very lengthy pieces in response, while the highly respected security guru and fellow blogger, David Lacey, referred to it as being drivel. Another public commenter calls it trite.

    I was well aware that my remarks about the usefulness of security awareness programs and risk models in particular would raise some eyebrows. However, I welcome the debate: we shouldn't be shy to challenge the accepted norms because there's plenty of evidence around that they frequently don't work.

    Trite or drivel it might be....I actually started off with a list of ten!

    About Misc

    This page contains an archive of all entries posted to Risk Management with Stuart King and Duncan Hart in the Misc category. They are listed from oldest to newest.
