The Results are in!

March 6, 2008

After a long, hard few months we are finally at the end of the EPAC selections. The consortia panel session was yesterday and all presentations went very well. A decision has been made around which ideas will go forward and receive funding for the next few years. The funding meeting is tomorrow, and once the funding ratios have been decided the consortia will know early next week.

I would just like to say a big thank you to all who have been involved over the past months, and watch this space for updates and announcements about our new competitions and activities in the coming months!

Google Health

February 29, 2008

Google is in the news this week with its soon-to-be-released ‘health platform’. This is essentially a database of all your personal details that can be used to help diagnose possible illnesses. It can organise your medical records and suggest possible side effects of treatments. I hope the security is up to scratch. How difficult is it to remove your data from Facebook? I wonder how difficult it would be to remove your health records from Google?

Pakistan has recently removed itself from the Internet

The Pakistani government recently ordered the censorship of blasphemous material on YouTube. The way in which the main ISP within Pakistan decided to do this was by re-routing traffic for YouTube to essentially anywhere. The first thing which happened was that YouTube disappeared off the Internet for a few hours, and the second was that Pakistan caused a denial of service attack against itself.

Paul

Professional e-crime…

February 24, 2008

It looks like the House of Lords is to debate again the report it submitted to the government last summer. This is in the shadow of these news articles, which show that the on-line environment seems to be becoming a more organised and sinister place. We have heard about the shift from the hobbyist hacker to organised criminals; well, it looks as if the professionalisation of this move has shifted up a gear. Websites and adverts are now starting to appear advertising (quite blatantly) for people with language skills to help target phishing emails and make them more believable. The three languages are Russian, Mandarin and Portuguese.

Finally, ISPs have been asked by the Dept of Culture, Media and Sport to tackle the problems around the illegal downloading of copyrighted material. I wonder how this is possible to do: IDS, deep packet inspection or just random sampling. It is very easy to obfuscate traffic, especially the further up the Internet hierarchy you go.

Thanks

Paul

I Told you so!

January 30, 2008

I have now been working in information security for the past 8 years. In that time I have been of the opinion that once we start networking and connecting up normal household appliances we will be in the age of ‘it just is’. This is the age of ubiquity where we no longer see a computer but a table, chair or door.

Now we see that appliances such as toasters and picture frames are being hacked and infected by malware. A few weeks ago I saw an article about hacking a toaster on the net (here), and more recently the infection of a picture frame which can have photos uploaded to it and cycles through them slide-show style. This does raise a point around the security of embedded devices (here) and what the wider implications are.

Imagine how much latent CPU power is available in your house for appliances to perform a DDoS attack – would your toaster turn against you?

Paul

Interesting Tool

January 28, 2008

Here is a curious little tool which (I don’t know how) calculates how much your social network is valued at. My Network Value seems to provide some interesting numbers.

Thanks

Paul

Not a week goes by without a web 2.0 breach/hack/infestation/buyout*

This week two issues have surfaced around the 2.0 ethos. The first concerns myspace.com: a ‘back door’ resides within the MySpace architecture that allows access to private profiles – including those of people whom the law considers to be minors. This is interesting as MySpace, as recently as Monday, announced measures to protect minors in a joint press statement with 49 attorneys general in the US. (link)

(*delete as appropriate)

The second deals with malicious mobile code propagating from legitimate sites around the Internet. Dubbed the ‘random JS toolkit’, the code attacks in two stages. Stage one infects the website with an iFrame exploit, installing itself on the legitimate website; stage two is the normal infection stage of client machines via malicious code and the installation of trojans/spyware/adware.

It’s interesting to note the evolution of attack vectors: are they following the trends of mainstream IT? Could this maybe be considered the first client/server malware…

Thanks

Paul

It’s all too much…

January 11, 2008

As you have probably noticed I haven’t updated the blog for around a week, and quite a few high-impact things have happened. Just goes to show how fast things move in security. OK, first things first.

It seems that the manifestation of cyber actions in the real world is now a reality. Today (here) El Reg reported that a teenage hacker (why are they always reported as teenage?!) managed to take control of the Polish tram system and effectively changed the points to force the tram to go the opposite way to that which the driver intended. This is interesting for two reasons. Firstly, it is the only documented and successful hack of a public transport system. Granted, the hack had to be performed locally and does seem to be a kind of replay attack, which isn’t particularly sophisticated. Secondly, this is the scenario which people have been worrying about for some time: the ability to take control of a cyber apparatus and make a physical thing happen. This is very similar in nature to the warnings and advice that CPNI have been giving us for some time (here). Looking at the following news report it doesn’t seem inconceivable that a much more serious problem may just be over the horizon (here). In my experience of safety-critical systems I very much doubt that the engineers at Boeing did not take security into consideration when designing the Dreamliner; it took me 3 years to get a Linux server past the initial testing phase on a non-safety railway system. Safety engineers are taught to be risk averse; remember, if these systems fail people could die.

Next!

Trojan 2.0: this is what the infosec tabloids are calling the recent spate of Facebook and MySpace malware infections. I suppose this is the natural evolution of the virus/worm/Trojan attack vector; criminals move to where the money is. Pickpockets go to Trafalgar Square, ID thieves go to Facebook – makes sense to me. The interesting part of this story is the amount of time it has taken to start writing code in a web 2.0 way and using social networking to exploit weaknesses.

Finally..

This week the CPS published guidelines on the amendments to the Computer Misuse Act 1990 by the Police and Justice Act 2006 – namely:

The introduction of a denial of service amendment to CMA Section 3. This amendment deals with “Unauthorised acts with the intent to impair the operation of a computer”, which to my mind is a welcome change; that is not necessarily the case for the next amendment, PJA Section 37, which inserts a new section 3A into the CMA. Section 3A deals with the making, supplying or obtaining of articles to commit a section 1 or 3 offence (for those of you who are not familiar with the offences under the CMA, a section 1 offence is unauthorised access to computer material and section 3 is unauthorised modification of computer material). It is possible that legitimate security professionals who make tools to test systems for companies may, if not correctly represented by their legal team, face criminal charges. I wait to see what will happen here.

Longer than usual but definitely interesting times.

Paul

Data Protection Shakeup

January 3, 2008

Today an influential group of MPs has said that breaches of the Act should include custodial penalties (here). Is this really the answer?

It has long been understood within the world of information security that the majority of mitigations are put in place after the ‘event’ has happened and loss has been incurred. Amendment of section 60 via the upcoming Criminal Justice and Immigration Bill looks like the likely way it will be done. This does seem similar to the way that Sarbanes-Oxley section 404 and the payment card industry (PCI) brought the need for firewalls, anti-virus and security patching to mainstream IT. It sharpened the mind when penalties ranging from custodial sentencing to large fines were brought in and, more critically, the executive were made accountable.

However, it seems that this type of amendment was mooted a while ago. (link)

Paul

Whose data is it anyway?

January 2, 2008

How many of you have a Friends Reunited account? I have. Today I received an email from ITV.com asking me to take part in the beta personalisation service, which was interesting as I don’t recall actually visiting ITV.com, let alone signing up for a beta. After digging around it seems that Friends Reunited was purchased by ITV.com back in December 2005. This does bring up an issue around my data which is held within Friends Reunited and the federation of that data to 3rd parties. It makes sense that when I signed up for Friends Reunited I ticked the “I agree” box for the T&Cs and didn’t actually read what it said (like most people), so my details can be shared with others. Which got me thinking…

How many web 2.0 services depend upon access to the personal data within Facebook, MySpace and LinkedIn to exist – and what would happen if this “open access” were no longer open? Do these Internet auguries have the right to allow or deny access to information of which they are custodians rather than owners? Reading this Wired article on scraping (here), it seems that major information providers are taking a much more serious view on how people – and more importantly who – can get access to the data they hold.

Thanks

Paul