It’s all too much…

January 11, 2008

As you have probably noticed I haven’t updated the blog for around a week and quite a few high impact things have happened. Just goes to show how fast things move in security, OK first things first.

It seems that the manifestation of cyber actions in the real world is now a reality. Today (here) ElReg reported that a teenage hacker (why are they always reported as teenage?!) managed to take control of the Polish tram system and effectively changing the points to force the tram to go the opposite way which the driver intended. This is interesting because of two reasons. Firstly it is the only documented and successful hack of a public transport system. Granted the hack had to be performed locally and does seem to be a kind of replay attack which isn’t particularly sophisticated. Secondly, this is the scenario which people have been worrying about for sometime, the ability to take control of a cyber apparatus and make a physical thing happen. This is very similar in nature to the warnings and advice that CPNI have been giving us for sometime (here). Looking at the following news report it doesn’t seem inconceivable that a much more serious problem may just be over the horizon (here). In my experience of safety critical systems I very much doubt that the engineers at Boeing did not take security into consideration when designing the dreamliner, it took me 3 years to get a LINUX server past initial testing phase on a non-safety railway system. safety engineers are taught to be risk adverse, remember if these systems fail people could die.

Next!

Trojan 2.0, this is what the infosec tabloids are calling the recent spate of facebook, myspace malware infections. I suppose this is the natural evolution of virus/worm/Trojan attack vector, criminals move to where the money is. Pickpockets go-to Trafalgar sq, ID thieves go-to facebook – makes sense to me. The interesting part of this story is the amount of time it has taken to start writing code in a web 2.0 way and using social networking to exploit weaknesses.

Finally..

This week the CPS published guidelines on the amendments of the Computer Misuse Act 1990 by the police and justice Act 2006 – namely:

The introduction of a denial of service amendment to CMA Section 3. This amendment deals with “Unauthorised acts with the intent to impair the operation of a computer” which to my mind is a welcome change, that is not necessarily the case for the next amendment PJA Section 37 which inserts a new section 3A into the CMA. Section 3A deals with the making, supplying, obtaining articles to commit a section 1 or 3 offence (Those of you who are not familiar with the offenses under the CMA a section 1 offence is the unauthorised access of computer material and section 3 is the unauthorised modification of computer material). It is possible that legitimate security professionals whom make tools to test systems for companies may, if not correctly represented by there legal team face criminal charges. I wait to see what will happen here.

Longer than usual but definitely interesting times.

Paul

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: