January 17, 2009

Information Infrastructure Protection: Managing complexity, risk and resilience.



The Technology Strategy Board, The Centre for the Protection of National Infrastructure (CPNI) and the Engineering and Physical Sciences Research Council (EPSRC) have allocated an indicative amount of £6m to invest in highly innovative collaborative research and development projects in the area of Information Infrastructure Protection. Additional funding may be provided by the Economic and Social Research Council (ESRC) for proposals which include relevant work of high quality.

The tools, techniques and services developed will contribute to tackling the ever-increasing threat to information systems. This investment targets the increasing complexity and dependency challenges that UK government and businesses face, whilst providing significant market opportunities to a strong UK capability base. The focus will be on the development of technologies and their associated supply chains that will offer significant quantitative improvements in:

•    the understanding, monitoring and subsequent improved management of complex interdependent information infrastructures, within and between organisations, leading to enhanced security in all sectors of the UK economy (SME to Large enterprise)

•    the development of improved business resilience and risk assessment services within the UK to predict and manage risks in next generation information systems, and
•    the acceleration of their deployment to market.

For more information go here


As some of you will know, the EPAC call sandpit attendees went on a tour around Terminal 5 at Heathrow airport last November; it was impressive. Most of you will also know that things didn't go according to plan in the opening week. Thousands of bags have been lost or delayed en route, hundreds of flights have been cancelled and there have been lots of irate passengers.

But what happened?

Well, reports have ranged from lack of training, internal staff communications and lift failures to system logins not working and car-park spaces not being available. The question is how much of this could have been foreseen and prevented, and how much could not. There is a theory within critical information infrastructure analysis that major failures start with a small, insignificant event which on its own would not even be noticed. This then snowballs into a bigger event, and so on, until a major problem develops and a major incident occurs.

In scientific terms this is known as a cascade effect, or cascading failure.

But was this what happened at T5? We know that extensive testing, modelling and dry runs were performed in the months prior to go-live, but were assumptions made, such as baggage handlers being in place on time, all the logins working and users signed in, and there being enough car parking spaces?

In this complex and interdependent world, a small disruption to the supply chain can have dramatic ramifications if left uncontrolled and unchecked. Just-in-time services work well and deliver huge efficiency savings, but they are much less resilient than traditional systems.

T5 may well be one of these occasions.


Hackers attack Patients

March 29, 2008

It seems that the actions of hackers have caused users of a website to have epileptic fits. PR stunt or reality? Have a look here

Professional e-crime…

February 24, 2008

It looks like the House of Lords is to debate again the report it submitted to the government last summer. This is in the shadow of these news articles, which show that the online environment seems to be becoming a more organised and sinister place. We have heard about the shift from the hobbyist hacker to organised criminals; well, it looks as though the professionalisation of this move has shifted up a gear. Websites and adverts are now starting to appear advertising (quite blatantly) for people with language skills to help target phishing emails and make them more believable. The three languages are Russian, Mandarin and Portuguese.

Finally, ISPs have been asked by the Department for Culture, Media and Sport to tackle the problems around the illegal downloading of copyrighted material. I wonder how this is possible to do: IDS, deep packet inspection or just random sampling? It is very easy to obfuscate traffic, especially the further up the Internet hierarchy you go.



It’s all too much…

January 11, 2008

As you have probably noticed I haven’t updated the blog for around a week and quite a few high impact things have happened. Just goes to show how fast things move in security, OK first things first.

It seems that the manifestation of cyber actions in the real world is now a reality. Today (here) El Reg reported that a teenage hacker (why are they always reported as teenage?!) managed to take control of the Polish tram system, effectively changing the points to force a tram to go the opposite way to the one the driver intended. This is interesting for two reasons. Firstly, it is the only documented successful hack of a public transport system. Granted, the hack had to be performed locally and does seem to be a kind of replay attack, which isn't particularly sophisticated. Secondly, this is the scenario which people have been worrying about for some time: the ability to take control of a cyber apparatus and make a physical thing happen. This is very similar in nature to the warnings and advice that CPNI have been giving us for some time (here). Looking at the following news report, it doesn't seem inconceivable that a much more serious problem may be just over the horizon (here).

In my experience of safety-critical systems, I very much doubt that the engineers at Boeing did not take security into consideration when designing the Dreamliner; it took me 3 years to get a Linux server past the initial testing phase on a non-safety railway system. Safety engineers are taught to be risk averse: remember, if these systems fail, people could die.
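As an added illustration of why a "not particularly sophisticated" replay attack is enough to move points, here is a toy point-control channel in Python. This is not the tram system's protocol (the post does not describe it) and the command names, frame layout and key are constructed for the example. The first receiver trusts any well-formed frame, so a captured command can be resent at will; the second requires a monotonically increasing counter and an HMAC over the whole frame, so a replayed frame and a counter-bumped forgery are both rejected.

```python
import hashlib
import hmac
import struct

# Constructed example: a toy point-control channel. Nothing here models the
# real tram system; it only shows why a replayable command frame is dangerous
# and what a minimal freshness-plus-authentication check adds.

COMMANDS = ("SET_LEFT", "SET_RIGHT")


class ReplayablePoints:
    """Receiver that acts on any well-formed command frame (no freshness, no auth)."""

    def __init__(self):
        self.position = "LEFT"
        self.log = []

    def receive(self, frame: bytes) -> bool:
        cmd = frame.decode("ascii", errors="replace")
        if cmd not in COMMANDS:
            return False
        self.position = cmd[4:]          # "LEFT" / "RIGHT"
        self.log.append(cmd)
        return True


class AuthenticatedPoints:
    """Receiver requiring frame = counter (4 bytes BE) || cmd || HMAC-SHA256(key, counter || cmd)."""

    TAG_LEN = 32

    def __init__(self, key: bytes):
        self.key = key
        self.position = "LEFT"
        self.last_counter = 0            # highest counter accepted so far
        self.log = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + self.TAG_LEN:
            return False
        body, tag = frame[:-self.TAG_LEN], frame[-self.TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                 # forged or tampered frame
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False                 # replayed (or reordered) frame
        cmd = body[4:].decode("ascii", errors="replace")
        if cmd not in COMMANDS:
            return False
        self.last_counter = counter
        self.position = cmd[4:]
        self.log.append(cmd)
        return True


class Sender:
    """The legitimate controller: shares the key and never reuses a counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def frame(self, cmd: str) -> bytes:
        self.counter += 1
        body = struct.pack(">I", self.counter) + cmd.encode("ascii")
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


def replay_against_unauthenticated():
    """Attacker sniffs one legitimate frame and resends it later."""
    points = ReplayablePoints()
    captured = b"SET_RIGHT"              # constructed: the sniffed driver command
    points.receive(captured)             # driver's real command
    points.receive(b"SET_LEFT")          # driver sets the points back
    replay_ok = points.receive(captured) # attacker resends the captured frame
    return replay_ok, points.position    # (True, "RIGHT"): the replay moved the points


def replay_against_authenticated():
    """Same attack against the counter + HMAC receiver."""
    key = b"constructed-shared-key-not-real"   # constructed key for the example
    sender = Sender(key)
    points = AuthenticatedPoints(key)
    captured = sender.frame("SET_RIGHT")
    points.receive(captured)
    points.receive(sender.frame("SET_LEFT"))
    replay_ok = points.receive(captured)       # stale counter: rejected
    # Attacker bumps the counter but cannot recompute the MAC without the key
    bumped = struct.pack(">I", 99) + captured[4:]
    forged_ok = points.receive(bumped)         # MAC mismatch: rejected
    return replay_ok, forged_ok, points.position


if __name__ == "__main__":
    print("unauthenticated:", replay_against_unauthenticated())
    print("authenticated:  ", replay_against_authenticated())
```

The counter gives freshness and the MAC binds the counter to the command; either alone is insufficient (a bare counter can be bumped by the attacker, a bare MAC over the command is itself replayable). A real deployment would also have to persist `last_counter` across receiver restarts and handle key provisioning, neither of which the toy covers.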


Trojan 2.0: this is what the infosec tabloids are calling the recent spate of Facebook and MySpace malware infections. I suppose this is the natural evolution of the virus/worm/Trojan attack vector; criminals move to where the money is. Pickpockets go to Trafalgar Square, ID thieves go to Facebook. Makes sense to me. The interesting part of this story is the amount of time it has taken to start writing code in a web 2.0 way and using social networking to exploit weaknesses.


This week the CPS published guidelines on the amendments to the Computer Misuse Act 1990 made by the Police and Justice Act 2006, namely:

The introduction of a denial of service amendment to CMA Section 3. This amendment deals with “Unauthorised acts with the intent to impair the operation of a computer”, which to my mind is a welcome change. That is not necessarily the case for the next amendment, PJA Section 37, which inserts a new section 3A into the CMA. Section 3A deals with making, supplying or obtaining articles for use in a section 1 or section 3 offence (for those of you not familiar with the offences under the CMA, a section 1 offence is unauthorised access to computer material and section 3, before this amendment, was unauthorised modification of computer material). The section 3A offence turns on the supplier intending the article to be used, or believing it is likely to be used, to commit such an offence, so it is possible that legitimate security professionals who make tools to test systems for companies may, if not correctly represented by their legal team, face criminal charges. I wait to see what will happen here.

Longer than usual but definitely interesting times.


Data Protection Shakeup

January 3, 2008

Today an influential group of MPs said that breaches of the Data Protection Act should carry custodial penalties (here). Is this really the answer?

It has long been understood within the world of information security that the majority of mitigations are put in place after the ‘event’ has happened and loss has been incurred. Amending section 60 of the Act via the upcoming Criminal Justice and Immigration Bill looks like the likely way it will be done. This does seem similar to the way that Sarbanes-Oxley section 404 and the Payment Card Industry (PCI) standard brought the need for firewalls, anti-virus and security patching into mainstream IT. It sharpened minds when penalties ranging from large fines to custodial sentences were brought in and, more critically, executives were made accountable.

However it seems that this type of amendment was mooted a while ago (link)


Whose data is it anyway?

January 2, 2008

How many of you have a Friends Reunited account? I have. Today I received an email from ITV.com asking me to take part in its beta personalisation service, which was interesting as I don’t recall actually visiting ITV.com, let alone signing up for a beta. After digging around, it seems that Friends Reunited was purchased by ITV back in December 2005. This does bring up an issue around my data which is held within Friends Reunited and the federation of that data to third parties. It makes sense that when I signed up for Friends Reunited I ticked the “I agree” box for the T&Cs and didn’t actually read what it said (like most people), so my details can be shared with others. Which got me thinking….

How many web 2.0 services depend upon access to the personal data within Facebook, MySpace and LinkedIn to exist, and what would happen if this “open access” was no longer open? Do these internet auguries have the right to allow or deny access to information of which they are custodians rather than owners? Reading this Wired article on scraping (here), it seems that major information providers are taking a much more serious view of how, and more importantly who, can get access to the data they hold.