January 17, 2009

Information Infrastructure Protection: Managing complexity, risk and resilience.



The Technology Strategy Board, The Centre for the Protection of National Infrastructure (CPNI) and the Engineering and Physical Sciences Research Council (EPSRC) have allocated an indicative amount of £6m to invest in highly innovative collaborative research and development projects in the area of Information Infrastructure Protection. Additional funding may be provided by the Economic and Social Research Council (ESRC) for proposals which include relevant work of high quality.

The tools, techniques and services developed will contribute to tackling the ever increasing threat to information systems. This investment targets the increasing complexity and dependency challenges that UK government and businesses face, whilst providing significant market opportunities to a strong UK capability base. The focus will be on the development of technologies and their associated supply chains that will offer significant quantitative improvements in:

•    the understanding, monitoring and subsequent improved management of complex interdependent information infrastructures, within and between organisations, leading to enhanced security in all sectors of the UK economy (SME to large enterprise)
•    the development of improved business resilience and risk assessment services within the UK to predict and manage risks in next generation information systems, and
•    the acceleration of their deployment to market.

For more information go here


I Told you so!

January 30, 2008

I have now been working in information security for the past 8 years. In that time I have been of the opinion that once we start networking and connecting up normal household appliances we will be in the age of ‘it just is’. This is the age of ubiquity where we no longer see a computer but a table, chair or door.

Now we see that appliances such as toasters and picture frames are being hacked and infected by malware. A few weeks ago I saw this article about hacking a toaster on the net (here); more recently there was the infection of a digital picture frame, the kind that stores uploaded photos and cycles through them slide-show style. This does raise a point around the security of embedded devices (here) and what the wider implications are.

Imagine how much latent CPU power is available in your house for appliances to perform a DDoS Attack – would your toaster turn against you?


Not a week goes by without a web 2.0 breach/hack/infestation/buyout*

This week two issues have surfaced around the 2.0 ethos. The first is concerned with myspace.com: a ‘back door’ resides within the MySpace architecture that allows access to private profiles – including those of users whom the law considers to be minors. This is interesting as MySpace, as recently as Monday, announced measures to protect minors in a joint press statement with 49 attorneys general in the US. (link)

(*delete as appropriate)

The second deals with malicious mobile code propagating from legitimate sites around the Internet. Dubbed the ‘random JS toolkit’, the code attacks in two stages. Stage one infects the website with an iFrame exploit, installing itself on the legitimate website; stage two is the normal infection of client machines via malicious code and the installation of trojans/spyware/adware.

It’s interesting to note the evolution of attack vectors: are they following the trends of mainstream IT? Could this maybe be considered the first client/server malware…
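As an added example (not code from the original post), here is a small defender-side check for the first stage described above: scanning a page’s HTML for iframes that are hidden or point off-site, which is how an injected frame usually stays out of sight on a compromised legitimate page. The sample HTML, the site domain example.com and the hostname evil-example.invalid are constructed for illustration.

```python
"""Flag hidden or off-site iframes in an HTML page.

Added example for this post; not the post's own code. Intended as a
periodic integrity check a site owner runs over their own pages to spot
the injected frame that characterises stage one of the attack.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style fragments commonly used to keep a frame invisible.
HIDING_STYLES = ("display:none", "visibility:hidden")


class IframeAuditor(HTMLParser):
    """Collects every <iframe> that looks hidden or loads from another domain."""

    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.findings = []

    def _is_offsite(self, host):
        host = host.lower()
        return host != self.site_domain and not host.endswith("." + self.site_domain)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []

        # Reason 1: the frame pulls content from a domain other than ours.
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and self._is_offsite(host):
            reasons.append(f"external src {host}")

        # Reason 2: the frame is hidden with an inline style.
        style = a.get("style", "").replace(" ", "").lower()
        if any(s in style for s in HIDING_STYLES):
            reasons.append("hidden via style")

        # Reason 3: the frame is sized so small it cannot be seen.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={a[dim]}")

        if reasons:
            self.findings.append(
                {"src": src, "line": self.getpos()[0], "reasons": reasons}
            )


def audit_html(html, site_domain):
    """Return a list of suspicious iframes found in `html` for a site on `site_domain`."""
    parser = IframeAuditor(site_domain)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate frame, one injected frame.
SAMPLE_HTML = """<html><body>
<h1>Legitimate page</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://evil-example.invalid/in.cgi?3" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, "example.com"):
        print(f"line {finding['line']}: {finding['src']} -> {', '.join(finding['reasons'])}")
```

Run it over a saved copy of each page on a schedule and alert on any new finding; a frame that is both off-site and hidden is the strongest signal, while a visible off-site frame may simply be a legitimate embed and deserves a look rather than an automatic block.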



It’s all too much…

January 11, 2008

As you have probably noticed I haven’t updated the blog for around a week and quite a few high impact things have happened. Just goes to show how fast things move in security, OK first things first.

It seems that the manifestation of cyber actions in the real world is now a reality. Today (here) El Reg reported that a teenage hacker (why are they always reported as teenage?!) managed to take control of the Polish tram system and effectively changed the points to force the tram to go the opposite way to that which the driver intended. This is interesting for two reasons. Firstly, it is the only documented and successful hack of a public transport system. Granted, the hack had to be performed locally and does seem to be a kind of replay attack, which isn’t particularly sophisticated. Secondly, this is the scenario which people have been worrying about for some time: the ability to take control of a cyber apparatus and make a physical thing happen. This is very similar in nature to the warnings and advice that CPNI have been giving us for some time (here). Looking at the following news report it doesn’t seem inconceivable that a much more serious problem may just be over the horizon (here). In my experience of safety critical systems I very much doubt that the engineers at Boeing did not take security into consideration when designing the Dreamliner; it took me 3 years to get a Linux server past the initial testing phase on a non-safety railway system. Safety engineers are taught to be risk averse; remember, if these systems fail people could die.


Trojan 2.0: this is what the infosec tabloids are calling the recent spate of Facebook and MySpace malware infections. I suppose this is the natural evolution of the virus/worm/Trojan attack vector; criminals move to where the money is. Pickpockets go to Trafalgar Square, ID thieves go to Facebook – makes sense to me. The interesting part of this story is the amount of time it has taken to start writing code in a web 2.0 way and using social networking to exploit weaknesses.


This week the CPS published guidelines on the amendments of the Computer Misuse Act 1990 by the Police and Justice Act 2006 – namely:

The introduction of a denial of service amendment to CMA Section 3. This amendment deals with “Unauthorised acts with the intent to impair the operation of a computer”, which to my mind is a welcome change. That is not necessarily the case for the next amendment, PJA Section 37, which inserts a new section 3A into the CMA. Section 3A deals with the making, supplying or obtaining of articles to commit a section 1 or section 3 offence (for those of you who are not familiar with the offences under the CMA, a section 1 offence is the unauthorised access of computer material and section 3 is the unauthorised modification of computer material). It is possible that legitimate security professionals who make tools to test systems for companies may, if not correctly represented by their legal team, face criminal charges. I wait to see what will happen here.

Longer than usual but definitely interesting times.


Does anyone read Wired magazine?

Well, in this month’s edition an article ran about the ability to send off and get your genome sequenced for $1000; this brings in a whole new security dimension, previously not thought of. It is now economically possible to compare your genetic sequence with genes that are known to cause disorders such as prostate cancer and Crohn’s disease (23andme.com). What does this mean to the average person on the street?

Once you have “submitted” your sample (i.e. produced enough saliva to place in a test-tube), this then gets couriered to California where it is then made into the thousands of G, C, T, A sequences that make up your DNA. That’s the easy bit – relatively speaking (my other half is a geneticist so I will get killed when I get home).

Once sequenced, the genome is stored in databases to allow searches to be performed against mutations that suggest an elevated risk. We all know about the benefits that scene of crime forensics can give in tracking down criminals. That is only useful if the genetic markers are on file or in a database, but this technique is much more advanced than that. Imagine if insurance brokers had access to your genetic sequence, and increased your premiums five-fold because you have a 32% chance of suffering a stroke whilst at the wheel of your car.

Whilst the ability to reduce the risk of fatal disease is obviously a good thing, the security and accuracy of your extremely personal data – your DNA – is of paramount importance.

How do you quantify the impact of getting one letter wrong in your genetic sequence? What would be the consequence of losing your sequence? Would the Data Protection Act apply if 23andme.com lost your code?

Interesting times?

Thanks -Paul

The Day Privacy Died?

November 14, 2007

Day Three: Update One

Reported today on The Register: an encryption key disclosure situation has arisen. For seven years, since 2000, the Regulation of Investigatory Powers Act (RIPA, link here) has technically been law. Section III states that if you have encrypted files on your computer you must hand over the key to unlock them if there is reasonable suspicion that these files can be used in the investigation. An anonymous post (here) documents the experience. This is a very interesting and provocative point. Back in 2000 when RIPA received royal assent, section III was seen as the final intrusion into the privacy of the individual. Whilst it is documented in law that you must put the encrypted documents in a readable form, it is not necessary to provide the key if you have already done this. This does raise a worrying idea: if the law enforcement agencies are demanding encryption keys for all data on a specified hard drive, does this mean that unrelated information can be catalogued and used in evidence against you?


Day Two: Update One

Is giving the individual the right to choose about their identity a dangerous thing? Everyone has a digital identity, whether we are aware of it or not. Every time we pay for something via credit/debit card or go online we leave a footprint. What if your digital footprint was changed or misused? Is the lack of security awareness when online a grave concern?

Will the implementation of an identity management infrastructure to safeguard against the perils of identity theft cause more issues than exist today? If you have one card or one unique identifier that may be stolen, this could, if misused, ruin all of your carefully crafted credit ratings.

Who owns the data? The individual…..the State…..the commercial controller?

The question is always how much freedom do we have to give up in the current climate of fear, security and the information age, but maybe the question should be flipped on its head: how much technology should we give up to ensure privacy? If we give consent to another entity to use our personal information we should conversely have the right to deny it. The term “anonymity” has a bad connotation because it’s used primarily where there’s an expectation of identification. When we talk about anonymity, we generally mean not knowing who I am, whereas when we talk about privacy, we generally mean not knowing things about me.

We all know about Big Brother, the Orwellian all-controlling state, but less is known about the concept of Little Sister. This is the scenario where separate systems each watch over a fragment of a person’s identity, but when coordinated can reveal all, i.e. superstore loyalty cards.