Categories
End User online safety security

Should you worry about your own personal information security – yes – notes from Infosec2012

I spent a day at Infosec2012 this week. I could easily have spent another day there as I only met a fraction of the people that would have been good to talk to. It’s not often I say that about a trade show.

I stopped by the Sophos stand for a looksee. James Lyne, Director of Technology Strategy of Sophos, does a magnificent talk on security. He prefaces the talk with a warning not to visit any of the websites he mentions yourself because of the certainty of picking up malware. I’d take his advice.

James picks up malware for a living! On any given day the Sophos labs identify 185,000 new discrete pieces of malware. Yes you did read that right. One hundred and eighty five thousand different pieces of malicious code designed to try and penetrate your computing device with a view to stealing your cash, new every day.

This malware is computer generated and churned out in a wholesale manner. The whole game is run by organised crime and is big business. Customers get access to a control panel that they use to organise criminal “campaigns”. This control panel (screenshot inset – hacked by JL) gives them feedback on their successes – how many machines infected with what, for example. They can also use it to pick their “threat vector” ie what sort of virus/trojan/malware they want to use for their particular spamshot/offensive.

These platforms even have APIs so that crooks can build them into their own resources or add their own specific features!

The gangs involved collaborate. They collate data on anti-malware products produced by Sophos, McAfee et al and can tell in real time whether these companies can detect specific threats. In real time! They also collectively contribute to produce a blacklist of IP addresses used by security products manufacturers so that they block access to their online resources from these addresses.

Many people get caught out. Very many people. They must, otherwise these guys would not be in business, and I’m sure that most of us know someone who has lost cash or had their PC compromised.

What on earth can you do to protect yourselves in the face of such criminal activity? Sometimes there is nothing you can do as many devices have known vulnerabilities. I saw James Lyne tap into an iPad using a fake hotspot and steal some data. He used a known iPad vulnerability. I switched off the WiFi on my own iPad and even considered wiping all those hotspot credentials stored on my pad that make it easy for me to log on the next time I visit!

It does make sense to make sure that all your software is patched up to date, especially applications such as Adobe. It might sound obvious too but don’t click on a link you aren’t sure of. It doesn’t seem to matter whether you use Microsoft, Apple or Linux. Use sensible password policies. It also makes sense, if you can, to have one separate PC that you only use for banking or ordering stuff online.

I left the show with my head buzzing and thinking I didn’t stand a chance in the big bad world of the interweb. I certainly will be reviewing our home cyber security defences. Stay safe now.

PS you should take a look at Sophos, a British company turning over £600m with 2,000 staff! Not bad.


Categories
Business security

Infosec Europe – the stuff you really need to know

En route to Earls Court yesterday for the Infosec show I had a bit of time on my hands whilst waiting for a work colleague’s train to turn up so I took the header photo with my Samsung Galaxy S2. It’s interesting to see how people naturally spaced themselves out so that there was an equal gap between them and the people in different directions around them.

I’m going to write two posts on the visit to Infosec. This one covers all the essential things you need to know. The second will take a little more serious look at some of the learnings and add some thoughts.

The essential information is presented here in pictorial format. The first inset photo is the shoeshine stand at the Echoworx booth. I say booth but all it really was was a space with a popup and two shoeshine chairs, one of which I sat at – I like to look after my shoes me (Timberland – none of this Hush Puppy stuff). The downside is that for 5 minutes as a captive audience I had to sit through a sales pitch for Echoworx. It’s fair enough. I got my shoes done and they got their message across. Bloomin’ hard work for the sales guy though – twelve 5 minute elevator pitches every hour. Wow.

The shoeshine guy was really interesting. Turns out he is a Seamus McDonagh, former cruiserweight boxer who was once a contender and was matched with

Categories
Business online safety Regs security

Government surveillance in a free society?

Time was when MI5 (or whatever they are called) wanted to listen in on your conversation they sent someone round to the local telephone exchange with some wires and a couple of bulldog clips.

The breadth of things that could be monitored was actually fairly large. I remember once, many years ago, being shown satellite photographs of the lake at the Chernobyl nuclear plant in the days running up to the announcement that there was a problem with the reactor. The thermal imagery of the lake showed it warming up substantially over a few days. The information showing that there was a problem was being collected by our “security forces”.

The fact is whilst the data was there nobody saw it as it was buried in so much other information, photos etc, that you had to have specifically been looking for it to see that something was wrong. The amount of personal information that they could gather about you was fairly limited and the number of people they could do this to was not huge. It was not a scalable system.

Nowadays the game has changed.

Categories
End User nuisance calls and messages Regs security

The Telephone Preference Service seems no longer to be effective

We used to get junk phone calls, I’m talking years ago now. Double glazing, that sort of thing. My favourite was from people trying to call “Service Washing Machines”. These weren’t trying to sell me anything. The company had misprinted an advertisement with our number instead of theirs so we would get their calls. It did get a bit tedious after a while though.

Once (and you might not like me for this) I was at home during the day showing a builder around to get a quote. The phone rang and I said “watch this”

Categories
Business online safety Regs security

Codes of practice and regulation of tinterweb – Home Affairs Committee report on radicalisation

When I was a kid my dad asked me what I wanted to be when I grew up. I of course said I wanted to be the CTO of a fast growing ISP with prospects 🙂 Dad was somewhat confused with this and told me not to be a silly boy because the internet hadn’t been invented yet and I should learn to be a doctor or a judge or pursue some similarly respectable form of employment.

Some days it feels as if dad will end up having his own way and I will end up as a judge. In the news this morning is yet another report suggesting that ISPs should put together a code of practice in respect of taking down websites that do something we aren’t supposed to like.

There is a lot of this going on. If it isn’t the movie and music industry rightsholders wanting us to block sites promoting copyright infringement it’s Nominet in cahoots with the police trying to suspend domains allegedly supporting criminal activity. Today it’s a Home Affairs Committee report on radicalisation suggesting that ISPs need a voluntary code of practice that supports the taking down of websites containing violent extremist material.

Glancing through the report the committee did cover the issues

Categories
Engineer mobile connectivity security social networking

McAfee quarterly threats report Q3 – a worthwhile read

Tinterweb is a wonderful place full of great things that can change our lives. Of course we all know it is also full of pitfalls, dangers, threats, hazards, risks, problems, exposure, troubles and perils 1.

I have just discovered the McAfee quarterly “Threats Report”. If you haven’t read it you need to rectify the situation. It is an amazing compendium of the threats to which we are exposed when we reach out into the land of the hypertext transfer protocol.

For the convenience of the busy reader I have selected some extracts for your delight.

  • In Q2 the Android mobile operating system became the most “popular” platform for new malware.
  • By Q3 Android has become the exclusive platform for all new mobile malware.

Look out that your phone doesn’t start texting premium rate numbers or broadcasting your personal data or even, as is the case with Android/NickiSpy.A and Android/GoldenEagle.A, start recording your telephone conversations. Don’t give any banking information over the phone will you. The malware stays on your phone for an extended period of time to make sure it catches the right phone conversation!

I’m not a worrier but I have started to think more about protecting myself and my family when communicating. There are some security solutions on the market and I will give them a go over the next few weeks and report back.

The McAfee report has tons of interesting stuff in it – Botnet growth by region, Social Media threats, new “bad reputation” URLs per day (hits 40,000 some days!!!). There are currently over a quarter of a million Active Malicious URLs. The report even tells you the going rate for Crimeware tools – $1,500 for Linux exploit tool LinuQ (with private exploit) – if you are unfamiliar with this don’t ask – it’s a need to know job and I don’t know.

I encourage you to read the report to which I link again here.

1 My thanks to Roget’s Thesaurus for this contribution

Categories
Engineer online safety security spam

Akismet is a seriously good spam catcher

Akismet is a seriously good spam catcher. I just took a look at the comments it has trapped recently. Not clicked on any of the links but there is a wonderful range of products being pushed:

pre-workout supplements, SEO, LA Weightloss (to offset the pre workout supplements presumably), healthy food ideas, free online background checks, pharmaceutical delivery service, wedding photography, kitchen appliances, custom cabinet design!, Scottish mountain biking, a bar in London for stag nights.

Some of the comments appear to be quite carefully crafted responses to the post – as if they really are relevant. Anyway I’ve just deleted 103 of them. Sorry if yours was a genuine comment and is not approved. Keep em coming 🙂

Categories
Business dns internet scams security surveillance & privacy

Nominet – judge and jury of the world wide web?

We, the world, are still finding our feet on the internet, or more accurately the world wide web. The www is a great place to be and at the same time full of pitfalls and nasties. Much like real, physical life really. I taught my kids not to take sweeties from strangers – that applies on or offline.  In recent years I’ve added “don’t click on links you aren’t sure of” and probably a few other words of advice specific to tinterweb.

That’s a piece of wisdom relating to the www that, had he but known it, shows Charles Darwin’s theory of evolution in action. Survival of the fittest and all that.

It isn’t just the consumer that is still trying to understand the landscape of the www. Government is, business is, as I said we all are.

The good folks at .uk registry Nominet are also trying to understand where they fit into all this. Nominet has come under scrutiny in recent years over its corporate governance.

Categories
Engineer internet online safety security

Vint Cerf, Internet 2, Project Phoenix, Twitter, BYOD & #ITDF

Jonathan Radford our CFO is one of the least techy guys you could hope to meet.  He is often also the source of ideas for this “technical” blog because technology now reaches absolutely everyone on this planet one way or another.

Today he came up for a chat about Internet 2 and Project Phoenix and left me with a newspaper clipping from the FT (I said he wasn’t a techy – anyone else would have sent me a link). The point is though that the technology related article interested him because he could understand its implications for him personally.

The article concerned internet pioneer Vint Cerf’s comments re the need to start again with internet security. The internet is an open network currently running on the basis of trust. Starting again Cerf says he “would have put a much stronger focus on authenticity or authentication” and quoted Ori Eisen’s Project Phoenix as an example of the way forward (see original FT article for more on this).

You only have to note the recent spate of

Categories
Business Cloud mobile connectivity security

Mobile Working Report — CoIT and BYOD Trends

The mobile communications market has for years been characterised as a commodity space. Selling mobile services was largely a matter of who offers the best price. The rise of the smart phone and the pursuant growth in mobile data is changing this.

Price is still important but these devices are so expensive that the amount of hard cash people (consumers) are willing to spend on their mobile contract has grown considerably. I know this from first hand experience having a 19 year old student son who spends not an insubstantial amount of his monthly budget on an iPhone4 contract.

This in turn is a source of angst for businesses who have not traditionally provided the bulk of their staff with top of the range handsets. Unless you have been in a media vacuum over the last six months you will know that this has led to a phenomenon known as Consumerisation of IT and the Bring Your Own Device (BYOD) revolution.

I have written about this before. As a provider of mobile services

Categories
dns Engineer online safety security servers

Telegraph Register and UPS DNS servers hacked

If you have been trying to access the Telegraph online or The Register tonight you might come in for a bit of a surprise as the sites look as if they have been hacked. More specifically it looks like some Domain Name Servers have been hacked, diverting traffic to other pages. Many people will not notice.

Click on the header to see more of what the Register site currently looks like. At this point in time the hack is less than 30 minutes old so I don’t have any more info but if I get a chance I’ll update the post as news comes in. Or just Google it. I saw it first on Twitter.

Categories
Cloud End User security

The Pocket Cloud (Innovation #1259) – Security Issues Answered

The Pocket Cloud…business critical data storage in a secure USB-connected non-wireless device.

The fiendishly clever engineers at my place of work have come up with a new innovation, The Pocket Cloud (pat pending TM applied for etc), a highly innovative means of storing important business critical content in a totally secure manner.

Built in security features include a USB connection – this is a totally wireless free device which completely eliminates drive by data theft.

The Pocket Cloud comes with “uber” portability as it fits neatly into your pocket and can easily be removed from an office location whenever there is a flood/fire/earthquake (delete as appropriate – other forms of disaster are available). It should be incorporated into every Disaster Recovery plan.

At times of Disaster The Pocket Cloud also has a secondary role as a cloud based stress ball thereby satisfying Health and Safety requirements as well as those of IT.

If you have any questions or are desirous of acquiring a Pocket Cloud please get in touch.

Categories
Business online safety piracy Regs security

SilkRoad FTTC and Bitcoin!

Interesting to note that 8 out of the top ten keywords for visitors to this blog over the last month have been related to either FTTC or silkroad with 4 each.

I can understand the FTTC interest and I was an early writer on this subject so get decent Google rankings. As far as SilkRoad goes either there is not much written out there about the subject or there are huge numbers of people trying to find out more about it – human nature I guess!

As far as Bitcoin goes the underground currency seems to have recovered following the Mt. Gox crash. My original source for info seems to have stopped publishing at the time of the crash – 19th June. However it is now visible elsewhere and is trading at not far off the levels seen at Mt.Gox before the crash (for what it’s worth!).

PS whilst the two subjects seem totally separate FTTC and SilkRoad do obviously inhabit the same online universe. People will be using FTTC to access Bitcoin trading sources. I’m not sure that we will ever see the day when BT accepts payment for FTTC using Bitcoin though.

Categories
security

Dan Dan the cybersecurity man @Dantiumpro

Dan Summers UK Cybersecurity Champion

Meet @Dantiumpro aka Dan Summers, UK National Cybersecurity Champion.  Dan came to stay with the Davies family on Saturday night and we went out for a few beers to belatedly celebrate his win.

I met Dan through Twitter and, believe it or not, this was our first physical meeting.  In fact we only decided to do it that lunchtime via Twitter – he had the day off on Sunday. Dan currently works as a postman for the Royal Mail in Wakefield but following his victory, in which he beat off 4,000 contenders, he is moving departments to look after Information Security for the Royal Mail Group.

It’s a great story and clearly Dan is no ordinary postman. The competition involved cracking ciphers to break through different layers of security. I’d tell you more but it’s on a need to know basis:)  Dan is no one trick pony.  He is also a poet and has started contributing to philosopherontap under the pseudonym Dantiumpro which happens also to be his Twitter handle.

It’s good to know that the Royal Mail is going to be secure in his hands. Note they are making him deliver the mail right up until next Saturday after which he gets one day off before starting the new job.

It’s also good to know I have a very understanding wife who puts up with these spur of the moment houseguest decisions:)


Categories
Business internet online safety piracy security

Psst wanna buy a racehorse? #silkroad #bitcoin #torproject


Yesterday I read a flurry of reports on a new web service called silk road. This is a “totally anonymous” website that looks like it has initially been set up to facilitate drug deals. Payments are made using Bitcoin, a “virtual” digital currency that allows “untraceable” transactions to be made using distributed Peer to Peer technology.

A quick Google search for Silk Road last night revealed nothing but changing search terms this morning I found it. The first result took me to the following post:

Hi everyone,

Silk Road is into its third week after launch and I am very pleased with the results. There are several sellers and buyers finding mutually agreeable prices, and as of today, 28 transactions have been made!

For those who don’t know, Silk Road is an anonymous online market.

Of course, it is in its infant stages and I have many ideas about where to go with it. But I am turning to you, the community, to give me your input and to have a say in what direction it takes.

What is missing? What works? What do you want to see created? What obstacles do you see for the future of Silk Road? What opportunities?

The general mood of this community is that we are up to something big, something that can really shake things up. Bitcoin and Tor are revolutionary and sites like Silk Road are just the beginning.

I don’t want to put anyone in a box with my ideas, so I will let you take it from here…

-Silk Road staff

This is a fairly astonishing post in itself. It was published on 1st March and has since then attracted 36 pages of responses and comments. You can see for yourselves.

Categories
End User internet online safety scams security

Internet scam awareness

I’m very proud of my wife. She got one of those phishing calls yesterday saying that a problem had been reported with a virus on her PC.

She is one of least technically savvy people going but told the caller (who was, from his accent, not from ’round here) where to go without batting an eyelid.

She said we have Radio 4 to thank as she had heard an item regarding such scams on the Today programme sometime recently. Good old Radio4, good old Mrs Davies.

Categories
Engineer mobile connectivity security

Android security flaw

If nobody else reads this blog then at least I have the staff at Timico who are always throwing up suggestions for posts. This morning it was about an Android security flaw where, according to the University of Ulm, older versions of the OS are vulnerable to hacks that can steal your data.

Sky News reports that only the latest phones with system version 2.3.4 have had the leak plugged, meaning that 99.7% of handsets could be targeted. I parked the idea until I had finished my slides for next week’s AGM then lo and behold my own Android phone offered me a firmware upgrade. I am now safely running version 2.3.4 thanks to HTC and Android. Good timing I thought:)

It is worth thinking about though as the consumerisation of the workplace gathers pace. How many Android phones are used by staff in your office that might have this vulnerability? It would seem that the case for managing personal smart phones in the offices grows daily. This isn’t something you will necessarily want to leave to chance.

Categories
Business internet online safety security social networking

Consumerisation of the workplace – part 2 #TREF @EmpireAve

This morning I joined Empire Avenue and got the ticker symbol TREF – v important I’m sure you agree. I did it because people I interact with on Twitter have done so and being a sheep I followed. I hooked my Empire Avenue account up with Linked In, Facebook, Twitter and YouTube and then bought 100 shares in eBay.

Whether this was a sensible thing to do I know not – the account hook-ups not the eBay purchase which I don’t care about either way. I am really trusting the application.

After a bit of a browse I decided not to waste any more time and left. TREF was secured. At this point the responsiveness of my wireless keyboard and mouse began to slow down significantly and I was hit with anti virus messages on my screen. Uhoh.

To cut a long story short thanks to Michael our IT guy I eventually got rid of the screen and am running full system scans using AVG and malwarebytes.

The last time I picked up a virus it wiped me out for a week and we had to rebuild my machine. That was the week I really road tested the iPad and found it deficient. So this time you can imagine what was going on in my mind. I can’t afford to be without a PC for any length of time.

I write all this because I am also currently thinking about device security

Categories
Apps Business mobile connectivity security

Big endorsement from RIM re consumerisation of the workplace “problem” #iOS #Android

RIM has announced plans to extend its BlackBerry Enterprise Solution to the support of non RIM devices. This means that Android and Apple phones and tablets will be able to be incorporated in the RIM device management and security environment.

This is a timely announcement and follows a piece1 that I wrote a few weeks ago regarding the problem of consumerisation of the workplace.  RIM also says that it is responding to requests from its enterprise customers and that its target market is enterprises and government organisations.

There is a huge market outside these sectors. RIM has highlighted the problem but by focusing on big business is leaving the door open for others to play in the small and medium sized enterprise space.

It is interesting that RIM does not mention Microsoft in its press release. Presumably it sees Windows as a totally separate/mutually exclusive  environment.  I wouldn’t bet on that.

1 I’m not of course saying that the RIM announcement is in response to my article – we are clearly just thinking along the same lines:)

PS the RIM PR seems to have disappeared from their website for some reason. I happen to still have the copy which I have, for your delight and delectation, replicated below:

Categories
Cloud Engineer security

Cyber Security: A Never-ending Unwinnable War

USAF General William Lord in cyber security briefing
header photo Gen William T. Lord courtesy of USAF

The words Hague cyber warfare Treaty appeared fleetingly in my twitter stream this morning.

This really intrigued me. It brought visions of uniformed generals sat around a table at the United Nations signing fancy bits of paper. Over their shoulders were clouds filled with botnet armies – millions of compromised computers waiting for the command to strike, glaring ferociously at their opposite numbers.

There is a wonderful wealth of information out there on cyber warfare and security. For example according to Lt. Gen. William T. Lord, the US Air Force chief information officer, cyberattackers have shifted their tactics from trying to breach firewalls to penetrating applications and said the service has serious application vulnerabilities. “We have over 19,000 (information technology) applications in the Air Force,” he said, noting that Electronic Systems Center’s IT Center of Excellence at Maxwell Air Force Base-Gunter Annex, Ala., examined about 200 of them. “All of them had over 50 vulnerabilities.”

The incredible pace of introduction of new technologies is a serious problem to the military which likes to take years to develop and test anything it buys. It used to be that the army would be first to get advanced technologies that would one day filter down to peaceful applications. These days it is the other way round. The army must presumably end up using applications that have had little or no security testing but are considered worth the risk (I’m not speaking from personal knowledge or experience here).

The United Nations has in fact been giving this some due consideration – it would be negligent of them not to, fair play. Last week the UN published a document updating its position re disarmament and cyber warfare was covered in pages 12 – 20 (out of 42).

In the document the UN discusses possible solutions:

  1. The security of confidential as well as less significant information and networks
    A. Security updates should be applied to all systems
    B. A comprehensive disaster recovery planning should take place, which includes provisions for extended outages.
  2. The creation of an international treaty which includes:
    A. A concrete definition of cyber warfare which is ratified by all signatories
    B. A limitation on the usage of cyber weapons
  3. The establishment of an annual international platform, in which experts in the computer and cyber field from different countries may foster dialog with one another regarding the issue of providing measures to regulate cyber warfare
  4. Increased effort in raising awareness about the cyber warfare and the threats it poses for the world in its entirety

Most of this, treaty apart, is obvious stuff and to be honest suggests that the UN doesn’t really know what to do about it. Does anyone? I would be hugely surprised if many governments really signed up to it. After all why would a government (naming no names) want to deny itself the ability to attack Iran’s nuclear programme using bloodless electronic means?

In any case nobody would trust anyone else not to develop cyber warfare tools – it would be nigh on impossible to police. This is unfortunately in my view a war that is being fought but that nobody can win. I bet the proposed annual international conference would be a very interesting one to attend though maybe not as interesting as the meetings that they don’t tell us about.

We’re all doooomed!

Categories
Apps End User Regs security surveillance & privacy

how to get round your school’s web filter #deappg #DEAct

Somewhat of a contentious title for a post? Provocative? It is topical though with all the discussion in the media regarding the government’s review on whether web blocking really works or is cost effective (re Digital Economy Act), and also MP Claire Perry calling on ISPs to implement filtering to stop kids reaching online porn.

I just did a Google search on “bypassing school proxy”. It came up with 847,000 results including a link to “answers.yahoo.com”. I followed one of the links and found a ton of advice on how to get around a school’s filter system. These ad-funded sites are very youth orientated. One of the posts had 198 discussion comments!

My (oft repeated) point is that blocking ain’t going to work and anyone that naively thinks that most kids will not know how to go about circumventing a block on websites, whatever their flavour, needs to spend some time in a playground.

PS the answers.yahoo.com discussion had been deleted but most of these sites do not have the integrity or the corporate image to uphold. All most of the 847,000 sites (pages) are interested in is your money.


Categories
Business security

Peter Robbins to leave the IWF

Peter Robbins, OBE today resigned his position as Chief Executive of the Internet Watch Foundation (IWF). He is staying on until July to give the IWF time to find a successor.

He is quoted as saying:

“It has been an absolute honour and privilege to lead the IWF since 2002 through a period of unprecedented change. I have been exceptionally fortunate to have worked with dedicated staff and very talented Board Members over the years. I must place on record my gratitude for the exceptional support afforded me by extremely professional individuals, organisations and institutions in the UK and abroad as together we have built enduring partnerships from across the public and private sectors to enable the IWF to thrive.”

I don’t know him personally but many people have a great deal of respect for him and his work.  Running the IWF is not an easy job.

A lot has been written on this blog re the IWF – you can just do a search. This post gives an overview of the job that it does. At this time I don’t know whether Peter is just retiring, has somewhere else to go to or just feels his time has run its course at the organisation.

Categories
End User online safety scams security

Phishing by “Microsoft” engineers

I’m getting reports of increased levels of phishing attempts on broadband customers. People get a call from someone purporting to either work for Microsoft or on their behalf. The flavour of the calls goes something like this:

  • “We are working on a password security breach”
  • “We are working with Microsoft and your ISP to increase your broadband speeds”
  • “We have identified a problem with one of your servers and can fix it for £250”

By and large they want you to click on a link and then of course “you’ve been had”. Unfortunately as in many aspects of life on the internet the only real way to avoid being had is by being internet savvy. There is no quick fix.

Categories
Business security UC voip

#ITSPA winter workshop tomorrow – life beyond POTS and #VoIP #security Gigaset Magrathea

If you can you should make it to the Internet Telephony Service Providers’ Association (ITSPA) Winter Workshop being held tomorrow at The King’s Fund, 11-13 Cavendish Square. Sponsored by Gigaset and Magrathea, two main topics are being discussed:

  1. Life beyond POTS and
  2. VoIP security

Both are interesting areas. The first looks at whether we really have moved beyond just using the telephone for simple voice conversations. The second addresses the wave of VoIP fraud that has been going on in 2010, directed in the main at unsecured open source PBXs. We will be discussing an ITSPA developed position paper on the subject which will include advice on best practice for securing your VoIP service.

The event is between 2 and 5 pm tomorrow with drinks afterwards. If you want to come please contact the ITSPA secretariat at [email protected] or 020 7340 8733. I am moderating both panel sessions.

Categories
Business Cloud internet piracy Regs security

The Futility of Blocking Websites #deappg #wikileaks #censor

Mirrors, and the sheer hopelessness today of blocking websites.

A retweet by Guardian Technology Editor Charles Arthur caught my attention this morning:

RT @AustinHeap “#Wikileaks is averaging 13.9 new mirror sites per hour, or one new mirror every 4′ #censor” So that shutdown went well, eh?

Unless you have no access to media, and in which case you won’t be reading this post, you will have noticed the ongoing wikileaks furore. This is not a post about that subject. Wikileaks’ website is, however, coming under heavy Denial Of Service attack by persons unknown, and the response of its wide community of supporters is to mirror the site to provide alternative access to the content. According to the Wikileaks mirrors website (also blocked but available via IP address) as of 21.55 GMT last night there were 1005 such mirrors.

This does two things. Firstly it shows the futility of trying to block websites (prevention of inadvertent access, aka the IWF, excepted). Secondly it shows the resilience of the internet, a network designed by the US Government to survive nuclear attack. Whilst the source of the DoS attack is probably a matter of conjecture, for those who question the US Government’s approach to law and order it is somewhat ironic that it is this very built-in resilience that is preventing the site from being taken down, or at least keeping the information live.

There are lessons here when we start to consider whether blocking should be applied in other areas such as sites promoting copyright infringement…

Categories
Business dns Regs scams security

Nominet and the pseudo-judicial roles of ISPs

I met with the Police Central eCrime Unit last year as part of an ISPA group that wanted to understand the issues that police have in fighting internet related crime and to see whether there is anything that we could do to help.

The police’s biggest problem is the speed that things can happen at over the internet versus the amount of time it takes the judicial system to crank their mechanical organisational cogs. PCEU staff can, for example, be following a suspect criminal, either physically or electronically, and sometimes have very little time to pounce. A gang might be planning a fraud using online resources – facebook pages, gmail, skype etc. Access via a service provider to look at these resources takes a court order (RIPA) which takes time to organise and by the time it has been effected the crooks are often long gone.

If the police did not require judicial consent to access these data then the whole process could be speeded up and more criminals prevented from harming us. The problem is that even if it was clear to everyone concerned that providing the police with what they ask for was the right thing to do, the act of doing so puts the ISP in breach of data protection laws. If the suspect criminal happens to be innocent (or otherwise) this potentially leaves the ISP open to legal action. We can’t have ISPs being asked to perform the role of the judiciary because they don’t have the same legal protection or training.

Now enter Nominet stage right. I have coincidentally just written about Nominet after attending the .uk registrar’s recent 25th birthday party. Nominet is proposing to change its

Categories
Engineer security

Cyberwarfare and network security

Cyberwarfare has been in the news this week with the discussions around defence spending cuts. This is hugely topical and hugely important.

The debate of course hinges specifically around national defence. We don’t want the Trident missile system being hacked. Warfare doesn’t just extend to weapons though.

France is currently grinding to a halt due to their seasonal batch of strikes – oo lalaa, whose turn is it this time lads?!

Categories
Business security

EC proposals to improve cybersecurity

The European Commission today unveiled two new measures as part of its fight against cybercrime. The first measure proposes new criminal offences relating to

  • the use of malicious software (botnets etc) for committing offences,
  • illegal interception of information systems

and strengthens penalties for such crimes. The EU also proposes an improvement of European criminal justice/police cooperation by strengthening the existing structure of 24/7 contact points, including an obligation to answer urgent requests within 8 hours and the obligation to collect basic statistical data on cybercrimes.

The world is in dire need of general improvement in respect of international cooperation. The UK has its own Police Central eCrime Unit but the

Categories
Business internet security

Facebook and CEOP collaborate on child protection

The Child Exploitation and Protection Centre (CEOP) and Facebook announced an initiative that gives Facebook users direct access to CEOP’s advice and reporting centre from their Facebook homepage.

The initiative is not based on a standard panic button solution but on a CEOP Facebook App and a CEOP Facebook page. This means that only users who install the app will have direct access to CEOP.

I have met CEOP CEO Jim Gamble during the course of meetings between CEOP and the ISPA and understand the hugely difficult nature of their job. CEOP volunteer staff have to spend much of their time looking at horrendous photographic evidence of child abuse. It isn’t something that a person can do for too long due to the mental stresses involved.

The success of the whole Facebook initiative depends on whether or not the CEOP app becomes viral. To facilitate the distribution of the app, Facebook has agreed to support the initiative via an advertising campaign.

CEOP deserves your support.

Categories
End User mobile connectivity scams security

sms #phishing

Had a couple of SMS phishing attempts in the last couple of days:

“FREEMSG: Our records indicate you may be entitled to 3750 pounds for the Accident you had. To claim for free reply with YES to this msg.  To opt out text STOP.”

They each appear to come from a different mobile number. Needless to say anyone getting one of these should just delete them. I wouldn’t reply STOP. I don’t think there is anything we can do other than deleting them. Unless you start getting a lot of these messages it is probably too small a problem for the networks to take on board.

I wouldn’t be tempted to reply STOP.