Archive for March, 2012

Infosecurity Magazine news stories for 22-28 March 2012

March 29, 2012

My news stories on Infosecurity Magazine from Thursday 22 March until Wednesday 28 March…

Digital Crime: Fourth great era of organized crime
Organized digital crime is growing – but we still know little about the structure of organized digital crime groups. A new report from BAE Detica Systems and the John Grieve Centre for Policing and Security at London Metropolitan University seeks to change this.
28 March 2012

2600 to broadcast interview with Richard O’Dwyer’s mother
2600 is one of the world’s longest running ‘hacker’ publications. Richard O’Dwyer is a UK citizen likely to be deported to the US for operating the website and providing links to ‘copyright infringing’ material.
28 March 2012

Legislation to enforce Google filtering proposed by MPs’ committee
Parliament’s Joint Committee on Privacy and Injunctions has reported: “This could involve giving Ofcom or another body overall statutory responsibility for press regulation.”
28 March 2012

PwC report highlights senior management complacency about security
Financial services are, not surprisingly, increasingly subject to economic cybercrime. According to a report from PwC, cybercrime is now second only to asset misappropriation as the most popular way of defrauding an organization in the financial services (FS) sector.
27 March 2012

Security concerns delay deployment of NGDCs
A survey from Crossbeam Systems shows that 94% of IT personnel identify network security as the main cause for stalled next generation data center (NGDC) deployments.
27 March 2012

The new Oxford Cyber Security Centre
Final proof of the extent to which information security has become embedded within society comes from Oxford university, Home of the Humanities. The university has announced a new Oxford Cyber Security Centre.
27 March 2012

Strong showing for the Pirate Party in German elections
Saarland is the smallest (apart from the city-states) of 16 states within Germany, with a population of just over 1 million inhabitants. Politically it is generally considered to be a conservative area.
26 March 2012

Anonymous launches Operation Imperva
Anonymous has declared a new target: Imperva Inc, a security firm, is now the subject of Operation Imperva.
26 March 2012

Microsoft takes control of 800 domains associated with Zeus botnets
In a major action against the banking trojan Zeus, Microsoft, together with FS-ISAC and NACHA and with research from Kyrus Tech and F-Secure, has succeeded in disrupting a number of the most harmful Zeus botnets in “an unprecedented, proactive cross-industry action.”
26 March 2012

Europe’s first information risk maturity index developed
PwC and Iron Mountain have joined together to develop a risk maturity index for European SMEs; it finds them generally lacking.
23 March 2012

Firefox will use HTTPS by default
Encrypted searching should become available by default for all Firefox users within a few months – a big win for privacy.
23 March 2012

Indian call centers sell UK financial data and DVLA gives access to Indian workers
On the same day that the Sunday Times reported Indian workers offering UK finance details for sale at as little as 0.02p, the Observer reported that IBM contractors in India will have access to the data of 43 million UK drivers held by the DVLA.
23 March 2012

Privacy: the great EU/US debate
The two great western trading blocs are taking personal privacy very seriously. In January the EU published a draft proposal for a new Data Protection Regulation, and in February the White House released its privacy blueprint, including the Consumer Privacy Bill of Rights.
22 March 2012

Almost half of UK educational establishments have had mobile devices stolen
A new survey from LapSafe Products has revealed that 45% of education establishments have had mobile devices – such as laptops, netbooks, MP3 players, tablets and gaming devices – stolen between 2009 and 2011.
22 March 2012

Dame Fiona Caldicott to review patient data confidentiality
The people currently responsible for protecting the confidentiality of patient information in the UK are known as the Caldicott Guardians, so named after Dame Fiona Caldicott. Dame Fiona will now lead a new independent review into patient privacy.
22 March 2012

Categories: All, Security News

Further example of dumbing down

March 29, 2012

The life of the journalist would be much harder were it not for the PR companies providing a conduit between journo and vendor. But journalists live by words – and their aesthetic and accurate use is important. It hurts when the PR, who earns much more than the journo, cocks up. It gets personal. It’s an insult.

Here’s the aesthetic insult:

…went on to say that the informative morning starts off what promises to be a must-see array of informative and thought-provoking series of sessions… covering a variety of informative and topical subjects.

Here’s the accuracy insult:

…including how to align an organisation’s business and IT strategy, focusing on the security GRC (government, risk and compliance) balancing act that most IT departments must now solve.

Frankly, I am offended.

Categories: All, General Rants

Government is getting above itself – it should remember that it is our servant, not our master

March 28, 2012

In one small paragraph that buggers belief, UK members of parliament show that they are divorced from the reality of public opinion and bereft of internet knowledge.

Google acknowledged that it was possible to develop the technology proactively to monitor websites for such material in order that the material does not appear in the results of searches. We find their objections in principle to developing such technology totally unconvincing. Google and other search engines should take steps to ensure that their websites are not used as vehicles to breach the law and should actively develop and use such technology. We recommend that if legislation is necessary to require them to do so it should be introduced.
Joint Committee on Privacy and Injunctions – First Report: The role of search engines

These people, the cross-party Joint Committee on Privacy and Injunctions, are actually suggesting that Google should be forced, by law, to “develop and use” censorship.

There have been riots in European streets over ACTA’s censorship. The US government has been forced (however temporarily) to backtrack over SOPA’s censorship. The anti-censorship Pirate Party has won parliamentary seats in Germany. So much for being interested in public opinion. And as for the internet: almost 20 years ago John Gilmore said “The Net interprets censorship as damage and routes around it.” We’ve had two decades of immune system development since then. If it routed around in 1993, it will shrug off in 2012. All that will happen is that otherwise innocent people will be forced to break or bypass the law in a natural curiosity about the truth.

But such supreme arrogance from our political masters raises two important questions about the nature of democracy in the free democratic West.

  • Do we elect people in order to delegate total responsibility to them, in order to say, ‘here you go, you make up my mind for me in future and just tell me what to do’; or do we elect people to enact what we wish them to enact?
  • Is the rule of law sacrosanct; that is, once these people pass a law, do we have to obey that law under all circumstances?

To the first I say categorically that my elected representative is there to represent me and my wishes. He or she is not there to represent the wishes of business, other governments or anything or anyone other than me. And I say think again about your current attitude towards internet censorship and copyright protection.

To the second question I say that it is the duty of all citizens to reject the rule of law when their conscience demands it. War criminals are probably not law breakers: they uphold the rule of law in their own lands. You cannot say that the rule of law is sacrosanct here but not sacrosanct there. The rule of law must always be ultimately subservient to the rule of conscience.

So, to all members of government: remember your role. You are there to serve us; you are not there to usurp us.

Categories: All, General Rants, Politics

The crisis of identity at Oxford

March 27, 2012

Oxford has a new Cyber Security Centre. Dare I suggest, however, that it needs to go back to its roots before it tries something new?

“The Oxford Cyber Security Center is the new home to cutting-edge research designed to tackle the growing threats posed by cyber terrorism and cyber crime…” Cutting-edge research? Cliché! PR hyperbollocks. Almost a trope. Notice also, by the way, that the Centre has suddenly become American.

But it gets worse. “In addition to being a springboard for new research, is an umbrella for current research activity worth in excess of £5m, supported close involvement of over 12 permanent academic staff, and in excess of 25 research staff, 18 doctoral students.” That is a tragic coagulation of words – I hesitate to call it a sentence.

Actually, I think that an Oxford Cyber Security Centre is a good thing; and that the introduction of Oxford thinking into infosecurity will be a great benefit. But I am heartbroken to see that dumbing down has breached Oxford’s city walls.

Categories: All, General Rants

Infosecurity Magazine news stories for 21 March 2012

March 22, 2012

My news stories on Infosecurity Magazine for Wednesday 21 March…

Two new botnets discovered by ESET and Kaspersky Lab
Kaspersky’s discovery is centered in Russia; ESET’s discovery is centered in Georgia. Both shed new light on the ingenuity and intention of cybercriminals.
21 March 2012

Russian wins Facebook Hacker Cup Again
Eight thousand initial entrants to Facebook’s second annual Hacker Cup from 150 countries were reduced to just 25 finalists from Russia, Germany, Poland, Ukraine, China, South Korea, Japan, Taiwan, and the United States.
21 March 2012

Indian company hacks GSM and usurps IMSI
At a security conference organized by Null in India, Matrix Shell claimed and demonstrated the ability to hack into GSM phones and manipulate the user’s International Mobile Subscriber Identity.
21 March 2012

Categories: All, Security News

From the sublime to the ridiculous – comments on the EU

March 21, 2012

Rick Falkvinge, founder of the Swedish Pirate Party, has written the most sublime rant against the Swedish parliament: In Grand Deceivefest, Swedish Parliament Just Voted For Data Retention. I cannot do it justice and you must read it.

This has been one of the most filthy, deceptive political campaigns to introduce a massive Big Brother law I have ever seen. Its only parallel is when the general wiretapping was introduced in 2008, and I’m pissed off as all hell. There have been attempts at deception of every conceivable kind.

He then lists the deceptions, adding

Additionally, a German study concluded that the data retention had only helped in 0.002% of criminal cases. Yes, you read that right: zero point zero zero two per cent. In other words, hiring two new police officers is more effective for fighting crime than this abomination.

The worrying thing is that beneath this rant lies truth – a truth that is increasingly ignored by all of our governments.

That’s the sublime. The ridiculous is reported by TechDirt: German Gov’t Uses Anger Over Lack Of ACTA Transparency To Justify Further Lack Of Transparency. For example,

the European Commission tried to counter accusations that the [ACTA] negotiations were lacking in transparency by pointing out that the German government had a representative present during all the sessions (that’s transparency?). This was news to people, since the German government had somehow omitted to mention this fact.

So they tried to discover more, such as who was this representative, even going so far as to deliver a freedom of information request. The German government declined. Transparency? Ridiculous!

Categories: All, General Rants, Politics

Infosecurity Magazine news stories for 20 March 2012

March 21, 2012

My news stories on Infosecurity Magazine for Tuesday 20 March…

New twist in social engineering rogue AV
Rogue anti-virus products continue to be a major source of malware. The trick for the criminal is in getting the victim to click the link; and GFI has spotted a new development.
20 March 2012

Cost of data breaches outstripping inflation
The average cost to UK business per record lost, according to the latest Symantec/Ponemon study, has increased from £47 in 2007 to £79 in 2011. Had it been inflation alone, it would have increased to just over £53.
20 March 2012

Infosec human factor solved only by education
Information security is among the most popular of all the training courses offered by SkillSoft, with ‘An introduction to Information Security’ second only to ‘Fundamentals of Networking’ in the top 100 IT courses, says the company.
20 March 2012

Categories: All, Security News

Infosecurity Magazine news stories for 15/16/19 March 2012

March 20, 2012

My news stories on Infosecurity Magazine for Thursday 15, Friday 16 and Monday 19 March…

Duqu: a government intelligence agency built cyberweapon?
Last week Kaspersky Lab announced that it had discovered an unrecognized programming language within the Duqu worm code. It asked the research community for help in diagnosis; and the research community responded.
19 March 2012

Four EU Member States to take part in ENISA’s ‘security week pilots’
Four EU Member States are planning to run national ‘security weeks’ during October 2012. The aim is to develop a fully-fledged combined EU and US Security Month by 2014.
19 March 2012

LulzSec’s Kayla given bail
Ryan Ackroyd, a 25-year-old Brit from South Yorkshire, was granted bail at Westminster Magistrates’ Court pending a plea and case management hearing at Southwark Crown Court scheduled for 11 May.
19 March 2012

Did Anonymous accidentally blow covert surveillance of Assad’s emails?
On 6 February hacktivist group Anonymous delivered a threatening email to Bashar Assad’s personal email account. On 7 February his use of that account ceased.
16 March 2012

Trends and truths in DDoS attacks
Neustar has analyzed the evolution of DDoS attacks over the last year, showing the techniques that are used and the problems that will come.
16 March 2012

Password managers on mobile devices – fail
Elcomsoft, a computer and mobile forensics specialist, is today presenting the results of its analysis of mobile device password managers at Amsterdam’s BlackHat Europe conference.
16 March 2012

Kaspersky’s February malware scorecard
Kaspersky Lab has published its monthly malware report for February, discussing Duqu, Google Wallet and Google Analytics, mobile threats and attacks on corporate networks.
15 March 2012

2011 Global Encryption Trends Study
Ponemon’s Global Encryption Trends Study commissioned by Thales is a treasure trove of insights into the corporate view of security.
15 March 2012

Quis custodiet ipsos custodes – Who watches the watchmen?
The Dutch Big Brother Awards for 2011 have been announced. There are three prize categories: People, Companies and Government.
15 March 2012

Categories: All, Security News

Is Assange running for Senate to avoid FBI entrapment?

March 18, 2012

Back on Christmas Day, WikiLeaks tweeted: “is it possible for JA to run for the Australian Senate from house arrest in another country?” Later on the same day, Australian solicitor Peter Kemp responded:

Peter Kemp Tweet

Go for it!

He explained his reasoning in a subsequent article posted to WL Central – an independent site dedicated to allowing free and open discussion of WikiLeaks issues. Now, it would appear, WikiLeaks and JA have decided:

WikiLeaks Tweet

OK – we will.

It’s going to be interesting. Australians have a natural tendency to thumb their noses at the establishment. He might well succeed. I hope he does.

But what then? I don’t know the law; but even if it is possible to extradite an elected Australian senator, would the UK wish to? Will we see the Swedish judiciary and the UK Home Office trying to expedite the extradition to avoid embarrassment? I hope not – and here’s why…

Nobody doubts that Sweden will just be a staging post for Assange en route and in irons to the USA. The US wants him because of the Bradley Manning leaks. But Bradley Manning, and ergo WikiLeaks, has a very strong defence: public interest. What the FBI really needs is a charge that carries no public support. Like the hack and leak of private correspondence from a well-respected independent news organization. Like Stratfor, perhaps.

Stratfor was hacked by Sabu. Anonymous immediately and officially – as far as Anonymous can ever do anything officially – denied involvement; and accused Sabu: “Sabu and his crew are nothing more than opportunistic attention whores who are possibly agent provocateurs.” Since then we have learned that Sabu was turned by the FBI and had been working with the FBI since the end of last summer. In short, Sabu hacked Stratfor while he was working for the FBI. Anonymous was aware of this. ‘Agent provocateur’ was not an insult, it was a description.

More recently still, the stolen Stratfor emails have been leaked to WikiLeaks. On 27 February, WikiLeaks announced: “LONDON–Today WikiLeaks began publishing The Global Intelligence Files – more than five million emails from the Texas-headquartered “global intelligence” company Stratfor. The emails date from between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal’s Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defense Intelligence Agency. The emails show Stratfor’s web of informers, pay-off structure, payment-laundering techniques and psychological methods, for example…”

But remember, Anonymous has denied involvement. So who leaked to WikiLeaks? The FBI? On 7 March, the Guardian wrote:

A second document shows that Monsegur [Sabu] – styled this time as CW-1 – provided an FBI-owned computer to facilitate the release of 5m emails taken from US security consultancy Stratfor and which are now being published by WikiLeaks. That suggests the FBI may have had an inside track on discussions between Julian Assange of WikiLeaks, and Anonymous, another hacking group, about the leaking of thousands of confidential emails and documents.

The Hacker News put it more bluntly a couple of days ago: “But if Sabu was in fact working for the FBI, how could the Stratfor hack be anything more than a clearcut case of entrapment perpetrated by the FBI?” It looks horribly like Stratfor was sacrificed and Anonymous used simply to get Assange.

I call on all Australians – do what other nations daren’t do: thumb your nose at US machinations, and vote Assange. For all of us.

All-Party Intellectual Property Group announce [sic] new Inquiry

March 17, 2012

On the surface it looks promising. The All-Party Parliamentary IP Group has started a public consultation into The Role of Government in Protecting and promoting Intellectual Property. Is this an opportunity for the public to voice its opinion on government attitude to intellectual property?

There have been numerous reviews into IP policy in the last ten years but the decision-making framework within which policy is developed and agreed has not been sufficiently examined.

The purpose, says John Whittingdale MP, Chair of the Group, is “so we can feed into developing Government thinking in this area, particularly following its Copyright Consultation.”

But don’t go thinking this is democracy in action. It isn’t. If you want to respond, you’ve got 2 weeks to do so. And if you want to respond, you have to write to Luther Pendragon, which provides secretariat services to the Group – paid for by the Alliance Against IP Theft. Luther Pendragon also provides services to the Association of the British Pharmaceutical Industry (ABPI), providing “strategic advice to the representative body for the research-based pharmaceutical industry on its relationships with politics, the NHS and patient organisations.” Unbiased it ain’t.

The All-Party Group sounds impressive and official. But it isn’t. “They are essentially run by and for Members of the Commons and Lords, although many groups involve individuals and organisations from outside Parliament in their administration and activities,” says Parliament itself. They are really nothing more than private lobby groups essentially operating inside government, and are the opposite of democracy. The purpose of this short-lived consultation is so that the Group can feed the views of the rightsholders into official government thinking under the guise of public opinion.

I’m afraid we have to accept that the alliance of rightsholders (that includes entertainment, monopolistic software companies, pharmaceuticals, life-sciences and generics companies) already pwns the government.

Categories: All, General Rants, Politics
