Misguided Security Managers

In the July / August edition of Infosecurity Magazine, there is a fairly interesting article on security matters, and differences, in the public and private sectors. I can’t find this article online so you will have to trust me.

There is a quote in the article, from an “anonymous” security manager which sadly echoes comments I have heard right across the public sector, when public servants discuss the need to protect public privacy:

One senior manager at a local council – who asked not to be named – told Infosecurity that he would rather be brought before the courts for an information security charge, than because a child or other vulnerable person has been harmed as a result of data not being shared.

(Here, I get visions of Reverend Lovejoy’s wife crying out “won’t anyone think of the children”)

In the article this is presented as a dilemma public sector information security professionals face on a regular basis. My experience of said individuals supports this. It is very tabloid friendly. It is also complete nonsense that infuriates me to the point of wanting to choke the life out of the idiots who say it. (note for any future court action – this is purely imaginary, I am not really planning to kill anyone now or in the future)

There are so many things wrong with this it is hard to know where to start.

This person is paid to be a security manager. They are not a child protection professional. They are there to manage the security of the information that the public have entrusted to the council. Nothing else. If their job description means they have to ensure that vulnerable persons are safe in their homes, then I suspect there is something seriously wrong going on.

As a public servant, this “senior manager” is paid by the public, who you would rightly assume should have some expectation of his behaviour. Unless we’ve moved into some weird world where the vulnerable pay more for their services he has no right to unilaterally assume what laws he will follow and what laws he will break. He has no right or authority to compromise my privacy and personal data because he thinks that doing so 100,000 times might save one vulnerable person.

Equally this “manager” (sneer quotes intended) has no way of knowing if he is placing the safety of vulnerable people in further danger. Privacy laws and restrictions on how your personal data can be handled are there to protect everyone. Yes this includes criminals but it also includes vulnerable people. If this senior manager feels sending a copy of the addresses of everyone “at risk” to an agency across town would be helpful sharing of their data, what would he do if it got lost? What is his defence if his information security failures allow a predator to get the details of the vulnerable people he seeks to protect?

Equally importantly, what about those who only become vulnerable because of his lackadaisical attitude? This idea that passing private information and personal data is inherently a GOODTHING™© is insane. An otherwise fine person who has their home address details passed into the hands of a criminal becomes a vulnerable person. They have, through no fault of their own, become open to a vastly different threat – one they may not be prepared for. Is this acceptable behaviour for public servants? Imagine a serial rapist who gets hold of modified electoral roll data indicating addresses (and telephone numbers) of every house in the area where a single female lives. Would you be happy with the response that he would rather be in court over an Infosec case?

I suspect the real problem is that privacy and information security statutes don’t have enough teeth. If this senior manager was facing 20 years in jail for an infosec compromise, I am sure he would think differently. As it stands, nothing he does will get him properly punished in a court of law, so he must be talking about the court of public opinion. This is, sadly, so seriously misled by the tabloids that it is easy to see he would be hounded to the brink of suicide if it turned out he had withheld data that might have possibly prevented the death of a child. In a similar manner, if it turned out he had lost a disk containing the personal details of 250,000 people it would get, maybe, a few column inches.

To an extent this is our fault. We want easy to digest news. We ignore the mights and possibilities in the first instance, so we can get to the meat of saving the child. In the second case, it’s too technical, too distant and probably doesn’t affect “us” so we don’t really care about it. We, the public, are stupid.

Security sense

This is quite an astonishing news item.

East Lancashire youngsters see film on terrorism danger
More than 2,000 10 and 11-year-olds will see a short film, which urges them to tell the police, their parents or a teacher if they hear anyone expressing extremist views.
The film has been made by school liaison officers and Eastern Division’s new Preventing Violent Extremism team, based at Blackburn….
The terrorism message is also illustrated with a re-telling of the story of Guy Fawkes, saying that his strong views began forming when he was at school in York. It has been designed to deliver the message of fighting terrorism in an accessible way for children. (from the Lancashire Telegraph)

(h/t Bruce Schneier’s blog)

No, really. It’s a real news item. You can check. I didn’t make it up.

It seems that the area around Lancashire is quite fertile territory for anyone trying to get kids to do free police-work. This blog item is also about kids being recruited to provide low-level spying services in their community. A Sefton school designed posters for a Community Information Box initiative. These are displayed in libraries, buses and so on. Sadly, I can’t find an image of the winning poster online but I’ve had my attention drawn to one.

The poster presents a list of things that public-spirited citizens should look out for and drop anonymous notes about in their local Community Information Box. The list is bizarrely inclusive: from swearing and dog-crap through to real crimes like physical attacks and terrorism.

(I hope that the anonymity is designed to protect the kids from life-threatening comebacks if they accidentally inform on some really vicious people. However, this only works if you assume that really vicious people are not just vicious but are also too stupid to make inferences about who reported them, from the content, context and timing of information. And I rather suspect some of them may have those skills. So, I hope that they also have a child witness protection programme in place.)

I really hope that the school students generated the volunteer informer’s checklist, rather than some adult with no sense of perspective. Because, although I am still womanfully resisting a fear of terrorism that is used to manipulate us out of any concern for our civil liberties, I can’t help but be filled with the fear of creeping totalitarianism.

What a wonderful tool for any authoritarian state – compliant children, ready to report any odd behaviour or unorthodox opinions to the authorities out of fear of potential terrorism.

So, what a good job that our democracy is so secure. It’s not as if real extremists – say, people promoting a myth of indigenous ethnic Britishness, frinstance – are getting any spurious legitimacy as a result of a British population that has been driven half-mad by its fear of dicey expenses claims, or anything……… Well, that’s OK then isn’t it?

Banks continue to control us

Untouched by their reckless behaviour (and blatant lack of any real knowledge of the mystical “market forces”) the true leaders of the Western World continue to flex their muscles and show that the interests of ordinary people are, on the whole, irrelevant. They remain blind to contradiction in demanding huge public subsidies, then refusing any form of public control. They continue to assert, in the face of obvious evidence to the contrary, that “they know best” over the current financial crisis. They ignore the problem of begging money with one hand, and paying out huge bonuses to their own staff. They know they are so important that whatever they do we, the public, will continue to bow to their demands. It beggars belief how most banks haven’t been declared International Terrorist Organisations – they demand money and threaten global meltdown if we don’t comply, they have a non-democratic influence in governmental policy and are happy to crush small businesses; the only thing missing is they aren’t (on the whole) Islamic.

Anyway, enough of that rant. You could easily be excused for thinking that giving a bank your money (often paying for the privilege) would mean it stayed your money and the bank just looked after it (although they would use it to make more money for themselves). You would be excused for thinking that you should be able to get access to your money. You would, however, be wrong.

Not content with charging customers £1.75 for cash withdrawals (except those customers well off enough to be able to get to the increasingly rare free cash machines [ATM], if they can find a working one), the banks are now unveiling measures to make it harder for you to use your cash/credit card. All in the name of security though… so that makes it ok…

A few years ago we heard how Chip and PIN was being brought in to prevent card fraud. Gone were the days in which your signature was enough to prove who you were, now all it took was a 4 digit PIN. This seemed like madness, and in fact creates the current situation where my wife can use my card without anyone noticing she is not a Mr, but the banks were adamant it would prevent fraud. They added to this the demand for every Cardholder Not Present (CNP) transaction to use the 3 digit verification number (CVV) on the back of the card (ironically where the pointless signature strip lives). It was claimed that this would reduce CNP fraud and the two measures would reduce fraud to such an extent that their costs would be negligible.

Except, it never worked out like that.

People buy things over the internet, and give out their CVV with alarming ease – every time you do an online transaction you are asked for it – so after a while it becomes impossible to use this as verification. You would like to think the people you are carrying out an online purchase from are PCI-DSS accredited, but do you check? Do you read through their audits to make sure your holy grail of card number and CVV are safe? Do you assume the credit card companies are doing that? The padlock icon is just to tell you that the data link between you and the shop is secure, it says nothing about the long term storage of your data. I have even seen companies that email out a receipt with the card number in full and the CVV code used – all in a plain text email… Far from secure.

Anyway, it seems that despite these new measures the banks are still suffering almost as much fraud as before (which begs the question…) and have now unveiled new measures. Basically they will look at your transactions and if the bank thinks you are doing something unusual they will block your card. It’s crucial to note here, that this happens if the bank thinks you are doing something odd. They will monitor your activity and then make a decision as to if your behaviour falls within their idea of what is normal. The BBC report on this is interesting:

A leading bank is introducing new technology that will mean every credit card transaction is scrutinised for fraud.
HSBC is introducing the programme, which will affect 10 million card accounts and millions of transactions.

Hmm. You have to wonder what other data the HSBC will be able to mine from this, but we will leave the big brother rant for another day.

The banking industry has warned that more legitimate transactions will be queried or cancelled as a result.

So, what they are basically saying is that because the banks are losing money, ordinary people will be inconvenienced even more than normal. Imagine the scene, you are on holiday in a foreign country (several time zones away), you go for a meal and pay with your card. Only to have your card rejected. What do you do? The banks don’t care. You have to do the running to get everything sorted and can’t even claim back any costs incurred from the bank’s mistake. Outrageous. The standard banking advice is to tell your bank when you are going on holiday but this is crap. It rarely works. From the same BBC page:

When Sally Wiber went on holiday to Borneo, she followed industry advice and told her bank where she was going.
But her credit and debit cards were blocked when she tried to use them on her first day.
“I spent much of the first day trying to deal with my bank and getting internet access, and then had a rather frustrating phone call trying to make sure that I could use my cards for the rest of my holiday,” she said.

Wonderful eh? I can support this from personal experience. My employment has me travelling around Europe a lot. My bank know this. I have told them about my travel and they know my job. However, in France last year, despite my bank being told in writing about my travel, my card was blocked on the second day. I used it on the first day to withdraw cash and make purchases, but on the second day it was decided my activity was unusual. Apparently, as I was on a family holiday, I had been committing the heinous crime of buying presents… I had told the bank I was going on a family holiday. The first day’s purchases (to a greater value) were fine, but the second day triggered something. The biggest problem I faced here was being stuck, in France, with no phone and no bank account and no money. How do you resolve that?

Does the banking industry care? Again from the BBC:

But Mark Bowerman of the card issuers’ trade body APACS said it was something consumers would have to accept.

That is a “no” then. He continues:

“If we as customers expect banks to do something about this we have to expect that from time to time we’ll be in a shop and the transaction will be queried or card declined. These systems are designed to stop cards being used fraudulently, so if that’s the price we have to pay I think people should be prepared to pay that price,” he said.

Crikey, doesn’t that sound like the war on terror? It actually reads that because the banks want to put a stop to card fraud people have to pay the price. I love the glib way he says that from time to time we’ll have a transaction declined. Like it doesn’t mean anything. Like it doesn’t mean embarrassment and possible legal problems for you when it happens. Try paying for a meal, having your card declined and then explaining that’s just the price you have to pay. Please let me know how far it gets you.

The BBC continues:

Spending large amounts of money or using your card frequently can trigger the alarm at the user’s bank, and with so much fraud taking place abroad, the same goes for using a card outside the UK.

So, basically, using your card can trigger alarms. This happened to me a few weeks ago when I was buying a new suit. I used a credit card that gives me loyalty points, and as I pay it off in full each month I was well within my credit. I spent a while buying an expensive new suit in the January sales, with a shop assistant fawning over me. When it came to pay, I handed my card over (knowing I had a credit limit more than £2000 over the cost of the suit and coat) only for it to be rejected. Shame is an understatement. Queue of people behind me and a shop assistant now convinced I am a petty thief. All because I tried to spend £300 in one transaction, rather than lots of £50 transactions.

There is a solution, and one which may shoot the credit card companies in the foot, but one I am heading towards more and more. Give up with the card. Credit cards are different, as they enable you to spend money you don’t have, but you can live without your bank card. This is the travel advice from ABTA on the BBC, to try and get round the problem of having your card blocked at random:

Take a range of payment methods. Take cash for immediate expenses, take two cards, preferably from different banks and take travellers’ cheques as well for extra security if it goes disastrously wrong.

Why go to all this trouble? The only reason you would take the cards is to spend your money abroad. If you take cards with cash and traveller’s cheques as “backup” you are mad. The card is a back up for the other two, but now you can’t trust it. If you have a backup you can’t rely on, it is worthless, so don’t take the cards. Go abroad with a bit of cash and traveller’s cheques. You don’t need anything else.

Equally, given the disastrous savings rates, you could probably live your day to day life cash only. Wouldn’t that be weird?

Just to show how effective the banks’ previous anti-fraud measures have been:

Card fraud is rising – up 14% in the first half of 2008 – and fraud abroad now accounts for 40% of all card crime.

Not very effective then. What is the future for these new checks? Will they learn enough to allow people to go on holiday? Will they work?

What we have seen with chip and pin – it was successful for 18 months, two years – the fraudsters have worked a way round it, so we are now looking at more sophisticated means.

So then, in 18 months we will be encumbered with a system causing us problems, making sure we can’t rely on our cards (defeating the purpose of them) and it won’t be stopping fraud.

Wonderful.

A big “d’oh,” maybe

It seems like only last week that I was whining that browsers were disintegrating like so many smashed plates at a Greek wedding. Oh yes, it was only last week.

Well it looks as if some of this may not be a unique personal experience but is caused by a vulnerability in IE. Microsoft’s Security Advisory describes the flaw they’ve just found. The way it seems to operate sounds uncannily like what’s happened to my browser in IE.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. (from Microsoft’s Technet)

“invalid pointer reference in the data binding function.” I understand all the words individually but I got lost as soon as I tried to understand them when they are linked together.

But, causing IE to “exit unexpectedly”. That sounds like what IE has been doing randomly for weeks. Often failing to release the memory that it was using – which I don’t find out until too late. I didn’t really consider that it might be a new form of browser attack. How naive is that? D’oh.
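What the advisory's wording means in practice, as an added illustration that is not part of the original post and is not Microsoft's code: an array of bound objects where one is released but the array's length is never updated, beside the corrected release. All names are hypothetical, and a `live` flag stands in for freeing memory so the stale slot can be counted safely instead of actually being dereferenced.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_BOUND 4

/* One data-bound element. `live` models "this memory is still allocated". */
typedef struct {
    int id;
    int live;               /* 1 = allocated, 0 = released (freed) */
} bound_obj;

/* The array the binding code iterates over. It trusts `length`. */
typedef struct {
    bound_obj *items[MAX_BOUND];
    size_t     length;
} binding_array;

static void binding_init(binding_array *a, bound_obj *pool, size_t n)
{
    a->length = 0;
    for (size_t i = 0; i < MAX_BOUND; i++)
        a->items[i] = NULL;
    for (size_t i = 0; i < n && i < MAX_BOUND; i++) {
        pool[i].id = (int)i + 1;
        pool[i].live = 1;
        a->items[i] = &pool[i];
        a->length++;
    }
}

/* Flawed release: the object goes away, but the slot still points at it
 * and `length` still counts it. Later iteration reaches released memory. */
static void release_buggy(binding_array *a, size_t idx)
{
    if (idx >= a->length)
        return;
    a->items[idx]->live = 0;        /* stands in for free() */
}

/* Corrected release: remove the slot and update the length together, so
 * no path through the array can reach the released object. */
static void release_fixed(binding_array *a, size_t idx)
{
    if (idx >= a->length)
        return;
    a->items[idx]->live = 0;        /* stands in for free() */
    for (size_t i = idx; i + 1 < a->length; i++)
        a->items[i] = a->items[i + 1];
    a->length--;
    a->items[a->length] = NULL;     /* clear the vacated tail slot */
}

/* Count slots within `length` that refer to a released object. In real
 * code each of these would be a read of freed memory. */
static size_t count_stale(const binding_array *a)
{
    size_t stale = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] == NULL || !a->items[i]->live)
            stale++;
    return stale;
}

/* Bind three objects, release the middle one, report what is left. */
size_t demo_stale(int use_fix, size_t *length_out)
{
    bound_obj pool[MAX_BOUND];
    binding_array a;

    binding_init(&a, pool, 3);
    if (use_fix)
        release_fixed(&a, 1);
    else
        release_buggy(&a, 1);
    if (length_out)
        *length_out = a.length;
    return count_stale(&a);
}

int main(void)
{
    size_t len;
    size_t stale = demo_stale(0, &len);
    printf("buggy release: length=%zu stale=%zu\n", len, stale);
    stale = demo_stale(1, &len);
    printf("fixed release: length=%zu stale=%zu\n", len, stale);
    return 0;
}
```
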

Not that that’s any excuse for Firefox. But I’m not convinced that FF is so magically free from being affected by the same attack attempts, that it won’t crash and die when it bumps into them, even if it doesn’t let an intruder in. In any case, I only ever use IE when Firefox has decided to commit suicide a few times.

I know that using Linux would mean that attacks like this would never work but it’s not completely intrusion-proof. This PC is pretty well on its last legs, as it is. It’s a few more bad reads away from hard disk failure, anyway. (And that’s in the not-completely “legacy” disk drive, not the really old disks that are also still in it.) The graphics card should be in the “Museum of graphics cards that were state of the art in 2003”. If I change its OS, my software won’t work, I’ll lose all my passwords, the cable connections will have to be reset and so on. When I’m forced to get a new PC, it will use Linux, but until then, no.

Microsoft’s Technet page warns site owners that SQL injection attacks might turn their sites into unwitting distributors for the malcode and directs worried site owners to scrawlr, a free HP tool that is supposed to check your site for SQL injection code. Every site that uses something like PHP is fair game for that.

So it sounds like a plan and the scrawlr page has a good cartoon. But I end up far from convinced there’s any value in downloading scrawlr, after reading the comments. Like this one from leon:

The comic is xkcd
The tool is useless, scrawl is entirely unable to detect even the simplest vulnerabilities, I went as far as pasting an example injection into the url bar and it okayed that!!! I also have an intentionally vulnerable site with local only access that we are using to configure our new IDS and it didn’t find a thing… seriously, if you take anything away from this, let it be the comic.

(That link is to the comic, in general. The scrawlr page has the relevant cartoon.)

MarkH says:

Doesn’t support POST forms or Javascript. In other words, this demo tool can’t actually test anything that any web developer would have written since, oh, say 2001.
Epic fail.

Doesn’t let you check POST forms? 🙂 I think I’ll pass, then.

A report on the BBC’s tech page had a “security expert” saying “don’t use IE” and Microsoft – unsurprisingly – warning against that particular course of action. 🙂

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.
“What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals,” he said. “It’s just a question of modifying the payload the trojan installs.” (from the BBC)

As soon as “security experts” start talking up threats, I tend not to believe them. 10,000 websites sounds as unconvincing as the UK government’s “30 terror plots.” And so far the exploit has stolen game passwords. Hmm. Hardly a cause to panic about your e-bay sales or your online banking, then. Do you care if you find yourself playing World of Warcraft alongside an unaccredited troll?

Still, Microsoft’s idea of advice doesn’t inspire much confidence, either.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

How exactly am I supposed to be vigilant? I could try to check every invalid pointer reference in the data binding function, could I? Even if this wasn’t so far over my head that I could call it an “umbrella”, IE would have to become Open Source before I could even hope to identify the databinding function.

I thought I’d already pushed the intrusion detection boat out by running Ethereal and Snort whenever I feel mildly obsessive. (And they piss me off because half the transactions that my computer indulges in can’t be fathomed anyway. So I stick to using them for purposes like getting my passwords off the traffic stream, in plain text, which is surprisingly helpful when I’ve forgotten them but annoys me all the same. Why on earth have passwords that are hidden from the bloody user by asterisks but easily readable by anyone with a packet-sniffer? Cue another rant.)

This “data-binding function” of IE needs a whole new set of skills that I really don’t believe would hold much entertainment value. So I don’t intend to get them. And “invalid pointers”? Can Microsoft or someone direct me to the Girl’s Big Book of Valid Pointers so I can be properly “vigilant”?

Privateers to battle pirates

Anyone who learned some Tudor history at school has probably heard of “privateers”. (Licensed pirates.)

Plus ça change etc. According to Voice of America,

Private Contractors May Protect Against Somali Pirates

Pirates have captured 20 ships in and around the Gulf of Aden so far this year.

Naval vessels from about 10 nations will soon be patrolling the waters off the Somali coast, trying to prevent pirates from hijacking cargo ships.

The international efforts may soon be extended to include “private contractors”.

Now, Blackwater, a firm providing thousands of private contractors in Iraq, is offering its services to battle pirates.

VoA (somewhat unaccountably) interviewed a Maryland college professor for a view on this. (Is Maryland twinned with the Yemen?)

“I think it’s important to note first that historically this has been done. In fact, several hundred years ago, when piracy was rampant off the coast of Africa, it brought English trade in that region to a standstill. And the East India Company actually employed private convoys to protect their ships from pirates.”

I will try to temporarily ignore the fact that “several hundred years ago,” English trade off the coast of Africa was the Triangle Trade (manufactured goods taken from England to Africa; slaves from Africa to the Americas; and sugar from the American plantations back to England.) All the same, this could hardly be seen as “trade” in any good sense.

I am also a bit confused by this particular historical parallel. The East India Company? My foggy memory of history had me thinking that the East India Company had something to do with India – indeed basically colonised India on a for-private-profit basis, not to mention caused any number of wars in its wake. Indeed, Wikipedia seems to share my delusion.

Maybe protecting the East India Company sounds a more respectable instance of the use of private naval warfare contractors than if you think of privateers in terms of the Pirates-of-the-Caribbean. Indeed, maybe, international co-operation can’t stamp out piracy in the Gulf of Aden. But in that case, what chance would an ad hoc private navy have?

More from VoA:

Cost of the private escort duty may outweigh the risk of sailing unprotected.
Berube says, “That would depend I think on the contracts themselves, but if you are a shipping company, for example, you would have to balance off the cost of providing that extra protection versus the potential loss of revenue… …
Berube says that his research shows most agree private contractors would provide escort duty and not hunt down pirates. “This is really simply just an extension of security that is already provided on some ships. We have armed riders for example. Some shipping companies are providing people on board to protect themselves from pirates,” he says.
He says, however, they must comply with international law, as well as local agreements.

Hmm, Somalia has been in a state of complete chaos on and off for a couple of decades. International law doesn’t seem very big there. If it was – there wouldn’t be any pirates…… Or the UN would be able to stamp out the piracy threat, using member states’ existing navies. Without recourse to any private navy. Anyway, what is international law on the high seas? Who enforces it?

Are international governments like cash-strapped Tudor monarchs, forced to pursue their international objectives through fortune-seekers who’ll do the monarchs’ dirty work while enriching themselves?

It’s not just 1984 any more. Welcome to the Realpolitik of the 15th century.

Fear, fear and more fear

It seems that some members of the government are not happy that legislation to allow innocent people to be sentenced to 42 days in jail failed. From the BBC:

[Security Minister Lord West] told peers that while some measures had been taken over the past 15 months to make Britain safer “this does not, I’m afraid, mean we are safe”.

He said: “The threat is huge. The threat dipped slightly and is now rising again with the context of ‘severe’, large complex plots, because we unravelled one the damage it caused to al-Qaeda actually faded slightly.

“They are now building up again. There is another great plot building up again and we are monitoring this.”

Now, I am not fully sure what Lord West’s point in all this was, other than he is a supporter (albeit in strange circumstances) of the 42 day internment detention plans.

With this in mind, it seems that Lord West is trying the age old trick of making people worried about a nebulous threat with the hope it will cloud their judgement. For this to work, you need to whip people up into a panic, then explain that “doing nothing” is bad so doing anything has to be good. (Sounds familiar)

As is often the case, this is massively flawed.

For longer than I have been alive the UK has been under threat of a “huge, complex” terrorist plot. Since we became weak and frightened (and the terrorists stopped looking like “one of us”) there has been huge spending on the security services along with a massive increase in technical and legislative procedures to surveil and control the public. All of this has been done on the premise that it would reduce the threat from terrorists.

Despite this, we are constantly told by the government that the threat is as bad as ever with what appears to be a steady state 200 terrorist networks operating in the country. Often (such as now) we are told the threat is increasing. The “Terrorist Threat Level” in the UK has been at Severe for around five years now with no signs it will drop.

Nothing we have done has reduced the threat from terrorist attacks. Nothing we have done has reduced the number of terrorist networks. Even when the terrorists kill themselves (such as at Glasgow) the numbers remain the same. Nothing has changed for the better (*), in fact the more laws we enact the more we hear “DANGER, DANGER” and the more we are urged for more sweeping legislation.

When will we learn – it is not working. Doing more of it won’t magically make it work.

If the huge anti-terrorist effort since 7/7 has made no perceptible dent in the terrorist threat, it really is time to find a different way.

However, as it seems the security minister (et al) are more interested in telling the House of Lords and the House of Commons the sky is about to fall on our heads, it is unlikely they have the time to think of a way to be successful. Instead, it seems they would rather pander to the readership of the Daily Mail and be seen to be “tough on terrorism.” The fact it is having no effect is, basically, irrelevant….

* I am aware the security organisations may be working in the background to prevent attacks and destroy terrorist cells – that is what they are there for after all. However, if they are being successful, why hasn’t the threat level changed and why aren’t we hearing that it is (even a little bit) safer today than it was yesterday?

A lesson in data control

An odd, superficially unrelated, lesson from the current global credit crisis is the crazy ideas people have been having about online services.

Over the last few years, there has been a growing trend in technology and internet magazines to promote the idea of online office applications and “renting” software that is held on a main server. The holy grail of this has been along the lines of using a remotely hosted system to edit and store your data in the manner of Google Documents.

This has some fantastic advantages – it is operating system independent (so might draw an end to the Linux-Windows wars…), it saves on having to purchase local software licences and data storage, it allows mobile workers complete access, it removes the need to have in-house admin staff etc. These are powerful advantages and even I use Google Docs, Basecamp etc. They really do have their place.

However, the big problem is pretty big.

You have no real control over what happens to your data. You can have all the service level agreements in the world, but when the s*it hits the fan, you have no real say over the matter. You may be able to take legal action, but if the company has gone bankrupt what good will that do you? Equally, how watertight are the user agreements you signed up to when you took on the service? If they go down at a critical time for you does that fall foul of their overall 99.98% uptime?

Drawing on the Icesave farce as an example, if you store all your data with a big company – we’ll use Troogle as a totally made up example – then it is great when everything works. But if, Thor forbid, Troogle has problems (financial, technical etc) then what real recourse do you have? Even if the company is in the same country as you, you may have less weight than you think – what value is there in suing a defunct company?

Fundamentally, giving your data / software to a third party company is a risk. We may have forgotten what that means in recent years, but it would be negligent to not take this on board now and refresh our mindsets. UK councils forgot that giving money to a bank to gain interest carried a risk because the risk had been (traditionally) so low. They ignored the fact that increased rate of return carried with it an implied increased risk and suffered as a consequence.

By all means use online storage, use online applications, etc. Just remember the risk is there and make sure you have considered it.

More MOD data goes AWOL

This week’s data-loss story is a Ministry of Defence hard drive that’s gone AWOL. Another example of the UK government’s seemingly bottomless commitment to freeing up access to its data, by distributing it at random around the globe.

Ministry of Defence, that was.

An investigation is under way into the disappearance of a computer hard drive which could contain the details of about 100,000 Armed Forces personnel.

And when it says detail, it means unencrypted detail:

There may also be some personal information including bank and driving licence details, passport numbers, addresses, dates of birth and telephone numbers.

Of serving members of the Armed Forces. Does information get much more personal? It’s not as if that sort of data would be any use to enemies in the ongoing TWAT. (*heavy sarcasm*)

How much confidence does that inspire in the security of the information they’ll have on us mere civilians, when the ID-card scheme includes us all? (*Rhetorical question*)

A commenter said in the Independent:

The MoD didn’t lose this data, EDS did. Nobody cares about data that isn’t their own. If this data had been handled in house and the work not outsourced it wouldn’t have been lost.

EDS is the MOD’s main IT contractor. Here’s their web page.

.. as an HP business group, EDS delivers one of the industry’s broadest portfolios of information technology and business process outsourcing services to customers in the manufacturing, financial services, healthcare, communications, energy, transportation, and consumer and retail industries, and to governments around the world.

The About us page has US contact numbers. It seems to have been written by someone from a Dilbert cartoon. Everything they do is “innovative” and their

high-quality, cost-competitive services are provided from the optimal mix of onshore, nearshore and offshore locations.

This determinedly shore-heavy focus may refer to their “related companies” (part-owned companies) which include companies based in the UAE, India (workforce: 28,000+), the USA and other unspecified locations. One provides “Benefits, Payroll and other HR Administration services to more than 34 million active and retired employees from its client organizations.”

On the 8 September, 2008, prison officers were disturbed about EDS’s loss of their personal data, to the point of threatening a strike.

At that time, Computer Weekly pointed out that EDS already had something of a track record in the data-loss area. The Burton Review Report, published in April 2008, looked into an earlier loss of MOD personnel data, in which EDS were involved.

One of the themes emerging from the Strategy for Transformational Government (2005) was the increased emphasis on sharing services, particularly in information and infrastructure. The Armed Forces have been early pioneers of this approach, through a range of Private Finance Initiative (PFI) and Public Private Partnership (PPP) contracts. (from page 4, Burton Report)

Hmm. Need look no further for the culprit methinks: the whole process for giving out PFI and PPP contracts.

You might assume that the UK must be desperately short of cash, if it’s prepared to hand over its most crucial information to any company that offers to undercut government employees, while providing a better service and still making a profit. (Well, it must sound convincing to UK governments.) But, it seems that the UK government has a bottomless pit of money for bailing out banks, so shortage of cash can’t be the reason.

If you are interested in looking up the track record of other private companies that keep public data, datalossdb.org could fill in an obsessive hour. Type the name of your chosen PFI company and see what turns up.

Bank Security?

Here in the UK things such as ID-theft and bank fraud are “big news.” It feels like almost every day there is a news item about the government or large organisations losing personal data or a scare about how many people are out there stealing our online banking details. While I have a professional interest in people worrying about information security (and will provide a wonderful consultancy service for a discount if you quote WhyDontYou Blog) I have to say there is more than a small dose of hype and overkill in this.

That said, there is a risk and it is only sensible that people are aware of the potential risks and given the correct advice to mitigate against them.

The important bit is the “correct advice.”

In the UK at least, the banks are largely responsible for making good any fraudulent use of an account unless they can prove it was the account owner’s fault. This is a good thing and while the banks will suffer a bit because of some stupid people, the majority of “innocent” victims are protected.

Obviously the banks don’t like this. They could take measures to improve their banking security or they could take measures that give a superficial improvement but, on the whole, only shift the burden onto the account holder. Not too long ago, in the UK, if you wanted to buy something with a card you had to sign to prove who you were. The shop owner compared this with the signature on the card and verified your ID – if they were in doubt, they could seek additional documentation. Despite what people think, signatures are hard to forge. This method also forced the shopkeeper to physically check the card and read the details.

Despite this, there was still some residual fraudulent activity so the banks changed the process to “Chip and PIN” where you now enter your card into a reader and type in a 4 digit PIN. Wonderful. This is a reasonably secure system but it has a few pitfalls. The most basic is that the shop staff often have no contact with the card during the transaction. This means they don’t carry out the basic authentication check of seeing if the person before them is the owner of the card. My wife regularly uses my credit card to shop, because nowhere we go checks that the person in front of them is Mr **** ****** despite it saying that on the front of the card in big letters. This is less important because the 4 digit PIN becomes the safeguard, but basically, it makes it easier to pass off a cloned / fraudulently created card – 4 numbers are reasonably easy to find out or, if the card is “created” then they are irrelevant. As far as security goes, this is (largely) marking time. But it does the important task of moving the burden away from the bank.

The latest brainwave the banks have come up with actually annoys me.

Barclays Bank has decided to implement “PINsentry” when you log into their online banking or try to make online payments. Wonderful idea. Well, maybe.

In a nutshell, they have sent everyone a card reader that you use when you log in. To do online banking, you enter your password (etc) as normal, then you have to enter your card into the reader, get an authorisation code and enter that. All well and good – in fact this is a wide scale implementation of a time-worn authorisation system. Previously the entry system was username+password, then a “secret” code. Now the secret code has been replaced by this token generation system.

The problem is that it undermines one of the reasons you do online banking. For me, I like to use online banking from various locations – I often use it from work and if I am travelling. If I were a Barclays’ customer I would now be forced to carry this bloody stupid PINsentry device around with me. Should my bag be stolen, the thief would have my card and the PINsentry, defeating any security improvement it gives.

From the bank’s point of view, however, it is a good idea. It shifts the burden of blame in the event of a fraudulent transaction. Now you have to prove your PINsentry was compromised, not them having to prove their systems were not compromised.

This is not a good change. It doesn’t really make your transactions any more secure. It just makes you more to blame if something goes wrong. (Even, I suspect, if the bank has sold your details on eBay…)

Blame the Cold War

Yet another “downside” of the thawing tensions between East and West was announced on the BBC today. Sir Edmund Burton was investigating the MOD’s woeful inability to prevent laptops going missing, and one of his conclusions was reported as:

Armed forces recruits from the “Facebook generation” do not take data security seriously enough, a Ministry of Defence security probe has found. (…)
In a highly critical report, he says the MoD had lost its Cold War discipline for data security and there was “little awareness” of its importance among staff. As a result a major security incident had been “inevitable”.

I sort of agree in that such a loss was (and still is) inevitable. However, I am not convinced it is as clear cut as the “Facebook” generation or the end of the Cold War.

First off, most of these breaches are not made by inexperienced recruits – they are not the sort of person who carries a laptop around with huge amounts of classified material. The people who do this are senior members of staff (even MPs…). I doubt Hazel Blears is part of the “Facebook” generation – she simply had material on her machine that shouldn’t have been there and it got stolen. The MOD losses are similar.

Portable IT equipment is a high value target for thieves; by its very nature it lends itself to being carted away easily. Of course people will try to steal things like this, so any security plan must take that as an assumption and build from there (such as not putting unnecessary data there in the first place…). It is not the Cold War’s fault for having the barefaced cheek to end.

The larger “issue” in all this is that, despite the poor record, our government is continually trying to record and store more and more data on its citizens. Imagine the security compromise possible when a laptop containing 25,000,000 (not a made up number) people’s ID card details goes missing…

Remind me again why ID cards are good?

Rights fading away

If you hadn’t already noticed, I am a keen hobbyist photographer. I love going out with my family and taking pictures of everything around me. This is pretty harmless and it gives us nice pictures to hang on the walls or foist off on relatives in place of Christmas and Birthday presents. As a pastime, there could be much worse.

Being interested in photography, I always considered myself lucky that I was born in a democracy where people are basically free to indulge in their hobbies and predominantly interested in landscape photography where you don’t have to ask someone to smile.

It seems, however, I was actually quite wrong and it is only my tendency for landscape shots that keeps me on the right side of the law. Despite our “evil freedoms” being abhorrent to the nutcases like Usama Bin Laden, we actually have a lot less than you would think. Actually, that isn’t true (yet) but I will come back to this.

Two news items from this week’s Amateur Photographer magazine give pause for thought about our “rights” and freedoms. The first is a worrying incident in the land of the free:

A TV crew filming a story about photographers being harassed at a US railway station were stopped by security and told to switch off their cameras. (…) Tom Fitzgerald, a reporter for Fox 5 television, was interviewing the chief spokesman for rail operator Amtrak when a security guard ordered the crew to stop filming. Ironically, the spokesman had apparently just confirmed to the reporter that photography was, in fact, allowed.

It continues to mention that this is not an isolated incident (flickr discussion) and the madness that “moves are afoot to introduce draft legislation designed to protect the rights of photographers to take pictures.”

It is doubly ironic that they tried to put paid to the film crew filming the company spokesman saying filming was allowed. What better example of corporate non-communication could there be?

The Amtrak Goons are insane, but are not alone. We have a similar problem in the UK:

Olympics 2012 bosses have apologised to photographers who complained about heavy-handed treatment by security guards at the East London construction site. The Olympic Delivery Authority (ODA) came under fire after two amateur photographers complained following a confrontation outside the site on 3 May. Louis Berk and Steve Kessel say they were left feeling intimidated after guards demanded to see their identification. ODA spokeswoman Laura Voyle said the guards approached the photographers ‘to investigate a report that they had been seen within the Olympic Park boundary’. However, the pair insisted they had been on a ‘public pavement’ and had not ventured onto the Olympic site itself. (…) And [Olympics Security Manager] promised to conduct a ‘review of instructions on how they will deal with issues relating to photography’. (…) However, [Louis Berk] does not feel reassured, telling us: ‘What concerns me is that I still don’t know if the ODA realises that suspicion of taking photographs of their property from a ‘public place’ is not a cause for intervention by the guard force.’

There is more madness around the 2012 London Olympics but this highlights the current problem.

In a nutshell, both instances were the result of private Security Guards not being aware of the rules regarding their location. This is down to poor education by their employer. In the UK you can photograph almost anything (some locations are exempt under the 1911 Official Secrets Act) from a public place. If you can see it, you can photograph it. Kind of makes sense really. It is different if you are on private property, but 90% of the time the property owner will give permission. Again, it makes sense. I can only assume the law is similar in America.

What is worrying is that both instances show people have a default setting of STOPPING photography. I will be charitable and say neither organisation put out instructions to annoy members of the public (including tax payers who paid for the bloody Olympic-farce) so the security guards must have assumed the camera was a security threat. Over the last few months there have been lots of occasions where over zealous guardians have taken offence at people trying to take photographs, even in (weirdly) popular tourist destinations like Trafalgar Square. I have read claims that people were questioned because they could be “terrorists doing reconnaissance” (with an overt camera and tripod – good job Johnny Foreigner isn’t clever enough to use a mobile phone camera…) or other equally spurious risks (there were children present etc..).

The problem is, these fears (and certainly this one in particular) are nonsense. Bruce Schneier, BT’s chief security technology officer, recently wrote an excellent article for the Guardian where he dismisses most of these fears. The article is really, really worth reading even if you aren’t a photographer – there are many more “freedoms” at risk from our apathetic approach to them and “terrorism.” Schneier has an interesting theory that this madness where we fear long-lens cameras is because it is a “Movie Plot Threat.” Also worth reading.

Sadly, it may well be too little, too late for our society. We fear that the evil Islamic terrorists will destroy our culture, so to “beat” them we destroy it ourselves. Well done us.

Civic Duty

It seems that not only is the UK full of people too stupid to realise that 42 days detention of innocent people is a BADTHING©™®, but it is also full of people with a weird idea of what to do when something, which is a potential threat to national security, happens.

The second main news item on the BBC now (after the travesty of 42 days) is about the government losing some top secret documents on a train. Now, I am not going to harp on about the irony that a government that wants to intern people for six weeks is staffed by people who can’t look after a document for a sixty minute train journey. That would be too obvious 🙂

What really intrigued me is the actions of the member of the public who found the documents. Did they, upon seeing the MOD and Government headers and top secret classifications, go straight to the police and report this heinous breach of national security?(*) No. Did they, on realising a crime had taken place, report it to the police? No. Did they, in fact, do anything which could be described as fulfilling their public duty? Not really, no.

What they actually did was give it to the BBC security correspondent. Yes, they did not just turn up at the BBC and say “here you go”; they actually made enough arrangements to find out who the BBC security correspondent was (I have no idea and can’t be bothered to look it up), then went to the BBC to hand over the documents. Madness.

What sort of world do we live in where 65% of people want innocent people locked up but don’t have the sense of civic duty to hand top secret documents in to the police, preferring to give them to the media….

* Top Secret apparently means “Information and material the unauthorized disclosure of which would cause EXCEPTIONALLY GRAVE DAMAGE to the nation (UK).” (source)

Cameras and Security

A comment on a recent post, by someone apparently called Video Surveillance, got me thinking about some common misconceptions. In case you are wondering, the link I munged goes nowhere of any value – it certainly doesn’t continue the “story” begun in the comment.

The odd thing is one of the concepts the commenter (bot?) has brought up. Do video cameras make you safer?

With crime on the rise many people and businesses are looking for added security.

Well, I agree with this. There is a very strong argument that crime being on the rise is a misleading claim, but the fact is people think crime is on the rise, so they are looking for added security. Sadly, people who are easily misled into thinking crime is on the rise, are also easily misled over how to improve their security.

Video surveillance is one of the top ways to improve the security of your belongings and loved ones.

Well, after a good start, we get this amazing claim. Here I strongly disagree. This is the standard “marketing” crap pushed out by people selling woo to the public. Tell them they should be scared, then lie about your product solving their fears.

As with all the best lies, there is an element of truth. As part of a robust security package, video surveillance will improve your overall security, slightly. I am not sure what “top ways” means, but it certainly is not the “best way” or the “most cost effective way.”

Security is a many headed beast, and it will mean different things to different people. The best that can be claimed about video surveillance is that it offers a “deterrent” effect in that people who SEE a CCTV camera may be less inclined to commit a crime because they know the chances of being caught AFTER the event are slightly greater. The same can be said about a robust lock or a big thick door, however. A functioning, real, burglar alarm which is actually responded to is more effective than a CCTV system.

Here we hit a crux of the problem. For CCTV to be anything other than an “after-incident” investigation tool it has to be monitored 24/7 by people capable and willing to respond to an incident within an effective time scale. I could set up the best CCTV system in the world to monitor my house, but if I didn’t lock the door when I went on holiday it would be useless. CCTV is defeated by the simple expedient of wearing a hood – what sort of security system is that? Without monitors and responders it is the most pointless security system (do you really want to watch a video of someone breaking into your house?). With monitors and responders it becomes prohibitively expensive.

All in all, selling CCTV as “security” is tricking fools out of their money. CCTV has value in identifying criminals and will have some deterrent effect but it certainly is not a remotely cost effective method of improving your security.

If you want real, tested, cost effective security advice, my rates are reasonable 🙂

Photographers become new enemies of the state

Greetings, any time travellers who’ve accidentally crash-landed in the present. If you’ve come from ten years ago, say, you really have my sympathy. You may find some things are a bit of shock. I bet this little story will come as a surprise, for a start, but this is just one of the subtle but wonderful improvements we’ve made to your superficially identical world.

Labour MP Austin Mitchell has tabled a Parliamentary motion in support of photographers’ rights.

As a time traveller, you may have idly wondered about the elongated metal rectangles and darkened globes that you see everywhere. They are not uninspired art pieces. These are cameras. CCTV cameras. They don’t need any “rights” because they already have them all. (They are theoretically under the control of some data protection law that says you can have any footage of you but Dom Joly showed, on television last week, that you have a 0 out of 35 chance of getting it.)

It turns out that it’s only the meat-based photographers who are short of rights. The humanoids with visible cameras, with lenses and lens caps and a carrying strap and a bag full of odds and ends. These humanoids are increasingly being challenged for taking pictures. Camerabots are free to take pictures of whatever they want. I think it’s guaranteed in Asimov’s Fourth Law of Robotics or something.

The BBC page mentions a photographer who was stopped from taking a picture of a soap star switching on Christmas lights. (I will pointedly not wonder why anyone wants a picture of a Y-list celeb showing that they are capable of operating an On switch.)

The 49-year-old started by firing off a few shots of the warm-up act on stage. But before the main attraction showed up, Mr Smith was challenged by a police officer who asked if he had a licence for the camera.
After explaining he didn’t need one, he was taken down a side-street for a formal “stop and search”, then asked to delete the photos and ordered not to take any more. (from the BBC)

A licence? To take pictures in a public place? Where do we get these handy licences? I might need to pick one up when I get my next mp3-player operation licence and my permit to read on the bus.

Even Austin Mitchell has found that he’s been stopped from taking pictures:

Mr Mitchell, himself a keen photographer, was challenged twice, once by a lock-keeper while photographing a barge on the Leeds to Liverpool canal and once on the beach at Cleethorpes.
“There’s a general alarm about terrorism and about paedophiles, two heady cocktails, and police and PCSOs [police community support officers] and wardens and authorities generally seem to be worried about this.” (from the BBC)

The BBC shows a Metropolitan police poster that asks the public to be vigilant about people taking photographs. (I couldn’t find mention of it on their website.) Hmm, that will be people taking photographs in public in London. That was “London”: a popular (if sometimes inexplicably so) global tourist destination. Tourists: you know, the ones with the cameras.

And the shamelessness of constantly using the terrorist/paedophile-kneejerk-panic-effect to get us into line. Terrorists with any intelligence would take their pictures on a phone camera or a hidden camera. They wouldn’t walk round with a big obtrusively-lensed Nikon slung round their necks. And I suspect that there is nothing magic about photos for paedophiles, either. If they can see a kid in the street, they can see a kid in the street, whether or not they’ve taken their picture. Do kids magically become invisible to paedophiles when they aren’t in digital format?

*********Asides – related and random***************

1. In a charming irony, there is an incredibly expensive (£250 million, almost $500 million) and laughable plan to get all the Metropolitan police electronically tagged, like so many absconding juveniles. Who watches the watchers indeed? Well, you can watch them with a GPS but you’d better not take their pictures.

2. The Mr Smith story above reminds me of the orchestrated Daily Mail-style clamour for an extension of “stop and search” powers. This man was pulled out of a crowd and searched, apparently on the basis of being in possession of a photographic device with intent to use it.

It’s pretty obvious that Mr Smith didn’t look “a bit muslim” (unlike Jean Charles de Menezes) or the story might have been much worse. And just imagine what would have happened if he didn’t understand enough English to know that he was being “stopped and searched” so he’d just carried on taking pictures at will.

3. This blog gets many more hits when we don’t actually post. (That speaks volumes for the quality of the prose. Yes, I know.)