Sunday 27 September 2009

The birth of the mobile phone and PCI payment

The BBC today released several archived clips from Tomorrow's World (their long running future technology program).

I was so taken with a couple of these clips I thought I would post them.

The first, from 1979, shows a new technology called a 'radio mobile telephone' sending 'digital packet data'; I felt the need to post it. See the video here.... We have come a long way but, in some regards, full circle with this 'analog' dial app for the iPhone.

The second video is of the first PCI-type payment system, from 1969. Observations of vulnerabilities, please form an orderly queue. See the video here...

Thursday 3 September 2009

Nearly half of Brits use the same password for all accounts

A new password/log-on survey of 1,661 Britons for CPP has produced some very poor (but perhaps not surprising) findings:
  • 46% use the same password for their banking, shopping and social networking
  • 54% use a variant of the same password
  • The average person visits 23 sites per month that require a password
  • 40% admit that someone else knows their password; of these, 39% believe those people may have logged in using their credentials!
  • 18% use their pet's name for a password
  • 12% use memorable dates for a password
  • 10% use their children's names for a password
  • 9% use their mother's maiden name for a password
A good way to look at electronic security is to make the analogy with physical assets. You would not use the same key for your office, car, home, parents' house, safe-deposit box etc., so it is probably very wise not to use the same password!

One method of risk reduction is to take out and use a single credit card for all your on-line purchasing. Keep the limit on this card low and make sure you check the statement in detail. This can significantly reduce your on-line fraud exposure.

One must consider that if you are using the same password for multiple systems and platforms your risk of being compromised goes up exponentially: a breach of any one of them exposes all of the others.

If you and your company are lost in a sea of inappropriate password practices and don't know the way out contact FaberBrent now.

Wednesday 2 September 2009

$27 billion lawsuit could fold due to $50 covert surveillance device

In what may be the deciding twist in a 16-year, $27 billion lawsuit between the oil giant Chevron and the country of Ecuador, covert video recordings have been released. These videos (and audio recordings) appear to implicate Ecuadorian politicians and officials (including possibly the judge overseeing the case) in potential wrong-doing.

The recordings appear to suggest that a $3 million bribe for environmental clean-up was obtained (or was being sought) and that the damages had been pre-decided.

What is a real eye-opener is the cheapness and effectiveness of the mass-produced 'spy cameras' used in this incident. Two main types were used: the 'spy pen' (here on Amazon UK from £14.99 and eBay from £15.49) and the 'spy watch' (here on Amazon UK from £29.99 and eBay from £23.49). These kinds of devices are now being produced in the millions per year (predominantly in China) and most can happily record 2 hours of audio and video.

If you are concerned about your privacy (or where the millions of covert video recorders are) contact a counter-surveillance specialist (like FaberBrent) to help mitigate this ever growing risk.

Chevron have published the actual videos and full transcripts here...
New York Times article here...

Wednesday 26 August 2009

Shocking - The DWP do not keep records of how many times your data has been abused

The Department for Work and Pensions (DWP) has admitted (when asked) that it compiles no data on how often the Customer Information System (CIS) database is breached or inappropriately accessed.

There are around 200,000 personnel who routinely use the database.

"Central records are not maintained of this information and thus it is not possible to answer your request without collecting this information," the DWP told Computer Weekly in answer to a Freedom of Information request. It said collecting the information would be too costly.

The CIS is the biggest central government database of all of our information. How it can treat our data with so little respect beggars belief. Over to you, ICO.

Tuesday 25 August 2009

Met Police report shows CCTV costs £20,000 per single conviction - how many would an extra officer get per year?

An internal Met Police report has raised very serious questions regarding the value of CCTV as a cost-effective crime fighting tool.

We have yet to see the full report but the headline is that they have seen one conviction for every 1,000 CCTV cameras. They have equated this to £20,000 per conviction.

Since we have 20% of the world's CCTV cameras in the UK (but only 1% of the world's population) one could argue that this is the perfect environment for a meaningful study.

The question is how many crimes an average police officer concludes (or provides evidence leading to a conviction for) each year. If it is more than one (and we suspect it is) this money is almost certainly better spent on actual Police Officers (starting wage for a Constable: £22,680 PA).

"But CCTV is a great deterrent" - well... not in most cases. For the dedicated criminal there are many ways to bypass it:
1. Wear a baseball cap or 'hoodie' - we have seen countless hours of footage showing crimes being committed by people with a cap on or their hood up. This negates the majority of useful evidence from any camera above eye-level (which most of them are).
2. Physically disable the cameras - spray paint, wire cutters, big stone, hammer, pointed stick etc.
3. Electronically disrupt wireless cameras - a more recent development but jamming equipment is very cheap and will easily disrupt any wireless camera (jammers are available for less than £100). Of course, you are not relying on wireless cameras for any of your mission critical functions?

Monday 24 August 2009

Charity offices bugged

Reports coming out of Oklahoma City are claiming that police are investigating the alleged bugging of three offices of the $1 billion-a-year charity Feed the Children.

It is suggested that the bugging may be related to an executive power struggle. NB - In our experience the use of covert devices is rife in employment/labor disputes.

The devices used were professionally installed and discovered by a TSCM specialist.

This is the third time in 12 months that we have come across bugging in a charity environment. If you run a charity or NFP organisation and need advice contact FaberBrent.

Mobile-phone handset complexity - the criminal's friend.

In two related stories we have been told that one in four Brits owns more than one mobile phone, and that mobile phone manufacturers are not providing significant co-operation with law enforcement to help unlock data from suspected criminals' handsets.

Firstly, the multiple-mobile syndrome. This is a significant security risk. The amount of data we now store on our devices is comprehensive (including passwords, account numbers, passport numbers, home addresses, family names, business contacts, children's schools, client lists, appointments etc.). How many of us can say that we fully wipe every old device (both phone and SIM) when we no longer need it? Does your company have a policy for dealing with this? Is it OK for your employees to have business information on personal mobiles? When your provider upgrades your phone do you give the old one straight back? ... there are many questions to be answered. A final concern on phones is that the more phones you use, the higher the risk that you suffer a 'SpyPhone software' attack.

Secondly, we are told that there is not sufficient co-operation in the UK by handset manufacturers to help law enforcement unlock mobile devices to retrieve potential evidence. It does seem a bit ridiculous that the UK taxpayer is funding reverse engineering of code that is freely available from the manufacturers. Perhaps a little legislation may be in order here. At a minimum we need to prevent the completely anonymous availability of Pay As You Go SIMs and phones.

Monday 17 August 2009

The security lessons from Britain's largest jewellery robbery

You may be wondering what a £40 million armed raid on a high-end jeweller's store in central London has to do with InfoSec?

Well, in the last few days it has been revealed that the robbers were caught on CCTV 2 days before the robbery, outside the shop 'checking things out'.

So what we had here is pre-planning. This is a common part of all theft (including data theft); whilst there is opportunist crime, it is the exception rather than the norm.

Now, we are not second-guessing this particular situation, but there may have been a window for prevention. One possibility: when they pulled up outside the shop two days before, the security guard could have approached them and asked something like "Can I help you?". The simple act of engaging during the information gathering or 'hostile reconnaissance' stage may have been enough to deter the attack. Their reaction to the question may also have raised the security guard's suspicion and caused him to brief the other staff to be on the look-out for these men.

How does this relate to InfoSec? Create a positive culture of security understanding and ownership, check your logs proactively, set up rules and identify behaviour 'out of the norm'. Be proactive and follow up anything out-of-place in a timely manner. Engage your end-users, speak to them and encourage a culture of 'eyes and ears'. Help them understand the threats in 'plain English'.

Prevention is always better than reaction.
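To make the "check your logs proactively and identify behaviour out of the norm" advice concrete, here is an added example (not code from the original post or from FaberBrent) of the log-side equivalent of the guard asking "Can I help you?" during the reconnaissance stage. It builds a per-user baseline from a constructed access log (the log format, user names, IP addresses and resource paths are all assumptions) and then flags three kinds of out-of-norm activity: a login from a source never seen for that user, activity at an hour that user has never worked, and a short burst of access-denied requests across many different resources, which is the electronic counterpart of someone 'checking things out'.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not from the original post).
# Fields: timestamp, user, source IP, resource, HTTP status.
SAMPLE_LOG = """\
2009-08-10T09:02:11 alice 10.0.1.15 /crm/accounts/1042 200
2009-08-10T10:01:03 bob 10.0.1.22 /hr/payroll 200
2009-08-10T11:20:55 alice 10.0.1.15 /crm/accounts/1187 200
2009-08-11T09:10:12 alice 10.0.1.15 /crm/accounts/1042 200
2009-08-11T10:30:00 bob 10.0.1.22 /hr/payroll 200
2009-08-11T14:05:09 alice 10.0.1.15 /crm/reports/weekly 200
2009-08-12T03:14:27 bob 203.0.113.7 /hr/payroll 200
2009-08-12T03:15:02 bob 203.0.113.7 /hr/employees 403
2009-08-12T03:15:19 bob 203.0.113.7 /finance/ledger 403
2009-08-12T03:15:33 bob 203.0.113.7 /crm/accounts/1042 403
2009-08-12T03:15:48 bob 203.0.113.7 /admin/users 403
2009-08-12T03:16:01 bob 203.0.113.7 /admin/backup 403
2009-08-12T09:05:40 alice 10.0.1.15 /crm/accounts/1042 200
"""

# Everything before this instant is treated as "normal" history for the baseline.
BASELINE_END = datetime(2009, 8, 12, 0, 0, 0)


def parse_log(text):
    """Turn the space-separated log lines into dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, resource, status = line.split()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "ip": ip, "resource": resource, "status": int(status),
        })
    return entries


def build_baseline(entries, baseline_end):
    """Per user: the source IPs and hours of day seen during the baseline period."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in entries:
        if e["ts"] < baseline_end:
            baseline[e["user"]]["ips"].add(e["ip"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def detect_anomalies(entries, baseline, baseline_end,
                     window=timedelta(minutes=2), probe_threshold=4):
    """Return one alert per (rule, user, context) for activity after baseline_end.

    Rules:
      new_source   - source IP never seen for this user in the baseline
      unusual_hour - hour of day never seen for this user in the baseline
      probing      - >= probe_threshold distinct resources denied (401/403)
                     within `window`; the 'hostile reconnaissance' signal
    """
    alerts, seen = [], set()
    denied = defaultdict(deque)  # user -> recent (ts, resource) that were denied

    def raise_once(key, entry, detail):
        # Deduplicate so a noisy session produces one alert per rule/context.
        if key not in seen:
            seen.add(key)
            alerts.append({"reason": key[0], "user": entry["user"],
                           "ts": entry["ts"], "detail": detail})

    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["ts"] < baseline_end:
            continue
        user, ts = e["user"], e["ts"]
        profile = baseline.get(user)  # None for a user with no history at all

        if profile is None or e["ip"] not in profile["ips"]:
            raise_once(("new_source", user, e["ip"]), e, f"source {e['ip']}")

        if profile is None or ts.hour not in profile["hours"]:
            raise_once(("unusual_hour", user, ts.date(), ts.hour), e, f"hour {ts.hour:02d}")

        if e["status"] in (401, 403):
            q = denied[user]
            q.append((ts, e["resource"]))
            while q and ts - q[0][0] > window:   # drop denials outside the window
                q.popleft()
            distinct = {r for _, r in q}
            if len(distinct) >= probe_threshold:
                raise_once(("probing", user, ts.date()), e,
                           f"{len(distinct)} distinct resources denied in {window}")
    return alerts


def run_demo():
    entries = parse_log(SAMPLE_LOG)
    return detect_anomalies(entries, build_baseline(entries, BASELINE_END), BASELINE_END)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['ts'].isoformat()} {a['user']:<6} {a['reason']:<13} {a['detail']}")
```

On the constructed log this raises three alerts, all for `bob`: a never-seen source address, activity at 03:00 when his history is all mid-morning, and a probing alert the moment the fourth distinct resource is denied inside two minutes. Alice's normal morning access raises nothing, which is the point: the rules are built from each user's own history rather than a global threshold, so 'out of the norm' means out of *their* norm. The baseline split and thresholds are deliberately simple so they can be tuned against your own logs.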


Labour MP and Dutch VIPs suffer website data leaks found by a Google search

In unconnected incidents there have been two recent cases of unprotected data being exposed by poor website administration.

These are both excellent examples of why you should employ independent third-party security testing for your website (and all your other security systems).

An untested security system is a false sense of security.

Black-hatter shows how to utilise memory in Apple keyboard to create a hardware key-logger

K. Chen at the Black Hat conference this year demonstrated a proof of concept: he could use the spare memory in an Apple keyboard to run a rudimentary key-logging script. Whilst this is interesting, it is only really a proof of concept.

What is of far more concern is the existing hardware key-logging devices (pictured) that will record 2 years' typing for an average user. BTW, these are invisible to all available anti-virus and hardware monitoring software and can only be found by a physical search of your keyboards and computers.

This is a risk that costs $70 and can create a very serious exposure. If you are concerned that your computers have never been checked for malicious hardware contact FaberBrent for help.

How to be a Corporate Mole ...and how to spot one

OK, by no means a comprehensive guide, but the thing we found interesting is that this kind of role is becoming part of the public landscape.

Published by eHow (along with how to do just about everything in an amateur, half-arsed fashion)... probably a bit harsh, there is some good stuff in there (we just wouldn't advise risking your job/life on their spying advice).

Monday 10 August 2009

UK Govt spied on more than one in every seventy-eight adults in 2008!

Today Sir Paul Kennedy, the Interception of Communications Commissioner, released his report on the number of surveillance requests in the UK in 2008. It has been revealed that Councils, Police and other organisations made 504,073 requests to monitor communication "traffic".

The Liberal Democrat home affairs spokesman Chris Huhne said: “The sheer numbers are daunting. It cannot be a justified response to the problems we face in this country that the state is spying on half a million people a year. It beggars belief that it is necessary to spy on one in every 78 adults. The fact that numbers are up a half on two years ago makes a mockery of the Government’s supposed crackdown."

Whilst no-one would object to legitimate law enforcement needs, the scale of this surveillance may lead to opportunities for abuse (as we have seen here).

It is worth noting that the vast majority of these requests are from the police and security services, only a small percentage are from local councils. More discussion on this topic here.

Of course these are the 'legitimate' requests. This does not account for all the operations that require 'rule bending', let alone all the illegitimate and illegal surveillance devices sold in the tens of thousands in the UK each year. Add on to that spy-ware and trojan viruses monitoring our computers, and spy-phone software using your mobile phone as a listening device. Oh, and let's not forget the 3.2M CCTV cameras in the UK, where in most cases no checks are required to monitor them.

If you are concerned about your privacy, both business and personal (and many of us are) contact FaberBrent for help.

Sunday 9 August 2009

Nine Local Authority workers sacked for illegally accessing records on Govt Customer Information System database

Following a Freedom of Information request by Computer Weekly it has been revealed that nine local government employees have been sacked for illegally accessing personal details held on the Customer Information System (CIS) database, part of a linked-up network of systems which constitute the government's planned national identity database.

There are around 200,000 people with access to this database; one may wonder how proper checks and measures can really be implemented. Of course, the nine mentioned are the ones that got caught.

UK ID cards - hacking debate rages on - is it just a super-database by stealth?

There has been a heated debate regarding the security of the new (non-compulsory) UK ID cards.

The Daily Mail ran a comprehensive article on how their expert analysed, decrypted, modified and recoded the RFID chip. He was able to change a range of details including 'Entitled to benefits'.

We have always argued that (at best) an ID card proves an innocent person innocent and (at worst) gives an illegitimate person instant credibility.

The Home Office have rubbished these reports: "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson. A very brave statement in our opinion!

There have been accusations that the Home Office doesn't care about the security of the card, as the card itself is not relevant, just a vehicle to build a mass database. Looking at the apparent ease with which these cards were cracked, this accusation does seem plausible.


Half of UK firms have redundancy plans - why is this a security challenge?

A new survey by the British Chambers of Commerce reveals that one in two UK companies has plans for potential redundancies in the next 6 months.

Whilst this is probably not a business surprise, there is a significant security risk here. Should these plans be leaked there could be serious consequences, including union action, share price hits, key staff leaving, a drop in customer confidence etc.

There have been many documented incidents of covert surveillance usage in labour disputes and conflicts. One battle-hardened CEO told us that whenever he is dealing with Unions he works on the basis that 'everything is being recorded'.

If you have redundancy contingency plans (in place or being developed) contact FaberBrent to help understand and mitigate some of the potential risks.

Monday 3 August 2009

How to unshred a document

For the first time a software package is publicly available that is designed to rebuild shredded documents.

If Unshredder proves to be effective it will, no doubt, soon become a staple of investigators and general snoopers everywhere.

If you need help disposing of your confidential information contact FaberBrent.

Skype - spy vs spy and how the uncrackable service may be dismantled

Skype is currently very hard to intercept and decrypt. This has been a frustration for many security services.

It now appears that the ongoing dispute between Skype's founders may lead to eBay (current owners) redesigning the core technology (due to the IP dispute).

Any reworking of the code will be very welcome news for security services who apparently can't easily decrypt and/or intercept the current version.

Conspiracy stories... please form an orderly queue.


Clampi - the biggest Trojan virus yet?

It is being reported that Clampi may be the biggest and most effective Trojan type virus yet seen.

Thousands of the world's top businesses have been targeted for deployment and attack.

Joe Stewart (Director of Malware Research with SecureWorks) has been researching Clampi for 2 years. He said: "We weren't all that worried about Storm, and we weren't all that worried about Conficker, this one you need to worry about."


iPhone SMS vulnerability patched in less than 24hrs

In a positive example of exploit disclosure, Apple have patched the SMS vulnerability (announced at the Defcon conference last week).

Within 24hrs an update was available to fix the problem.

Now, when will Apple fix the far larger security vulnerability plaguing the iPhone (in contradiction to their marketing for the current version, which supposedly has 'enterprise level' security)?

Do you believe everything you read - was MI5's website really hacked?

Last week the Daily Express reported that the MI5 website was hacked and visitor data was stolen. This story seemed a little far-fetched and indeed was not very accurate at all.

It turns out that a technical vulnerability was pointed out and duly fixed. The concept that MI5 would keep confidential data at the front-end of their public website should have seemed a bit unlikely, even for the Express.

I wonder when they will print the correction....