Sunday, 9 August 2009

Nine Local Authority workers sacked for illegally accessing records on Govt customer Information System database

Following a Freedom of Information request by Computer Weekly it has been revealed that nine local government employees have been sacked for illegally accessing personal details held on the Customer Information System (CIS) database, part of a linked-up network of systems which constitute the government's planned national identity database.

With around 200,000 people holding access to this database, one may wonder how proper checks and controls can really be enforced; without routine monitoring of who looked up whom, misuse is only ever discovered by accident or complaint. Of course, the nine mentioned are only the ones who got caught.

UK ID cards - hacking debate rages on - is it just a super-database by stealth?

There has been a heated debate regarding the security of the new (non-compulsory) UK ID cards.

The Daily Mail ran a comprehensive article on how their expert analysed, decrypted, modified and recoded the RFID chip. He was able to change a range of details including 'Entitled to benefits'.

We have always argued that (at best) an ID card proves an innocent person innocent and (at worst) gives an illegitimate person instant credibility.

The Home Office has rubbished these reports: "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson. A very brave statement in our opinion!

There have been accusations that the Home Office doesn't care about the security of the card because the card itself is not the point, merely a vehicle for building a mass database. Given the apparent ease with which these cards were reportedly cracked, this accusation does seem plausible.


Half of UK firms have redundancy plans - why is this a security challenge?

A new survey by the British Chambers of Commerce reveals that one in two UK companies is planning potential redundancies in the next six months.

Whilst this is probably not a business surprise, there is a significant security risk here. Should these plans leak, the consequences could be serious: union action, a hit to the share price, key staff leaving, a drop in customer confidence, and so on.

There have been many documented incidents of covert surveillance usage in labour disputes and conflicts. One battle-hardened CEO told us that whenever he is dealing with Unions he works on the basis that 'everything is being recorded'.

If you have redundancy contingency plans (in place or being developed) contact FaberBrent to help understand and mitigate some of the potential risks.

Monday, 3 August 2009

How to unshred a document

For the first time a software package is publicly available that is designed to rebuild shredded documents.

If Unshredder proves to be effective it will, no doubt, soon become a staple of investigators and general snoopers everywhere. The obvious corollary is that a strip-cut shredder is no longer adequate disposal for anything sensitive: cross-cut (or better) shredding, or pulping, is what makes reconstruction impractical.

If you need help disposing of your confidential information contact FaberBrent.

Skype - spy vs spy and how the uncrackable service may be dismantled

Skype is currently very hard to intercept and decrypt. This has been a frustration for many security services.

It now appears that the ongoing IP dispute between Skype's founders and eBay (the current owner) may lead to eBay redesigning the core technology.

Any reworking of the code will be very welcome news for security services who apparently can't easily decrypt and/or intercept the current version.

Conspiracy stories... please form an orderly queue.


Clampi - the biggest Trojan virus yet?

It is being reported that Clampi may be the biggest and most effective Trojan yet seen.

Thousands of the world's top businesses have been targeted for deployment and attack.

Joe Stewart (Director of Malware Research at SecureWorks) has been researching Clampi for two years. He said: "We weren't all that worried about Storm, and we weren't all that worried about Conficker; this one you need to worry about."


iPhone SMS vulnerability patched in less than 24hrs

In a positive example of how exploit disclosure should work, Apple has patched the SMS vulnerability (demonstrated at the Black Hat conference in Las Vegas last week).

Within 24hrs an update was available to fix the problem.

Now, when will Apple fix the far larger security weakness plaguing the iPhone (which contradicts their marketing of the current version as having 'enterprise level' security)?

Do you believe everything you read - was MI5's website really hacked?

Last week the Daily Express reported that the MI5 website had been hacked and visitor data stolen. This story seemed a little far-fetched and indeed was not very accurate at all.

It turns out that a technical vulnerability was pointed out and duly fixed. The concept that MI5 would keep confidential data at the front-end of their public website should have seemed a bit unlikely, even for the Express.

I wonder when they will print the correction....

Hollywood comes true..again - VideoJak demos hacking and spoofing IP video feeds including cctv and video conferencing

A new tool shown at the Defcon hacker conference in Las Vegas last week has the ability both to intercept IP video feeds and to inject false 'looped' images into them.

This is another example of Hollywood coming true: the attacker can intercept, monitor and record a CCTV feed (while nothing is happening), then play this recording back in a loop in place of the actual live feed (presumably while Tom Cruise is lowered down on a black rope).

This tool also provides the ability to intercept video conferencing.

NB - if you are using any kind of conferencing facility, work on the basis that the content can be intercepted unless the stream is encrypted and authenticated end to end; an attacker who can sit between the endpoints and see the traffic in the clear can both record it and replace it. Many of us rely on IP-streamed video systems; do you know whether yours is still secure? If you need help securing your business communications contact FaberBrent.
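One cheap tripwire against the loop-replay attack described above is to hash each decoded frame and watch for the same run of digests recurring in order: a live sensor produces noise, so byte-identical frames repeating several times over are a strong sign of a replayed recording. This is an added example, not code from the original post and not part of VideoJak; the frames are constructed random byte strings standing in for decoded images, and the window sizes are assumptions.

```python
"""Spot a replayed loop in a video feed by hashing successive frames.

Added example (not from the original post, not VideoJak code). A
genuinely live camera produces sensor noise, so exactly identical
frames recurring in the same order several times over is a strong hint
that a recorded segment is being looped back to the viewer. The frames
here are constructed random byte strings standing in for decoded images.
"""
import hashlib
import random


def frame_digest(frame: bytes) -> str:
    return hashlib.sha256(frame).hexdigest()


def find_loop(digests, min_period=2, min_repeats=3):
    """Return (period, start) of the first run of `min_repeats` identical
    consecutive segments of length >= min_period, or None if the feed
    never repeats itself that way. Thresholds are assumptions for this demo."""
    n = len(digests)
    for start in range(n):
        longest = (n - start) // min_repeats
        for period in range(min_period, longest + 1):
            cycle = digests[start:start + period]
            if all(digests[start + r * period:start + (r + 1) * period] == cycle
                   for r in range(1, min_repeats)):
                return period, start
    return None


def check_stream(frames):
    """Hash every frame and look for a loop in the resulting digest sequence."""
    return find_loop([frame_digest(f) for f in frames])


def make_constructed_stream(seed=7, live=10, loop_len=5, loop_repeats=4):
    """Constructed feed: `live` noisy frames, then a `loop_len`-frame recording
    replayed `loop_repeats` times, as an attacker freezing the picture would."""
    rng = random.Random(seed)

    def frame():
        return bytes(rng.getrandbits(8) for _ in range(64))

    live_frames = [frame() for _ in range(live)]
    recorded = [frame() for _ in range(loop_len)]
    return live_frames + recorded * loop_repeats


if __name__ == "__main__":
    hit = check_stream(make_constructed_stream())
    if hit:
        print("loop detected: period %d frames, starting at frame %d" % hit)
    else:
        print("no loop detected")
```

This only catches an attacker who replays frames verbatim; one who re-encodes the loop with fresh noise defeats exact hashing, so treat it as a tripwire and not a substitute for an authenticated, encrypted transport between camera and viewer.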

Tuesday, 28 July 2009

David to Delores - MI5 whistleblower transforms into transvestite Jesus incarnate

One of those stories you just couldn't write.

Not strictly on topic, but many in the security community read "Defending the Realm", David Shayler's MI5 exposé. As with most books of this type there were plenty of inaccuracies, but there was also some accurate information.

David (sorry Delores) is now living in a squat in England and claiming to be the "spirit of Jesus".

You don't have to be mad to work here.......

How to set up a spoof wireless Access Point - if you use wifi you need to know this

Perhaps one for the techies here but a message for all of us.

The video here shows how to set up a spoof wireless network. In short, if you connect to such a network (whilst looking for a wireless connection), everything you send passes through the attacker's machine: your data can be stolen, logins and passwords compromised, and malware delivered to your computer.

All the software being used is available off-the-shelf but requires some technical knowledge to use.

Lesson - do not connect to a wireless network just because it is available! (are all your staff aware of this?)

NB - we provide this link for awareness and education; stealing people's information is illegal!
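For the techies, the flip side of the video is spotting the spoof AP from the defending side. The two giveaways are a managed SSID being beaconed from a BSSID that is not in your inventory, and the same SSID appearing both encrypted and open (bait for clients that auto-join by name). The script below runs those two checks over a site survey. It is an added example, not code from the original post or from the linked video; the scan lines, BSSIDs and the "known good" access point table are constructed for illustration.

```python
"""Flag likely rogue ("evil twin") access points in a wireless site survey.

Added example, not code from the original post or the video it links to.
The scan lines, BSSIDs and the KNOWN_APS inventory below are constructed
for illustration; in practice feed real survey output into parse_scan().
"""
from collections import defaultdict

# Constructed survey output: one beacon per line, "SSID BSSID channel security".
SCAN = """\
CorpWiFi   00:11:22:33:44:01   6  WPA2
CorpWiFi   00:11:22:33:44:02  11  WPA2
CorpWiFi   de:ad:be:ef:00:01   6  OPEN
Guest      00:11:22:33:44:03   1  OPEN
Cafe_Free  a6:02:11:ee:7f:10   1  OPEN
"""

# Constructed inventory of the organisation's own access points (SSID -> BSSIDs).
KNOWN_APS = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "Guest": {"00:11:22:33:44:03"},
}


def parse_scan(text):
    """Turn survey lines into dicts; malformed lines are skipped."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ssid, bssid, chan, sec = parts
        nets.append({"ssid": ssid, "bssid": bssid.lower(),
                     "channel": int(chan), "security": sec.upper()})
    return nets


def find_suspects(nets, known=KNOWN_APS):
    """Return (bssid, ssid, reason) for each beacon worth investigating."""
    by_ssid = defaultdict(list)
    for n in nets:
        by_ssid[n["ssid"]].append(n)

    suspects = []
    for ssid, aps in by_ssid.items():
        securities = {a["security"] for a in aps}
        for a in aps:
            reasons = []
            # An SSID we manage, beaconed from a BSSID that is not in our inventory.
            if ssid in known and a["bssid"] not in known[ssid]:
                reasons.append("unknown BSSID for managed SSID")
            # The same SSID seen both encrypted and open: downgrade bait for
            # clients that auto-join by network name.
            if a["security"] == "OPEN" and len(securities) > 1:
                reasons.append("open clone of an encrypted SSID")
            if reasons:
                suspects.append((a["bssid"], ssid, "; ".join(reasons)))
    return suspects


if __name__ == "__main__":
    for bssid, ssid, why in find_suspects(parse_scan(SCAN)):
        print(f"SUSPECT {bssid} '{ssid}': {why}")
```

A BSSID is just a MAC address and is trivially cloned, so an attacker who copies one of your real BSSIDs slips past the first check; the point of the script is to make the lazy spoof visible, not to prove a network genuine. The only real protection for users is the lesson above: do not join a network because it is there.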

The Times publish guide to new scams

The Times have published an interesting guide on some new and upcoming frauds.

Whilst this guide is not in any way exhaustive we think it makes interesting reading for all.

Up to 570,000 credit-card records breached at Network Solutions

Network Solutions, a major Internet hosting and systems company, has discovered a major breach of its network security.

Malicious code was installed and credit-card details harvested and exfiltrated.

Once again we see that keeping systems secure is a major challenge, and that having one's data held by third-party companies needs the same level of due diligence as one's in-house systems.

We will see more details of how this breach occurred as the investigation develops.

Friday, 24 July 2009

SMS to be trialled by Visa as a means of payment verification

Visa is trialling a system where you receive an SMS message whenever you make a purchase, as a tool for identifying fraudulent payments. This is not a new idea, but previously it has only been used for transactions that break the usual pattern.

There is a significant concern regarding fraudulent spoofing/phishing attacks using false messages. The sender name shown on an SMS is trivially forged, so a fake alert looks exactly like a genuine one. An example would be a message along the lines of "This is a security message from Visa, can you please call our team on 0845 123456 now"... I'm sure you can work out the rest. The safe habit is to call only the number printed on the back of the card, never one supplied in a message. The challenge here is user education as opposed to systems performance.

We wrote about this risk just a couple of weeks ago.

FSA fine HSBC £3M over data breaches

Following an investigation HSBC have been fined £3M by the FSA for repeated incidents of sending large quantities of unencrypted personal data in the post!

There are two clear lessons here: systems need to be designed so that unencrypted data cannot be dumped onto removable storage in the first place, and all staff need awareness training so they understand that posting disks full of personal data is akin to posting envelopes of cash.

Lucid Intelligence live with database of 120 million stolen records

We reported on the Lucid database before, and now it is up and running. It enables you to search the millions of records they have obtained from sales of stolen data on the web, which gives you an idea of whether your own personal information has been compromised.

There are questions surrounding data protection of this database itself, and potentially the ability to look up somebody else's details using their search.

They have also published a very useful DIY guide to finding out if your data has been published.

SMBs can't keep up with ITSec in tough times

Probably not a surprising article, but an important one nevertheless.

If you are an SME and have reduced your IT security spend, it is time to think smarter. It may seem strange for us to advocate more spending, but a full (independent) review of legacy systems, procedures and cost centres often reveals significant savings.

We understand the pressures on SMEs (we are one!) but also understand the consequences of ignoring significant exposure. Security spend can only be justified against a threat and risk analysis (just like an insurance policy). If the exposure is too big to accept, suitable measures must be implemented (head in sand is not an option).

For impartial advice contact us.

Wednesday, 22 July 2009

Laptop repair shop exposed - essential viewing

In a long overdue journalistic endeavour Sky sent in an undercover reporter to several laptop repair shops with a simple known fault and a laptop loaded with spy software to see what the repair shops got up to.

It will come as no surprise that they trawled through files and folders, attempted to access online banking accounts, and more.

There is something important to understand here. You simply cannot hand a computer to an unknown repair agent. Your laptop is not like any other appliance, as it is far more than just hardware. It is akin to inviting someone in to repair your office and letting them take all your bank books, photos and diaries off the premises for investigation.

So what can you do? Some ideas include: buy laptops where you retain ownership of the hard drive, so in the event of a repair you keep your drive; create a second login called 'guest' with no data on it and only allow repair agents to use this login (please note this is not foolproof: a separate login does nothing to protect data on an unencrypted disk, which anyone with physical access can read by removing the drive or booting from other media, so full-disk encryption is the measure that actually protects the data); establish a relationship with a respectable repair company and have them sign a privacy/NDA type contract. If you need help keeping your data private contact FaberBrent.

London Borough of Wandsworth has as many CCTV cameras as Dublin City Council, Johannesburg Police Dept, Boston Police Dept and Sydney City Council combined!

A new BBC report on actual numbers of CCTV cameras in the UK makes for interesting viewing.

The much-bandied figure of 4.4M UK cameras is very questionable; the real number is more like 3.2M (still quite a lot!). The original figure was calculated by using Wandsworth as an average!

UK Phone Tapping plans prove unworkable under current legislation

During secret testing, Gordon Brown's proposed use of phone-tap intercepts as evidence has been shown to be unworkable under current legislation.

A mock trial was run and the validity of the evidence examined. Quotes attributed to Sir Paul Kennedy, the Interception of Communications Commissioner, said that under RIPA there were “real legal and operational difficulties” and that he would “welcome the Government’s acceptance that intercept as evidence should not be introduced”.