
Security News Roundup: Defending The Indefensible

Here’s a data security conundrum. The news that anonymous DNA sample data has been used to personally identify the original donor sounds, at first, like an information security problem.

The reality is, it isn’t. A team of geneticists has shown there is a systematic weakness in the way that this data is handled. It turns out that statistical analysis combined with good old-fashioned searching the Internet for identity clues may be all it takes to render the strict controls associated with donor data completely powerless.

The law of unintended consequences always applies with new technology. If we give information away freely, we shouldn’t be surprised when someone finds a way to use it. Imagine what a geneticist could do with this research that uses Facebook ‘likes’ to predict race, religion and sexual orientation?

This does raise the question of how to design security systems to protect data from threats (or developments in technology) that we don’t know about yet. This intractable problem is likely to remain with us for the foreseeable future, but one approach is to offer up your implementation for attack, and pay a bounty for positive results.

Which sounds very much like the Google-sponsored “Pwnium 3” contest where cash prizes of up to $150k are available for demonstrable exploits of Google’s Chrome OS. Google did manage to get some last-minute patching done just before the competition started, and (consequently?) there were no clear winners, with Chrome fending off all attacks.

Let’s wrap up this week’s somewhat sober assessment with a data-leak-of-the-week quote from this story about widely reported data breaches at various credit reference bureaus:

“The data leak this week is being called a juvenile prank and not necessarily the work of any sophisticated hacker”

We’re not entirely sure what the difference is, from the victim’s perspective, but it’s an interesting defence.


Security News Roundup: Can You Hear Me Now?

Sometimes, the price of success is unwanted attention. Witness the apparently stratospheric rise in malware on the Android mobile platform. With mobile usage continuing to explode, coupled with the vast array of valuable data we store and access from our phones, it should come as no surprise that the bad guys want a piece of the action.

Why does Android seem prone to these issues? Part of the answer lies not in the technology, but in the end user. Hacking the human mind continues to yield some rich pickings. Disappointingly, we just keep clicking on stuff without thinking. Where’s the patch for that?

We can’t help recalling the uproar a few years ago when “free” webmail services were all the rage. The big deal then was the realisation that these providers could actually read your mail. The very thought! Roll forward to the present day, and not only have we completely forgotten about that, we’re storing all sorts of data in all sorts of places, without a care in the world.

Lost or stolen USB keys, DVDs and laptops were also a big deal, but now that’s all passé. Now we have an even better way to lose sensitive data that we shouldn’t even be storing in the first place. Yes, it’s bring your own cloud, the thoroughly modern approach to data storage that has done for data security what King Henry VIII did for gender equality.

Emails aren’t secure, and data is at risk of compromise more or less all the time. What’s left? The good old cellphone system. That’s probably secure. By “probably”, of course we mean “probably not”. Witness this post via Bruce Schneier highlighting the techniques used by the FBI in order to intercept phone data and track users. Very informative.

But is it controversial? An organisation that tracks your location, knows all your contacts, reads your emails and extracts data from your phone? This is, of course, completely unheard of on the Internet. On a mobile phone. We’re sure you see our point here.

Let’s end with a summary. We’re using mobile platforms that are full of holes, to store data that we shouldn’t be storing, on cloud services that are insecure; whilst assorted governments, commercial organisations and bad guys all compete for access to that data, right in the palm of our hands.

Who says information security is boring?

Security News Roundup: The Demise Of The Human

With the US version of the RSA conference in full swing this week, we’re pleased to be able to present some signal despite the noise.

It turns out that China is being hacked by the US. There, we said it. As they say, it takes two to tango, so we presume this comes as no great surprise to anyone. Except for governments outside of the US and China, who are no doubt feeling a little “hacker envy” right now. Don’t worry, one of the big guys will get round to you eventually.

The age-old “my system is more secure than your system” arguments still rage on. In the latest twist to this interminable, intractable and possibly uninteresting discussion, a Microsoft partner has claimed that Microsoft software is better patched than Linux software, under certain circumstances, with consideration given to other factors. All we can say is that we absolutely agree with that finding. Whatever it was.

Anyway, non-patches are not the only threat to security. Encryption experts agree that the current trust-based system of Certificate Authorities (the entities who digitally vouch for the authenticity of millions of web servers) is not working as well as hoped, and should be replaced. Apparently, we need a system where people can choose who to trust. In other words, replacing one system that fails due to fundamental human weakness, with one where humans can make even more uninformed choices. That should work like a charm.

Speaking (indirectly, at least) of Achilles and his infamous heel, the word of the week is “sisyphean”. Of course we didn’t have to look it up; we instantly recognised that other Greek mythological reference which equates the task of doing proper security with the task of repeatedly pushing a giant boulder up a hill only to watch it roll back down again. Many readers will no doubt identify with that job description. Have no fear, help is at hand.

In the future, big data analytics and advances in machine learning will decide on our behalf what is friend, and what is foe. We simply don’t need to get involved. Perhaps the encryption experts we mentioned earlier have got it wrong – we shouldn’t be permitted to make trust-based decisions; as a species we’re simply not evolved enough to spot digital predators. A sobering thought, for sure.

But then, whilst we’re in the mood for classical references, Quis custodiet ipsos custodes?

Security News Roundup: Chinese Take-away

The biggest story this week: Chinese military unit behind ‘prolific and sustained hacking’, says security report. A highly-skilled team of intelligence gatherers working systematically to steal confidential information from organisations around the globe? Shocking stuff – we can’t imagine for a moment that our government is doing the same thing.

But things move fast in the murky world of attack and counter-attack. The widely-touted report itself has become a security risk, and is being used as bait in a phishing attack. Naturally, that’s the level of entrepreneurial, free-market thinking that one automatically associates with communist China.

Speaking of Chinese ingenuity, malware is getting smarter says anti-virus vendor McAfee; a revelation that presumably comes as no surprise to competitor Symantec, whose own products apparently failed to spot (and here’s that phrase again) the prolific and sustained hacking of the NY Times. Can anyone else see a pattern emerging here?

If security products can’t help us, we have to defend ourselves against the data breach apocalypse. Better not start with Sharepoint then. According to a recent survey, two thirds of Sharepoint users have no security policy. We know it’s called Sharepoint, but really there are some things that one shouldn’t be sharing. Like the fact that you have no security policy, for example.

Finally, if that’s not apocalyptic enough, we now know that the emergency TV broadcast systems used to address the US public in the event of a real apocalypse are riddled with default passwords and other poor configuration choices. We know this because during a recent spate of zombie uprisings across three US states, community-spirited citizens were able to alert the general public to the imminent danger posed by the walking dead.

What a relief.