
Archive for the ‘Information security’ Category

Friday
Feb 17, 2012

There is an excellent article in the New York Times that explains the behavioural psychology that is now linked to supermarket loyalty cards and on-line shopping patterns to target and personalise adverts and offers.

It describes an incident in a Target store (a major US chain) as follows:

“a man walked into a Target outside Minneapolis and demanded to see the manager. He was clutching coupons that had been sent to his daughter, and he was angry, according to an employee who participated in the conversation.

“My daughter got this in the mail!” he said. “She’s still in high school, and you’re sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?”

The manager didn’t have any idea what the man was talking about. He looked at the mailer. Sure enough, it was addressed to the man’s daughter and contained advertisements for maternity clothing, nursery furniture and pictures of smiling infants. The manager apologized and then called a few days later to apologize again.

On the phone, though, the father was somewhat abashed. “I had a talk with my daughter,” he said. “It turns out there’s been some activities in my house I haven’t been completely aware of. She’s due in August. I owe you an apology.”

I suspect these systems are now so sophisticated and analyse so much data about individuals’ behaviour that they far surpass even the databases held by the most anti-civil-libertarian governments.

But for some reason you don’t hear so many complaints ….

Saturday
Feb 11, 2012

A Police Service with a sense of humour?

How would the Met shape up if their website was hacked?

Sunday
Jan 29, 2012

John Naughton in today’s Observer has an interesting article on the proposed new EU data protection directive and the way in which Facebook is getting “its retaliation in first”.  The proposed “right to be forgotten” is likely to conflict with Facebook’s newish “timeline” facility.  And the retaliation?  This is how John Naughton puts it:

“The day before the commission made its announcement, Facebook’s chief operating officer, Sheryl Sandberg, gave a speech to a technology conference in Munich. Her menacing subtext was neatly summarised by the New York Times thus: “Concerned about privacy? Maybe you should be concerned about the economy instead.” Translation: mess with us, Eurotrash, and we’ll screw you.

Sandberg’s speech was revealing because it exposes the line of argument that Google, Facebook, et al will use to undermine public authorities that seek to control their freedom to exploit their users’ identities and abuse their privacy. The argument is that internet companies create lots of jobs and are good for the economy and European governments shouldn’t stand in their way.”

Apparently, to back this argument Facebook referred to a report that they had commissioned from Deloitte which concluded that Facebook had indirectly helped create 232,000 jobs in Europe in 2011 and enabled more than $32bn in revenues.

John Naughton is sceptical, pointing out that Facebook itself only has about 3,000 employees world-wide, and he continues:

“Inspection of the “report” confirms one’s suspicion that you couldn’t make this stuff up. Or, rather, only an international consulting firm could make it up. Interestingly, Deloitte itself appears to be ambivalent about it. “The information contained in the report”, it cautions, “has been obtained from Facebook Inc and third party sources that are clearly referenced in the appropriate sections of the report. Deloitte has neither sought to corroborate this information nor to review its overall reasonableness. Further, any results from the analysis contained in the report are reliant on the information available at the time of writing the report and should not be relied upon in subsequent periods.” (Emphasis added.)

Accordingly, continues Deloitte, “no representation or warranty, express or implied, is given and no responsibility or liability is or will be accepted by or on behalf of Deloitte or by any of its partners, employees or agents or any other person as to the accuracy, completeness or correctness of the information contained in this document or any oral information made available and any such liability is expressly disclaimed”.”

Although Deloitte is normally regarded as a respectable organisation, these caveats plus the rather tendentious conclusions should raise alarm bells.

Or as John Naughton puts it:

“The sole purpose of “reports” such as this is to impress or intimidate politicians and regulators, many of whom still seem unaware of the extent to which international consulting firms are used by corporations to lend an aura of empirical respectability to hogwash.”

Yet reports like this with sensational conclusions seem a particular feature of commentary on the internet.

And especially so in respect of information security: last year the UK Government published figures saying UK cyber crime was costing £27 billion per year and, not to be outdone, Symantec suggested that the global figure was $388 billion.  The reality is that all these figures are unverifiable – and whilst I am quite clear that cyber-crime is a very serious problem for the world economy, these estimates are, to use John Naughton’s word, “hogwash”.

Spurious precision – whether it is Symantec’s $388 billion or Facebook’s 232,000 jobs in Europe – should always be treated with caution.

Sunday
Nov 27, 2011

The Wall Street Journal reports that:

“British intelligence picked up “talk” from terrorists planning an Internet-based attack against the U.K.’s national infrastructure, a British official said, as the government released a long-awaited report on cyber security.

Terrorists have for some time used the Internet to recruit, spread propaganda and raise funds. Now, this official said, U.K. intelligence has seen evidence that terrorists are talking about using the Internet to actually attack a country, which could include sending viruses to disrupt the country’s infrastructure, much of which is now connected online. The official spoke on condition of anonymity and didn’t say when the infrastructure threat was detected and how it was dealt with.

Terrorists, however, are still more focused on physical attacks that lead to high casualties and grab attention. “For the moment they prefer to cover the streets in blood,” he said.”

I first started raising these concerns more than seven years ago, pointing out in a debate in the House of Lords on the 9th December 2004:

“As a nation, the systems that are essential for our health and well-being rely on computer and communications networks – whether we are talking about the energy utilities, the water and food distribution networks, transportation, the emergency services, telephones, the banking and financial systems, indeed government and public services in general – and all of them are vulnerable to serious disruption by cyber-attack with potentially enormous consequences.  Indeed, the Coastguard Service was laid low by the “Sasser” worm in May this year.

The threat could come from teenage hackers with no more motivation than proving that it could be done, but even more seriously it could come from cyber-terrorists intent on bringing about the downfall of our society.”

At the time, I was assured that there was no intelligence to suggest that such a threat was significant.  The then junior Home Office Minister, Lord Steve Bassam, now no less a person (if such a thing were possible) than the Opposition Chief Whip in the Lords, said:

“there are also terrorists who would challenge and seek to undermine democratic society using any methods within their grasp. It is not complacent to say this; but perhaps it should be made plain that at the moment they do not appear to be interested in attacking us electronically.”

Of course, in the intervening seven years there has been a burgeoning realisation of an increasing number of cyber-threats and, if there is now intelligence to suggest that international terrorists are thinking in that way, I take no satisfaction from having predicted it in 2004.

What is important is that the substantial resources provided to GCHQ under the Government’s new Cyber Security Strategy, published last week, are used effectively to combat the threat. GCHQ and the other intelligence agencies are to get 59% of the £650 million that the Government has allocated to cyber security over the next three years.  It is unlikely that there will ever be much detail published as to how the resources are used, so we can only hope ….

Saturday
Nov 19, 2011

I see that the US Congress is to investigate Chinese equipment suppliers Huawei and ZTE to see whether they present a threat to US national security.  According to PC World, the House Intelligence Committee wants to:

“examine if Huawei’s and ZTE’s expansion into the U.S. market gives the Chinese government an opportunity to hijack the nation’s infrastructure to conduct espionage. U.S. lawmakers worry that the networking equipment sold could secretly contain Chinese military technology to spy and interfere with U.S. telecommunications.”

Huawei has many links to the Chinese Government and its security apparatus.  Jeffrey Carr summarises the key facts as follows:

  1. The company’s founder Ren Zhengfei was an engineer in the PLA prior to forming his company.
  2. The company’s chairwoman Sun Yafang worked for the Ministry of State Security and while there helped arrange loans for Huawei before joining the company as an employee.
  3. The government of China is Huawei’s biggest customer; specifically the State-owned telecommunications services.
  4. Huawei equipment is used to intercept communications in China for state-mandated monitoring.

Nevertheless, its products are already widely used in the UK’s infrastructure, particularly given its role in providing key components to BT.  I have expressed concern about this before, and back in 2006 Newsweek recorded the Conservative Party’s concerns, saying:

“Political conservatives in Britain expressed the same security concerns about Huawei last spring. In April, the company won a $140 million contract to build part of British Telecom’s “21st Century Network,” a major overhaul of its equipment. But when rumors began circulating that the Chinese company might then bid on Marconi, a landmark electronics and information technology firm that was being put up for sale, a Conservative Party spokesman sounded the alarm. The Tories asked the British government to consider the implications for Britain’s defense industry of a Chinese takeover of Marconi. In the end, Huawei didn’t make an offer, and the Swedish telecom giant Ericsson is in the process of buying Marconi.”

Huawei continues to try to expand its access to the UK infrastructure market – see, for example, its wooing of Mayor Boris Johnson with an offer to provide mobile phone infrastructure for the Underground in time for the London Olympics.  In August, it recruited the former Government chief information officer, John Suffolk.

Its latest move to gain respectability is to sponsor a charity Christmas concert in support of The Prince’s Trust at the Royal Festival Hall next month, to which it has invited large numbers of senior Government officials and Parliamentarians.

No doubt, Huawei will say they are much-maligned, but I do wonder whether a UK Parliamentary Committee shouldn’t be following the lead of the US House Intelligence Committee and launch an investigation into the company’s growing influence in the UK and any possible implications for security.

Friday
Nov 4, 2011

I’ve already asked what exactly William Hague’s grand international conference on cyberspace was for, but it is clear that my scepticism is shared by the journalists who were sent to cover it and came away disappointed, or, as the Daily Telegraph put it:

“So what did we learn over the course of the two-day meeting? Well, in short, almost nothing. ….

As the show limped to its finale on Wednesday, many of Mr Hague’s conclusions could have been written at any point in the last six months.

“All delegates agreed that the immediate next steps must be to take practical measures to develop shared understanding and agree common approaches and confidence-building measures,” the Foreign Secretary declared. Well, quite.”

And serious experts like Richard Clayton from Cambridge University were pretty underwhelmed too.

Tuesday
Nov 1, 2011

In August, David Cameron wanted to block Twitter, Facebook and Blackberry Messenger.

Today, William Hague said:

“Some governments block online services and content, imposing restrictive regulation, or incorporate surveillance tools into their internet infrastructure so that they can identify activists and critics. Such actions either directly restrict freedom of expression or aim to deter political debate.”

And just in case the Prime Minister had missed the point, he went on:

“Human rights are universal, and apply online as much as they do offline… Everyone has the right to free and uncensored access to the internet.  … We saw in Tunisia, Egypt and Libya that cutting off the internet, blocking Facebook, jamming Al Jazeera, intimidating journalists and imprisoning bloggers does not create stability or make grievances go away.”

Oh dear …..

Monday
Oct 31, 2011

In July the Foreign Secretary announced that the UK would be hosting an international conference on cyberspace.  The purpose was to bring together governments, international organisations, NGOs and businesses from around the world to “address the challenges presented by the networked world including cyber crime that threatens individuals, companies, and governments.”  William Hague said that it was “vital that cyberspace remains a safe and trusted environment in which to operate. This can only be done effectively through international cooperation, engaging both the public and private sectors. Together I hope that we can begin to build the broadest possible international consensus.”

In case you missed it this major attempt to build international consensus is taking place tomorrow and Wednesday – indeed the process of international bonding began over drinks and nibbles at the Science Museum earlier this evening.

However, looking at the programme, it is not clear what it offers that is going to be different from numerous similar gatherings over the last few years.  Nor is it apparent where the “broadest possible international consensus” is going to be hammered out.

But we are assured that it is going to look good …..

[Image: quorh.jpg]

But this picture really does deserve a caption competition:

[Image: quorh.jpg]

Printable suggestions only please.

Friday
Oct 28, 2011

What would the people in your office do if a couple of people looking the part turned up at your office door saying that they were there to do a fire inspection?  Or said they were more or less any other branch of officialdom flashing ID and saying they needed to do an inspection?

Here is a salutary warning:

“Let’s say I am posing as a fire inspector. The first thing I will have besides my badge and uniform is a walkie-talkie, like all firemen. Outside, we’ll have our car guy. The guy that sits in the car, and basically his job in the beginning is to send chatter through to our walkie-talkies. We will have a recording of all that chatter you’ll hear on walkie-talkies. He sits in the car and plays it and sends it through to our walkie-talkies.

We walk into the facility and make sure that all the chatter is coming loudly into the walkie-talkies as soon as we walk in their door so that we are immediately the center of attention. When I walk in, I want everyone to know that I mean business. My walkie-talkie is loud and everyone looks over as I apologize and turn it down.

I show the person at the front desk my badge. They’ll say “Hi, how’s it going?” I’ll say “Good, I’m here to do a fire inspection.” They say “Great” and assign someone to us, like a teller. It’s generally someone who’s nice. I’ll start talking with them, flirting with them, or whatever it takes. We’ll start walking around.

While I’m talking with the person who has been assigned to us, my partner knows his job is to immediately wander away from us. So, my partner will immediately walk off. In most cases our escort will say “Can you come back here? I need to keep you guys together.” We say “Sure, sorry.” But really that means nothing to us. All it means is that we keep doing it until she gives up. My partner will wander off two or three more times and get warned until she finally stops and gives up. She just thinks he’s a fireman and thinks “Let’s just let him do what he needs to do.”

At that point, my partner’s job is to start stealing everything he can steal and start putting it in his bag. And he also has to get under the desks of any employee he can find and start installing these little keyboard loggers. I stay with the person who is escorting me and my whole job now is keeping them entertained. I keep walking around rooms, giving them advice on keeping their facility fire safe, even though I really have no idea what I’m talking about. I make stuff up and probably give the worst advice ever. I’ll pull out cords and say “This looks a little bit dangerous.” I’ll comment on space heaters. I’m completely winging it.”

You can see how it might happen.  Read on here …..

Thursday
Oct 13, 2011

Earlier today I chaired a fascinating seminar for patient groups and professional organisations which discussed healthcare-acquired infections (HCAIs) and, in particular, what needs to be done to better prevent such infections in community (rather than hospital) settings.

As the meeting continued, I was struck by the surprising number of parallels that exist between what needs to be done to cut the risk of such infections and what needs to be done to improve information security.

For example, there were those a few years ago who thought the situation with HCAIs in hospital was so bad that nothing effective could be done.  They have been proved wrong by the success of the initiatives taken over the last five or six years to reduce dramatically the incidence of MRSA and C. difficile in hospitals (80% and 60% reductions respectively). Likewise there are those who throw up their hands in horror about the current tide of cyber security problems and seem to believe that our systems will always be irredeemably compromised.  Hopefully, they will also be proved wrong in a few years’ time.

The response to HCAIs was in the past seen as better and stronger technical solutions (i.e. ever more powerful antibiotics) and, whilst such solutions remain necessary for those who are infected, the sharp reductions have been achieved by other means – largely through achieving major changes in behaviour amongst staff and patients (i.e. better and more effective hand-washing, greater emphasis on cleanliness, etc.).  This is mirrored by the increasing recognition that social engineering and behavioural change are an enormously important component of better cyber security and information assurance.

Similarly, without being too Cameron-esque about it, we all have to be in this together. Everyone has to play their part.  Thus, patients and their visitors need to understand the importance of washing their hands with alcohol gel and remembering to do it.  In the same way, individual computer users need to adopt precautions to prevent their systems being compromised.  At the same time, product manufacturers must play their part in making their products less vulnerable to infection (e.g. catheter or commode design can be used to make HCAIs less likely, just as computer software and hardware can have security built in).

Likewise, you cannot help but notice that meetings, whether about HCAIs or addressing cyber security, always conclude that more public education is needed and that the message needs to start at primary school ….

Well, I thought they were interesting parallels ….