Lord Toby Harris Logo

Archive for the ‘Information security’ Category

Aug 8,2011

I gather that the Total Politics Blog Awards are now in progress.  I want to make it quite clear that I will not be in the least bit affronted should you chose to vote for this blog by clicking here.

Jul 30,2011

The Royal Air Force mission statement is:

“‘An agile, adaptable and capable Air Force that, person for person, is second to none, and that makes a decisive air power contribution in support of the UK Defence Mission”.

That is pretty clear and fits in with the RAF image, “The Few” and all that.

By contrast the mission of the United States Air Force is:

 “To fly, fight and win in air, space and cyber space.”

The “and win” bit is maybe a tad more aggressive than making a decisive contribution, but the interesting bit is the inclusion of cyber space.

Now this may be a bureaucratic land-grab with the USAF making a bid for the cyber-security leadership role in the United States Government, but it does pose the question who has the lead for cyber-defence in the United Kingdom?  Answers on a postcard (or email) please. 

Royal Air Force Typhoons

Jul 26,2011

An intriguing story is drawn to my attention by Team Cymru, leading experts on cybersecurity issues.  This highlights some strange goings on with the electronic voting system used in the 2004 American Presidential Elections in the State of Ohio.  As I remember it, early exit polls from Ohio suggested that John Kerry had won the state but that as the votes were counted it appeared that the exit polls were wrong and that Ohio had voted for George W Bush.  The electoral college votes from Ohio were pivotal and had they gone for Kerry he would have become President. 

The report says:

“A new filing in the King Lincoln Bronzeville v. Blackwell case includes a copy of the Ohio Secretary of State election production system configuration that was in use in Ohio’s 2004 presidential election when there was a sudden and unexpected shift in votes for George W. Bush.

The filing also includes the revealing deposition of the late Michael Connell. Connell served as the IT guru for the Bush family and Karl Rove. Connell ran the private IT firm GovTech that created the controversial system that transferred Ohio’s vote count late on election night 2004 to a partisan Republican server site in Chattanooga, Tennessee owned by SmarTech. That is when the vote shift happened, not predicted by the exit polls, that led to Bush’s unexpected victory. Connell died a month and a half after giving this deposition in a suspicious small plane crash.

Additionally, the filing contains the contract signed between then-Ohio Secretary of State J. Kenneth Blackwell and Connell’s company, GovTech Solutions. Also included that contract a graphic architectural map of the Secretary of State’s election night server layout system. 

Cliff Arnebeck, lead attorney in the King Lincoln case, exchanged emails with IT security expert Stephen Spoonamore. Arnebeck asked Spoonamore whether or not SmarTech had the capability to “input data” and thus alter the results of Ohio’s 2004 election. Spoonamore responded: “Yes. They would have had data input capacities. The system might have been set up to log which source generated the data but probably did not.”

Spoonamore explained that “they [SmarTech] have full access and could change things when and if they want.”

Arnebeck specifically asked “Could this be done using whatever bypass techniques Connell developed for the web hosting function.” Spoonamore replied “Yes.”

Spoonamore concluded from the architectural maps of the Ohio 2004 election reporting system that, “SmarTech was a man in the middle. In my opinion they were not designed as a mirror, they were designed specifically to be a man in the middle.”

A “man in the middle” is a deliberate computer hacking setup, which allows a third party to sit in between computer transmissions and illegally alter the data. A mirror site, by contrast, is designed as a backup site in case the main computer configuration fails.

Spoonamore claims that he confronted then-Secretary of State Blackwell at a secretary of state IT conference in Boston where he was giving a seminar in data security. “Blackwell freaked and refused to speak to me when I confronted him about it long before I met you,” he wrote to Arnebeck.

On December 14, 2007, then-Secretary of State Jennifer Brunner, who replaced Blackwell, released her evaluation and validation of election-related equipment, standards and testing (Everest study) which found that touchscreen voting machines were vulnerable to hacking with relative ease.

Until now, the architectural maps and contracts from the Ohio 2004 election were never made public, which may indicate that the entire system was designed for fraud. In a previous sworn affidavit to the court, Spoonamore declared: “The SmarTech system was set up precisely as a King Pin computer used in criminal acts against banking or credit card processes and had the needed level of access to both county tabulators and Secretary of State computers to allow whoever was running SmarTech computers to decide the output of the county tabulators under its control.”

Spoonamore also swore that “…the architecture further confirms how this election was stolen. The computer system and SmarTech had the correct placement, connectivity, and computer experts necessary to change the election in any manner desired by the controllers of the SmarTech computers.”

In the Connell deposition, plaintiffs’ attorneys questioned Connell regarding gwb43, a website that was live on election night operating out of the White House and tied directly into SmarTech’s server stacks in Chattanooga, Tennessee which contained Ohio’s 2004 presidential election results.

The transfer of the vote count to SmarTech in Chattanooga, Tennessee remains a mystery. This would have only happened if there was a complete failure of the Ohio computer election system. Connell swore under oath that, “To the best of my knowledge, it was not a fail-over case scenario – or it was not a failover situation.”

Bob Magnan, a state IT specialist for the secretary of state during the 2004 election, agreed that there was no failover scenario. Magnan said he was unexpectedly sent home at 9 p.m. on election night and private contractors ran the system for Blackwell.

The architectural maps, contracts, and Spoonamore emails, along with the history of Connell’s partisan activities, shed new light on how easy it was to hack the 2004 Ohio presidential election.”

Interesting, if true.

Jul 17,2011

Last Thursday a reluctant* Sir Paul Stephenson, Commissioner of Police for the Metropolis, was called to appear before a Committee of the Metropolitan Police Authority to answer questions about the relationship between the Metropolitan Police and News International in the wake of all the revelations up to that date on the issue.

He answered questions for thirty minutes at 2pm before leaving.

He chose not to mention that Neil Wallis, a former deputy editor of the News of the World, had been employed by the Metropolitan Police as a media consultant in 2010.  It was subsequently suggested that as Neil Wallis had been arrested that morning, as part of Operation Weeting, it would have been inappropriate for Sir Paul to say anything as this might prejudice any future criminal proceedings and that in any case all that the press people at New Scotland Yard were saying was that “a man aged 60” had been arrested.

It now turns out that the Press Association had named Neil Wallis as the “man aged 60” at 11.07am that morning, so the name was already in the public domain.

Sir Paul’s answers were lengthy and carefully prepared.  I strongly believe that it was a serious error of omission not to say anything to the Metropolitan Police Authority about the Met’s contract with Neil Wallis – he was after all talking about his force’s relationship with the media and News International.

He could have said something like this without mentioning the arrest:

“And while I am talking about our relations with News International I should tell you that we do from time to time employ former journalists and media professionals as consultants and advisors.  Indeed, for a six-month period last year we employed on a part-time, two day a month, basis Neil Wallis, a former Deputy Editor of the News of the World.”

However, given that the name of the person arrested was now known to the media, he should also have said something about it perhaps along these lines:

“I am aware that some media outlets have named Neil Wallis as a person arrested by Operation Weeting earlier today.  I am not prepared either to confirm or deny such a suggestion and I would remind everyone of the importance of not saying anything that might prejudice any later court proceedings.”

Such remarks would have been consistent with openness.

The failure to say anything leaves Sir Paul open to the accusation that he is not prepared to be open with the body to whom he is accountable.  Which leads to the question about what else does he chose not  to tell the MPA.

And at a time when he and his senior colleagues need all the support they can get this was perhaps not very sensible.

*He was reluctant because he was due to preside over a long-service medals ceremony at Hendon and did not want to keep the officers receiving medals and their families waiting.

Jul 10,2011

I have tabled the following questions for the Commissioner for the next meeting of the Metropolitan Police Authority – either at its scheduled meeting on the 28th July or earlier if an emergency meeting of the Authority is called:

(1) Access to police databases.  Does the Directorate of Professional Standards audit access by police officers and staff to the PNC and other police databases to check whether the information accessed is appropriate and relevant to the work of the person accessing the information?  If this is only done in respect of a complaint about an individual officer or staff member, will this now be done more regularly to check all accesses to information from the PNC and other police databases on a sample basis?  If these wider checks are already done, what proportion of accesses to information are checked and will this proportion now be reviewed?

(2) Misuse of police information by police officers and police staff. How many police officers and police staff have been (a) prosecuted, (b) dismissed or asked to resign, or (c) disciplined for misusing police information in each year over the last decade?

(3) Guardian article 6th July.  The Guardian has reported that in November 2002 Rebekah Brooks was confronted at “press social event” in New Scotland Yard by being taken into “a side room” and confronted by Cdr Andre Baker and Dick Fedorcio about News of the World surveillance of DCS Cook.  No futher action was taken about this.  Who was party to the decison to confront Rebekah Brooks in such a fashion and to take no further action?  In particular, was the then Commissioner and the then Deputy Commissioner (a) involved or (b) informed?  What other Assistant Commissioners or DACs were (a) involved or (b) informed? (I can confirm that as the then Chair I was not informed – indeed the first I learned of it was when I read the Guardian’s article.)  Was the team led by Assistant Commissioner John Yates which subsequently reinvestigated the murder of Daniel Morgan aware of this behaviour by the News of the World?

(4) Review of phone hacking case in 2009.  What remit did you give to Assistant CommissionerJohn Yates when you asked him to review the phone hacking case in 2009?  Did you set a timescale on the review?  How soon after you asked him to do the review did AC Yates report back to you?  Were you satisfied when he reported back to you that he had properly fulfilled the remit that you gave him?

Jun 22,2011

Sophos’s NakedSecurity site tells the cautionary tale of the company chief executive and the slighted IT administrator who took his revenge:

“Imagine you’re giving a presentation to the board of directors at your company. You have your PowerPoint slides all ready, you’re projecting onto a 64 inch screen… what could possibly go wrong?

Well, what would you do if your carefully composed presentation was replaced on the big screen by images of a naked woman? My guess is that you wouldn’t know where to put your laser pointer..

52-year-old Walter Powell used to be an IT manager at Baltimore Substance Abuse System Inc, until he was fired in 2009. Clearly someone who believed that revenge should be served red hot, Powell used his computer knowledge to hack into his former employer’s systems from his home and install keylogging software to steal passwords.

On one occasion, Powell took remote control of his former CEO’s PowerPoint presentation to the board of directors, and projected pornographic images on the 64 inch TV.

Press release about Walter Powell's sentencing

According to media reports, Judge M. Brooke Murdock gave Powell a two year suspended sentence, and ordered him to 100 hours of community service and three years’ probation.”

Interestingly, I read this on my way home from hearing a presentation from the CEO of a very large corporation who had described in passing the processes (that even he described as draconian) his company follows in monitoring the activites of employees who hand in their notice,  which includes checking what company files they access and download, reviewing their outgoing email traffic and monitoring memory stick usage. Once caught, twice shy?

Jun 7,2011

A few days ago I reported on the call for a “general obligation for data security”.

Now comes this report on CBS (thanks to FutureCrimes):

I wonder how many companies and government agencies are equally careless in this country?

It makes leaving a paper on a photocopier seem old hat …..

Jun 5,2011

High-level legal guru, Stewart Room, gave an excellent presentation at last week’s East-West Institute Global Cyber Security Summit.  In it he called for a “general obligation for security”, saying:

“I believe that holders of sensitive data, the controllers of important networks, systems and infrastructures – and their supply chains – should face a clear legal requirement to keep these assets safe and secure. As well as describing the obligation, this general security law should describe the consequences of failure.”

He pointed out that:

“It is naive to think that all relevant actors will do what is necessary to protect these assets without a clear steer from the law. Ignorance, laziness, apathy, short sightedness and greed are all powerful counterweights to enlightened self interest.”

He also highlighted the dangers of simply addressing the problem through the prism of the protection of personal data only.  Intellectual property is currently being leeched from corporate data systems all over the world – an issue repeatedly referred to at the Summit.  Likewise the vulnerability of national infrastructure systems – including power grids and water supplies – is also now increasingly apparent.

He warned that:

“In the UK and most of the rest of Europe the law for security is effectively left to reside in the domain of privacy and data protection law. This is a grave mistake. …  it gives the mistaken impression that the law only sees security as being important in the context of the handling of personal data. Of course, we all know that the substance of security extends much further that this. The impact of this problem is worsened by the fact that far too many people and organisations do not take data protection law seriously. Thus, the law is not properly driving behaviours.”

And there may be unintended consequences:

“This gives effective ownership of the field to people who are the least competent to manage it. I am talking about a small cadre of data protection regulators and bureaucrats, who are so slanted toward privacy that they may unwittingly encumber us with anti-security policies, which could jeopardise the health of cyberspace, our economies and our societies.”

He concluded byasking “what will a general obligation for security look like?”:

“Aside from removing the issue from the privacy and data protection domain and describing the nature of the obligation to secure assets and the penalties that may flow in breach, a general obligation for security will capture:

1. Critical definitions. We need to agree the parameters and make sure that we are all talking the same language.

2. The traditional “cyber crime” subject matter, dealing with the criminalisation and prosecution of unacceptable behaviours of hackers, botnets and others whom attack information and information systems. The interests of law enforcement should be properly served.

3. The role of the private sector cyber security industry, so that innovation in IT solutions can continue. We are totally reliant upon the private sector for security solutions, so we must give it our full support.

4. Intelligence sharing between the public and private sectors and across geographical boundaries.

5. The need for identification measures for people and machines operating in cyberspace. Privacy should not provide a cloak for criminals and anti-social behaviour.

6. The right for people and organisations under cyberattack to take offensive action in their defence. This is probably the most controversial point. But we need to ask ourselves whether it is morally right to tie the hands of those under attack. And we need to be sure that we do not open Pandora’s box.”

Whilst ideally this needs a solution in international law, a good start would be made by legal changes in this country to establish a better and more robust framework, whilst British Ministers argue for European-wide changes via Brussels and press the case through the G8 and G20 fora.

There was a palpable sense of urgency about the need for change at last week’s summit.  I hope it was felt by Francis Maude MP, who is apparently now the Minister in charge of cyber-security, and that he takes it back to his Government colleagues.

Jun 1,2011

I am attending the Worldwide Security Summit being held at the QEII Conference Centre in London.
It is currently being addressed by Dr R Chandrashekar, the Secretary of the Department of Information Technology in India. His address has been very wide-ranging, but I was much taken by the way in which ha acknowledged almost as an aside a massive vulnerability to the world economy before moving quickly on.
After spending several minutes outlining the increasing dependence of the world on the internet, including government and commercial systems. He then pointed out that, of course, the internet only functions because of the existence of a small number of undersea data cables, connecting the major continents together. These have been damaged from time to time, for example, by shipping and by natural disasters. These have produced significant, if (so far) short-term, disruptions. For those wanting to cause major problems for the world economy the implications are unfortunately obvious …….

Feb 20,2011

The lead story on the front page of today’s Sunday Times (behind the paywall) proclaims “China gives £50 million aid for Olympics” and reports that:

“A Chinese company is offering Britain £50 million of ‘aid’ to put in a free mobile phone network in time for the Olympics.

Huawei, one of the worlds biggest telecoms equipment firms, is presenting the offer for the London Underground as a gift from one Olympic host nation to another.”

This proposal has the support of Mayor Boris Johnson.

However, as the Sunday Times warns:

“The offer has been made only two years after intelligence chiefs warned that China could have the capabilityto shut down Britain by bringing down its telecoms and utilities systems.

They raised fears that equipment already installed by Huawei in BT’s network could be used to cripple vital services.

A deal would see Huawei, which has close military links, install mobile transmitters along the ceilings of tunnels so that commuters can make and receive calls for the first time while travelling underground.”

I have been concerned about Huawei for some time.  We are breath-takingly complacent about the vulnerability of our critical national infrastructure and – particularly in the current economic climate – there seems to be no appetite from the Government to prevent huge chunks of it falling into foreign hands.

This is potentially another example – aided and abetted by Mayor Boris Johnson.

Not all Tories are so relaxed (and Mayor Johnson has a reputation for being very relaxed!): Patrick Mercer MP has pointed out:

“… it absolutely answers a terrorists’ prayers to be able to detonate devices on the Underground.  …  It has been proven that a proportion of the cyber attacks on this country come from China.  I wonder when the eyes of the world are upon us whether there is sense in using a Chinese firm to install a sensitive mobile network.”

These are serious matters and a serious London Mayor should not complacently give his support, presumably he hopes that if his eyes are firmly closed and his fingers are crossed that it will all be OK.