Lord Toby Harris Logo

Archive for the ‘Technology’ Category

Nov 14,2010

My invitation to attend the Nobel Prize presentations in Oslo seems to have gone astray again.

However, perhaps that’s just as well.

The Committee to Protect Journalists reports that:

“This weekend, staff at CPJ received a personal invitation to attend the Oslo awards ceremony for Nobel Peace Prize winner Liu Xiaobo. The invite, curiously, was in the form of an Adobe PDF document. We didn’t accept. We didn’t even open the e-mail. We did, however, begin analyzing the document to see was really inside that attachment, and what it was planning to do to our staff’s computers.

NGOs and journalists who work or report on human rights issues in China now regularly receive e-mailed attachments, often PDFs, which on closer examination prove to be malicious code sent from unknown sources. These attachments contain embedded programs that execute when the file is opened, and take advantage of local security flaws to install concealed software on their victims’ machines.

This secret software can delete or create files, commandeer the computer for cyber-attacks on other targets, or just sit and record keystrokes and network traffic, which it will then report to a remote “command-and-control” server elsewhere on the Net. A computer with this malware installed is an open book to whoever is controlling the program.

Malware is a problem for everyone. We’re all used to shady characters spamming us e-mail with enticing subject titles. But vulnerable journalists and activists receive far more sophisticated, customized messages that use narrow intelligence about their contacts and interests in order to trick their recipients into opening them. This Nobel e-mail, for instance, was sent from a colleague at a known NGO who I’ve personally met and who has invited CPJ to events in Oslo previously. The PDF, when opened, showed a legitimate-looking invitation with the organization’s logo and the signature of the NGO’s founder.”

I would probably have opened the attachment without thinking, despite being aware of the dangers. What would you have done?

Nov 13,2010

You cannot spend any time in the Palace of Westminster without being aware of the deep dissatisfaction that MPs have with IPSA, the Independent Parliamentary Standards Authority.

So I am somewhat surprised that there has not been more fuss about the fact that the Information Commissioner has reprimanded IPSA for a security breach just before the summer recess when MPs’ personal information – including banking details and home telephone numbers – were at risk for 21 hours.

According to ITPro:

“A data breach at the Independent Parliamentary Standards Authority (IPSA) led to MP’s information being placed at risk, including banking details and home telephone numbers.

The breach occurred on 13 July following IT maintenance on an MP expenses database, allowing people with an expenses account and their clerks to access the information.

The security loophole was left open for 21 hours and the Information Commissioner’s Office (ICO) has ordered the IPSA to take steps to ensure such a breach does not occur again.

“This case highlights how any work carried out on a database must be subject to rigorous security testing before being re-launched,” said Mick Gorrill, head of enforcement at the ICO.

“MPs carry out a high profile role and the information their expenses claims include could put them at risk of fraud and endanger their security.”

The IPSA, which said it reported the breach to the ICO as soon as it happened, has now signed an undertaking, which includes a requirement to ensure system administrator accounts are reviewed regularly.”

IPSA will shortly be offering courses on how to win friends ……

Oct 14,2010

There was a two hour debate in the House of Lords this evening on a Lords’ Select Committee report on protecting Europe against large-scale cyber-attacks.

My contribution (which followed an excellent maiden speech from Lord John Reid) was as follows:

“My Lords, it is an enormous pleasure to follow my noble friend Lord Reid of Cardowan and his maiden speech, in the course of which he paid a very graceful tribute to his successor as Member of Parliament. He told us that she had already attained the ripe old age of 25. I am informed that the noble Lord started his political career some considerable period earlier than 25. I am told, in fact, that he led his first strike at the age of about 14 and a half when he was still at school and was objecting to the practice of the fairly disciplinarian head teacher that the children should be kept outside, irrespective of the weather, until the school started. He called a strike of his fellow pupils on the basis that, if they were not allowed in until nine o’clock, they would not go in after nine o’clock. My understanding is that he was successful in that, which demonstrates a robustness and forceful nature, which we have seen in this afternoon’s speech. However, we have also seen the noble Lord’s other side—his erudite and thoughtful nature. I understand that it is that side that comes in particularly useful in his latter-day role as chairman of Celtic Football Club, where erudition and thoughtfulness is particularly important.

The noble Lord has had 10 years in very senior roles as a member of Her Majesty’s Government. He was in the last Government what I think should be described as a “big beast”, with the emphasis on some occasions on the word “beast”. I worked closely with him in a number of those roles, in particular in his time at the Home Office. One of the achievements of that period is a lasting one: the creation of the Office for Security and Counter-Terrorism. This country will learn to realise how significant and important it has been, and that is down to my noble friend. His contribution today has demonstrated the qualities of robustness and erudition that we will all expect to hear much more of in the time ahead. We do indeed look forward to many further contributions of a similar nature.

I am grateful to the noble Lord, Lord Jopling, for his introduction of the report and his work, and the work of his colleagues, in pulling together the report which we have had. It is a very important Select Committee report, and I had the privilege of sitting in on a couple of the evidence sessions to hear the discussion. As the noble Lord pointed out, we are having quite a timely debate following the reported comments of the director of GCHQ in the past few days. He has talked about the significant level of attacks on government systems, many of them precisely and deliberately targeted at those systems. The debate is unfortunately not quite as timely as it might be in that we do not yet have the benefits of the results of the security and defence review or the comprehensive spending review. We will have to wait a few more days for those. However, I hope that that fact of timing will not prevent the Minister from providing us with some more information on how the Government’s thinking on these matters is developing.

I have high hopes for the noble Baroness, Lady Neville-Jones, because I am aware of her continued personal interest in matters of cybersecurity and information assurance. I have attended so many meetings over the past few years which she has been at, and which have discussed these matters, that I know that she takes these matters extremely seriously. That includes, for example, her chairing for a period the Information Assurance Advisory Council, which brought—and continues to bring—together industry, academia and government to talk about these matters. We have high expectations of the Minister in what is going to be done in this field over the months and years to come, and I am sure that she will not disappoint us today in her response to this debate.

It is important that we recognise several elements in the issues around cyberattacks and the matters which this report has covered. A few years ago, a lot of these matters were dismissed as the actions of teenage cyberjuvenile delinquents who were merely interested in getting into systems because they were there and, perhaps, in gaining some element of self-respect by leaving their mark on those systems, proving that they had been there—a sort of petty vandalism, expressed in the cyberworld as opposed to the physical world that other juvenile delinquents might be engaged in. Yet we have to recognise that those juvenile delinquents have grown up. Some have grown out of those issues, but others have started their own criminal enterprises; some have been bought up by much more organised and serious criminal enterprises; some have, no doubt, become fundamentalist in their religious views; others are being employed by nation states. We have to recognise the scale and effectiveness of the targeting that can now be done.

We therefore have not only the continued action and vandalism of the juvenile delinquents but the issues around cyberactivism, of people trying to make a political or other point by mass cyberaction. We have small-scale crime, but more significantly we have an enormous wave of organised crime using the techniques that are now possible through the internet. That is now having an effect. We also have otherwise respectable businesses making use of these criminal techniques to inform themselves of their competitors’ activities and, indeed, trying to obtain intellectual property. Then we have state-sponsored activity, some of it at the commercial end but some of it much more about creating the opportunity to attack other nation states if that is necessary. The noble Lord, Lord Jopling, has talked about what happened to Estonia, and numerous incidents are now reported of what are perceived as being—although this is not necessarily the case—attacks sponsored by one nation state against another in this sphere. We have yet to see a serous terrorist act perpetrated through these means, but it is only a matter of time before terrorists also make use of these techniques as an adjunct, as part or as the main focus of their attack.

We therefore have to examine the issues raised by this report in a number of ways. First, while they might not quite meet the definition that the noble Lord, Lord Jopling, gave of a cyberattack, the activities of serious and organised criminality in terms of fraud and all the things that it is trying to do are of such a scale that Governments—national, Europe-wide and worldwide—should be taking them seriously and acting on them.

Secondly, we have to look at the scale of what is happening in terms of corporate raiders, intellectual property theft and the potential for industrial disruption. Again, some of this is by organised crime, but my understanding is that a significant proportion of that is carried out by nation states or at their behest.

Thirdly, and this is particularly important in terms of the responsibilities of our Government and the Minister, there are issues around the attacks on, and the vulnerability of, our own critical national infrastructure. Some of those attacks on government systems are about espionage, but some of them are about creating the potential for disruption.

I have a number of questions or issues that I hope the Minister will be able to respond to. The first relates to the sheer volume of criminality and whether as a nation we are equipping ourselves to keep up with those who are trying to defraud our citizens or otherwise cause problems. There has been a history of law-enforcement initiatives taken in this field. The National Hi-Tech Crime Unit, which was very successful, appeared to disappear when its responsibilities were taken over by the Serious Organised Crime Agency, so much so that the police had to set up a new unit, the Police Central E-Crime Unit—I declare an interest as someone who has been closely involved in that, as a member of both the Metropolitan Police Authority and the ACPO board that oversees it—which has had a series of successes, like the arrests a few months ago of the five men and one woman engaged in stealing the details of more than 10,000 bank accounts and allegedly netting themselves more than £3 million as a consequence. That unit, working with the private sector and levering in resources from it, has been remarkably successful, but it is still new and fairly fragile.

I understand that there are rumours that this unit should be subsumed into the proposed new national crime agency. I have no objection to the new agency, once it is established, maybe taking on this responsibility; it must certainly have a capacity to deal with these matters. My concern is that if we move too quickly to that process, the idea of subsuming a body that is only just beginning to work into a new body that will be going through its own birthing pains is not necessarily sensible. We have had evidence from the outgoing chief executive of the Child Exploitation and Online Protection Centre about the fragility of those structures and the private sector funding of them. He suggested that Microsoft may propose to withdraw the resources that it puts into CEOP because of the uncertainty about its future. I hope that the Minister will give us some assurances today about the continued budget to enable the police to play their role in fighting e-crime, that we will not see the fragile new arrangements subsumed too early into a national crime agency and that there will at least be time for any national crime agency to be established, and to establish itself, before such a change takes place—if that is what happens.

The second issue was referred to by the noble Lord, Lord Jopling, when he talked about the so-called Stuxnet attacks on the control systems of the Iranian nuclear power programme. I have been concerned, as have several noble Lords and others, about the vulnerability of SCADA systems to attack. Is the noble Baroness personally satisfied that enough is being done at present to protect such control systems for our critical national infrastructure, against both the sort of electronic attack that the Stuxnet attack seems to have been and the electromagnetic pulse attacks that the noble Lord, Lord Reid, referred to? He made the valid point that exploding a nuclear device might be rather a visible way of producing an electromagnetic pulse. However, there are regular cycles of sunspot activity that could produce the same sort of effects. The issue of protection remains, whether it is an external attack, a natural event or something triggered electronically.

I would also like the noble Baroness to tell us whether enough is being done to protect the intellectual property of the United Kingdom against electronic attacks. In this context, is she satisfied that the major contractors that provide services to government departments are themselves adequately protected against this sort of penetration? I have heard stories about some of those major contractors being heavily penetrated in possibly state-sponsored incidents. If that is the case it is extremely serious. It is important that the noble Baroness should give us her assurance as to what can be done.

Finally, I hope the noble Baroness will give us, in the course of her remarks, a route map that tells us who is in charge of the various key elements of this matter. Who is in charge of setting the standards of security for our critical national infrastructure? Who is responsible for attributing where attacks are coming from? Who is responsible for managing resilience and recovery, should an attack take place? Who is responsible, if necessary, for retaliation or taking out those who are carrying out these attacks?”

Oct 12,2010

I have taken an interest in the safety of children and young people using social networking sites for some time, so I was interested to attend the launch by DigitalME of Safe, a new social networking safety programme for primary schools.

The programme is:

“designed to support primary school pupils in learning the essential skills to enjoy social networking, whilst remaining safe online. With children sharing content online and joining social networks at an increasingly younger age, there is a greater need to ensure primary aged pupils are equipped with the knowledge to understand potential risks and the skills to manage their digital footprint.”

It provides downloadable teacher resources so that primary school pupils can be given fun activities that help them improve their digital literacy skills.  As teachers were heavily involved in its preparation, it is designed to meet their needs, to fit in with the curriculum and aims to satisfy headteachers’ requirements (eg. a plaque to put up in the school hall) as well.

The programme is essentially free (although there is a charge for the plaque) and it certainly looks like a worth-while initiative to me.  I wish it well.

Oct 3,2010

The Metropolitan Police Commissioner, Sir Paul Stephenson, has issued an important reminder about specialist policing in an article in today’s Sunday Telegraph.  In it he highlights the valuable work of the Central e-Crime Unit based in the Metropolitan Police, saying:

“Four criminals obtained the personal financial details of hundreds of people, allowing them to identify up to £8 million they could steal. They siphoned off £750,000 from 64 victims before police arrested them.

In another operation, detectives working with the financial sector found a network of 600 criminally-controlled bank accounts waiting to be used to ‘cash out’ the proceeds of cyber theft.

In other cases, suspects have allegedly offered sophisticated online courses in cyber fraud.

And last week, detectives from the Metropolitan Police Central e-Crime Unit (PCeU), working with the FBI to investigate the theft of money from online bank accounts, charged 11 people.”

I have been closely involved in the setting up of this Unit over the last few years, so it was gratifying to see Sir Paul’s acknowledgement of its contribution to the fight against crime.

Sir Paul points out:

“All these cases indicate the scale of the challenge facing us. Yet my investigators tell me the expertise available to them is thin, compared to the skills at the disposal of cyber criminals.

In a modest south London office block, the PCeU’s small team of officers and civilian support staff are working to tackle cyber criminality.”

As it happened I was in that “modest south London office block” last week, looking at another of the Metropolitan Police’s specialist units, but as I passed the PCeU I was reminded yet again how small a unit it is given the scale of the problems and organised criminality that it is facing.

But Sir Paul was not simply praising a small team of dedicated police officers and staff.  He was making a much more fundamental point:

“They are unseen officers, as far as the public and some politicians are concerned. They work with the financial and internet industry to tackle the use of the internet to facilitate criminality and cyber crime, and to close down illegal sites.

However, the significance of the unit goes to the heart of the current debate about what policing should look like in an era of significant budget cuts.

Some commentators argue that we should concentrate on uniformed policing and draw back from specialised work that could be done by others. Leave cyber crime to the banks and retailers to sort out, the argument runs.

It is a fundamentally misguided argument.

If the debate about police cutbacks gets bogged down in arguments about ‘uniforms before specialists’ we will not serve the public well. It is vital to have a balanced model of policing with visible uniformed officers and specialist units such as PCeU, as well as other key units like the Kidnap Unit, Child Abuse Investigation and homicide teams.”

Sir Paul has hit the nail on the head.  Policing must be about much more than “Bobbies on the beat”.  Neighbourhood presence is of course essential.  But so too is having the specialised resources to tackle organised crime and terrorism – if  these are neglected the ultimate impact on all of our qualities of life is potentially catastrophic.

Current debates about police budgets must not fall into the trap of focusing all the attention on visible policing.  Balance will be essential.

And round the corner what will be the impact of the proposed directly-elected Policing and Crime Commissioners?

There is a danger that a populist focus on visible local policing may appear to be an election-winning formula and that the essential balance in policing will be lost.  If there are to be directly-elected Commissioners – and the Coalition appears to be pretty determined that there should be – it will be vital that a clear legal duty is placed on the new Commissioners to deliver an effective contribution to the fight against organised crime and terrorism.  The new legislation must make sure that the balance between visible local policing and specialist resources, like the PCeU, is maintained.

Sep 10,2010

You know what it is like when you are eagerly awaiting something.  You can’t wait, even though you know it is only a matter of time.

But now – for me – the waiting is over.

Finally, just a couple of hours ago it arrived.

Not my Labour Party ballot paper – I got that at the beginning of the week.

No, it’s my personalised phishing email from Her Majesty’s Revenue and Customs.

Less than a day after HMRC announced that some six million people had paid the wrong amount of tax enterprising fraudsters began emailing people all over the country telling them that they were entitled to a tax rebate and inviting them to provide details of their bank accounts so that they could have said accounts emptied/be sent their entitlement.

I was beginning to feel left out, but now it’s arrived.

Today after the last annual calculation of your fiscal activity, we have determined that you are eligible to receive a tax refund.

Complete the individual tax refund form attached this confidential message.

After completing the form allow us 5-9 business days in order to process it.

Your verification form will only be valid only for 24 hours.

HM Revenue & Customs“

The form itself is very user-friendly and asks for those hardy perennials: full address, date of birth, mother’s maiden name, telephone number etc – everything needed in fact to answer most standard bank security questions.  And is accompanied by a stern HMRC-like warning:

Important: The tax law imposes heavy penalties for giving false or misleading information

No doubt, I’m about the thirty-millionth person to receive one of these, but I can’t help wondering why the Government has done so little to warn people about these and to make it clear that HMRC will be WRITING to all those affected and would NEVER request such details by e-mail.

Sep 9,2010

My default position is that the new Coalition Government is hell-bent on creating a double-dip recession and on dismantling vital parts of the public sector, is ideologically-driven and is cavalier about the impact of its policies on disadvantaged communities. And I remain to be convinced that it is not taking unacceptable risks with national security.
So the stories I have been hearing about the willingness of the Government to invest in the nation’s cyber-security come as an unexpected, but pleasant, surprise.
I am told that David Cameron personally has been convinced that the comprehensive spending review must ensure that substantial extra resources are spent on developing the UK’s capacity to counter cyber threats to its infrastructure and that the debate between the Treasury and the Cabinet Office is whether the new investment should be £1.5 billion or £2 billion.
This of course is still far less than many other countries are investing. However, if my informants are correct, this would be a useful step in the right direction. Seeing will be believing. And we’ll see on 20th October.

Sep 6,2010

Well worth a watch:


Sep 3,2010

Can anyone explain what it is about this that makes me laugh?

For those who can’t be bothered to click on the link, here is an extract:

“Japanese toilets have long and famously dominated the world of bathroom hygiene with their array of functions, from posterior shower jets to perfume bursts and noise-masking audio effects for the easily-embarrassed.

The latest “intelligent” model, manufactured by market leader Toto, goes a step further and isn’t for the faint-hearted: it offers its users an instant health check-up every time they answer the call of nature.

Designed for the housing company Daiwa House with Japan’s growing army of elderly in mind, it provides urine analysis, takes the user’s blood pressure and body temperature, and measures their weight with an inbuilt floor scale.

“Our chairman had the idea when he was at a hospital and saw people waiting for health checks. He thought it would be better if they could do the health tests at home,” says Akiho Suzuki, an architect at Daiwa House.

Toto’s engineers developed a receptacle inside the basin to collect the urine for sugar content and temperature checks, and an armband to monitor blood pressure. The readout is displayed on a wall-mounted computer screen.

“With the current model, your data is sent automatically to your personal computer, and then you can email it to your doctor,” said Suzuki.

“In the next generation model, the data will be sent automatically to family members or doctors via the Internet,” she told AFP.

The electronic marvel, called the “Intelligence Toilet”, is capable of storing the data of up to five different people and retails for 350,000 to 500,000 yen (about 4,100 to 5,850 dollars) in Japan, she said.

“For now our customers are essentially middle-aged and senior people. But we hope the young generation will also become more health-conscious.”

The model is the latest advance in a string of sophisticated toilets, known as “washlets” in Japan, which have become ubiquitous in recent decades.

The first models were imported from the United States, where they had been used mainly in hospitals, and quickly became standard in Japan in the booming 1980s, finding their way into at least 70 percent of Japanese homes now.

Pioneering Toto designed its first models by asking hundreds of its employees to test a toilet and mark, using a string stretched across the bowl and a piece of paper, their preferred location for the water jet target area.

“For the problem of nozzle angle and water temperature, there was a particular development team dedicated to these tests,” Kuno recalled.

First-time foreign visitors to Japan are often baffled by the complexity of Japanese high-tech toilets, which feature computerised control panels, usually with Japanese language instructions as well as small pictograms.

Standard functions include heated seats, water jets with pressure and temperature controls, hot-air bottom dryers and ambient background music.

A function called “otohime” (literally “princess of sound”) produces a flushing sound to cover bodily noises. A portable gadget is available for customers who want to use it on the go, in restrooms far away from home.

In most recent toilet models, the lid automatically lifts when a user enters the restroom. Men can then push a button to also flip up the seat.

As soon as the user leaves the room, both the seat and lid automatically glide back into horizontal position, a clever feature that can preempt potential conflict between male and female members of the same household.”

Aug 26,2010

The Washington Post reports that the US Deputy Defense Secretary has publicly acknowledged what is being described as the most significant breach of U.S. military computers.

The cause was a flash drive inserted into a U.S. military laptop in the Middle East in 2008.

And the consequence was that the malicious code, which had been placed on the drive by a foreign intelligence agency, uploaded itself onto the network run by the U.S. military’s Central Command. Apparently, the code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.

This disclosure was apparently part of a deliberate strategy to raise the awareness of the US Congress and the American people of the cyber-threat being faced by the USA.  Apparently, the Pentagon’s 15,000 networks and 7 million computing devices are being probed thousands of times daily and the US Government’s concern is that cyberwar is asymmetric and that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult to identify the instigator of an attack.

The problems faced by the Pentagon are no doubt faced – on a smaller scale – by the UK Ministry of Defence and the British armed services.  I do not, however, detect a similar openness about the threat by the UK’s Coalition Government – perhaps because the strategy to address the problem is nothing like as well-developed as it should be.