Lord Toby Harris Logo

Archive for the ‘Technology’ Category

Wednesday
Aug 25,2010

I’ve commented before on the market that has developed for hackers and malware writers to sell on their “products” to other criminals – even promoting their activities via Twitter.

This concern has now been repeated by the Canadian Criminal Intelligence Service in its 25th Annual Report on Organised Crime.  According to the Montreal Gazette:

“The report, released Friday, focuses on securities fraud, and states the size and complexity of schemes help conceal criminal activity, generate ample profits and facilitate tax evasion.

It said social-networking websites are allowing criminals to efficiently and anonymously issue fake news releases and promotional material to potential victims.

Aside from the use of Facebook and Twitter, criminal organizations are taking advantage of the hacker-for-hire black market, it said.

The report offered few further details. However, it did say that because of the availability of these services, fraudsters don’t need to acquire the necessary technical expertise to hijack computer accounts on their own.”

You read it here first.
Saturday
Aug 21,2010

The BBC reports today on the loading of the first nuclear fuel at the Bushehr reactor in Iran tell us that the international community can be reassured on the basis that (1) the nuclear fuel rods are all being supplied by Russia and (2) the spent rods and waste will go back to Russia.

At the risk of sounding like an unreconstructed cold warrior, I have to confess to not finding this at all reassuring.

Why does Russia want to do this and what do they expect to get out of it?

And as for the waste, the work I have been doing in recent months on the safeguards (or lack of them) at reprocessing plants hardly makes any of this sound any better.

Please somebody persuade me that this is good news ….

Tuesday
Aug 17,2010

Thanks to my good friends at Team Cymru, I have been keeping up-to-date on current developments on cyber security while I have been away.

Two items, in particular, caught my eye.

The first was that India is now developing its own army of software professionals to hack computer systems of hostile nations.

The second was about the vulnerability of major companies to “spoofing” – plausible sounding cold callers seeking information over the telephone AND being provided with enough material to assist hackers to penetrate information systems.  Apparently, at the recent DefCon conference in Las Vegas there was a “social engineering” contest challenging hackers to call workers at 10 companies including Google, Apple, Cisco, and Microsoft and get them to reveal too much information to strangers.  According to an article in The Age,  one employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.

The article continued:

‘”You often have to crack through firewalls and burn the perimeter in order to get into the internal organisation,” said Mati Aharoni of Offensive Security, a company that tests company computer defences.

“It is much easier to use social engineering techniques to get to the same place.”

Other companies targeted were Pepsi, Coca Cola, Shell, BP, Ford, and Proctor & Gamble.

The contest, which continued Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.

“We didn’t want anyone fired or feeling bad at the end of the day,” Aharoni said. “We wanted to show that social engineering is a legitimate attack vector.”

A saying that long ago made it onto t-shirts at the annual DefCon event is “There is no patch for human stupidity.”

“Companies don’t think their people will fall for something as simple as someone calling and just asking a few questions,” Hadnagy said.

“It doesn’t require a very technical level of attacker,” Aharoni added. “It requires someone with an ability to schmooze well.”

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

“As humans, we naturally want to help other people,” Hadgagy said. “I’m not advocating not helping people. Just think about what you say before you say it.”

I suspect most organisations and businesses in the UK would be vulnerable to this sort  of approach …..

Friday
Jul 30,2010

I have already explained that I really don’t mind.

However, just in case you really really want to cast your vote for this blog in the Total Politics annual beauty parade, this is what you have to do:

The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.

So I’m not asking you to do it, but I really won’t mind if you do……

Thursday
Jul 22,2010

I have already explained that I really don’t mind.

However, just in case you really really want to cast your vote for this blog in the Total Politics annual beauty parade, this is what you have to do:

The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to
toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.

So I’m not asking you to do it, but I really won’t mind if you do……

Tuesday
Jul 20,2010

Apparently, last weekend the Vatican was subjected to a cyber attack from an unknown source.  According to the Rome-based Zenit News Agency, the attack meant that anyone typing Vatican into Google was directed to the site “www.pedofilo.com” as the first suggestion, rather than the proper Vatican Web page.  According to the Agency:

“When this misdirection was discovered, Google was informed, said Jesuit Father Federico Lombardi, director of the Vatican press office.

The Internet organization immediately apologized and assured the Holy See that it would do what it could to resolve the problem as soon as possible.

On Sunday morning the problem seemed to be corrected, as users were once again directed to the proper Vatican Web page upon initiating a search for it.

Although the person who caused this problem has not been found, the indications suggested that the operation may have been carried out by someone who had significant knowledge of how Google functions.”

Heavens!  Is nothing sacred?

Tuesday
Jul 20,2010

I have just had a meeting with a senior civil servant in his office in one of the more security-conscious parts of the Whitehall diaspora. I couldn’t help noticing the four separate screens on his desk. When I asked, he explained that one screen allowed him to access public material, one monitor was linked to a computer system that was authorised to handle material up to a RESTRICTED classification, another to a system that could handle CONFIDENTIAL material, and the fourth was – you guessed it – was for SECRET items.
I was suitably impressed.

Monday
Jul 5,2010

I am not looking for any recognition, as you know these things don’t matter to me at all and I am profoundly disinterested in where this blog comes in the annual Total Politics ranking of political blogs, so I really am not asking for you to vote for me or my blog ……..

but ……..

should you be so inclined (and I repeat I really, really don’t mind one way or the other), this is what you have to do:

The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.

So I’m not asking you to do it, but I really won’t mind if you do……

Friday
Jul 2,2010

The New York Times reports that an English-language manual on “How to be a Terrorist” has been produced by the propaganda arm of Al Qaeda in the Arabian Peninsula.  The manual in magazine format includes instructions on how to “make a bomb in the kitchen of your mom,” an article on “Mujahedeen 101” and a lesson in sending and receiving encrypted messages.

Apparently, the publication which was circulating on the internet earlier this week was only three pages long.  The reason?   Some sort of virus seemed to have corrupted the remaining 64 pages.

And the New York Times speculates that this:

“could have been the work of hackers, possibly working for the United States government.”

Interesting, if true.

Friday
Jun 18,2010

According to “The Voice of Russia“, Kyrgyzstan is on the verge of cyber war.  Apparently, the escalating ethnic conflict in Kyrgyzstan has already given rise to cyber attacks carried out on government and media websites.  Official information servers with .kg domain names have been broght down by DDoS attacks, so that local residents and others are denied access to official information.

The article warns that:

“The information war has not yet started in full force and effect in Kyrgyzstan, according to Russian IT-analyst Andrei Masalovich of DialogueScience Inc. He believes cyber attacks could be launched on every country which will send its troops to Kyrgyzstan to help resolve the ethnic conflict. Russia should not therefore intervene in the current situation, the businessman said.

Further aggravation of the ongoing conflict will result in a full-scale information war. Those who will bring armed forces to the republic, will be definitely exposed to massive cyber attacks.

Battles in cyberspace are an integral part of armed conflicts, like for instance, the Georgian aggression against South Ossetia in 2008. Tbilisi then unleashed another kind of war, blocking the country’s entire web segment, so that the world could not find out the truth about the origins of the conflict.”

The comments are interesting in that they put forward the argument that because of the risk of cyber-retaliation Russia should not intervene in the conflict.  This either suggests that the author has little confidence in the ability of the Russian Government to withstand cyber-attacks or that virtually any excuse will be sufficient to keep Russia out of Kyrgyzstan.

Of more general salience is the point that battles in cyberspace are becoming an integral part of more conventional armed conflict.

I wonder how prepared the UK would be?