This blog posting represents the views of the author, David Fosberry. Those opinions may change over time. They do not constitute an expert legal or financial opinion.
Posted on 15th September 2024
How embarrassing! Fortinet, one of the largest cyber-security companies in the world (they sell secure networking products such as firewalls, routers and VPN devices, along with security consultancy services), has admitted that it has been hacked, as reported on Bleeping Computer. A hacker is now offering 440GB of Fortinet's files for sale. The fact that a company claiming it can protect your systems cannot protect its own rather undermines its selling proposition. I am expecting that their existing customers are now reconsidering their choice of supplier, and shareholders are likely to divest.
Posted on 15th August 2024
Although this vulnerability, reported on CyberSecurityNews, sounds bad (it allows attackers to remotely execute code on your computer without you clicking anything), it will not affect most users, and Microsoft has already issued a patch. The issue only affects the IPv6 protocol, and only on Windows computers. Many users still do not have IPv6 connectivity (virtually every computer supports IPv6, but not all ISPs do). You are mainly at risk if your Windows machine has an IPv6 address that is exposed to the Internet. Modern Internet modems have a firewall that prevents external access to your devices' IPv6 addresses unless you explicitly expose them, which you would only do if you are offering services like a web-server or an FTP server to Internet users. If you are, you should apply the patch immediately. Two caveats: a machine on a shared network (a public Wi-Fi, for instance) is reachable over IPv6 by the other devices on that network whatever the modem's firewall does, because IPv6 is enabled by default on Windows even where the ISP offers no IPv6 service; and since exploitation needs no click, the safe course is to apply the patch on every Windows machine, and, on machines that have no use for IPv6, to disable it on the network adapter until the patch is on.
Posted on 2nd June 2024
I thought that some readers might find this article on "How To Geek" useful. It describes some simple ways to tell whether your webcam has been hacked, which probably means that someone has been spying on you. I thought this especially relevant at the moment, given that there currently seems to be a campaign to blackmail people with claims that someone has "recorded some videos of you jerking off to highly controversial adult videos." I am currently receiving several such emails per day with this claim, but they do not fool me. Not only can you use the article to check whether your webcam has been spying on you, but there are some very simple things you can do to prevent such intrusions:
Posted on 21st March 2024
If anyone needs proof that Microsoft doesn't take their customers' security seriously, this report on Bleeping Computer is it. For those who don't know, RSA keys (in TLS certificates and SSH host keys) are used to secure connections for services like HTTPS (secure web-site access), FTPS and SFTP (the usual methods to upload files to remote web-servers; plain FTP is not encrypted at all), SSH (secure shell connections) and RDP (remote desktop connections). The longer the key, the harder it is to break (although there is a processing overhead with longer keys). 2048 bit keys have been common for a very long time, and the recommended minimum since 2013: the Bleeping Computer report states that 1024 bit keys were disallowed by Internet standards and regulatory bodies in 2013, and 2048 bit keys have been recommended since 2002. I have, on occasion, even generated 4096 bit RSA-based SSL certificates for web-sites. Microsoft, however, is only now deprecating 1024 bit keys. Note that "deprecating" means that they are discouraging the use of 1024 bit keys rather than disabling them; you will get a warning, but will be allowed to create a connection to a system that uses one. One of the systems that I have has a Windows 7 operating system (on a virtual machine). Windows 7 uses 1024 bit keys. Microsoft ended support for Windows 7 in January 2020, but in the 7 years between 1024 bit keys being disallowed and the end of support (and in all the years since 2048 bit keys were first recommended) Microsoft issued no update to introduce 2048 bit keys. Many popular tools (FileZilla, the most popular FTP client, all browsers and SSH) have required a minimum key length of 2048 bits since the end of 2013. I use Remmina (standard in Ubuntu and many other Linux variants) for my RDP sessions and it will not connect to a server unless it has at least 2048 bits; there is no option to ignore, and no way to relax the security settings. Windows, however, allows you to connect an RDP session to a remote system that has only a 1024 bit key (you will at least get a warning).
To spell it out clearly, your Microsoft systems are inherently insecure and prone to hacking, and the company doesn't care. Even if they did care, experience has shown that they are not good at system security, or indeed at issuing updates that work. I know that many people still operate Windows 7 (the last Windows version that doesn't force system updates without the user's approval; there are several other legitimate reasons to use such an old operating system). If you are one of these, but would like to upgrade your RDP security, it is possible (complicated, but possible); here is what you can do:
Posted on 28th December 2023
This report by Ars Technica should worry everyone. It describes a new vulnerability in SSH. SSH, or Secure Shell, was invented in 1995 and provides secure access to remote computers. It provides not only command-line remote access, but also remote graphical applications (where the program runs on the remote computer and any windows that it opens appear on the local computer) using a feature called X11 forwarding. This may seem rather esoteric to some readers, but it is the basis of the administration of remote computer systems like web-servers and cloud servers. It is very powerful and easy to use, and until now has had an excellent security record. Now, however, it has been found to be vulnerable to a so-called "man in the middle" attack, in which an attacker positioned on the network path between client and server interferes with the connection. Because this is a weakness in the protocol rather than in any one password or key, the fix is to update the SSH software on both the client and the server side. We should expect a series of system penetration events, resulting in hackers gaining access to Internet-connected systems and stealing valuable data, ransomware attacks and the like. Luckily, I do not use SSH to access my servers while away from home. Instead, I have written some tools which allow me to do most of the system administration by other methods.
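To make concrete what a "man in the middle" attack on SSH is normally defended against, here is an added example (not code from the original post, and not a description of the particular flaw the Ars Technica report covers): a minimal re-implementation of the client's known_hosts check, including the hashed host entries OpenSSH writes when HashKnownHosts is on. An attacker impersonating the server must present a different host key, and this check is what turns that into the familiar "REMOTE HOST IDENTIFICATION HAS CHANGED" warning. It is no protection against a weakness in the protocol itself, which is why the answer to the reported vulnerability is to update both ends. The key blobs and the salt are constructed dummy values; a real ed25519 key and a real salt would be random.

```python
import base64
import hashlib
import hmac


def make_key_blob(key_type, raw_key):
    """SSH wire format for a public key: length-prefixed type string followed by
    length-prefixed key material (RFC 4253 'string' encoding)."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    return ssh_string(key_type.encode()) + ssh_string(raw_key)


def fingerprint(blob_b64):
    """The SHA256:... fingerprint ssh prints, computed over the decoded key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname, salt):
    """HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hostname_matches(field, hostname):
    """Match a known_hosts host field, either plain (comma separated names/IPs) or hashed."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        expected = hash_hostname(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, field)
    return hostname in field.split(",")


def check_host_key(known_hosts_text, hostname, key_type, blob_b64):
    """What the client does before trusting the server.
    'ok'      - the presented key is already recorded for this host
    'CHANGED' - a different key is recorded for this host (the MITM warning)
    'unknown' - first contact; the user is asked to confirm the fingerprint"""
    seen_host = False
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host_field, rec_type, rec_blob = parts[0], parts[1], parts[2]
        if not hostname_matches(host_field, hostname):
            continue
        seen_host = True
        if rec_type == key_type and rec_blob == blob_b64:
            return "ok"
    return "CHANGED" if seen_host else "unknown"


# --- constructed sample: dummy key material, not a real server ---------------
REAL_KEY_B64 = base64.b64encode(make_key_blob("ssh-ed25519", bytes(range(32)))).decode()
IMPOSTOR_KEY_B64 = base64.b64encode(make_key_blob("ssh-ed25519", bytes(range(32, 64)))).decode()
_SALT = bytes(range(100, 120))   # fixed so the sample is reproducible; ssh uses a random 20-byte salt

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry, name and address",
    f"web.example.com,203.0.113.10 ssh-ed25519 {REAL_KEY_B64}",
    "# hashed entry (HashKnownHosts yes) for db.example.com",
    f"{hash_hostname('db.example.com', _SALT)} ssh-ed25519 {REAL_KEY_B64}",
])

if __name__ == "__main__":
    print("server fingerprint:", fingerprint(REAL_KEY_B64))
    print("web, genuine key:   ", check_host_key(SAMPLE_KNOWN_HOSTS, "web.example.com", "ssh-ed25519", REAL_KEY_B64))
    print("db, impostor key:   ", check_host_key(SAMPLE_KNOWN_HOSTS, "db.example.com", "ssh-ed25519", IMPOSTOR_KEY_B64))
    print("new host:           ", check_host_key(SAMPLE_KNOWN_HOSTS, "new.example.com", "ssh-ed25519", REAL_KEY_B64))
```

The example handles plain and hashed host fields only; real OpenSSH known_hosts files can also contain `[host]:port` forms, wildcards and `@cert-authority` / `@revoked` markers. The practical point is the third outcome: a first contact gives you nothing to compare against, so the fingerprint you confirm on that first connection should come from the server's administrator (or a DNS SSHFP record), not from the connection itself.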
Posted on 28th December 2023
It seems that the hackers have been very busy lately. Xfinity, a division of Comcast, waited about 9 days to patch a high-severity vulnerability. During that delay, hackers stole password data and other sensitive information belonging to 36 million Xfinity customers, as reported by Ars Technica. The stolen passwords are cryptographically hashed, so they do not directly give the hackers access to those customers' accounts; note, though, that the hash of a weak password can be recovered offline by trying likely passwords against it, which is why a breach like this is normally followed by forced password resets, and why the same password should never be reused on another site. The other data is not encrypted. Basically, the problem was caused by laziness on the part of Comcast. The LockBit ransomware group claims to have hacked accounting firm Xeinadin, which serves customers in the UK and Ireland, and is threatening to disclose the stolen data, according to Security Affairs. Stolen data apparently includes:
Europe’s largest parking app operator, owner of brands including RingGo and ParkMobile, has reported itself to information regulators in the EU and UK after hackers stole customer data, according to this report on The Guardian. Data stolen includes customer names, phone numbers, addresses, email addresses and parts of credit card numbers. Luckily, complete credit card numbers were not stolen. Rather more worrying is this security breach at Panasonic Avionics, which provides in-flight communications and entertainment systems, as reported by Bleeping Computer. Data stolen potentially includes:
The reason that this is so worrying is that the breach occurred on the 30th of December 2022, but has only now been reported to California's Attorney General. This just goes to prove that our data is not secure, whether it is held by government agencies or by companies.
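The remark above that hashed passwords "will not give the hackers access" deserves a worked illustration. The following added example (not from the original post; the accounts, passwords and wordlist are constructed, and the page says nothing about how Xfinity actually stored its passwords) builds the same small leak twice, once as unsalted SHA-1 and once as salted scrypt, and runs a dictionary attack against each. The weak passwords fall either way; what changes is that the unsalted dump is cracked with one hash per guess for all accounts at once, whereas the salted, memory-hard version forces one deliberately expensive computation per guess per account.

```python
import hashlib
import os

# --- constructed sample data: not a real leak ---------------------------------
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein",
            "Summer2023!", "correct horse battery staple"]

SAMPLE_ACCOUNTS = {
    "alice@example.com": "password1",          # in every wordlist
    "bob@example.com": "letmein",              # in every wordlist
    "carol@example.com": "9v!Qz#pL2m&Xr7",     # random, not in the wordlist
}


def unsalted_sha1_dump(accounts):
    """The weak form of storage: email -> hex SHA-1 of the password, no salt.
    (Generated from known passwords only so that the sample is self-contained.)"""
    return {email: hashlib.sha1(pw.encode()).hexdigest() for email, pw in accounts.items()}


def crack_unsalted(dump, wordlist):
    """Without a salt, one hash per candidate word tests every account at once,
    and tables precomputed from earlier leaks work too. Cost: len(wordlist) hashes."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


def scrypt_hash(password, salt, n=2 ** 14, r=8, p=1):
    """Memory-hard KDF from the standard library; n=2**14, r=8 needs 16 MiB per call."""
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p)


def salted_scrypt_dump(accounts):
    """The right way: a random 16-byte salt per account and a slow, memory-hard hash."""
    dump = {}
    for email, pw in accounts.items():
        salt = os.urandom(16)
        dump[email] = (salt, scrypt_hash(pw, salt))
    return dump


def crack_salted(dump, wordlist):
    """Each guess must be recomputed per account because of the per-account salt,
    and each computation is slow by design. Cost: up to len(dump) * len(wordlist) calls."""
    cracked = {}
    evaluations = 0
    for email, (salt, digest) in dump.items():
        for w in wordlist:
            evaluations += 1
            if scrypt_hash(w, salt) == digest:
                cracked[email] = w
                break
    return cracked, evaluations


if __name__ == "__main__":
    found, cost = crack_unsalted(unsalted_sha1_dump(SAMPLE_ACCOUNTS), WORDLIST)
    print(f"unsalted SHA-1: recovered {found} with {cost} hash computations")
    found, cost = crack_salted(salted_scrypt_dump(SAMPLE_ACCOUNTS), WORDLIST)
    print(f"salted scrypt:  recovered {found} with {cost} scrypt computations")
```

Scale the numbers up and the difference becomes the whole story: a real attacker runs billions of SHA-1 computations per second on a graphics card, so an unsalted dump of 36 million hashes is effectively cleartext for every account with a common password, while a tuned scrypt or bcrypt parameter set costs tens of milliseconds per guess per account. Neither rescues "password1"; only a password that is not in anyone's wordlist does that.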
Posted on 27th January 2023
I was pleasantly surprised by this story on the BBC, which describes the Department of Justice's (DoJ) campaign of over 6 months hacking the cyber-crime organisation Hive. The FBI managed to gain deep access to the Hive ransomware group in late July 2022. They were then able to warn victims of impending attacks. They also gave more than 300 decryption keys to victims, saving them more than $130m. The US DoJ said it had taken down Hive's websites and communication networks, working with other national police forces, including in Germany and the Netherlands. We need more of this proactivity.
Posted on 28th November 2022
There have been a number of significant hacking breaches in the last few weeks. This article on Security Affairs reports on a data breach (or multiple breaches - the report is a little confusing in this respect) at Twitter that has resulted in the data (including phone numbers and email addresses) of 5.4 million users being made available online. An even larger breach has been suffered by WhatsApp, with the user data (in this case, phone numbers) of nearly half a billion (487 million, 25% of the total) users accessed, as reported by Business Standard: the data of 32 million users from the US, 11 million from the UK, 45 million from Egypt, 35 million from Italy, 29 million from Saudi Arabia, 20 million from France, 20 million from Turkey, 10 million from Russia and 6 million from India. At the moment this is only a risk, since the data has not yet been made available online, but that is probably only a matter of time. The article also pointed out that "Last year, information about more than 500 million users of Facebook, another Meta-owned company, was offered online for free. In 2019, data of 419 million Facebook and 49 million Instagram users were exposed. In the same year, it had faced another breach leaving data of 267 million users exposed." Finally (for now), this piece from Bleeping Computer reports on the disclosure by Dropbox (whose software provides file storage and sharing, used by 700 million users) that 130 of their GitHub code repositories were accessed by an attacker. Dropbox said "To date, our investigation has found that the code accessed by this threat actor contained some credentials — primarily, API keys — used by Dropbox developers," which opens up the possibility that Dropbox users' data (which is supposed to be secure) could in future be accessed by the hackers. All this goes to show that companies (Twitter, Facebook/Instagram and WhatsApp) are consistently unable to keep the data of their users secure.
Posted on 15th August 2022
This BBC report is a really bad advertisement for the company involved, Advanced. Advanced, which provides digital IT services to the NHS (UK National Health Service), has been hit by a ransomware attack. There is a chance (not yet confirmed) that NHS data, including patient data, has been stolen in the attack. Although ransomware attacks do not always steal data, many ransomware groups now copy data out before encrypting it so that they can threaten to publish it, and in any case the security weaknesses that allowed the ransomware in could equally be used by hacker organisations wanting to steal data. The NHS relies on all of its suppliers of services and products to ensure the security and reliability of its services and data, and it only takes one weak link in the chain to compromise potentially everything. This is not only very bad publicity for Advanced, but also (as if we needed any more proof - governments and their agencies are notorious for their poor protection of sensitive data) shows that the NHS is not taking cybersecurity seriously. Advanced should be better protected, and the NHS have clearly failed in their duty of due diligence, which is something that needs to happen not only when suppliers are selected, but also continuously thereafter.
Posted on 13th April 2022
This report on "The Next Web" warns people about something worrying, even though it should be obvious to people who have a modicum of technical know-how: when you are in a video-conference, muting in the app only prevents the other conference participants from hearing you. The app/service provider is still able to receive anything you say, and record it or analyse it with an AI program. That does not mean that they are eavesdropping, but it is technically possible; it reminds us all of how much trust we are placing in the likes of Zoom and Microsoft (suppliers of Teams and Skype). I don't know about the rest of you, but I don't want someone recording or analysing my speech when I am muted. It is an invasion of privacy. You might think that, having muted, you can safely swear about your boss, or talk about something that is not intended for public knowledge with someone else in the room with you, but this is clearly not the case. Luckily, as the article points out, it is still possible to mute properly, by muting the device rather than the app. For example, many headsets mute if you raise the microphone boom; alternatively you can use your operating system's functionality to mute the microphone locally (how you do this depends on what operating system and version you have). Only a hardware mute that cuts the microphone's signal is beyond the reach of software; an operating-system mute is still software, but at least it is not the conferencing vendor's software.
Posted on 8th April 2022
There is a reason why computer experts recommend that you have cybersecurity software and processes, as demonstrated by this story (reported here on The Register). Apparently the Andhra Pradesh Mahesh Co-Operative Urban Bank's firewall licence had expired (at least they had one, which maybe still worked, but there would have been no more updates), and they had no phishing protection, intrusion detection system or intrusion prevention system. It is therefore no surprise that they got hacked, resulting in a significant amount of money being stolen. I feel sorry for their customers, who were probably assured that the bank had comprehensive cybersecurity systems and processes in place. For your computer systems to be secure, you need to be paranoid. For example, if you are reading this on my web-site, your access is through 3 different firewalls. That paranoia should extend to not sharing details with your friends, family, colleagues or employer of what kind of cybersecurity you have in place (notice that I didn't tell you what and where my 3 firewalls are). Even for securing your home computers, you need to be paranoid: at the very minimum, firewalls and antivirus programs, both regularly updated; and scan your systems regularly. Another thing you might want to look into is your Internet modem. In the old days, when all traffic ran over IPv4, all your home systems (servers, desktops, laptops, NAS, mobile phones and Internet of Things smart devices) were hidden from public view by NAT routing in the Internet modem. Then IPv6 was introduced: older IPv6-capable Internet modems (like the Technicolor TC7200) offered no firewall protection for IPv6 devices on your home network; every device had a public address and was visible and accessible to anyone on the Internet; newer Internet modems like the FritzBox 7590 have IPv6 firewalling.
You can find out by reading the manufacturer's user handbook, or by checking the administration interface (if it has a section to allow your IPv6 devices to be accessed from the Internet, which you would need to use for a web-server or email-server, then it has an IPv6 firewall).
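The check that both this post and the August 2024 IPv6 post above boil down to is: does this machine have a globally routable IPv6 address, and what else can reach it from where? Below is an added example (not code from the original post or the author's own tooling) that parses the output of Windows `ipconfig` or Linux `ip -6 addr` and sorts the addresses into global, unique-local and link-local. The sample outputs are constructed, and the 2001:db8 addresses in them are the IPv6 documentation prefix standing in for a real provider-assigned address.

```python
import ipaddress
import re

# Address ranges used for the classification (RFC 4291 and RFC 4193).
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # routable from the whole Internet
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")     # private, like 10.0.0.0/8 in IPv4
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # reachable only on the same LAN segment

# Windows ipconfig prints "IPv6 Address . . . : addr", "Temporary IPv6 Address" and
# "Link-local IPv6 Address . . . : fe80::...%zone"; Linux `ip -6 addr` prints
# "inet6 addr/prefix scope ...". The %zone and /prefix parts are not captured.
_IPCONFIG_RE = re.compile(r"IPv6 Address[ .]*:\s*([0-9A-Fa-f:]+)")
_IP_ADDR_RE = re.compile(r"inet6\s+([0-9A-Fa-f:]+)/\d+")


def extract_ipv6(text):
    """Pull every IPv6 address out of ipconfig or `ip -6 addr` output."""
    return _IPCONFIG_RE.findall(text) + _IP_ADDR_RE.findall(text)


def classify(addr):
    """Classify one address; a trailing %zone identifier is ignored."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    if ip.is_loopback:
        return "loopback"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def exposure_report(text):
    """Group the machine's addresses by who can reach them.

    'global': routable from the Internet; whether a remote attacker actually
      gets through depends on the modem/router firewall.
    'unique-local' and 'link-local': not Internet-routable, but reachable by
      every other device on the same LAN or Wi-Fi regardless of that firewall.
    """
    report = {"global": [], "unique-local": [], "link-local": [], "loopback": [], "other": []}
    for addr in extract_ipv6(text):
        report[classify(addr)].append(addr.split("%")[0])
    return report


def internet_exposed(text):
    """True when at least one address is globally routable."""
    return bool(exposure_report(text)["global"])


# --- constructed sample outputs (not real machines) ---------------------------
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:a1b2:c3d4:e5f6:1
   Temporary IPv6 Address. . . . . . : 2001:db8:1234:5678:9f8e:7d6c:5b4a:3928
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
"""

SAMPLE_IP_ADDR = """\
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd12:3456:789a::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::abcd:ef01:2345:6789/64 scope link
       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    for name, text in (("ipconfig", SAMPLE_IPCONFIG), ("ip -6 addr", SAMPLE_IP_ADDR)):
        print(name, exposure_report(text), "Internet-exposed:", internet_exposed(text))
```

Run it against real output (`ipconfig` on Windows, `ip -6 addr` on Linux) pasted into the string or read from a file. A 'global' entry means the modem's IPv6 firewall is all that stands between that machine and the Internet, so it is worth confirming that the firewall exists, as described above; the link-local and unique-local entries are what an untrusted device on the same Wi-Fi can reach whatever the modem does. Temporary (privacy) addresses change over time, but each one is just as routable while it lasts.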
Posted on 21st December 2021
A recent ransomware attack on Kronos (reported on here by the BBC) highlights the risks of using online services for business-critical functions. Kronos provides cloud-based services for workforce management and human capital management, which includes payroll services. Due to the attack, a number of large businesses, including Sainsbury's (a large UK supermarket chain), were unable to process their payroll. Large corporations like to outsource, including to online service providers like Kronos and Kaseya (read about the Kaseya incident here), because there are cost advantages. The downside, however, is the increased risk of loss of service. A large online or cloud-based service provider is a larger and more interesting target for hackers; why spend time and effort attacking one company, when you can with the same effort attack a service provider and impact many companies? This is why there are so many of these kinds of attack at the moment; almost all attacks target either service providers, providers of software used by many organisations, or large multi-site organisations like healthcare providers and government agencies. There are, of course, contingency measures that one can take to protect against an attack on one's service providers, although they all have a cost. For example, have a fallback service provider, to whom you send the same data, whether payroll, print or backup service data. When your primary provider is hacked, you will be ready to go with an alternative. Bear in mind that a second provider holding the same data doubles the number of places it can leak from, so the fallback needs the same vetting as the primary.
Posted on 26th August 2021
Several recent stories show that hacking (and ransomware) attacks, and security vulnerabilities, are part of everyday life in the modern world, and not just some passing phase. They also show that the problem is being exacerbated by a lack of the appropriate paranoia about the risks, and by general stupidity. Earlier this year the SolarWinds hack came to light, which mainly targeted U.S. government agencies, although it went undetected for many months. More recently there was the Kaseya attack, which affected companies around the world. Many companies were much more seriously impacted than necessary, because they were using Kaseya's backup service, meaning that the backups, which were also compromised, could not be used to recover from the hack. A friend who runs a small to medium sized company in Munich was impacted by this hack (and he is totally paranoid about cybersecurity!), and will not be using Kaseya's backup service any more (he didn't actually realise that his backups used this service, because his backups were handled by one of his service providers, who in turn used Kaseya). Crypto-currency traders and repositories were also hit recently. There was an attack on Poly Network, in which about $600M was stolen, although bizarrely, most of the funds were later returned by the hacker. Then there was an attack on the Japanese crypto-currency exchange Liquid, where the hackers stole around $100M. There was a hack which stole data on more than 40 million of T-Mobile's U.S. customers (and people who had merely applied to be customers). Microsoft continues to be the greatest cybersecurity risk in many people's everyday lives; Adobe is a close second. After the PrintNightmare vulnerability came to light, there is now a new security hole which would let hackers take control of your systems, without needing an administrative password. This article on Tom's Guide really says it all: "Boneheaded recent change to Windows just makes it too easy".
It's like I always say, you can't trust Microsoft. We need to accept that this problem affects everyone, and all systems, and to apply some common sense and paranoia, to reduce the risks and impacts. The problem is not going away. Security needs to be designed into systems from the ground up, not added as a bolt-on fix. Do your own backups, and store them off-site (and offline, so that a compromise of the live systems cannot reach them); update your systems frequently (but vet the updates before rolling them out); use firewalls which only allow essential access, and review the settings regularly; use dissimilar systems where possible (e.g. Linux servers with Windows clients); use quality malware scanners (more than one); block your users' access to dangerous web-sites; provide your users with a quarantine environment where they can open suspicious email attachments and visit suspicious web-links; control the connection of removable media/devices (USB drives, mobile phones, etc.) to company systems; and trust no-one.
Posted on 4th July 2021
This news report on the BBC describes a huge cyber-attack, with about 200 US companies affected so far, and the number apparently still growing. The attack seems to be working in a similar way to the SolarWinds attack on US government agencies in 2020, whereby a software supplier (Kaseya, in the latest attack) was breached and their software compromised; the compromised software was then distributed to their customers through the standard software update process. (Later analysis showed a difference: Kaseya's own build and update systems were not breached. The attackers exploited vulnerabilities in Kaseya's VSA management servers run by managed service providers, and used VSA's normal ability to push software to the machines it manages to deliver the ransomware. The lesson about trusting a supplier's update channel stands either way.) The latest story, also on the BBC, reports that the Swedish Coop supermarket chain has had to close hundreds of their stores, because they were unable to process customers' payments. This is a huge problem in Sweden, where almost all shop payments are electronic, and many people do not carry enough cash to pay for their groceries. The worrying thing is that the Swedish Coop is not even a direct customer of Kaseya, but a customer of one of Kaseya's customers. This suggests that the impact could potentially grow even larger.
Posted on 3rd July 2021
This report on PCMag, and this one on Tom's Guide, are about the newly discovered PrintNightmare exploit of a Windows security vulnerability. Yes, the vulnerability is already being actively exploited, and your computers are at risk. So, yet again, Microsoft, with their poor design and cavalier attitude to users' security, have put millions of users at risk. The potential impact is huge, because every current Windows version is vulnerable: the vulnerable software is the Print Spooler, which is common to all Windows versions, both client and server. At the time of writing there is no patch to close the vulnerability (Microsoft released out-of-band patches a few days later, and they should be applied), but there are some things that you can do to reduce or eliminate the risk (depending on your network topology and security policies). Microsoft has released a document listing "PrintNightmare" mitigation strategies. The suggestion on Tom's Guide is to disable the Print Spooler service (which you probably can't live with) or to disable inbound remote printing through Windows' Group Policy (the setting "Allow Print Spooler to accept client connections", set to Disabled, after which the Print Spooler service must be restarted for it to take effect). Disabling inbound remote printing means that your Windows print servers will not work; yet another reason to migrate your server functionality to Linux.
Posted on 12th June 2021
This report on "Laptop" describes the latest release of hacked email passwords on the Internet. The published leak is a 100GB text file comprising 8.4 billion entries (email address and password pairs). The article included a link to "Have I Been Pwned?", where you can easily check whether any of your email addresses appear in known breaches. This is safe: all you need to do is enter your email address, and it will respond with the breaches in which that address appears. You are not asked for your password, and the site does not show you (or anyone else) the leaked passwords themselves. I strongly recommend that everyone checks all of their email addresses.
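Have I Been Pwned also offers a second check that the post does not mention, Pwned Passwords, which lets you test a password itself without sending it anywhere. It works by k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known suffix for that prefix, and does the comparison locally. The following added example (not code from the original post; the range response is a constructed stand-in for the API, with invented counts) implements the client side, with the live fetch kept in a separate function so that the logic runs offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """k-anonymity split: only the 5-character prefix leaves your machine."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_body(body):
    """The response is one 'SUFFIX:COUNT' line per known hash with that prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Real lookup (needs Internet access). The Add-Padding header makes every
    response a similar size, so the prefix cannot be inferred from its length."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_live):
    """How many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


# --- constructed offline stand-in for the API ---------------------------------
# A body for prefix 5BAA6, the prefix of SHA-1("password"), with that real
# suffix and two made-up neighbours. The counts are invented; padding entries
# added by the real service carry a count of 0.
_PASSWORD_SUFFIX = sha1_hex_upper("password")[5:]   # 1E4C9B93F3F0682250B6CF8331B7EE68FD8
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        f"{_PASSWORD_SUFFIX}:3730471",
        "1F2A3B4C5D6E7F8091A2B3C4D5E6F708192:0",
    ]),
}


def fetch_range_offline(prefix):
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, fetch_range_offline)} times (sample data)")
```

Swap `fetch_range_offline` for the default `fetch_range_live` to query the real service. Two practitioner notes: the same protocol is what password managers and some login forms use to warn about reused passwords, so it is worth wiring into any account-creation flow; and SHA-1 is fine here because the hash never leaves your machine in full, not because SHA-1 is a suitable way to store passwords (see the scrypt example earlier on this page for that).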
Posted on 12th June 2021
As reported here on Defender Network, Amazon Sidewalk has now been rolled out (on the 8th of June). If you didn't opt out, you already have it. More to the point, your neighbours with Amazon devices (Alexa, Echo, or a Ring Doorbell) also have it, with the option to use your Internet connection if theirs is not working, unless you opted out. "Amazon Sidewalk is a free, shared network to help customers with Amazon devices, Alexa, Echo, Ring doorbell, and security cameras, stay connected even if your wifi is weak or fails. Sidewalk automatically connects customers to the wifi of neighbors who also have Amazon devices." Strictly speaking, a neighbour's device does not join your WiFi: Sidewalk devices talk to the nearest Sidewalk "bridge" (an Echo or Ring device) over Bluetooth or a long-range 900 MHz radio, and the bridge forwards a small, capped amount of their traffic over its owner's Internet connection. That bridge is nevertheless a device on your home network that accepts radio traffic from strangers' devices. This is a huge security risk for your home network, opening the door to hacking from your neighbours' networks. Any security measures are only as secure as the weakest link, so your risk is determined by how careful your neighbours have been. Personally, I am rather paranoid about my network security. This means:
Posted on 6th November 2018
No wonder government agencies do such a poor job protecting our data. This story on the BBC describes how a porn-addicted worker at the US Geological Survey (USGS) infected computers on a government network by visiting malware-infected porn websites. The US Office of the Inspector General has recommended that the USGS blacklist "rogue" websites. You think? Duh! I find so many things incredible about this story:
It is not as if the threat posed by porn sites is a surprise. It is a well known problem. If you want to look at porn sites (and many people do - porn is one of the heaviest sources of Internet traffic), then do it from home, or somewhere else private, and use a virtual machine (which you can then easily periodically restore from a clean backup - i.e. from before you used it to access porn). Then any infection will normally only affect the VM (virtual machine), and can be easily dealt with by the restore (bugs that let malware escape from a VM onto the host do exist, but they are rare, so keep the virtualisation software itself updated). You can use VMs on Windows, Mac, and Linux computers. If you are concerned about people knowing that you look at porn, access it via a VPN (there are widely available options for free or low-cost VPNs). Also, choose your porn sites wisely (read a review to help decide which are safe). Of course, porn sites are not the only way to get infected with malware. The worst infection that I had was from a Microsoft site, when downloading a document template. Phishing emails are very common; you should never open email attachments from unknown sources. I use a quarantine VM to open email attachments that I am unsure about. You can read more about virtualisation and how to virtualise, although these are mostly focused on virtual machines running on Linux hosts.
Posted on 18th August 2017
This report on the BBC is rather worrying. A US web-host service provider, DreamHost, is embroiled in a battle with the US Department of Justice (DoJ) over a request for all the IP addresses of people (about 1.3 million of them) who accessed a web-site that helped organise a protest on the day of President Trump's inauguration. DreamHost is currently refusing to provide the data, and the dispute is due to be heard in court later this month. Regulations have already been changed to allow ISPs and other web-service providers (like Google) to sell the data on what web-sites you visit (if they choose to, but so far no-one has chosen to do this). Now the government wants that data too (presumably without even paying for it). This is all rather bizarre, given that the US constitution gives people the right to free speech, which is normally considered to include the right to protest (peacefully). It seems that the world described in George Orwell's "1984" is coming to pass (albeit more than 30 years behind schedule); if you have never read this book, now seems to be a good time. If you don't already use one, now might be a good time to investigate the use of a VPN or a public proxy server to hide your web-activity; a service that is based outside of the USA, otherwise the US government will be able to force the VPN or proxy service provider to hand over data on your browsing habits. Also, you should get in the habit of using HTTPS (secure HTTP) when you visit web-sites; most major web-sites are available over HTTPS (this site is available over HTTPS, and many sites automatically redirect you to HTTPS if you visit using non-secure HTTP). Be clear about what HTTPS does and does not hide, though: it conceals what you exchange with a site from your ISP, but not which sites you visit, because the site's name is still visible in your DNS lookups and at the start of the encrypted connection; hiding that is what the VPN or proxy is for. Since I live in Germany, where data protection and privacy laws are strong and well enforced, I don't currently have many worries about my Internet usage data being sold or handed over to some government, but nevertheless I use a proxy for some of my traffic.
Readers in the USA (and the UK) are much more exposed, and you need to protect yourselves.
Posted on 2nd August 2017
There were two stories on the BBC today about VPNs:
I can understand both these decisions. Russia wants to enforce their bans on illegal web-sites, such as those on the dark-web which sell drugs and weapons. Apple needs to keep the Chinese happy, otherwise their business in China (manufacturing iPhones, and the sales of Apple devices in the Chinese market) will be interfered with, as has happened in the past. These, however, are not the only crackdowns against VPNs. Streaming services like Netflix have been making it more and more difficult to bypass their regional controls (designed to ensure that material can only be accessed in countries where they hold a licence to sell it) by blocking access to their services from known public VPN services. Governments around the world have also been strongly making the case for having access to encrypted Internet traffic (most business-operated VPNs are encrypted) to help prevent terrorist attacks. A VPN is a Virtual Private Network: a logical (i.e. not physical) network to seamlessly connect computers as if they were physically connected. Access to VPNs is usually controlled (with a user-id and password, and sometimes with more complex access controls) and many are encrypted to keep their traffic secure. In this respect they differ from the public proxy servers, widely available, that you can also use to hide your own address from the sites you visit; note that an ordinary proxy does not necessarily encrypt anything, and the proxy operator can see all of the traffic you send through it, so you are simply moving your trust from your ISP to the proxy. Many of you may not care very much about the trend to ban the use of VPNs, but if VPNs become widely banned, it will affect all of us. Most readers may not have been exposed to the legitimate use of VPNs, and believe that they are only used to access illicit web-sites and to view copyrighted streamed content which is otherwise not available where they live, but VPNs are widely used in industry, and are essential to the businesses which use them. VPNs are the usual means to allow remote access to IT systems (email servers, file servers, databases and a host of collaboration tools).
I used to work for a company which had VPN access (one of many jobs where I used VPNs, actually). From home I could connect to all the systems that I would use when in the office, via their VPN. I could then use that VPN to connect to another VPN, providing me access to a customer's systems in another country, enabling me to perform software installations, diagnose and repair faults, and other system administration and support tasks. Without the VPNs, I would have had to go to the office and/or to the customer's site for all such tasks. Since I frequently received work phone calls in the middle of the night, that would have been very inconvenient, and would have vastly increased the cost and the time to complete otherwise simple tasks, if I had had no VPN to use. Most companies having offices or factories in multiple locations operate at least one VPN. Siemens is an example. Siemens staff can access IT resources at their home office when they are on secondment to another site, and even make phone calls over the VPN to other offices, and make calls at local rates to suppliers, friends and family over the VPN. Given the attempts by governments to access mails on public email services (see here) and the tapping of Internet traffic, you can understand why companies want to use their own email servers, and have their employees access the servers via a secure VPN. I run a Linux server at home (where this web-site is hosted), meaning that I have free software enabling me to set up a public VPN or even a proxy server. I am starting to wonder whether I should do so, as a statement of my objection to the trend to outlawing VPNs.
Posted on 15th May 2016
There are several very important lessons to be learned from the recent enormous ransom-ware attack (reported here, by the BBC), which affected at least 99 countries, and had huge impact on the National Health Service (NHS) in the UK. The attack was a worm (not a virus), meaning that infection passes directly from one networked device to another, without the need for any user interaction (being careful about what email attachments you click on is no protection). The attack was stopped, in part, by the efforts of a UK security researcher "MalwareTech", who found a "kill-switch" coded into the worm. This kill-switch will prevent new devices being affected by the worm, but will not decrypt already infected devices.
As far as I know, no NHS patients died or suffered other major harm due to the cyber-attack; that is pure luck, and next time (because there will certainly be a next time) we may not be so lucky. We have a whole host of services (electricity generation, including control of nuclear power stations, electricity distribution, water distribution, flood prevention, mobile phone, emergency services, Internet services, traffic control, air-traffic control, weather forecasting, weapon system control, etc.), most of which are essential and many of which are safety-critical, which depend on computers. Hacking is relatively easy (you can buy kits to develop hacking tools fairly cheaply) and preventing it or repairing the results is hard, expensive and time-consuming. The world really needs to learn the lessons from this attack, urgently.
Posted on 4th March 2016
This BBC report, about how easy it is to hack into the bank accounts of customers who do online banking from their mobile phones, highlights the reason why I don't use my mobile phone for banking (I also don't do in-App purchases on my phone, for the same reason). Not only do many banking and purchasing Apps keep sensitive data on your phone, from where it can be hacked, but phones (actually SIMs) can be cloned, and traffic (calls and SMSes) can be diverted to another mobile device (as described in the BBC news story). There are some (usually national) standards to try to make such things more secure, many of which ensure that your sensitive data (bank account numbers, credit card numbers, etc.) are not actually kept on your phone, and if a new SIM is registered for your phone account, these details must be re-established. My project is testing this functionality, amongst other things, right now. What the article highlights, for me, is just how pathetic the security analyses by NatWest and Royal Bank of Scotland were. I am sure their customers expect better. If you really need to do online banking and purchasing on your phone, then make sure that your financial service provider complies with good standards. If you are not sure, check with an expert. You might have to change financial institutions and/or mobile provider to get a solution that is good enough.
Posted on 15th January 2016
This BBC story is one of the more recent of many about encryption and encryption back-doors. The Dutch government says that it will not force technology firms to provide back-door access to encrypted data such as emails and instant messaging. I like their attitude, but it is in direct contradiction to government policy in the USA and UK. FBI director James Comey said in November "We are not some kind of maniacs who are ideologues against encryption … but we have a problem that encryption is crashing into public safety and we have to figure out, as people who care about both, how to resolve it." It seems clear that the FBI has concluded that, in a contest between privacy and public safety, public safety wins. Proposals on the table to solve the FBI's dilemma include the outlawing of very strong encryption and back-door access for security agencies. Outlawing very strong encryption will ensure that security agencies can crack the encryption, but that also means that criminal organisations, foreign governments, and even terrorists can also crack it. Back-door access for security agencies will probably mean that other nations (Russia and China, for example) will be granted such access; plus, given the appalling track record of security agencies (even in the US and UK) in keeping secrets and being hacked, it is only a matter of time until these back-door access channels also leak out to the various other kinds of bad guys. So no, neither of these proposals works for me. People sometimes ask me why I am so concerned about my privacy: what is it that I have to hide? Actually, at the moment, I have no great secrets, and put a lot of my life in public view on this site and on social media. That, however, might change: if there is a change in my political environment (e.g. a totalitarian government), then it might be that my privacy becomes a life or death issue for me.
One thing that I can and will do, if legislation erodes my privacy even further, is to choose who has data about me. If Facebook, LinkedIn and Microsoft can't keep my data secret because of legal constraints, or even for their own purposes, I will do what I can to ensure they have no data about me, including ceasing to be their customer if necessary.
Posted on 3rd November 2015
The latest drama in the hacking saga, this time at Vodafone in the UK, really makes me wonder if anyone can be trusted with our confidential data. The most recent hack in the news was of Vodafone UK, as reported by the BBC here: details of around 2,000 Vodafone customers were accessed. Before that there was TalkTalk (the latest BBC report is here), where hackers accessed around 1.2 million email addresses, names and phone numbers and 21,000 unique bank account details. At the beginning of October, hackers stole personal information on about 15 million T-Mobile US customers and applicants, as described in this BBC news story. Almost two years ago, payment details from up to 40 million credit cards were stolen through a hack of card payment machines in the stores of US retail giant Target (described in this BBC report). Remember, these are just a few examples (a lot of hacks do not get reported, especially when the targets are banks). So clearly, we cannot trust the companies with which we do business to keep data about us safe. We ought to be able to trust our governments to keep our data safe (especially as they are hoovering up data (both legally and illegally) like it's going out of style), but no, it seems that we can't. This BBC report is just one of a series about a data breach in April this year at the US Office of Personnel Management (OPM): initial reports were that data about 4 million people were stolen; more recent reports are saying it is 21 million (which is 6.5% of the nation's population!). More recently there was a hack, purportedly by Anonymous, of the US Census Bureau in which hackers pulled down information on thousands of users, including email addresses, phone numbers, addresses, usernames and password hashes (i.e. encrypted passwords). The data includes information on Census and other federal employees, as well as members of organizations with user accounts for submitting audits to the site.
It really seems that no-one is able to keep data about us safe. This inability to ensure data security just adds to the concerns (due to issues of privacy and censorship) that are regularly voiced about data collection in the modern world. One recent example, described in this BBC story, is that the former head of GCHQ (the UK equivalent of the NSA) has said that "Internet firms" (by which I assume he means Internet Service Providers - ISPs) should be forced (by legislation) to keep users' data. Another example is the ongoing story about Facebook and the Safe Harbour Agreement (an international agreement that recognised foreign and private data protection processes as "good enough" to meet European data protection standards), reported here by the BBC; the Safe Harbour Agreement was ruled invalid in early October 2015 by the European Court of Justice, clearing the way for Facebook to be taken to court for sharing personal data internationally. There are two separate issues with both cases: these firms should not, in principle, be collecting such data about anyone without just cause, and most certainly not when it cannot be guaranteed to be kept securely. Since I work in IT, I do understand that there is no system which is 100% secure, but the ease and speed with which some of the recent hacks have been achieved means that basic efforts are not being made. The degree of protection that is afforded our private data does not meet my basic Terms and Conditions. Either do better, or stop keeping so much data about us.
Posted on 3rd November 2015
This (a BBC news story) is a pretty sorry tale. The South Korean government has withdrawn a phone app, "Smart Sheriff", from the market and is recommending existing users to change to an alternative. Smart Sheriff had been downloaded hundreds of thousands of times inside South Korea. One of the reasons this market is so big in South Korea is that the government there mandated in April this year that all children's mobile phones must be monitored. Smart Sheriff was developed by a group of telecoms companies called the Korean Mobile Internet Business Association (Moiba), and seems to have been the government's recommended app. It turns out that Smart Sheriff is not actually very Smart. Its security is described as "catastrophic" in two reports, one by the University of Toronto and the second by software auditing firm Cure53. It seems that children's personal details were not stored securely and that the parental filters were easy to disable. So, in summary, it doesn't do its job properly, and whilst failing to work it leaks confidential data. Paedophiles (Pedophiles to any American readers) must simply love this app. A great job all around!