Monthly Archives: March 2012

Managing social media

You’d have thought social media was a simple thing: the two-way conversation where everyone’s connected, everyone’s linked, everyone’s liking, and everyone’s following. It’s a global world of connectivity, nonstop chitchat, an open existence where we learn, share and grow. At a basic level, yes, that’s social media defined perfectly, but as with any explanation of this kind, it merely touches the surface. Social media is much more than the sum of its parts.

At first, many organisations were reluctant to be taken in by it all. They thought it was a fad, so to speak: extremely popular but transient. Its time would pass. Everyone that took a sly little pop at it soon realised they had jumped the gun in their estimations. Everyone is now on Facebook, Twitter, LinkedIn, Tumblr and Pinterest, to name the obvious few.

Initially, most organisations didn’t know what to do. They were connected, but didn’t fully understand how to “talk”, to disseminate and to engage. But, with the passage of time, they refined their approach, savvied up on the particulars and, with the help of experts, cracked it. They’ve even taken the time out to develop authoritative social media policies (see the BBC’s English Regions Social Media Strategy as one example).

However, this doesn’t imply that we’ve reached a level playing field. As we mentioned above, social media is a complex creature and a burgeoning one too. At RANT last night in London, Jitender Arora, chief information security officer (CISO) at GE Capital UK, discussed whether such policies are suitable. His assertion is that “pragmatic” social media governance is more effective.

He makes a shrewd point. Businesses, and indeed CISOs, can’t cover every eventuality in a static document that sets the terms and conditions in stone. You simply can’t anticipate everything across a number of different platforms which, although all connected in that they are social, are distinct in their makeup. Moreover, asks Mr Arora: “Are social media policies really effective in changing user behaviour?”

The obvious challenge is how one ensures that a business keeps its brand integrity intact when it publishes and engages on a macro level – a ubiquitous presence online, by virtue alone, opens it up to blunders. And these are blunders that can’t be quietly remedied in the hope that no one noticed. Your audience, online, is connected. They saw.

One of the more serious challenges is naturally concerned with data protection. Cyber criminals, as we know, possess many means to hack into websites and security systems, big and small. The consequences of having a social network hacked are not to be underplayed as a paper two years ago postulated. Produced by the Information Systems Audit and Control Association, the study stated that the biggest threats to organisations through this conduit are viruses, brand hijacking and loss of corporate content.

Which, funnily enough, brings us back to the central question: which is best, a pragmatic approach or following a policy? Honestly, a bit of both perhaps. The UK has an “unwritten” constitution and it works; it has done for many centuries. It responds and it grows. In the US they have a static constitution, which is superbly eloquent. It has been amended 27 times. Things change.

The next RANT forum takes place near Earls Court in London on Wednesday 25th April 2012. For more information, visit our website.


Would you believe, employees are the biggest cause of data breaches

It’ll be interesting to gauge, statistically of course, the difference between the level of investment that goes into developing strategies, performing regular audits of procedures and investing in security systems aimed at reducing data breaches that come from outside sources, and the level invested against those which originate from within.

In other words, are we in the risk management and information security industry more inclined to place a potentially unnecessary emphasis on snuffing out cyber attacks and viruses from non-native sources than on mistakes made by ‘our own’?

The question may be construed as provocative, but its purpose is not to assail organisations – or for that matter staff – but to understand what the status quo is. We only ask because a new study done in collaboration with Symantec and the Ponemon Institute has revealed that in the US, “negligent insiders” have been found to be the top cause of data breaches. And some of these are deliberate, or malicious, to use a more accurate word.

So, the details: 39 per cent of organisations that took part in the study said data breaches are a result of carelessness; malicious or criminal attacks account for a third of all breaches; those who employ a chief information security officer (CISO) can reduce the cost of a data breach significantly; and, positively, fewer customers jump ship when such a breach occurs: they stay loyal.

With regards to employing a CISO as one of the key staff members of an organisation, we reckon this is something that will become a lot more prevalent in the foreseeable future. Like hiring someone to look after finances full-time, which many businesses already do, CISOs will become part of the norm. This is the information age.

The report estimates that if an organisation appoints an expert and gives him responsibility for protecting data, the average cost of a data breach can be reduced by an astonishing $80 (approximately £50.7) per compromised record. Even hiring via contract – i.e. outsourcing – is highly cost-effective.

“One of the most interesting findings of the 2011 report was the correlation between an organisation having a CISO on its executive team and reduced costs of a data breach,” commented Dr Larry Ponemon, chairman and founder of the Ponemon Institute. “As organisations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges.”

In the meantime, it is worthwhile up-skilling staff and educating them about the importance of best practice, highlighting shortcomings that can lead to data breaches and advising them on how to be careful with the way they handle data. After all, not every business has the luxury of being able to afford a specialist.

2012: A year to remember

Writing for the Sunday Morning Herald, the technology and marketing journalist Lia Timson captured the growing sophistication of cyber criminals and their remarkable chutzpah, really rather well. It’s turning the industry inside out, upside down and then taking it for another rollercoaster ride.

“People tend to think of computer crime as a technology exchange – connections, bits of data, machines talking to other machines, credit cards cancelled – no real victims, no major harm done,” she noted.

“But what happens when it takes place under your watch? When you are the one in charge, responsible for not only the security of your own organisation and its reputation, but ultimately that of your clients – major corporations, government agencies and defence contractors too?”

This alludes to the major hacks experienced over the last few years by RSA, a global security company; DigiNotar, a Dutch-based security vendor (now bankrupt); Symantec, one of the largest producers of security software; and Verisign, the US-based provider of internet infrastructure services.

Her question is not an easy one to come to terms with, whether you’re a security professional, an organisation that hires such services, an individual and/or the provider of security systems. Why? Because we all know what kind of an impact a climate of fear can have on the human psyche – what happens in a world where no one is safe?

That security breaches occur on a daily basis throughout the globe is in itself axiomatic. Hacking is a crime, an illegal act, and like other acts of transgression, though against the law and punishable – and severely so – it continues to happen nevertheless. It’s part of the nature of life. We do our best to tackle such misdemeanours, to reduce the number of attacks that happen, to reprimand those who perpetrate such crimes. Of course, that’s not to say we don’t desire a world where no one would be inclined to hack, steal and pollute security systems. Of course we do. We’re just realists.

While we can accept that this is the current state of affairs, we can’t take our feet off the pedal when it comes to innovation, the goal being security firms that are, like Superman, made of steel and virtually indestructible (virtually, because even Superman has a weakness in Kryptonite). It’s achievable, something that we’re sure a lot of security professionals will agree with, but the major obstacle lies in how we get there.

“There’s no room for debate about the need for a paradigm shift in the way both business and government approach cyber security,” Tony Busseri, chief executive officer of Route1, a security and management company, wrote for Wired recently.

“But identifying a need is the easy part. Getting the relevant parties to agree on what to do, and getting that done, is like the proverbial sausage factory. It will take legislation, and laws that accomplish anything meaningful will require a public/private partnership of historical efficiency.”

Sometimes it takes getting hit hard, and a number of times, to sound a wake-up call. We got lazy, we were happy with the good times, everything seemed rosy. Sometimes we can only ever grow by being reactive to catastrophes. It’s tough to plan for something that hasn’t happened yet. 2011 might have been significant for its disclosures about big breaches across the board and for the number of significant attacks that occurred. Let’s make 2012 the year we set a new standard.

Some things can’t be swept under the carpet and forgotten

“Why can’t we just ignore PCI DSS and get on with life?”

Now if that didn’t get you jumping off your seat with a certain “Hang on, what was that?” spot of confusion, then we admire your restraint. It certainly got us animated, curious and chatting away.

Why so? Well, this is the question that passes through the mind of many people, something that Jeremy King, European director for the PCI Security Standard Council, knows all too well.

Speaking soon at the next Manchester RANT forum, and having already presented this at the London RANT, Mr King argues that while many people may indeed have this opinion of PCI DSS (Payment Card Industry Data Security Standard), the alternative – which he equates to burying one’s head in the sand – would be somewhat regressive.

PCI DSS is, after all, designed to be a full-bodied, comprehensive security standard applicable for ubiquitous use, geared towards service providers and organisations that handle cardholder information. Its aim is the safety and integrity of that information at every step, for all sorts of cards including debit, credit, prepaid and POS.

As the PCI Security Standard Council states on its website, PCI DSS provides a robust security process that includes prevention, detection and appropriate reaction to most security incidents. The most visible security measure is in thwarting criminals from accessing card payment details for fraudulent purposes. It is effective, yes, but critics go further and say that the weaknesses inherent in the system are serious.

Robert Havelt, director of penetration testing at Trustwave’s SpiderLabs, states that PCI-compliant networks are open to exploitation because refined, custom-made malware allows criminals to bypass certain barriers, opening the back door and letting them navigate through other channels to the jackpot: the store of sensitive data. This, he argues, undermines the effectiveness of segregating payment card data. It can still be accessed.

It’s a topic that gets people heated up. It’s interesting, it’s relevant and it affects everyone involved. The idea behind PCI DSS is to be applauded and it is an effective measure against security breaches. However, it can be improved. Listen to what Mr King has to say at the end of the month and offer your thoughts.

The RANT forum takes place in London on the last Wednesday of each month.

Facebook’s hidden flaws

Facebook is such a standard these days for individuals and businesses alike that it’s an unwritten rule that anyone or any company that avoids it, for whatever reason, really is living in the dark ages.

However, with the recognition that the social networking platform is an everyday thing, like perhaps the presence of mobile phones, there’s also an acknowledgement that its impact on our idea of privacy, how we interact with one another and the amount of data we upload, is yet to be fully understood. Consequently, we are open to being exploited by those whose business it is to engage in subterfuge.

Because Mark Zuckerberg’s Facebook is still fairly new – it was launched in February 2004 – and is constantly evolving, many users are, despite their ability to use it effectively and on a daily basis, still not that knowledgeable about every facet of the world’s largest social network. It’s a beast that is hard to tame.

This month, Shah Mahmood, a research student at University College London, along with Yvo Desmedt, chair of information communication technology, revealed that they had discovered a significant flaw in the system.

Speaking at the IEEE International Workshop on Security and Social Networking (SESOC 2012) in Lugano, Switzerland, the pair dubbed the weakness a “zero day privacy loophole”. Now while this appears cryptic, they did elaborate. The loophole is known as the ‘deactivated friend attack’.

“Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account,” the pair explained.

“As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating for an unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from a friend’s list) or added to any specific list.”

Because Facebook users receive no notification when friends (hackers included in this definition) deactivate or reactivate their accounts, they remain none the wiser as to their movements. This leaves their information open to being consumed by strangers.

“The concept of the attack is very similar to cloaking in Star Trek while its seriousness could be estimated from the fact that once the attacker is a friend of the victim, it is highly probable the attacker has indefinite access to the victim’s private information in a cloaked way,” the pair noted.

“With targeted friend requests we were able to add over 4,300 users and maintain access to their Facebook profile information for at least 261 days. No user was able to unfriend us during this time due to cloaking and short de-cloaking sessions.”

The meaning of the LulzSec arrests

It’s a name that immediately gets everyone involved in information security.
It was (or is, depending on a certain point of view) a well-known band of intercontinental hackers that prided themselves on carrying out cyber attacks on some very high-profile organisations and systems. Some of its alleged ‘hits’ have included tapping into the US Senate’s official website, causing ‘technical disruption’ to the CIA’s website, infiltrating a database that listed the locations of cash machines in the UK, and launching a denial of service attack against the UK’s Serious Organised Crime Agency.

It’s quite a list, to say the least. As such, it’s no surprise that since the arrest of Hector Xavier Monsegur – aka Sabu, the so-called leader of this gang of cyber criminals – last summer, security officials have been working double time to rein in the rest of LulzSec’s members. And it was recently revealed that a coordinated international effort has resulted in the arrest of some of its purportedly senior members in the US, the UK and the Republic of Ireland.

Speaking to Fox News, one unnamed hacker told the reporter that his peers were shocked about these recent developments.

“People are freaking out. Everyone’s totally freaking out,” the hacker said. “Everyone’s in shock. Bill Gates, Steve Jobs, Sabu – I mean of our generation, he’s going to be remembered in history.”

Since these arrests came to light, it has also been made known that Mr Monsegur has not only pleaded guilty to a string of offences relating to cyber crimes, but turned informant, working with the FBI to help it paint a clearer picture of the subterfuge activities LulzSec has been involved in, who its members are and the kinds of strategies they’ve used to cause havoc and inconvenience business.

While this activity is welcome news – after all, the group has reportedly caused billions of dollars worth of damage to corporations and governments – one expert has highlighted that LulzSec was an offshoot of a much bigger movement known as Anonymous. The implication being that a significant battle has been won, but the war is still raging.

Anonymous is basically a worldwide group of hacktivists, its numbers unknown, who pool resources to launch various attacks that are ‘ethical’. Cnet’s Elinor Mills commented that while this crackdown will have an immediate impact, it will hardly diminish the resolve of those in Anonymous in continuing with their politically-motivated attacks.

Speaking to Cnet, one member said that arrests were commonplace and, consequently, this latest clean-up will not be that detrimental. Those arrested are not the ‘kingpins’, the hacker said. As Anonymous noted on its Twitter feed, in typical hyperbolic style: “We are Legion. We do not have a leader nor will we ever. LulzSec was a group, but Anonymous is a movement. Groups come and go, ideas remain.”

It’s a riveting story that reveals the complexity and challenge of combating online criminal activity that has no real tangible base. The democratic power of the internet, its open composition and its philosophy of freedom, is conversely one of its downsides. We haven’t yet figured out how to preserve all that while enforcing regulation and policing those who abuse these freedoms. However, as with anything in life, so long as the security officials work together, patrol the ‘digital streets’, across borders, small bites into the larger machine can erode the size and scope until its impact is infinitesimal.

Get ready for the White Hat Rally

With a cast that was comprised of moustachioed Burt Reynolds, the suave Roger Moore, the arresting Farrah Fawcett and the legendary singers Dean Martin and Sammy Davis Jr, The Cannonball Run (1981) was a riotous movie. The basic premise saw these oddballs compete against one another in a race across the country to win a bounty of cash. Naturally, given the eccentricity of the characters, a number of amusing incidences arise throughout the journey, making it a rip roaring chase all the way through.

In a similar spirit, though minus the sheer wackiness of Hollywood fiction, the White Hat Rally, a UK-based charity event, sees equally energetic and enthusiastic participants get in their assorted vehicles and drive from Market Harborough into Lincolnshire, via lush countryside and panoramic vistas (basically the East Midlands). And then they mosey on back to Buckinghamshire, thereby completing a rather epic journey all for a good cause.

It is not a competition mind you, so if you’re thinking of getting your inner-Burt Reynolds on, you’ll be sorely disappointed. Instead, think of it as a fun drive across a stretch of captivating scenery with likeminded people. Teams that have already checked in include Acumin and Pentura.

First formed in 2009 by a group of kind-hearted individuals from the UK information security industry, the White Hat Rally has gone from strength to strength. In the spirit of the London 2012 Olympic Games, this year’s theme is Chariots of Fire. Each team that takes part will be representing a country that will be taking part in the Olympics. Fancy dress, naturally, is encouraged!

The rally supports a chosen charity any given year and 2012 will see it raise money for Barnardo’s. In previous years it has chosen ChildLine and the NSPCC as recipients of its fundraising endeavours. It selects a charity through using a lengthy evaluation process, after which it invites the shortlist to submit a tender.

There are four types of cars that can be entered. There are vintage vehicles (defined as pre-1986 – old school Mini and Morris Minor for example), super cars (expensive and fast like an Aston Martin DB7 or a Lamborghini Bugatti), the self-explanatory Bangers (a just about ticking over motor valued at £500 or less) and themed cars (any car as long as it is adorned in the colour of your Olympic nation).

Not only do participants get to have fun, raise money for a charity, enjoy driving as a leisurely pursuit, they also get to take part in lots of fun Olympic-themed activities over the three days, and moreover, it provides a great, leftfield and interesting way to network with those involved in the information security industry. This concerns both professionals and customers, which is helpful for those wanting to discuss “business” at any of the resting points.

It is worth bearing in mind that a minimum of £1,000 must be raised by every team as a condition for entering the event, which historically hasn’t been a problem for those wanting to take part in the rally. If it makes you feel better, many participating groups have in fact raised £6,000 or more. An outstanding figure it is, but anything is possible with energy, enthusiasm and drive. Be creative in the run up to the event as to how you and your colleagues can raise money. Part of the fun is hosting fundraising events of your own.

“Last year, the White Hat Rally Carry on Driving event raised an impressive £38,548 for the NSPCC’s ChildLine Service,” Martin Law of White Hat Rally told Infosecurity Magazine. “This year we aim to build on this success to raise even more to support the fantastic work that Barnardo’s does for young people. We can’t guarantee the weather, but we can guarantee one of the best weekends imaginable.”

For more information, visit the official website or give them a tweet over on Twitter.

The event runs from June 22nd to 24th.
What does privacy even mean these days?

Nearly a year on from what was ultimately a triumphant debacle that engulfed parliament, the judiciary and the media, Ryan Giggs finally consented to being named as the footballer who took out an injunction over his alleged affair with the model Imogen Thomas. Whatever your thoughts about the matter, the main topic of conversation was the idea of privacy in the digital age and what constitutes the public interest.

It all kicked off back in May 2011, when 75,000 Twitter users openly named Giggs as the man at the centre of the scandal. The newspapers, albeit reluctantly, refrained from naming him. The online world continued chattering away. Realising that things were becoming quite absurd, while the injunction was still in place, the Liberal Democrat MP John Herring used parliamentary privilege to name Giggs. His point was: “Yes I am naming him but given that everyone knows who it is, it’s hardly a revelatory thing, and to that end, not that controversial.”

The internet has changed things beyond recognition as the above example shows. Privacy is fast becoming antiquated, at least in the sense of what it means. With so many people living their lives through social networks like Twitter and Facebook, we are discussing, candidly, our everyday likes and dislikes and itineraries. Even if we restrict access to our pages – i.e. you require an invite to have the opportunity of being able to ‘access’ someone’s content – within our extended network, there is a degree of frankness that was never possible before the web established itself as a social norm.

Sharing information online, whether it is a generic tweet about what we’re doing – “I’m enjoying a veggie burger” – or an indication that we liked an article on whether an investment in Bordeaux wine is sensible, amounts, even if it appears insignificant, to short snippets of data that can, once assembled, disclose a lot about us as individuals. You either think this is a good thing – sharing/connecting is good – or you worry about the implications of being so candid – identity theft for example. Mark Zuckerberg, Facebook’s founder, is an advocate of a “de-privatisation” of life, whereas Max Mosley, the ex-motor racing boss, backs greater regulation of content.

There’s now a privacy committee debating this – i.e. how freedom of expression and privacy can coexist. However, in the meantime, Twitter, so central to sparking off this national and global conversation, is back in the news, this time as a villain. It has admitted this month that it has been lifting the contents of people’s entire address books from their smartphones (principally iPhones) and storing the information on its servers without the knowledge or ‘consent’ of its users.

This happens when people first download a Twitter app and click “Find Friends”. It does as it says: it identifies who in your address book is on Twitter and then lets you connect with them, which is great. However, what many people hadn’t realised is that in linking this way – as opposed to searching for a pal and clicking follow – you are “allowing” Twitter in. This is worrying. If Twitter can do this, who’s to say a cyber criminal won’t jump on this bandwagon? Twitter responded by saying that it will change the language it uses, giving the example of potentially changing the misleading ‘scan contacts’ to ‘import contacts’.

This is clearly an unparalleled time, with so many developments in how data is disseminated, kept and shared, voluntarily and involuntarily, occurring on a seemingly regular basis. We are only now catching up to the repercussions of this new era and what it means practically, socially, intellectually and ethically. In some ways we want both – to be social and to be private. This, in some ways, suggests that not much has changed: after all, outside of the web, we physically control how much information we share with one another depending on who it is we’re engaging with. There are a great number of questions that need answering. Let’s talk. Tell us what privacy means to you.