Monthly Archives: April 2012

History today – BYOD and the need for a smartphone policy

We all live through history. Seminal events, big changes in life, landmark breakthroughs and the like, however noteworthy, come to have a greater significance in the future, seen from afar, analysed, placed in a wider context. Like when the internet came – some of us remember hearing about it at school, a teacher remarking you could use it at lunchtime, but that was time for gossiping, kicking a football about. We didn’t know how important it was. It was just something new.

Needless to say, the internet has, in its relatively short history, come to transform life on earth radically. We look back at the days of dial-up and bland, static pages of content, and we see primitive beings working out how to exist within the confines of this new medium and it’s rather sweet, like children’s scribbles. And then one day, that scribble begins to take shape and an artist is born, shifting paintings worth millions of pounds. Back then it was just another picture; who would have known how important the work was? History allows us to assess it.

What will they say of BYOD (bring your own device) in five or ten years’ time? Was it a fad, a stroke of genius or an inevitable consequence of the mass proliferation of powerful portable and handheld devices, the stuff of which was unimaginable a decade ago? It’s hard to say; this history is for those writing in the future. To us, whether we work in an information security or a risk management setting, BYOD is just something that happened, like flexible working. It wasn’t a black and white thing where one day it wasn’t there and bam, the next day it was… it evolved.

Whatever your sentiments, it is definitely part of the discourse. And so, we stick to the present with this blog. BYOD is very open, complex and multifarious in nature, meaning it is predisposed to any number of security issues. Smartphones in particular, because of the sheer volume of data, traffic and work conducted on them, are increasingly becoming part of the regular apparatus at work, yet policies governing their use are lax.

According to Darrin Reynolds, vice president of information security at Agency Services in New York, one of the key things is to have a policy in place and for it to be communicated in as simple a manner as possible, or as he puts it, for it to be written in “crayon”.

In an interview with SearchSecurity.com, he explained the canons that govern his organisation when it comes to BYOD and mobile phones.

“The rules are you can use any device you want, but if it is going to support or receive corporate data then you have to play by our rules,” he elucidates. “Our rules are: you have to have a [personal identification number] PIN; it has to support a code lock; it has to have an auto lockout feature; it has to support encryption; and it has to support remote wipe. We kept it really simple to those four things.”

And that’s it, he says, no additional security measures. He may well be correct in surmising that those controls – which are top notch, by the way – are enough to keep fraudsters and cyber criminals at bay, but, if history tells us anything, it’s that nothing stays static for long. In technology, what is new, what is current, is immediately yesterday’s news. More measures will have to be developed, either proactively or reactively, when the time comes. History repeats itself, albeit differently.

Thinking about cookies

We love cookies here at Acumin. We adore them, we ‘heart’ them and dig them like we dig the Rolling Stones when they were pushing a more R&B vibe back in the Swinging 60’s. We have come across Maggie Loves Cookies recently, we have to say, they are a pretty good bet, perhaps you will get a sample at the next Risk and Network Threat forum. They have a variety of flavours and designs to suit any mood.

You might have thought that this post was going to end up as a sort of treatise on the baking treat popular throughout the world, but alas, it isn’t, but wouldn’t that have been fun? Instead, we’re looking at cookies, which, reduced to their basic form, are simply small pieces of data – text, not programs – that a website stores in your browser.

A cookie’s raison d’être is altruistic; at least it was from the outset. It was designed to make things easier. In short, when you visit a website, the site hands your browser a cookie, and the browser sends that cookie back with every later request to the same site, so the site knows you have been there before. In terms of efficiency, it allows you to log into a website that requires a user ID and password – let’s say Amazon or Google Mail – and revisit the site without having to log in again, because the cookie your browser returns is what identifies your logged-in session.
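The round trip just described, as an added example that is not part of the original post: a small JavaScript model of how a browser stores a Set-Cookie header and decides what to send back on the next visit. The cookie names, values and dates are constructed for the illustration; the attribute handling (Path, Max-Age, Expires, Secure, HttpOnly) follows the standard cookie rules rather than any particular site.

```javascript
// Added example, not code from the original post. Models the browser side of a
// cookie round trip: parse Set-Cookie, keep a cookie jar, build the Cookie header.

// Parse one Set-Cookie response header into a cookie record.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return null; // a cookie needs a non-empty name
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    path: "/",
    expires: null, // null = session cookie: lives until the browser closes
    secure: false, // Secure: only ever sent over HTTPS
    httpOnly: false, // HttpOnly: hidden from page scripts (document.cookie)
  };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split("=");
    const key = k.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "path" && val) cookie.path = val;
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "max-age" && /^-?\d+$/.test(val)) cookie.expires = now + Number(val) * 1000;
    else if (key === "expires" && cookie.expires === null) {
      // Max-Age takes precedence over Expires, so only use Expires if Max-Age did not set it
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.expires = t;
    }
  }
  return cookie;
}

// Does a cookie scoped to cookiePath apply to a request for requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// One cookie per name+path, like a browser's store for a single site.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Store cookies from a response; an already-expired cookie (e.g. Max-Age=0) deletes.
  storeResponse(setCookieHeaders, now = Date.now()) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, now);
      if (!c) continue;
      const key = c.name + "|" + c.path;
      if (c.expires !== null && c.expires <= now) this.store.delete(key);
      else this.store.set(key, c);
    }
  }

  // Build the Cookie request header for a later request to the same site.
  cookieHeader(path, isHttps, now = Date.now()) {
    const sent = [];
    for (const c of this.store.values()) {
      if (c.expires !== null && c.expires <= now) continue; // expired meanwhile
      if (c.secure && !isHttps) continue; // Secure cookies never travel over plain HTTP
      if (!pathMatches(path, c.path)) continue;
      sent.push(`${c.name}=${c.value}`);
    }
    return sent.join("; ");
  }
}

// Walk through a login: the site sets cookies, the browser returns them on later visits.
function demoLogin() {
  const jar = new CookieJar();
  const now = Date.parse("2012-04-25T17:30:00Z"); // fixed clock so the run is repeatable
  // Constructed response headers, as a login endpoint might send them.
  jar.storeResponse([
    "sessionid=abc123; Path=/; HttpOnly; Secure", // the login token itself
    "remember_me=yes; Path=/; Max-Age=2592000", // 30 days
    "lang=en; Path=/account; Expires=Wed, 25 Apr 2012 17:00:00 GMT", // already in the past
  ], now);
  return {
    nextVisitHttps: jar.cookieHeader("/inbox", true, now),
    nextVisitHttp: jar.cookieHeader("/inbox", false, now),
    afterThirtyOneDays: jar.cookieHeader("/inbox", true, now + 31 * 86400 * 1000),
  };
}
```

The `sessionid` cookie is the thing the site trusts as proof you logged in, which is why its attributes matter to a security reviewer: without `Secure` it would be sent in the clear on any `http://` link to the site, and without `HttpOnly` any script running in the page could read it. In the demo the expired `lang` cookie is never stored, the `Secure` session cookie is withheld from the plain-HTTP request, and after thirty-one days only the session cookie (still within the same browser session in this model) is left.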

Now while to you and me that sounds wonderful, as easy as making the coffee and tea rounds at work – Jack likes coffee black with sugar, Jill likes her tea super-milky with no sugar, Sanjay likes a fruity herbal tea with five sugars – since the turn of the century there has been a growing army of critics who are concerned with privacy issues. Some of their arguments have been thoughtful and welcome to the conversation.

In the UK, after much chit chat over cups of tea, coffee and, would you believe it, cookies, changes have been made to the Privacy and Electronic Communications Regulations, which now demand that websites obtain consent from users before storing cookies on their respective computers.

Now while much attention is focused on cookies, these alterations, which are convoluted, reach a good deal further than cookies alone. As one reader named Dave commented on The Lawyer’s website, things are not so black and white.

“Clear as mud? Thousands of businesses are entirely unaware they’re even running cookies,” the reader explained. “Most of the online world run Google Analytics, which provides the site owner valuable information to improve their site – do all those who’ve set up GA realise they’re at risk?”

At Acumin’s next RANT – as part of the huge InfoSecurity Exhibition in London – Alan Stockey, from the Institute of Information Security Professionals, is going to attempt to navigate this tricky minefield, delivering a brief history lesson; chuck in a practical illustration of the challenges; give a demonstration, and offer a personal view of where these regulations are taking us. Who knows, if you’re lucky, he might even have Maggie bake a few cookies for you (no pressure Alan).

In an interesting article for startup.co.uk, which is well worth a read, Nick Lockett, a solicitor at DL Legal LLP, discusses the comprehensive directive – seriously, just have a mosey here and you’ll begin to appreciate how much detail is involved – noting some of the things it covers: not only are there conditions for the use of traffic, location and subscriber data, but also new standards for direct marketing via SMS, email, fax and phone channels.

He ends the piece with a fitting flourish: “May lawyers and regulators be cursed for making us live in interesting times – again!”

Time for a cookie then.

The next RANT forum takes place on Wednesday 25th April, after the second day of InfoSecurity Europe at Earls Court, London, which runs from April 24th to the 26th.

Kicking off at 5.30pm, attendees will be able to have a beer and network until 6.30pm, when Alan Stockey delivers Cookie…Doh. Following on, Ben William gives his talk on Exploiting Security Gateways via the Web UI.

For more information and to register for FREE for InfoSecurity Europe visit here or get in touch with Gemma Paterson at gpaterson@acumin.co.uk or call her on 020 7510 9041.

The Information Commissioner’s Office has also set up a page with the intention of helping businesses understand what they need to do to comply with the cookie law.

“Snoop bill” sparks fierce debate about privacy

“There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live—did live, from habit that became instinct—in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinised.”

So reads an excerpt from the first chapter of George Orwell’s seminal, much quoted and prescient novel 1984, a dystopian work of literature that explores the oppressiveness of authoritarian regimes, where freedom is a word that doesn’t even exist.

The words of the novel, like the above quote, feel uneasy because the idea that at any moment one’s privacy could be exposed as a fallacy is a frightening way to live. Even in today’s open age, with Mark Zuckerberg ushering in an open way of existing, people still value some semblance of a life that is theirs and nobody else’s. They want to keep snippets of themselves to themselves, or at the very least privy only to the people they trust and love the most.

It’s no surprise that since the government revealed plans that it is looking to change the law so that every single phone call, email, text message sent and received and every website visited by people living and working in the UK is to be recorded, stored and ‘monitored’, there has been a resurgence in discussion about the ideas and lessons explored in Orwell’s powerful novel.

“This is an unprecedented step that will see Britain adopt the same kind of surveillance seen in China and Iran,” commented Nick Pickles, director of the Big Brother Watch campaign.

“This is an absolute attack on privacy online and it is far from clear this will actually improve public safety, while adding significant costs to internet businesses. If this was such a serious security issue why has the Home Office not ensured these powers were in place before the Olympics?”

Nick Clegg, the deputy prime minister and leader of the Liberal Democrats, stated that this new “snooping law” as it has been dubbed by the media, does not represent an infringement on civil liberties, and reassured people that the government would ensure that there would be safeguards to make people feel comfortable.

“Let’s be clear, this is not about extending the reach of the state into people’s data, it’s about trying to keep up with modern technology,” prime minister David Cameron added, trying to bring a sense of calm to the debate.

“But we should remember that this sort of data, used at the moment, through the proper processes, is absolutely vital in stopping serious crime and some of the most serious terrorist incidents that could kill people in our country, so it’s essential we get this right.”

It’s unclear whether the proposed bill will be included in the Queen’s speech in May, but what is certain is that in the meantime this fascinating debate, with powerful arguments on both sides of the divide, will generate some compelling ideas and viewpoints.

Anonymous attack mocks government security measures

They knew it was coming, yet they still couldn’t stop it. A few days before Anonymous launched a DDoS (distributed denial-of-service) attack against the coalition government’s Home Office website, it announced its plans to the world. And still it couldn’t be thwarted.

This proclamation, loud and vocal the digital way, is seen by many as a clear sign from the hacktivist collective that it means serious business and it doesn’t care how big you are as an organisation; everyone is liable to get ‘hit’. Anonymous wants to be the preeminent force for political and social good, it argues, and if that is to be achieved through underhand means, then so be it – this is a “war” and rules don’t apply as they do in peacetime. This declaration was a sort of “come on, have a go if you think you’re hard enough”.

It was audacious behaviour. As PC Advisor’s Anthony Savvas noted on April 5th, it meant that the pressure was on the government to show that it is on top of its game and able to quash such wildly flagrant threats. If it didn’t, then it would be unable to say, confidently, that it has the resources and savvy to stop “more serious cyber attacks” from taking place.

On April 7th, people trying to log onto the Home Office website were greeted with the following message: “Due to a high volume of traffic this page is currently unavailable. Please try again later.”

Now, this might have passed as routine – certain websites do, on occasion, get really busy – yet everyone knew what had caused the high volume of traffic: Anonymous and its motley crew of hacktivists.

Like a poker player bluffing with a decent but by no means winning hand of cards, the government was forced to show, losing face. They got beat. Even if no data was extracted and the website was back up and running again the next day, the episode has exposed some shortcomings, which security professionals will, no doubt, be keen to get to the bottom of.

2011 was the year that DDoS entered into the popular lexicon and made its mark as a bothersome security threat. What will 2012 bring? As the second quarter of the year gets comfortable, the big question is what can be done? Survivability is a word that gets thrown about in this conversation, but that comes across as weak, as if to imply that it’s not something that can be fully thwarted.

While that may be the case – attacks evolve in response to the defences put in front of them – there is certainly scope for significant improvement. If Anonymous can be so brazen as to announce in advance that it is going to attack, surely this should be met with an equally robust response. We have to work harder.

The big snooping debate

After announcing that it is considering introducing a new bill that will give the GCHQ unprecedented powers to monitor people’s emails, texts, social media content, phone calls and web browsing history – in real time – the government has had to defend itself from a barrage of condemnation.

Critics of the proposed legislation, which may be included in the Queen’s speech in May, have dubbed it a “snooping bill”, claiming that it is a clandestine way of monitoring the activities of everyday people.

The government, however, has assured the public that there is nothing sinister about the bill, no echoes of an Orwellian future, there will be no centralised database storing people’s information, and all information will remain “invisible”.

“Let’s be clear, this is not about extending the reach of the state into people’s data, it’s about trying to keep up with modern technology,” explained prime minister David Cameron, attempting to assuage opponents.

“We should remember that this sort of data, used at the moment, through the proper processes, is absolutely vital in stopping serious crime and some of the most serious terrorist incidents that could kill people in our country, so it’s essential we get this right.”

Advocates of the bill have asserted that this is its focus – to protect people and curb crime whether it’s tackling cyber criminals or terrorists. Akin to a software update, the new legislation is designed to respond to the significant changes that have taken place by virtue of the digital revolution, which has, in no short way, radically transformed most aspects of society. As Mr Cameron noted, a warrant will be needed to access the private information.

Others, however, are less sanguine. Nick Pickles, director of the Big Brother Watch campaign, sees it as leading to a reality that is comparable to the kind of surveillance that is prevalent in Iran and China, two countries known for having, for example, limited press freedoms.

“This is an absolute attack on privacy online and it is far from clear this will actually improve public safety, while adding significant costs to internet businesses,” he stated. “If this was such a serious security issue why has the Home Office not ensured these powers were in place before the Olympics?”

Although details of the proposed bill have yet to be finalised, it is believed that one of the most significant aspects will be for internet service providers and mobile phone companies to keep hold of all data travelling through their respective spheres.

At present, such information is accessible by intelligence agencies, the police and other public bodies, without any external organisations signing off. If the law is to go ahead, there is a desire to see an impartial body set up to monitor requests to ensure that freedoms are being protected and not abused.

“Whoever is in government, the grand snooping ambitions of security agencies don’t change,” Isabella Sankey, director of policy at Liberty, was quoted as saying.

“The coalition agreement explicitly promised to ‘end unnecessary data retention’ and restore our civil liberties. At the very least we need less secret briefing and more public consultation if this promise is to be abandoned.”