Monthly Archives: August 2012

We could all do with talking more

There’s something to be said about good communication, whether it’s an after-work chat on the crazy wages of football stars, an enlightening exchange of tweets with someone across the world on press privacy in a digital age, or a networking meeting to discuss the latest happenings in the information security and risk management industry.

It’s always good to talk, whether you’re the individual imparting your expertise on some of the pioneering ideas you have with regards to penetration testing, or whether you’re an audience member, completely enthralled by an interesting and revelatory discussion on new models of business continuity and disaster recovery.

The human thirst for knowledge, though it can be satisfied through self-directed study, is often best served in a collaborative environment, with ideas bouncing between different minds and producing unintended outcomes that enlighten.

Bearing all that in mind, we find it odd that new research from the European Network and Information Security Agency (ENISA) has found that many organisations and individuals across the continent are not only unaware that they have been victims of cyber crime, but also fail to report it.

The consequence of this is a sort of fictitious environment in which the actual reality of the cyber crime landscape is not as it seems. Because there is a knowledge gap and no coherent system of reporting, what we think we know is decidedly lacking.

“Lack of transparency and lack of information about incidents makes it difficult for policy makers to understand the overall impact, the root causes and possible interdependencies,” the authors of the report state, highlighting the problems this lack of uniformity leads to.

“It also complicates the efforts in the industry to understand and address cyber security incidents. And finally, it leaves customers in the dark about the frequency and impact of cyber incidents.”

This is in spite of the fact that in recent years many countries, not just in Europe but all around the world, have stepped up their efforts against cyber crime, recognising it as a big challenge to keeping order.

However, where they have fallen short is in talking to one another, keeping each other informed of when they’ve experienced major cyber crimes, and letting other European nations know of advancements they’ve made.

The reason it is important to have cross-nation rapport is pretty self-evident. We live in a globalised world where movement across borders, especially in Europe, is the norm and organisations have bases in many countries. Moreover, cyber crime doesn’t care for boundaries. It can happen anywhere in the world and have an international impact.

If, as ENISA notes, there is a common approach to tackling such crimes, a uniform approach to reporting them, and constant dialogue between experts in the respective European nations, you’re already well on your way to addressing the current gaps in knowledge and denting the success of fraudsters. Otherwise we’re always going to be losing.

“Reliable and secure internet and electronic communications are now central to the whole economy and society in general,” the report said. “Cyber security incidents can have a large impact on individual users, on the economy and society in general.”

Humans are supposed to be social creatures. Let’s get talking.


Sending a message: The meaning of Google’s privacy fine

The fine levied by the Federal Trade Commission (FTC) on Google for violation of privacy laws was either in proportion to the billions of dollars the multinational tech company makes every year or so big as to send a message that such abuses will not be tolerated by other organisations.

Either way, the $22.5 million (approximately £14.4 million) is humongous. What was the crime? Well, according to the FTC, which exists to ensure that consumers are protected from dishonest, manipulative and unfair practices, Google basically “misrepresented privacy assurances” to users of Apple’s Safari browser.

This is a huge indictment of a company known for its motto “don’t be evil”. In the preface of its code of conduct, Google explains that it’s “about doing the right thing more generally – following the law, acting honourably and treating each other with respect”.

The FTC concluded that the influential company was anything but honourable in its assertion that tracking cookies would not be placed on users’ computers. It placed them anyway, which in turn meant that people’s browsing habits could be monitored without permission. Targeted ads could then be deployed.

“The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” stated Jon Leibowitz, chairman of the FTC. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

It’s a statement of magnitude because it reinforces the importance of privacy, which has had its foundations shaken ever since the internet began to find its voice, so to speak, and people began to “live, socialise and exist” in a virtual world. Without privacy – or the option to preserve it as we so choose – we risk being exploited, and the internet becomes a playground for this.

“At the bottom, the elimination of spyware and the preservation of privacy for the consumer are critical goals if the internet is to remain safe and reliable and credible,” Cliff Stearns, the US representative for Florida’s 6th congressional district, once said. You can’t dispute that argument.

An attorney from the IT Law Group says that companies should not pay lip service to privacy and that, if they have a privacy practice, they should stick to it. Speaking to BankInfoSecurity, Francoise Gilbert, who has far-reaching and detailed experience with data protection and information security, said that while a privacy policy is a good thing, if it’s not adhered to it becomes inessential.

Google, while accepting the fine, didn’t have to admit any wrongdoing. It’s a strange thing given that the fine is unprecedented, and it resulted in one judge dissenting on the decision. His colleagues, however, argued that denial of liability is not inconsistent with the “imposition” of a civil penalty. So long as Google pays the fine, that is all that matters.

The FTC accepts that the fine may be perceived as insufficient, but, to borrow a quote from Heath Ledger’s Joker in The Dark Knight, it’s not necessarily about the money, it’s about sending a message. The fine is part of that message: abuse privacy and you will be hit hard. Google’s reputation might be intact given how useful it is to our lives, but other companies might not have that luxury.

Ethical hacking: The card game

Whether you are a precocious youngster brought up on classic hacking films or a seasoned professional at the top of his game, Control-Alt-Hack, which has been developed by the University of Washington, is a card game that is worth a try.

The game is based on the pursuit of ethical hacking, which is, in short, the activity that sees individuals, on behalf of an organisation, attack or infiltrate a system in a controlled way so as to establish what weaknesses there are.

Now then, we are quite sure we’ve piqued your curiosity here, so allow us to elaborate further. The theme is based on the information security industry and attempts to paint an accurate picture of what ethical hacking, sometimes referred to as white hat hacking, is all about.

The premise is that you, along with your fellow players, work for Hackers Inc, an elite company specialising in network security and data protection. The motto of the company, brilliant by the way, is: “You Pay Us to Hack You.”

“Your job is centred around missions – tasks that require you to apply your hacker skills (and a bit of luck) in order to succeed,” the designers of the game explain.

“Use your social engineering and network ninja skills to break the Pacific Northwest’s power grid, or apply a bit of hardware hacking and software wizardry to convert your robotic vacuum cleaner into an interactive pet toy…no two jobs are the same. So pick up the dice, and get hacking!”

It all sounds very exciting and, aside from the fact that it is, in part, a game, its authenticity is not to be underestimated. After all, the developers, Tamara Denning, Tadayoshi Kohno, and Adam Shostack, are all computer security experts. They wanted the game to mimic reality, and thus it has as much “juicy and accurate” content as possible.

While the developers and the university are keen to point out that it should not be mistaken for being educational – it is, above all, designed for entertainment – the unfolding narratives of the game nevertheless reveal important information security concepts.

It can therefore be used as an educational tool, be it in a school session informing the next generation of potential ethical hackers of some of the things they might be involved in, or as a genuinely engaging and fun way of conducting training sessions in a professional capacity.

The game might be fun and a little bit dramatic, a quasi-fictional representation so to speak, but it can be instrumental in triggering new ideas, discussion points and strategies in a decidedly novel way. In this, the efforts must be applauded. Although it is not out yet, professionals, academics and instructors can sign up here for notification.

Before we go, we thought we’d elaborate on those timeless hacking movies we’ve all come across. There are a ton, that much is true, but, for some reason, what came to mind instantly was WarGames with a young Matthew Broderick, The Net with, well, a young Sandra Bullock, and Tron with Jeff Bridges. And yes, he is young.

Taking a leap into the unknown

Sun-Tzu, the great ancient Chinese military general and strategist, famously said: “Keep your friends close but your enemies closer.” He was a very wise man and his iconic work, the Art of War, is popular among successful politicians and businessmen and women all around the world.

We’re talking about Sun-Tzu because we speculate that Keith B Alexander, a top man at the National Security Agency (NSA), has recently brushed the dust off his copy of the book and had a good peruse to explore new ideas.

His speech at the 20th annual Def Con convention, which is attended by and aimed at hackers, suggests that he’s keen on exploring non-traditional avenues to make the internet a safer place. He certainly was in an affable and accommodating mood, turning up in jeans and a t-shirt. It was a statement that said: “I’m not the enemy.”

“In this room, this room right here is the talent our nation needs to secure cyberspace,” Mr Alexander told the audience. “We need great talent. We don’t pay as high as everybody else, but we’re fun to be around.”

The appearance of a senior member of the NSA, the US government’s influential and powerful security agency, is unprecedented in the country’s history. His language was placatory: “You know that we can protect networks and have civil liberties and privacy; and you can help us get there.”

What he’s promoting is essentially collaboration. He’s not condoning those who engage in criminal behaviour, exploiting networks for commercial reasons or in the name of extremism, political or religious. Such individuals or groups will be found and prosecuted.

Instead, he’s after those who show promise in this field: precocious youngsters who are bored, those who feel like they are engaging in legitimate protest – the digital manifestation of civil disobedience, for example – who can make a difference to the world if mentored.

“From my perspective, what you’re doing to figure out the vulnerabilities in our systems is absolutely needed,” Mr Alexander said.

If anything, it’s a novel approach and certainly an interesting way of recruiting talent. At a push, perhaps, it also implies that there are gaps in knowledge and indeed in the number of specialists. He could certainly do a lot more to attract those who have a gift in this area by actually making an effort to improve public sector pay.

Fun is great; don’t get us wrong, but everyone wants to earn a decent living. Match private sector pay and you’ll have a generation of talent doing a lot of good. Make people feel valued. Sun-Tzu knew that:

“For them to perceive the advantage of defeating the enemy, they must also have their rewards.”