I spent an interesting hour or so this afternoon with a “white hat hacker” – someone who uses his substantial computing experience to identify system weaknesses and vulnerabilities so that those weaknesses and vulnerabilities can be fixed.
He demonstrated how simple it is to clone most so-called smart cards, so as to render many (virtually all) secure entry systems redundant. The technology is readily available as are the programmes required to do it.
This doesn’t mean that card-based systems are of no value, but what it showed was how often there are basic design flaws that could be fixed, so as to render such systems much harder to compromise.
I had missed the reports of the Dutch researchers who were able to put phantom money onto their Oyster cards so as to travel round London free. This afternoon, I saw how easily it can be done by those who are minded to cheat the system. I wonder how much Transport for London are losing by this weakness each day and whether their systems for detecting such fraud and de-activating the cards concerned are as robust as they claim.
At the end of 2005, I persuaded three reputable “white hat” penetration testing companies to offer their services for free to any Government department that would like some independent checking of their information security. I wrote with this offer to the designated “senior information risk owner” in every Ministry. The three companies were worried that they would be put out of business by the rush of Government agencies taking them up on their generous offer. However, you will not be surprised to learn that after seven weeks not a single one of the twenty or so “senior information risk owners” that I had written to had replied. I then got a letter from the Cabinet Office on behalf of all of them – an example of coordinated Government rarely seen before or since – declining and saying that they were confident that their systems for protecting information were more than sufficient and that no external validation was needed. Subsequent experience showed how complacent that response was.
This afternoon’s meeting suggested that similar complacency still all too often reigns – not only in the public sector but in the private sector as well. Of course, there are exceptions and I have come across examples of excellent practise with systems checked by two external penetration testing companies, independent of those who have supplied, installed or manage the systems concerned. However, those examples are just that – exceptions. Too often senior managers don’t understand the problem or the risks that they face and are too readily reassured by those who have a vested interest in saying that everything is fine.