My default position is that the new Coalition Government is hell-bent on creating a double-dip recession and on dismantling vital parts of the public sector, is ideologically-driven and is cavalier about the impact of its policies on disadvantaged communities. And I remain to be convinced that it is not taking unacceptable risks with national security.
So the stories I have been hearing about the willingness of the Government to invest in the nation’s cyber-security come as an unexpected, but pleasant, surprise.
I am told that David Cameron personally has been convinced that the comprehensive spending review must ensure that substantial extra resources are spent on developing the UK’s capacity to counter cyber threats to its infrastructure and that the debate between the Treasury and the Cabinet Office is whether the new investment should be £1.5 billion or £2 billion.
This of course is still far less than many other countries are investing. However, if my informants are correct, this would be a useful step in the right direction. Seeing will be believing. And we’ll see on 20th October.
The perils of USB sticks are highlighted by two news stories from the last few days.
First, Greater Manchester Police have been embarrassed by an unencrypted USB stick that was “found lying in the street” which the public spirited citizen who “found” it passed on to the responsible authorities (aka The Daily Star on Sunday). Apparently, the USB stick contained “2,000 pages of highly-sensitive and confidential information” including material “on countering the threat of terrorism on British streets include strategies for acid and petrol bomb attacks, blast control training and the use of batons and shields.”
Of course, it is entirely natural that, if you find something outside a police station, emblazoned with the logo of Greater Manchester Police, the first thing you do is take it home and plug it into your laptop. And then when you realise how sensitive it is you decide not to return it to the Police but give it to a tabloid newspaper. This public-spirited citizen was so confident of the correctness of his actions that he “asked the Daily Star Sunday to withhold his identity because he feared reprisals”.
Meanwhile in India, the Times of India reports:
“Even as Chinese and Pakistani online espionage agents continue their attempts to hack into Indian computer systems, hostile intelligence agencies are also trying to steal defence secrets through use of computer storage media (CSM) devices like pen drives, removable hard disks, CDs, VCDs and the like.
The Intelligence Bureau has sounded a red alert about “intelligence officers of a hostile country” encouraging their “assets” working in Indian defence establishments to use CSM devices to pilfer classified information from computer networks.”
It looks as though the Chinese and Pakistani intelligence agencies are wasting a lot of effort – all they need is to get a few Mancunian businessmen and the Daily Star onside and they will have all the information they need …
The Washington Post reports that the US Deputy Defense Secretary has publicly acknowledged what is being described as the most significant breach of U.S. military computers.
The cause was a flash drive inserted into a U.S. military laptop in the Middle East in 2008.
And the consequence was that the malicious code, which had been placed on the drive by a foreign intelligence agency, uploaded itself onto the network run by the U.S. military’s Central Command. Apparently, the code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.
This disclosure was apparently part of a deliberate strategy to raise the awareness of the US Congress and the American people of the cyber-threat being faced by the USA. Apparently, the Pentagon’s 15,000 networks and 7 million computing devices are being probed thousands of times daily and the US Government’s concern is that cyberwar is asymmetric and that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult to identify the instigator of an attack.
The problems faced by the Pentagon are no doubt faced – on a smaller scale – by the UK Ministry of Defence and the British armed services. I do not, however, detect a similar openness about the threat by the UK’s Coalition Government – perhaps because the strategy to address the problem is nothing like as well-developed as it should be.
I’ve commented before on the market that has developed for hackers and malware writers to sell on their “products” to other criminals – even promoting their activities via Twitter.
This concern has now been repeated by the Canadian Criminal Intelligence Service in its 25th Annual Report on Organised Crime. According to the Montreal Gazette:
“The report, released Friday, focuses on securities fraud, and states the size and complexity of schemes help conceal criminal activity, generate ample profits and facilitate tax evasion.
It said social-networking websites are allowing criminals to efficiently and anonymously issue fake news releases and promotional material to potential victims.
Aside from the use of Facebook and Twitter, criminal organizations are taking advantage of the hacker-for-hire black market, it said.
The report offered few further details. However, it did say that because of the availability of these services, fraudsters don’t need to acquire the necessary technical expertise to hijack computer accounts on their own.”
Thanks to my good friends at Team Cymru, I have been keeping up-to-date on current developments on cyber security while I have been away.
Two items, in particular, caught my eye.
The first was that India is now developing its own army of software professionals to hack computer systems of hostile nations.
The second was about the vulnerability of major companies to “spoofing” – plausible sounding cold callers seeking information over the telephone AND being provided with enough material to assist hackers to penetrate information systems. Apparently, at the recent DefCon conference in Las Vegas there was a “social engineering” contest challenging hackers to call workers at 10 companies including Google, Apple, Cisco, and Microsoft and get them to reveal too much information to strangers. According to an article in The Age, one employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.
The article continued:
‘”You often have to crack through firewalls and burn the perimeter in order to get into the internal organisation,” said Mati Aharoni of Offensive Security, a company that tests company computer defences.
“It is much easier to use social engineering techniques to get to the same place.”
Other companies targeted were Pepsi, Coca Cola, Shell, BP, Ford, and Procter & Gamble.
The contest, which continued Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.
“We didn’t want anyone fired or feeling bad at the end of the day,” Aharoni said. “We wanted to show that social engineering is a legitimate attack vector.”
A saying that long ago made it onto t-shirts at the annual DefCon event is “There is no patch for human stupidity.”
“Companies don’t think their people will fall for something as simple as someone calling and just asking a few questions,” Hadnagy said.
“It doesn’t require a very technical level of attacker,” Aharoni added. “It requires someone with an ability to schmooze well.”
One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.
The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.
“As humans, we naturally want to help other people,” Hadnagy said. “I’m not advocating not helping people. Just think about what you say before you say it.”
I suspect most organisations and businesses in the UK would be vulnerable to this sort of approach …
I have already explained that I really don’t mind.
However, just in case you really really want to cast your vote for this blog in the Total Politics annual beauty parade, this is what you have to do:
The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.
So I’m not asking you to do it, but I really won’t mind if you do …
According to a German News Service, a man from the Rhineland has been arrested for spying on more than 150 girls in their bedrooms by hacking into their computers and using their webcams to watch them, provoking warnings that others will be doing the same thing.
Apparently, Thomas Floß from the association of data protection advisors, discovered the case. He often visits schools to talk with children about data protection and sensible behaviour on the internet and gives a presentation including a video showing how children can be spied on via their webcam.
“I want to show how dangerous webcams are,” he said. “I became suspicious when from February, increasing numbers of girls expressed the suspicion this was happening to them.”
According to the report:
“Two girls told him the little lights on their webcams were not going out when they had finished using them. On examining one of the computers Floß discovered a so-called Trojan computer program which was being used to control the equipment, and which had been spread via the chat service ICQ.
The hacker had allegedly broken into the chat service account of one schoolgirl, and used it to choose which others he wanted to spy upon, and send the Trojan to their computers.
He was traced to the Aachen region and arrested – when police officers arrived at his home they found several live feeds to bedroom cameras running on his computer.
Floß said he believed many more people were doing the same thing. “I have visited 50 to 60 schools, and every time at least one schoolgirl tells me they have such a problem [with webcams not switching off],” he said.”
Apparently, last weekend the Vatican was subjected to a cyber attack from an unknown source. According to the Rome-based Zenit News Agency, the attack meant that anyone typing Vatican into Google was directed to the site “www.pedofilo.com” as the first suggestion, rather than the proper Vatican Web page. According to the Agency:
“When this misdirection was discovered, Google was informed, said Jesuit Father Federico Lombardi, director of the Vatican press office.
The Internet organization immediately apologized and assured the Holy See that it would do what it could to resolve the problem as soon as possible.
On Sunday morning the problem seemed to be corrected, as users were once again directed to the proper Vatican Web page upon initiating a search for it.
Although the person who caused this problem has not been found, the indications suggested that the operation may have been carried out by someone who had significant knowledge of how Google functions.”
Heavens! Is nothing sacred?