Lord Toby Harris

Archive for the ‘Security and counter-terrorism’ Category

Tuesday
Aug 17,2010

Thanks to my good friends at Team Cymru, I have been keeping up-to-date on current developments on cyber security while I have been away.

Two items, in particular, caught my eye.

The first was that India is now developing its own army of software professionals to hack computer systems of hostile nations.

The second was about the vulnerability of major companies to “spoofing” – plausible sounding cold callers seeking information over the telephone AND being provided with enough material to assist hackers to penetrate information systems.  Apparently, at the recent DefCon conference in Las Vegas there was a “social engineering” contest challenging hackers to call workers at 10 companies including Google, Apple, Cisco, and Microsoft and get them to reveal too much information to strangers.  According to an article in The Age,  one employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.

The article continued:

‘”You often have to crack through firewalls and burn the perimeter in order to get into the internal organisation,” said Mati Aharoni of Offensive Security, a company that tests company computer defences.

“It is much easier to use social engineering techniques to get to the same place.”

Other companies targeted were Pepsi, Coca Cola, Shell, BP, Ford, and Procter & Gamble.

The contest, which continued Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.

“We didn’t want anyone fired or feeling bad at the end of the day,” Aharoni said. “We wanted to show that social engineering is a legitimate attack vector.”

A saying that long ago made it onto t-shirts at the annual DefCon event is “There is no patch for human stupidity.”

“Companies don’t think their people will fall for something as simple as someone calling and just asking a few questions,” Hadnagy said.

“It doesn’t require a very technical level of attacker,” Aharoni added. “It requires someone with an ability to schmooze well.”

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

“As humans, we naturally want to help other people,” Hadnagy said. “I’m not advocating not helping people. Just think about what you say before you say it.”

I suspect most organisations and businesses in the UK would be vulnerable to this sort of approach …

Monday
Aug 9,2010

From 25th September 2009:

The Parliament Education Service runs an annual Discover Parliament Programme aimed at 16-18 year olds studying higher level politics, citizenship and general studies.  This afternoon I met 80 students taking part in the Programme.  They were from three schools in Pinner, Chelmsford and Bristol.

As ever on such occasions, the questioning was lively, sometimes challenging and extremely wide-ranging.  We covered – amongst other things – such topics as:

  • aren’t MPs too old (I’d explained that the average age of members of the House of Lords is 69);
  • why aren’t 16 year olds allowed to vote or to sit in Parliament;
  • what did I think of Gordon Brown;
  • should taxes be put up in the current economic situation;
  • should the age for getting a driving licence change;
  • what were my views about David Cameron, Lord Mandelson and the BNP (interesting grouping);
  • what should be done about knife crime and gangs;
  • was “kettling” of G20 protesters fair (from a teacher);
  • should children be taught more about current affairs;
  • did the LibDems have a better record on MPs’ expenses;
  • is the threat of terrorism rising;
  • should there be limits on immigration;
  • was the war in Iraq right; and
  • did I think Labour would win the next General Election and when would it be?

As I said, a lively hour – and an exhilarating one too.

Effectively, these Discover Parliament programmes can only take place during school term time and when Parliament is not sitting.  In practice that means they are only possible for about four weeks a year from the early part of September.  A by-product of Speaker John Bercow’s proposal to shorten Parliament’s summer recess might well be to end these programmes. Whatever the merits or otherwise of Parliament sitting in September (something I personally would favour), it would be a retrograde step to lose this outreach work with young people.

Friday
Jul 30,2010

I have already explained that I really don’t mind.

However, just in case you really really want to cast your vote for this blog in the Total Politics annual beauty parade, this is what you have to do:

The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.

So I’m not asking you to do it, but I really won’t mind if you do……

Thursday
Jul 22,2010

I have already explained that I really don’t mind.

However, just in case you really really want to cast your vote for this blog in the Total Politics annual beauty parade, this is what you have to do:

The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.

So I’m not asking you to do it, but I really won’t mind if you do……

Tuesday
Jul 20,2010

Apparently, last weekend the Vatican was subjected to a cyber attack from an unknown source.  According to the Rome-based Zenit News Agency, the attack meant that anyone typing Vatican into Google was directed to the site “www.pedofilo.com” as the first suggestion, rather than the proper Vatican Web page.  According to the Agency:

“When this misdirection was discovered, Google was informed, said Jesuit Father Federico Lombardi, director of the Vatican press office.

The Internet organization immediately apologized and assured the Holy See that it would do what it could to resolve the problem as soon as possible.

On Sunday morning the problem seemed to be corrected, as users were once again directed to the proper Vatican Web page upon initiating a search for it.

Although the person who caused this problem has not been found, the indications suggested that the operation may have been carried out by someone who had significant knowledge of how Google functions.”

Heavens!  Is nothing sacred?

Tuesday
Jul 20,2010

I have just had a meeting with a senior civil servant in his office in one of the more security-conscious parts of the Whitehall diaspora. I couldn’t help noticing the four separate screens on his desk. When I asked, he explained that one screen allowed him to access public material, one monitor was linked to a computer system that was authorised to handle material up to a RESTRICTED classification, another to a system that could handle CONFIDENTIAL material, and the fourth – you guessed it – was for SECRET items.
I was suitably impressed.

Thursday
Jul 8,2010

I very rarely try to catch TV or radio programmes in which I have been interviewed, but after a couple of people mentioned how good the programme was, I did make an exception and tracked down the broadcast from last Monday afternoon.

So I have only just listened to the Radio 4 feature programme “The Summer That Changed London”.  As an evocation of London and, in particular, the impact of July 2005 (the month of Live8, the declaration of London as the venue for the 2012 Olympics, the 7/7 bombings, the 21/7 failed bombings, and the shooting of Jean Charles de Menezes) on London and Londoners, it is brilliant.

But don’t take my word for it, listen – you can disregard the clips from my interview.   But hurry, you only have two days before it comes off the web-site.

Monday
Jul 5,2010

I am not looking for any recognition, as you know these things don’t matter to me at all and I am profoundly disinterested in where this blog comes in the annual Total Politics ranking of political blogs, so I really am not asking for you to vote for me or my blog ……..

but ……..

should you be so inclined (and I repeat I really, really don’t mind one way or the other), this is what you have to do:

The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.

So I’m not asking you to do it, but I really won’t mind if you do……

Friday
Jul 2,2010

The New York Times reports that an English-language manual on “How to be a Terrorist” has been produced by the propaganda arm of Al Qaeda in the Arabian Peninsula.  The manual in magazine format includes instructions on how to “make a bomb in the kitchen of your mom,” an article on “Mujahedeen 101” and a lesson in sending and receiving encrypted messages.

Apparently, the publication which was circulating on the internet earlier this week was only three pages long.  The reason?   Some sort of virus seemed to have corrupted the remaining 64 pages.

And the New York Times speculates that this:

“could have been the work of hackers, possibly working for the United States government.”

Interesting, if true.

Friday
Jul 2,2010

Francis Maude, the Cabinet Office Minister, has criticised Assistant Commissioner John Yates (who heads the Counter-Terrorist network) for a PRIVATE briefing he gave to Police Chiefs yesterday.  However, the criticism comes across as a Minister shooting from the hip rather than anything else.

Francis Maude has apparently told the BBC 

“I’d like to avoid public servants doing this kind of shroud waving in public.  There is a special responsibility on all public servants to be really careful what we say and what we do.”

But the briefing concerned was not in public.  It was in private.

The event was a CLOSED session at the conference of the Association of Chief Police Officers and the Association of Police Authorities.

The Times newspaper (behind its pay-wall, so no link) reported the speech on the basis of a conversation one of their reporters had with one of those present and, according to this source, John Yates talked about the implications of the postulated 25% cut in police funding for counter-terrorism and security work.

He is reported to have explained that the implications for the counter-terrorism budget were likely to mean that “the Metropolitan Police (Met) would see £87m wiped from its anti-terror budget, while units across the country would lose £62m.”

Is this shroud-waving?

Well, actually, it isn’t.

I remember the debates when police forces outside London were asked to host Counter-Terrorist Units and Counter-Terrorist Intelligence Units.  The forces concerned were naturally worried that they would be employing a substantial number of extra specialist officers and wanted to know what would happen if the funding was reduced or cut altogether.  Those extra officers could not be readily transferred to other duties (particularly if the force concerned already had a restricted budget) and there is no simple way of making police officers redundant. 

Quite properly, ACPO acknowledges – as I understand did John Yates – that police forces have to face cuts in the same way as other areas of public spending and their spokesperson said:

“The home secretary has made clear that alongside other areas of public spending, policing must deliver its share of savings to meet the fiscal deficit.”

And went on:

“No area of policing is immune.”

So, if the Treasury is pressing ahead with the Comprehensive Spending Review, so that the results can be announced in October, which it is, and, if the Home Office is to produce its figures for the Treasury by the end of July, which it does, that has certain consequences.  

Not surprisingly, the Home Office has asked the budget-holders who deliver the component parts of the Home Office budget to provide their figures to the Home Office very soon.  And that will include those parts of the police service that are responsible for counter-terrorism and security.

It would be a rather strange way of managing ANY public service for the person responsible NOT to take the opportunity of briefing those who might be left with a substantial contingent liability as a result of decisions that are in the process of being taken.

So John Yates was not shroud-waving, he was making sure – as any good manager would – that those likely to be directly affected by a decision – and who will have to implement it – were kept fully informed.

Let no-one be under any illusions, there will be consequences of a 25% cut in police expenditure on counter-terrorism and security, just as there will be for a similar cut in other forms of policing and just as there will be for other areas of public spending that are cut. 

No doubt we will all want to debate the implications when those decisions are finalised, but in the meantime Francis Maude should let senior managers get on with the job – and that includes briefing those affected.