I’m a self-confessed geek with things on my mind. By day i’m an IT Architect and Security Consultant.
In my spare time I also love being outdoors, camping and bushcraft.
This is my homepage and blog. Feel free to browse, comment and share.
I’m a self-confessed geek with things on my mind. By day i’m an IT Architect and Security Consultant.
In my spare time I also love being outdoors, camping and bushcraft.
This is my homepage and blog. Feel free to browse, comment and share.
As you all now know, a recent “cyber attack” has affected many computers around the world, including, most prominently, the NHS. In this article I will ask the question, “what implications does this have on future IT services for the healthcare industry?”
Firstly, this incident was not a “cyber attack”. No targeted attack against the NHS took place. In fact, whether it is an attack at all is open to debate. The incident was in fact caused by a piece of “ransomware” which takes the form of an Internet worm. Worms are self-replicating pieces of code which spread from computer to computer using networks. They usually exploit a vulnerability in target software or operating system code to gain access and/or elevated privileges on the target system. Once infected, the real purpose of the worm, termed the payload, activates. The payload can range from something benign to something more sinister. In the case of ransomware, the usual modus operandi is to encrypt data on the target computer’s hard-drive and then offer to decrypt it in return for the payment of a ransom.
So, having established what happened, how did it happen and why was the impact so significant? The answer to this lies in the exploit used. This particular exploit leveraged a vulnerability which, according to Microsoft, was not known to them. In fact, it was developed by the NSA, who kept quiet about the vulnerability so they could use it against their targets. Recently a group leaked a set of NSA exploits, including one which used this vulnerability. Because the exploit was not discovered, disclosed to the vendor and patched, as is the normal way these issues are dealt with, Microsoft did not have an immediate fix. This type of exploit is termed a “zero-day exploit” in the industry. In fact, this is the worst kind of vulnerability. It was not just a theoretical vulnerability but a tried and tested working exploit. Because Microsoft was now on the back foot, coders managed to release a worm that used this exploit before a security fix could be released. In fact, they had little hope of stopping a determined coder in time. So, this worm is more a direct result of the cracking activity of the NSA and by extension GCHQ as they are very closely linked. Is this something we should be concerned about? Absolutely! Could it have been handled better, most definitely!
Having established what happened and why, what lessons can we learn from this? Well, firstly, the standard response to this type of threat is to ensure your software patching schedule and methodology ensures your operating systems and software are kept up to date. However, in this circumstance, this would have done nothing to mitigate the risk. There are things that could have helped to protect important data, however. I will deal with these below.
The first question that springs to my mind is why is raw data is accessible from a terminal in the first place? If files are not directly accessible, they cannot be encrypted. This means that, even if a terminal is affected, a simple re-image will get you up and running again. If we take this a step further and look at network boot, thin client environments, the risk can be greatly mitigated and the recovery time greatly reduced.
Coupled with this we must look at how our data is accessed and presented. Placing our data in the cloud would help to mitigate against this type of attack. If our data is hosted on a highly secure system and accessed, for example, using HTTPS or XMLRPC then our data would be safe even if the terminal was compromised. Data could continue to be accessed and it could not be held to ransom. We must also be mindful of correct backup procedure and cold storage, so that any data that is compromised could be restored intact. Placing data in the cloud provides a unique opportunity to protect ourselves from local network attack, so the only element at direct risk from attack vectors such as the one used by this worm is the access layer to our data. Cloud computing allows us to treat our local and wide-area networks as we should treat them; hostile, untrusted environments. It is obvious from the impact on the NHS that both the NHS National Network (N3) and local NHS Trust networks were heavily involved in the propagation of this worm and should not be treated as trusted networks. Perhaps the existing paradigm, where N3 is widely considered safe to pass patient data should be under heavy scrutiny and more controls should be applied to data transiting this network.
When we consider N3 as an untrusted network, we realise that our second line of defence, beyond our firewalls and security procedures is very simple. Isolate, contain, eliminate. We must be prepared to pull the plug on our links to the outside world when threats such as this take place in order to protect the integrity of our local networks and our data. Commonly, a loss of connectivity is considered an undesirable event. However, IT managers must consider a controlled disconnection as one of the tools in their arsenal to protect their network. This approach, however, presents unique challenges to business continuity, particularly around the access to services and data. These challenges are more apparent when we move towards a cloud-enabled data model. It is this specific area that my company, iCoriolis, is working on innovative solutions to ensure data is still accessible even when disconnected from the WAN and by extension the cloud, whether this event is controlled or an incident.
Lastly and possibly most important in my mind are the choices made by IT managers about the software and operating systems they choose for terminals and servers. This incident has shown us that Microsoft, despite considerable effort, cannot predict the future. They simply cannot fix an unknown vulnerability fast enough in these circumstances. This is not inherently their fault as they rely on the security community to identify and report vulnerabilities; no one company can discover everything. This is where Open Source software really shows its advantage. It’s not that Open Source developers are better (although some are). It’s not an ideological issue. It’s simply that because the code of Open Source software is made freely available and the community constantly peer reviews and improves it. Vulnerabilities are discovered, shared, discussed and fixed. Rather than this time-bomb hanging around for years, it could have been fixed in a short amount of time. With these facts in mind, putting my personal preference for Open Source software and my dislike of Windows for a moment, I find it difficult to understand how anyone can now trust a closed-source operating system for critical data. Indeed, governments seem to agree, with the NSA and GCHQ widely using and recommending Open Source software. Whilst Open Source software is not a magic bullet, in my mind, this is certainly a case of “better the devil you know”.
When my daughter went to secondary school, it just didn’t fit. To be fair, it was not just the schools fault. You see, she suffered Meningitis when she was seven and she was left with brain damage. When she came around from three weeks on a ventilator in a medically-induced coma she was lucky to be alive. She’d lost her speech, her movement on her right side and her ability to walk.
What followed was little short of a miracle. With minimal help from the medical community, she started the slow process of learning to walk and talk again. She went back to school and there began the struggle with the system which eventually led to the decision that the system could not provide for her very individual needs. Primary school was okay. It was certainly not perfect, but she managed. Secondary school, on the other hand, was much more of a challenge. She managed one year at secondary school until eventually, with much negativity from the school and Local Authority, we sent our de-registration letter.
What followed was similar to many EHE familes. A period of de-schooling led to that all too familiar “what next” feeling. She did some on-line courses. She saw a private tutor, primarily focusing on English and Maths. During this period, she also sustained a serious injury to her ankle, which, over the course of the next year, put her in a wheelchair when outdoors and on crutches indoors. She now had coming to terms with a new disability and all of the associated pain and upset this brings.
Our EHE provision adapted. We focused on independence, resilience and coping strategies for a disabled teenager to be independent in life. Whilst she continued some academic work, of primary importance was her ability to interact with the world and to cope with her disability. We felt, and still do feel, that this is the biggest enabler for a young person coping with disability. Academic study can come at any time in life, but coping strategies can last a lifetime.
This year, in what would have been her year-11 year if she was in mainstream school, she has gone to college, on a pre-vocational course. It’s been a struggle at times but she’s done really well and we’re proud of her. Next year, she hopes to study Media. She’s come full-circle, from mainstream schooling, following a parabola through EHE and back to main-stream again next year. Her time as EHE has allowed her to step back and re-assess what she wants to achieve from education. It has allowed her to see education as a very personal, positive experience which she can be excited about. She is motivated and engaged. (most of the time, she is a teenager!)
Last week, it felt like all of our hard work had been justified, when the local authority EHE advisory teacher, who has always been very supportive, praised our daughters achievement and said her story was a “model” for other EHE parents in similar situations.
I would imagine many EHE parents and young people, particularly those with some element of special needs, will identify with this path. EHE is a great enabler, but many still want to be able to engage with mainstream higher and further education as a conclusion to their EHE journey. It’s great to be able to look forward to a life where a young person can fully integrate into society, taking their new-found confidence and skills that have been fostered by EHE. The next couple of years for our daughter could see a complete transformation. From young person to adult and due to some hopefully life-changing surgery, from wheelchair user to able-bodied young woman. We’re excited to see what the future holds.
Last week I received my new Hytera MD650 from my helpful Chinese supplier.
I am very impressed with the radio indeed. It is:
The radio came pre-programmed with the latest European version of the firmware; from the version 7 series and I was also supplied with the correct version of CPS.
You may have noticed that I have the MD650 – this is the Chinese, Zone 0 version. This is nothing to worry about, however. The supplier had pre-programmed the radio with the Zone 5 (Europe) firmware and provided the appropriate CPS to go with it. The hardware for all versions is the same. Buying the Chinese version direct from China was far cheaper than buying here in the UK.
Programming the radio with CPS was simple enough and will be no great challenge for anyone used to programming radios. I bought the PC-47 programming cable with the radio. Having pre-installed the driver and CPS software in a Windows Virtual Machine on my laptop (I use Linux) before receiving the radio, it worked first time.
I am very impressed with the simple, solid-feeling speaker-mic, which has the LCD display and all of the buttons required to operate the radio on it. Operation is intuitive and the transmit and receive audio is great, as confirmed by on-air comments. Dare I say it, but in subjective tests, it seems to consistently outperform many Motorola radios for audio quality. The AGC seems to work well too.
I have asked the supplier to get me a Roaming Licence, as this is separately licensed for Hytera radios, which he has promised to do.
All-in-all, I’m very satisfied, especially for the price – a little over 200 UKP; around 300 USD.
Shipping by DHL was reasonably priced and reliable.
I would definitely recommend the radio. I bought it from here.
Please note, I’m not affiliated with this seller but based on my experience with their service, I would thoroughly recommend them.
Here is the simple recipe for Thai Green Curry I use. It’s easy and quick and tastes great:
Note: vegetables can be switched up to you liking.
I tend to cook this in pretty big batches. You can halve the ingredients list if you like.
NEVER let this boil or it separates the coconut milk and ruins the curry!
It amazes me that companies selling TLS certificates are really allowing you to generate your private key and your CSR online. Anyone who would do this completely misunderstands how TLS works.
Generate your private key on the server it applies too!
I’m struggling to reconcile the response to the Shoreham air crash with the current crisis involving refugees that is happening globally.
Don’t get me wrong, the Shoreham air crash was terrible and the families deserve help and support. However, in the last few days, I’ve seen shops collecting for the families, café’s donating their tips to the Shoreham air crash families. I have heard supposed stories of distant family members who barely knew the victims starting go fund me campaigns to cash in on the disaster and make £20-30k tax free profit from this tragic accident, effectively conning the public and exploiting someone’s death.
The families of the unfortunate victims will receive help, not least from the Public Liability Insurance for the event, as they rightly should without all of this public fund-raising. Is the offer of money not in some way insulting; it can’t bring someone back.
In sharp contrast, I have not seen any fund-raising for refugees locally. Just a modest contribution to this cause could greatly change the lives of these vulnerable people.
So, Great Britain, are eleven British lives really more important than thousands of others, just because they are British and died on British soil? In my mind, no they are not. These refugees (I refuse to call them migrants) deserve our help and support. If we have any humanity left in us, let’s remember the dead from the Shoreham air crash, let’s help the families, but let’s also offer the same compassion to those fleeing violence, oppression and death too.
“A society of free people will always have crime, violence and social disruption. It will never be completely safe. The alternative is a police state. A police state can give you safe streets, but only at the price of your human spirit. ”
These are the words of Alexander Shulgin in 1991, a name you may know as an expert in psychopharmacology. The full text of the lecture that this quote was taken from is linked below. I urge you to read it. He’s talking about the US war on drugs, but his words are strikingly relevant to the current “war on terror”. I do not post this for it’s words on drugs but rather as a mirror held up to the progression of society which is equally as applicable today as in 1991 when this was written.
Today, right now, our “leaders” are making an attack on our privacy, our right to expression, our right to communicate. David Cameron is seriously suggesting that the UK outlaw encryption and allow open monitoring of any and all of our communications, without the requirement for a court order. Does that fit the definition of a police state?
Don’t get me wrong, I understand that the security services need the ability to monitor, surveil, spy in the interest of national security, but not to offer the protection to the freedoms of the individual by requiring a court order to do so does, in my opinion cross the line into a police state and is disproportionate and dangerous, particularly if we allow politicians to decide who is surveiled and when. Politicians should only wield so much power and there should be protection against them using this power for their own gain.
There are so many parts of this text which are quote-worthy, but I will leave you with this.
“Let me ask each of you this simple question. What indicators would you accept as a definition of a police state, if it were to quietly materialize about you? I mean, a state that you could not tolerate.”
RIP Alexander Shulgin, 1925 – 2014.
We’ve all had a call from the bank, this is nothing new. However, in today’s day-and-age, why do banks and other organisations we have accounts with think it’s okay to ask for our personal details on the ‘phone?
Several times this week I’ve had a call from my bank. Upon answering, I’ve been told that they want to speak to me about “personal banking matter” and then asked for my personal details. This could be your date of birth, postcode, address, account number or one of many more pieces of personal information. I politely declined, telling the call-centre droid that it was a personal security risk to give this information out on a incoming call. They then proceeded to give me a number to call back on, which I also declined for the same reason. When I called my bank to ask about the call, they told me I did the right thing by not giving my personal information, even though it appears that it was them who called me!
We all know about about identity theft. Many of us have heard of social engineering, so why do supposedly reputable organisations insist on using such poor practice to try and contact us? Surely, we all know that someone can easily ‘phone you and pretend to be someone they’re not? Caller-Line ID is easy to fake if you know how so even the ‘phone number isn’t much use to you.
The FSA should produce guidance on this and banks and other organisations should agree never to ask for information in this way, to help stamp out unintentional information disclosure to nefarious third parties.
But why don’t these organisations seem to care? The answer is simple, all they care about is profit. They are not actually concerned about safeguarding you as long as they turn a profit and as long as it does not harm their reputation. The only way this behaviour is going to stop is if we all refuse to give out this information and make their calling not worthwhile.
So, next time someone calls you like this, I urge you to politely decline to give information. It’s safer for you and if enough of us do it, these organsations will stop trying their luck.
This is our favourite slow-cooked curry. It’s super easy, feeds loads and tastes really good. Ingredients
This dish works great with just about any good curry paste, just adjust the ingredients and seasoning to suit. It tastes even better if refrigerated overnight prior to serving. It keeps for ages in the ‘fridge and also freezes well.
We’ve all done it; you receive a request to sign a petition from an organisation like 38 Degrees via email or Facebook and you sign and select the options to share with friends via twitter, Facebook, Google+ etc. It’s easy, quick and it doesn’t require much thought or effort.
These organisations claim to be non-political; to represent the masses without involving themselves in party politics but is this true? Humans have a tendency to form social groups, to follow, to succumb to peer pressure. Every time you share a petition on-line you’re using peer pressure to help these organsations coerce your friends into supporting their point of view. Organisations like 38 Degrees use inclusive language to make the reader feel a rapport, a belonging to the group at large. There is a strong psychological and sociological basis for this. Humans want, even need, to feel part of a group. The more of your friends who openly support these causes, the more likely you are to support them. A social network creates an implied trust and by extension, when an idea is shared in a social network it creates the same implied trust of the idea and it’s source in your network. Are you really so confident in the source and intention of a petition that you’re willing to personally vouch for it’s integrity? The same theory is used in sales and marketing and yes, also by political parties. Many of these petitions carry the equivalent of a tabloid headline. Emotive language is used to invoke an emotional response without proper consideration of the subject matter. This reaction makes it very easy to manipulate the masses in to showing support for an idea with very little understanding of the issues. Once you’ve shown support for the idea, you’re encouraged to use your social influence to convince your friends to do the same. This process could easily be manipulated. Petitions could be crafted to suggest successively more extreme ideas and many would not notice the resultant gradual erosion of their freedoms and extremism creeping in post by post. History has shown us that governments often go through the transition to extremism slowly, one seemingly reasonable change at a time.
Organisations like 38 degrees are, to me, overtly political even though they claim not to be. It could be argued that they are not party-political in the traditional sense as they seek to influence existing MPs regardless of party. Another argument is that they are a party themselves and should therefore “come out” and register their intention as such.
These sort of organisations, often with good intentions, seek to influence and change the current climate. I’m not saying this is a bad thing. However, I feel that this process should not be pressured. To force your ideas on someone is not freedom. People should be encouraged to understand issues and respond to them, not to react emotionally to tabloid headlines. To illustrate this point, imagine if every Daily Mail headline had a petition attached which readers were asked to sign immediately. I think we’d see some dangerous ideas seeing support when in reality many readers, with proper analysis of the issues, would not agree.
We have to accept that tabloid journalism and sensationalism is part of the political climate in the UK. I wonder if it’s safe, however, for this type of comment and political lobbying to be so closely linked.
So what can you do about it? Personally, I’ve made a decision to not share petitions on Facebook or Twitter any more. If you chose to sign a petition, do so after you’ve read the full text and understand the issues. If you don’t understand, you can always save signing for when you have enough information. Perhaps, abstinence from this debate is more appropriate? Sometimes it’s best to leave it to those who do understand. It used to be considered impolite to impose your political views on your friends and I feel it still should be. Remember, your Facebook friends don’t ask your opinion before every petition post. In this sense they are unsolicited, like spam, and have a real potential to cause annoyance and division between friends.
If you do choose to sign a petition or support a cause, that’s your decision, but don’t help the lobbying organisations pressure everyone else into thinking the same by exploiting your social networks to do so. If you need to share an idea you feel is important, do it personally, write something yourself and let your readers decide.