Category Archives: privacy

The recent “cyber attack” and the implications on the healthcare industry.

As you all now know, a recent “cyber attack” has affected many computers around the world, including, most prominently, the NHS. In this article I will ask the question, “what implications does this have on future IT services for the healthcare industry?”

Firstly, this incident was not a “cyber attack”. No targeted attack against the NHS took place. In fact, whether it is an attack at all is open to debate. The incident was in fact caused by a piece of “ransomware” which takes the form of an Internet worm. Worms are self-replicating pieces of code which spread from computer to computer using networks. They usually exploit a vulnerability in target software or operating system code to gain access and/or elevated privileges on the target system. Once a system is infected, the real purpose of the worm, termed the payload, activates. The payload can range from something benign to something more sinister. In the case of ransomware, the usual modus operandi is to encrypt data on the target computer’s hard drive and then offer to decrypt it in return for the payment of a ransom.

So, having established what happened, how did it happen and why was the impact so significant? The answer to this lies in the exploit used. This particular exploit leveraged a vulnerability which, according to Microsoft, was not known to them. In fact, it was developed by the NSA, who kept quiet about the vulnerability so they could use it against their targets. Recently a group leaked a set of NSA exploits, including one which used this vulnerability. Because the exploit was not discovered, disclosed to the vendor and patched, as is the normal way these issues are dealt with, Microsoft did not have an immediate fix. This type of exploit is termed a “zero-day exploit” in the industry. In fact, this is the worst kind of vulnerability: it was not just a theoretical vulnerability but a tried and tested working exploit. Because Microsoft was now on the back foot, coders managed to release a worm that used this exploit before a security fix could be released. In fact, Microsoft had little hope of stopping a determined coder in time. So, this worm is more a direct result of the cracking activity of the NSA and, by extension, GCHQ, as they are very closely linked. Is this something we should be concerned about? Absolutely! Could it have been handled better? Most definitely!

Having established what happened and why, what lessons can we learn from this? Well, firstly, the standard response to this type of threat is to ensure your software patching schedule and methodology ensures your operating systems and software are kept up to date. However, in this circumstance, this would have done nothing to mitigate the risk. There are things that could have helped to protect important data, however. I will deal with these below.

The first question that springs to my mind is why raw data is accessible from a terminal in the first place. If files are not directly accessible, they cannot be encrypted. This means that, even if a terminal is affected, a simple re-image will get you up and running again. If we take this a step further and look at network-boot, thin-client environments, the risk can be greatly mitigated and the recovery time greatly reduced.

Coupled with this we must look at how our data is accessed and presented. Placing our data in the cloud would help to mitigate against this type of attack. If our data is hosted on a highly secure system and accessed, for example, using HTTPS or XMLRPC, then our data would be safe even if the terminal was compromised. Data could continue to be accessed and it could not be held to ransom. We must also be mindful of correct backup procedure and cold storage, so that any data that is compromised could be restored intact. Placing data in the cloud provides a unique opportunity to protect ourselves from local network attack, so the only element at direct risk from attack vectors such as the one used by this worm is the access layer to our data. Cloud computing allows us to treat our local and wide-area networks as we should treat them: hostile, untrusted environments. It is obvious from the impact on the NHS that both the NHS National Network (N3) and local NHS Trust networks were heavily involved in the propagation of this worm and should not be treated as trusted networks. Perhaps the existing paradigm, where N3 is widely considered safe for passing patient data, should be under heavy scrutiny and more controls should be applied to data transiting this network.

When we consider N3 as an untrusted network, we realise that our second line of defence, beyond our firewalls and security procedures, is very simple: isolate, contain, eliminate. We must be prepared to pull the plug on our links to the outside world when threats such as this take place in order to protect the integrity of our local networks and our data. Commonly, a loss of connectivity is considered an undesirable event. However, IT managers must consider a controlled disconnection as one of the tools in their arsenal to protect their network. This approach, however, presents unique challenges to business continuity, particularly around access to services and data. These challenges are more apparent when we move towards a cloud-enabled data model. It is in this specific area that my company, iCoriolis, is working on innovative solutions to ensure data is still accessible even when disconnected from the WAN and, by extension, the cloud, whether this event is controlled or an incident.

Lastly, and possibly most important in my mind, are the choices made by IT managers about the software and operating systems they choose for terminals and servers. This incident has shown us that Microsoft, despite considerable effort, cannot predict the future. They simply cannot fix an unknown vulnerability fast enough in these circumstances. This is not inherently their fault, as they rely on the security community to identify and report vulnerabilities; no one company can discover everything. This is where Open Source software really shows its advantage. It’s not that Open Source developers are better (although some are). It’s not an ideological issue. It’s simply that the code of Open Source software is made freely available, and the community constantly peer reviews and improves it. Vulnerabilities are discovered, shared, discussed and fixed. Rather than this time bomb hanging around for years, it could have been fixed in a short amount of time. With these facts in mind, and putting aside my personal preference for Open Source software and my dislike of Windows for a moment, I find it difficult to understand how anyone can now trust a closed-source operating system for critical data. Indeed, governments seem to agree, with the NSA and GCHQ widely using and recommending Open Source software. Whilst Open Source software is not a magic bullet, in my mind this is certainly a case of “better the devil you know”.

The progression of the police state

“A society of free people will always have crime, violence and social disruption. It will never be completely safe. The alternative is a police state. A police state can give you safe streets, but only at the price of your human spirit.”

These are the words of Alexander Shulgin in 1991, a name you may know as an expert in psychopharmacology. The full text of the lecture that this quote was taken from is linked below. I urge you to read it. He’s talking about the US war on drugs, but his words are strikingly relevant to the current “war on terror”. I do not post this for its words on drugs but rather as a mirror held up to the progression of society, which is equally as applicable today as in 1991 when this was written.

Today, right now, our “leaders” are making an attack on our privacy, our right to expression, our right to communicate. David Cameron is seriously suggesting that the UK outlaw encryption and allow open monitoring of any and all of our communications, without the requirement for a court order. Does that fit the definition of a police state?

Don’t get me wrong, I understand that the security services need the ability to monitor, surveil and spy in the interest of national security, but not to offer protection to the freedoms of the individual by requiring a court order to do so does, in my opinion, cross the line into a police state and is disproportionate and dangerous, particularly if we allow politicians to decide who is surveilled and when. Politicians should only wield so much power and there should be protection against them using this power for their own gain.

There are so many parts of this text which are quote-worthy, but I will leave you with this.

“Let me ask each of you this simple question. What indicators would you accept as a definition of a police state, if it were to quietly materialize about you? I mean, a state that you could not tolerate.”

RIP Alexander Shulgin, 1925 – 2014.

http://www.psychedelic-library.org/shulgin2.htm

Banks and other organisations are irresponsible to ask for personal details over the ‘phone.

We’ve all had a call from the bank, this is nothing new. However, in today’s day-and-age, why do banks and other organisations we have accounts with think it’s okay to ask for our personal details on the ‘phone?

Several times this week I’ve had a call from my bank. Upon answering, I’ve been told that they want to speak to me about a “personal banking matter” and then asked for my personal details. This could be your date of birth, postcode, address, account number or one of many more pieces of personal information. I politely declined, telling the call-centre droid that it was a personal security risk to give this information out on an incoming call. They then proceeded to give me a number to call back on, which I also declined for the same reason. When I called my bank to ask about the call, they told me I did the right thing by not giving out my personal information, even though it appears that it was them who called me!

We all know about identity theft. Many of us have heard of social engineering, so why do supposedly reputable organisations insist on using such poor practice to try and contact us? Surely we all know that someone can easily ‘phone you and pretend to be someone they’re not? Caller Line ID is easy to fake if you know how, so even the ‘phone number isn’t much use to you.

The FSA should produce guidance on this and banks and other organisations should agree never to ask for information in this way, to help stamp out unintentional information disclosure to nefarious third parties.

But why don’t these organisations seem to care? The answer is simple, all they care about is profit. They are not actually concerned about safeguarding you as long as they turn a profit and as long as it does not harm their reputation. The only way this behaviour is going to stop is if we all refuse to give out this information and make their calling not worthwhile.

So, next time someone calls you like this, I urge you to politely decline to give information. It’s safer for you and, if enough of us do it, these organisations will stop trying their luck.

Why don’t banks use digital signatures to stamp out phishing?

Ever wondered why banks don’t offer optional digital signatures on all of their messages to you, or even full encryption of messages? My ISP does it, why not banks? This has the potential to stamp out Phishing scams for good. It’s backwards compatible too. The processing power required is not a huge issue nowadays.
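What “optional digital signatures on all of their messages” would look like in practice, as an added example that is not part of the original post and not any bank’s code: the bank holds a long-lived signing key, publishes only the public half (which the customer’s client pins), and attaches a detached signature to every notice. The seed, the bank name and the notice text are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Constructed, fixed seed so the example is repeatable. A real bank would
// generate its key once and keep it in an HSM; only the public half is
// published (printed on statements, pinned in the banking app).
var bankSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// BankKeyPair derives the bank's long-lived signing key pair from the seed.
func BankKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bankSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignNotice returns a detached Ed25519 signature over the notice text.
// The bank attaches this to every message it sends.
func SignNotice(priv ed25519.PrivateKey, notice string) []byte {
	return ed25519.Sign(priv, []byte(notice))
}

// VerifyNotice is the customer-side check: the notice is trusted only if the
// signature verifies under the public key the customer already holds.
// A phished copy with an edited link or account number fails, and so does a
// message signed with an attacker's own key, because that key is not pinned.
func VerifyNotice(pinned ed25519.PublicKey, notice string, sig []byte) bool {
	if len(pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, []byte(notice), sig)
}

func main() {
	pub, priv := BankKeyPair()
	genuine := "Example Bank: your statement is ready at https://bank.example/statements"
	sig := SignNotice(priv, genuine)
	fmt.Println("genuine notice verifies:", VerifyNotice(pub, genuine, sig))

	// Same text with the link swapped: the original signature no longer matches,
	// and nobody without the bank's private key can produce one that does.
	edited := "Example Bank: your statement is ready at https://bank-example.invalid/login"
	fmt.Println("edited notice verifies:", VerifyNotice(pub, edited, sig))

	// Signed with some other key: rejected because the customer pins the bank's key.
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	fmt.Println("other-key notice verifies:", VerifyNotice(pub, edited, SignNotice(otherPriv, edited)))
}
```

The check is cheap (one Ed25519 verification per message), which is the point made above about processing power, and a client that simply ignores the signature still reads the message as before, which is the backwards compatibility.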

But it’s not in the bank’s best interest to stamp out these scams. Why, you ask? The answer is simple. Contrary to popular belief, cases of external hacks getting to sensitive bank data are very, very, very rare. So rare as to be almost impossible. What is more prevalent is compromise involving some human, internal element. The public’s perception that external phishing or hacking attempts are responsible for data being compromised, cards being cloned and accounts being accessed is an extremely useful diversion for the banks, because it makes the average person assume that the threat is external and the bank is hence still trustworthy and safe. This is, however, not the case. Bank staff are no more trustworthy or immune to coercion and blackmail than anyone else. If intelligence organisations can be compromised, private companies can be compromised more easily. In my entire time working in the security field I have never seen an external attack on a secure system succeed.

So, back to our phishing. If the bank can blame an issue on phishing, you continue to trust your bank with your money, which is very important to their continued profit.

The same goes for credit and debit card fraud. I was told by my bank that most fraud happens because armies of people in the third-world are paid to type in random credit card numbers all day. This is simply not true. Most credit card numbers are compromised either at the retailer or at the bank, full stop.

So, consider this. Does your bank really care about your security? Absolutely not, what they care about is profit. Security can be reduced down to a risk on paper. They can insure against a risk, quantify it, budget for it and continue to make profit. Properly securing against these threats is expensive, more so than accepting the risk, so they accept the risk and carry on, much as a supermarket factors the cost of theft into product prices. They continue to make profit, so the board is happy.

Remember: banks don’t care about you, they care about your money, end of story.

Thought for today

I’m not anti-system. I will support systems that work for the good of society and peacefully object to those that don’t.

I’m not anti-government. I will support a form of government that I broadly trust and believe in and respects my rights as an individual.

I’m not anti-state. I will support a state which enables me to be a free and independent individual and to live my life as I choose without fear of discrimination, hate and violence from others. In return I will not show discrimination, hate and violence to others.

I’m not anti-business. I will support businesses that act ethically where they can, in the best interests of human kind. I will do my best to limit my contact with those that don’t.

I’m not anti-police. I welcome a police force that protects my human right to live as I choose without fear of violence, discrimination or prejudice but does not intrude on my right of privacy or my right of choice.

So, there are some themes here:

1) Respect for the individual

2) How does the above apply to the current state of affairs?

3) Tolerance. Are we moving in the right direction? If so, maybe some patience is required and trust in the belief that we will get there.

4) Responsibility. We have a responsibility to society to support that which is good within our society and object to that which is not. Of course, the debate starts when we all try to agree on what’s good.

5) Misinformation. Whether it’s deliberate or unintentional, it clouds the issue greatly. The Internet and the way it makes it so easy for everyone to publish compounds this issue. Before you make a judgment, question the validity of your sources.

Diaspora* – a new social media platform

Many of you use Facebook. However, with decreasing privacy and the fact that FB own your personal data, many are looking for a new social media platform where control can be retained over your data. Enter Diaspora*.

Diaspora* is a new social media platform based on a federated architecture. This means that you can host your data on any one of many public servers, or run your own. The network handles distribution of posts to your friends in much the same way as email; your posts are delivered to your friend’s server directly, there is no central system. This is great for resilience and it is also great for privacy as only the data you specifically allow to leave your server ever does.

There is no advertising on Diaspora*. It features a nice clean, simple web interface and also a mobile site, Android and iPhone apps, just like Facebook does.

I am currently testing a new community Diaspora* server (or Pod, as they are known) with the view of offering access to it to all my friends so we can all start the migration away from Facebook together. Don’t worry though, Diaspora* allows you to cross-post your status to Facebook, Twitter and Tumblr automatically, if you like. This makes the transition easy to manage as your friends who have not yet made the switch can still see your posts.

Of course, you’re welcome to use another Pod. One such public Pod is joindiaspora.com, which is run by the founders of Diaspora*.

The first step towards avoiding internet censorship and control (alternative DNS Roots, opennic and why you should care)

As governments and corporations look to exert more control over the internet, the issue of avoiding internet censorship and promoting freedom of speech has become central to shaping our internet for the future. To ensure that information is both free and uncensored, it is imperative that political and economic forces are not able to unfairly modify the internet architecture for their own purposes. At the centre of this issue is the Domain Name Service (DNS).

DNS is a directory of computers and their associated names, much like a ‘phone book. When you type an address into your browser (for example, www.google.co.uk) your computer asks the DNS service to find the IP address that is associated with this address, so your computer knows where to connect to get the page you have requested. The DNS is a hierarchical structure, made up of a number of Top Level Domains (TLDs). These TLDs are the right-most part of the address, like the .com, .net, .co.uk etc. that we all know.

Anyone can run a DNS server. However, to resolve the domains we all know, your server needs to talk to the top-level or root servers. These servers are run by corporations and are distributed around the world. The overall administration of the DNS and IP addressing falls to an organisation called Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is a non-profit organisation which was set up by the US Federal Government to control DNS, which was previously within US Federal remit. The US federal government has retained influence over ICANN, not least because ICANN is operated within US jurisdiction. ICANN charges a large amount of money for the privilege of setting up a TLD or being a reseller for domains within a TLD, which used to be free when the internet was first created.

DNS can also be used to track your internet access. This is because every site you visit generates a DNS request, which can be logged, leaving a record of all of the hosts on the internet that you connect to. DNS can also be used to censor your access; if a domain is removed or blocked from DNS, you cannot resolve the domain name to the IP address on which it is hosted, thus stopping access to the domain. Censorship using DNS blocking has already been implemented in many countries.
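To make the two points above concrete, the hierarchy a resolver walks from the root down to the name you typed, and the record of visited hosts that a resolver’s query log leaves behind, here is an added Go example (not part of the original post, and not any resolver’s own code). The log lines are constructed in the style of a BIND query log; the names are invented and the addresses come from the documentation ranges.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLog holds constructed lines in the style of a BIND query log.
// Names are invented; addresses are from the documentation ranges.
var sampleLog = []string{
	"12-Jun-2012 09:14:02.113 client 192.0.2.10#53412: query: www.example.co.uk IN A + (203.0.113.5)",
	"12-Jun-2012 09:14:02.560 client 192.0.2.10#53413: query: www.example.co.uk IN AAAA + (203.0.113.5)",
	"12-Jun-2012 09:15:11.002 client 192.0.2.10#53420: query: mail.example.net IN A + (203.0.113.5)",
	"12-Jun-2012 09:15:30.771 client 192.0.2.25#40102: query: health-advice.example.org IN A + (203.0.113.5)",
	"12-Jun-2012 09:16:00.000 zone example.test/IN: loaded serial 2012061200",
}

// queryLine matches "client <ip>#<port>: query: <name> IN <type>".
var queryLine = regexp.MustCompile(`client ([^#\s]+)#\d+(?: \([^)]*\))?: query: (\S+) IN (\S+)`)

// Hierarchy lists the zones walked from the root to the full name, which is
// the order a resolver follows: the root, then the right-most label (the TLD),
// then each label further left. "www.example.co.uk" yields ".", "uk", "co.uk", ...
func Hierarchy(name string) []string {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	chain := []string{"."}
	for i := len(labels) - 1; i >= 0; i-- {
		chain = append(chain, strings.Join(labels[i:], "."))
	}
	return chain
}

// ProfileClients returns, per client address, the distinct names it resolved
// in first-seen order. Nothing clever is needed: the query log alone
// reconstructs which hosts each client connected to, which is the privacy point.
func ProfileClients(lines []string) map[string][]string {
	seen := map[string]map[string]bool{}
	profile := map[string][]string{}
	for _, line := range lines {
		m := queryLine.FindStringSubmatch(line)
		if m == nil {
			continue // not a query record (zone loads, errors, etc.)
		}
		client, name := m[1], strings.TrimSuffix(m[2], ".")
		if seen[client] == nil {
			seen[client] = map[string]bool{}
		}
		if seen[client][name] {
			continue // A and AAAA lookups of the same name count once
		}
		seen[client][name] = true
		profile[client] = append(profile[client], name)
	}
	return profile
}

func main() {
	for client, names := range ProfileClients(sampleLog) {
		fmt.Printf("%s resolved %d distinct names:\n", client, len(names))
		for _, n := range names {
			fmt.Printf("  %s  (lookup walks: %s)\n", n, strings.Join(Hierarchy(n), " -> "))
		}
	}
}
```

Run against a real resolver’s log the same few lines give whoever operates that resolver (or whoever obtains its logs) a per-client browsing history, which is why the choice of resolver, and what it logs, matters.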

However, there is a solution to this invasion of your privacy. Alternate DNS root systems can be used which do not have such censorship. They also provide an added bonus: free-to-register domains and TLDs, thus making DNS free, open and globally distributed, as it was always intended to be.

One such alternative root provider is opennic. Opennic allows you to resolve a host of new TLDs whilst still allowing access to the existing, ICANN administered domains. It’s easy to use, it just takes a simple configuration change on your PC to benefit. Click this link for more discussion on why this is a good idea and to find out how to make the simple change.

So there we are. Object to censorship, control and artificial costs. Join me in using opennic now and keep internet freedom alive.

Letter to my MP about the Communications Data Bill

Dear Mr ,

I write with reference to the government’s proposed Communications Data
Bill.

Firstly, a little about my background. I am a freelance computer
professional specialising in IT Architecture and IT Security. Over the
last fifteen years I have worked on systems and designs for many public
and private sector clients including <removed for personal privacy reasons>.
I have also been involved in the forensic analysis of data from computer systems.

I have serious concerns about the government’s plans and its impact on
the individual’s freedoms and human rights. I also have concern about
the efficacy of this method of gathering information and the potential
for misuse of the data gathered, both legally and illegally.

People today have an intimate relationship with the Internet, in many
cases more intimate than relationships they have with other individuals.
For many the Internet is their first port of call if they have a
concern, for example, about a medical or personal problem. The internet
is used to communicate with like minded individuals, to access subject
matter of interest, even to pursue someone’s deepest, most private
desires. An individual’s Internet usage therefore reflects their entire
life, even the most private of things like sexual preferences and other
private interests. Collecting data on Internet usage therefore has the
ability to expose an individual’s private life in its entirety.

I believe data such as this should be private, safeguarded by the basic
human right to privacy that should be offered to every human being. It
is accepted that in society the Government, the Police and the Security
Services sometimes need to delve deeply into someone’s life for reasons
of crime prevention and national security. However, this intrusion must
be justified. Currently, the law provides this safeguard with the
requirement for a warrant to be obtained before this type of data can be
collected. In my view it is incredibly important that this safeguard to
our individual privacy is retained.

There is also a major security issue in collecting and retaining this
information. A leak of this information from an ISP could easily happen.
This could potentially put individuals, particularly those in the public
eye, in a situation where they could be blackmailed, threatened,
compromised or harmed. For ISPs to handle this sort of information,
there is also a wider issue here; should ISP staff be subject to
Security Clearance if they have the potential to access this sort of
sensitive information? Would it be appropriate for this information to
be officially classified as Confidential, Restricted, Secret or above?

Information that could be collected under the Communications Data Bill
will not be effective in fighting terrorism and organised crime as has
been stated by the government. I can think of many ways that an
individual could circumvent these measures. For an organised group the
possibilities to avoid detection are even greater. Instead, the data
generated will only really be useful for monitoring and profiling the
innocent. Fear of being caught for doing something that is completely
innocent could do the greatest harm, with individuals, particularly
young people, afraid of seeking information for fear of being
criminalised for it. Profiling in particular is also a major concern as
it effectively criminalises individuals or singles them out for special
attention based on probability. It is incredibly important to remember
that an individual is not a criminal unless they have actually broken
the law. It should also be noted that it would be easy for criminal
groups to resort to more traditional techniques of communication, thus
circumventing this proposed legislation entirely.

From a technical perspective, the technical implementation of this
Bill runs the risk of harming the internet experience for many, causing
slowdown, breakages and difficulty in accessing sites, at least in the
beginning. The heavy technical requirements in terms of skill and
investment favours the very large ISPs and penalises smaller companies.
Some websites do not function correctly when used via an internet proxy
and some ISPs may not be able or willing to make the investment in
infrastructure required to provide a performant web proxy solution. I
worked on one of the UK’s larger proxy deployments for the [removed for privacy reasons] and I can
assure you that the hardware and skill requirements to provide this type
of service are significant. Someone has to pay for this and this will
always be the public, either by increased internet costs, taxation or both.

This bill also preys on the public’s lack of understanding of the
technical issues surrounding this issue. Whilst saying these measures
will enable the Police and Security Services to catch more terrorists,
criminals and paedophiles is very emotive, in the real world I do not
expect a statistically significant increase in apprehension rates as a
direct result of this legislation. I therefore find it difficult to
accept the investment required as there is no real benefit to be gained
from it. I also find it impossible to justify this gross breach of
individual rights for so little gain. To me this Bill is little more
than policing by numbers; monitor enough people and eventually you’ll
find a criminal. This is not by any intelligent process but pure statistics.

I would therefore urge you to consider opposing the proposed
Communications Data Bill in its entirety.

Yours faithfully

Simon

Reply from Experian about their Web Monitoring Tool

Thank you for your email, which we received on 11/06/2012.

*Web Monitoring

The information we advise you about is only used to alert you to the details we have uncovered.

It is not passed to any other parties, nor will it be used in any other way, including in profiling issues.

The information is not used for credit scoring purposes.

Web monitoring can only be entered through your Credit Expert membership. Our systems are constantly under review to ensure that the retrieval and storage of your personal information is as secure as possible.

The data retrieved is subject to our normal rigorous storage controls, governed by the Data Protection Act and overseen by the Office of Fair Trading.

If you no longer need to monitor a piece of data you can delete it by visiting your web monitoring hub. Next to each piece of monitoring information you’ve entered in the personal, financial and other contact detail sections you’ll see a minus sign. Clicking on this will give you the option to delete that piece of data.

Please remember, if you need to update the details in your profile information section then you will need to update your details in the “My details” section of your Credit Expert account. Once you’ve updated your details here the changes will automatically be made to your Web monitoring details.

Alerts will remain available for one year after which they are destroyed.

If you’d rather not benefit from the Web Monitoring part of the service we can switch it off for you. You can opt out of web monitoring by clicking on your profile section within your membership.

Kind regards

Mr Joe Farrelley
Customer Service Representative

Customer Support Centre
Experian