mobile security

news, reviews and goings-on in the world of mobile security

Information Security: UK Government failure after failure after…

Filed under: Laptop Security — webmaster at 2:59 pm on Saturday, January 19, 2008


This UK government data loss thing has got me all stirred up. Like most people I have a lot of questions to which I need answers. Perhaps you can help? Unless you have been living in a cave in Tora Bora, you will have heard in recent months of the two unencrypted disks which were lost by an office junior (so they say) back in December, and then of course there were the UK Police records which someone found on a rubbish dump (and so the list goes on).

And once again, it seems the office junior (according to The Sun) has been at it again, because yesterday it was the turn of the Ministry of Defence. They lost a mere 600,000 records of personal information on people who had applied to join the Royal Navy, Royal Air Force and Royal Marines. This includes National Insurance (Social Security) numbers, bank information, names, addresses, oh, and the pièce de résistance, passport numbers.

According to the Beeb, the Information Watchdog is to quiz the Ministry of Defence (MoD) about its information security policy.

It is at this point at which my blood pressure starts to rise.

So you have already lost almost half the country's personal information, and only now do you start asking tough questions. And not only that, you only summon the head of the one unit that screwed up!

Should you not be summoning all heads of the government departments, implementing short term contingencies and planning for a longer term solution?

Going by the Information Commissioner's Office's own wording, it appears there are still no mandatory controls in place regarding encryption inside government.

The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.

Frankly, that statement worries me. Particularly the word ‘recommends’, as it looks to be indicative of the current security climate inside Whitehall.

I would like to take a moment to illustrate this by quoting a few paragraphs from our friends at SANS:

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.

A guideline is typically a collection of system-specific or procedural-specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.

So even after all that has happened, there still seems to be no interim solution and no clear policy on how to handle personal information. Britain is a developed country, a member of the G8, and its information security policies would appear to be something out of the dark ages. This is shocking and the public have a right to be outraged.

PS To the UK Gov: In future data breaches, please stop using ‘office juniors’ as scapegoats - it's demeaning to them and doesn't buy you people's sympathy.


Back from the dormant

Filed under: lost+found — webmaster at 2:05 pm on Friday, January 18, 2008

It's been a fair old while (10 months or so) since I last wrote anything on this blog, but lately I've had this urge to put finger to key and start getting things rolling again, so let's see what happens this time :)


Joost Beta - Sneak in the backdoor

Filed under: lost+found — webmaster at 5:49 am on Wednesday, April 4, 2007

There are a lot of people in the queue waiting to get Joost up and running. Up to an hour ago, I was one of those people - until I discovered this workaround (intentional or unintentional on Joost's part). Here are instructions on how I activated my account without having received an invitation. Like many of you, several months ago I signed up for the Joost Beta but did not receive an invitation to start beta testing. A few weeks ago I received a ‘we have not forgotten you’ email. If you, like me, are in this situation, I can assume your account status is activated but you have not yet been notified. In order to get running, here is what to do:

1. Installation: This is the trickiest part. You need access to the Joost beta software. You will not be able to progress any further without it. I obtained a copy from a friend who is actually an active beta tester. Once you obtain it, install it on your machine:

[Screenshots: setup.PNG, setup2.PNG]

2. Account setup: Now comes the interesting part. Previously, individuals were tied to their accounts with their email address. Now, Joost require you to create a username and password pair. Select Get Your Joost Name Here:

[Screenshot: register1.PNG]

3. Account setup cont.: Enter your registered email address which you used to sign up to the Joost Beta, create your username and password and select OK. At this point, the email address is verified and account is created and off you go!

[Screenshot: register2.PNG]

If you use an invalid/unregistered email, you will be presented with this screen:

[Screenshot: register-failure.PNG]

I was looking on the Joost site for information about this, and the only information I could find was on the Joost Blog, where they state that they have given existing beta testers fresh invitations. But the above steps still seem to be different from this, as I have not been invited by Joost or by any existing beta tester. So it would appear some other list of approved email addresses exists but has not yet been announced.

In addition to myself, these steps have successfully been confirmed to work by another blogger.

I hope this works for you too!


NHS Hospital Laptop Theft - No Encryption - No Excuses

Filed under: Laptop Security — webmaster at 6:35 am on Thursday, March 29, 2007

Hospital staff in Nottingham have issued a warning after a laptop was stolen which contained confidential patient data. The data includes names, addresses and dates of birth of some 11,000 children from the Newark, Mansfield and Ashfield areas. The hospital has contacted all affected families and has set up a helpline. It also said it is very sorry for what has happened.

Now, I have reported on laptop thefts before, and will continue to do so in the future, and this story has similar hallmarks to the Nationwide laptop theft which occurred last November.

Point no.1 The NHS is the biggest employer in Europe - yet their security policy obviously does not contain any statements about mandatory disk encryption. But apparently that's OK because, according to Wendy Saviour, the PCT's Chief Executive, the laptop was password protected (yeah, OK). What I want to know is how does the biggest employer in Europe have such crap security?

Point no.2 Apparently the NHS is very sorry about this. In this day and age, these kinds of events should not be happening. This is a fundamental failing in the system. Laptops always have been and always will be hot potatoes: easy to steal and easy to sell on. Many moons ago when I was a student, I used to work in PC World in the UK, and every weekend we would have several people come into the store to ask ‘do you sell power supplies for IBM model X or Compaq model Y?’. Initially (until the penny dropped) I was amazed by how many people would lose their power supplies!

Come on NHS. You are legally obliged to provide patient confidentiality. There is no excuse for such lax security.


McAfee mobile security study - more scareware?

Filed under: Vendor Specific — webmaster at 5:38 pm on Thursday, March 1, 2007


I just found this article (I've been out of the loop for most of February) and couldn't help but write something. If the claims in here are to be believed, we are in the middle of a mobile virus pandemic. There are some very interesting statistics:

The Situation Today
The purpose of the study was to discover to what extent mobile operators are affected by mobile threats. The findings revealed that:

* 83 percent of mobile operators questioned have been hit by mobile device infections
* The number of reported security incidents in 2006 was more than five times as high as in 2005
* The number of mobile operators in Europe and APAC reporting incidents affecting more than 1,000 devices more than doubled in 2006
* 100 percent more operators spent over $200,000 on mobile security in 2006 compared to 2005
* The number of mobile operators estimating that the cost of dealing with mobile threats is more than 1000 hours increased by 700 percent

Good grief! This all looks like pretty hairy stuff. And there’s more…

Nearly one-third (29 percent) of operators stated that subscriber satisfaction had suffered more than any other factor including revenue. The second most serious impact from mobile malware infections was on network performance.

Revenue? Network performance? Switch to DEFCON 1. Get me the president!

Whilst I will agree that mobile devices are becoming more of a target, it doesn't mean history is necessarily going to repeat itself (with respect to Windows), although that's not to say MS mobile platforms couldn't do with a patch or two.

And perhaps McAfee could update their mobile site. Are they really the only company in the world to have deployed a mobile suite? I think not.

UPDATE: It seems someone at McAfee took heed and their mobile site has been updated. Original web page text from here.
