One weapon in the war for information assurance is enforcing legal penalties: “A hacker has pleaded guilty to infecting hundreds of thousands of computers with malware in order to steal money from Paypal accounts. He could spend 60 years in prison and face a US$1.75 million fine.” Of course, given that so much mischief originates in S. Korea and China, (although contracted for by Western hooligans), those of us concerned with the safety of the Internet would have to consider financing a) legislation, b) enforcement and possible c) incarceration costs for this method to actually work.

The term ‘trusted news source’ takes on another meaning: Visitors to IndiaTimes.com, a major English-language Indian news site, risk infecting their computers with a deluge of malware, according to Mary Landesman, senior security researcher at ScanSafe.
“It’s an entire cocktail of downloader Trojans and dropper Trojans,” Landesman said Friday, putting the number of malicious files involved at 434. This includes scripts, binaries, cookies, and images.

Perhaps from the Stasi memorial files: If everybody is spying, is there any privacy to violate? “Think your wife may be cheating on you? Wondering who your boss might be talking to? “Learn the truth. Spy today.”
So reads an ad for “Bluetooth Spy Pro-Edition,” one of nearly 200 mobile phone spyware products currently listed for sale on eBay.
The software, which costs as little as $3.99, can be used to view photographs, messages, and files on the phone, listen into phone conversations, and even make calls from the phone being spied upon.”

I think we tend to pay lip service to the idea that many information assurance issues are rooted in human behaviour. I wonder if we really tend to look at this proposition carefully. We might be reluctant because of the daunting scope of human-caused problems, or we might be reluctant because we understand how difficult it really is to change human behaviour.

“Two-thirds of IT managers don’t stop company employees from downloading music online, and only 1 in 5 block them from social networking Web sites. While a study found managers are worried about lost productivity and security issues, they also are concerned that blocking access to sites might hurt staff morale. The study, funded by antivirus software maker McAfee, also found that about 20% of workers let their friends and family use company computers, about 50% connect their own gadgets to their workstations and about 60% store personal content on company PCs.”

Via Kable: “The Land Registry has pulled potentially sensitive documents from its online service. As from midnight on 5 November 2007, online access to documents such as mortgage deeds and leases will be removed. Members of the public wishing to inspect or have copies of any such documents can do so by applying in writing to Land Registry. The move followed a report in The Daily Mail that criminal gangs have stolen £12m over the past two years by exploiting loopholes in the website. They gained access to documents such as title deeds to make it possible to sell properties they did not own.”

It’s a pity legitimate users of Land Registry information will no longer have access to these details, I guess, but what were sensitive documents like these doing lying around in the open air in the first place? Did any review of this take place?

After the fact, the Land Registry tried to ‘put this in perspective,’ saying that the £12 million in fraud was a small percentage of the fee income it generated.

WAKE UP. The £12 million in fraud in all probability represented a very large percentage of the total wealth of the individuals who were defrauded, each of whom had to go through a long and laborious compensation exercise and probably had to get the services of a solicitor to help them. Of course it had minimal impact on the Land Registry. It’s not their money. It’s not their information. It’s not their privacy.

Mobile computing and wireless communications firm Motion Computing is collaborating with US computer chip manufacturer Intel to create a new tablet PC specifically for the healthcare sector called the mobile clinical assistant. It is now on the market.

“The Motion C5, the first mobile clinical assistant (MCA) that integrates technology from Intel® Health, combines durable design elements with key data capture technologies to simplify workflows, increase productivity and improve overall quality of care. Designed based on input from thousands of clinicians, the C5 brings reliable, automated patient data management directly to the point of care. Get a handle on patient care with the C5. It’s highly portable. It’s lightweight. And, it’s ready to work for you. A convergence of technologies allows you to do everything you normally do during your shift such as perform clinical documentation, administer medication and take pictures using a single device. With Intel® Centrino® mobile technology and integrated high-speed wireless connectivity, the Motion C5 integrates key functions that clinicians require to be productive during the course of the day.”

Now back in October of last year, when this was being tested, an interview with the company’s senior executives produced these quotes (notice the priority):

The new mobile clinical assistant will run using Motion’s existing tablet PC products and is being designed to advance the effectiveness of nurses, physicians and other clinicians. Toal told EHI that there were many questions about the ergonomics of the project that were being addressed and the product itself will probably not be released until mid-2007.

“The key thing that we are learning from staff about our plans to launch a mobile clinical assistant is not worry about the IT itself, but to ensure that we concentrate on the care-giving. The tablet needs to be a clinical aid, capable of improving the quality of care and the amount of time spent on delivering that care

“We have also had to address issues where staff here thought the technology we were using wasn’t mature enough and we have had to implement new technology such as RFID [Radio Frequency Identification Devices] and wireless transmissions in order to keep the product as effective as possible.”

However, Toal feels confident that tablet PCs will become the new norm for mobile medicine in the near future despite fears about durability and safety.

“There will always be barriers, but we are working hard to overcome these. Battery life and security issues are topics which will inevitably be part and parcel of the debate surrounding mobile technology, but I do believe that clinicians will soon be able to carry mini-tablets on them to every patient they see and be capable of producing the best patient care possible. ”

Let’s see. Wireless transmission of sensitive information–yeah, we’ll get to that right after we take care of those pesky ergonomic and battery life issues. And preventing hacking and malware to ensure that the information is accurate? Hmm. Let’s put that on the list of things to do after we make sure it doesn’t add to the weight of the tablet device.

Readers of this blog may recall that we have referred to location-based services as jam tomorrow but not today. Readers may also have detected a note of frustration about this, as I personally believe this to be an area of high impact change.

Yesterday, Google announced the release of Android. “The system, which will control an untold number of cell phones, is designed to unify the developers of mobile applications around a common platform that makes it easier and more enticing to surf the Web on cell phones. The new package is called “Android” in tribute to a Silicon Valley startup that Google acquired two years ago to steer its secretive project. Google is hoping Android opens another lucrative channel for peddling ads and services to people when they’re away from their personal computers, supplementing the revenue already pouring into the company from Internet advertising.”

…”For now, Google is focused on rallying support for Android, which relies on openly available computer code that gives equal access to all programmers. That freedom is meant to foster innovation and new uses for the sophisticated handsets known as smart phones. “You will be able to do amazing things with your mobile device that you had never thought of before,” Schmidt promised. Google will release a tool kit for developers next week.”

The information assurance impact could be quickly addressed by a monitoring service that ensures that IA concerns are part of the innovation this is sure to stimulate, and perhaps going so far as having the UK government sponsor IA innovations via competitions or provisional service contracts.

Many of the innovations that have been talked about will be of value to UK government–field workers, including social services as well as emergency service first responders, education, especially in terms of concerns about truancy and punctuality, and traffic, if road charging is to move ahead. If IA is designed into the innovations, so much the better. If an IA solution is available on the market as a separate innovation, it will give government bodies more confidence about taking advantage of them.

When the Economist starts paying attention to a technology, it’s pretty much arrived. Their coverage of ‘flying robots,’ UAVs controlled by either joystick or programme, is more or less a good summary of the same literature we looked at and reported on in previous posts. Essentially, they’re coming soon, they will be an issue for the public, for UK government and for information assurance.

Their ability to hover and their growing numbers will make them a public concern. Control of traffic lanes and changes to privacy regulations will be a concern of UK government, somewhat counterbalanced by their ability to substitute for other, more expensive forms of surveillance.

The common sense approach would be to reserve the 300 metres closest to the Earth for government only use, with exceptions for parks and racing grounds. Although the primary reason will be to protect public safety, an extra benefit will be to forestall private surveillance cameras and early detection of criminal/terrorist activity.

The enabling technology will need to be a clever combination of GPS, RFID and wireless broadcasting, and the UK government should move very fast in defining what needs to be included in a UAV before it can fly. UAVs above a certain weight limit perhaps should file flight plans, but nothing, repeat nothing, should go up in the air without the appropriate equipment that allows tracking.

The UK government should consider auto-destruct buttons that can be operated by either the user or over-ridden and actuated by an ATC–one of these things has already fallen out of the sky over civilian territory. The alternative–the ability to invoke a ‘feather’ landing remotely, could be a significant expense, although this might be addressed by automatic cutoff of a motor and deployment of a parachute.

This should begin very soon. Were I in UK government, I would very quickly announce an X Factor contest with an appropriate prize (£5 million and some licensing agreement) for development of standards and a version of kit that will meet them. The kit might be a tamper-proof black box that is required to be installed in any UAV operating in the UK.

But what UK government needs to do now is to reserve the lowest tranche of airspace over populated areas and put Keep Off signs around those tranches. It will take exactly one criminal/terrorist/fool to put this entire technology into the long grass for a decade. Considering the potential (reductions in fuel use, lower utilization of conventional resources, improvements in shipping logistics, traffic monitoring, etc. [I once delivered a kidney for transplant from an airport to a hospital. I covered 28 miles in 17 minutes. It would have taken 4 by UAV]), getting the governmental and information assurance infrastructure right, now, would be a considerable public service.

Further down the road, they’ll need to buy a fair few of them and turn them into traffic wardens.

The implications for information assurance are a bit fraught. All vehicles will need identification, with secure verification when pinged. It is inevitable that licensing of operators will prove useful, and some form of background check will probably be needed. Weight limits, traffic lanes, rules of the road–this would all be a fruitful area for quick and targeted research. In the very short term.

I was going to do my regular round up for a bullet point post, but this is probably significant enough to merit its own little post here and now:

* “Enter the Meade mySKY, a $400 device that essentially turns the sky into a universe-size, self-guided museum tour. The premise is simple, and amazingly cool (even if it’s not so amazingly useful): Hold the radar gun-looking device up to the stars and mySKY uses a combination of GPS, magnetic sensors and motion sensors to pick out which planet, star or constellation it’s pointing at.”

This is the second such device to come to market. The information assurance angle is what happens when you replace all the map info for stars with the GPS co-ordinates for all the buildings in a city or country. Or all the GPS co-ordinates of mobile phones. Or your soldiers. Or police officers, DWP field workers, or all the kit in your warehouse that has a GPS chip. I cannot imagine a better way of gaining a tactical battlefield / emergency site / etc. view–and it will be considerably cheaper than a UAV dawdling overhead, consuming bandwidth and petrol and vulnerable to attack or mechanical failure. Just another typical Web 2.0 mash-up job for this to happen.

Soooo, the IA implication is that GPS devices will have to identify and choose which requests for location they will respond to–what we used to call IFF, back in the days when the ships were made of wood and the men were made of steel. Whilst I have seen references to encrypted GPS transmissions, I haven’t seen evidence of a GPS function that authenticates a request for information. Choose your pings!

Can anyone tell me if there is a commercially available GPS function that only recognises and responds to specific requests for location information?

The threat of a serious cyber-war with a determined enemy - always a possibility - is now closer to becoming a reality.  A report posted on debka.com warns that, from November 11th, al Qaeda’s electronic experts will start attacking Western, Jewish, Israeli, Muslim apostate and Shiite Web sites (ref. http://debka.com/headline.php?hid=4723).

Even if this threat does not materialise in the short-term, it is clear that cyber-warfare is becoming an increasingly common tool for terrorists and criminals:

- Prominent Estonian government and commercial websites came under DDOS attack for several weeks, allegedly from Russia

- Anti-fraud websites (Castlecops, AA419, Fraudwatchers, 419eater, and others) have been under DDOS attack for over 2 months.  This attack is being delivered by “Storm Worm”, a network of 5-10 million compromised PCs controlled by the Russian mafia.

- Several cases have been reported where companies have been asked to pay a ransom else face a DDOS attack against their websites.

The common factor in all these cases is the use of very large networks of “zombies” (compromised PCs, usually owned by IT-naive users) to deliver the attack.  These PCs can also be used for other purposes - delivering spam, hosting illegal content, etc.  The Storm Worm network being used against the anti-fraud sites is particularly worrying - its size rivals than of the largest super-computers owned by national intelligence agencies, and there is no reason to expect it will stop growing.  The controllers of Storm Worm are allegedly based in Russia, and the Russian authorities should be encouraged to take appropriate action against them.  Ref. http://www.networkworld.com/news/2007/102407-storm-worm-security.html

The Achilles heel of Storm Worm and similar networks is their assumption that ISPs will continue to allow zombies to operate freely.  In fact, ISPs can tell if a PC has become a zombie, and can isolate it from the Internet once found.  However, they have no commercial incentive to do so - disconnecting zombies and dealing with their owners is time-consuming, while the pain is felt elsewhere.  Moreover, responsible ISPs who bear such costs may lose business if irate users simply migrate their infected machines to irresponsible ISPs who are prepare to turn a blind eye to zombies.  A code of conduct for ISPs might be a good start, particularly if it is backed up by a willingness by the responsible ISPs to isolate the rest who ignore the zombie menace.

In the meantime, the likelihood and impact of DDOS attack against government / CNI sites seem likely to grow.  Site owners therefore need to review their vulnerability to DDOS attacks on a much greater scale and frequency than has been seen in the past.

It doesn’t seem as if anybody has noticed yet, but what Web 2.0 (really, it’s Web 1.05, in my opinion) is all about is databases accessible from the Internet.

A weblog such as this is a database with scripting that generates a valid URL and a time/date stamp when a field is entered. A wiki is the same thing, but instead of publishing the time and date stamp, it allows rewriting. Mashing up of data is just porting data from two different databases to a third location and doing useful work on the data at its new home.

All of the recognisable Web 2.0 success stories are variations on the theme: MySpace and Facebook, blog farms. Flickr and YouTube, modified blog farms–databases all.

I won’t really start thinking of Web 2.0 as Web 2.0 until it does what it says on the tin by incorporating off-net data into their offerings, and start sending fused data streams outwards, both on and offline. When SMS and Skype seemlessly integrate into a web offering, we’ve got something. When UpMyStreet automatically texts me to stay out of this neighbourhood because of night-time crime statistics, then we’re onto something. Similarly, when I receive an SMS in a bar telling me that someone with my Facebook profile is in the same bar and is available for conversation, then Web 2.0 is here. Because for me, Web 2.0 is all about moving information off the Internet and into the real world and vice versa.

Sadly, the information assurance issues regarding databases are significant and so far less than amenable to easy solution. Databases will take notes of changes made to them, but unless the data is archived before the change is accepted, those notes are only useful in assigning responsibility for errors and crime. Archiving large scale databases prior to accepting any change would be a bit impractical.

If anybody can talk us all through a practical guide to effective information assurance for databases, the comments field is all yours…. here’s hoping.