Archive for the 'fraud' Category



German-Chinese research into commercial cybercrime

Posted by William Heath in Malware, fraud at December 6th, 2007

BoingBoing points to a piece on the Chinese malware economy:

The researchers set up virtual PCs running Internet Explorer, then visited nearly 15,000 Chinese websites, deliberately infecting their virtual systems with whatever crapware happened to be running on the system. Then they carefully analyzed the infections as they unfurled and encrappified the virtual instances of Windows, and used the results to reverse-engineer the way that the malware economy runs.

Is This Good or Bad News?

Posted by Tom Fuller in Blindside project, Humanity nature and activity, data mining, fraud at November 30th, 2007

How easy would it be to find this information for UK and continental Europe?

“An estimated 8.3 million Americans over the age of 18 were victims of identity theft in 2005, according to an analysis of a phone survey released Tuesday by the FTC. That represented a decline of about 16 percent from an estimated 9.9 million victims in 2003, when the agency last conducted its survey.”

“Identity theft cost U.S. businesses $55.7 billion in 2006, according to Javelin Strategy & Research. The FTC estimates that in 2006 the cost to consumers was $1.2 billion.

But experts say complaints filed with the FTC offer only a glimpse of the actual damage. “Most people don’t even think about calling the government because they are not going to help them get their money back,” Litan said.

The FTC estimates that 1.8 million Americans discovered some type of fraud committed using their personal information, 3.2 million had their credit card accounts misused and 3.3 million experienced misuse of other financial accounts.

Javelin’s estimates back the FTC’s findings. It said 8.4 million people were victims of identity theft in 2007, down from 8.9 million in 2006 and 9.3 million in 2005.”

Sigh…

Here’s the story on the day after…

I have said this before on this blog. There are countries where a national identification card is completely non-controversial. There are possible benefits to society from a well run and properly managed system.

But in my heart of hearts I do not believe that this country’s government (and I do not distinguish between political party here) is capable of building and operating an ID management system at this point in time without disastrous consequences to information assurance.

Good News, Bad News

Posted by Tom Fuller in AnonymitY, Blindside project, Humanity nature and activity, fraud at November 16th, 2007

Government should control the use of its resources. But there has been an implicit social contract over the past 15 years–as work has intruded more and more into the lives of workers, management has conceded that some non-work activities done on the clock are permissible. It’s beginning to look as if that social contract should be made explicit…

ISLIP, N.Y. - “GPS tracking devices installed on government-issue vehicles are helping communities around the country reduce waste and abuse, in part by catching employees shopping, working out at the gym or otherwise loafing while on the clock.

The use of GPS has led to firings, stoking complaints from employees and unions that the devices are intrusive, Big Brother technology. But city officials say that monitoring employees’ movements has deterred abuses, saving the taxpayers money in gasoline and lost productivity.

“We can’t have public resources being used on private activities. That’s Management 101,” Phil Nolan, supervisor of the Long Island town of Islip.

Islip saved nearly 14,000 gallons of gas over a three-month period from the previous year after GPS devices were installed. Nolan said that shows that employees know they are being watched and are no longer using Islip’s 614 official vehicles for personal business.”

If a worker is multi-tasking and some of those tasks are work-related and some are not, should the worker be compensated? At one extreme, people are not fussed if a security guard catches up on his reading on the night shift. At the other end of the spectrum, do you really want your shrink to respond to your latest tale of woe by asking for a seven-letter synonym for dance starting with ‘F’? If work is only work, people will work to rule. If you want more from workers, flexibility will be key.

There is a variety of information assurance issues here. Resource allocation for monitoring employees, identity management (you’d better have the right employee identified before approaching him/her about their practices), records management, turning off monitoring when the employee is off duty, etc.

I just hope people stop and think about the implications for just a moment before using the latest technology marvels.

Impacts of Hacked Information

Posted by Tom Fuller in Blindside project, Data breaches, IT failures, data mining, databases, fraud, human error at November 8th, 2007

Via Kable: “The Land Registry has pulled potentially sensitive documents from its online service. As from midnight on 5 November 2007, online access to documents such as mortgage deeds and leases will be removed. Members of the public wishing to inspect or have copies of any such documents can do so by applying in writing to Land Registry. The move followed a report in The Daily Mail that criminal gangs have stolen £12m over the past two years by exploiting loopholes in the website. They gained access to documents such as title deeds to make it possible to sell properties they did not own.”

It’s a pity legitimate users of Land Registry information will no longer have access to these details, I guess, but what were sensitive documents like these doing lying around in the open air in the first place? Did any review of this take place?

After the fact, the Land Registry tried to ‘put this in perspective,’ saying that the £12 million in fraud was a small percentage of the fee income it generated.

WAKE UP. The £12 million in fraud in all probability represented a very large percentage of the total wealth of the individuals who were defrauded, each of whom had to go through a long and laborious compensation exercise and probably had to get the services of a solicitor to help them. Of course it had minimal impact on the Land Registry. It’s not their money. It’s not their information. It’s not their privacy.

Other Places To Express Your Opinion

Posted by Tom Fuller in AnonymitY, Blindside project, Murphy's Law, fraud, human error at September 20th, 2007

Via Kable: The Office of Public Sector Information has launched an online forum on the commercial use of government data.

Go here. Register. Comment.

“Our users have posted a total of 0 articles
We have 1 registered users
The newest registered user is admin
In total there are 4 users online : 0 Registered and 4 Guests ”

If those numbers stay the same, I don’t ever want anyone to complain about how the UK government doesn’t listen, isn’t responsive, blah and yet again blah.

Here is your chance.

Dangers of: Remote Working, Passport Counter Signatories, Microsoft Vista

Hi all,

I have referred in the past to Dave’s Bit Bucket, run by Dave Walker of Sun. His blog can be a bit of a slog as he actually has the temerity to post code up regarding his Trusted Extension work, which just glides gracefully over my head. However, when he turns his attention to other subjects, we have to pay attention. So I will perform a much-needed public service here and link to specific posts relevant to Blindside:

Dave’s earlier post on Microsoft Vista (Why Microsoft Windows Vista cannot be deployed in Government, Critical National Infrastructure, or Battlespace …and I may well have missed a few categories for the sake of a concise subject line, especially where Finance, Aerospace, etc are not specifically included under the banner of “Critical National Infrastructure”. Read this, and be startled. Update: Putting a black hat on for a moment, this also means that Microsoft’s licensing verification servers will be the number 1 target for any actual Black Hat who wishes to cause general chaos, rather than target specific organisations; taking the licensing servers down in a manner which resulted in an outage of significant duration would precipitate a worldwide Vista outage. Also, in battlespace, if you’re running Solaris and your enemy is running Vista, it may be within the rules of war to target Microsoft’s licensing infrastructure (with either electronic warfare methods or, depending on the sphere of conflict, ordnance) and watch your enemy’s C4I infrastructure collapse…)

led to Dave linking to this: “DRM bites again: the Microsoft Windows Genuine Advantage servers (which every XP and Vista install phones home to) all failed sometime earlier today. The result? Every single Windows XP and Vista installation — except possibly those with volume license keys — is being marked as counterfeit when it tries to check in. Installations which are flagged as counterfeit switch to a “reduced functionality mode” which results in features like Aero and DirectX being disabled.”

When it comes time for Dave to renew his passport, he immediately sees a problem: “From the large list presented - and notwithstanding the extending clause of “someone of similar standing in the community” - I suspect that the average person wouldn’t have too much trouble finding someone who could be duped or bribed into providing a false assertion of identity for the Passport Office… ”

And, although we don’t want to stimulate plot ideas for 24, Dave looks ahead to future problems with remote working: With the continued rise in home-based and mobile working, the possibility of staff being forced to access and potentially modify data by suitably-armed ne’er-do-wells becomes a genuine - if niche - security issue. (…) Taking this into account, it’s possible that a well-designed system which authenticates users based on a username and password would require up to 4 passwords per user - one for legitimate login in a non-duress situation, and three more, one for each type of duress!
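The duress scheme Dave sketches above (one password for normal login and one per type of duress) is easy to get subtly wrong, so here is an added illustration of how such a credential check can be built; this is example code written for this page, not Dave's or anyone's production design, and the three duress categories, the PBKDF2 hashing and all names are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# Assumed duress categories for illustration: the post only says "one for
# each type of duress", it does not name them.
DURESS_KINDS = ("SILENT_ALARM", "DECOY_SESSION", "LOCKOUT")
ITERATIONS = 100_000  # PBKDF2 work factor; chosen here, not from the post


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(passwords: dict) -> dict:
    """passwords maps a role ('NORMAL' or one of DURESS_KINDS) to plaintext.
    A duress password equal to the normal one would be useless, so reject it.
    Each slot gets its own salt, so equal hashes never reveal equal passwords."""
    if len(set(passwords.values())) != len(passwords):
        raise ValueError("every role must have a distinct password")
    record = {}
    for role, pw in passwords.items():
        salt = os.urandom(16)
        record[role] = (salt, _hash(pw, salt))
    return record


def login(record: dict, supplied: str):
    """Return (granted, role, alert). Every stored slot is compared even after
    a match, so response time does not hint at which slot the user hit."""
    matched = None
    for role, (salt, digest) in record.items():
        ok = hmac.compare_digest(_hash(supplied, salt), digest)
        if ok and matched is None:
            matched = role
    if matched is None:
        return (False, None, False)
    if matched == "NORMAL":
        return (True, "NORMAL", False)
    # Duress: the session is granted so a coercer sees nothing unusual, while
    # an out-of-band alert is raised; LOCKOUT is the one kind that denies access.
    granted = matched != "LOCKOUT"
    return (granted, matched, True)


# Constructed sample user with all four slots filled.
USER = enroll({"NORMAL": "correct horse", "SILENT_ALARM": "battery staple",
               "DECOY_SESSION": "tr0ub4dor", "LOCKOUT": "xkcd-936"})
```

The caller is expected to act on the `alert` flag outside the user's session (page an operator, log the event), never in anything the coerced user's screen would show.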

A Secret Shared Is Not A Secret Halved

I guess I’ll never be a comedian–I don’t do things in the right order.

Here’s the punchline: Safety fears over new register of all children. “It will be available to an estimated 330,000 vetted users. Some of those allowed to check records, such as head teachers, doctors, youth offender and social workers, are uncontroversial, but critics have questioned why other potential users, such as fire and rescue staff, will have access to the database.”

Erm, why is this level of access uncontroversial?

Here’s the set-up:

Five civil servants who help run the national DNA database have been suspended after being accused of industrial espionage. It is alleged they copied confidential information and used it to set up a rival database in competition with their employers, the Government’s Forensic Science Service.

A civil servant who was paid thousands of pounds to rubber stamp passport applications for illegal immigrants and a drug dealer was jailed for two years and two months today.

An internal investigation at the Department for Work and Pensions (DWP) has found that civil servants are colluding with organised criminals to steal personal identities on “an industrial scale”. Ministers have been privately warned that the investigation will show that hundreds of thousands of stolen personal details have been ripped off from official databases, often with inside help. Key personal details such as national insurance numbers can be used to commit benefit fraud, set up false bank accounts and obtain official documents such as passports.

More than 200 civil servants in the Department of Work and Pensions (DWP) have been disciplined for surfing the Web for porn during office hours. In the last eight months the staff accessed over two million pornographic images, including 18,000 involving child abuse. The Sun newspaper reports that some of the sites touted images purported to be of kids as young as 13.

Teacher arrested over child porn

And in a different case,

Teacher arrested over child pictures

And in a different case,

Royal News Princess Eugenies Teacher Arrested On Porn Charges

And in a different case,

Ex-teacher charged with sexual encounter with pupil

And in a different case,

College rocked by new sex scandal

I give up–there’s a lot more out there.

Monster Ball

Via the BBC: “US job website Monster.com has suffered an online attack with the personal data of hundreds of thousands of users stolen, says a security firm.
A computer program was used to access the employers’ section of the website using stolen log-in credentials. Symantec said the log-ins were used to harvest user names, e-mail addresses, home addresses and phone numbers, which were uploaded to a remote web server.”

Oops. Is anybody keeping score on these things? It’d be great to be a journalist covering this subject. Write the story once, use search and replace on the company name, hit submit.

If this is happening to companies that live or die based on their security, what do we expect to happen in situations (such as some government applications) where security is a ‘tick the box’ annoyance? Don’t get me wrong, a lot of people in government are passionate about information security–but by no means is it universal.

What are the possible consequences? Well, the story continues: “The program used to access Monster.com user data was a Trojan, which are commonly used to gain access to bank details, usernames and passwords. More than 8,000 new variants of Trojans are found each month, according to internet security specialists Sophos.

Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails. They threatened to reveal personal details unless she paid them.”

Computers cannot judge the Turing Test

Posted by wendyg in People and IT, fraud at August 4th, 2007

I’m in a session on Google click fraud, and the ultimate problem, Broward Horne is saying, is that TCP/IP and the Web were never designed to uniquely identify individual people or enforce identity - but that is what Google’s business is based on (when it charges and pays based on clicks on advertising links). So far, this fundamental mismatch has not hurt Google’s business or its stock price, but eventually…

…a link that turned up to a Wired article by Bruce Schneier points out that this problem is endemic online and turns up all over the place, hence so many systems (captchas, etc.) to ensure that a real human is at the keyboard. We can fool computers better than they can fool us.

wg