Archive for the 'threats' Category


Also see the threats category on the Blindside Wiki

Learning Lessons From the Private Sector

Posted by Tom Fuller in Blindside project, Data breaches, human error, people and passwords, threats at December 18th, 2007

If what this Times commentator describes is true, somebody should go to jail. The rest of us should take note. As we may have mentioned one or two thousand times before, security technology and security procedures mean absolutely nothing if there is not an organisational commitment to the security of information.

That senior officers of Norwich Union and Aviva would protect their own data following news of the leak without informing their customers is quite simply disgusting. I personally will remember this when making my own banking decisions, especially as all concerned remain in post, for some unfathomable reason.

Interruption to talk about the military…

Posted by Tom Fuller in Blindside project, Cyberwar, Murphy's Law, security services, threats at December 10th, 2007

…Or more specifically, to link to the Washington Post’s 3-page article about the U.S. Future Combat Systems.

More on Civilian use of UAVs

This is going to get interesting, and the Economist says that this topic will be covered in their upcoming technology quarterly (which is really one of the best things about the Economist). We’ve been following UAVs here since summertime, and I really think a) it is emerging as a technology that has information assurance implications for UK government and b) it’s really cool.

Ranging from powered model airplanes for children to the Predator, UAVs are currently lightly regulated and not at all policed, which should worry law enforcement as well as IA practitioners. With progress in miniaturization in full swing, an unmanned aerial vehicle can carry a camera (the UK is already using them to carry CCTV)… or something quite a bit deadlier. It is clear that legislation and regulation hasn’t caught up to the implications of this.

Meanwhile, at the Popular Mechanics website, there’s a story about the Houston Police Department’s trials of a UAV. The story walks through a lot of the issues revolving around this stuff.

Remember the main IA issue is going to be integrating information flows to, from and about potentially large numbers of these critters into information about more conventional air traffic. As I’ve mentioned before, between UAVs, ultralights and normal increases in air traffic (as point-to-point becomes more popular than hub and spoke and small jets become more ‘affordable’), those charged with keeping air traffic safe are going to have a lot on their hands.

Related stories (copied off the PM site–thanks!)

Civilian UAVs: No Pilot, No Problem

Britain’s Police Drone: Could It Stop Next Terror Plot?

Miami’s New Test Aircraft Gets Look from Army, Navy

Air Scouts: FA-18s Take On UAV Reconnaissance Duties in Iraq

Unmanned NASA Aircraft Enlisted in SoCal Firefight

Sunday Update: “Police and border control authorities are to use an unmanned aircraft to patrol the south coast to catch illegal immigrants trying to enter Britain by boat.” … “It is understood the police have expressed interest in using the £5m drone to monitor crowds during demonstrations and events such as football matches.”

“Andrew Mellors, head of civil autonomous systems at BAE, told the conference: “From 2012 fully autonomous unmanned air systems could be routinely used by border agencies, the police and government bodies.”

Key Section Here: “On-board sensors also give the drone the ability to deal with unexpected incidents, for example by automatically changing course to avoid coming close to other planes in the crowded airspace.

BAE Systems is in talks with the authorities to ensure that the drone does not interfere with civil or military flying. It said that the Herti, in addition to its sensors, had transponders to allow other aircraft and ground controllers to see it on their radar.”

If BAE has the brains God gave a gnat it will put the sensors and transponders in a black box, sell it to everyone who wants to use a UAV, and politely inform government that they have the power to mandate inclusion in all unmanned aircraft….

Qui Custodet Ipsos Custodiet?

Posted by Tom Fuller in Blindside project, IT failures, Malware, Murphy's Law, cracking stuff, threats at November 26th, 2007

Well, hope I got the Latin right. This is a bit unnerving (not this part–no application is perfect): “Antivirus software must open and inspect data in hundreds, if not thousands, of file formats. One bug in the software that does this can lead to a serious security breach. Zoller and his colleague Sergio Alvarez have been looking into this issue for the past two years and they’ve found more than 80 parser bugs in antivirus software, most of which have not yet been patched.”

“The flaws they’ve found affect every major antivirus vendor, and many of them could allow attackers to run unauthorized code on a victim’s system, Zoller said.”
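The quoted passage describes the bug class without showing one. What follows is an added illustration, not code from the post or from the n.runs research it quotes: a toy record-based container format (constructed for this example, not any real archive or AV-scanned format) and two versions of the guard an unpacker runs before copying a record's payload into a fixed buffer. The function names, the `TOYC` magic and the sample inputs are all assumptions made here. The naive guard computes `start + len` in 32-bit arithmetic, so a length field near `UINT32_MAX` wraps the sum and the check passes; used before a `memcpy()`, that is exactly the kind of parser bug that turns a scanner into a remote code execution path. The hardened guard compares by subtraction and also bounds the length by the destination buffer, which the file-size check alone never does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy container format, constructed for this example (not any real archive
 * or AV-scanned format):
 *   bytes 0..3   magic "TOYC"
 *   then records: uint32 little-endian payload length, payload[length]
 * An unpacker must trust nothing in that length field.
 */

#define MAX_PAYLOAD 64  /* fixed scratch buffer a scanner unpacks into */

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * The classic mistake: "does the payload fit in the file?" computed as
 * start + len in 32-bit arithmetic.  A length near UINT32_MAX wraps the
 * sum back to a small number and the check passes.
 */
bool naive_record_fits(uint32_t payload_start, uint32_t len, uint32_t total)
{
    return payload_start + len <= total;  /* BUG: addition can wrap */
}

/*
 * Hardened guard: compare by subtraction (cannot overflow once we know
 * payload_start <= total) and bound the length by the destination buffer.
 */
bool checked_record_fits(size_t payload_start, uint32_t len, size_t total)
{
    if (payload_start > total)
        return false;
    if (len > total - payload_start)
        return false;
    return len <= MAX_PAYLOAD;
}

/*
 * Walk the records, copying each payload into a bounded scratch buffer the
 * way an unpacker would.  Returns the record count, or -1 if the file is
 * malformed (bad magic, truncated length field, or a record that fails
 * the hardened check).
 */
int scan_container(const uint8_t *buf, size_t total)
{
    uint8_t scratch[MAX_PAYLOAD];
    int count = 0;
    size_t off;

    if (total < 4 || memcmp(buf, "TOYC", 4) != 0)
        return -1;

    for (off = 4; off < total; ) {
        uint32_t len;
        size_t payload_start;

        if (total - off < 4)          /* length field itself is truncated */
            return -1;
        len = rd_u32le(buf + off);
        payload_start = off + 4;
        if (!checked_record_fits(payload_start, len, total))
            return -1;                /* reject rather than trust len */
        memcpy(scratch, buf + payload_start, len);
        count++;
        off = payload_start + len;
    }
    return count;
}

/* Constructed sample: "TOYC" followed by the records "abc" and "hello". */
const uint8_t BENIGN[20] = {
    'T','O','Y','C',
    3,0,0,0, 'a','b','c',
    5,0,0,0, 'h','e','l','l','o'
};

/* Constructed sample: one record whose length field is 0xFFFFFFF8, chosen
 * so that payload_start (8) + len wraps to 0 in 32-bit arithmetic. */
const uint8_t CRAFTED[20] = {
    'T','O','Y','C',
    0xF8,0xFF,0xFF,0xFF,
    'X','X','X','X','X','X','X','X','X','X','X','X'
};

int main(void)
{
    printf("naive guard on crafted record: %s\n",
           naive_record_fits(8, 0xFFFFFFF8u, 20) ? "fits (wrong)" : "rejected");
    printf("hardened scan of benign file: %d records\n",
           scan_container(BENIGN, sizeof BENIGN));
    printf("hardened scan of crafted file: %d\n",
           scan_container(CRAFTED, sizeof CRAFTED));
    return 0;
}
```

The crafted file is only 20 bytes and contains no shellcode; the point is that `naive_record_fits` says the 4 GB payload fits inside it, so a scanner using that guard would `memcpy()` far past its scratch buffer, while `scan_container` refuses the file before touching it. Fuzzing each format parser with length and offset fields at and around the 32-bit boundaries is the cheapest way to find this class in your own code.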

It’s this part that is scary–the type of denial that has been the prelude to IT disasters for 20 years:

“Zoller says he has been criticized by his peers in the security industry for “questioning the very glue that holds IT security all together,” but he believes that by bringing this issue to the forefront, the industry will be forced to address a very real security problem. Between 2002 and 2005, nearly half of the vulnerabilities that were discovered in antivirus software were remotely exploitable, meaning that attackers could launch their attacks from anywhere on the Internet. Nowadays, that percentage is close to 80 percent, he said.”

Russ Cooper, a senior scientist with Verizon Business, had some criticism for the work of n.runs. “The research almost appears to be goading criminals into ‘getting better’ at attacking vulnerabilities… hardly helpful,” he said via instant message. “There’s no doubt that the list of vulnerabilities they have already published in security products looks daunting. However, historically, we have not seen this type of vulnerability exploited.”

And if I read this right, I do not want to do business with this company at all–he seems to be saying that there’s no need to fix it until it gets hacked: “Though Cooper agrees that antivirus file parsing vulnerabilities do pose a risk, he said there are several reasons they have not yet been the focus of widespread criminal attacks. For one, criminals are already being effective enough with their current tactics, such as sending malicious e-mail attachments. A second reason is that security software tends to get more scrutiny, meaning that any vulnerability that was being exploited would be quickly patched, and that any criminal involved in an exploit would be more likely to be caught.”

Coda

Security vendors have long known about vulnerabilities in their software, said Marc Maiffret, chief technology officer with eEye Digital Security. “Security software is just as vulnerable as any other software,” he said via instant message. “We all hire the same developers that went to the same colleges as Microsoft and learned the same bad habits.”

Sigh…

Here’s the story on the day after…

I have said this before on this blog. There are countries where a national identification card is completely non-controversial. There are possible benefits to society from a well run and properly managed system.

But in my heart of hearts I do not believe that this country’s government (and I do not distinguish between political party here) is capable of building and operating an ID management system at this point in time without disastrous consequences to information assurance.

UAVs, Control and Co-Operation

Posted by Tom Fuller in Blindside project, Cyberwar, Murphy's Law, threats at October 20th, 2007

Jane’s Defence Weekly (subscription only) is an entertaining source of information. Sandwiched between news of Peruvian plans to upgrade their MiG-29 fighter force and adverts for body armour, you can find surprising amounts of detail relevant to information assurance issues.

We’ve posted before on UAV (robotic airplane) activity, the staggering bandwidth requirements they generate and the need for secure communications. Jane’s tells us more: that there are 157 types of UAV in development in 17 European nations, and that, according to the United States Air Force, co-ordination problems between the USAF and other services in Iraq, Afghanistan and other combat areas are currently a pressing issue.

The USAF (the organisation that brought us Curtis LeMay, advocate of bombing enemies until the rubble jumps), inevitably thinks that they should have executive authority over high and medium altitude unmanned aircraft. Well, they would.

Another story in the same issue talks of NATO planners demanding full interoperability for equipment and weapons, and specifically mentions UAVs. “The appetite of our field commanders for UAVs is unlimited, for example. But we cannot have a Dutch UAV flying over southern Afghanistan that is unable to send data to a UK or Canadian commander.”

Later, the article notes “A US-led project involving 10 nations and allied capability planners called MAJIIC aims to do just that by defining a common architecture for sharing data.”

As a former member of the US Navy, I have an inherent prejudice regarding the USAF, which may colour my thinking. Nonetheless, I would suggest that EU and NATO technical planners get a secure system for sharing information in place soon, and offer to share with the Yanks rather than cede control.

European Data Protection Supervisor has (False?) Teeth

Posted by chrissmith in AnonymitY, Humanity nature and activity, Uncategorized, threats at October 8th, 2007

It’s good to see that Peter Hustinx, EDPS (here and here), is following in the footsteps of our own Richard Thomas, Information Commissioner (here), by biting at the heels of government, reminding them of their privacy obligations. Balancing the security of the citizen vs the privacy rights of the citizen is not an easy one, but it seems to me that it’s healthy to have advocates in both corners of the debate, particularly when one corner has Uncle Sam as a strong proponent. Mr Hustinx has again reminded the EU not to let political expediency dilute the aims of data protection (here and here). However I do wonder what recourse Mr Hustinx has to ensure the EU institutions do pay due regard to his warnings.

Any views on the security of the citizen vs the privacy rights of the citizen are very welcome.

Good Net, Bad Net

Posted by wendyg in AnonymitY, Data breaches, culture, security services, threats at September 29th, 2007

Three stories this week that I think together highlight both the good and bad sides of having the Internet around and the challenge it poses.

The good, user vigilance division: I saw a posting a few days ago on a community board I frequent that eBay was in the middle of being hacked. This eBay forum thread discusses the hack, though I don’t know how long the link will be valid. The story also got Slashdotted and YouTubed (someone made a video of the hack in progress, which involved posting user IDs along with contact and cc information, though eBay said the latter was not associated with the IDs). Someone else logged a list of posted IDs. It’s worth pointing out that this community effort warned people before eBay made an official response - by all accounts it took eBay an hour to an hour and a half to realise what was going on and shut down the Trust and Safety forum, where the information was being posted. How long would it take a government department on a weekend? eBay is, of course, a very big target; large government projects will be even bigger ones.

The good, keeping companies honest division: the comments here on this week’s Excel bug were, I thought, rather interesting. The MS guy was trying to reassure them by saying that the underlying calculations are correct even though Excel is displaying the wrong values in the spreadsheet. But as the comments point out, this isn’t much comfort. People copy and paste values, and they read aloud and copy from printouts of spreadsheets - an error like this can find its way into all sorts of places. The machines are fine as long as they only talk to each other - it’s crossing the machine/human barrier that’s dangerous. Through the lens of the nanotech conference one might ask whether at some point the machines might decide we’re too risky to talk to. Interesting to speculate what the surfaces of computer programs would look like without the need for human display. (eg, Internet addresses would all be numbers, and there would be no domain name system).

The bad, enabling anonymous distribution of performance-enhancing drugs. This week saw a huge DEA action in the US that took out more than 50 labs churning out steroid pills from powders sourced from China and more than 120 arrests. The pills, which the DEA says were made up in bathtubs and sinks in unsanitary conditions (as much like scare tactics as that sounds - it’s probably true, but it’s not clear how big a risk it is compared to ingesting the steroids themselves), were largely sold over the Internet through Web sites and chat boards to folks like amateur bodybuilders and high school kids, if I’m reading this right. Illegal drug smuggling is of course nothing new, but as much as we make fun of the oft-invoked Four Horsemen of the Infocalypse (organised crime, drug dealers, terrorists, and pedophiles) a DEA report from 2003 talks about the setup they’ve since spent two years investigating, and one of the points they make is the difficulty posed to them by services like Hushmail. It dismays me quite a lot that the general answer to this problem overall (and I think if kids are taking steroids to make the football team it *is* a problem) is rampant drug testing with all the privacy invasiveness and presumption of guilt that involves. Going after the distribution network seems to me a better idea, though I doubt long-term it will make much odds. Since WADA’s testing regime began drug use has done little but escalate among athletes at all levels, AFAICT. The Net didn’t make this happen, and correct enforcement is not to shut down privacy-enhancing services or Web forums but to investigate in the physical world. I don’t think, though, that morality plays like last week’s sententious posturing over Floyd Landis’s suspension from cycling, help at all. If anything, they serve to highlight the notion that winners take drugs…

wg

Bullet Points

Posted by Tom Fuller in AnonymitY, Blindside project, e-ID, people and passwords, security services, threats at September 26th, 2007

I’m referring to the format, hopefully not the effect.

* The US Department of Homeland Security, which sets the benchmark for IT security practice in America, suffered more than 840 IT security lapses in 2005 and 2006, despite spending $332m on IT security this year.

* Unisys has dismissed reports in the Washington Post that it was to blame for data breaches at the US Department for Homeland Security last year. Unisys said, “The allegation that Unisys did not properly install essential security systems is incorrect. In addition, we routinely follow prescribed security protocols and have properly reported incidents to the customer in accordance with those protocols.”

* Attackers have set their sights on two Microsoft flaws — an unpatched DirectX Media vulnerability and the XML Core Services flaw the software maker patched last week in its MS07-042 security update. Antivirus company Symantec has issued alerts for both exploits in emails to customers of its DeepSight threat management service. The security company said it had raised its ThreatCon to level 2 in response to the threats.

* Hackers managed to steal information from the US Department of Transportation and several firms by using fake job listings for employees, reports Reuters. It is believed information was stolen from around 1,000 corporate PCs. The FBI is now investigating the reported breaches.

* Newham Borough Council has delayed a major desktop roll-out after hitting a barrier in its 10-year strategic relationship with Microsoft and Hewlett-Packard. The council has put back the deployment of Windows Vista in its new 1,500-desktop corporate head office by 12 months, because of a lack of Vista-certified applications from its third-party suppliers. As a result, Newham will incur the cost of deploying XP in the new office, only to have to upgrade the machines to Vista at a later date. The council will now roll out Windows XP in March 2008 instead of Vista as originally planned.

* Reliance on ID systems can take you to some strange places (via Ideal Government): “Supermarket staff refused to sell alcohol to a white-haired 72-year-old man - because he would not confirm he was over 21.”

* (Via Light Blue Touchpaper): “When it rains, it pours. Following the fuss over the Storm worm impersonating Tor, today Wired and The Register are covering the story of a Dan Egerstad, who intercepted embassy email account passwords by setting up 5 Tor exit nodes, then published the results online. People have been sniffing passwords on Tor before, and one even published a live feed. However, the sensitivity of embassies as targets and initial mystery over how the passwords were snooped, helped drum up media interest.”

* (Via Bruce Schneier) “Copper cable has been known as the easily tapped physical transmission medium for years. Conscientious network and security managers either provided tight physical security for cabling or used fiber as an alternative. Many network managers considered fiber relatively safe due to the perceived challenges associated with tapping into an optical cable run. However, fiber is no safer than copper. For less than $1,000, an attacker can purchase the hardware necessary to tap into a fiber run. The tap consists of bending the fiber to the point that it leaks light.”

Hitting the limits in the security arms race

Posted by wendyg in cracking stuff, threats at September 20th, 2007

I have a piece in today’s Guardian (“Does antivirus software have a future?”) that was suggested to me by some comments Alan Cox made on one of the ORG lists. I think there are a couple of interesting points that emerged in researching the piece:

- the difficulty of finding an approximation of the truth between the natural tendency of vendors to deny (at least in public) that there is a problem and the natural tendency of researchers and journalists to want to find one

- the genuine escalation of threats

- new technology designs (virtualization, flashable firmware, software-controlled hardware) that create new opportunities (hardware you have to physically change is inherently secure from software threats)

- confusion because names stay the same while the technologies they represent change and the press does not alter its reviewing language or habits (antivirus software doesn’t work the way it did 10 years ago, but the press still tests AV software the same way and reports on it as though signatures were the key - several people complained about this)

The next stage seems to be leveraging the same connectedness that is bringing us botnets and infected Web pages to create collaborative intelligence that can identify the ever-stealthier, ever-more-targeted threats. (I discovered only afterwards that Google has started labelling pages it thinks are infected with a warning - while I can see the logic of their doing this, it’s a little worrying about the impact on a site or its business if Google gets it wrong - I see lawsuits of green…What a wonderful world…)

wg