
Nigel Stanley

Nigel Stanley is the IT Security Practice Leader for Bloor Research. In this blog Nigel will be commenting on the world of IT security and other areas of interest from time to time.

The BBC puts Smartphone security on test

BBC News has shown how straightforward it is to create a malicious application for a smartphone. Over a few weeks, the BBC put together a crude game for a smartphone that also spied on the owner of the handset.

The application was built using standard parts from the software toolkits that developers use to create programs for handsets.

More here, including a video with Bloor Research adding some commentary. This project took a few weeks but it has been very interesting—happy to talk through the issues in more detail if anyone is interested.

Posted: 10 August, 2010 | Posted By: Nigel Stanley | Comments: 0

UAE, Saudi and the BlackBerry Security Conundrum

News that the United Arab Emirates (UAE) and Saudi Arabia want to block the use of some BlackBerry features rumbles on.

I was interviewed for my opinions on Aljazeera TV's Inside Story by presenter Teymoor Nabili, along with Thomas Shambler, the editor of Stuff Magazine Middle East and Ian Brown, a senior fellow at the Oxford Internet Institute.

This episode of Inside Story was aired on Monday, August 2, 2010.

Posted: 09 August, 2010 | Posted By: Nigel Stanley | Comments: 0

Interested in Cell (Mobile) Phone Hacking?

I am running a set of 4 articles covering cell phone/mobile phone hacking and measures you can take to prevent such attacks on the Bloor site here. I'll be covering some of the underlying technology that makes cell phones vulnerable and exploring some of the new attacks that are emerging.

Posted: 30 July, 2010 | Posted By: Nigel Stanley | Comments: 0

US Brands Targeted in Online Attacks

The latest RSA Online Fraud Report has just been published, revealing some interesting headlines. Some of the featured highlights include:

The report can be found here.

Posted: 29 July, 2010 | Posted By: Nigel Stanley | Comments: 0

Computer Crime Gets Sexy TV Show

I loathe the relentless onslaught of TV cop shows that seem to dominate peak viewing schedules these days, so it was with trepidation that I decided to watch a new show on ITV called Identity.

The drama is based on an elite police unit formed to combat the rise in identity-related crime. Of course the unit is staffed with the usual hand-picked combination of a dominating boss, a cool but rebellious detective, a techie and a couple of other supporters.

Naturally the building they occupy has fantastic panoramic views across London and an internal styling, furniture and decor that would drain the Met Police decorating budget in one purchase order. The Chief Constable, played by a chap who I think was in The Office, was the usual over-demanding stereotype who wore his whistle chain like a huge bog chain. [note to wardrobe - please fix this]

Aside from these irritations it made interesting viewing, and they certainly crammed a lot into a 55 minute program. It's worth a look if you just want to chill out and can ignore the ludicrous tech stuff.

My hope is that it will highlight issues around identity and data theft and will encourage people to be a bit more savvy with their personal data. Anything that can help with this education has got to be good.

We shall see.

Posted: 09 July, 2010 | Posted By: Nigel Stanley | Comments: 0

Finally a Decent Use of Cloud Computing: Software Security

I am glad to say that I have finally found a solution that leverages the huge benefits of cloud based computing whilst at the same time delivering more secure applications. Check out this article for the details of an interesting new service being offered by Veracode.

Posted: 11 June, 2010 | Posted By: Nigel Stanley | Comments: 0

Building Security In Maturity Model gets an Update

Today we saw an updated release of the "Building Security In Maturity Model" (BSIMM) study, which significantly expands the data defining benchmarks for successfully developing and growing an enterprise-wide software security initiative.

Launched in March 2009, BSIMM is the industry's first and only structured set of best practices for software security based on real-world data rather than philosophy and theory. The latest release, BSIMM2, triples the size of the original study from nine organisations to 30, across a range of seven overlapping verticals including: financial services (12), independent software vendors (7), technology firms (7), healthcare (2), insurance (2), energy (2) and media (2). BSIMM2 now reports the collective expertise of 635 people in firms with 130 years of collective experience.

This is really cool work and moves the game forward in terms of software security. Check out this link for more information.

Posted: 12 May, 2010 | Posted By: Nigel Stanley | Comments: 0

Time to hug a PGP employee?

Very rarely do I ever get to witness the effects of a corporate takeover first hand but the acquisition of PGP by Symantec, announced lunchtime on the last day of InfoSec 2010, was to be different.

I had been through the usual InfoSec battering of interviews, keynotes and random discussions which are the hallmark of this important annual event. My antenna was starting to pick up some odd behaviour chez PGP. Stranded executives unable to attend "because of the ash" (because of the cash?) coupled with a rather bizarre discussion with another very preoccupied executive on the Thursday morning who insisted they "only had time for a 10 minute chat" and hid their laptop from view in the public display area.

Clearly something was not right.

I was sitting on the Symantec stand an hour or so later having a chat with a senior product person when I was told the news. What was to be a pleasant discussion about Symantec turned into a bit of a navel gazing exercise as we all ruminated about the ramifications of the deal.

Symantec has had an encryption sized hole in their offering that had been papered over but never properly filled. Unlike McAfee, who realised the importance of encryption and went after Safeboot in late 2007, Symantec never really took the plunge until this week. The OEM relationship that Symantec had with GuardianEdge provided them with some data protection experience which has now been confirmed with the purchase of that company for a seemingly cheap £70M. Certainly in the past I had heard good things about GuardianEdge but have been rather disappointed in their performance over the past couple of years as they seemed to retrench back to the US, neglecting EMEA. Maybe it was a BOGOF—Buy One Get One Free—and Symantec thought they may as well pay a bit more and get GuardianEdge as well.

PGP have been upping their game recently, as was demonstrated by the TrustCenter acquisition, taking them further into the security infrastructure world. The strategy appeared to resonate well and gave me cause to think that PGP had finally gotten their strategic act together and were set on a very interesting path. Clearly Symantec thought the same hence the $300M deal.

Symantec now have to turn this acquisition into something useful, and something that will prove the market wrong, many of whom consider them to be synonymous with irritating bloatware. PGP is good, well proven technology that carries a strong brand and should not be sucked into the "Borg" never to be seen again.

As for the PGP people I saw on Thursday afternoon at InfoSec, clearly they were too junior to be counting their stock options and were actively considering their futures. I for one felt an urge to give them all a hug and tell them it will all come right in the end, my only hope is that I am right.

Posted: 30 April, 2010 | Posted By: Nigel Stanley | Comments: 0

InfoSec 2010 - A "must visit" show

InfoSec is rapidly approaching. This is a hugely important show for anyone that is involved in information security. I will be there meeting up with friends old and new, plus presenting at a couple of sessions:

Wrestling with PCI DSS Compliance - A Unique Look at Achieving Compliance From An Auditors' Perspective

11.00hrs Tuesday 27th April

Everyone that accepts credit cards must live up to the Payment Card Industry Data Security Standard (PCI DSS). Since 2006, enterprises have worked to achieve compliance with the evolving standard even as major retailers and payment processors continued to be in breach. With another PCI DSS update arriving at the end of 2010, how can IT teams be best prepared to protect their business and achieve compliance? Who better to ask than the auditors responsible for assessing and reporting compliance at the world's largest merchants, Qualified Security Assessors (QSAs). That's exactly what the Ponemon Institute and Thales set out to do and have just published in their new research. Hear from the researchers and an experienced QSA to learn more.

Issues this discussion will consider include:

Tim Holman, QSA & CTO, Blackfoot UK
Larry Ponemon, Chairman, Ponemon Institute
Bryta Schulz, Vice President of Product Marketing for the information technology security activities, Thales

Compliance - How To Defend Yourself and Stay Out of Court

12.15hrs Thursday 29th April

Complying with what seems to be a never-ending wave of regulation has always been a difficult task, however it seems that we are now at a critical-mass of compliance, where the chances to fall foul have never been so great. So how can you avoid disaster and, if disaster should strike, what should you do?

Issues this discussion will consider include:

Tracey Andrew, Head Of Information Security & Compliance, Berkshire Shared Service
Keith Attfield, Ex-Director Of Information Security & Information Risk Specialist, Veolia Water
Shash Patel, Intellectual Asset Protection & Data Privacy, Air Products
Stuart Room, Partner, Field Fisher Waterhouse LLP

These should be interesting sessions and the panels will be up for a good interactive session with the audience—so come prepared with your difficult questions!

Posted: 20 April, 2010 | Posted By: Nigel Stanley | Comments: 0

Email Leaks 10,000 Names from Police Data Check

Another interesting data loss story...

A user has accidentally sent an email with a sensitive Excel attachment to a journalist working for The Register. Reportedly the auto complete feature on the email system accidentally resolved an email name to that of the journalist rather than that of another police employee. The spreadsheet contained in excess of 10,000 names of people who have had their records checked prior to them being employed in a sensitive job role. The leaked spreadsheet contained details of over 860 people who were found to have been in "trouble" with the police.

Worse still the police asked them to cover the story up!

http://www.theregister.co.uk/2010/04/16/gwent_police_data/

The incompetent/non-malicious inside threat strikes again...

Posted: 20 April, 2010 | Posted By: Nigel Stanley | Comments: 0