Government

Hacking: British government extends Innovation Vouchers

Last night the stock market took a frightening tumble: following the hacking of the Associated Press Twitter account and a post about President Obama and The White House, at 13:06 EST the S&P 500 fell about 1%, a value of $130 billion. As traders hit the sell button, automated selling took over and funds moved into the Yen and Treasury bonds. At 13:09 EST, the panic was over as AP issued a hasty clarification from another Twitter account and fact-checking (remember that novel practice?) had eased potential chaos. It appears the Syrian Electronic Army were behind the hack on the AP account and have been active on Twitter for some time, hacking amongst others, the Qatar Foundation’s Twitter account last month as part of a pro-Assad campaign. I use the term hacking – somewhat of a misnomer as this sort of action is known as social hacking, or social engineering. Mike Baker from AP tweeted that staff had received a phishing email which looks to have installed malware on AP staff computers, giving the SEA access to log-in passwords.

What does this mean to small business?
Social hacking and breaches like the AP Twitter account are by far the most common sort of cyber-security threat. Spotty youths with laptops or activists are not the big threat to small business; the threat to you is about your banking and finance details, your customers’ details, data and their payment information. The bad guys are interested in details that can be converted to cash – and that means competitively valuable information like sales reports and new business leads – and the cost to trust and reputation also has to be considered.

“Keeping electronic information safe and secure is vital to a business’s bottom line. Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents.”

— Minister for Universities and Science David Willetts

Small businesses are certainly under greater threat than ever as more data and trade is moving to the web and cloud. Security at the leading computer companies who provide cloud and web services to you is generally excellent, but the social or human element is where the threat is greatest – does a former disgruntled employee still have log-in details to your CRM system where you record everything a competitor would want to know about your business?

The 2013 Information Security Breaches Survey indicates that 87% of small businesses across all sectors in the UK experienced a breach of some type in the last year; that’s up more than 10% and cost small businesses up to 6% of their turnover, with the average cost of a serious breach or hacking incident at small organisations being £35,000 or more.

“It is estimated that 80 per cent or more of currently successful attacks can be prevented by simple best practice. This could be steps as straightforward as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted.”

— Source: GCHQ

It’s welcome news then that the Technology Strategy Board is extending its Innovation Vouchers scheme to allow small and medium enterprises (SMEs) to bid for up to £5,000 from a £500,000 pot to improve their cyber security by bringing in external security expertise. The Department for Business, Innovation and Skills (BIS) is also publishing guidance to help small businesses accept cyber security as part of their normal business risk management process. A really positive initiative – and an announcement that couldn’t be more welcome for businesses growing aware of a threat and wondering what to do next, and the widely reported hacking incidents may prompt those business owners to sit up, listen and act.

The scheme opened on the 15th of April and closes on the 24th of July 2013, so if applying, you should get started as soon as possible.


 


Education

McAfee’s Digital Divide Survey: Parents in the dark


Source: Original version of this article published in the Irish Independent, November 7, 2013.

It’s no surprise to read in McAfee’s Digital Divide survey that teenagers are hoodwinking their parents, that’s unlikely to stop any time soon. The difference for teenagers now though, is the internet never forgets. The ten percent of teenagers surveyed who posted an embarrassing photo, or the twelve percent who used foul language may have a long time to reflect on their embarrassment. And that embarrassment could follow them to a new school, college or job. Online, the world is watching and you can be judged by your past behaviour for a lifetime.

Digital learning initiatives like tablets in schools and emerging MOOCs (Massive Online Open Courses) are transforming education and the potential for learning, so it’s disturbing to read in McAfee’s survey that a third of parents have resorted to taking away their teens’ mobile devices or computers, counter-productive in the extreme. Neither is avoidance the answer. Parents appear to be in denial and exhibiting a trust that was not granted to my generation, and platitudes from teenagers should be treated cautiously as half of teenagers are doing things online that their parents would not approve of.

When I was a student Civics was taught to imbue good citizenship but as we transition to a society with a growing population of digital natives there is a greater need for good digital citizenship, I would suggest even a dedicated course, ideally in the Junior Cycle curriculum. We don’t just need to teach children how to write apps and study using digital technology, we need to teach them how to be safe and sensible, and how what they say and do online can impact themselves and others emotionally, socially and even professionally. Parents must accept responsibility for the development of their children as digital citizens by providing supervision and taking an active, but unobtrusive, part in their children’s online lives. I’m not suggesting a digital version of peeking in the teenage diary, but parents generally, are interested in who their children are friends with and where they are after dark, and they should be interested in what their children are doing online. Installing monitoring software on a child’s computer would be a step too far and may even hinder the development of a teenager’s technical ability, but open discussion in the classroom and at home brings a sense of reality to digital life that is often lacking in the consciousness of teenagers who treat so much of online interaction in a way akin to playing a video game, allowing them to dissociate themselves from offensive behavior, sometimes with tragic outcomes.

Good initiatives like McAfee’s Online Safety for Kids are a great start, but there’s some distance to go and the school curriculum and parents must be part of the answer to the development of the teenage digital native. Human nature being what it is, teenagers will behave better when you keep an eye on them, because they know you’re watching, and their parents should be watching, because the rest of the internet is.

 


Government

Open data, does not mean losing our data. Get it?


Not much time passes between reports of another authority, company or agency losing someone’s data. Spying or intelligence agencies nosing around your data is one thing; I’m referring to how people are losing our data the old-fashioned way: laptop, train home, oops. Laptops, tablets and USB keys – all of them appear to be dropping out of sight, and control, at an alarming rate the world over. I know we live in the era of open data – but someone needs to explain that means sharing data, not leaving it in a pub toilet.

Last week I did a radio piece with Will Faulkner on Midlands Radio. Specifically we were looking at a report by Fiachra O’Cionnaith of The Examiner where, following a Freedom of Information request, it was revealed that from January 2009 to Dec 2012, 69 devices owned or controlled by Ireland’s Health Service Executive (HSE) went missing, of which 61 have since been deemed stolen; this included 15 laptops presumed stolen in a single incident in the Midlands, in 2009. More than 50 had ‘sensitive’ data and 20 were not encrypted. That’s a device lost or stolen every three weeks.

“Somebody needs to be held accountable. Considering the previous assurances given in 2008, this is totally unacceptable.”

— Irish Patients’ Association chairman Stephen McMahon

Given the quote from Stephen McMahon above, I recalled a blog post I’d read a few years ago. So I got to browsing and found the excellent posts from 2008 & 2009 by John Lawlor of Trinity College in Dublin. John made the point contemporaneously that it was time everyone who was in control of:

personal private information, whether in the public or private sectors, took this issue seriously and started taking immediate, practical and effective steps to secure the data they store and control.

Alas, no-one acted on John’s good advice, which even went as far as including some pointers on encryption, from commercial to open-source and the practicalities around data-protection and security. Did anyone share blog posts then? Does anyone say “that makes sense, I’ll raise that at the monthly staff meeting – but I bet we have something in place already”; sad fact is, you don’t. Or if you do, no one’s bothering to do what they should. Which is worse?

Using Cloud Computing to Build Next-Generation Government Services

In a previous post (regarding a private sector company, PA Consulting, who managed to lose data on thousands of criminals) John Lawlor referred to controlling access to internet storage sites, as agency employees could create another vulnerability by using services like Gmail or Hotmail for storing data. Good advice at the time, and there was indeed a trend for ‘send it to yourself’ at the time. The gigabyte (and counting…) of storage was new – and huge for its time. Five years on things have changed. Well, the technology landscape has changed; the indifference of employees entrusted with our data appears much the same. Cloud services have evolved radically, and it is now practical and safe to store confidential data using a cloud service.

I’m not suggesting that government agencies upload something like patient data to Dropbox or Skydrive; in fact commercial cloud services vary widely on how they treat our data, for example Skydrive and Apple explicitly reserve the right to scan your data, sometimes with embarrassing consequences, as experienced by a German photographer. What I am suggesting is that as we talk up the opportunities of Cloud computing, as a job-creator and cost solver, we also use it to solve some data protection challenges. SpiderOak, a company I particularly like, offer personal, business and enterprise cloud services whereby your data is encrypted before you upload to the cloud, so they don’t know what you’re storing with them. EMC run the clever and cost effective Mozypro, and Accellion offer FIPS 140-2 compliance services to state authorities.

If you’ve got mobile devices with sensitive data, using Mobile Device Management software you can ensure important data is encrypted. If it’s stolen or lost the device can be wiped. And if you’re unsure whether it was stolen or lost or just where it is, by using a GPS boundary, you can ensure the device is wiped if it moves more than say, a mile from your office or 50 metres from an employee’s home. Waheed Qureshi, the founder of Zenprise, said to me last year, ‘people lose their tablets yes, but there’s no excuse for losing your data.’ Citrix and Good Technology amongst others, make this cost-effective, and more importantly, easy to do.

I’ve been a laptop user for more than a decade – and I’ve never lost one. Not one. I’ve never lost a tablet or a smartphone. Am I remarkably careful, security conscious and St Anthony is watching me? Maybe it’s just because I paid for them, myself. Cost = care. And care for our data, or it will cost, you and us.


Government

Internet companies write: “we need to know” letter to Washington

Today, 60 of the world’s major internet companies like Google and Facebook, advocacy groups like the Electronic Frontier Foundation and investors including Y Combinator have written to  Washington urging the administration to allow more transparency following the recent disclosures detailing extensive federal surveillance programs of global internet users.


Yesterday, 60 of the world’s leading internet companies including Google and Facebook, the advocacy organisations ACLU and The Electronic Frontier Foundation and technology investors, including Y Combinator wrote to the US administration urging for more transparency to be allowed, following the recent revelations regarding the PRISM surveillance program first published in The Guardian and Washington Post.

With the existing legislation, Internet Service Providers and other Web companies can be compelled to provide the government with the metadata of customers, yet at the same time they are often prevented from acknowledging those requests. A number of companies have published vague information about these FISA (Foreign Intelligence Surveillance Acts) requests in recent months, including Google, Microsoft and Yahoo, yet the internet firms are prevented by law from publishing specific details of these requests.

“Basic information about how the government uses its various law enforcement–related investigative authorities has been published for years without any apparent disruption to criminal investigations. We seek permission for the same information to be made available regarding the government’s national security–related authorities.”

— We Need To Know Transparency Letter: July 18 2013

We Need to Know Transparency Letter

The 63 signatories on the letter sent this week say the US government should ensure that the internet firms entrusted with users’ security and privacy are allowed to report the statistics illustrating the number of government requests made under the PATRIOT Act and FISA, as well as the number of accounts or individuals impacted and figures reflecting instances in which the contents of phone calls or emails are recovered.


Copyright © 2014 redcert.com