I recently read an article in New Scientist entitled " Want to clone bank cards? Just press 'print' ". They state that it has been discovered that "... a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts." This is possible because ATM Terminal vendors have succumbed to financial pressures, and the demand for greater functionality, and moved to using standard modular PC architectures and off-the-shelf operating systems, such as Microsoft Windows and Linux. These ATM devices then become vulnerable to similar malware as their desktop counterparts. SpiderLabs, part of Trust...

The answer is yes and no (note, in this blog, I'm not talking about cryptographic or identity trust, but systems trust). There are two aspects to this. Firstly, do you think your users will deliberately act against your organisation or try to harm the system? This is not usually the case for corporate employees - you also have severe sanctions available if they do. The second aspect is, do you trust your users NOT to make mistakes? Everyone makes mistakes; we're only human. You don't want accidental updates or changes, so in this sense maybe you shouldn't trust your users. Actually there are three overall approaches to system trust on networks. We can trust all of the people all of the time (bad idea, but much more common than you'd think), trust no one at any time (maybe too excessive and hinder functionality), or we can trust some of the people some of the time. The last one is usually the best strategy to adopt for your network. Finally, we have to decide on ...

Wireless Networks are still causing businesses problems. By their very nature they are insecure, as they are a broadcast network that frequently extends beyond your physical boundary - remember radio signals don't stop at your door. There ARE security mechanisms to make them secure, but too often these are not implemented properly or are circumvented by users. It is vital that all traffic on the wireless network be encrypted, and connections authenticated, otherwise anyone with a laptop can view all your traffic. There are many mechanisms for achieving this, but at the very least you should use WPA with long pass phrases (not simple passwords) and MAC address authentication. Don't use WEP ; it can be broken easily. I won't bore you with details here, but I refer you to Google instead. However, there are several flaws such as using a linear Integrity Check Value, such that predictable bit-flipping can be used to send invalid messages that will appear to be valid. Secondl...

With data leaks constantly in the news, I thought I would write a quick blog post about data anonymisation. The problem seems to be that people think it's perfectly acceptable to walk around with sensitive information on mobile devices and removable media. The solution, according to common thought, is to encrypt those devices. This is a solution that should be adopted, but after the more fundamental problem has been addressed. It should not be possible or necessary to store raw sensitive data on mobile devices or removable media! Assuming that you need the data for business intelligence purposes and that the IT department can't or won't (for some good reason) allow this to be done online through a secure connection, then you must anonymise the data first and then encrypt it. Why do you need to know the names, addresses and credit card numbers of your customers when on the road TK Maxx? Why do you need the names, addresses, dates of birth, national insurance numbers, salar...

OK, so many people have asked me how I do my presentations and could they have a link that I've decided to put the links and a short explanation on my blog. My presentations are all done in PowerPoint 2007, but I use a Microsoft Office Labs plug-in called pptPlex . From their website come the following quotes: "pptPlex uses Plex technology to give you the power to zoom in and out of slide sections and move directly between slides that are not sequential in your presentation." "...pptPlex can help you organize and present information in a non-linear fashion." If you don't know what any of this means, then you should ask me to do a presentation :-) or have a look at their videos. It's very simple to install and use. However, remember that you need it to be installed on your presentation machine in order to give the Plex version of the presentation, otherwise it will just show as a normal PowerPoint presentation. If the pptPlex Ribbon Tab doesn't...