
Posts

Admin rights to data should be given sparingly (or not at all)

I was reading a well-known telco’s document on the trade-off between productivity and network security recently. A lot of what they said is fair comment and they do have some helpful suggestions. However, their response to security risks, like those of many organisations, jumps straight for the technology solution with only a thin veneer of trying to deal with people. Many organisations will talk about people and process and how important they are and that you need education programmes (most of which miss the point and are not terribly effective), but they say it as if they have been told to and don’t really believe it themselves. At the end of the day they will jump on the technology bandwagon and sell you/buy the latest bit of kit. One statement in this document stood out though: “...full administration rights to all data are rarely appropriate for the entire workforce.” What? When are they EVER appropriate for the entire workforce? When is full admin rights over all data ever ...

Skype Phishing from ONLINE HELP

It seems that many users are receiving phishing phone calls through Skype from a profile called 'ONLINE HELP'. This call, if answered, plays a recorded message telling the user that their computer is not protected and that they must go to visit www.hosog.com. If you do visit this site, it is riddled with malware. This is a phishing scam! The user account that I have observed is drationlinehelpgb and shows as being registered in the US, but seems to have been taken down now. However, others have reported a user account of drajizonlinehelp, which appears to be registered in Afghanistan. This one is still live at the time of writing and is using the same 'ONLINE HELP' profile name. It would appear that new accounts are being created as the old ones are blocked by people and reported for abuse to Skype. It is slightly worrying how many people are reporting having answered this call. If you receive any unsolicited calls through Skype from users outside your con...

Google email Accounts Compromise

I was asked to comment yesterday on the story that emerged about the Google mail accounts that were compromised over the last few days, so I thought I'd put some of my answers down here. First off, Google wasn't compromised; a set of phishing emails were sent out and a fake Gmail login page set up to harvest login details. These were used to set up forwarding rules to copy mail to another account. Unfortunately, although a large number of people are aware of phishing and are (to a certain extent) vigilant, it only takes one person within the organisation to fall for the attack to compromise security. The scammers are becoming better at targeting people and making the initial phishing contact more believable to some people. Phishing is not just about email, although that is the most common avenue for the initial contact. Social media is also commonly used and we have seen the use of SEO to force phishing sites to the top of search engine rankings as well. User education is the o...

3M Privacy Filters Update

I have blogged about 3M's privacy filters before and their gold filter still remains, in my opinion, the best privacy filter on the market. If you want to find out more about that one and why you need a privacy filter, see my previous blog post "Why do I need a privacy filter? (3M's new Vikuiti Gold Privacy Filter)". I also blogged about their mobile phone privacy filter. The problem with their mobile phone privacy filter last year was that it was only available in their standard grey louvered filter, so it didn't work well with accelerometer phones that can be used in portrait or landscape modes - you had to pre-select which orientation you wanted to use your smartphone in. Also, the light transmission wasn't as good as the gold filter, nor was the touch quite as good after applying it. Well, they've addressed this and launched a new filter for mobile phones and slates at InfoSecurity Europe. The filter is now significantly thinner with excellent tou...

InfoSecurity Europe 2011

InfoSecurity Europe is over for another year. Once again there were several interesting companies and sessions worth noting. The 'themes' (if they can be called that) or 'hot topics' were cloud security again, social media and mobile access/the consumerisation of IT. The big difference seemed to be in the attitudes of people - more 'how can we reduce the risks to an acceptable level?' rather than 'we can't secure it, so we won't allow it!' We are seeing a shift in the types of systems end users are accessing the corporate network from. The IT department are no longer dictating what will or will not be allowed. More and more users want to use their own personal devices, such as iPhones or iPads, on the network. In the past IT departments have resisted this and said no to the users. However, this attitude is beginning to change and there were a raft of organisations with solutions to help secure these devices and manage the data they contain. How...

Base64 Encoding is NOT Cryptography

I have once again come across an IT department who are firmly convinced that the commercial web application they use is secure and has encrypted user details. What it actually does is Base64 encode the password. This is not encryption and must be treated as plaintext. So what is Base64 encoding and why do we have it? Well, a large number of popular application layer protocols are ASCII text based, i.e. they transfer plain text over the network. A good example of this is HTTP - the protocol used to transfer HTML (or Web) pages around. Originally, only text pages were sent, with markup embedded to style them. However, soon other resources were added to the web, including pictures, documents, etc. HTTP is designed to transfer plain ASCII text, so how do you transfer a JPEG photograph? Answer: you convert it into plain ASCII text. The basic principle of converting a file into text is to use the data as an index into a table of ASCII characters, e.g. 'A' is 63, 'B...

Security Risk is Proportional to Hacker's Skill

There are many factors that influence the risk to your organisation and they are by no means all about hackers. However, we do have to deal with hackers and have to realise that they are a fact of life that won't ever go away. So how much risk are we at from hackers? The truth of the matter is that the risk your organisation faces from hackers is proportional to the skill of the hacker. There are many different types of hacker, from the person who downloads a free tool, through script kiddies to highly intelligent, technically skilled people who can discover and exploit any vulnerabilities you may have. The tricky thing is to figure out who you will likely get attacked by. Many organisations have the attitude that they are not a natural target so nobody will attack them and they don't need to worry about security. Unfortunately that just isn't true. Computers are very good at doing repetitive tasks without getting bored. As a test we have a standard ADSL line with a web...

True Random Numbers from Random.org

Much of security relies on randomness - encryption keys should be random and random passwords are more secure than dictionary words or predictable sequences. The problem is, how do we generate a random number? Well, actually, this is a trick question. The answer is that you can't generate random numbers, but you can observe them. Most programming languages give you a random number generator, so why not just use that? Well, it's not actually a random number generator, but a Pseudo-Random Number Generator (PRNG), or more accurately a Pseudo-Random Sequence Generator (PRSG). Given the same seed value, it will produce the same output every time. Try seeding the random number function in your favourite programming language then run your program a few times. You should see the same numbers coming out each time. The reason for this is the function used to produce random numbers is just a mathematical formula that takes an input and gives an output. To have a random number out, ...