Bending it not quite like Beckham

31 Aug 2011

Last Friday, Computing, our charity partner Computer Aid and media representatives of some of the industry's leading IT firms congregated in Hyde Park for a footballing showdown - to support the work that Computer Aid does and to raise awareness of its cause.

The event was sponsored by Racepoint Group – the media agency for tech firms such as ARM Holdings and eBay; Proof Communications – which works with Dell and CompTIA; and ITPR – which counts Tripwire among its clients.

Teams were entered by Computing, Racepoint, Proof and Computer Aid, which had both men's and mixed teams.

The first match kicked off at 3pm, when the heavens opened and players were treated to a downpour that is part and parcel of a British summer, but it wasn't enough to thwart their enthusiasm.

Both Computing and Racepoint Group started off well, notching up consecutive wins, before meeting each other in a crunch match that was not for the faint-hearted.

With scores level at 1-1, Racepoint scored a last-minute goal to take them into the lead. However, we at Computing don't know when we're beaten and one inspired player received a pass from the resulting kick-off, dribbled through the defence and placed a finish into the corner during injury time to level the scores at 2-2.

Meanwhile, Proof Communications valiantly battled on despite having an injured player, the Computer Aid men's team showcased some silky football, and the Computer Aid mixed team impressed, surpassing expectations by finishing third.

Ultimately though, Racepoint Group's determination was clear and they dominated against the other teams, running out as winners on goal difference, with Computing clinching second place, level on points.

The tournament was great fun - but more importantly, it was all for a wholly worthwhile cause.

Computer Aid provides professionally refurbished PCs, donated by businesses in the UK, together with training and support to help schools, universities, hospitals and charities who can't afford to buy new PCs.

Its work helps children and disadvantaged people get an IT education, helps doctors access specialist advice to treat patients and many more besides. Most of its work takes place in Africa but it also supports organisations in the UK and Latin America.

Computer Aid has provided over 190,000 PCs to organisations in over 100 countries, and fundraising initiatives like Friday's are essential to helping raise awareness of the cause.

To find out more, please visit http://www.computeraid.org/

H4cked Off: UK cyber security – a disaster waiting to happen?

19 Aug 2011

Computing reporter Stuart Sumner

Cyber security is viewed by the government as a 'tier one threat', as it stated in October last year, along with a pledge to invest £500m over four years into the UK's response to the problem.

And with the Olympics now just under a year away, and the accompanying global attention (both from sports fans and criminals) that it will bring, the need for a 'tier one response' to the tier one threat appears more pressing than ever.

In March this year, Neil Thompson, director of the Office of Cyber Security and Information Assurance (OCS), stated that the UK wants to lead internationally on cyber security.

But are we as a country set up in the right way to even lead our own fight against cyber criminals, hacktivists and malicious foreign agencies, much less lead our peers?

Off the top of my head I can think of 20 different public sector organisations with cyber security as a core function, besides the OCS mentioned earlier.

I haven't got the space to list them all, but a few of the more recognisable names are the Government Communications Headquarters (GCHQ), Centre for the Protection of National Infrastructure (CPNI), Police Central e-Crime Unit (PCeU), Cyber Security Operations Centre (CSOC) and the National Crime Agency (NCA) (itself an eventual replacement for the Serious Organised Crime Agency (SOCA)).

And there are many more, with overlapping briefs and confused chains of command.

In the words of former security minister Baroness Neville-Jones, who possesses the gift of understatement, the organisational structure of the UK's cyber crime effort is 'not ideal'.

Does this sound like a cogent and co-ordinated response to the cyber threat? Or does it sound like a fragmented mess, possibly the result of organic and unplanned growth rather than a strategic and cohesive network of assets?

In July this year, the Information Security Council (see, there's another organisation) released its annual report which stated that the government has shown "confusion and duplication of effort" in its approach to cyber security.

Apparently the chief of the Secret Intelligence Service (and there's another) was similarly unenthused at the UK's setup, stating: "I'm not sure the Cabinet Office processes for determining what is a coherent cyber programme [are] as sophisticated as [they] should be."

I spoke to the Cabinet Office requesting a list of all government organisations with a cyber security function. I was told that such a list would be impossible to pull together. I'm guessing that's because they have no idea exactly how many such bodies exist.

OK, "How about a list of those organisations with cyber security as their principal function?", I asked. "We'll think about it" was the terse and slightly irritated response I got.

I'm still waiting for the results of that cogitation. I shan't hold my breath.


Stuart Sumner, chief reporter and security geek

H4cked Off: How the hell did the RSA hack cost EMC £40m?

29 Jul 2011

Computing reporter Stuart Sumner

Storage company EMC has admitted that the cyber attack on its security division RSA Security has cost it £40m, both in investigating the hack, and in tightening security to make sure it doesn't happen again.

I'm not entirely sure how you manage to spend that amount of money in those ways. How much does it cost to check your log files, scan your network for malware or oddities, and go through all your documents to see what has been accessed, when and by whom?

There's quite a bit of work there, so let's say you hire in some incredibly expensive external talent and it takes them a month. I still don't see how that can possibly come to more than £1m tops.

And then you have to improve your security in the hope that someone somewhere might actually trust you enough to use your products again.

As part of this drive, RSA created a new CSO role, which it gave to Eddie Schwartz, who was already working at EMC, and originally at NetWitness, which EMC bought in April.

If they're paying him £39m, then that would both explain where the money went, and prompt an immediate change of career direction for myself, and probably most of you too.

Unless they're factoring in loss of sales, which is possible and would certainly come close to explaining the figure.

Companies are understandably reluctant to reveal their losses as a result of security breaches. They'd rather brush the whole thing under the carpet as soon as possible, and hope their customers suffer from amnesia.

Sony has probably lost far more as a result of its encyclopaedia of security mishaps, but it isn't telling us, besides to say that it has lost something (besides all credibility).

So had EMC properly secured RSA's network in the first place, what else could that £40m have bought?

Well for a start it's what the US military paid recently for the manufacture and delivery of the new XM-25 computer smart-rifles, complete with explosive shells and thermal imager sighting.

Are your competitors' sales teams all armed with smartphones? They're no match for the smart-rifles, and the thermal imaging should help track them down even in the comfort of their air-conditioned BMWs.

Or, how about Manchester City striker Carlos Tevez? £40m should be enough to prize him away, then simply install him in the foyer of your headquarters and make him do keepy-ups. That'll be more interesting than a few potted plants and a drinks dispenser.

Personally I'd plump for the Meamina, a luxury 200 foot boat available from Burgess Yachts. It lists one of its features as 'teak decks'. And it leaves a cool million in loose change for important things like gin and helicopters.

So EMC, those are just a few things to reflect on as you eye the hole in your profits this quarter. For everyone else, go spend £50,000 upgrading your security then blow the rest on a teak-floored yacht.

Stuart Sumner, chief reporter and security geek

H4cked Off: I hate to say I told you so...

07 Jul 2011

Computing reporter Stuart Sumner

Last month, I quoted security firm Kaspersky's CTO Nikolay Grebennikov as he explained why he feels that Apple can't keep its iOS platform secure all by itself.

It's a fairly bold statement, but he went further, stating that Apple would be forced to open up the iOS within a year.

Apple keeps a firm grip on its mobile operating system, only allowing applications and services to be downloaded from its own store. And it, presumably painstakingly, vets these apps and their developers first, ensuring that they're free of malware and other nasties.

Android, a far more open platform, has no such restrictions.

Both operating systems are doing well, although Android is the faster growing, perhaps partly because it's easier for developers to get involved.

Having said that, Android has the worse security record, with DroidDream and other malware bursting out from seemingly innocuous apps once in a while.

Hell hath no fury like an Apple customer spurned. My article was quickly swamped with outraged comments from Apple devotees.

"Currently, iOS is completely immune from viruses and malware," shrieked one.

Another addressed Grebennikov directly with some career advice: "Dude, go get a new job, your business model is going bye-bye!"

Leaving aside the disconcerting and cultish fervour with which some Apple customers exalt the company, their unshakable belief that the platform is safe could be their undoing.

McAfee put it well in its 2011 Threat Predictions report:

"The popularity of iPads and iPhones in business environments and the easy portability of malicious code between them could put many users and businesses at risk. The lack of user understanding regarding exposure on these platforms and the lack of deployed security solutions make a fertile landscape for cyber criminals."

I realise I'm quoting security companies with something to gain from identifying a need for additional security in the iOS, but that doesn't mean the need isn't there.

This week, elite hacker Comex released a jailbreak service for the latest iOS version. In so doing, he revealed a zero-day flaw in the platform, managing to skirt around its security counter-measures. That flaw is now in the public domain. By the time you read this, malware will be out there in the ecosystem, exploiting this vulnerability.

And as a closed system, there's little iOS users can do to protect themselves until Apple releases a patch. Actually that's not true. You can jailbreak your device using Comex's service, then download his own patch which fixes the problem. Irony?

OK. So I lied. In fact I love to say I told you so.

Anything can be hacked, it just has to be worth the effort. Apple products are no exception. And I say this as an Apple user myself, just one who has yet to be initiated into the cult.

Stuart Sumner, chief reporter and security geek

H4cked Off: Losing the Cyber War

17 Jun 2011

Computing reporter Stuart Sumner

In recent months hacktivist group Anonymous has been keeping security commentators busy with its humiliation of such global brands as Sony, Mastercard and Paypal.

Though often basic in nature, the sheer muscle-power behind these attacks was sufficient to knock these mighty websites off their not-so-mighty pedestals, and go some way towards the group's political goal of supporting whistle-blowing site Wikileaks.

Its preferred method of attack? Distributed denial of service (DDOS). This is where a website is bombarded with so many requests for information that the server, unable to cope, falls over and has to go for a quiet lie down and a glass of milk.

As Graham Cluley from security firm Sophos told me this week, it's like a group of fat men all trying to go through the same revolving door – it just won't work.

This is a very basic form of attack – the DDOS, that is. It's successful for two reasons. First: scale. Anonymous 'members' (though the group is so loosely affiliated that this can apply to just about anyone who once visited one of its forums, or who just plain thinks it's 'cool') can download a tool that enables their PC to be used as a bot.

And that's all they need to do. Then their machine becomes part of the Anonymous network, and can be programmed to send out countless requests to a targeted website until it runs sobbing from the internet.

As anyone in the world with access to a PC can do this, and as a lot of people like the vague sense of rebellion and the stylings of V from the graphic novel series (chosen as the Anonymous figurehead), the result is a very large, free, powerful network.

The second reason it's successful is that even in this day and age of DIY malware kits, Zeus, SpyEye and Stuxnet, hardly anyone seems to know how to secure a website.

Even security companies such as HBGary and secure token specialists RSA seem not to know, both having experienced large-scale and embarrassing cyber attacks in recent months.

DDOS is not a sophisticated form of attack. Neither is SQL injection, where malicious code is inserted into a webform rather than, say, a user's name and address as the original coder anticipated. But that seems often to work too.

But now there's a new(ish) kid on the block. I've written a few stories over the past couple of weeks about Lulzsec, another hacking collective, although this one is nothing like Anonymous, as one of its members told me recently (at least I assume he's one of the members – pretty secretive on the whole, hackers). As the name implies, Lulzsec are in it for the lulz (laughs).

This week, besides taking down the CIA website (a DDOS attack) and an Australian web registrar, it published 62,000 email and password combinations via a file-sharing site.

It said shortly afterwards on Twitter: "Hope everyone enjoys that list. Good to see some refreshing carnage." Their followers later thanked the group for access to other people's Paypal accounts, pornographic sites and in one case, ownership of a World of Warcraft account.

And Lulzsec appears to be engaged in something of a spat with security firm Sophos, having posted several disparaging tweets aimed its way.

One read: "Sophos, every one of our tweets gets more views than a week's worth of your website traffic, and we're just spouting inane sh*t. umad?"

All in all, the episode lends further credence to the idea that hackers are unaccountable, unassailable and just maybe, unstoppable. Anonymous style themselves as the 'Lords of the Internet'. At the moment it appears that they, and their peers, are exactly that.

Stuart Sumner, chief reporter and security geek