ISSG Magazine – Malware

The following introduction was originally published in the BCS Information Security Specialist Group Magazine, Spring 2006 issue:

Dubious Anniversary
The PC virus turned twenty this year. The Brain.A virus was first discovered and identified on 19th January 1986. Twenty years on, how have things changed?

For the viruses, worms, Trojan horses, malware, spyware, adware, bots etc. it’s been a wonderful two decades; growth, development and migration to new platforms.

For the writers, a chance to move from earning kudos to earning cash; working with spammers, porn peddlers, extortionists and organised crime.

For the vendors, it’s been a goldmine; growth and development of threats, along with new platforms to be affected and infected, means more products and updates.

For the media, scare stories sell; they’re easy news, often written by the vendors.

For the users, we suffer more as things become more interconnected and technology ‘progresses’; we buy, install and maintain firewall and anti-everything (virus / spyware / adware / spam etc.) software with no hope of respite.

0-day Troubles
As more and more vulnerabilities are discovered, how can users, both domestic and corporate, be expected to keep up with the ever-increasing need to patch, and to patch quickly? The vulnerability-to-exploit window is becoming narrower.

0-day vulnerabilities, such as the recent one in the Microsoft Windows Metafile (WMF) format, which was exploited in the wild before a patch was available, show that some people who discover a vulnerability are looking for gain rather than fame. In such cases the vulnerability-to-exploit window has closed entirely.

As vendors such as Microsoft and Oracle move to scheduled patch release cycles, some undesirables are using their computer skills to make a profit, selling exploits for unpublished and unpatched vulnerabilities.

Reliance on patching is unlikely to be viable in the long-term. We need defence in depth, combined with systems which are less susceptible to compromise; possibly with an improved architecture and trust model, where the scope for software negatively impacting a system is considerably curtailed.

Who are you?
The National ID card continues to spark heated debate with frequently polarised opinions. One issue, with its semantic word games, is about how much the scheme will cost, and who pays. What both sides of this argument have failed to publicly address is the difference between cost and charge.

The ‘user’ may be charged a certain amount when they apply for a card. This is unlikely to represent the full cost, which will be hidden within the machinery of government. What is certain is that the taxpayer will foot the full cost of the scheme, either directly or indirectly, whatever the charge is.

Another issue, which goes beyond a debate about whether National ID cards are a good or a bad thing, is about what information will be stored in the National ID Database. Only a small number of data types are necessary, or indeed proportionate, to ‘establish identity to a high degree of assurance’.

What government representatives have proposed, discussed and suggested amounts to a massive expansion in the information stored, well beyond what is required to prove who you are. It is time the debate looked beyond the card and at the data, and how your data may be used.

ISSG Magazine – Education, Professionalism & Partnerships

The following introduction was originally published in the BCS Information Security Specialist Group Magazine, Winter 2005 issue:

Education
Recently, another new initiative to educate and protect the IT user community was launched. Get Safe Online (www.getsafeonline.org) joins the myriad of other ‘advice’ websites set up over the years, by government and industry, to help the general public identify and address computer security threats.

Hopefully this latest attempt, backed by financial and marketing assistance from big names including eBay, HSBC and Microsoft, will help the government get the message of safe online computing through to the consumer. The website offers a clear and balanced approach to mitigating Internet threats.

For cynics who see Microsoft’s support of this initiative as self-serving: advice to consider alternatives to the Microsoft browser and e-mail client software does appear on the website. A broad range of non-Microsoft security applications is also referenced, along with advice for the Apple Mac and Linux operating systems.

Professionalism
The embryonic, and tentatively entitled, Institute for Information Security Professionals (IISP) is aiming to launch on 1st January 2006. I urge you to review the work they have undertaken to date, and decide whether you support this route to the professionalisation of the information security industry.

An overview of this new body, and the Working Group papers, is available on the Security Alliance for Internet and New Technologies (SAINT) website (www.uksaint.org). Questions, comments and offers of assistance related to this new body should be directed to Barrie Wyatt (barrie.wyatt@nottingham.ac.uk).

The Working Groups have created papers on ‘Creating a Professional Body’, ‘Common Body of Knowledge’, ‘Codes of Professional Conduct’ and ‘Skills and Accreditation Requirements’. These papers are drafts which require your feedback to make them even better, and acceptable to the broadest community.

Partnerships
I was recently at a congress focused on partnerships to help tackle organised crime. The aim of the law enforcement community was to improve links with industries that have close ties with large user communities, such as banking, telecommunications, retail and e-commerce.

Areas of concern included ensuring compliance with current legislation (especially the Data Protection Act) in any information sharing agreement, and whether information will truly flow in both directions, an area in which law enforcement and the government are improving.

I think that it can be good when businesses and security professionals go beyond the limits of their usual activities (simply hawking wares) and get involved in other, non-profit-driven, activities, such as information security education and crime reduction partnerships, for the good of the wider community.

ISSG Magazine – Terrorism

The following introduction was originally published in the BCS Information Security Specialist Group Magazine, Autumn 2005 issue:

Recent Events
The terrible events of 7th July, and fortunate failures of 21st July, exploiting vulnerabilities in our transport system to cause death and mayhem, remind us all that we may be subject to attack, even while going about our normal business.

Our assets are not only our population, which we must do our utmost to protect, but also our way of life, which is not only being threatened by the attacks against us, but may be undermined by a hasty or draconian response to terrorist attacks.

The threat is from ‘international terrorism’, which has both the capability and intent, has grown over the last two decades, and considers its actions justified, as payback, for many years of the ‘West’ interfering in the affairs of the ‘East’.

As well as trying to convince the public that they’re safe from the risk of another attack, governments must be more open and honest, and target the causes of terrorism, as well as its symptoms, as part of their risk management strategy.

Real War or Cyberwar?
The oft-quoted ‘cyberwar’ has, as yet, failed to materialise. Personally, I don’t expect a digital equivalent of Pearl Harbour or 9/11 for some time. For now, I expect major attacks to remain physical, which makes for good ‘terrorism by TV’.

An electronic attack is much less likely to terrorise the general population unless the attackers acquire some new expertise or knowledge, which could be harnessed to create widespread carnage in Critical National Infrastructure (CNI).

What is not in doubt is that the current breed of ‘international terrorists’ has learned how to use the Internet and media outlets effectively for communications, information distribution, propaganda and recruitment.

New Powers?
The UK, and its own ‘coalition of the willing’, is still pushing, through the EU, for sweeping data retention powers. A past attempt at slipping it through with minimal discussion and review has been declared illegal, but we persist.

The current powers and retention requirements seem to have been sufficient in recent attacks, both at home and abroad. Those that wish for greater powers should put forward convincing arguments as to why they should get them.

Coupled with other moves – to introduce ID cards, reduce the burden of proof, allow detention without trial, limit legal representation, present secret evidence, impose control orders, and broaden surveillance – we must avoid a ‘1984’ scenario.

“Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety” – Benjamin Franklin (attributed)

If we become a police state, which spies on our people as the norm, at the same time as ‘encouraging’ such states to become democratic and open, would we meet in the middle, or would they become free as we become repressed?

In this growing surveillance society, quis custodiet ipsos custodes?

The Blog of Gareth Niblett