Use Webmail? Time To Change Your Password

Various news media are reporting that over 30,000 email accounts belonging to users of web-based email providers such as Gmail, Yahoo! Mail, Hotmail and AOL (to name a few) have been compromised. It is unclear yet as to the exact nature of the compromise. Some reports state that the accounts were compromised by a phishing attack. Others, including some of the sources I have spoken to, state that the accounts were compromised as the result of a trojan or keylogger infecting the victims' machines.

Either way, if you use a webmail-based service you should change your password. Also make sure you do not use the same password across different systems, because if your email password has been compromised then those other systems could be accessed by the criminals. If you are responsible for managing the security of your organisation then consider that some of your users may use the same password for their personal email and their corporate account. You should monitor your access logs and, if you detect any suspicious activity, such as logins from countries your users are not based in, react accordingly. The CyberCrime & Doing Time blog has a good post on the topic which analyses how they believe the attack may have happened.
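One way to implement the log check described above, as an added example that is not part of the original post: it parses constructed sample access log lines (the line format, the account names, the addresses and the set of expected countries are all assumptions) and reports successful logins from countries outside the set the organisation's users are based in, together with any failed attempts that preceded them from the same address.

```python
import re

# Constructed sample webmail access log lines (not from the original post).
# Assumed format: <timestamp> user=<account> ip=<addr> country=<ISO code> result=<ok|fail>
SAMPLE_LOG = """\
2009-10-06T08:12:01Z user=alice ip=192.0.2.10 country=IE result=ok
2009-10-06T09:02:11Z user=bob ip=198.51.100.7 country=GB result=ok
2009-10-06T09:40:55Z user=alice ip=203.0.113.45 country=US result=fail
2009-10-06T09:41:20Z user=alice ip=203.0.113.45 country=US result=ok
2009-10-06T10:05:09Z user=carol ip=198.51.100.99 country=IE result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
                     r"country=(?P<cc>[A-Z]{2}) result=(?P<result>ok|fail)$")

# Countries the organisation's users are based in (an assumption for this example).
EXPECTED_COUNTRIES = {"IE", "GB"}


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_suspicious_logins(events, expected=EXPECTED_COUNTRIES):
    """Return successful logins from outside the expected countries.

    Each alert records how many failed attempts came from the same user/IP
    pair earlier in the log: failures followed by a success from a new
    country is a stronger signal of a guessed or stolen password than a
    single success on its own.
    """
    alerts = []
    failures = {}  # (user, ip) -> failed attempts seen so far
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["result"] == "fail":
            failures[key] = failures.get(key, 0) + 1
        elif ev["cc"] not in expected:
            alerts.append({"time": ev["ts"], "user": ev["user"], "ip": ev["ip"],
                           "country": ev["cc"], "prior_failures": failures.get(key, 0)})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"{a['time']} {a['user']} logged in from {a['country']} ({a['ip']}) "
              f"after {a['prior_failures']} failed attempt(s)")
```

Real access logs rarely carry a country field directly, so in practice the country would be looked up from the IP address before this check runs.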

I was interviewed by both SiliconRepublic and RTE today on this issue.

The "Beta Culture" and Security

Today’s Irish Independent has an article on “Are buggy smart phones now the reality in our new ‘beta culture’?” Marie Boran interviewed me for the piece, asking for my thoughts on the security implications resulting from our acceptance of using beta products.

From a security point of view I have to admit that I do have concerns over the growing “beta culture”. The problem is compounded by what is now acceptable to release to consumers. In many cases tagging the phrase “beta” onto your product seems to be like a get-out-of-jail-free card. But in spite of that tag a lot of these products are snapped up by the public without any consideration as to the potential risks. Would you buy a microwave, car or gas boiler if you were told it was not fully tested? Yet for electronic gadgets, computer systems and application software the general public seems to be comfortable entrusting their “digital life” to untried and untested solutions.

Look at Google’s range of applications: Gmail is still beta, as is Google Docs. Yet millions of people and businesses are entrusting sensitive and personal data to these applications. Another good example is the Google Chrome browser. This is still a beta product, yet when released it created a buzz and many people downloaded it onto their systems. Within days a number of security bugs were found within Chrome and Google had to rush out patches.

The challenge many of the vendor companies face is that they have commercial deadlines to meet in order to satisfy shareholders and customers. To compete, products are becoming more and more sophisticated and complex. It used to be that all you used your mobile phone for was making and receiving phone calls. Now your phone is a mini-computer that can take pictures and videos, record and play music and browse the Internet. But complex systems are very difficult to secure properly. The problem is that criminals and hackers actively look to exploit bugs in these systems. Badly designed and/or complex systems that are not properly tested will result in those criminals being successful.

Consumers also seem to be unaware of the risks. They want the latest and greatest gadgets or applications to show off to their friends or workmates, yet do not worry whether the products they are using could result in their data being lost, corrupted or accessed by others.

The above is compounded by the fact that companies often have in their licence agreements clauses that protect them from legal action by the customer should their device or application fail in such a way as to cause them damages. So if your sensitive financial details are stolen from your shiny new phone by criminals due to a bug in the phone’s software, then you have little or no recourse with the manufacturer.

Consumers need to be more cognisant of the risks they take with new systems and not rush out to buy the latest gadgets until they have been properly proven.  But with the appetite for newer and shinier toys ever increasing this may not happen.

Me, I still stick by my trusty Nokia 6310i mobile phone.

Microsoft To Release Out Of Cycle Patch for IE Vulnerability

Microsoft has announced that it will release an out-of-band patch for the vulnerability in Internet Explorer outlined in Microsoft Security Advisory 961051.

The patch will be released on the 17th December 2008.

Microsoft will host two webcasts to address questions on the patch. The first is scheduled for 13:00 Pacific Time (US & Canada) on the 17th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399448&Culture=en-US.

The second is scheduled for 11:00 AM Pacific Time (US & Canada) on the 18th of December; you can register for this webcast at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399449&Culture=en-US.

More details on this out-of-band patch are available at http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

I was interviewed about this vulnerability on this evening’s Last Word Show on Today FM by Matt Cooper. A podcast of the show is available here; my piece is about 5 minutes in from the beginning.

I found it interesting to see how today a security vulnerability is getting press attention, whereas a few years ago it would be computer viruses.  Have we moved on to realise that the threat landscape is changing?

Man I Feel Like A Woman

Marie Boran from The SiliconRepublic.com challenged me recently to steal her identity. I had to work within the following parameters:

  • I could do nothing illegal
  • I could only use information gleaned from online sources
  • I could not contact or collaborate with any of her friends or colleagues.

So to this end our keyboards-at-dawn challenge began and I fired up Google to see what I could find out about Marie. Suffice it to say that after much searching and cross-referencing I was able to gather enough information to build up a false identity in her name. The information I got included:

  • Her name
  • Her date of birth
  • Her father’s name
  • Her Mother’s name
  • Her home address
  • Her education details
  • Her professional details
  • Personal information on her likes and hobbies, and also what blusher she likes to wear.

Marie has provided a write up of the challenge on The SiliconRepublic.com.

For those of you outside of Ireland, would the above information be enough to steal the identity of someone in your country?

Law Society's Gazette Publishes My Opinion Piece on Breach Disclosure

The latest issue of the Law Society of Ireland’s Gazette has an opinion piece in it where I argue the case in favour of introducing breach disclosure laws into Ireland. The issue is available online and the article is on page 20. I would be interested to hear your own opinions on this important matter, especially in light of the recent security lapses resulting in individuals’ personal data being exposed and also comments by the Justice Minister, Mr Dermot Ahern, that he is considering introducing such legislation.

Keeping Data Safe at Work

Today’s Sunday Independent ran a piece in their business supplement on what companies should be doing to protect the data stored on various devices such as PCs and laptops. I am quoted in the article and highlight that companies need to develop their data classification and handling policy and educate their staff in it before rushing out to solve the problem using technology alone. I have said it before and I will say it again: technology is only part of the solution; people and processes are equally, if not more, important.

By the way, in case you read the article and are wondering what document I am holding in the picture, it is the ISO 27001 Information Security Standard. Quite appropriate for the topic being discussed.

Global Security Seminar Covered by SiliconRepublic.com

Marie Boran from The SiliconRepublic.com published a good article on the upcoming Cyber Crime seminar being run next Wednesday at 14:00 in Jury’s Hotel Croke Park. There are still places available, so if you are interested in how cyber crime can impact you, or how to prevent you, your family or your company from becoming victims of cyber crime, then contact me to register.

Summer Edition of Security Watch Newsletter Now Available

The Summer 2008 edition of our sister publication, the Security Watch Newsletter, is now available online. For those of you who do not subscribe to our newsletter, you may find it a useful read as we highlight issues and stories that may not be applicable to our blog.

Staff Issues Regarding Data Leakage

Today’s Irish Independent has an article, “The Perils of Identity Theft”, citing me on some of the issues that staff need to be aware of when dealing with sensitive personal information belonging to the customers of their employer. We all need to be careful with the data we access in order to do our job, and we need to handle that data accordingly.

When it comes to cash, companies are quick to ensure staff know exactly what they are and are not supposed to do when handling that cash. Unfortunately, when it comes to data many companies do not take the time to identify what data is sensitive, how they should protect that data, who should have access to it and how those with access should treat that data. Very often companies rely on employees to “do the right thing” or assume that IT will have it covered.

Without a comprehensive, unambiguous and well communicated data handling and classification policy your company will be doomed to have a data breach at some stage. If you are a manager reading this and your company does not have such a policy in place, then I recommend you look into this as soon as possible. Take it one step further and consider implementing the ISO 27001 Information Security Standard in your organisation. A key element of the standard is data classification and handling. By implementing the standard you will also have the confidence that your company has taken appropriate steps to make that data more secure.

If you are an employee and you are not sure what your company’s data classification and handling policy is, then you should ask. If there is not one in place, then insist that you are told exactly what you are supposed to do with the information you are working with.

Remember that some industries have regulatory and/or legal requirements for certain types of data and, in any event, the Data Protection Act places certain obligations on how companies deal with data.