<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:georss="http://www.georss.org/georss" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0"><id>tag:blogger.com,1999:blog-3798604115389836864</id><updated>2009-07-17T11:58:30.644+01:00</updated><title type="text">IT Security Expert</title><subtitle type="html">The UK based IT Security Expert blog by Dave Whitelegg CISSP CCSP providing general Information Security advice &amp; help in securing the home PC &amp; home computer user, as well as business IT systems. With a focus on all the latest developments &amp; issues within the Information Security field like wireless networking, Spam, Botnets, viruses, identity theft, regulatory compliance like PCI &amp; ISO27001, hopefully all will be explained in an easy to understand not too technical way, well I'll try my best!</subtitle><link rel="alternate" type="text/html" href="http://blog.itsecurityexpert.co.uk/index.htm" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default?start-index=26&amp;max-results=25" /><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://blog.itsecurityexpert.co.uk/atom.xml" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>106</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/securityexpert" type="application/atom+xml" 
/><feedburner:emailServiceId>securityexpert</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-4395986284674781782</id><published>2009-07-10T22:11:00.006+01:00</published><updated>2009-07-12T17:58:58.063+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title type="text">118800 Mobile Phone Directory Search Privacy Concerns</title><content type="html">“118800” is a new commercial Mobile Phone Directory Search venture, which charges absolutely anyone at all £1 to obtain the mobile phone number of a UK citizen, searching by name and location. 118800 have amassed a database of around 15 million UK names, locations and mobile numbers for their directory, which was set to launch earlier in the week. I read a quote from a 118800 representative who stated the contact names and mobile phone numbers in their directory were harvested from the public domain, but what they really meant by public domain was that they probably purchased the information from market research companies, online businesses and information brokers.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;EDIT 12/06/09: Since I originally posted, a representative from 118800 has been in contact and provided further clarity on the 118800 directory search method. It seems my brief description of the service was only partial, so may be misleading. I was unable to fully test the service at the time of posting, as the service was (still is) unavailable. 
I have decided to repost all of 118800's comments below within this post, both in the interest of fairness and to ensure the description of the service is correct and is not misleading.&lt;/strong&gt;&lt;br /&gt;&lt;em&gt;"I'm from 118 800 and would like to correct the description of our service. We DO NOT give out mobile phone numbers to enquirers. We put people in touch with each other without disclosing any personal information. So if someone is trying to get hold of you through our service, you'll be called by us, told who is on the line for you and you can choose whether to be connected or not. The online service texts you with the enquirer's contact details so you can decide whether to contact them or not.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;And, just like any other directory enquiry service, the enquirer needs to know your name &amp;amp; address. So it's very likely the first person to try to contact you using our service will be a friend or acquaintance who has lost your number or not got it on them." - 118 800&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Most market research companies and online websites which collect our personal information pretty much force individuals to input their mobile number these days. A minority of the companies from which this information is collected do a good job in warning their users that their information could be shared with a third party; however some companies use small print consent and opt-out boxes which are disabled by default, knowing a percentage of people will neglect to read it properly, and some companies don’t even ask for consent, which is illegal under our regularly unenforced Data Protection Laws. So it is small wonder 118800 are able to go from zero to 15 million personal names, locations and mobile numbers in no time at all. 
Let's be clear on this, mobile service providers such as O2 and Vodafone are not providing your phone number to these guys; in fact I know they are just as annoyed at this practice. &lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/118800-785863.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="131" src="http://blog.itsecurityexpert.co.uk/uploaded_images/118800-785862.JPG" width="393" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Now it is true our government happily places our personal details on online searchable electoral rolls, which can be fully searched for a charge, and BT publish our names and home phone numbers in phone books which make them a profit by way of advertising as well, but that doesn’t make it right. We are now in the information age; information, especially personal information, has value, and companies handling our personal information are entrusted with it: they must protect it, not sell it or exploit it for profit. With the BT phone book you can opt out and go ex-directory, in fact over a third of UK citizens concerned about this have already done so, but try searching the BT website for information about going “ex-directory”, you won’t find it. Just like Sky won’t let you cancel TV package subscriptions without phoning their call centre up, BT use the same “round the houses” tactic. Incidentally Sky happily let you add TV packages by the web and via the TV. 
Online audiobook company Audible uses the same tactic: sign up for a free trial and enter your payment details online to subscribe, but to cancel, you have to phone them up, and this from an internet based company too.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;So coming back to the subject of the day, I don’t think it's right that companies profit from our personal information, but at the same time they are providing a useful tool for identity thieves. An ID thief would be happy to pay £1 to obtain a victim's mobile phone number, while we are all aware of the issues of &lt;a href="http://news.bbc.co.uk/1/hi/uk/8145245.stm"&gt;voice mail hacking by private detectives&lt;/a&gt;, which is hitting the&lt;br /&gt;&lt;br /&gt;Interestingly the 118800 website is currently down, perhaps due to complaints and negative media coverage, and they are going to the trouble to clearly describe the mobile directory search as a “Beta”. I suspect they are waiting until the heat dies down before re-launching the service. And if this sort of privacy exploitation really annoys you, send a letter to your MP. 
Remember complaining worked with web tracking advertising venture Phorm; such was the public outcry that this week, after a year of evaluating it, &lt;a href="http://news.bbc.co.uk/1/hi/technology/8140368.stm"&gt;BT and TalkTalk finally dropped their plans to use Phorm.&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The Information Commissioner's Office (ICO), charged with protecting our personal information in this information age, again shows its complete lack of teeth by basically giving this service, and other similar services that will inevitably follow, the green light.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;b&gt;So what can we do?&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;1. Complain -&lt;/b&gt; &lt;br /&gt;Some might say you will be wasting your time complaining to the ICO, but it is still well worth a shot; however I recommend complaining to &lt;b&gt;PhonepayPlus&lt;/b&gt; (&lt;a href="http://www.phonepayplus.org.uk/"&gt;http://www.phonepayplus.org.uk/&lt;/a&gt;), which regulates premium rate and directory enquiry services.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;b&gt;2. Remove your Mobile Number from the 118800 Directory&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Now if everyone did this, their service would crumble, but either way it is well worth ensuring the removal of your mobile number from the directory (it really shouldn't have to be this way) and here's how.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;When the 118800 website comes back, click on the ex-directory button on the 118800 website, or you can text the letter 'E' to 118800 (which is also currently down) from the mobile phone you want to be made ex-directory. 
118800 will send you an SMS message confirming you've been taken off. I have to give some kudos to 118800 for offering this clearly; certainly BT could learn a lesson here.&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/4395986284674781782/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=4395986284674781782" title="5 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4395986284674781782" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4395986284674781782" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/h_ArNWmwwOk/118800-mobile-phone-directory-search.html" title="118800 Mobile Phone Directory Search Privacy Concerns" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">5</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/07/118800-mobile-phone-directory-search.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-1246434451445798102</id><published>2009-07-05T20:20:00.000+01:00</published><updated>2009-07-05T20:20:46.512+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="government security" /><title type="text">Secret 
Service tells UK Government not to Publicly Disclose Data Breaches</title><content type="html">Are you wondering why there haven’t been any UK Government Department information breaches making the news headlines in recent months? Have our government departments resolved their poor Information Security Management and poor security cultures? Have other topics such as swine flu and dodgy MP expenses claims kept government data breach headlines out of the press? I would love to think UK Government Departments have cleaned up their Information Security Act, as I know serious efforts are being made; however we can't really be sure government have stemmed their poor information management tide, as I heard another reason which goes some way to explain why the once steady drip of media coverage of government department data breaches has come to a halt.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/db-790914.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://blog.itsecurityexpert.co.uk/uploaded_images/db-790913.gif" width="147" xj="true" /&gt;&lt;/a&gt;&lt;/div&gt;I don’t want to name any names, but I heard a member of a government committee working on the Digital Britain report say that government departments had been advised by a UK security service department to stop publicising data breaches, because it is letting our enemies know our weaknesses. 
If this is indeed true, I have to say I really don’t agree with this sweeping under the carpet approach; for one, the cat is already out of the bag regarding our government's track record on security, tens of millions of records have been lost that we know about, so I think our enemies already know about our weaknesses!&lt;br /&gt;&lt;br /&gt;I am a supporter of the &lt;a href="http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html"&gt;public disclosure of data breaches&lt;/a&gt; where the public's personal information is involved, to the extent I would like to see UK laws passed to ensure all organisations, both within the private and the public sectors, disclose any data breaches where citizen personal information has been actually or potentially compromised. The reason we need such laws is I feel it is the only real way entire industries and individual organisations will be bothered enough to raise their information security to the required standards, and better secure all our personal information. I believe it should be a fundamental right that we are informed if (more like when) our government, or indeed a private company, loses our personal information, placing us at increased risk of serious cybercrimes like identity theft, which is the UK’s fastest growing crime. 
Only by holding government department heads and business senior directors to account for such breaches, will organisations truly recognise the importance of properly securing our personal information, which after all we have entrusted in their care.</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/1246434451445798102/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=1246434451445798102" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/1246434451445798102" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/1246434451445798102" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/Nde59LVxQCY/secret-service-tells-uk-government-not.html" title="Secret Service tells UK Government not to Publicly Disclose Data Breaches" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/07/secret-service-tells-uk-government-not.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-6245083493931169009</id><published>2009-06-17T23:44:00.002+01:00</published><updated>2009-06-18T00:10:35.784+01:00</updated><category 
scheme="http://www.blogger.com/atom/ns#" term="PCI DSS" /><title type="text">Insecure placing of Chip &amp; Pin (PED) places Customers at Risk</title><content type="html">Don't tell the missus, but I walked into a popular fast food restaurant in Central London today, and I noticed the restaurant had fixed their Chip &amp;amp; Pin payment devices to the payment counter; these devices are known as Pin Entry Devices (PEDs) within the Payment Card Industry. The problem was they had fixed these devices behind the main raised counter, and the devices had no “pin protectors” on them, so forcing their customers to reach over a raised counter to the cashier's side to type in their 4 digit pin numbers. I observed several transactions taking place, and each customer did not shield their pin entry with their free hand, probably because it would be too cumbersome to reach over the raised counter with both hands. The net result was most people in the queue and behind the counter could observe the 4 digit pin number as it was typed in.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/chippin-761007.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://blog.itsecurityexpert.co.uk/uploaded_images/chippin-761005.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;This type of setup is a real goldmine for any potential pickpocket or mugger, as obtaining a payment card together with the pin number is a free licence to withdraw hard money from cash machines and to spend freely in shops in the short term. The flipside is this is all very bad news for the victim: in such instances where payment cards are stolen together with the knowledge of the pin number, most card issuers and banks assume their customer is at fault, and must have written their pin number down and left it in their purse or wallet, and so the customer is liable for any fraud losses. 
It can be very difficult to obtain refunds against fraudulent transaction losses in this type of scenario, not to mention the trauma of potentially being mugged for your card; remember the card has an instant high cash value if the pin is known, so the thief simply views the card as a wad of £50 notes.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/ChipandPinREX_228x317-747620.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://blog.itsecurityexpert.co.uk/uploaded_images/ChipandPinREX_228x317-747618.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;I am not saying shops should not screw down Chip &amp;amp; Pin devices to their shop counters. Fixing these devices to counters is actually a security necessity to prevent them from being “swapped out” by credit card fraudsters. Card fraudsters have been known to swap Chip &amp;amp; Pin machines when out of the sight of the cashier, then introduce a new identical looking and perfectly working device in its place. However the introduced device has been electronically modified by the card fraudsters to record each customer's card details together with their pin number. 
After a few hours or even days, the criminals return and swap out their device and download all the credit card details together with the pin numbers, and you know the rest.&lt;br /&gt;&lt;br /&gt;So it is important for card security to attach payment entry devices to shop counters, and this is my main point with this post: merchants need to understand these payment devices are meant for their customers' usage, not their own staff's usage, so they must present the pin entry devices on the customer side of the counter, allowing the customer to put in their own card and enter their pin number without being overlooked by anyone.&lt;br /&gt;&lt;br /&gt;Further, there is really no excuse not to have pin protectors installed, especially as they don’t cost much. Merchants choosing to accept card payments do have a duty of care to protect their customers from card fraud; there is even an official security standard which they &lt;b&gt;must&lt;/b&gt; follow called &lt;a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml"&gt;PCI-DSS&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/Secura-PIN-pad-758116.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://blog.itsecurityexpert.co.uk/uploaded_images/Secura-PIN-pad-758114.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;i&gt;&lt;b&gt;Chip &amp;amp; Pin (PED) with Pin Protector&lt;/b&gt;&lt;/i&gt;&lt;/div&gt;&lt;br /&gt;While on this subject, I was at a popular catalogue shop outlet in Chorley a few months back; they too had fixed their Chip and Pin devices to the counter, but this time they had a CCTV camera aimed at the shop counter and their payment devices from a high angle. 
In their wisdom they had positioned a screen to display the CCTV images, so allowing everyone in the store to view people’s pin numbers as they typed them in. So it is important for high street merchants to position CCTV correctly within their card payment environments, and consider whether it is really a good idea to show the CCTV output to the general public.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/itse-chip-pin-790308.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://blog.itsecurityexpert.co.uk/uploaded_images/itse-chip-pin-790306.jpg" width="196" /&gt;&lt;/a&gt;&lt;/div&gt;What can we do as consumers? Always keep possession of your card at all times, avoid handing it over, even to cashiers and especially waiters. Always shield your pin number entry with your spare hand as you type, as in the above picture.</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/6245083493931169009/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=6245083493931169009" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/6245083493931169009" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/6245083493931169009" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/z1ES8W299v0/insecure-placing-of-chip-pin-ped-places.html" title="Insecure placing of Chip &amp; 
Pin (PED) places Customers at Risk" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/06/insecure-placing-of-chip-pin-ped-places.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-4654462547754139675</id><published>2009-06-11T08:48:00.000+01:00</published><updated>2009-06-11T08:48:38.555+01:00</updated><title type="text">A Clear CRB Check means They haven’t been Caught Yet!</title><content type="html">Vanessa George, who worked at a Portsmouth nursery, stands accused of appalling sexual offences against young children. Already media reporters are queuing up to criticise the “enhanced Criminal Records Bureau (CRB)” check, which this apparently despicable person passed, saying the check must have either failed or the CRB checking system itself is at fault. The CRB checking system has not failed, nor is the CRB system at fault; as any seasoned security professional worth his salt will know, clear staff background checks do not guarantee an individual is not a dodgy person and is not capable of doing bad things. The truth is no background security check or test can ever provide a guarantee, whether it’s checking airport workers aren’t terrorists, checking child minders are suitable to be alone with children, or checking data entry clerks aren’t data thieves.&lt;br /&gt;&lt;br /&gt;Most organisations with staff dealing with financial information, government data or child care are required to carry out CRB checks on their employees. 
Personnel who pass these checks tend to be implicitly trusted by both their employers and by the governing bodies which make the policies to have the checks done in the first place. As I always, always say, a clear background or CRB check simply means an individual has not been caught yet! Therefore individuals within their roles, depending on the organisation, should always be considered as a potential fraudster, a terrorist or indeed a sexual offender. By all means carry out background checks on staff, but never implicitly trust that humans will not do bad things given an opportunity; only by accepting this, together with assessing the internal risks staff can pose within their role, can we build the right security controls within processes and systems which will protect against internal staff threats.</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/4654462547754139675/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=4654462547754139675" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4654462547754139675" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4654462547754139675" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/F-e5w3XLIO4/clear-crb-check-means-they-havent-been.html" title="A Clear CRB Check means They haven’t been Caught Yet!" 
/><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/06/clear-crb-check-means-they-havent-been.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-2200002961763308082</id><published>2009-06-01T18:19:00.000+01:00</published><updated>2009-06-01T18:19:23.501+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="European Data Protection" /><title type="text">EU Elections &amp; Hypocritical Privacy Protection Practices</title><content type="html">I reluctantly posted my European electoral postal vote today; reluctantly because I considered not voting at all, mainly due to the lack of an anonymous voting system, and reluctantly because the European Union Parliament is not very democratic, in that unelected and non-accountable members of committees make the laws, not the people whom I am being asked to vote for to represent me as a European Union (EU) Member of Parliament.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/Postal-vote-799471.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="148" src="http://blog.itsecurityexpert.co.uk/uploaded_images/Postal-vote-799469.jpg" width="200" /&gt;&lt;/a&gt;Voting choice wise, there is no other option provided other than a postal vote; for whatever reason it is just not possible to vote at a traditional polling station, not in my area anyway.&lt;br /&gt;&lt;br /&gt;The postal voting system involves enclosing a traditional ballot form within a 
pre-paid envelope, on which your full name is pre-printed with a unique ID number, your date of birth and your signature. Once sealed, the envelope must be placed into the public postal system as a “normal” letter, with its contents easily identifiable as a voting ballot (see picture). Should the envelope be lost (or stolen), then the person in possession will have obtained your full name, your date of birth and your approximate area of residence, from which it is child's play to establish your full address, which ironically can be found on the electoral roll, which is publicly searchable. The voter also needs to sign the envelope in order for the vote to count, so your signature is part of the package of information, which is more than enough for identity thieves to start cloning your identity and stealing credit in your name. &lt;br /&gt;&lt;br /&gt;Aside from the personal identity theft concerns, your political beliefs can also be discovered, assuming you didn’t spoil the ballot paper! Under European Data Protection Directives (laws) an EU citizen’s political beliefs are classed as “Sensitive Information”, the highest form of information classification. The EU Information Commission would be most upset if a company were to ask for or send out such information by public post; however it appears the EU must be above their own laws.&lt;br /&gt;&lt;br /&gt;And those volunteers who open and count the ballot envelopes will be privy to your political beliefs; more than likely they will be from the same area and so could know who you are. Hmm, I wonder who Mr. Smith at number 24 voted for? Meanwhile the bar codes sporting a unique number for each envelope will surely throw fuel on the conspiracy theorists' fire, and they wonder why turnouts for EU elections are so low.&lt;br /&gt;&lt;br /&gt;In the end I reluctantly posted my vote after reflecting on the millions of people who died to give me the right to vote in Europe during the last century. 
I concluded it was worth risking my financial identity out of respect to those who risked and lost their lives fighting for the right to a just, fair and anonymous voting system and a democratic and accountable government system. Whether we are now taking backward steps in Europe must be up for debate, as must whether such democratic debate can actually lead to changes in the law.</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/2200002961763308082/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=2200002961763308082" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/2200002961763308082" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/2200002961763308082" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/B4B9H6jnO0Y/eu-elections-hypocritical-privacy.html" title="EU Elections &amp; Hypocritical Privacy Protection Practices" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/06/eu-elections-hypocritical-privacy.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-4060959565075967749</id><published>2009-05-07T22:18:00.008+01:00</published><updated>2009-05-12T16:47:29.160+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="hard disk wiping" /><title type="text">Secure Hard Disk Wiping &amp; Disposal</title><content type="html">&lt;span style="font-family: arial;"&gt;A study by researchers from the University of Glamorgan and BT resulted in several alarming privacy headlines in the media today - &lt;a href="http://news.bbc.co.uk/1/hi/wales/8036324.stm"&gt;http://news.bbc.co.uk/1/hi/wales/8036324.stm&lt;/a&gt; The study involved the purchasing of old computer equipment from trade fairs and online auctions in the UK, US, Germany, France and Australia, and the recovery of data from these purchased items. The researchers were able to recover a raft of personal and sensitive data from hard disks, including detailed medical records from a Scottish NHS Trust, military secrets, business financial transactions and a variety of personal information, which included bank details and the sorts of things identity thieves crave. The study concluded around 40% to 50% of the second-hand hard disk drives they randomly purchased held sensitive data which could be recovered by pretty much anyone with half a brain.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;I have to say, I am not surprised by this study’s outcome, which highlights the problem of hard disk disposal by both organisations and especially individual home users, who simply neglect to properly erase their personal information from their computer hard disks before selling or disposing of their old computers.
Over a year ago I posted about this subject using a hypothetical story&lt;/span&gt;&lt;span style="font-family: arial;"&gt; - &lt;/span&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/2008/03/hard-disk-shredding-story.html" style="font-family: arial;"&gt;http://blog.itsecurityexpert.co.uk/2008/03/hard-disk-shredding-story.html&lt;/a&gt;&lt;span style="font-family: arial;"&gt; I have come across several real incidents where personal computers had been donated to charities by way of the old computer equipment recycle bins at local supermarkets and rubbish tips (or, as the Council calls them, household waste and recycling centres). These computers end up in places like West Africa, UK young offenders’ institutions and youth clubs etc., where new PC users soon discover the original owner’s personal information and website access credentials, and unsurprisingly go on to compromise the bank account and the various online websites used by the original owner. Now that’s gratitude for you!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Anyway, on to the big question, and what the media stories avoided explaining…&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial; font-weight: bold;"&gt;What should we do to ensure our personal information is "gone" from our old computer systems before flogging or binning them?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Well, removing the hard disk drive from the computer and hitting it repeatedly with a sledgehammer is not quite the best approach.
Physically damaging a hard disk does not necessarily render it impossible to recover the data held on it, but hey, it’s still better than doing nothing.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;To do the job properly I recommend using a &lt;span style="font-weight: bold;"&gt;“Hard Disk Wiping” utility.&lt;/span&gt; Obviously the first thing you should do before using such a tool is ensure you have backed up all your data, as once you use a hard disk wiping tool there is no way back.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;There are several commercial hard disk wiping utilities available, but there are also some good free utilities which can adequately do the job. My personal favourites are &lt;span style="font-weight: bold;"&gt;“Darik's Boot And Nuke” aka “dban”&lt;/span&gt; &lt;a href="http://www.dban.org/" style="font-weight: bold;"&gt;http://www.dban.org/&lt;/a&gt; and &lt;span style="font-weight: bold;"&gt;Eraser&lt;/span&gt; &lt;a href="http://www.heidi.ie/node/6" style="font-weight: bold;"&gt;http://www.heidi.ie/node/6&lt;/a&gt; (includes dban). [edit based on comments] &lt;b&gt;Secure Erase&lt;/b&gt; is also highly recommended: &lt;a href="http://cmrr.ucsd.edu/hughes/SecureErase.html"&gt;&lt;b&gt;http://cmrr.ucsd.edu/hughes/SecureErase.html&lt;/b&gt;&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Downloading and running these applications results in the creation of a bootable CD, which you use to boot your computer system directly into the tool.
If you are a computer novice, you may want to ask that techie relative to help you out.&lt;/span&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/dan2-782223.jpg"&gt;&lt;img alt="" border="0" src="http://blog.itsecurityexpert.co.uk/uploaded_images/dan2-782221.jpg" style="cursor: pointer; display: block; height: 274px; margin: 0px auto 10px; text-align: center; width: 320px;" /&gt;&lt;/a&gt;&lt;span style="font-family: arial;"&gt;In terms of the actual disk wiping method, I always go with securely wiping hard disks to the US Department of Defense standard, by selecting the “&lt;span style="font-weight: bold;"&gt;US DoD 5220.22-M&lt;/span&gt;” option, which will prevent even government secret service forensics experts from recovering the data, never mind petty ID thieves. Some say this level is a little over the top for a personal computer, but if you don't mind the "extra wait" for the process to complete, where's the harm, hey!&lt;/span&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/dban-730735.jpg"&gt;&lt;img alt="" border="0" src="http://blog.itsecurityexpert.co.uk/uploaded_images/dban-730733.jpg" style="cursor: pointer; display: block; height: 178px; margin: 0px auto 10px; text-align: center; width: 320px;" /&gt;&lt;/a&gt;&lt;span style="font-family: arial;"&gt;After completion of the hard disk wiping, it’s always a good idea to double-check the hard disk wiping actually worked by trying to boot the computer normally.
And if you are super paranoid after applying the DoD 5220 disk wiping standard, go ahead and take your sledgehammer to the hard disk if you really want to.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family: arial;"&gt;There are file-level secure deletion tools such as &lt;/span&gt;&lt;a href="http://www.fileshredder.org/" style="font-family: arial;"&gt;http://www.fileshredder.org/&lt;/a&gt;&lt;span style="font-family: arial;"&gt;, but for me, if you are selling or disposing of a computer holding a hard disk, or just a hard disk itself, which has held personal information, you should go with wiping the entire hard disk rather than individual files. This ensures nothing is missed; it is surprising where your personal details end up being stored within a Windows system.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;If anyone has any other disk wiping utilities they would like to recommend, or novel ways of physically destroying hard disk drives, please go ahead and post a comment.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;[edit] NIST have the ultimate say on this subject, read &lt;/span&gt;&lt;a href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf"&gt;http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf&lt;/a&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/4060959565075967749/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=4060959565075967749" title="5 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4060959565075967749" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4060959565075967749" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/NrohRQePz_Q/secure-hard-disk-wiping-disposal.html" title="Secure Hard Disk Wiping &amp; Disposal" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">5</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/05/secure-hard-disk-wiping-disposal.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-4305679509829886196</id><published>2009-04-27T18:50:00.000+01:00</published><updated>2009-04-27T18:50:01.035+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="twitter" /><title type="text">Should companies block Twitter?</title><content type="html">&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Recently I have heard several security professionals say Twitter is a source for corporate information leakage, and therefore must be blocked by businesses using web filtering.
&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/twitter-725469.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://blog.itsecurityexpert.co.uk/uploaded_images/twitter-725456.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Should companies block Twitter? In my view the question is wrong, as I don’t think blocking access to Twitter on corporate networks will do much to prevent business information leakage. The question should be: how do businesses better educate their employees in the usage of social networks such as Twitter? Educating instead of blocking will surely do a better job of mitigating the risks of information leakage and company reputation damage, the latter being the most likely outcome of unchecked employee social network website usage.&lt;br /&gt;&lt;br /&gt;Twitter allows a person to make a 140-character statement to the entire world, so in terms of information leakage it’s not about controlling data files leaving an organisation; the most someone can do is send an Internet link along with some text, albeit the text element could be company-sensitive or damaging information. However, blocking Twitter usage with corporate network web filtering will not prevent employees using Twitter, as staff can simply tweet updates using their mobile phones, or just wait until they get home, or even find a free WiFi connection when on the road. So my conclusion is blocking will do little to mitigate risk. The answer is to educate employees and provide them with rules (a policy).
Everyone in the business should be made clearly aware of what is acceptable and not acceptable to say publicly (on the Internet) about their company, their job role, work colleagues, managers and customers, whether it is on Twitter, Facebook, company Emails, on web forum postings or even down the pub in conversations with their friends.&lt;br /&gt;&lt;br /&gt;Business Directors and Senior Managers argue Twitter and other social networking websites should be blocked in the name of productivity, which is a fair and valid point, but then the question is not about managing risk at all, but about business productivity, which is a business and possibly HR question. Using “Security” to drive and hide the productivity reason to block social networking is wrong and sends out the wrong message to the user base. In my view, Security Managers need to be encouraging company staff to be onside with the security programme, not getting staff's "backs up" and pitting them against the security programme, as ultimately business security always comes down to the individual business employees, who should be and need to be supportive of the security programme, and coached to be security proactive and aware; it's these individuals who can have the biggest impact in mitigating information leakage risk.&lt;br /&gt;&lt;br /&gt;Finally, in recent times more and more people are being sacked for Twittering, including recently a magistrate (http://news.bbc.co.uk/1/hi/england/shropshire/8018471.stm) and a prospective Cisco employee (http://today.msnbc.msn.com/id/29796962/#storyContinued). So understanding the acceptable social network boundaries is not just in the interest of the company, but in the interest of each business employee, who needs to be told, and to understand, the social networking line which shouldn’t be crossed.
I think many companies today are not doing a great job in clearly explaining those boundaries to their employees.</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/4305679509829886196/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=4305679509829886196" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4305679509829886196" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4305679509829886196" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/2auaDn5tBHI/should-companies-block-twitter.html" title="Should companies block Twitter?"
/><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/04/should-companies-block-twitter.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-6977526907471737632</id><published>2009-04-08T18:41:00.003+01:00</published><updated>2009-04-08T19:01:24.379+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="terrorism" /><title type="text">Big EU is Watching You</title><content type="html">As of last Monday all Internet Service Providers (ISPs) in the European Union (EU) are required to store the details of every email and every internet phone call placed by anyone, for at least one year. Principally this European law is in the name of protecting us all from terrorism. Let me make it crystal clear: this law is not about collecting and storing Email and internet phone call content, just tracking the “when”, “the sender” and “the recipient”; think of the information listed on your telephone bill, which is already legally required to be stored by telecoms companies.&lt;br /&gt;&lt;br /&gt;Most ISPs in Europe already store this type of information, with the Email information used to help fight Spam, for instance. Despite this, most ISPs were dead against the law due to the hassle factor, but in the UK, ISPs have been “talked round” thanks to the UK government offering to reimburse ISPs the cost of storing and maintaining the data. &lt;br /&gt;&lt;br /&gt;So why the law?
Well, I think one of the key reasons is to allow EU governments “easier” and direct access to the information en masse, so bypassing the legal system (no court orders). Wait a minute, isn’t the legal system in place to protect individuals from governments? I think we can assume this information will be used for data mining, as well as for the specific investigation of individual suspects. By data mining, I mean the scanning of these vast amounts of electronic communications data for patterns which match terrorism activity, whereby the system analyses the data and then spits out the names of who it deems are terrorist suspects.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;It’s not about the “Chatter”&lt;/b&gt;&lt;br /&gt;In the Second World War, before the German Enigma machine encryption was cracked, UK intelligence would look for “chatter”, that is, tracking the number of encrypted communications being sent, as spikes in encrypted communications usually meant a German attack was being organised and therefore about to occur. The Germans counteracted this by having all Enigma operators send random messages periodically, so the spikes were not so obvious; in fact this countermeasure actually helped with the breaking of the Enigma code.
&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/Engima-DW-725153.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="156" src="http://blog.itsecurityexpert.co.uk/uploaded_images/Engima-DW-725149.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;Anyway, my point is that looking for “chatter” in high-volume Email and Internet telephone calls to predict a terrorist attack is about to occur is not likely to work, as unlike the mobilising of large military forces to carry out an attack, terrorist groups are very small and very insular in nature, and generally very careful with their communications, which is why they aren’t discovered in the first place. Given the vast amount of daily communications taking place over the EU part of the Internet, I just can’t see how it is possible to see terrorism communication chatter spikes, so this law cannot be about using chatter to help prevent or prepare against a terrorist act; not that anyone has said this publicly, but it’s worth pointing out.&lt;br /&gt;&lt;br /&gt;If anyone knows how the data mining of millions of daily EU electronic communications is going to protect us from terrorism attacks, I’d love to know. In my view, surely it is much better to target our anti-terrorism resources with good old-fashioned "police work" approaches, and so investigate individual suspects and infiltrate suspect groups, rather than assume everyone is a suspect.
Good luck if this Big Brother system decides you are a terrorist suspect, as ironically you will be the last person to find out if it does.</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/6977526907471737632/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=6977526907471737632" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/6977526907471737632" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/6977526907471737632" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/YU2G-n3yOO4/big-eu-is-watching-you.html" title="Big EU is Watching You" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/04/big-eu-is-watching-you.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-4319184648502667116</id><published>2009-03-30T18:24:00.003+01:00</published><updated>2009-03-30T18:47:55.184+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="identity theft" /><title type="text">Protect Your Identity &amp; Don’t Implicitly Trust</title><content type="html">I was looking at new cars over the weekend; I saw a
car I liked and naturally wanted to take it out for a test drive. On making this request, the car sales guy immediately asked to see my driver’s license or credit card. A little puzzled by the “or credit card”, I asked whether he needed either one to prove I was lawful to drive, or for identification purposes. The sales guy told me it was their policy, and that they needed it to prove my identity and to keep hold of for “security” while I took the car out.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/swisstony-751704.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="193" src="http://blog.itsecurityexpert.co.uk/uploaded_images/swisstony-751702.JPG" width="294" /&gt;&lt;/a&gt;&lt;/div&gt;Identity theft is the fastest growing crime in the UK, and there are certain elements which we cannot control in protecting ourselves, such as when companies lose or have stolen our personal information. But there are many elements we still can control, such as protecting the personal information we have in our possession. A UK driver’s license is one of the strongest forms of proving our identity in the UK, and therefore has value to identity thieves, who can easily clone fake versions using your details and their picture. Therefore the last thing anyone should be doing is implicitly trusting companies and strangers with holding these important forms of personal identification, especially if the document is going to be held out of sight for any period of time, or be photocopied. &lt;br /&gt;&lt;br /&gt;It's clear many people are not doing enough to protect their identities, as the sales guy's response was to tell me not to worry, as they do this all the time, and then went on to inform me that my driver’s license would be photocopied, but the details would be kept safe. Noooo!
It doesn’t need a formal risk assessment to establish there was no way I was going to implicitly trust a car salesman with anything, let alone my key personal details and documentation.&lt;br /&gt;&lt;br /&gt;So I came up with my own very simple solution: I just had the sales guy accompany me on the test drive, and so I didn’t allow a total “stranger” to hold on to and copy one of my key identity documents, and the salesman could be sure I returned with the car. By the way, I didn’t buy the car!&lt;br /&gt;&lt;br /&gt;Before handing over identity documents, just consider whether it is actually necessary; don't be afraid to question what they are needed for, and whether they will be photocopied. Consider what may happen to your identity documentation while it is out of your sight. Heaven forbid it is photocopied, as at that point you lose all control over protecting the document and another element of your identity protection.</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/4319184648502667116/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=4319184648502667116" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4319184648502667116" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4319184648502667116" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/dKS_zmAduyk/protect-your-identity-dont-implicitly.html" title="Protect Your Identity &amp; Don’t Implicitly Trust"
/><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/03/protect-your-identity-dont-implicitly.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-8938770167337979678</id><published>2009-03-20T02:06:00.001Z</published><updated>2009-07-10T22:23:25.075+01:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="card fraud" /><title type="text">UK Payment Card Fraud Continues to Soar</title><content type="html">APACS, a UK trade association for payments and payment service providers, released their annual statistics on UK payment (credit) card fraud losses. As expected, the APACS statistics show UK payment card fraud is continuing to rise, breaking the £600 Million a year mark for the first time. &lt;a href="http://www.apacs.org.uk/09_03_19.htm"&gt;2008 fraud figures announced by APACS&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In these times of billion pound bank bailouts, these figures might seem small fry, but we should remember these fraud costs are indirectly paid for by all of us payment card holders, and are recouped by card providers through higher interest rates and various charges. The card issuers and banks do cover consumers against payment card fraud losses and usually reimburse all fraudulent card transactions, but just as insurance fraud losses are factored into our insurance premiums, payment card fraud losses are passed on to consumers, so in the grand scheme of things we all foot the bill for payment card fraud in the UK. So we really ought to care more about these rising trends in UK payment card fraud, which increased by 14% in 2008.
We should be questioning what the payment card industry and merchants are doing in tackling this problem and protecting our payment card information. &lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/dwwooliesmar09-731857.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="218" src="http://blog.itsecurityexpert.co.uk/uploaded_images/dwwooliesmar09-731854.jpg" width="345" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;Another factor card issuers and banks overlook is the personal stress and inconvenience card fraud causes the victim, especially if a bank card is compromised.&lt;/div&gt;&lt;br /&gt;I’ll break down the APACS stats in another blog entry over the next couple of days, explaining the trend, and the impact of the introduction of Chip &amp;amp; Pin in the UK.&lt;br /&gt;&lt;br /&gt;As APACS released UK payment card fraud loss stats for 2008, the BBC published an undercover investigation report, which exposed how UK payment cards and personal details can be stolen to order from an Indian Call Centre. &lt;a href="http://news.bbc.co.uk/1/hi/uk/7953401.stm"&gt;BBC Overseas credit card scam exposed&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Call Centres are one of the prime locations for targeted information theft, and particularly for insider payment card information theft. It can be such a lucrative trade that, unsurprisingly, Call Centres are actively targeted and even infiltrated by criminal gangs. &lt;br /&gt;&lt;br /&gt;UK based Call Centres are problematic enough to secure against these types of threats; however, where UK companies outsource or move their call centre function offshore to save money, the risk of fraud, in my view, increases. Why? Well, to be perfectly blunt, crime rates are just a lot higher and less controlled in places like India than in the UK.
Secondly, UK companies generally do a very poor job of validating the security of their offshore, and mostly third-party operated, Call Centres, due to the distant location. Companies often assume the required security policies and procedures are being practised, and rarely conduct on-site security audits of the offshore Call Centre. Finally, it is extremely difficult to run criminal and credit checks on nationals in countries like India, because of the population size and commonality of names. So it is of no real surprise to me when I read these types of stories, as it’s been happening for years now. I guess, due to the quick reimbursement process with UK card fraud, UK consumers tend not to question how their card details were stolen in the first place, and so such Call Centre operations aren’t put under the required scrutiny. I always avoid providing my card details over the phone to anyone, at all costs; it’s actually safer to pay online or in person than to tell someone you can’t even see your card and personal information.&lt;br /&gt;&lt;br /&gt;The Payment Card Industry (PCI) has a Data Security Standard (PCI-DSS), which all merchants and payment processors are supposed to comply with, but what I find interesting in my card fraud research is that most Call Centres, UK based or not, just aren’t complying with the PCI standard. It’s routine to record all calls, so these voice recordings end up holding volumes of card information and are often left unprotected, while operators routinely write down full payment card details, including the 3 digit security code, often known as the CVV2 number.
PCI DSS (Requirement 3.2) prohibits storing the security code after authorisation, even in encrypted form, and that applies to a written note or a call recording just as much as to a database. The prohibition exists for a good reason: the code is there so a card-not-present transaction can be verified against something the merchant is not holding on file, which is what makes stolen card numbers harder to use.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/visa_cvv2-780883.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="82" src="http://blog.itsecurityexpert.co.uk/uploaded_images/visa_cvv2-780880.gif" style="cursor: move;" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;So if you are a generally low paid call centre operator, you have all the information you need to commit card fraud against countless victims: a full name, a full address, the full card number, the card expiry date and the security code, plus other personal data such as an email address. Combining a payment card with a profile of the personal details about the card holder increases its black market value tenfold. I find most dodgy call centre operators who “skim” card payment details don’t actually commit the fraudulent transactions themselves, but tend to sell the card information on to other criminals, so a real division of labour.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/simpsonscreditcard-711523.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="150" src="http://blog.itsecurityexpert.co.uk/uploaded_images/simpsonscreditcard-711517.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;Thanks to the global economic downturn, and judging by what I'm seeing on the ground, I think it's safe to say UK payment card fraud will continue to soar into 2009.&lt;br /&gt;&lt;br /&gt;
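Here is an added worked example, not code from the original post, of the kind of check a merchant or call centre can run over its own stored records (agent notes, CRM free-text fields, call transcripts) to find the very data PCI DSS says must not be there. It uses the Luhn check to tell real card numbers from phone numbers and booking references, masks any PAN to the first six and last four digits (the most Requirement 3.3 allows to be displayed) and strips labelled security codes entirely. The sample notes are constructed for the example and use the public Visa test number 4111 1111 1111 1111; the label list in the security code pattern is my own assumption about how agents write it, not anything the post or the standard specifies.

```python
import re

# Constructed sample agent notes for the example (not real customer data).
# The card number is the public Visa test PAN 4111 1111 1111 1111, which
# passes the Luhn check; the phone number and booking reference do not.
SAMPLE_NOTES = [
    "Cust J Smith, booking ref 4471, card 4111 1111 1111 1111 exp 03/11 cvv 123",
    "Cust A Jones, phone 0161 496 0000, paid by cheque",
    "Cust K Brown, card 4111-1111-1111-1112 (declined), cvv2: 987",
]

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")
# A 3 or 4 digit code after a label such as cvv, cvv2, cvc, cid or
# "security code". The label list is an assumption about how agents write it.
CVV_RE = re.compile(
    r"(\b(?:cvv2?|cvc2?|cid|security code)\s*[:=]?\s*)(\d{3,4})\b", re.IGNORECASE
)


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check over the digits in the string; separators are ignored.
    Filters out phone numbers and references that merely look card-like."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) not in range(13, 20):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Reduce a PAN to its first six and last four digits, the most PCI DSS
    Requirement 3.3 allows to be displayed, and a safe form to keep in notes."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> dict:
    """Report Luhn-valid PANs and labelled security codes found in one line."""
    pans = [m.group(0) for m in PAN_RE.finditer(line) if luhn_valid(m.group(0))]
    cvvs = [m.group(2) for m in CVV_RE.finditer(line)]
    return {"pans": pans, "cvvs": cvvs}


def redact_line(line: str) -> str:
    """Rewrite a line so it holds only what may be stored: PANs masked and
    security codes removed (Requirement 3.2 forbids keeping them at all)."""
    def mask_match(m):
        text = m.group(0)
        return mask_pan(text) if luhn_valid(text) else text
    line = PAN_RE.sub(mask_match, line)
    return CVV_RE.sub(r"\1[removed]", line)


def scan_notes(notes: list) -> list:
    """Indexes of every note still holding data PCI DSS says must not be stored."""
    hits = []
    for idx, note in enumerate(notes):
        found = scan_line(note)
        if found["pans"] or found["cvvs"]:
            hits.append(idx)
    return hits


if __name__ == "__main__":
    for i in scan_notes(SAMPLE_NOTES):
        print(i, scan_line(SAMPLE_NOTES[i]), "->", redact_line(SAMPLE_NOTES[i]))
```

Run against the constructed notes it flags the first note (a valid PAN plus a code) and the third (a code on its own, since the mistyped number fails Luhn), and leaves the phone number alone. The same scan applied to transcripts of recorded calls is how you find out whether the recordings the post describes are holding security codes.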
As payment card holders, be mindful in protecting your card information, so when that hotel receptionist over the phone asks for your card’s CVV2 number as part of the booking process, question it and refuse. And most importantly, scrutinise your card statements, as an unknown percentage of card fraud goes completely unnoticed by us consumers, and so is not being refunded by card issuers and does not appear in those APACS card fraud statistics.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3798604115389836864-8938770167337979678?l=blog.itsecurityexpert.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/8938770167337979678/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=8938770167337979678" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/8938770167337979678" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/8938770167337979678" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/-2hKAPNsFzU/uk-payment-card-fraud-continues-to.html" title="UK Payment Card Fraud Continues to Soar" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/03/uk-payment-card-fraud-continues-to.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-3721211292736160726</id><published>2009-03-17T19:49:00.001Z</published><updated>2009-03-17T20:08:06.944Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="botnets" /><title type="text">BBC Click’s Pointless &amp; Unethical Botnet usage</title><content type="html">After watching the latest BBC Click technology programme (see &lt;a href="http://news.bbc.co.uk/1/hi/programmes/click_online/7938201.stm"&gt;http://news.bbc.co.uk/1/hi/programmes/click_online/7938201.stm&lt;/a&gt;&amp;nbsp;and, to watch on BBC iPlayer (UK only), &lt;a href="http://news.bbc.co.uk/2/hi/programmes/click_online/default.stm" target="_blank"&gt;click here&lt;/a&gt;), it is clear BBC Click not only&amp;nbsp;controlled a botnet of 1,696 PCs to send spam emails, but actually paid criminals for the privilege!&amp;nbsp;The angle of the BBC Click programme was to illustrate and highlight the internet botnet problem, which to be fair is a good awareness objective and interesting; however, botnets have been widely known about for many years now, certainly within security circles.&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;&lt;i&gt;"After months of investigation and a few thousand dollars, we had managed to buy a botnet from hackers in Russia and the Ukraine." 
- BBC Click&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I'm&amp;nbsp;ALL for raising awareness of cybercriminal activities, but I think the BBC Click programme crossed the ethical line on this one, in that they actually used a botnet (namely thousands of PCs infected with centrally controlled malware)&amp;nbsp;without the PC owners’ permission to send out spam emails. Which in my view is not just an illegal act, but a pretty immoral way to make a point. Furthermore I am troubled that the BBC paid criminals thousands of pounds of licence payers’ money to buy the botnet. I think they were ill-advised to take this course of action; surely the programme makers could have spoken with any one of the many security vendors at the forefront of dealing with and understanding the intricacies of botnets instead.&lt;br /&gt;&lt;br /&gt;Many security vendors and organisations have a wealth of real world information and data on botnets accumulated over many years, as well as on the key output of botnets, which is namely spam email, and to a lesser extent botnet usage in denial of service attacks.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;I mean, wouldn't it be completely unacceptable to use thousands of pounds of licence payer cash to buy drugs just to prove there is a drugs problem, when everyone already knows there is a drugs problem?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;I don't enjoy bashing the BBC, as I am a huge fan of their many excellent services provided on TV, radio and online; however I think they dropped the ball with this one.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I carry out a great deal of research on cybercriminal activity and methodology myself, especially into online payment card fraud. 
However I am extremely careful never to cross the ethical and legal line, even though it can be highly frustrating at times.&amp;nbsp; For instance I would consider it highly unethical to purchase stolen payment card details from a cybercriminal, and it certainly would be illegal (it's fraud) to try to use stolen credit card information just to prove a point.&amp;nbsp; Despite some frustrations, I generally find such limits within my own research do not affect my ability to produce good results and raise awareness of important security issues.&lt;br /&gt;&lt;br /&gt;In fact I have been asked to perform unethical and illegal criminal and hacking actions on several occasions by reporters working for national newspapers, all of which I have refused on ethical grounds.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;So I guess I'm pretty disappointed with the BBC Click programme, as I am sure they could have easily illustrated botnet usage within a lab environment, and backed this up with real world factual data on criminal botnet usage from the anti-spam vendors.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3798604115389836864-3721211292736160726?l=blog.itsecurityexpert.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/3721211292736160726/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=3721211292736160726" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/3721211292736160726" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/3721211292736160726" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/securityexpert/~3/3_GLNh9zyt0/bbc-clicks-pointless-unethical-botnet.html" title="BBC Click’s Pointless &amp; Unethical Botnet usage" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/03/bbc-clicks-pointless-unethical-botnet.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-696502063658803831</id><published>2009-03-05T20:44:00.001Z</published><updated>2009-03-05T20:46:49.240Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="web application security" /><title type="text">Spotify: An Application Security Vulnerability</title><content type="html">&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Yesterday Spotify, a Swedish based online music/social networking&amp;nbsp;type&amp;nbsp;business, announced their music application had been successfully breached by a “Group”. The Group/attackers managed to exploit what Spotify describe as a "bug" in their software. That is PR spin: yes, maybe it is a bug, or just bad application&amp;nbsp;design causing the issue, but most security professionals would&amp;nbsp;describe it as a security vulnerability within the application. This vulnerability&amp;nbsp;was&amp;nbsp;fixed on 19th December 2008. 
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;I don’t know how, or even whether, Spotify had been testing their application for security vulnerabilities, but in my view it’s fairly likely a decent third party application penetration test or code review would have uncovered the vulnerability long before it was taken advantage of by the mystery Group. I think it’s dangerous to assume only the “Mystery Group” had taken advantage of the vulnerability, as alluded to in the Spotify breach statement. Just who this Group is, and their motives&amp;nbsp;for illegally exploiting&amp;nbsp;personal details, are unknown to me at the time of writing.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Credit where credit is due: Spotify's account management did not store passwords in plaintext form, but stored only a one-way hash of each password (a fixed-size value computed from the password by a hashing algorithm, from which the password itself cannot be read back) combined with a unique random value per account, the salt, so that every user's stored hash is different even where two users chose the same password. This is application security best practice, unlike what we saw with the recent &lt;a href="http://blog.itsecurityexpert.co.uk/2009/01/monster-jan09-breach-website-passwords.html"&gt;Monster website breach&lt;/a&gt;. 
It was these salted password hashes, along with account holders’ personal details, which were compromised within the application.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Despite the good use of “salted” hashing, an individual password hash can still be “brute forced” or run through a “dictionary attack” by&amp;nbsp;the attacker to recover the original password in plaintext, just not en masse: the salt makes a single precomputed table of hashes useless across the whole user base, so each account has to be attacked on its own, but a weak password will still fall to a per-account dictionary run, and unless the hashing function is deliberately slow that run is cheap.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Spotify were keen to stress that credit card details were not stolen; however, credit card information isn’t always the prime target for an attacker. Personal information can be worth much more than credit card details on the black market. Obtaining a person’s website password together with a&amp;nbsp;raft of personal information, especially the person’s email address and login handle, is highly valued by Internet based fraudsters. Why? Because most people tend to use the same login credentials on all their website accounts; the average internet user tends not to understand, or just poorly risk assesses, &lt;a href="http://blog.itsecurityexpert.co.uk/2009/01/problem-with-website-passwords.html"&gt;the importance of using different passwords&lt;/a&gt; with their Facebook and online banking web accounts.&lt;br /&gt;&lt;br /&gt;
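To make the salting point concrete, here is an added example, my own illustration rather than Spotify's code, and not a statement of which hash function Spotify actually used. It builds three constructed accounts, two of which share a weak password, and runs a small constructed wordlist against them. Against unsalted hashes one lookup table cracks every account at once; against per-user salts the attacker has to run the wordlist separately for each account, so the work scales with the number of users, but each weak password still falls. The last two functions show the further step the post does not mention: a deliberately slow salted hash (PBKDF2) that makes every one of those per-account guesses expensive.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the example (not real data). Two users
# chose the same weak password, which is exactly the case a salt addresses.
ACCOUNTS = {
    "alice": "letmein",
    "bob": "letmein",
    "carol": "Tr0ub4dor-with-symbols-9",
}

# Constructed attacker wordlist: a handful of common passwords.
WORDLIST = ["password", "123456", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: identical passwords give identical hashes,
    so one precomputed table of hash to word cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt followed by the password (the shape
    of scheme the post describes; the actual function Spotify used is not
    stated). Same password, different salt, different hash."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_unsalted_store(accounts: dict) -> dict:
    """What a naive application stores: user to SHA-1(password)."""
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def build_salted_store(accounts: dict, salt_len: int = 16) -> dict:
    """What a salted application stores: user to (salt, SHA-1(salt + password)).
    The salt is random per account and kept alongside the hash in the clear."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(salt_len)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def crack_unsalted(store: dict, wordlist: list) -> tuple:
    """Hash each candidate once, then look every stored hash up in the table.
    Returns (cracked accounts, number of hash operations spent)."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(store: dict, wordlist: list) -> tuple:
    """The table is useless against salts: each account needs its own pass over
    the wordlist. Weak passwords still fall, just one account at a time."""
    cracked, ops = {}, 0
    for user, (salt, stored) in store.items():
        for w in wordlist:
            ops += 1
            if salted_hash(w, salt) == stored:
                cracked[user] = w
                break
    return cracked, ops


def slow_hash(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256: salted and deliberately expensive, so each of the
    per-account guesses above costs the attacker 'rounds' times more work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def verify_slow(candidate: str, salt: bytes, stored: bytes, rounds: int = 200_000) -> bool:
    """Constant-time comparison of a login attempt against the stored PBKDF2 value."""
    return hmac.compare_digest(slow_hash(candidate, salt, rounds), stored)


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(build_unsalted_store(ACCOUNTS), WORDLIST))
    print("salted:  ", crack_salted(build_salted_store(ACCOUNTS), WORDLIST))
```

With the constructed data the unsalted run recovers both weak accounts for four hash operations in total, while the salted run recovers the same two accounts but spends ten operations (three each for the two weak accounts, four for the one that survives), and that per-account cost is what a slow hash multiplies.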
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;If you&amp;nbsp;signed up to Spotify prior to 19th December 2008 then, in addition to the &lt;a href="http://www.spotify.com/blog/archives/2009/03/04/updated-security-notice/"&gt;Spotify advice&lt;/a&gt;, check you are not using the same password on other websites (do this anyway!); if you are, it goes without saying that you should change those passwords as soon as possible and double check nothing untoward has occurred with those web accounts.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3798604115389836864-696502063658803831?l=blog.itsecurityexpert.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/696502063658803831/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=696502063658803831" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/696502063658803831" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/696502063658803831" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/9GyosJCC8D4/spotify-application-security.html" title="Spotify: An Application Security Vulnerability" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/03/spotify-application-security.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-8018477253478796024</id><published>2009-02-18T18:56:00.002Z</published><updated>2009-03-03T17:37:23.791Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="phishing" /><title type="text">UK Online Concert Ticket Scams are Rising</title><content type="html">&lt;span style="font-family: Arial; font-size: 10pt;"&gt;&lt;span style="color: black;"&gt;History shows with&lt;/span&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/2008/09/credit-crunch-to-drive-uk-cyber-crime.html#links"&gt;&lt;span style="color: black;"&gt; economic downturns comes increases in fraud&lt;/span&gt;&lt;/a&gt;&lt;span style="color: black;"&gt;, as the &lt;country-region w:st="on"&gt;&lt;/country-region&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ 
country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;UK&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt; economy 
continues to slide there are real rises in online fraud targeting &lt;country-region w:st="on"&gt;&lt;/country-region&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;place w:st="on"&gt;&lt;/place&gt;&lt;/place&gt;&lt;//place&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ 
place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;UK&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ 
place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt; citizens. 
According to a recent survey by the &lt;/span&gt;&lt;a href="http://www.oft.gov.uk/news/press/2009/11-09"&gt;&lt;span style="color: black;"&gt;UK Office of Fair Trading&lt;/span&gt;&lt;/a&gt;&lt;span style="color: black;"&gt;, one in four UK citizens either have, or know someone who has been a victim of an online phishing scam in the last 12 months, increasing from around one in six in the previous year.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: black; font-family: Arial; font-size: 10pt;"&gt;The reason why internet concern ticket scams are proving successful and are on the increase in the UK, is its child’s play for a fraudster to setup very genuinely looking website on the internet in no time at all, which dupes the victim into trusting the website’s ticket offerings and parting with their money. It’s near impossible for &lt;country-region w:st="on"&gt;&lt;/country-region&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ 
country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;place w:st="on"&gt;&lt;/place&gt;&lt;/place&gt;&lt;//place&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ 
place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;UK&lt;/place&gt;&lt;//place&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ place=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/country-region&gt;&lt;//country-region&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ 
country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/ country-region=""&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt;&lt;/&gt;&lt;//&gt; authorities to police and remove such websites until it’s too late, while it’s relatively simple for fraudsters to remain anonymous and make off with the victims money without risk of being caught. 
Furthermore some of these ticket scam fraudsters go on to use the victims’ credit card details to commit further financial fraud against the victim.&lt;/span&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/adminone2-795383.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;span style="color: black;"&gt;&lt;img border="0" height="108" src="http://blog.itsecurityexpert.co.uk/uploaded_images/adminone2-795381.JPG" width="200" /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="color: black; font-family: Arial; font-size: 10pt;"&gt;Anyone seeking to buy tickets from unofficial sources online should exercise “glass half empty” caution, and be fully aware of the risks before providing their payment details; if it’s too good to be true, it usually isn’t true.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Arial; font-size: 10pt;"&gt;&lt;span style="color: black;"&gt;To underline how the poor economic climate is pushing an increasing fraud trend, it's worth noting several truly massive frauds involving banks have been alleged in recent months, such as with &lt;/span&gt;&lt;a href="http://news.sky.com/skynews/Home/Business/RBS-Royal-Bank-of-Scotland-Facing-Potential-Losses-of-400m-After-US-Banker-Charged-With-Fraud/Article/200812315180484?f=rss"&gt;&lt;span style="color: black;"&gt;Bernard Madoff &lt;/span&gt;&lt;/a&gt;&lt;span style="color: black;"&gt;and &lt;/span&gt;&lt;a href="http://www.latimes.com/business/investing/la-fi-stanford18-2009feb18,0,3859843.story"&gt;&lt;span style="color: black;"&gt;Stanford International Bank, &lt;/span&gt;&lt;/a&gt;&lt;span style="color: black;"&gt;so it looks like it's not just the small time criminals who are at 
it.&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3798604115389836864-8018477253478796024?l=blog.itsecurityexpert.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/8018477253478796024/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=8018477253478796024" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/8018477253478796024" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/8018477253478796024" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/IAyus_Hbwuk/uk-online-concert-ticket-scams-are.html" title="UK Online Concert Ticket Scams are Rising" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/02/uk-online-concert-ticket-scams-are.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-3241455073564464532</id><published>2009-02-12T20:05:00.160Z</published><updated>2009-02-12T20:51:47.494Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="truecrypt" /><title type="text">TrueCrypt - The Best Open Source Security App (in my view)</title><content type="html">&lt;span style="font-family: Calibri; font-size: small;"&gt;During the week I was advising a group of techies about free 
anti-virus applications and free network vulnerability scanning applications and tools. I was asked, "What is the best free security application I have used to date?"&amp;nbsp; Without any hesitation I replied TrueCrypt.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;span style="font-family: Calibri; font-size: small;"&gt;TrueCrypt is an example of an Open Source application at its best.&amp;nbsp; In TrueCrypt we have a multi-platform application of real commercial quality, providing seamless “on-the-fly” encryption; encrypting folders (mounted as volumes), disk partitions and entire hard disks to rigorous industry best practice standards. Yet TrueCrypt is completely free for anyone to download and use, local country laws permitting of course.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;img alt="Main TrueCrypt Window" height="362" src="http://www.truecrypt.org/images/screenshots/xp_main.png" width="420" /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;span style="font-family: Calibri; font-size: small;"&gt;TrueCrypt is a download of less than 3Mb and is compatible with just about any version of Microsoft Windows, including the 64-bit versions and Vista, as well as Mac OS X and Linux distributions. 
Taking well under a minute to install, TrueCrypt doesn’t even require a system reboot and is quickly ready to go. TrueCrypt's speed of usage and low background encryption overheads are testament to years of good open source development and coding.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;span style="font-family: Calibri; font-size: small;"&gt;To download TrueCrypt, including the open source code, visit &lt;/span&gt;&lt;a href="http://www.truecrypt.org/downloads.php"&gt;&lt;span style="color: blue;"&gt;http://www.truecrypt.org/downloads.php&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small;"&gt; &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;span style="font-family: Calibri; font-size: small;"&gt;I have never had any problems installing and using the latest versions of TrueCrypt; however, before installing and deploying any application which is going to provide an encryption function on your system, I strongly advise backing up all the important files and data on your system first.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;img alt="TrueCrypt Volume Creation Wizard" height="257" src="http://www.truecrypt.org/images/screenshots/xps_wizard-v6.1a.png" width="420" /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;span style="font-size: small;"&gt;&lt;span style="font-family: Calibri;"&gt;The TrueCrypt “Volume Creation” encryption wizard and detailed tutorial guides even allow non-techies to protect their valuable information in just minutes.&amp;nbsp; For the encryption geeks like me, there’s a whole raft of encryption and hash algorithm options to play with, such as AES, Twofish and &lt;span style="font-family: Calibri; font-size: small;"&gt;Serpent &lt;/span&gt;on the encryption side, and SHA-512, Whirlpool and RIPEMD-160 on the hashing 
side.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;img alt="TrueCrypt Volume Creation Wizard – encryption algorithms" height="257" src="http://www.truecrypt.org/images/screenshots/xps_wizardciphers.png" width="420" /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;span style="font-family: Calibri; font-size: small;"&gt;To secure an encrypted volume, TrueCrypt gives the options of either using a “Key File” (a text file holding the full encryption key), using a password, or using a combination of a “Key File” and a password, which controls and restricts access to the encrypted volume(s).&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Calibri; font-size: small;"&gt;For the best level of protection I personally would go with using a password and a Key File, storing the Key File on a USB flash drive, but don’t leave the USB flash drive in the system; keep it on your person (e.g. on a keychain). Doing this provides strong two-factor access control, which means you need to physically have the USB flash drive (hardware token), and you need to know the password. However I would say just using a good strength password is sufficient security for the average home user.&amp;nbsp; Also it's very important to make sure you create a “Rescue Disk” and store it somewhere safe, just in case.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;span style="font-family: Calibri; font-size: small;"&gt;TrueCrypt has been developed for&amp;nbsp;over 6&amp;nbsp;years by a community of clever folk (&lt;a href="http://www.truecrypt.org/"&gt;http://www.truecrypt.org&lt;/a&gt;), with "V6.1a" being the&amp;nbsp;latest version of TrueCrypt at the time of writing. 
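Put into code, the password plus Key File combination described above looks like the following. This is an added example written for this post, not TrueCrypt's own code: the way the key file is mixed with the password, the PBKDF2 iteration count and the toy volume header (a random salt plus a MAC over a fixed marker) are all assumptions chosen for illustration, while TrueCrypt's real header format and key-file handling are defined by the project itself. The point it shows is the two-factor one: a volume created with both factors refuses to unlock when either the password or the key file is missing or wrong.

```python
import hashlib
import hmac
import os

# Constructed illustration of combining a password with a key file before key
# derivation. NOT TrueCrypt's real key-file mixing or header format; it only
# shows why both factors are needed once they are combined this way.

ITERATIONS = 100_000  # PBKDF2 work factor, an assumed value for the demo


def combine_factors(password: str, keyfile_bytes: bytes) -> bytes:
    """Mix the password with a digest of the key file content.

    Hashing the key file first lets a key file of any size be used and makes
    the result depend on every byte of it. Changing either factor changes the
    combined input, and therefore the derived key.
    """
    keyfile_digest = hashlib.sha512(keyfile_bytes).digest()
    return password.encode("utf-8") + keyfile_digest


def derive_header_key(password: str, keyfile_bytes: bytes, salt: bytes) -> bytes:
    """Derive a 64-byte key from both factors with PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac(
        "sha512", combine_factors(password, keyfile_bytes), salt, ITERATIONS, dklen=64
    )


def create_volume_header(password: str, keyfile_bytes: bytes) -> dict:
    """Create a toy header: a random salt plus a MAC over a fixed marker.

    A real header would carry the encrypted master key; a MAC of a constant
    marker is enough here to tell a correct unlock from a wrong one.
    """
    salt = os.urandom(32)
    key = derive_header_key(password, keyfile_bytes, salt)
    tag = hmac.new(key, b"VOLUME-HEADER-CHECK", hashlib.sha512).digest()
    return {"salt": salt, "tag": tag}


def try_unlock(header: dict, password: str, keyfile_bytes: bytes) -> bool:
    """Return True only if password AND key file reproduce the header MAC."""
    key = derive_header_key(password, keyfile_bytes, header["salt"])
    expected = hmac.new(key, b"VOLUME-HEADER-CHECK", hashlib.sha512).digest()
    # Constant-time comparison so the check itself leaks nothing via timing.
    return hmac.compare_digest(expected, header["tag"])


def demo() -> dict:
    """Exercise the combinations of right/wrong password and key file."""
    keyfile = os.urandom(4096)        # constructed "USB stick" key file
    wrong_keyfile = os.urandom(4096)  # a different file of the same size
    header = create_volume_header("correct horse battery", keyfile)
    return {
        "both_correct": try_unlock(header, "correct horse battery", keyfile),
        "password_only": try_unlock(header, "correct horse battery", b""),
        "keyfile_only": try_unlock(header, "", keyfile),
        "wrong_keyfile": try_unlock(header, "correct horse battery", wrong_keyfile),
    }


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case:15s} -> {'mounted' if unlocked else 'refused'}")
```

Running it prints "mounted" only for the first case; the other three are refused because the derived key no longer matches, which is exactly the property that makes the key file a second factor rather than a convenience.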
I salute and heartily thank the community that has given the world TrueCrypt, and let us not forget those boffins who designed their encryption algorithms and have allowed them to become open source as well, and therefore used by TrueCrypt. &amp;nbsp;I recommend TrueCrypt to the business community and home users everywhere, but hey, just make sure you don’t break your country’s encryption strength laws when using it! ;)&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;span style="font-family: Calibri; font-size: small;"&gt;If you use TrueCrypt, especially in a commercial capacity, please do the decent thing and make a donation (&lt;a href="http://www.truecrypt.org/donations/"&gt;http://www.truecrypt.org/donations/&lt;/a&gt;). Donating will encourage further development of TrueCrypt and encourage the development of other Open Source security tools.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0cm 0cm 10pt;"&gt;&lt;span style="font-family: Calibri; font-size: small;"&gt;If anyone else reading this has any favourite “must have” free security applications or tools, please let me know, as I’m thinking about compiling a top ten list.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3798604115389836864-3241455073564464532?l=blog.itsecurityexpert.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/3241455073564464532/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=3241455073564464532" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/3241455073564464532" /><link rel="self" type="application/atom+xml" 
href="http://www.blogger.com/feeds/3798604115389836864/posts/default/3241455073564464532" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/qNg0vcP_bf0/truecrypt-best-open-source-security-app.html" title="TrueCrypt - The Best Open Source Security App (in my view)" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/02/truecrypt-best-open-source-security-app.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-4009888988763072557</id><published>2009-02-10T07:30:00.004Z</published><updated>2009-02-10T16:39:07.594Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="woolworth credit card blunder fraud" /><title type="text">Woolworths Credit Card Blunder</title><content type="html">I have been quoted (more like misquoted!) in several national newspapers in relation to the Woolworths Credit Card Blunder, where I understand a batch of payment card details were found in a bin. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.mirror.co.uk/news/top-stories/2009/02/09/the-blunder-of-woolworths-115875-21109011/"&gt;http://www.mirror.co.uk/news/top-stories/2009/02/09/the-blunder-of-woolworths-115875-21109011/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dailymail.co.uk/news/article-1139484/Woolworths-customers-risk-ID-fraud-staff-dump-banking-details-skip.html"&gt;http://www.dailymail.co.uk/news/article-1139484/Woolworths-customers-risk-ID-fraud-staff-dump-banking-details-skip.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The important points which didn't make it into these articles were...&lt;br /&gt;&lt;br /&gt;1. 
Concerned former customers of the Woolies store should not panic about losing money!&amp;nbsp; Where a merchant (Woolies) is found to have been sloppy in protecting its customers' payment card details, which results in fraud against the card holders, the card issuers/banks normally fully reimburse all the fraudulent transactions. This is especially so when fraud occurs en masse, as it is a lot easier to trace back to the original merchant responsible. Therefore customers would be protected against fraudulent transactions even though Woolies are out of business. Technically we all pay for card fraud through higher interest rates on cards anyway; by the way, card fraud cost the UK around £600M last year, with 1 in 4 UK citizens being inconvenienced. UK card fraud is on the increase too, going up 14% in the first six months of 2008. Because of the state of the economy at the moment, I am expecting payment card fraud to rise even further when new figures are released. &lt;a href="http://blog.itsecurityexpert.co.uk/labels/global%20credit%20crunch%20cyber%20crime%20uk%20card%20fraud%20trend%20malware.html"&gt;http://blog.itsecurityexpert.co.uk/labels/global%20credit%20crunch%20cyber%20crime%20uk%20card%20fraud%20trend%20malware.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2. If you are concerned you might be a victim of card fraud, be extra vigilant with your credit card and bank account statements, and check every transaction. Fraudsters tend to test whether stolen card details are active by trying a transaction for a small amount, or going for a mobile phone top-up credit.&lt;br /&gt;&lt;br /&gt;Also, credit card issuers and banks are very good at detecting fraud on your behalf, so if they alert you about potential fraud or unusual transaction(s) on your account, get in contact as soon as you can in case it is fraud, which will allow you to limit the damage.&lt;br /&gt;&lt;br /&gt;3. 
I have put together a "Reducing your Risk of Identity Theft" guide &lt;a href="http://itsecurityexpert.co.uk/downloads/ITSE-Reducing_your_Risk_of_Identity_Theft.pdf"&gt;http://itsecurityexpert.co.uk/downloads/ITSE-Reducing_your_Risk_of_Identity_Theft.pdf&lt;/a&gt;, which can really help reduce your risk of payment card fraud; there are also plenty of other good guides on the internet to search for.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3798604115389836864-4009888988763072557?l=blog.itsecurityexpert.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/4009888988763072557/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=4009888988763072557" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4009888988763072557" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4009888988763072557" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/f8nyk1s3rKk/woolworths-credit-card-blunder.html" title="Woolworths Credit Card Blunder" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/02/woolworths-credit-card-blunder.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-2727342607261107002</id><published>2009-02-06T18:34:00.070Z</published><updated>2009-02-06T20:50:45.062Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="Twitter Google Latitude Security sociel networking" /><title type="text">Twitter &amp; Google Latitude Security – Just be careful</title><content type="html">&lt;div class="MsoNormal"&gt;Twittering is really taking off in the UK at the moment, thanks to celebrity endorsements by regular tweeters such as Stephen Fry, Jonathan Ross, Phillip Schofield, Andy Murray and Alan Carr to name a few. &amp;nbsp;In simple terms, Twitter allows you to write and share 140 character statements with other Twitter users, which is a kind of current status update, with the majority of tweeters using mobile devices to provide regular updates of what they are currently doing or thinking about. It's not as boring as it sounds, for instance &lt;a href="http://twitter.com/stephenfry"&gt;Stephen Fry&lt;/a&gt; just posted &lt;i&gt;"&lt;/i&gt;&lt;i&gt;Just landed in a rainy LA. Phones banned in customs hall these days. Will confiscate them if used. 
Gulp."&lt;/i&gt;, while &lt;a href="http://twitter.com/AlanCarr"&gt;Alan Carr&lt;/a&gt; posts &lt;i&gt;"Get back to school you little s**s and stop throwing snowballs at my hanging baskets."&lt;/i&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/twitter_logo-747696.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="72" src="http://blog.itsecurityexpert.co.uk/uploaded_images/twitter_logo-747693.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I’m not one for social networking as I don’t like the idea of sharing all my personal details with the whole world, only my views on information security.&amp;nbsp; However I have been giving Twittering a go (&lt;a href="http://www.twitter.com/SecurityExpert"&gt;www.twitter.com/SecurityExpert&lt;/a&gt; - follow me if you wish!), although I have to say I am having a few difficulties. &amp;nbsp;I really don’t like revealing where I am, nor can I talk about what I’m doing most of the time for client confidentiality and general security reasons, and I don’t really want to go on about what I had for breakfast either!&amp;nbsp; Another problem for me is I’m not really good at doing short posts, as you will gather from reading this blog, but nevertheless I am going to persist with twittering, mainly to keep a couple of nagging mates happy, and besides I find reading some of those celebrity tweets rather amusing.&lt;br /&gt;&amp;nbsp;&amp;nbsp; &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Security wise, I don’t want to appear hypocritical and some sort of killjoy or an alarmist, but I do have a nagging security concern with Twitter which bothers me. 
I simply don’t think it’s a good idea to tell the world where you are all the time, especially when out of the country or on holiday. Surely telling the world where you are is bound to increase the risk of having your home burgled, especially if you are a celebrity who is followed by countless anonymous thousands.&amp;nbsp; For instance seven Liverpool football players have had their houses broken into while they were playing football matches, because the thieves knew where they lived, and knew the players wouldn’t be at home.&amp;nbsp; &lt;a href="http://news.bbc.co.uk/cbbcnews/hi/newsid_7710000/newsid_7716500/7716505.stm"&gt;http://news.bbc.co.uk/cbbcnews/hi/newsid_7710000/newsid_7716500/7716505.stm&lt;/a&gt;.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&amp;nbsp;&amp;nbsp; &lt;br /&gt;Google launched &lt;a href="http://www.google.com/latitude/intro.html"&gt;Google Latitude&lt;/a&gt; this week, which allows mobile phones to be tracked within Google Maps. The initial response from the non-tech-savvy media was to prey on people’s privacy fears.&amp;nbsp; But I have to say Google have got the privacy approach right, which is to have the privacy set to “on” as the default position. Most social networking sites adopt the opposite position with privacy settings; for example the privacy default in Twitter is to allow anyone to follow your posts, rather than just trusted friends.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&amp;nbsp;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/googlelat-742502.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="210" src="http://blog.itsecurityexpert.co.uk/uploaded_images/googlelat-742436.bmp" width="391" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Let's make the privacy of Google Latitude clear. 
For any mobile phone to be tracked on Google Maps by Google Latitude, the mobile phone owner must first enable the tracking feature on their mobile phone. The entry of phone numbers via the Google Latitude webpage (see above) is just a misleading ruse, and merely sends a text message with a link to Google Maps to the phone. So you just cannot track anyone or any phone number you want!&lt;br /&gt;&amp;nbsp; &lt;br /&gt;The mobile phone user must enable the tracking on the mobile phone itself, and then select who he or she would like to see his or her location. The default setting is to not allow anyone to track, with the user selecting specific Google friends to be allowed to see his or her location, rather than the entire world. And finally the user can select the level of tracking detail, which for instance can be set to track by city name rather than to specific streets.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;My security advice with Google Latitude is to be careful about being too overzealous about who you are allowing to know your location; I mean, do you really want your boss and work colleagues to know where you are at the weekend?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;Google Latitude is certainly an interesting tool; sure, there are some privacy concerns to think about, but I think Google’s approach is spot on, and it could have some interesting uses, such as tracking where your kids are! 
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3798604115389836864-2727342607261107002?l=blog.itsecurityexpert.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/2727342607261107002/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=2727342607261107002" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/2727342607261107002" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/2727342607261107002" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/T52naGJWBEs/twitter-google-latitude-security-just.html" title="Twitter &amp; Google Latitude Security – Just be careful" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/02/twitter-google-latitude-security-just.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-614757646026775299</id><published>2009-01-30T00:45:00.036Z</published><updated>2009-01-30T01:02:03.648Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="monster data breach website passwords" /><title type="text">Monster and Website Passwords issues further explained by Sophos</title><content type="html">Graham Cluley, a Security Expert and blogger from &lt;a 
href="http://www.sophos.com/"&gt;Sophos&lt;/a&gt; got in contact after reading my recent posts on the latest &lt;a href="http://blog.itsecurityexpert.co.uk/2009/01/monster-jan09-breach-website-passwords.html"&gt;Monster jobsite breach&lt;/a&gt; and &lt;a href="http://blog.itsecurityexpert.co.uk/2009/01/monster-jan09-breach-website-passwords.html"&gt;the problem with website passwords&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Graham had also highlighted the same issues with website passwords on his &lt;a href="http://www.sophos.com/blogs/gc/"&gt;blog&lt;/a&gt;, and has put together a nice little video explaining the issue, which he has kindly allowed me to share below.&lt;br /&gt;&lt;br /&gt;&lt;object height="225" width="400"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=2974130&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=2974130&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="225"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;a href="http://vimeo.com/2974130"&gt;What the Monster.com security breach teaches us about passwords&lt;/a&gt; from &lt;a href="http://vimeo.com/sophoslabs"&gt;Sophos Labs&lt;/a&gt; on &lt;a href="http://vimeo.com/"&gt;Vimeo&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3798604115389836864-614757646026775299?l=blog.itsecurityexpert.co.uk%2Findex.htm'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/614757646026775299/comments/default" 
title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=614757646026775299" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/614757646026775299" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/614757646026775299" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/P8tNVAyQZkE/monster-and-website-passwords-issues.html" title="Monster and Website Passwords issues further explained by Sophos" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/01/monster-and-website-passwords-issues.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-6306679093749292187</id><published>2009-01-28T19:03:00.038Z</published><updated>2009-01-28T19:03:04.445Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="monster data breach website passwords" /><title type="text">Monster Jan09 breach: The Website Passwords Problem</title><content type="html">&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Only a day or so after posting "&lt;/span&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/2009/01/problem-with-website-passwords.html"&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;The Problem with website Passwords&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;" another big data breach at online job website “Monster” has come to light. 
What is particularly relevant to my last post&amp;nbsp;and highly concerning is that in their breach statement Monster said website user account&amp;nbsp;passwords were stolen along with other personal details, including Email addresses, names and user IDs.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;em&gt;"We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers"&lt;/em&gt; - statement from http://www.monster.com/ &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Firstly, their web application is blatantly insecure by design: it is basic web application security for website (web application) passwords to be one-way hashed with a unique salt (number), which makes it pretty much impossible for anyone, including a hacker or someone with full privileged access, to obtain a user's actual password. This is&amp;nbsp;because with hashing the website database does not store the user's actual password, but instead a unique hash (a long number) derived from the user's password, which is checked upon sign on.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Secondly, as I said in the &lt;a href="http://blog.itsecurityexpert.co.uk/2009/01/problem-with-website-passwords.html"&gt;The Problem with website Passwords&lt;/a&gt; post, it is likely most Monster website users are using the same website credentials on other website accounts (i.e. 
user id, email address, their name, password), so hundreds of thousands of online banking, PayPal and eBay accounts are now likely to be at risk because of this breach; this is not just about Monster.com. On the black market this type of website account access information has high value, typically ten times the value of a stolen credit card for example, and this in my view is probably the reason why Monster was targeted for this information in the first place. Security monitoring of Monster accounts isn’t going to help as the horse has bolted: it is likely this information has already been split up and sold on around the world. Just to repeat this point, the target of the breach is not to illicitly access people's CVs on Monster!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Finally, Monster also stores an array of typical password reset questions, based on personal information only known to the website account holder. Monster didn't make any mention of this in their statement, but it's fair to assume these details were also stolen along with everything else, again providing fraudsters with all the information they need to impersonate a victim online, including resetting passwords on other websites. 
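The "one-way hashed with a unique salt" design the post calls basic web application security is easiest to see next to the plaintext store it replaces. The following is an added example written for this post, not Monster's schema or code: the user rows, the PBKDF2 work factor and the SHA-256 choice are constructed for illustration. A simulated dump of each table shows the difference the post describes: the plaintext store hands over every password, the salted-hash store does not contain the password at all, and two users with the same password still get different stored hashes because each has a different salt.

```python
import hashlib
import hmac
import os

# Constructed illustration of plaintext password storage versus a salted
# one-way hash. The rows are sample data made up for the demo, not any real
# site's records.

ITERATIONS = 100_000  # PBKDF2 work factor, an assumed value for the demo


class PlaintextStore:
    """The insecure-by-design shape: whoever reads the table reads passwords."""

    def __init__(self):
        self.rows = {}

    def register(self, user_id: str, password: str) -> None:
        self.rows[user_id] = {"password": password}

    def login(self, user_id: str, password: str) -> bool:
        row = self.rows.get(user_id)
        return row is not None and row["password"] == password


class SaltedHashStore:
    """Only a per-user random salt and a one-way hash are stored."""

    def __init__(self):
        self.rows = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted, one-way: the stored value cannot be turned back into
        # the password, and each guess costs ITERATIONS hash operations.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        self.rows[user_id] = {"salt": salt, "hash": self._hash(password, salt)}

    def login(self, user_id: str, password: str) -> bool:
        row = self.rows.get(user_id)
        if row is None:
            return False
        # Constant-time compare so a near-miss cannot be detected by timing.
        return hmac.compare_digest(self._hash(password, row["salt"]), row["hash"])


def simulate_breach(store) -> dict:
    """What someone who copies the whole table learns about each user."""
    dumped = {}
    for user_id, row in store.rows.items():
        if "password" in row:
            dumped[user_id] = row["password"]  # password recovered outright
        else:
            dumped[user_id] = None             # only salt and hash; no password present
    return dumped


def demo() -> dict:
    """Register two users with the same password in both stores and compare."""
    users = [("alice", "Summer2009"), ("bob", "Summer2009")]  # constructed sample data
    plain, salted = PlaintextStore(), SaltedHashStore()
    for user_id, pw in users:
        plain.register(user_id, pw)
        salted.register(user_id, pw)
    return {
        "plain_breach": simulate_breach(plain),
        "salted_breach": simulate_breach(salted),
        # same password, different salt -> different stored hash
        "salted_hashes_differ": salted.rows["alice"]["hash"] != salted.rows["bob"]["hash"],
        "salted_login_ok": salted.login("alice", "Summer2009"),
        "salted_login_bad": salted.login("alice", "summer2009"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-user salt is the detail that matters for the reuse problem the post goes on to describe: without it, every user sharing a password would share a hash, and one cracked value would open all of those accounts at once.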
If this is indeed the case, I would have to say this is one of the worst breaches I’ve seen, since it is putting Monster users' accounts on other websites at risk. From what I’ve read so far, I think the media have missed this angle in reporting the breach and its potential significance and impact on the average Joe.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;My advice, if you are a Monster user: change your Monster website password to something unique in case they are hacked again - let's be honest, Monster have a history of data breaches now! Then ensure you aren't using that new password or your old Monster website password on any other website you are signed up with. And finally, review any Monster password reset questions you have in place and the potential impact on other websites using the same reset questions.&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/6306679093749292187/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=6306679093749292187" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/6306679093749292187" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/6306679093749292187" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/k1Ww2dwj7kc/monster-jan09-breach-website-passwords.html" title="Monster Jan09 breach: The Website 
Passwords Problem" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/01/monster-jan09-breach-website-passwords.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-1475664372089496155</id><published>2009-01-21T20:16:00.000Z</published><updated>2009-01-21T20:16:00.538Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="password security" /><title type="text">The Problem with Website Passwords</title><content type="html">We are all consumers of the Internet, and as consumers we are heavily reliant on a single username and a password to identify and authenticate ourselves to the vast majority of websites. The number of different websites on which any one typical individual is tapping in a username and password combination is not only an awful lot but is always increasing. Typically we are talking in excess of 30 different websites, which range from e-commerce shopping websites, online banking, auction sites, social networking websites, online Email, forums and message boards, World of Warcraft and even blog sites such as this one, so the list of websites requiring an individual access credential from an Internet consumer is pretty endless. 
Yet if someone else were to find out and use our website access credentials for ill gain, it can turn into a stressful situation at best, or a costly, time consuming, soul destroying nightmare of identity theft.&lt;br /&gt;&lt;br /&gt;However, when it comes to the security of our website passwords, it tends to be overlooked and “taken for granted” by us, the website consumer, even though it falls within our own security responsibility. Be truthful, do you really use different usernames and passwords for each different website? Naturally the vast majority of people I ask do not use different passwords for each individual website, for the simple reason that a menagerie of passwords on thirty plus separate websites is too high a burden for the average person, and so memorising all those different passwords is just an unacceptable security trade-off for most folk. Yet using the same combination of username and password credentials on different sites presents an increased risk, should a single account access credential be compromised.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The “Single Sign-On” Solution&lt;/b&gt;&lt;br /&gt;This problem is far from a new one, and Internet egg-heads have been trying to crack it for many years now, hoping to make a buck or two in the process. The answer to the website username and password problem is to replicate how this same age old problem was tackled and generally resolved within the corporate network environment. Over a decade ago the same problem was faced within the corporate IT environment, where there were many different IT systems requiring different credential combinations for individual access; in fact today this problem is still happening in the corporate world to a lesser extent. &lt;br /&gt;&lt;br /&gt;The answer to the problem was to use “single sign-on” access to authenticate a user once and use that master authentication to grant the appropriate access to the many other systems within the corporate environment. 
The “single sign-on” solution is fairly easy to implement within the corporate environment, simply because the backbone corporate network access system can be implicitly trusted, with it being the entry point perimeter for all individual access within the environment, the “master” of access control if you like. Using a “master” system for access control allows single sign-on access to be used to govern and control access to other IT systems and applications within the corporate environment. This has worked well within private corporate networks, so we just need the same type of single sign-on access for different Internet websites. So we require a perimeter “master” access control system, which can be implicitly trusted. Who can set this up and be implicitly trusted by the huge array of organisations and communities on the internet? Oh, that’s Microsoft, right?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Microsoft Single Sign-on&lt;/b&gt;&lt;br /&gt;The Microsoft single sign-on system, originally dubbed “Net Passport” and now called “Windows Live”, was launched many years ago with the purpose of being the de facto Internet website single sign-on, and indeed it was a real contender for website single sign-on access. However, for whatever reason (could it be trust?) it really never took off, with only Microsoft websites such as Xbox Live and the odd commercial website signing up to use the system.&lt;br /&gt;&lt;br /&gt;Others have also tried creating a website Internet single sign-on, but it’s still all work in progress at the moment. I think one day an across-the-board trusted Internet single sign-on system will eventually happen, but I think it will be built around a more secure hardware token based system, rather than a password based system for access. 
However, the reality of today is that the vast majority of websites require a username and password combination which is unique to that particular website.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The age old Password Problem&lt;/b&gt;&lt;br /&gt;Using a username and password to control access has always been problematic and far from a perfect security control. The specific problem is that such a system is reliant on an individual memorising a password, which can cause the following yo-yo problem:&lt;br /&gt;&lt;br /&gt;1. The first problem is people have a tendency to write down their passwords. The more complex the password requirement and the more difficult the password becomes to remember, the more likely the password will be written down by the user. Writing down passwords can pretty much remove the main purpose of having a password system in the first place. Another thing which causes people to write down passwords is a cumbersome password reset process: if resetting is painful for the individual, they are more likely to write the password down than go through it again. &lt;br /&gt;&lt;br /&gt;In the corporate world I come across many access control systems using over zealous password requirements. For example, a system using a complex password of at least 16 characters in length, with a forced change every 30 days, actually increases the security risk of an account being compromised. The increased risk is simply because the likelihood of the password being written down by the system users increases significantly. In my view, best practice is to force passwords to be complex with at least 8 characters in length, with a 90 day forced change and 3 attempt account lockout. The secret is the account lockout, which safeguards the system against brute force attempts and negates the requirement for over lengthy passwords and over zealous forced password changes. 
However, what is interesting to compare here is that it is extremely rare for account lockout to be used on Internet websites, other than by the odd online banking website, which means hackers can and do brute force website accounts.&lt;br /&gt;&lt;br /&gt;2. The second problem with Internet website credentials is with the actual password reset process. Especially if you consider e-commerce sites, as the last thing they want is to make it too difficult for their consumers to access their shopping cart and to pay at the checkout. From their point of view, if a customer can’t log in, they can’t spend, so it doesn’t make good business sense for them to make the consumer password reset process over difficult when consumers forget their password, yet this introduces a security weakness. &lt;br /&gt;&lt;br /&gt;Let’s take for example Sarah Palin’s (remember her?) online Email account, which was easily “hacked” during the recent American election campaign. Why was it easy? Well, it is because her password reset question was easily guessable. In this case the password reset question was about her personal history, which just happened to be splashed across the media at the time. &lt;br /&gt;&lt;br /&gt;Look at the typical website password reset questions: “What is your favourite colour? What’s your post code? What’s your date of birth? Where were you born? What’s your favourite sport? What’s your dog’s name? What school did you first attend? What university did you attend?” Obtaining your account name and your email address (or guessing them in some cases), coupled with details about your background, can be enough for a cybercriminal to access your website account. You could find out the answers to most of these types of password reset questions using a search engine or within social network sites. 
In fact such personal details are sold by cybercriminals.&lt;br /&gt;&lt;br /&gt;I saw stats from the Serious Organised Crime Agency which said you can buy a complete package of UK personal data on an individual for £80. Actually I find from my research it’s a lot less, around £20 per package. What you get for your money, alongside credit card or bank account information, is a full profile: full name, full address, date of birth, educational history, and other miscellaneous information which can include pet names and even children's details. The bad guys even offer a guarantee it is correct! So when looking at those typical website password reset questions, you can understand why individual profile information has a lot more commercial value than bank and credit card details, as well as for the identity theft angle, where such details can be used to obtain credit fraudulently.&lt;br /&gt;&lt;br /&gt;I know of some UK banks which use a single factor username and password, together with a personal question (i.e. what’s your mother's maiden name?), to gain access to online banking. &lt;br /&gt;&lt;br /&gt;Many websites actually email a new reset password, or even the original password, to the individual. There is one type of online website which doesn’t Email passwords but displays them on the webpage, and that’s web based Email, which is why a commonly used technique of hackers is to go for control of the target's web based Email account, which ironically allows them to read password resets from other websites.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Summary&lt;/b&gt;&lt;br /&gt;So if the password reset process is too difficult, as with most online bank accounts (not all of them though!), the more likely the consumer will write the password down somewhere. Quite often I find users tend to store their website passwords on their PC, usually in a Notepad or Word document on their desktop - talk about putting all your eggs in one basket! 
Sure, this is a different risk to using the same combination of credentials over and over again on different websites, but it still presents a risk. If you must put all your eggs in one basket by storing them, there are ways to store them securely on your PC, which usually involves an application and remembering another username and password! &lt;br /&gt;&lt;br /&gt;Another method often used is to automatically store usernames and passwords in the web browser, so they automatically populate the credential fields on the website. Again not the best policy, especially if the PC is shared or in a cyber café. Credentials held in the browser cache are not usually stored encrypted and can be easily recovered, and some malware applications actually target such information. In fact 95% of malware (viruses, worms, etc) has one aim, to steal data, with website access credentials top of the list. There are many different types of malware attack, which can be as simple as recording a person’s key strokes and secretly forwarding those details on, and there is even malware which will scan for files and documents matching the profile of holding account and password details. It’s not too hard: go to your search box and search for “password”, for example.&lt;br /&gt;&lt;br /&gt;In the corporate world, for some reason people like writing passwords onto Post-It notes and sticking them to their monitors; another place to check is under the keyboard, which is a favourite of IT folk for some reason.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Tips&lt;/b&gt;&lt;br /&gt;1. Use different passwords with different sites. Especially ensure you use unique passwords for those highly sensitive websites, such as your online banking and any e-commerce websites which store your payment card information.&lt;br /&gt;&lt;br /&gt;2. If you need to store your array of passwords, ensure they are stored encrypted. 
You could use a “password vault” application or encryption software such as TrueCrypt or PGP to create an encrypted file or folder.&lt;br /&gt;&lt;br /&gt;3. Be careful setting your password reset questions.&lt;br /&gt;Good systems let you set your own question yourself. If yours does, ensure it is a question that no-one else could guess. &lt;br /&gt;&lt;b&gt;TIP: &lt;/b&gt;If a friend or close relative doesn’t know the answer to your question, then it’s a good password reset question.&lt;br /&gt;&lt;br /&gt;If the system uses bad password reset questions, such as “What’s your first school?”, lie in the answer and put something different that you remember, but ensure you can remember that lie!&lt;br /&gt;&lt;br /&gt;In the corporate world it is best practice to change your passwords every 90 days; however, most people never ever change their online passwords. But if you can find the time, try to change your website passwords on an annual basis. &lt;br /&gt;&lt;b&gt;TIP: &lt;/b&gt;Pay particular attention to older passwords on systems which tend to use poor password complexity requirements, meaning they can be brute forced or are guessable.&lt;br /&gt;&lt;br /&gt;4. 
Ensure your Anti-Virus is enabled and up-to-date. 95% of Malware (Viruses, Worms) collect information, especially website login credentials, which can be collected from the browser cache (stored passwords) or from monitoring what’s typed by the user (known as a key logger). Keeping your Anti-Virus up-to-date will help keep such malware at bay.</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/1475664372089496155/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=1475664372089496155" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/1475664372089496155" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/1475664372089496155" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/LqPvfWpV8EA/problem-with-website-passwords.html" title="The Problem with Website Passwords" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/01/problem-with-website-passwords.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-4786069044232333887</id><published>2009-01-11T18:46:00.000Z</published><updated>2009-01-11T19:11:12.552Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="UK data breach disclosure laws" /><title type="text">Why UK Data Breach Disclosure Laws are Necessary</title><content type="html">Just before Christmas, a UK national press reporter asked for my views on public disclosure of data breaches by UK companies. The reporter was writing a piece highlighting UK companies and organisations which appear not to have a policy of publicly disclosing their data breaches, and were even dead set against any moves for new UK laws forcing public disclosure.&lt;br /&gt;&lt;br /&gt;I think the reporter was expecting a "the public has the RIGHT to know" type response; however I see a more fundamental overall benefit in having laws in place to ensure all UK companies and organisations fully disclose data breaches to the UK general public...&lt;br /&gt;&lt;br /&gt;“Public disclosure of data breaches plays an important role in driving security improvement across industries. Public scrutiny and criticism often act as a wake up call to companies running unnecessary risks, especially those operating in the same industry as the breached organisation. There is nothing like seeing a competitor made to run over hot coals due to a data breach to invoke a Board level reaction within similar types of company, which leads to self assessment (could this happen to us?) and the quick instigation of security improvements. 
If you found out your next door neighbour's house was burgled, isn’t one of your first reactions to assess your own home’s security?&lt;br /&gt;&lt;br /&gt;The public are entitled to be fully informed about data breaches, not just those individuals affected. As consumers, we want to make a fully informed decision when buying products and services, and knowingly or not, security and trust come into play in our decision process. This is especially the case with companies which take and hold our money and personal details. Such informed consumer choice provides competitive pressure, ensuring companies meet the security obligations, responsibility and trust demanded by their customers.&lt;br /&gt;&lt;br /&gt;Keeping data breaches secret is a dangerous approach, as it prevents public discussion and the raising of security awareness. As a result other companies are not benefiting and learning the lessons, and so are not driving security improvement and can continue to run unnecessary risks with their customers’ information.”</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/4786069044232333887/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=4786069044232333887" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4786069044232333887" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/4786069044232333887" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/securityexpert/~3/M0ad_I5p5TQ/why-uk-data-breach-disclosure-laws-are.html" title="Why UK Data Breach Disclosure Laws are Necessary" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-1855360651824768460</id><published>2008-12-17T19:57:00.001Z</published><updated>2008-12-17T20:58:48.128Z</updated><title type="text">Even Phishing Emails warn of Phishing Emails</title><content type="html">I received a Phishing Email targeting customers of a UK bank just moments ago. I wouldn't normally post such things up, but I found this one particularly amusing and a bit of a phishing Email first, because the email actually warns of suspicious Emails and phishing! I thought the phrase "A new Second Level Password" particularly funny. The scam email finishes with another warning about "suspicious e-mail appearing to be sent by Alliance &amp;amp; Leicester Commercial Bank - please ignore it and contact us now"; it's all rather like a 1970s Monty Python sketch!&lt;br /&gt;&lt;br /&gt;Phishing Emails always target one of two human emotions, Fear or Greed. 
This one is targeting Fear; its objective is to scare the receiver into thinking their bank account security (their money) has been compromised, so encouraging the user to click the link through to a bogus website impersonating the bank site, where the user's banking credentials are unknowingly harvested. "Greed" based phishing Emails usually offer free prizes, free holidays or just straight up cash, for example telling the receiver they have won the European Lottery, or that a Nigerian millionaire needs you to pay the bank transfer fees in order to send the large oil inheritance you have due, not that the user has ever entered any lottery nor has any connection with Nigeria whatsoever.&lt;br /&gt;&lt;br /&gt;Perhaps I shouldn't be making light of these scam Emails, as even though most people are aware of these types of phishing email scams today, there are always one or two who do get sucked in and caught out. This is why these scam emails are still commonplace in our mailboxes; it is simply because they do work.&lt;br /&gt;&lt;br /&gt;(I have removed the bogus website links) &lt;br /&gt;&lt;blockquote&gt;"Dear Customer,&lt;br /&gt;&lt;br /&gt;Latest News&lt;br /&gt;&lt;br /&gt;ALERT MESSAGE: SUSPICIOUS E-MAILS - PHISHING FOR DEBIT CARD NUMBERS AND PASSWORDS:&lt;br /&gt;&lt;br /&gt;Please be informed that currently fraud e-mails are sent to customers and non - customers of Alliance &amp;amp; Leicester Commercial Bank requesting to provide their online banking details.&lt;br /&gt;&lt;br /&gt;In any case you should not provide any of your personal information or banking details.&lt;br /&gt;&lt;br /&gt;A new Second Level Password has been sent to all our Retail customers in your online&lt;br /&gt;&lt;br /&gt;Please activate the new one.&lt;br /&gt;&lt;br /&gt;Start now the Alliance &amp;amp; Leicester Commercial Bank authentication process.&lt;br /&gt;&lt;br /&gt;When you log onto the service we will ask you to 
accept the updated Terms and Conditions.&lt;br /&gt;&lt;br /&gt;Once you have accepted these, you will be able to access your accounts in the usual way.&lt;br /&gt;&lt;br /&gt;Alliance &amp;amp; Leicester Commercial Bank would never ask you to give through e-mail or any other mean any private and confidential information. &lt;br /&gt;&lt;br /&gt;If you receive in your mailbox a suspicious e-mail appearing to be sent by Alliance &amp;amp; Leicester Commercial Bank, &lt;br /&gt;&lt;br /&gt;please ignore it and contact us now.&lt;br /&gt;&lt;br /&gt;Alliance &amp;amp; Leicester Commercial Bank Online Billing Department."  &lt;/blockquote&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/1855360651824768460/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=1855360651824768460" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/1855360651824768460" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/1855360651824768460" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/rXa3rTcQ69Q/even-phishing-emails-warn-of-phishing.html" title="Even Phishing Emails warn of Phishing Emails" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2008/12/even-phishing-emails-warn-of-phishing.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-878542180617832772</id><published>2008-12-16T22:50:00.007Z</published><updated>2008-12-17T21:05:09.215Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="Internet Explorer Firefox vulnerability OWASP flaw" /><title type="text">No such thing as a Secure Web Browser</title><content type="html">The big security story in the mainstream news today has of course been the security vulnerability with Microsoft's Internet Explorer web browser (&lt;a href="http://news.bbc.co.uk/1/hi/technology/7784908.stm"&gt;Serious security flaw found in IE&lt;/a&gt;). The vulnerability can be exploited by deliberately engineered or compromised regular websites, allowing the attacker to invisibly access the host PC system, from which point a whole series of further possible attacks can be run, such as stealing website usernames and passwords. At this time Microsoft aren't saying when they will be releasing a patch to fix this issue, which is really unfortunate, as this vulnerability has been known about for at least a week from my own knowledge. &lt;br /&gt;&lt;br /&gt;The solution to the problem being eagerly suggested on TV and radio news is to download, install and then use a different web browser, as they are not affected by this flaw (which is completely true), and are safe &amp;amp; secure. I have a problem with the latter, which I heard said and implied on several occasions today; this is a highly misleading statement, as there is no such thing as a "secure web browser". 
&lt;br /&gt;&lt;br /&gt;A couple of weeks ago I spoke with some nice chaps from OWASP (Open Web Application Security Project), a non-profit making and "The" world recognised authority on web application / website security. At the time I was taken aback and found it astonishing that at their last OWASP "brain storming" event, which was attended by some of the world's leading web (site) application experts, not one of the web browser companies or organisations sent a representative, despite them all being "VIP" invited to the event. OWASP rightly recognise that the architects and developers of web browsers play a key role in the overall security of web sites (web applications) on the internet, and the big flaw discovered with IE really highlights this.&lt;br /&gt;&lt;br /&gt;The leading alternative web browser in use on Windows systems at this moment is &lt;a href="http://getfirefox.com/"&gt;Mozilla Firefox (click here to download it)&lt;/a&gt;, which is completely free to download and pretty easy for any novice to install and start using. Personally I switched from using Internet Explorer (IE) to Firefox several months back, mainly because I found it was generally a better web browser to use than IE, and I particularly found the array of security related browser plug-ins extremely useful. So I'm a Firefox convert, but I think it would be a completely wrong and dangerous statement for anyone to state or suggest Firefox is more secure than Internet Explorer; all web browsers by their nature, open source or not, are bound to have vulnerabilities present which are currently unknown and are yet to be exploited. 
You cannot ever get 100% security, and this law especially applies to software applications.&lt;br /&gt;&lt;br /&gt;So what's my advice to IE users? Well, I'm not quite going to be a sheep and bleat what I've heard others advising the masses today, which was to just switch to another web browser application, and hey, I'm certainly neither pro nor anti Microsoft either...&lt;br /&gt;&lt;br /&gt;My advice is if you are using Internet Explorer, &lt;b&gt;make sure you have "PROTECTED MODE" ENABLED (IE7 or 8 with Vista) and set the Security Zone to "HIGH". &lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/protected_mode_ie7-716611.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img src="http://blog.itsecurityexpert.co.uk/uploaded_images/protected_mode_ie7-716512.jpg" border="0" /&gt;&lt;/a&gt;&lt;/div&gt; And then make sure you are taking the usual security measures on your PC, such as enabling the local (Windows) firewall, applying all Windows patches &amp;amp; updates, and installing and keeping up-to-date anti-virus / anti-spyware software. 
Until a patch is released, be especially cautious when browsing "dodgy" type websites. Setting the security zone to high allows you to accept or deny any scripts being executed through the web browser, which is how this and other vulnerabilities are exploited.&lt;br /&gt;&lt;br /&gt;Sure, this could be an opportunity to give Firefox or another web browser such as Safari, Opera or Chrome a try out. Using a different web browser will fully protect you from this particular flaw, but do not assume your new web browser is any more secure than Internet Explorer. We tend to know a great deal about the security issues and weaknesses of IE, mainly due to it being the world's most popular, and therefore the most attacked, web browser. Firefox has also had (and no doubt will have further) its fair share of serious security vulnerabilities too - &lt;a href="http://www.mozilla.org/security/announce/"&gt;Mozilla Foundation Security Advisories&lt;/a&gt;, but these tend not to get the same level of media coverage, and to be fair Firefox vulnerabilities have tended not to be exploited to the same high degree as IE vulnerabilities at present, but if everyone switched to Firefox and it became the world's most popular browser...&lt;br /&gt;&lt;br /&gt;So if you are a Firefox user (like me), make sure you exercise all the usual security precautions on your PC: firewall, patches, security software etc. 
And for any techie who is truly paranoid, you could do what I do when researching the really dodgy websites, which is to run your web browser in a virtual session.&lt;br /&gt;&lt;br /&gt;Finally I have no doubt Microsoft will release a patch for this issue in the next few days anyway, it's just a real disappointment they couldn't have patched the problem last week as part of the usual security patch release cycle.&lt;br /&gt;&lt;br /&gt;EDIT 17-Dec-08: Since the original post, Microsoft has released a patch for this vulnerability - &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx&lt;/a&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/878542180617832772/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=878542180617832772" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/878542180617832772" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/878542180617832772" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/7WiyVO3ablM/no-such-thing-as-secure-web-browser.html" title="No such thing as a Secure Web Browser" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2008/12/no-such-thing-as-secure-web-browser.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-2523468104859090927</id><published>2008-12-09T19:50:00.005Z</published><updated>2008-12-10T09:38:44.566Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="wifi enterprise security wpa" /><title type="text">Recommended Business WiFi Encryption</title><content type="html">&lt;p&gt;I was forwarded an interesting WiFi security tech question yesterday which resulted in a debate about whether hiding a WiFi SSID made you secure. I just couldn't resist answering the question, and as usual went off on a security mission with my answer. Lots of positive comments on my answers and my general advice around home and enterprise WiFi security, so I thought I'd post it up on my blog for all to see.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Original Q. "I've been having an ongoing debate about the practice of hiding SSIDs in a corporate environment. I'm curious to know if hiding SSIDs is widely (emphasis on widely) considered a best practice or whether there are equal arguments on both sides. My thoughts are that if you couple high grade encryption (WPA2) with some form of authentication (802.1x?) then hiding the SSID is unnecessary - and in fact makes it harder for valid users to find the network."&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;"Hiding the SSID can keep out the casual WiFi browsing neighbour, but will not prevent the “school boy” level of WiFi broadband thieves from finding out the details of your WiFi network, you know those guys who steal WiFi for downloading illegal games, music and other unsavoury whatnot…&lt;/p&gt;
&lt;p&gt;The SSID name plays an important part in the WPA-PSK encryption process, as the name is used to uniquely create (or salt, as it is referred to) the hash of the WPA passphrase in order to protect against bruteforce attacks, as each bruteforce attempt needs to be hashed 4096 times, meaning it takes ages to try combinations for the passphrases, although it is doable if you have power and time on your hands. I have rainbow tables (like a hash answer cheat sheet) for the most popularly used SSID names against pre-computed hash values, which allows me to bruteforce passphrases extremely quickly, so I can quickly crack poor WPA-PSK passphrases for the most commonly used SSIDs like “NetGear”.&lt;/p&gt;
&lt;p&gt;So therefore my advice for commercial companies using WiFi is to always go with the enterprise WPA encryption options instead of using WPA-PSK (static key/passphrase). At home, go with a long and unique SSID name and a decent random passphrase, which will prevent rainbow table hash bruteforce. If you are super paranoid at home, go with a 20 char+ random SSID name; hiding it doesn’t make any difference to those with the capability of breaking in.&lt;/p&gt;
&lt;p&gt;Another point already made, do not name the SSID after your family name or company/department, you shouldn’t advertise what it is to the world, unless you are offering a guest WiFi network.&lt;/p&gt;
&lt;p&gt;And yes, we all know WEP has been broken for 6 years, any WEP key can be cracked in a couple of minutes no matter the length and complexity of the password and SSID name you used.&lt;/p&gt;
&lt;p&gt;Also in the corporate environment, best practice is to scan for WiFi rogue access points at least once a quarter, or even buy a device which continually scans if you have a particularly sensitive site to protect; this is regardless of whether you use WiFi or not at the site.&lt;/p&gt;
&lt;p&gt;Oh, MAC address filtering is a waste of time too, MAC addresses can be easily spoofed (in fact they are impossible to prevent from being sniffed), applying a sniffed MAC address to a network card within any OS is easy."&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Response - "Thank you for your informative response. While I’m quite knowledgeable of Microsoft’s products (AD, Exchange, etc.), I’d consider myself an intermediate when it comes to wireless security. When setting up WAPs, I’ve always used WPA-PSK because that’s what I know to do. I assume that Enterprise WPA is more secure, but I don’t know what it is. Is there a website that you could point me to, to help learn more about this? I understand that there’s a thing called 802.1x authentication that, for example, would let me require authentication against my Active Directory. I envision a wireless user establishing the connection, and being prompted to enter their AD credentials, or perhaps it takes what’s cached from when you login to the computer. Again, any good concise references to this stuff would be greatly appreciated."&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;"To recap, WPA-PSK (Pre-Shared Key) is a personal mode designed for home and small office users who basically do not have any authentication servers available, i.e. Active Directory. WPA-PSK operates in an unmanaged mode using a pre-shared key (PSK), and uses a passphrase to create the encryption key; this is the big weakness, as it’s vulnerable to bruteforce attacks. If you have to use this mode within the business setting, I recommend a passphrase of at least 13 characters and regularly changing that passphrase. BTW the passphrase can be up to 95 characters in length.&lt;/p&gt;
&lt;p&gt;By Enterprise modes, I was referring to WPA &amp;amp; WPA2 with IEEE 802.1X and EAP, which operates the WLAN in a managed mode. It uses the IEEE 802.1X authentication framework and EAP (Extensible Authentication Protocol) to provide authentication between the client and the authentication server. In this mode each user is assigned a unique key to access the WLAN. In answer to your question, it uses single sign-on with AD, or it can prompt, or it can be set up to use certificates.&lt;/p&gt;
&lt;p&gt;Something else I should mention about enterprise modes is WPA-TKIP. TKIP encrypts each data packet for each individual user one at a time, making the encryption extremely difficult to break. WPA uses the RC4 encryption cipher, whereas WPA2 uses the AES encryption cipher, which provides a stronger degree of encryption than RC4. Recently TKIP was shown to have several minor weaknesses, in that it’s possible to inject a few packets and decrypt ARP frames in around 15 minutes; although this is not overly concerning nor a major flaw, in my view it is always best to completely avoid such potential issues and go with the WPA2 AES option given a choice.&lt;/p&gt;
&lt;p&gt;You can use digital certificates with WPA-EAP-TLS, and there’s PEAP authentication as well; all have single sign-on capabilities with Active Directory, LDAP, NDS and even with NT Domains."&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/2523468104859090927/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=2523468104859090927" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/2523468104859090927" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/2523468104859090927" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/pwFjKE2nKMw/recommended-business-wifi-encryption.html" title="Recommended Business WiFi Encryption" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2008/12/recommended-business-wifi-encryption.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-169606812325502092</id><published>2008-11-14T22:01:00.000Z</published><updated>2008-11-14T22:01:00.473Z</updated><title type="text">Reason to Secure your Home WiFi</title><content type="html">Just the other week I saw a “Which? Computing” report which highlighted complaints against video games companies who were going around accusing innocent people of being file-sharing pirates. In one case Atari accused a couple in Scotland of file sharing the game Race07. 
The couple were aged 54 and 66, and unsurprisingly had never played a computer game in their entire lives, yet they received a threatening letter care of Atari’s lawyers, instructing them to pay a £500 fine or face court action.&lt;p&gt;In due course the fine and case were rightly dropped; however there were 70 other similar cases dropped, often involving senior citizens who have never heard of peer-to-peer file sharing.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://blog.itsecurityexpert.co.uk/uploaded_images/blog1-722448.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 194px; height: 200px;" src="http://blog.itsecurityexpert.co.uk/uploaded_images/blog1-722444.JPG" alt="" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;But what caught my attention was the law firm’s response in making these accusations. According to Michael Coyle, an intellectual property solicitor with law firm Lawdit, “more and more people are being wrongly identified as file-sharers. Most commonly problems arise when a pirate steals someone else's network connection by "piggybacking" on their unsecured wireless network”. &lt;span style="font-weight: bold;"&gt;While prosecutors argue that users are legally required to secure their network&lt;/span&gt;, Mr Coyle dismisses this. "&lt;span style="font-weight: bold;"&gt;There is no section of the Copyright Act which makes you secure your network although it is commonsense to do so&lt;/span&gt;" he said.&lt;/p&gt;
&lt;p class="MsoNormal"&gt;For some time now I have been warning home users about the consequences of not securing their home WiFi properly, or even purposely sharing WiFi Internet access with anyone in range. In this case it was a computer game being shared without the WiFi network owner's knowledge, which resulted in a scary letter from a law firm. But what if their neighbours or a complete stranger were using the Internet connection to file share illegal pornography? It would probably result in a knock on the door by the police, subsequent removal of all computer equipment from the address and an arrest. Interestingly the lawyers were certainly thinking about blaming the WiFi network's owner; I wonder, if the network was intentionally shared by the owner, whether they could be found liable. Regardless of that, I don't think it's the smartest move to purposely share your home WiFi network outside your home.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://blog.itsecurityexpert.co.uk/uploaded_images/wi-fi-theft-uk-lg1-763034.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 200px; height: 117px;" src="http://blog.itsecurityexpert.co.uk/uploaded_images/wi-fi-theft-uk-lg1-762892.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Opening wireless network access up, or not ensuring the WiFi is properly secured, opens up many other concerns. For one it’s possible for someone to listen in on (snoop) your Internet traffic, learn what websites you visit and in some cases steal personal information. Unless you encrypt your Email, the bad guys can intercept and read your Email, and even adjust the Email contents without your knowledge. And by attacking the wireless router from inside the WiFi network, they can even redirect you invisibly to fake websites. For instance it's possible to snoop which bank website you use and adjust the DNS on the WiFi router, so the next time you visit your bank website your computer sends you to a fake bank site which has the correct URL in the address bar; in doing this the bad guys could harvest your bank account website logon credentials without your knowledge.&lt;/p&gt;&lt;p&gt;All food for thought: whether it's the stealing of your personal information, or your neighbours committing file sharing piracy or worse, you should make sure your home WiFi is secured for just your own usage, and avoid all the inconvenience and hassle.&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/169606812325502092/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=169606812325502092" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/169606812325502092" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/169606812325502092" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/IPjGbgbVJX0/reason-to-secure-your-home-wifi.html" title="Reason to Secure your Home WiFi" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2008/11/reason-to-secure-your-home-wifi.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-3798604115389836864.post-2609798199933577152</id><published>2008-11-11T02:37:00.004Z</published><updated>2008-12-16T23:14:19.491Z</updated><category scheme="http://www.blogger.com/atom/ns#" term="Web app application security bill hoffman hp security labs spi dynamics webinspect" /><title type="text">Web Application Security with HP's Billy Hoffman</title><content type="html">The increasing shift in Internet hacking attacks towards the (web) application layer is leaving many end customers as victims. Recently I met up with the head of HP Security Labs and web application security researcher Billy Hoffman, and discussed why this attack vector is on the rise, and solutions to the problems.&lt;br /&gt;&lt;br /&gt;In recent years there has been an explosion in the number of web applications on the Internet, the so called “Web 2.0”. Web applications are becoming more complex; whether they are social networking sites, e-commerce sites or banking sites, the new breed of web applications are increasingly handling large amounts of consumer financial data and personal details. Such information is of commercial value and is targeted by cyber-criminals. Many web applications are simply not developed as securely as they ought to be, and as a result are vulnerable to web application hacking and attacks. The bad guys are taking advantage of this situation, with recent research showing 75% of cyber attacks are now carried out at the web application level. So the stakes are high for the end consumers of these web site applications, and the rewards are high for the cyber-criminal who exploits poorly written web application code to steal data. 
In essence, if the application doesn’t have proper security checks written into the code, the hacker can take advantage and make the web application do something it wasn’t designed to do; this can result in large amounts of consumer information being harvested by cyber criminals. One of the most common attacks is SQL Injection, which can literally return whole chunks of the database within the webpage, while another common attack is known as Cross-Site Scripting (XSS), which allows the attacker to inject malicious code into the webpage, which in turn could steal user login sessions and deliver malware to user desktops, amongst other things.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Firewalls do not protect Web Applications&lt;/span&gt;&lt;br /&gt;What’s even more worrying about web application attacks is that such attacks are often not even being monitored and are therefore going unnoticed by the website administrators. A web application (layer 7) attack completely bypasses the security and monitoring provided by devices such as network Firewalls, Intrusion Detection and Protection Systems and website encryption (SSL/TLS - that golden padlock on the browser). Even network level penetration tests resulting in “not hackable” seals of approval offer no guarantee against a web app hack. So when you see that webpage stating it’s a “secure website”, using encryption (“https”) and displaying an up-to-date anti-hack testing seal of approval by a well known security company, it has no bearing on the security of the web application, which could be full of major security issues despite all those security measures, which only operate at the network layer.&lt;br /&gt;&lt;br /&gt;The network layer security really does lull some organisations into a false sense of security. 
A specific web application layer penetration test can be used to test for web application vulnerabilities; however these are still rarely carried out regularly by medium to small sized organisations, and even some large organisations, mainly because it costs too much to get one done, or the organisation just isn’t aware of the problem.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Reality of Web App Hacks&lt;/span&gt;&lt;br /&gt;A recent UK example highlights the problem: a few months ago Manchester based online clothing outlet Cotton Traders disclosed that their website users were victims of a web application attack, namely a SQL Injection attack, in early 2008. They had firewalls, a “secure” encrypted website and a seal of approval, yet their customers had credit card details stolen through a web application attack. And just last week Netcraft found a cross-site scripting vulnerability on Yahoo - &lt;a href="http://news.netcraft.com/archives/2008/10/26/ongoing_phishing_attack_exposes_yahoo_accounts.html"&gt;Netcraft&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Why are these Web Application Attacks possible?&lt;/span&gt;&lt;br /&gt;It’s quite simple: the developers writing the web application code either do not know how to code a web application to be secure, such as using proper field validation, or the developers are skipping proper coding techniques in a bid to have the application ready and released due to commercial pressures on time. Either way these are needless flaws and yet are all too commonplace, with 8 out of 10 web applications on the Internet having a high to medium web application vulnerability going unchecked.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How to combat Web Application Security?&lt;/span&gt;&lt;br /&gt;Some vendors will stake their or their client’s reputation on installing a Web Application Firewall (WAF); however WAFs are still a relatively new technology. 
I have to say I am sceptical about any vendor who says such a product is the silver bullet which will plug all possible web application layer vulnerabilities. The other big problem with a WAF is throughput, as every packet has to be inspected at the top layer of the protocol stack (layer 7), so data packets need to be disassembled and analysed, which takes time and results in a performance hit. The answer to the performance hit is to have a large WAF or many WAF devices inline, which can really rack up the cost. I am not dismissing using a WAF, but for me it needs to be part of a “belt and braces” security approach, which means ensuring the code is developed and tested for web application vulnerabilities prior to release; for me that is the first and key battleground to win, ahead of installing a WAF.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How to Secure the Development of Web Applications&lt;/span&gt;&lt;br /&gt;To do this, developers need to be properly and regularly trained to code web applications securely. In addition, other controls within the development process are needed to ensure corners are not cut, security coding is not being missed, and mistakes are not being made. It is surprisingly easy to miss validation on that one field; the more complex the application, the more likely security vulnerabilities are to slip in. The answer to this problem is to use a web application vulnerability scanning tool as part of the development process, and for testing within live environments.&lt;br /&gt;&lt;br /&gt;One of the leading commercial web application vulnerability scanning suites is Hewlett-Packard Security Labs’ DevInspect, WebInspect &amp;amp; QAInspect, which was formerly under the umbrella of SPI Dynamics, which was acquired by HP in 2007. 
For further details about these tools and what they can do click here&lt;br /&gt;&lt;a href="https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&amp;amp;cp=1-11-201_4000_100__%20"&gt;https://h10078.www1.hp.com/cda/hpms/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Billy Hoffman (HP Security Labs)&lt;/span&gt;&lt;br /&gt;I managed to spend quality time with web application expert Billy Hoffman, Head of HP Security Labs. I use the phrase “quality time” because Billy Hoffman is just one of those guys with whom I could talk techie security all day long, and I count myself lucky to have spent several hours chatting about web application security with Billy, as well as listening to several fascinating “hacking” stories, which I can’t publicly repeat!&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;i&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/hoffman1-792863.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 176px;" src="http://blog.itsecurityexpert.co.uk/uploaded_images/hoffman1-792861.jpg" alt="" border="0" /&gt;Prajakta Jagdale - Dave W (Me) - Billy Hoffman&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Billy is just one of those inquisitive out-of-the-box thinkers, which makes you thankful he is one of the good guys, that is, a white hat. However Billy became well known as a bit of a grey hat hacker, known as Acidus. While he was studying at Georgia Tech he famously hacked the university swipe card system, finding a fault with the magnetic stripe data, and it’s fair to say his resulting exposure of the flaw wasn’t fully appreciated by the system owners. Billy went on to graduate from Georgia Tech and joined Atlanta start-up company SPI Dynamics, becoming their Lead Security Researcher. 
Billy and SPI Dynamics specialised in web application security and web app vulnerability scanning products. So Billy is a real web application subject matter expert and is a frequent speaker on the subject at many of the top security conference events around the world. In fact I think the term “Web Application Security Guru” is the more fitting description to use when describing Billy Hoffman.&lt;br /&gt;&lt;br /&gt;In late 2007 Billy released his first, and in my view a much needed, book on Ajax Security, appropriately called “Ajax Security”. &lt;a href="http://www.amazon.co.uk/Ajax-Security-Billy-Hoffman/dp/0321491939/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1225757823&amp;amp;sr=8-1"&gt;http://www.amazon.co.uk/Ajax-Security-Billy-Hoffman&lt;/a&gt; Today many Web Applications are being re-written in Ajax, which gives an application that “real desktop application” feel within the web browser. However poorly written Ajax code produced by developers is introducing a new frontier of web application security vulnerability problems which the bad guys are taking advantage of.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Prajakta Jagdale (HP Security Labs) on Flash Security&lt;/span&gt;&lt;br /&gt;Also in attendance at the meet-up was HP Security Labs Security Researcher Prajakta Jagdale, who highlighted issues with Flash application security. In recent times malware has targeted poorly secured Flash web applications, and there have been several cases of successful exploitation of premium website Flash applications by malware and hackers. A common example of such an exploitation is specific malware which automatically embeds advertisements within the application, which is known by the term “Malvertisement”. The bottom line is secure Flash application development is really not too different from traditional secure web application development: developers need to code the application so it is fit for the purpose of being public facing. 
We all agreed writing a secure web application isn’t rocket science; most of it is just common sense, such as adding proper validation checks on entry fields, by whitelisting acceptable characters instead of trying to blacklist bad ones. However the “secure” development of Flash applications still tends to be overlooked by many organisations, perhaps because Flash applications are more difficult to scan than traditional web applications and perhaps there are fewer people with the expertise to code review and test them, or perhaps Flash applications aren’t on the radar of security testers and professionals. Whatever the reason, Prajakta’s research and findings on Flash application security are very interesting, and lead me to believe there are many Flash applications on the Internet today which are vulnerable to attack.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Summary&lt;/span&gt;&lt;br /&gt;In summary, in the security industry today it is generally accepted that the web application security problem is increasing, with the bad guys going after this layer more. It’s not hard to learn how to attack at the web application layer either, anyone can do it, and interestingly it is not particularly difficult to fix. Speaking with application security experts like Billy Hoffman and Prajakta Jagdale really underlines the importance of web application security, and the role of the HP Security Labs Dev\Web\QAInspect web application vulnerability tools in tackling the problems. 
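&lt;br /&gt;&lt;br /&gt;The field validation and parameterised query the post keeps coming back to, as an added Python example (this is not code from the original post, nor from HP’s tools): a customer surname lookup that pastes the input into the SQL string, beside one that whitelists the field’s characters and binds the value as a query parameter. The customer table, its rows, the surname pattern and the function names are all constructed for illustration.

```python
"""Added example (not code from the original post or from HP's tools): the
field whitelisting and parameterised query the post recommends, beside the
string-built query it warns about.  Table, rows and function names are
constructed for illustration."""
import re
import sqlite3

# Whitelist for a surname field: a letter followed by letters, spaces,
# hyphens or apostrophes, at most 64 characters in total.  The post's advice
# is to list what is acceptable rather than trying to blacklist what is not.
SURNAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,63}$")


def is_valid_surname(value):
    """True only when every character in value is on the whitelist."""
    return SURNAME_PATTERN.match(value) is not None


def make_db():
    """Constructed in-memory customer table standing in for a shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (surname TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Smith", "1234"), ("Jones", "5678"), ("O'Brien", "9012")],
    )
    return conn


def lookup_unsafe(conn, surname):
    """The defect the post describes: the input is pasted into the SQL text,
    so the database reads it as part of the statement."""
    sql = "SELECT surname, card_last4 FROM customers WHERE surname = '" + surname + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, surname):
    """Bind the value as a parameter: the database treats it purely as data,
    whatever characters it contains."""
    sql = "SELECT surname, card_last4 FROM customers WHERE surname = ?"
    return conn.execute(sql, (surname,)).fetchall()


def lookup_safe(conn, surname):
    """Whitelist the field at the boundary, then use the parameterised query."""
    if not is_valid_surname(surname):
        raise ValueError("surname contains characters outside the whitelist")
    return lookup_parameterised(conn, surname)


def demo():
    """Run the lookups against the same inputs and report what happened."""
    conn = make_db()
    tautology = "' OR '1'='1"  # classic input that makes the WHERE clause always true
    results = {}
    results["unsafe_rows_for_tautology"] = len(lookup_unsafe(conn, tautology))
    results["parameterised_rows_for_tautology"] = len(lookup_parameterised(conn, tautology))
    results["whitelist_rejects_tautology"] = not is_valid_surname(tautology)
    # The string-built query also breaks on a legitimate name containing a
    # quote, while the parameterised query handles it correctly.
    try:
        lookup_unsafe(conn, "O'Brien")
        results["unsafe_breaks_on_apostrophe"] = False
    except sqlite3.OperationalError:
        results["unsafe_breaks_on_apostrophe"] = True
    results["safe_rows_for_obrien"] = lookup_safe(conn, "O'Brien")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly to see the outcome of each lookup. The parameterised query is the primary control, because it removes any need to reason about which characters are dangerous; the whitelist on top of it keeps junk out of the application before it reaches the database, which is the “belt and braces” approach the post argues for. The whitelist deliberately allows apostrophes so that names like O’Brien work, which is also why the string-built query cannot be rescued by validation alone.&lt;br /&gt;&lt;br /&gt;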
It is clear that the HP Security Labs suite of web app security tools is helping many responsible organisations develop and deliver public facing web applications much more securely, which in the end protects those organisations’ end consumers.&lt;br /&gt;&lt;br /&gt;If you have any interest in testing your web application, check out the HP Security Labs website and download a 15 day free trial of their tools.&lt;br /&gt;&lt;a href="https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&amp;amp;cp=1-11-201-200_4000_100__"&gt;https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&amp;amp;cp=1-11-201-200_4000_100__&lt;/a&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/2609798199933577152/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3798604115389836864&amp;postID=2609798199933577152" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/2609798199933577152" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3798604115389836864/posts/default/2609798199933577152" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/securityexpert/~3/GgaCp6MJV3I/web-application-security-with-hps-billy.html" title="Web Application Security with HP's Billy Hoffman" /><author><name>Dave Whitelegg</name><uri>http://www.blogger.com/profile/02816379340772195492</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="15564794112966067757" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.itsecurityexpert.co.uk/2008/11/web-application-security-with-hps-billy.html</feedburner:origLink></entry></feed>
