IT Advice, Luton

Jackie Eggleton, Office Manager of Eximium Ltd

UK ID Card Scheme

Home Secretary Jacqui Smith has said that post offices and pharmacies could act as enrolment centres for the Government’s ID card scheme. These cards will cost £60: £30 for the card and £30 to cover the cost of collecting the data, which is to be stored on a Government database.

The launch of the £5 billion scheme will take place in Greater Manchester this autumn. Anyone who lives in the city, holds a valid UK passport and wants an ID card, or biometric passport as they are also known, can go to their local post office or pharmacy to have their fingerprints and a scan of their face stored. You can also sign up for information alerts on the directgov website.

Ms Smith is meeting with pharmacy trade groups and post office managers to discuss the plans for them to become enrolment centres.

“The companies interested in working with us to deliver the service will play a key role in ensuring the public can apply for an ID card or passport simply and easily,” she said.

“While private companies will clearly benefit from the increased footfall from offering this service, their customers will benefit from being able to quickly provide their biometrics while they are out doing the shopping.

“With an identity card, people will be able to prove their identity quickly and conveniently while helping to protect themselves against identity fraud.

“ID cards will deliver real benefits to everyone, including increased protection against criminals, illegal immigrants and terrorists.”

Opposition parties believe that the scheme should be scrapped, as £5 billion is a lot of money to spend in the current economic climate, when the government’s finances are already being squeezed. The Home Office argues that it will save money in the long term, which is currently being spent on fighting crime, terrorism and fraud.

Our concern would be how they are going to protect the data once they’ve collected it. If past experience is anything to go by, they wouldn’t do a very good job! These ID cards are voluntary at the moment, so when you consider whether to get one, you need to consider whether you want to risk your information potentially getting into the wrong hands.

We have several articles commenting on security issues involving the government. They are Learn your lesson from Revenue and Customs to avoid a security meltdown, Another Security Meltdown and More Data Security Issues.

You can find further information on the proposed ID cards on the directgov website and the Identity and Passport Service website.

Everybody has a different opinion as to whether they think ID cards are a good idea or not. You can have your say on the BBC news website.

Business Advice, Luton

News

Security spending takes larger slice of the IT budget

Protecting systems takes a bigger slice of shrinking budgets, according to reports from Forrester Research. The reports show that spending on security is increasing in proportion to IT budgets – that is, the spending is remaining constant whilst IT budgets are reducing. It is predicted that this trend will continue as security becomes an increasingly important issue.

“Even during challenging economic conditions, IT security remains an integral part of business operations as firms look to maintain their current environment as well as plan for the implementation of new initiatives,” explains Jonathan Penn, Forrester Business Data Services Analyst.

The two studies found that businesses have similar security concerns irrespective of the size of their organisation and that these businesses felt there was a growing need for improved data security. It was felt that the need for specialised skill sets and more attention to the budget have led to a growth in managed security services.

However, the day-to-day practicalities of handling data security were dealt with differently at larger organisations, where IT staff regularly report directly to chief executives or company presidents on security matters. In SMEs, IT workers cite a lack of dependable security systems and difficulties in convincing executives to invest in more sophisticated security systems.

Derrick Cameron of Eximium, which advises businesses on a range of IT issues including data security, is not surprised by the reports’ conclusions. “In the UK, there have been several worrying security breaches which have heightened everyone’s awareness of the issue. One of the more positive side effects of these embarrassing lapses is the fact that they have made businesses more security conscious. These organisations now need to ensure that they have the right software in place and that they are using it correctly to safeguard against mishaps.”

IT Advice, Luton

Paula Wheatcroft, Ops Director of Eximium Ltd

NHS Data Integration

Here at Eximium, we are firm believers that data integration can improve your systems’ efficiency, thus saving time and money. I came across an article on the Guardian website today, by Michael Cross, about the government’s plans to integrate the personal information the NHS keeps on us into one joint database. The idea is to bridge the gap between hospitals and home care.

It’s a really interesting article. The theory behind the government’s plan is sound and I can see how this could make some very real improvements within the NHS and how they work. My concern isn’t the integration, but the security of the data. Having everything in one place has enormous benefits, but also significantly increases the risks. This database will need to be extremely well protected and unfortunately, with the government’s past record on data security, there are substantial doubts.

For help with your business systems integration or security from Eximium, click the following link:

http://www.eximium.net/contactus.asp

To read Michael Cross’s article in full and have your say, click the following link:

http://www.guardian.co.uk/commentisfree/libertycentral/2009/feb/16/nhs-data-social-care-liberty-central

IT Advice, Luton

News

Terrorist database sparks privacy fears

The Home Secretary Jacqui Smith has revealed possible plans to compile an extensive database as part of the war on terrorism. It has also been suggested that a private company may be used to administer the database, including recording details of telephone calls, emails and internet use. Under the current system, information has to be specifically requested from communications companies and internet service providers, but is not always readily available.

Ms Smith said that access to such data was an instrumental part in fighting terrorism and that the UK must adapt to technological changes if it is to deal with terrorism and organised crime effectively. “It is a difficult and sensitive area, which is why we will consult on a range of options. But I think doing nothing is not an option here if we are going to see our ability to deal with serious crime and terrorism actually eroded in the future.”

The proposed consultation has prompted concern from civil liberties groups and critics of the scheme fear that the idea raises serious privacy issues. Former Director of Public Prosecutions, Sir Ken Macdonald told the Guardian newspaper that he was not convinced by the Home Secretary’s assurances. “All history tells us that reassurances like these are worthless in the long run. In the first security crisis the locks would loosen.”

Derrick Cameron, MD of IT business specialists Eximium, acknowledges the importance of having access to potentially sensitive data, but recognises concerns that opposition groups have. “This would be a massive undertaking for any private company. The database will be enormous and will need some serious software to ensure that security is tight. We have seen too many security breaches by public departments recently: people are naturally cautious and apprehensive about how secure the data will be and what it will be used for. However, it is an essential part of the fight against serious crime and terrorism that the appropriate organisations have access to this type of data. Whatever the outcome, the Government will need to have a thorough consultation to ensure they get the processes right.”

IT Advice, Luton

News

British man in final legal challenge to avoid US extradition

The case of a British man who has been fighting extradition to the US on hacking charges for the past three years is due for judicial review.

The review is Gary McKinnon’s last chance of avoiding extradition after the Home Secretary Jacqui Smith disregarded his recent diagnosis of Asperger’s Syndrome as having any bearing on the case.  McKinnon hopes to persuade the judge that this decision was unfair. With the failure of appeals to the House of Lords and the European Court of Human Rights earlier in 2008, McKinnon is resting his hopes on the oral review in chambers.

McKinnon, a Scot based in London, faces seven counts of hacking into 97 US Government, NASA and military systems during 2001 and 2002.  When arrested in 2002, McKinnon quickly confessed his actions, but denies causing any damage, estimated by the US at $700,000.  Whilst US prosecutors have suggested that McKinnon was mounting the ‘biggest military hack ever’, McKinnon himself maintains he was hunting for evidence about UFO encounters and harvested technology.

Derrick Cameron, Managing Director of IT business advisers Eximium has been following the case. “This is definitely McKinnon’s last stand,” he comments. “As his appeals so far have all failed, it doesn’t look good for the Scot. However, if the case does go to trial, the prosecution will have to prove that he had more sinister intentions – which could be difficult.”

If the review fails and McKinnon stands trial in the US, he faces a likely sentence of around 10 years imprisonment.

Data Security, Luton

Jackie Eggleton, Office Manager of Eximium Ltd

Gary McKinnon – Will he be extradited?

It seems that there may be some light at the end of the tunnel for Gary McKinnon, as the saga of whether he will be extradited to the US to face charges of computer hacking continues.

McKinnon has repeatedly resisted attempts to extradite him on the grounds that the offence was committed in the UK, and his lawyer, Karen Todner, has written to Keir Starmer QC, the recently appointed director of public prosecutions, requesting that he be charged under the Misuse of Computers Act. Ms Todner said that her client, who has acknowledged his guilt, would plead guilty to the offence, and that proceedings against him could now be brought because there is clear evidence of a crime having been committed.

McKinnon, who is 42, fears for his chances of a fair trial in the US. He is accused of hacking into the US defence and NASA systems in 2001 and 2002 and causing an estimated £525,000 worth of damage. McKinnon denies causing any damage, but admits to hacking into the systems and leaving messages saying “your security is crap”. He lost his appeal against extradition in the House of Lords last year.

McKinnon has been diagnosed with Asperger’s syndrome and, in a letter to the DPP, his mother, Janis Sharp, wrote: “Many people with Asperger’s have a heightened sense of justice and have obsessions, which can sometimes get them into trouble. Gary’s obsession was computers.” The National Autistic Society (NAS) has offered to provide evidence about the diagnosis of Asperger’s syndrome, in order to support McKinnon.

McKinnon’s mother said that there were precedents for British-based computer hackers to be tried in this country and that they have the political support of about 80 MPs who have signed an early day motion tabled by McKinnon’s MP, David Burrowes.

Business Advice, Luton

Paula Wheatcroft, Ops Director of Eximium Ltd

Internet Shopping at work

I came across an article written by Kelly Faircloth about the security issues caused by staff doing their Christmas shopping online. It’s particularly topical at the moment, but I’m sure that the basic principles behind it would be relevant all year round.

According to a report by the Information Systems Audit and Control Association, online Christmas shopping poses a risk to the IT security of employers. The survey took place in America and found that 4 out of every 10 people aged between 18 and 24 will spend up to 5 hours shopping online.

This is coupled with a recent survey of 973 employees, which found that younger workers were the least concerned about workplace network security and that roughly half said they paid more attention to the security of their home computers. Only two thirds of employees over 25 said they worried about both home and office systems. This is a staggeringly low amount.

The survey also found that many employees don’t understand how to protect workplace computers. 22% admitted to having clicked on e-mail links to an online retailer, and more than a quarter said they either don’t bother or don’t know how to check a site’s security.  In another  survey, over half of the trade group’s 3,100 members said they allow shopping at work, even though many haven’t trained employees to guard against potential  security threats.

Kent Anderson, a member of the group’s Security Management Committee, said in a statement: “The fact that Millennials [children born between 1977 and 1994] are planning to spend the equivalent of more than half a work day doing holiday shopping from their work computer, combined with their lack of concern for how secure their computer is, points to an urgent need for employee education.”

As responsible business owners and managers, we need to ensure that we make the security of our businesses of paramount importance. Providing appropriate training for our staff and reliable anti-virus software on our networks has to be our responsibility. Here at Eximium we can help you with training for your staff and provide you with anti-virus, anti-spyware and anti-spam protection.

Click the following link for our training page:

http://www.eximium.net/training.asp

Click the following link for our managed security services page:

http://www.eximium.net/managed_security_services.asp

Business Advice, Luton

Derrick Cameron, MD of Eximium Ltd

Watch Out - The Spammers Are Getting More Devious Than Ever

There has been a new wave of spam emails we want to make you aware of.  They come with an attached ‘zipped’ file (i.e. ending in .zip) and claim to be contacting you with regard to your account.  Some are more sophisticated than others and can be very effective at fooling you into thinking you are looking at a genuine email.

The more obvious ones appear to be contacting you as a customer. They are informing you that they have sent you the information you will need to ‘recover your account’. You may receive emails supposedly from your credit card companies, informing you that there has been some suspicious activity in your account and asking you to check the purchases on the statement attached. Others are from bogus customers claiming to have made some amendments to the contract attached and asking you to review it.

The most deceptive of these claim to be from a courier service regarding a parcel delivery.  They say that they are from ‘United Parcel Services’ and have a ‘UPS Tracking Number’ in the subject, very neatly tricking you into thinking at first glance that they have come from a legitimate company. 

Some example text in the body of the email is:

‘Unfortunately we were not able to deliver postal package you sent on Oct the 28 in time because the recipient’s address is not correct.  Please print out the invoice copy attached and collect the package at our office’

With Christmas around the corner, your staff are likely to be caught more off guard than usual and some of these messages even go as far as to notify you that you have 10 days in which to collect your parcel or you will be charged by the day thereafter.

Here are our top tips on how to deal with potential spam:

1. Be vigilant. Always check that you trust the sender of the emails you are opening. Even if you don’t know them personally, you are likely to know of them.

2. Treat all emails which you are unsure of as spam.  If the mail is genuine, the person trying to contact you will try again and it’s easier to cope with a slight delay than the potential after effects of a virus, spyware, etc.

3. Don’t use unsubscribe. Never click on the ‘unsubscribe’ link of an email you are unsure of as that is another way of opening the flood gates, as it notifies them that someone is at that address and susceptible to spam.

4. Never open an attached file if you don’t know the sender. Even if the file is zipped and it appears that the sender has been security conscious - this is potentially a ruse.

There are things you can do to protect yourself, minimise the potential impact that this kind of spam can have on your business, and even stop the majority of these emails getting through to you.  It is very important to have good, strong anti-virus, anti-spyware and anti-spam protection in place.
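As an added example (not code from the original post), the Python triage function below applies tips 1, 2 and 4 to two constructed sample messages: it flags zipped attachments, the phrases quoted in the spam above, and messages that name a courier but arrive from an unrelated domain. The brand-to-domain mapping, the sample addresses and the message text are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Phrases lifted from the spam described above; a match is a signal, not proof.
SUSPICIOUS_PHRASES = (
    "recover your account",
    "suspicious activity",
    "tracking number",
    "collect the package",
)

# Brands the spam impersonates, with the domains a genuine message would use.
# Assumption: this allow-list is illustrative, not authoritative.
IMPERSONATED_BRANDS = (
    (re.compile(r"\b(ups|united parcel)\b"), "UPS", ("ups.com",)),
)


def sender_parts(msg):
    """Return (display name, domain) from the From: header, lower-cased."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.lower(), domain.lower()


def domain_allowed(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def triage(raw_message):
    """Return the reasons a message resembles the spam wave described above.

    An empty list means none of the checks fired, not that the mail is safe.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []

    # Tip 4: zipped attachments are the common thread in this spam wave.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            reasons.append(f"zip attachment: {name}")

    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in subject or phrase in text:
            reasons.append(f"phrase: {phrase}")

    # Tip 1: does the claimed sender match where the mail actually came from?
    display_name, domain = sender_parts(msg)
    for pattern, label, allowed in IMPERSONATED_BRANDS:
        mentioned = any(pattern.search(s) for s in (subject, text, display_name))
        if mentioned and not domain_allowed(domain, allowed):
            reasons.append(f"claims to be {label} but sent from {domain or 'unknown'}")
    return reasons


# Constructed sample modelled on the courier spam quoted above (not a real message).
PHISHING_SAMPLE = """\
From: "United Parcel Service" <notice@example.net>
To: accounts@example.org
Subject: UPS Tracking Number 1Z-CONSTRUCTED
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Unfortunately we were not able to deliver postal package you sent on Oct the 28
in time because the recipient's address is not correct. Please print out the
invoice copy attached and collect the package at our office.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign message from a known contact.
BENIGN_SAMPLE = """\
From: Colleague <jo@example.org>
To: accounts@example.org
Subject: Minutes from this morning

Minutes are on the shared drive, no action needed.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", triage(sample) or "no flags")
```

A message that fires none of these checks still deserves tip 2's caution; the function is a first filter, not a verdict.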

For further information, please see the following link to our managed security service page:

http://www.eximium.net/managed_security_services.asp

IT Advice, Luton

News

Letter lottery defines spam load

A new study shows that how much spam you get may depend on the first letter in your e-mail address. The analysis of more than 500 million junk messages identified the letters that get more junk than average.

According to the study, the difference may be down to the way spammers generate the e-mail addresses that they want to target.

The analysis was carried out by University of Cambridge computer scientist Dr Richard Clayton, in a bid to understand the widely noted discrepancies in the amounts of junk mail or spam that different people receive.

Dr Clayton took as his dataset the 550 million e-mail messages sent to customers of net service Demon between 1 February and 27 March 2008.

Looking at the mix of messages landing in inboxes, Dr Clayton found a wide discrepancy in the amounts of junk that different addresses received which seemed to hinge on their initial letters.

The most popular letters for spammers were ‘A’, ‘M’, ‘S’, ‘R’ and ‘P’. Around 40% of all the messages arriving in the e-mail inboxes of accounts with addresses that had one of these characters as their first letter were junk. Much less popular were ‘Q’, ‘Z’ and ‘Y’, generating 20% or less. 

Dr Clayton states that spammers often generate e-mail addresses by carrying out so-called “dictionary” attacks. In these, spammers take the part of a live e-mail address in front of the “@” symbol that they know is live, and add that to other net domain names to generate a new one.

For instance, spammers who know that there is a real person attached to john@example.com may try john@another.com to see if that reaches a live account too.

As a result, the relative abundance of names beginning with ‘M’ compared to ‘Q’ could explain some of the disparities, as spammers would be more likely to re-use popular names and send them more junk.

Dr Clayton said that the research had thrown up some anomalies that needed further research. For instance, addresses starting with the letter ‘U’ appear to get more than 50% spam despite there being relatively few of them.

Derrick Cameron from IT firm Eximium comments “These findings will come as something of a revelation for many. Spam email is at best an annoyance - and at worst can have implications for security. Dr Clayton’s conclusions may well help many companies to drastically reduce their junk email, which has to be good news for everyone – except the spammers of course.”

Business Advice, Luton

Jackie Eggleton, Office Manager of Eximium Ltd

More Data Security Issues

I came across an article this week which has alarmed me.  It is about a speech expected to be given by Richard Thomas from the Information Commissioner’s Office, regarding the use of ‘Giant Databases’.

It highlights the fact that there has been a significant increase in data loss and that the databases getting lost are holding more information than ever before.  In fact, most of them are in breach of the Data Protection Act!  He is currently investigating 30 ‘serious’ cases where this has been the case within companies, councils, government agencies and central government.

These larger databases increase the risk of the information getting into criminal hands.  Much of the information is irrelevant and should be removed and the risk is significantly increased when the database is moved between different agencies.

As we are all aware, there have been a number of reports of data losses in the news lately and I found some new statistics listed in the article.  Apparently around 100 incidents were reported to the Commissioner’s Office between November 2007 and April 2008 and there were 277 in total in the year.  These include breaches in website security and the theft or loss of computers and electronic storage media, such as memory sticks and CD ROMs.  The NHS has reported the most incidents, 65 in total, 27 of which were lost or stolen computers.  This number alone is as many as were reported by the whole private sector.

Here’s the really alarming bit.  There is no legal requirement to report losses of personal data so, as bad as all these statistics are, the real figures are probably much higher!

Richard Thomas is expected to say that he believes companies who hold personal data should hold less of it if possible and take greater responsibility for the data they do hold. He also believes that companies who lose data should face tougher penalties. His comments are likely to be seen as a direct criticism of the Home Office’s announced intention to record details of every phone call, email and text message sent in the UK.

To read the article, please use the following link:

http://news.uk.msn.com/Article.aspx?cp-documentid=10478193

More information on the Data Protection Act can be found here:

http://www.ico.gov.uk/

IT Advice, Luton

News

Computer Hacker appeals to Home Secretary

Lawyers for a Briton accused of hacking into secret military and NASA computers are asking the Home Secretary to ensure that he is not jailed in the US.

Glasgow-born Gary McKinnon, 42, who last month lost his appeal against extradition, could face life in jail if convicted of accessing 97 computers. He says he acted out of curiosity, not malice.

His lawyer Karen Todner asserted that his human rights would be breached if he did not return to the UK after a trial. The Home Office said his case was “receiving consideration.”

A spokesman for the Home Office said “Further representations have been received today from solicitors against Mr McKinnon’s surrender to the USA which are receiving consideration.”

Mr McKinnon, from Wood Green in North London, is currently out of work. He was said to be “distraught” after losing his extradition appeal at the European Court of Human Rights. He has admitted breaking into the computers, but says he sought information on UFOs and only got in because of lax security.

In America, the government insisted he committed a malicious crime - the biggest military computer hack ever. They say he stole passwords, deleted files and left 300 computers at a US navy weapons station unusable immediately after the September 11th terrorist attacks. Clearly it is time to re-think summary extradition when US prosecutors threaten to ‘fry’ a non-violent computer hacker.

Ms Todner said she had written to the Home Office asking for an intervention on her client’s behalf.  She said: “We have requested that the Home Secretary obtain an assurance from the United States Government that Mr McKinnon be returned to the UK immediately on receiving a sentence in the US, should he be extradited.”

Derrick Cameron from Luton based IT firm Eximium comments “McKinnon first lost his case against extradition at the High Court in 2006 before taking it to the highest court in the UK, the House of Lords. Clearly he is running out of time and places to go. I understand that his lawyers want his case to be tried in Britain, arguing that the alleged offences were committed on British soil.  This will make a significant difference to the outcome if he is found guilty.”

Business Advice, Luton

McAfee Announces Major Acquisition

As a McAfee partner, we were delighted to hear news of a major strategic announcement from them at the end of last month.   David DeWalt, President and CEO of McAfee, announced their intention to acquire the Secure Computing Corporation, who are a leading provider of network security to businesses of all sizes. 

When Secure Computing and McAfee are combined, it will reinforce their position as the largest dedicated security company and a leader in the security risk management industry. Once Secure Computing’s products and services are added, McAfee will be able to deliver the industry’s most complete network security portfolio. This will cover intrusion prevention, firewall, Web security, email security, data protection and network access control. These will benefit customers from small and medium-sized businesses up to the world’s largest organizations.

Other benefits for McAfee customers, and channel partners such as ourselves, also include:

• broader product offerings and a comprehensive set of solutions that can help customers protect their critical Web, email and network assets
• the industry’s most complete network security solution to businesses of all sizes, extending the success of its total protection strategy through best-of-breed technology suites
• the resources of a global security company with enhanced research capabilities
• increased investments in technology and development and continued support for customer’s existing investments

We are very excited by this news, as it will enable us to expand our offering to customers, whilst remaining secure in the knowledge that we are protecting them with the best dedicated security available.

For more information about our managed security services, please use the following link:

http://www.eximium.net/managed_security_services.asp

IT Advice, Luton

News

Arrest made over data-stuffed eBay laptop

Police have made an arrest in connection with the recent eBay sale of a council laptop computer containing personal data.

The latest information security lapse took place in Charnwood, Leicestershire, where taxpayers’ personal details were found on a computer which was sold for £6.99. The details are said to include bank account information and sort codes.

Charnwood Borough Council has said that it is investigating the incident; it has traced the hard drive of the computer and is awaiting its retrieval.

The council stated that it has reported the matter to the police, who have now arrested someone in relation to the sale of the machine.

“The case has been referred to Leicestershire Constabulary as a criminal investigation and we can confirm that an individual has been arrested and is assisting the police with their enquiries,” said a statement from the Charnwood Borough Council. “We have traced the hard drive and are currently retrieving it. The purchaser is co-operating with Charnwood and has stated that the data has not been distributed to any other parties.”

Leader of Charnwood Council Richard Shepherd promised that a review into the data loss would be held.

“I regret the concern caused to Charnwood residents by this serious matter,” said Shepherd. “We will give every assistance to the police in their further investigations and I will personally ensure a thorough review is also completed by the council to find out how this happened.”

Last week a machine was taken from a company which stores bank records. The laptop contained banking information on up to a million customers of the Royal Bank of Scotland, NatWest and American Express.

Derrick Cameron of IT firm Eximium comments “Organisations should create a privacy protection policy for every new system they build because they are storing more and more information on individuals.”

He goes on to add “For years I have suggested that companies consider the impact on individuals’ privacy before developing new IT systems, but often this gets overlooked. Individuals cannot be blamed when lapses occur as it is often the whole system that is at fault.”

IT Advice, Luton

News

‘Widespread’ US web banking security flaws

Recently published research by the University of Michigan has found that 75 per cent of American online banking sites have at least one design flaw that leaves customers exposed to online crime.

The study, by Atul Prakash from the Department of Electrical Engineering and Computer Science, and students Laura Falk and Kevin Borders, looked during 2006 into the security of websites of over 200 financial institutions.

The report found that the design flaws causing the problems were not simple bugs that can be fixed with a patch, but went far deeper.

“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” said Professor Prakash.

“Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.”

The design flaws uncovered in the study included:
• Inadequate user IDs and passwords
• Placing contact details and security advice on insecure pages
• Placing secure login boxes on insecure pages
• Breaching the chain of trust, by redirecting customers to other sites
• Emailing security-sensitive information insecurely
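As an added example (not from the Michigan study or the original post), the Python audit below checks two of the listed flaws on constructed HTML: a login box served on an insecure page, and a login form that submits credentials over plain HTTP or to a different site, which is where the chain of trust breaks. The page URLs, hostnames and markup are constructed for the example; a real audit would fetch each page separately and feed it in.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return findings for every login form (a form with a password field) on the page."""
    page = urlsplit(page_url)
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # Flaw: "secure login boxes on insecure pages". A customer has no way to
        # confirm that a password box on an http:// page really belongs to the bank.
        if page.scheme != "https":
            findings.append("login form served on an insecure (non-HTTPS) page")
        # An empty or relative action resolves against the page's own URL.
        target = urlsplit(urljoin(page_url, form["action"]))
        # Credentials must travel over TLS regardless of where the page came from.
        if target.scheme != "https":
            findings.append(f"credentials submitted over {target.scheme} to {target.geturl()}")
        # Flaw: "breaching the chain of trust" by sending the customer elsewhere.
        if target.hostname != page.hostname:
            findings.append(f"login form submits to a different site: {target.hostname}")
    return findings


# Constructed examples; the hostnames are placeholders, not real banks.
INSECURE_PAGE_URL = "http://bank.example/"
INSECURE_PAGE_HTML = """
<html><body>
<form action="https://login.third-party.example/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

SECURE_PAGE_URL = "https://bank.example/login"
SECURE_PAGE_HTML = """
<html><body>
<form action="/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((INSECURE_PAGE_URL, INSECURE_PAGE_HTML), (SECURE_PAGE_URL, SECURE_PAGE_HTML)):
        print(url, "->", audit_login_page(url, html) or "no findings")
```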

Derrick Cameron, MD of UK based IT firm Eximium comments “The review work was carried out over time and I’m sure that many of the issues highlighted have now been rectified.  However, UK banks and other businesses holding secure information about their customers must never become complacent.” He adds, “As long as people hold valuable financial data online, others will try to steal that information for financial gain. Regular checks and improvements need to be made and this report from America shows what can happen if this isn’t done properly.”

IT Advice, Luton

Paula Wheatcroft, Ops Director of Eximium Ltd

Are we looking after our mobile data carefully enough?

After the numerous issues with data security over the last 12 months, the BBC has reported that over 60,000 mobile devices have been left in the back of black taxis in the last 6 months, from mp3 players to laptops.

You would think that the recent high profile incidents would have alerted us all to the dangers of leaving these sorts of items for thieves, but it seems that the warnings have gone unheard.  Although 80% of the taxi drivers claimed that the items were reunited with their owners, there were still 12,000 that were not, and this is just in London.  How many others are being given into the hands of thieves across the country?

With mobile devices being capable of so much more than ever before, they often contain sensitive business and personal information, and can give thieves the tools to start accessing other confidential information and a whole lot more.  We need to be more careful with the physical security of our mobile information devices, consider what sensitive information about us, our staff and our customers is being held on them, and how carefully it is protected.

We need to ask ourselves:
• Are we fully compliant with our obligations under the DPA, where mobile information is concerned?
• Is the information password protected or encrypted?
• Do the devices contain any sensitive information they don’t need to?

Otherwise, our confidential business and personal information could easily leak out into the public domain.


Business Advice, Luton

Jackie Eggleton, Office Manager of Eximium Ltd

Another Data Security Issue

It doesn’t surprise me anymore when I hear of another Government data security issue on the news. It has become such a regular occurrence that it doesn’t even make the headlines anymore. The latest revelation is that EDS, the IT contractor involved, lost a 500GB external hard disk drive containing the personal data of 5,000 prison officers across the UK.

As I said, I am not surprised, but what did worry me about this incident was that the government were unaware for more than a year. It has been suggested that the information held on the hard drive was sufficient to endanger the prison officers concerned. It included their names, dates of birth, National Insurance numbers and employee numbers. It has been said that it could be used to seek revenge or to blackmail prison officers and give crooks a huge advantage in targeting prison officers to bring in illicit contraband, either by some gentle persuasion or by menace and threats.

Needless to say, there are reports that the future of the EDS contract is in jeopardy and the Ministry of Justice has launched an enquiry into who was responsible and how it happened.  It’s all a bit late now and anyone who would have needed to be relocated or given new identities will have been terrorised or killed already.


Business Advice, Luton

Phil Connor, Consultant at Eximium Ltd

Has The DNA Database Project Gone Sour?

I recently wrote an article about the proposed expansion of the national DNA database:

http://www.eximium.net/blog/index.php/2008/06/business-advice-luton-6/

This subject and the controversy surrounding it, have featured in the news recently too:

http://www.eximium.net/blog/index.php/2008/09/business-advice-luton-19/

As this news item states, the enquiry by The Human Genetics Commission has recommended that the government removes all the DNA profiles of innocent people and those of criminals who have served their sentence. What I found particularly interesting about this was that this inquiry was funded by the tax payer on the government’s instructions. I thought that the government wanted every UK citizen registered on the database? Isn’t that what Tony Blair said, and was then backed up by Gordon Brown?

I have to ask myself why the government instigated an enquiry at this late stage that was at odds with their vision ‘every UK citizen will be recorded on the DNA database’. Surely this inquiry should have taken place at the outset of the idea, where it could have been properly debated and then acted upon.

Are they telling us that they have only just realised that it may not be a good idea to have innocent people’s DNA recorded on the database, so we had to organise an enquiry to cover ourselves? Or perhaps the thoughts at the outset were, ‘Well we know we may have some issues here, but we are going to do it anyway. The overall idea is good and we can sort out the teething problems later. It would be far too much hassle to have a detailed debate or enquiry into the suitability of such an idea, and anyway people might actually object!’

And so what are they going to do with this report?
• Ignore it?
• Act upon it?
• Instigate another enquiry that may have a more favourable outcome?
• Bin the whole idea of a national DNA database?

I think this just goes to emphasise the pitfalls of not carefully planning an approach to the introduction of a new idea, then strictly following the plan, right from inception through to implementation. This becomes even more important when technology is involved.

Ask yourself, does this scenario ever happen in my business, and if so what is it costing me?


Business Advice, Luton

News

Controversy over DNA database rages

The Human Genetics Commission has urged the government to remove innocent people from the police national database.  The Citizens’ Inquiry found that the database should be put under independent control and criminals who have served their sentence should be removed.

The inquiry looked into a broad selection of opinion. Alice Maynard, chair of the working group, said “We wanted to hear the public’s views on the development of the national DNA database and whether storing the DNA profiles of victims and suspects who are not charged or are subsequently acquitted is justified by the need to fight crime.”

The database holds the fingerprints of four million people, including around one million who had their biometrics taken, but were acquitted or who volunteered to be on the database to eliminate themselves from a police inquiry.

The panel also recommended a vigorous nationwide education campaign that explains why DNA samples are taken and the special arrangements for situations where DNA samples have to be taken by force.

“Such a database will hold an incredibly large amount of highly sensitive information” comments Derrick Cameron, MD of Eximium.  “Given the Government’s track record of losing data it is an understandable concern to many that so much information is held in one place” he adds.


IT Advice, Luton

News

Scottish Hacker to Appeal to Europe after Lords Rejection

Glasgow born Gary McKinnon has vowed to take his case to the European Court of Human Rights, after his appeal was rejected by the House of Lords yesterday. He is accused of hacking into secret American military computers, and therefore faces a long-term prison sentence.

In an interview with BBC Radio 5 Live, he said he was “pretty broken up” by the ruling, but claims that he only acted in the public interest. “I am…sorry I did it, but I think the reaction is completely overstated - it felt like a moral crusade.”

McKinnon achieved a form of worldwide fame after gaining access to 97 US military and NASA computers.  It is believed to be the biggest military hack in history. After gaining access, he hacked into and disrupted numerous US military computers in 2001 and 2002.  This was all done from his North London bedroom. Since his arrest in 2002 he has never been formally charged in the UK.

McKinnon has consistently claimed that he is “a bumbling hacker” who was never a threat to security, and that he was only looking for UFO files that he believed the US government was keeping under wraps.

Derrick Cameron, MD of IT specialists Eximium comments “There is no doubt what McKinnon did was wrong, but the question should be - what were his intentions?”  Cameron adds, “perhaps the US authorities should consider using his services in future to test the security of their computer defenses.”


IT Advice, Luton

Jackie Eggleton, Office Manager of Eximium Ltd

Another Data Security Meltdown!

It would seem that the lessons which should have been learnt from the loss of sensitive data of people claiming child benefit were not learnt at all. Revenue and Customs lost disks containing personal details in the post, back in November 2007.

See our article on this:

http://www.eximium.net/blog/index.php/2007/12/it-advice-bedfordshire/

An investigation into another case of sensitive data not being protected began on Tuesday. The Government launched the investigation after a laptop containing the bank details of over a million people was sold on eBay for just £35!

Andrew Chapman, an IT manager, bought the laptop and found that it contained customers’ credit card applications, account details, signatures, mobile phone numbers and mothers’ maiden names. Natwest Bank and The Royal Bank of Scotland have confirmed that their customers’ details are among the details found.

The computer belonged to a former employee of the company, Graphic Data, who digitally store information for a number of British banks and building societies. He placed it for sale on eBay without erasing the sensitive data stored within it. A spokesperson for Graphic Data said the company did not authorise the sale of the computer. The identity of the seller of the laptop has not been disclosed, and Graphic Data and eBay have also launched investigations.

All this on top of the admission by the Home Office that it has lost 43 laptops and 94 mobile phones in 3 years.

The catalogue of losses is as follows:

August 26 2008: The sale of the laptop on eBay for £35.88.

August 22 2008: A memory stick containing details of 127,000 criminals in England and Wales is lost, including the names, addresses and dates of birth of 33,000 persistent offenders.

July 18 2008: Ministry of Defence admits that 658 laptops have been stolen and 89 lost in four years. Only 32 were recovered. It also admitted to losing 26 portable memory sticks since January 2007, with 19 of them classified as secret.

January 19 2008: A Royal Navy officer had his laptop stolen in Birmingham, containing the bank and passport details, National Insurance numbers, doctors’ addresses and family information details of 600,000 potential armed forces recruits.

January 18 2008: Details of benefit claims, mortgage payments and photocopies of passports were found on a roundabout in Devon. Other confidential data had been found at the same location before in November 2007.

December 23 2007: Nine NHS trusts admitted to losing patient records. In one case they lost the names and addresses of 160,000 children.

December 17 2007: The details of 3 million candidates for the driving theory test were lost in transit in Iowa.

December 11 2007: Two non-encrypted computer discs containing the names and addresses of 7,658 Northern Ireland motorists were lost.

November 20 2007: The two computer discs holding details of 25 million people including 7.25 million families receiving child benefit were lost.

When will the lessons finally be learnt? They are there for all to see and it would seem that they will be for a long time to come yet.


IT Advice, Luton

Jon Wilkes, Consultant at Eximium Ltd

Website Security and ‘https’ - How Does it Work?

Anyone who has looked at the address bar in their web browser might have noticed that the majority of web pages that they visit begin with the acronym ‘http’.  A few might even know that it stands for ‘hypertext transfer protocol’ – the protocol (or ‘language’) of the World-Wide Web.  Sometimes though, they might notice that a web page begins with ‘https’ and if they are particularly observant, that such pages are accompanied by the image of a closed padlock – usually somewhere in the status bar.  That gives us a clue as to what is going on: the ‘s’ stands for ‘secure’.

So why might we want a ‘secure’ protocol?  The most common place that we will find ourselves on a secure page is where the information being displayed or entered is sensitive and must be protected from a ‘man in the middle’ attack where the data could be intercepted between the server and the browser. The obvious example of this is a page where credit card or bank details are being entered. Obviously, with the rapid growth of e-commerce, these types of web pages are proliferating.

For the more technical amongst you, the data on a secure page is transmitted through ‘SSL’ (Secure Sockets Layer) and uses a different port, normally 443 instead of 80. In order for this to work, an SSL certificate registered to the website owner must be installed on the web server. To go even more technical for a moment, SSL uses public-key cryptography, one of the most secure cryptographic mechanisms currently available: two keys, one public and one private, which is theoretically unbreakable within a reasonable amount of time. If this sounds like double-dutch to you then don’t worry: you don’t need to understand how it works in order to use it. What you do need to know is that you can trust it, and the only habit you need to adopt is to check that, if you are entering sensitive data, the address of the web page begins with ‘https’ and, probably, that there is a closed padlock (or similar) displayed somewhere in your browser window. It is worth taking a few minutes right now to familiarise yourself with your favourite browser and discover the difference between a secure and an insecure web page.

To help you with that here is an example of a secure page:

https://www.paypal.com/uk/cgi-bin/webscr?cmd=_send-money&nav=0.1

and an insecure one:

http://www.bbc.co.uk

See if you can spot the difference!

Finally, if you are developing or specifying the creation of a web site for your own company and you expect your users to enter sensitive data, you must ensure that such pages use the secure protocol otherwise you will lose valuable business as potential customers will abandon the checkout process if they feel the security of their personal data is threatened.
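As an added example (not code from the original article), here is a small Python check for the problem just described and for two of the flaws listed in the bank-site study earlier on this page: a sensitive form (login or card details) served on a plain http page, or one whose action submits to an http address. The page URLs, form names and HTML are constructed sample input, and the list of name hints that count a form as sensitive is an assumption.

```python
"""Flag sensitive forms served from, or posting to, plain http.

Added example, not code from the original article. The sample pages,
hostnames and field names below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed rule: a password field, or a field name that looks like card or
# account data, marks a form as one that must travel over https.
SENSITIVE_INPUT_TYPES = {"password"}
SENSITIVE_NAME_HINTS = ("card", "cvv", "account", "sortcode", "password")


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its action and its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str, "inputs": [(type, name)]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (attrs.get("type", "text").lower(), attrs.get("name", "").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(form):
    """True if the form has a password field or a card/account-like name."""
    for input_type, name in form["inputs"]:
        if input_type in SENSITIVE_INPUT_TYPES:
            return True
        if any(hint in name for hint in SENSITIVE_NAME_HINTS):
            return True
    return False


def check_page(page_url, html):
    """Return a list of findings for the sensitive forms on this page.

    An empty list means every sensitive form is both served over https
    and submits over https.
    """
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in collector.forms:
        if not is_sensitive(form):
            continue
        # An empty action posts back to the page itself; a relative one
        # inherits the page's scheme and host.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if page_scheme != "https":
            findings.append(f"sensitive form served on insecure page {page_url}")
        if urlsplit(target).scheme.lower() != "https":
            findings.append(f"sensitive form submits to insecure endpoint {target}")
    return findings


# Constructed sample pages.
LOGIN_ON_HTTP = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
</body></html>
"""

HTTPS_PAGE_POSTING_TO_HTTP = """
<form action="http://pay.example.test/submit" method="post">
  <input type="text" name="cardnumber">
  <input type="text" name="cvv">
</form>
<form action="/search"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    samples = [("http://bank.example.test/", LOGIN_ON_HTTP),
               ("https://shop.example.test/checkout", HTTPS_PAGE_POSTING_TO_HTTP)]
    for url, html in samples:
        for finding in check_page(url, html) or ["no issues found"]:
            print(f"{url}: {finding}")
```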

Other useful links:

http://en.wikipedia.org/wiki/Https
http://en.wikipedia.org/wiki/HTTP
http://www.instantssl.com/ssl-certificate-products/https.html


IT Advice, Luton

Jackie Eggleton, Office Manager of Eximium Ltd

Internet Privacy Debate Heats Up

More and more people are worried about their privacy when it comes to the Internet and they have every right to be.  Information about us is collected and stored in many different ways on the Internet.  Most of which we are aware of and consent to, such as contact forms and questionnaires, but what about the information stored about us which we have no knowledge of, or access to?

I recently posted this article about a new search engine called Cuil:

http://www.eximium.net/blog/index.php/2008/07/it-advice-luton-11/

One of the advantages of this site is that it analyses the web, not the user and doesn’t save user data like other search engines, such as Google.

Google has confirmed recently, in a letter to the US government, that it is watching the way we surf, using its DoubleClick ad-serving cookie, and is saving this user data. The advantage for them is that they can target ads at specific user groups based on the type of surfing they do, something called ‘behavioural advertising’ (although they say they don’t do this at present). This is potentially worth big bucks to advertisers, but is it ethical?

It was exactly this which caused public concern recently, when BT, Talk Talk and Virgin Media, three of the UK’s largest Internet Service Providers, sold their customers’ private browsing history to an advertising broker called Phorm. This kind of secret invasion of privacy worries many people and has prompted calls for ISPs to withdraw from what is known as ‘deep packet inspection’ systems altogether.

For further information on this issue and for links to other websites containing information and petitions against Phorm go to http://www.badphorm.co.uk/page.php?2


IT Advice, Luton

News

UK based SMEs need to tighten up on security issues

UK Managing Directors need to tighten up their security procedures. In a warning from the Economic and Social Research Council (ESRC), British firms were shown to be the most likely to fail at effectively securing their data.  This issue could have a serious effect on a large portion of the UK economy.

The small business sector makes up 51.9 per cent of the UK’s annual turnover.  It also accounts for 99.3 per cent of businesses, according to official figures from the Department for Business, Enterprise and Regulatory Reform.

“Information security is now a mainstream political issue, and no longer the province of technologists alone,” said Tyler Moore of the Computer Laboratories, University of Cambridge. “In 1999 it became clear that even the latest and greatest technology will not solve all our problems if those who protect and maintain them are not sufficiently motivated. The issue is one of incentives.”

“Security is about assessing and dealing with the risk of different types of people who interact with your information.  Whether they are staff, customers or strangers, they all present a potential risk to the security and long term future of your business” comments Derrick Cameron, MD of IT based firm Eximium.

The high level of reported fraud is now staggering.  It cost UK businesses over £705m in the last six months, 74 per cent up on the same period last year and hitting £317m in April 2008 alone, says research from accountants BDO Stoy Hayward.

Banks and insurance firms suffered costs of more than £636m, or 90 per cent of the total cost of fraud in the first half of 2008: management fraud accounts for 46 per cent of fraud cases whilst third party fraud accounts for 32 per cent, costing businesses a total of £541m.


Data Security, Luton

Jackie Eggleton, Office Manager of Eximium Ltd

Is Oyster card security starting to crumble?

I was very interested by the news this week that Oyster cards belonging to thousands of passengers were corrupted at the weekend.  According to reports, anyone who travelled between 5.30am and 9.30am on Saturday July 12th, had their card corrupted, due to a failure in the Oyster card system.  This failure is reported to be the worst in its 5 year history.

The result of this was that thousands travelled free of charge that day.  Staff were ordered to allow free travel to anyone with an Oyster card, which had a registration error, to avoid ‘rush-hour chaos at ticket barriers’.

Tube bosses said that they were lucky that the breakdown occurred on a Saturday morning and not during the week.  Nevertheless, at least 60,000 cards have been confirmed as corrupted and it is estimated that the figure could be as high as 100,000.  All these cards will need to be replaced and an investigation into the situation has been launched, though it is thought that the fault was with the card software ‘touch-in’ system.

More interestingly, Dutch students recently claimed to have cracked the Oyster card.  At 4.02pm, Wednesday June 18th 2008, students of Radboud University claim they travelled for free on the Underground using cloned cards they had created and even managed to execute ‘a denial of service attack’ on the gates.  This came after they cracked the card in the Netherlands earlier in the year, which uses the same system. 

It is tempting to speculate that these 2 incidents, particularly as they happened within a month of each other, are somehow related. Was this a deliberate attack? Are the security measures that have kept the Oyster cards secure for the past 5 years starting to fall apart?

Both the OV-chipkaart in the Netherlands and the Oyster card use the same technology - NXP’s Mifare.  It was suggested that the Oyster system should be upgraded at the time of the Dutch crack, but TFL’s response was that it would not be necessary, as there were additional layers of security on the Oyster card. 

When TFL learnt that the Dutch students had gained free travel, they released this statement:

 “Londoners can have total confidence in the security of their Oyster cards. We run daily tests for cloned or fraudulent cards and any found would be stopped within 24 hours of being discovered. Therefore the most anyone could gain from a rogue card is one day’s travel. Security is the key aspect of the Oyster system and Londoners can have confidence in the security of their Oyster cards. Using a fraudulent card for free travel is subject to prosecution.”

This could be another in a long string of public sector security problems. 

I’m eagerly awaiting the results of TFL’s investigation…


IT Advice, Luton

News

The Facebook Generation gets the blame for recent MoD theft

An early investigation into the theft of a Royal Navy recruiter’s laptop from a parked car in January has blamed the ‘Facebook generation’ for lapses in security at the Ministry of Defence.

The findings into the loss of MoD data also show that the stolen laptop, which contained the unencrypted personal records for more than 600,000 recruits, was actually the fourth laptop to be stolen in the past four years.

The investigation was conducted by Sir Edmund Burton, chairman of the Information Advisory Council.  He warned that the so called Facebook generation has failed to understand the culture of security which came into being after the Second World War. 

Burton claims that “These well-developed processes and procedures have not been translated effectively into the information age…Generally there is little awareness of the current real threat to information, and hence to the MoD’s ability to deliver and support operational capability.”

The MoD has initiated an action plan in response to the report in which it outlines how it intends to implement its 50 plus recommendations.

Derrick Cameron, MD of IT firm Eximium comments “In my opinion, the report comes to some very sensible conclusions.  It’s one thing to lose a laptop containing your personal contacts book and a few computer games.  It’s a different matter altogether to lose one with details of over half a million MOD staff on it.  Serious questions have to be asked around what data should be allowed out of the office and why.”

Bill Jeffrey, permanent undersecretary at the MoD said “We deeply regret the losses of personal data. We have identified weaknesses within parts of the MoD that led to this situation, and I am confident that we are taking the necessary steps to address them,” he adds.


IT Advice, Luton

Jon Wilkes, Consultant at Eximium Ltd

‘SQL Injection’ – what is it and why could my business information be at risk from it?

Many people have heard of the term ‘SQL Injection’ when talking about data security in connection to websites.  There have been a number of high profile web-based security breaches in recent months using this technique.  For example, in March this year, a pair of attacks were uncovered by researchers, one infecting 10,000 pages and another compromising 200,000 pages.

But what is ‘SQL Injection’, why is it so dangerous, how does it work and why are certain websites open to attacks using this approach?

In order to understand what ‘SQL Injection’ is, and how to avoid it, we first have to know what SQL is and why, under certain circumstances, its use can leave your website vulnerable to attack.

SQL is an acronym for ‘Structured Query Language’.  It is a standardized language for getting data into and out of relational databases such as Microsoft SQL Server, Sybase, Oracle, MySQL, etc.  This is a language consisting of statements entered as text which are then offered to the database to be performed and (usually) to get data returned to the user.

Provided the text is valid SQL and does not conflict with the security permissions granted by the Database Administrator (DBA) to the person entering the statements, the database will faithfully do what it is asked.  So far, there is nothing wrong with this and millions of websites around the world rely on things working in exactly this way.  To see how it can be misused though, we need to dig a little deeper into what SQL can do…

Let’s imagine that we have a website with a login procedure – the sort of thing you do when you access your email or bank details online – and that you type your username into a field on a website before clicking the ‘Login’ button.  The website then takes the username you have entered and incorporates it into an SQL statement that – when executed on the database server - will retrieve all of the details for your username. 

This statement could look like:

MyStatement = "select * from USERS where UserName = '" + MyLoginName + "'"

This needs a bit of explanation… Firstly, USERS is the name of the place where we store all information about users. Secondly, ‘MyStatement’ and ‘MyLoginName’ are what are known as variables. Think of them as named boxes that you can put a value in. In this example ‘MyLoginName’ would contain the username you entered when you logged in to the website. Let’s say this is ‘Fred’ for now. The variable ‘MyStatement’ is going to contain the constructed SQL statement that we want to give to the database to execute. Finally, the asterisk (‘*’) is shorthand for ‘everything’. So the above statement, when the login details are added, becomes:

select * from USERS where UserName = 'Fred'

which is the SQL way of saying “give me back all the information about the user with the name ‘Fred’ “.

So far so good.  However, USERS contains information about all of our users (not just Fred) and, as such, would be a juicy target for a hacker with malicious intent.  By building the SQL statement in the way we have, we have left ourselves wide open to our hacker manipulating the input.  Let’s see how…

The weakness lies in the fact that we blindly accept what is in the MyLoginName variable. We assume that it is going to be a user’s login name but as we don’t check that we can’t be sure of it.  Imagine that, instead of typing the name ‘Fred’ on the login screen, our hacker typed the following text:

a' OR 'x' = 'x

I know that looks strange, but as we aren’t checking that it is a valid username, there is no way we would know that.  When it gets incorporated into the SQL statement above, we get:

select * from USERS where UserName = 'a' OR 'x' = 'x'

What that means, in simple language, is ‘give me all of the information about users where the username is the character ‘a’, or where the literal character ‘x’ is equal to the literal character ‘x’.  That must sound strange if you don’t understand SQL but think about it for a moment; adding the “‘x’ = ‘x’” has changed things entirely.  Matching the username is now irrelevant as the character ‘x’ will always match itself and that is sufficient to get the statement to return data.  And the result?  The contents of the entire USERS table will be given to our hacker!  All of the information about all of our users…

But it could be worse…

Because SQL can accept several statements at one time, separated by semicolons, our hacker could have entered the following:

a'; drop table USERS

When we incorporated that little bombshell into our statement we would have got:

select * from USERS where UserName = 'a'; drop table USERS

which should get you running for the backup tapes fairly sharpish!  Why?  Because you have just allowed your hacker to delete all your user data from the database – that’s what the ‘drop table users’ statement does!

So how do you protect your website from this sort of attack?   The following points will give you some guidelines:

1.  Ensure that the security granted by your DBA to the users connecting through the website is the absolute minimum level it needs to be.  They certainly do NOT need to be able to delete tables.

2.  Speak to whoever develops your website and check that: 

a) They do not build SQL statements incorporating input text supplied by the user unless absolutely necessary.

b) If they do find it essential to do this, they validate the input before using it to check that it conforms to expected rules.

c) They should consider rewriting the SQL as a stored procedure inside the database and pass the user input as arguments that can be validated internally.

3.  As part of the development / testing process, employ professional testers to attempt SQL injection attacks on your website.  There are many more subtle ways of gaining unauthorised access than are detailed in this article and you need to be assured that you are adequately protected against all of them.
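To show points 2a to 2c in working code, here is an added example that is not from the article: the USERS lookup rebuilt in Python against an in-memory SQLite database (constructed sample rows), with the string-built statement beside a parameterised one, and the article’s two inputs run through both. Parameterised queries stand in for the stored-procedure approach in 2c, since SQLite has no stored procedures, and `is_valid_username` is an assumed allow-list rule of the kind 2b calls for.

```python
"""The article's USERS lookup, vulnerable and fixed.

Added example, not the article's code. Uses an in-memory SQLite database
with constructed sample rows. The fixed version passes the username as a
bound parameter, so the database never treats it as SQL.
"""
import re
import sqlite3


def make_db():
    """Create an in-memory USERS table holding three constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table USERS (UserName text, Email text)")
    conn.executemany(
        "insert into USERS values (?, ?)",
        [("Fred", "fred@example.test"),
         ("Alice", "alice@example.test"),
         ("Bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, my_login_name):
    """The article's pattern: user text is spliced straight into the SQL."""
    my_statement = "select * from USERS where UserName = '" + my_login_name + "'"
    return conn.execute(my_statement).fetchall()


def safe_lookup(conn, my_login_name):
    """Parameterised form: '?' is bound to the value, never parsed as SQL."""
    return conn.execute(
        "select * from USERS where UserName = ?", (my_login_name,)
    ).fetchall()


# Assumed allow-list rule for usernames (point 2b): letters, digits and
# underscore, 1 to 32 characters. Quotes and semicolons can never pass.
USERNAME_RULE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(text):
    """True only if the input matches the expected username shape."""
    return USERNAME_RULE.match(text) is not None


def table_exists(conn, name):
    """True if a table with this name is still present in the database."""
    row = conn.execute(
        "select name from sqlite_master where type = 'table' and name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "a' OR 'x' = 'x"     # the article's first input
    print("vulnerable:", vulnerable_lookup(db, payload))      # every user
    print("safe:", safe_lookup(db, payload))                  # no rows
    print("passes allow-list?", is_valid_username(payload))   # False
    print("safe, drop payload:", safe_lookup(db, "a'; drop table USERS"))
    print("USERS still there?", table_exists(db, "USERS"))    # True
```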

To summarise, SQL is powerful but it needs to be used carefully on web-based systems, or it can leave websites and intranet systems open to attack. I advise caution and vigilance, otherwise your website could come crashing down, at least, or your sensitive business data could find its way out of your business, at worst.


Business Advice, Luton

Phil Connor, Consultant at Eximium Ltd

The expansion of the DNA database – has it become a data security issue?

Last autumn, while visiting the London HQ of the Forensic Science Service, Tony Blair, who was still Prime Minister at the time, called for the national DNA database to be expanded to include every UK citizen.  Gordon Brown raised the matter again in a speech this week.  In light of continuing high-profile breaches of data and information security in the public sector, and concerns that even the highest profile information systems are not safe, has this debate become a data security issue?

What are the arguments for the database?

So what are the implications of this? The arguments for a DNA database are compelling:
1. Without DNA evidence convictions may not always be secured.
2. Police time can be saved by narrowing down suspects very quickly.
3. Unsolved crimes spanning many years can be solved and the criminals brought to justice.

A case in question centers on Mark Dixie, a pub chef from Surrey, as detailed in this article from The Times Online by Richard Woods and Daniel Foggo earlier this year:

“Dixie was regarded by friends as an ordinary guy who enjoyed a party. He had managed to keep hidden a history of violent sexual assaults and had emigrated to Australia in 1993 before the collection of DNA became routine. He was not on the national database when he returned to Britain.

In September 2005 Dixie was prowling the streets in the early hours when he chanced upon Sally Anne Bowman, an 18-year-old aspiring model, returning home. He pounced in the driveway of her house and stabbed her repeatedly, inflicting wounds that one detective said were “off the scale”. Dixie sexually defiled Bowman’s corpse.
Although police recovered DNA samples of the attacker, the database held no match. For nine months the murder investigation made little progress. The police, believing the killer lived locally, had a list of more than 22,000 suspects.

Then in June 2006, Dixie was arrested after a fight broke out among football fans watching an England match in a pub.

The police were puzzled as to why he burst into tears as he was taken away. Dixie knew what was coming. His DNA was taken and within days was matched to the Bowman murder case. Dixie was sentenced to life.”

And the arguments against?

But what about the arguments against a DNA database?
1. Is the data held accurate? Or can mismatches occur?
2. Is this data secure and safe from malicious interference?
3. How would it be used and can we be sure it won’t be used inappropriately?

Expanding on point two, you have to look at recent and past high-profile breaches in data security, and the government’s record on securing data. Most recently there is the case of a “serious” security breach after a civil servant lost top-secret documents containing the latest intelligence on al-Qaeda!

Then we have the Prime Minister, who used a speech on June 17th to claim the government’s policies of creating a DNA database were protecting civil liberties rather than eroding them. His bid, however, to champion the security agenda was undermined when it emerged that Hazel Blears, the Communities Secretary who has been spearheading a “hearts and minds” campaign to fight extremism, had her laptop stolen from her constituency office in Salford! The computer contained restricted government files on extremism and defence, although aides stressed none of the files were “top secret”!

Conclusion

To conclude I would suggest that the majority of the general public would welcome such a database, but ONLY if they knew that:
• The data held was 100% secure
• That it would not be used or accessed inappropriately

But as history has proven that neither of these points currently has the remotest chance of being met, we have compelling arguments against an idea that should, in reality, stand up on its own!


Business Advice, Luton

News

HMRC fires staff for reading personal data

An MP has revealed that over 600 staff at HM Revenue and Customs have been disciplined for reading tax payers’ personal histories. Treasury Financial Secretary Jane Kennedy said that 238 people were disciplined in 2005, 180 in 2006 and 192 in 2007.

While some employees received a reprimand, the MP revealed that a large number had been fired.

Kennedy said that HMRC has a “strict policy forbidding staff to access customer records unless they have a legitimate business need.

“Breaches of this policy are taken seriously and will result in the commencement of disciplinary proceedings,” she said. “Each case is treated on its merits but, in many cases, the disciplinary penalty for breach is dismissal.”

The cases highlight continuing concerns about the department’s competence in handling data on UK citizens.

“The data loss that occurred last year at the treasury was the start of a string of stories concerning the mishandling of Government data. What for years was a trusted area is now under the spotlight, where revelations such as this will undoubtedly raise eyebrows,” comments Derrick Cameron, from IT firm Eximium.

“Businesses must deploy an information security solution, which hides sensitive data unless the request is genuine, if they are ever to completely overcome human curiosity and error,” adds Cameron.


IT Consultancy, Bedfordshire

Derrick Cameron, MD of Eximium Ltd

Are you compliant with the PCI standards?

In September 2006, the Payment Card Industry (PCI) Security Standards Council released version 1.1 of a document entitled ‘PCI Data Security Standards’, generally referred to as the ‘PCI DSS’.  The PCI Security Standards Council was formed by the leading payment brands, including Visa and Mastercard, specifically to develop the Data Security Standards. This was in response to rising fraud within the industry, and the standards were designed to ensure organisations adopt consistent security measures to proactively protect customer account data. The standards will be updated in response to new payment security risks, as they are identified.

Adherence to these standards became a mandated requirement in July 2007 for all organisations handling credit and debit card transactions, or providing systems or services that do.  However, many companies are still not compliant and nonconformity could result in hefty fines and possible withdrawal of payment services.  The largest merchants, those handling over 6 million transactions a year, are expected to be compliant first, with the smaller merchants following along later, working towards a deadline of December 2008.  Companies offering systems or services that handle credit and debit card data will also need to comply or face going out of business.

The PCI requirements, like many standards, are just a framework and so by their nature are quite generic. This can make it difficult to pin down exactly how they should apply to your business, your systems and your processes. Anyone who has implemented an ISO standard, such as ISO 9001, will be all too familiar with this problem.

The good news, of course, about a framework such as this is that it’s prescriptive about what needs to be done but not always about how it should be done, so allows you some leeway to implement the approach in a manner that suits your business and the way you like to operate.

So what are these standards really about?

The key information that the standards are interested in is known as ‘cardholder data’.  The PCI define cardholder data as the ‘full magnetic stripe or the PAN (card number) plus any of the following: cardholder name, expiration date and service code (often referred to as the security code on the magnetic strip)’.  In fact, however, many of the requirements deal with general industry best practice in connection with system and data security and have nothing directly to do with card data at all. For example, ensuring that each user of your system has a unique user id and password, and that their password is not one that can be easily guessed.  If your system security policy is already top-notch, then you’ll be a long way there already.  If not, you may have a lot of work to do.

Let’s have a look into the essence of what these standards are really getting at. There are 12 main requirements which are grouped under 6 main headings.  Here are the headings with my simple explanation of the requirements underneath each:

1. “Build and Maintain a Secure Network”
Ensure you have a secure network, including firewall protection and the need for passwords to gain access.

2. “Protect Cardholder Data”
Protect cardholder data wherever it is stored, and even when being transmitted outside your secure network.

3. “Maintain a Vulnerability Management Programme”
Ensure your systems are protected against unauthorised access, including using up-to-date anti-virus software.

4. “Implement Strong Access Control Measures”
Install and maintain strict controls around system access, even access to the physical bits of hardware, ensuring only those people who actually need to see cardholder data have access to it.

5. “Regularly Monitor and Test Networks”
Monitor and track access to systems and, more specifically, cardholder data within systems.  Also, regularly test the security systems that have been put in place.

6. “Maintain an Information Security Policy”
Implement and maintain a policy for the security of information in your business.

A common misconception about the standards is that they only apply to credit or debit card numbers. In fact, whilst only the card numbers themselves need to be protected using encryption (meaning converted into something incomprehensible using a ‘key’, so that only a holder of the matching key can convert it back to its original form), information such as expiry dates, issue numbers, customer names, addresses, etc., all need to be carefully protected according to these standards.

The 12 requirements under these headings are then further broken down into a total of 64 smaller requirements.  I don’t propose to list them all out here - suffice to say that the PCI council have been very thorough in covering a lot of areas that could result in a security breach, leading to card fraud.  Interestingly, as you can see from these 6 headings, only number 2 is actually concerned directly with what state cardholder information is in inside your business.  The others are all to do with stopping any unauthorised or unscrupulous activity that might compromise that information.

Is everyone affected in the same way?

The PCI have categorised merchants into 4 levels, each with their own set of compliance criteria, based on the annual number of credit/debit card transactions that your business handles, as follows:

Level 1 - over 6m transactions, or anyone whose data has previously been compromised. An annual onsite security audit and a quarterly network security scan are necessary.

Level 2 - between 1m and 6m transactions. An annual self-assessment questionnaire and a quarterly network scan are necessary.

Level 3 - 20k to 1m transactions.  An annual self-assessment questionnaire and a quarterly network scan are necessary.

Level 4 - everyone else.  An annual self-assessment questionnaire and an annual network scan are necessary (although this is under some debate and may be lessened in the future).

What will happen if I don’t comply?

In theory, each payment brand will take the action that it feels is appropriate (and achievable) to enforce these standards.  At the moment, there isn’t a set fine, and the PCI council doesn’t appear to have any plans to create one.  It’s likely that each brand will want different evidence to show you are compliant and they may opt to withdraw your payment services, in extreme cases.

All the original deadlines that were set for compliance have now passed, so they’ll probably be looking to set a date based on factors such as your level and the importance of your business.  Your acquiring bank should be the best place to start to find out what date you need to work to and what penalties you can expect to pay if you’re not compliant on time.

How do I go about implementing these standards into my business?

So, what do you need to do to implement these standards into your business?  And how can you ensure that you are compliant with a standard, if it’s so generic?

Firstly, it’s important to review each of the standards carefully and assess how it applies to you and to your business.  You may already have some of these things covered, so it’s a good idea to find those straight away and tick them off the to-do list.  This should leave you feeling slightly happier and with a more focussed list of work to be done.

A number of the requirements are things which are going to need a business process change rather than a system change. For example, users of a system being forced to regularly change their passwords.  You’ll be able to confirm whether your systems are capable of this, or change them to make it so, but it’s not quite so simple to establish whether your people are actually using the facility.  So, identify the standards that cover a business process in this way and think about how you’ll implement them, and how you’ll confirm that they are being adhered to.

You’ll also need to think carefully about where your credit and debit card data is being captured, stored and sent. Ideally, it should remain either hidden or encrypted at all times, but of course this just isn’t practical.  In order to actually use the information, it will need to be decrypted and visible.  However, it will need to be re-encrypted again once it’s been used in order for it to remain safe, so you’ll have to find these scenarios as soon as possible and work out what you are going to do.

It’s important to remember that any form of recording or transmission is covered by these standards, so emails, forms, and letters are just as much of a security risk as computer systems.  Make sure you know about the use of these other methods in your business and are doing something to control and audit their use.

The standards call for you to protect cardholder data from prying eyes and not to expose it to the risk of being stolen, even by your support staff. This is harder than it sounds!  Usually, there are backdoors that allow support staff to view and even amend data. This won’t be allowed in the future, in all but the most extreme cases and, even then, use of this facility has to be carefully controlled and audited.

Think carefully about your support processes because these changes could have an impact on your people’s ability to handle certain transactions in your business successfully. For example, are there any regular processes in your business that involve someone either looking at or manipulating card data?  If so, you’ll need to find these and start working out an alternative approach to handling them.

What about processes that rely on the use of people’s card details? For example, do you process credit card chargebacks?  These often start with the need to search a system using the customer’s credit card number. This might not work once card numbers have all been encrypted on your system!  Check these situations out carefully.
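The three problems raised above (card numbers encrypted at rest and decrypted only when genuinely used, support access that is controlled and audited rather than a backdoor, and a chargeback process that still needs to find a record by card number) are usually tackled together by storing, next to the ciphertext, a keyed lookup token and a masked display form. The Go program below is an added illustration of that design and is not code from Eximium, from the PCI council or from any payment system; the vault structure, the in-memory keys, the audit log and the card number (a constructed test value) are all assumptions for the example. Masking to the first six and last four digits is the display form the standard permits; the lookup token is an HMAC of the PAN under a separate key, so a search compares tokens and never decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Record is all the application database holds for one card: never the PAN itself.
type Record struct {
	ID     int
	Cipher []byte // nonce || AES-256-GCM ciphertext || tag
	Token  []byte // HMAC-SHA256(macKey, PAN): searchable, not reversible
	Masked string // first six and last four digits, the rest hidden
}

// Vault keeps the keys away from the records and logs every decryption (keys are hypothetical here).
type Vault struct {
	aead    cipher.AEAD
	macKey  []byte
	records []Record
	Audit   []string
}

// NewVault takes a 32-byte AES-256 key and a separate key for lookup tokens.
func NewVault(encKey, macKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, macKey: macKey}, nil
}

func (v *Vault) token(pan string) []byte {
	m := hmac.New(sha256.New, v.macKey)
	m.Write([]byte(pan))
	return m.Sum(nil)
}

// Store encrypts the PAN and files a record that can be searched and displayed without decrypting it.
func (v *Vault) Store(pan string) (Record, error) {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return Record{}, errors.New("not a card number")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(pan), nil) // nonce is prepended to the ciphertext
	masked := pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
	rec := Record{ID: len(v.records) + 1, Cipher: ct, Token: v.token(pan), Masked: masked}
	v.records = append(v.records, rec)
	return rec, nil
}

// FindByPAN answers the chargeback question "which record has this card?" by comparing tokens.
func (v *Vault) FindByPAN(pan string) (Record, bool) {
	t := v.token(pan)
	for _, r := range v.records {
		if hmac.Equal(r.Token, t) {
			return r, true
		}
	}
	return Record{}, false
}

// Reveal is the controlled exception: it decrypts one record and records who asked and why.
func (v *Vault) Reveal(id int, user, reason string) (string, error) {
	if id < 1 || id > len(v.records) {
		return "", errors.New("no such record")
	}
	ct, ns := v.records[id-1].Cipher, v.aead.NonceSize()
	pan, err := v.aead.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return "", err
	}
	v.Audit = append(v.Audit, fmt.Sprintf("record %d revealed to %s: %s", id, user, reason))
	return string(pan), nil
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32) // demo keys; use a key-management system in production
	rand.Read(encKey)
	rand.Read(macKey)
	v, _ := NewVault(encKey, macKey)
	rec, _ := v.Store("4111111111111111")          // constructed test number, not a real card
	r, found := v.FindByPAN("4111111111111111")    // chargeback search without decryption
	pan, _ := v.Reveal(r.ID, "support.alice", "chargeback ref CB-0001")
	fmt.Println(rec.Masked, found, pan, v.Audit)
}
```

The design choice worth noting is that support staff and the chargeback process work from Masked and Token, and only Reveal touches the encryption key, so the audit log lists every occasion on which a full card number was exposed and to whom. Rotating the MAC key means re-tokenising existing records, which is the price of a searchable index.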

OK, I’ve started work on this but what will all this change mean?

Let’s have a look at the type of testing need that all this will create.  At the end of last year we completed a testing project for one of our customers to help them ensure that their system met the requirements for the PCI DSS.

We undertook the work in 4 streams:

1. We needed to prove that the changes to their system achieved what they were supposed to have done.  In essence, were they doing what it said on the tin?

2. Then we had to confirm that the changes had led to the requirements under the PCI DSS being either met or exceeded.

3. Also, it was important for us to confirm that everything else still worked correctly on their system, i.e. that the changes hadn’t broken any of the important processes they already used.

4. Lastly, we had to check that other changes they had had to accept as part of the upgrade were also working correctly.  Their system is essentially a package, so some dependent updates were also provided by the software provider to make the PCI changes work.  This issue may or may not affect you.

After we had completed our testing successfully, we handed everything back to our customer so they could start their own testing, to make sure everything was fit for purpose for their business and their business processes.

I can’t stress strongly enough that all the changes you are going to need to make, whether they are to your business processes or your systems, are going to need to be tested thoroughly.  Don’t just implement them and expect them to work.

Hopefully, that gives you something of a flavour as to how complex testing something like this can be, and what all this change is going to mean to you.  The bigger companies are spending millions of pounds getting this right.

So what do I do next?

The best place to start is to download the standards themselves and the Self-Assessment Questionnaire from the PCI website at www.pcisecuritystandards.org.  You might also want to contact a PCI Approved Scanning Vendor (ASV) and get them to come in and assess how much work you’ve got to do.

Also, if you haven’t already done so, I’d talk to your acquiring bank as soon as possible and confirm with them what level merchant you are.  Oh, and don’t forget to ask them that all-important question about when you need to be compliant by, and how much it will cost you if you’re not ready by then!

Ultimately, this could be a complicated and costly process.  But, it’s worth remembering that it’s an important investment in risk reduction.  And, according to statistics from Visa Europe released in January this year, 84% of customers want to shop with merchants who are security market leaders and 75% say they would not shop at a store that had suffered a security breach.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches.  For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.


IT Advice, Bedfordshire

Derrick Cameron, MD of Eximium Ltd

Learn your lesson from Revenue and Customs to avoid a security meltdown

There have been shouts of ridicule at the recent security failings of Revenue and Customs (HMRC) which enabled the sensitive details of millions of child benefit recipients to get ‘lost’ somewhere within their postal service. But there is actually an important lesson to be learnt here. It’s easy to point the finger of blame with the benefit of hindsight, but it’s an episode which business owners would do well to view as a warning and learn from. Data is a valuable resource which can be easily lost or stolen if stringent security measures aren’t in place and actively enforced. The responsibility for making sure that this happens starts right at the top of your organisation, with you, explains Derrick Cameron, Managing Director of Eximium.

Businesses across the UK and the world have spent a lot of time and money ensuring that data is well secured within the virtual world of their computer systems with limited access, passwords, encryption etc. Organisations such as HMRC no doubt have rigorous procedures to protect the data while it is inside their computers – but information exists to be used, which automatically puts its security at risk. So what procedures do you have in place to ensure the protection of your data once the information leaves the security of its virtual world?

Protecting data on the move

Start by identifying all the potential ways that sensitive information could find its way out of your systems and your organisation, and make sure you have strict policies and safeguards to address any areas of risk. Ideally, different organisations’ systems should be able to talk to each other, so that passing data between them using an insecure medium such as CDs or flash drives is unnecessary. But for many companies, this is still some way in the future, so if this isn’t possible, at the very least you need to ensure that security procedures for the physical world are at least as stringent as those for the virtual world inside your computers.

When data is transferred between parties, it is at its most vulnerable, so look at ways of making the transfer process as safe as it can possibly be. Electronic transmission methods, such as secure FTP (File Transfer Protocol), or a secure site to site connection using a leased line or a VPN (Virtual Private Network) over the Internet are both preferable options that ensure the data cannot be seen by unauthorised personnel.

If you have no choice but to resort to using CDs or other ‘removable media’ for the transfer of sensitive information, don’t choose to use couriers or postal services unless absolutely necessary. It’s far more secure for an employee to hand deliver the media, making sure that it has reached the correct personnel at its destination. You also need to have a policy on what happens to the media once it has been used - ideally it should be returned to the source to be destroyed. Whilst this isn’t a foolproof method, it does enable you to track your data and ensure its safe return.

Don’t let your staff be your Achilles’ heel

As appears to be the case with HMRC, many security breaches are committed by the people who work for you – often unwittingly. Equally, hacking and other deliberate attempts to access secure information often begin as an approach from someone trying to get sensitive information from an employee, using a confidence trick – known as social engineering. A social engineer may well pretend to work for your company and get an unsuspecting member of staff to reveal confidential information. For example, by pretending they work for your company’s IT section and asking for your employee’s password to confirm their login details are working. From here, the skilled social engineer may then be able to access your sensitive data however they want to, whenever they like – and all that information is now at risk.

However, there is something you can do to help prevent this happening in your organisation, and it is really quite simple: communication. It is often easy to assume that everyone who works within your company has the same understanding of data security as you do – but this is rarely the case. As the manager, owner or director of an organisation, it is your responsibility to ensure that those who work for you understand the what, why and how of data security.

Making policy practice

Your starting point should be a clear and practical data security policy which everyone is aware of, has read, understood and signed – even the cleaning staff. Put policy into practice and communicate the gravity of data security by making any violation a dismissible offence. Your staff must know which data is sensitive, why, and how to protect it. After all, if this isn’t made clear to your people, how can they be expected to ensure its security?

First and foremost, your staff need to understand why they must never give sensitive information out to anyone unless the proper procedure has been followed – unfortunately employees at HMRC have learnt this the hard way. In addition, if a third party does need access to data, make sure they only receive the information they need, and that any sensitive data is either encrypted, removed or disguised. In this case at Revenue and Customs, the National Audit Office didn’t actually need most of the sensitive information on the disks - like bank details - so this information was exposed to unnecessary risk. Further errors of judgment and common sense were revealed in the subsequent story of KPMG receiving copies of similar disks. In this instance, they requested only a fraction (1500 or so) of 25 million records that they were actually sent!

Keeping control over what people can access is vital: if someone needs to retrieve sensitive information, the safest choice is to give them a user id and password which enables them to access the system directly. You can then control exactly what information they are able to see and what they can do with it. Similarly, if analysis of data is required, it is better for someone in your organisation to create a report that carries out the analysis, and send this to the third party rather than all the detailed information in the source database. The golden rule is to limit access to data so that people see only the information that they need – never expose sensitive data unless absolutely necessary.

The faults in security at HMRC were many, and perhaps the most serious security breach was the fact that a junior member of staff was allowed access to extract a complete database of sensitive information, coupled with the fact that they were then allowed to put that unencrypted information in a packet and post it without any need for authorisation from a senior member of staff. Whether it was HMRC policy or practice at fault, or most likely a combination of both, the repercussions of this massive security breach will be felt for a long time to come. So learn from the mistakes of these embarrassed officials and make sure that you address these issues within your own organisation – or you could be next.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches. He has been in the IT industry for 20 years. For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.


IT Solutions, Buckinghamshire

News

Firms should think about email leaks

Around half of all employees have sent emails to the wrong person. In a month dominated by news headlines about missing data on disc, a new report shows that misdirected e-mails are a serious cause of leaked data. Businesses are increasingly concerned about sensitive company information being leaked by email.

Research conducted by IT security firm Sophos has highlighted the problem and concludes that half of all employees have admitted to sending an embarrassing or sensitive email to the wrong person. The potential level of trouble for a company is high because as much as 80 per cent of a company’s business records are contained in emails.

“As more and more business and personal interaction is conducted via work email, the risk of clicking send without double-checking the recipient’s details is growing,” said Graham Cluley, senior technology consultant at Sophos.

“I think most people have experienced that heart-stopping moment when they realise that their message is heading towards the wrong person. I received an e-mail last week revealing an MD of a company has serious mental issues verging on a breakdown. The e-mail was rapidly recalled but by that time I had read it and the damage could have been serious,” says Derrick Cameron, MD of IT firm Eximium. “Technology can make human error faster and more damaging.”

There is now technology which scans messages for sensitive data and keywords, and that uses encryption to ensure that business-critical emails are sent securely. “Most data leakage on email is accidental and not malicious. Companies should put a solid security policy in place, and educate employees on how to use email with care. Whilst this won’t eliminate the problem, it will reduce the number of red faces experienced in 2008,” says Cameron.
