C5 The Insecure Computer

Summary

Computers are now used in every aspect of life. For example doctors will store patient details on their desktop computer, home users who use Internet banking may store their financial details on their laptop and banks will store account details of all their customers. Even without an Internet connection computers are a security risk: a laptop left on a train may contain sensitive details about the company that the laptop owner works for. However, when a computer is connected to the Internet many more problems occur. This chapter looks at many of the problems associated with computer security and a number of the solutions.

An important point that I make is that while technical solutions are, of course, needed there are a whole host of non-technical crimes that can be committed for which the solutions are simple, but not often applied. For example, there have been occasions where memory sticks containing sensitive data have been lost that have no encryption protection.

Chapter Links

  • HSBC were fined for losing their insurance data; here is the Financial Services Authority’s verdict.
  • On pages 64 and 67 I described the loss of 25 million records by the British government. Here is a news story from Sky. Here is a link to the BBC story.  The data was associated with the British benefits system, but also mirrored data that is used for the children’s tax credit system. It included details of parents and children, bank details and National Insurance numbers. Happily though, the data seems not to have found its way into criminal hands. The full and correct name of the branch of government involved was Her Majesty’s Revenue and Customs.
  • An article from Time Magazine detailing the use of Twitter in the protests after the Iranian elections.
  • The jailing of the creator of the Melissa virus.
  • An article from the New Scientist on the threats to computers including viruses.
  • A good introduction to how viruses work.
  • A typical anti-virus scanner (I have no connections to this company apart from the fact that I use their free anti-virus program).
  • An article that describes how a firewall works.
  • A good introduction to cryptography in the very short introduction series can be found here in Amazon.
  • This page from the Bletchley Park web site describes some of the machines used to crack German codes.
  • A fuller introduction to public key cryptography.
  • The book The Art of Deception by Kevin Mitnick and William Simon can be found here at Amazon. Although the book is quite old (hardback published in 2002) the fact that it deals with social engineering makes it still relevant today. Mitnick has just released another book on his previous life as a hacker. Mitnick now runs a company that is used by companies to carry out ethical hacking in order to find weaknesses in corporate computer systems. There’s an interesting interview with him at ZDNet here.
  • The Pfleeger and Pfleeger book can be found at the Amazon site here.
  • This is a very useful site on computer security which contains lots of articles.
  • An excellent Guardian article by Misha Glenny about cybercrime and whether it is out of control. I recommend his recent book on cyber crime. It’s very readable.
  • Brian Krebs is a leading security expert. His web site, although a little technical, is an excellent source of news about cybercrime.
  • The Melissa virus did not ‘find’ the documents that it emailed out. What happened was that it infected a popular MS Word template on the computer that was infected and anyone who used that template to develop a document and then send it to someone else started the cascading process whereby the document, which could have been confidential,  was emailed to 50 others and then 2500 others etc. It truly was pernicious.

Blog posts

Computer Forensics

Over the last decades police forces thourhgout the world have developed special computer forensic teams that are able to dig out evidence from a suspect’s computer. Here’s an example of where computer forensic evidence was used in a murder trial.

Industrial Cyberwarfare

In November the security company Symantec described a series of attacks on chemical firms that employed a Trojan horse: a program that came attached to an email and which infiltrated computers. What was unusual about this attack and other recent attacks is that they targeted industry rather than individuals. I have noticed that attacks on home computers and personal computers seem to have decreased recently; probably because of media cover age over the last five years, and that we are now seeing an increase in industrial cyber-spying. There are also worrying trends elsewhere, for example the Iranian nuclear program seems to have been affected by a virus. Here’s a worrying article on this. If you are interested in this aspect of computer security I recommend Misha Glenny’s new book.

The Insecure Memory Stick

This is a BBC account of a recent non-technical loss of data.. Memory sticks are small and often are designed in such a way that they can fall off a key ring. If I was in charge of a major organisation I would insist that staff use encrypted memory sticks.  Here’s an example of such a stick.

What has a French Rugby Club and a Stock Exchange got in Common?

They have the same name: Dax. Dax is the name of a French rugby club and also the name of the German stock exchange. A hacker trying to infiltrate the stock exchange infiltrated the rugby club web site. Story is here.  This hacker may have had terrific technical knowledge but their real world knowledge lacked something.

So Mr Bond What Did Your Last Google Search Reveal?

An interesting article in the Daily Telegraph today that reported the words of an ex-director of GCHQ the British technical spook factory in Cheltenham. He pointed out that spies will need to work harder given the amount of information that can be found on the Internet. Looks like future James and Jemima Bonds will not only need to shoot straight, dress elegantly but also frame complex Google queries. I’ve always wanted to be a secret agent, perhaps…

Another Scam

Came across another variant of the bank account scam today. My daughter is selling her car and has advertised it on the Internet. She got this email (I have not corrected it).

Thanks for the mail and update ,Am really interested in the purchasing it from you and the prices well okay with me,My mode of payment will be informed of bank to bank transfer ?If you  will accept that i will call my bank account officer so that he can remitted the money into your account ,Once you confirmed the money into your account then arrangment will be made for the shipping company for the pick of the car in your premises to my destination .I will be hoping to read back from you so as to preceed further on this sells.

Kindly write back and let me know if you will accept direct bank transfer to your account ?

A clear scam: request for bank account details, eccentric phrasing and punctuation, the use of a shipping company who would charge much more than the car was worth and the remarkable fact that the buyer was not interested in seeing or driving the car. Its the equivalent to the burglar turning up with a striped jumper, eye-mask and bag marked ‘swag’.

It’s a dodgy world out there. The golden rule described in the book is ‘Never give your bank details away’.

It’s Not Just Your Credit Card Details They Want

There is an incredibly worrying article at the BBC web site. It describes an attack on part of a water system. What is worrying about this ‘incident’ is that SCADA systems are used in all sorts of applications many of which are safety critical. I describe the potential problems with offshore oil installations in Chapter 1. This is just the tip of the problem. Read the article and worry, particularly the reference to the three-character password.

Do you Want to be a Spy?

If any of you fancy being a spook then there’s a competition online that challenges you to crack a code (BBC link). It’s from GCHQ, the British techno-spying department. Gone are the days when all that was needed to progress in the spying career was the ability to wear evening dress, an attraction to the opposite sex, good shooting skills and the ability to consecutively fight and kill at least four opponents. Life gets tougher for prospective James and Jemima Bonds.

Botnets on the Increase

The BBC reported today that millions of computers throughout the world had been infected by viruses that, for example, send out spam to other computers. Here’s another link. In the first chapter of the book I described a survey by the security company McAfee that reported that in 2009 this was a major problem. The survey that McAfee carried out referred to an infected computer as a zombie. The report by the BBC describes a long term study that showed that the problem is increasing; it describes an infected computer as a bot and a collection of computers as a botnet. Although the UK came off pretty well in terms of infected computers the figures are still really scary. There is some excellent advice from Microsoft about infections and botnets here.

Security Software

I have been asked about security software. In the book I state that to guard against viruses and other malware you will need to have anti-virus software and that you will need a firewall. There are a number of excellent products on the market, for example these from  Norton. Note that I am not recommending these products; you will need to shop around, scan the web and ask advice from experts based on your personal use of a computer. There are also excellent products from companies such as McAfee and Kaspersky so it’s your choice. What is certain is that if you don’t employ such products you are asking for trouble.

Security Advice

Increasingly computer users are coming under attack from criminals. I’ve just read the advice from the bank I use. I thought that I would share it with you. Here are three links: protecting yourself, spotting common scams and other advice.

Security Tools

I came across this useful review of security suites. These are software systems that combine anti-virus and personal firewalls with other software facilities. Given the insecure state of the Internet you would be foolish not to buy one.

Good News about Phishing

Phishing is the process whereby a scammer sends out an email purporting to come from a legitimate source such as a bank and asks you for personal information such as your account number or password. This is then used for criminal purposes. The good news is that many of the behemoths of computing have got together to develop a standard that can recognise Phishing. Here’s a link.

Credit Card Scams on the Decrease

Report from the Daily Telegraph about the fact that credit card fraud is decreasing. The bad news is that phone fraud and other low tech stuff is on the increase. Just remember your bank or anyone else will not ask you for sensitive data over the phone. About six months ago someone tried this on me. They sounded quite convincing; beware.

Phishing Again

I have started to receive emails to one of my addresses asking for details such as my email password, my date of birth and my profession. What is worrying is that this email address is not publicised. What I suspect is happening is that someone who has my address in their address book has had their email account compromised by replying to the sort of email that I am receiving. The first of the spam arrived yesterday. Deep sigh: there has been enough news about phishing over the last year or so and I am baffled that people still fall for it. The result is inconvenience for me and everyone else that was on the address book that was compromised.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s