Twitter in the dock as Thailand steps up web censorship

Apologies for the radio silence over the past week or so, but I have finally made the move out to SE Asia, where I’ll be poking my nose into all things technology for the foreseeable future (as well as documenting some food-related escapades over at Death Noodle).

One of the first stories that attracted my attention was that of Thailand becoming the first nation to publicly back Twitter’s controversial latest move to assist governments in taking down restricted content in their geographies. It was first reported here in the Bangkok Post.

Thailand already censors its citizens by removing content which is pornographic or harmful to its royal family, or both, and now it will be teaming up with the microblogging phenomenon to regulate the web even more rigorously in the country.

I reported Twitter’s original decision a fortnight or so ago on The Register, claiming that the move could be seen by cynics as a thinly veiled attempt to cosy up to repressive regimes. Well, one such regime – although nowhere near China on the repression stakes – has certainly nailed its colours to the mast. Let’s see how many more come out and declare their intentions.

The worry is that they will certainly not be doing this in as public a way as the government of Thailand. While it has been a force for much social good in the world since its inception, Twitter let a lot of people down when it announced this decision. The fear is that the true effects of the much more malign and covert deals certain governments may be striking will be difficult to document.


Why S.E. Asia is the new frontier in technology

I’ve just finished my last piece for V3, a carefully worded opinion article detailing why IT managers need to gain a better understanding of the Asian technology space.

I’ve been focusing more and more on this part of the world in the past few months, in preparation for my imminent departure to Hong Kong, and what has become clear is that South East Asia, with China at its heart, is set to drive technology innovation over the next 50 years.

The reasons?

  • The economy is booming. Even in Japan, which has had its fair share of problems, GDP is expected to be higher than the UK’s this year. As such, UK-based IT managers and CIOs in global companies may find themselves having to support expansion into these lucrative markets.
  • The region produces most of the world’s silicon wafers, essential for the production of computer chips.
  • Established technology giants including Sony, Samsung, Toshiba and LG, and up and coming firms such as HTC and Huawei are all headquartered in the region.
  • These firms are increasingly looking to sell into the UK and western markets.

The smart IT leader looking to make their name and get on in their career could do worse than getting familiar with all things Asian and tech.



2011 – the year the cyber security fightback began

Have just put the finishing touches to V3’s information security round-up/predictions piece so thought I’d share a few of the headlines with you here.

First the bad news – 2011 witnessed an unprecedented number of security incidents, with attacks launched by the usual suspects including state-sponsored hackers and cyber criminals as well as hacktivists such as the Anonymous online collective.

This new breed of hacker caused organisations from a wide variety of industries some serious problems throughout the year, launching denial of service attacks, harvesting and posting sensitive information online and even hacking the web site of The Sun to post a fake story.

Mobile became a big focus for attack in 2011 too, as the perfect storm of powerful consumer devices and the trend towards consumerisation in the workplace made them an attractive target for cyber criminals. All the major platforms have been found to contain security weaknesses, but Android is still by far the worst, given its open ecosystem which allows fake malicious apps to be uploaded and sold on the official application store with disturbing ease.

The fall-out from the infamous Stuxnet worm also continued apace in 2011, as huge numbers of flaws were revealed in Scada and other industrial control systems which operate everything from nuclear power plants to sewage works. We can expect these vulnerabilities, and as yet undiscovered ones, to be exploited in earnest by hacktivists, state-sponsored hackers and cyber criminals in 2012.

And now for the good news. The past 12 months have seen some spectacular wins for law enforcement and industry players like Microsoft and Trend Micro in working together to take down big name botnets including Rustock, Coreflood and Esthost. These botnets are the root cause of most global cyber threats and if we can get a little better at cross-border, cross-industry co-operation, things may not be as bad as all that in 2012 after all.


Cloud computing not for everyone

Just got off the phone after a conversation with Dilbagh Virdee, an IT manager at Lord’s cricket ground, which threw up some rather interesting insights about the disconnect between vendors/analysts/journalists and the actual customers.

Ostensibly we were there to talk about his implementation of Trend Micro’s Enterprise Security Suite – which went very well by the way, thanks for asking. What soon became clear though is that some companies are just not jumping on board with the whole cloud computing thing.

Now, Virdee said that Lord’s, despite being the home of cricket and one of the world’s most famous sporting grounds, is not actually all that different to manage from any other organisation. If anything, he said, the single-site set-up makes it more straightforward to manage than many organisations which have to deal with clusters of Exchange servers, WANs and the rest over multiple locations.

Just an average company then, but with no huge desire to go cloud, he said:

“I don’t know if we want to go to the cloud. It has been around for many years and all that’s happened is it has been rebranded. Unless we feel it’s the right fit we’ll be leaving it alone.”

Now I’m not saying Virdee is representative here, and in fact maybe this conversation stood out in my mind by virtue of its being so unusual, but it is interesting what you hear when you speak to real IT practitioners.

While vendors, analysts and journalists seem intent on hyping up the cloud to the max, most IT managers are taking a rightly more pragmatic approach. Virdee is absolutely correct to be cautious about jumping on board the cloud bandwagon, whether he’s thinking public, private or hybrid.

As with all new technologies – and as he alluded, there is a case for saying that the cloud is more of a new marketing term than a new technology platform – the key is to do your due diligence, ask the right questions then take stock.

Knowing the right questions to ask, of course, can be the tricky bit.


China does it again with crack down on web rumours

The Chinese government came good this week on its promise to come down hard on anyone it suspects of spreading ‘harmful’ rumours on the world wide web.

It’s yet another example of the increasingly uncompromising stance adopted by China in the face of what it sees as a huge threat to the Communist Party’s control and power – social media.

Where it will end no-one knows, but as high profile politicians such as William Hague and Joe Biden said at the recent London Conference on Cyberspace I reported from, any country deliberately blocking the free flow of information in such a way will eventually come unstuck.

Famous for its hard-line approach to internet expression and the free flow of information, the authorities had already forced over 30 major technology companies in the country, including Baidu, Lenovo and China Telecom, to agree to tighter censorship to control the spread of rumours.

China Daily reported this week that two men had been arrested in Changsha, Hunan after suggesting that a huge police escort had been spotted guarding a wedding in the city last week. The authorities denied this, and didn’t take kindly to the clip of the wedding escort which the men posted online.

They were apparently detained for four days.

Things are likely to get worse before they get better for the people of China, and for businesses trying to navigate local laws as well as the various cultural roadblocks in their way, it seems that a local partner is still a must-have for success.


ID fraud and LinkedIn: a marriage made in heaven?

Have just written a pretty extensive blog on identity fraud, off the back of an interview I had with Jason Hart, managing director of authentication firm CryptoCard.

Aside from his current role, Jason has an impressive 17+ year history in the information security business, many of those years spent as an ethical hacker where he tried, and succeeded in most cases, to crack password systems.

As a former ethical hacker, Jason is the perfect person to articulate exactly how easy it is for cyber criminals to obtain the information they need to either socially engineer a cyber attack, crack an account password or commit some other kind of ID fraud. To put it simply: it’s incredibly easy. LinkedIn was highlighted as a particularly rich source of personal information for hackers, and given the social network’s professional slant, this could be a particular concern for IT managers if cyber crims see it as an easy way to compromise an employee’s PC.

The example he gave was of a fraudster trawling the network for any professionals who had just started a new role. They could email the victim pretending to be from HR, or IT requesting certain information or encouraging the user to click on a malicious link. Most would not even query whether this email or the sender was legitimate or not, he claimed.

It’s a simple technique made possible by virtue of the fact far too much info is being posted on these sites and is publicly available when it shouldn’t be. So whose fault is it? Facebook has been criticised in the past for the complexity of its privacy settings, while LinkedIn sent me a fairly unequivocal statement about where it expects the balance of responsibility to lie:

“As a member of LinkedIn, you have full control over what information you share with your connections and beyond. Privacy settings allow you to control what information you make available to search engines through your public profile, and to control the messages you receive from LinkedIn and other users. The privacy settings also allow you to control visibility and accessibility throughout the web site.”

The problem here is visibility. LinkedIn’s fabled privacy settings are not the easiest to find, and, while certainly simpler to get to grips with than Facebook’s, may still cause some people issues. As with all security and privacy arguments, if usability is compromised too much, it renders any security obsolete. This is, after all, why so many sites still only offer static passwords to authenticate users rather than two-factor systems.

Ultimately though, the rather unsatisfying answer is probably that users will just have to get more savvy, and for savvy read disciplined, at screening their emails.


Visa and the woes of 3D Secure

Trend Micro’s Rik Ferguson alerted me on Friday to a persistent problem with the credit card authentication system Verified by Visa relating to the password reset.

Basically, this ongoing problem, which I think The Register covered about three years ago, could allow a fraudster to reset the VbyV password and start using a stolen card.

Now, this isn’t exhaustive research and the exact implementation of the 3D Secure system, which is designed to make transactions more secure, probably changes from card provider to card provider.

However, in certain instances it asks for three pieces of info obtainable from the card and a fourth (birth date) which is obtainable from just about anywhere online.

Ferguson suggested, very sensibly, that birth date should never be used as a secret question. Instead a one-time password reset URL should be delivered to a registered email address.
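To make the contrast concrete, here is an added illustration of the two reset designs discussed above. It is example code written for this post, not Visa’s or any card provider’s implementation; the account fields (last four digits, expiry, name on card, birth date, registered email) are constructed assumptions standing in for “three pieces of info obtainable from the card” plus the date of birth. The first function shows why a knowledge-based check fails: everything it asks for is in the hands of whoever holds the card and a social-network profile. The second class shows the one-time, time-limited reset link sent only to the address on file, stored server-side as a hash and consumed on first use.

```python
import hashlib
import secrets
import time

# Constructed sample account record (not real card or customer data).
ACCOUNT = {
    "card_last4": "1234",
    "expiry": "12/14",
    "name_on_card": "J SMITH",
    "birth_date": "1980-01-01",
    "registered_email": "cardholder@example.com",
}


def weak_reset_allowed(card_last4, expiry, name_on_card, birth_date, account=ACCOUNT):
    """Knowledge-based reset of the kind the post describes (assumed field set).

    Every input is either printed on the card or discoverable online, so a
    thief holding the card plus a birthday found on a social network passes.
    """
    return (
        card_last4 == account["card_last4"]
        and expiry == account["expiry"]
        and name_on_card.upper() == account["name_on_card"]
        and birth_date == account["birth_date"]
    )


class ResetTokenStore:
    """One-time, time-limited reset tokens; only the hash is kept server-side."""

    def __init__(self, ttl_seconds=900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be exercised in tests
        self._pending = {}  # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Storing only a hash means a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, account=ACCOUNT):
        """Return the URL that would be emailed (the mail step is simulated)."""
        # The link goes only to the address already on file, never to one
        # supplied by the requester; anything else gets nothing.
        if email != account["registered_email"]:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        self._pending[self._digest(token)] = (email, self.now() + self.ttl)
        return f"https://issuer.example/reset?token={token}"

    def redeem(self, token):
        """Consume the token: accepted once, and only before it expires."""
        # pop() removes the entry whether or not it is still valid, so a
        # replayed or expired link can never be tried again.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        _email, expires_at = entry
        return self.now() <= expires_at


if __name__ == "__main__":
    # A card thief who looked up the birthday on a social network gets through.
    print("weak reset passes:", weak_reset_allowed("1234", "12/14", "J Smith", "1980-01-01"))
    store = ResetTokenStore(ttl_seconds=900)
    link = store.issue("cardholder@example.com")
    print("link sent to registered address:", link)
    tok = link.split("token=")[1]
    print("first use:", store.redeem(tok), "second use:", store.redeem(tok))
```

The design choice worth noting is that the weak path’s inputs are all static facts, so once learned they work forever, whereas the token path binds the reset to something the attacker must intercept live (the mailbox) within a short window, and that evidence is single-use.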

Most disappointing in all of this was a very lengthy but ultimately unsatisfying response from Visa which basically amounted to “VbyV does a good job of cutting fraud and any further tweaks to it would tip the anti-fraud/convenience balance dangerously the wrong way for users, retailers and card providers”.

I guess we’ll have to wait until that tipping point when it becomes a tried and tested method of bypassing 3DS, then the card giants will have to sit up and listen.

Link to my original story is here.


Ministry of Defence cyber chief: UK needs to emulate Estonia

Just got back from Cyber Security 2011, another information security event in central London with an impressive list of speakers ranging from former home secretaries David Blunkett and John Reid to Europol assistant director Troels Oerting and the government deputy CIO, Bill McCluggage.

Standout for me, however, was major general Jonathan Shaw, head of the defence cyber operations group at the MoD, who certainly didn’t pull his punches in sharing his judgement on the UK’s cyber security posture.

“It’s a bit like the 80s when everyone knew about AIDS but were shagging without condoms anyway,” he told the attendees.

Fair point, if a little bluntly put. As was his remark that the UK is behind Estonia in terms of cyber readiness. We need to move from being a country in “pre attack mode” to one, like the Baltic state, in “post attack mode”, where security is taken far more seriously by all citizens, he argued.

It’s surely only a matter of time before a massive cyber incident hits these shores, knocking out key national infrastructure, but will that be enough to focus minds on the importance of “cyber hygiene”, as Shaw called it?

I’m not so sure. It’ll certainly take more than a Get Safe Online campaign to do it, although if Shaw’s estimate that 80 per cent of threats could be nullified by such measures is true, it is certainly an end goal we need to try and achieve.


Is the UK government’s Cyber Security Strategy any good?

The British government released its long-awaited Cyber Security Strategy on Friday, just over a year after its initial decision to plough £650m into the area was revealed.

Some of the key parts of the strategy include:

  • a cyber security ‘hub’ where government and businesses will be able to exchange information on threats and responses, with GCHQ at the forefront of this cross-fertilisation of skills and knowledge.
  • a cyber crime unit to be set up within the new National Crime Agency with input from the Met’s PCeU and Soca’s e-crime unit.
  • a single fraud reporting system for cyber crime.
  • recognition of the need to protect critical infrastructure with the strengthening of the Centre for the Protection of National Infrastructure.
  • creation of a new Joint Cyber Unit hosted by GCHQ which will further develop military capabilities.
  • user education, also highlighted as key, with Get Safe Online’s web site getting a revamp and the government also working with ISPs to form a new voluntary code of conduct to help users identify if their computers have been compromised and what they can do about it.
  • finally, on the international front, the government said it would continue to foster dialogue between companies as per the recent London Conference on Cyberspace which I reported from.

All told I think the government has made a pretty good stab at things here. Although it has been a long time coming, I can’t really think of an area which it hasn’t addressed and in general the commentators are all making the right noises about this one.

The tone seems to be very much of engaging with private sector, of knowledge sharing and of improving user education, which experts in the industry have been crying out for for so long now.

My only slight concern is that there has so far been no mention of exactly how much money Get Safe Online will get. It blatantly needs a significant profile boost as despite the best efforts of Tony Neate and co, it is still somewhat marginalised.

The other worry is that the PCeU will also lose its voice if it is subsumed into a larger National Crime Agency body, just as the NHTCU was when its work was folded into Soca.

These are minor concerns though and the government is certainly on the right path. Trend Micro EMEA director of security research Rik Ferguson even went so far as to tell me that if it delivers on the report’s goals, “it will put us in a leading position in Europe and globally to prevent online crime in the first instance and take action where it does arise”.

He also explained that the government had consulted heavily with industry to draw up the strategy, which in itself is a positive step. The only way to make headway against cyber crime / warfare is to take an inclusive, collaborative approach like this – government and industry together is a far more formidable prospect for the bad guys.


Xbox Live customers phished – another bad day for static passwords

So I’ve just been working on a story here about yet another phishing incident, this time affecting Xbox Live customers.

Some reports suggested the criminals involved managed to pilfer millions of pounds from their Xbox victims all over the world, cunningly only siphoning off small amounts of money to avoid detection once they’d managed to phish the initial bank account details.

One thing really struck me looking at this story, having recently spoken to CryptoCard MD Jason Hart (it’s an authentication security firm if you were wondering). That is, Microsoft was very quick to clarify that its Xbox Live service was not hacked in any way, which is lovely for them, but short on long-term answers.

Redmond said how it was helping all its affected customers in any way it could, by trying to “investigate and/or resolve any unauthorised changes to their accounts” which may have occurred as a result of the phishing, but what about preventative measures?

It became clear to the banking community some time ago that one-time passwords and two-factor authentication were the way forward. When are the big gaming companies finally going to realise that it does their reputation no good at all when stories like this one get out?

It will only take one firm, I predict, to set the ball rolling and soon they’ll all be at it, which will be good news all round for customers and the industry in general.