mobile security

news, reviews and goings-on in the world of mobile security

Information Security: UK Government failure after failure after…

Filed under: Laptop Security — webmaster at 2:59 pm on Saturday, January 19, 2008


This UK government data loss thing has got me all stirred up. Like most people I have a lot of questions to which I need answers. Perhaps you can help? Unless you have been living in a cave in Tora Bora, you will have heard in recent months of the two unencrypted disks which were lost by an office junior (so they say) back in December, and then of course there were the UK Police records which someone found on a rubbish dump (and so the list goes on).

And once again, it seems the office junior (according to The Sun) has been at it again, because yesterday it was the turn of the Ministry of Defence. They lost a mere 600,000 records of personal information on people who had applied to join the Royal Navy, Royal Air Force and Royal Marines. This includes National Insurance (Social Security) numbers, bank information, names, addresses and, the pièce de résistance, passport numbers.

According to the Beeb, the Information Watchdog is to quiz the Ministry of Defence (MoD) about its information security policy.

It is at this point at which my blood pressure starts to rise.

So you have already lost almost half the country's personal information, and only now do you start asking tough questions. And not only that, you only summon the head of the one unit that screwed up!

Should you not be summoning the heads of all government departments, implementing short-term contingencies and planning for a longer-term solution?

The Information Commissioner's Office's own guidance implies there are still no mandatory controls in place with regard to encryption inside government.

The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.

Frankly, that statement worries me. Particularly the word ‘recommends’, as it looks to be indicative of the current security climate inside Whitehall.

I would like to take a moment to illustrate this by quoting a few paragraphs from our friends at SANS:

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.

A guideline is typically a collection of system-specific or procedural-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.

So even after all that has happened, there still seems to be no interim solution and no clear policy on how to handle personal information. Britain is a developed country and a member of the G8, yet its information security policies would appear to be something out of the dark ages. This is shocking, and the public have a right to be outraged.

PS To the UK Gov: in future data breaches, please stop using 'office juniors' as scapegoats. It's demeaning to them and doesn't buy you people's sympathy.


NHS Hospital Laptop Theft - No Encryption - No Excuses

Filed under: Laptop Security — webmaster at 6:35 am on Thursday, March 29, 2007

Hospital staff in Nottingham have issued a warning after a laptop was stolen which contained confidential patient data. The data includes names, addresses and dates of birth of some 11,000 children from the Newark, Mansfield and Ashfield areas. The hospital has contacted all affected families and has set up a helpline. It also said it is very sorry for what has happened.

Now, I have reported on laptop thefts before and will continue to do so in the future, and this story has similar hallmarks to the Nationwide laptop theft which occurred last November.

Point no. 1: The NHS is the biggest employer in Europe, yet its security policy obviously does not contain any statement about mandatory disk encryption. But apparently that's OK because, according to Wendy Saviour, the PCT's Chief Executive, the laptop was password protected (yeah, OK). What I want to know is how the biggest employer in Europe can have such crap security.

Point no. 2: Apparently the NHS is very sorry about this. In this day and age, these kinds of events should not be happening. This is a fundamental failing in the system. Laptops always have been and always will be hot potatoes: easy to steal and easy to sell on. Many moons ago when I was a student, I used to work in PC World in the UK, and every weekend we would have several people come into the store to ask 'do you sell power supplies for IBM model X or Compaq model Y?'. Initially (until the penny dropped) I was amazed by how many people would lose their power supplies!

Come on NHS. You are legally obliged to provide patient confidentiality. There is no excuse for such lax security.


Hole found in BroadCom wireless driver

Filed under: Laptop Security — webmaster at 5:42 pm on Sunday, November 19, 2006

An unnamed researcher, together with H.D. Moore, creator of Metasploit and director of Security Research, says vulnerable systems are exposed to a "stack-based buffer overflow that can lead to arbitrary kernel-mode code execution." Essentially, you're vulnerable when connected via WiFi, as an attacker who is connected to the same WiFi network as you could remotely run code on your machine. For this, the attacker needs to be running Linux and Metasploit and have a wireless card capable of performing raw packet injection. The offending driver is called BCMWL5.SYS. Laptops known to be using this driver (among other manufacturers) include Dell, Gateway, IBM, eMachines and HP.

What is interesting about this hole is that the malicious packets are processed by the driver before they are ever seen by a firewall, rendering the firewall useless.

Until a driver update is posted, a useful workaround for vulnerable systems is to switch to another wireless driver (e.g. Linksys) or to disable wireless completely.
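A quick way to find out whether a Windows laptop is even running the driver named above, as an added example that is not part of the original post (the WMI class and properties are standard; the output layout and the helper name are my own):

```powershell
# Added example: inventory the Broadcom wireless driver mentioned in the post.
# Lists whether BCMWL5.SYS is registered as a system driver, whether it is
# currently loaded, and which file version is on disk, so an administrator
# can decide whether the workaround (swap driver / disable wireless) applies.
function Get-BroadcomWirelessDriverStatus {
    $drivers = Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -match 'bcmwl5\.sys$') }

    if (-not $drivers) {
        Write-Output "BCMWL5.SYS not registered on this system."
        return
    }

    foreach ($d in $drivers) {
        # PathName is the driver file as registered with the Service Control Manager.
        $file = $d.PathName
        $version = 'unknown'
        if (Test-Path $file) {
            $version = (Get-Item $file).VersionInfo.FileVersion
        }
        Write-Output ("Driver {0}: state={1} started={2} file={3} version={4}" -f `
            $d.Name, $d.State, $d.Started, $file, $version)
    }
}

Get-BroadcomWirelessDriverStatus
```

Run it from an elevated prompt; a "Running" state with Started=True means the driver is live on the wireless interface, so apply the vendor update or the workaround above.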
