High numbers of students turn to hacking

HackerIn a survey conducted by Security Firm Tufin Technologies, it acknoleges that around 1 in 5 students are admiting to hacking. The real intresting question is, are the other 4 being honest? When I was in high school , I knew one guy whom would be considered a hacker. At college I did a small amount – mostly accidental stuff – I tried to log on to an Oracle Database server with the system administrator log on – turns out the IT department had not changed the pasword for it. One of my freinds at that college showed me a technique to bypass a BIOS password, and it worked.

There is two sides to the story as always, ethical hacking, such as that taught at Dundee Abertay college in their Ethical Hacking and Countermessures allows students to develop skills of nessesary evil. If you are unaware of how to hack into a system, how can you possibilly prevent unauthorized access to it?

It is generally a grey area – hacking for ethical sake without the authority of the system in question such as an IT department clearly is wrong no matter what your intentions are. The study found that the vast majority of the students surveyed did agree with this assessment. Combining the remaining 16% whom do not recognize it as being wrong, the ones that have tried hacking from that lot are the ones that we need to worry about – they dont realise or do not understand what they are doing is wrong, and they have the skills to actually do it. These are the kinds of people that are going to cause us the problems.

Strangely, they suggest there is no gender bias but I find that hard to belive unless they actually interviewed equal number of students – generally speaking in computing science courses (at least the courses I have been on) have had a higher number of boys to girls ratio. Therefore less girls would be questioned and make up the ‘guilty’ selection.

On another consideration, the research does not define what they mean by hacking. How  many of the ones that admited it had merely overlooked a shoulder as a password was being typed? Or used completely automatic tools that got in? Neither of these are really major threats, its the ones that can sit down with just a shell and still manage to get in that we really need to worry about.


Internet Technology

Twitter users subjected to worms

Certain twitter users, by which it seems the vast majority have found they were vulnerable to a Cross-Site-Scripting XSS vulnerability in the twitter software. It allowed the site to generate a self replicating worm that spread very rapidly across many users at the peak of it around 100 replications a second were being generated.

The result varied from harmless messages to more dubious redirects. The most amusing of these would perhaps have been former prime minister’s wife Sarah Brown’s twitter account redirecting people to pornographic accounts.  She has around 1.1 million followers. I would not be in the slightest surprise should 1.05 million of those actually took up the vulnerability spreading it further whilst visiting the Japanese Porn sites. I am sure we really don’t want to know what she ended up linking to! She updated her feed shortly afterwords to say sorry, I wonder if she took the opportunity to have a nosey herself.

This kind of security breach is relatively straight foward to resolve and given the size and popularity of Twitter, it is a surprise that no one ever considered the security aspects of user input! In the security world, users should never be trusted, they are out to get you!

The most interesting thing about these kinds of problems is they are relatively straightforward to deal with by assuming from the outset of the project by simply presuming that your users will go out of their way to destroy your system. Its true, users sooner or later will find ways to break the system either deliberately and maliciously or through sheer accidental foolishness. As a developer you need to think about these problems. Think about encoding raw input should you not need to do any processing on it that’ll easily prevent a sql injection. Or verify before inserting that it is in an expected format like a date should have 3 parts to it separated by a separator such as “/” so if you get 3 “/” and 4 sets of numbers then it cant possibly be a valid date now can it?

The Independant


US self appointed as gaurdian of the internet

Camera Pointing to a SignSecurity is an important aspect of all technological advancement in this day and age. Quite possibilly then to fathom the concept of a Government runnning the security of something as huge as the Internet is unconceiviable.

However that is exactly what the United States wants. National Security Agency Director, Gen. Keith Alexander has indicated that the United States should take the responsibility of making the internet secure.

“We made the Internet” he states, funny, when I was in University, we always thought that scientests created the internet not a Defense Agency. Isnt Tim Berners-Lee, an englishman, most often citied as inventor of the Internet?

Come to think of it, arent they responsible for securing the United States from national threats, like 9/11, or the security breaches at the Department of Defense and NASA by McKinnon  and the infected USB Drive in 2008 that caused problems in the DoD as well.

Continuing, he states that the task ahead is huge. Well, yeah of course its huge have you seen how well your agency secures things so far? You need a huge force just to fix the internal problems you have before even looking at other US Government Agencies, to say nothing about international security of hostile states.

He also states that citizens of the United States take an interest in government’s activities towards securing the internet and security of government agencies as a whole. So do I, in fact, I honestly doubt there is anyone who doesn’t. Lets face it with the number of security breaches associated with Government, we must keep a very close eye on what they are doing. Don’t want them selling the nuclear launch codes on eBay now do we?



Quantum Security Breach

Photo representing Quantum WorldThe world of quantum physics has been involved in the world of security. However a security breach is possible. Researchers have spent probably a huge portion of their time experimenting on techniques to be able to publish a paper indicating a vulnerability in a Quantum Cryptographic system.

They in essence have shown it is possible to hack into highly encrypted data. The principles of Quantum Physics which are used in quantum cryptography relies upon the Heisenberg principle. whereby looking at the data in essence actually alters its behaviour which could be used to identify a security breach or corruption of data in transit.

The technology of quantum cryptography uses fiber optic in order to transmit data. This being the weakest point in the system. Using laser signals the researchers were able to intercept and confuse the receivers when the signal reached it. Given the nature of fiber optic networking however I am not sure that this is a security risk that is overly likely to occur. Damage caused to fiber optic cables in order to send a laser signal in could corrupt data in its own right, and at the least is likely to have a negative impact on network performance. This would lead to the discovery of the hooked up equipment used for interception.


News Technology

Skeletal Scaner security ID

X Ray Scanner X-Ray scanners at airports could soon be a thing of the past. The new system would look at the skeleton and be able to accurately identify people based on that. At as much as 50 meters away from the scanner also. In an ideal world, this  could make getting through airport security much quicker. As you enter the building, you would be cleared for access through the security gates.

There is some problems with this approach however. Data Security, our government has certainly shown it cannot be trusted with personal information so can we really trust them with a database of people’s skeletons? It could even be said that this would be an invasion of privacy. The system would identify in depth bone issues such as broken bones and fractures, thickness of the bone.

The other issue that is likely to prevent this  kind of system replacing XRay at airport is the fact that the information must already be on record in order to establish if a person is trustworthy of airport access. Conducting a worldwide database of full body scans will be near on impossible. It would be like the DNA Database kept by the police which has aroused many concerns in the past.

Well, I am going to go and buy some shares in the Tin Foil industry.

The Register


Children’s Data in Public Realm

Dilbert Data SecurityNow we are slightly more than half way through 2010. In this year UK mostly government departments have lost significant quantities of data. The security levels of the UK seems to be at atrocious levels. The liberal democrats have initiated a Freedom of Information Request over the data that has gone missing. To the shock of the general public the findings was significant.

Around 200 electronic devices have went missing in just 6 months. Works out as about 0.91 items every single day are lost by Government bodies. This level of loss cannot be accepted. The largest breach of security, perhaps not to anyone’s surprise came from the NHS. Specifically, Yorkhill Children’s Hospital which lost 20 PCs with confidential patient data. Surely with the loss of children’s personal information associated with that, the government needs to consider the issue of data security.

I would recommend that a high level review of all government agencies take place as a matter of urgency. Find out why so much data can go missing in such a short period of time and plug the problem before it gets worse.

I think now is time for the Parliament to realise the danger of the importance of data loss. People of the UK, stand forth and speak to your MP make parliament listen.




David Cameron target of taliban

David Cameron Official visitIn his first official visit to Afghanistan since taking up his role as Prime Minister, David Cameron was at the center of a security scare. Intelligence reports suggest that Taliban forces had been aware of where Mr Cameron was and which Helicopter to target that he was on board.

In response plans were altered to avoid any attacks against the craft diverting them to a new location. Now senior military figures are calling for a ban upon media reporting of the Prime Ministers activities whilst in  war zones.

Surely it would be better to withdraw from the war zones and return to dealing with our own problems back home.

Security risks associated with our presence there in the first place could quite be the cause of the leak that lead to the Taliban being aware of the Prime Ministers plans. Each military base tends to employ local staff such as interpreters in order to communicate with the natives. These personnel are not either British or trained  military personnel. It would be quite easy for them to be intimidated into collaborating with the enemy as a spy.

Sky News

News Politics

Plans to blow up Torries announced

IRA Explosion Brighton Hotel In 1984 at a Conservative party conference in Brighton, 5 were killed as a result of an IRA attack which saw an explosive device detonated at the hotel where the party were staying. Now the conservatives are back in power and the explosions are set to return.

Counter Terrorism and security expert Patrick Mercer has been informed by army intelligence and former senior police officers of the threat. It is his believe that the threat should be taken seriously of course, any threat of an terrorist attack on a government conference surely should be taken seriously?

The republican terrorist group behind the threat have plans to built up their activity base perhaps to get practice in blowing things up prior to the big day. However experts doubt they have the capability although they undoubtedly have the will to do it.

The party may have been behind an explosion recently that had no warning in Lurgan, County Armagh. They are in support of the Continuity IRA. It is also said that they are prepared to use any excuse to attack police and riot including the excuse of “its good fun”. A rather disturbing development.



Intel to be a software Vendor now?

Intel LogoIf it was April the 1st, I’d think Intel were playing a April fool’s joke on us. But according to my clock, this is nowhere near April and my computer seems to agree so I can only conclude  that the purchasing and investments people at Intel have had one or two too many.

Intel have agreed to purchase the software manufacturer McAfee in what could perhaps be the most bizarre corporate purchase in quite some time. 5.5Billion of Intel’s investment budget of 6.7Billion dollars has been spent on the acquisition.

Intel officials have claimed that the reason behind the bizarre purchase is to integrate security technology into a new age of hardware based security solutions beneficial to the cloud infrastructure of the future. They state that the first breed of Anti Virus powered Processors should be on the market in the first half of 2011.

With Intel being the major company for pc processors means that industrial regulators will usually prevent them from making stratregically sensible investments. They would be unable to buy the competitors AMD for example as that would for all intents and purposes give them a total monopoly on processors.

Therefore it is necessary to look at other areas of revenue such as merging in software solutions like McAfee and any other investments with what is left of the budget is likely to go to other strange areas.

Like all business Intel makes deals with firms in the hopes that it will make a huge sum of money from the investment. If this is not the case then they will normally sell of the section of the business to some other company whom perhaps has the resources, technology or other facilities to take advantage of the venture. Intel sold a firm that they had purchased in 2007 called StrongARM a low power processor manufacturer just as the iPhone was about to kick in and revolutionise the mobile smart phone market. Undoubtedly they are regretting that deal.

I am not entirely sure i am convinced of a benefit either to Intel or McAffee from this deal. Neither company is really realted in any way to each other. The idea of a hardware based security chip sounds impressive but at the end of the day security technology is constantly moving. Is embedding security with the chip really going to benefit the end user?



Is your card details safe?

Having been at a meeting today discussing a ePOS system, we were informed that new regulations were coming into play regarding storing of credit card information.

In my bid to find out more about these new regulations i came across some disturbing information that earlier this year Argos had been storing credit card numbers along with their card verification number inside source codes to customer emails. This seems to be a major breach of the PCI-DSS standard.

More to the point however changes do seem to be pending from the PCI council. The organization which deals with card securities has indicated nine new points are under consideration. The majority of the changes proposed however are for clarification purposes.

The link to the official release is below, if this applies to you feel free to have a look and prepare yourself for the next generation in security.

The Register