Friday, March 25, 2011

Australian Government bans and slams Hotmail as being too insecure

There can be little doubt that cloud-based services will feature strongly in the future of the Internet.

Even if you prefer to do your word processing on a stand-alone PC and opt to have the family snapshots stored safely on your own DVDs or USB drives, there are some services that really are just better served from a cloud.

Email for instance.

In fact, cloud-based webmail services are probably the oldest form of cloud computing and ever since Hotmail became "flavour of the month", almost everyone has at least one email address which is accessed through a cloud-based provider.

Unfortunately, it seems that the Australian Government doesn't think that such webmail services are secure enough and it's banned access to a raft of different ones, including Gmail and Hotmail.

No, they haven't banned all Australians from accessing them (yet); they've simply told parliamentary workers that they are no longer to use these services for security reasons.

To back up the directive, the parliamentary firewalls will be configured to block all access from government PCs -- all in the name of security.

Microsoft has responded by claiming that Hotmail is not insecure at all.

Their web-based email service conforms, they say, to the "ISO 27001 and SAS 70" standards, which mandate a degree of management and security that provides more than adequate levels of protection.

Alas, the Australian Auditor General does not agree and has declared that "agencies should not allow personnel to send and receive emails on agency ICT systems using public web-based email services".

The ban and blocking come into effect as of July 1st.

Let's hope their own email systems are secure, so as to avoid being left with a little egg on their faces.

Friday, March 18, 2011

Security is just an illusion (more proof)

RSA is a big company and touts itself as a vendor of top-notch, ultra-strong computer security.

Who wouldn't want to be a fly on their wall then, now that they've admitted to a massive security breach which has resulted in information relating to their key products being stolen from right under their noses?

Apparently a hacker or hackers unknown have managed to break into RSA's own computers and gain access to critical data used in the creation of tokens for their two-factor authentication system.

Not only is this a huge embarrassment to the company but it's also likely to cause big problems for its valued customers, which include the military, governments, banks and many other key industries.

In admitting the breach, RSA described the attack as "very sophisticated" and said that the intruders had accessed strategic information related to the SecurID product, a cornerstone of implementing secure, restricted-access gateways to important computer systems and databases.

Users of RSA's SecurID product are now left on tenterhooks, waiting anxiously to see how the company intends to mitigate this security breach. They have been advised to closely monitor their networks and computer systems for unusual activity that could be indicative of someone gaining access through information leaked from RSA.

What can the rest of us learn from this event?

Well, there really is no such thing as unbreakable security. Anything made by man can be broken by man.

It's unknown whether the "sophisticated attack" used to breach RSA's own security was a purely technical one, but it's well known that social engineering is often the preferred vector for such intrusions once the hardware and software prove too difficult to circumvent.

There has been speculation that the source of the breach may have been an infected USB drive -- as was the case with a major infection of many NZ hospital computer systems a year or two ago.

As I've said before -- the only way to ensure real security for the data on your computer is to turn it off, unplug all network cables and lock it in a secure room. Of course, its functionality and performance will be severely affected by such an approach.

Total security is a myth. The best we can hope for is to establish a safe balance between paranoia and practicality.

Might now be a good time to check your firewall and anti-virus settings -- just in case?

Friday, March 11, 2011

Mobile phones, the new target for crackers and "evil little sods"

Generally speaking, the more complex the technology, the more chance there is that some kind of vulnerability is lurking somewhere within it, waiting to be exploited by nasty people such as crackers and "evil little sods" (ELSs).

To date, large, monolithic operating systems such as Windows have been a key target for these miscreants.

With little to do and lots of spare time, these people seem hell-bent on making everyone else's lives a misery and/or extracting money from those who are unfortunate enough to catch their attention while ambling along the information superhighway.

Trojans, viruses, worms -- they're all the work of these ELSs and cause nothing but grief to the general internet and computer-user population.

But now the ELSs seem to have found that invading people's privacy, stealing their credit card numbers and holding their PCs to ransom is "so last week". Instead, they're turning their attentions to mobile phone users.

And why not?

Mobile phones are just as ubiquitous as computers and, thanks to prepay SIMs and the ease with which mobile access can be had through stolen phones -- an ELS has far less chance of being caught when he's targeting poor cellphone users.

And let's face it, some of today's smartphones, such as the Apple iPhone, are really full-blown computers anyway.

What's more, with the move towards having your mobile phone serve as an electronic wallet, there may soon be rich pickings for the successful ELS who manages to break in and seize control of your cellphone.

Recently Google was forced to disable a number of applications designed for use on mobile phones using the Android OS, when it was found that they contained malware that compromised users' security and privacy.

However, it would seem that it's not just the smartphones that are vulnerable to the kind of complex technical exploit one usually associates with the actions of the ELSs amongst us.

A handful of German researchers recently demonstrated that it's possible to crash some of the most basic mobile phones through the use of a carefully crafted SMS message.

By embedding some binary data into the SMS, these researchers were able to either crash (force a reboot) or "brick" (totally and permanently disable) a number of popular "basic" cellphone brands and models.

Amongst the list of those phones which proved vulnerable to this exploit were household names such as LG, Sony Ericsson and Nokia.

Is there no device that is safe from the prying, wrecking, coveting eyes and hands of these malevolent crackers?

As always, vigilance is essential to security. However, sometimes we're simply at the mercy of the manufacturer and their ability to design good solid systems. Unfortunately, it seems that such reliance is sometimes just not enough.

Friday, March 4, 2011

Clouds to the rescue

It's now been over a week since the horrendous earthquake that devastated Christchurch and, despite the best efforts of a small army of volunteers and professionals, it will still be quite some time before normality is restored to this city.

Amidst so much sorrow and human tragedy it can be easily forgotten that those who survived will now have major problems to contend with.

Many of those who survived the quake will now be without work, the companies run by their employers having been put out of business, at least temporarily.

Within the precincts of the CBD, most of the computer systems on which valuable and essential debtors, creditors and other accounting data is stored remain "out of bounds" to business-owners and their staff. Nobody knows for sure whether their PCs will have survived intact, or whether they've been crushed by falling mortar, drenched by the rain that's since fallen, or stolen by opportunistic looters.

It is perhaps a disaster like this that may encourage many businesses to look more closely at the benefits of moving much of their IT operations to "the cloud".

Those companies who already kept their accounting records and systems on cloud-based services may well be able to process invoices and payments, re-jig their budgets to allow for the costs of the quake and even continue most of their day-to-day clerical operations.

For those cloud-based companies to continue, all they need is another computer and an internet connection.

No need to reinstate their previous computers or restore a myriad of backups -- simply log in and carry on as usual.

With insurance companies looking to cut their losses and reduce risk, I would not be surprised to see policy discounts being offered to companies who opt to use cloud-based accounting and database systems in future.

Perhaps clouds do have a bright future, especially in a world where natural disasters are becoming increasingly common and expensive events.