Revised (Final?) Draft of Muffett response to #CCDP / Communications Data Bill! Will post in morning. Comments?

UPDATE: Replaced by this

“Why is nobody crowing about ‘Critical National Infrastructure’?” (at Computerworld) #cybersecurity #cni

Why is nobody crowing about ‘Critical National Infrastructure’?

O2 went dark; RBS/NatWest/Ulster Bank died. Surely the Government ought to tell us what to do? Much cybersecurity planning is couched in terms of “we must protect critical national infrastructure” – but when a bank goofs a software upgrade and commits transactional suicide for a week (or more, see Ulster Bank) – and when an entire phone network loses the internet connectivity that is the lifeblood of modern commerce – you would think that someone in authority would be jumping up and down saying that this was evidence that the private sector could not be trusted to deliver critical national infrastructure, and that banking and telco infrastructure ought to be nationalised, standardised or at least put under central government regulation to ensure that this does not happen again. But they’re (apparently) not doing that. Why not? Partly because they don’t see it that way […]

…read more, or comment at Unscrewing Security

“If it turns out that #LinkedIn passwords have leaked…” (at Computerworld)

If it turns out that LinkedIn passwords have leaked…

…here’s what you should do

Rumours are circulating on the net that a database of hashes of LinkedIn passwords has been published on a Russian hacker site.

I cannot confirm this, but if the article referred to above is correct then there is a risk to LinkedIn users; password cracking software such as Hashcat can be brought to bear on the problem, and passwords that are derived from common words and phrases – or which are just too short – can and will be broken.

I’ll write more in due course, but in the meantime:

  1. Choose a new password – a short phrase, make it twelve or more characters long; don’t worry too much about making it look random but instead make it long-and-memorable and use proper spacing and (perhaps) punctuation.

  2. See this famous cartoon for a technical explanation, but don’t reuse the password it suggests.
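To show why the two tips above matter, here is an added example (not from the original post) that replays the kind of offline dictionary attack the post warns about against a constructed hash dump. It assumes unsalted SHA-1 hashes (the post does not state the algorithm), a tiny constructed wordlist, and four constructed plaintexts: a dictionary word, a short word-plus-digits password, the widely quoted cartoon phrase, and a long personal passphrase.

```python
import hashlib

def sha1_hex(s: str) -> str:
    """Unsalted SHA-1 of a password (assumed dump format, not confirmed by the post)."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()

# Constructed plaintexts covering the cases the post describes.
SAMPLE_PLAINTEXTS = [
    "linkedin",                        # plain dictionary word
    "pass123",                         # short word + digits
    "correct horse battery staple",    # the cartoon's own suggestion: in every wordlist
    "my cat naps on warm laptops",     # long, memorable, spaced, and personal
]
# What a leaked dump of those four accounts would look like (constructed).
LEAKED_HASHES = [sha1_hex(p) for p in SAMPLE_PLAINTEXTS]

# Constructed mini wordlist; real cracking lists run to many millions of entries.
WORDLIST = ["password", "linkedin", "pass", "welcome", "monkey",
            "correct horse battery staple"]

def candidates(wordlist):
    """Yield guesses: each word as-is, capitalised, and with a 0-999 digit suffix,
    mimicking the cheapest mangling rules a cracker applies first."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for n in range(1000):
                yield f"{base}{n}"

def dictionary_attack(hashes, wordlist):
    """Return {hash: plaintext} for every leaked hash matched by a candidate guess."""
    targets = set(hashes)
    recovered = {}
    for guess in candidates(wordlist):
        h = sha1_hex(guess)
        if h in targets and h not in recovered:
            recovered[h] = guess
            if len(recovered) == len(targets):
                break
    return recovered

def survivors(hashes, wordlist):
    """Return the leaked hashes that the dictionary attack did not recover."""
    recovered = dictionary_attack(hashes, wordlist)
    return [h for h in hashes if h not in recovered]

if __name__ == "__main__":
    cracked = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"recovered {len(cracked)} of {len(LEAKED_HASHES)}:", sorted(cracked.values()))
    print("not recovered:", survivors(LEAKED_HASHES, WORDLIST))
```

Only the long personal passphrase survives; the dictionary word, the digit-suffixed short password, and the famous cartoon phrase are all recovered from a six-word list in well under a second.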

…read more, or comment at Unscrewing Security

“Chinese Cyberwarriors in your Chips?” (at Computerworld) #FPGAbackdoor

Chinese Cyberwarriors in your Chips?

Perhaps, but the Cambridge ones are more interesting

The security interwebs this morning are alive with reference to Sergei Skorobogatov’s webpage at Cambridge, the key quote from which is:

We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.

I recommend against panic.

Instead there are a bunch of questions to ask:

What’s the threat?

…read more, or comment at Unscrewing Security

“Ask Alec: Security for Freelance Developers” (at Computerworld) #security

Ask Alec: Security for Freelance Developers

What do you do to be secure when you’re on your own?

So in my mailbox a few weeks ago there arrived the following:

Hi Alec

I was wondering whether you’d mind doing me a small favour. It’d be great if you could punt out a quick top 5 / top 10 tips for sensible data security practices for freelance developers (encrypted backups, being mindful of client data dumps from production systems – am sure you get where I’m coming from) […]

Cheers,
Steve

It’s a question that I hear a lot and the challenge is keeping my response down to a reasonable, memorable minimum; let’s try, though this will assuredly be an incomplete list…

…read more, or comment at Unscrewing Security