BBC Report Highlights Bad Spelling As Key Factor In Email Data Loss

A BBC report has highlighted misspelled email addresses as a key factor in the loss of sensitive data via email. Putting a dot in the wrong place or using slight misspellings in domain names has presented a security loophole that malicious attackers can use to steal data.

Click For BBC Report

Many large organisations use multiple sub-domains to separate their divisions, either by function or geographically. Email addresses in this type of environment can get pretty complex. For example, bank.com might use the sub-domain us.bank.com as the email sub-domain for its US employees. So, John Smith might have an address like “john.smith@us.bank.com”. Data loss can occur when a user types the wrong email suffix, such as usbank.com. An email to this address would normally be bounced back to the sender with an error, as the domain wouldn’t be recognized. It is, however, very easy for an attacker to set up the wrongly spelled email domain, putting them in a position where they receive all email for that domain. Researchers have found that by doing this they managed to grab over 20GB of incorrectly addressed mail over a 6 month period. The data grabbed included personal details, usernames, passwords and a bevy of other sensitive information.

This is a loophole often ignored by companies, but one that is easily mitigated. By using an information classification tool such as the Boldon James Email Classifier product, organisations can not only categorise their emails by their level of sensitivity, they can also control which domains are allowed to receive emails from their employees. This is known as white-listing. If you would like to know more about email white-listing please contact me or contact Boldon James directly at www.boldonjames.com
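The sketch below is an added example, not code from the BBC report or from the Boldon James product. It shows the white-listing check described above for outbound recipients, and additionally labels a blocked domain when it is a misplaced-dot or one-character look-alike of an allowed one; the allow-list, addresses and function names are constructed for illustration.

```python
# Added example: outbound recipient check against a domain allow-list, with
# look-alike detection. All domains and addresses are constructed samples.
ALLOWED = {"bank.com", "us.bank.com", "uk.bank.com", "partner.example"}


def within_one_edit(a, b):
    """True if a and b differ by exactly one inserted, deleted or
    substituted character (a slight misspelling)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal) one
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                           # length of the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # one substituted character
    return a[i:] == b[i + 1:]            # one extra character in b


def classify(recipient, allowed=ALLOWED):
    """Return (verdict, lookalike_of) for one outbound recipient address."""
    domain = recipient.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in allowed:
        return ("allow", None)
    # Same characters, dots missing or misplaced: us.bank.com vs usbank.com
    squashed = domain.replace(".", "")
    for good in sorted(allowed):
        if squashed == good.replace(".", ""):
            return ("block-dot", good)
    # One-character misspelling of an allowed domain
    for good in sorted(allowed):
        if within_one_edit(domain, good):
            return ("block-typo", good)
    # Not on the allow-list and not a look-alike of anything on it
    return ("block-unlisted", None)


if __name__ == "__main__":
    for rcpt in ["john.smith@us.bank.com", "john.smith@usbank.com",
                 "john.smith@us.bamk.com", "someone@unrelated.example"]:
        print(rcpt, classify(rcpt))
```

A mail gateway would block all three non-allowed verdicts; the look-alike labels let it tell the sender which address they probably meant.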

 

Hi Mum, I’m on TV – Campaign Win

For the past two years I’ve been working with my neighbours to try and stop a heavy industrial waste processing and burning plant from being built just 100 metres from my family home.  As co-founder, and soon after appointed Chairman of the opposition group (Say No To Green Lane Incinerator), I thought I’d share our recent victory with you. Below is the BBC North West Report Video:

My local Council, Salford, has assessed the proposal for the plant and all of the for and against arguments. Thankfully, they have decided to reject the application to build the facility.  I have really enjoyed working with our 1,500 member campaign group and feel lucky that I have had the opportunity to work with and get to know my close neighbours, as well as my local Member of Parliament (MP), Hazel Blears, who has provided support and guidance throughout.  In addition, my dual role as campaign Chairman and Spokesperson, has resulted in valuable leadership experience as well as experience with newspaper, radio and television appearances (which I hope to put to good use in future challenges and endeavours).

The case is by no means closed, as the developer may choose to appeal the council decision. Regardless, I’d like to say thanks to “Say No” supporters and all those people who contributed to the victory. Especially Boldon James for letting me take short notice holidays at critical junctures in the campaign.

ePrivacy Directive: EU to tighten up on Data Breach Notifications

You may be aware that the EU recently put into force the updated ePrivacy Directive (2002/58/EC). As of May 2011, the use of cookies to track website visitor information is now strictly prohibited. Cookies which were previously used to track visitor behaviour and personal details may now only be used with the express permission of the visitor. Interestingly, websites based outside of the EU do not have to operate with the same constraints. The enforcement and technical implementation of the directive may take some time to filter through to every cookie-using site on the web, and penalties for not doing so are yet to be seen.

Work continues on the ePrivacy Directive in the coming months. One InfoSec concept which the EU are looking to tighten up control of through the directive is “disclosure”. Whereas in the past, companies or organisations may have been a little shy about publicising their information security breaches, it’s soon going to become a strictly enforced legal requirement to do so. Under the ePrivacy Directive, disclosure requirements will be covered under Data Breach Notification rules. A public consultation is currently underway and is due to conclude in September:

ePrivacy Consultation

The consultation will cover the mechanisms for categorising, assessing and reporting breaches.

The hacker groups Anonymous and Lulzsec have made a mockery of the security controls of some major organisations in recent months. Data loss and its prevention continues to be a major challenge for information security managers. It’s time for organisations of all sizes to get serious about InfoSec, and this legislation could help push for that.

Phone Hacking How To: Hacking Voicemail

I’ve been asked in recent weeks how the News of the World private investigators were able to hack into the voicemail of the alleged 4,000 victims of the phone hacking scandal. While the details of all that activity are something for the police to worry about, we can explain the basic methodology of a simple attack to do this, the one probably used in the majority of cases.

In the world of InfoSec there is such a thing as a spoofing attack. A spoofing attack is where you have your device (whether that be a phone, PC or laptop) send out network packets with the identity of someone else. In the IP world, communications are broken down into thousands of small packets of data. Each packet has a destination address and a source address. In a spoofing attack, specialised software is used to send out packets with someone else’s source address.

With the convergence of data and voice networks over the last 10 years, there’s been a proliferation of technologies that allow data networks to connect to older technologies traditionally used to provide voice services. This has come in the form of VoIP, technologies that provide voice over an IP data network. This has brought voice communications into the realm of the computing community, and also into the hands of the bad guys in that community: hackers. Hackers have produced software tools that allow them to control the data sent out over VoIP data connections, where calls are made and received.


Poll: Who Should Become New Met Police Chief?

As the plot thickens on the UK Phone Hacking scandal, yesterday we saw the Chief of the London Metropolitan Police (Sir Paul Stephenson) resign. In an effort to help identify credible candidates to replace him, we have created the following poll to canvass the opinion of the public. Our nominated candidates are:

  • Robocop: After a long retirement, could Robocop be convinced to take the helm of the Met and utter those immortal words, “Phone Hackers, dead or alive, you’re coming with me”? His credentials for bringing justice are well documented and revered.

  • Rebekah Brooks: Rebekah recently became available for new roles. In her previous role she was CEO of News International, an organisation famed for its ability to investigate the lives of individuals, finding the truth at any cost.

  • Tom Pellereau: Winner of the Apprentice 2011. During the Apprentice selection process Tom came up with the revolutionary idea of “The Emergency Biscuit”. Could Tom’s genius be reapplied from Emergency Biscuit to Emergency Services?

  • Harry Potter: Finally realizing that he was 10 years too old to play a wizard at prep school, movie bosses have brought the Harry Potter series to an end with HP7: The Deathly Hallows Part 2. In the series, Harry has proved himself immune to corruption from evil, a trait to be expected from the next Met Chief.

Please vote for who you think would be the best candidate to bring new leadership to the Met. Results to be published at the End of July:

Who should become the new Met Police Chief?


  • Robocop (56% of Votes)

  • Harry Potter (22% of Votes)

  • Rebekah Brooks (11% of Votes)

  • Tom Pellereau (11% of Votes)

 
