Tuesday, 1 March 2016

Apple and the FBI: some thoughts and a judgement ahead of the Farook decision


The Apple FBI saga



The disagreement between Apple and the FBI has become a microcosm of the world of cyber and digital crime. A warrant can secure access to homes, cars, planes and any other premises or item. However the encryption on the iPhone, which is loved by many, seems to be at the limit of the privacy issue, and not just because of encryption.

Cyber investigators have mixed views, ranging from fully supporting Apple's right to say no, through to a total distrust of the state's ability to protect its citizens from digital theft. Many see it as unreasonable to expect private organisations and businesses to support and deliver security, or evidence, on behalf of the state.

Understanding what has actually happened legally is also a concern, as the media is either misunderstanding the application made by the FBI or is "bigging up" Apple's response.

Either way the legal process will ensue as Apple appeals the FBI bid. Added to that are side issues such as whether the password for the San Bernardino shooter's (Farook's) iCloud account, associated with his iPhone, was reset hours after authorities took possession of the device: was this an error or a deliberate ploy?

Some questions already posed:

1. Is Apple right to stand its ground, balancing personal security and privacy against national security?

There is also an issue about product confidence, and the concern that the US is not the only country where iPhones sell. Apple's approach is to appeal and use its legal route first. This will take time. The unrelated case below gives support to Apple's view.

2. What are the long-term implications?

If the appeal fails then the FBI will secure what it is after: the ability to keep trying to crack the encryption without the iPhone losing its data. The question is whether this will undermine Apple's encryption and create a back door for the FBI and police. If it does, there is considerable fear that it will be copied by other countries or organisations, rendering the security of the iPhone useless.

3. Since so much consumer trust is invested in how we use our phones for the most data-sensitive of operations, in commerce, mobile money, banking and so on, will this move compromise that trust?

If Apple are forced to create a back door it will reduce consumer confidence in the product, on the basis that the techniques are likely to be copied or replicated elsewhere. Currently the passcode is part of an encryption that cannot be broken.

4. If the government is effectively asking for a back door key, how secure would that process be? Through human carelessness or leaking, could the key be compromised?

Industry doesn't have a strong sense that the state could protect the "key", and there are examples to support that view. What if those with access are compromised or neglectful? Apple has well-reasoned arguments about the ability of any state to hold that access "key".

However, a judgement came yesterday in an unrelated case which, although it has no binding precedence over the Farook case, contains some really helpful comments within its 50-page report.

A good summary is found below, particularly the call for legislators to deal with fast-changing technological developments.



"In deciding this motion, I offer no opinion as to whether, in the circumstances of this case or others, the government's legitimate interest in ensuring that no door is too strong to resist lawful entry should prevail against the equally legitimate societal interests arrayed against it here. Those competing values extend beyond the individual's interest in vindicating reasonable expectations of privacy – which is not directly implicated where, as here, it must give way to the mandate of a lawful warrant. They include the commercial interest in conducting a lawful business as its owners deem most productive, free of potentially harmful government intrusion; and the far more fundamental and universal interest – important to individuals as a matter of safety, to businesses as a matter of competitive fairness, and to society as a whole as a matter of national security – in shielding sensitive electronically stored data from the myriad harms, great and small, that unauthorized access and misuse can cause.

How best to balance those interests is a matter of critical importance to our society, and the need for an answer becomes more pressing daily, as the tide of technological advance flows ever farther past the boundaries of what seemed possible even a few decades ago. But that debate must happen today, and it must take place among legislators who are equipped to consider the technological and cultural realities of a world their predecessors could not begin to conceive. It would betray our constitutional heritage and our people's claim to democratic governance for a judge to pretend that our Founders already had that debate, and ended it, in 1789."



This is the full judgement passed yesterday in the FBI and Apple case in Brooklyn. It will be interesting to see how this is regarded in the main Farook case.


Judgement Apple and FBI

Wednesday, 10 February 2016

New Fraud Task Force


New Task Force on Fraud
Same taters different gravy

Today the Home Office announced its latest drive into the world of fraud.
Some commentators have already said this is just another re run of the last one.
http://www.bbc.co.uk/news/uk-35536322


I take a slightly different, though no less cynical, view.

The latest move seems to be a direct result of the inclusion of reported fraud in the National Crime Statistics, which will create a massive increase in overall recorded crime. It also reflects a growing concern about the ease with which crime can be facilitated online with very little chance of detection.

The UK's approach through ActionFraud is fairly unusual and is world leading. Creating the capacity for victims to report offending directly and instantly is something that just doesn't exist elsewhere. Likewise the National Fraud Intelligence Bureau (NFIB) is a major step forward in protecting the interests of industry and hard-working taxpayers.

Yet there remain considerable weaknesses in our joined-up thinking, and so for the benefit of the Task Force here are some ideas:

1. Move the NFIB and all national responsibility for fraud into the NCA.
2. Invest in prevention efforts. This is not just moving money from the costly CyberStreetWise to the very cost-effective www.GetSafeOnline.org but, more importantly, investing in the Cybercrime Information Sharing Partnerships (CISP). Nearly all of the country is covered by them, but they are run on a shoestring. Invest a little in each to mobilise local business.
3. Bring cyber safety and fraud prevention into schools at a much earlier age. A large percentage of very young people, aged 5-10, have access to iPads and tablets with unbelievable computing and communications power. Let them learn properly about their financial vulnerability, and build on the work to protect them from sexual harm.
4. Make Cyber Essentials compulsory for all those engaged in any web-based industry. Set a higher standard and encourage insurance companies to provide discounts where training such as Cyber Essentials has been adopted.
5. Encourage social and community groups, particularly those involving elderly and vulnerable people, to make use of simple and effective material to help them defend themselves against fraud.
6. Ensure that police forces implement the ActionFraud local investigation guidelines. A report of fraud is not an automatic route to ActionFraud: where there is a potential suspect or a vulnerable person, the local police must investigate. HMIC could check this.
7. Build up the Regional Cyber Crime Units to help them bring together local business and link to all business groups sharing best practice and advice.
8. Build on the work of ActionFraud, creating a better link between its prevention role and that of Get Safe Online and industry fraud groups.
9. Encourage forces to work more closely with their business and industry groups, spreading good practice and advice, and especially encouraging Cyber Specials and volunteers.
10. Increase the capability of forces to collect evidence of fraud online, especially through the enforcement of ISO 17025 to uphold the integrity of digitally secured evidence.

The UK response to fraud has been, and remains, creative and world leading. But we cannot be complacent.

Many excellent staff and officers work in this field and undertake highly intricate investigations to bring people to justice. Their commitment and professionalism sit alongside the need to protect vulnerable victims and reduce the opportunities for offenders to rob people of their hard-earned cash.

I hope this latest initiative builds on that work.

Monday, 25 January 2016

Safer Internet Day 9th February


#SID2016 is a great opportunity for schools to take stock and consider whether they are meeting current online education requirements.

So what can your school do?

Teachers and Staff

Get yourselves up to date with what is available to you free on the web, age appropriate and ready for use in class.
Run lessons focused on internet safety and provide opportunities for your pupils to learn about their own online presence, the risks and potential harm, as well as providing the space to gain the most from their experiences online.

Parents

Take the opportunity to find out exactly what your children are being taught in school, what to look out for to protect your children, and how you can also protect yourselves.

School children

Access tools and guidance so that you can teach yourselves, but also have fun doing some of the tasks and watching some of the videos available.

If you want a simple page to copy and upload to your site, whether for a school, charity or other organisation, go to

http://sidsays.org.uk/

Wednesday, 6 January 2016

An evening with Mike Pannett 27th January 7-8.30pm Clark Foley Centre Ilkley

Cops, Cream Tea and the Countryside

An evening with Mike Pannett

Clark Foley Centre, Ilkley
Wednesday 27th January, 7-8.30pm
£8.00

Tickets available from
stu@stuhyde.com

This is an event to help raise funds for my daughter's World Challenge visit to Nepal in

Mike Pannett was born in York and joined the Metropolitan Police in 1988. He became one of the youngest officers to be given his own patch, and served on the Divisional Crime Squad, Murder Squad and TSG (riot police).

He transferred to North Yorkshire Police in 1997 as he missed the countryside – and fly fishing! He became a rural beat officer and eventually a wildlife officer.


In 2005 he starred in the BBC's Country Cops and was inspired to write about his adventures in the North Yorkshire force. Mike served nearly twenty years in the police, during which he became one of its most highly commended officers. He lives with his wife Ann and their three children in a small village in the shadow of the North Yorkshire moors.

Saturday, 12 December 2015

Using cybX exercising to test cybercrime capability in the UK and Europe

Last week I was helping with a scenario-based cyber exercise at the Cabinet Office Emergency Planning College in Yorkshire. We were using the cybX suite. It involved 8 countries managing a range of cyber challenges.


Below is the release from cybX about the exercise and its forerunner, Silver Pilot, which involved many regional and national UK cybercrime assets. cybX is managed by Serco, who run the Emergency Planning College for the Cabinet Office.


Testing and exercising cybercrime units across the UK and Europe is an essential aspect of planning and preparing ourselves for the future of criminality and risk in cyberspace.


See http://www.nationalcrimeagency.gov.uk/news/776-international-cyber-crime-exercise-tests-multi-agency-response

and

http://www.cybx.org/




Serco has taken part in a ground-breaking exercise run by the UK's National Crime Agency (NCA) to test the international response to serious cyber crime.

Specialists from across Europe were put through their paces using Serco's unique and realistic cyber exercising capability - cybX - which prepares private and public sector organisations to test their ability to prepare for and respond to serious cyber attacks.

Exercise ‘Silver Shadow’ - a multinational exercise run by the NCA’s National Cyber Crime Unit (NCCU), funded by the Foreign and Commonwealth Office and supported by the Home Office -  saw officers from eight different countries come together to assess their collective response to a simulated cyber attack on a fictitious international petroleum company.


The aim was to test how investigators and prosecutors would work together in the event of a complex criminal incident spanning several different legal jurisdictions, to ensure an effective response to future cyber crime attacks.


The week-long exercise began on Monday 30 November and took place at the Cabinet Office’s Emergency Planning College (EPC) in North Yorkshire, which is run by Serco.


The countries involved in the exercise were Bulgaria, Georgia, Lithuania, Moldova, Romania, Ukraine, the UK, represented by the NCA’s NCCU, and the US, represented by the FBI. A representative from Europol’s Joint Cyber Action Taskforce (J-CAT) also took part.


cybX complements the wider civil resilience training Serco provides at the EPC, enabling organisations to test and improve their cyber resilience in a safe, realistic and secure environment. Management and IT staff are tested through a variety of simulated scenarios on their ability to identify and end a cyber-attack, and manage their organisation's response.

The training gives participants a greater understanding of their organisation’s risks, strengths and areas for improvement, as well as a better understanding of the communications and relationships they need with their supply chain, customers and other stakeholders, including law enforcement.


Richard Preece, Serco's Director of cybX, commented: “It’s been a privilege to support members of the UK and international law enforcement community. Every day we hear about another cyber-attack and our training has helped the NCA to improve their capability to tackle cyber crime.


“It’s one thing to invest in the best technology, but organisations must also invest in developing their people and test their capabilities. Serco’s training puts employees from the board room to server room through their paces, enabling organisations to be more resilient to the inevitable cyber-attack.”


Further details are on the NCA website.

Sunday, 6 December 2015

Urgent Cumbria Flood Appeal

URGENT: Cumbria 2015 Flood Appeal

An appeal has been launched to raise funds to support the individuals and communities devastated by the December flooding and storms in Cumbria.



Friday, 4 December 2015

Wetherspoons Hack

The company Wetherspoons seems to have been hit by the next in a long series of hacks.
See http://www.computerweekly.com/news/4500260119/Wetherspoon-pub-chain-warns-customers-of-data-breach for a good update.

Some simple issues:

1. In a breach, whether or not full financial data is released, the data can be used to "con" victims into releasing other data. Using social engineering, offenders may be able to act as if they are your bank or credit card company and elicit data that could compromise your personal financial security. Have a look at www.getsafeonline.org, the UK's primary site for cyber security.
2. If you are a CEO or Chair of a company, anticipate that you will be in the front line in the event of a breach. In all cases, the top of the organisation has to become the voice of the business. Do you as a company think about how you would cope in the event of an attack? Do you exercise or test your processes? For large organisations, see www.cybx.org for a very sophisticated approach.
3. At board level, do you understand what your IT staff do? Have you seen a firewall in action? Do you know the parameters and policy for managing your data? Have your managers and supervisors engaged in creating a common understanding of your technological needs? Do you have access to effective and available technical staff when it goes wrong?

Wetherspoons CEO John Hutson has apologised quickly, rectified the problem and stated that the breach could not occur again. The ICO will no doubt have further questions, as will the media and shareholders; time spent on prevention will often far outweigh the costs and time of investigating.

Who's next?
