Tag Archives: Compromised system

Looking back to 8-bit computing to move forwards

In my third essay looking at increased breaches of personal information through malware and questionable security practices, I will now take a look at existing computing systems.

As security breaches have become common practice with companies and governments ‘losing’ personal data, a new way of thinking and working with IT systems is required. There have been some recent high-profile data losses, notably with eBay, Orange France and voice recording technology used by emergency services worldwide, and the fallout from the Heartbleed bug in the OpenSSL program’s code is still an unknown quantity.

Security researchers have complained about how the recent introduction of the US Computer Fraud and Abuse Act (CFAA) is making it difficult to track down potential security vulnerabilities and exploits. The dichotomy of policy makers within government can be seen with another recent story where the “White House and NASA gear up for National Day of Civic Hacking”. Citizens are encouraged to find solutions to problems, technological or otherwise. This is at odds with government wanting to suppress security analysts from researching flaws through CFAA enforcement.

With the ever-increasing threat from malware affecting modern operating systems of all flavours, should we all be looking at either not storing personal information on computing systems or returning to less complex operating systems? Should we be reviving 8-bit home computer booting practices to protect personal data?

I recently wrote about George RR Martin’s use of a DOS-based computer running WordStar to write Game Of Thrones novels. The lack of connectivity and the use of a less advanced computer system protect Mr Martin’s work. I suggest in this article that maybe we should be looking back to the 1980s and early 1990s of 8-bit and possibly 16-bit home computing to look forwards again.

Ubiquity and pervasiveness of SQL DBs

In my second essay looking at increased breaches of personal information through malware and some questionable security practices, I will now take a look at the harbinger of the modern Doomsday Book, the pervasiveness of SQL databases.

There is much about data loss and compromise in the news today, almost on a weekly basis it seems. There was a recent data breach with Orange France in May, who lost the personal information of approximately 1.3 million customers. When questioned, Orange France was unable to confirm whether the data they held was encrypted; this is very serious. It is not like asking someone how long it would take to fly a rocket to the moon and getting a best guess. Data either is or is not encrypted when stored within ubiquitous database systems. Orange should have encrypted this data. Not being able to provide an adequate answer demonstrates to customers that their personal information is not safe with this company. Being able to trust in the security of computing systems is paramount in this information age. It is crucial that companies and governments provide evidence that proves our data is kept safe; unfortunately, all too often the contrary is occurring.

Rik Ferguson, vice president of security research at Trend Micro, recently told the Guardian:

“effective security is no longer about designing architecture with the aim of keeping the attacker out permanently, that’s a pipe dream. If they want to get in, they will get in.”

Is this a lack of imagination in protecting personal data or a consequence of how data is stored in the early 21st Century? If we take Mr Ferguson’s advice, then we should stop using computer systems for all personal information. However, there are ways of designing computing architecture to reduce the surface area of an attack.

Many online services are far from safe and some are known for not encrypting the personal information they store; remember the Sony hack of 2011. Worse still, many companies connect not only web services with associated SQL servers containing personal information to the Internet, but also whole networks. This enables their employees to email, process data and surf the web, while also having access to your personal data. As a consequence, crackers and other malfeasants can also gain access.

Personal data, bugs and security breaches

This is the first in a series of 3 essays, looking at malware’s far-reaching consequences for personal information and the questionable security practices some organisations implement.

Protecting one’s personal data is becoming more difficult as security breaches of many companies and governments advance at pace. There have been some recent high-profile data losses, with eBay, shoe retailer Office, music service Spotify, and gaming platform Steam over a two-week period. What one might think would normally be a trickle of data breaches has turned into a torrent.

With this increased threat from malware exploiting bugs within software code and some organisations implementing poor security practices, a basic understanding of how one can protect personal data from the next hack like eBay is necessary. There are many news articles on ways one can protect personal data following an attack and breach of a database containing approximately 233 million customer records on eBay’s systems.

eBay said the breach, which was detected two weeks ago, had not given the hackers access to customers’ financial information. But it did affect a database holding encrypted passwords as well as customer names, email addresses, physical addresses, phone numbers and dates of birth which were not encrypted. The site has 233 million customers worldwide, including more than 14 million active in Britain.

After the hack of Sony’s unencrypted personal user records, in July 2011 I wrote a brief security guide on protecting your login identity. While this article requires some updating, much of this guidance remains valid and relevant with the increasing use of SQL databases, while companies and governments are amassing huge dossiers on individuals with their computer systems being breached.

Before the first dot-com bubble bust period roughly around 1997-2000, companies with an on-line presence would generally only request an email address and a password to use their service. Wind forward 10 years and on-line services for game playing, shopping, booking hotels, email, government services… ask for all sorts of personal identifying information. If this trend of intrusion into personal data continues from companies and governments, it will not be long before ID photos are requested along with collecting personal data on one’s eye colour, etc. With personal information being stored on private networks often with public access, and worse on public facing servers too, the scope and scale of malicious attacks will increase.

A brief security guide to protecting your login identity

With the recent spate of computer systems being hacked and information being leaked over the past few months, particularly with Sony in mind and now with the latest breach on Sutton Seeds, I thought I would produce a security guide for those who are not system administrators or computer security experts.

Key points – What you need to know

  • Use of computing services leaves digital footprints on the Internet.
  • Recommend using your own home personal computer for all non-work on-line activity.
  • Consider using a pen name rather than your real given name; this is circumstance dependent and a personal choice. Note, a pen name will not hide your real identity under most circumstances.
  • Have a different login name for your: local username, remote username and email address(es); this has become increasingly difficult with on-line services requesting email accounts over self-generated login IDs.
  • Every login account, regardless, should have a different password associated with it. This means that if you use the same email address for different websites, such as Apple, Google, Amazon, etc., you should have a different password associated with the same login-name/email-account for every website. In addition, if a website allows remote username login accounts, the login account itself should be different for every site, as well as the associated password.
