July 31, 2008

Inside Security News
insecnews
is about »
» UK government is ignoring the importance of your confidential details

This is not a laughing matter anymore. The first large hit to the UK government was the report of 25 million child benefit records, stored on disks, going missing [1, 2, 14, 15]. Then we had more going missing [13, 8, 9, 10, 11, 12]. To top the icing on this wonderful cake called 'e-government and e-commerce tossed fruit salad', just today we read that:

Thousands of driver details lost [4]

Thousands of staff details leaked [5]

Building society loses staff data [6]

I would be surprised if this quarter (i.e. based on the US fiscal year [3]) were not named 'the quarter of privacy lost'. Let's hope that something will come out of reports like [7] and all the publicity. Will they, in the end, protect the consumer, or will it just be another opportunity for a money-making scheme?

How hard can it be to enforce an encryption paradigm in which public key cryptography [16] is used by the high-ranking members of a department?

Note to self: putting a price on 25 million records is really tough. Offering a £20,000 reward [10] for the discs containing the records, which are 'worth £1.5bn' to criminals [11]: there must be something wrong there, I think.

Links Used:
[1] UK's families put on fraud alert, BBC News - http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm
[2] Private data 'also given to firm', BBC News - http://news.bbc.co.uk/1/hi/uk_politics/7108532.stm
[3] Fiscal year, en.wikipedia.org - http://en.wikipedia.org/wiki/Fiscal_year
[4] Thousands of driver details lost, BBC News - http://news.bbc.co.uk/1/hi/northern_ireland/7138408.stm
[5] Thousands of staff details leaked, BBC News - http://news.bbc.co.uk/1/hi/england/merseyside/7138426.stm
[6] Building society loses staff data, BBC News - http://news.bbc.co.uk/1/hi/england/west_yorkshire/7138106.stm
[7] Better data protection 'required', BBC News - http://news.bbc.co.uk/1/hi/uk/7131980.stm
[8] Drivers sent wrong DVLA details, BBC News - http://news.bbc.co.uk/1/hi/wales/7131506.stm
[9] More firms 'admit disc failings', BBC News - http://news.bbc.co.uk/1/hi/uk_politics/7127951.stm
[10] £20,000 reward offered for discs, BBC News - http://news.bbc.co.uk/1/hi/uk_politics/7128851.stm
[11] Discs 'worth £1.5bn' to criminals, BBC News - http://news.bbc.co.uk/1/hi/uk_politics/7117291.stm
[12] Personal files go to wrong office, BBC News - http://news.bbc.co.uk/1/hi/scotland/glasgow_and_west/7116944.stm
[13] Six more data discs 'are missing', BBC News - http://news.bbc.co.uk/1/hi/uk_politics/7111056.stm
[14] E-mails reveal data check warning, BBC News - http://news.bbc.co.uk/1/hi/uk_politics/7106987.stm
[15] Data lost by Revenue and Customs (15,000 Standard Life customers), BBC News - http://news.bbc.co.uk/1/hi/uk/7103911.stm
[16] Public Key Cryptography, en.wikipedia.org - http://en.wikipedia.org/wiki/Public_key_cryptography

November 21, 2007

» To be (encrypted) or not to be? That was the question.

Yesterday was an eventful day in British news, as far as computer security is concerned, as always. No, I am not talking about the 'Windows random number generator is so not random' story [1, 2], which leaves cryptographic systems that rely on the Windows operating system's (here Windows 2000) pseudo-random number generator (PRNG) vulnerable.

Update: Computerworld reported [5] that Windows XP contains the bug and that a fix will be provided with SP3 (due next year). Also:

'...Windows Vista, Windows Server 2008, and Windows Server 2003 SP2 are not affected... '
'Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch.'
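What the paper [2] actually shows is that an attacker who learns the generator's internal state (for example by reading process memory) can run the state update backwards and recompute outputs that were already handed out, and, because the state is refreshed only rarely, can also predict the outputs that follow. The block below is an added illustration of that forward-security property, not code from the original post and not the Windows algorithm: a toy generator whose state update is an invertible permutation (AES under a constant, public key, standing in for any reversible update) beside one that uses a one-way hash ratchet. The seed, the key constant and the 'out|' and 'ratchet|' labels are made up for the demo.

```go
package main

// Added illustration (not code from the post and not the Windows generator) of
// forward security: a toy PRNG whose state update is an invertible permutation
// (AES under a constant, public key) beside one using a one-way hash ratchet.
// Both output SHA-256 of a 16-byte state; seed and key are made up for the demo.

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"fmt"
)

var permKey = []byte("const-perm-key16") // public constant: the attacker knows the algorithm

type stepFunc func(state []byte) []byte

// output is the value handed to callers for a given state.
func output(state []byte) []byte {
	o := sha256.Sum256(append([]byte("out|"), state...))
	return o[:]
}

// Generate runs a generator from seed for n outputs and returns them with the
// state left behind, which is what a memory disclosure hands to an attacker.
// Called with a leaked state instead of a seed, it predicts future outputs.
func Generate(seed []byte, step stepFunc, n int) (outs [][]byte, state []byte) {
	state = append([]byte(nil), seed...)
	for i := 0; i < n; i++ {
		outs = append(outs, output(state))
		state = step(state)
	}
	return outs, state
}

// permute steps the state with AES (inverse=false) or undoes that step
// (inverse=true): the update is reversible by anyone holding the state.
func permute(state []byte, inverse bool) []byte {
	block, _ := aes.NewCipher(permKey)
	next := make([]byte, aes.BlockSize)
	if inverse {
		block.Decrypt(next, state)
	} else {
		block.Encrypt(next, state)
	}
	return next
}

func permStep(s []byte) []byte   { return permute(s, false) }
func permUnstep(s []byte) []byte { return permute(s, true) } // the attacker's inverse

// ratchetStep is one-way: no function maps the new state back to the old one.
func ratchetStep(state []byte) []byte {
	h := sha256.Sum256(append([]byte("ratchet|"), state...))
	return h[:16]
}

// RecoverPastOutputs is the attacker after a state leak: from the leaked state
// and a candidate inverse of the step, compute the n preceding outputs, oldest first.
func RecoverPastOutputs(leaked []byte, unstep stepFunc, n int) [][]byte {
	outs := make([][]byte, n)
	s := leaked
	for i := n - 1; i >= 0; i-- {
		s = unstep(s)
		outs[i] = output(s)
	}
	return outs
}

func equalAll(a, b [][]byte) bool {
	for i := range a {
		if i >= len(b) || !bytes.Equal(a[i], b[i]) {
			return false
		}
	}
	return len(a) == len(b)
}

// Demo runs both designs for three outputs, leaks their states and reports
// whether the three past outputs can be recovered from each.
func Demo() (permRecovered, ratchetRecovered bool) {
	seed := bytes.Repeat([]byte{0x42}, 16) // constructed; a real seed comes from entropy
	permOuts, permLeak := Generate(seed, permStep, 3)
	ratOuts, ratLeak := Generate(seed, ratchetStep, 3)
	permRecovered = equalAll(RecoverPastOutputs(permLeak, permUnstep, 3), permOuts)
	// The ratchet has no inverse; the only function the attacker holds is the
	// forward step, and applying it recovers nothing.
	ratchetRecovered = equalAll(RecoverPastOutputs(ratLeak, ratchetStep, 3), ratOuts)
	return permRecovered, ratchetRecovered
}

func main() {
	p, r := Demo()
	fmt.Println("invertible step: past outputs recovered from leaked state:", p)
	fmt.Println("hash ratchet:    past outputs recovered from leaked state:", r)
}
```

The ratchet only repairs the backwards direction: Generate called with a leaked state still predicts every future output of either design until fresh entropy is mixed in, which is the other half of the paper's finding about how rarely the Windows generator refreshes its state.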

I am talking about the 25 million records [3] that were stored on two disks and lost in transit (sent by unrecorded delivery) to the National Audit Office. The disks included names, addresses, dates of birth, National Insurance numbers and bank account details. They did mention that they were protected by a password. Nice one!
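The contrast between 'protected by a password' and encryption to a named recipient, which the July post above asks for with its public key cryptography question, comes down to this: sealing the data so that only the holder of the recipient's private key can open it. The block below is an added example, not code from the original post: ephemeral X25519 key agreement against the recipient's public key, a SHA-256-derived AES-256-GCM key bound to both public keys, and the ephemeral public key carried in the clear in front of the ciphertext. The National Audit Office key pair, the domain label and the records are constructed inline for the demo; in practice only the public key would ever leave the recipient.

```go
package main

// Added example, not code from the original post: seal a records file to the
// recipient's public key so a courier disc is unreadable without the private
// key. Scheme: ephemeral X25519 agreement, SHA-256 key derivation bound to
// both public keys, AES-256-GCM. Key pair and records are constructed inline.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const pubKeyLen = 32 // X25519 public key size

// aeadFor derives the AES-256 key from the shared secret and both public keys
// (so a ciphertext cannot be re-targeted to another key pair) and returns GCM.
func aeadFor(shared, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	h.Write([]byte("sealed-records-v1")) // domain-separation label, assumed
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for recipientPub. Result layout: ephemeral public
// key || nonce || ciphertext+tag; the ephemeral key is GCM associated data.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := aeadFor(shared, ephPub, recipientPub.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(ephPub)+len(nonce)+len(plaintext)+aead.Overhead())
	out = append(append(out, ephPub...), nonce...)
	return aead.Seal(out, nonce, plaintext, ephPub), nil
}

// Open reverses Seal. The wrong private key or any modified byte yields an
// error rather than plaintext: there is no password for a finder to guess.
func Open(recipientPriv *ecdh.PrivateKey, sealed []byte) ([]byte, error) {
	if len(sealed) < pubKeyLen {
		return nil, errors.New("sealed blob too short")
	}
	ephPubBytes := sealed[:pubKeyLen]
	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared, ephPubBytes, recipientPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	rest := sealed[pubKeyLen:]
	if len(rest) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, rest[:aead.NonceSize()], rest[aead.NonceSize():], ephPubBytes)
}

func main() {
	// Constructed, fictional stand-in for the records on the lost disks.
	records := []byte("name,dob,ni_number,sort_code,account\nA Example,1970-01-01,QQ123456C,00-00-00,00000000\n")
	naoPriv, _ := ecdh.X25519().GenerateKey(rand.Reader) // recipient's long-lived key pair
	disc, _ := Seal(naoPriv.PublicKey(), records)
	finder, _ := ecdh.X25519().GenerateKey(rand.Reader) // whoever picks up a lost disc
	_, err := Open(finder, disc)
	fmt.Println("finder opens disc:", err)
	got, err := Open(naoPriv, disc)
	fmt.Printf("recipient opens disc: err=%v\n%s", err, got)
}
```

Run it and the finder's Open fails with an authentication error while the recipient's succeeds. What remains is key management, keeping the private key off the disc and off the department's shared drives, which is the organisational part of the 'encryption paradigm' the July post asks about.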

The second interesting news item from yesterday was that of the animal rights activists [4] being required to surrender (Section 51) any cryptographic keys they hold, or to make the encrypted information 'intelligible' (Section 49), under RIPA. This is of special interest as it is the first case in which the new sections of the Regulation of Investigatory Powers Act (RIPA) are being used.

An interesting mention on the BBC News site [4] is that 'The BBC news website talked to one animal rights activist who had their computer seized in May and has received a letter from the CPS.' Poor employee; do you think the BBC will think twice before interviewing an activist again?

Future watch: let's see what happens when pharmaceutical companies start producing an 'acute Alzheimer's disease for a year' pill. Oh right… encryption will be so weak with bad implementations that we won't need the keys anyway.

Links Used:
[1] 'Windows random number generator is so not random', The Register - http://www.theregister.co.uk/2007/11/13/windows_random_number_gen_flawed/
[2] Leo Dorrendorf, Zvi Gutterman and Benny Pinkas, 'Cryptanalysis of the Random Number Generator of the Windows Operating System', ACM CCS 2007 - http://eprint.iacr.org/2007/419
[3] 'Darling says 25m records "lost"', BBC News - http://news.bbc.co.uk/2/hi/uk_news/politics/7103566.stm
[4] 'Campaigners hit by decryption law', BBC News - http://news.bbc.co.uk/2/hi/technology/7102180.stm
[5] 'Microsoft confirms that XP contains random number generator bug', Computerworld - http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9048438