Friday 18 October 2013

PRISM: UK government will hold public debate on GCHQ snooping powers

The UK's Intelligence and Security Committee (ISC) has expanded the scope of its investigation into whether new privacy legislation is required following the PRISM scandal to include public feedback.
The chairman of the ISC, Sir Malcolm Rifkind, announced the expansion in a public statement, arguing that businesses' and citizens' ongoing concerns over the data-monitoring powers held by Government Communications Headquarters (GCHQ) will only be allayed if all parties are included in the investigation.
"In recent months concern has been expressed at the suggested extent of the capabilities available to the intelligence agencies and the impact upon people's privacy as the agencies seek to find the needles in the haystacks that might be crucial to safeguarding national security. There is a balance to be found between our individual right to privacy and our collective right to security. An informed and responsible debate is needed," he said.
Rifkind said the UK parliament and ISC would now expand the scope of the inquiry and begin accepting feedback from the public. "The Intelligence and Security Committee of parliament has therefore decided to broaden the scope of its forthcoming inquiry to consider these wider questions, in addition to those relating to the existing legislative framework," he explained.
"In addition to the classified information that only the ISC has access to, the Committee will also be inviting written evidence more broadly, including from the public, to ensure that the Committee can consider the full range of opinions expressed on these topics. Once it has considered those written submissions it will also hold oral evidence sessions, some of which it expects to hold in public."
The ISC initially cleared GCHQ of any wrongdoing regarding PRISM in July. That initial investigation focused only on whether the types of data GCHQ collected, and the way it collected them, broke existing UK laws.
News of the PRISM scandal broke earlier in the year when ex-CIA analyst Edward Snowden leaked classified documents to the press proving that the US National Security Agency (NSA) was gathering vast amounts of web user data from companies such as Google, Facebook, Yahoo and Microsoft. The scandal led to a global debate on existing privacy laws. The European Court of Human Rights is also investigating GCHQ's involvement in the PRISM spying scandal.
The expanded investigation follows widespread calls for a public debate about intelligence agencies' data collection powers. Ex-Navy Seal and Silent Circle chief executive Mike Janke called for a public debate about what powers the NSA and GCHQ should have in an interview with V3 in August. Renowned cryptographer Bruce Schneier made a similar call to arms, accusing the NSA of "commandeering the internet" in a public blog post.

Google promises Microsoft Windows XP support for Chrome until 2015

Google has promised to issue Chrome web browser security patches for Windows XP until at least 2015, a full year after Microsoft officially ends support for the operating system.
Google director of engineering for Chrome Mark Larson announced the news in a blog post. "Since unpatched browser bugs are often used by malware to infect computers, we're extending support for Chrome on Windows XP, and will continue to provide regular updates and security patches until at least April 2015," he said.
Microsoft will officially end support for its decade-old Windows XP operating system on 8 April 2014. Despite this, many businesses are not preparing to update their systems to newer Windows versions.
In April research from application migration specialist Camwood revealed that two out of five UK IT decision makers are yet to begin migrating to a more modern platform. Larson cited the number of people still using Windows XP as a key reason for Google's decision to continue support for the OS.
"We recognise that hundreds of millions of users, including a good chunk of current Chrome users, still rely on XP. Moreover, many organisations still run dozens or even hundreds of applications on XP and may have trouble migrating," he said.
"Our goal is to support Chrome for XP users during this transition process. Most importantly, Chrome on XP will still be automatically updated with the latest security fixes to protect against malware and phishing attacks."
Google's announcement follows widespread reports that the cyber threat facing businesses is growing. Earlier this month Symantec researchers reported finding a bogus Facebook page duping victims into downloading data-stealing malware.

Edward Snowden reveals office politics sparked PRISM leaks

NSA whistleblower Edward Snowden has revealed his decision to leak countless top secret documents to journalists was taken after his efforts to improve the NSA's security practices were ignored.
In a wide-ranging interview with The New York Times, the former NSA contractor continued to justify his decision to leak thousands of documents relating to the surveillance practices of the American and British security services.
"So long as there's broad support amongst a people, it can be argued there's a level of legitimacy even to the most invasive and morally wrong program, as it was an informed and willing decision," the 30-year-old explained.
"However, programs that are implemented in secret, out of public oversight, lack that legitimacy, and that's a problem. It also represents a dangerous normalisation of 'governing in the dark', where decisions with enormous public impact occur without any public input."
Snowden also revealed the series of events that led to him making the decision to hand the documents – including those relating to the PRISM scandal – over to the Guardian and The New York Times.
He explained that it was a gradual process as he became frustrated that his efforts to prove the existence of security flaws in the NSA's systems fell on deaf ears and even resulted in "petty email spats" and disciplinary action. He said that he was convinced that trying to work through the NSA's systems was a fruitless effort.
The New York Times reports that Snowden finally decided to take action when he discovered a document during a system cleanse, which was "too highly classified to be where it was". "Curiosity prevailed," he said.
On his decision to become the public face of the story, Snowden said that he effectively had no choice if he wanted to be taken seriously. He said that if he had made the leaks as an anonymous insider, he would have been discredited and his work "buried forever".
The fallout of Snowden's leaks and the trickle of revelations from The New York Times and the Guardian has sent shockwaves across the technology industry, with governments, major enterprise technology brands and consumer technology firms all accused of malpractice at some stage.
On several occasions, the EU has stepped in, most recently insisting that European businesses should continue to make use of cloud computing services in spite of the surveillance revelations.

KPMG buys 3,500 BlackBerry 10 smartphones

Consulting firm KPMG has bought 3,500 new BlackBerry 10 (BB10) smartphones for use by staff in its Milan office, despite ongoing questions over the Canadian firm's long-term future.
BlackBerry said KPMG is also pushing ahead with its plans to migrate to BlackBerry's new Enterprise Mobility Management (EMM) solution and BlackBerry Enterprise Service 10 (BES10).
The news comes during a dark period for BlackBerry, which has been losing money since the launch of its current BB10 operating system. The losses led BlackBerry to seek buyout offers from a variety of sources with no clear future for the firm in sight.
IT lead partner at KPMG Davide Grassano highlighted the security benefits of BES10 and BB10 as key reasons for the company's continued interest in the platform. "Every day our professionals need to share confidential information and need a reliable smartphone with strong security, and the flexibility to meet different working needs," said Grassano.
"With BlackBerry 10 we have found the best solution in terms of usability, security, connectivity and price. The BlackBerry solution allows our users to have access to shared files and other internal resources, while also working to prevent the accidental leakage of business documents and attachments."
Managing director for southeast Europe at BlackBerry Alberto Acito mirrored Grassano's sentiment, arguing that the platform's robust security and device management powers will lead to further successes in the enterprise space.
"Security, usability and cost-effectiveness are at the heart of the BlackBerry 10 solution. The combination of BlackBerry Enterprise Service 10 and BlackBerry 10 smartphones delivers a breakthrough platform that combines state-of-the-art security with a powerful new mobile computing experience," said Acito.
"Customers understand the value and benefits of our offering and this is why more than 25,000 BlackBerry Enterprise Service 10 commercial and test servers have already been installed globally, including within many of the world's top organisations."
The robust security of BlackBerry services has been praised by numerous companies and government agencies. BlackBerry 10 smartphones won approval from Nato for use with classified communications up to the level of Restricted earlier in October.

ICO chides Panasonic for lost laptop with unencrypted data

The Information Commissioner’s Office (ICO) has criticised Panasonic after an unencrypted laptop was stolen, containing personal information on 970 people.
The device was stolen from an employee of an unnamed third-party firm that Panasonic had hired to help it put on an event at a hotel. The laptop data included names, addresses, contact details, dates of birth, passport details and emergency contact details.
The ICO discovered that the passport information was only needed for overseas guests staying at the hotel, but that passport data on all guests was collected as it was felt it might be useful in an emergency. 
The laptop was password protected, but did not have encryption or physical security. The ICO said that although Panasonic’s own data-protection policies were comprehensive, it had never communicated these to the third party.
The firm's UK managing director Andrew Denham has now signed an undertaking to improve its data protection policies. V3 contacted Panasonic for comment on the case but had received no reply at the time of publication. The ICO had also not responded to a request for comment on the case.
The incident is the second the ICO has ruled on this week, after it criticised the Royal Veterinary College (RVC) for failing to implement bring-your-own-device policies after sensitive data, which was stored on a staff-owned device, was lost.
Unencrypted devices are frequently the cause of data loss incidents. Despite numerous incidents and warnings from the ICO, firms are still failing to adequately protect their data, with the ICO again urging organisations to understand their security obligations for data.

BT warns UK is losing cyber arms race due to lack of interest in IT

UK industry will lose the cyber arms race with hackers if it does not work to address young people's lack of interest in information security, according to BT cyber director Bob Nowill.
Speaking in a frank discussion with V3, Nowill said that, despite yielding a number of positive results, the UK cyber strategy has yet to fully plug the cyber skills gap.
"I think it's a bit of an arms race if I'm honest. Yes, we've been making some good inroads into ethical hacking and penetration testing but, the truth is all of this stuff is getting more and more complex and there are more attacks coming, we can see that just through our own cyber defence operations at BT," he said.
"Therefore, there is a continued need and demand for new and better people to help with this problem."
The BT cyber director said this is troubling as the company has seen growing sophistication and tenacity within a number of hostile groups.
"In terms of the threat actors you can see state actors, criminals, activists and hacktivists. They're all at it, they always have been but the volume has gone up. Some of that could be because we generally are taking more care to look, but overall the numbers have gone up," he said.
"I think there's also been a balance change. If we were having this conversation 10 years ago we'd be talking about the lone student in a bedroom doing terrible damage. That stereotype may have been true once, but it's certainly less so now. Obviously there's been the rise of the hacktivist, where we've seen a growing sophistication within some groups."
Nowill said this means businesses can no longer afford to ignore cyber security. "If you've got badly configured firewalls, or if you've got out-of-date or non-existent denial-of-service (DoS) defences, or you don't have a managed security service provider and are just trying to DIY it, you are more likely to fall victim to something than you were in the past," he said.
To fix the problem, Nowill said everyone from security providers to schools needs to take a more proactive, exciting approach to educating board members and children about information security.
"Storytelling is the best way of getting it across. Not everyone likes reams of graphs, stats and figures showing how awful everything is. People, as do the boards of companies, like stories. They like real stories about things that have happened, what the consequences were, with pictures and videos that bring it all to life."
He highlighted hands-on dynamic tuition programs, such as Cyber Security Challenge UK, as a key example of how schools and businesses can make information security education more exciting.
"Another good thing is to give them hands-on experience, with things like the Cyber Security Challenge masterclasses. Get them doing a real exercise that's authentic and based on something that's happened in the real world, something they can really get stuck in with and make great progress," he said.
BT has been an avid supporter of the UK Cyber Security Challenge since it began. The telecoms company is currently partnering with GCHQ and the National Crime Agency (NCA) to design the 2013 challenge's final.
The UK Cyber Strategy launched in 2011, when the government pledged to invest £650m to help bolster the nation's cyber defences. Education has been a key part of the strategy and to date the government has launched several schemes and initiatives to help plug the ongoing skills gap.
These have included GCHQ's Can You Find It challenge and the opening of two new higher education centres designed to train the next generation of security experts at Oxford University and Royal Holloway, University of London.