CyberLaw Blog

Archive for the ‘Security’ Category

BBC News: MI6 boss in Facebook entry row

Personal details about the life of the next head of MI6, Sir John Sawers, have been removed from social networking site Facebook amid security concerns.

The Mail on Sunday said his wife had put details about their children and the location of their flat on the site.

The details were removed after the paper contacted the Foreign Office.

Foreign Secretary David Miliband denied claims security had been compromised, saying: “You know he wears a Speedo swimsuit. That’s not a state secret.”

Privacy protection

Sir John Sawers is currently the UK’s ambassador to the United Nations and is due to take up his new post in November.

The Mail on Sunday said information published on Facebook included the couple’s friendships with senior diplomats and actors, including Moir Leslie from BBC Radio 4’s The Archers.

Lady Sawers revealed the location of the London flat used by the couple and the whereabouts of their three grown-up children and of Sir John’s parents, the paper said.

She had not imposed privacy protection on her account, allowing any of Facebook’s 200 million users in the open-access “London” network to see the entries, it added.

Conservative MP Patrick Mercer, chairman of the counter-terrorism sub-committee, expressed concerns about the possible security risk.

He told the BBC: “It raises all sorts of worrying issues about the… personal life, in particular the location of flats, transport details, movement details, of an individual who is our most senior counter-terrorism officer abroad.

“A great deal of taxpayers’ money has been spent over the past several decades making sure he and his family are protected from security compromises. Well, it doesn’t seem to be very relevant anymore, does it?”
“ He’s a very able man, he’s a very able appointment. It’s pretty unfortunate that this has happened ”
Sir John Major

He added: “It’s distressing and worrying therefore that these sorts of details should be appearing in the public domain. I would have hoped these sort of mistakes would not have been made by people like that.”

Liberal Democrat foreign affairs spokesman Edward Davey said the disclosure had the potential to damage the security of Sir John’s family.

“We would be negligent if there wasn’t an internal inquiry into the security implications, not just in relation to MI6 but to Sir John and his family,” he said.

“We need to be reassured that this has been considered properly and there is nothing we need to worry about as a result of this.”

‘Grow up’

But Foreign Secretary David Miliband told the BBC’s Andrew Marr programme: “Are you leading the news with that? The fact that there’s a picture that the head of the MI6 goes swimming – wow, that really is exciting.

“It is not a state secret that he wears Speedo swimming trunks, for goodness sake let’s grow up.

“He is an outstanding professional who will do a really good job in an outstanding organisation.”

Former Prime Minister Sir John Major said the issue had been “overblown”.

He said: “I know John Sawers. He’s a very able man, he’s a very able appointment. It’s pretty unfortunate that this has happened, I think that is true.

“But I think when you’re faced with leaving Iraq possibly too early, huge problems in Afghanistan, the mess in Pakistan, the depth of the recession, I think this falls a long way below those.”

Sir John Sawers is due to replace Sir John Scarlett as head of the overseas Secret Intelligence Service (MI6).

He has been the UK’s Permanent Representative to the UN since 2007.

Before that he was political director at the Foreign Office, an envoy in Baghdad and a foreign affairs adviser to former Prime Minister Tony Blair.

He was in that post from 1999 to 2001 and was involved in the Kosovo conflict and Northern Ireland peace process.

Elsewhere overseas he worked in the British embassy in Washington, as an ambassador in Cairo and to South Africa from 1988 and 1991 when apartheid was ending.
Story from BBC NEWS:

http://news.bbc.co.uk/go/pr/fr/-/1/hi/uk/8134807.stm

Published: 2009/07/05 10:34:38 GMT

Government sets up two new cyber security bodies: “The Government will create two new public bodies to help protect Government and citizens from digital security threats. It will set up one strategy body and one operations centre to increase the UK’s cyber security, it said.”

(Via OUT-LAW News.)

Security and fundamental freedoms on the Internet

European Parliament, (Plenary sessions), Fundamental rights – 26-03-2009 – 13:28

Increasingly, companies, governments, police and even criminals are seeking the greatest possible access to our private data. The internet provides a previously unimaginable level of access to information about our private lives, which unfortunately, can be abused by companies, intelligence services or even identity thieves. The report highlights action against cybercriminals whilst also guaranteeing fundamental rights to privacy for internet users.
The report adopted with 481 votes in favour, 25 against and 21 abstentions is the first recommendation from MEPs concerning the fight against cybercrime and preserving the rights of internet users. Clearly the internet can be used as an excellent tool for accessing information and allowing connections between individuals and communities all over the world. However, it also has its dangers as it can expose users to surveillance, or even serve as a tool for criminals or terrorists. The main advantage and disadvantage of the internet is that it transcends almost all borders.

Criminalising grooming

Parliament urges Member States to update legislation to protect children using the Internet, in particular in order to criminalise grooming (online solicitation of children for sexual purposes), as defined in the Council of Europe Convention of 25 October 2007 on the Protection of Children against Sexual Exploitation and Sexual Abuse.

MEPs are also concerned with the idea that ‘e-illiteracy will be the new illiteracy of the 21st Century.’ The report argues that in this age, having access to the internet is ‘equivalent to ensuring that all citizens have access to schooling’, and that this access should not be denied by governments or private companies.

Fundamental freedoms of internet users

There are a number of fundamental rights which are affected by the internet, including ‘respect for private life…data protection…freedom of speech and association, freedom of press, political expression and participation, non-discrimination and education.’ The report calls on Member States to protect these rights by making use of existing national, regional, and international law, and to exchange best practices amongst themselves.

The report recognises that given ‘the global and open nature of the Internet’, international standards for data protection, security and freedom of speech are required. MEPs call on Member States and the Commission to draw up a series of regulations to protect the privacy of internet users.

Crime, identity theft and terrorism

The nature of the internet also means that it is open to abuse. It has ‘been used as a platform for violent messages…as well as for websites which can specifically incite hate-based criminal acts.’ Cybercrime, in general has also increased, and internet users are at risk of identity theft, if they transmit their personal details across the internet without a minimum level of protection. Therefore, the House calls on the Council and Commission to develop a ‘comprehensive strategy to combat cybercrime…identity theft and fraud.’

Finally, the report raises the question of consent of internet users, when giving personal information to governments or private companies, and the imbalance of negotiating power between users and institutions. In relation to this, MEPs stress the importance of internet users being able to retain the right to permanently delete any of their personal details saved on ‘internet websites or on any third party data storage medium.’

EU – Commission acts to protect Europe from cyber-attacks and disruptions: “(RAPID)
The Commission has released a new Communication on Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience COM (2009)149. The Commission called for action to protect critical information infrastructures by making the EU more prepared for and resistant to cyber attacks and disruptions. At the moment Member States’ approaches and capacities differ widely. A low level of preparedness in one country can make others more vulnerable, while a lack of coordination reduces the effectiveness of countermeasures.

“

(Via QuickLinks Update.)

Worm strikes Commons computer network

Parliamentary computers have been infected by the Conficker worm, like an estimated 10m PCs worldwide – and experts fear next week will see problems worsen

The House of Commons internal computer network has been infected by the ‘Conficker’ worm that has also infected millions of Windows PCs around the world, and has had to ban its users from attaching outside storage – such as USB ‘memory sticks’ – in case it gets reinfected.

The revelation is an embarrassment for the organisation running the network, which contains nearly 1,000 computers, because Microsoft issued a fix for the weakness that leaves PCs vulnerable in October – meaning that they have been lax in applying necessary security fixes. MessageLabs, owned by Symantec, is understood to be responsible for the antivirus and antispam filtering of communications with the network.

A memo sent out in the House of Commons network on Tuesday night warned that ‘the Parliamentary network has been affected by a virus known as conficker. This virus affects users by slowing down the Network and by locking out some accounts.’ It instructs users to leave computers turned on – so that they can have the malware removed – and that unauthorised computers be removed from the network.

Memory sticks, which can be used to transfer the worm accidentally between computer networks, have also been banned while the system is cleansed.

None of MessageLabs, the Parliamentary Information Communications and Technology helpdesk or a spokeswoman nominated by PICT had responded to requests for comment when this story was filed.

Security experts are meanwhile trying to work out whether the Conficker worm, which has infected roughly 10m Windows PCs around the world, will devastate the internet on 1 April, when it is due to seek out an update to its controlling software from the unknown group that wrote the original infecting code.

Antivirus companies have managed to decode enough of the code of the program – also known as ‘downadup’ – to realise that from next Wednesday it will start to check 50,000 randomly-named domains which might be registered in any one 110 different countries, seeking one site that will have been set up to issue it with new instructions.

That marks a step up from earlier versions of the worm, which used to check 250 sites per day – but which was defeated because in an unprecedented effort, a multinational industry security team managed to block all of the potential domains, including a number in China.

The fears are that the update might instruct the infected machines to start an all-out attack on major sites such as Google, Yahoo or Amazon – all of which have been targets of ‘denial of service’ attacks by large groups of infected computers, known as ‘botnets’, in the past.

But it is more likely that the computers will simply get updated orders to carry on sending out spam emails, or hosting ‘phishing’ sites – which look like official bank or credit card sites but are fake, and collect information to send to the botnet’s owner.

The worm seems to have been developed by Chinese hackers, but its purpose is not clear. It has spread to millions of PCs, often in corporate organisations, by exploiting a flaw in older versions of Microsoft’s Internet Explorer browser.

In February, Microsoft put a $250,000 bounty on the head of the writer, or writers, of Conficker: ‘The Conficker worm is a criminal attack. People who write this malware have to be held accountable,’ said George Stathakopoulos, of Microsoft’s Trustworthy Computing Group.

‘We don’t know who’s behind this worm, but they seem to be pretty professional in what they do,’ noted F-Secure, one of the antivirus companies that was first to spot the worm. The worm uses a cryptographic system called the MD6 hash algorithm, which encodes its content using a secure new system that has proven impossible for antivirus teams to break.

But others think it will be less dramatic. ‘What happens on April Fool’s day is anyone’s guess,’ noted Vinoo Thomas of McAfee. ‘But what have we learnt from history? From the days of [the] Michelangelo [virus, in 1992] to the recent Blaster, SoBig, Sober and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms have only turned out to be damn squibs.’

Rick Wesson, of the industry team that has built up around efforts to defeat Conficker, thinks that its legacy may turn out to be positive: because it has forced different countries to work together, it has created the first forms of a worldwide cyber security system. ‘No matter what happens with Conficker, it’s created something here….a beautiful opportunity to bring cyber security to the kitchen table,’ he told the Washington Post.

(Via Latest news, sport, business, comment and reviews from the Guardian | guardian.co.uk.)

EU – European Push for More Online Rights to Privacy: “(IDG News Service)
Members of the European Parliament (MEPs) will push for a re-think of the balance between the need for security and the right to privacy on the Internet, not just in Europe but around the world. They supported a report which calls on the 27 countries in the European Union and the European Commission, its executive body, to define global standards for data protection, security and freedom of expression. The author of the report, Greek socialist MEP Stavros Lambrinidis, said the move is vital at a time when people’s digital identity is becoming an integral part of their actual identity. One specific demand in the report is for a strict definition of a user’s ‘consent’ to share his data, given the unequal balance of powers between users, private companies or governments. Another is that the right of access to the Internet should be considered equal to the right to education, and should never be blocked by governments or private companies. The report debated Thursday drew support from academics, civil liberties groups and Europe’s data protection supervisor Peter Hustinx, who warned against applying less strict data protection rules to the Internet than the protection expected in daily life. See EP Legislative Observatory.”

(Via QuickLinks Update.)

Europeans push for more online rights to privacy: “Members of European Parliaments will push for a rethink of the balance between the need for security and the right to privacy on the Internet.

(Via Macworld.)

Spooks told to get used to encrypted VoIP: “

UK start-up aims to conceal more conversations

A British security firm has urged the government not to impose heavy-handed interception regulations on VoIP providers, ahead of the forthcoming consultation on communications data.…

“

(Via The Register – Comms.)

Prime Minister’s health records breached in database attack: “

Scottish rich and powerful victimized

Personal medical records belonging to Scotland’s rich and powerful – including Prime Minister Gordon Brown and Holyrood’s First Minister Alex Salmond – have been illegally accessed in a breach of a national database that holds details of 2.5 million people.…

“

(Via The Register – Public Sector.)

Facebook users ‘at risk’ as hackers target site: “Facebook users are at risk from malicious hackers targeting the site, online security experts warned.”

(Via Tech and Web from Times Online.)