There was an excellent line-up of speakers at Janet CSIRT’s conference this week.
Lee Harrigan (Janet CSIRT) discussed how the team are now monitoring Pastebin for signs of security problems affecting Janet sites. Pastebin can be a useful place to share large files; however, some users apparently don’t realise that things posted to the site are publicly visible. This means that posting documents containing passwords or other sensitive information is not a good idea. Pastebin is also used by some hacktivists to advertise embarrassing information they have taken from their targets. Around 90% of the alerts that Janet CSIRT obtain from Pastebin appear harmless; however, giving Janet-connected organisations early warning of the other 10% may help them reduce the impact.
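One way the triage step described above could be implemented, as an added example that is not Janet CSIRT’s own code: the monitored domains and the sample pastes are hypothetical and constructed, and a paste is escalated only when a monitored domain co-occurs with credential-like content, which is what separates the harmless majority of mentions from the minority worth an early warning.

```python
import re
from dataclasses import dataclass, field

# Hypothetical domains of the organisations we want early warning for.
MONITORED_DOMAINS = ("example-uni.ac.uk", "example-college.ac.uk")

# Heuristics for the sensitive content the talk mentioned: "email:password"
# style lines, and key/value lines that name a password.
CRED_PAIR = re.compile(r"^[\w.+-]+@[\w.-]+\.[a-z]{2,} ?[:;|,] ?\S+$", re.I | re.M)
PASSWORD_KV = re.compile(r"\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*\S+", re.I)


@dataclass
class Verdict:
    paste_id: str
    domains: list = field(default_factory=list)  # monitored domains mentioned
    credential_lines: int = 0
    password_mentions: int = 0

    @property
    def needs_review(self) -> bool:
        # Most mentions are harmless (reading lists, job adverts); escalate only
        # when a monitored domain co-occurs with credential-like material.
        return bool(self.domains) and (self.credential_lines + self.password_mentions) > 0


def triage_paste(paste_id: str, text: str, domains=MONITORED_DOMAINS) -> Verdict:
    lowered = text.lower()
    verdict = Verdict(paste_id, [d for d in domains if d in lowered])
    verdict.credential_lines = len(CRED_PAIR.findall(text))
    verdict.password_mentions = len(PASSWORD_KV.findall(text))
    return verdict


# Constructed sample pastes: a harmless mention, a credential dump naming a
# monitored site, and a dump that concerns somebody else's users.
SAMPLE_PASTES = {
    "reading-list": "CS101 reading list\nModule page: https://www.example-uni.ac.uk/cs101\n",
    "dump": "accounts lol\nalice@example-uni.ac.uk:Summer2012\n"
            "bob@example-uni.ac.uk;letmein\nadmin password: hunter2\n",
    "other-dump": "carol@example.com:qwerty\n",
}


def run_demo() -> dict:
    """Return {paste_id: needs_review} for the constructed samples."""
    return {pid: triage_paste(pid, text).needs_review for pid, text in SAMPLE_PASTES.items()}
```

Running `run_demo()` flags only the "dump" paste; the reading list mentions a monitored domain but carries no credentials, and the other dump carries credentials but for a domain outside the constituency.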
DI Stewart Garrick talked about the work of the Police Central eCrime Unit (PCeU). The unit, though part of the Metropolitan Police in London, provides support to forces across the country in dealing with computer crime where life, the economic survival of an individual or business, or more than £1M are at risk. Their processes are designed to deal with the particular challenges of computer crime, for example their forensic procedures produce early results within hours rather than weeks and they have quick and effective working relationships with forces in other countries. Investigations and prosecutions no longer stop at the UK border. It also seems that courts are recognising the seriousness of computer crimes, with those convicted being sentenced to several years in prison.
Rich Hutchinson talked about the MRC/UCL epiLab-SS service, used to handle medical research data. The sensitivity of this information needs particularly good security and the team decided this was best provided by running servers in a secure third party data centre, accessed from UCL using thin client systems. To reassure funders and those whose information may be stored in the system the service has now been certified as compliant with ISO27001. The support of both management and researchers was critical in this achievement.
Tony Brookes (University of Derby) has been studying data security breaches reported to the Information Commissioner’s Office (ICO) by various parts of the public sector. Most of these result from human error – sending personal information to the wrong recipient or losing files on paper, USB sticks or laptops – rather than technical failures. Nor does preventing or mitigating these require advanced technology – standard disk encryption is recommended in nearly every ICO report. Failure to learn lessons, both from your own incidents and those of others, now seems likely to result in a monetary penalty from the ICO. Since these can now be up to £500K, this is a risk that organisations should be aware of and take steps to reduce.
Graham Cluley (Sophos) reviewed the past, present and future of viruses, starting in the days when Doctor Solomon’s anti-virus was updated each month (by floppy disk!) to add around 200 new viruses. Today more than a hundred thousand new viruses are discovered each day – fortunately anti-virus programs now detect most of these by their suspicious behaviour and do not need to be updated individually for every one. Propagation methods have changed: effective anti-spam filters mean that many fewer infected e-mails reach users’ inboxes (though you should still beware of clicking on unexpected attachments). Instead, viruses are now concentrating on social media (Facebook, Twitter, etc.), both because technological solutions are less well developed and because users are much more likely to click on links sent by their friends or those they follow. Once one account is infected, the virus can send itself through genuine messages from that person to everyone in their network, as well as collecting all the personal information that may have been stored in each infected account. From monthly updates in the post to daily updates by download, we may now need to move to live checking by our browser every time we visit a new URL.
Chris Wakelin (Reading University) finished the day with a look at the techniques that malware uses to try to evade detection. Complex encoding schemes are used to hide the fact that a file contains executable code, with Java files and PDFs being the most commonly infected files. Ensuring these applications are kept up to date is essential to reduce the number of successful infections. Monitoring network traffic patterns can often confirm that an infection was successful and, by looking for similar patterns elsewhere, detect other infections by the same malware. Once a computer has been infected, modern malware makes so many subtle changes that the only way to be sure that it has been cleaned is to wipe the disk (including the boot record) and re-install from a clean backup. Patches, flow monitoring and backups remain vital security tools.