“Assume you’re hacked”

    In one of the comments to the post on password ageing I promised another post on the pros and cons of managed desktops. That’s still being written, but in the meantime I came across Security Rule No. 1 - Assume you’re hacked, which contains this:

    The best way to prevent hacking is to lock down workstations and servers and to allow only pre-approved software to run on them. Most IT departments have no idea about what is and isn’t running on all the computers under their control. Use a software inventory or an application control program to learn what is running, review each active program, approve what is needed, and prevent the rest from running. If you can’t take this step, then it’s probably a losing battle.

    That’s the classical approach, and it certainly makes life easier.

    The whole article is worth the read. As I said in my post on metrics, I don’t believe anyone who says they haven’t been hacked, but that can be a difficult thing to sell to senior management. Articles like this one (and the original article in Forbes) are all good stuff to have to hand in that discussion.
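    The inventory-then-approve loop quoted above, as an added worked example (my code, not the post’s or the article’s). It assumes a hypothetical inventory agent that reports each program’s install path together with the bytes of the binary, and an approved list keyed by path and SHA-256 so that a binary merely reusing an approved name is still caught; all paths, programs and hashes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed approved-software list, as an application-control product
# might hold it: install path -> SHA-256 of the approved build. The
# hashes are derived from constructed byte strings so this runs offline.
# (Hypothetical paths; nothing here is a real inventory.)
_APPROVED_CONTENT = {
    "/usr/bin/ssh": b"approved build of ssh",
    "/opt/corp/agent": b"approved build of inventory agent",
    "/usr/bin/python3": b"approved build of python3",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


APPROVED = {path: sha256_hex(content) for path, content in _APPROVED_CONTENT.items()}


@dataclass
class Finding:
    path: str
    status: str  # "approved", "unknown" or "hash-mismatch"


def review_inventory(inventory, approved=APPROVED):
    """Classify each reported program against the approved list.

    inventory: list of (path, file_bytes) pairs as a (hypothetical)
    software-inventory agent would report them. Matching is on path AND
    content hash: an unknown path is "unknown", an approved path whose
    content differs from the approved build is "hash-mismatch".
    """
    findings = []
    for path, content in inventory:
        digest = sha256_hex(content)
        if path not in approved:
            findings.append(Finding(path, "unknown"))
        elif approved[path] != digest:
            findings.append(Finding(path, "hash-mismatch"))
        else:
            findings.append(Finding(path, "approved"))
    return findings


def to_block(findings):
    """Paths the enforcement step should prevent from running: everything
    that is not a verified, approved build."""
    return sorted(f.path for f in findings if f.status != "approved")


# Constructed inventory: two approved programs, one program nobody reviewed,
# and one approved path whose binary is not the approved build.
SAMPLE_INVENTORY = [
    ("/usr/bin/ssh", b"approved build of ssh"),
    ("/opt/corp/agent", b"approved build of inventory agent"),
    ("/tmp/updater", b"something nobody reviewed"),
    ("/usr/bin/python3", b"a different build of python3"),
]

if __name__ == "__main__":
    findings = review_inventory(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.status:14} {f.path}")
    print("block:", to_block(findings))
```

    The review step the article talks about happens between the two functions: someone looks at each "unknown" entry, either adds its hash to the approved list or leaves it to be blocked, and a "hash-mismatch" on an approved path is worth investigating rather than simply re-approving.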

  On the News of the World phone hacking

    Following on from yesterday’s discussion of password stealing, we have the recent report by the House of Commons Culture, Media and Sport select committee on hacking at the News of the World.

    The general aspects of the case are covered elsewhere (and may well be dug up again by a judicial review, it seems), but I thought I’d add two comments.

    Firstly, it shows, again, the uselessness of passwords as a means of protecting sensitive information. Exactly how this “hack” occurred isn’t public, but I’ll put up hard cash that it was a social attack and not a technical one. Over on At The Sauce there’s a description of how one journalist believes his voicemail was accessed, and it seems very plausible. As ever, the simplest solution to obtaining a password is to just ring up the provider and ask for it.

    Secondly, the MPs are quoted as being “surprised” that this action wasn’t illegal. It’s always seemed strange that accessing an already-read email, or an already-listened-to voicemail, isn’t interception. Hopefully that will change as a result of this. Gaining access by technical means (like the Prince Philip Prestel hackers, or the Paris Hilton case) leads to a charge under the Computer Misuse Act, but that doesn’t apply to these attacks.

    Yates told the committee it was hard to get convictions for accessing others’ voicemails under the Regulation of Investigatory Powers Act. The committee recommended that the law be amended to cover all hacking of messages. (Source)
