
Issues with the Met's information systems have contributed to failures to protect children at risk of sexual exploitation, according to a report by Her Majesty's Inspectorate of Constabulary (HMIC).

The 113-page report [PDF], published today following HMIC's inspection of national child protection arrangements, describes how London's Metropolitan Police Service (MPS) has had issues with its IT systems that contribute to failures to protect vulnerable children.

Police staff told HMIC that information on the Met's Crime Recording Information System (CRIS), which holds data regarding children's circumstances and vulnerability, was “not easy to locate” and “complicated” while the system's usage was “neither universally adhered to nor universally understood”.

This is a particular concern with regard to the force's risk assessments, according to HMIC, which said that in many incidents officers failed to reflect the intelligence their systems held or simply made inaccurate assessments.

HMIC reported that some cases were graded as being of only “medium risk of harm on the basis that the children in question were 'streetwise and able to take care of themselves'.”

In one such incident, the report went on to explain, a 13-year-old girl who went missing overnight was assessed as only being at medium risk because she was “streetwise” despite the Met's communications centre receiving a report that the child was “alone and unsafe in a house with three men”.

Connectivity issues with the Met's IT systems meant this information was “in an email inbox in the MPS for 14 hours before the force acted on it.”

HMIC stated that such findings “in relation to the flagging and retrieval from the police computer systems of relevant information about child protection issues are a particular concern.”

It explained that the difficulty of locating information on the current force IT systems risks cases being dealt with in isolation, leading to potential intelligence gaps.

The report concluded: "The lack of connection between the MPS IT systems, databases and spreadsheets used to record such analyses exacerbates this problem. As a result, much of the information on victims, offenders and risk is kept in isolated pockets across the force. This contrasts sharply with the free movement of people (both victims and offenders) around the capital." ®



The Register - Security

Apple may have refused to help the FBI unlock an iPhone used by the San Bernardino shooter, but the tech industry is still better off working with the U.S. government on encryption issues than turning away, according to a former official with the Obama administration.

“The government can get very creative,” said Daniel Rosenthal, who served as the counterterrorism director in the White House until January this year. He fears that the U.S. government will choose to “go it alone” and take extreme approaches to circumventing encryption, especially if another terrorist attack occurs.


“The solutions they come up with are going to be less privacy protective,” he said during a talk at the Versus 16 cybersecurity conference. “People will think they are horrifying, and I don’t want us to see us get to that place.”

Rosenthal made his comments as President-elect Donald Trump—who previously called for a boycott of Apple during its dispute with the FBI—prepares to take office in January.

A Trump administration has a “greater likelihood” than the Obama administration of supporting legislation that will force tech companies to break into their customers’ encrypted data when ordered by a judge, Rosenthal said.

“You have a commander-in-chief, who said at least on the campaign trail he’s more favorable towards a backdoor regime,” Rosenthal said.

Earlier this year, one such bill was proposed that met with staunch opposition from privacy advocates. However, in the aftermath of another terrorist attack, Congress might choose to push aside those concerns and pass legislation drafted without the advice of Silicon Valley, he said.  

Rosenthal went on to say that U.S. law enforcement needs surveillance tools to learn about terrorist plots, and that’s where the tech industry can help. During his time in the White House, he noticed a “dramatic increase” in bad actors using encryption to thwart government efforts to spy on them.

“There are people trying to come up with a reasonable solution,” he said of efforts to find a middle ground on the encryption debate. “To immediately say there is no solution is counter historical.”

Cindy Cohn (right), executive director of EFF, and Daniel Rosenthal, former director of counterterrorism for the White House. Photo: Michael Kan

However, Rosenthal’s comments were met with resistance from Cindy Cohn, executive director for Electronic Frontier Foundation, a privacy advocate. She also spoke at the talk and opposed government efforts to weaken encryption, saying it “dumbs down” security.

“This idea of a middle ground that you can come up with an encryption strategy that only lets good guy into your data, and never lets a bad guy into your data, misunderstands how the math works,” she said.

Law enforcement already possess a wide variety of surveillance tools to track terrorists, she said. In addition, tech companies continue to help U.S. authorities on criminal cases and national security issues, despite past disputes over privacy and encryption.

But law enforcement has done little to recognize the risks of building backdoors into products, Cohn said. Not only would this weaken security for users, but also damage U.S. business interests.

“If American companies can’t offer strong encryption, foreign companies are going to walk right into that market opportunity,” she said.

Cohn also said any effort to force U.S. companies to weaken encryption wouldn’t necessarily help catch terrorists. That’s because other strong encryption products from foreign vendors are also circulating across the world.

“The idea that the Americans can make sure that ISIS never gets access to strong encryption is a pipe dream,” she said. “That’s why I think this is bad idea. Because I don’t think it’s going to work.”

The Versus 16 conference was sponsored by cybersecurity firm Vera. 



InfoWorld Security

Versus16

Silicon Valley should work with the US government in Washington to arrive at a solution that gives law enforcement access to encrypted comms, but that respects individual privacy.

That's according to former White House counterterrorism and cybersecurity official Daniel Rosenthal, who was debating where the issue of encryption should go next.

Nonsense, responded Cindy Cohn of the Electronic Frontier Foundation (EFF), on stage at the Versus conference in San Francisco. If the tech sector offers some form of compromise now, the government will only come asking for more later.

In the week since Donald Trump was elected president, tech companies have reported a 25 per cent spike in people encrypting their communications.

The reason why is not hard to discern: on the campaign trail the Republican nominee repeatedly stated that he would be prepared to use the full power of the federal government to carry out his policy goals, which includes the forced deportation of millions of people, the surveillance of millions of others, and the pursuit of terrorism above all else.

What's more, Trump weighed in on the biggest showdown in the past decade between law enforcement and the tech industry, telling crowds that they should boycott Apple over its refusal to bypass its own security and grant the FBI access to a locked phone that belonged to San Bernardino shooter Syed Farook.

Risk

Both Rosenthal and Cohn acknowledged that the likelihood of the executive branch of the US government pushing for a backdoor into encryption was "significantly greater" under the Trump Administration.

Although both offered some consolation: Rosenthal said there still remained forces within the executive branch that would argue for the value of strong encryption and the importance of privacy; Cohn promised that the EFF will continue to fight – as it has for decades – to prevent government overreach.

But while both agreed in general, Rosenthal and Cohn represented two very different viewpoints, themselves reflecting two very different attitudes on the East and West Coasts of the United States.

Both agreed that the bill put forward by Senators Dianne Feinstein and Richard Burr in April was a horrible piece of legislation (it eventually died, but not without significant effort being made to kill it).

Rosenthal warned, however, that if the tech industry rules out working on ways to open up access to encrypted data, it may find itself left out of the conversation when the "inevitable" next terrorist attack hits the United States and the government reacts to it with new laws.

Cohn stuck with well-worn arguments about the mathematics of encryption: weakened encryption is weak for everyone, and a backdoor is a backdoor as much for bad actors as for law enforcement.

She also warned that if the US government pushes a law to undermine encryption, it sends a signal to the rest of the world's governments, and makes it impossible for tech companies to stand up to other, inevitable demands from across the world.

Déjà vu

This is not the first time this debate has played out – for months this year the back-and-forth over encryption turned into fixed positions.

Rosenthal fell back on flattering the West Coast as being "much smarter" and urging tech companies to figure out a way to make breakable encryption possible. In response, Cohn offered the logic of math and argued that everyone has access to prime numbers. She shook her head at the Washington, DC policy process of finding a middle ground between opposing sides: there is no middle ground on encryption – it works or it doesn't.

Fortunately, neither fed into the familiar insults traded between the coasts – but they did reference them: Silicon Valley doesn't care about terrorism; Washington, DC doesn't care about its citizens' privacy.

Rosenthal thinks that Apple should feel an obligation to be a "good citizen"; Cohn notes that law enforcement agencies should be obliged to follow the law and run all requests for information through the legal process – "because companies are not always in the best position to evaluate requests or know if the system is being misused."

In short, despite the best efforts of two very knowledgeable individuals actively looking to find some common ground, nothing new was uncovered.

It's also notable that neither Cohn nor Rosenthal currently possess government or tech industry roles. It is, of course, possible that there are lots of positive conversations going on behind closed doors between DC and Silicon Valley. But it seems unlikely.

What seems even more unlikely is that the conversation will start with the arrival of the Trump Administration. Trump's stated policies are in many ways antithetical to both the politics and the finances of Silicon Valley.

Trouble ahead

When that inevitable next terrorist attack does come, we can expect to see the Apple versus FBI argument return – but this time with much greater odds and carried out in much louder voices. Just as with the election itself, there is increasingly less room for compromise. One side will win, and one side will lose.

Where will it fall? It will come down to Trump and whether he can persuade Congress to enact a new law. The Obama Administration was split on the issue and the President very publicly sat on the fence. That is far less likely to happen with the President-elect.

If there is a large terrorist attack, as Rosenthal noted, the people's concerns about privacy will fall away if they are offered a firm hand and a clearly stated solution.

And while Tim Cook has taken a principled stance on privacy and encryption, and Google and Facebook and many other tech companies have said they support that view – no one has ever said they will ignore the law of the land. ®



The Register - Security

Internet giant Google has signed up to the Privacy Shield, a framework designed to facilitate the transfer of personal data between the EU and US by businesses.

Data storage and software provider Dropbox has also self-certified under the Privacy Shield. The companies are the latest major US technology businesses to sign up to the scheme. Google's certification was registered on 22 September and Dropbox's on 23 September.

Microsoft self-certified under the Privacy Shield in August. Amazon also announced that it was in the process of self-certifying last month, but it appears that it has still to complete that process as its certification is not yet listed.

Since 1 August, US businesses have been able to self-certify their compliance with a set of privacy principles that make up part of the Privacy Shield.

Data protection law expert Cerys Wyn Davies of Pinsent Masons, the law firm behind Out-Law.com, previously explained that businesses that sign up to the Privacy Shield within the first two months of it becoming operational can do so without first having to update arrangements for sharing data with others. Wyn Davies said, though, that those businesses then only have a limited time in which to put new contracts in place.

The European Commission has set out its view that businesses that transfer personal data from the EU to the US in line with the Privacy Shield principles and self-certify under the framework will adhere to EU data protection law requirements regarding the transfer of personal data outside the European Economic Area (EEA).

However, Hamburg's data protection authority has said it is considering raising a legal challenge against the European Commission's endorsement of the Privacy Shield.

Earlier this summer the Article 29 Working Party, a committee representing national data protection authorities from across the EU, stated that it retains some concern about aspects of the Privacy Shield, including in respect of "mass and indiscriminate collection of personal data" by US authorities as well as on some "commercial aspects" of the framework. It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to [data] processors".

Despite its concerns, however, the Working Party indicated that the watchdogs will not challenge the legitimacy of data transfer arrangements under the new Privacy Shield during the first year of its operation.

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.



The Register - Security

Plans are afoot in Westminster to burn even more taxpayers' cash by launching a new cyber-security startup accelerator in Cheltenham.

The accelerator will be the umpteenth vehicle for funnelling money to muppets since the coalition government came to power.

Other accelerators have included a military technology free-money haus opened in July, and Vince Cable's hipster tech creche with the Urban Innovation Centre last year.

Today, with bells and whistles, the Department for Culture, Media and Sport declared that it has teamed up with “GCHQ and the nation’s top tech start-ups to develop new technologies aimed at protecting the UK from cyber attacks.”

There are several groups which aim to protect the UK from cyber attacks, not least among them the UK's signals intelligence and surveillance agency, which receives billions in funding from the Single Intelligence Account budget every year.

According to a recent report from the National Audit Office, there are 12 separate teams and organisations who are in some way responsible for infosec in British government departments and whom the Cabinet Office is utterly failing to co-ordinate.

DCMS said:

The tie-up is the first step in the development of two world-leading innovation centres as part of the Government’s £1.9bn National Cyber Security Programme.

The facility will also fast-track new firms into the booming cyber security sector which contributed £1.8bn in exports to the UK economy last year and grew from £17.6bn in 2014 to almost £22bn in 2015.

The accelerator itself will be operated by Wayra UK, part of Telefónica Open Future, and will offer start-ups the opportunity to access “GCHQ's world-class personnel and technological expertise to allow them to expand capability, improve ideas and devise cutting-edge products to outpace current and emerging threats.”

Applicants can contact Wayra here to be part of the programme which includes "insights to Government procurement processes, IP management, export controls and information assurance architecture." ®



The Register - Security

Twitter, Dropbox, Uber and several other major tech companies have joined forces and launched the Vendor Security Alliance (VSA), a coalition whose goal is to improve Internet security.

The VSA aims to help organizations streamline their evaluation processes for vendors through a standard questionnaire designed to assess security and compliance practices.

Companies will be provided a yearly questionnaire that will help them determine if a vendor has all the appropriate security controls in place.

The first questionnaire, created by security experts and compliance officers, will be made available for free on October 1. It will measure vendors’ cybersecurity risk level, including procedures, policies, privacy, data security and vulnerability management.

“Once complete, that questionnaire is evaluated, audited, and scored by an independent third party auditor working alongside the VSA,” explained Ken Baylor, head of compliance at Uber. “Points will be granted for sound practices and taken away for practices that could increase security risks. Vendors can then use that score when seeking to offer their services to any business in the VSA, without the need for further audits.”

“The VSA will also enable companies to save time and money through the use of a standardized cybersecurity evaluation with real-time answers. The current way of evaluating cybersecurity risks and approving vendors can take several months – the new VSA process cuts the process down to minutes,” Baylor added.

The founding companies of the VSA are Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy and AirBnb. Executives from each of these organizations form the VSA’s board of directors.

A vendor security assessment questionnaire (VSAQ) is also available from Google. The search giant announced earlier this year that it had decided to open source its VSAQ framework, which the company has been using to evaluate the security and privacy posture of its third-party vendors.



SecurityWeek RSS Feed

First things first, we do not recommend that you screw around with crooks.

That includes fake support calls, 419 scammers and fake tech support outfits.

If you’re talking to them on the phone, they know your phone number. If somebody in the scam outfit got your number via a data breach, the caller might even know where you live.

All you really know for sure is that they’re crooks.

Our advice is to just hang up, lest you be on the receiving end of threats to, say, chop you up and feed you to the fishes.

Having said that, there’s a set of people who most certainly don’t hang up.

Damn the potential risk, full speed ahead. They do things like draw out the conversations to waste the crooks’ time. One guy even cooked up an autobot to do the work for him: he’d forward calls to it, thereby automatically (and hilariously) wasting the fraudsters’ time.

There’s a new one to add to that turn-the-tables genre. His name is Ivan Kwiatkowski, and his modus operandi was to infect the caller with Locky ransomware.

As Kwiatkowski tells it, earlier in the month, his parents somehow managed to land on a page (now defunct, but here’s a screenshot) telling them that their brand-new system – it had been in use for only 30 minutes! – had somehow been infected with the notorious Zeus malware.

As tech support scams go, this one was replete, blinking and flashing like the Strip in Las Vegas on a Friday night:

This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows’ BSoD days, and yet somehow it displayed a random IP address instead of the visitor’s one.

Kwiatkowski decided to mess with the crooks. So he fired up an old Windows XP virtual machine (VM), got in touch with “tech support,” got past a prerecorded message, and eventually reached a human who identified herself as “Patricia.”

The typical tech support scam ensued:

She guides me through the steps needed to download some kind of remote-assistance client: Windows+R, type in iexplore remote.join360.net, jump through a few more hoops and run whatever executable is offered to you. From what I gather, this is actually a legitimate tech-support program, it being digitally signed and all.

In these scams, the caller won’t take no for an answer until you give them remote access to your computer and let them “fix” the “threat” – for a fee, of course.

You also need to buy their super duper antivirus software, of course, and open up whatever executable files they want you to click on.

It used to be that these fake tech support callers would call us, but nowadays, as more and more people refuse to take calls from unknown numbers, the crooks have been adapting.

Instead of them calling you, it’s increasingly common that they’ll use a web ad or popup that simply runs the scam in reverse: like what happened to Kwiatkowski’s parents, the crook will display a warning and advise you to call them, typically on a toll-free number.

Toll-free! Hey, they’re paying for the call, so they’ve got skin in the game, right? Well, that’s what they’re hoping you’ll figure, at any rate.

So “Patricia” got access to Kwiatkowski’s VM, typed in commands that returned results that she knew would frighten the naïve and supposedly give her tech cred – “1452 virus found!” or “ip hacked!” – and yet, in spite of her purported tech sophistication, missed the fact that the VM had a few interesting icons kicking around: OllyDbg, a 32-bit assembler level analyzing debugger for Windows, as well as IDA: a hosted multi-processor disassembler and debugger.

Oops! Your 15 minutes of free support are over, Mr. Kwiatkowski. She’ll call back so you don’t have to pay for more of this benevolence.

And that’s just what she did: she called back, berated him for not running antivirus software (which he told her he wasn’t), and encouraged him to buy ANTI SPY or ANTI TROJAN, “for the measly sum of $189.90.”

As a matter of fact, there’s somebody connected to your system right now! she says.

The conversation that ensues:

Isn’t that you? I ask. This says it’s someone from Delhi.
An awkward pause follows. She tells me that she’s actually the “localhost” line, because localhost means secure connexion. I fight back:
— Are you sure? I thought localhost meant the local machine.
She mumbles a little then proceeds to read me that whole section of her script again, asserting once again that this other IP belongs to [someone] who lives in Delhi like her but is a totally different person – a malicious hacker.
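The exchange above turns on a misreading of a connection listing: a "localhost" line is the machine talking to itself, not a "secure connexion", and a foreign address is not a hacker just because it is foreign. The following is an added example, not code from the page or from Kwiatkowski's write-up; it assumes the scammer was reading netstat-style output (the page does not name the command), and the listing it parses is constructed from documentation address ranges, not a real capture. It labels each row by what the foreign address actually is.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample laid out like Windows `netstat -an` output. The page does
# not say which command "Patricia" ran, so the format is an assumption; the
# addresses are RFC 5737 documentation ranges and loopback, not real hosts.
SAMPLE_LISTING = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED
  TCP    127.0.0.1:49153        127.0.0.1:49152        ESTABLISHED
  TCP    192.168.1.10:49200     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:49201     198.51.100.7:8443      ESTABLISHED
  TCP    [::1]:49300            [::1]:49301            ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# One data row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s*$"
)

# RFC 1918 / link-local / ULA ranges checked explicitly, because Python's
# ipaddress.is_private also covers the documentation ranges used above.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]


@dataclass
class Conn:
    proto: str
    local: str
    local_port: str
    remote: str
    remote_port: str
    state: str
    kind: str


def classify(remote, state):
    """Label a row by what the foreign address really is."""
    if remote == "*":
        return "unbound"        # UDP socket with no peer at all
    addr = ipaddress.ip_address(remote)
    if state == "LISTENING" or addr.is_unspecified:
        return "listening"      # waiting for peers, connected to nobody
    if addr.is_loopback:
        return "loopback"       # the machine talking to itself (127.0.0.1, ::1)
    if any(addr in net for net in LAN_NETS):
        return "lan"            # another host on the local network
    return "remote"             # a host out on the internet


def parse_listing(text):
    """Parse netstat-style text into Conn records, skipping headers."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, rhost, rport, state = m.groups()
        state = state or ""
        lhost, rhost = lhost.strip("[]"), rhost.strip("[]")
        conns.append(Conn(proto, lhost, lport, rhost, rport, state,
                          classify(rhost, state)))
    return conns


def summarize(conns):
    """Count rows per kind; the loopback lines are the ones the scammer misread."""
    counts = {}
    for c in conns:
        counts[c.kind] = counts.get(c.kind, 0) + 1
    return counts


def remote_peers(conns):
    """Only these rows are worth a second look; the rest is the host itself."""
    return [(c.remote, c.remote_port) for c in conns if c.kind == "remote"]


if __name__ == "__main__":
    conns = parse_listing(SAMPLE_LISTING)
    print(summarize(conns))
    print(remote_peers(conns))
```

Of the seven rows in the sample, three are loopback, one is a listening socket and one is an unbound UDP socket; only the two "remote" rows have a peer on the internet at all, and even those are just the remote-assistance session and an HTTPS connection, not evidence of an intruder.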

Back to the software sale, Patricia booted her uncooperative “client” up to her boss. Kwiatkowski sent the guy test credit card numbers that were sure to fail payment processing.

Eventually, claiming bad eyesight, Kwiatkowski sent a “photo of his credit card” and told the caller to try inputting the number himself.

That was no photo of a credit card.

He’d gone into his junk email folder and found samples of the latest Locky campaign: .zip files with a script that downloads ransomware.
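The lure format described here, a zip archive whose only payload is a script that fetches the real ransomware, is cheap to screen for at the mail gateway before anyone double-clicks. The following is an added example, not code from the page or from any Locky sample; the list of script extensions, the "double extension" heuristic and the compression-ratio limit are my choices, and the archives it inspects are constructed in-line with placeholder contents rather than real malware.

```python
import io
import os
import zipfile

# Extensions Windows hands to a script host or loader on double-click. The page
# only says "a script that downloads ransomware"; this list is mine, not the
# campaign's, and errs on the side of flagging.
EXECUTABLE_EXTS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
    ".cmd", ".bat", ".scr", ".pif", ".exe", ".lnk", ".jar",
}
MAX_RATIO = 100  # uncompressed/compressed above this is treated as a zip bomb


def screen_zip(zip_bytes):
    """Return (member, reason) findings; an empty list means nothing flagged."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            # Normalise separators so a Windows-style path still yields a basename.
            base = os.path.basename(name.replace("\\", "/")).lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if info.flag_bits & 0x1:
                # General-purpose bit 0 set: member is encrypted, so no scanner
                # can see inside it without the password from the mail body.
                findings.append((name, "encrypted member, content cannot be inspected"))
            if ext in EXECUTABLE_EXTS:
                findings.append((name, "executable/script type " + ext))
                if len(parts) > 2:
                    # e.g. scan.pdf.wsf shows as "scan.pdf" with extensions hidden
                    findings.append((name, "double extension disguises script as document"))
            if ext == ".zip":
                findings.append((name, "nested archive"))
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append((name, "suspicious compression ratio"))
    return findings


def verdict(findings):
    """Policy: any finding blocks the attachment; tune per environment."""
    return "block" if findings else "allow"


def build_zip(members):
    """Constructed sample archive; bodies are placeholders, not real payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, text in members.items():
            z.writestr(name, text)
    return buf.getvalue()


# Shape of the lure the page describes (constructed, harmless contents).
LURE = build_zip({
    "invoice_copy.js": "// placeholder body; a real lure would fetch and run a payload\n",
    "scan.pdf.wsf": "<!-- placeholder -->\n",
    "readme.txt": "plain text\n",
})
# A benign archive for comparison.
CLEAN = build_zip({"report.txt": "quarterly numbers\n"})


if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("clean", CLEAN)):
        f = screen_zip(blob)
        print(label, verdict(f), f)
```

The check is deliberately structural: it never executes or even reads the script, so it works identically on a downloader it has never seen before. Its weak spot is the encrypted-member case, which is why that is reported as a finding rather than silently passed.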

Kwiatkowski had already noted that the remote-assistance client was a two-way street: he could use it to upload to the scammer’s PC as well as to download.

He grabbed a piece of malware at random and uploaded it, telling the caller that…

Look, Dileep, I’m old and my sight is not so good. It’s starting to hurt, having to squint to read those tiny numbers. Also, we’ve established I’m no good with computers, how about you give me a hand here?

That was followed by silence, after which the caller said that he had tried to open it, but nothing happened.

The scammer was wrong, of course: there was indeed something happening.

In the background, a process was running to encrypt the files on the tech support scammer’s system. The only way to get them back: to buy the decryption key from the crooks via the dark web.

As of February, we were seeing prices to decrypt Locky-ransomed files that varied from 0.5 to 1.00 bitcoin, with one bitcoin being worth about $400/£280.

Kwiatkowski says he’s contacted the scammer’s ISP to report abuse, as well as their webhost and authorities.

He’s considering this a solid win in the war against tech support scammers and is recommending that others do the same, even listing a phone number to call.

But I’m not so sure. It’s a great story, but we don’t tend to give hip-hip-hurrays to people who inflict ransomware.

Do two wrongs make a right?

Let us know your thoughts in the comments section below.

In the meantime, if you’re wondering…

What to do?

  • If you receive a cold call about accepting support – just hang up.
  • If you receive a web popup or ad urging you to call for support – ignore it.
  • If you need help with your computer – ask someone whom you know, and like, and trust.

In this case, when we say “someone you know,” we mean “someone you’ve actually met in person,” as opposed to just online.

You know that old truism that on the internet, nobody can tell you’re a dog? Just take out “dog” and substitute “Donald Trump himself,” “Justin Bieber,” or “legitimate tech support,” and that equation’s still solid.

In the case of PC technical support, especially to do with malware or any sort of cyberattack, don’t look for help online. In fact, if you use Bing, you can’t look online: in May, they threw out the whole lot of tech support offers, instituting a blanket ban on all online tech support ads.

Were there any babies in that bath water? Sure, probably. There might well have been legitimate tech support outfits that got banned from the search engine.

But how can you find them? Scammers have ruined it for everyone, turning that bath water into a toxic swamp.

DEALING WITH FAKE SUPPORT CALLS

Here’s a short podcast you can recommend to friends and family. We make it clear that these guys are scammers (and why), and offer some practical advice on how to deal with them.

(Originally recorded 05 Nov 2010, duration 6’15”, download size 4.5MB)


Information Security Podcasts