Got to love it when...
the story titled 'UK.gov loses 29 million personal records' is right next to 'UK.gov to spend hundreds of millions on snooping silo' :)
UK government departments have managed to leak a total of 29 million personal records over a single year. In addition to the 25 million records spilled in the infamous lost child benefit CDs debacle, another four million records went astray in other stuff-ups, some of which have previously gone unreported. Since the HMRC data …
Probably some of those 29 million are the same record being lost again...and again and again....
It may only be about 25 million or say two out of every five people that have had their whole life completely ruined by HMG...er that'll be more ruined than the remainder. Since this HMG has ruined pretty much the whole country and every one in it.
Mine's the one with the escape plan from this 'quasi fascist control freak state' in the pocket.
Paris - cos she has better t1ts than the one's running the UK.
...in the country who have now had their details thrown to the wind by the incompetent bunch of chuffwits. I wonder if we'll see quite the same level of delinquency when it comes to counting votes in the next general election?
Still, it could be worse. That awful Clarkson fellow could be in charge for a start.
Initially, I wanted to write a little bit about how "The Party" and it's members will bullshit their way around this matter; but I decided that everyone else will cover that matter...
I'm more concerned about the type of metrics that aren't released.
Who has access?
Who's access is restricted?
Who has artificially elevated access?
How much access do the Police get?
How often do the Police abuse that access privilege?
How are local councils (mis)using accumulated data?
How many instances of CCTV misuse were there?
How many people with access to ANPR used it to track people?
How has this vast accumulation of Data stopped crime?
Just how much safer has this made us?
Losing Data is one thing - you can claim it is a one off event. You can claim that if it is misused, then that will be performed by a "criminal element", not insiders. Anyone with a rudimentary knowledge of security knows that most problems come from the inside.
in government IT continues to astound me again and again. It is genuinely not hard to implement, and considering the risks, it's easy, even, to justify some amount of funding to get it done.
Even light encryption would render most of these breaches mostly harmless, unless they fell into the hands of somebody with the right expertise and equipment.
You know those parking tickets, where a supermarket decides you're badly parked, and issues a fine, which the DVLA gives them your home address and such handing out private data in a civil matter that it has no duty handing out. They then send ever increasing threats of fines for the misparking. And quote with pride about how the DVLA is on it's side by giving them this private data?
Well in the window of your car put a sign "by accepting my business at your establishment, you accept that the maximum fine for misparking will be 1 pound, and that you will reimbursh any and all costs related to fines, clamping, enforcement, my time involved, that of my solicitors, and any and all recovery and other related costs. In the event that you refuse this contract you are entitled to refuse my business."
Photograph the sign with the supermarket in the background at least once to show they've accepted it (with a receipt aswell).
You could take it further, stipulate that the supermarket and it's agents agree not to obtain your home details from the DVLA under penalty of 100 quid fine, and agree that if they do so, you are entitled to obtain the home details of any and all supermarket staff it's officers and agents.
That's fair! Then the supermarket can refuse to serve you if you mispark, or serve you and get the 1 quid fine.
And it protects you from the DVLA and parking cowboys.
Questions worth seeking answers to:
Has any Senior Civil Servant or MP been:
b) sacked (without golden handshake/pension),
c) banned from being placed in a position of authority,
d) faced civil or criminal charges,
e) all of the above,
f) None of the above
As in most things, our wonderful government scores an F.
@Dai - There is no excuse, GOV is responsible for the data, and they should ensure all users comply / are responsible for the safety of the data.
@DVLA & Supermarket parking tickets - shop elsewhere?
@29million incidents of incompetance with electronic Data and IT - D.O.P.E will now doubt come out with a suitable excuse
(Department Of Pathetic Excuses)
The idea that anybody, on either side of the Houses of Parliament, has the slightest idea about data handling, information security &c. is ridiculous.
All we need do is look at their sent boxes for the stuff they've mailed to themselves to read later, or the attachments they've saved. Let alone the copies with researchers, leaked to the press...
They are, after all, our peers. We do get exactly what we elected - these aren't thought leaders they're populists and to think they behave any differently to the rest of the populous when faced with hard work is to set a different standard.
We all know that the reason data is mis-handled is that nobody can be a****d to do it right. Data security used to be easier because handling it was hard work and most security consisted of the person who would do the work saying "No", or "have you got budget?".
Now it is the work of minutes to get an extract and shut the ******* up rather than have to sit through interminable meetings and email threads climbing up through the organisation.
Once upon a time, when you had to have authority / budget in order to be able to mail stuff, when creating a copy was hard then you thought about what you were doing. Not least because photocopying a 100 page document was tedious.
I spend a significant amount of time responding to security / data handling questionnaires and the you can bet I'm the only person in the process that reads the questions and my answers.
Certainly once we're operational most people's reactions are to want the data sent to them regardless because they can't get PGP approved, nor an sftp site set-up. They don't want strong password controls because they can't remember them... as for their reaction when I suggest that a mail-out might be regarded as a change of purpose...
I fully agree, although the problem is not wholly and solely with the respective IT departments, (all the time anyway!).
I did a stint recently with a UK government organisation overseeing a large technology deployment. One of the challenges faced was trying to get the users to adopt encryption for removable media. This problem was exacerbated by the fact that the head of HR could not see the need for encryption!!
Needless to say i was gobsmacked and even though everyone in Technology was pushing for encryption none of the users would allow it.
Talk about the tail wagging the dog.
...this is the same government who, IIRC, released some kind of statement or had a spokesperson announce, after Hazel Blears' home computer got stolen, saying that all the confidential government data that was on the machine (and never should have been to start with, by the way) was perfectly safe, because Windows had a password on it.
Yes, the current government believes that it is impossible to crack a Windows password, despite there being hundreds of freely downloadable tools on the intarwebnets which will do just that.
If they are ignorant of that fact, which I would call pretty basic IT security knowledge, then how can they be expected to keep data safe?
Paris, because she's well aware of exactly how exploitable all of her security holes are.
Today's theme is One of Repetition and DeJahFoos. Check out the posts which got the most comments and do them again?
However in Seventh Heaven's Finest Rose Gardens, are the CAT5 dining on a well deserved Tuna fish supper dDelivered from Russia with Love, and they will not be distracted with handfuls of stale nuggets from passing strangers.
Money is what IT has been about and what the PupPeT Masters Is doing for IT?
42 Truly Entertain, does IT take Imagination to make the Servers Purr, for the CAT5 own their Masters, never the other way round -and such is their MuTuAIL Affection that this topsy turvy relationship is Tolerated and Moderated.
And Paris? -a Fine Feline in Great Cat-Calling Games.
If you loose your keys, you don't have them anymore and can't use them. HMG still has the records and can still use them, they have just shared them with members of the public. It is reasonable that government should share information with the public. Now come on, it is unreasonable to ask which members of the public they shared them with. If they had shared them with you, would you want the whole world to know? So just rest assured that HMG does not loose things and will never tell the world about the data it has shared with you.
It's just another failure to see the wood from the trees.
Don't take the data off the premises. Ever.
If it ever must be physically transported, then it should be treated with the importance it deserves, not stuck on a CD in an envelope and given to a courier.
But why should it?
Don't take the data off the premises. Ever.
The government doesn't.
@AC - Be fair chaps
[quote]Probably some of those 29 million are the same record being lost again...and again and again....[/quote]
May well be but, as it’s from a different department, there is, very likely to be, extra data from the records lost that will enhance better ID fraud based on all the previous data this government has decided to give away.
One might believe that this is a deliberate tactic to further the establishment of even more draconian rules that tout the necessity of an ID database so that any personal data “in the wild” can be matched against it in order to stop the terrorists playing out their destruction of the non-complicit with their view.
@Aetyr - Of course they lost it...
[quote]Yes, the current government believes that it is impossible to crack a Windows password, despite there being hundreds of freely downloadable tools on the intarwebnets which will do just that.[/quote]
Absolutely correct. And if you can't be bothered to seek the tools just boot up WinPE on a CD and the access the data without worrying about finding a password. I believe this doesn't apply to Vista though - but I will test that theory tomorrow.
@Jim - Re: Yet another reason against socialism...
[quote]Yeah, cos the private sector is so much better at keeping peoples details safe...[/quote]
The private sector may not be that much better, but as soon as a punter finds out that the company they use has screwed up they can change allegiances, within a few days. The same is not true for government - this is one of the myriad of reasons why allowing government the power over personal data is a complete nightmare and ultimately will lead to the destruction of our democracy.
I do wonder why there are so many Register news items that basically expose our current government’s “no nothing bonzo” strategy on decent IT, especially, when ultimately, it will lead to their downfall – it’s nonsensical; however, perhaps, this video (http://video.google.co.uk/videoplay?docid=3664960863576873594) may provide some kind of insight – but then again it may not. Who knows?
Also I wonder why The Register is not digging deeper; are their journalist too scared?
As you've probably read, the government's position on this is:
"We thought long and hard about the request to make Jeremy Clarkson the Prime Minister and in the end we put our thoughts down in a short film on YouTube. You can take a look here http://www.youtube.com/watch?v=cNy1w4DV5Hw"
Good to see them doing something useful with their time... still, the less actual "governmenting" they do the less harm they can do!
Seriously, though, Clarkson would make an awesome PM. Make everything go faster, make Britain far more patriotic over this once-great country (and specifically its cars) and cut a vast amount of red tape from Government. Probably end up with us in a recession from overspending on projects... but as we're almost there already what's the problem?!
Bizarrely off topic but what the heck..
>Photograph the sign with the supermarket in the background at least once
>to show they've accepted it (with a receipt aswell).
That doesn't show that they accepted it, otherwise you might as well write
out a bill of sale for the supermarket building and photograph that next to it.
Supermarkets very rarely prosecute their customers for parking, doing so just loses a customer so either, 1) The parking must be phenomenally bad, just do it better or 2) It's another organisations car park next to a supermarket. If that organisation is the council, it's government, and so is the DVLA.
Back on topic.
Why are they carrying all these laptops around with important data on anyway?
Can't they just take a précis? Or use a network connection at the other end?
In lots of organisations I've noticed that possession of a laptop is a sort of status symbol, when that happens it's just a security risk.
That would ring true no matter who was in government.
don't get me wrong, I'd love to see Our Dave as head honcho right now but I still wouldn't trust anyone far underneath him to do the right thing. Public sector employees don't change after an election after all.
Politicians are corrupts bastards who all need introductions to the real world or more preferably a chav tio get the right and proper deed done.
The general understanding in the IT.gov/Security community is that the CDs were almost certainly never posted - i.e. were lost inside the building and never made it to TNT. Its rather less likely they are "in the hands of criminal masterminds" than the Daily Fail would have you believe. Probably went in the bin and are in landfill.
Still careless and 'at large' though.
@Supermarket AC - DVLA get paid for giving access to Big Jimmy the Wheelclamper, that's why they do it (naturally).
"That doesn't show that they accepted it, otherwise you might as well write"
The parking person must have read it because it clear and in your window and they are at your car, they have the opportunity to refuse (tannoy you to leave the supermarket because your misparked, or tannoy you to correct the parking and pay the quid fine as per your contract terms). The purpose of the photograph is simply to show a judge it's there and clearly visible and readable and always on for a long time (i.e. opportunity to read it every time the car parking is checked) and a similar contract to the plaque they put up.
The aim isn't to protect you from ticketing harassment however, it's to show that parking is a civil problem and DVLA has no business releasing private confidential information without agreement. It holds that info in trust, a bank wouldn't release your account details just because someone claims you owe them money, so why should the DVLA.
By adding the term "you agree I can obtain the home addresses of supermarket staff... blah blah blah, DVLA blah blah blah to get the fine for your contract". It's to give a basis on which you can go ask for the DVLA details of the plates in the staff car park.
Good for the gander.
You're wrong, leaving a notice on your car doesn't automatically bind anyone who looks at the car.
If you can't see that the best thing for you to do is to try it.
>Good for the gander.
Duh, it's not their leaving a notice that binds you, it's your _act_ of parking your car there.
Like I said supermarkets rarely fine customers, either the car park belongs to someone else or you're properly abusing it.
As for the DVLA thing, are you sure they didn't ask a court for the address?
"You're wrong, leaving a notice on your car doesn't automatically bind anyone who looks at the car."
The *choice* part of my contract is where they make the choice between
a) Tannoy me to leave (i.e. ask me to leave the supermarket because I won't accept their parking terms, and reject my terms).
b) Do otherwise.
"Duh, it's not their leaving a notice that binds you, it's your _act_ of parking your car there."
The plaque forms an offer of a civil contract, they claim that by parking and not leaving it forms acceptance of the terms on that civil contract (leaving aside questions as to whether you read it). However I have not accepted that civil contract, I have offered my own terms. Those terms are reasonable (mispark = a 1 quid fine) and they have ample opportunity to reject my terms on many occasions.
"Like I said supermarkets rarely fine customers, either the car park belongs to someone else or you're properly abusing it."
No, it's common now. They use to employ a person to run the car park, who would tannoy you to say 'Y8364 THG has left the lights on", or "Y8364 THG is blocking a delivery bay can you move it please". Parking companies offered to do it for free, but only if they can issue fines. DVLA made it possible to get home addresses from the number plate for these companies (they even get a computer connection right into the DVLA records). A nice little earner.
The companies try to maximize the number of fines issued to maximize it's revenue, for the weakest of infringements with the minimum of collection fees. The contract with the supermarket sets the limits they can get away with.
Some do the clamping game (I read McDonalds carparks do this), they stick the fine on then clamp, or even a tow away. Perhaps McDonalds gets a cut of the revenue, I don't know.
"As for the DVLA thing, are you sure they didn't ask a court for the address?"
No sadly the DVLA makes it possible for any individual to obtain the car details on a disputed or false claim, and for the large parking scammers, debt collectors, credit card companies, all sorts of others, they can apply for direct computer access.
Government not only loses 29 million records, it hands out confidential info too via this DVLA route and many others.
That Leeds boy was prosecuted on terrorist info charges, part of the case against him was that he had the home addresses of some officials. But I can't help thinking, if he worked for a parking company he could just plug their number plates into the DVLA to get those details, HMGOV is so free and easy with info.
>The *choice* part of my contract is where they make the choice between
>a) Tannoy me to leave (i.e. ask me to leave the supermarket because I
> won't accept their parking terms, and reject my terms).
So for them to refuse your contract they have to seek you out and make a public notice, but for you to refuse theirs a note in your windscreen is enough?
It requires an act for a party to become bound to a contract, you've accepted theirs by parking. They haven't accepted yours just because you wrote it down somewhere.
Try it, you'd be guest of honour on Top Gear if it works, otherwise it'll cost you about 60 quid, plus costs.
Who's the supermarket? Sounds like they deserve a bit of bad publicity.
Normally I can fully accept that people are stupid enough to do really really stupid things.
But this is beyond stupid. This is *so* stupid that it makes me blubber at the mouth and, my subconscious creates possible scenarios with which to explain the event which dont involve everyone in all of levels of government quite seriously having special needs.
The idea that Britain is flooded with Russian spies who are exporting data as part of some plot to further destabalise our messed up society becomes *preferable* to the *slightly* more likely explanation that our country is being run by a bunch of dope-head, university drop-out scumbags high from the fumes of each others absinthe-ladenm piss.
Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.
Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.
In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January.
And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse.
Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.
Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.
Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.
Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers.
Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries.
The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.
RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids.
Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.
For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.
1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.
Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.
"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.
A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.
In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.
"Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.
Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.
The Horizon Ethereum Bridge, one of the firm's ostensibly secure bridges, was compromised on Thursday, resulting in the loss of 85,867 ETH tokens optimistically worth more than $100 million, the organization said via Twitter.
"Our secure bridges offer cross-chain transfers with Ethereum, Binance and three other chains," the cryptocurrency entity explained on its website. Not so, it seems.
Microsoft is extending the Defender brand with a version aimed at families and individuals.
"Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."
The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.
Slowly but surely, software package registries are adopting multi-factor authentication (MFA) to reduce the risk of hijacked accounts, a source of potential software supply chain attacks.
This week, RubyGems, the package registry serving the Ruby development community, said it has begun showing warnings through its command line tool to those maintainers of the hundred most popular RubyGems packages who have failed to adopt MFA.
"Account takeovers are the second most common attack on software supply chains," explained Betty Li, a member of the Ruby community and senior front end developer at Shopify, in a blog post. "The countermeasure against this type of attack is simple: enabling MFA. Doing so can prevent 99.9 percent of account takeover attacks."
Biting the hand that feeds IT © 1998–2022