Friday, 21 June 2013

ICO tells NHS watchdog CQC it cannot hide behind Data Protection Act

The Information Commissioner’s Office (ICO) has said that the NHS cannot hide behind the Data Protection Act (DPA) to stop the publication of the names of officials who held back the release of a report criticising the Care Quality Commission (CQC).

The scandal has come to light in recent days after claims that a report criticising the CQC was held back by a senior manager at the organisation. It came after it was criticised for its response to complaints about several deaths at Furness General Hospital in Cumbria.
Health minister Jeremy Hunt has called the situation “unacceptable” and there have been calls for those responsible to be named.
“There should be no anonymity, no hiding place, no opportunity to get off scot free for anyone at all who was responsible for this,” Hunt said.
The CQC had said doing so would be in breach of the DPA. However, speaking on BBC Breakfast on Thursday morning, information commissioner Christopher Graham said that the DPA cannot be used to hide behind when there is public interest in a case such as this.

“What appeared to be going on yesterday was a sort of general duck-out, saying, 'Oh, data protection, sorry can't help you.' That's all too common and in this case it certainly looked as if data protection really wasn't the issue," he said.
"So far as the Data Protection Act is concerned, we all have a right to the protection of our personal privacy, but if you are a senior official then there are issues about the point at which your privacy is set aside because of over-riding public interest. That's really the issue at stake here," he said.
The CQC said it is now reviewing legal advice to see if it can give out the names of those involved.
The comments echo numerous prior statements made by Graham over the years, where organisations have attempted to use the DPA as a means of avoiding their obligations to release data when it was required and legally permissible to do so.

Google avoids Street View WiFi fine from ICO yet again

Google has avoided a fine from the Information Commissioner’s Office (ICO) despite admitting last year that it had not deleted all the WiFi data gathered by its Street View cars.
Google admitted some data had not been deleted and remained on its disks last July while new evidence came to light from the Federal Communications Commission (FCC) that the search giant knew more about the collection of data by its Street View cars than it had originally claimed. This prompted the ICO to reopen its investigation.
Reporting its latest findings, the ICO said its investigation found “the collection of payload data by the company was the result of procedural failings and a serious lack of management oversight including checks on the code”.
However, it also concluded there had been no deliberate intention to collect the data at any senior level. The ICO also said that because the data gathered had not been at risk of being accessed at any time there was no scope for a fine.
ICO head of enforcement Stephen Eckersley said the enforcement action was designed to place a final warning on Google over its requirements under UK law.
“Today’s enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days,” he said. “[It must also] immediately inform the ICO if any further disks are found. Failure to abide by the notice will be considered as contempt of court, which is a criminal offence.”
Eckersley chided Google over the whole incident, though, highlighting the matter as an example of the sorts of things that can go wrong when firms do not consider data protection concerns.
“The early days of Google Street View should be seen as an example of what can go wrong if technology companies fail to understand how their products are using personal information,” he said. “The punishment for this breach would have been far worse, if this payload data had not been contained.”
Google reiterated its stance that the data gathered was never used and said it accepted the ICO’s findings.

"We work hard to get privacy right at Google. But in this case we didn't, which is why we quickly tightened up our systems to address the issue. The project leaders never wanted this data, and didn't use it or even look at it.

“We cooperated fully with the ICO throughout its investigation, and having received its order this morning we are proceeding with our plan to delete the data."
The head of communication, media and technology law at CMS, Chris Watson, said that the lack of a fine for Google undermined the ICO’s authority.

“The regulator has teeth but it doesn’t look as if he is prepared to use them,” he said.

“This is worrying because requiring proof of damage before imposing penalties goes against the whole spirit of effective enforcement of these rules.”
The action taken by the ICO is notably lighter than in other nations such as Germany where Google was fined £124,000 for its data gathering from the Street View cars.

Google Glass privacy concerns raised in Canada, Mexico and Australia

Information commissioners from several countries have sent an open letter to Google chief executive Larry Page seeking clarification on the privacy implications of using Google Glass.
The letter – signed by officials from Australia, Canada, Israel, Mexico and Switzerland – questions Page about how Google is ensuring data protection laws will be upheld by the product, and highlights recent media coverage of potential breaches of privacy.
"Fears of ubiquitous surveillance of individuals by other individuals, whether through such recordings or through other applications currently being developed, have been raised," it said.
The letter strongly urges Google to enter into a "real dialogue" with data protection authorities concerning Glass. "As you may recall data protection authorities have long emphasised the need for organisations to build privacy into the development of products and services before they are launched. Many of us have also encouraged organisations to consult in a meaningful way with our respective offices.
"To date, what information we have about Google Glass largely comes from media reports, which contain a great deal of speculation."
Other concerns include the possibility of facial recognition, third-party data-sharing and social issues caused by the wearers themselves. The information commissioners also request a demonstration of the product to alleviate their worries.
The correspondence comes in the wake of a letter sent to Page by US Congress, seeking clarification on "unanswered questions" about Glass, and also in the midst of PRISM whistleblower Edward Snowden's accusations that the NSA is being given "backdoor access" to user data held by companies including Google.
A Google spokesman said that the company was already taking these concerns into account. "It's very early days, and we are thinking very carefully about how we design Glass, because new technology always raises new issues," he explained. "Our Glass Explorer program, which reaches people from all walks of life, will ensure that our users become active participants in shaping the future of this technology."
Google Glass has been touted for a late 2013 launch at under $1,500 (£960).

Apple rushes Java patch as Oracle fixes 40 critical vulnerabilities

Apple has released a security update to protect Mac OS X users from 40 freshly discovered vulnerabilities in Oracle's Java platform.
The iPhone maker released the update hours after Oracle announced the critical patch, promising it will protect Mac OS X users from a host of vulnerabilities in the Java platform.
Apple said: "Multiple vulnerabilities existed in Java 1.6.0_45, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.
"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_51."
The Java for OS X 2013-004 and Mac OS X v10.6 Update 16 patches are available for download now on Apple's website and relate to its Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7, OS X Lion Server v10.7 and OS X Mountain Lion v10.8 operating systems.
The Apple patch comes alongside a separate one from Oracle, made for other operating systems. The firm confirmed it relates to 40 new vulnerabilities in the platform and called for users to update as quickly as possible to protect themselves from opportunistic cyber crooks.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 40 new security fixes across Java SE products, of which 4 are applicable to server deployments of Java," Oracle said in its release.
The patch is the latest development in Oracle's ongoing battle to secure the Java platform. Since the year began the enterprise giant has been forced to release a number of security updates – one of which was off cycle – to address a number of vulnerabilities in the platform.
The vulnerabilities have led numerous security professionals to criticise Oracle for its lax security. Most recently WhiteHat Security chief technology officer and co-founder, Jeremiah Grossman, criticised Oracle saying it is still being too slow with its security update cycle.
"Java is definitely a cesspool of vulnerabilities waiting to be discovered, some of which will be patched and exploited. The thing to closely monitor is how fast end users are actually patching, not just how many vulnerabilities are being addressed when the patch is made available. The Java ecosystem is notoriously slow, which is why I recommend uninstalling Java unless you really need it, then you don't have to worry about the endless slew of patches," he said.
Rik Ferguson, global vice president of security research at Trend Micro, added: "The vast majority of the vulnerabilities fixed are critical and could result in 'remote exploitation without authentication', which basically means that a machine can be attacked over a network, resulting in successful exploit.
"The best thing to do is simply to remove Java from your machine entirely, which has been the advice for some time now. The next best option is to stop using Java in the browser, specifically in the browser that you use regularly. If Java is absolutely indispensable for internal application use then it would be most effective to limit its use to a secondary browser, one that does not have the ability to access the internet – through proxy configuration for example."

Private Microsoft cloud computing service for government goes live

A new private cloud service, intended for use in departments dealing with confidential information, has been unveiled by a government IT supplier.
The new offering from FCO Services, which makes use of various Microsoft productivity and office tools, is intended to cut costs and improve productivity in departments such as the police, HM Revenue & Customs (HMRC) and the Serious Organised Crime Agency (Soca).
FCO Services is a trading fund of the Foreign and Commonwealth Office and provides various secure IT services to UK and overseas government departments.
David Smith, interim head of IT at FCO Services, told V3 that the new product's aim is to keep installations ‘evergreen’, thereby cutting the financial and time costs associated with system updates. "The intent is that we would be on the prevailing version once it's on a service pack release," he explained. "You'll either be on the current or previous version. It presents a chunk of cost avoidance."
Smith hopes that the services will see widespread adoption among the relevant government departments. "There's a big pipeline at the moment – we have 14-20 serious conversations going on at the moment," he said.
The new service is also targeting a greater amount of flexibility. Available on the government's G-Cloud IT procurement scheme, PSN360 can be purchased as a commodity and therefore scaled as usage requirements change.
PSN360 will sit among relatively few equivalent products on G-Cloud's CloudStore, and will be part of a select group of private and secure solutions, according to Microsoft's Nicola Hodson.
"Accredited private cloud services are still rare among large IT suppliers but by working with FCO Services we're able to bring Office, Exchange, SharePoint, Dynamics, and Lync to the G-Cloud with IL3 [departments storing confidential information] certification," she said. "This means public sector bodies can use business-critical programmes in a highly secure manner, protecting sensitive data and information."
The services included with PSN360 include PSN360 Mail, Collaboration and Communicator, and can be accessed from any accredited device, anywhere in the world.
The service is now available for purchase on G-Cloud, a scheme that has seen mediocre uptake in recent months. Yesterday, the Home Office encouraged government departments to ‘take a risk’ on purchasing services on G-Cloud.

Cyber criminals target mobile devices over PCs

Malware writers and cyber criminals have begun attack campaigns that are focused entirely on compromising mobile devices, say researchers.
Security firm F-Secure spotted a malware operation that forgoes any sort of desktop PC attacks and instead focuses on targeting mobile devices. The attack servers appear to redirect all traffic from desktop systems but when a mobile device is detected the site seeks to infect users.
According to the researchers, the server will redirect mobile users through a series of sites to destinations ranging from game download pages to adult content sites and a page that attempts to infect Android users with malware.
While the malware itself can be detected and blocked with mobile security products, researchers said that the operation is noteworthy in that it suggests a change in focus for malware writers who had previously focused exclusively on the PC space.
Mobile attacks were once a small portion of the overall malware space, but researchers now believe cyber criminals see them as an attractive and profitable target worthy of dedicated attack servers. While many of the early malware samples were simplistic tools that sent calls and SMS messages to premium services, malware writers have been building increasingly complex attacks.
Researchers have noted that in addition to a growing footprint, the unique habits of mobile users can make the devices an attractive target for malware. With users more likely to run 'jailbreak' procedures and download software from untrusted third-party services, malware writers have been able to infect smartphone and tablet devices with relative ease.
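The behaviour described above, an attack server that bounces desktop browsers elsewhere but serves content only to mobile user agents, leaves a detectable pattern in outbound proxy logs. The following is an added example (not F-Secure's code or tooling) that scans constructed log lines in an assumed tab-free, space-separated format and flags hosts whose responses differ by device class; the host names, addresses and user-agent strings are all constructed.

```python
import re
from collections import defaultdict

# Constructed proxy log sample (not real traffic). Assumed format:
# timestamp client_ip host status redirect_target "user_agent"
# where redirect_target is "-" when the response was not a redirect.
LOG_LINES = [
    '2013-06-20T10:15:01 10.0.0.5 ads.example.test 302 http://www.example-news.test/ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"',
    '2013-06-20T10:15:03 10.0.0.6 ads.example.test 302 http://www.example-news.test/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) AppleWebKit/537.36"',
    '2013-06-20T10:15:07 10.0.0.7 ads.example.test 302 http://games.example.test/dl "Mozilla/5.0 (Linux; Android 4.1; GT-I9300) AppleWebKit/534.30 Mobile Safari/534.30"',
    '2013-06-20T10:15:09 10.0.0.8 ads.example.test 200 - "Mozilla/5.0 (Linux; Android 4.0.4) AppleWebKit/534.30 Mobile Safari/534.30"',
    '2013-06-20T10:16:00 10.0.0.9 cdn.example.test 200 - "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"',
    '2013-06-20T10:16:02 10.0.0.10 cdn.example.test 200 - "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) Mobile/10B144"',
    '2013-06-20T10:17:00 10.0.0.11 old.example.test 301 http://www.example.test/ "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"',
    '2013-06-20T10:17:01 10.0.0.12 old.example.test 301 http://www.example.test/ "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) Mobile/10B144"',
    'this line is deliberately malformed and must be skipped',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<status>\d{3}) '
    r'(?P<location>\S+) "(?P<ua>[^"]*)"$'
)

# Substrings that mark a mobile browser; deliberately simple.
MOBILE_UA_MARKERS = ("Android", "iPhone", "iPad", "Mobile", "BlackBerry")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_ua(ua):
    """Classify a User-Agent string as 'mobile' or 'desktop'."""
    return "mobile" if any(mk in ua for mk in MOBILE_UA_MARKERS) else "desktop"


def is_redirect(rec):
    return 300 <= rec["status"] < 400 and rec["location"] != "-"


def find_ua_cloaking_hosts(lines, min_desktop=2, min_mobile=1):
    """Return hosts that redirect every desktop request away but treat
    mobile requests differently (serve a 200, or redirect them to a
    target desktop clients never see). Hosts seen from only one device
    class are not judged: there is no basis for comparison."""
    per_host = defaultdict(lambda: {"desktop": [], "mobile": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        per_host[rec["host"]][classify_ua(rec["ua"])].append(rec)

    suspicious = {}
    for host, groups in per_host.items():
        desk, mob = groups["desktop"], groups["mobile"]
        if len(desk) < min_desktop or len(mob) < min_mobile:
            continue
        desktop_all_bounced = all(is_redirect(r) for r in desk)
        desktop_targets = {r["location"] for r in desk}
        mobile_served = any(r["status"] == 200 for r in mob)
        mobile_other_target = any(
            is_redirect(r) and r["location"] not in desktop_targets for r in mob
        )
        if desktop_all_bounced and (mobile_served or mobile_other_target):
            suspicious[host] = {
                "desktop_requests": len(desk),
                "mobile_requests": len(mob),
                "desktop_targets": sorted(desktop_targets),
                "mobile_served_content": mobile_served,
            }
    return suspicious


if __name__ == "__main__":
    for host, info in find_ua_cloaking_hosts(LOG_LINES).items():
        print(host, info)
```

A host that redirects every client to the same canonical location (old.example.test above) is not flagged, which keeps ordinary www-redirects out of the result.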

Microsoft offers $100K bounty payment on security bugs

Microsoft has announced that it will pay up to $100,000 to researchers who present the company with previously unknown security flaws.
Redmond said that its bounty system would be divided into three operations, which will also address defense techniques and browser exploits. The three campaigns will offer rewards of $100,000, $50,000 and $11,000.
The most lucrative category will be in the disclosure of zero-day flaws and attack techniques in Windows. The six-figure reward will be offered to researchers who can present critical vulnerabilities in the latest patched version of Windows.
The company will offer $50,000 to researchers who can bring the company techniques for mitigating attacks on critical security vulnerabilities. Both programmes will be ongoing efforts for the company.
A third programme will run for a limited time and will ask researchers to bring forward flaws in the latest version of Windows. That contest will run from 26 June to 26 July and will carry an $11,000 payout.
“They will also help to fill gaps in the current marketplace and enhance our relationships within this invaluable community,” Microsoft security response center general manager Mike Reavey said of the programmes. “All while making our products more secure for our customers.”
The move represents an about face for a Microsoft group that was once an outspoken opponent of paying researchers for bug reports. In 2007 the firm said that bounty programmes were “not healthy” for the security community.
Once controversial, vulnerability payment programmes have become established as an effective way to connect security researchers with vendors and reduce the prevalence of zero day flaw disclosures. Platforms such as HP's ZDI purchase then confidentially report flaws to vendors, while Google has opted to directly pay out rewards to researchers who report Chrome vulnerabilities.

MalwareBytes takes fight to drive-by-attackers with Zero Vulnerability Labs acquisition

Malwarebytes has acquired US firm Zero Vulnerability Labs, adding its flagship ExploitShield browser protection service to its anti-hacker arsenal.
Malwarebytes chief executive officer Marcin Kleczynski confirmed the acquisition had been finalised, promising the new technology will help the company offer enterprise customers increased protection against browser-based attacks such as drive-by downloads.
"I am very pleased to announce the acquisition of Zero Vulnerability Labs and to welcome its employees to the Malwarebytes team," said Kleczynski. "We are always looking to improve upon our existing offerings, and have done so with the addition of Zero Vulnerability Labs' technology. The proactive nature of this technology makes it a great addition and complement to the existing Malwarebytes software suite."
Zero Vulnerability Labs is a security firm that specialises in vulnerability, exploit and security research and development. Its flagship ExploitShield service is available in both corporate and browser editions.
Both editions offer customers protection against basic attacks from exploit kits like Cool and Blackhole. The corporate edition offers firms more robust protection against more sophisticated file format-targeted attacks, media format-targeted attacks and advanced stealth-targeted attacks.
Malwarebytes said it has already created a new, improved version of ExploitShield with new features. The new version has been rebranded as Malwarebytes Anti-Exploit and is available for a limited time through the Zero Vulnerability Labs website.
The financial details of the purchase were not revealed.
Despite the lack of clarity, Zero Vulnerability Labs co-founder and chief executive officer Pedro Bustamante welcomed the acquisition, promising the team-up will help the two companies offer firms more robust protection from hackers.
"We are excited to be joining the Malwarebytes team and to work to advance the latest anti-exploit R&D efforts, which we started at Zero Vulnerability Labs," he said. "It is a great fit between two companies who are fighting malware in innovative and effective ways in order to protect both users and companies from the most dangerous and complex types of attacks."
The acquisition of Zero Vulnerability Labs comes during a period of expansion for MalwareBytes. Prior to it Kleczynski confirmed to V3 plans to expand into the mobile sector, releasing a new Android protection tool by the end of the year.

Texas bans police email snooping in PRISM reaction

The state of Texas and its government haven't traditionally been seen in the best light by the rest of the world.
The people that brought us George W Bush have taken the heat for everything from immigration policy to science curriculum. The state is routinely seen as backwards and misguided, particularly in Europe.
In one case, however, Texas seems to be ahead of the rest of the US and much of Europe when it comes to protecting user privacy.
Earlier this week the state legislature passed a bill that would place the nation's strongest restriction on law enforcement collecting data from email service providers. The bill, which has yet to be signed by governor Rick Perry, would terminate any provisions under which investigators are able to access data without first obtaining a warrant.
Such protections would provide a valuable safeguard for citizens online. Such warrantless collection of data is often seen as a central component of covert data snooping programmes such as PRISM, which has been brought to light in recent weeks. The rule would require investigators to stand before a judge and provide just cause each and every time they want a service provider to hand over user data.
If the bill is signed, users in Texas will have greater protections from online eavesdropping than those in such progressive havens as San Francisco, Boston, New York City and Seattle. As unlikely as it may be, in this case Texas is setting the standard for electronic policy and user rights.

Email encryption flaw helps criminals and snoops hide hijacked messages

A flaw in Microsoft Outlook email clients potentially exploitable by curious cyber criminals has been unearthed by bug hunters on the Full Disclosure forum.
Trend Micro global vice president of security research Rik Ferguson told V3 the bug relates to how Microsoft Outlook handles message signatures. "The thread talks about how Microsoft Outlook in particular – although this is probably common to other email clients – does not show a warning when the signing certificate does not match the ‘From:’ address in an email," he said.

"Digitally signing an email is a way of assuring the recipient that the content, while not encrypted, has not been modified in transit; it's effectively a cryptographic hash of the content and attributes of the mail. If the from address is rewritten, for example, a signed mail is sent to a distribution list and then forwarded on to each of the members of the list with a new ‘From:’ address – usually the address of the distribution list – then the content has been modified and the signing will no longer match.”

Ferguson warned that the flaw could cause a number of problems for businesses, making it more difficult to spot messages that have been tampered with or hijacked by cyber criminals. He said to secure the services Outlook would have to begin alerting recipients to the mismatch, a task that has several potential pitfalls.

"There is a bigger issue: in a post-PRISM world, more people are beginning to pay attention to how they can secure their email communication from prying eyes. Simply signing will not achieve this anyway, as mails are not encrypted, merely ‘certified’, so full-blown mail encryption is the answer," he said.

"In addition to public key encryption such as GnuPG, there are options that allow you to encrypt mail content before it is pasted into the client interface. Of course you still have to find a way to transmit the decryption key to your recipient, and that should be done through an alternative channel to the email itself, otherwise you simply give anyone else seeing your mail the key as well."
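The warning Ferguson describes Outlook as lacking comes down to one comparison: the address bound into the verified signing certificate against the address in the From: header. The following is an added example (not Microsoft's code, nor anything from the Full Disclosure thread) that models that check with Python's standard library; the sender, list address and certificate addresses are constructed, and the detached "signature" is a stand-in hash over the body only, so that the example isolates the header comparison rather than re-implementing S/MIME.

```python
import hashlib
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the message as it left the original sender.
ORIGINAL = """\
From: Alice Example <alice@example.org>
To: staff-list@example.com
Subject: Q2 figures
Content-Type: text/plain; charset="us-ascii"

Please find the Q2 figures attached.
"""

# Constructed stand-in for what certificate verification hands back:
# the e-mail addresses bound into the signing certificate (assumption;
# a real client would read these from the certificate's subject / SAN).
SIGNER_CERT_EMAILS = ["alice@example.org"]


def body_of(raw):
    """Return the text body of a single-part message."""
    return message_from_string(raw, policy=policy.default).get_payload()


def sign_body(body):
    """Stand-in for the detached signature: a hash over the body only.
    It deliberately does not cover the outer From: header."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def verify_body(body, signature):
    return sign_body(body) == signature


def rewrite_from_as_list(raw, list_addr):
    """Simulate a distribution list that re-sends the mail with its own
    address in From:, leaving the body (and so the signature) intact."""
    msg = message_from_string(raw, policy=policy.default)
    del msg["From"]
    msg["From"] = list_addr
    return msg.as_string()


def extract_from_address(raw):
    """Pull the bare addr-spec out of From:, ignoring the display name,
    so a display name that merely looks like an address is not trusted."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.lower()  # assumption: whole address compared case-insensitively


def signer_matches_from(raw, signer_emails):
    """The check a client should perform before showing a 'signed' badge.
    Returns (ok, reason)."""
    from_addr = extract_from_address(raw)
    cert_addrs = {e.lower() for e in signer_emails}
    if not from_addr:
        return False, "no parseable From: address"
    if from_addr in cert_addrs:
        return True, "signer %s matches From:" % from_addr
    return False, "From: %s is not among the signing certificate's addresses %s" % (
        from_addr, sorted(cert_addrs))


if __name__ == "__main__":
    sig = sign_body(body_of(ORIGINAL))
    forwarded = rewrite_from_as_list(ORIGINAL, "staff-list@example.com")
    print("body signature still verifies:", verify_body(body_of(forwarded), sig))
    print("original:", signer_matches_from(ORIGINAL, SIGNER_CERT_EMAILS))
    print("forwarded:", signer_matches_from(forwarded, SIGNER_CERT_EMAILS))
```

The same check catches a From: header whose display name is an address string but whose real addr-spec belongs to someone else, because only the addr-spec is compared.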

The PRISM scandal began earlier this month when leaked documents revealed that the US National Security Agency (NSA) had been siphoning information from Microsoft, Facebook and Google through a programme called PRISM.
Ferguson touted the firm's hybrid identity-based encryption (IBE) tool for email encryption as one course of action for firms concerned by this issue. "With an IBE solution, you are able to generate an encrypted email to any recipient, regardless of whether they have signed up with any service, simply by knowing their email address," he said.

Yahoo account recycling policy draws heat from security experts

Yahoo's recent decision to re-assign inactive accounts is drawing concern from security experts who worry that the system could be abused by cybercriminals.
The company said last week that it would be taking accounts which have not been accessed for more than one year and allowing users to re-register the name with new accounts. Users will have until 15 July to log into their inactive accounts in order to avoid losing them.
Yahoo said that the aim of the move was to free up old usernames and allow users to shorten and simplify the addresses they want to register.
According to security experts, however, the decision is dangerous and could put a large number of users at risk of attack. Scott Hazdra, principal security consultant with consulting firm Neohapsis, said that the unused accounts could be leveraged by an attacker to perform any number of social engineering tricks.
“Those quick on the draw will be able to grab accounts like they would freed-up vanity licence plates,” he explained.
“There will definitely be instances where those secondary accounts will receive notices that a password is about to expire or has been changed, that a balance is low, that someone has pushed this message to your account, that someone has tried to log into your account, and on and on – and that could present a major problem.”
Additionally, Hazdra believes that Yahoo's quick turnaround period will not leave many users who otherwise want to keep their accounts with enough time to reclaim their addresses. He suggests that the company opt to extend the verification period significantly.
“Yahoo plans to send out notices and bounce back emails that the accounts no longer exist, but doing that for just 30 days is not long enough,” he said.
“If Yahoo is intent on re-issuing these accounts, they should keep them inactive for at least six months to allow that process to pay out and to provide the original account owner a chance to take action.”

UK Home Office invests £4m to raise SMBs' cyber threat awareness

The UK Home Office has launched a new £4m cyber awareness campaign, designed to educate businesses and citizens about rising hacker threats.
The government will use the money to launch the first stage of the campaign in the autumn. The opening stage of the campaign will see the government department take bids from media, PR and creative agencies to partner with it on a series of communications campaigns designed to educate consumers and small businesses on how to protect themselves against cyber crime.
Applicants can submit bids now using the Government Procurement Service's online portal. The Home Office will lead the campaign, though experts from the Department of Business, Innovation & Skills and partners from the business sector including Get Safe Online will also help oversee its implementation.
UK Security Minister James Brokenshire said the initiative is an essential step in the country's ongoing bid to arm businesses against cyber attacks.
"The digitisation of the UK economy has made our lives easier and has created huge opportunities, but it has also created individual security risks as well. If we are to meet these new challenges it's essential we step up our efforts to stay safe online," he said.
"The threat of cyber crime is real and the criminals involved are organised and driven by profit. By making small changes British businesses can remain competitive in the global economy and consumers can have greater confidence using the internet."
The campaign is a part of the UK government's wider National Cyber Security Programme. The Programme is one of many initiatives launched by the UK government designed to improve the country's cyber defences.
The government launched its main Cyber Strategy in 2011, pledging to invest £650m to improve the nation's defences and train a new generation of security experts. Most recently the initiative saw the government pledge to invest £7.5m to create two new cyber security higher education centres at Oxford University and Royal Holloway, University of London.

Cloud Computing (Providers, Benefits and its Challenges)

The write-up will focus on the first three categories:
1.    Application and Information clouds – Sometimes referred to as Software-as-a-Service, this type of cloud is referring to a business-level service. Typically available over the public Internet, these clouds are information-based.

2.    Development clouds – Sometimes referred to as Platform-as-a-Service, cloud development platforms enable application authoring and provide runtime environments without hardware investment.

3.    Infrastructure clouds – Also referred to as Infrastructure-as-a-Service, this type of cloud enables IT infrastructure to be deployed and used via remote access and made available on an elastic basis.