IT Security

Never rains …

A short note on Labour’s cyberbreach. Sienna Rogers at Labour List reports on the 3rd party victim of Labour’s cyber breach. The software is I believe provided by blackbaud, who usually provide this as software-as-service, and have been previously attacked, but Rogers states the system is run by Tangent which I believe to be a trading name for Tangent Marketing Services. This article in the Guardian (HTML/ .PDF ) reports (2007) on Labour’s award of the contract and identify Michael Green as the supplier CEO, although his wikipedia page suggest he’s moved on; he us still registered as a Director at Companies House, although the last set of annual accounts state he has resigned. Labour’s General Secretary at the time was Peter Watt whom wikipedia quote the BBC as saying he resigned “following the revelation that a property developer made donations to the party via three associates”. Tangent also appointed an ex-Party Director of Communications, Paul Simpson (HTML / .PDF) as it’s account manager for the Labour Party in 2009, although he left 4 years later.

This story adds to the questions that need to be answered, one of which is why the software and its run time contract has been in place for so long? Has it it been market tested, are the terms and conditions still appropriate?

When the leak was first reported, I wrote a piece on IT Vendor Management (also on my blog) and posed some question. I also wrote a short piece on Cyber-security and the NIST Cyber-security framework. In the first of these articles I described what a decent vendor management policy looks like, and how the use of international standards on IT security, (ISO 27001), and governance (COBIT) would help, as would having a National Executive Committee properly equipped, trained and interested. …

Wiping the phone at the Treasury

I wrote a piece on the Guardian story about the Treasury losing the Perm Sec’s texts and posted it on linkedin. One particularly disturbing feature of this story may be that messages from David Cameron about Greensill Capital have been lost. On the linkedin blog, I looked at the story from an IT Security and employment law point of view rather than looking at the political corruption angle. I suggest that for an organisation with a public record, FoI or compliance liability that SMS and whatsapp or any messaging product without central logging should not be used. I suggest that wiping the phone instead of a password reset especially when the device has not been lost might be a bit extreme. I hint that peer to peer messaging without a super user is also inappropriate.

I argue that this is a symptom of the growing contempt that politicians and now it seems bureaucrats have for their record keeping responsibilities which are mandate by statute law. It is likely that the use of personal IT i.e. phones and emails if not laptops/workstations is becoming endemic destroying and designed to destroy audit trails of behaviour. I note and have commented elsewhere on the failure to pass the email & records relating to Johnson’s decisions with respect to Jennifer Arcuri’s trade missions and grants.

I note that such behaviour if undertaken by more junior staff would probably involve disciplinary action. I have dealt with cases where people have been investigated under the disciplinary policy for misuse of their personal IT in the office and also for the destruction or unauthorised amendment to business records. These have usually been considered gross misconduct cases which can lead to dismissal, but most of my members are blue collar workers.

With respect to the Treasury, I wonder if the texts have been truly lost, if they have, it’s either a policy failure, i.e. a failure of the control design or a deliberate breach. Someone should be accountable, just as they should at the GLA. The irony here i.e. at the Treasury is that it looks like the responsible person for either of these failures is the same person. The Permanent Secretary is meant to be a check on the, certainly, financial probity of ministers and occupy an important role in implementing a segregation of duties and avoiding toxic combinations. These controls are designed to stop fraud and corruption. These ones seem to have failed. …

Vendor Management and the Labour Party

I wrote a blog on linkedin, on what I call Vendor Management. This is based on my experience as an IT Security and Compliance consultant, and leans on ISO 27001. Some of the words in this article, mirror what I say in the linkedin post. This article, see below/overleaf talks about risk classification, risk control super-strategies and risk monitoring. It then looks at the Labour Party, recommends the adoption of quality brands as an employer and as an IT User. It ends by asking some basic questions about the impact of [the lack of IT Governance]. It challenges the secrecy and the commitment of the NEC to get this right and concludes the statement that there is a common body of knowledge that allows the effective management of IT & IT Risk. AS Liverpool Council have discovered, this can’t be made up. …

Virtuality & the Labour Party

Somewhere inside my head there’s an article on how businesses weren’t planning for a pandemic as a business continuity risk, most plans were about protecting infrastructure. My most recent linkedin article looks at the under-licensing and data leakage risks exposed by the spontaneous adoption of remote desk top technology but the country has had to adopt a much wider “work from home” practice than previously, stressing those parts of the economy that serve it, including home space and furniture supply. This all leaves unanswered how are democratic decisions being taken? Let’s look at the Labour Party; I wouldn’t want to be the Labour Party apparatchik that allowed 7.IV.H.8 (P41) 2019 to expire. It used to say,

The NEC shall invite CLPs to take part in pilots of staggered meetings, electronic attendance, online voting and other methods of maximising participation. The NEC may immediately give effect to these pilots and may incorporate any resultant rules into this rule book, subject to approval at Annual Conference 2019, when this sub-clause shall expire.

It wasn’t extended at Conference 19, and the rule now no-longer exists and virtual meetings are not permitted to take decisions. Someone’s going to be happy.

If deliberate, it’s another example of the bureaucracy just not giving a shit. …

Source code engineering rights

I have just written a piece on my linkedin blog emphasising the requirement that software support organisations must have access even if only via contract to source code engineering rights. …

Reinforcing Monopoly

Hereby are two stories about how software acts as a barrier to entry to a market and reinforces the monopoly power of its provider.

The first is shown by the fact that industrial content are getting cold feet over the EU copyright directive as the service providers have switched to supporting Article 13 since they already have the so-called “upload filters”. Only the big boys will be able to remain in the game of hosting user authored content. As predicted, the new regulations will inhibit both startups and SMEs.

The second story is closer to home. The UK have decided to mandate age verification functionality for porn sites. Who do you think is going to build that? Alec Muffet and the Open Rights Group have been tracking this and even if you think it’s a good idea, they way it’s being done is disastrous. The BBFC is the regulator and this is a massive piece of scope creep, it looks like they will licence a third party to act as the software provider and again the favourites to win this business is an interested party. Alec’s latest blog post is on Medium and is critical of the regulator’s stance and IT Security expertise and he previously wrote about the competitive dynamics and opportunities created by the new laws. Muffet is also concerned about the profiling use of such a database of porn users. It’s almost back to the days of the Roman Empire where monopolies were licensed. …

I.T. implications

In my many articles on Labour’s Democracy Review, and in a preview I talk about the Information Technology implications of Labour’s coming rule changes. I have extracted the following quote from my article, The denoument, as I’d like it to be easier to find,

In the NEC rule changes as presented to Conference the NEC talks about using IT to maximise participation. All constituency documents, are to be available to all members via a clockwork platform, sorry, I made it up, an electronic platform, “provided by the Party”; I hope that’s the national party as I have thought hard about this and creating a shared disk is not hard, managing the Access Control List (ACL) is, particularly if your membership and volatility is large.

…

Equifax

Bruce Schneier testified to Congress on the Equifax Breach and posted his testimony onto his blog. .Because of the political nature of the content, he is frequently much more technical some of the the comments are very superficial, complaining about the need for more regulation.

The problem is, as he says, that without regulation business wont keep personal data secure. The problem is bad corporate behaviour.

His testimony, in my mind, shows the weakness of seeing this as a consumer protection issue. Much of the bad behaviour comes from 3rd parties; the data subject is not the customer and thus have no rights of tort and in the US, the FTC can’t pursue the data controllers. By placing privacy in a consumer protection framework, they also leave it to the victims of breaches to prove harm.

In the EU, our rights based legal framework means that a breach is harm, because our human rights to privacy have been infringed.

Schneier raises the GDPR as an example of how companies can confirm to better standards and raises the spectre of the EU imposed fines on US companies. He also hints at the fragility of safe harbour/privacy shield. …

A note on IT Integrity and authority

I posted an article that had taken a long time to get approval for on my employer’s blog, Information Integrity, the final frontier. I argue that the business has not taken integrity as seriously as it has availability and confidentiality. In the blog, I state that,

Information integrity requires an accurate representation of the state of the business and the audit records as to how it got there. Modern systems need to record both; it’s not enough that the system is provably accurate, records are required to ensure that transactions and changes are appropriately authorised.

The key insight is that not only must the true state of the data be recorded but that the person verify this truth must be recorded.

The article talks about strong “Requirements Management” and good “Testing” processes, and then talks about the use of PKI to sign application to application feeds or transactions to guarantee to the system of record that the author is a permitted actor and that the delivered data is accurate and authorised. I also propose that application logs as proposed under the “Application Security” domain of ISO/IEC 27034 should be used to record the authority/author of a database update.

ooOOOoo

Given the startling longevity of this blog, I have made a mirror of the Citihub article and loaded it to this site; integrity: the final frontier, a mirror …

Big Time Pocket Vulnerabilities

Another refugee from Storify, this time I was asked for a comment on some research into mobile app IT security and identified the Operating System and physical proximity as the two key attack vectors.

…

« Previous