No surprises... you are being hacked by your government!

Everything you do online is probably being hacked or surveilled by your government. This includes activities on Facebook or any other social networking site, Skype conversations, chatting, texting from your mobile phone, and anything else that is stored or transmitted digitally.

Companies are now selling off-the-shelf hacking and surveillance products to governments, and they are selling hot in all countries, all in the name of national security. These tools were used in the Middle East during the unrest earlier this year. There was a secret conference held in Dubai earlier this year that was not open to the public, and reporters were not welcome to attend the sessions. Read more here.

Security innovation

David Lacey made a post concerning the lack of innovation in how cyber-security decisions are taken in government, not only in the amount of money allocated to this work but in how it is spent.

Apart from what David discusses, I see that one of the biggest challenges when it comes to being innovative or visionary is that decisions are often based upon where we are today, followed by a plan forward from there. In fact there is only one way to really innovate, in whatever area it may be, and that is to take a quantum leap into the future (5-10 years ahead is enough), visualize how it will feel, what our experiences and challenges will be, and then look back to understand how we got there. There is a whole load of visionary videos and tools out there that one can use to aid the process.

Taking the quantum leap forward and looking back produces a completely different picture from starting with today and planning forward.

Cyber attacks on critical infrastructure

Although unconfirmed as of yet, there seems to be some evidence that cyber attacks on the critical infrastructure of the US have occurred. Some hackers, probably from Russia, hacked into a water plant and sabotaged the system. The water plant was not sufficiently protected, and I would imagine it didn’t see itself as a potential target.

This is the first of many to come.

I often think about how we don’t appreciate how critical our work is. Many of us secure critical infrastructures, although we don’t see that we save lives, as a doctor or nurse, for example, can. I remember a conversation I had with a colleague around 5 years ago; he wanted to move into the fire service, because there he could make a difference. However, each one of us makes a difference where we are today, building and securing the critical services and infrastructures of our respective countries. We don’t see how many lives we save or how many people’s lives we make a difference to because of our work. However, we do save lives and we do make a difference!

Proving you are secure over compliance

I am a follower of David Lacey and his school of thought. He was an initiator of the BS7799 standard, later adopted as ISO27001/2 in the EU. At the beginning of September I participated in a telepresence conference with him and many others from the BCS around the globe. This was organized by David Misell, and the telepresence brought together many thought leaders in information and cyber security.

This one meeting has influenced much of my thinking since. It is impossible to prove you are compliant. Even if you follow the rule book, you cannot prove you are 100% compliant, even with the best and most dedicated security consultants in the world, especially on the large accounts that I am normally exposed to. Moreover, even if you could, proving you are compliant does not prove that you are secure.

So what is the answer? Well, as David Lacey believes, smart use of technology is part of a way forward. For example, did you know that over 85% (maybe more) of PCs shipped today have a chip that supports trusted computing (TPM), and that Intel has acquired companies such as McAfee (DeepSafe and DeepCommand) and Nordic Edge (One-Time-Password, OTP)? They are placing security at the chip level.

Now imagine if you could prove your organization is secure by implementing secure technologies (note that I don’t say security technologies). This is getting close to what the Common Criteria tried to do, but it never really succeeded on a wide scale because it just became too complicated, and the customizations made by individual organizations, each with special needs, rendered any assigned CC status void. I believe that security at the chip level is an amazing step forward, and more companies should be looking into this, particularly when they are finding that their existing IAM infrastructure is just getting too complex.

Happy bunny finds iPhone

Well, so here I am preaching on the dangers of location services, and I eventually enabled this service myself, just two weeks ago on my iPhone. It started to get quite convenient with the purchase of my personal MacBook Air (11″), and then I synced everything into iCloud. Furthermore, I often lose my mobile phones; you know I have two, one for work and the other for personal use... just as I now again have my HP PC for my work and my beloved Mac for my playtime.

Well, today I used the service. I couldn’t find my iPhone. I really thought this time I’d blown it, that I had lost it and it was lying somewhere. And I was hoping... did I enable that service, or did I do as usual and decide not to? I had enabled the service, and I found my iPhone. So I’m a happy bunny today... although still torn by the dilemmas that personal privacy presents, i.e. convenience and safety vs. personal privacy.