david c.n. ma

two tales of security

From the “if I had a nickel every time..” category, a story from The Telegraph on the loss of sensitive information by the RAF:

The Ministry of Defence has admitted that files had been stolen, and more than 500 RAF staff have been warned of the possible consequences to them and their families after the unencrypted data – stored on three computer hard drives- went missing.

The extremely personal information had been given by servicemen for an in-depth vetting process to give them high security clearance.(emphasis added)

Now, I certainly can’t comment on the specific facts surrounding the loss of this data, but I did note, in particular that the data recorded was unencrypted. As most readers of this blog know, this is certainly not the first time an incident like this has occurred (i.e. a lost, misplaced, or inadvertently discarded data storage device that contained sensitive information). In fact, to be honest, it is somewhat mind-boggling that this still occurs. Not that things get lost. I understand that things like that may happen despite the physical security protocols that one may put into place. But not encrypting such data? Perhaps  a decade ago, something like that would be understandable. But it should not be today, particularly when there has been story after story about this sort of thing. In this case, not only has the RAF compromised the personal information of certain of its officers, it has also put the UK’s national security at risk. Completely inexcusable. And if I sound harsh, it’s because I intend to.

So, once again for anyone who cares to read this blog: If you are responsible for sensitive data and store it in digital format, you really, really, must ensure that you encrypt that information, particularly if it is on a storage device that may be transported, or is sitting anywhere other than a very secure vault. Otherwise, it’s only a matter of time that someone will come after you for negligence. Or worse.

On the other hand, there is a brief story in Wired about an interesting video on YouTube. It’s basically a faked video showing some “hackers” tapping into a building’s SCADA system. Interestingly, this appeared to set off alarm bells in some circles:

“Perhaps the first demo was just for fun, but the others will have less juvenile goals,” McAfee Avert Labs researcher Francois Paget blogged on Friday. “An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses.”

To be fair, McAfee’s Paget acknowledged some doubts “about the technical aspects of these light-show ‘attacks’ on unprepared buildings.” But with the enthusiastic faith of cybarmageddonists everywhere, he boldly asserts that it doesn’t matter if the video is genuine.

“Fake or not, the video confirms that hackers and cybercriminals have got their eyes on SCADA networks.”

So, a question for anyone reading this – even if the video were real (and it’s not), why (other than what the article already notes) do you think Mr. Paget’s comments might be a bit off the mark, at least when it comes to the contents of the video itself?