Friday 27 November 2009

BCS ELITE annual dinner

Last night I attended the BCS ELITE annual dinner - the first for several years, but well worth the wait. It was a black tie event at the Lansdowne Club, where the food and wine were excellent, and the latter flowed in quantity (hence feeling rather fragile today). I was really pleased to find that I was sharing a table with the always entertaining Lord Renwick and his lovely Lady, as well as several other intelligent and erudite folk. What a good start to the festive season :-) This post doesn't really have much to do with security, but I would recommend ELITE to anyone interested in good conversation and networking with IT people.

Friday 13 November 2009

ISACA European ISRM Conference

I just spent three extremely useful and enjoyable days at the ISACA Information Security and Risk Management conference in Amsterdam. A great selection of speakers and topics, plus terrific networking opportunities. If you are able to attend next year (in Vienna, I believe) it could be a good investment. For US readers, the conference is also held in Las Vegas - this year's event was just as stimulating as the European version.

Sunday 11 October 2009

Facebook bugs galore

I'm an enthusiastic Facebook user, unlike some in the security community. I find social networking rewarding, both on a personal level and as a musician, and I am prepared to go the extra mile to limit my exposure as a result.

I was therefore fascinated to find The Month of Facebook Bugs - a series of reports on vulnerabilities in Facebook applications. Well worth a read, especially if your personal information on Facebook is genuine and you enjoy using lots of Facebook apps!

Tuesday 22 September 2009

Global crime networks

Today I was sent a link to an excellent video of journalist Misha Glenny, who spent several years investigating organized crime networks worldwide. If you watch one security-related video this week, this should be it!

Thursday 3 September 2009

Skype hack (at last?)

I'm conscious that my blog postings now resemble a London bus - you wait for ages, then three come along at once - but I had to share this with you.

Ruben Unteregger wrote a Skype phone call Trojan three years ago, then a few days ago he released the source code. Now, unsurprisingly, something very similar has appeared in the wild. I continue to be pleased that we don't allow Skype (or any real-time protocols, in fact) in our business.

Defending the Enterprise webcast

My recent webcast "Defending the Enterprise with more than Silver Bullets" is now available to view in recorded format here.

Saturday 29 August 2009

How safe is your online bank?

When Which? Computing asked me to help evaluate online banking services, I expected to find very similar results amongst the ten banks they selected. However, as their press release says, there were some pretty big differences. Although we only looked at the visible security measures in place, some banks appeared to offer little to help defend against simple keyloggers.

I know that there are some sophisticated banking Trojans around, using man-in-the-browser attacks, but surely that's not an excuse to ignore defending against simpler malware and physical keyloggers?

Obviously banks need to balance good security against usability, being concerned that consumers may be put off by complex authentication processes. But with the vast increase in the number of Trojans, and more and more people using public WiFi and shared computers, Barclays' approach of using a PINsentry device seems like the most secure option.
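The difference between a login that a keylogger defeats and one that it does not comes down to replayability. The simulation below is an added example, not part of the original post and not Barclays' or anyone else's code: it models a static-password login beside a challenge-response login of the kind a hand-held reader provides, and shows that a captured keystroke sequence works against the first and fails against the second. The "device" is modelled as an HMAC over a bank-issued challenge keyed with a per-customer secret; that construction, the 8-digit code format and the class names are assumptions for illustration, not the actual PINsentry/CAP algorithm.

```python
"""Keylogger replay against a static password versus challenge-response (added example).

The device model (HMAC-SHA256 over the challenge, truncated to 8 digits) is an
assumption for illustration and is not the real PINsentry/CAP algorithm.
"""
import hashlib
import hmac
import secrets


def device_response(secret: bytes, challenge: str) -> str:
    """Simulated hand-held reader: 8-digit code from a per-customer secret and the bank's challenge."""
    digest = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class StaticPasswordBank:
    """Login that only checks a fixed password: whatever a keylogger records can be typed again."""

    def __init__(self, password: str) -> None:
        self._password = password

    def login(self, typed: str) -> bool:
        return hmac.compare_digest(typed, self._password)


class ChallengeResponseBank:
    """Login that issues a fresh, single-use challenge and expects the device-computed response."""

    def __init__(self, device_secret: bytes) -> None:
        self._secret = device_secret
        self._outstanding: set[str] = set()  # challenges issued but not yet consumed
        self._used: set[str] = set()         # never reissue a challenge, so old codes stay dead

    def new_challenge(self) -> str:
        while True:
            challenge = f"{secrets.randbelow(10**8):08d}"  # 8-digit prompt, like a reader would show
            if challenge not in self._used:
                self._used.add(challenge)
                self._outstanding.add(challenge)
                return challenge

    def login(self, challenge: str, response: str) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already consumed challenge: replay rejected
        self._outstanding.discard(challenge)  # burn the challenge even if the response is wrong
        return hmac.compare_digest(response, device_response(self._secret, challenge))


class Keylogger:
    """Records everything the victim types; the attacker later replays it verbatim."""

    def __init__(self) -> None:
        self.captured: list[str] = []

    def tap(self, keystrokes: str) -> str:
        self.captured.append(keystrokes)
        return keystrokes


def replay_against_static(password: str = "hunter2") -> tuple[bool, bool]:
    """Victim logs in once through a keylogger; attacker replays the capture. Returns (victim, attacker)."""
    bank = StaticPasswordBank(password)
    keylogger = Keylogger()
    victim_ok = bank.login(keylogger.tap(password))
    attacker_ok = bank.login(keylogger.captured[0])
    return victim_ok, attacker_ok


def replay_against_challenge_response() -> tuple[bool, bool, bool]:
    """Same scenario with a challenge-response login.

    Returns (victim login, replay against the consumed challenge, replay against a fresh challenge).
    """
    secret = secrets.token_bytes(16)  # constructed per-customer device secret
    bank = ChallengeResponseBank(secret)
    keylogger = Keylogger()
    challenge = bank.new_challenge()
    victim_ok = bank.login(challenge, keylogger.tap(device_response(secret, challenge)))
    same_challenge = bank.login(challenge, keylogger.captured[0])
    fresh = bank.new_challenge()
    fresh_challenge = bank.login(fresh, keylogger.captured[0])
    return victim_ok, same_challenge, fresh_challenge


if __name__ == "__main__":
    print("static password  (victim, attacker):", replay_against_static())
    print("challenge-response (victim, replay old, replay fresh):", replay_against_challenge_response())
```

The point of the single-use challenge is that the keylogger sees a valid code but one that the bank will never accept again, and the secret that generated it never crosses the keyboard. This addresses keyloggers and shoulder-surfing on shared machines; it does not address the man-in-the-browser Trojans mentioned above, which wait for the genuine login to succeed and then tamper with the session from inside the browser.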

Sunday 17 May 2009

A day off

Having decided to have a day off, I find myself browsing the National Museum of Computing web site. I first met Tony Sale about ten years ago and his enthusiasm was infectious. If you haven't visited Bletchley Park then I strongly recommend it - not only to learn about the history of computing but also the incredible work done by the code breakers during World War II. If you've got a few quid (or dollars or Euros) to spare, then consider a donation to either of these excellent organisations.

Saturday 2 May 2009

The show is over ... and web authentication bypass

Well, that's Infosecurity Europe over for another year - our 7th as exhibitors and my 11th as a speaker (I think). The new venue at Earls Court seemed to be viewed by most people as a big improvement and I have to agree - the show felt more relaxed yet more alive.

Our press conference on web authentication bypass was well received, with Computer Weekly and Infosecurity Adviser reporting the story. We'll be explaining more about this problem, which stems from poor web site configuration, at our next white-hats.co.uk meeting on 15 May. The fact that the problem affects web portals as well as e-commerce sites and that even two-factor authentication is no protection makes this an important issue for discussion.

Tuesday 21 April 2009

It's that time again!

Once again it's almost time for Infosecurity Europe and this year I seem to have a very full diary for all three days!

On Tuesday 28th April at 12:00 I'm giving a talk on "Cloud Computing: 50 Ways to Lose Your Data" closely followed by a press conference on a nasty new trend in compromising e-commerce sites.

On Wednesday 29th at 15:00 I'm wearing my white-hats.co.uk and ISACA hats and chairing a security expert panel on "Social Engineering: Techniques and Mitigation", a topic very close to my heart!

Then finally on Thursday 30th, again wearing my white-hats.co.uk hat, I'm facilitating two different discussions in the new Security Cafe: one on "Laptop Security - Understanding The Threats & Countermeasures" and the second on "Wireless Security - The Real State Of Play", which is about threats to corporate security through insecure home wireless networks.

I'll be ready for the long weekend after all that!

Sunday 15 March 2009

Excellent podcasts

I was recently introduced to podcasts by finux on Hacker Public Radio.

finux is a very talented guy whom I met during a trip to the University of Abertay in Dundee. His podcasts are well worth a listen. You can also find him on his Linux Society blog.

Wednesday 11 March 2009

Fame at last

OK - it had to happen, someone finally posted a video interview of me to YouTube. It's all about blended attacks and was recorded at the Combating Cybercrime in Betting & Gaming conference in January this year. I'm quite pleased with the interview, but I hate to imagine what the YouTube viewers are going to say! :-)

Tuesday 20 January 2009

Gary McKinnon

As someone who works to combat cybercrime and cyberterrorism, I may surprise you by saying that I am very much against the extradition of Gary McKinnon. However, I am also someone with intimate knowledge of Asperger's syndrome in two members of my immediate family. As a result, I had the privilege of meeting and discussing Asperger's with the UK's foremost authority, Dr. Simon Baron-Cohen, during a diagnosis some years ago. Dr. Baron-Cohen has lucidly explained the condition and the potential impact of incarceration on Gary here. I have no doubt that if he believes Gary has Asperger's then that will be the case.

The IT industry not only contains more than its fair share of people with Asperger's, it also benefits significantly from their intelligence and intense focus. If you work in IT you probably know several people with this condition, although you (and they) may not realise it. We need to try to understand them, to celebrate their positive contributions and to make allowances for some of their apparently obsessive behaviours. You may even be interested in testing your own Autism-Spectrum Quotient or in supporting the National Autistic Society.