Gallery

The truth is out there

Posted on 11 May 2007 at 11:57

Davey Winder searches for aliens in the enterprise while wondering whether anyone's listening when it comes to the AUP debate.

Mini me

Like everyone of a certain age with a particular interest in the field of internet security, I also have background experience in - well, let's say it - hacking. That instantly makes me twice as repugnant to many pure souls within the IT security industry, as I'm both an ex-hacker and a journalist. But I'm a hands-on man who firmly believes that the best way to learn is by experience. While there's no way I'd recommend hiring someone who's actually written malicious code - whether it's a virus, a worm or spyware - for a security job, things are less cut-and-dried when it comes to hiring ex-hackers. For example, some of the best penetration testers I know cut their teeth exploring systems without permission back in the 1980s, before hacking became a criminal offence in its own right in the UK.

One hacker who caught my attention recently, and who surely has all the ingredients needed for a feature film, managed to breach security at one of the most heavily guarded buildings in the UK, the House of Commons. With more than a little help from the BBC filming a report for its Inside Out series, this hacker managed to smuggle her equipment past the security guards and into the office of the MP for Guildford, Anne Milton, who'd agreed to leave her alone for just 60 seconds. I guess you can't blame the MP for thinking her secrets would be safe, as surely the BBC reporter couldn't possibly bypass her computer security and compromise her confidential data in less than a minute. Ms Milton was wrong, though, because it took this hacker just 15 seconds to install a keylogger.

Okay, to call her a hacker is a slight exaggeration, as the BBC claims she hardly knew one end of a computer from the other, but then the ability to connect some kind of hardware-based keylogger to a keyboard cable or place a USB flash drive containing an auto-installation routine into a free USB port is hardly rocket science. Nor is understanding that security requires more than a focus on the big picture: it requires attention to the small details as well. Very small in this case, since the reporter in question was just six years old.

I don't know the precise details of the device used in this UK Parliament hack, but let's assume it was a hardware keylogger. These are almost impossible to detect or block, but the hacker will require further access to retrieve the device in order to extract its captured data if there's no software installation. If, on the other hand, it was a software keylogger application that was installed from a USB drive, the situation is more serious. The technology has existed for a long time to stop such applications being installed from unauthorised external media. If an institution with such obvious security requirements as the seat of our government doesn't have such basics in place then I'm seriously worried about our ability to win the war on terrorism.

iPod virus all hype and no trousers

I was, in a very nerdy sort of way, rather excited by the news from Kaspersky Labs that it had uncovered the first ever iPod-specific virus. The first dents in my excitement were made by the line in the email that read "proof of concept", because this inevitably means it isn't a real virus at all, or rather it isn't an in-the-wild real-world threat to real users. The dents in the argument got bigger as I explored further, with the realisation that for "Podloso", as it was being called, to work it required that the iPod user had hacked the device to replace the default OS with a specific Linux installation instead. To say this greatly reduces the number of iPods that could, theoretically, be at risk from Podloso is an understatement. Remember, we're talking about a Linux installation on your iPod, not the computer you connect it to.

Download a year of Davey Winder's Online Security columns by heading to our Free Downloads site