Computer security in the NHS

Postby kolm » Dec 23rd, '08, 21:23



"Authorised NHS staff will need smart cards and passwords to access confidential information." (Safety pledge on medical records — BBC News)

I very nearly had access to one of said smartcards. How? A receptionist left one lying around next to a computer, and the receptionist who saw it put it into an unlocked desk drawer (in complete view of me).

Now, I'm not against a central database in the NHS (in fact, I'd love to have it everywhere: it makes life so much easier when you're seeing a medical professional somewhere you haven't been before/rarely go to, e.g. an NHS walk-in centre or A&E, because they have your medical details right in front of you so you're not answering questions about your history for the 20th time), but what's the point in us geeks coming up with better security in IT when 'laymen' do silly things like that? :evil: :x

Sorry for the rant, but poor computer security really makes me angry :x

"People who hail from Manchester cannot possibly be upper class and therefore should not use silly pretentious words"

Postby Replicant » Dec 23rd, '08, 22:40

Airport "security" isn't much better. It's a flippin' miracle we all haven't been blown out of the sky by now.


Postby queen of clubs » Dec 23rd, '08, 22:50

It astounds me how little security there is ANYWHERE. Every single place I've worked has had lax security, once you know the procedures you could easily exploit them.

I used to work in retail within a train station and it was a legal requirement that you had Network Rail ID on you at all times when you were out in the labyrinth of corridors behind the scenes, but I was never asked a single time to produce it and I was all over the place in there. Plus, the double doors that led to the security-restricted area weren't locked or swipe-card protected; they just had a sign on saying "authorised personnel only", which is rather easy to ignore if you're confident and up to no good.

I also used to work in an inner city office of a chartered accountant and the window next to the first floor fire escape had a broken lock for 3 years, so at any time during the night or day - if you knew about it - you could just go up one flight, push it open and climb right in. I actually did that one morning when I'd forgotten my keys!

"Some of those that burn crosses are the same that hold office" - Zack de la Rocha

Postby dat8962 » Dec 23rd, '08, 23:24

The problem with most security is that it's arranged by accountants who hire the cheapest tender and then given to someone who knows very little about security. More often than not, that's a facilities manager who has to look after all sorts of other things.

Even in high security environments this can be the case and when things go wrong, they look for scapegoats and not at plugging the holes.

I've advised some of the world's top organisations on physical security and at the end of the day it all boils down to cost and the attitude of 'it will never happen to us'.

Member of the Magic Circle & The 2009 British Isles Close-Up Magician of the Year
It's not really an optical illusion - it just looks like one!

Postby Kolisar » Dec 24th, '08, 01:02

dat8962 wrote: The problem with most security is that it's arranged by accountants who hire the cheapest tender and then given to someone who knows very little about security.


As another security professional, I also am angered by bad security. But, one of the problems that is seldom mentioned is the fact that a lot of people (especially senior management) are rarely willing to live with the inconvenience of the added security. One example is Windows Vista UAC. It is so annoying that many people just disable it, leaving them less secure.


Postby dat8962 » Dec 24th, '08, 01:10

Whilst I don't disagree with you, people generally have, or should have a wider appreciation of physical security principles as opposed to data security principles. Both can be equally catastrophic if breached but most people don't understand data principles as much, and are nearly always in a position where they leave this to others - e.g. at work.

Physical security touches people's daily lives in a much more noticeable way.

You are also right about managers not being willing to live with the inconvenience, and this is where any self-respecting organisation should have a director responsible for security so that managers are not given the choice.

Other than the Data Protection Act for records, there is no legislation outside of where security crosses into Health and Safety that provides a structure on which to build effective security models.

Member of the Magic Circle & The 2009 British Isles Close-Up Magician of the Year
It's not really an optical illusion - it just looks like one!

Postby kolm » Dec 24th, '08, 03:12

Kolisar wrote: As another security professional, I also am angered by bad security. But, one of the problems that is seldom mentioned is the fact that a lot of people (especially senior management) are rarely willing to live with the inconvenience of the added security. One example is Windows Vista UAC. It is so annoying that many people just disable it, leaving them less secure.

*nod* — most people think that computer security procedures are there to make things difficult for them, so they just ignore them. I've lost count of the number of times I've heard of passwords being given to colleagues, friends, etc. "just in case". And even though they think "it won't happen to me, we can trust a colleague", that doesn't always hold true!

But dat is right, physical security (which these smart cards sort of slide into, in a nice shade of grey area) is just as important. The examples in this thread are just shocking :shock:

"People who hail from Manchester cannot possibly be upper class and therefore should not use silly pretentious words"

Postby Dirty Davey » Dec 24th, '08, 10:40

One of the best ones I've seen was at work in our finance department. To access the BACS systems the staff need to use a smart card and PIN.

Where did one woman keep her smart card? Blu-Tacked to the monitor, with a nice sticky label stuck on the card with her PIN written on it.


Postby Jordan C » Dec 24th, '08, 11:01

As an ICT Security Pro myself I feel your frustrations!! We can pen test, we can identify backdoors and weaknesses, we can show exploits and recommend how to close them and in the end we can close every hole that is a security breach as a consequence. Yet the one thing you cannot remedy is the human interface!!

People are different from one another so whilst you may have 95% of your workforce being extra vigilant there will always be the odd few who are absent minded or ditzy!! Sadly there is no code to fix such an exploit!!


Postby DenmarkKilo » Dec 24th, '08, 12:45

The callcentre I am stuck in has a mix of security.

To access the systems involving the main customer data, there are 3 different usernames and passwords for each employee to remember. To get to a computer, you have to use a swipecard for the doors, and even if you have access to the computer systems and have all the login details you need, there's the ultimate piece of security...

...A computer system that goes up and down more than a drug-taking body popper on a rodeo bull in the middle of an earthquake. (Cue the phrase "The system is Winehouse'd again...")

Watching: Jeeves and Wooster

Postby Robbie » Dec 24th, '08, 14:49

When I worked for a government quango, we were all issued security passes with photo ID. You had to show it to the guard/receptionist as you came in.

One morning I accidentally flashed my Zoological Society membership card instead. It didn't even have a photo on it. Nobody noticed.

"Magic teaches us how to lie without guilt." --Eugene Burger
"Hi, Robbie!" "May your mischief be spread." --Derren Brown
CF4L

Postby Tomo » Dec 24th, '08, 15:12

The human element is ALWAYS the weakest link in any otherwise competent security arrangement. In fact, there's a whole field devoted to studying and subverting the human element. It's called social engineering and it has an awful lot to offer magicians and mentalists in particular. When I was a network security consultant, I used to enjoy getting into places like server rooms and data centres to "plant the flag". A good, readable introduction to social engineering is "The Art of Deception" by Kevin D. Mitnick.


Postby Jordan C » Dec 24th, '08, 15:22

Social engineering is something that sadly can never be eradicated... in my IT role but as a magician!! What a form of manipulation!!

Check PC PLUS Jan issue on page 10 for more Tomo and Jordan


Postby DenmarkKilo » Dec 24th, '08, 16:21

The Art of Deception is a fantastic read (although I admit I got it during one of my "OMG Security and Elite Hacker Dudes" moments). Made more sense than The Art of War, and probably a lot more useful too.
Shame that Mitnick went through the US legal system a bit more heavy handed than he should have, with people doing far worse now and getting less of a punishment. I suppose it's to do with the fact that back then the legal system just didn't "get" computing...

Watching: Jeeves and Wooster

Postby dat8962 » Dec 24th, '08, 16:25

A recent survey conducted by Google into social engineering revealed that 85% of those surveyed freely gave away ALL of the information needed to commit an identity theft in exchange for a free Cadbury's Creme Egg.

Thus demonstrating that it's not what you ask but how you ask it.

True

Last edited by dat8962 on Dec 24th, '08, 18:05, edited 1 time in total.
Member of the Magic Circle & The 2009 British Isles Close-Up Magician of the Year
It's not really an optical illusion - it just looks like one!
