Have You Received An Invoice Spam?


The following is one of a number of spam messages that I received yesterday; all carefully filed away in the spam folder.

To Whom It May Concern,

Please find attached an invoice relating to Penalty Charge Notice Number IA54236946 along with a copy of the contravention.


In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don’t hesitate to contact me.


Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.


Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.



Regards,

Buddy


[invoice54236946.doc application/msword (23129 bytes)]

If you received something similar (and you probably did), the following may be of some interest.

Of course it was a spam message, and of course the attachment was a malware payload (which would not have been detected by the majority of anti-virus engines). The interesting thing (and an opportunity to demonstrate something) was that many of us will have received a number of copies.

I saved 14 copies of the attachment (don’t try doing this unless you really know what you are doing), and all were different. The files were all multi-part MIME files containing a JavaScript and a binary. The binaries were all different.
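As an added example (not code from the original post), the following Python script does by program what the paragraph above describes doing by hand: it parses each saved MIME message, pulls out the attachment parts and hashes them, so a batch of copies can be compared without opening any of them. The messages it runs on are constructed samples built inside the script; the attachment bytes are placeholders rather than the real payload, and only the filename is reused from the message quoted above.

```python
"""Added example: hash the attachments in a batch of saved messages to confirm
that every copy carries a different binary. Sample messages are constructed
below; the attachment contents are placeholders, not real malware."""
import email
import hashlib
from collections import Counter
from email import policy
from email.message import EmailMessage


def build_sample(attachment_bytes: bytes, filename: str) -> bytes:
    """Construct a multipart message carrying one .doc attachment (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "Buddy <buddy@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find attached an invoice.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="msword", filename=filename)
    return msg.as_bytes()


def attachment_hashes(raw_message: bytes) -> list:
    """Return (filename, sha256 hex digest) for every attachment part in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""   # base64 is decoded here
        results.append((part.get_filename() or "(unnamed)",
                        hashlib.sha256(payload).hexdigest()))
    return results


def distinct_binary_count(raw_messages) -> int:
    """How many distinct attachment digests appear across the whole batch."""
    counter = Counter()
    for raw in raw_messages:
        for _name, digest in attachment_hashes(raw):
            counter[digest] += 1
    return len(counter)


# Constructed batch: the same filename on every copy, but differing bytes inside.
SAMPLES = [
    build_sample(b"{\\rtf1 sample-copy-one}", "invoice54236946.doc"),
    build_sample(b"{\\rtf1 sample-copy-two}", "invoice54236946.doc"),
    build_sample(b"{\\rtf1 sample-copy-one}", "invoice54236946.doc"),  # repeat of copy one
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(attachment_hashes(raw))
    print("distinct binaries:", distinct_binary_count(SAMPLES))
```

On a real batch you would read each saved .eml file with `open(path, "rb").read()` and pass the bytes to `attachment_hashes`; a count of distinct digests equal to the number of copies is the per-message morphing the post describes.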

Loading one of them into VirusTotal revealed only 3 AV products detected malware :-

[Screenshot: VirusTotal results for one of the attachments, 2016-01-07]

Three on the day after; on the day itself it was only two.

This illustrates several things :-

  1. Malware writers are still attempting to infect computers with nothing more sophisticated than click-to-infect where you rely on someone doing something less than clever.
  2. Malware writers are producing malware that morphs per message. It is possible that this invoice malware has a different binary signature for every single copy that was sent out (and it was probably millions sent out).
  3. Anti-virus products don’t detect this malware at the initial stages (a 5% detection rate is small enough to say “don’t”).

OSX Malware: Yes It Does Exist!

One of the messages that we are regularly trying to push is that malware on Apple devices can and does exist. We have even encountered a few infected Apple laptops! It is easy to overlook amongst the ever rising flood of Windows-based malware that OSX malware is also a problem.

(Sourced from https://www.av-test.org/en/statistics/malware/ and yes there is something about January 2016)

The grand total for each month is a bit deceptive; whilst there are hundreds of millions of different malware payloads each month, most of them are variations on a theme. Initially the comparison with OSX malware instances is amusing :-

(Sourced from: http://www.bleepingcomputer.com/news/apple/2015-was-the-worst-in-history-for-osx-malware/)

After all 100,000,000 is far greater than 1,000; a hundred thousand times greater in fact. But you will probably find the overall total is far lower than it appears to be, and it essentially does not matter – the risk of getting infected with malware is not directly related to the number of malware instances there are out there.

It is in fact related to the number of infections and the behaviour patterns of the person who gets infected. Refusing to believe that OSX computers can get infected is one behaviour pattern that increases your chances of getting infected!

After all, the number of malware payloads out there in the wild is irrelevant; it is the malware payload that is running on your computer that counts.

So if you are running OSX, what should you do? Various things :-

  1. Keep your major version of OSX up to date. As of 2016-01-06, you must not be running anything earlier than 10.9, and there is really very little reason not to upgrade to 10.11.
  2. Keep your minor version of OSX up to date. You should check for updates in the App store every couple of weeks (or more often) and apply updates when they become available.
  3. Consider running an additional anti-virus package such as Sophos. Whilst Apple provides its own anti-malware protection mechanisms (including a conventional anti-virus product), it can make sense to run additional protection.
  4. Avoid clicking on links in messages (of any kind).
  5. Avoid downloading software from untrusted sources – peer-to-peer networks are infamous sources of malware-infected software packages. In fact, always download software from its original source – the company (or freeware developer) that actually wrote it.
  6. Consider periodically (once a week if you regularly install software, but at least once a month) running a package such as KnockKnock which checks what your Mac starts automatically.

Who Would Want To Hack My ${Device} ?

One of the most common things you hear when talking about security to ordinary people is a variation on the question asked in the subject: Who would want to hack my desktop, laptop, phone, router, intelligent thermostat, smoke detector, etc.

The easy answer is that any cyber-criminal who wants plausible deniability would.

Any cyber-criminal redirects their network activity through a collection of compromised devices which can include some surprisingly modest devices – I wasn’t joking about smoke detectors!

Of course routing rogue traffic through your devices isn’t the only thing that is possible – they can use their access to your devices to sniff on what you are doing or use their access to further compromise other devices. Whilst you may not visit your bank’s website using your smoke detector, once someone has access to your smoke detector, they can use that access to attack other devices on your network.

With or without lots of technical details, the fix is to keep things updated – not just the obvious computers like your laptop, but also the devices that come under the banner of the “Internet of Things”.


Forged @port.ac.uk Emails

As many are undoubtedly aware, there have been a number of instances where email has been forged so that it appears to be from someone with an email address ending in @port.ac.uk. In the cases IS has investigated, the email forgeries have not involved an account compromise.

Whilst account compromises do happen, email forgeries can take place without being able to get in to the sender’s account.

IS are investigating technical counter-measures, but none of the candidates can be implemented easily nor are such measures likely to be 100% effective. In the meantime, please be aware that emails with an address ending in @port.ac.uk may be forged.

Detecting such forgeries is more of an art than a science – or the counter-measures would be simple to implement. However there are usually some hints available :-

  • The sender address (or the “From” header) may contain a name that conflicts with the email address – such as “Sarah Williamson-Blythe <mike.meredith@port.ac.uk>”.
  • The salutation (“Hi!” , “Dear _”, etc.) may be unusually formal or unusually informal. How do people normally start an email to you?
  • The end of the email (or the “signature”) may look unusually plain, or different to that you normally see.
  • The subject may include suggestions of urgency (“Urgent”, “Priority”, “Immediate”, etc.).
  • The message itself may ask you to do something that you wouldn’t ordinarily expect to see from the sender. Such as click on a link to pay some fees, enable a quota, etc. Or send the supposed sender data that they need.
  • The language used within the message or the subject may be particularly ungrammatical (although not everyone has memorised “Eats, Shoots, and Leaves”) or uses Americanizations.
  • If you start to reply, and the email address changes (i.e. what appears next to “To”) then there is something suspicious going on.

If an email is suspicious in any way, it is advisable to contact the alleged sender to see if they really did send it. Essentially these forged messages are ordinary (or not so ordinary) spam messages that use a forged @port.ac.uk to gain credibility.
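As an added example (not code from the original post), here is a small Python triage helper that applies three of the hints listed above to a message's headers: a display name that conflicts with the address, urgency words in the subject, and a Reply-To that would send replies somewhere other than the From address. It is a hypothetical aid for sorting a mailbox, not a substitute for asking the supposed sender; the two sample messages are constructed, with addresses under example.invalid.

```python
"""Added example: score a message against some of the forgery hints above.
Sample messages are constructed; the heuristics are deliberately simple."""
import email
import re
from email import policy
from email.utils import parseaddr

URGENCY_WORDS = {"urgent", "priority", "immediate"}


def name_conflicts_with_address(from_header: str) -> bool:
    """True when no word of the display name appears in the address's local part.

    "Sarah Williamson-Blythe <mike.meredith@example.invalid>" conflicts;
    "Mike Meredith <mike.meredith@example.invalid>" does not. Initials-only
    addresses (m.meredith) would be flagged too, so treat this as a hint only.
    """
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False
    local = addr.split("@", 1)[0].lower()
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) > 1]
    return not any(t in local for t in tokens)


def subject_is_urgent(subject: str) -> bool:
    """True if the subject contains one of the urgency words from the list above."""
    words = set(re.findall(r"[a-z]+", subject.lower()))
    return bool(words & URGENCY_WORDS)


def reply_to_differs(msg) -> bool:
    """True if replying would go to a different address than the one shown in From."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    return bool(reply_addr) and reply_addr.lower() != from_addr.lower()


def forgery_hints(raw_message: str) -> list:
    """Return the names of the hints that fire for a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hints = []
    if name_conflicts_with_address(msg.get("From", "")):
        hints.append("display name conflicts with address")
    if subject_is_urgent(msg.get("Subject", "")):
        hints.append("subject suggests urgency")
    if reply_to_differs(msg):
        hints.append("Reply-To differs from From")
    return hints


# Constructed samples (example.invalid is reserved for documentation).
SUSPICIOUS = """From: Sarah Williamson-Blythe <mike.meredith@example.invalid>
Reply-To: accounts-dept@mailbox.example.invalid
To: someone@example.invalid
Subject: URGENT: fees payment required

Hi! Please click the link to pay your fees.
"""

ORDINARY = """From: Mike Meredith <mike.meredith@example.invalid>
To: someone@example.invalid
Subject: Minutes of Tuesday's meeting

Hi Sam, minutes attached as promised.
"""

if __name__ == "__main__":
    print(forgery_hints(SUSPICIOUS))   # all three hints fire
    print(forgery_hints(ORDINARY))     # nothing fires
```

None of these hints is proof on its own; the value is in how many fire together, which is why the function returns the list rather than a single verdict.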

How Email Is Forged

Without getting too technical, the underlying network protocol that is used to transmit email between servers (SMTP) is very old, and was originally designed in the era when Internet services were very trusting.

Because it is so trusting, it will accept any headers including setting the sender address to “mike.meredith@port.ac.uk”.

Attempts have been made to improve the security of email over the decades (yes, it is that old), but most of these are optional extensions that are aimed more at combating spam than at dealing with forgeries.

Blocking The Forger’s Network Address

It is not uncommon for people to suggest blocking the network address used to send the forged emails. It is not a bad idea as such, because there are anti-spam measures that are very similar (RBLs).

However the blocking of a single network address can be compared to locking a stable door after the horse has bolted. It is likely that once such a network address has been used, the forger will use a different network address in the future. Essentially in almost all circumstances it isn’t possible to block a network address quickly enough for it to be effective.



The Xcode Ghost In Your Apps

We are seeing a number of instances where people have installed legitimate applications from the Apple App store, and their phone is communicating with the Xcode Ghost malware infrastructure across the network. This sort of malware infection is a bit unusual as :-

  1. This is the first serious outbreak of malware to be found in the Apple app store.
  2. This is almost identical in concept to one of the classic security attacks (Reflections on Trusting Trust).
  3. Specific versions of normal, legitimate, and fairly widely used applications were “trojaned” by a malware author.

The answer to the problem of what to do with an infected device is simple: Upgrade the applications in use. Indeed if you are not sure if you are infected or not then upgrade.

What Is Xcode?

Xcode is a suite of applications produced by Apple for use by developers. The developers use Xcode to compile source code into the binary language that computers understand. Every application on your iThingie (iPhone or iPad, plus Apple laptops and desktops) has been compiled by Xcode.

Or by a version of Xcode that has been “hacked” so that applications built with it are loaded with malware.

How Did This Happen?

Versions of Xcode distributed by Apple are and were safe. What the malware author did was to produce “hacked” versions of Xcode and made them available at alternative download sites.

For some reason, some developers of legitimate applications downloaded Xcode from those alternative download sites, and the applications they compiled were “trojaned” with malware.

What Was The Damage?

The trojaned applications sent data that the application had access to over the network to the malware author’s command and control servers. The data that was sent was relatively benign, but passwords associated with applications known to be infected should be changed.

Links


What Do You Do With Your Old Phone, Tablet, and Laptop?

In the case of devices provided by the University, it is of course the University’s responsibility to maintain device security. But for your own personal devices?

That responsibility belongs to you.

Wiping a phone may seem like a waste of time – too much effort for too little gain, but there is a surprising amount of personal data on an old phone and there are people who like to recover such data. A small amount of that data (probably including your account details) is actually University data, so we have a vested interest in persuading you to clean your devices properly before disposing of them.

A recent report into the data recoverable from devices sourced from a well-known online auction site showed that data was recoverable from slightly over 1/3 of the devices.

Wiping a device may be both easier and harder than you expect.

Firstly a “Factory Reset” is not necessarily sufficient to clean a device.  If your device is encrypted (and there are lots of good reasons why you should, and no real reasons why you shouldn’t), then a factory reset is likely to be effective.

Android Devices

If you are using an Android device then use the Google Android Device Manager for the account your Android device is linked to. On the map that appears, you should see a pop-out with one of your Android devices shown :-

[Screenshot: Android Device Manager map with the device pop-out]

Click on the arrow pointing south-east next to the name of the device to choose which device you want to manage (it doesn’t show up if there’s only one device). If the device shows as above then you need to click on “Enable Lock & Erase” and accept that setting on your phone.

At which point it will look like :-

[Screenshot: Android Device Manager after “Enable Lock & Erase” has been accepted]

At this point the “Erase” button will take you through a warning dialog and then attempt to erase your device. Assuming it is on-line, it will be erased completely; otherwise it will be erased the next time it manages to reach the Internet.

Erasing an iDevice (iPhone, iPad, …)

Simply :-

  • Back up your data (either using iTunes or to iCloud)
  • Tap Settings > General > Reset
  • Tap on Erase all Content and Settings

These instructions were copied from another article; without an iDevice to hand, I’m unable to test it.


Mail Diagnostics: Getting The Original View

When dealing with problematic emails, it is vitally important to get a proper view of the message headers. Mail clients (such as the Google Mail client on the web) typically hide this view, and only show the interesting headers such as “From”, “Subject”, “To”, etc.

However the Google Mail client does allow the proper raw headers to be shown and that is done by opting for the “Show original” command.

Firstly when you are reading the mail in question, look at the menu under the “Reply” button :-

[Screenshot: the “Reply” button and its drop-down arrow in Google Mail]

The underlined button has a drop-down arrow next to it. If you select that you get the menu :-

[Screenshot: the drop-down menu containing “Show original”]

And the option “Show original” will show a very plain looking page with just the raw text view of the email within it, which may contain something like :-

Delivered-To: mike.meredith@port.ac.uk
Received: by 10.64.133.101 with SMTP id pb5csp2715007ieb;
        Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
X-Received: by 10.66.253.170 with SMTP id ab10mr70840708pad.135.1442485399205;
        Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
Return-Path: <upngxfym@quicvt.com>
Received: from quicvt.com ([122.190.89.187])
        by mx.google.com with ESMTP id yo3si4299121pbb.127.2015.09.17.03.23.09
        for <mike.meredith@port.ac.uk>;
        Thu, 17 Sep 2015 03:23:19 -0700 (PDT)
Received-SPF: neutral (google.com: 122.190.89.187 is neither permitted nor denied by best guess record for domain of upngxfym@quicvt.com) client-ip=122.190.89.187;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 122.190.89.187 is neither permitted nor denied by best guess record for domain of upngxfym@quicvt.com) smtp.mailfrom=upngxfym@quicvt.com
Message-ID: <2ED9BF882B94D9ACDC5E3863B7CEB321@quicvt.com>
From: =?utf-8?B?5r2Y5YWI55Sf?= <upngxfym@quicvt.com>
To: <mike.meredith@port.ac.uk>
Subject: =?utf-8?B?77yI6YKA6K+35Ye977yJ6IGM5Zy65r2c6KeE5YiZLS3kuK3lnZrlipvph4825aCC6K++?=
Date: Thu, 17 Sep 2015 18:23:03 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0B32_01510E77.1F352EB0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512

This is a multi-part message in MIME format.

(It usually carries on into the message body at this point.)

This “original view” allows us to look more closely at where emails originate from.

The Authentication Check

When looking at the “original view”, there is one header whose presence is a good indicator that the email was probably sent by someone using the sender’s account. This header is :-

Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of mike.meredith@port.ac.uk designates 2607:f8b0:400d:c04::229 as permitted sender) smtp.mailfrom=mike.meredith@port.ac.uk;
 dkim=pass header.i=@port.ac.uk

The header name (“Authentication-Results”) and the significant parts of that header are the spf=pass and dkim=pass results. There is a reasonable degree of confidence that the mail associated with this header was in fact sent using Craig Robson’s account.

In the event that the mail was a spam, there is a good chance that the account has been compromised.
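As an added example (not code from the original post, and not anyone's official parser), the Python below automates the check just described: it reads the Authentication-Results header from a raw message, picks out the SPF and DKIM results, and only reports “authenticated” when both passed and the DKIM signing domain matches the domain in the From address. The two raw messages are constructed from the header shapes shown in this post, with the receiving server and the client IP replaced by documentation values.

```python
"""Added example: decide from Authentication-Results whether a message was
sent through the sender's own domain. Sample messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr


def parse_authentication_results(value: str) -> dict:
    """Map method -> result, e.g. {'spf': 'pass', 'dkim': 'pass'}.

    Parenthesised comments are removed first so that text inside them (such as
    "domain of ...") cannot be mistaken for a method=result pair.
    """
    stripped = re.sub(r"\([^)]*\)", " ", value)
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", stripped)}


def dkim_signing_domain(value: str) -> str:
    """Extract the domain from 'header.i=@domain' or 'header.d=domain'."""
    m = re.search(r"header\.(?:i=@|d=)([\w.-]+)", value)
    return m.group(1).lower() if m else ""


def authenticated_as_sender(raw_message: str) -> bool:
    """True when SPF passed, DKIM passed, and the DKIM domain equals the From domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    results = parse_authentication_results(auth)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    return (results.get("spf") == "pass"
            and results.get("dkim") == "pass"
            and dkim_signing_domain(auth) == from_domain)


# Constructed from the "pass" header shown in the post; server name and IP are documentation values.
AUTHENTICATED = """Authentication-Results: mx.example.invalid;
 spf=pass (example.invalid: domain of mike.meredith@port.ac.uk designates 2001:db8::229 as permitted sender) smtp.mailfrom=mike.meredith@port.ac.uk;
 dkim=pass header.i=@port.ac.uk
From: Mike Meredith <mike.meredith@port.ac.uk>
Subject: test

body
"""

# Constructed from the "neutral" header shown in the post: no DKIM signature at all.
NEUTRAL = """Authentication-Results: mx.example.invalid;
 spf=neutral (example.invalid: 192.0.2.10 is neither permitted nor denied by best guess record for domain of someone@example.invalid) smtp.mailfrom=someone@example.invalid
From: Someone Else <someone@example.invalid>
Subject: test

body
"""

if __name__ == "__main__":
    print(authenticated_as_sender(AUTHENTICATED))   # True
    print(authenticated_as_sender(NEUTRAL))         # False
```

The domain comparison matters: an spf=pass for the envelope sender says nothing about the From header unless the two line up, which is why the helper checks the DKIM domain against the From address rather than trusting either result alone.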

But It Says “From …”

The “From” header in an email is just a label and anyone who can control the mail software they use can put anything they like in that header.


CESG Offer Password Security Tips

Unlike previous guidance, this doesn’t focus on trying to get ever more entropy into passwords. Instead CESG are encouraging system designers and security architects to think more about where they’re requiring passwords, and what they’re trying to achieve with them. As Information Services have always recommended to users – a simple approach can greatly improve security, and doesn’t have to compromise usability.

Follow the link below for the full report and infographic:

https://www.gov.uk/government/publications/password-policy-simplifying-your-approach


Protecting personal data in online services: learning from the mistakes of others

Unfortunately, there are many serious data loss incidents which could have been avoided or reduced in severity if simple good practice had been implemented.   The Office of the Information Commissioner has published guidance on the most significant threats to data protection. These are defined as those that have either resulted in a severe breach of the DPA or frequently occur in the ICO’s casework.  This blog-post offers a summary of this work.

 – Read this guidance, apply the principles and avoid the pitfalls –

The ten most frequently-arising computer security issues are:

  1. Operating system – software updates not done: unpatched servers are a real security hazard – keep all software on your server up to date.
  2. SQL injection attack possible: poor coding can create security holes which leak data – websites are particularly at risk.
  3. Unnecessary services left on: unnecessary services can offer an open door to cyber-criminals.
  4. Disposal of software and/or equipment: data hygiene is essential before any digital equipment is recycled, reused or destroyed.
  5. Passwords and storage: passwords must be strong and they must be stored securely.
  6. Poor configuration of SSL and TLS: incorrect configuration (including default) can lead to a mistaken sense of security.
  7. Data processed in an inappropriate location: a large number of data breaches involve personal data being processed in an inappropriate location (e.g. at home without permission).
  8. Default system credentials left intact: many software components are distributed with default credentials (e.g. a username, a password) which are often overlooked. These credentials are widely known!
  9. ‘Layered Products’ – software updates not done: unpatched versions of PHP, Java, Tomcat, Networker, PuTTY etc. are a security hazard.
  10. Unencrypted personal data: personal data should be appropriately protected by strong encryption.


1.0 Software security updates

Without regular application of security updates to a system’s software, it will become progressively more vulnerable over time as more security flaws are discovered and methods for exploiting them become more widely-known. The same situation will arise when the developers discontinue technical support for a software product, which normally means that no more security updates will be available.

If there is a good reason not to apply all available updates as soon as possible, then an exceptional patching policy must be drawn up.   The business owner should perform a risk assessment and seek appropriate approval for any risk treatment decisions made, taking proper account of the nature of the data being processed.    

1.1 Good practice summary:

1.1.1 You must have adequate arrangements in place for OS software update – especially for software used for processing personal data.   

1.1.2 There may be good reasons not to apply all available updates as soon as possible. For example:

  • an operational need to wait for a suitable maintenance period;
  • co-ordination with other necessary updates on related software;
  • the need to test updates before rolling them out to production systems; or
  • an assessment that a vulnerability does not affect the configuration used by the relevant systems.

When there is a reason to delay, the server owner or business owner should perform a risk assessment and seek appropriate approval for any risk treatment decisions made.  This risk assessment should take proper account of the nature of the data being processed.   Security updates must be applied as soon as is reasonably practical after they become available.   


2.0 SQL injection

The risk of ‘SQL injection’ affects applications that pass user input to databases in an insecure manner.   Typically this can occur in a publicly-available website that uses a database, in order to display or input information.     Since SQL injection flaws are introduced in the source code of applications, it is important to identify who is responsible for maintaining the source code of any application used.

2.1 Good practice summary

2.1.1 Be aware of all of your assets that might be vulnerable to SQL injection. SQL injection can affect applications that pass user input into a database and includes many modern websites and web applications.

2.1.2 SQL injection presents a high risk of compromising significant amounts of personal data and it must be considered to be a high priority for prevention, detection and remediation.

2.1.3 SQL injection results from coding flaws – so be sure you know who is responsible for developing and maintaining your code.  It is these people who you will need to rely on to prevent SQL injection or fix SQL injection flaws if they are found. They will need guidance and training to understand the issue.

2.1.4 Consider independent security testing (penetration testing, vulnerability assessment, or code review, as appropriate) of the relevant sites or applications in order to identify code development issues, including SQL injection flaws.  Do this before the application goes live and periodically test live applications.

2.1.5 When remediating an SQL injection flaw, consider using parameterised queries where possible, and ensure that all similar input locations are also checked and remediated where applicable.

Parameterised queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This ensures that the database can distinguish between code and data, regardless of what user input is supplied and means that an attacker is not able to change the intent of a query, even if SQL commands are inserted.
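As an added example (not from the ICO guidance or from this post), the Python below shows the same user lookup written both ways against a small in-memory SQLite table of constructed rows. The concatenated version is included only to show why point 2.1.5 matters: the same input that changes the intent of the concatenated query is treated as a plain, non-matching value by the parameterised one.

```python
"""Added example: string-built query beside its parameterised form, run on
constructed sample rows in an in-memory SQLite database."""
import sqlite3

SAMPLE_USERS = [("alice", "alice@example.invalid"),
                ("bob", "bob@example.invalid"),
                ("carol", "carol@example.invalid")]


def make_db() -> sqlite3.Connection:
    """Create the sample table; the INSERT itself is parameterised."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Flawed form: user input becomes part of the SQL text, so it can alter the query."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username: str) -> list:
    """Fixed form: the SQL text is constant and the value is bound separately as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    odd_input = "' OR '1'='1"   # constructed input that is not a username at all
    print(lookup_vulnerable(conn, "alice"))
    print(lookup_vulnerable(conn, odd_input))     # every row comes back
    print(lookup_parameterised(conn, odd_input))  # no row has that literal username
```

The same principle applies to every database driver: the fix is to keep the query text fixed and hand values to the driver through its placeholder mechanism, and, as 2.1.5 says, to check every other place in the code that builds a query the same way.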


3.0 Unnecessary services

A golden rule in network security is only run services that are absolutely necessary. This will reduce the number of ways an attacker might compromise systems on the network.    If you have services which are publicly accessible and are not being actively used, you are leaving doors open (i.e. exposing potential attack vectors) unnecessarily.

3.1 Good practice summary:

3.1.1 Completely decommission any service that is not necessary.

3.1.2 Avoid high risk services such as telnet.

3.1.3 Ensure that services intended for local use only are not made publicly-available.

3.1.4 Perform periodic port-scanning to check for unnecessary services that have been inadvertently enabled.

3.1.5 Maintain a list of which services should be made available.  Periodically review the list to see whether any services have become unnecessary, and restrict or decommission them as appropriate.
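As an added example (not from the ICO guidance or from this post), the Python below turns points 3.1.3 to 3.1.5 and 4.1.3 into a repeatable check: a maintained list of the services a host should expose, with their intended scope, is compared against what the host is actually listening on. The listener table is a constructed sample in the layout printed by `ss -ltn` on Linux; on a real host you would feed in that command's output instead.

```python
"""Added example: audit a host's listening TCP ports against a service list.
ALLOWED and SAMPLE_SS_OUTPUT are constructed for illustration."""

# The service list: port -> intended scope. Anything else should not be listening.
ALLOWED = {
    22: "public",     # ssh
    443: "public",    # https
    6379: "local",    # redis: loopback only, never exposed
}

# Constructed sample in the layout of `ss -ltn` (listening TCP sockets, numeric).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(ss_output: str) -> list:
    """Return (local address, port) for each LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # header line or something else
        addr, port = fields[3].rsplit(":", 1)   # works for "[::]:443" as well
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(listeners, allowed=ALLOWED) -> dict:
    """Sort listeners into findings against the service list.

    unexpected_public: not on the list and reachable from the network (3.1.1, 4.1.3)
    unexpected_local:  not on the list, loopback only (still decommission it)
    exposed:           listed as local-only but bound to a non-loopback address (3.1.3)
    """
    findings = {"unexpected_public": [], "unexpected_local": [], "exposed": []}
    for addr, port in listeners:
        public = addr not in LOOPBACK
        scope = allowed.get(port)
        if scope is None:
            findings["unexpected_public" if public else "unexpected_local"].append(port)
        elif scope == "local" and public:
            findings["exposed"].append(port)
    return findings


if __name__ == "__main__":
    for kind, ports in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)).items():
        print(f"{kind}: {ports}")
```

Run on the sample, the audit flags telnet on port 23 as an unexpected public service (3.1.2), port 8080 as an unlisted local one, and redis as a local-only service that has been exposed. Checking from a second host with a port scanner, as 3.1.4 and 4.1.3 suggest, confirms the view from the outside, which firewall rules may make different from the view on the host itself.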


4.0 Decommissioning of software or services

When an old or temporary/test service is no longer needed, it must be decommissioned thoroughly, otherwise it will continue to pose a risk.   

4.1 Good practice summary:

4.1.1 List all the components of a service so that you can make sure they are all decommissioned.

4.1.2 Make a record of any temporary services which you will eventually need to disable.

4.1.3 Thoroughly check that the decommissioning procedure has actually succeeded (use systematic tools such as port scanners to check this).

4.1.4 Arrange for the secure disposal of any hardware and storage devices.


5.0 Password storage

Users’ access credentials (eg a username and password or passphrase) are particularly valuable to attackers and it is important that credentials are appropriately managed.

5.1 Good practice summary:

5.1.1 Don’t store passwords in plain text, nor in an easily decryptable form.

5.1.2 Use a hash function.  Only store the hashed values.

5.1.3 The hash function should have appropriate strength to make offline brute-force attacks extremely difficult, if not impossible.

5.1.4 Use ‘salting’ to make offline brute-force attacks less effective.

5.1.5 Periodically review the strength of the hash function and keep up to date with advances in computing power. The best way of achieving this is to use a password hashing scheme with a configurable work factor.

5.1.6 Use a combination of password strength requirements and user education to ensure that attackers can’t simply guess common passwords.  

5.1.7 Have a plan of action in case of a password breach (e.g. how to reset users’ passwords in bulk and how to notify them of what has happened and what they need to do about it)
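As an added example (not from the ICO guidance or from this post), the Python below implements points 5.1.2 to 5.1.5 with the standard library: a per-password random salt, PBKDF2-HMAC-SHA256 from `hashlib`, a configurable iteration count, and a check that tells you when a stored record was made with a lower work factor than today's so it can be re-hashed at the next successful login. The storage format ("pbkdf2_sha256$iterations$salt$hash") and the iteration count are choices made here, not a standard of any particular system.

```python
"""Added example: salted password hashing with a configurable work factor.
Format and iteration count are this example's own choices."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # raise over time as hardware gets faster (5.1.5)


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, salt and digest."""
    salt = os.urandom(16)                                   # fresh salt per password (5.1.4)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _split(stored: str):
    """Unpack a stored record; refuse anything in an unknown format."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    iterations, salt, expected = _split(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, current_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than the current one.

    Call after a successful login and re-hash the password the user just
    supplied, so old records are upgraded without forcing a reset.
    """
    iterations, _, _ = _split(stored)
    return iterations < current_iterations


if __name__ == "__main__":
    old_record = hash_password("correct horse battery staple", iterations=100_000)
    print(verify_password("correct horse battery staple", old_record))  # True
    print(verify_password("wrong guess", old_record))                   # False
    print(needs_rehash(old_record))                                     # True
```

Because the work factor travels with each record, raising `CURRENT_ITERATIONS` later does not invalidate existing records; `needs_rehash` identifies them and they are upgraded one login at a time, which is the periodic review point 5.1.5 asks for.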


6.0 Configuration of SSL or TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are closely related encryption schemes used for ensuring secure communications across the internet. In practice, the single term ‘SSL’ is often used loosely to signify either or both of SSL and TLS, even though TLS has been in existence since 1999 and is now widely used and supported. Misconfiguring an SSL or TLS service will cause one or both of the assurances it is meant to provide not to be guaranteed. However, both assurances are required to create a trusted connection so that personal data or other sensitive information can be securely transferred.

6.1 Good practice summary:

6.1.1  Ensure that personal data (and sensitive information generally) is transferred using SSL or TLS where appropriate.

6.1.2 Consider using SSL or TLS for all data transfer in order to reduce complexity. Remember that in the case of a website, any included content such as images, JavaScript or CSS should also be provided over SSL or TLS in order to avoid ‘mixed content’ warnings.

6.1.3 Ensure that SSL or TLS is set up to provide encryption of adequate strength.

6.1.4 Ensure that every SSL or TLS service uses a valid certificate, and schedule renewal of all certificates before they expire to ensure the services remain secure.

6.1.5 Consider obtaining an Extended Validation (EV) certificate if assurance of identity is of particular importance.

6.1.6 Do not encourage users to ignore SSL or TLS security warnings.
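As an added example (not from the ICO guidance or from this post), the Python below shows the client side of points 6.1.3, 6.1.4 and 6.1.6 using the standard `ssl` module: a context that refuses protocol versions older than TLS 1.2, always verifies the peer certificate and checks the hostname, plus a helper that turns a certificate's notAfter field into days remaining so renewals can be scheduled before expiry. No network connection is made; the certificate is a constructed sample in the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, and the reference date is fixed so the arithmetic is reproducible.

```python
"""Added example: a hardened client TLS context and a certificate-expiry check.
SAMPLE_CERT and REFERENCE_NOW are constructed values."""
import ssl
from datetime import datetime, timezone
from typing import Optional


def make_client_context() -> ssl.SSLContext:
    """Context that refuses SSLv3/TLS 1.0/TLS 1.1 and always verifies the server."""
    ctx = ssl.create_default_context()            # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # adequate strength (6.1.3)
    ctx.check_hostname = True                     # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # no silently ignored warnings (6.1.6)
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Quick assertion that a context still has the settings above."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Days left, given a notAfter string such as 'Mar  1 00:00:00 2016 GMT'."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days


def renewal_due(cert: dict, warn_days: int = 30, now: Optional[datetime] = None) -> bool:
    """True when a getpeercert()-style dict is within warn_days of expiring (6.1.4)."""
    return days_until_expiry(cert["notAfter"], now) <= warn_days


# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.invalid"),),),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Mar  1 00:00:00 2016 GMT",
}
REFERENCE_NOW = datetime(2016, 2, 1, tzinfo=timezone.utc)   # fixed "today" for the sample

if __name__ == "__main__":
    ctx = make_client_context()
    print("hardened:", context_is_hardened(ctx))
    print("days left:", days_until_expiry(SAMPLE_CERT["notAfter"], now=REFERENCE_NOW))  # 29
    print("renew now:", renewal_due(SAMPLE_CERT, now=REFERENCE_NOW))                   # True
```

On a live service you would obtain the dictionary from `getpeercert()` after connecting with this context and run `renewal_due` from a scheduled job, so the reminder to renew arrives well before the certificate stops validating.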


7.0 Inappropriate locations for processing data

A large number of data breaches involve personal data being processed in an inappropriate location.  There are typically two main types of cause of this:

  1. Poor security architecture, meaning that it isn’t clear where and how personal data should be processed.
  2. Inadvertently storing personal data in a publicly accessible area.

7.1 Security architecture

An important principle is segregation of production environments from development or testing environments.

7.1.1 Ensure testing or staging environments are segregated from the production environment.

7.1.2 Consider segmenting your network according to function and in accordance with your data protection policies.

7.1.3 Ensure your network architecture accounts for functions such as backups and business continuity in general.

7.2 Storing personal data in a widely-accessible location

Data leaks can happen as a result of three mistakes that can be made, either separately or together:

7.2.1 Failure to realise that the storage place is widely accessible

7.2.2 Failure to realise the personal nature of the data in the first place

7.2.3 Administrative error

7.3 Storing personal data – good practice:

7.3.1 Make sure you have policies for how, when and where personal data will be processed.

7.3.2 Consider all the services you are running, how they are accessible, and whether they comply with your policies.

7.3.3 In particular, ensure any web servers are exposing only the intended content. Where necessary, apply specific access restrictions.

7.3.4 Do not rely merely on obscurity to prevent access.


8.0 Default credentials

Many software components are distributed with default credentials provided, typically a username and password.  This can make distribution, installation and set-up simpler, but also poses a security risk because these credentials are widely known.

8.1 Default credentials – good practice summary:

8.1.1 Change any default credentials as soon as possible.

8.1.2 When changing default credentials, remember to follow good practice on strong password choice.

8.1.3 Ensure that credentials are not hard-coded into any of your software.

8.1.4 Ensure that credentials are not transmitted in plain text.


9.0 Layered products

Layered products include software components, services, libraries and development frameworks which sit on top of the operating system in a layer just below or adjacent to the application.  These include Rails, PHP, Java, Tomcat, Networker and PuTTY.     Without regular security updates to these layered products, they will become progressively more vulnerable over time as more security flaws are discovered and methods for exploiting them become more widely-known.

9.1 Layered products – good practice summary:

9.1.1 You must make adequate arrangements for the software update of layered products.   If there is a good reason not to apply all available updates as soon as possible, then an exceptional patching policy must be drawn up.   The business owner should perform a risk assessment and seek appropriate approval for any risk treatment decisions made, taking proper account of the nature of the data being processed.    


10.0 Unencrypted personal data

Personal data must be adequately protected from unauthorised disclosure, theft, loss, and accidental and deliberate damage.   Adequate protection means protective controls which are commensurate with risk.     Personal data is vulnerable when it is processed on a mobile device, or when it is at rest (stored on USB, magnetic or optical media) or when it is being transmitted.  Encryption must be considered as a control to protect personal data at these times.

10.1 Personal data – good practice summary:

10.1.1 Don’t process, store or transmit personal data without management consent.

10.1.2 Know how much personal data you are processing

10.1.3 Know what the personal data contains

10.1.4 Know the path followed by the data during processing

10.1.5 Ensure that personal data is encrypted when the data is transmitted or stored.



Time For WordPress Updates Again! And Automating Backups …

Today, WordPress announced a critical security update that should be applied to all installations of WordPress. Whilst you are hopefully applying updates to the main WordPress installation automatically, now would be a good time to log in to the control panel and check for updates.

In addition to the main WordPress installation, it is worth checking for other updates – plugins and themes – which do not automatically update. Many WordPress break-ins of recent times have been due to vulnerable plugins.

It isn’t as if checking for updates and applying them is too time consuming – doing that for all three of the blog sites I run took less time than it took to write this posting.

On a practical note, WordPress suggests performing a backup before performing an update, but providing that you perform regular backups you can probably take the risk of not bothering. I have been updating WordPress installations for years and except for the very earliest days, have yet to have an issue.

Automating Backups

But you should be performing regular backups, which are reasonably easy to arrange. The first step is to install a plugin called “WP-DB-Backup” :-

[Screenshot: WordPress “Add New” plugin search showing WP-DB-Backup]

  1. Click the “Plugins” menu option down the side.
  2. Click the “Add New” menu option that appears.
  3. Search for “WP-DB-Backup”.
  4. Click on the “Install Now” button next to “WP-DB-Backup” (it’s underlined manually above).

Once installed you will have to activate it, and then configure it. The configuration screen is accessed from “Tools” -> “Backup” :-

[Screenshot: WP-DB-Backup configuration screen under Tools -> Backup]

If you scroll through the options until you reach “Scheduled Backup” :-

[Screenshot: the “Scheduled Backup” section of the WP-DB-Backup options]

Ignore the complicated bit to the right where you select additional database tables to back up. For now these can be ignored. Simply select a frequency of backups (once a day is reasonable) and specify an email address to send to.

Then click on “Schedule backup”.

There are of course other options for performing backups; many of which have many more features but they do tend to ask you to pay for them. And this one is the one I have been using for long enough that I can advise to use it.
