Saturday 7 April 2012

Anonymous demonstration of foolproof Cabinet Office plans

Don't worry – this can't happen
The BBC are reporting that the hacking group Anonymous have caused the Home Office website to be taken out of service.

Under no circumstances should this be taken as an example of what could happen if the Cabinet Office have their way and all public services are delivered over the web.

The public can safely remain entirely confident that this could never happen to the G-Cloud, for example, the "government cloud" on the web in which Her Majesty's Government plan to store all our data. All our tax records and pension records and benefits records and health records and housing records and travel records (eBorders) and Companies House records and Charity Commission records and criminal records and military records and energy infrastructure records and  driving licences and passports and the Government Gateway and ... all tucked up in the G-Cloud and all as safe as houses.

The Chinese would be quite incapable of pulling off the same trick as Anonymous, a small group of gifted amateurs. Nor could the Russians. Or an undergraduate class at the University of Michigan.

Admittedly, the OECD recommend that "cloud computing creates security problems in the form of loss of confidentiality if authentication is not robust and loss of service if internet connectivity is unavailable or ...".

And ENISA, the EU's information security agency, say that cloud computing "should be limited to non-sensitive or non-critical applications and in the context of a defined strategy ... which should include a clear exit strategy".

But here in the UK, cyber security is masterminded by the arch-moderniser Francis Maude – and what could be more modern than to use the web for all government business?
Not that there's any need to address any enquiries to them or to anyone else. Francis Maude, Martha Lane Fox, St Augustine, Tony Blair, Ian Watmore, Andy Nelson, Chris Chant, Denise McDonagh and ex-Guardian man Mike Bracken know what they're doing. They are to be trusted implicitly.

As the BBC report says, the Home Office "have put all potential measures in place and will be monitoring the situation very closely". There really is nothing to see here. "Potential measures" are in place. Not just some of them. All of them. It is simply impossible that access to the G-Cloud should ever be cut off:

Don't worry – this can't happen

6 comments:

Quentin Vole said...

Please don't dignify these moronic 'script kiddies' with the name of hacker, let alone 'gifted'. This is the computer equivalent of ringing the doorbell and then running away.

There are good reasons why the government should not be storing data 'in the cloud', but this isn't one of them.

David Moss said...

Quentin

Good to hear from you again.

The "script kiddies" have got a lot of more significant "achievements" to their name which is why I do not dismiss this one.

There are good reasons to respect Whitehall's web achievements but, equally, this shambles isn't one of them.

I agree that there are more cogent reasons to deprecate Whitehall's cloud computing initiatives. They seem to want to get Amazon and Google to do the heavy lifting for them while they, Whitehall, remain in control and costs are dramatically reduced. We know that that won't happen.

Quentin Vole said...

David - thanks for your reply (and for maintaining this interesting blog). This really shouldn't be described as a 'shambles' though.

Any public web site has a finite capacity. If enough legitimate access requests can be generated simultaneously (usually by 'recruiting' innocent PCs that have been infected by malware), the web site can be overwhelmed. Actually, this is an argument for putting your public web sites in the 'cloud', because Google/Amazon/Microsoft can afford more servers and fatter Internet pipes than you can (even if 'you' are the UK government).

QV - 40 years in IT, the last 10 as a freelance security consultant.

David Moss said...

Quentin

Have just spent a pleasant 10 minutes or so reading some of your comments on the Economist and a few other sources Google dug up. I stopped when I got to "Florence Quentin vole par la suite de ses propres ailes en signant les scripts de ...".

Along the way, I enjoyed your Mario Monti/Super Mario joke, your trigonometric contribution to Life After Mastermind and the warning about outsourcing that you posted on this blog among others. (And which, I notice, I didn't answer. My apologies.)

I think it was the excellent Ian brown who pointed out that just because we call it "cyber warfare" is no reason to assume that the MOD should be given the money to defend us against it. That pun was bad enough but it looks like an even worse joke to give control of the budget to Francis Maude and the Cabinet Office instead.

It is a sort of warfare, isn't it. Think of Estonia: "The head of IT security at Estonia's defence ministry, Mikhail Tammet, told BBC News that ... the country was particularly vulnerable as much of its government was run online". That was prompted, as far as I know, by nothing more than a DDoS attack of the sort mounted the other day by Anonymous. The "script kiddies" are on the same wedge, at the thin end if you like, as the "shambles" I see and the shutting down of Estonia (a country which, for uxorial reasons, Charles Clarke wants us to emulate).

Going by media reports alone, Anonymous are not to be dismissed lightly. They caused wobbles at Visa and MasterCard after the latter stopped processing WikiLeaks payments. Anonymous conducted similar caped crusader/vigilante attacks on Malaysia.

Those were DDoS attacks but Anonymous have also, it is said, broken into Booz Allen's servers, stolen emails and deleted source code. They stole from Italy's cyber crime unit. And from Stratfor. Not to mention getting hold of recordings of the phone calls between the UK police and the FBI.

Some script kiddies. Some neck.

Quentin Vole said...

I'm flattered, David - it seems I have a cyber-stalker :)

The trouble with groups such as Anonymous is that anyone can do anything and then attribute it to the 'group' simply by posting a message to that effect (some people would say that dealing with Al Qaeda has similar issues). There have been some clever hacks carried out in their name, but these DDoS attacks don't fall into that category, and probably don't involve the same individuals.

My hero, Bruce Schneier ("the closest thing to a rock star that the security industry has produced") commented on cyberwar and DDoS attacks at a seminar held by The Register in London last year (I paraphrase): "carrying out cyberwar by DDoS is like an invading army landing on your shores, storming up the beaches, and then pushing in to the front of the queue at the post office".

I'm highly sceptical of the whole concept of cyberwar as a real entity (as opposed to a marketing opportunity for the security industry and the military to grab more funds). For a more complete discussion of why the concept is incompletely baked, I recommend this recent paper by Thomas Rid (King's College London) from the Journal of Strategic Studies:
http://dx.doi.org/10.1080/01402390.2011.608939

David Moss said...

• Stalker? Due diligence more like.

• No newsletter in today's inbox? Either it's not 15th of the month or it is 15th and Mr Schneier is writing another book. Agreed. He's excellent. Pushing to the front of the queue at the post office may not amount to an act of war but it isn't entirely laughable as a method of disruption. Luckily we have avoided it in this country by destroying the national network of the post offices.

• Thank you for referring everyone to Thomas Rid's paper. Like you, he doesn't want to use the term "cyberwar" or any of its cognates. OK. Don't. Does that mean that there is no work for freelance security consultants? Certainly not. Does it mean that G-Cloud is a good idea? Certainly not. Mr Rid says we should talk instead, of sabotage, espionage and subversion. G-Cloud has severe contra-indications. They may not be warlike but they're serious all the same. We're all agreed. You, me and Mr Rid. Except Mr Rid – the last proposition in his paper is "Cassandra could still have the last word", i.e. maybe there is such a thing as cyberwarfare.

• Like you, he belittles the threat posed by Anonymous and then writes:

"A second example is Anonymous’ perhaps most striking operation, a devastating assault on HBGary Federal, a technology security company. HBGary’s clients included the US government and companies like McAfee. The firm with the tag-line detecting tomorrow’s malware today had analyzed GhostNet and Aurora, two of the most sophisticated known threats. In early February 2011, Aaron Barr, then its chief executive officer (CEO), wanted more public visibility and announced that his company had infiltrated Anonymous and planned to disclose details soon. In reaction, Anonymous hackers infiltrated HBGary’s servers, erased data, defaced its website with a letter ridiculing the firm with a download link to a leak of more than 40,000 of its emails to The Pirate Bay, took down the company’s phone system, usurped the CEO’s twitter stream, posted his social security number, and clogged up fax machines. Anonymous activists had used a number of methods, including SQL injection, a code injection technique that exploits faulty database requests. ‘You brought this upon yourself. You’ve tried to bite the Anonymous hand, and now the Anonymous hand is bitch-slapping you in the face’, said the letter posted on the firm’s website. The attack badly pummeled the security company’s reputation."

If that's all they're capable of then I guess there's nothing to worry about. As long as it doesn't amount to war, who cares about a little sabotage, espionage and subversion?

Post a Comment