It’s time to quarantine infected computers

Image credit: Roy Costello used under Creative Commons

Image credit: Roy Costello used under Creative Commons

Quarantine is a word derived from the the 17th century Venetian for 40 (quaranta). The purpose of quarantine is to separate and restrict the movement of otherwise healthy organisms who may have been exposed to disease, to see if they become ill. The 40 day period was designed to identify carriers of the Bubonic plague or Black Death, before they could go ashore and spread the contagion more widely.  Desperate times call for desperate measures, nevertheless the concept was widely adopted and remains with us to this day.

The word quarantine has been thoroughly misused by the well-meaning security industry, where known infected files or systems are moved to a protected area until they can be examined and cleaned-up. More accurately we should be calling this “isolation” as in most cases we already know the subject to be compromised or infected.  Nonetheless, this serves an equally important purpose of containing the spread of compromise and it’s consequences; abuse of compromised systems for sending Spam, theft of sensitive information and spread of infection just for example.
Continue reading

Oy vey, eBay! Five questions for you…

Image courtesy of Richard Elzey used under Creative Commons

If you’re making a list of high profile data breaches, you now have a new name to add to that list; eBay. In a posting in the “in the news” section of their web site eBay clarified to some extent the scale of the breach, although even the headline seems incapable of telling it like it is.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth

Although investigations are of course still ongoing, the current posting indicates that eBay are relatively sure that unauthorised access was only to one database, or certainly the wording of the article presents that view. For now, if you’re an eBay user, you need to change your password there and if you used that password on any other web site, you’re going to need to change it there too (yes, again). Unfortunately changing your name or address is not so easy, that’ll have to stay compromised I’m afraid.

Continue reading

The “right to be forgotten” is not censorship.

Image used under Creative Commons by Sara Biljana

Enshrining the right to be forgotten  is a further step towards allowing individuals to take control of their own data, or even monetise it themselves, as we proposed in the 2020 white paper (Scenarios for the Future of Cybercrime).

The way the law stands in the EU currently, we have legal definitions for a data controller, a data processor and a data subject, an oddity which lands each of us in the bizarre situation where we are subjects of our own data rather being able to assert any notion of ownership over it. With data ownership comes the right to grant or deny access to that data and to be responsible for its accuracy and integrity.

Continue reading