The Smoothwall Blog<br>We all work in the internet security industry, and as such we're involved with a wide range of technologies, markets and people. <br>Our collective blog is a space for our insights, observations and interests...
<br><br>
<strong>(N.B. The opinions expressed here are those of the individual authors, and not those of Smoothwall ltd or Smoothwall inc.)</strong><br /><br />Shock News: Trusted Sites Serve Malware in Ads (published 2015-08-06)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-2emz_-paewg/VcHik5sRFcI/AAAAAAAABNI/6yZZDfvL-A8/s1600/trusted_sites_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="http://4.bp.blogspot.com/-2emz_-paewg/VcHik5sRFcI/AAAAAAAABNI/6yZZDfvL-A8/s400/trusted_sites_malware.png" width="400" /></a></div>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br />Yes, I know. We shouldn't really be particularly surprised that a legitimate site -</span><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: blue;"> <a href="https://blog.malwarebytes.org/malvertising-2/2015/08/large-malvertising-campaign-takes-on-yahoo/"><span style="color: blue;">even one the size of Yahoo</span></a></span><span style="color: #666666;"> - has ended up mistakenly serving some form of badware through their advertising networks. It’s not the first time. Yahoo hit the headlines for malware related problems </span><a href="http://www.pcworld.com/article/2086700/yahoo-malvertising-attack-linked-to-larger-malware-scheme.html"><span style="color: blue;">in 2014</span></a><span style="color: #666666;">, when an affiliate traffic pushing scheme targeted Yahoo users with malware served through adverts on the Yahoo website, and now it’s happened again. </span></span><br />
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">Ad revenue on the Internet is hard to live on at the best of times, and we can expect "lowest cost" behaviours, including, but not limited to, fairly rudimentary checks on the intentions of advertisers.</span><br />
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">The obvious thing to do here is to bleat on about the efficacy of having a web filter in fighting some of those attacks - you've read that before, hey, you may have even read it before from me. Fill in this section on your own, as an exercise for the reader.</span><br />
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">You probably also know how important HTTPS interception is - of course, this malware was served over HTTPS, wouldn't want any pesky insecure mixed content now, would we? Again, I’ve expounded at length on the subject. No HTTPS scanning = no security. Don't accept "blacklists" of sites that get MITM scanned: the delivery site won't be on that list, and your malware sails on through free and easy.</span><br />
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">The thing I want to mention today is the other big secret of content filtering: some web filters only apply the full gamut of their filtering prowess to sites that are not already in their blocklists. This is wonderful for performance. It might even mean you only need a single web filter to provide for a huge organisation - but when a "trusted" site, that's already "known" to the web filter, bypasses some of the content filtering in order to save a few CPU cycles you may be getting a false economy.</span><br />
<br />Posted by Tom Newton<br /><br />Happy Birthday - Smoothwall Celebrates 15 Years (published 2015-07-28)<br /><div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Hker8bpuhmk/VbY-yZcpN2I/AAAAAAAABMM/2FLJxpY1WLU/s1600/happy_birthdaysw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://1.bp.blogspot.com/-Hker8bpuhmk/VbY-yZcpN2I/AAAAAAAABMM/2FLJxpY1WLU/s400/happy_birthdaysw.png" width="400" /></a></div>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">Fifteen years ago, Lawrence Manning, a co-founder of Smoothwall, sat in his front room putting the final touches on a prototype for a special kind of software. </span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /><br />This week, we</span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"> spent some time catching up with Lawrence as he reflects on the 15 year progression of Smoothwall</span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"> from an Open Source Linux project to the UK's number one web filter. </span><br />
<span style="color: #666666;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><span style="font-family: Arial, Helvetica, sans-serif;"><b>SW: Where did the name Smoothwall come from?</b></span></span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">LM: We had a couple of ideas for names. Since we were trying to popularize this through the Linux user groups, one of our ideas was to call it LUGWall. I’m glad we didn’t choose that! “SoHo” was a popular buzzword at the time, so we also had SoHo-Connect. And one of the other rejected names was WebbedWall, which I kind of like. The idea was also to have a “family” of projects one day, so we wanted a name that could be adapted. SmoothMail (email solution), and SmoothLinux which was going to be a desktop distribution based on Smoothwall ideas. Needless to say, nothing came of those ideas. There were rumours that the “Wall” part was named in honour of Larry Wall, the original author of the Perl programming language: the main language used in the project. I’m still not certain how much truth there is in this, but it’s a nice touch if it is true. Anyway, we went through a bunch of names and liked Smoothwall the best.</span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>SW: What prompted you to start the first Open Source Smoothwall?</b></span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">LM: The need for something to do! Not working at the time, I had energy to spend. And also the, maybe arrogant, belief that I could do something “better”. There were alternatives around, not many, but some. Every one that we looked at was difficult to use, difficult to set up. The combination of those things was a pretty good driver.</span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>SW: Why did you choose Open Source instead of Proprietary?</b></span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">LM: Open Source is “free marketing”. I’m far from a believer that Open Source is the only way to make good software, but it is a great way to get people interested in what you are doing. In the early days of the project, I wrote all the code. But the fact it was Open Source (though it wasn’t run like a typical Open Source project) meant that people felt encouraged to tinker with it, and that led to ideas, and eventually code being contributed. This would not have happened if we’d kept the code closed; the interest just wouldn’t have been there.</span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>SW: Why Linux?</b></span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">LM: Well, there weren’t really any alternatives. I guess compared to the BSDs the driver support was better, but more than that, it was familiar. And we liked it of course. It was, and remains, the best platform for this kind of product, evidenced by the fact that everyone uses it in everything.</span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>SW: What does it feel like to have invented a product that is responsible for 150 jobs</b>?</span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">LM: Obviously I’m very proud with what we have accomplished. What is especially gratifying, beyond the fact that we’ve created a company with, I believe it is right to say, a good ethical record, but also that its main business is keeping people safe.</span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>SW: Did you imagine when you started that Smoothwall would be where it is today?</b></span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">LM: Nope! I honestly believed this thing would go on for about six months, and then I’d be forced back to Windows development work, with Smoothwall just being another little project to add to the list of little I’d worked on over the years.</span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>SW: What's your favorite Star Trek character, or episode and why?</b></span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">LM: 7 of 9? Actually it is Scotty. Series wise, The Original Series still stands the test of time. Within that series, I have too many favourite episodes to list. The newer stuff is good too of course, but you can’t beat TOS. Oh, and “Into Darkness” sucks!</span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>SW: How did you meet George and Daniel?</b></span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">George: I first met him at a motorway service station, near Exeter I think, to discuss commercial angles around Smoothwall. I was quite apprehensive because prior to it he’d sent me a big list of technical questions about Smoothwall, many of which I had no idea how to answer!</span><br />
<span style="color: #666666;"><br /></span>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">Daniel: Well, George headhunted him. Prior to actually meeting him I’d downloaded his DansGuardian software, which is basically what we wanted Daniel for, and played around with it, and of course had loads of questions. We got on great from the beginning, though I do remember being appalled with his first crack at a Guardian user interface!</span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>SW: What's your best Smoothwall memory?</b></span><br />
<span style="color: #666666;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">LM: There are many, of course. From a development point of view, I don’t believe I have ever been as productive as I was in the 3 months after the company was founded. In those 3 months I wrote the first versions of our VPN add-on (which is roughly what is sold today), a simple web filter module, and other things. Working only from one sentence requirements, on your own, having to design UIs yourself, having to actually get the thing to do what it has to do and having to test it all, is both intimidating and extremely rewarding. </span><br />
<span style="color: #666666;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">I remember writing the first version of an early add-on module called SmoothHost in this way, in an afternoon. Over the years we probably made a million pounds in revenue from that afternoon’s work. That kind of pure creative, seat of the pants way of working, I have to admit, I miss immensely.</span></span><br />
<span style="color: #666666;"><br /></span>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">Outside of the working environment, we’ve had some great company weekends. My favorite is probably the trip to Coniston in the Lake District. I think it was 2007. The company was still “innocent” then. It was a superb weekend.</span><br />
<br />
<br />Posted by Anonymous<br /><br />Time For a Digital Detox or Better Filtering? (published 2015-06-12)<br /><div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-GBdJCJV0dWY/VXrd6NvTkeI/AAAAAAAABIo/XF-Wrmi14Fs/s1600/digital_detox_blog.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="http://4.bp.blogspot.com/-GBdJCJV0dWY/VXrd6NvTkeI/AAAAAAAABIo/XF-Wrmi14Fs/s400/digital_detox_blog.png" width="400" /></a></div>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /><br />Being easily distracted has been a thorn in my side since Oldbury Park Primary School. I remember the day when mum and dad sat me down and read out my year 6 school report. Things were going so well, and then - boom - a comment from Mrs Horn that rained on my previously unsullied education record. <i><b>“Sarah can organize herself and her work quite competently if she wishes, but of late has been too easily distracted by those around her.” </b></i>She had a point, but try telling that to a distraught eleven-year-old who valued the opinion of her teachers. I made a vow after that. I would never let my report card be sullied again. Working on my concentration in secondary school and college helped me to pass my GCSEs and A-levels.</span><br />
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">Then, when I entered the world of work I found an environment not too dissimilar to school. There were managers to impress, friends to win, and office politics instead of playground politics. Comme ci, comme ça. But I was more informed this time, and found ways to stay focused: wearing headphones (a great way to show you're otherwise engaged), meditation (limited to the park, never in the office), and writing to-do lists. But these are workplace tactics; if I were a student now, my report would probably be worse. I'd be</span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><span style="white-space: pre-wrap;"> lost with access to so many devices and so much time-wasting material.
</span></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><span style="white-space: pre-wrap;"><br /></span>So there, I’ve laid bare more than I should have, but I think my personal character assassination has been worth it, because it’s proved a point. Kids have always been distracted; tech has just made the problem worse. In addition to the usual classroom distractions, teachers now have to manage digital distractions, and it’s all affecting students’ progress.</span><br />
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">For the head of the Old Hall School in Telford, Martin Stott, observing this trend was worrying. </span><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #666666;">He said, “It seems to me that children’s ability to take on board the instructions for multi-step tasks has deteriorated. For a lot of children, all their conversation revolves around these games. It upsets me to see families in restaurants and as soon as they sit down the children get out their iPads.” Stott isn’t the first to raise the issue of digital dependency, (there are </span><a href="http://digitaldetox.org/retreats/"><span style="color: blue;">digital detox centers</span></a><span style="color: #666666;"> for adults who want to have a break from tech). He might, however, be the first to bring the issue to the education arena and get significant media coverage, by introducing a week’s </span><a href="http://www.independent.co.uk/news/education/education-news/keeping-it-old-school-pupils-swap-ipads-and-xboxes-for-reading-and-board-games-10301115.html"><span style="color: blue;">digital embargo</span></a><span style="color: #666666;"> at his school. Students have to put away the Xboxes, iPads, and turn off the TV in an attempt to discover other activities like reading, board games and cards.</span></span><br />
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">I’m split on the whole digital detox idea. The cynic asks how a one-week break can make any real change to the amount of time kids spend on devices. And restricting them completely is a sure fire way to spark rebellion. But my optimistic side says it’s a step in the right direction. It raises awareness by asking kids to realize that there’s life outside Minecraft and social media. Now that’s not so bad.</span><br />
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">Nonetheless I do think that the problems with device dependency at Old Hall School could be solved with better filtering instead of a digital detox. As existing users will tell you, there’s a trusty little tool in our web filter known as ‘limit to quota’. Admins can configure the amount of time users can spend on different types of material, including material classified as time-wasting. According to predefined rules, users can use their allocation in bite-sized chunks, and be prompted every five or ten minutes, with an alert stating how much they’ve used. That way there’ll be no nasty shocks; when the timer eventually runs out after 60 minutes, they’ll be able to continue using the safe parts of the web that support their educational needs, without the distractions. Now that’s got to be more appealing than dropping the devices cold turkey, isn’t it?</span><br />
<br />
<br />Posted by Anonymous<br /><br />It's no Fun Being Right All the Time (published 2015-06-02)<br />Last week, I finally got around to <a href="http://smoothwall.blogspot.co.uk/2015/05/hide-my-ass-comes-out-of-hiding_28.html" target="_blank">writing about HideMyAss</a>, and doing a spot of speculation about how other proxy anonymizers earn their coin. Almost immediately I hit "publish" I spotted this article pop up on <a href="http://www.zdnet.com/article/hola-a-free-vpn-with-a-side-of-botnet/" target="_blank">ZDNet</a>. Apparently/allegedly, Hola subsidise their income by turning your machine into a part-time member of a botnet.<br />
Normally, I really enjoy being proved right - ask my long-suffering colleagues. In this case though, I'd rather the news wasn't quite so worrying. A bit of advertising, click hijacking and so forth is liveable. Malware? You can get rid... but a botnet client means you might be part of something illegal, and you'd never know the difference.<br />Posted by Tom Newton<br /><br />"Hide My Ass" Comes Out of Hiding (published 2015-05-28)<br /><span style="font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><span style="color: #666666;"><br class="Apple-interchange-newline" />The Internet has a chequered history with the humble ass. Kim Kardashian attempted to “break the Internet” with hers, and now we see VPN service “Hide My Ass” sold for<span style="background-color: white;"> </span></span><a href="http://www.bbc.co.uk/news/business-32702501" style="background-color: white;"><span style="color: blue;">£40 million to AVG.</span></a><span style="color: #666666;">
This subscription driven VPN service is an interesting case study. Many VPN services are surprisingly coy about where they get their revenue, and about why they exist. HMA, on the other hand, are pretty up front: It was started as a way to bypass school filters, and it is subscription based.
It’s nice to see the articles </span><a href="https://thevpn.guru/bypass-school-internet-security/"><span style="color: blue;">finally showing</span></a><span style="color: #666666;"> what we’ve long known - these services are, in the main, used for bypassing school or workplace filtering, and not only by oppressed revolutionaries in a far off land. Nor is Hide My Ass a way to avoid the long arm of the law: they have, in the past, given up </span><a href="http://www.securityweek.com/vpn-service-snitched-alleged-lulzsec-member"><span style="color: blue;">users’ browsing details</span></a><span style="color: #666666;"> under court orders.
What of other VPN providers - the “free” ones? Even subscription supported HMA admit freely they use affiliate marketing schemes to help keep the cost of plans down - what are the others doing to support the cost of bandwidth? Selling data, perhaps? For those with client software, they could be inspecting your secure connections! There’s even been cases where proxy/VPN software has inserted malware.
Our advice - block ‘em all - and think twice if you are a user attempting to connect to a VPN service. Despite the name, and the youth of its creator, HMA is a pretty grown-up VPN system - the others, well - who knows?</span></span></span><span style="color: #666666; font-family: Arial; font-size: 15px; line-height: 1.38; white-space: pre-wrap;"> </span><br />Posted by Tom Newton<br /><br />Game of 72 Myth or Reality? (published 2015-05-15)<br /><div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #666666; font-family: Arial; line-height: 22.0799999237061px; white-space: pre-wrap;">I can’t pretend that, in the mid 90s, I didn't pester my mum for a pair of Adidas poppers joggers. Or that I didn't, against my better judgement, strut around in platform sneakers in an attempt to fit in with the in crowd. But emulating popular fashion was as far as I got. I don’t remember ever doing stupid or dangerous dares to impress my classmates. Initially, I thought, maybe I was just a good kid, but a quick straw poll around Smoothwall Towers, showed that my colleagues don’t recall hurting themselves or anyone else for a dare either. The closest example of a prank we could come up with between us was knock and run and egg and flour - hardly show stopping news. </span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; vertical-align: baseline;"><span style="font-family: Arial;"><span style="line-height: 22.0799999237061px; white-space: pre-wrap;"><span style="color: #666666;">
But now, teenagers seem to be taking daring games to a whole new level through social media, challenging each other to do weird and even dangerous things. Like the #cinnamonchallenge on Twitter (where you dare someone to swallow a mouthful of cinnamon powder in 60 seconds without water). A quick visual check for the hashtag shows it’s still a thing today, despite initially going viral in 2013, and doctors having warned teens about the serious health implications.
Now, apparently there’s another craze doing the rounds. #Gameof72 dares teens to go missing for 72 hours without contacting their parents. The first suspected case was reported in a local French newspaper in April, when a </span><span style="color: blue;"><a href="http://www.thelocal.fr/20150429/french-teen-disappears-for-new-facebook-challenge"><span style="color: blue;">French student</span></a> </span><span style="color: #666666;">disappeared for three days and later told police she had been doing Game of 72. Then, in a separate incident, on 7 May, two schoolgirls from Essex went missing for a weekend in a suspected Game of 72 disappearance. Police later issued a statement to say the girls hadn't been playing the game.
So why then, despite small incident numbers, and the absence of any actual evidence that Game of 72 is real, are parents and the authorities so panicked? Tricia Bailey from the Missing Children’s Society warned kids of the “immense and terrifying challenges they will face away from home.” And Stephen Fields, a communications coordinator at Windsor-Essex Catholic District School Board said, “it’s not cool”, and has warned students who participate that they could face </span><a href="http://blogs.windsorstar.com/news/windsor-police-urge-parents-to-warn-kids-about-the-dangers-of-game-of-72"><span style="color: blue;">suspension</span></a><span style="color: #666666;">.
It’s completely feasible that Game of 72 is actually a myth, created by a school kid with the intention of worrying the adults. And it’s worked; social media has made it seem even worse, when in reality, it’s probably not going to become an issue. I guess the truth is, we’ll probably never know, unless a savvy web filtering company finds a way of making these twitter-mobile games trackable at school, where peer pressure is often at its worst.
Wait a minute...we already do that. Smoothwall allows school admins to block specific words and phrases including Twitter hashtags. Say for instance that students were discussing Game of 72, or any other challenge, by tweet, and that phrase had been added to the list of banned words or phrases; the school’s administrator would be alerted, and their parents could be notified. Sure it won’t stop kids getting involved in online challenges, because they could take it to direct message and we’d lose the conversation. But, I think you’ll probably agree, the ability to track what students are saying in tweets is definitely a step in the right direction.</span></span></span></span><span style="background-color: transparent; color: #666666; font-family: Arial; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; line-height: 1.38; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">
</span></div>
<div>
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
Posted by Anonymous<br /><br />Bloxham Students Caught Buying Legal Highs at School (published 2015-05-06)<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #666666; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-JU5CreMYY5g/VUoXOzlvCAI/AAAAAAAABB8/Z7IsRpRVuO4/s1600/Bloxham_highs_03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bloxham Students Caught Buying Legal Highs at School" border="0" src="http://4.bp.blogspot.com/-JU5CreMYY5g/VUoXOzlvCAI/AAAAAAAABB8/Z7IsRpRVuO4/s1600/Bloxham_highs_03.png" height="207" title="" width="400" /></a></div>
<span style="background-color: transparent; color: #666666; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;">It’s true what they say: History repeats itself. This is especially true in the world of web security where tech-savvy students, with an inquisitive nature try to find loopholes in school filters to get to where they want to be or to what they want to buy.</span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><span style="color: #666666;">Back in </span><a href="http://smoothwall.blogspot.co.uk/2014/09/web-filtering-is-not-glamorous-but-you.html"><span style="color: blue;">September</span></a><span style="color: #666666;"> we blogged about two high profile web filtering breaches in the US; highlighting the cases of Forest Grove and Glen Ellyn Elementary District. Both made the headlines because students had successfully circumvented web filtering controls.</span></span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;">Now the media spotlight is on Bloxham School in Oxfordshire, England, after pupils were caught ordering legal highs from their dorms. See what I mean about history repeating itself? Okay, so the cases aren’t identical, but there is a unifying element. The Forest Grove student was found looking at erotica on Wattpad, students from Glen Ellyn were caught looking at pornography, and at Bloxham it’s “legal” highs. The unifying factor in all three cases is that they were facilitated by a failure in the school’s web filter. </span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><span style="color: #666666;">The difficulty, though, is working out what exactly went wrong with Bloxham’s filter, because none of the details surrounding the technicalities have been announced. Were students allowed access to websites selling recreational drugs, or was there an oversight on the part of the web filtering management? In the original story broken by </span><a href="http://www.thetimes.co.uk/tto/education/article4428609.ece"><span style="color: blue;">the Times</span></a><span style="color: #666666;">, a teenage pupil was reported to have been expelled, and other students disciplined following an investigation by the school which found they had been on said websites.</span></span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;">Without knowing the details, it is probably wrong to speculate. However, I’m going to do it anyway! It’s entirely possible Bloxham chose a more corporate focussed web filter. In a corporate environment, “legal” highs may not present as much of an issue as in an education setting. With a strong focus on education, Smoothwall’s content filter has always been good at picking up these types of site. This is aided by a real-time content filter that is not reliant on a domain list, as these sites are always on the edge of the law, and move rapidly. Because the law is different depending upon where you live - and, indeed, rapidly changing regarding these substances - Smoothwall doesn’t attempt to differentiate between the grey area of “legal highs” and those recreational substances on the other side of the law. All of them come under the “drugs” category. This gives a solid message across all age ranges, geographies and cultures: it’s best not to take chances with your health!</span></span></div>
Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-8507382315274482472.post-52820543364519915932015-04-22T14:39:00.000+01:002015-04-23T09:55:59.304+01:00A new option to stem the tide of nefarious Twitter images...Smoothwall's team of intrepid web-wranglers have recently noticed a change in Twitter's behaviour. Where once it was impossible to differentiate the resources loaded from twimg.com, Twitter now includes some handy sub-domains so we can differentiate the optional user-uploaded images from the CSS, buttons, etc.<br />
<br />
This means it's possible to prevent Twitter loading user-content images without doing HTTPS inspection - something that's a bit of a broad brush, but given the fairly hefty amount of adult content swilling around Twitter, it's far from being the worst idea!<br />
<br />
<b>Smoothwall users:</b> Twitter images are considered "unmoderated image hosting" - if you had previously made some changes to unblock CSS and JS from twimg, you can probably remove those now.<br />
<br />Tom Newtonhttp://www.blogger.com/profile/17889630359738527948noreply@blogger.com0tag:blogger.com,1999:blog-8507382315274482472.post-49582877729022813332015-03-31T17:06:00.000+01:002015-04-01T14:32:23.544+01:00Pukka Firewall Lessons from Jamie Oliver<div class="separator" style="clear: both; text-align: center;">
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="color: #666666;">
</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-tQZs6A-krrA/VRq-QL3MGoI/AAAAAAAAA_Q/AxKUO9oMMyo/s1600/Jamie_Oliver_web_08.png" imageanchor="1"><img alt="Pukka Firewall Lessons from Jamie Oliver" border="0" src="http://2.bp.blogspot.com/-tQZs6A-krrA/VRq-QL3MGoI/AAAAAAAAA_Q/AxKUO9oMMyo/s1600/Jamie_Oliver_web_08.png" height="207" title="Pukka Firewall Lessons from Jamie Oliver" width="400" /></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="color: #666666;"><br /></span></span></div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;">In our office I’m willing to bet that food is discussed on average three times a day. Monday mornings will be spent waxing lyrical about the culinary masterpiece we’ve managed to prepare over the weekend. Then at around 11 someone will say, “Where are we going for lunch?” Before going home that evening, maybe there’s a question about the latest eatery in town. </span></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;">I expect your office chit chat is not too dissimilar to ours, because food and what we do with it has skyrocketed in popularity over the past few years. Cookery programmes like Jamie Oliver's 30 minute meals, the Great British Bake-off and Masterchef have been a big influence. </span></span></div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><span style="color: #666666;">Our food obsession, however, might be putting us all at risk, and I don’t just mean from an expanded waistline. Cyber criminals appear to have turned their attention to the food industry, targeting Jamie Oliver’s website with malware. This is the </span><a href="http://www.bbc.co.uk/news/technology-31869595"><span style="color: blue;">second time</span></a><span style="color: #666666;"> that malware has been found on the site. News originally broke back in February, and the problem was thought to have been resolved. Then, following a routine site inspection on the 13th of March, webmasters found that the malware had returned or had never actually been completely removed. </span></span></span></div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;">It’s no surprise that cyber criminals have associated themselves with Jamie Oliver, since they’ve been leeching on pop culture and celebrities for years. Back in 2008, typing a star’s name into a search engine and straying away from the official sites was a sure fire way to get malware. Now it seems they’ve cut out the middleman, going straight to the source. This malware was planted directly onto JamieOliver.com.</span></span></div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;">Apart from bad press, Jamie Oliver has come away unscathed. Nobody has been seriously affected and the situation could have been much worse had the malware got into an organisational network. </span></span></div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="color: #666666; font-family: Arial;"><span style="font-size: 15px; line-height: 20.7000007629395px; white-space: pre-wrap;">Even with no real damage there’s an important lesson to be learned. Keep your firewall up to date so it can identify nefarious code contained within web pages or applications. If such code tries to execute itself on your machine, a good firewall will identify this as malware.</span></span></div>
</div>
Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-8507382315274482472.post-92201128491871751422015-03-18T15:33:00.002+00:002015-04-01T14:33:45.708+01:005 Important Lessons from the Judges Who Were Caught Watching Porn<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div class="separator" style="clear: both; text-align: center;">
</div>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-zvAqFO5y_R0/VQmE97vjjKI/AAAAAAAAA7w/KvWlS6ElV1E/s1600/Judges_pornscandal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="5 Important Lessons from the judges who were caught watching porn" border="0" src="http://4.bp.blogspot.com/-zvAqFO5y_R0/VQmE97vjjKI/AAAAAAAAA7w/KvWlS6ElV1E/s1600/Judges_pornscandal.png" height="207" title="5 Important Lessons from the judges who were caught watching porn" width="400" /></a></div>
<span style="background-color: transparent; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 22.0799999237061px; white-space: pre-wrap;">I've never been in court before or stood in a witness box, and I hope I never do. If I am, however, called before a judge, I’d expect him or her to be donning a funny wig and a gown, to be above average intelligence, and to judge my case fairly according to the law of the land. What I would not expect is for that judge to be indulging while in the office, </span><a href="http://www.theguardian.com/law/2015/mar/17/three-judges-removed-and-a-fourth-resigns-for-viewing-pornography-at-work" style="line-height: 22.0799999237061px; white-space: pre-wrap;" target="_blank">as these District Judges</a><span style="line-height: 22.0799999237061px; white-space: pre-wrap;"> have done. Four of Her Majesty’s finest have been caught watching porn on judicial owned IT equipment.
While the material didn't contain illegal content or child images, it’s easy to see why the case has attracted so much media attention. I mean, it’s the kind of behaviour you would expect from a group of lads on a stag, not from a District Judge!
Now the shoe is on the other foot, and questions will be asked about how a porn culture was allowed to develop at the highest levels of justice. Poor web usage controls and lack of communication were more than likely to blame. But speculation aside, the world may have passed the point where opportunity can remain unrestricted to allow things like this to happen. Employees, especially those in high positions, are more vulnerable and need protection.
So here are 5 important lessons on web filtering from 4 District Judges:
1. Know Your Organisational Risk – The highest levels of staff pose the highest risk to the organisation. Failures on their part risk the credibility of the whole organisation.
2. Recognise Individual Risk – While not always the case, veteran leadership may be the least computer literate and risk stumbling into ill-advised territory accidentally.
3. Communicate with Staff – Notification of acceptable use policies can go a long way to getting everyone on the same page and help with legal recourse when bad things do happen.
4. Be Proactive – Use a web filter for what’s not acceptable instead of leaving that subject matter open to traffic. If you still want to give your staff some flexibility, try out a limit-to-quota feature.
5. Trust No One (Blindly) – Today’s internet environment makes a blind, trust-based relationship foolish. There is simply too much shady stuff out there and much of it is cleverly disguised.
If there is anyone out there who’s reading and thinking, </span><span style="line-height: 22.0799999237061px; white-space: pre-wrap;">“</span></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif; line-height: 22.0799999237061px; white-space: pre-wrap;">this would never happen in my organisation; my staff would never do that</span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 22.0799999237061px; white-space: pre-wrap;">”</span></span><span style="color: #666666; font-family: Arial, Helvetica, sans-serif; line-height: 22.0799999237061px; white-space: pre-wrap;">, think again, my friend. Nobody is perfect; the ability to look at inappropriate content knows no bounds, including the heights of hierarchy. We’re all potential infringers, as proved by Judges Timothy Bowles, Warren Grant, Peter Bullock and Andrew Maw.</span><br />
<div>
<br /></div>
</div>
Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-8507382315274482472.post-68823747312780786242015-03-05T13:29:00.000+00:002015-03-05T13:29:17.832+00:00Statement: Smoothwall and the "FREAK" VulnerabilityIn light of the recent <a href="https://freakattack.com/" target="_blank">"FREAK" vulnerability</a>, in which web servers and web browsers can be cajoled into using older, more vulnerable ciphers in encrypted communications, we would like to assure customers that the web server configuration on an up-to-date Smoothwall system is not vulnerable to this attack.<br />
<br />
Similarly, if you are using "HTTPS Decrypt & Inspect" in Smoothwall, your clients' browsers will be afforded some protection from attack, as their traffic will be re-encrypted by the web filter, which does not support downgrading to these "Export Grade" ciphers.Tom Newtonhttp://www.blogger.com/profile/17889630359738527948noreply@blogger.com0tag:blogger.com,1999:blog-8507382315274482472.post-62351437863946496002015-03-04T15:30:00.000+00:002015-04-01T14:36:54.826+01:00Searching Safely When HTTPS is Mandatory<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Pw42AFpO42g/VPcnfHggCRI/AAAAAAAAA5Q/wFfWEv9DuX4/s1600/Safe_search_blog_v5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Searching Safely when HTTPS is Mandatory" border="0" src="http://4.bp.blogspot.com/-Pw42AFpO42g/VPcnfHggCRI/AAAAAAAAA5Q/wFfWEv9DuX4/s1600/Safe_search_blog_v5.png" height="207" title="Searching Safely when HTTPS is Mandatory" width="400" /></a></div>
<br />
<br />
<span style="color: #666666;">Nobody wants anyone looking at their search history. I get it. I mean, look at mine —oh wait, don't—that's quite embarrassing. Those were for a friend, <i>honestly</i>.</span><br />
<span style="color: #666666;"><br /></span>
<span style="color: #666666;">Fortunately for us, it's pretty difficult to dig into someone's search history. Google even forces you to log in again before you can view it in its entirety. Most search engines now encrypt our traffic by default, too —some even using HSTS to make sure our browsers always go secure. This is great news for consumers, and means our privacy is protected (with the noticeable exception of the search provider, who knows everything and owns your life, but that's another story).</span><br />
<span style="color: #666666;"><br /></span>
<span style="color: #666666;">This all comes a little unstuck though - sometimes we want to be able to see inside searches. In a web filtered environment it is really useful to be able to do this. Not just in schools where it's important to prevent searches for online games during lessons, but also in the corporate world where, at the very least, it would be prudent to cut out searches for pornographic terms. It's not that difficult to come up with a handful of search terms that give potentially embarrassing image results.</span><br />
<br />
<span style="color: #666666;">So, how can we prevent users running wild with search engines? The first option is to secure all HTTPS traffic with "decrypt and inspect" type technology —your Smoothwall can do this, but you will need to distribute a certificate to all who want to use your network to browse the web. This certificate tells the browser: "trust this organisation to look at my secure traffic and do the right thing". This will get all the bells and whistles we were used to in the halcyon days of HTTP: SafeSearch, thumbnail blocking, and search term filtering and reporting.</span><br />
<span style="color: #666666;"><br /></span>
<span style="color: #666666;">Full decryption isn't as easy when the device in question is user-owned. The alternative option here is to force SafeSearch (Google let us do this without decrypting HTTPS) but it does leave you at their mercy in terms of SafeSearch. This will block anything that's considered porn, but will leave a fair chunk of "adult" content and doesn't intend to cover subjects such as gambling —or indeed online games. You won't be able to report on any of this either, of course.</span><br />
<span style="color: #666666;"><br /></span>
<span style="color: #666666;">Some people ask "can we redirect to the HTTP site" - this is a "downgrade attack", and exactly what modern browsers will spot, and prevent us from doing. We also get asked "can we resolve DNS differently, and send secure traffic to a server we have the cert for?" - well, yes, you can, but the browser will spot this too. You won't get a certificate for "google.com", and that's where the browser thinks it is going, so that's where it expects the certificate to be for.</span><br />
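Both shortcuts fail on checks the browser makes before any page loads. The sketch below is an added example, not Smoothwall or browser code: it models a simplified HSTS lookup and certificate name check. The HSTS store, the certificate dictionaries, the host `filter.school.example` and the issuer names `PublicRootCA` and `FilterCA` are all constructed for illustration.

```python
"""Simplified model of the browser checks that defeat an HTTP downgrade and
a DNS redirection of an HTTPS search engine. All data here is constructed."""

# Constructed HSTS store: host -> includeSubDomains flag.
HSTS_STORE = {"google.com": True}

# Issuers every client trusts. "FilterCA" is a hypothetical organisation CA
# that only devices given the filter's certificate would also trust.
PUBLIC_ROOTS = frozenset({"PublicRootCA"})

# Constructed certificates, reduced to the two fields the checks need.
GOOGLE_CERT = {"names": ["*.google.com", "google.com"], "issuer": "PublicRootCA"}
FILTER_OWN_CERT = {"names": ["filter.school.example"], "issuer": "PublicRootCA"}
FILTER_MITM_CERT = {"names": ["www.google.com"], "issuer": "FilterCA"}


def hsts_applies(host, store=HSTS_STORE):
    """True if host, or a parent that set includeSubDomains, is in the store."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in store and (i == 0 or store[candidate]):
            return True
    return False


def name_matches(pattern, host):
    """Match one certificate DNS name against the requested host.
    A wildcard is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify_certificate(cert, host, trusted_issuers):
    """Return None if the certificate is acceptable, else the reason it is not."""
    if cert is None:
        return "no certificate"
    if cert["issuer"] not in trusted_issuers:
        return "untrusted issuer"
    if not any(name_matches(n, host) for n in cert["names"]):
        return "name mismatch"
    return None


def browser_fetch(url, served_cert=None, trusted_issuers=PUBLIC_ROOTS):
    """Decide what the browser does with a URL and the certificate it is shown.
    The host is always the one the user asked for, whatever DNS resolved to."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    if scheme == "http":
        if not hsts_applies(host):
            return "loaded over http"
        # HSTS: the request is rewritten to HTTPS inside the browser, so a
        # redirect to the plain HTTP site never takes effect.
    problem = verify_certificate(served_cert, host, trusted_issuers)
    return "loaded over https" if problem is None else "blocked: " + problem


if __name__ == "__main__":
    managed = PUBLIC_ROOTS | {"FilterCA"}
    print(browser_fetch("http://www.google.com/search?q=x", GOOGLE_CERT))
    print(browser_fetch("https://www.google.com/", FILTER_OWN_CERT))
    print(browser_fetch("https://www.google.com/", FILTER_MITM_CERT))
    print(browser_fetch("https://www.google.com/", FILTER_MITM_CERT, managed))
```

The last call is the "decrypt and inspect" case: the same filter-issued certificate is accepted only on a device that has been given the organisation's CA.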
<span style="color: #666666;"><br /></span>
<span style="color: #666666;">In conclusion: ideally, you MITM or you force Google's SafeSearch & block access to other search engines. For more information </span><a href="http://www.smoothwall.com/en-us/articles-white-papers/white-papers/the-risks-of-secure-google-search"><span style="color: blue;">read our whitepaper</span></a><span style="color: #666666;">: 'The Risks of Secure Google Search'. It examines the problems associated with mandatory Google HTTPS searches, and suggests methods which can be used to remedy these issues.</span><br />
<br />Tom Newtonhttp://www.blogger.com/profile/17889630359738527948noreply@blogger.com0tag:blogger.com,1999:blog-8507382315274482472.post-63536974089445483682015-02-24T13:26:00.000+00:002015-04-01T14:39:02.864+01:00Twitter - Den of Iniquity or Paragon of Virtue... or Someplace in Between?<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-T-l8U43dx6E/VOx-7C2DvhI/AAAAAAAAA2Q/XG3Jg0AkOL0/s1600/Twitter_porn_image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Twitter - Den of Iniquity or Paragon of Virtue or Someplace in Between" border="0" src="http://4.bp.blogspot.com/-T-l8U43dx6E/VOx-7C2DvhI/AAAAAAAAA2Q/XG3Jg0AkOL0/s1600/Twitter_porn_image.png" height="207" title="Twitter - Den of Iniquity or Paragon of Virtue or Someplace in Between" width="400" /></a></div>
<span style="color: #666666;"><br /><br />Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that </span><a href="http://www.channel4.com/news/one-in-every-thousand-tweets-is-porn" target="_blank"><span style="color: blue;">one in every thousand tweets contains something pornographic</span></a>. <span style="background-color: white;"><span style="color: #666666;">With</span></span> <a href="http://www.internetlivestats.com/one-second/" target="_blank">8662 tweets</a> <span style="color: #666666;">purportedly sent every second, that's quite a lot.</span><br />
<br />
<span style="color: #666666;">Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.</span><br />
<br />
<span style="color: #666666;">That said - how porn riddled <i>is</i> Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.</span><br />
<span style="color: #666666;"><br /></span>
<span style="color: #666666;">Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.</span><br />
<span style="color: #666666;"><br /></span>
<span style="color: #666666;">Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites is in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the</span> <a href="http://www.huffingtonpost.com/2013/05/03/internet-porn-stats_n_3187682.html" target="_blank">Huffington Post reports</a> <span style="color: #666666;">that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.</span><br />
<span style="color: #666666;"><br /></span>
<span style="color: #666666;">Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.</span>Tom Newtonhttp://www.blogger.com/profile/17889630359738527948noreply@blogger.com0tag:blogger.com,1999:blog-8507382315274482472.post-29066749864979686482015-01-30T12:18:00.000+00:002015-01-30T12:18:57.532+00:00Plausible Deniability - The Impact of Crypto Law<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">So, after the recent terror attacks in Paris, the UK suffered from the usual knee-jerk reactions from the technologically-challenged chaps we have governing us. “Let’s ban encryption the Government can’t crack”, they say. Many people mocked this, saying that terrorists were flouting laws anyway, so why would they obey the rules on crypto? How would companies that rely on crypto do business in the UK (that’s everyone, by the way)? </span></div>
<b id="docs-internal-guid-9396ed88-2bc5-4506-efe4-68c267c265d6" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Well, I’m not going to dwell on those points, because I am rather late to the party in writing this piece, and because those points are boring :) In any case, if the Internet went all plaintext on us, web filtering would be a whole lot easier, and Smoothwall’s HTTPS features wouldn’t be quite so popular!</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Suppose the real intent of the law is to be able to arrest someone just for having or sending encrypted data - the equivalent of arresting someone for looking funny (or stepping on the cracks in pavements). What would our miscreants do next?</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Well, the idea we need to explore is “plausible deniability”. For example, you are a De Niro-esque mafia enforcer. You need to carry a baseball bat, for the commission of your illicit work. If you want to be able to fool the local law enforcement, you might also carry a baseball. “I’m going to play baseball, officer” (may not go down well at 3 in the morning when you have a corpse in the back seat of your car, but it’s a start). You conceal your weapon among things that help it look normal. It is possible to conceal the cryptography “weapon” so that law enforcement can’t see it’s there so they can’t arrest anyone. Is it possible to say “sorry officer, no AES256 here, just a picture of a kitteh”? If so, you have plausible deniability.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What’s the crypto equivalent? Steganography. The idea of hiding a message inside other data, such that it is very hard to prove a hidden message is there at all. Here’s an example:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizEMr-WUcB_H81WeYUmPizSgkKjn7WNQteAgpb88RCsbSiB8FBIh1gTkJk4ZrUP7RtqnEV7KK3AQeuNbnkyohSthYr70l_l8NO_sNP-ORM_qmb3lCHuY7gM9s_P0X8DWPXAMep2Kuby0fX/s1600/catbox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizEMr-WUcB_H81WeYUmPizSgkKjn7WNQteAgpb88RCsbSiB8FBIh1gTkJk4ZrUP7RtqnEV7KK3AQeuNbnkyohSthYr70l_l8NO_sNP-ORM_qmb3lCHuY7gM9s_P0X8DWPXAMep2Kuby0fX/s1600/catbox.png" height="320" width="240" /></a></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span id="docs-internal-guid-9396ed88-2bc6-1dba-c87b-026d195e33cb"></span></span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This image of a slightly irritated looking cat in a shoebox contains a short message. It will be very hard to find, because the original image is only on my hard disk, so you have nothing to compare to. There are many steganographic methods for hiding the text, and it is extremely short by comparison to the image. If I had encrypted the text… well, you would find it even harder, because you couldn’t even look for words. It is left as an exercise for the reader to tell me in a comment what the message is.</span></div>
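Least-significant-bit embedding is one of the many methods the paragraph alludes to. As an added illustration (not the method used for the cat image, which the post does not reveal), this sketch hides a short text in a constructed buffer of pixel bytes and shows what an examiner gains from holding the original; the function names and the 16-bit length header are choices made for this example.

```python
import random


def make_cover(n_bytes, seed=2015):
    """Constructed stand-in for decoded image data: one byte per colour channel."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(n_bytes))


def embed(cover, message):
    """Write a 16-bit length header plus the message into the lowest bit of
    successive cover bytes. Returns a new bytearray; the cover is unchanged."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("message too long for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit      # only the lowest bit can change
    return stego


def read_bytes(data, start, count):
    """Rebuild `count` bytes from the lowest bits of data[start:]."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (data[start + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Recover the message, given knowledge of the method and header layout."""
    length = int.from_bytes(read_bytes(stego, 0, 2), "big")
    if 16 + length * 8 > len(stego):
        raise ValueError("length header does not fit: probably no payload")
    return read_bytes(stego, 16, length)


def changed_positions(original, suspect):
    """What an examiner holding the original can do: list every altered byte."""
    return [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]


def largest_change(original, suspect):
    """Biggest per-byte difference; for LSB embedding this is never above 1."""
    return max(abs(a - b) for a, b in zip(original, suspect))


if __name__ == "__main__":
    cover = make_cover(4096)
    stego = embed(cover, b"hello reader")
    diff = changed_positions(cover, stego)
    print("recovered:", extract(stego))
    print("bytes altered:", len(diff), "of", len(cover))
    print("largest change per byte:", largest_change(cover, stego))
```

With the original in hand the altered bytes cluster exactly where the payload sits; without it, every byte of the suspect image is still a plausible pixel value, and the examiner has to rely on statistical tests instead of a comparison.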
Tom Newtonhttp://www.blogger.com/profile/17889630359738527948noreply@blogger.com1tag:blogger.com,1999:blog-8507382315274482472.post-32374554827191195092014-11-24T14:24:00.000+00:002015-04-01T14:34:40.839+01:003 Rules for Cyber Monday<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-bnPMN0mgwHM/VG-WNfwbQbI/AAAAAAAAAuw/n6Yv5AvYzq0/s1600/3-rules-graphic_171114_v2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="3 Rules for Cyber Monday" border="0" src="http://4.bp.blogspot.com/-bnPMN0mgwHM/VG-WNfwbQbI/AAAAAAAAAuw/n6Yv5AvYzq0/s1600/3-rules-graphic_171114_v2.png" height="207" title="3 Rules for Cyber Monday" width="400" /></a></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">It’s nearly here again folks, and the clues are all there:
planning the office Christmas party, your boss humming Rudolph the Red Nosed
Reindeer and an armada of Amazon packages arriving.</span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">Which brings me
nicely to the topic of this blog: online shopping at work.</span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">It’s official; we are
‘in love’ with online shopping. At this time of the year, it’s harder to resist
temptation. Retailers conjure up special shopping events like Black Friday and
Cyber Monday - all aimed at getting us to part with our hard earned cash. While
online retailers rub their hands in anticipation of December 1st, for companies
without proper web security, the online shopping season could turn out to be
the nightmare before Christmas.</span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #666666;">In a recent survey by RetailMeNot, a digital coupon
provider, </span><a href="http://www.abc27.com/story/24114456/cyber-monday-sales-up-workplace-productivity-down"><span style="color: blue;">86 percent</span> </a><span style="color: #666666;">of working consumers admitted that they planned to spend
at least some time shopping or browsing online for gifts during working hours
on Cyber Monday. That equates to a whole lot of lost productivity and
unnecessary pressure on your bandwidth.</span></span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">To help prevent distraction and clogged bandwidth, I know of
one customer, I’m sure there are others, who is allowing his employees time to
shop from their desks in their lunch breaks. He’s a smart man - productivity
stays high and employees happy.</span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">But productivity isn’t the only concern for the IT
department – cyber criminals are out in force at this time of year, trying to
take advantage of big hearts and open wallets with spam and phishing emails.
One click on a seemingly innocent link could take your entire network down.</span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">To keep such bad tidings at bay, here’s a web security
checklist to ensure your holiday season is filled with cheer not fear.</span></div>
<div class="MsoNormal">
<b style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></b></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>1.</b> </span><b style="color: #666666; font-family: Arial, Helvetica, sans-serif;">Flexible Filtering</b><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">. Set time quotas to allow online shopping
access at lunchtimes, or outside of core hours. Whatever you decide is
reasonable, make sure your employees are kept in the loop about what you
classify as acceptable usage and communicate this through an Acceptable Usage
Policy.</span></div>
<div class="MsoNormal">
<b style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><br /></b></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>2.</b> </span><b style="color: #666666; font-family: Arial, Helvetica, sans-serif;">Invest in Anti-malware and Anti-spam Controls</b><span style="color: #666666; font-family: Arial, Helvetica, sans-serif;">. As inboxes
start to fill with special offer emails, it gets more difficult to
differentiate between legitimate emails and spam. These controls will go some
way towards separating the wheat from the chaff.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #666666; font-family: Arial, Helvetica, sans-serif;"><b>3. Issue Safety Advice to Your Employees</b>. Ask employees to
check the legitimacy of a site before purchasing anything. The locked padlock
symbol indicates that the purchase is encrypted and secure. In addition, brief
them to be alert for phishing scams and not to open emails, or click on links
from unknown contacts.</span></div>
Anonymous noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-6589633220270092672 2014-09-26T14:55:00.002+01:00 2014-10-21T15:21:42.219+01:00<br />
10 Things to Consider Before You Unblock a Website<br />
<div>
Just recently, I was asked by a customer to provide some advice for their network administrators on unblocking sites. Sometimes you have to say no, but how do you decide which to give the green light to? Here are some points to bear in mind...</div>
<br />
<ol>
<li>Have you looked at the <i>whole</i> site? There may be different content on some of the links.</li>
<li>Is the domain a generic one? Maybe many sites are served from this domain. Can we limit the unblock to just one specific URL?</li>
<li>Will the content change in future? If it is dynamic, what kind of content might be found there next week?</li>
<li>Is there a better website people could visit for this same purpose? For example, there is no reason to unblock an image search engine other than Google Image Search, as it may not have all the safety features enforced by Smoothwall.</li>
<li>What’s the reason the site was blocked? If it is a misclassification it should be reported to Smoothwall, and it will get fixed for everyone.</li>
<li>Do you want to unblock just this website, or <i>all websites of this type</i>? Often it is better to adjust the categorisation (such as allowing all “sports” websites) rather than dealing with one at a time.</li>
<li>Does it allow access to other pages surreptitiously, or draw content from other sites? Translation sites can cause this problem.</li>
<li>You might be able to understand the risks of this site; but do your users? Children, for example, may not be easily able to understand risks of bullying or grooming on a social network, and less technical users might inadvertently leak sensitive information on file sharing sites.</li>
<li>Are there any regulations or risk assessments you need to consider before unblocking this site?</li>
<li>Does the site rely on 3rd party resources? You can use the advanced Policy Test Tool to examine these. Are these locations also safe with regard to points 1-9?</li>
</ol>
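An added example, not part of the original post and not Smoothwall's Policy Test Tool: one way to list the third-party hosts a page pulls embedded content from (point 10), so that each can be weighed against points 1-9. The sample page, its .example host names and the rule that subdomains of the page's own host count as first-party are assumptions of this sketch.<br />

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: a page mixing its own content with embedded third-party content.
SAMPLE_PAGE_URL = "http://homework.example/maths/index.html"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <link rel="stylesheet" href="https://cdn.example/fonts.css">
  <link rel="canonical" href="http://mirror.example/maths/">
  <script src="//ads.adnetwork.example/serve.js"></script>
  <script src="js/app.js"></script>
</head><body>
  <img src="http://static.homework.example/logo.png">
  <img src="https://cdn.example/banner.png" />
  <img src="data:image/png;base64,AAAA">
  <iframe src="https://player.videohost.example/embed/123"></iframe>
  <a href="http://elsewhere.example/">an ordinary link, followed only if clicked</a>
</body></html>
"""

# Tag -> attribute whose URL the browser fetches while rendering the page.
FETCHED_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
                 "video": "src", "audio": "src", "source": "src",
                 "object": "data", "link": "href"}
# <link> only triggers a fetch for some rel values (canonical, for one, does not).
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every embedded resource in the markup."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCHED_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return
        value = attrs.get(attr_name)
        if value:
            # urljoin resolves relative and protocol-relative (//host/path) URLs.
            self.resources.append((tag, urljoin(self.base_url, value.strip())))


def third_party_hosts(page_url, html):
    """Map each third-party host to the sorted list of tags that load from it."""
    page_host = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data: URIs and the like never leave the page
        host = parts.hostname
        # Assumption: the page's own host and its subdomains are first-party.
        if host == page_host or host.endswith("." + page_host):
            continue
        found.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in sorted(found.items())}


if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(host, ", ".join(tags))
```

This only sees static markup; anything a script loads at run time will not appear in the list.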
<br />
<div>
<br /></div>
Tom Newton http://www.blogger.com/profile/17889630359738527948 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-5129847164021198564 2014-09-11T21:35:00.000+01:00 2014-09-11T21:35:18.338+01:00<br />
Web Filtering Is Not Glamorous, but You May Still Make the Paper<br />
<div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;">
<i style="text-indent: 0px;">What may be done at any time will be done at no time. </i></div>
<div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;">
<span style="font-family: Courier New;"> </span>~ Scottish Proverb</div>
<div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;">
<br /></div>
<div class="MsoNormal">
Procrastination seems to be built into human nature somehow;
some problems become crises before being dealt with. In the beginning, most web
content filtering problems are virtually unnoticeable. Maybe it’s because they
always seem to start so small they’re nearly innocuous: A slip here, slide
there. And who really wants to deal with web filtering and make it a priority?</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Web content filtering isn’t glamorous. Other issues feel
more pressing, like network failures on testing days. Some issues are just more
pleasant to deal with, like procuring new hardware. And let’s face it, students
won’t sing your praises for bulletproofing your web filter. It is, however,
necessary. Unlike rescheduled test days or network performance issues, a web
filter failure will get your name in the paper.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Take Glen Ellyn Elementary District 41 near Chicago,
Illinois. After a web filter failure there, in which fourth and fifth grade
students <a href="http://www.chicagotribune.com/suburbs/glen-ellyn/ct-firewall-school-porn-glen-ellyn-tl-0508-20140502-story.html">were
caught viewing pornography</a> on the playground, parents combined forces to
bring to light <a href="http://www.chicagotribune.com/suburbs/glen-ellyn/ct-porn-d41-glen-ellyn-tl-0619-20140616-story.html">“other
instances of inappropriate computer usage at district schools.”</a> The
story originally broke in early May, but once a story is on the press's radar,
continued coverage of events becomes standard. The most recent update
on Glen Ellyn was published in August.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Another example of this phenomenon happened in Forest Grove,
Oregon. A student there was using her iPad <a href="http://www.katu.com/news/investigators/Mom-alleges-students-read-erotic-literature-with-school-iPads-272813091.html">to
look at erotica</a> through the literature curation website Wattpad. The story was a follow-up in response to an <a href="http://www.katu.com/news/investigators/Neil-Armstrong-middleschoolers-breach-school-iPad-security-leads-to-questions-about-cyberbulling-272669321.html">investigative
piece</a> by the local news, which focused on students' agility in circumventing
filtering.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
And it isn’t just emergencies that get a school noticed for
its web filtering policies. Apparently even <a href="http://www.southernminn.com/waseca_county_news/news/article_ffb4a744-ab70-5290-abf2-a91850224c40.html">over-blocking
of sites</a> is press-worthy, as indicated by the Waseca County News,
on grounds that it is unfair. Sometimes the discussion even gets political, as
it did in Woodbury, Connecticut, where a student doing research noticed that
there seemed to be <a href="http://www.usatoday.com/story/news/nation/2014/06/25/high-school-student-republican-conservative-websites-blocked/11275317/">uneven
blocking of conservative branded sites</a>.</div>
<br />
<div class="MsoNormal">
There are also probably more instances of web filtering gone
bad that go unreported, but there’s really no way to tell how a filtering
fumble will shake out before it hits the press. Of course, that raises the
question: with so much at stake, why take the risk? Like laundry, dishes, or getting
your oil changed, making sure your web filter is up to the challenge is the
first small step in making sure that your students are protected, but it’s an
important one. Perhaps it’s time to <a href="http://smoothwall.com/en-us/evaluate">schedule some time</a>. </div>
Anonymous noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-1749180931053969162 2014-09-01T16:48:00.000+01:00 2014-09-01T16:48:04.069+01:00<br />
Red Letter Day for Onanists and Internet Fraudsters<br />
Yesterday a number of explicit photographs of celebrities, including Jennifer Lawrence, were leaked on the Internet. I'll get to that in a moment. First, if you read no further, read this:<br />
<br />
Don't go looking for these photographs, and don't click any links sent to you purporting to be them.<br />
<br />
If you must look, we've hosted them all <a href="http://bit.ly/A524dD" target="_blank">here</a>. Seriously, we have been out a-searching since the news broke, in order to protect our users from the inevitable tide of malware links that have already begun to spring up. The major search engines work hard to keep malicious sites seeded with "current event" keywords from popping up, but this time will be harder, as the sites offering these images will often be similar to those offering the malware.<br />
<br />
Now I am going to break from the norm. Most security blogs include the advice "don't take nude photos". I'm not going to ask you to quit. If that's your bag, keep at it — but bear in mind that your photo collection is now worth more. It's now worth more to an attacker who wants to populate their porn site, or to blackmail you. It is also worth more to you, for the peace of mind of those images being kept private.<br />
<br />
If we said the answer was "don't do it" every time doing something on the Internet resulted in a problem, we wouldn't have Internet banking. Or the Internet, come to think of it. So no, you absolutely should store your personal photos on the Internet. You just need to take further steps to ensure they are secure.<br />
<br />
These steps include:<br />
<br />
1. Make sure you know where your photos are. Many phones now automatically send your images to the NSA/GCHQ etc. under the guise of backup. This can be turned off. Weigh up your dismay at not having your photos any more, vs. the chance of them being stolen. Personally, I vote for backup, as anyone who pinches my pictures will find a heady combination of safari shots, and pictures of serial numbers for things I need to fix. Remember any other backup services (DropBox, Mozy, Backblaze, Crashplan et al) that you use here as well.<br />
<br />
2. Secure the photos on-device. If your PC has no password, and your phone regularly sits around unlocked, there's no point hacking your backups. Seems obvious, but the proportion of people who take nude selfies is greater than those who use a lock screen. Apparently.<br />
<br />
3. Use a password you use nowhere else. No, really. I <i>mean</i> it this time. I know you ignored me when I said "use a different password everywhere". Look, I forgive you, because I like you. But this one is pretty serious. Don't share the password with the one you use on a messageboard, or for grocery shopping.<br />
<br />
4. Turn on "two step verification", "two factor authentication" or whatever anyone's calling it these days.<br />
<br />
5. Secure the reset channel. Password resets are a good way to break an account. This could be email (password and 2 factor advice applies here), phone (PIN protect your voicemail!), or silly security questions that anyone with access to your Facebook can answer (make like <a href="http://grahamcluley.com/2014/09/naked-jennifer-lawrence-leak/" target="_blank">Graham Cluley</a> and tell them your first pet was called "9£!ttty7-").<br />
<br />
A final word on this: watch for those malware links. They're already out there.<br />
Tom Newton http://www.blogger.com/profile/17889630359738527948 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-3737200794124516664 2014-08-22T11:17:00.000+01:00 2014-08-22T11:22:17.111+01:00<br />
Security: Hard to Get Right!<br />
Couple of interesting articles doing the rounds this week, which are worthy of a quick comment!<br />
<br />
<b>Heartbleed: the bug that keeps on giving</b><br />
Reports suggest that the <a href="http://www.csoonline.com/article/2466726/data-protection/heartbleed-to-blame-for-community-health-systems-breach.html" target="_blank">Heartbleed vulnerability was involved in a breach</a> of over 4 million records from a health provider in the US — we won't see many of these, as identifying the culprit as Heartbleed is really difficult in most cases. That instances like this are still cropping up reminds us of the need to ensure we're patched, and not just in the obvious places like a web server. This time it seems to have been SSL VPN at the heart of the issue, so to speak.<br />
<br />
<b>Passwords: why are we still so rubbish at this?</b><br />
Apparently <a href="http://www.net-security.org/secworld.php?id=17273" target="_blank">51% of people share a password</a>. This is properly daft. Really, crazier than a box of weasels. Even if you trust the other person, there's no telling what accidents might occur, or where they may re-use that password themselves. I always get gyp from my wife that I won't tell her my passwords, but I won't — and believe me, I do pretty much everything else she tells me!<br />
<br />
<b>EU "right to be forgotten" rule still here, still a waste of time?!</b><br />
Internet numpties are still asking Google to remove them from searches in their droves. Happily the BBC is <a href="http://www.bbc.co.uk/news/technology-28851366" target="_blank">kind enough to reveal</a> who they are by linking us to the relevant articles. When will people realise that once you publish something on the Internet, it is there forever? Unless it's that really useful document you bookmarked last week, which now 404s and was never in the Internet archive. Yes, that one.<br />
Tom Newton http://www.blogger.com/profile/17889630359738527948 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-6687979408178146147 2014-08-19T08:57:00.001+01:00 2014-08-19T16:07:19.273+01:00<br />
For an Internet of Things, We Are Going to Need Better Things<br />
There's a lot of hype around at the moment about "The Internet of Things" (IoT), which, I suppose, is all about attaching, uh, things to the Internet. By "things", it seems we are supposed to be thinking household goods, vehicles; basically anything with electrical current running through it is a candidate for the "internet of things".<br />
<br />
While setting up a cheapo DVD player last week, I couldn't help thinking of Chief Brody in the film "Jaws"... "You're going to need a bigger boat", he says, on seeing the enormous shark. We're going to need a bigger mindset on security if we are to survive the onslaught of "things". The firmware in the kind of devices we are already routinely connecting up is drivel. I mean some of it is absolute garbage. I know there are exceptions, but most of it is badly built, and almost none of it is ever updated.<br />
<br />
Each of these devices is likely perfectly capable as a host in a botnet - for DDoS, for sending SPAM, SPIM and SPIT (OK, we are yet to see much in the way of unsolicited Internet Telephony... but with the IoT, devices built to make calls/send texts are likely to get hijacked), so each of these devices has a value to the Internet's vast supply of wrongdoers.<br />
<br />
Researchers at Eurecom recently completed a <a href="https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/costin" target="_blank">study</a> showing up vulnerabilities in the 30 thousand or so firmware images they scraped from vendor websites. Apparently one image even contained a Linux kernel whose age had just hit double figures. Ouch. The "Nest" next-gen thermostat hasn't been without issues either, but as a high profile target, at least we can expect firmware updates from them!<br />
<br />
Synology's NAS storage devices are among the early victims of malware attacking non-traditional computing devices, and may be an indication of IoT issues to come. Users of these storage devices have found themselves victims of a crypto-ransomware attack: their files are encrypted, and the encryption keys offered for sale back to them! Other early warnings come in the form of attacks on SCADA industrial control systems. These are all places where, traditionally, little or no emphasis has been placed on security.<br />
<br />
What can we do to help ourselves here? My advice is to be careful before you buy anything you're going to add to your network. Look to see if the vendor has a firmware download, and if there's a recent-ish update. If they're the fire'n'forget types, you're probably not going to want to deploy it.<br />
<br />
Footnote: Gartner appears to believe the Internet of Things to have reached "<a href="http://www.networkworld.com/article/2464007/cloud-computing/gartner-internet-of-things-has-reached-hype-peak.html" target="_blank">peak hype</a>". Reminds me of an old saying about those dwelling in vitreous abodes launching masonry...<br />
Tom Newton http://www.blogger.com/profile/17889630359738527948 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-8940311845313895775 2014-07-04T16:30:00.002+01:00 2014-07-04T16:30:15.066+01:00<br />
Of Wikipedia and vandalism.<br />
Wikipedia is regarded as a bastion of factual accuracy and impartiality.<br />
<br />
If you have no idea what Wikipedia is, please step blinking into the sun and let me explain:<br />
It's an online encyclopaedia that anyone can contribute to. Literally anyone. There are no pre-requisites, no background checks and exactly one hoop to jump through: bothering to post the edits.<br />
<br />
Fantastic idea isn't it? A platform for the entirety of human knowledge to be collected in a single shining pantheon, stripped of journalistic bias and sensationalism, and laid bare for all to marvel at. Enshrining almost <a href="http://en.wikipedia.org/wiki/Wikipedia:Size_in_volumes" target="_blank">60 times more information</a> than the Encyclopaedia Britannica. A beacon of knowledge and wisdom through collaboration and communal spirit!<br />
<br />
Except this is the internet, a place which at times can be a wretched hive of scum and villainy<span style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; line-height: 22.399999618530273px;">™</span>.<br />
<br />
From Wikipedia:<br />
<blockquote class="tr_bq">
Vandalism is any addition, removal, or change of content, in a deliberate attempt to compromise the integrity of Wikipedia. Examples of typical vandalism are adding irrelevant obscenities and crude humor to a page, illegitimately blanking pages, and inserting obvious nonsense into a page. </blockquote>
Wikipedia has an entire team and <a href="http://en.wikipedia.org/wiki/Wikipedia:Vandalism" target="_blank">comprehensive guidelines</a> for dealing with vandalism.<br />
As of April 2014, there were <a href="http://en.wikipedia.org/wiki/Wikipedia:Size_in_volumes" target="_blank">4,500,000</a> articles on Wikipedia. That's potentially 4,500,000 blank canvases for anyone with the inclination and an email address to put their mark on. Repeated transgressions will result in the user or their IP being banned from editing anything on Wikipedia. This is fine for Vandal A sitting at home trolling, but becomes a problem when an entire organisation's connection is blocked. They don't like to, but Wikipedia can <a href="http://en.wikipedia.org/wiki/Wikipedia:Blocking_IP_addresses" target="_blank">block an entire IP range</a> if the need arises. Jobs have been lost due to irresponsible Wikipedia edits (<a href="http://www.telegraph.co.uk/sport/football/teams/liverpool/10904540/Civil-servant-fired-after-Telegraph-investigation-into-Hillsborough-Wikipedia-slurs.html" target="_blank">in Government, no less</a>) — there are very real risks.<br />
<br />
Here at Smoothwall, we've had more than one request for the ability to make <b>Wikipedia read only</b> in an effort to prevent this issue getting that far. Tomorrow this goes live and is in a similar vein to our previous work on Facebook and Twitter, albeit a little more niche. It's also not a blanket on/off switch; it's applicable the same way as any policy is — to whomever, whatever and whenever you like.<br />
<div>
<br /></div>
Anonymous noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-1756964776619549250 2014-06-03T10:32:00.000+01:00 2014-06-03T13:28:46.117+01:00<br />
2 Weeks To Secure Your Networks... Starting...<br />
Well, roughly 2 weeks ago. Apparently, there's <a href="http://www.bbc.co.uk/news/technology-27668260" target="_blank">a malware storm a-comin'</a> - batten down the hatches, man the barricades, etc.<br />
<br />
Yawn. Look, if you're not ready for this influx of malware, you're not ready to plug in your router. Surviving on the Internet during this coming malware bonanza is like surviving in a 'phone booth with 2 angry brown bears. If I said, hey, let's go with one angry brown bear instead, you wouldn't fancy your chances any better.<br />
<br />
Ursine analogies aside, if we do get the proposed storm (and here I'm going to suggest that we're looking at a level of likelihood similar to that of weather forecasting), keep doing what you're doing. It's always a good time to start doing what you're doing better, but to make changes for this - fairly generic - incident that you're not willing to keep in place full-time is a second rate scheme.<br />
<br />
My advice: pick one thing you've been looking to improve about your IT security for a while, and use the press coverage to justify your budget spend - but don't show the bean counters this article.<br />
Tom Newton http://www.blogger.com/profile/17889630359738527948 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-8441838195924041007 2014-06-02T16:10:00.001+01:00 2014-06-02T16:10:54.539+01:00<br />
Passwords - At it again?<br />
The recent <a href="http://threatpost.com/ebay-compromised-in-data-breach-urges-password-change/106205" target="_blank">eBay hack</a> got me thinking about passwords, for about the 5th time this year. After Heartbleed, I did a bit of an audit on the passwords I was using, and I hope you did too. I then moved house, and had to change a bunch of address details, and in the process, I found a few more places I had passwords set up that I didn't know I had. One of these places emailed me a reminder with the password in plain text. This means they are storing my password, on their server, in the clear. I'm not mean enough to name names, and indeed I have offered to help them fix it, and given a few pointers - I'm nice like that, you see!<br />
<br />
There's a moral to this tale, however. I should be concerned that Company X's servers may be compromised, and my password released, because they stored it badly. If that was the case, I would want to change my password as soon as I heard of the breach, as an attacker would immediately be able to access my account. My best defence would probably be that my name's likely to be right in the middle of the list, and any attacker is probably working his way past Archibald Atkins up there at the top of the user list - I hope I can get to reset my creds before the bad guys get to "N"!<br />
<br />
However, I hope that eBay are smarter (not that there's any direct evidence that this is the case: they've been a bit evasive on how they stored our passwords). Despite this, I immediately changed my eBay password too. Why? Because even a hashed password is cracked fairly easily these days, and that crack is getting easier every day.<br />
<br />
Given a 6 character password (still accepted by many sites), hashed with MD5, it is possible to check every possible password in less than a minute on standard hardware.<br />
<br />
So: sites are still storing passwords in plaintext. For a while, MD5 was the go-to hash function. How many people do you think are still using that? SHA-1? Not much better apparently. Salt-per-password - better odds, but not unbeatable. While there's so much that a site could do "wrong" that would mean your password is brute forced in no time, there's a bunch you could do wrong too, like picking a dictionary word, or something nice and short. Be aware that the bad guys are finding ways to crack passwords orders of magnitude faster, such as using CUDA/GL setups.<br />
<br />
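An added example, not part of the original post: the storage choices discussed above, side by side, together with the keyspace arithmetic behind the 6 character claim. Unsalted MD5 gives two users with the same password the same stored value, while a per-password salt plus PBKDF2 (swapped in here as one widely available slow hash) does not. The iteration count, the guess rate used in the arithmetic and the sample accounts are assumptions made for this sketch.<br />

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for this sketch (not figures from the post):
PBKDF2_ITERATIONS = 600_000                    # work factor; tune to your own hardware
ASSUMED_MD5_GUESSES_PER_SEC = 20_000_000_000   # illustrative rate only, not a benchmark

# Constructed sample accounts: two users who happen to choose the same password.
SAMPLE_USERS = {"archibald": "monkey", "newton": "monkey"}


def md5_record(password: str) -> str:
    """Weak storage: unsalted, fast hash. Equal passwords give equal records."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened storage: random per-password salt and a deliberately slow hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaustive_seconds(length, alphabet_size, guesses_per_sec, work_factor=1):
    """Rough worst-case time to try every password of that length.

    work_factor models a slow hash: each guess costs at least that many
    fast-hash units, so the estimate scales linearly with it.
    """
    return keyspace(length, alphabet_size) * work_factor / guesses_per_sec


def compare_storage(users=SAMPLE_USERS):
    """Count distinct stored values: 1 means shared passwords are visible in the table."""
    md5_table = {user: md5_record(pw) for user, pw in users.items()}
    kdf_table = {user: pbkdf2_record(pw) for user, pw in users.items()}
    return {
        "md5_distinct_records": len(set(md5_table.values())),
        "pbkdf2_distinct_records": len(set(kdf_table.values())),
    }


if __name__ == "__main__":
    print(compare_storage())
    fast = exhaustive_seconds(6, 95, ASSUMED_MD5_GUESSES_PER_SEC)
    slow = exhaustive_seconds(6, 95, ASSUMED_MD5_GUESSES_PER_SEC, PBKDF2_ITERATIONS)
    print("6 printable-ASCII characters, unsalted MD5: about %.0f seconds" % fast)
    print("same keyspace with the PBKDF2 work factor:  about %.0f days" % (slow / 86400))
```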
What can we do to protect ourselves against the disparity between the ability of wrong 'uns to crack passwords, and the slow uptake of more secure hashing?<br />
<br />
You can <b>never ever re-use a password</b>. I am pretty sure I still am - probably on accounts I should have closed years ago, but tidying up your passwords is worse than changing your postal address! It's really difficult. You will need a password manager. I chose LastPass personally, some of my colleagues use Password Safe and keep the file in Dropbox - pick the one that's right for you.<br />
<br />
A password manager is essential to keep up with the large number of passwords you will need - however, I would advocate keeping your key passwords out of any manager - eggs, basket, and all that. So email, financial services, that sort of thing, probably should stay in your head!<br />
<br />
Finally, any sites which offer 2 factor authentication, please do take them up on the offer. That way you're less likely to suffer a breach while the organisation decides on the best way to tell you your password has gone walkies.<br />
<br />
TL;DR - three things you <b>need</b> to remember about your passwords:<br />
<br />
<br />
<ul>
<li>Two Factor Where You Can</li>
<li>Password Manager for the Many</li>
<li>Remember the Few</li>
</ul>
<br />
<br />
Tom Newton http://www.blogger.com/profile/17889630359738527948 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-3524543015010873012 2014-04-09T09:46:00.001+01:00 2014-04-09T10:05:49.295+01:00<br />
Statement: OpenSSL "Heartbleed" and Smoothwall<br />
Some of our customers have been asking about Smoothwall's vulnerability to the "Heartbleed" issue in OpenSSL. We can confirm that our version of OpenSSL is not vulnerable to this issue, and our version of GnuTLS has also been upgraded as of update73 to resolve another possible, but unrelated, SSL vulnerability. OpenSSL's is the latest of 3 recent issues in SSL implementations.<br />
<br />
Smoothwall users are protected from Apple's recent bug (link below) by browsing through the web filter, however they are not immune to the "Heartbleed" issue where present on other web sites and services (though a MITM filtered connection is perhaps marginally harder to attack).<br />
<br />
More information on each issue can be found here:<br />
<a href="http://heartbleed.com/" target="_blank">OpenSSL "Heartbleed"</a><br />
<a href="https://threatpost.com/gnutls-certificate-verification-flaw-exposes-linux-distros-apps-to-attack/104614" target="_blank">GnuTLS issue</a><br />
<a href="http://www.zdnet.com/major-apple-security-flaw-patch-issued-users-open-to-mitm-attacks-7000026624/" target="_blank">Apple "Goto fail"</a><br />
Tom Newton http://www.blogger.com/profile/17889630359738527948 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-8507382315274482472.post-9092456526386212775 2014-02-11T13:48:00.001+00:00 2014-02-11T13:48:39.670+00:00<br />
Safer Internet Day: 4 Things You Might Not Realise Your Webfilter Can Do<br />
Since it's <a href="http://www.saferinternet.org/safer-internet-day" target="_blank">Safer Internet Day</a> today, I thought I'd use it as an excuse to write a blog post. Regular readers will know I don't usually need an excuse, but I always feel better if I do.<br />
<br />
Yesterday, I was talking to our Content Filter team about a post on the popular <a href="http://www.edugeek.net/" target="_blank">Edugeek</a> forum, where someone asked "is it possible to block adult content in BBC iPlayer?". Well, with the right web filter, the answer is "yes", but how many people think to even ask the question? Certainly we hadn't thought much about formalising the answer. So I'm going to put together a list of things your web filter should be capable of, but you might not have realised...<br />
<br />
<br />
<b>1. Blocking adult content on "TV catch up" services like iPlayer.</b> With <a href="http://www.bbc.co.uk/news/entertainment-arts-25944605" target="_blank">use of the service soaring</a>, it's important that any use in education is complemented with the right safeguards. We don't need students in class seeing things their parents wouldn't want them watching at home. There's a new section of the Smoothwall blocklist now which will deal with anything on iPlayer that the BBC deem unsuitable for minors.<br />
<br />
<b>2. Making Facebook and Twitter "Read Only"</b>. These social networks are great fun, and it can be useful to relax the rules a bit to prevent students swarming for 4G. A read-only approach can help reduce the incidence of cyber-bullying and keep users more focused.<br />
<br />
<b>3. Stripping the comments out of YouTube.</b> YouTube is a wonderful resource, and the majority of video is pretty safe (use YouTube for Schools if you want to tie that down further — your filter can help you there too). The comments on videos, however, are often at best puerile and at worst downright offensive. Strip out the junk, and leave the learning tool - win win!<br />
<br />
<b>4. Busting Google searches back down to HTTP and forcing SafeSearch.</b> Everybody appreciates a secure service, but when Google moved their search engine to HTTPS secure traffic by default, they alienated the education community. With SSL traffic it is much harder to vet search terms, log accesses in detail, and importantly force SafeSearch. Google give you DNS trickery to force the site back into plain HTTP - but that's a pain to implement, especially on a Windows DNS server. Use your web filter to rewrite the requests, and have the best of both.<br />
Tom Newton http://www.blogger.com/profile/17889630359738527948 noreply@blogger.com 0