HeathVault: would you notice?

Filed under: Security — lenand @ 6:15 pm

Microsoft HealthVault looked like a good idea to investigate.  Rather strangely, it requested an OpenID or Facebook login to see more details.  Reluctantly, a rarely used Facebook account was used.  So far so good, then the next screen said:

“Microsoft HeathVault UK would like to access your public profile, friend list, email address, birthday and current city.”

No way.  A copy of that would be good for moaning via Quarkside.  No rush, so could wait for a couple of days.  Now can you see the spelling mistake?

Who could have done this?  Is it Microsoft, or Facebook, that isn’t on top of protecting innocent users?



‘Man in the middle’ attacks for dummies

Filed under: Risk,Security — lenand @ 3:49 pm

Public WiFi security risks are real, not imaginary.  This paper from the Royal Holloway College, University of London highlights Security Risks associated with the use of public Wi-Fi hotspots.

Should Quarkside publicise this paper?  The advice works both ways.  It gives as many clues to potential criminals as it does to those who should take more care.


Email leaks continue

Filed under: Governance,Privacy,Security — lenand @ 6:42 am

The technique of allocating a unique email address to suppliers was discussed two years ago and Quarkside reported an incident of a company not maintaining privacy of an email address.  That company would not hit the headlines, however my latest example surely would.  This is the story.

I started receiving unsolicited emails from a Big C company. They used an address which I reserved for communications with a Big M Company.  They were never given permission for it to be given to any third parties.  I asked Big M for the source of Big C obtaining my email address, asking for any evidence that it had been leaked or that I had inadvertently given permission to share it.

Understanding the possible reputational damage to Big M, I exchanged half a dozen emails via their internal channels and received no explanation nor apology. Their final stance was for me to report the incident to http://www.actionfraud.com. I did not think it was appropriate as they do not have the resources nor justification to handle such an apparently trivial case.

I also asked Big C for an explanation, who said “Security is very important to us, and we will look into this issue carefully.” Needless to say, I heard nothing.  However, talking to a Big C senior vice president, my advice was to forget all about it.  I would only be regarded as an irritant and would not achieve any satisfaction from any Big company.

Both Big M and Big C should take such complaints more seriously.  If there is a breach of email contact databases, then here is some evidence that might help them to trace the source.  Another possibility is that an employee, present or past, has copied some email addresses for commercial purposes.  In either case, Information Governance processes should lead to an internal investigation, not a hand-off to ActionFraud or a vacuous email address.


eBay unfriendly to use of gmail as email consolidator

Filed under: Privacy,Security — lenand @ 9:49 am

Unfriendly eBay sent this to me.

Oops. We weren’t able to send your message to XXXshop, because the email address you used to send this message, XXX@gmail.com, isn’t linked to your eBay account. 

To keep eBay safe, we need you to send messages from a registered eBay email address. This will prevent your messages from being blocked in the future.

I have no wish to record my gmail account with anybody other than Google.  It’s part of my Spam identification mechanism.  I give every supplier their own email address for me to track down misuse, such as passing on details to a Spam generator.  It has worked, to the embarrassment of a major software company.

Does it really make eBay any safer if  it blocks unregistered addresses?  They know who I am.
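
The per-supplier address technique described in this post and in "Email leaks continue", as an added example (not the author's own setup): each alias carries a keyed tag, so a message arriving at it can be attributed to the one supplier it was issued to. The domain `example.org`, the key, the supplier domains and the sample messages are all constructed assumptions.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"  # assumption: a private key only the mailbox owner holds
DOMAIN = "example.org"            # assumption: a domain whose mail you receive
# Constructed mapping of supplier name -> domains that supplier legitimately mails from.
SUPPLIER_DOMAINS = {"bigm": {"bigm.example"}, "bigc": {"bigc.example"}}


def _tag(name: str) -> str:
    """Keyed tag so that aliases cannot be guessed or forged by a spammer."""
    return hmac.new(SECRET, name.encode(), hashlib.sha256).hexdigest()[:8]


def alias_for(supplier: str) -> str:
    """The unique address handed to exactly one supplier."""
    name = supplier.lower()
    return f"{name}.{_tag(name)}@{DOMAIN}"


def issued_to(address: str):
    """Return the supplier an alias was issued to, or None if it is not one of ours."""
    local, _, domain = address.lower().partition("@")
    name, _, tag = local.rpartition(".")
    if domain != DOMAIN or not name:
        return None
    return name if hmac.compare_digest(tag.encode(), _tag(name).encode()) else None


def check_message(raw: str) -> str:
    """Classify a received message as 'ok', 'leak:<supplier>' or 'unknown-alias'."""
    msg = message_from_string(raw)
    recipient = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1]
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    supplier = issued_to(recipient)
    if supplier is None:
        return "unknown-alias"
    allowed = SUPPLIER_DOMAINS.get(supplier, set())
    if any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed):
        return "ok"
    # The alias was only ever given to `supplier`, so mail from anyone else
    # is evidence that the address left that supplier's contact database.
    return f"leak:{supplier}"


def sample(from_addr: str, to_addr: str) -> str:
    """Build a constructed test message (not real mail)."""
    return f"From: Offers <{from_addr}>\nTo: {to_addr}\nSubject: constructed\n\nbody\n"


if __name__ == "__main__":
    for sender, rcpt in [
        ("news@bigm.example", alias_for("bigm")),
        ("promo@mail.bigc.example", alias_for("bigm")),
        ("promo@bigc.example", "bigm.zzzzzzzz@example.org"),
    ]:
        print(sender, "->", rcpt, ":", check_message(sample(sender, rcpt)))
```

The `From` header can be spoofed, so an "ok" verdict is only a hint; the "leak" verdict rests on the alias itself, which is the evidence to hand to the supplier.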


Recommendations for LAs for Citizen Id Assurance

Filed under: Governance,Security,Standards — lenand @ 2:33 pm

The Cabinet Office has done a good job in explaining many of the Citizen Identity issues for local government.  Here are their unexpurgated recommendations:


There is a strong sense of enthusiasm for securing wider understanding of HMG’s plans around citizen IdA. LAs are keen to identify whether, how and when their plans may be aligned to a national approach and to minimise any risk of future isolation. Additionally, an excellent potential opportunity for effective re-use of centrally developed standards and technology is recognised. To help LAs in moving forward, the following recommendations are made:

1. Provide assistance to LAs so that they may align with the IdAP vision:

    • Publish IdAP vision and strategy at earliest opportunity
    • Publish IdAP deliverables roadmap and timeline
    • Enable LAs to utilise HMG procurement framework.

Publishing and effectively disseminating the vision and strategy along with the deliverables roadmap will provide LAs with clarity on GDS technology and approach and aid them in formulating their own plans. Whilst LA procurement frameworks exist for a number of software application solutions, there does not appear to be any such framework that would apply to procurement of IdA services.

2. Work nationally with all suppliers including LA suppliers to:

    • Review the landscape of IdA provision
    • Promote the national perspective.

A review of LA service providers for example to clarify which suppliers will only offer their own proprietary service for IdA, which are open standards based and may therefore present no interoperability issues, whether individual suppliers are offering a consistent product/service across their customer base, would provide information to enable useful engagement with those suppliers.

Engaging service providers will also help influence negotiations and reduce the risk of LAs being ‘boxed in’ by embedded suppliers (i.e. those suppliers from whom software systems such as online council tax are purchased).

3. Publish a common set of features & standards for IdA such as a minimum feature list. Build on good practice guides such as the Requirements for Secure Delivery of Online Public Services (RSDOPS).

A common set of features would also help to clarify relationships between Levels of Assurance (0-3, Bronze – Gold etc.), factor authentication, and generally develop a common language that will minimize misunderstandings.

4. Engage with LAs to pilot federated IdA solutions and further explore current non-federated approaches.

Many LAs are keen to collaborate to help develop and test federated solutions in their local environment. It would also be instructive to explore alternative non-federated approaches that have already been taken by some LAs such as Harrow to online citizen IdA.

5. Widen lines of communications to LAs


    • Knowledge sharing platform
    • Newsletters
    • Social media (e.g. blogs, tweets).

There is a sharp appetite to share, learn, collaborate, inform and be informed. Additionally awareness-raising across the public sector would help address some of the barriers and issues facing authorities in relation to increasing understanding of the concerns within LAs and partner organizations, help to clarify thinking around potential solutions and increase efficiencies through avoidance of ‘re-inventing the wheel’.

6. Develop good practice guidelines for implementing assisted digital for IdA

7. Customer insight research is required to:

  • Investigate user attitudes to and perceptions of trust, data sharing and the role of 3rd party identity providers
  • Usability/accessibility studies should be undertaken and good practice for IdA defined and published
  • Develop a communications plan and national campaign to raise citizen awareness and trust.

8. Develop a national brand for federated IdA to encourage citizens to trust the new approach.


This seems to have been such a low-key report that nobody has talked about it.  There’s only common sense without any scare stories.  Who will take up these recommendations?


£21bn Cyber Crime cost contradicted

Filed under: Governance,Politics,Risk,Security — lenand @ 1:59 pm

Cyber Crime (eCrime) is global, but it needs local solutions.  It needs political will to engineer a major reduction in eCrime.  The problem is that politicians need to recite credible evidence to justify expenditure to their key constituents, eg citizens and small businesses.  Such evidence is reviewed in a report published by Cardiff University, “eCrime Reduction Partnership Mapping Study”.

One of the authors, Dr Michael Levi, launched the review in Parliament yesterday.  In wanting to avoid headline-catching assertions, he obliges you to read the 80 pages to extract any gems:

  • Estimated losses to UK business of £21billion (Detica and Cabinet Office) do not “meet acceptable quality standards”;
  • The size and scale of eCrime is unknown and good data is not collectible;
  • Criminals profit from eCrime, with tax and welfare being the greatest source of income;
  • SMEs and individual victims do not get any justice response, nor do the Police plan to provide it. Malware, phishing or illegal copying are not on the radar.

On this evidence it is difficult to imagine that many politicians will be inspired enough to lead on promoting local eCrime reduction partnerships formed from police, business, government and local authorities.  Self-help may be the way forward, but how do you inform people of the true risks and methods of avoidance?  It may be practical to initiate a scheme like Neighbourhood Watch, but sustaining success would depend on charismatic leadership – not on bureaucratic data collection and dissemination.  It is a fact that the offer of advice creates fear, and the perception that things are worse than the evidence suggests.


7DIG: Identity Trust Matrix

Filed under: Innovation,Risk,Security — lenand @ 2:49 pm

Here is a suggestion for a visual chart that will help people to understand the risk they are taking in electronic transactions between customers and suppliers of goods or services.  How much should a supplier trust a potential customer? – and vice versa?

[Figure: Identity Trust Matrix]

Suppliers look at the vertical axis and decide how much value is at risk if the customer avoids paying for what is delivered – whether by deliberate fraud or by accident.  In other words, what level of trust can be placed in customers’ electronic credentials?

Customers look at the horizontal axis to gauge whether the Trust Level of a credential is sufficient to meet the value of potential purchases.

Each transaction is given a Trust Index with a calculated value from 0 to 100.  These are split into three ranges of high, medium and low risk – from a supplier’s perspective.

| RAG   | Risk        | Trust Index | Proceed?                  |
|-------|-------------|-------------|---------------------------|
| Red   | High Risk   | 10-100      | Unwise to proceed         |
| Amber | Medium Risk | 2.5-10      | Proceed with caution      |
| Green | Low Risk    | <2.5        | Sufficient eID to proceed |

The amber area of the matrix is where the reputation of each party should be considered in addition to the trust level.  What is the trading history of both customer and supplier? eBay traders understand this principle.

Clearly, the matrix depends on the agreement of Trust Levels of credentials.  Quarkside has not developed a firm proposal, but here are some starting suggestions for four ranges (with maximum low risk value):

  • 1 (£10): Username and password.
  • 2, 3 (£100): Additional personal secrets.
  • 4-6 (£1000): Documentary evidence of identity, such as banks’ “Know Your Customer” requirements.  Inclusion of credit agency data.  Face to face interviews by the enrolment agency may be needed. Sufficient to obtain a passport.
  • 7-10 (£10,000): Biometrics necessary to complete transactions.  The highest levels would have government security vetting and very strong protection against counterfeit credentials.

If this sparks any interest, suggestions to help definition of trust levels will be considered.  The background to the need for an Identity Trust Matrix will be the subject of future posts, following the 7DIG framework.


Identity Governance: Protect-Policy

Filed under: Governance,Policy,Risk,Security — lenand @ 9:48 am

The Cabinet Office has completed some DRAFT policy documents on an Identity Assurance Framework.  In June 2011 they were “Final Draft approved for external review”.  There is some very good work documented with significant implications if the recommendations are acted upon.  They have been circulated to a limited extent, but every page has been protectively marked as:



The marking indicates that there are risks in widely circulating the documents.  It is a clear warning to Quarkside not to publish them and contribute to open debate.   On inspection, the criteria for assessing PROTECT (Sub-national security marking) assets are:

  • cause distress to individuals;
  • breach proper undertakings to maintain the confidence of information provided by third parties;
  • breach statutory restrictions on the disclosure of information;
  • cause financial loss or loss of earning potential, or to facilitate improper gain;
  • unfair advantage for individuals or companies;
  • prejudice the investigation or facilitate the commission of crime; 
  • disadvantage government in commercial or policy negotiations with others.

Surely “external review” should mean what it implies, and that the Cabinet Office should obtain feedback from more experts before the policy is cast in bronze.  There are enormous implications to Local Authority and Voluntary sector service providers. Couldn’t the draft be published for consultation and made unrestricted less than six months after internal approval?


A Tale of Two Summits

Filed under: Security,Technology — lenand @ 6:26 pm

It must be the season of summits.  Quarkside attended two in one week.  “Get Safe Online Summit” and “Oracle Business Analytics Summit”.  Both events were free to attend.  Both had good locations, Portcullis House and London Bridge Hilton.

One affects most of the UK population, to the estimated cost of £27 billion per year.  The other was targeted at FT100 companies planning to improve their profits.  Both had a great line up of speakers; Francis Maude spoke at one of them.  It doesn’t take a lot of imagination to predict which was the better attended.

“Get Safe Online” has been campaigning for seven years to educate people about Internet safety.  There are some serially nasty criminals out there and the campaign aims to heighten awareness by adding a logo on as many web sites as possible.  By unscientific observation, there aren’t many around.  More people should be shown the video of one day’s work by Trend Micro.  They created an Android App and installed it on a smart phone.  The app cheerfully sent one premium call per minute, ad infinitum, until the owner notices a multi-thousand pound bill.  Sneakily, the app intercepts incoming texts from the premium number.  Infection of work based portable devices is an easy target.  The room was half empty (probably 50% no-shows) and there were lots of sandwiches left to feed the birds.

“Oracle Business Analytics Summit” did have a Home Office speaker, championing the democratisation of Business Intelligence.  Progress is slow, but sure.  However, within four months, Betfair has developed a system that can perform 7 million transactions per day; personalised by real-time decision making.  This can be while a horse is approaching the winning post – or you can bet during a penalty shoot out.  No wonder Betfair was worth 1.5 billion in the IPO.  Also pretty fast was the analytics hardware, a 40 core processor with 1 terabyte of DRAM. It chomps through 900 million in-core records in the blink of an eye.  Oh – and you can run it from an iPad on the Web.  Would you like one or two for your Cloud Service, sir? The rooms were chock-a-block, elbow room only, and the demand for food could not be satisfied.  With only 15% no-shows, the venue had difficulty coping with the 300 or so that did show up.

It seems that new whizzy technology still attracts an audience, but getting safe online doesn’t warrant many people leaving their offices.




Secure money saver

How many confidential or official documents must be sent by the post? Bank statements, payslips, licence renewals, invoices,… Why can’t they be sent electronically? The over-riding reason is to guarantee a real address.

The “Private and Confidential” sticker is irrelevant once it has been delivered to the household, but the sender has done as much as they can – or have they? Shouldn’t the recipient have the choice of asking for such documents to be sent to a secure, encrypted, email inbox?

The benefits to the recipient are:

  • Password, or token, protection to keep mails private and confidential.
  • Correspondence filed electronically
  • Readable from any location
  • Fewer paper cuts

The benefits to the sender, often public sector organisations, are far greater:

  • Reduced postal charges; 12 payslips a year must cost at least £2. That’s £2000 if you have a thousand pension payments to make.
  • Guaranteed delivery; there’s an audit trail to see if a document has been delivered and opened.
  • Interception free delivery and fewer non-delivery complaints to manage.
  • Ability to implement closed invoicing and payment processes with minimal intervention from administrators.

So here is a business proposition for the Local Authorities  (LAs) or the Post Office. Offer citizens a free, secure, encrypted, email inbox on a GCloud service. Offer any public or private sector organisation a secure, encrypted, traceable, email service at a sustainable annual fee. Some citizens may also wish to subscribe to a secure Web-based outbox for replying to secure inbox messages, or even to initiate communications.

The key to success is to link a secure email address with a property and a person.   Local Authorities have knowledge of the Unique Property Reference Number (UPRN) and at least one person responsible for paying Council Tax. They could minimise the risk of fraud by sanity checking the number of secure email accounts at each property.  LAs must lead on this innovation. There’s lots of work to do on the detail, but the good thing is that there’s an Agile solution because the basic facilities are available out of the box. Quarkside is trialling them now.

At some time in the future, this service could stimulate interest from the Electoral Registration Transformation Programme (ERTP, IVR and EIR are among the abbreviations). You read it here first.
