Alastair Revell - Blog

Data Protection Act 1998

2010-01-27T16:21:41.796+00:00

I suspect many businesses and probably most members of the general public are unaware that the fees for notification under the Data Protection Act 1998 were changed with effect from 1st October 2009. The change was made through The Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 Statutory Instrument 2009/1677 laid before Parliament by Michael Willis, Minister of State in the Ministry of Justice, on 6th July 2009.

The annual notification fee has been £35 for all data controllers, regardless of their size, since 2000. However, from 1st October 2009, two-tiers of fees have been in force.

Essentially, small and medium sized-organisations with fewer than 250 employees or less than £25.9M turnover continue to pay £35 annually and are now defined as “Tier 1” organisations. All other bodies (including any public authorities defined in the 1998 act) will now fall into “Tier 2” and must pay £500 annually.

I think the general public have come to realise over the last couple of years just how important their data is and how easily it can be lost by cavalier organisations (including government departments!)

I welcome the change in the fee structure provided the extra funds taken are used to increase the Information Commissioner’s capability to ensure all of our private data is kept more securely by those with whom it is entrusted and that those who flagrantly breach the rules are brought to task.

Many businesses see the current fee as a stealth tax and I suspect a good number of the general public too. However, I hope with the increased funding that the Information Commissioner will be seen to be doing more to actively protect the public from cavalier data controllers by everybody.

These fee increases have been introduced ahead of new powers that will come into effect in April 2010 that will allow the Information Commissioner to fine people and organisations that recklessly breach any of the eight principles that underpin the act.

These new powers were introduced as part of the Criminal Justice and Immigration Act 2008, but will only come into force in April 2010. The Information Commissioner will only be able to fine data controllers when one or more of the eight principles have been seriously breached in cases where the breach was deliberate, or where the controller knew (or ought to have known) that the risk of such a breach was likely to cause substantial damage or distress; and the controller failed to take action to stop it.

Hopefully, these new teeth will work in tandem with the new funding to ensure all of our personal data is kept much more safely.

This weblog is produced by Revell Research Systems.

More on the Exeter University Virus

2010-01-20T21:11:14+00:00

Just a quick update to my earlier blog regarding the problems currently being faced by the University of Exeter. It seems the virus is exploiting known flaws in the Microsoft Vista and Microsoft Server 2008 platforms.

Zack Whittacker, who blogs for ZDNet, has a source inside the university here in Exeter. Apparently, the virus is mainly targeting Vista SP2 machines and the IT staff at the university are trying to use patch MS09-050 to reduce the attack surface.

It is understood that this virus has not been seen outside of the Exeter campus, but clearly demonstrates the disruption that a carefully crafted attack can cause.

There is a suggestion in Whittacker's blog that some critical patches had not been applied (using the Microsoft System Update Service).

We strongly believe that machines should regularly be checked to ensure that patches that should have been applied, actually have been applied. If the loop is not closed in this manner then these sorts of problems are eventually inevitable.

We are concerned that many SMEs, who often do not patch properly, may be at considerable risk if this virus escapes the Exeter campus.

In addition, I remain concerned about the zero-day virus threat. A virus that spreads quickly and easily such as this one, that exploits a flaw such as the one in Internet Explorer that saw Google hacked in China, with a drive-by infection capability on a site such as any of the international versions of Google would lead to huge economic disruption across the globe.

For starters, many people set Google as their home page, so in this apocalyptic scenario, they would be infected and spreading such a virus internally inside the organisational firewall without detection or defence the moment they went online...

This weblog is produced by Revell Research Systems.

Exeter University Shutdown!

2010-01-20T17:02:17.343+00:00

It seems that the University of Exeter is currently in the middle of a major virus outbreak, which has led to their IT team shutting down the entire campus network, including their telephone system in an attempt to contain the problem.

The attack appears to have started on Monday. The campus network was shutdown at around 2:00pm as a direct response to the threat. However, the problems seem to be continuing today (Wednesday).

The university’s home page suggests that staff and students are only able to access email externally using home computers and the like.

The communications advice issued by the university says that it “is currently experiencing a severe IT incident, and as a precautionary measure we’ve taken much of our network offline. Parts of the University are being brought back online today as soon as it is safe to do so. The University switchboard is online and can accept calls, but we are unable to transfer them to some affected areas of the University.”

Sources in Exeter suggest that the virus has not been identified, but it is thought that the university was deliberately targeted. Stuart Franklin, a spokesman for the university, speaking to the local evening paper, the Express & Echo, said: “We were attacked by a virus. It was a malicious attack. It is the first time I have known such an attack to succeed.”

It seems clear that this virus is extremely virulent and has managed to spread quickly and easily. This strongly suggests that it managed to circumvent the university’s antivirus systems and may have been akin to a zero-day virus.

Although a difficult decision, I believe that closing down the infrastructure in such circumstances is the right thing to do.

This incident should provide food for thought for many organisations. The cost of closing down a network is extremely expensive in terms of lost revenue and opportunities, even before the sheer amount of professional time spent checking systems and returning them to service is taken into consideration.

In fact, this sort of attack can cause immense damage to an organisation and is relatively easy to perpetrate, which has not escaped the notice of Lloyd’s of London Emerging Risks Team in their October 2009 report: ‘Digital Risks: Views of a Changing Risk Landscape’. The report states that “The value of data can vary enormously, but for some organisations it could mean bankruptcy.”

The interesting aspect to this attack is that the university believes it was “hit by the virus deliberately”.

I think we may see an increase in this sort of attack in the future. The recession has been very deep and many people with criminal intent and technical capability across the world may turn to cyber-crime.

In the first two weeks of January, we’ve seen the national governments of France and Germany warn their citizens about security flaws in Internet Explorer after an attack on Google’s site in China (along with some 20 other organisations), which Microsoft admitted late last week were part of the attack mechanism. The code that exploits these particular flaws were published on Monday, 18th January 2010 and there are already some reports of it being used maliciously.

Although the problems at the University of Exeter and the issues with Internet Explorer are probably not connected, the trend for increased, malicious attacks is clear.

This weblog is produced by Revell Research Systems.

IT Professionals must be Assertive!

2009-12-02T17:46:49.765+00:00

I’ve been mulling over Michael Cross’ article of 23rd September 2009 for the Guardian web site for a while now, which was written in response to The British Computer Society rebranding itself as BCS The Chartered Institute for IT and announcing that it was revising its process for Chartered IT Professional (CITP) registration.

The article sported the contentious title: “IT can have its professionals, if they don’t get stroppy” with a subtitle of “Government and employers will not recognise IT ‘professionals’ if they are demanding as doctors and lawyers.”

Mr Cross’ article highlights the tight rope that the Chartered Institute for IT walks as it tries to raise the level of professionalism in IT. The government is currently very supportive of the Institute’s moves to raise the bar in the IT profession, but Mr Cross rightly points out that “the trend could swiftly go into reverse if a new government finds IT professionals to be as stroppy and independent-minded as they find doctors and lawyers today.”

He continues: “Governments like taking expert advice – but only if it’s ‘Yes, minister’”, which certainly seems to be true with the recent resignations from various expert advisory panels because they apparently didn’t say what the current government wanted to hear.

The problem, of course, is that so called “stroppiness” is an important aspect of professionalism. A professional has a duty to their client to advise them when their actions are contrary to their professional advice and to point out the probable consequences.

It is precisely this lack of professional ethics that causes much of the damage to the public purse and, no doubt, many private purses too. As Cross chides in his article, “the IT industry isn’t shy about talking up its abilities” and he rams the point home with the anecdote that he has a corporate t-shirt that boasts a company slogan of “Mission impossible achieved”.

A major problem with the IT industry is that it is too heavily driven by sales hype that plays on the naivety of easily persuaded customers. Professionalism, on the other hand, is about telling the truth, whether the client likes the message, or not.

This weblog is produced by Revell Research Systems.

Rural Payments Agency: More Government Data Loss

2009-10-31T15:01:56.406+00:00

Farmers Weekly has reported that the Rural Payments Agency (RPA) has lost the payment details of every farmer in the United Kingdom that has ever claimed a farm payment. The details include names and addresses, bank details, passwords and security questions and apparently were not encrypted. The number of farmers affected is believed to be around 100,000.

The details were leaked to Farmers Weekly by frustrated civil servants working on the single payments system and an external consultant who was advising on the system.

The whistle-blowers allege that 39 backup tapes went missing last year when they were transferred from offices in Reading to Newcastle. Thirty-seven tapes have been recovered, but two are still unaccounted for.

The whistle-blowers were concerned that the RPA and DEFRA would remain tight-lipped over the incident. According to Farmers Weekly, DEFRA has admitted that tapes went missing, but has told them that the data was not lost in transit and was instead misplaced within the data centre.

DEFRA has also admitted that the data on the tapes was not encrypted, but insists information could not be accessed without specialised technical equipment and knowledge. The government department has also insisted that the risks posed to farmers are very low.

Apparently, the tapes were last seen in June 2008, but were discovered as missing by the contractor, IBM, in May 2009. There loss has only just become public knowledge in late October 2009.

Obviously, this will do little to bolster the general public’s justifiable lack of confidence in the government’s ability to safe-guard their data. The question is soon going to be what data has the government not lost!

However, as I have said before, I do not believe that the government is actually anymore cavalier with data than the private sector. It is just that the government is an easier target to expose. I believe the data handling procedures of many commercial organisations are equally poor.

This most recent loss has barely hit the headlines, probably because it is no longer newsworthy to say that the government leaks like a colander. The next organisation to be vilified by the press for data loss may well come from the private sector…

This weblog is produced by Revell Research Systems.

BCS Rebranded: The Future isn't just Green!

2009-09-21T21:29:48.921+01:00

The British Computer Society (BCS) launched its new branding over the weekend and it is clearly setting an ambitious course.

The changes clearly run far deeper than just the corporate colour change from blue to green.

Firstly, it is obvious from the web site that it wants to fulfil a more global role rather than just one confined to the United Kingdom. It has conspicuously stopped calling itself The British Computer Society in favour of referring to itself simply as the BCS.

It has obviously seen the globalising trends within information technology and realised that the IT profession is not only rapidly starting to mature, but also rapidly becoming global itself. Many more practitioners are working on projects across the globe and there certainly needs to be some sort of international standard. The BCS clearly intends to provide that standard.

The BCS has also added the strap-line “The Chartered Institute for IT” to its logo, which makes it very clear that it is a chartered body on a par with other chartered bodies, such as accountancy and surveying.

This is certainly a very important move. I believe, as I recently blogged, that Chartered IT Professional (CITP) status is a qualification whose time is coming. The IT profession is maturing and many people realise that IT touches almost every aspect of modern life. People also now know that when IT professionals do not act professionally that their actions can actually harm society.

Our profession is growing up and we need to take on the responsibilities that come with that maturity.

The CITP assessment process itself has been revised with two further hurdles being added. Candidates must now sit a formal examination and undergo a mandatory interview and presentation.

The motivation is clearly not to deter candidates, but to make sure that the qualification is “aspirational and demanding to achieve”. The new BCS literature goes further and says that the qualification should “show that holders understand the business they are working in and add value through the use of technology” and that CITP status should “tell employers something about the holder that they cannot find out easily for themselves.”

There have been a number of voices calling for some form of “practice certificate” for IT professionals to show that they are competent and up-to-date; and the BCS seems to have recognised this with the new Certificate of Current Competence, which Chartered IT Professionals will need to revalidate every five years.

I think this move may well put various manufacturer accreditations into context. They prove competence in a particular product from the manufacturer’s perspective, but they don’t necessarily show any understanding of business or a commitment to professional ethics.

People may be cynical about these changes. The rhetoric is certainly easily rehearsed, but I do believe that the BCS is determined to see this through. Also, I believe that there has been a recent ground swell from grass-root professionals in IT feed up with seeing poor work passed of as the product of “professionals”. At a number of lunches and other such events, I’ve noticed that whenever the “Professionalism in IT” agenda is raised that there are a number of ardent supporters who feel that this really needs to be moved forward. These changes are a vehicle for this and they deserve support.

Detractors of the BCS have often claimed that it is a rather irrelevant ivory tower that just appeals to academics. This may have once been true, but it has travelled an awfully long way since then. It now knows what it must strive to become and what it may lose if it doesn’t.

Indeed, the BCS is taking steps to right the imbalance that has long seen it portrayed as just a learned society reserved for academics and researchers. It genuinely seems to be embracing the requirements of its other important stakeholders (such as practitioners, government and the wider public).

However, I am pleased that it is not just throwing the baby out with the bath water and intends to remain a learned society with the formation of the BCS Academy of Computing. I think being learned is an important aspect to a professional body that wants to be at the heart of a profession that changes so rapidly that we joke about “internet years” being but just a few months.

The BCS has certainly taken a momentous step in the right direction this month, albeit the first step in many. I am particularly encouraged that the BCS itself recognises this. The new web site itself has a lot about the necessity for further change and transformation, going as far as to say: “BCS doesn't just need to be changed, but completely transformed.”

It is time for experienced IT practitioners to become chartered professionals and to shape the future of our profession.

This weblog is produced by Revell Research Systems.

National Museum of Computing to Reboot the Harwell Machine

2009-09-03T18:43:56.671+01:00

I was pleased to just read a few moments ago on the BBC Web Site that the National Museum of Computing at Bletchley Park is to acquire the Harwell machine. It is the oldest computer in existence (depending on whether you classify the Collusus machine as a computer or not) and will definitely strengthen their growing collection.

I understand that the machine is to be dusted down and restarted as part of a renovation project. The machine was originally built and used by staff at the Atomic Energy Research Establishment at Harwell in Oxfordshire. It was designed in 1949, commissioned in 1951 and ran in regular service until 1973.

I think it is important that the IT profession looks after its heritage. We like to boast that a year in computing or Internet time is equivalent to just a few months. We need to realise that, if this is the case, that we are producing history at around four times the normal rate!

This weblog is produced by Revell Research Systems.

Chartered IT Professional (CITP): The Qualification Whose Time is Coming?

2009-08-25T10:29:16.421+01:00

I welcome the joint report produced by fellows of The Royal Academy of Engineering (RAE), The Institution of Engineering and Technology (IET) and The British Computer Society (BCS) entitled: "Engineering Values in IT", which was published on 3rd August 2009 and is available from the academy's web site.

The report recommends that "appropriately qualified Chartered Engineers (CE) and Chartered IT Professionals (CITP) should be employed to lead and manage major IT projects within both government and industry."

I sense that, in particular, Chartered IT Professional (CITP) status is a qualification whose time is now rapidly approaching. I’ve noted over recent months that many IT professionals in senior positions have recently been awarded chartered status.

It is a necessarily hard qualification to achieve and is certainly on a par with those in other chartered professions, such as Chartered Accountants or Chartered Surveyors.

The motivation for the report was the critical importance of IT at a national level.

The report notes that the take up of chartered status within information technology remains a problem. I certainly think that those who have attained the CITP qualification should make it clear that they are "Chartered IT Professionals", since I believe that this will accelerate its adoption.

This weblog is produced by Revell Research Systems.

Selling and Marketing in a Recession: Forget EMail?

2009-05-28T11:26:13+01:00

I’ve recently had occasion to contact a number of professional service firms “out of the blue” about the services that they offer.

As an IT professional, I’ve naturally used email as my preferred means of communication. What concerns me is that in all cases, I’ve had to chase these emails because I’ve had no reply – no doubt because my original email has been eaten by my recipient’s anti-spam system.

This raises serious questions about the effectiveness of email for “first contact” communication and begs the question just how many leads are being lost by organisations in this recession!

Clearly, telephone contact or a written letter is probably both more efficient and more effective. In fact, as traditional (ie: paper-based) junk mail seems to be in decline, any written communication is more likely to stand out when marketing services to other firms, rather than being automatically hidden as frequently now happens with emarketing.

Where does this leave email?

This weblog is produced by Revell Research Systems.

Bletchley Park: Important to the IT Profession

2009-05-20T16:14:46.859+01:00

I attended the BCS South West AGM Talk “The Second World War Code Breaking Centre at Bletchley Park” at the University of Plymouth on Wednesday, 13th May 2009, given by John Gallehawk of The Bletchley Park Trust, who came complete with an Enigma machine – the code machine used by the German’s during the war to send encrypted messages between various fighting units and their commanders.

It was the first time that I had heard anyone from Bletchley Park talk and the speaker was very engaging. The history of the house, its role during the war and its more recent history were all fascinating.

The Enigma machine was clearly the star attraction of the talk and sparked a lot of discussion amongst the various IT professionals drawn from across the region and from a variety of computing disciplines.

John Gallehawk, from The Blethcley Park Trust,
demonstrating the use of an Enigma Machine.

The talk accidentally followed Stephen Fry’s visit to Bletchley in the same week, which had managed to draw a lot of attention to the plight of the centre. News of his informal visit seems to have escaped because he uses Twitter to keep his fans informed of his movements. He’d announced that he was as “excited as a kitten” about his visit.

I certainly believe that Bletchley Park needs as much publicity and money as it can get. It is very much the cradle of British computing and is arguably the birth place of the first modern computer, the so-called Collossus. It would be a terrible disgrace if our generation of IT professionals allowed this important piece of our history to decay and disappear, which it most certainly is in danger of doing.

I blogged last September about Dr Sue Black of the University of Westminster’s letter to The Times, which she had been spurred to write after the feedback she received from other heads of computing departments across the British higher education establishment. She’s right - the centre really does need saving.

This weblog is produced by Revell Research Systems.

IT Security: No Symptoms? No Problems?

2009-05-19T19:37:15.765+01:00

I periodically battle with SME clients who argue that no one really would want to “hack” their organisation – they are simply too small or too insignificant to warrant the effort. I suspect I am not alone and that many other advisers on IT have the same trouble persuading their clients of the very real risks they face.

The argument that is often recited is that when the partner or director was employed elsewhere, their previous firm was much slacker with their IT security and had no problems whatsoever. The issue, of course, is that the goal in hacking has changed from destruction to utilisation. The aim is to take unseen control of the computing resources of an organisation and to use those resources for crime. It simply doesn’t surprise me that there never are any signs of compromise!

The BBC recently reported that security firm Finjan had tracked down a botnet with over two million machines under its control to a group of criminals working in the Ukraine. This particular botnet had even ensnared computing resources inside both the UK and US governments, which in itself raises concerns.

I suspect that firms that take few steps to lock down their workstations will have background malware undertaking all sorts of malicious activities. These infections will probably have managed to enter their sites via the web or email, which is increasingly carrying malicious content.

The so-called drive-by attacks using infected third party web sites is particularly worrying. Few organisations seem to scan inbound data over the web for vulnerabilities, partly because of the impact on browsing speeds that this would have. Those organisations that then don’t lock down their desktops so users cannot install software run very real risks of users innocently and unknowingly installing something they really don’t want. Once such software is on the inside of the firewall, most SME organisations simply have little or no defence, especially if the software is not strictly considered a “virus” and ignored by their anti-virus product.

A technical colleague in another firm drew my attention recently to Sophos’ Security Threat Report 2009, which provides examples of firms that have suffered attacks on their web sites. Some of these web sites would have posed risks to casual browsers of those sites as well as to those who had previously provided them with confidential information.

The list included such well-known names as ITV, a site selling Euro 2008 football championship tickets, the anti-virus firm Trend Micro, Cambridge University Press, Sony’s US Playstation site, the Association of Tennis Professionals’ web site as Wimbledon opened in the UK in June 2008 and the Business Week web site.

Unfortunately, I doubt few SME business leaders that have small (if any) indigenous IT staff will actually ever get to read it.

However, the difficulty simply persists that many SME organisations believe that no symptoms means no underlying problems. I can see their dilemma – a bunch of (often external) IT professionals becoming excited about dangerous threats and advocating the spending of money in a recession is far from appealing, especially when the risks from a naïve perspective seems minimal.

I was recently a guest at The Institution of Analysts and Programmers Spring Seminar in the London Docklands at which Microsoft’s Chief Security Advisor in the United Kingdom, Ed Gibson, spoke. He is an engaging speaker, an attorney in the United States and a practising solicitor in England and Wales, as well as a former FBI agent. He has for sometime been trying to raise awareness of these issues in the United Kingdom.

While listening to him and while mulling over his thoughts at the (excellent) lunch that followed, I believe that we really do need some form of reliable reporting mechanism for attacks of the sort documented by Sophos and these need to become highly publicised, even if in an anonymous form.

SME business leaders need to have independently verified facts about the IT security risks they face that are both readily available and easily digested; and in a form that brings the message home.

This weblog is produced by Revell Research Systems.