Ramblings of an Information Assurance Specialist<br />
Dr Rishi Shah<br />
<br />
<strong>Reliance Communications used for my Father's ID Fraud</strong> (21 September 2012)<br />
<br />
In February 2009, my father Divya Shah went to Ahmedabad, India for an operation.<br />
<br />
He is a British Citizen and hence not a resident of India and neither does he have any address in India.<br />
<br />
He was in Ahmedabad for a period of 21 days and left in February of 2009.<br />
<br />
In October 2009, a person in Ahmedabad managed to open a Reliance Communications Post Pay Account under my father's name.<br />
<br />
You will note that my father left India in February 2009 and this account was opened by Reliance Communications in October 2009.<br />
<br />
They did this as they required a bill with my father's name and a local address on it to give to Kotak Life to mess about with a life assurance policy my father has with Kotak.<br />
<br />
I found out in September 2012 that this Reliance Communications bill with my father's name and an Indian address was used at Kotak. This is clearly ID Fraud and against the law.<br />
<br />
I subsequently asked Reliance Communications to look into this and provide me with details of the evidence submitted to prove that the person opening this Reliance Communications telephone account was my father, but rather than investigate this ID fraud I am simply being pushed from pillar to post by Reliance Communications.<br />
<br />
Is there anybody within Reliance Communications who, after reading this blog, can assist in investigating what paperwork was used to open this account under my father's name? My father left India in February 2009 and is a British Citizen who does not have any Indian residency, so how did Reliance Communications open an account in his name?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-5P0NWdLo6-U/UF1r8NYYtOI/AAAAAAAAAEg/kis0thXtkXY/s1600/reliance.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-5P0NWdLo6-U/UF1r8NYYtOI/AAAAAAAAAEg/kis0thXtkXY/s1600/reliance.jpg" /></a></div>
<br />
Reliance Communication by law would have been required to do some checks to prove that the person who claimed to open the account under my father's name was genuinely my father. As my father was never in India what was used to open this account?<br />
<br />
So far Reliance Communications email help simply keeps telling me that I should go to my nearest Reliance shop, but I am in the UK. It's amazing what sort of people are at the end of this Reliance Communications email helpdesk.<br />
<br />
This is ID Fraud, simple. Reliance Communications' lack of ID checks made this possible and they need to take ownership of it.<br />
<br />
<strong><u><span style="color: red;">Mr Anil Ambani, are you going to look into this at all, or do you not care, just like your email helpdesk?</span></u></strong><br />
<br />
<br />
<strong>BAA Heathrow T5 Parking Pod failure - No face for BAA Customer Services here</strong> (29 August 2012)<br />
<br />
This is a failure of the Heathrow T5 Business Parking Pod system where you pay premium parking rates.<br />
<br />
It's not bad that it failed, because these things do fail; what was worse was that they refused to send anybody down for the 20 minutes it was out of order.<br />
<br />
We had to listen to a voice hiding behind the screen, who after a while stopped picking up the help phone also. <br />
<br />
This is customer service which is truly shameless. It was 9.30pm, totally dark, but BAA Heathrow refused to send any person down to assist or help calm passengers; they even stopped responding to the support telephone.<br />
<br />
BAA Heathrow - can I expect a refund (Heathrow Airport parking confirmation - Ref U4LWJQ).<br />
<br />
A video of the BAA person hiding behind the screen refusing to pick up multiple times is available at:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/yNdm-HGwIcM?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<strong>So rather than even pick up the remote phone service, they hung up on us, not once, not twice but nearly four times.</strong><br />
<br />
It is clear that the Pod is entirely unmanned and that vulnerable people or people travelling with young children will face a very hard time when the system breaks down, as BAA, in an effort to save money, will not have any real person to assist you.<br />
<br />
When it works it's great, but when it breaks down, BAA sends no real person and the people at the end of the phone don't want to speak to you either. This is truly wrong!!!<br />
<br />
<strong><u>Why can a real person not be available at the Pod itself? It's totally wrong that they refuse to put a real person on hand, especially during failures.</u></strong><br />
<strong><u>So</u></strong><br />
<br />
<strong>Lovefilm an Amazon company. Why can't they respect the Data Protection Act.</strong> (7 August 2012)<br />
<br />
I left Lovefilm, now an Amazon company, as a customer last year.<br />
<br />
But for the past one month Lovefilm has been harassing me with phone calls trying to win me back virtually every single day.<br />
<br />
Despite informing them to stop calling me in line with the Data Protection Act, they have refused to do so. They simply don't get it that I no longer wish to be a customer. How desperate can a company be for some business, and how exactly do they think that by harassing customers they will get more custom?<br />
<br />
Here is the number of times they called me from their 0845 286 1740 call center in just the last few days:<br />
<br />
7th August - 10:05<br />
6th August - 11:43<br />
3rd August - 16:58<br />
3rd August - 11:01<br />
2nd August - 15:12<br />
31st July - 18:32<br />
30th July - 16:28<br />
<br />
I even emailed this to the Amazon legal team but they have still not shown any respect to statutory law.<br />
<br />
I will keep updating the Lovefilm calling list until they stop.<br />
<br />
Hopefully this public shaming will stop them... I hope!!!<br />
<br />
<strong>Fuel Genie and the 3% fuel cost saving claim.... I won</strong> (29 June 2012)<br />
<br />
As a company director I use Fuel Genie for my company cars. I was attracted to this because of a claim of save 3% on fuel costs by Fuel Genie when I joined in 2009.<br />
<br />
However this claim has never materialised and multiple emails have been ignored by Fuel Genie.<br />
<br>
Today 29/6/12 I got an email from them saying this claim was based on a 2009 study carried out but never checked again, although they kept using this claim. They have now agreed to take this claim off their website and I have asked for the claims to be taken off all petrol forecourts where Fuel Genie can be used.<br /><br />
As a business user there is fundamentally no saving to me in using Fuel Genie and it's time they take responsibility for their actions.<br />
<br>
<b>I have asked for a 3% refund on all my fuel usage since 2009; let's see what they do, as clearly their advertising was misleading and hence against the law.<br />
<br>
<i>But the one thing I am proud of is that a single small person like me finally forced Fuel Genie to admit their advertising was against the law and hence to take it off.</i><br>
<br>
You only have to do a Google search on "Fuel Genie 3% discount" to see the cached website showing the misleading advertising.</b><br />
<br />
<strong>Big Gaff by GiffGaff Mobile Network</strong> (18 April 2012)<br />
<br />
As one does, I requested VAT receipts for payments made to GiffGaff Ltd, who I use for two of my mobile telephones.<br />
<br />
What subsequently happened was simply amazing, however quite embarrassing for GiffGaff I am sure.<br />
<br />
A little digging on my side revealed a lot and quickly put GiffGaff back in its box.<br />
<br />
Attached below are communications from GiffGaff from their "Ask an Agent" part of their website where one can ask for help.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-qDT9h8ouIVk/T45RbcJVD3I/AAAAAAAAADw/gzbaszW_Nz4/s1600/giffgaff+response+1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="473" src="http://4.bp.blogspot.com/-qDT9h8ouIVk/T45RbcJVD3I/AAAAAAAAADw/gzbaszW_Nz4/s640/giffgaff+response+1.jpg" width="640" /></a><a href="http://4.bp.blogspot.com/-Rx7PYKrTKJU/T45WgnJmN0I/AAAAAAAAAEI/cdYWovEYP_0/s1600/giffgaff+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://4.bp.blogspot.com/-Rx7PYKrTKJU/T45WgnJmN0I/AAAAAAAAAEI/cdYWovEYP_0/s640/giffgaff+2.jpg" width="640" /></a></div><br />
A few things to note from this message from GiffGaff Ltd:<br />
<br />
1) GiffGaff believe VAT invoices are protected under the UK's Data Protection Act as they believe they contain sensitive information.<br />
2) GiffGaff claim that although VAT receipts are protected under the Data Protection Act, they can be simply emailed as a PDF. (I dispute the fact that an invoice is protected under the DPA to begin with.) However it is fascinating to note that GiffGaff believe information which is protected under the DPA can simply be emailed over plain text email.<br />
3) However the statement which really makes me laugh is: "Our email servers here at GiffGaff are secure and protected."<br />
<br />
A simple quick check via NSLOOKUP against a public DNS server shows that GiffGaff uses Google hosted email for its entire corporate email.<br />
<br />
<a href="http://3.bp.blogspot.com/-KcAmpJAN_Ms/T45Rhg0MR1I/AAAAAAAAAD4/uztWyF8HCYY/s1600/giffgaff+NSlookup.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-KcAmpJAN_Ms/T45Rhg0MR1I/AAAAAAAAAD4/uztWyF8HCYY/s1600/giffgaff+NSlookup.jpg" /></a>Hence neither can these emails be considered "Our email servers here at GiffGaff", nor can they be considered "secure and protected", as Google's own terms and conditions clearly state that the information on Google servers can be held anywhere in the world. This obviously goes against the UK Data Protection Act, as the Act requires the information to be held in certain countries only.<br />
<br />
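The NSLOOKUP check described above can be scripted so the answer is recorded rather than read off a screenshot. The Python below is an added example, not code from this post or from GiffGaff or Google: it parses the text that <code>nslookup -type=MX</code> prints (both the Linux/macOS layout and the Windows layout) and classifies the mail exchangers by hosting provider. The two sample outputs, the example.com domain and the provider suffix table are constructed for the example; the live_mx_lookup helper shells out to nslookup and needs network access, so the sample run does not call it.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample of what `nslookup -type=MX example.com 8.8.8.8` prints on
# Linux/macOS. Nothing is claimed here about example.com's real MX records.
SAMPLE_LINUX_OUTPUT = """Server:\t\t8.8.8.8
Address:\t8.8.8.8#53

Non-authoritative answer:
example.com\tmail exchanger = 10 aspmx.l.google.com.
example.com\tmail exchanger = 20 alt1.aspmx.l.google.com.
"""

# Constructed sample of the same answer in the Windows nslookup layout.
SAMPLE_WINDOWS_OUTPUT = """Non-authoritative answer:
example.com     MX preference = 10, mail exchanger = aspmx.l.google.com
example.com     MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
"""

# Provider suffixes used for classification: an assumption for this example,
# not an authoritative list.
PROVIDER_SUFFIXES = {
    "Google hosted email": (".google.com", ".googlemail.com"),
    "Microsoft 365 hosted email": (".outlook.com",),
}

# Matches both "MX preference = 10, mail exchanger = host" (Windows) and
# "mail exchanger = 10 host." (Linux/macOS).
_MX_LINE = re.compile(
    r"(?:MX preference = (\d+),\s*)?mail exchanger = (?:(\d+)\s+)?([A-Za-z0-9.-]+)"
)


def parse_mx(nslookup_output: str) -> List[Tuple[Optional[int], str]]:
    """Extract (preference, host) pairs from nslookup MX output in either layout."""
    records = []
    for line in nslookup_output.splitlines():
        m = _MX_LINE.search(line)
        if not m:
            continue
        pref = m.group(1) or m.group(2)
        host = m.group(3).rstrip(".").lower()   # drop the trailing root dot
        records.append((int(pref) if pref else None, host))
    # Lowest preference first; records without a preference go last.
    return sorted(records, key=lambda r: (r[0] is None, r[0] or 0, r[1]))


def classify_mx(records: List[Tuple[Optional[int], str]]) -> str:
    """Name the provider if every MX host falls under one known provider's domains."""
    if not records:
        return "no MX records"
    for provider, suffixes in PROVIDER_SUFFIXES.items():
        if all(host.endswith(suffixes) for _, host in records):
            return provider
    return "self-hosted or unrecognised provider"


def live_mx_lookup(domain: str, resolver: str = "8.8.8.8") -> str:
    """Run the real nslookup query (needs network); returns raw text for parse_mx."""
    result = subprocess.run(
        ["nslookup", "-type=MX", domain, resolver],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


if __name__ == "__main__":
    for sample in (SAMPLE_LINUX_OUTPUT, SAMPLE_WINDOWS_OUTPUT):
        recs = parse_mx(sample)
        print(recs, "->", classify_mx(recs))
```

The classification only says who receives the domain's inbound mail; it is enough to test a "our own servers" claim, but where data is stored and processed after delivery still has to be established from the provider's contract terms, which is the point the post goes on to make.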
This however is not an issue for Google, as they are not selling hosted email which is compliant with the UK DPA, but an issue for GiffGaff who believe they can fool a customer like myself by stating they actually own and physically host their own email server.<br />
<br />
There is nothing wrong in using Google Mail, even I use it, but for GiffGaff to sell it as UK DPA compliant is simply laughable.<br />
<br />
When I pointed out this Google email hosting issue to "Joe the Agent" he quickly changed his tone and agreed to post out the VAT receipts by 1st Class Recorded post, no less.<br />
<br />
This might be just a one-off rogue Agent Joe who thought "let me just try and make a mockery of the customer", but I did on every occasion also copy the emails to Mike the CEO of GiffGaff. As I also got an out of office reply from Mike the CEO, the emails clearly did get to him. However Mike the CEO of GiffGaff did not reply once at all.<br />
<br />
Hence I can only assume that the replies from Joe were fully sanctioned by GiffGaff.<br />
I have forwarded this matter to the UK Information Commissioner's Office.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">If GiffGaff Ltd wishes me to change any of this information, as long as they can provide the necessary justification I will be happy to do so.</div>
<br />
<strong>Choice of Credit Card Hashing Algorithm</strong> (11 January 2012)<br />
<br />
In December 2011, I tried a Groupon code that allowed me access to four boxes of nibbles to be delivered to my door.<br />
<div>
<br />
Let's call this company that delivered the nibbles to your door Company A. We all know who this company is!!!</div>
<br />
Although all I wanted was the four box trial, I had to enter my credit card details.<br />
<br />
I tried my first box and was unhappy with their delivery and the fact they put all the onus onto Royal Mail rather than accepting the fact that legally it is the responsibility of Company A to deliver the item to my door, and whoever they choose, if they are let down, legally they are still held accountable.<br />
<br />
So I requested that my account be closed and that all 4 boxes be delivered as per my trial, and made it clear on the 11th of December that they should not charge my credit card.<br />
<br />
On the 15th of December a charge appeared and hence this set off a series of issues.<br />
<br />
Now to the main part of the blog.... I asked Company A how they protected my credit card details while held on their servers and their response was simply amazing:<br />
<br />
<strong>Reply from <a href="mailto:Krista@Company">Krista@Company</a> A on 16th December 2011 was - The one-way hash that we use is MD5 encryption algorithm.</strong><br />
<br />
<ul>
<li>For a start MD5 is a Hashing algorithm and NOT encryption. </li>
<li>Secondly the PCI (Payment Card Industry) Code themselves ask you not to use a weak Hashing algorithm.</li>
<li>Finally MD5 is probably the weakest algorithm you can choose.</li>
</ul>
So I asked Company A why they used such a weak algorithm and why they did not understand the difference between hashing and encryption.<br />
<br />
<div>
<strong>The reply from </strong><strong><a href="mailto:Krista@Company">Krista@Company</a> A</strong><strong> on 16th December was - We will give no further details on this or on our use of the MD5 algorithm as that in itself would compromise security.</strong></div>
<br />
So Company A confirm they use MD5 to hash the credit card number; with so many public hacks regarding MD5, why on earth does Company A use it? And why would they make this public to me in an email? If I was their security chap I would never state this to start with.<br />
<br />
Even if this hash is further encrypted, at some point within their system it will have to be stored as an MD5 hash to be processed (charge a card, refuse, etc). So at some point the MD5 hash value of my credit card would be available. <br />
<br />
<strong>Please Company A can you kindly stop the use of MD5 and move to either SHA-1 or SHA-256?</strong><br />
<br />
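As an added example (not code from this post or from Company A), the Python below makes the hashing-versus-encryption distinction concrete and goes one step beyond the post: it shows that swapping the unkeyed hash from MD5 to SHA-1 or SHA-256 changes nothing about how easily a stored card hash can be matched against a list of candidate numbers, because a 16-digit card number has very little entropy, whereas a keyed hash (HMAC-SHA256 with a secret held outside the database) cannot be matched without the key. The card number, the candidate list and the key are constructed test values.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed test values. 4111 1111 1111 1111 is a well-known test PAN, not a
# real account; the key is a placeholder and would never live in source code.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"example-key-kept-in-an-hsm-not-in-code"
CANDIDATE_PANS = [
    "4000000000000002",
    "4111111111111111",
    "5555555555554444",
    "378282246310005",
]


def plain_digest(pan: str, algorithm: str = "md5") -> str:
    """Unkeyed one-way hash of the PAN: the scheme Company A described.

    A hash takes no key and has no inverse operation, which is what makes it a
    hash rather than encryption; the same input always yields the same digest."""
    return hashlib.new(algorithm, pan.encode()).hexdigest()


def keyed_digest(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Matching a stored value needs the secret key,
    so a copy of the database alone is not enough to rebuild the digests."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def match_unkeyed(stored: str, candidates: Iterable[str], algorithm: str) -> Optional[str]:
    """Auditor's check: does any candidate PAN produce the stored unkeyed digest?
    Behaves identically for md5, sha1 and sha256, which is the point."""
    for pan in candidates:
        if hmac.compare_digest(plain_digest(pan, algorithm), stored):
            return pan
    return None


def match_keyed(stored: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """The same check against a keyed digest; it succeeds only with the right key."""
    for pan in candidates:
        if hmac.compare_digest(keyed_digest(pan, key), stored):
            return pan
    return None


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        stored = plain_digest(SAMPLE_PAN, algo)
        print(f"{algo:7} stored={stored[:16]}... matched={match_unkeyed(stored, CANDIDATE_PANS, algo)}")
    stored_keyed = keyed_digest(SAMPLE_PAN, SAMPLE_KEY)
    print("hmac    wrong key ->", match_keyed(stored_keyed, CANDIDATE_PANS, b"wrong-key"))
    print("hmac    right key ->", match_keyed(stored_keyed, CANDIDATE_PANS, SAMPLE_KEY))
```

The application that holds the key can still do what it needs to (recognise a returning card by comparing keyed digests), while whoever obtains only the stored digests cannot; this is why the current PCI DSS (v4.0) requires hashes used to render a PAN unreadable to be keyed, not merely a stronger unkeyed algorithm.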
<div>
And if you have made the change since you provided the information on the 16th of December, can you let me know so I can update the blog?</div>
<br />
<strong>No authorised Advertising at the Olympics.</strong> (12 April 2011)<br />
<br />
<a href="http://lh4.ggpht.com/_3TZXU2QOwjo/TaP9ncNrxaI/AAAAAAAAADo/x7d2Hm3qyr0/No%20authorised%20Advertising%20at%20the%20Olympics._img_1.jpg"><img src="http://lh4.ggpht.com/_3TZXU2QOwjo/TaP9ncNrxaI/AAAAAAAAADo/x7d2Hm3qyr0/No%20authorised%20Advertising%20at%20the%20Olympics._img_1.jpg" /></a><br />
<br />
Draft legislation has been proposed and put forward for the Olympics which makes it illegal for any advertising which has not been paid for to the Olympics Committee.<br />
<br />
These sponsorship deals cost millions of £££ for a few weeks of the games, so the Olympics committee is keen to make sure that whoever has not paid can't advertise.<br />
<br />
An interesting angle to this is smartphones, tablets and laptops. The proposed law says that it is illegal "to carry an apparatus by which an advertisement is displayed at or within a few hundred meters of the Olympics venues during the games".<br />
<br />
The Olympics committee will take this very seriously and will enforce it. So you had better leave your phone, iPod, tablet or laptop at home.<br />
<br />
It's obviously designed to stop the big boys advertising something they have not paid millions for at the games, but I am sure the security teams at the Olympics will over-exert their power in applying the law and have great fun doing so.<br />
<br />
Make sure anything you wear is not displaying any logos or adverts... they will most likely check your underwear too for logos...
;-><br />
<br />
<a href="http://www.london2012.com/documents/imported/advertising-and-street-trading-regulations-english-summary.pdf">Advertising Legislation Link.</a><br />
<br />
<strong>When NOT to trust an SSL certificate.</strong> (7 April 2011)<br />
<br />
Comodo recently issued a security alert that after a breach 9 SSL certificates were falsely issued.<br />
<br />
Unfortunately far too many people on the internet associate the SSL padlock with a symbol of ultimate trust.<br />
<br />
Unfortunately this is seriously misplaced trust.<br />
<br />
Sophisticated hacking attempts mean it is now getting easier for SSL issuers to be hacked into issuing certificates.<br />
<br />
Moreover, all a certificate really does in terms of integrity is assert that the host name you typed in your browser is what the server hosting the SSL certificate claims to be.<br />
<br />
Today it is easy to get (fool) a domain registrar to redirect a domain's IP address or poison DNS to give out a false IP. At this point even if you typed your bank's URL, for instance, there is no guarantee that you are actually going to your bank.<br />
<br />
So the next time you simply rely <u>on</u> the SSL padlock symbol to keep you safe, think twice...
look at the page, is it all the same, and if your credentials which are correct are rejected or you get a website error after putting in your credentials, chances are you are logging onto a hacker's site.<br />
<br />
SSL and the padlock are NO longer a symbol of trust on their own.<br />
<br />
<strong>Wales e-crime cost nears £1bn - Trusting everybody</strong> (31 March 2011)<br />
<br />
<a href="http://lh6.ggpht.com/_3TZXU2QOwjo/TZSLblZPGfI/AAAAAAAAADc/QKismexPjYw/Wales%20e-crime%20cost%20nears%20%C2%A31bn%20-%20Trusting%20everybody_img_1.jpg"><img src="http://lh6.ggpht.com/_3TZXU2QOwjo/TZSLblZPGfI/AAAAAAAAADc/QKismexPjYw/Wales%20e-crime%20cost%20nears%20%C2%A31bn%20-%20Trusting%20everybody_img_1.jpg" /></a><br />
<br />
An interesting story in the BBC this morning [<a href="http://www.bbc.co.uk/news/uk-wales-mid-wales-12909246">BBC</a>] about e-crime now having doubled in a period of just 12 months to £1 billion.<br />
<br />
However what was more interesting is the final part of the article, in that a Mr Perring had all his business information stolen by a disgruntled employee when he had to let him go due to the recession. The reason was simple: Mr Perring basically trusted the employee to set up his IT system and run it without checking if it was actually secure, because he did not know much about it.
He also did not understand that the IT guy he let go actually had access to all his information.<br />
<br />
This is what really amazes me: I appreciate that you may not understand IT, but you would not give your house or car keys to just anybody and trust them, so why would you not do the same with your information?<br />
<br />
It's unknown if Mr Perring lost any personal information that he was processing on behalf of his clients, but if he did and the ICO did have a look at it, Mr Perring would have broken the Data Protection Act, because as the owner of the business, and hence the Data Owner, it would have been his responsibility to ensure all information was being securely processed.<br />
<br />
Take stock now:<br />
<br />
1) Do you actually know where all your data is, especially if it is being hosted on a cloud or looked after by a contractor or 3rd party company?<br />
<br />
2) Do you know if it has role based access control over it? Surely everybody does not need access to all of it.<br />
<br />
3) Are you sure all access to the data is actually secure, including when the data is at rest (on a laptop, desktop, server) or in transit across a network?<br />
<br />
Remember your Data Ownership risk cannot be transferred simply because you did not bother to get your policy right and your data goes missing.<br />
<br />
<strong>When too much information is not good. Tesco vs Asda Price refund Policy.</strong> (29 March 2011)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ENJ3K5-LCbw/TZGMIpeX9GI/AAAAAAAAADY/p2ROm51XaEE/s1600/tesco.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="150" src="http://2.bp.blogspot.com/-ENJ3K5-LCbw/TZGMIpeX9GI/AAAAAAAAADY/p2ROm51XaEE/s200/tesco.jpg" width="200" /></a></div><a href="http://lh3.ggpht.com/_3TZXU2QOwjo/TZGKPpGH0NI/AAAAAAAAADU/qjEYmwQC0II/When%20too%20much%20information%20is%20not%20good.%20Tesco%20vs%20Asda%20Price%20refund%20Policy._img_1.jpg"><img height="143" src="http://lh3.ggpht.com/_3TZXU2QOwjo/TZGKPpGH0NI/AAAAAAAAADU/qjEYmwQC0II/When%20too%20much%20information%20is%20not%20good.%20Tesco%20vs%20Asda%20Price%20refund%20Policy._img_1.jpg" style="margin-bottom: 10px; margin-left: 0pt; margin-right: 10px; margin-top: 0pt;" width="200" /></a><br />
<br />
Recently ASDA launched a price policy which allowed you to take your ASDA shopping receipt home, punch in the special code on the receipt and it would automatically price check the whole shop against Tesco and give you an ASDA voucher for the difference if they were more expensive.<br />
<br />
Not to be outdone, Tesco started the same. However within weeks Tesco had to change its policy and reduce the amount you could claim back.... Why, you ask??? Well it's because too many people started discussing on specific blogs exactly which products were more expensive in Tesco and thereby increasing their voucher claim if they specifically purchased those items.<br />
<br />
Tesco has received a lot of flame for this on their Facebook page too after backtracking on the original price policy.<br />
<br />
Websites like mysupermarket.com do checks on a daily basis against the popular supermarkets and make them available for all to see. Super eager savers use the website to spread the word on where the largest profit is to be had when the price difference between Tesco and Asda is large for a particular product, and then websites like moneysavingexpert.com and Twitter help spread the word like wildfire.<br />
<br />
Hence too much information has forced Tesco to backtrack and it's good to see even a giant like Tesco can be brought down by availability of information.<br />
<br />
<strong>More email lists go missing - Play.com, Tripadvisor.</strong> (25 March 2011)<br />
<br />
<a href="http://lh3.ggpht.com/_3TZXU2QOwjo/TYx03CaW08I/AAAAAAAAADQ/FKUsWITpBdg/More%20email%20lists%20go%20missing%20-%20Play.com%2C%20Tripadvisor._img_1.jpg"><img height="92" src="http://lh3.ggpht.com/_3TZXU2QOwjo/TYx03CaW08I/AAAAAAAAADQ/FKUsWITpBdg/More%20email%20lists%20go%20missing%20-%20Play.com%2C%20Tripadvisor._img_1.jpg" style="margin: 0pt 10px 10px 0pt;" width="92" /></a><a href="http://lh6.ggpht.com/_3TZXU2QOwjo/TYx0xK8R7CI/AAAAAAAAADM/__m_Xb5RF1g/More%20email%20lists%20go%20missing%20-%20Play.com%2C%20Tripadvisor._img_1.png"><img height="150" src="http://lh6.ggpht.com/_3TZXU2QOwjo/TYx0xK8R7CI/AAAAAAAAADM/__m_Xb5RF1g/More%20email%20lists%20go%20missing%20-%20Play.com%2C%20Tripadvisor._img_1.png" width="200" /></a><br />
<br />
In the last 7 days both Play.com and Tripadvisor have stated that their marketing email databases which collectively probably exceed 40 million email addresses have been hacked and taken off them.<br />
<br />
What surprises me is how both these organisations make it out that it's just an email address and hence it is okay. Also they both state that it was not their fault and they were part of an elaborate attack. How is this even acceptable?<br />
<br />
Both organisations clearly know they have a legal duty to look after the information and should proactively check and probe their systems, yet none actually do.<br />
<br />
However in the case of Tripadvisor there are reports and rumours that the internal system was open to all employees without any restrictions and hence ripe for the taking.<br />
<br />
Unless the EU and USA tighten up their Data Protection rules and assign some criminal convictions to them, nothing will force a CEO to take Information Assurance seriously.<br />
<br />
Ahh well, here's to more spam.<br />
<br />
<strong>ASDA selling Samsung Galaxy Tab for just £299.</strong> (24 March 2011)<br />
<br />
<a href="http://lh3.ggpht.com/_3TZXU2QOwjo/TYtXXEL7XKI/AAAAAAAAADI/WP4Td9dHrxE/ASDA%20selling%20Samsung%20Galaxy%20Tab%20for%20just%20%C2%A3299._img_1.jpg"><img height="150" src="http://lh3.ggpht.com/_3TZXU2QOwjo/TYtXXEL7XKI/AAAAAAAAADI/WP4Td9dHrxE/ASDA%20selling%20Samsung%20Galaxy%20Tab%20for%20just%20%C2%A3299._img_1.jpg" style="margin-bottom: 10px; margin-left: 0pt; margin-right: 10px; margin-top: 0pt;" width="200" /></a><br />
<br />
It's iPad 2 launch day in the UK in under 24 hours and ASDA have dropped the price of the Galaxy Tab to just £299. At one point it was over £600.<br />
<br />
Now this is a much better price, but if it had been this from day one it would have sold a hell of a lot more devices.<br />
<br />
It's a bit late for me now especially considering the Galaxy Tab has just a single core processor, and a 7" screen.<br />
<br />
I will wait for the IPAD2 and hope that the Dual Core 10" tablets come down to a decent price soon.<br />
<br />
Android hardware device makers fail to understand the power of coming in at a decent price point and hence always lose out against Apple.<br />
<br />
<strong>Amazon Android App store going live... but only in the USA.</strong> (24 March 2011)<br />
<br />
<img height="133" src="http://lh4.ggpht.com/_3TZXU2QOwjo/TYtU0gxqyXI/AAAAAAAAADE/bw2XqHFTCQg/Amazon%20Android%20App%20store%20going%20live...%20but%20only%20is%20the%20USA._img_1.jpg" width="200" /><br />
<br />
I am in the UK and was <u>allowed</u> to download the Amazon Android App store.<br />
<br />
It then asks me to enter my Amazon credentials, which I do with my Amazon UK account.<br />
<br />
It accepts this and then shows the Apps.<br />
<br />
I click on Angry Birds RIO and it complains of 1-Click not being active, so it takes me to the Amazon website and shows me my UK account, where I activate 1-Click.<br />
<br />
Still, when I try to download the App it complains of 1-Click not being set up. I double check and it is.<br />
<br />
Others who complain about this on the internet point to the fact that the App store is for the USA only.<br />
<br />
So why does Amazon allow me to:<br />
<br />
Download the app store with a UK IP address?<br />
<br />
Sign in with a UK Amazon account?<br />
<br />
Ask me to set up 1-Click on the UK account?<br />
<br />
Nowhere does it tell me that not being in the USA is the problem. This is a poor design by Amazon but I am used to it.<br />
<br />
Well I will simply have to wait for Angry Birds RIO.<br />
Dr Rishi Shah<br />
<br />
UK iPad 2 launch and price drop<br />
Posted 2011-03-23<br />
<a href="http://lh4.ggpht.com/_3TZXU2QOwjo/TYmyvJ_inxI/AAAAAAAAADA/2QC-u_qfASw/UK%20IPad2%20launch%20and%20Price%20drop_img_1.png"><img height="125" src="http://lh4.ggpht.com/_3TZXU2QOwjo/TYmyvJ_inxI/AAAAAAAAADA/2QC-u_qfASw/UK%20IPad2%20launch%20and%20Price%20drop_img_1.png" style="margin-bottom: 10px; margin-left: 0pt; margin-right: 10px; margin-top: 0pt;" width="200" /></a><br />
<br />
The iPad 2 launches in less than 48 hours in the UK.<br />
<br />
However what is even better news is the drop in price by £30 to £399 for the Wifi 16GB entry version.<br />
<br />
This is great marketing for Apple. £399 is a price which undercuts every other decent dual core 10-inch Android device, but still comes with the strong App Store specially designed for the tablet orientation.<br />
<br />
And now that all the i-related devices are undergoing FIPS 140-2 encryption evaluation, it makes it a great time for the enterprise to invest too.<br />
<br />
Google is really missing a trick here. Sure it has its following and I too use the Nexus S, but in tablet form even I would not argue with the iPad 2.<br />
<br />
It's now thinner, lighter and supports FaceTime too.<br />
<br />
Here is hoping there is enough stock at the UK launch.<br />
Dr Rishi Shah<br />
<br />
Leicester City Council - 2,000 elders' front door codes go missing.<br />
Posted 2011-03-22<br />
<img src="http://lh6.ggpht.com/_3TZXU2QOwjo/TYi07ldzxwI/AAAAAAAAAC8/5okaPTsrJDQ/Leicester%20City%20Council%20-%202%2C000%20Elder%27s%20front%20door%20code%20goes%20missing._img_1.jpg"><br />
<br />
<i>"Leicester City Council has misplaced a USB stick containing personal details of 4,000 vulnerable and often elderly users of its care service.</i><br />
<br />
<i>The data has disappeared from LeicesterCare, the council's vulnerable residents' support service. Along with personal information, the stick also has key codes for 2,000 people, which are used to open boxes outside users' houses which contain their front door keys."</i> - Reported by The Register<br />
<br />
This is just sickening.
It would be good to understand who within the Council actually thought that putting such sensitive information on to a USB stick was acceptable.<br />
<br />
The Council has yet to confirm if the stick was encrypted or not, but if the Council had looked at this with a Business Impact Assessment method for the loss of the data, they would have discovered that the loss of 2,000 vulnerable adults' front door codes has a very high impact against it.<br />
<br />
It's amazing that simple things like this are not conducted by the Council, and still you keep hearing about such categories of data loss.<br />
<br />
As the Data Owner, ultimately the Council's CEO should be held accountable, but yet again you can be sure that the ICO will not take any real action.<br />
<br />
Until the Data Protection Act carries a criminal conviction, Data Owners up and down the country will keep taking large risks with other people's data.<br />
<br />
The Council knows that even if it is fined, it simply has to pass this charge on to the local residents as extra Council Tax.<br />
<br />
Due to the nature of the data loss in this case, it is simply shameful and the CEO of Leicester City Council (as the Data Owner) should offer his resignation. There is no justifiable business reason to take such sensitive data off onto a removable drive, encrypted or not, especially when you consider how easy it would have been to set up SECURE remote access to the data in the first place.<br />
<br />
I always insist on secure remote access to the data in the first instance, with USB removable drive access to the data being the absolute last option after all other options have been explored and exhausted.<br />
<br />
Dr Rishi Shah<br />
<br />
Dangers of Recycling Mobile Phones... Secure Data Erasure.<br />
Posted 2011-03-22<br />
<img src="http://lh5.ggpht.com/_3TZXU2QOwjo/TYhZLKn4EmI/AAAAAAAAAC0/D2H05i369Y8/Dangers%20of%20Recycling%20Mobile%20Phones...%20Secure%20Data%20Erasure._img_1.jpg"><br />
<br />
An interesting article in the Metro newspaper today.<br />
<br />
Apparently nearly 50% of people who have purchased or received a recycled phone have contacted the original owner because of details left on the phone.<br />
<br />
In this day and age I am amazed how many people still don't understand why it is so important to factory reset a phone prior to giving it away. Current smartphones hold a dangerous amount of personal information. And then you have all the saved passwords and cookies for the likes of Facebook, Twitter, email accounts, etc.<br />
<br />
A lot of it is enough to assist with ID theft.<br />
<br />
Although the onus is with the owner to delete all his details before giving his phone away, the European Data Protection Directive makes it clear that the company doing the recycling should also delete all the data off the phone.<br />
<br />
Whatever the case, this is a timely reminder to erase all information and ensure you actually know how to delete the data in the first place.<br />
<br />
Many smartphones also offer the ability to remotely erase a phone or fully encrypt all user data, which should be considered too in addition to the basic PIN protection.<br />
<br />
You have been warned!<br />
<br />
Dr Rishi Shah<br />
<br />
Google gets a €100,000 fine in France for Streetview.<br />
Posted 2011-03-21<br />
<img src="http://lh6.ggpht.com/_3TZXU2QOwjo/TYeDup50UhI/AAAAAAAAACw/arKhC4Fo5Hw/Google%20gets%20a%20%E2%82%AC100%2C000%20fine%20in%20France%20for%20Streetview._img_1.jpg"><br />
<br />
Finally some financial penalty for Google's Streetview debacle.<br />
<br />
The Data Protection Supervisor in France has ordered Google to pay the maximum penalty of €100,000.<br />
<br />
I am sorry, but nobody saw through Google's bullsh*t that the code which collected raw unencrypted wireless data was accidentally introduced into the Streetview production code. Google is far too big a company not to have a strict policy on how code is introduced into a production system.<br />
<br />
However what is surprising is the different reaction by the various Data Protection Supervisory authorities across the EU, who are all supposed to implement and police the same EU Data Protection Directive.<br />
<br />
It just shows that the EU still does not operate in a single manner.<br />
<br />
I for one am happy to see Google, who have not commented on the matter at all, brought down a peg.<br />
<br />
Let's see how many other Data Supervisory Authorities follow France.
I hope they do, and soon.<br />
<br />
Although the fine is a drop in the ocean for Google, it sends a very clear message to them: do not try your luck at processing personal data unless you have permission and are operating within the law.<br />
<br />
Dr Rishi Shah<br />
<br />
London Olympics bans Food, Drinks and more in the name of Anti Terrorism.<br />
Posted 2011-03-21<br />
<a href="http://lh4.ggpht.com/_3TZXU2QOwjo/TYeCtJFApQI/AAAAAAAAACs/umrEaOGsXNA/London%20Olympics%20bans%20Food%2C%20Drinks%20and%20more%20in%20the%20name%20of%20Anti%20Terrorism._img_1.jpg"><img src="http://lh4.ggpht.com/_3TZXU2QOwjo/TYeCtJFApQI/AAAAAAAAACs/umrEaOGsXNA/London%20Olympics%20bans%20Food%2C%20Drinks%20and%20more%20in%20the%20name%20of%20Anti%20Terrorism._img_1.jpg" style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" height="240px" width="215px" /></a><br />
<br />
Everybody can see through this. It's the only way the Olympics Committee can promise greater profits for their sponsors.<br />
<br />
However the following items are banned from being brought into the Olympics Village:<br />
<br />
Food<br />
Drink<br />
Mobile Phones<br />
Umbrellas<br />
Branded Caps<br />
Branded Tops<br />
<br />
Food and Drink is just shameless and the Olympics Committee should be ashamed. However EU law does require that free water is distributed, so let's see if this is done.<br />
<br />
I bet that the cost of a bottle of water within the Olympic Village will be at least £2.
<br />
<br />
The pursuit of profit knows no bounds when it comes to the biggest con - the Olympics.<br />
<br />
Thank God the con only comes once every 4 years.<br />
<br />
Dr Rishi Shah<br />
<br />
Why are the Crown Jewels still being exposed... RSA SecurID Hacking<br />
Posted 2011-03-18<br />
<img src="http://lh4.ggpht.com/_3TZXU2QOwjo/TYM73tHC7hI/AAAAAAAAACo/3TWLPfAjp7Q/Why%20are%20the%20Crown%20Jewels%20still%20being%20exposed...%20RSA%20SecurID%20%20Hacking_img_1.jpg"><br />
<br />
RSA have announced publicly that they have been subject to an Advanced Persistent Threat and that some information related to SecurID has been lifted by the hackers.<br />
<br />
This is all well and good making it public, but why does a security company which relies heavily on its single SecurID product to make money put its development work and source code in an area which is accessible from the internet?<br />
<br />
WHY?<br />
<br />
Cisco had a similar issue last year too. And these are two large firms which deal with security.<br />
<br />
Things might change now at RSA, but closing the stable door after the horse has bolted comes to mind.<br />
<br />
I see this time and time again, and the only thing I can think of is that these guys have not done a business impact assessment of what would happen if their source code leaked. It's such a poor business practice to ignore this.<br />
<br />
Dr Rishi Shah<br />
<br />
GMail Backup<br />
Posted 2011-03-17<br />
<br />
A few weeks ago about 150,000 people lost access to their GMail emails. GMail slowly restored the email and, although they had no SLA to do so (free accounts), it was their reputation on the line.<br />
<br />
I host all my domains with Google Apps (the free version) so I also heavily rely on Google, except that it still appears as my domain rather than gmail.com.<br />
<br />
Google are reliable most of the time, but because you have no SLA with the free version of GMail you are relying purely on their good will.<br />
<br />
However there are many ways of backing up GMail, especially with POP and IMAP access.<br />
<br />
The best tool I have found so far is GMail Backup <a href="http://www.gmail-backup.com/">www.gmail-backup.com</a>. It's Freeware/Donateware, although I do suggest you help out the author so that the tool continues to evolve.<br />
<br />
What I really like about it is that it runs under Windows 2008 Server too, in addition to other versions of Windows, Linux and Mac. But the best part is that you can invoke it from the command line. So you can now easily schedule a GMail backup every day or, in my case, every 6 hours and truly forget about it. It even creates a file which shows which were the newer emails it backed up.<br />
<br />
It even allows restoring of the emails back to your GMail account or any other GMail account.<br />
<br />
And for those who don't like the command line, they do have a GUI. Obviously you cannot schedule the GUI, but the command line is a very simple single line command which simply needs to be invoked to start a backup.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh4.googleusercontent.com/-yMBI8e835Hk/TYHltrWUCFI/AAAAAAAAACg/cQG2RhmRrsk/s1600/gmb-0_107.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://lh4.googleusercontent.com/-yMBI8e835Hk/TYHltrWUCFI/AAAAAAAAACg/cQG2RhmRrsk/s320/gmb-0_107.bmp" width="298" /></a></div><br />
<br />
Further backups are all incremental, following the first full backup.<br />
<br />
I now have a proper scheduled GMail backup for all my various GMail App accounts and for once I can forget about worrying whether my email in the cloud is safe.<br />
<br />
Remember, just because you put it into the cloud does not mean you don't need to back it up, especially when you consider free versions which have no SLA such as GMail, Hotmail, Yahoo, etc.<br />
<br />
So go on, do a daily backup of your GMail before it's too late.<br />
Dr Rishi Shah<br />
<br />
When it's personal....<br />
Posted 2011-03-17<br />
<a href="http://lh4.ggpht.com/_3TZXU2QOwjo/TYHI6KEaTkI/AAAAAAAAACY/QbUBHtLM6xQ/When%20its%20personal...._img_1.jpg"><img src="http://lh4.ggpht.com/_3TZXU2QOwjo/TYHI6KEaTkI/AAAAAAAAACY/QbUBHtLM6xQ/When%20its%20personal...._img_1.jpg" style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" height="228px" width="228px" /></a><br />
<br />
When you put your name against something and it's in constant view by a large number of people, it sort of forces you to fix the issues to maintain your image.<br />
<br />
For example Omega rushed across its best watch repairer from Switzerland simply because the Olympics countdown clock had stopped and it had the word Omega on it.<br />
<br />
It would be great if Government IT projects also did this, such that the name of the system integrator or consultancy firm was on the screen all the time. If the software was badly implemented, at least the users would constantly be reminded of who implemented it.<br />
<br />
When it comes to a report in the newspaper or in Parliament it is generally the name of the Govt department which has failed to implement the system correctly, as opposed to also naming and shaming the System Integrator or Consultancy company.<br />
<br />
I agree that at times the Government Department is also to blame, but both the department and the Integrator should be named and shamed together.<br />
<br />
It might help Government IT projects be implemented correctly, on time and to an acceptable budget.<br />
Dr Rishi Shah<br />
<br />
Quality Assurance - The Wrong Prince.<br />
Posted 2011-03-16<br />
<img height="200" src="http://lh6.ggpht.com/_3TZXU2QOwjo/TYDtwJeRsFI/AAAAAAAAACM/EBeEmFOASoo/Quality%20Assurance%20-%20the%20wrong%20Prince._img_1.jpg" width="400" /><br />
<br />
<a href="http://www.guandongenterprisesltd.com/">wrong prince</a><br />
<br />
It's the wedding of the century for the UK royal family and this company has managed to make commemorative mugs with the wrong prince on them.<br />
<br />
Do they know something the rest of us don't? Can they predict the future?<br />
<br />
This is such poor quality assurance. It's not like the two brothers even look remotely alike.<br />
<br />
There is a reason why following assurance standards can pay off. In the case of this company they have lost out on thousands of €.<br />
Dr Rishi Shah<br />
<br />
University of York exposes 17,000 students' private information.<br />
Posted 2011-03-16<br />
<img src="http://lh6.ggpht.com/_3TZXU2QOwjo/TYEC-ju2q_I/AAAAAAAAACQ/YlqMlZpFIZE/University%20of%20York%20exposes%2017%2C000%20student%27s%20private%20information._img_1.jpg"><br />
<br />
Due to a vulnerability on their website, the University ended up leaking 17,000 students' private information including:<br />
<br />
Names and addresses<br />
Phone numbers<br />
A level results<br />
Names of next of kin<br />
<br />
The ICO have been informed but I don't hold out hope of them doing much.<br />
<br />
Questions to ask:<br />
<br />
Why was private data on a public website?<br />
When was the last time the site was pen-tested?<br />
When was the last time the server's OS and web server were patched?<br />
<br />
Let's hope the ICO do get serious about such breaches.<br />
<br />
The problem with the ICO is that the Data Protection Act they have to police has not been implemented correctly in line with the EU Data Protection Directive. Also the ICO is not sufficiently independent from Government to actually be a real threat or to be taken seriously.<br />
<br />
There might be a simple fine here and the University will simply pay it and move on.
If on the other hand there was a criminal conviction attached to a breach of the DPA, like there is for Health and Safety law, then Data Owners would take looking after data a lot more seriously.<br />
<br />
The European Court of Justice is considering taking infraction proceedings against the UK for failing to implement the Data Protection Directive; personally, the sooner this happens the better, as this will force the overhaul of the Data Protection Act in the UK.<br />
Dr Rishi Shah<br />
<br />
Facebook for Android gets SSL support.<br />
Posted 2011-03-16<br />
<img src="http://lh5.ggpht.com/_3TZXU2QOwjo/TYCI2eGngII/AAAAAAAAACI/0ZqgDXaSEnA/Facebook%20for%20Android%20gets%20SSL%20support._img_1.png"><br />
<br />
Finally, after months of waiting, Facebook have rolled out SSL support for their Android client.<br />
<br />
This was a much needed security feature as previously they only hashed the user password before sending it across the airwaves.<br />
<br />
Nice to see a social networking site taking SOME parts of security seriously.<br />
<br />
Now quickly hit the Market Place and force the update.<br />
<br />
Dr Rishi Shah<br />
<br />
Testing, testing, testing... Visa card glitch for the 2012 Olympics website.<br />
Posted 2011-03-16<br />
<a href="http://lh4.ggpht.com/_3TZXU2QOwjo/TYByIG53w3I/AAAAAAAAACA/zdoL-DAgWmU/Testing%2C%20testing%2C%20testing...%20Visa%20card%20glitch%20for%20the%202012%20Olympics%20website._img_1.jpg"><img src="http://lh4.ggpht.com/_3TZXU2QOwjo/TYByIG53w3I/AAAAAAAAACA/zdoL-DAgWmU/Testing%2C%20testing%2C%20testing...%20Visa%20card%20glitch%20for%20the%202012%20Olympics%20website._img_1.jpg" style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" height="240px" width="215px" /></a><br />
<br />
Apparently the website provider for the world's most important website during this time did not test correctly with the payment provider Visa, with the result that all cards which expire in the 4 months from the 17th of March (July 2011) are rejected as a form of payment.<br />
<br />
All such customers need to use offline payment by walking into a Lloyds bank branch, paying by cheque or cash and selecting the games they wish to see.<br />
<br />
Remember, as Visa is the official payment provider you can only use Visa cards for paying for tickets and buying anything in the Olympics Village during the games.<br />
<br />
Who does not foresee such a situation - a very bad testing strategy.<br />
<br />
This is yet another fail after the Olympics Omega 500 day countdown clock stopped in under 24 hours.<br />
<br />
I am amazed that large programmes such as the Olympics still cut corners on something like testing.<br />
<br />
There is no replacement for a very good testing strategy and an equally good testing team.<br />
<br />
I just hope the Olympics go off without a hitch, but at least after 2 public fails the Olympics Programme should have learnt something, and they do have 499 days left still.<br />
<br />
Dr Rishi Shah<br />