IT Industry

Doctor Watson, I presume?

Presumed security is an interesting thing. Although not something that's commonly discussed, it's actually the other side of "security through obscurity". Security through obscurity refers to relying on the secrecy or complexity of a system's design to deter attackers: the theory being that if the system is difficult enough to understand, an attacker doesn't have a chance of finding a security flaw in it. Hopefully. However, any decent security professional will immediately pop up and tell you that security through obscurity is no security at all, because you're relying on smoke and mirrors to keep you safe. And that's fair enough. Because it's true.

Presumed security, on the other hand, is almost never talked about in IT security circles. It's very simple to understand and is best demonstrated by this recent BBC News article: Illegal immigrant stows away on Sandhurst coach. Sandhurst, for those of you not aware, is the British Army's officer training academy, renowned worldwide for the calibre of officers it produces. As the BBC article explains, an Afghan illegal immigrant was able to simply jump on a coach in Germany, enjoy a trip to the UK, and get off the other end actually inside Sandhurst before being discovered. Straight through security, no questions asked. This was possible because of one simple fact: everyone presumes Sandhurst to be so secure that, in practice, it hardly needs any security at all.... (Read More)

This is not the answer you weren't looking for...

Over recent years it seems that employers and organisations are increasingly looking towards standardised testing to dig into people's capabilities and personalities. Companies often ask prospective interviewees to take a verbal reasoning test before even getting an interview, and at the other end of the scale MENSA uses the IQ test to control membership (although one might wonder why people with high IQs need to pay a £45 membership fee to access a social network).

What does all this have to do with security? That's a very good question.... (Read More)

Genuine Disadvantage

I've never been a big fan of Vista. Back in those heady days before service pack 1 I gave it a whirl and found it slow, bloated, and zero improvement on Windows XP. To this day I quite happily run Windows 2000 (honestly, I know, but it's stable and fast), Windows XP and Windows Server 2003 on my various personal and business machines. Add to that a couple of SuSE Linux boxes and one Ubuntu laptop and I've got everything I need, as well as a hefty electricity bill.

A while ago, though, I bought some new computers for a security test lab. Normally I just buy components and build computers myself but in this case I needed four machines quickly, so buying pre-built made sense. I ordered three without an operating system but checked the little box to have Vista Business pre-installed on the fourth. I needed to do some "real work" on these machines, so three years too late I thought I'd take the opportunity to give Vista a proper evaluation. After all, it's easy and fashionable to bash Microsoft without giving their products a proper chance.

Unfortunately I had no idea of the disaster in store. Not because Vista is a bad operating system - far from it - but because of another nightmare awaiting me. This wasn't a driver issue, or a software compatibility problem. It wasn't even a bug, flaw or vulnerability. It was something far more insidious, and it's an issue that's becoming increasingly severe across the entire technology spectrum.... (Read More)

Very Phishy

Phishing is a very real, very annoying pain for security professionals. It's exceptionally easy for a would-be scammer to set up a fake website and send out a few million spam emails, catching a few unlucky victims in the process. Fortunately these days most Internet users know what a phishing scam is, even if they can't spot one every time. 100% accuracy is always a difficult thing to aim for, but when you sit back and consider the problem it's quite an interesting issue. From a security point of view it should be absolutely possible for every Internet user to spot 100% of phishing scams 100% of the time.

A contentious claim? Perhaps, but it's clear what's preventing us from even getting close. It's the fault of legitimate companies, who are making it far too easy for the phishers to scam us all. ... (Read More)

Virtually insecure

Virtualisation is a fascinating subject. Simply by installing a piece of software like VMware or Virtual PC you can instantly host multiple virtual computers on a single physical computer. To the vast majority of software and operating systems a virtual PC is indistinguishable from a physical one. But because the entire virtual PC is stored in files on disk, backing up, rolling back and swapping between installations is as simple as clicking the mouse. This makes virtualisation perfect for home users who want to try a new OS or application without risking damage to their physical PC's configuration, or for businesses who want to build large test environments without tying up lots of servers.

But virtualisation isn't just for demo labs, training courses and home users. It's being used as a core component of large, critical, commercial and government IT infrastructures, and when a solution is used in a live environment security becomes of paramount concern. VMware realise this and, at VMworld 2008, ran a security track within their "breakout" (presentations, to you and me) sessions. I was an avid follower of this track because I have one fundamental concern about virtualisation: it causes security risk to grow silently and exponentially. ... (Read More)

The problem with lazy recruiters

After the influx of email over the last few days, I feel it's time for a few words on a topic close to my heart - recruitment agencies. Although some may disagree, I've always believed that unless you have a direct, personal contact within a company it's always a good bet to use a recruitment agency when looking for a new role. When they do their job right (and, fortunately, I've been lucky enough to find a few that do) the end result is a happy employer, a happy employee and a recruiter with a nice commission. When they do their job wrong though, it goes very, very wrong.

The problem I've been suffering for a while - and with increasing regularity over the last 2 years - is the all-seeing, all-knowing... (Read More)