Archive for the ‘Blog’ Category


Like many IT guys, my first job was desktop support, where my days consisted of dealing with computer malfunctions. The company I worked for had mainly identical desktops for each department, which were delivered in batches and then had ghost images applied. However, there were always one or two which wouldn’t accept the image or randomly decided not to work properly. I remember thinking at the time that it seemed crazy to put in place so many computers that can individually go wrong, when systems like mainframes, which employ a terminal topology, were being made redundant.

I’m clearly not the only person to have thought this, and the trend for thin client services, and now cloud computing, has grown in popularity (I’m going to look at cloud computing in my next blog).

Over the last 5 years, I’ve seen this technology really mature, and the speed of connections improve so much, that when we put together the new service offering from Vigilante Bespoke (VB), I decided to have a serious look at whether we could offer a secure desktop environment for our clients, and to thoroughly review the pros and cons of doing this.

VB offers tailored security solutions for people who fall outside the usual corporate structure but deal with important and valuable information, such as celebrities, authors, and current and previous politicians. The idea of the virtual desktop is to enable our clients to connect from anywhere in the world, through an internet connection, and work on their desktop, with their files, e-mails and applications all ready to use.

Let us start with the obvious major security concern: to access a virtual desktop you need to connect via the internet, rather than straight on to your laptop or corporate PC / server. This makes people feel nervous. However, the other side of this argument is that having your desktop centralised does remove some of the need for information to be stored on USB keys, laptops and other types of mobile devices, which can be lost or stolen. It also removes the need for costly software or hardware encryption of these devices.

The next concern is authentication. If I’m sitting in a cybercafé on holiday in Spain and type in my credentials, will a backdoor or keyboard sniffer installed on the host I’m using be able to copy my credentials? The solution is to use token-based security, so even if my credentials are copied, the hacker will not be able to replicate that third factor.
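Why a copied password plus a copied token code is not enough, shown as an added example that is not from the original post: it assumes an RFC 6238 time-based token (the post does not say which token type is used), and `TokenVerifier` is a hypothetical name. The secret is the RFC's published test value.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for
DIGITS = 6

def totp(secret: bytes, t: int) -> str:
    """RFC 6238 code (HMAC-SHA1, dynamic truncation) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TokenVerifier:
    """Hypothetical server-side check: each time step is accepted at most once."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps
        self.last_step = -1  # newest time step already used for a login

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(max(0, current - self.drift), current + self.drift + 1):
            if step <= self.last_step:
                continue  # already spent: a copied code is worthless
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_step = step
                return True
        return False

def demo():
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    verifier = TokenVerifier(secret)
    code = totp(secret, 59)              # what the user's token displays
    login = verifier.verify(code, 59)    # genuine login
    replay = verifier.verify(code, 64)   # logged keystrokes replayed 5 s later
    stale = verifier.verify(code, 179)   # and again two minutes later
    return code, login, replay, stale

if __name__ == "__main__":
    print(demo())
```

The verifier tolerates one step of clock drift either side, and remembering the last accepted step is what makes a logged code useless once the genuine login has gone through.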

The next point of discussion: What about an external hack? Could a buffer overflow or other vulnerability be exploited in the software, to allow an attacker access to the environment? Well, this is a fear that every organisation faces, and the usual measures must be put into place. We operate a multi-tiered environment, with industry leading security devices, IDS, and 24×7 monitoring – to name a few!

So we’ve looked at external security risks; what happens if there is an internal issue, and one user is accidentally allowed to view another’s data? We looked long and hard at the products available, and we have found a solution which logically separates both desktops and storage. There is no way that one user can stumble upon another user’s data.

The last aspect to consider was physical security. Will a customer allow us to store their information rather than keep it at home, or at their business? Well a major consideration when setting up VB, is that we must have a secure environment to host our IT equipment. We chose an ex-military nuclear bunker for this. The facility is incredibly secure, with ID, biometric validation, 24×7 guards, wired perimeter fence, and pre-authenticated validation control. The premises have systems to deal with fires, floods, and power-cuts, and are kept at a constant temperature to minimise kit failure. Finally the unit has several inbound and outbound network streams, with EMP protection. How many homes and businesses can offer the same? On top of this, our storage is encrypted, and multiple factor authentication mechanisms are required to access the systems.

So in conclusion: if properly implemented, with the right investment made in the right solution, virtual desktops can be secured to allow our clients a central place to view and store their information.

For many people their mobile device is now becoming the centre of their universe. Mobile e-mail, Facebook and Twitter allow them to keep their friends updated on their every movement.

One new aspect of our mobile addiction that we expect to see emerging shortly is based around Near Field Communication. Near Field Communication, or NFC, is a short-range, high-frequency wireless communication technology which enables the exchange of data between devices over a distance of about 10 centimetres (around 4 inches).

This proximity technology has many possible uses, payment being the obvious one. Wave your phone at the bartender, type in a PIN and your drinks bill appears on your next mobile statement. Once you’ve had your fill of beer you can head off home on the train, using your phone to connect to the ticketing system. Airlines are also looking at this technology.

This is exciting stuff, but what if someone steals or clones your phone? Some attacks have already been found in this technology. As with most security issues, keeping yourself safe for the most part comes down to good old common sense: not using 1234 as your PIN, and making sure you have a password on the device! It’s amazing how many people don’t on their Blackberry or iPhone. At Vigilante Bespoke we can erase your phone remotely if lost, taking the worry out of the situation.

This technology is just around the corner with trials already running worldwide. Make sure you don’t get caught out and apply some simple security measures to your mobile devices.

For more information on Near Field Communication, the Wikipedia entry is useful: http://en.wikipedia.org/wiki/Near_Field_Communication

The recent publicity about Kanye West’s e-mail account being hacked made me think about how one account can lead to so many more. A quick scan through anyone’s Gmail account is likely to show various welcome e-mails from other accounts such as Twitter and Facebook.

These accounts are linked to an e-mail account for alerts or password reset functions. Sometimes the welcome e-mails will show the full credentials that the user signed up with, sometimes just the username. Most websites have a password reset function that sends an e-mail to the user’s e-mail account, so a hacker could quite easily perform this operation once the first account is hacked.

So you can see if someone has an account they generally use for signing up to other websites, one hack will definitely lead to more compromise.

What can you do? This is a tricky one. Until more websites ask for security information during reset functions and stop sending credentials in e-mails, this will always be a problem. The real advice is to make sure you protect your e-mail as much as possible and use good quality passwords that can’t easily be guessed. Avoid any computer that isn’t your own, particularly Internet cafes and public computers, which are likely to harbour key logging software. The use of third factor authentication such as a token is also highly recommended where available.

Scary Local Attacks – How to get hacked by a PDF

Feb 01, 2009 at 2:00 am

Being an ethical hacker for 10+ years usually raises a few eyebrows when answering the ‘what do you do for a living’ question. People have a genuine interest in what’s seen as a secretive and bizarre cyber world. During these conversations it seems most computer literate people are now fully aware of Anti-Virus and Firewalls and the need for security software, but are completely unaware of some of the latest and most sophisticated nasties.

Local attacks, as I’ll categorise these nasties, are vulnerabilities within software packages such as Microsoft Office, Adobe PDF reader and Flash player. We first saw these being used to target specific individuals in powerful and influential positions, but they are now in widespread use.

Simply by opening a hacker’s Word or PDF document, for example, you could give them full access to your beloved laptop. This principle also stands if you browse a website with an exploit written into the code. I have some great examples of these nasties, downloaded from the Internet or created with a hacking/exploit toolkit called Metasploit, which is readily available on the web. Anti-virus software will generally not touch these files and often gets disabled when they execute their payload.

No single software package can protect against these issues, no matter what the vendors would have you believe.

Just be aware that the next time you open a document from an unknown source or browse an erhhh non-corporate Internet site, you might leave yourself open to attack.

Hackers poking at holes in Twitter

Jan 30, 2009 at 1:04 am

Twitter could arguably be the Facebook-esque Internet phenomenon of 2008, with millions of information hungry users tracking their favourite friends and organisations through a series of status updates.

As with many new fads, the early technology rarely accounts for security until it gets hacked. Twitter is no exception: some notable names, including Britney Spears, had their accounts hijacked this week in what appears to be a simple password guessing attack on a Twitter admin’s account.

This old school hack uses a principle of trying many password combinations until the right one is found, usually with the use of a simple script or tool. Twitter accounts do not enforce any password lockouts, policies or the use of CAPTCHA (those annoying wiggly letters you have to type in), making them prone to this kind of attack. The use of a decent password, however, would have stopped this attack in its tracks. Passwords should be 8 or more characters long and include uppercase, lowercase, numbers and special characters.

Base them around a saying to make them more memorable, for example $RobRul3s007$, which is my Twitter password (joking) and which is very unlikely to ever be found in this kind of attack.
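The two missing controls named above, a password policy and an account lockout, sketched as an added example that is not from the original post or from Twitter's code. `LoginThrottle`, the `admin` account name and the thresholds are assumptions; the guess list is constructed.

```python
import re
from collections import defaultdict, deque

MAX_FAILURES = 5   # assumed threshold
WINDOW = 300       # seconds over which failures are counted (assumed)
LOCKOUT = 900      # seconds an account stays locked (assumed)

def meets_policy(password: str) -> bool:
    """The rule from the post: 8+ chars with upper, lower, digit and special."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(password) >= 8 and all(re.search(c, password) for c in classes)

class LoginThrottle:
    """Hypothetical per-account lockout after repeated failed logins."""

    def __init__(self):
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def allowed(self, account: str, now: int) -> bool:
        return now >= self.locked_until.get(account, 0)

    def record(self, account: str, success: bool, now: int) -> None:
        if success:
            self.failures.pop(account, None)
            return
        recent = self.failures[account]
        recent.append(now)
        while now - recent[0] > WINDOW:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT
            recent.clear()

def guesses_checked(guesses, real_password, throttle=None, interval=1):
    """Count how many guesses actually reach the password comparison."""
    checked = 0
    for i, guess in enumerate(guesses):
        now = i * interval
        if throttle is not None and not throttle.allowed("admin", now):
            continue  # rejected without testing the password
        checked += 1
        ok = guess == real_password
        if throttle is not None:
            throttle.record("admin", ok, now)
        if ok:
            break
    return checked

# Constructed input: one wrong guess per second for an hour.
GUESSES = [f"guess{i}" for i in range(3600)]
```

With these thresholds the lockout cuts an hour of one-per-second guessing from 3600 tested passwords to 20, which is why the lack of a lockout mattered as much as the weak password.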

The alleged photos are of William and Kate swimming intimately, cuddling, and making out. According to a London newspaper The Sun, two men, John and George contacted them in an attempt to sell the photos.

http://www.hollywire.com/celebrity-scandal/prince-williams-intimate-photos-are-stolen/