An ISSA UK chapter meeting was held in early December in London and in attendance was Fujitsu's James Gosnold.
Opening the event, Lord Toby Harris discussed 'How insecure is the UK?' and articulated a message about the ever increasing cyber threat and the context in which it is evolving. Aspects such as political extremism and environmental radicalism will apparently lead to an all round 'riskier' landscape, and our propensity for looking at what has gone before rather than at what may come will not help society's fight against cyber crime.

Mike St John-Green, a director at the UK Cabinet Office and formerly at the OCSIA (the Office of Cyber Security and Information Assurance), who clarified that he "was not speaking on behalf of the government", addressed Neelie Kroes' EU Digital Agenda team. He said that they had 'more or less' decided on intervention in cyber space, something that didn't seem likely at the Information Security Forum conference earlier in November. St John-Green also mentioned Project Auburn and the high hopes for that area of work.
The audience were also told to expect a UK National Cert next year – at the behest of the EU.
Jason Steer, solution architect for EMEA at Silver Tail Systems, gave an interesting talk on real world attacks on websites. After explaining to gathered members that the UK has the largest online economy in the world (eight per cent of trade is apparently online) and that companies spend more money on coffee than on application security, Steer gave some examples of business logic abuse, including one on a company issuing online 'mystery discount' vouchers giving anything from a ten to 50 per cent discount. However, there were only four unique codes; people quickly worked out which of those gave the 50 per cent discount, and the company ended up giving away much more than it ever intended.
Another example was given of a PC manufacturer whose website had a 90-day basket expiry. Discount/promotional codes could be applied to the items in the basket throughout the 90 days, each application further reducing the item value, and nobody at the company noticed until a 60,000 order was placed on which they were losing money.
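The basket flaw above, as an added illustration that is not code from the talk or from Silver Tail Systems: a basket that stores the discounted price back and so compounds every re-submitted code, beside one that records codes and always recomputes from the list price with a margin floor. The promo table, prices and cost prices are constructed for the example.

```python
from dataclasses import dataclass

# Constructed promo table for the example: code -> percentage off.
PROMOS = {"SAVE10": 10, "SAVE25": 25}


@dataclass
class LineItem:
    sku: str
    list_price: int  # pence
    cost_price: int  # what the retailer paid, pence


class VulnerableBasket:
    """Applies the discount to the *current* price and stores the result,
    so every re-submission of a code over the basket's lifetime compounds."""
    def __init__(self, items):
        self.items = [LineItem(i.sku, i.list_price, i.cost_price) for i in items]

    def apply_code(self, code):
        pct = PROMOS[code]
        for item in self.items:
            item.list_price = item.list_price * (100 - pct) // 100

    def total(self):
        return sum(i.list_price for i in self.items)


class HardenedBasket:
    """Records codes instead of mutating prices: the total is recomputed from
    the immutable list price, a code counts once, only the best single code
    applies, and any line that drops below cost is flagged for review."""
    def __init__(self, items):
        self.items = list(items)
        self.codes = set()

    def apply_code(self, code):
        if code not in PROMOS:
            raise ValueError("unknown code")
        self.codes.add(code)  # idempotent: re-submitting the same code is a no-op

    def total(self):
        pct = max((PROMOS[c] for c in self.codes), default=0)  # no stacking
        total = 0
        for item in self.items:
            price = item.list_price * (100 - pct) // 100
            if price < item.cost_price:
                raise ValueError(f"{item.sku}: discounted price below cost")
            total += price
        return total


def demo():
    """Same code submitted five times against both baskets; returns both totals."""
    items = [LineItem("laptop", 100_000, 70_000)]
    v, h = VulnerableBasket(items), HardenedBasket(items)
    for _ in range(5):
        v.apply_code("SAVE25")
        h.apply_code("SAVE25")
    return v.total(), h.total()
```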
The final speaker of the evening was comedian Bennett Aaron. Seemingly an odd choice to close out an information security event, Aaron's account of how he had his identity stolen and the impact it had on his life was both entertaining and touching. He made a documentary on the subject for Channel 4, which can be watched via his website.