Trojan Horse

This was too funny to pass up:

[Image: Trojan Horse]

This had me laughing for quite a while.

Misguided Security Managers

In the July / August edition of Infosecurity Magazine, there is a fairly interesting article on security matters, and differences, in the public and private sectors. I can't find this article online so you will have to trust me.

There is a quote in the article, from an “anonymous” security manager which sadly echoes comments I have heard right across the public sector, when public servants discuss the need to protect public privacy:

One senior manager at a local council – who asked not to be named – told infosecurity that he would rather be brought before the courts for an information security charge, than because a child or other vulnerable person has been harmed as a result of data not being shared.

(Here, I get visions of Reverend Lovejoy’s wife crying out “won’t anyone think of the children”)

In the article this is presented as a dilemma public sector information security professionals face on a regular basis. My experience of said individuals supports this. It is very tabloid friendly. It is also complete nonsense that infuriates me to the point of wanting to choke the life out of the idiots who say it. (note for any future court action – this is purely imaginary, I am not really planning to kill anyone now or in the future)

There are so many things wrong with this it is hard to know where to start.

This person is paid to be a security manager. They are not a child protection professional. They are there to manage the security of the information that the public have entrusted to the council. Nothing else. If their job description means they have to ensure that vulnerable persons are safe in their homes, then I suspect there is something seriously wrong going on.

As a public servant, this “senior manager” is paid by the public, who you would rightly assume should have some expectation of his behaviour. Unless we’ve moved into some weird world where the vulnerable pay more for their services he has no right to unilaterally assume what laws he will follow and what laws he will break. He has no right or authority to compromise my privacy and personal data because he thinks that doing so 100,000 times might save one vulnerable person.

Equally this “manager” (sneer quotes intended) has no way of knowing if he is placing the safety of vulnerable people in further danger. Privacy laws and restrictions on how your personal data can be handled are there to protect everyone. Yes this includes criminals but it also includes vulnerable people. If this senior manager feels sending a copy of the addresses of everyone “at risk” to an agency across town would be helpful sharing of their data, what would he do if it got lost? What is his defence if his information security failures allow a predator to get the details of the vulnerable people he seeks to protect?

Equally importantly, what about those who only become vulnerable because of his lackadaisical attitude? This idea that passing private information and personal data is inherently a GOODTHING™© is insane. An otherwise fine person who has their home address details passed into the hands of a criminal becomes a vulnerable person. They have, through no fault of their own, become open to a vastly different threat – one they may not be prepared for. Is this acceptable behaviour for public servants? Imagine a serial rapist who gets hold of modified electoral roll data indicating addresses (and telephone numbers) of every house in the area where a single female lives. Would you be happy with the response that he would rather be in court over an Infosec case?

I suspect the real problem is that privacy and information security statutes don’t have enough teeth. If this senior manager was facing 20 years in jail for an infosec compromise, I am sure he would think differently. As it stands, nothing he does will get him properly punished in a court of law, so he must be talking about the court of public opinion. This is, sadly, so seriously misled by the tabloids that it is easy to see he would be hounded to the brink of suicide if it turned out he had withheld data that might have possibly prevented the death of a child. In a similar manner, if it turned out he had lost a disk containing the personal details of 250,000 people it would get, maybe, a few column inches.

To an extent this is our fault. We want easy to digest news. We ignore the mights and possibilities in the first instance, so we can get to the meat of saving the child. In the second case, it’s too technical, too distant and probably doesn’t affect “us” so we don’t really care about it. We, the public, are stupid.

Security sense

This is quite an astonishing news item.

East Lancashire youngsters see film on terrorism danger
More than 2,000 10 and 11-year-olds will see a short film, which urges them to tell the police, their parents or a teacher if they hear anyone expressing extremist views.
The film has been made by school liaison officers and Eastern Division’s new Preventing Violent Extremism team, based at Blackburn….
The terrorism message is also illustrated with a re-telling of the story of Guy Fawkes, saying that his strong views began forming when he was at school in York. It has been designed to deliver the message of fighting terrorism in accessible way for children. (from the Lancashire Telegraph)

(h/t Bruce Schneier’s blog)

No, really. It’s a real news item. You can check. I didn’t make it up.

It seems that the area around Lancashire is quite fertile territory for anyone trying to get kids to do free police-work. This blog item is also about kids being recruited to provide low-level spying services in their community. A Sefton school designed posters for a Community Information Box initiative. These are displayed in libraries, buses and so on. Sadly, I can’t find an image of the winning poster online but I’ve had my attention drawn to one.

The poster presents a list of things that public-spirited citizens should look out for and drop anonymous notes about in their local Community Information Box. The list is bizarrely inclusive: from swearing and dog-crap through to real crimes like physical attacks and terrorism.

(I hope that the anonymity is designed to protect the kids from life-threatening comebacks if they accidentally inform on some really vicious people. However, this only works if you assume that really vicious people are not just vicious but are also too stupid to make inferences about who reported them, from the content, context and timing of information. And I rather suspect some of them may have those skills. So, I hope that they also have a child witness protection programme in place.)

I really hope that the school students generated the volunteer informer’s checklist, rather than some adult with no sense of perspective. Because, although I am still womanfully resisting a fear of terrorism that is used to manipulate us out of any concern for our civil liberties, I can’t help but be filled with the fear of creeping totalitarianism.

What a wonderful tool for any authoritarian state – compliant children, ready to report any odd behaviour or unorthodox opinions to the authorities out of fear of potential terrorism.

So, what a good job that our democracy is so secure. It’s not as if real extremists – say, people promoting a myth of indigenous ethnic Britishness, frinstance – are getting any spurious legitimacy as a result of a British population that has been driven half-mad by its fear of dicey expenses claims, or anything……… Well, that’s OK then isn’t it?

Banks continue to control us

Untouched by their reckless behaviour (and blatant lack of any real knowledge of the mystical “market forces”) the true leaders of the Western World continue to flex their muscles and show that the interests of ordinary people are, on the whole, irrelevant. They remain blind to contradiction in demanding huge public subsidies, then refusing any form of public control. They continue to assert, in the face of obvious evidence to the contrary, that “they know best” over the current financial crisis. They ignore the problem of begging money with one hand, and paying out huge bonuses to their own staff. They know they are so important that whatever they do we, the public, will continue to bow to their demands. It beggars belief how most banks haven’t been declared International Terrorist Organisations – they demand money and threaten global meltdown if we don’t comply, they have a non-democratic influence in governmental policy and are happy to crush small businesses; the only thing missing is they aren’t (on the whole) Islamic.

Anyway, enough of that rant. You could easily be excused for thinking that giving a bank your money (often paying for the privilege) would mean it stayed your money and the bank just looked after it (although they would use it to make more money for themselves). You would be excused for thinking that you should be able to get access to your money. You would, however, be wrong.

Not content with charging customers £1.75 for cash withdrawals (except those customers well off enough to be able to get to the increasingly rare free cash machines [ATM], if they can find a working one), the banks are now unveiling measures to make it harder for you to use your cash/credit card. All in the name of security though… so that makes it ok…

A few years ago we heard how Chip and PIN was being brought in to prevent card fraud. Gone were the days in which your signature was enough to prove who you were, now all it took was a 4 digit PIN. This seemed like madness, and in fact creates the current situation where my wife can use my card without anyone noticing she is not a Mr, but the banks were adamant it would prevent fraud. They added to this the demand for every Cardholder Not Present (CNP) transaction to use the 3 digit verification number (CVV) on the back of the card (ironically where the pointless signature strip lives). It was claimed that this would reduce CNP fraud and the two measures would reduce fraud to such an extent that their costs would be negligible.

Except, it never worked out like that.

People buy things over the internet, and give out their CVV with alarming ease – every time you do an online transaction you are asked for it – so after a while it becomes impossible to use this as verification. You would like to think the people you are carrying out an online purchase from are PCI-DSS accredited, but do you check? Do you read through their audits to make sure your holy grail of card number and CVV are safe? Do you assume the credit card companies are doing that? The padlock icon is just to tell you that the data link between you and the shop is secure, it says nothing about the long term storage of your data. I have even seen companies that email out a receipt with the card number in full and the CVV code used – all in a plain text email… Far from secure.
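The paragraph above makes two points a developer can act on: the CVV must not survive the transaction, and a receipt must never carry the full card number. The following is an added example (my own code, not from the original post and not any real payment provider's API). It builds a receipt that carries only a masked PAN and accepts no CVV at all, and it includes a small outbound-mail check that looks for Luhn-valid card numbers or CVV fields in receipt text, so a leaking receipt can be caught before it is sent. The receipt texts and the card number (the well-known 4111 1111 1111 1111 test PAN) are constructed sample data.

```python
import re

# Candidate digit runs of 13-19 digits, allowing spaces or hyphens between groups.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV field spelled out in the message body, e.g. "CVV: 123".
_CVV_FIELD = re.compile(r"\bCV[VC]2?\s*:?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (separators stripped) found in free text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def receipt_leaks_card_data(text: str) -> bool:
    """Outbound check: does this message body carry a full PAN or a CVV?"""
    return bool(find_pans(text)) or bool(_CVV_FIELD.search(text))


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the usual form shown on receipts."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def build_receipt(order_id: str, amount_pence: int, pan: str) -> str:
    """Receipt text for the customer. Note there is no CVV parameter: the CVV is used
    for the authorisation request and must never be stored or echoed afterwards."""
    return (
        f"Order: {order_id}\n"
        f"Amount: GBP {amount_pence // 100}.{amount_pence % 100:02d}\n"
        f"Card: {mask_pan(pan)}\n"
    )


# Constructed sample: the kind of receipt the post describes, card number and CVV in clear.
INSECURE_RECEIPT = (
    "Order: A-1001\n"
    "Amount: GBP 300.00\n"
    "Card: 4111 1111 1111 1111\n"
    "CVV: 123\n"
)

if __name__ == "__main__":
    print("insecure receipt leaks:", receipt_leaks_card_data(INSECURE_RECEIPT))
    safe = build_receipt("A-1001", 30000, "4111 1111 1111 1111")
    print(safe)
    print("safe receipt leaks:", receipt_leaks_card_data(safe))
```

The Luhn check is what keeps the outbound filter usable: order numbers and timestamps produce long digit runs too, and without the checksum almost every receipt would be quarantined. The filter is a safety net for the case the post describes, not a substitute for never putting the data in the message in the first place.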

Anyway, it seems that despite these new measures the banks are still suffering almost as much fraud as before (which begs the question…) and have now unveiled new measures. Basically they will look at your transactions and if the bank thinks you are doing something unusual they will block your card. It’s crucial to note here, that this happens if the bank thinks you are doing something odd. They will monitor your activity and then make a decision as to if your behaviour falls within their idea of what is normal. The BBC report on this is interesting:

A leading bank is introducing new technology that will mean every credit card transaction is scrutinised for fraud.
HSBC is introducing the programme, which will affect 10 million card accounts and millions of transactions.

Hmm. You have to wonder what other data the HSBC will be able to mine from this, but we will leave the big brother rant for another day.

The banking industry has warned that more legitimate transactions will be queried or cancelled as a result.

So, what they are basically saying is that because the banks are losing money, ordinary people will be inconvenienced even more than normal. Imagine the scene, you are on holiday in a foreign country (several time zones away), you go for a meal and pay with your card. Only to have your card rejected. What do you do? The banks don’t care. You have to do the running to get everything sorted and can’t even claim back any costs incurred from the bank’s mistake. Outrageous. The standard banking advice is to tell your bank when you are going on holiday but this is crap. It rarely works. From the same BBC page:

When Sally Wiber went on holiday to Borneo, she followed industry advice and told her bank where she was going.
But her credit and debit cards were blocked when she tried to use them on her first day.
“I spent much of the first day trying to deal with my bank and getting internet access, and then had a rather frustrating phone call trying to make sure that I could use my cards for the rest of my holiday,” she said.

Wonderful eh? I can support this from personal experience. My employment has me travelling around Europe a lot. My bank know this. I have told them about my travel and they know my job. However, in France last year, despite my bank being told in writing about my travel, my card was blocked on the second day. I used it on the first day to withdraw cash and make purchases, but on the second day it was decided my activity was unusual. Apparently, as I was on a family holiday, I had been committing the heinous crime of buying presents… I had told the bank I was going on a family holiday. The first day’s purchases (to a greater value) were fine, but the second day triggered something. The biggest problem I faced here was being stuck, in France, with no phone and no bank account and no money. How do you resolve that?

Does the banking industry care? Again from the BBC:

But Mark Bowerman of the card issuers’ trade body APACS said it was something consumers would have to accept.

That is a “no” then. He continues:

“If we as customers expect banks to do something about this we have to expect that from time to time we’ll be in a shop and the transaction will be queried or card declined. These systems are designed to stop cards being used fraudulently, so if that’s the price we have to pay I think people should be prepared to pay that price,” he said.

Crikey, doesn’t that sound like the war on terror? It actually reads that because the banks want to put a stop to card fraud people have to pay the price. I love the glib way he says that from time to time we’ll have a transaction declined. Like it doesn’t mean anything. Like it doesn’t mean embarrassment and possible legal problems for you when it happens. Try paying for a meal, having your card declined and then explaining that’s just the price you have to pay. Please let me know how far it gets you.

The BBC continues:

Spending large amounts of money or using your card frequently can trigger the alarm at the user’s bank, and with so much fraud taking place abroad, the same goes for using a card outside the UK.

So, basically, using your card can trigger alarms. This happened to me a few weeks ago when I was buying a new suit. I used a credit card that gives me loyalty points, and as I pay it off in full each month I was well within my credit. I spent a while buying an expensive new suit in the January sales, with a shop assistant fawning over me. When it came to pay, I handed my card over (knowing I had a credit limit more than £2000 over the cost of the suit and coat) only for it to be rejected. Shame is an understatement. Queue of people behind me and a shop assistant now convinced I am a petty thief. All because I tried to spend £300 in one transaction, rather than lots of £50 transactions.
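To make the trade-off in the post concrete, here is an added example of the kind of rule-based scoring the BBC piece alludes to. It is my own illustration, not HSBC's, APACS's or any bank's actual logic, and the rules, point values, threshold and transaction histories are all constructed. It reproduces both situations described above: a single £300 purchase from a cardholder whose history is £50 purchases is declined while the same spend split into six £50 transactions sails through, and a purchase abroad is approved or declined depending on whether the scoring honours the customer's travel notice.

```python
from dataclasses import dataclass, field
from statistics import median


@dataclass(frozen=True)
class Txn:
    amount_gbp: float
    country: str      # ISO country code of the merchant
    merchant: str


@dataclass
class Cardholder:
    home_country: str
    recent_amounts: list                          # constructed history of past purchase amounts
    travel_notice: set = field(default_factory=set)   # countries the customer told the bank about


DECLINE_THRESHOLD = 60   # constructed: total points at which the card is blocked


def score_transaction(holder: Cardholder, txn: Txn, honour_travel_notice: bool = True):
    """Return (points, reasons). Two constructed rules, each adding points."""
    points, reasons = 0, []
    typical = median(holder.recent_amounts)

    # Rule 1: a single purchase far above the cardholder's typical spend.
    # This is the rule that catches the GBP 300 suit but not six GBP 50 payments.
    if txn.amount_gbp > 4 * typical:
        points += 60
        reasons.append(f"amount {txn.amount_gbp:.2f} is over 4x typical {typical:.2f}")

    # Rule 2: a purchase outside the home country. A travel notice should turn
    # this from a strong signal into a weak one; a scoring that ignores the
    # notice blocks the card on holiday, which is exactly the complaint above.
    if txn.country != holder.home_country:
        if honour_travel_notice and txn.country in holder.travel_notice:
            points += 10
            reasons.append(f"foreign ({txn.country}), declared in travel notice")
        else:
            points += 70
            reasons.append(f"foreign ({txn.country}), treated as undeclared")

    return points, reasons


def decide(holder: Cardholder, txn: Txn, honour_travel_notice: bool = True) -> str:
    points, _ = score_transaction(holder, txn, honour_travel_notice)
    return "decline" if points >= DECLINE_THRESHOLD else "approve"


# Constructed scenario 1: the suit. History of roughly GBP 50 purchases.
SHOPPER = Cardholder("GB", [45, 50, 52, 48, 55, 50])
SUIT = Txn(300.0, "GB", "tailor")
SPLIT_PAYMENTS = [Txn(50.0, "GB", "tailor") for _ in range(6)]

# Constructed scenario 2: the family holiday in France, declared in advance.
TRAVELLER = Cardholder("GB", [40, 60, 50, 45, 55], travel_notice={"FR"})
FRENCH_GIFT = Txn(80.0, "FR", "gift shop")

if __name__ == "__main__":
    print("suit:", decide(SHOPPER, SUIT), score_transaction(SHOPPER, SUIT)[1])
    print("split:", [decide(SHOPPER, t) for t in SPLIT_PAYMENTS])
    print("France, notice honoured:", decide(TRAVELLER, FRENCH_GIFT))
    print("France, notice ignored:", decide(TRAVELLER, FRENCH_GIFT, honour_travel_notice=False))
```

The amount rule is the interesting one from a defender's point of view: it is cheap, it will catch some fraud, and it produces exactly the false positive the post describes, because a threshold derived from habitual spend cannot tell a January sale from a stolen card. Any real deployment has to budget for those false positives (and for a way to clear them that does not leave the customer stranded abroad with no phone), which is the cost Mark Bowerman is quoted below as asking customers to accept.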

There is a solution, and one which may shoot the credit card companies in the foot, but one I am heading towards more and more. Give up with the card. Credit cards are different, as it enables you to spend money you don’t have, but you can live without your bank card. This is the travel advice from ABTA on the BBC, to try and get round the problem of having your card blocked at random:

Take a range of payment methods. Take cash for immediate expenses, take two cards, preferably from different banks and take travellers’ cheques as well for extra security if it goes disastrously wrong.

Why go to all this trouble? The only reason you would take the cards is to spend your money abroad. If you take cards with cash and traveller’s cheques as “backup” you are mad. The card is a back up for the other two, but now you can’t trust it. If you have a backup you can’t rely on, it is worthless, so don’t take the cards. Go abroad with a bit of cash and traveller’s cheques. You don’t need anything else.

Equally, given the disastrous savings rates, you could probably live your day to day life cash only. Wouldn’t that be weird?

Just to show how effective the banks’ previous anti-fraud measures have been:

Card fraud is rising – up 14% in the first half of 2008 – and fraud abroad now accounts for 40% of all card crime.

Not very effective then. What is the future for these new checks? Will they learn enough to allow people to go on holiday? Will they work?

What we have seen with chip and pin – it was successful for 18 months, two years – the fraudsters have worked a way round it, so we are now looking at more sophisticated means.

So then, in 18 months we will be encumbered with a system causing us problems, making sure we can’t rely on our cards (defeating the purpose of them) and it won’t be stopping fraud.

Wonderful.

A big “d’oh,” maybe

It seems like only last week that I was whining that browsers were disintegrating like so many smashed plates at a Greek wedding. Oh yes, it was only last week.

Well it looks as if some of this may not be a unique personal experience but is caused by a vulnerability in IE. Microsoft’s Security Advisory describes the flaw they’ve just found. The way it seems to operate sounds uncannily like what’s happened to my browser in IE.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. (from Microsoft’s Technet)

“invalid pointer reference in the data binding function.” I understand all the words individually but I got lost as soon as I tried to understand them when they are linked together.

But, causing IE to “exit unexpectedly”. That sounds like what IE has been doing randomly for weeks. Often failing to release the memory that it was using – which I don’t find out until too late. I didn’t really consider that it might be a new form of browser attack. How naive is that? D’oh.

Not that that’s any excuse for Firefox. But I’m not convinced that FF is so magically free from being affected by the same attack attempts, that it won’t crash and die when it bumps into them, even if it doesn’t let an intruder in. In any case, I only ever use IE when Firefox has decided to commit suicide a few times.

I know that using Linux would mean that attacks like this would never work but it’s not completely intrusion-proof. This PC is pretty well on its last legs, as it is. It’s a few more bad reads away from hard disk failure, anyway. (And that’s in the not-completely “legacy” disk drive, not the really old disks that are also still in it.) The graphics card should be in the “Museum of graphics cards that were state of the art in 2003”. If I change its OS, my software won’t work, I’ll lose all my passwords, the cable connections will have to be reset and so on. When I’m forced to get a new PC, it will use Linux, but until then, no.

The Microsoft Technet page warns site owners that SQL injection attacks might turn their sites into unwitting distributors for the malcode and directs worried site owners to scrawlr, a free HP tool that is supposed to check your site for SQL injection code. Every site that uses something like php is fair game for that.

So it sounds like a plan and the scrawlr page has a good cartoon. But I end up far from convinced there’s any value in downloading scrawlr, after reading the comments. Like this one from leon:

The comic is xkcd
The tool is useless, scrawl is entirely unable to detect even the simplest vulnerabilities, i went as far as pasting an example injection into the url bar and it okayed that!!! I also have an intentionally vulnerable site with local only access that we are using to configure our new IDS and it didn’t find a thing… seriously, if you take anything away from this, let it be the comic.

(That link is to the comic, in general. The scrawlr page has the relevant cartoon.)

MarkH says:

Doesn’t support POST forms or Javascript. In other words, this demo tool can’t actually test anything that any web developer would have written since, oh, say 2001.
Epic fail.

Doesn’t let you check POST forms? 🙂 I think I’ll pass, then.

A report on the BBC’s tech page had a “security expert” saying “don’t use IE ” and Microsoft – unsurprisingly – warning against that particular course of action. 🙂

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.
“What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals,” he said. “It’s just a question of modifying the payload the trojan installs.” (from the BBC)

As soon as “security experts” start talking up threats, I tend not to believe them. 10,000 websites sounds as unconvincing as the UK government’s “30 terror plots.” And so far the exploit has stolen game passwords. Hmm. Hardly a cause to panic about your eBay sales or your online banking, then. Do you care if you find yourself playing World of Warcraft alongside an unaccredited troll?

Still, Microsoft’s idea of advice doesn’t inspire much confidence, either.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

How exactly am I supposed to be vigilant? I could try to check every invalid pointer reference in the data binding function, could I? Even if this wasn’t so far over my head that I could call it an “umbrella”, IE would have to become Open Source before I could even hope to identify the databinding function.

I thought I’d already pushed the intrusion detection boat out by running Ethereal and Snort whenever I feel mildly obsessive. (And they piss me off because half the transactions that my computer indulges in can’t be fathomed anyway. So I stick to using them for purposes like getting my passwords off the traffic stream, in plain text, which is surprisingly helpful when I’ve forgotten them but annoys me all the same. Why on earth have passwords that are hidden from the bloody user by asterisks but easily readable by anyone with a packet-sniffer? Cue another rant.)

This “data-binding function” of IE needs a whole new set of skills that I really don’t believe would hold much entertainment value. So I don’t intend to get them. And “invalid pointers”? Can Microsoft or someone direct me to the Girl’s Big Book of Valid Pointers so I can be properly “vigilant”?

Privateers to battle pirates

Anyone who learned some Tudor history at school has probably heard of “privateers”. (Licensed pirates.)

Plus ça change, etc. According to Voice of America,

Private Contractors May Protect Against Somali Pirates

Pirates have captured 20 ships in and around the Gulf of Aden so far this year.

Naval vessels from about 10 nations will soon be patrolling the waters off the Somali coast, trying to prevent pirates from hijacking cargo ships.

The international efforts may soon be extended to include “private contractors”.

Now, Blackwater, a firm providing thousands of private contractors in Iraq, is offering its services to battle pirates.

VoA (somewhat unaccountably) interviewed a Maryland college professor for a view on this. (Is Maryland twinned with the Yemen?)

“I think it’s important to note first that historically this has been done. In fact, several hundred years ago, when piracy was rampant off the coast of Africa, it brought English trade in that region to a standstill. And the East India Company actually employed private convoys to protect their ships from pirates..

I will try to temporarily ignore the fact that “several hundred years ago,” English trade off the coast of Africa was the Triangle Trade (manufactured goods taken from England to Africa; slaves from Africa to the Americas; and sugar from the American plantations back to England.) All the same, this could hardly be seen as “trade” in any good sense.

I am also a bit confused by this particular historical parallel. The East India Company? My foggy memory of history had me thinking that the East India Company had something to do with India – indeed basically colonised India on a for-private-profit basis, not to mention caused any number of wars in its wake. Indeed, Wikipedia seems to share my delusion.

Maybe protecting the East India Company sounds a more respectable instance of the use of private naval warfare contractors than if you think of privateers in terms of the Pirates-of-the-Caribbean. Indeed, maybe, international co-operation can’t stamp out piracy in the Gulf of Aden. But in that case, what chance would an ad hoc private navy have?
More from VoA:

Cost of the private escort duty may outweigh the risk of sailing unprotected.
Berube says, “That would depend I think on the contracts themselves, but if you are a shipping company, for example, you would have to balance off the cost of providing that extra protection versus the potential loss of revenue… …
Berube says that his research shows most agree private contractors would provide escort duty and not hunt down pirates. “This is really simply just an extension of security that is already provided on some ships. We have armed riders for example. Some shipping companies are providing people on board to protect themselves from pirates,” he says.
He says, however, they must comply with international law, as well as local agreements.

Hmm, Somalia has been in a state of complete chaos on and off for a couple of decades. International law doesn’t seem very big there. If it was – there wouldn’t be any pirates…… Or the UN would be able to stamp out the piracy threat, using member states’ existing navies. Without recourse to any private navy. Anyway, what is international law on the high seas? Who enforces it?

Are international governments like cash-strapped Tudor monarchs, forced to pursue their international objectives through fortune-seekers who’ll do the monarchs’ dirty work while enriching themselves?

It’s not just 1984 any more. Welcome to the Realpolitik of the 15th century.

Fear, fear and more fear

It seems that some members of the government are not happy that legislation to allow innocent people to be sentenced to 42 days in jail failed. From the BBC:

[Security Minister Lord West] told peers that while some measures had been taken over the past 15 months to make Britain safer “this does not, I’m afraid, mean we are safe”.

he said: “The threat is huge. The threat dipped slightly and is now rising again with the context of ‘severe’, large complex plots, because we unravelled one the damage it caused to al-Qaeda actually faded slightly.

“They are now building up again. There is another great plot building up again and we are monitoring this.”

Now, I am not fully sure what Lord West’s point in all this was, other than he is a supporter (albeit in strange circumstances) of the 42 day internment detention plans.

With this in mind, it seems that Lord West is trying the age old trick of making people worried about a nebulous threat with the hope it will cloud their judgement. For this to work, you need to whip people up into a panic, then explain that “doing nothing” is bad so doing anything has to be good. (Sounds familiar)

As is often the case, this is massively flawed.

For longer than I have been alive the UK has been under threat of a “huge, complex” terrorist plot. Since we became weak and frightened (and the terrorists stopped looking like “one of us”) there has been huge spending on the security services along with a massive increase in technical and legislative procedures to surveil and control the public. All of this has been done on the premise that it would reduce the threat from terrorists.

Despite this, we are constantly told by the government that the threat is as bad as ever with what appears to be a steady state 200 terrorist networks operating in the country. Often (such as now) we are told the threat is increasing. The “Terrorist Threat Level” in the UK has been at Severe for around five years now with no signs it will drop.

Nothing we have done has reduced the threat from terrorist attacks. Nothing we have done has reduced the number of terrorist networks. Even when the terrorists kill themselves (such as at Glasgow) the numbers remain the same. Nothing has changed for the better (*), in fact the more laws we enact the more we hear “DANGER, DANGER” and the more we are urged for more sweeping legislation.

When will we learn – it is not working. Doing more of it won’t magically make it work.

If the huge anti-terrorist effort since 7/7 has made no perceptible dent in the terrorist threat, it really is time to find a different way.

However, as it seems the security minister (et al) are more interested in telling the House of Lords and the House of Commons the sky is about to fall on our heads, it is unlikely they have the time to think of a way to be successful. Instead, it seems they would rather pander to the readership of the Daily Mail and be seen to be “tough on terrorism.” The fact it is having no effect is, basically, irrelevant…

* I am aware the security organisations may be working in the background to prevent attacks and destroy terrorist cells – that is what they are there for after all. However, if they are being successful, why hasn’t the threat level changed and why aren’t we hearing that it is (even a little bit) safer today than it was yesterday?