Security & privacy

Does Microsoft actually get it?


Big news this week on the identity management front. Microsoft has purchased the well-respected but often-ignored identity technologies developed by Stefan Brands at Credentica. This technology allows someone to prove that they have some characteristic (e.g., age, citizenship) or privilege (e.g., club member, paying customer) without revealing any information about their actual identity. This is a key enabling technology for developing powerful, privacy-protecting identity systems, and the transaction this week suggests that Microsoft does get it.

Digital Identity, Privacy, and the Internet’s Missing Identity Layer

As Craig Burton pointed out many years ago, one key defining aspect of the Internet is that everything is equidistant from everything else.

That means we can get easily to the most obscure possible resources, which makes the Internet fantastic. But it also means unknown “enemies” are as “close” to us as our “friends” – just a packet away. If something is just a packet away, you can’t see it coming, or prepare for it. This aspect of digital “physics” is one of the main reasons the Internet can be a dangerous place.

That danger can be addressed by adopting a need-to-know approach to the Internet. As little personal information as possible should be released, and to the smallest possible number of parties. Architecturally, our infrastructure should lead naturally to this outcome.

Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible [Internet]. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash. That will be worth billions.


The paradox of disclosure


Here is a wonderful article on the psychology of risk perception and how dread (or anticipated dread) can lead to terrible decisions.

The United States of TMI

Here’s the paradox that rises from all of this: As an individual and consumer, I like disclosure. I want every corporate and civic entity I place trust in to be accountable. I want journalists and scientists to unearth the risks I’m not being told about. At the same time, while any one disclosure of a threat may be tolerable, or even desirable, the cumulative effect of so much disclosure is, frankly, freaking me out.


On laptops, sexy pictures, and encryption


There is an article in this morning’s Globe and Mail about a scandal that started when a movie actor took his laptop in for repairs. It seems that Edison Chen, a Vancouver actor with a strong following in Asia, was having trouble with his MacBook and took it in for repairs. Well, his hard drive contained 1,300 explicit photos of Mr. Chen and various sex partners, and someone at the repair shop decided to take copies and post them on the Internet.

The article goes on to quote Jesse Hirsh, described as a Toronto technology expert, who suggests that people should avoid taking their computers to a repair shop. Instead, they are supposed to “look for someone who makes house calls, and even pay close attention.”

I find this advice to be ludicrous! First, finding a good repair shop is hard, and finding one that will make house calls is even harder. Second, given that this was a laptop, it is likely that repairs will be needed when the owner is away from home, making house calls even more difficult to arrange. Third, it would be very difficult to watch a technician closely enough to be able to catch them copying your files to a USB drive, CD, or onto the Internet.

Most importantly, this advice does not address the fundamental problem – the photos were stored in a manner where they could be copied. If the photos had not been copied at a repair shop, they could have been copied when the laptop was lost or stolen. The news is full of stories about lost laptops containing large amounts of valuable information, and yet the message is not getting across.

Laptops, because they are portable, are easily lost and stolen. Plan for it. Adopt a plan for your laptop that says that nothing will be stored on it that cannot be lost. This means never having anything on a laptop that is not also somewhere else, be it another computer, or a USB stick, or an external hard drive.

It also means never having anything on a laptop that cannot be viewed by the world. Private information, such as sexy photos, should be encrypted. When the information is encrypted, it cannot be viewed by anyone who does not have the key. The files can be lost, stolen, and even posted on the Internet, but if people don’t have the key, then the information is useless.

Encryption tools are provided in many modern operating systems, including OS X used in the MacBook. FileVault can be used on the Mac to encrypt a user’s home directory, and the Disk Utility can be used to create a disk image for storing encrypted files. Other options include TrueCrypt, which is free and available for Windows, Mac, and Linux, and the products offered by PGP Corp.

Sure, encryption technology can be hard to set up, but it really is a necessity for laptop computers. Whole-disk encryption is better than encrypting certain folders, since temporary files stored automatically by the operating system might also contain sensitive information (e.g., temporary copies of your mailbox), but encrypted folders are better than nothing.

And this brings us to our second piece of news. Disk encryption is not foolproof. New research out this week from Princeton University shows that if a computer can be accessed while it is running, or in standby mode, then it is possible to copy the encryption keys from memory. In fact, the keys remain in memory for a brief period (up to 10 minutes under special conditions) even after the computer is turned off. The lesson is to turn your laptop off when it is not in use, rather than leaving it in standby mode.

There is no excuse for storing sensitive information on laptops, or any computers, without protecting it with encryption. If you are not using encryption now, it is time to start.


NSF puts priority on usable security and privacy research


I monitor the funding “wish lists” that come out of the NSF in the US because they are an indicator of what some people think are the important issues. Today, the NSF wish list includes areas close to my heart: security, usability, and privacy. Hopefully, the funding will be granted, and other organizations will take notice.

National Science Foundation Requests $6.85 Billion for Fiscal Year 2009

The FY 2009 request includes $116.9 million for cybersecurity research and education, with $30.0 million specifically devoted respectively to research in usability ($10 million), theoretical foundations ($10 million), and privacy ($10 million) to support the Comprehensive National Cybersecurity Initiative. These investments in cybersecurity and information security and privacy will produce research results that allow society to more fully exploit the potential benefits of an increasingly networked world. In addition, the Scholarship for Service program, which funds scholarships to build a cadre of federal professionals with skills required to protect the nation’s critical information infrastructure, increases by 30 percent to $15 million. (emphasis added)


A mention in the Financial Post


I got a mention in the Financial Post today. This was an article on how small businesses can handle their data securely.

How do you manage and secure data cost-effectively?

Among the biggest threats to small businesses is data loss through theft and equipment failure, says Andrew Patrick, scientist at the National Research Council’s Institute for Information Technology in Ottawa.

“Recently, the U.K. government lost personal records of millions of people through computer disks being sent through its internal mail system.”

The solution here is to limit the amount of data stored on laptops and portable storage devices…


Banking fraud against one-time SMS passwords


One method being used to protect online bank transactions is to use out-of-band authentication. Here a message is sent to a pre-registered cell phone number seeking confirmation of a transaction. The legitimate account owner is supposed to receive the text message and enter the authorization code into the bank website. But what if the bad guys have taken over the cell phone number of the legitimate bank customer, so they receive the authentication request instead? Apparently, this is being done using phishing attacks and a SIM card swop.

Victim’s SIM swop fraud nightmare

Derick Lindsay was playing golf in George in the Western Cape when his cellphone number was hijacked almost 1 200km away in Soweto.

Four days later, on Christmas Day, he went online to check his email and discovered a shocking message from his bank confirming a R80 000 payment to an unknown property company.

The transaction had taken place on the day his SIM card was swopped, but, because he was on holiday, Lindsay hadn’t switched on his laptop in days.

The transfer was possible as the crooks had received an SMS once-off password from his bank, via Lindsay’s hijacked cellphone number – a security measure used by banks to authorise payments to new beneficiaries.


Interesting essay on the politics of Facebook


Here is an interesting article by Tom Hodgkinson on the personal and social implications of Facebook. Most interesting is a review of the politics of the people behind Facebook.

It is becoming clear that political and philosophical agendas, often of an extreme form, are driving many of the online applications making headlines today. For other examples, see Valerie Steeves’ recent presentation on children’s online playgrounds.

With friends like these … Tom Hodgkinson on the politics of the people behind Facebook | Technology | The Guardian

Facebook is a well-funded project, and the people behind the funding, a group of Silicon Valley venture capitalists, have a clearly thought out ideology that they are hoping to spread around the world. Facebook is one manifestation of this ideology. Like PayPal before it, it is a social experiment, an expression of a particular kind of neoconservative libertarianism. On Facebook, you can be free to be who you want to be, as long as you don’t mind being bombarded by adverts for the world’s biggest brands. As with PayPal, national boundaries are a thing of the past.


Another Trojan program for Internet banking fraud


Here is an article from Symantec describing a new Trojan for conducting Internet banking fraud. This program will insert itself into banking sessions, after the user has done single or two-factor authentication, and then alter the sessions to conduct fraud. The Trojan is dynamic and updates itself to include more banks around the world.

This reinforces my interest in using boot CDs for Internet banking.

Banking in Silence

Targeting over 400 banks (including my own) and having the ability to circumvent two-factor authentication are just two of the features that push Trojan.Silentbanker into the limelight. The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis.

This Trojan downloads a configuration file that contains the domain names of over 400 banks. Not only are the usual large American banks targeted but banks in many other countries are also targeted, including France, Spain, Ireland, the UK, Finland, Turkey—the list goes on.
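The session-altering Trojan described here and the SIM swap in the SMS one-time-password post above defeat the same control in two different ways, and both have a server-side answer, sketched below as an added example (not code from either post, Symantec, or any bank): the code is bound to the exact beneficiary and amount spelled out in the SMS, so a payee rewritten after authentication does not verify, and a payment to a new beneficiary is held rather than sent to the phone when the carrier has reported a fresh SIM on the customer's number. The OtpService class, the 7-day hold, the phone number and the accounts are assumptions constructed for the example; demo() returns (honest_ok, mitb_ok, held, later_ok).

```python
import secrets
from datetime import datetime, timedelta

# Assumed policy for this example: no SMS code is sent for a payment to a
# new beneficiary within 7 days of the phone number moving to a new SIM.
SIM_CHANGE_HOLD = timedelta(days=7)

class OtpService:
    def __init__(self):
        self.sims = {}      # phone -> (iccid, time that ICCID was first seen)
        self.pending = {}   # (phone, code) -> (account, beneficiary, amount)

    def register_sim(self, phone, iccid, seen_at):
        # Fed from the carrier; a different ICCID on the same number is a SIM swap.
        prev = self.sims.get(phone)
        if prev is None or prev[0] != iccid:
            self.sims[phone] = (iccid, seen_at)

    def request_otp(self, phone, account, beneficiary, amount, new_beneficiary, now):
        iccid, changed_at = self.sims[phone]
        if new_beneficiary and now - changed_at < SIM_CHANGE_HOLD:
            return None  # recent SIM swap: hold for manual review, send nothing
        code = f"{secrets.randbelow(10**6):06d}"
        # Bind the code to the exact transaction and spell those details out in
        # the SMS, so the customer sees what they are authorising.
        self.pending[(phone, code)] = (account, beneficiary, amount)
        return code, f"Pay {amount} to {beneficiary} from {account}? Code {code}"

    def verify(self, phone, code, account, beneficiary, amount):
        # One-shot: the code is consumed whether or not the details match.
        bound = self.pending.pop((phone, code), None)
        return bound == (account, beneficiary, amount)

def demo():
    # Constructed scenario: phone number, accounts and dates are made up.
    svc, phone, t0 = OtpService(), "+27-555-0100", datetime(2008, 12, 21)
    svc.register_sim(phone, "ICCID-ORIGINAL", t0 - timedelta(days=400))
    # Honest payment: code verified against the same details the SMS showed.
    code, _ = svc.request_otp(phone, "ACC1", "Landlord", 1500, False, t0)
    honest_ok = svc.verify(phone, code, "ACC1", "Landlord", 1500)
    # Man-in-the-browser: the payee is rewritten after the code was issued.
    code, _ = svc.request_otp(phone, "ACC1", "Landlord", 1500, False, t0)
    mitb_ok = svc.verify(phone, code, "ACC1", "MuleCo", 1500)
    # SIM swap on t0: the carrier reports a new ICCID for the same number.
    svc.register_sim(phone, "ICCID-SWAPPED", t0)
    held = svc.request_otp(phone, "ACC1", "PropertyCo", 80000, True, t0)
    later = svc.request_otp(phone, "ACC1", "PropertyCo", 80000, True, t0 + timedelta(days=8))
    return honest_ok, mitb_ok, held, later is not None

if __name__ == "__main__":
    print(demo())  # (True, False, None, True)
```

Neither check helps if the phone itself is compromised, and the hold only works when the bank actually receives SIM-change signals from the carrier; the binding of the code to the displayed details is what removes the value of altering the session after login.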


Spyware being installed by a Facebook application


I have been predicting this problem for some time, and it has now happened.

There are very few controls on who can create a Facebook application (or widget), and what they can be programmed to do. Also, Facebook users are being trained to accept a collection of permission settings each time they install a new application. The result seemed inevitable — someone would create a nasty application that did bad things.

This article describes how the “Secret Crush” widget installs spyware on Facebook users’ computers without them knowing. This is bad, and it is just the beginning of Facebook application problems.

Facebook Widget Installing Spyware

Fortinet Global Security Research Team discovered a malicious Facebook Widget (officially, a “Platform Application”) actively spreading on the social networking site which ultimately prompts users to install the infamous “Zango” adware/spyware.

As of writing, the widget is already being used by 3% of the Facebook community, which amounts to over one million users – all in a very small time-frame. This demonstrates the effectiveness of the propagation strategy employed by the widget, as well as the potential capitalization on a large user base such as Facebook’s.


Bank customers arrested for being Phishing “mules”


Understanding modern Internet risks means understanding how the money flows. This article describes how cyber criminals recruited bank customers to help them transfer money obtained through phishing attacks. Internet fraud involves not only the technical hackers and confidence artists, but also “mules” who carry the money.

Alleged Phishing ‘Mules’ Arrested – Desktop Security News Analysis – Dark Reading

Dutch authorities have arrested 14 ABN AMRO customers who allegedly let cybercriminals use their bank accounts to hide and transfer stolen money from other customers of the bank.

The 12 men and two women were paid for their “services” by the Russian and Ukrainian cybercriminals, but reportedly did not actually steal the information themselves. They instead acted as “mules,” storing and eventually transferring the stolen money overseas to Russia and other countries.
