Memex 1.1

Here’s a sobering way to start the new year — precautions you can/should take to minimise the risk of having your cards cloned or your bank account ripped off. By Saar Drinen of the Cambridge Computer Lab’s Security Group.

People often ask me what can they do to prevent themselves from being victims of card fraud when they pay with their cards at shops or use them in ATMs for on-line card fraud tips see e-victims.org, for example. My short answer is usually “not much, except checking your statements and reporting anomalies to the bank”. This post is the longer answer — little practical things, some a bit over the top, I admit — that cardholders can do to decrease the risk of falling victim to card fraud. Some of these will only apply to UK issued cards, some to all smartcards, and the rest applies to all types of cards.

Sobering because I’ve realised that I don’t take many of the precautions recommended.

Thanks to Charles Arthur for the link.

From Ed Felten…

Long lines to vote: Polling places will be strained by the number of voters. In some places the wait will be long – especially where voting requires the use of machines. Many voters will be willing and able to wait, but some will have to leave without casting votes. Polls will be kept open late, and results will be reported later than expected, because of long lines.

Registration problems: Quite a few voters will arrive at the polling place to find that they are not on the voter rolls, because of official error, or problems with voter registration databases, or simply because the voter went to the wrong polling place. New voters will be especially likely to have such problems. Voters who think they should be on the rolls in a polling place can file provisional ballots there. Afterward, officials must judge whether each provisional voter was in fact eligible, a time-consuming process which, given the relative flood of provisional ballots, will strain official resources.

Voting machine problems: Electronic voting machines will fail somewhere. This is virtually inevitable, given the sheer number of machines and polling places, the variety of voting machines, and the often poor reliability and security engineering of the machines. If we’re lucky, the problems can be addressed using a paper trail or other records. If not, we’ll have a mess on our hands.

How serious the mess might be depends on how close the election is. If the margin of victory is large, as some polls suggest it may be, then it will be easy to write off problems as “minor” and move on to the next stage in our collective political life. If the election is close, we could see a big fight. The worse case is an ultra-close election like in 2000, with long lines, provisional ballots, or voting machine failures putting the outcome in doubt.

Let’s hope the opinion polls are right. The omens are not good on the voting machine front.

Cory Doctorow is one of this country’s most valuable immigrants. But, as this scarifying essay reveals, he will be leaving if Brown’s ID Card scheme is implemented.

A few years later, I was living with my partner, and had fathered a British daughter (when I mentioned this to a UK immigration official at Heathrow, he sneeringly called her “half a British citizen”). We were planning a giant family wedding in Toronto when the news came down: the Home Secretary had unilaterally, on 24 hours’ notice, changed the rules for highly skilled migrants to require a university degree…

My partner and I scrambled. We got married. We applied for a spousal visa. A few weeks later, I presented myself in Croydon at the Home Office immigration centre to turn over my biometrics and have a visa glued into my Canadian passport. I got two years’ breathing room. My family could stay in Britain.

Then came last week’s announcement: effective immediately, spousal visa holders (and foreign students) would be issued mandatory, biometric radio-frequency ID papers that we will have to carry at all times. And I started to look over my shoulder…

Now, we immigrants are to be the beta testers for Britain’s sleepwalk into the surveillance society. We will have to carry internal passports and the press will say, “If you don’t like it, you don’t have to live here – it’s unseemly for a guest to complain about the terms of the hospitality.” But this beta test is not intended to stop with immigrants. Government freely admits that immigrants are only the first stage of a universal rollout of mandatory biometric RFID identity cards. What happens to us now will happen to you, next.

Not me, though. If the government of the day when I renew my visa in 2010 requires that I carry these papers as a condition of residence, the Doctorows will again leave their country and find a freer one. My wife – born here, raised here, with family here – is with me. We won’t raise our British daughter in the database nation. It’s not safe.”

I’ve never voted Tory in my life, but next time I will if this proposal isn’t dropped. And so, I hope, will most of the country.

Many thanks to Ray Corrigan for pointing me to Cory’s article, which I’d missed in all the guff about the banking crisis.

From Technology Review…

Skype has previously acknowledged that its Chinese partner, TOM Online, blocks chat messages containing certain politically sensitive keywords. The new findings, however, reveal a level of surveillance that goes far beyond this.

Nart Villeneuve, a research fellow at the Citizen Lab at the University of Toronto’s Munk Centre for International Studies, uncovered the surveillance scheme by examining the behavior of the TOM-Skype client application. He used an application called Wireshark, which analyzes traffic sent over a computer network, to see what happens when different words are sent via chat using the software. Villeneuve discovered that an encrypted message was automatically sent by the client over the Internet when some words were entered. Following this encrypted packet across the Net, Villeneuve uncovered a directory of files on an open Web server. Not only was the directory publicly accessible, but the data within it could be unlocked using a password found in the same folder. Within these files were more than a million chat messages dating from August and September 2008.

Villeneuve used machine translation to convert the files he found from Chinese into English, and he analyzed the contents to determine likely trigger words. The list he came up with includes obscenities and politically sensitive words and phrases such as “Falun Gong,” “democracy,” and “Tibet.” But Villeneuve also found evidence that completely innocuous messages–one, for example, contained nothing more than a smiley face–were logged. This suggests that certain users were targeted for monitoring, he says.

Citizen Lab at the University of Toronto has just released its analysis of surveillance and security practices on China’s TOM-Skype platform. No surprises. They uncovered discovered a huge surveillance system that monitors and archives certain Internet text conversations that include politically charged words.

The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service.

John Markoff of the NYT has a report.

PDF of the Citizen Lab report available from here.

I’ve always assumed that Skype was compromised — which is why I would never use it for confidential conversations. Wonder what eBay have to say about it all?

From Technology Review. What should banks and other ’secure’ services do when dealing with customers who are incapable of keeping their machines free of malware?

“Our premise,” Ledingham says, “is that, rather than trying to clean up the machines, assume the machine is already infected and focus on protecting the transaction that goes on between the consumer and the enterprise website.”

The problem of malware on users’ computers is “the number-one problem that the financial institutions are wrestling with today,” says Forrester Research senior analyst Geoffrey Turner, an expert on online fraud. Financial institutions can take steps to secure the connections between their servers and their customers’ PCs, Turner says; they can even ensure the security of the customer’s Web browser. But they’re stumped, he says, when it comes to the customer’s operating system. Most successful attempts to steal computer users’ identities, Turner says, involve using malware to capture their credentials or conduct transactions behind the scenes without their knowledge. “The challenge is, how do you secure the end-user computer?” he says. “Should you even, as a bank, be trying to do that?”

Needless to say, his answer is “yes”. But then he runs SiteTrust, a tool recently released by a data-security company, Verdasys, which aims to protect users from fraud, even when their computers have been compromised.

From The Register…

The Home Office has today terminated a £1.5m contract with PA Consulting after it lost the personal details of the entire UK prison population.

In August the firm admitted to officials that it had downloaded the prisons database to an unencrypted memory stick, against the security terms of its contract to manage the JTrack prolific offender tracking system. The data included names, addresses and dates of birth, and was broken down by how frequently individuals had offended.

Following an inquiry into the gaffe, Jacqui Smith told the House of Commons today that PA Consulting’s £8m of other Home Office contracts are now also under review. She said: “The Home Office have decided to terminate this contract. My officials are currently working with PA to take this work back in-house without affecting the operation of JTrack.”

Data handling for JTrack has been taken on by the Home Office, and maintenance and training are due in-house by December.

The inquiry found the Home Office had transferred the data to PA Consulting securely, but that the firm then dumped it to unlabelled USB memory to transfer it between computers at its premises. The stick hasn’t been found. Smith said: “This was a clear breach of the robust terms of the contract covering security and data handling.”

What took them so long?

Good column by Bill Thompson…

Different calculations apply when it comes to dealing with people who already use its products, where Apple’s unwillingness to divulge details of security flaws or even the specifics of how flaws are fixed leaves customers confused, ignorant and possibly exposed to attacks that could be avoided.

Patches are simply distributed through Software Update, with little detail about the problems they address or the changes they make, and discussion of security is severely restricted.

We have seen this recently, as two Apple-related talks at the 2008 Black Hat hacker convention were pulled at short notice. A discussion of flaws in the Mac OS disk encryption system FileVault by Charles Edge was withdrawn because he has signed confidentiality agreements with Apple…

Might be worth considering this from Good Morning Silicon Valley.

If you’re looking to get outraged by a government’s intrusion into the electronic lives of its citizens, you don’t need to look all the way to China. The U.S. Department of Homeland Security recently revealed its current border policy on laptops, iPods and other gadgets carried into the country by returning travelers or foreign visitors, and it boils down to this: Without explanation, we can seize your laptop or any device capable of storing information (including cell phones, thumb drives, video tapes, and old-fashioned analog paper). We can keep it as long as we want. We can look through the contents, and we can share them with other agencies or private entities. And we can do all this whenever and to whomever we want — no reasonable cause needed, not even a vague suspicion of wrongdoing. And, of course, this is all OK because we are protecting our treasured American freedom.

Answer: probably yes. I’ve long suspected that anyway. Now comes this interesting report from an Austrian online news site…

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary’s press spokesman was brief, “Skype does not comment on media speculation. Skype has no further comment at this time.” There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were, however, contradicted by other attendees…

I use Skype quite a lot and find it very useful for family stuff etc. But I wouldn’t use it for anything that was commercially sensitive.

Skype would be able to charge quite a hefty fee to governments for this, er, feature.

Also, I wonder how this latest speculation squares with an earlier report that I logged claiming the German police were unable to crack Skype encryption. Perhaps the Germans weren’t willing to pay Skype the required fee for entry to the back door?