Anatomy of the Twitter Attack

TechCrunch has a riveting account of how Twitter’s security was compromised. It’s a salutary tale of how an ecosystem of Web 2.0 services contains holes that an astute and tireless attacker can exploit. The Summary reads:

1. HC [Hacker Croll, the culprit] accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account; he simply registered it, clicked the link and reset the password. Gmail was then owned.

2. HC then read emails to successfully guess what the original Gmail password was, and reset the password so the Twitter employee would not notice the account had changed.

3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.

4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.

5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text.

6. Even at this point, Twitter had absolutely no idea they had been compromised.

What could have happened next is that Hacker Croll could have used or sold this information for profit. He didn’t do that, and says he never intended to. All he wanted to do, he says, was to highlight the weaknesses in Twitter’s data security policies and get them and other startups to consider more robust security measures.
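Two of the gaps in that chain are mechanical and can be closed in code: a reset link going to a recovery address that nobody has confirmed for a long time (the expired Hotmail account), and reset tokens that outlive their purpose. The following is an added example, not Twitter's or Google's code; the 90-day re-verification window, the 15-minute token lifetime, the PBKDF2 round count and the in-memory `Account` store are all assumptions chosen for illustration.

```python
"""Hardened password-reset flow (added example, not Twitter's or Google's code).
It closes two gaps exploited in the summary above: a reset link sent to a
recovery address nobody has confirmed recently, and a reset token that is
reusable or long-lived.  The 90-day re-verification window, the 15-minute
token lifetime and the in-memory Account store are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

REVERIFY_WINDOW = timedelta(days=90)    # assumption: recovery address must be re-confirmed this often
TOKEN_LIFETIME = timedelta(minutes=15)  # assumption: reset links die quickly
PBKDF2_ROUNDS = 200_000                 # assumption: tune to your hardware


@dataclass
class Account:
    username: str
    recovery_email: str
    recovery_verified_at: Optional[datetime]   # None = never confirmed
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""
    # Outstanding reset tokens, stored as sha256(token) -> expiry, so a
    # database leak does not hand out live reset links.
    reset_tokens: Dict[bytes, datetime] = field(default_factory=dict)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def token_digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def request_reset(acct: Account, now: datetime) -> Tuple[Optional[str], str]:
    """Issue a reset token, or refuse.  Returns (token, reason); token is None on refusal."""
    if acct.recovery_verified_at is None:
        return None, "recovery address never verified"
    if now - acct.recovery_verified_at > REVERIFY_WINDOW:
        # The address may have lapsed and been re-registered by an attacker,
        # which is exactly how the Gmail account in the summary was taken.
        return None, "recovery address stale; re-verify it before a reset can be sent"
    token = secrets.token_urlsafe(32)
    acct.reset_tokens[token_digest(token)] = now + TOKEN_LIFETIME
    return token, "reset link sent to %s" % acct.recovery_email


def consume_reset(acct: Account, token: str, new_password: str, now: datetime) -> bool:
    """Redeem a token exactly once; an expired token is discarded, not honoured."""
    digest = token_digest(token)
    for stored, expiry in list(acct.reset_tokens.items()):
        if hmac.compare_digest(stored, digest):
            del acct.reset_tokens[stored]          # single use, whatever happens next
            if now <= expiry:
                acct.password_hash = hash_password(new_password, acct.salt)
                return True
            return False
    return False


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))


if __name__ == "__main__":
    now = datetime(2009, 7, 1, tzinfo=timezone.utc)
    # Constructed accounts: one whose recovery address was last confirmed over
    # a year ago (the expired-Hotmail case), one confirmed last week.
    stale = Account("employee", "old@hotmail.example", now - timedelta(days=400))
    fresh = Account("colleague", "me@example.net", now - timedelta(days=7))
    print(request_reset(stale, now))
    token, msg = request_reset(fresh, now)
    print(msg, consume_reset(fresh, token, "correct horse battery", now))
    print("replay:", consume_reset(fresh, token, "again", now))
```

The stale-address refusal is the check that would have stopped step 1: the employee must confirm the recovery address again (by logging into it while still authenticated to the primary account) before it can receive a reset link. Step 3, password reuse across Gmail and Google Apps, is not something this code can fix; only distinct credentials, or a second factor on the work account, addresses that.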

It’s made me think hard about the approach I take to granting access to Web 2.0 services.

The BBC and surveillance of Iranian protesters

Further to that earlier post about Nokia-Siemens and the monitoring of Iranian protesters, I’ve just been reminded of something I had known, but had forgotten, namely that Siemens is the firm which runs the BBC’s own IT systems. You think I jest? Well, see the picture above. And here’s the BBC press statement announcing the deal (in October 2004):

BBC appoints Siemens Business Services to provide Technology Framework Contract for next decade

The BBC has announced today that it has completed the procurement for a 10-year Technology Framework Contract (TFC) with Siemens Business Services worth almost £2bn.

As part of the landmark deal, Siemens Business Services has acquired BBC Technology Ltd, a commercial subsidiary of the BBC.

Led by Tom White, Managing Director, Siemens Business Services, BBC Technology will be renamed Siemens Business Services Media Holdings Ltd.

The BBC has received approval for the sale from the Secretary of State for Culture, Media and Sport and approval from the BBC Governors for both the procurement and the sale.

Now let’s ponder the implications of this for a moment. We seem to have a situation where the Beeb is asking Iranians to risk imprisonment – and possibly worse – by uploading photos and videos to its websites. And yet the company that runs the BBC’s own IT services is a partner in the joint venture that supplied the monitoring system the Iranian regime is using to detect those who are doing this perilous uploading. Stand by for corporate reassurances of a (ahem) “Chinese Wall” between the Beeb’s journalism and its IT department.

Are Your “Secret Questions” Too Easily Answered?

In a word, yes.

In research to be presented at the IEEE Symposium on Security and Privacy this week, researchers from Microsoft and Carnegie Mellon University plan to show that the secret questions used to secure the password-reset functions of a variety of websites are woefully insecure. In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study’s participants could guess the correct answers to the participant’s secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.

“Secret questions alone are not as secure as we would like our backup authentication to be,” says Stuart Schechter, a researcher with software giant Microsoft and one of the authors of the paper. “Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords.”

The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions “What is your favorite town?” and “What is your favorite sports team?” were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.
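The figures in that last paragraph are a measure of how concentrated the answers are: an attacker who knows nothing about the victim just tries answers in order of popularity, so the question is only as strong as the tail of its answer distribution. The script below computes the two numbers that capture this, top-k coverage (the share of users caught by the attacker's first k guesses) and guessing entropy (the mean number of guesses), for a constructed answer distribution and for a uniformly random backup code. It is an added example; the frequencies in `SPORTS_TEAM` are invented for illustration and are not data from the Microsoft/CMU study.

```python
"""Top-k guess coverage and guessing entropy of a secret question (added
example; the numbers below are constructed, not data from the Microsoft/CMU
study).  An attacker with no knowledge of the victim simply guesses answers in
order of popularity, so a skewed answer distribution is the whole weakness."""
from collections import Counter
from typing import Dict, Tuple

# Constructed answers to "What is your favourite sports team?" for 1000 users:
# nine popular clubs plus a long tail of one-off answers.  Assumption, not study data.
SPORTS_TEAM: Dict[str, int] = {
    "manchester united": 180, "liverpool": 120, "arsenal": 110, "chelsea": 90,
    "yankees": 70, "lakers": 60, "celtics": 40, "real madrid": 35, "barcelona": 30,
}
SPORTS_TEAM.update({"club-%d" % i: 1 for i in range(265)})


def top_k_coverage(dist: Dict[str, int], k: int) -> float:
    """Fraction of users whose answer is in the attacker's k most popular guesses."""
    total = sum(dist.values())
    return sum(count for _, count in Counter(dist).most_common(k)) / total


def expected_guesses(dist: Dict[str, int]) -> float:
    """Mean number of guesses needed when answers are tried in popularity order."""
    total = sum(dist.values())
    ranked = Counter(dist).most_common()
    return sum((rank + 1) * count for rank, (_, count) in enumerate(ranked)) / total


def uniform_stats(n: int, k: int) -> Tuple[float, float]:
    """The same two metrics for a backup secret drawn uniformly from n values,
    e.g. a 6-digit recovery code (n = 10**6), computed in closed form."""
    return k / n, (n + 1) / 2


if __name__ == "__main__":
    print("sports team: top-5 coverage %.2f, expected guesses %.1f"
          % (top_k_coverage(SPORTS_TEAM, 5), expected_guesses(SPORTS_TEAM)))
    print("6-digit code: top-5 coverage %.6f, expected guesses %.1f"
          % uniform_stats(10**6, 5))
```

Run against a real answer log, `top_k_coverage(dist, 5)` is the number to compare with the study's 30 and 57 percent; anything well above a few percent means the question is doing no more work than a five-entry wordlist, and the account should fall back on something drawn at random rather than recalled.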

Straw drops secret inquest plans

Hooray! According to BBC NEWS,

The government is dropping plans to hold secret inquests without juries, Justice Secretary Jack Straw has said.

In a Commons written statement, Mr Straw said the move did not command the necessary cross-party support, despite earlier government concessions.

It was included in the Coroners and Justice Bill earlier this year to cover cases involving sensitive information.

Civil liberties groups who feared cases like that of Jean Charles de Menezes would be affected, welcomed the move.

The government had argued that in some cases inquests should be held in private for national security, crime prevention or diplomatic reasons.

What’s going on in your browser window?

If you want a measure of how far we’ve moved from the days of simple HTML, then just install the NoScript add-on for Firefox. It detects every script that a site is running within the page and asks you to make a decision about whether to allow it or not. It’s an eye-opener. The image shows what happened when I opened a normal page from the Wall Street Journal.

The sad fact is that there’s so much AJAX-like stuff out there that running NoScript is a bit of a pain. The old adage about the price of liberty being eternal vigilance needs updating. The price of online security is endless hassle.

UK Photographers’ Rights

Paternoster Square (image from Wikipedia)

Given the increasing tolerance of security goonery in Mr Broon’s National Surveillance State, lots of photographers are reporting unpleasant harassment by officials and private-sector goons. The latest example I’ve heard about is of security guards confronting someone taking pictures in Paternoster Square in front of St Paul’s Cathedral in London and threatening to confiscate his camera if he didn’t stop taking pictures of the buildings lining the square. And A-level photography students at my daughter’s school report harassment of the same kind in other parts of London.

Most photographers don’t know what their legal position is, so this guide to UK Photographers’ Rights by a lawyer, Linda Macpherson, is very useful and welcome. It’s designed as a short guide to the main legal restrictions on the right to take photographs and the right to publish photographs that have been taken. Worth printing a copy of the PDF and keeping it in your bag.

OK, so who’s the biggest security risk, then?

From Wired.com.

For years, members of the military brass have been warning that soldiers' blogs could pose a security threat by leaking sensitive wartime information. But a series of online audits, conducted by the Army, suggests that official Defense Department websites post far more potentially-harmful information than blogs do.

The audits, performed by the Army Web Risk Assessment Cell between January 2006 and January 2007, found at least 1,813 violations of operational security policy on 878 official military websites. In contrast, the 10-man, Manassas, Virginia, unit discovered 28 breaches, at most, on 594 individual blogs during the same period.

The results were obtained by the Electronic Frontier Foundation, after the digital rights group filed a lawsuit under the Freedom of Information Act.

"It's clear that official Army websites are the real security problem, not blogs," said EFF staff attorney Marcia Hofmann. "Bloggers, on the whole, have been very careful and conscientious. It's a pretty major disparity." The findings stand in stark contrast to Army statements about the risks that blogs pose.

Minimising the risk of credit/debit card fraud

Here’s a sobering way to start the new year — precautions you can/should take to minimise the risk of having your cards cloned or your bank account ripped off. By Saar Drimer of the Cambridge Computer Lab’s Security Group.

People often ask me what they can do to prevent themselves from being victims of card fraud when they pay with their cards at shops or use them in ATMs (for on-line card fraud tips see e-victims.org, for example). My short answer is usually “not much, except checking your statements and reporting anomalies to the bank”. This post is the longer answer — little practical things, some a bit over the top, I admit — that cardholders can do to decrease the risk of falling victim to card fraud. Some of these will only apply to UK issued cards, some to all smartcards, and the rest applies to all types of cards.

Sobering because I’ve realised that I don’t take many of the precautions recommended.

Thanks to Charles Arthur for the link.

What might go wrong tomorrow

From Ed Felten

Long lines to vote: Polling places will be strained by the number of voters. In some places the wait will be long – especially where voting requires the use of machines. Many voters will be willing and able to wait, but some will have to leave without casting votes. Polls will be kept open late, and results will be reported later than expected, because of long lines.

Registration problems: Quite a few voters will arrive at the polling place to find that they are not on the voter rolls, because of official error, or problems with voter registration databases, or simply because the voter went to the wrong polling place. New voters will be especially likely to have such problems. Voters who think they should be on the rolls in a polling place can file provisional ballots there. Afterward, officials must judge whether each provisional voter was in fact eligible, a time-consuming process which, given the relative flood of provisional ballots, will strain official resources.

Voting machine problems: Electronic voting machines will fail somewhere. This is virtually inevitable, given the sheer number of machines and polling places, the variety of voting machines, and the often poor reliability and security engineering of the machines. If we’re lucky, the problems can be addressed using a paper trail or other records. If not, we’ll have a mess on our hands.

How serious the mess might be depends on how close the election is. If the margin of victory is large, as some polls suggest it may be, then it will be easy to write off problems as “minor” and move on to the next stage in our collective political life. If the election is close, we could see a big fight. The worst case is an ultra-close election like in 2000, with long lines, provisional ballots, or voting machine failures putting the outcome in doubt.

Let’s hope the opinion polls are right. The omens are not good on the voting machine front.

New Labour’s database nation

Cory Doctorow is one of this country’s most valuable immigrants. But, as this scarifying essay reveals, he will be leaving if Brown’s ID Card scheme is implemented.

A few years later, I was living with my partner, and had fathered a British daughter (when I mentioned this to a UK immigration official at Heathrow, he sneeringly called her “half a British citizen”). We were planning a giant family wedding in Toronto when the news came down: the Home Secretary had unilaterally, on 24 hours’ notice, changed the rules for highly skilled migrants to require a university degree…

My partner and I scrambled. We got married. We applied for a spousal visa. A few weeks later, I presented myself in Croydon at the Home Office immigration centre to turn over my biometrics and have a visa glued into my Canadian passport. I got two years’ breathing room. My family could stay in Britain.

Then came last week’s announcement: effective immediately, spousal visa holders (and foreign students) would be issued mandatory, biometric radio-frequency ID papers that we will have to carry at all times. And I started to look over my shoulder…

Now, we immigrants are to be the beta testers for Britain’s sleepwalk into the surveillance society. We will have to carry internal passports and the press will say, “If you don’t like it, you don’t have to live here – it’s unseemly for a guest to complain about the terms of the hospitality.” But this beta test is not intended to stop with immigrants. Government freely admits that immigrants are only the first stage of a universal rollout of mandatory biometric RFID identity cards. What happens to us now will happen to you, next.

Not me, though. If the government of the day when I renew my visa in 2010 requires that I carry these papers as a condition of residence, the Doctorows will again leave their country and find a freer one. My wife – born here, raised here, with family here – is with me. We won’t raise our British daughter in the database nation. It’s not safe.

I’ve never voted Tory in my life, but next time I will if this proposal isn’t dropped. And so, I hope, will most of the country.

Many thanks to Ray Corrigan for pointing me to Cory’s article, which I’d missed in all the guff about the banking crisis.