More on the Chinese backdoor in Skype

From Technology Review

Skype has previously acknowledged that its Chinese partner, TOM Online, blocks chat messages containing certain politically sensitive keywords. The new findings, however, reveal a level of surveillance that goes far beyond this.

Nart Villeneuve, a research fellow at the Citizen Lab at the University of Toronto’s Munk Centre for International Studies, uncovered the surveillance scheme by examining the behavior of the TOM-Skype client application. He used an application called Wireshark, which analyzes traffic sent over a computer network, to see what happens when different words are sent via chat using the software. Villeneuve discovered that an encrypted message was automatically sent by the client over the Internet when some words were entered. Following this encrypted packet across the Net, Villeneuve uncovered a directory of files on an open Web server. Not only was the directory publicly accessible, but the data within it could be unlocked using a password found in the same folder. Within these files were more than a million chat messages dating from August and September 2008.

Villeneuve used machine translation to convert the files he found from Chinese into English, and he analyzed the contents to determine likely trigger words. The list he came up with includes obscenities and politically sensitive words and phrases such as “Falun Gong,” “democracy,” and “Tibet.” But Villeneuve also found evidence that completely innocuous messages–one, for example, contained nothing more than a smiley face–were logged. This suggests that certain users were targeted for monitoring, he says.

Great Firewall of China (contd.)

Citizen Lab at the University of Toronto has just released its analysis of surveillance and security practices on China’s TOM-Skype platform. No surprises. They uncovered a huge surveillance system that monitors and archives certain Internet text conversations that include politically charged words.

The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service.

John Markoff of the NYT has a report.

PDF of the Citizen Lab report available from here.

I’ve always assumed that Skype was compromised — which is why I would never use it for confidential conversations. Wonder what eBay have to say about it all?

The benefits of assuming the worst

From Technology Review. What should banks and other ‘secure’ services do when dealing with customers who are incapable of keeping their machines free of malware?

“Our premise,” Ledingham says, “is that, rather than trying to clean up the machines, assume the machine is already infected and focus on protecting the transaction that goes on between the consumer and the enterprise website.”

The problem of malware on users’ computers is “the number-one problem that the financial institutions are wrestling with today,” says Forrester Research senior analyst Geoffrey Turner, an expert on online fraud. Financial institutions can take steps to secure the connections between their servers and their customers’ PCs, Turner says; they can even ensure the security of the customer’s Web browser. But they’re stumped, he says, when it comes to the customer’s operating system. Most successful attempts to steal computer users’ identities, Turner says, involve using malware to capture their credentials or conduct transactions behind the scenes without their knowledge. “The challenge is, how do you secure the end-user computer?” he says. “Should you even, as a bank, be trying to do that?”

Needless to say, his answer is “yes”. But then he runs SiteTrust, a tool recently released by a data-security company, Verdasys, which aims to protect users from fraud, even when their computers have been compromised.
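The premise above, protecting the transaction rather than the endpoint, is usually implemented by binding a short one-time authorisation code to the exact transaction details, computed on a device the PC cannot reach. The following is an added illustration of that idea, not SiteTrust’s or Verdasys’s code (the article does not describe how their product works); the shared secret, the bank class and the “mule account” scenario are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared between the bank and the customer's trusted
# out-of-band device (token or phone app). It is never present on the PC.
DEVICE_SECRET = b"demo-shared-secret-not-a-real-key"


def transaction_code(secret: bytes, payee: str, amount_pence: int,
                     nonce: str, digits: int = 6) -> str:
    """Short code bound to one specific transaction (payee, amount, nonce)."""
    msg = f"{payee}|{amount_pence}|{nonce}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226): 4 bytes at a tag-derived offset,
    # reduced to the requested number of decimal digits.
    offset = tag[-1] & 0x0F
    value = int.from_bytes(tag[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class BankServer:
    """Minimal server side: issues one-time nonces and verifies submitted codes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # nonce -> unused flag

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(8)
        self.pending[nonce] = True
        return nonce

    def submit(self, payee: str, amount_pence: int, nonce: str, code: str) -> str:
        # Each nonce is accepted once, so a captured code cannot be replayed.
        if not self.pending.pop(nonce, False):
            return "rejected: unknown or reused nonce"
        # Recompute over the transaction the bank actually received, not the one
        # the customer believes they sent. Any in-transit change breaks the match.
        expected = transaction_code(self.secret, payee, amount_pence, nonce)
        if hmac.compare_digest(expected, code):
            return "accepted"
        return "rejected: code does not match submitted transaction"


def scenario(tamper: bool) -> str:
    """Run one payment with or without malware rewriting it on the PC."""
    bank = BankServer(DEVICE_SECRET)
    nonce = bank.new_nonce()
    intended = ("ACME Ltd", 12_000)  # constructed payee and amount in pence
    # The trusted device displays payee/amount and shows the code; the customer
    # types the code into the (possibly infected) PC.
    code = transaction_code(DEVICE_SECRET, intended[0], intended[1], nonce)
    # Malware on the PC alters the transaction but can only forward the code as-is.
    submitted = ("Mule Account", 950_000) if tamper else intended
    return bank.submit(submitted[0], submitted[1], nonce, code)


def replay_attempt() -> str:
    """A code reused after acceptance is refused because the nonce is spent."""
    bank = BankServer(DEVICE_SECRET)
    nonce = bank.new_nonce()
    code = transaction_code(DEVICE_SECRET, "ACME Ltd", 12_000, nonce)
    bank.submit("ACME Ltd", 12_000, nonce, code)
    return bank.submit("ACME Ltd", 12_000, nonce, code)


if __name__ == "__main__":
    print("clean PC:   ", scenario(tamper=False))
    print("infected PC:", scenario(tamper=True))
    print("replay:     ", replay_attempt())
```

The server never trusts anything the PC says about the transaction; it only checks that what arrived is what the customer saw on the separate device. The compromised machine can still refuse to send, or alter the displayed details after the fact, but it cannot get a different payee or amount accepted without the customer’s device having computed a code for exactly those values.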

PA sacked by Ministry of the Interior

From The Register

The Home Office has today terminated a £1.5m contract with PA Consulting after it lost the personal details of the entire UK prison population.

In August the firm admitted to officials that it had downloaded the prisons database to an unencrypted memory stick, against the security terms of its contract to manage the JTrack prolific offender tracking system. The data included names, addresses and dates of birth, and was broken down by how frequently individuals had offended.

Following an inquiry into the gaffe, Jacqui Smith told the House of Commons today that PA Consulting’s £8m of other Home Office contracts are now also under review. She said: “The Home Office have decided to terminate this contract. My officials are currently working with PA to take this work back in-house without affecting the operation of JTrack.”

Data handling for JTrack has been taken on by the Home Office, and maintenance and training are due in-house by December.

The inquiry found the Home Office had transferred the data to PA Consulting securely, but that the firm then dumped it to unlabelled USB memory to transfer it between computers at its premises. The stick hasn’t been found. Smith said: “This was a clear breach of the robust terms of the contract covering security and data handling.”

What took them so long?

Apple’s paranoia: the downside

Good column by Bill Thompson…

Different calculations apply when it comes to dealing with people who already use its products, where Apple’s unwillingness to divulge details of security flaws or even the specifics of how flaws are fixed leaves customers confused, ignorant and possibly exposed to attacks that could be avoided.

Patches are simply distributed through Software Update, with little detail about the problems they address or the changes they make, and discussion of security is severely restricted.

We have seen this recently, as two Apple-related talks at the 2008 Black Hat hacker convention were pulled at short notice. A discussion of flaws in the Mac OS disk encryption system FileVault by Charles Edge was withdrawn because he has signed confidentiality agreements with Apple…

Thinking of taking your laptop to the US?

Might be worth considering this from Good Morning Silicon Valley.

If you’re looking to get outraged by a government’s intrusion into the electronic lives of its citizens, you don’t need to look all the way to China. The U.S. Department of Homeland Security recently revealed its current border policy on laptops, iPods and other gadgets carried into the country by returning travelers or foreign visitors, and it boils down to this: Without explanation, we can seize your laptop or any device capable of storing information (including cell phones, thumb drives, video tapes, and old-fashioned analog paper). We can keep it as long as we want. We can look through the contents, and we can share them with other agencies or private entities. And we can do all this whenever and to whomever we want — no reasonable cause needed, not even a vague suspicion of wrongdoing. And, of course, this is all OK because we are protecting our treasured American freedom.

Does Skype have a back door?

Answer: probably yes. I’ve long suspected that anyway. Now comes this interesting report from an Austrian online news site…

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary’s press spokesman was brief, “Skype does not comment on media speculation. Skype has no further comment at this time.” There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were contradicted by other attendees…

I use Skype quite a lot and find it very useful for family stuff etc. But I wouldn’t use it for anything that was commercially sensitive.

Skype would be able to charge quite a hefty fee to governments for this, er, feature.

Also, I wonder how this latest speculation squares with an earlier report that I logged claiming the German police were unable to crack Skype encryption. Perhaps the Germans weren’t willing to pay Skype the required fee for entry to the back door?

Oyster card hack can be revealed

Bet this wouldn’t happen in the US. The Register reports that:

Dutch researchers will be able to publish their controversial report on the Mifare Classic (Oyster) RFID chip in October, a Dutch judge ruled today.

Researchers from Radboud University in Nijmegen revealed two weeks ago they had cracked and cloned London’s Oyster travelcard and the Dutch public transportation travelcard, which is based on the same RFID chip. Attackers can scan a card reading unit, collect the cryptographic key that protects security and upload it to a laptop. Details are then transferred to a blank card, which can be used for free travel.

Around one billion of these cards have been sold worldwide. The card is also widely used to gain access to government departments, schools and hospitals around Britain.

Chipmaker NXP – formerly Philips Semiconductors – had taken Radboud University to court to prevent researchers publishing their controversial report on the chip during the European computer security conference in Spain this autumn. Spokesperson for NXP Martijn van der Linden said that publishing the report would be “irresponsible” – understandably, the company fears criminals will be able to attack Mifare Classic-based systems.

However, the judge today ruled that freedom of speech outweighs the commercial interest of NXP, as “the publication of scientific studies carries a lot of weight in a democratic society”.

The researchers have always said they don’t intend to include details of how to clone the card and that publications could prevent similar errors occurring in the future. NXP says it is disappointed with the ruling…

I bet they are.

Sweden caves in to Osama

Osama bin Laden’s campaign to eliminate civil liberties in the West has notched up another victory — this time in Sweden, formerly a paragon of sweetness and light in these matters.

Sweden this evening voted in favour of its controversial snoop law, after the proposal was amended earlier today.

Under the new law, all communication across Swedish borders will be tapped, and information can also be traded with international security agencies, such as America’s National Security Agency.

A total of 143 members of parliament voted to pass the bill into law, with 138 delegates opposed.

Earlier today, Prime Minister Fredrik Reinfeldt failed to win the backing of his four-party coalition: the draft was sent back to the committee for revision. Key members of parliament who were likely to vote against the proposition were put under pressure by their parties, according to some reports.

Despite receiving copies of George Orwell’s book 1984 from protesters earlier this week, MPs from Sweden’s ruling party believe the law does not constitute the final nail in the coffin of democracy.

Media groupthink and Mr Davis

Here’s a good journalistic rule: whenever you find a consensus, look out for rodent smells. When David Davis stunned the Westminster village with his resignation on Thursday, I watched and listened to most of the mainstream broadcast coverage that evening. It was scarily uniform, which didn’t square at all with my own hunch that Davis’s move is a game-changer. Which is very welcome, because it’s clear that the great British public is sleepwalking into an authoritarian nightmare and something very dramatic is needed to provide a wake-up call. My hope is that the hoo-hah which will surround the by-election might provide such a call.

It’s reassuring to find that my Observer colleague, Henry Porter, sees it the same way, not least because he has been a forceful critic of Labour’s creeping authoritarianism from the beginning. In a terrific column this morning he observes that

The political classes don’t like this sort of thing. There’s too much raw emotion involved. Like nervous prefects, they dismissed Davis as vain, egotistical, narcissistic and irresponsible. He was, said one commentator of my acquaintance, suffering from a mid-life crisis and probably knew he didn’t have the brains to be Home Secretary, which is why he had bailed out.

That very much captures what is wrong with the Westminster village, which is so consumed with the talk of power, the jockeying for power, the acquisition and loss of it, that there is very little space left in the minds of journalists and politicians for principles and ideas. Yet that was what so much of last week in the House of Commons was about. Let us not forget that the Prime Minister won 42 days pre-charge detention by buying votes from nine hard-faced men from Northern Ireland, while 36 members of his own party stood up for the fundamental freedoms of our country. This was a moral defeat, not for Labour, but for Gordon Brown.

Then the unthinkable occurred. Davis appeared like Cyrano de Bergerac with his sword drawn at St Stephen’s entrance to the House of Commons – a venue occasioned by Speaker Martin’s undemocratic refusal to allow him to address the chamber – and challenged anyone and everyone…

Like Henry, I am sending Davis a cheque and a letter of support.