USB: the new WMD?

Who’d have thought that the humble USB-drive could be so useful? First, it turns out that it’s the distribution medium for the Stuxnet worm. And now we find that it was a key element in Osama Bin Laden’s comms system. Here’s The Register’s version:

Osama bin Laden didn’t have a phone or internet connection, but for years he was a prolific user of email who frustrated Western efforts to track him by saving messages to a thumb drive and having them sent from a distant internet cafe, the Associated Press reports.

The process was so tedious that even veteran intelligence officials have marveled at the al-Qaida chief’s ability to maintain it for so long, the news service said. Bin Laden would type the messages on a computer that had no connection to the outside world and then instruct a trusted courier to drive to a cafe so they could be emailed. The courier would then save messages addressed to bin Laden to the same drive and bring it back so his boss could read them offline.

US Navy Seals seized roughly 100 flash memory drives when they killed bin Laden at his Abbottabad, Pakistan, compound a week and a half ago. Officials told the AP they “appear to archive the back-and-forth communication between bin Laden and his associates around the world.” The cache of messages is so big that the government has enlisted Arabic speakers from around the intelligence community to pore over them.

En passant:

The New York Times account of OBL’s daily life in his walled compound suggests that the lifestyle of a terrorist mastermind leaves something to be desired. He didn’t even have a guy to tidy up his power cables.

Homeland Security leans on Mozilla to take down the Firefox MafiaaFire Add-on

From Harvey Anderson’s blog.

Recently the US Department of Homeland Security contacted Mozilla and requested that we remove the MafiaaFire add-on. The ICE Homeland Security Investigations unit alleged that the add-on circumvented a seizure order DHS had obtained against a number of domain names. Mafiaafire, like several other similar add-ons already available through AMO, redirects the user from one domain name to another similar to a mail forwarding service. In this case, Mafiaafire redirects traffic from seized domains to other domains. Here the seized domain names allegedly were used to stream content protected by copyrights of professional sports franchises and other media concerns.

Our approach is to comply with valid court orders, warrants, and legal mandates, but in this case there was no such court order. Thus, to evaluate Homeland Security’s request, we asked them several questions similar to those below to understand the legal justification:

* Have any courts determined that the Mafiaafire add-on is unlawful or illegal in any way? If so, on what basis? (Please provide any relevant rulings)

* Is Mozilla legally obligated to disable the add-on or is this request based on other reasons? If other reasons, can you please specify.

* Can you please provide a copy of the relevant seizure order upon which your request to Mozilla to take down the Mafiaafire add-on is based?

To date we’ve received no response from Homeland Security nor any court order.

Privacy: the perfect storm of surveillance

From an Editorial in today’s Observer.

A pattern is emerging. A researcher discovers that a product or service offered by a large (generally US-based) company contains a security flaw or a feature that compromises the privacy of internet users. The revelations are confirmed by other experts across the internet. The company responsible then goes through a predictable series of steps: first, “no comment”, followed by indignant denial, then a PR-spun “explanation” and, eventually, an apology of sorts plus a declaration that the bug will be fixed or the intrusive practice terminated.

A recent example was Apple’s extraordinary contortions over the discovery that its iPhone was covertly collecting location data and storing it in unencrypted form. But last week also saw the revelation that devices made by TomTom, the leading manufacturer of GPS navigation systems, had effectively been spying on Dutch users and that the aggregated data had been sold to the police in order to guide the location of speed traps…

And now: the Android spyPhone

From yesterday’s Guardian:

Smartphones running Google’s Android software collect data about the user’s movements in almost exactly the same way as the iPhone, according to an examination of files they contain. The discovery, made by a Swedish researcher, comes as the Democratic senator Al Franken has written to Apple’s chief executive Steve Jobs demanding to know why iPhones keep a secret file recording the location of their users as they move around, as the Guardian revealed this week. Magnus Eriksson, a Swedish programmer, has shown that Android phones – now the bestselling smartphones – do the same, though for a shorter period. According to files discovered by Eriksson, Android devices keep a record of the locations and unique IDs of the last 50 mobile masts that it has communicated with, and the last 200 Wi-Fi networks that it has “seen”. These are overwritten, oldest first, when the relevant list is full. It is not yet known whether the lists are sent to Google. That differs from Apple, where the data is stored for up to a year.

The Apple spyPhone (contd.)

It’s fascinating to see what happened overnight on this story. Firstly, lots of people began posting maps of where their iPhones had been, which is a clear demonstration of the First Law of Technology — which says that if something can be done then it will be done, irrespective of whether it makes sense or not. Personally I’ve always been baffled by how untroubled geeks are about revealing location data. I remember one dinner party of ours which was completely ruined when one guest, a friend who had been GPS-tracking his location for three years, was asked by another guest, the late, lamented Karen Spärck Jones, if he wasn’t bothered by the way this compromised his privacy. He replied in the negative because he had “nothing to hide”. There then followed two hours of vigorous argument which touched on, among other things, the naivete of geeks, the ease with which the punctiliousness of Dutch bureaucracy made it easy to round up Dutch Jews after the Germans invaded Holland in the Second World War, the uses to which location data might be put by unsavoury characters and governments, Karl Popper and the Open Society, etc. etc.

Michael Dales has a couple of interesting blog posts (here and here) about the iPhone data-gathering facility. And, like all geeks, he’s totally unsurprised by the whole affair.

It seems rather than worry geeks, most of us find the data amazing. I suspect that’s because most of us know that this data could be got otherhow anyway – all it really shows is where your phone has been, and the phone operators know that anyway – and I typically trust them a lot less than I trust Apple (not that I think Apple is angelic, it’s a shareholder owned company, but I generally have a more antagonistic relationship with phone companies than I do Apple). So the fact the data resides on my phone is handy – if I was worried about people tracking where my phone goes then I’d never turn it on.

Michael also sees positive angles to this.

If you have a Mac and want to see where your iPhone has been (and then, like most people, post it to the Internet :) then you can get the tool to do so here. What I think is potentially really exciting is what you can do with the data now that you have access to it, not just your phone company. Quentin has already had the idea that you could use it to geotag your photos, which would be awesome, but how about things like carbon calculators, trip reports, and so on?

This post attracted a useful comment from ScaredyCat which gets to the heart of the problem:

The brouhaha isn’t just about the data being stored, it’s about the data being stored unencrypted. I love data like any geek but you do have to wonder why the data is being collected in the first place.

Precisely. What the data-logging and storage facility means is that your iPhone is potentially a source of useful confidential information for people who would have no hope of obtaining that information legally from a mobile phone network.

This point is neatly encapsulated by Rory Cellan-Jones in his blog post:

This obviously has intriguing implications for anyone who possesses one of these devices. What, for instance, if you had told your wife that you were off on a business trip – when in fact you had slipped off to the slopes with some mates – and she then managed to track down your iPhone location file? (I should stress that this is an imaginary scenario).

For divorce lawyers, particularly in the United States, the first question when taking on a new client could be “does your spouse own an iPhone?” And law enforcement agencies will also be taking a great interest in the iPhones – or iPads – of anyone they are tracking.

The other interesting thing about the spyPhone story is that, according to Alex Levinson, it’s an old story. He says that

Back in 2010 when the iPad first came out, I did a research project at the Rochester Institute of Technology on Apple forensics. Professor Bill Stackpole of the Networking, Security, & Systems Administration Department was teaching a computer forensics course and pitched the idea of doing forensic analysis on my recently acquired iPad. We purchased a few utilities and began studying the various components of Apple mobile devices. We discovered three things:

* Third Party Application data can contain usernames, passwords, and interpersonal communication data, usually in plain text.
* Apple configurations and logs contain lots of network and communication related data.
* Geolocational Artifacts were one of the single most important forensic vectors found on these devices.

After presenting that project to Professor Stackpole’s forensic class, I began work last summer with Sean Morrissey, managing director of Katana Forensics, on its iOS Forensic Software utility, Lantern. While developing with Sean, I continued to work with Professor Stackpole on an academic paper outlining our findings in the Apple Forensic field. This paper was accepted for publication into the Hawaii International Conference for System Sciences 44 and is now an IEEE Publication. I presented on it in January in Hawaii and during my presentation discussed consolidated.db and its contents with my audience – my paper was written prior to iOS 4 coming out, but my presentation was updated to include iOS 4 artifacts.

Thanks to David Smith for passing on the link to the Levinson post.

The Apple spyPhone

Oxford to Cambridge and then London from Alasdair Allan on Vimeo.

Fascinating video of location data routinely and covertly gathered by an iPhone belonging to researcher Alasdair Allan. I came upon it via an intriguing Guardian story which reported that

Security researchers have discovered that Apple’s iPhone keeps track of where you go – and saves every detail of it to a secret file on the device which is then copied to the owner’s computer when the two are synchronised.

The file contains the latitude and longitude of the phone’s recorded coordinates along with a timestamp, meaning that anyone who stole the phone or the computer could discover details about the owner’s movements using a simple program.

For some phones, there could be almost a year’s worth of data stored, as the recording of data seems to have started with Apple’s iOS 4 update to the phone’s operating system, released in June 2010.

“Apple has made it possible for almost anybody – a jealous spouse, a private detective – with access to your phone or computer to get detailed information about where you’ve been,” said Pete Warden, one of the researchers.

Only the iPhone records the user’s location in this way, say Warden and Alasdair Allan, the data scientists who discovered the file and are presenting their findings at the Where 2.0 conference in San Francisco on Wednesday. “Alasdair has looked for similar tracking code in [Google’s] Android phones and couldn’t find any,” said Warden. “We haven’t come across any instances of other phone manufacturers doing this.”

Lots more information (plus a downloadable open source application that enables you to locate the file containing your location data history) on Pete Warden’s site. He’s got some helpful FAQs, including these:

What can I do to remove this data?

This database of your locations is stored on your iPhone as well as in any of the automatic backups that are made when you sync it with iTunes. One thing that will help is choosing encrypted backups, since that will prevent other users or programs on your machine from viewing the data, but there will still be a copy on your device.

Why is Apple collecting this information?

It’s unclear. One guess might be that they have new features in mind that require a history of your location, but that’s pure speculation. The fact that it’s transferred across devices when you restore or migrate is evidence the data-gathering isn’t accidental.

Is Apple storing this information elsewhere?

There’s no evidence that it’s being transmitted beyond your device and any machines you sync it with.

What’s so bad about this?

The most immediate problem is that this data is stored in an easily-readable form on your machine. Any other program you run or user with access to your machine can look through it.

It’s interesting that the mobile operators also keep this data, but the cops have to get a special order to access it. (Which they often do, as we find out in evidence to murder trials, for example.) But anyone who gets access to an iPhone (or, it turns out, a 3G-enabled iPad) can get it without going through any legal palaver.

Interesting, ne c’est pas? n’est-ce pas?

(Thanks to Duncan Thomas for correcting my French.)
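To make concrete why an unencrypted copy of that file matters, here is an added example (not code from the page, from Warden and Allan’s tool, or from Apple) that audits a constructed, in-memory SQLite stand-in for the location cache. The table name, column names, and sample rows are assumptions: the page only says that each record carries latitude, longitude and a timestamp.

```python
import sqlite3
from datetime import datetime

# Constructed sample fixes (not real data): ISO timestamp, latitude, longitude.
# The three cities echo the "Oxford to Cambridge and then London" video.
SAMPLE_FIXES = [
    ("2010-06-21T08:00:00Z", 51.7520, -1.2577),   # Oxford
    ("2010-06-21T10:30:00Z", 52.2053, 0.1218),    # Cambridge
    ("2010-06-21T14:00:00Z", 51.5074, -0.1278),   # London
    ("2011-04-19T09:15:00Z", 52.2053, 0.1218),    # Cambridge again
    ("2011-04-20T17:45:00Z", 51.7520, -1.2577),   # Oxford again
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with an ASSUMED schema standing in
    for the on-device cache; the real table layout is not given on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE location_cache (ts TEXT, lat REAL, lon REAL)")
    conn.executemany("INSERT INTO location_cache VALUES (?, ?, ?)", SAMPLE_FIXES)
    conn.commit()
    return conn


def _parse_ts(value: str) -> datetime:
    # Accept a trailing 'Z' on older Python versions as well.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_location_cache(conn: sqlite3.Connection, grid: float = 0.01) -> dict:
    """Summarise what a plain-text location cache exposes to anyone who can
    read the file: number of fixes, calendar span covered, and how many
    distinct places (rounded to a coarse grid) the owner visited.
    No key or credential is needed: this is the whole point of the story."""
    rows = conn.execute(
        "SELECT ts, lat, lon FROM location_cache ORDER BY ts"
    ).fetchall()
    if not rows:
        return {"fixes": 0, "days_spanned": 0, "distinct_places": 0}

    first, last = _parse_ts(rows[0][0]), _parse_ts(rows[-1][0])
    # Snap coordinates to a ~1 km grid so repeat visits collapse to one place.
    places = {
        (round(lat / grid) * grid, round(lon / grid) * grid) for _, lat, lon in rows
    }
    return {
        "fixes": len(rows),
        "days_spanned": (last - first).days + 1,
        "distinct_places": len(places),
    }


if __name__ == "__main__":
    report = audit_location_cache(build_sample_db())
    print(report)  # constructed sample: 5 fixes spanning 304 days, 3 places
```

Run against a real backup the only thing that changes is the input; the fact that the audit needs no secret is exactly why Warden’s advice to choose encrypted backups matters.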

Federated social networking

There’s a useful piece on the Electronic Frontier Foundation’s site about federated networking, seen as a way of counteracting the centralising power of outfits like Facebook.

To understand how federated social networking would be an improvement, we should understand how online social networking essentially works today. Right now, when you sign up for Facebook, you get a Facebook profile, which is a collection of data about you that lives on Facebook's servers. You can add words and pictures to your Facebook profile, and your Facebook profile can have a variety of relationships — it can be friends with other Facebook profiles, it can be a ‘fan’ of another Facebook page, or ‘like’ a web page containing a Facebook widget. Crucially, if you want to interact meaningfully with anyone else’s Facebook profile or any application offered on the Facebook platform, you have to sign up with Facebook and conduct your online social networking on Facebook’s servers, and according to Facebook’s rules and preferences. (You can replace “Facebook” with “Orkut,” “LinkedIn,” “Twitter,” and essentially tell the same story.)

We’ve all watched the dark side of this arrangement unfold, building a sad catalog of the consequences of turning over data to a social networking company. The social networking company might cause you to overshare information that you don’t want shared, or might disclose your information to advertisers or the government, harming your privacy. And conversely, the company may force you to undershare by deleting your profile, or censoring information that you want to see make it out into the world, ultimately curbing your freedom of expression online. And because the company may do this, governments might attempt to require them to do it, sometimes even without asking or informing the end-user.

How does it work?

To join a federated social network, you’ll be able to choose from an array of “profile providers,” just like you can choose an email provider. You will even be able to set up your own server and provide your social networking profile yourself. And in a federated social network, any profile can talk to another profile — even if it’s on a different server.

Imagine the Web as an open sea. To use Facebook, you have to immigrate to Facebook Island and get a Facebook House, in a land with a single ruler. But the distributed social networks being developed now will allow you to choose from many islands, connected to one another by bridges, and you can even have the option of building your own island and your own bridges.

Why does this matter?

The beauty of the Internet so far is that its greatest ideas tend to put as much control as possible in the hands of individual users. And online social networking is a powerful tool for the many who want a service that compiles all the digital stuff shared by family, friends, and colleagues. But so far, social networking has grown in a way that concentrates control over that information — status posts, photos, and even your relationships themselves — with individual companies.

Distributed social networks represent a model that can plausibly return control and choice to the hands of the Internet user. If this seems mundane, consider that informed citizens worldwide are using online social networking tools to share vital information about how to improve their communities and their governments — and that in some places, the consequences if you’re discovered to be doing so are arrest, torture, or imprisonment. With more user control, diversity, and innovation, individuals speaking out under oppressive governments could conduct activism on social networking sites while also having a choice of services and providers that may be better equipped to protect their security and anonymity.

Vorsprung durch Technik (nein)

This morning’s Observer column.

Those whom the Gods wish to destroy, they first make infatuated with their own ingenuity. Witness the heady talk about “the internet of things”. The basic idea is that we are moving from an era when the network connected human beings to one where a majority of the nodes on it will be devices: printers, cameras, monitoring devices, domestic appliances – yea even unto the humble toaster.

Two forces are driving this trend…

The WikiLeaks phenomenon reviewed

From my review of two of the current wave of books about WikiLeaks.

Experience showed, however, that often mere revelation was not enough: the world yawned and turned away. Often the leaked material was complex and unintelligible to the lay browser. It needed expert interpretation – and corroboration. So gradually it dawned on Assange and his colleagues that the best way of making an impact on the world might be to collaborate with journalistic organisations, which could provide the interpretation and the checking needed to ensure that people believed what was being leaked. This is the value that the Guardian, the New York Times, Der Spiegel and the other media partners added to the vast troves of documents that Assange brought to them.

But if it turned out that WikiLeaks needed conventional journalism, it has also become clear that conventional journalism needs what WikiLeaks created, namely a secure technology for enabling people to upload confidential material that they believe should be in the public domain. So it's important that serious media organisations now build that kind of technology themselves, just in case WikiLeaks is overcome by the fragility of its finances, its managerial problems or the legal vulnerability of its founder. In a world increasingly dominated by secretive, unaccountable corporations and in which authoritarian regimes continue to flourish, we will need robust technologies for ensuring that some secrets cannot be kept…

Messenger refuses to be shot

Heart-warming story in The Register.

Computer scientists from Cambridge University have rebuffed attempts by a banking association to persuade them to take down a thesis covering the shortcomings of Chip-and-PIN as a payment verification method.

Omar Choudary’s masters thesis contains too much information about how it might be possible to fool a retailing terminal into thinking a PIN authorising a purchase had been entered, as far as the bankers are concerned. Noted cryptographer and banking security expert Professor Ross Anderson gives short shrift to the argument that publishing the research exceeds the bounds of responsible disclosure, politely but firmly telling the UK Cards Association that the research was already in the public domain and that Choudary’s work would stay online.

Anderson is one of Choudary’s supervisors in the latter’s research…

Ross Anderson is one of the most imperturbable guys I know, and his response to the bankers’ impertinence is right in character. It reads:

The bankers’ trade association has written to Cambridge University asking for the MPhil thesis of one of our research students, Omar Choudary, to be taken offline. They complain it contains too much detail of our No-PIN attack on Chip-and-PIN and thus “breaches the boundary of responsible disclosure”; they also complain about Omar’s post on the subject to this blog.

Needless to say, we’re not very impressed by this, and I made this clear in my response to the bankers. (I am embarrassed to see I accidentally left Mike Bond off the list of authors of the No-PIN vulnerability. Sorry, Mike!) There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.

The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

This highlights an issue that also came up with WikiLeaks. The US government used a system for holding its confidential communications that was intrinsically insecure (a unified database with something like two million officials authorised to use it). When its insecurity was finally revealed by Bradley Manning (and then WikiLeaks), the response was to rage against the breach, whereas the rational thing to do is to rethink the security architecture. Governments are entitled to keep some secrets. But if those secrets are important, then they ought to be seriously protected, not put at risk in such a clueless way. So exposure fulfils a vital function, however annoying it may be at the time.

One wonders, though, if anyone in the UK Cabinet Office is paying attention to all this. As far as I know, the Coalition is still committed to the computerisation of NHS medical records embarked upon by New Labour. This means that the UK is constructing the same kind of intrinsically-insecure system as that breached by WikiLeaks. If the NHS system is built, the UK will have a centralised database of highly confidential documents — the medical records of every citizen — to which upwards of 100,000 people of different organisational grades will have routine rights of access. Imagine the fuss there will be when the News of the World pays some bent geek to access the medical records of Cabinet ministers, celebrities and the like.

The only way to keep systems secure is what Ross calls compartmentation. In a way, that’s what the US government abandoned in the aftermath of 9/11 as it struggled to respond to the damaging discovery that its intelligence agencies had failed to “join up the dots”. The system that Bradley Manning accessed and WikiLeaks published was the government’s response to the criticisms.

But at least governments have some options available to them; they can change — or abandon — their systems. If the Coalition is wise, it will rethink the NHS database. Banks, however, don’t have as many options because they are caught in a special trap. On the one hand, customers can’t be persuaded to use online systems unless the banks swear blind that they are 100% secure. But no system can be that secure and so banks have to perpetuate the illusion of such security — which is the worst scenario of all because that encourages people to trust everything to it.

The only rational attitude to online systems is cautious scepticism about their security. By constantly reminding us of the vulnerabilities in these systems, Ross and his group are performing a valuable public service, even if the bankers don’t like it.

UPDATE: Excellent piece in the Guardian which includes this:

In view of the UKCA’s letter, Anderson has authorised Choudary’s thesis to be published as a Computer Laboratory technical report.

“This will make it easier for people to find and cite, and will ensure that its presence on our website is permanent,” his reply to the UKCA states.

“It is outrageous that the banking industry should try to censor a student’s thesis even though it was lawful and already in the public domain,” Anderson told the Guardian.

“It was particularly surprising for its chair, Melanie Johnson, to make this request; as a former MP she must be aware of the Human Rights Act, and as a former Cambridge graduate student she should have a better understanding of this university’s culture.

“Her intervention was completely counterproductive for the banks who employ her: Omar’s thesis will now be read by thousands of people who would otherwise not have heard of it,” he said.