Category Archives: security

Google Health, Phorm, where next for your private data?

Let’s look at the fundamentals. Is an advertising company an appropriate place for sensitive personal data like health records? That’s easy to answer, no matter how many privacy assurances Google gives. Google is a specialist at mining personal data; and whenever I read its terms and conditions it is almost enough to stop me using its services. So Google Health? No thanks. Google, if you want to do this, split the company.

How about this idea: some of the UK’s largest ISPs – Carphone Warehouse, BT and Virgin Media – intend to hand over their users’ Internet history to an advertising company called Phorm. The Reg has more details – read the comments to get fully spooked. Someone has set up a protest site here.

Phorm says it has strong privacy practices that safeguard user data, audited by Ernst and Young [PDF]. Safeguards include:

  • Deleting raw data after 14 days
  • Removing numbers longer than 3 digits
  • Not storing email addresses or IP numbers
  • Not storing form fields (thus no passwords)
  • Identifying users only by a random number
  • Analysing data only for predetermined keywords

Happy now? No. Some of these protections are weak. For example, the AOL search data debacle proved that replacing IP numbers with random identifiers is insufficient protection, because users can be identified solely by their activity. This applies even more strongly to an ISP’s data, which has everything you do on the Internet, not just your search history. Second, it is an opt-out system – it should be opt-in – and the opt-out on offer is weak; it merely stops you seeing the targeted ads, rather than preventing your data being sent to Phorm. Third, the data to be mined includes all your non-encrypted Internet activity, such as reading Google Mail, and not just URLs visited. While Phorm says it won’t read it, any additional use of this data makes it more vulnerable to interception and abuse.
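To make the pseudonymisation point concrete, here is an added example (my own construction, not code from the original post, from Phorm or from the Ernst and Young audit). It applies three of the listed safeguards to a constructed browsing log (drop e-mail addresses, drop numbers longer than 3 digits, keep only predetermined keywords), builds a per-random-identifier keyword profile, and then measures how many profiles share a small set of facts. The keyword list, identifiers and page texts are all made up for the example.

```python
import re
from collections import Counter

# Constructed keyword list standing in for Phorm's "predetermined keywords".
KEYWORDS = {"mortgage", "diabetes", "pregnancy", "cruise", "python", "football"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LONG_NUMBER_RE = re.compile(r"\d{4,}")


def sanitise(page_text):
    """Apply the listed safeguards to one page view: drop e-mail addresses and
    numbers longer than 3 digits, then keep only the predetermined keywords."""
    text = EMAIL_RE.sub(" ", page_text)
    text = LONG_NUMBER_RE.sub(" ", text)
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(words & KEYWORDS)


def build_profiles(log):
    """log: (pseudonymous_id, page_text) pairs. Returns id -> Counter of keywords,
    which is all a keyword-based profiler would retain per random identifier."""
    profiles = {}
    for pid, text in log:
        profiles.setdefault(pid, Counter()).update(sanitise(text))
    return profiles


def anonymity_set(profiles, facts):
    """How many pseudonymous profiles contain every keyword in `facts`.
    A result of 1 means those few facts single out one random identifier,
    which is the AOL lesson: the activity itself becomes the identifier."""
    return sum(1 for prof in profiles.values() if facts <= set(prof))


# Constructed browsing log for three pseudonymous users.
LOG = [
    ("7f3a", "Compare mortgage rates today - contact jane@example.com, ref 123456"),
    ("7f3a", "Managing diabetes during pregnancy"),
    ("c912", "Premier League football results"),
    ("c912", "Cheap cruise holidays, call 0800 123 4567"),
    ("e0b4", "Python tutorial for beginners"),
    ("e0b4", "Premier League football results"),
]

if __name__ == "__main__":
    profiles = build_profiles(LOG)
    for pid, prof in profiles.items():
        print(pid, dict(prof))
    print("profiles matching {football}:", anonymity_set(profiles, {"football"}))
    print("profiles matching {diabetes, pregnancy}:",
          anonymity_set(profiles, {"diabetes", "pregnancy"}))
```

The sanitiser does exactly what the safeguards promise, yet two health keywords are enough to narrow the log to a single random identifier. Anyone who can tie those two facts to a named person (a colleague, a relative, a previous data leak) has undone the pseudonymisation without ever seeing an IP address.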

What’s the answer? Change your ISP, of course; but also SSL, which encrypts your Internet traffic. Passwords themselves are inherently bad enough, without making it worse by sending them in plain text; further, we need to learn that anything we read or send in plain text over the Internet has potentially been intercepted. This 2005 article spells out what that means. My hunch is that it is little better now. If we encrypt all the traffic that matters to us, then we won’t care so much that the ISP is selling it on.

[This post replaces an earlier draft].

Update: More details at the Reg today, complete with diagrams. Performance impact is also a concern.


Detailed look at a WordPress hack

Angsuman Chakraborty’s technical blog suffered a similar attack to mine – the malicious script was the same, though the detail of the attack was different. In my case WordPress was attacked via Phorum. Chakraborty offers a detailed look at how his site was compromised and makes some suggestions for improving WordPress security.

In both these cases, WordPress was not solely to blame. At least, that is the implication. Chakraborty thinks his attack began with an exploit described by Secunia, which requires the hacker first to obtain access to the WordPress password database, via a stray backup or a SQL injection attack. Nevertheless, Chakraborty says:

One of the challenges with WordPress is that security considerations were mostly an afterthought (feel free to disagree) which were latched on as WordPress became more and more popular.

I have huge respect for WordPress. Nevertheless, I believe its web site could do better with regard to security. The installation instructions say little about it. You really need to find this page on hardening WordPress. It should be more prominent.


Unanswered question: how’s Vista’s real-world security compared to XP?

Reading Bruce Eckel’s disappointing I’m not even trying Vista post (I think he should give it a go rather than swallow all the anti-hype) prompts me to ask: how’s Vista’s security shaping up, after 12 months of real-world use?

I could call the anti-virus companies, but I doubt I’ll get a straight answer. The only story the AV guys want to see is how we still need their products.

I’d like some stats. What proportion of Vista boxes has been successfully infected by malware? How does that compare to XP SP2? And has anyone analysed those infections to see whether User Account Control (Vista’s big new security feature) was on or off, and whether the infection required the user’s cooperation, such as clicking OK when an unsigned malware app asked for admin rights? What about IE’s protected mode – has it reduced the number of infections from compromised or malicious web sites?

Has anyone got hard facts on this?


The day my web site was hacked

Here are the gory details.

Let me add my thanks to the great guys at phorum.org for their help in trying to work out what went wrong. The WordPress folk seemed less interested, maybe because the forums there are so busy that a hack report makes barely a ripple. Further, the WordPress code itself was not to blame, so it was not their problem to solve.

I loosened the permissions on the WordPress uploads folder in order to upload images with Live Writer. Lesson learned; I’m back to using SCP.
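As an added example (mine, not from the original post or from WordPress), here is the kind of check worth running after an incident like this one. It walks a web root and reports the two conditions a loosened uploads folder invites: anything world-writable, and server-side scripts sitting inside an uploads directory. The script extensions, the uploads path and the sample site it builds in a temporary directory are all constructed for the example.

```python
import os
import stat
import tempfile

# Constructed list of extensions the web server would execute as code.
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".cgi")
# Constructed: directories that should only ever hold data files, never scripts.
UPLOAD_DIRS = (os.path.join("wp-content", "uploads"),)


def audit_web_root(root):
    """Walk a web root and return a sorted list of (finding, path_relative_to_root)
    for world-writable entries and for scripts found inside an uploads directory."""
    findings = []
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits mean nothing; audit its target separately
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            in_uploads = any(rel == u or rel.startswith(u + os.sep) for u in UPLOAD_DIRS)
            if in_uploads and name.lower().endswith(SCRIPT_SUFFIXES):
                findings.append(("script-in-uploads", rel))
    return sorted(findings)


def make_sample_site():
    """Constructed fixture: a throwaway web root whose uploads folder was chmod'ed
    wide open and has a PHP file sitting in it. Returns the root path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    uploads = os.path.join(root, UPLOAD_DIRS[0])
    os.makedirs(uploads)
    os.chmod(os.path.dirname(uploads), 0o755)
    os.chmod(uploads, 0o777)  # the "loosened" permission
    with open(os.path.join(uploads, "unexpected.php"), "w") as f:
        f.write("<?php /* placeholder: a script that should not be here */ ?>\n")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php /* normal site file */ ?>\n")
    os.chmod(os.path.join(root, "index.php"), 0o644)
    return root


def audit_sample_site():
    """Build the fixture and audit it in one call."""
    return audit_web_root(make_sample_site())


if __name__ == "__main__":
    for finding, path in audit_sample_site():
        print(f"{finding:18} {path}")
```

Point it at a real web root with `audit_web_root("/var/www/example")` (a hypothetical path). A world-writable uploads directory is only half the problem; the other half is that the web server will happily execute whatever lands there, which is why the second check exists.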


Zoho users logging into other accounts by accident

Zoho users beware. There appears to be a nasty bug whereby a user logs in with their own credentials, but finds themselves logged into another user’s account:

I have the last couple of weeks experienced that I get logged on into another account that I do not know!
I can see the other account documents. Just a few minutes ago I tried to use my own logon but was logged in to the account of <…>

says a user on the Zoho forums.

Zoho says it is fixing this urgently:

We have analyzed the logs and found some race conditions that could happen under high load. We have a fix in, and are continuing to monitor it very closely. We have also launched a complete review of security, so that this type of issue does not recur. We are taking it very seriously and apologize profusely.

Food for thought nonetheless. This is the kind of reason people cite for sticking with on-premises applications. I argue that data is often safer in the cloud, but this kind of incident makes you wonder.
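Zoho has not said what the race condition was, so the following is an added example of one pattern that produces exactly this symptom under load, not Zoho’s code and not a claim about their implementation: the authenticated user is kept in a single process-wide slot, so two overlapping requests overwrite each other. The fixed version keeps the identity in thread-local storage. The session table and the barrier that forces the bad interleaving are constructed for the example.

```python
import threading

# Constructed sessions: two users whose requests reach the same server process at once.
SESSIONS = {"session-A": "alice", "session-B": "bob"}


class SharedSlotAuth:
    """Anti-pattern (assumed for illustration): the authenticated user lives in one
    process-wide attribute, shared by every request thread."""

    def __init__(self):
        self.current_user = None

    def authenticate(self, session_id):
        self.current_user = SESSIONS[session_id]

    def whoami(self):
        return self.current_user


class RequestScopedAuth:
    """Fix: the authenticated user lives in thread-local storage, so each request
    thread only ever sees the identity it resolved itself."""

    def __init__(self):
        self._local = threading.local()

    def authenticate(self, session_id):
        self._local.user = SESSIONS[session_id]

    def whoami(self):
        return getattr(self._local, "user", None)


def serve_concurrently(auth):
    """Handle both sessions on separate threads. A barrier forces the worst-case
    interleaving that high load makes likely: both requests authenticate before
    either one reads back 'who am I'. Returns {session_id: user_seen}."""
    barrier = threading.Barrier(len(SESSIONS))
    seen = {}

    def handle(session_id):
        auth.authenticate(session_id)
        barrier.wait()  # every request has authenticated by this point
        seen[session_id] = auth.whoami()

    threads = [threading.Thread(target=handle, args=(sid,)) for sid in SESSIONS]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return seen


def mixups(seen):
    """Sessions that ended up looking at somebody else's account."""
    return sorted(sid for sid, user in seen.items() if SESSIONS[sid] != user)


if __name__ == "__main__":
    print("shared slot :", mixups(serve_concurrently(SharedSlotAuth())))
    print("thread-local:", mixups(serve_concurrently(RequestScopedAuth())))
```

With the shared slot, whichever request authenticated last wins and the other user is shown the wrong account, which is precisely the forum report above. The point for anyone reviewing a multi-tenant application is that "works fine in testing" says nothing about this class of bug; it only appears when requests overlap.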


15m UK bank details lost – but what’s the risk?

The UK is in a panic right now because data containing 15m recipients of child benefit has been lost. It’s a serious incident and the chairman of HM Revenue and Customs has resigned.

Even so, I’m a little confused. I watched TV news over lunch and several identity theft experts came on and warned us to scrutinize our bank statements with extra care because of what has happened.

So what is in these records? We don’t know, yet, though the BBC says:

names, addresses, date of birth and bank accounts

Now, none of these experts has explained to me how Mr Fraudster takes these details and translates them into cash extracted from my bank account. Perhaps he approaches my bank, posing as myself, and asks to withdraw money? He would have to produce some kind of additional fake identity to do so. Perhaps he embarks on a more complex fraud involving, say, a change of address and a replacement debit card? Fair enough, but it is non-trivial.

Further, how difficult is it to obtain such details anyway? Names and addresses are easy enough to find; so are dates of birth. Nor are bank account details normally regarded as highly confidential. They are on every cheque you sign. Some companies include bank details on their invoices or on their web site for all to see.

I’d have thought that credit card details were far more valuable to criminals, especially when they include things like expiry dates. But they won’t be part of these records, surely, and nor will passwords or PIN numbers, unless there is a lot that we have not yet been told.

I don’t mean to diminish the seriousness of the incident. This is a huge amount of confidential information to lose. But I’d like a bit more explanation about why these details are so dangerous in the wrong hands, before I rush out and close all my accounts.

Security expert Bruce Schneier would I think call these details “semi-secret”. His consistent message is that you should authenticate the transaction, not the person. See his (old) post on Identity Theft in the UK.

Update

Here’s the official advice:

What can an ID fraudster do with this data?
No password, security details or card details have been compromised, so a fraudster cannot access your bank, building society or card account. However, HMRC is advising customers that if they use any personal data, like child’s name or date of birth in their password, they may wish to consider changing their password.

If this data were in the hands of a fraudster – and at present there is no evidence that it is – this type of information might help them to commit account takeover fraud, although additional information would be needed. There is also a risk of a fraudster using those details to set up other credit or financial agreements, e.g. mobile phone accounts.

Further postscript

As it happens, I was at a meeting this evening and spoke to someone who works for a bank. He says there are several risks. A smooth-talking fraudster might persuade a cashier to release funds, though it would be a failure of policy. We also discussed direct debits. These are vulnerable, because the bank might not be involved in checking the authenticity of the instruction at all. In both cases though, these are existing weaknesses in the system. It’s possible that heightened risk of fraud could result in better procedures, so some good may come out of it.

Another thought: surely a smart thief would have copied the data and returned the CDs to the envelope. That way, nobody would know. Put another way, how much data theft occurred without it ever coming to light? It just happens that this one is very large and very public.


How to write secure (and less buggy) code

Thought-provoking paper [PDF] from Daniel J Bernstein, the author of qmail, covering software security and addressing topics such as premature optimization and bug reduction along the way.

In March 1997, I took the unusual step of publicly offering $500 to the first person to publish a verifiable security hole in the latest version of qmail: for example, a way for a user to exploit qmail to take over another account. My offer still stands. Nobody has found any security holes in qmail. I hereby increase the offer to $1000.

He attributes his success to minimizing the amount of trusted code, in contrast to running code with least privilege, which he says is ineffective.

(from Schneier on Security).

Kim Cameron hacked, commenters make fools of themselves

Kim Cameron has an amusing post on the aftermath of his blog being hacked and defaced over the weekend.

The reason for the hack: a security bug in WordPress. More proof of the problem posed by millions of apps out there on the internet with no update mechanism in place. Security fixes are made available, but not applied. WordPress has improved this somewhat by introducing an alert when you log in to an out-of-date installation, but it needs to go further and provide something more automated. Personally I recommend the Subversion install, for those with command-line access; I used it for the 2.3.1 update and it worked well.

But I digress. The amusing part of Cameron’s post is his link to the comments on a news report describing the defacement. I believe in the value of comments, but some of the leading news sites are afflicted by knee-jerk commenters with time on their hands, who twist every post into another salvo in the OS wars. A news item about a Microsoft “security” expert being hacked seemed an ideal candidate (though I don’t believe identity is the same as security). “This is a shining example why you should host on Linux + Apache,” says one comment.

As Cameron observes, his site and blog are hosted by a third party and run on FreeBSD + Apache.

Conclusions? First, the thoughtless commenters on this kind of site are doing the community a disservice, by discouraging others with more interesting contributions.

Second, it shows what some have to put up with just because of their association with a particular company.

Third, keep your WordPress patched.


UK Government resists Peer pressure on internet security

In July this year the House of Lords reported on personal internet security. I read the report and was impressed. I don’t agree with all of it, but I found it well-researched and mostly sensible. You can download it here [PDF]; I recommend it if you’ve not yet read the actual document.

The UK Government’s response [PDF], on the other hand, reads more like a series of excuses for doing nothing (or perhaps I have watched too much Yes Minister). So I guess that is that.

See Richard Clayton’s blog here (he was one of the advisors to the Lords committee), and this Register article.


Paying on the web? Look for the small padlock, not the big one

A friend drew my attention to a security issue on thetrainline.com, a UK website for purchasing train tickets.

She planned her journey and then entered her credit card details, noting that the browser confirmed that she was on a secure page:

In this case, Internet Explorer shows the url in green, which means it uses an Extended Validation (EV) SSL certificate, giving extra confidence that all is well. Indeed, in normal circumstances it would have been.

Unfortunately she made a small error with the card details. The site then bounced her to an insecure page, inviting her to re-submit her details but this time over HTTP. The image below shows part of the web page, including the credit card details (albeit with whatever errors caused the validation to fail) and the IE property dialog confirming that the page is not encrypted:

Now the comforting green url is gone, replaced by plain black on white:

However, the big padlock graphic is still in place, along with logos for Verified by Visa and MasterCard SecureCode.

It looks to me as if the card details are sent in plain text twice, first when bounced back to the user for correction, and second when re-submitted.

The site was advised of the problem 24 hours ago, but I was able to replicate the issue just now. Moral: look for the small padlock in the address bar, not the big reassuring graphic on the page itself.
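The moral can be turned into a check. Here is an added example (mine, not code from the original post or from thetrainline.com) that parses a page, finds any form collecting card data, resolves its action against the page URL and flags it unless the submit target is https. The page fragments are constructed to mirror the sequence above: the EV-protected page, the bounce to plain HTTP with the big padlock graphic still present, an https page whose form posts to http, and an http search page that handles no card data. The field-name hints are an assumption for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed: substrings in an input name that mark it as payment card data.
CARD_FIELD_HINTS = ("card", "cvv", "cvc", "expiry")


class _FormCollector(HTMLParser):
    """Collect every form's action attribute and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((attrs.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_card_forms(page_url, html):
    """Return (submit_url, card_fields) for each form that collects card data but
    would submit it somewhere other than an https:// URL. A missing or relative
    action is resolved against the page URL, so a card form on a page that is
    itself served over http is flagged even with action=""."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        card_fields = sorted(f for f in form["fields"]
                             if any(hint in f for hint in CARD_FIELD_HINTS))
        if not card_fields:
            continue
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme != "https":
            findings.append((submit_url, card_fields))
    return findings


# Constructed pages modelled on the sequence described above.
SECURE_PAGE = ("https://www.example.test/pay",
               '<form action="/pay/submit"><input name="cardNumber"><input name="cvv"></form>')
BOUNCED_PAGE = ("http://www.example.test/pay/retry",          # green EV bar gone, plain http
                '<img src="big-padlock.gif" alt="secure">'     # reassuring graphic still there
                '<form action="/pay/submit"><input name="cardNumber" value="(redacted)">'
                '<input name="expiryMonth"></form>')
MIXED_PAGE = ("https://www.example.test/pay",                 # https page, http action
              '<form action="http://www.example.test/pay/submit"><input name="card_number"></form>')
SEARCH_PAGE = ("http://www.example.test/",                    # http, but no card data
               '<form action=""><input name="q"></form>')

if __name__ == "__main__":
    for label, page in [("secure", SECURE_PAGE), ("bounced", BOUNCED_PAGE),
                        ("mixed", MIXED_PAGE), ("search", SEARCH_PAGE)]:
        print(f"{label:8}", audit_card_forms(*page) or "ok")
```

The bounced page is flagged although nothing about its markup changed apart from the URL it was served from; the padlock image is just an image. The mixed case matters too: a page can itself be served over https and still post the card form to http if a developer hard-codes an absolute action.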

Is this a big security risk? As far as I’m aware, the chance of a criminal intercepting internet traffic to look for useful information is slim. That’s just as well, given the number of sites that do bad things like emailing password reminders in plain text. The risk is not just theoretical though; the traffic could be logged or intercepted.

Let me emphasise: thetrainline.com is a respectable web merchant and I am sure this is no more than a bit of careless coding. After all, there is no advantage to the web site if you send your card details unencrypted. They get them anyway.
