Monday, October 29, 2012

Your Money or Your Life?

Such was the typical refrain of the 18th century Highwayman on stopping a stagecoach full of wealthy but ill-prepared travelers. We'd like to think we don't have to make that choice today, but information superhighwaymen (I can't believe I just wrote that) are asking us to do so, and more surprisingly, we consistently make the wrong choice.

Many sensible people use online banking, probably with 2 factor authentication: you may have one of the little devices that generates a code to enter when you log in. Personally, I wouldn't use online banking without it, and even the committed technophobes in my family are using it.

On the other hand, I am often still unable to protect my social identity with anything stronger than a password. I'd like to - and I already do for my email, thanks to Google's forward-looking approach (no doubt because their corporate customers demanded it!). Facebook does now have "login approvals" under security options - not quite 2 factor but close enough, and it will make pinching your password a lot harder. These sorts of features are still not understood by most, or in some cases unavailable.

This leads to the strange situation where we protect our money, which is a terrible thing to lose, but eminently recoverable, more strongly than we protect our reputation, our personal information and our privacy. You cannot get this back. The cat will not go back in the bag. We still value security incidents in terms of a "dollar cost", when the cost of your personal pictures being made public could be much higher, and you cannot undo the harm that has been caused. The password issue is simply an indication of our priorities, and these are wrong.

The potential impact of this type of "social" security breach should not be underestimated. The tragic case of Amanda Todd shows how extreme the consequences can be: pictures she believed to be private were spread across the internet. These pictures were not a traditional "security breach", but something which, if it had happened in the days before indelible, freely copied pixels, would have been forgotten.

This is perhaps even more important for young people - as heavy users of social media, their attitudes and approach to online security are often not where they should be - a combination of inexperience and, until very recently, little or no help from educators or parents.

Reader, stop thinking with your wallet for a moment, and make sure you put a value on your reputation, your health, your happiness and your life, because Facebook, LinkedIn, Google - they've all got fragments of those things. If you can't be sure what you give these cloud services is secure, my advice would be not to give it at all.

Helpful hints
  • Email - Gmail offers 2 factor, enable it. Hotmail: update Jan '14 - Hotmail now supports 2fac!
  • Facebook - turn on login approvals, and take extra care to log out of public computers; turning on secure browsing is helpful to protect session cookies
  • Phone - use a screenlock PIN, this will foil a casual attacker. Have some way to wipe your phone if lost. Don't display text messages on the lockscreen.
  • LinkedIn - you can check "always use a secure connection", but that's a marginal upgrade
  • Flickr - use federated authentication from Google or perhaps Facebook
  • Twitter - check "require personal information for a password reset"; no 2 factor (yet) so take care with your data - update: May 2013, Twitter introduces 2fac, thanks!

Tuesday, October 23, 2012

The Internet Knows What You Did Last Summer.
What did you have for breakfast last Friday? No, I can't remember either, though my choices are limited to nothing and a banana. What were you watching on TV five Fridays ago? What were you searching for on Google five Fridays ago? What bar did you pop into five Fridays ago? What computer game were you playing the following Saturday afternoon?

If you know the answer to more than one of those questions, you've got a better memory than I do. More likely you don't, but you could probably find out. Check the last Tesco online delivery for what cereal you bought. Sign in to Netflix and check your history for the name of that TV programme. A little poking about in your browser history should reveal what you were searching for a few weeks ago. Facebook can probably tell you which bar you went to, what you drank, who with and what happened 'afterwards'. Steam can tell you what you were playing that Saturday, and how well you were doing.

Five different pieces of information from five different services which on their own say very little. Put together they become a remarkably detailed snapshot of your life. These are just a few of the numerous things the internet knows about you. How much do you get paid (you do online banking, right?). How much of that goes on bills? I bet you pay them online too. Last time you got lost, did you check Google Maps on your smartphone? Did it finish typing your sentence for you? How did it know you wanted directions to the Shell station in Leamington Spa? And how in the name of Jobs' turtleneck did it know where you were to within three feet?

We all use these services, and it's taken a remarkably short amount of time for them to go from novelty to luxury to basic human right ('Your phone doesn't have satnav? How do you survive?' coo some of my more gadget-o-philic friends). What many people don't realise is that these services record everything. Google has your search history and probably most of your browsing history; Apple keep a record of everything you say to Siri and can share it with pretty much whoever they want (see section 4c); Facebook have been in hot water about their data retention practices; and unless you permanently browse 'incognito', your PC will have a record of everything you've ever done online through it, and probably a few things you haven't.

Before I start sounding like a luddite with a penchant for tinfoil hats, let me say I use several of the services mentioned, though not all of them. What makes me nervous is that there are half a dozen companies that know more about my life than I do, and the fact is that information isn't safe. Sony/PSN, LinkedIn, Apple, Blizzard and even RSA have all been compromised wholesale. The latter is a security company, whose clients include financial institutions and defence contractors. If money and weapons can't be kept safe, what hope is there for a few blurry photos? If you're unlucky enough to be targeted individually you'll probably end up feeling like Mat Honan. If an organisation that holds your data is compromised, the information will probably be sold to the highest bidder.

Scared? You probably should be. Is there anything you can do about it? You can take some precautions. Have a look at Tom's post about passwords and how not to form them. Use different ones for each service, or at least intelligent variations on a theme. Lock down your Facebook profile so that only friends can see it. Browse in 'privacy mode' (or whichever flavour is present in your browser). If you can't bear to do that, clear your history and cache every so often.

These are just good habits to get into. It's like locking your door and closing your curtains at night or putting timer switches on your lamps when you go on holiday. Oh and please, whatever you do, don't do this.

The services mentioned above are designed to enrich our lives in their own ways. My life would certainly be more difficult and tedious without the selection that I use. However, use them with an awareness of the risks. I'm now off for some lunch. I think I'll have what I had last Friday...

Wednesday, October 10, 2012

Finally: Anonymizer Caught "Up To No Good"

At Smoothwall we have long speculated why anyone would choose to host a proxy anonymiser. For those who don't know, these are services which allow a web user to browse anonymously, and often bypass any local network filters. You can see why the service may be in demand, but inevitably there are going to be bandwidth costs associated with making that extra hop between user and target website - and these costs could be non-trivial. So why do people do this? Let's talk about three possibilities...

1. They're studying at a school with a URL list web filter which catches the majority of well-known anonymisers. They think that running an anonymiser (which isn't on the filter's URL list, and is unlikely to hit their radar) and sharing it with their friends will make them popular and seem cool. Neither of these benefits actually comes to pass, however, but that doesn't stop them trying.
Motivation: Realistic
Incidence: Low - most schoolkids have neither the aptitude nor inclination
Usage/Impact: Very low - only a handful of people know it exists

2. They're hoping to help oppressed people get access to the web, in countries where you can get locked up for posting on Twitter (like Britain ;)). This shows a fair level of altruism, so naturally, I'm sceptical.
Motivation: Unlikely
Incidence: Low - the costs put off all but the most hardened altruist
Usage/Impact: Low

3. To make money. Now we're talking. This is the reason 90% of proxy anonymisers exist.
Motivation: Universal
Incidence: High - there is little barrier to entry
Usage/Impact: Widespread and varied, often distributed through lists of 0-day proxies

So... how do these make money for their host? Well, advertising is the first port of call, and this is also extremely common. Advertising is made slightly harder by the fact that Google - whose ads are the most lucrative - forbid their ads from being shown on proxies (though the homepage is generally exempt).

For this reason, we have long believed that some proxy anonymisers could be run by folks with much more nefarious intentions. Specifically, those with no visible means of support. No ads, no revenue... so who is paying for your bandwidth? Either it's an altruist or a student, and those are rare, so what is it? Well, we think either your browsing history is sold to the highest bidder, or you're getting a few bits of malware served in the mix.

Finally - we have proof of this long held suspicion:
http://threatpost.com/en_us/blogs/proxy-service-front-malware-distribution-100812

Moral of the story: don't use anonymiser services, and don't let your users use them. Even ad-supported variants could be looking to make a few extra coins on the side.

Cybercrime: Tough Gig, or Easy Ride?

William Hague is to tell an international Cybercrime conference that "being a cybercriminal has never been easier."

Let's deal with these points in order. Firstly, for those of you reading this who hail from sunnier climes outside the UK, William Hague is a would-be UK Prime Minister who was constantly thwarted by unfortunate credibility issues, often involving peaked headgear. He's currently serving as Foreign Secretary, but since cabinet posts change with alarming regularity, and seemingly require no qualification in your subject area, he'll probably be Secretary for Trouser Pressing by the time I hit "publish".

So Mr. Hague is addressing a summit, or conference, or whatever else it is politicians do, and he intends to state that being a cybercriminal has never been so easy. I'm not sure I agree. In many ways, getting up to no good on the Internet has become much harder. For example, 10 years ago, if you wished to send an anonymous email, it was pretty easy to find an open relay. I've linked to the Wikipedia entry, because some of our younger viewers might be slightly incredulous that such a thing ever existed. You could fairly easily get hold of a free (or hacked) shell over telnet, to put another layer between your IP and the law (who wouldn't have known an IP address if it bit them). Finally, the recipient of your email would probably have been much more receptive to offers of 10% of a pile of gold bullion from a Nigerian prince than they might be today.

So in the "Against" column, we have more tightly locked down systems, more savvy law enforcement, and users starting to wake up to risks on the Internet. We also have vulnerability reporting, and companies large and small beginning to take IT security seriously, as the clued-in customer base votes with their feet. I'm not saying we're even hitting "good" yet, but we're streets ahead of where we were 10 years ago.

How about the "For" column? What makes life easier for today's Inter-crim? A proliferation of victims, for one: Internet penetration continues to, er, penetrate, and more and more people are "connected". Wider-ranging use of the Internet, particularly with regard to money - I was an early adopter of Internet banking, and when I started using it, few of my peers were past "chequebook and pen". Now my parents use it (a good marker for when technology becomes pervasive, perhaps?), and I am checking my balance on an eminently stealable, 24x7 connected, 3rd-party-software-filled phone. Eek. Finally, we should also consider the business side of web-based wrongdoing: you no longer need to be particularly clever to operate as an IT fraudster, you can go out and buy off-the-peg tools to bypass security restrictions.

So is it easier? Well, I'd argue it's probably easier to get into cybercrime, but it's also easier to get caught. It's probably easier to find a victim, but the pool of victims is waking up to the threat. There are definitely more angles of attack, but software vendors are often starting with security in mind. No, I think it's probably no easier than it ever was.

Oh, wait. Our politicians are attending cybercrime conferences and talking about "files stolen by hackers which were equivalent to 20 million A4 pages" and "[telephone] international hotlines set up to help tackle emergencies". Cybercrims can get the cigars out and put their feet up: 2002 called, it wanted its tech back.