Tuesday, November 20, 2012

Right Idea - Wrong Execution?

In my opinion, the Aussie government have always had a robust public stance on on-line child protection issues.  However, it seems that they've wobbled a bit recently and dropped their own detailed Australian Communications and Media Authority (ACMA) child abuse content lists for the rather flat-footed INTERPOL 'worst of' lists.  The Australian Financial Review has a detailed article on the politics behind the decision here - it makes for interesting reading especially as a foreigner with no axe to grind.

Better and more technically qualified people than I will tell you that the INTERPOL 'worst of' list is just that - it's also the slowest refreshed and the bluntest of tools. Blocking entire domains and IP addresses at DNS level is a concept and technology that belongs in the bad old days, and, more importantly, it really doesn't provide adequate protection for anybody, especially those who are affected by the abuse.

It is also surprising that the Aussies have taken this path as the technology, resources and the will exists all around the world to do battle with this global and persistent threat.  The guys at the Internet Watch Foundation and INHOPE (and their colleagues around the world) are delivering quantifiable results without adversely impacting on freedom of expression or access to legitimate content.

So - I applaud the Aussies for doing something - but I believe they (and we) can do better than implementing 'just enough' policies on on-line child abuse content.

Monday, November 19, 2012

Block or Unlock?

With facebook's announcement that they're slowly opting all their users into HTTPS, yet another large chunk of the web gets a welcome layer of encryption.

Welcome, of course, as it helps protect users' highly personal data - often all too recoverable by network sniffing tools - and decreases the possibility of cookie hijack. It's by no means perfect, but it's a great addition.

On the other hand, this SSLization of the web universe does pose a threat in businesses and schools alike - with more traffic going over HTTPS, the requirement for web filtering to intercept and decrypt this traffic rises. In many instances, the stark choice is to either block a site completely, or perform an intrusive "Man in the Middle" inspection. These issues are always going to be most keenly felt on BYOD devices where the MitM decryption would be both more intrusive technically, and socially - hey, it's my device, my traffic, keep out!

There are no silver bullets here. Sure, we can identify most HTTPS traffic's ultimate destination (it's facebook, it's google), but many organisations need a finer level of policy if they are to allow these sites - forcing safesearch is an important one for schools, or for businesses, maybe a restriction on facebook posts.

The creeping tide of HTTPS is not going away - the only thing keeping more large sites from going fully SSL is the cost/speed tradeoff (encryption on that scale can be computationally expensive), but the need for web filtering for an ever more varied set of organisations has yet to wane either.

This is going to be a long and interesting ride... and I would welcome any comments from our readers on what they are doing to work around these problems, or what they think would be the ideal scenario.
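One way a web filter can tell where an HTTPS connection is going without decrypting it is to read the Server Name Indication (SNI) from the TLS ClientHello, which is sent in the clear. The following is an added example, not Smoothwall's code or anything from the original post: it builds a constructed ClientHello, extracts the SNI, and applies an assumed three-way policy (block by destination, allow, or flag for decrypting inspection where per-request policy such as safesearch is needed).

```python
import struct

# Assumed policy table for illustration: hostname suffix -> decision.
# "inspect" marks sites that are allowed but need finer, per-request policy,
# which hostname matching alone cannot give.
POLICY = {
    "facebook.com": "block",   # e.g. a school that blocks social media outright
    "google.com": "inspect",   # allowed, but safesearch enforcement needs MitM inspection
}


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record, optionally with an SNI
    extension. This is constructed sample input, not a captured packet."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
        name_list = struct.pack("!H", len(entry)) + entry            # ServerNameList
        sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"               # client_version: TLS 1.2
        + b"\x11" * 32            # random (constructed filler)
        + b"\x00"                 # session_id length: 0
        + b"\x00\x02\xc0\x2f"     # cipher_suites: length 2, one suite
        + b"\x01\x00"             # compression_methods: length 1, null
        + extensions
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version 3.1, 2-byte length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None if the
    record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                              # truncated handshake
    pos = 2 + 32                                 # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # skip compression_methods
    if len(body) < pos + 2:
        return None                              # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0 and len(data) >= 5:     # server_name extension
            name_type = data[2]                  # after 2-byte list length
            name_len = struct.unpack("!H", data[3:5])[0]
            name = data[5:5 + name_len]
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii").lower()
                except UnicodeDecodeError:
                    return None
    return None


def classify(record):
    """Return (hostname, decision). Without an SNI the destination is unknown
    from the handshake alone, so the flow is handed to inspection."""
    host = extract_sni(record)
    if host is None:
        return (None, "inspect")
    labels = host.split(".")
    for i in range(len(labels) - 1):             # match host and parent domains
        suffix = ".".join(labels[i:])
        if suffix in POLICY:
            return (host, POLICY[suffix])
    return (host, "allow")


if __name__ == "__main__":
    for name in ("www.facebook.com", "www.google.com", "example.org", None):
        print(name, "->", classify(build_client_hello(name)))
```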

Friday, November 16, 2012

Whose views are they anyway?

Have a look at your various social media accounts – do any of them contain the name of the company you work for? Do you post a mixture of work and personal material? If so the decision of the High Court released on the 16th November is something you need to be aware of.

A bit of background; an employee, who identified his employer on his Facebook page, posted some comments following a news story about gay marriage. The comments reflected the employee’s strongly held religious convictions. Some co-workers complained and the employer determined the posts amounted to gross misconduct and imposed strong sanctions.

The English High Court considered the case and finally decided that the employer had been wrong to class the employee’s personal facebook pages as representing the views of the organisation. On this basis the action taken over the “gross misconduct” was unfounded and the employer was in breach of contract.

You might like to think that this decision was on the basis of the principles of freedom of expression, the human rights act or some equivalent legislation – you would be mistaken. What it came down to was the balance of the posts that could be seen to be related to work and those that were purely personal.

In other words, if you freely mix posts about your work and social life, you could be opening up your social media account to considerably stronger scrutiny than you imagined. There has been a rash of cases recently that demonstrate how the “written” character of social media transforms the responsibility you bear for firing your views into the ether.

So what should we do – either you need to keep your work and personal profiles separate, or recognise that anything you say could be seen in a bad light by your employer, other players in your industry or regulatory bodies. It’s worth spending a few minutes thought on the matter. Personally, I’ve just taken any reference to work off my Facebook account!

Monday, October 29, 2012

Your Money or Your Life?

Such was the typical refrain of the 18th century Highwayman on stopping a stagecoach full of wealthy but ill-prepared travelers. We'd like to think we don't have to make that choice today, but information superhighwaymen (I can't believe I just wrote that) are asking us to do so, and more surprisingly, we consistently make the wrong choice.

Many sensible people use online banking, probably with 2-factor authentication; you may have one of the little devices that generates a code to enter when you log in. Personally, I wouldn't use online banking without it, and even the committed technophobes in my family are using it.

On the other hand, I am often still unable to protect my social identity with anything stronger than a password. I'd like to - and I already do for my email, thanks to Google's forward-looking approach (no doubt because their corporate customers demanded it!). Facebook does now have "login approvals" under security options - not quite 2 factor but close enough, and it will make pinching your password a lot harder. These sorts of features are still not understood by most, or in some cases unavailable.

This leads to the strange situation where we protect our money, which is a terrible thing to lose, but eminently recoverable, more strongly than we protect our reputation, our personal information and our privacy. You cannot get this back. The cat will not go back in the bag. We still value security incidents in terms of a "dollar cost", when the cost of your personal pictures being made public could be much higher, and you cannot undo the harm that has been caused. The password issue is simply an indication of our priorities, and these are wrong.

The potential impact of this type of "social" security breach should not be underestimated. The tragic case of Amanda Todd shows how extreme the consequences can be: pictures she believed to be private were spread across the internet. These pictures were not a traditional "security breach", but something which, if it had happened in the days before indelible, freely copied pixels, would have been forgotten.

This is perhaps even more important for young people - as heavy users of social media, their attitudes and approach to online security are often not where they should be - a combination of inexperience and, until very recently, little or no help from educators or parents.

Reader, stop thinking with your wallet for a moment, and make sure you put a value on your reputation, your health, your happiness and your life, because Facebook, linkedin, google, they've all got fragments of those things. If you can't be sure what you give these cloud services is secure, my advice would be not to give it at all.

Helpful hints
  • Email - Gmail offers 2 factor, enable it. Hotmail - update Jan '14: Hotmail now supports 2fac!
  • Facebook - turn on login approvals, and take extra care to log out of public computers; turning on secure browsing is helpful to protect session cookies
  • Phone - use a screenlock PIN, this will foil a casual attacker. Have some way to wipe your phone if lost. Don't display text messages on the lockscreen.
  • Linkedin - You can check "always use a secure connection", but that's a marginal upgrade
  • Flickr - use federated authentication from Google or perhaps Facebook
  • Twitter - check "require personal information for a password reset", no 2 factor (yet) so take care with your data - update: May 2013, twitter introduces 2fac, thanks!

Tuesday, October 23, 2012

The Internet Knows What You Did Last Summer.

What did you have for breakfast last Friday? No I can't remember either, though my choices are limited to nothing and a banana. What were you watching on tv five fridays ago? What were you searching for on google five fridays ago? What bar did you pop into five fridays ago? What computer game were you playing the following saturday afternoon?

If you know the answer to more than one of those questions, you've got a better memory than I do. More likely you don't but you could probably find out. Check the last Tesco online delivery for what cereal you bought. Sign in to netflix and check your history for the name of that tv programme, a little poking about in your browser history should reveal what you were searching for a few weeks ago, facebook can probably tell you which bar you went to, what you drank, who with and what happened 'afterwards'. Steam can tell you what you were playing that Saturday, and how well you were doing.

Five different pieces of information from five different services which on their own say very little. Put together they become a remarkably detailed snapshot of your life. These are just a few of the numerous things the internet knows about you. How much do you get paid (you do online banking, right?). How much of that goes on bills? I bet you pay them online too. Last time you got lost, did you check google maps on your smartphone? Did it finish typing your sentence for you? How did it know you wanted directions to the Shell station in Leamington Spa? And how in the name of Jobs' turtleneck did it know where you were to within three feet?

We all use these services, and it's taken a remarkably short amount of time for them to go from novelty to luxury to basic human right ('Your phone doesn't have satnav? How do you survive?' coo some of my more gadget-o-philic friends). What many people don't realise is these services record everything. Google has your search history and probably most of your browsing history, Apple keep a record of everything you say to Siri and can share it with pretty much whoever they want (see section 4c), Facebook have been in hot water about their data retention practices and unless you permanently browse 'incognito', your PC will have a record of everything you've ever done online through it and probably a few things you haven't.

Before I start sounding like a luddite with a penchant for tinfoil hats, let me say I use several of the services mentioned, though not all of them. What makes me nervous is that there are half a dozen companies that know more about my life than I do, and the fact is that information isn't safe. Sony/PSN, LinkedIn, Apple, Blizzard and even RSA have all been compromised wholesale. The latter is a security company, clients of whom include financial institutions and defence contractors. If money and weapons can't be kept safe, what hope is there for a few blurry photos? If you're unlucky enough to be targeted individually you'll probably end up feeling like Mat Honan. If an organisation that holds your data is compromised, the information will probably be sold to the highest bidder.

Scared? You probably should be. Is there anything you can do about it? You can take some precautions. Have a look at Tom's post about passwords and how not to form them. Use different ones for each service, or at least intelligent variations on a theme. Lock down your facebook profile so that only friends can see it. Browse in 'privacy mode' (or whichever flavour is present in your browser). If you can't bear to do that, clear your history and cache every so often.

These are just good habits to get into. It's like locking your door and closing your curtains at night or putting timer switches on your lamps when you go on holiday. Oh and please, whatever you do, don't do this.

The services mentioned above are designed to enrich our lives in their own ways. My life would certainly be more difficult and tedious without the selection that I use. However, use them with an awareness of the risks. I'm now off for some lunch. I think I'll have what I had last Friday...

Wednesday, October 10, 2012

Finally: Anonymizer Caught "Up To No Good"

At Smoothwall we have long speculated why anyone would choose to host a proxy anonymiser. For those who don't know, these are services which allow a web user to browse anonymously, and often bypass any local network filters. You can see why the service may be in demand, but inevitably there are going to be bandwidth costs associated with making that extra hop between user and target website - and these costs could be non trivial. So why do people do this? Let's talk about three possibilities...

1. They're studying at a school with a URL-list web filter which catches the majority of well-known anonymisers. They think that running an anonymiser (which isn't on the filter's URL list, and is unlikely to hit its radar) and sharing it with their friends will make them popular and seem cool. Neither of these benefits actually comes to pass, however, but that doesn't stop them trying.
Motivation: Realistic
Incidence: Low - most schoolkids have neither the aptitude nor inclination
Usage/Impact: Very low - only a handful of people know it exists

2. They're hoping to help oppressed people get access to the web, in countries where you can get locked up for posting on Twitter (like Britain ;)). This shows a fair level of altruism, so naturally, I'm sceptical.
Motivation: Unlikely
Incidence: Low - the costs put off all but the most hardened altruist
Usage/Impact: Low

3. To make money. Now we're talking. This is the reason 90% of proxy anonymisers exist.
Motivation: Universal
Incidence: High, there is little barrier to entry
Usage/Impact: Widespread and varied, often distributed through lists of 0-day proxies

So... how do these make money for their host? Well, advertising is a first port of call, and this is also extremely common. Advertising is made slightly harder by the fact that Google - whose ads are most lucrative - forbid their ads from being shown on proxies (though the homepage is generally exempt).

For this reason, we have long believed that some proxy anonymisers could be run by folks with much more nefarious intentions. Specifically, those with no visible means of support. No ads, no revenue... so who is paying for your bandwidth? Either it's an altruist or a student, and those are rare, so what is it? Well, we think either your browsing history is sold to the highest bidder, or you're getting a few bits of malware served in the mix.

Finally - we have proof of this long held suspicion:
http://threatpost.com/en_us/blogs/proxy-service-front-malware-distribution-100812

Moral of the story: don't use anonymizer services, and don't let your users use them. Even ad-supported variants could be looking to make a few extra coins on the side.

Cybercrime: Tough Gig, or Easy Ride?

William Hague is to tell an international Cybercrime conference that "being a cybercriminal has never been easier."

Let's deal with these points in order. Firstly, for those of you reading this who hail from sunnier climes outside the UK, William Hague is a would-be UK Prime Minister who was constantly thwarted by unfortunate credibility issues, often involving peaked headgear. He's currently serving as Foreign Secretary, but since cabinet posts change with alarming regularity, and seemingly require no qualification in your subject area, he'll probably be secretary for trouser pressing by the time I hit "publish".

So Mr. Hague is addressing a summit, or conference, or whatever else it is politicians do, and he intends to state that being a cybercriminal has never been so easy. I'm not sure I agree. In many ways, getting up to no good on the Internet has become much harder. For example, 10 years ago, if you wished to send an anonymous email, it was pretty easy to find an open relay. I've linked to the Wikipedia entry, because some of our younger viewers might be slightly incredulous that such a thing ever existed. You could fairly easily get hold of a free (or hacked) shell over telnet, to put another layer between your IP and the law (who wouldn't have known an IP address if it bit them). Finally, the recipient of your email would probably be much more receptive to offers of 10% of a pile of gold bullion from a Nigerian prince than they might be today.

So in the "Against" column, we have more tightly locked down systems, more savvy law enforcement, and users starting to wake up to risks on the Internet. We also have vulnerability reporting, and companies large and small beginning to take IT security seriously, as the clued-in customer base votes with their feet. I'm not saying we're even hitting "good" yet, but we're streets ahead of where we were 10 years ago.

How about the "For" column? What makes life easier for today's Inter-crim? A proliferation of victims, for one: Internet penetration continues to, er, penetrate, and more and more people are "connected". Wider-ranging use of the Internet, particularly with regard to money - I was an early adopter of Internet banking, and when I started using it, few of my peers were past "chequebook and pen". Now my parents use it (a good marker for when technology becomes pervasive, perhaps?), and I am checking my balance on an eminently stealable, 24x7 connected, 3rd-party-software-filled phone. Eek. Finally, we should also consider the business side of web-based wrongdoing: you no longer need to be particularly clever to operate as an IT fraudster, you can go out and buy off-the-peg tools to bypass security restrictions.

So is it easier? Well, I'd argue it's probably easier to get into cybercrime, but it's also easier to get caught. It's probably easier to find a victim, but the pool of victims is waking up to the threat. There are definitely more angles of attack, but software vendors are often starting with security in mind. No, I think it's probably no easier than it ever was.

Oh, wait. Our politicians are attending cybercrime conferences and talking about "files stolen by hackers which were equivalent to 20 million A4 pages" and "[telephone] international hotlines set up to help tackle emergencies". Cybercrims can get the cigars out and put their feet up, 2002 called, it wanted its tech back.

Thursday, September 27, 2012

0-Day - Always, “Just around the corner”

Sounds like something from a Bruce Willis blockbuster, or is Morgan Freeman about to shout down his colleagues? Unfortunately it’s real enough and it is part of everyone’s daily life. Devices like mobile phones, computers, servers and fridge magnets - ah, ok, not yet perhaps, but seriously - nearly everything connected to the WWW. No nuclear submarines or the TARDIS, it’s happening in your pocket through the air you breathe.

So what is Zero-day? It is when a flaw in software is discovered by someone, somewhere, before the developers of the software: the zeroth day of awareness of a vulnerability. There are many grey areas to consider. Let me provide a recent example. Java is used by billions of devices. It is a cross-platform runtime environment: one development language that works on many different kinds of hardware and operating systems. Java is owned, maintained and supported by the giant, Oracle.

On the 26th of August, a US-based security company reported that an unpatched Java vulnerability was being exploited, affecting even the latest version of Java. This was confirmed by other security analysis organisations, including DeepResearch.org, and reported globally by the Register. Metasploit, an IT security project, also confirmed it. A bug was logged in the National Vulnerability Database as CVE-2012-4681. CVE-2012-4681 allowed an attacker to use a dedicated webpage to get visiting users to download and run a payload, which could contain a keylogger or network scanner, for example. Oracle finally responded, four days later, on the 30th August. Two other vulnerabilities were discovered; these forced Oracle to make patches available outside of their usual release schedule.

How are users and SysAdmins supposed to respond? Shouting “Disable Java” is a reasonable response, but that is a big call. Most people took the risk and left Java enabled, most out of ignorance of the issue. Ignorance is bliss! What is the incentive behind reporting the issue on the public WWW, leaving the found hole wide open and usually publishing the technical details ready for criminals to exploit, instead of quietly knocking on Oracle’s door with the problem and then walking away?

Why is there no agreed standard protocol in place so that discovered vulnerabilities like this are reported in silence? I once dreamed up an acronym, VDAP, Voluntary (or Vulnerability) Discovery Announce Protocol, after a rather nasty experience with a flaw discovered in the Linux kernel during 2009. VDAP would be a secure system that could be deployed and used by all major software developers to communicate vulnerabilities and their details, with encryption. This relies on the principle of security through obscurity; Microsoft have perfected this principle anyway. It also relies on deep discretion. The kernel flaw was discovered by a Google software scientist, then posted on his personal blog.

The incentive to report newly found vulnerabilities and cause 0-day is many things, including glory, kudos, and sales: sales of unofficial patches, services or scanning software, amongst others. On the other hand, the pressure on large vendors to provide a patch is automatically increased. Open source vendors and communities are often faster to respond with a patch. An agreed protocol might not work because people will choose not to use it. The best solution may not become clear for many years, and this chicken-and-egg scenario will continue. As a Linux SysAdmin and Engineer, I have tools at hand: kernel-level security, host-based security, firewall rules, MAC (mandatory access control) and application-level security. Of these, the firewall with proxy filtering is the most powerful; the best security is a well-balanced combination.

Monday, September 24, 2012

If you're 'sharing' a document, you could be doing it wrong!

A beginner’s guide to basic document management within a business using Google Drive, formerly known as Google Docs.

Sharing by group

It’s obvious really, but consider this example; you have a sales team and there’s some collected information about the sales process you’ve written.  So you share it with salesperson A, B, C, and D - individually.  Seems simple and easy.  However, what happens when one of those people moves department or is replaced?  Are you really going to go through all your documents that you manually shared with salesperson C who has now been replaced with salesperson E, and update the sharing?  I thought not.

What you need to do is share the document with a group and ensure that your normal sysadmin processes include adding new users to the appropriate groups.  That way, whenever anyone joins or leaves the group they will automatically have access to all the documents they should have had - with no effort whatsoever.

However, if this is all you’re doing then you’re still doing it wrong: better, but wrong.

Sharing by collection

Sharing by collection is what you want to be doing.  This makes everything much easier, more reliable and less error-prone.  Basically what you do is set something up akin to how you might manage files on a file server.  Create a single, or a few, root collections - perhaps one per department.  Within the collection create sub-collections as appropriate for project or other needs.  Set the sharing permissions, using groups.  You only need to do this once at the start of using Google Drive.  Then any time anyone needs to collaborate on a document, all they need to do is browse to the collection where it needs to sit and click create.  Simple.

No-one needs to actively share again, and all the mess that that entails.  Now you know why, if you’re sharing a document, you’re doing it wrong!

Putting a table of contents on it all using Sites

As well as keeping the documents in some organised, or even one, collection, you are highly likely to want to make a reference to it on your intranet, aka Google Sites.  One reason is covered in a gotcha later, but one of the best is that it can be like a table of contents to your collections and sub-collections.  It can also be a convenient place to put your departmental information and procedures and document storage standards.  It’s a good idea to keep all that together in one place for new and old staff.

Sites is completely separate from Google Drive.  Don’t get confused between the two.  Sites is just like a wiki.  Its permission sharing does not suck, unlike Google Drive’s.

Pitfalls and gotchas

Unfortunately, Google Drive permissions suck.  They offer users far too much flexibility that they simply don’t need, such as the ability to re-share or, indeed, to share at all - that is not needed.  Ideally it would work like a file server, where the sysadmin sets up all the root folders and permissions and no one can change them or needs to.  Because of this, here are some things you should do to avoid problems.

The collection has been shared but can’t be found - you have to see it to see it

For some reason Google Drive will not show you collections or documents that have been shared with a group that you are a member of.  Yes, it’s that dumb.  Unlike Google Sites, which works as you would expect.

There are some fairly simple steps you can repeat to ensure users can see the collections they need.  The best thing you can do is include links to the document collections on your Google Site home page.  However, the user is going to want to put the collection in their My Drive so they can go straight to Google Drive rather than having to go via your Google Site.  To achieve that, set up some simple instructions like this:

To access all department B collaborative documentation, follow these instructions:

  1. Click here: <A link to the contents of the collection, i.e. a link to the collection URL>
  2. Now click here: <A link to a search with the full collection name in>
  3. Right click on "<Full Collection Name>", click Organize.
  4. Tick My Drive

Why Google makes users jump through these hoops I don’t know.

Ability to change permission

When creating a root collection or important sub-collection, change the permissions so that only owners can change permissions.  No one should need to change permissions anyway, and if you don’t do this then chaos ensues - often just by people organising folders shared with them.  You end up with incredibly messy permissions.

Files moved in to collections may not inherit the correct permissions

If you’ve created a file and already started sharing it around rather than simply placing it in the collection it needs to be in, then when you move the file there it will not inherit the correct permissions.  The solution is to unshare it with everyone, then move it in there.  Just a little thing but it can cause confusion.

Creating templates in a collection will not place them there

Normally, when you’re in a collection and you create a new document it will ask if you want to create it in the collection.  Very useful.  However when you choose Templates it navigates away from the collection and thus when creating the document it will end up in your My Drive.  You then need to drag it into the collection you intended it for.

Dragging a collection or document from somewhere to My Drive can unshare it

Yes, really.  This can be minimised by restricting the ability to change permissions and, most significantly, by training users to use Organize instead.

Friday, August 10, 2012

Cloudy outlook for jobs?

I recently came across a report from the London School of Economics about the impact of Cloud-based applications on employment (you can read it here). It’s no surprise that the report foresees growing numbers of jobs because of the cloud, but there is a bit of a sting in the tail.

Firstly, job growth is reckoned to be twice as fast in the US as in Europe and in the short term comes from the staff needed to set up and run the data centres that the cloud applications reside on. In the longer term job growth comes from the formation of new companies providing software as a service. Larger businesses, the report envisages, will retrain “surplus” IT staff.

So far so good, and this is pretty much the new cloud orthodoxy. There are some nagging doubts, though. For a start, with the prospect of long-term financial constraint, can you really see the “surplus” IT staff, many of whom are already contractors, being retrained, or isn’t it more likely they’ll be looking for new jobs?

As for the growth of new small businesses, those of us who have been around long enough will remember the dotcom bubble, as people with great ideas saw the nominal value of their companies shoot through the roof, only to turn over and fail when it came time to deliver.

Whilst the growth of cloud services seems inevitable, companies will need to be sure that they plan the migration and look at the contingencies before betting everything on the latest application. Unlike the dotcom explosion, it’s not just the jobs in the start-up that are at risk.

Thursday, July 26, 2012

Grab Bag

Couple of bits of news and links unworthy of a full blog post today, so you're getting the equivalent of grubbing around in my desk drawer for something when I forget your birthday... not a novelty paperclip and a stress ball, but instead...

First up, Greek triple-jumper Voula Papachristou is in hot water this week - not over a hilariously mis-timed jump, but over a racist tweet. I'm not about to repeat what she posted here, but it was enough to get her booted from the Greek Olympic Squad. At the same time it probably wouldn't have triggered any "word filters" - no "obvious" racial insults there. Moral of the story: meanings come from context as well as the words; you won't easily guess sense with a machine, but you might really alienate a huge group of people really quickly. Think before you tweet. It may also be the case that an organisation is liable for a tweet sent from a corporate device... twitter can easily be made read-only... just a thought. (See BBC News)

Secondly, for the developers amongst our loyal readership, I happened across a great post on "Coding Horror" listing new programming jargon from Stack Overflow. I particularly enjoyed "Yoda conditions" and the concept of "Stringly typed"... take a look: http://www.codinghorror.com/blog/2012/07/new-programming-jargon.html

Finally, one for the travellers amongst us. Apparently, some hotel swipe-locks are right up there in the security stakes with bits of string and XOR-based encryption, as a hacker rather irresponsibly demonstrated without first disclosing the problem to the company concerned. Still, you might want to stick your valuables in the hotel safe as well, until someone backdoors that too. http://www.bbc.co.uk/news/technology-18968225

Monday, July 23, 2012

Trends on Twitter can Make You Look a T#t

In a recent flurry of fairly pointless "news", Microsoft was under the spotlight for including some slightly odd constants in their open-source code. The hex values, at least one of which, #B16B00B5 could be considered on the wrong side of sexist, were at the very best a little puerile.

Developers have been spelling things in hex for as long as we've been building software.  As hexadecimal numbers can contain the numeric digits 0-9 as well as letters A-F, the propensity for silliness is so much more than with decimal. One example you won't have to travel far to stumble across is #DEADBEEF, perhaps offensive to vegetarians?  FACE:B00C formed part of the address a popular social networking site used on world IPv6 day, and Microsoft have previous form, using 000FF1CE at the end of their product codes in MS Office.
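As an added example (not code from the original post), here is a small Python check that scans source text for hex literals which read as words, using the usual digit-to-letter readings (0 as O, 1 as I, 5 as S, 6 as G, 7 as T). The sample source and the list of flagged words are constructed for the demonstration; the hits it reports are the constants mentioned above.

```python
import re
from typing import List, Tuple

# Digits commonly read as letters in "hexspeak" (assumption: the
# conventional mapping, with 1 read as I rather than L).
DIGIT_AS_LETTER = str.maketrans({"0": "O", "1": "I", "5": "S", "6": "G", "7": "T"})

# Constructed list of words to flag; a real check would load the
# organisation's own list. DEADBEEF is included to show a benign hit.
FLAGGED_WORDS = ("BIGBOOBS", "BOOBS", "OFFICE", "DEADBEEF")

# A run of four or more hex digits, optionally prefixed 0x or #, not glued
# to other alphanumerics (so GUID groups and IPv6 groups are picked up too).
HEX_RUN = re.compile(r"(?<![0-9A-Za-z])(0x|#)?([0-9A-Fa-f]{4,})(?![0-9A-Za-z])")


def spell(hex_digits: str) -> str:
    """Read a hex string as a word: letters kept, digits mapped to look-alikes."""
    return hex_digits.upper().translate(DIGIT_AS_LETTER)


def find_hexspeak(source: str) -> List[Tuple[str, str]]:
    """Return (literal, flagged word) for every hex literal that spells a flagged word."""
    hits: List[Tuple[str, str]] = []
    for match in HEX_RUN.finditer(source):
        prefix, digits = match.group(1) or "", match.group(2)
        # A pure-letter run with no prefix is probably an English word in
        # prose or a comment ("face", "dead"), not a constant: skip it.
        if not prefix and not any(c.isdigit() for c in digits):
            continue
        word = spell(digits)
        for flagged in FLAGGED_WORDS:
            if flagged in word:
                hits.append((prefix + digits, flagged))
                break
    return hits


# Constructed sample "source" containing the constants discussed above.
SAMPLE = """
guest_id = 0xB16B00B5
poison = 0xDEADBEEF
product_code = "{90140000-0011-0000-0000-0000000FF1CE}"
addr = "2a03:2880:2110:df07:face:b00c::1"
length = 0x12345678
"""

if __name__ == "__main__":
    for literal, word in find_hexspeak(SAMPLE):
        print(f"{literal}: spells {word}")
```

Run over a source tree before release, this gives a short list of literals worth a second look; the pure-letter filter stops ordinary words such as "face" or "dead" in comments from being reported, at the cost of missing an unprefixed all-letter constant.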

In any case, it is probably sensible not to include anything likely to cause offence in your source code, though some of the comments in the Linux kernel sources range from the hilarious to the downright vulgar with some crossover in between - indeed the "F-word" was (is? I haven't checked) used as a placeholder to search for in one bit of source. I guess the largest software companies aren't used to having their work looked at in so much detail.

This story did have a useful point to it, however. The widespread reporting caused #bigboobs to trend on twitter, and whilst a good section of the tweets were having a sly dig at Microsoft, some were, well, what you'd normally expect from a reference on the Internet to boobs.

Twitter does have a control to prevent you opening adult content - however, as it seems to rely on users self-tagging tweets, it ranges in efficacy from chocolate teapot through fishes on bicycles. I've had a look, and reckon the only reasonable way to keep Twitter clean is to filter at search-term level; indeed going after the #bigboobs hashtag from behind Guardian gets you no tweets. It's not perfect, but it will remind users to be careful what they click, and provide another backstop against liability and e-safety issues.
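An added example of what "filter at search-term level" looks like in code (this is not Smoothwall's or Twitter's code; the query parameter names, the /search/ path shape and the blocklist are assumptions). The filter pulls the search string out of the request, lower-cases and tokenises it so that "#BigBoobs", "big boobs" and "bigboobs" are all seen, and blocks on a match.

```python
import re
from typing import Iterable, Set
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: query parameter names that carry the search string on the
# common search and social sites; extend per site.
SEARCH_PARAMS = ("q", "query", "search", "s", "p")

# Constructed blocklist; a deployment would use a maintained category list.
BLOCKED_TERMS: Set[str] = {"bigboobs", "boobs"}

TOKEN = re.compile(r"[a-z0-9]+")


def search_terms(url: str) -> Set[str]:
    """Tokens from the search terms of a request URL.

    Only the path and query are examined. A fragment (anything after '#')
    is never sent to the server, so a proxy cannot see it and it is ignored.
    """
    parts = urlsplit(url)
    terms: Set[str] = set()
    # parse_qs already decodes %23 and '+' once, as the server would; we do
    # not decode again, so the filter sees exactly what the server sees.
    for name, values in parse_qs(parts.query).items():
        if name.lower() not in SEARCH_PARAMS:
            continue
        for value in values:
            terms.update(TOKEN.findall(value.lower()))
    # Assumption: some sites put the term in the path, e.g. /search/%23tag.
    if parts.path.lower().startswith("/search/"):
        terms.update(TOKEN.findall(unquote(parts.path).lower()))
    return terms


def should_block(url: str, blocked: Iterable[str] = BLOCKED_TERMS) -> bool:
    """True if any blocked term appears among the request's search tokens."""
    return bool(search_terms(url) & {b.lower() for b in blocked})


if __name__ == "__main__":
    for u in (
        "https://twitter.com/search?q=%23bigboobs&src=typd",
        "https://twitter.com/search?q=olympics+2012",
        "https://twitter.com/#!/search/%23bigboobs",
    ):
        print("BLOCK " if should_block(u) else "ALLOW ", u)
```

Two caveats a practitioner will hit straight away: the hashtag in the "/#!/search/..." form lives in the fragment, which never leaves the browser, so the only thing the proxy sees is a request for "/"; and a search page served over HTTPS shows the proxy nothing at all unless the connection is decrypted, so a term-level filter is only as good as the visibility it has.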

Wednesday, July 18, 2012

What does your password say about you?

Last week, Yahoo became the latest in a long list of sites to have a chunk of password data stolen. Read all about the breach at Computerworld, the cause at SC magazine, and Yahoo's response at Techworld.

This is a particularly nasty example of the breed - a month or so ago, we were busy shaking our heads and tutting at LinkedIn for failing to salt their password hashes. Salting makes it harder for an attacker to recover plaintext passwords from a stolen list of hashes, because every hash has to be attacked on its own instead of being looked up in one precomputed table. Sadly, Yahoo's problems go a step further: their list was leaked in plain text. There is a special circle of hell for developers who store passwords in plaintext.
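To make the salting point concrete, here is an added example (not code from the original post or from either company) that stores three constructed user accounts both ways and then attacks both stolen lists with the same small wordlist. The iteration count and wordlist are assumptions chosen to keep the demonstration quick.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: a low iteration count so the demo runs in well under a second;
# production values should be tuned so one hash costs tens of milliseconds.
ITERATIONS = 50_000

# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = ["123456", "password1", "letmein", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """One bare SHA-1 per password: no salt, no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(stolen: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash the wordlist once, then look every stolen hash up in that table.
    Returns (user -> recovered password, number of hash computations)."""
    table = {unsalted_sha1(word): word for word in wordlist}
    found = {user: table[h] for user, h in stolen.items() if h in table}
    return found, len(wordlist)


def crack_salted(stolen: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Nothing can be precomputed: each user costs a fresh pass over the
    wordlist, and each guess costs ITERATIONS HMAC evaluations."""
    found: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in stolen.items():
        for word in wordlist:
            work += 1
            if verify_password(word, salt, digest):
                found[user] = word
                break
    return found, work


def demo(users: Dict[str, str], wordlist: List[str] = WORDLIST) -> dict:
    """Store the same users both ways, attack both dumps, report the difference."""
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    found_u, work_u = crack_unsalted(unsalted, wordlist)
    found_s, work_s = crack_salted(salted, wordlist)
    first, second = list(users)[:2]
    return {
        "unsalted_found": found_u,
        "unsalted_work": work_u,
        "salted_found": found_s,
        "salted_work": work_s,
        # Two users sharing a password: identical bare hashes, distinct salted ones.
        "same_hash_unsalted": unsalted[first] == unsalted[second],
        "same_hash_salted": salted[first][1] == salted[second][1],
    }


if __name__ == "__main__":
    for key, value in demo({"alice": "password1", "bob": "password1", "carol": "letmein"}).items():
        print(key, value)
```

Both dumps fall to this tiny wordlist, but note the two numbers: the unsalted list is cracked with four hash computations for the whole site, while the salted one needs a separate run per user and each of those guesses is tens of thousands of times more expensive. Salting also stops the attacker spotting that alice and bob share a password just by eyeballing the dump.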

Happily for readers of this blog, having nearly half a million plaintext passwords gives us an opportunity to peer into the minds of the people who set them.

Firstly, let's look at the year. It is suggested that this database table wasn't live, that it only referred to accounts created prior to 2010, and that it wasn't used for validation of any user passwords. Poor housekeeping! If we assume many people set a password containing the current year, and look at the passwords with a year in them (I looked at all 4 digit strings starting 19 or 20) we see a peak at 2008, though there are still many more 2012s than there are 2013s... I'll let you make your own mind up, but it doesn't look great does it?


The data gives another little hump in the 1980s, which I assume is users' birth years. Seriously, don't do this. If your birth year makes up half of your password, you've given an attacker a lot to go on. There's barely a break in the 200 year span I chose, so it's clear some of those numbers are part of a longer string, perhaps all-digit passwords (yuck!), and some may be chosen more arbitrarily. If your password contains 2087, you should be ok for a while as a sensible attacker will concentrate on past years... and by 2087 I am quite sure the password hashing of today will be seen as quaint.

What else can we learn about the users of this service?

6 people thought "secure" was a secure password - too literal, I'm afraid! While 4 more chose "insecure" or a variant - maybe this is a throwaway account, but it's all leverage to a hacker who will try and escalate privilege further and get to something of value - amazon, ebay, your credit card, even World of Warcraft.

Then we peer a little more deeply into what makes these folks tick - 16 felt strongly enough to include "hitler" in their passwords, and a handful of others made the sort of statements about race and sexual orientation which aren't suitable for a family blog like this one. Over 150 are just general "haters" with varying targets from "you", through names ("John" is unpopular) to life (sad isn't it!), school (predictable) and food(!).

Over 1000 chose passwords containing "god", though any religious overtones are tempered by both godzilla and the godfather. Just under 1000 picked "jesus", and these are much less polluted by the secular. Good advice: keep your faith out of passwords, it will make them easy to crack! FWIW, almost 200 passwords were based on the deities of other religions. Satan comes in bottom with 26 - obviously the bad PR of being the devil does nothing for your popularity as a password.

For a bit of local colour, we find 4 passwords almost certain to refer to Leeds United, but more like 30 which are manchester - that's what a few years in the lower leagues will do for you! Chelsea (108) are streets ahead of London rivals Arsenal (57), though not all will be related to the football club.

Sport is eclipsed by sex it seems, having over 1000 sex related passwords ranging in levels from polite admiration, through to some quite graphic suggestions.

Only about 3% of users chose a password which contained anything other than alphabetic or numeric characters. This would seem typical of a consumer service where passwords are chosen on convenience rather than security. Of course if the service you choose to use happens to store your password in the clear, much of your hard work choosing a decent password is undone.
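The analysis above is easy to reproduce on any plaintext dump. As an added example (not the post's own script, and run here over a constructed list of twenty passwords rather than the real Yahoo data), this Python extracts every four-digit string starting 19 or 20 in the way the post describes, counts passwords containing chosen words, and measures the share using anything beyond letters and digits.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample standing in for a leaked plaintext dump.
SAMPLE_PASSWORDS: List[str] = [
    "summer2008", "kate2008", "password2012", "ilovegod", "godzilla1",
    "jesus2008", "leeds1985", "chelsea", "hatejohn", "p@ssw0rd!",
    "19841984", "qwerty", "secure", "insecure1", "manchester2009",
    "Godfather", "hitler88", "123456", "letmein2013", "sexy_2012",
]

# Overlapping search for any four digits beginning 19 or 20, matching the
# post's method (so "19841984" contributes 1984 twice).
YEAR = re.compile(r"(?=((?:19|20)\d\d))")


def year_histogram(passwords: Iterable[str]) -> Counter:
    """Count every year-looking substring across the dump."""
    counts: Counter = Counter()
    for pw in passwords:
        counts.update(int(y) for y in YEAR.findall(pw))
    return counts


def count_containing(passwords: Iterable[str], terms: Iterable[str]) -> Dict[str, int]:
    """Case-insensitive substring counts, e.g. how many contain 'god'."""
    lowered = [pw.lower() for pw in passwords]
    return {t: sum(1 for pw in lowered if t.lower() in pw) for t in terms}


def fraction_with_symbols(passwords: List[str]) -> float:
    """Share of passwords containing anything other than letters and digits."""
    with_symbols = sum(1 for pw in passwords if pw and not pw.isalnum())
    return with_symbols / len(passwords)


def peak_years(hist: Counter, n: int = 3) -> List[Tuple[int, int]]:
    return hist.most_common(n)


def report(passwords: List[str]) -> dict:
    """Bundle the measurements the post talks about."""
    hist = year_histogram(passwords)
    return {
        "years": dict(hist),
        "peak_years": peak_years(hist),
        "terms": count_containing(passwords, ["god", "jesus", "hate", "secure", "sex"]),
        "symbol_fraction": fraction_with_symbols(passwords),
        # Rough split: likely birth years versus "the year I signed up".
        "birth_year_hits": sum(c for y, c in hist.items() if 1940 <= y <= 1999),
        "recent_year_hits": sum(c for y, c in hist.items() if 2000 <= y <= 2013),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PASSWORDS).items():
        print(key, value)
```

The split between birth-year and sign-up-year hits is the useful bit for a defender: both ranges are small enough that an attacker's mask for "word plus four digits" barely needs to cover 150 values, which is why a year adds far less strength than its four characters suggest.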

Updated for 2013: Breaking news, password habits still diabolical. Thanks to those inadvertently generous folks at Adobe, there's a whole new bunch of purloined passwords to play with. The BBC have reported that right at the top of the top 20 sits old favourite "123456", with "photoshop" and "adobe" making guest appearances (yes, this is up there with using your sort code as your banking password!). Interestingly "azerty" pops up alongside "qwerty", showing we've got similarly bad habits regardless of keyboard layout. Reload this page next year to see that nothing ever changes!

Wednesday, June 13, 2012

Why Facebook is like a Fork...

At this year's Edugeek EDIT conference in Preston, I gave a presentation on why Facebook is like a dinner fork - so here's the idea, blogified.

Way back when, in the mists of time, somewhere between "dinosaurs roam the earth" and "electric light", people of various cultures invented the fork as an eating implement. Prior to this, food had been eaten with the hands, and often with a knife - which was the must-have multi-purpose tool. Perfectly acceptable, we believe, to go out and slay a dragon in the morning, and then eat your lunch with the same bit of pointy metal.

Anyway - some chap invented the fork. Maybe the last civilised thing to come out of Sheffield? Suddenly, a whole host of new rules sprang up around the dining table. Which hand was it suitable to hold a fork in? Americans still use the right hand - some folk thought it unsuitable to hold an eating implement in your left. The fork was used to signify you'd finished eating (again, different cultures arrange their knife and fork in different patterns for this one). Soon, the fork bred - there were different forks, and associated knives, and more etiquette blossomed around which to use first. Today, if we went to a restaurant (for those who consider McDonalds a restaurant, you can quit reading here, you won't get this!) and found any of our culture's "rules" broken, we'd find it quite odd.

So, Facebook.. and other social networks like Twitter. They're like an early fork. Most people can easily grasp the idea, and see what the tool is for, and how to use it, at least in a rudimentary way. However, Social Media has yet to socialise - there's no etiquette, no canon of rules, no cultural influences to tell us how to behave.

Things happen on-line which we wouldn't tolerate in person, there are incredibly loud and boring people, who won't STFU about their farm. There are bullies. There are gossips, and scuttlebutt is traded as fact. Why is this accepted more easily online? It isn't because of lack of oversight - this happens in front of the most important people to all of us - our peers. The reason is because there's no culture. No rules have grown. And there are no rules because rules take time, and they need to evolve fairly naturally.

What should we do about this? Well, one thing the social media sites can do for us is give a bit of power to the network. Right now, there is very little you can do to express your displeasure at someone's actions. Things you'd do in the "meat world" if someone transgressed our culture, our manners, just aren't there - the subtleties don't exist. In some ways, a "dislike" button  on Facebook might actually help the situation. Right now, the only "sanction" we can take against an offender is to unfriend or unfollow them. They may not even notice, and it's a big step - and you can't do it twice. This could do with a fix - Facebook, Twitter - over to you - empower our peers.

What we should do as a society is bring online etiquette and behaviour into our everyday lives, and into the schooling of children. Sure, things move fast enough that Facebook is likely to be irrelevant by the time today's 6 year old is a moody 16, but some of the lessons learned will hold. This means "decriminalising" social networks in schools, and encouraging parents to engage with the technology their children have to grow up with.

Tuesday, May 8, 2012

Will web connections fail to cross the line during the Olympics?


There has been much talk about cyber-attackers planning to disrupt the forthcoming Games. However, a bigger threat will come from the unprecedented demand that will hit networks and web connections during this period.  

The major risks at the Olympics will come from the huge surge of web traffic that will occur as millions of sports fans stream events during the working day. This unprecedented demand will put many networks under a huge amount of pressure and some connections could simply grind to a halt which will impact on businesses throughout the UK.  

In addition, whilst the major broadcasting networks have good security measures in place, there is lots of potential for malware to be attached to videos from YouTube and other sharing sites and the positive publicity surrounding the games is likely to mean that people will be less discriminating about the items they choose to watch.  This could result in a huge surge of IT problems for both personal and business users during the Games.

Not sure what your views are, but it would be great to find out……..

Sunday, April 22, 2012

Testing Times Ahead For Online Security?

A little while back a group of Germans known as "The Hacker's Choice" released a piece of software that "specifically targets deficiencies within SSL". In light of the many groups currently who assume to be our cyber-saviours, I'm a little skeptical. Whilst I fully agree with the principle that on the whole we should be able to rely on any given security standard to keep our most prized data safe, recent events have shown anything but this (SSL Cracked). I really don't think they're going to reach the masses. I mean, how many people actually know what SSL stands for anyway? As long as it doesn't hamper their online shopping, facebook/twitter oriented existence they just don't care.

As with plenty of other technologies that have gone by the wayside, at their peak they were the best thing since sliced bread; vhs, walkmans, CRTs... you get my drift.
Is it perhaps time we added some of our dated encryption methods to that pile of bygones too?

You only have to look at the history of various encryption algorithms, developed as far back as the late 80's (RC4 dates from 1987) or the late 90's (the Rijndael design behind AES, standardised in 2001). Half of us don't own cars that old (well, I may be an exception to that one!) so why are we trusting clearly out-dated encryption standards? Perhaps Convergence, the proposal to replace the certificate authority trust model that SSL leans on, is the new generation of security we really need.


I realise that not just anyone can open up their system and set about wiring half of the UK's GDP to their offshore account in under thirty minutes. However, the fact that weaknesses (many) have been highlighted is enough for me to question the viability of things like online banking. Do I really need it? The answer to that is no, I don't need it, but I want it all the same; it's a convenience. That's what everything is built upon, convenience. With a little security thrown in for good measure. Well maybe I want a lot of security, after all I'm using your website to buy goods with my credit card, I'd like to be able to rely on you when you say it's secure.....



Firefox12 - Enough Versions Already, but This One I Like...

I notice Firefox 12 is on the horizon. I'm sure I am not the only one to be irritated by the version numbering game. As Smoothwall's Web Filtering Product Manager, keeping up with which versions of popular browsers we need to support is like shooting moving targets with a fairground rifle whilst wearing comedy nose glasses.


Version 12 though has a special place for me, as it's going to save me a job - updating my parents' web browser! Being a fairly security minded type chap, I have had them using Firefox - yeah, I know, there's not a lot of difference between the major browsers any more, but when I set their first PC up, it was night and day. I also never gave them admin rights - there's just no need. Or there shouldn't be. The one thing that's been missing all these years though is background updates. Finally, 12 has Silent Service Update - so they'll be able to have the latest version, and I won't have to scoot round the house with my admin creds when I pop in for Sunday lunch!


Great start by Mozilla - and good to see they're going to offer SSU to other software vendors, I always thought it was a shame other products couldn't use Windows Update. I instinctively uninstall Adobe's bloated PDF reader in favour of Sumatra (which is still an Admin-only update, but a lot less prone to attack), but my arch enemy lives on - Java. Next time I am in Wakefield, I'll be working out whether my folks really need a JVM.


PS. Yes, I know Chrome does this already, but I wasn't up for the support overhead of a new browser!

Wednesday, March 14, 2012

DfE Passes Buck on e-Safety

My kids are pretty safe at school - they are cared for by people who often go beyond their remit to make their day as safe as it can be. They are taught by qualified teachers who are in turn monitored by OFSTED (as a School Governor I'll not go there today). The equipment and services in their school are of the safest kind; electrical installations by NICEIC accredited contractors, we've got BS Standard fire alarms, they eat nutritionally balanced meals created in monitored and carefully managed kitchens. They even go on school trips in Department of Transport inspected buses driven by trained drivers with licences. Schools are probably about the most regulated part of our society.


So, today we find out that the UK Department for Education have finally decided that they are not responsible for setting national minimum standards for e-safety provision (read web filtering and security technology) in schools. A bit of a shocker - as huge bits of their curriculum are delivered using on-line systems and tools - and our kids are now more digital than most of us.


The sad thing is that the DfE were once responsible and (in their Becta guise) really good at it. They put vendors through the wringer to make sure any system they supplied actually did what it said it would do - protect creative, inquisitive kids from the less savoury bits of the web when their hard pressed teachers had their backs turned for a second. And, they gave solid advice on what actually worked and what was good value - very hard for an individual school or LA to do in a tech environment that changes by the day and with local budgets pared to the bone.


So what happens now? The DfE claim that the Accreditation scheme was just a starting point and that now schools should choose the system that suits them (and their budget). Tell me if I'm being dense but it sounds like 'trust the computer salesman because they always tell the truth' and 'buy the cheapest system because they all do the same thing'. Oh, and if something goes wrong (and things do) blame somebody else (as a Head Teacher / Governor / LA there isn't anybody else to blame - sorry).


We can all appreciate that it must be really hard to make decisions to cut vital services because you don't have the money. But, to abandon existing e-safety standards because you haven't the vision to see the consequences looks a bit negligent to me. But what do I know?


http://epetitions.direct.gov.uk/petitions/31372



Monday, February 27, 2012

Time for Social Media Tools in Government?


The web is now woven intricately through our everyday lives -  it helps us be more connected, better informed, allows us to react faster and provide information more accurately (except maybe at work)
Top down decisions on who can do what (and when and where) stop us from fixing problems, communicating effectively and building close relationships with our colleagues - and more importantly the people we are trying to serve. The technology we use at work needs to catch up with the on-line tools we use every day at home.
So, if you give your people access to the parts of the web they actually need to do their jobs in this century – what’s the problem?
Let’s be clear here - we’re not advocating a free for all discussion on national security on Twitter or Facebook – but, letting people know that the bins aren’t going to be collected because of snow, or the outcome of a local service review was positive or even that the local hospital is looking for volunteers – where’s the harm in that?
The IT guys will tell you that if you give your people access to the web the sky will fall in - your legal department will sternly inform you that you are 'being brave' - but in reality your people will get on and get stuff done efficiently and quickly using web tools and services they already know and use intimately.
Oh, and fooey to the doom merchants - the world won’t stop on its axis because you’ve put in sensible policies (managed by people you trust) and appropriate controls, filtering, monitoring and reporting.  You know exactly who’s allowed to access what, where and when - so they’ll not be catching up on the football, watching a cookery program on their laptop or updating their personal status on duty.
We think it's time to help governments make the social bits of the web useful and productive.

Tuesday, February 7, 2012

Safer Internet Day: Passwords and Protection

Today is Safer Internet Day - an event organised by Insafe to help people, particularly young people, become and stay safe in today's interconnected society.


Instant interconnectivity can be daunting to the uninitiated. Within a few minutes, you can have Facebook and Myspace tied into lastfm, twitter, flickr, blogspot, stumbleupon, reddit and literally hundreds of other third party games, apps and sites, all of which come together to help us connect to more people, more quickly, more of the time... every connection you make increases the number of people that can see information about you - information that could be used to target you. If you have up to date anti-virus software and a firewall it will help protect you against many software based threats, keyloggers, botnets and the like, but it can't protect you from the malicious and hurtful people you meet on and off-line. Passwords are the key to your on-line life. One of the easiest ways to break into your computer system is to guess your password. Especially if that password is on a post-it note, stuck to the screen. With the word 'password' next to it in block capitals.


Is your Facebook password the same as your computer login? It's easier to remember that way isn't it? So now, because of that post-it, someone knows your personal email address, date of birth, where you went to school, where you work, where you live, who all your friends are, every club you've been to in the past 6 months (and on what dates), what car you drive, when you bought it and exactly what your next-door neighbour's cat had for breakfast. In isolation, none of this information would be particularly useful in the hands of someone with nefarious intentions, but put it all together and it wouldn't be too difficult for them to impersonate you on-line. I hope your banking password is different...

Aside from the material risks, there is also the danger of someone manipulating your social life. Abusive messages to friends, offensive posts about others and publicised subscriptions to 'entertainment' sites you wouldn't normally touch with a barge pole can all produce a pretty uncomfortable social backlash. This applies to all age groups, but the most quoted problem area is teenagers and cyberbullying.

Cyberbullying is real, hurtful and dangerous. The faceless nature of the attacker can make it even more disturbing than a bloody nose in the playground or superglued books. How do you fight something intangible? The first step is to know what tools you have at your disposal. Every social website (twitter, lastfm, facebook, myspace et. al.) has a ‘block person’ function to stop people contacting you – and for serious incidents a ‘report this person’ process. Most have a setting to make this the default behaviour, and only those you select can get in touch. If you don't want to communicate with someone on-line, you don't have to - the tools are there and very easy to use.


I know several teachers that have students who have experienced cyberbullying/cyberstalking incidents that have spilled over into the school environment. By this point, the victim had been terrorised for several weeks or even months beforehand. A trying time for everyone - especially the victims, but the trauma and fallout could have been averted with a few clicks had they only known how to protect themselves on-line.

Internet safety is not just about protecting your computer - it's about knowing how and why to protect yourself. You wouldn't walk down a dark alley on your own late at night, even if there was a sign at the entrance saying 'Play for free now!' Yet the same sign on the internet flashing red and yellow is often treated as a risk free invitation. A little trepidation is all that's needed. A slight shift in your mentality from 'why not' to 'why should I?'. Why should I give someone I don't know the means to contact me any time they please? Why should I let them see everything I've done and everywhere I've been? Why should I keep talking to someone if they're making me feel uncomfortable?

Just as the internet has become an everyday thing, internet safety should be something that’s considered every day.

Have a look here for some useful information about password practice.