We’ve replaced this hooker’s regular herpes with the Win32/Wisp.A BackDoor-EMN virus. Let’s see if anyone notices…

The headline: “First human ‘infected with computer virus’”.

The truth: oh lordy, it’s Captain Cyborg’s protege.

Captain Cyborg is Kevin Warwick, loopy professor of cybernetics at Reading University, who has been inserting bits of electronics under his skin for some years and making extravagant claims about the implications. He is most famous for taking advantage of the Soham murders by offering to implant an electronic tracking device into an eleven-year-old girl (an offer that, I think, should earn him a place on some register or other).

Gasson is Warwick’s sidekick, although it seems the major lesson he’s learnt from the Cap’n is how to be a media whore.

So what about these claims he’s infected himself with a computer virus? I had a few concerned friends forward me the URL, seeking comment. Well, if I put a pregnant rabbit inside my PC case and then issued a press-release: “Computer Gives Birth To Bunnies!” – that would be about the equivalent to Gasson’s little achievement. (Full disclosure: that analogy is not mine, but it is far too superb not to share.)

Gasson, in short, has repeated a fairly dull RFID experiment. But before doing so, he wedged the RFID under his skin. He could equally have poked it into a sausage, or up his arse, and the results of the experiment would have been just as meaningful, but he’d not have got the press exposure because people would have been laughing at him instead, which would be the right response.

Of course, underneath the trashy sensationalist journalism and craven publicity-seeking there is a serious implication to this experiment: implants (pacemakers and such) that are integrated into the human body may become vulnerable to attack using technologies not dissimilar to RFID, and it is incumbent on the manufacturers to bear this in mind.

But the key word there is “integrated”. You achieve the status of cyborg when the technology has been actually integrated with your body, not merely inserted into it. You do not become a cyborg by placing electronics under your skin, even if you then scurry off outside looking for Sarah Connor. Although the whole concept of humans being infected by computer viruses is specious at best, you’d assume that this kind of integration would be a prerequisite.

So, in response to the concerned e-mails I received: you do not need to install Norton Anti-Virus on yourself. Not just yet.

Not even…

Earlier in the month I gave a talk at the Info-Security Conference in Wanchai, defending the PCI DSS against claims that compliance is worthless and does not improve security. At around the same time, I had an article published that contained essentially the same argument (read the PDF here; original article here).

Every day, dishearteningly, I see more and more examples of the kind of businesses to which my presentation and article were referring. Specifically, the ones that are culpably negligent in terms of information security.

Check out, for example, this news story. Nothing particularly unusual about it, but I thought the merchant’s statement was especially illustrative of the kind of attitude of which I see so much. They portray themselves as utterly innocent victims of a “senseless” attack. Bullshit! A senseless attack is when someone randomly punches you in the face while you’re walking home from the pub. Heisting a load of cardholder data makes huge amounts of sense: it’s valuable. And they’re hardly innocent. Wearing a short skirt does not mean you are asking to be raped, but leaving your payment card database hanging out most certainly does mean you’re begging for someone to come along and make a copy or two.

But it’s okay: “authorities” say the attack wasn’t the result of any “wrongdoings” by staff or management. Bullshit again! Management are responsible for securing their data. They neglected to do so. That’s a good, solid piece of wrongdoing right there.

Now, I really don’t mean to single out this one small restaurant, but I see attempts to substitute investment in security with affronted and unconvincing protestations of innocence like this all too often, and that was what sparked my pro-compliance presentation and article.

I sometimes consult for businesses that have sub-par security. The fact that they’re addressing their poor security absolves them of negligence. Businesses like the aforementioned restaurant are in a whole different league of shame. And so I’m proposing a new terminology for them. Based on Wolfgang Pauli’s dry observation that something can be “not even wrong”, I am choosing to label the security-negligent as “not even incompetent”. After all, you can only be incompetent at something if you’ve tried it.

Sadly, this does not surprise me

Wikileaks recently released a video showing incriminating footage of an attack by an American helicopter gunship in Baghdad. Many were killed, including two Reuters journalists, and children were seriously wounded. The Americans claimed this was all within the rules of engagement, but the video footage tells a very different story.

But that’s not what this posting is about. It’s about Facebook’s censorship of this very important subject matter.

The web site Collateral Murder was set up to ensure that the video could reach a wide audience. But interestingly, if you try to post a link to Collateral Murder on Facebook, you get:

“Blocked Content”? Now how did that happen?

Green dambusters

It’s not all over the news any more, but that doesn’t mean it’s gone away. I’ve been pondering the Green Dam situation a lot recently, because – for whatever crazy libertarian reason – I find that I simply cannot agree 100% with its detractors.

Actually, I love the idea. This is one of the two areas in which I am in agreement with the Chinese Communist Party, the other being persecution of Falun Gong. (I should add, though, that my motives for both are quite different from the CCP’s.)

See, I find the “protect the children” brigade thoroughly tiresome. The Australians went as far as trying to implement ISP-level porn-blocking to “protect the children”. Apparently Kevin Rudd didn’t just pick up some Mandarin while he was in China. But “protect the children” is an international problem, not just antipodean.

So we have this group who opine that the Internet needs to be “child-friendly”, i.e. everything unsuitable for children should be removed. That’s going to make the Internet pretty useless. You wouldn’t expect adults to watch nothing except children’s television, would you? Or just read children’s books? Then why would you expect them to approve of a “children’s Internet”? I’m all in favour of not letting kids watch porn, but if that means that adults can’t watch porn too, then something’s gone awry.

Call me a cynic, but isn’t “protect the children” a badly-concealed excuse for skirting around the true aims of the campaigners? I have a measure of respect for good old-fashioned bigots who are prepared to be honest about how they just want things that they disapprove of to be banned. Compare that to the dissembling of a “Focus on the Family” type organisation which has exactly the same agenda but hides it behind their “for the children” rubric. And, of course, “for the children” is rebuttal-proof. You can’t argue against a measure that is “for the children”, or else you’re a vile child-hater. You approve of Internet porn? Why do you hate children!? Etc etc etc.

I’ve debated with a few of these types and asked why they don’t just take action to protect their children. The usual answer is that their kids are very well protected, but what concerns them more are all the other kids who don’t have the benefit of insane parents. And with that reasoning, they’ll continue their campaign to have porn blocked at the ISP level and make sure we all get nothing more taxing than Sesame Street on YouTube.

Hence, the logic of Green Dam was instantly attractive when I first heard about it. It’s the perfect solution: a content filter that is installed (or at least shipped) with all PCs, which will prevent the underage from stumbling on www.analmidgets.com, and which can be disabled or uninstalled by grown-ups with a tolerance for such things. It won’t shut the prudes up, but it might force them to admit the real reason for their complaints, and that makes them easier to debate. And critically, it moves the role of censorship away from the network and onto the workstations.

Of course, successful implementation relies on the software (a) not being filled with stupid security glitches that show a total lack of software quality control, (b) not being largely stolen from another company, (c) not being full of government back-doors (open source would be a sine qua non, I think), and (d) not being way, way too sensitive so that your applications are constantly shut down without warning just because you typed something slightly frowned-upon.

So: ten out of ten for the idea, but minus several million for the execution. I’m anticipating the release of version 2 of Green Dam with genuine curiosity. Of course, it will still be intrusive and flawed, but if it reduces the argument in favour of the Great Firewall of China even one iota, then it’s a step in the right direction.

Red herring

I have had a re-think about the assertions in my recent entry about phishing. I’ve not recanted them, as such, but in an unusually paranoid moment it occurred to me that I’d overlooked something.

What if the phishing gangs aren’t dumbasses after all?

So, why would a non-dumbass send out 22 almost identical unconvincing e-mails to a single target? Psyops, that’s why. A sophisticated criminal attack would focus on lowering the inhibitions of the victims by creating a false sense of security. If past experience leads me to believe that all phishing scams are flawed and easy to spot, then in my hubris I become the ideal target for a well-executed and professional phishing scam. The firewall in my brain can be fooled.

Even… no, especially in the security industry, it benefits us to remember that we are all susceptible to social engineering. Let us not become smug, and let our guard down.

Plenty more phish in the sea

Why are phishing gangs so dumb?

I received some phishing spam today, targeting HSBC Hong Kong customers. They did one thing right – they targeted .hk e-mail addresses. Pity I use a .com e-mail for my banking, really. But that’s not the dumbness, that’s just bad luck on the phishers’ part.

The dumbness takes two forms. Firstly, the English. Yes, I know they’re Russian. Or Chinese. Or at least, that English is not their native language. But how much would it cost them to employ an actual English speaker to proof-read their spam? Unemployment is over 2 million in the UK, so it wouldn’t be hard for them to find one! I mean, just take a look:

Subject: HSBC Hong Kong All advanced forum features are available;
Date: Tue, 17 Feb 2009 04:34:16 +0200
From: HSBC Hong Kong <manager@hsbc.com.hk>
To: me
HSBC Hong Kong:

New user interface features and a new user interface for the HSBC Hong
Kong Users, were designed in order to reduce the high cognitive and
physical load that users experience when controlling the HSBC Hong Kong.

These interface features, and the new interface, were evaluated for
their  performance. The following results were obtained.

Proceed to view details:

[URL removed for sanity]

Sincerely, Freida Porter. Customer Service Department.
Copyright hsbc.com, inc. All rights reserved.

Not very convincing, eh? Also, there’s no attempt to sell me a loan. I can’t remember the last time HSBC communicated with me and didn’t try to sell me a loan on the side.

So, a little investment in a suitably fluent proof-reader who can imitate real HSBC e-mails would have paid off here.

Dumbness number two is just plain incompetence. In order to circumvent spam filters, the spammers fire out multiple copies of almost the same message… with different subject lines and different, randomly-generated, names at the bottom (none of which were even vaguely Chinese, incidentally). I received fifteen or so in the space of an hour (all flagged as spam, so they failed there too). The sheer quantity should make even the most gullible pause and think: that’s weird.
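That second dumbness is also a detection opportunity: a batch of messages whose bodies are identical once you strip the rotated subject, sign-off name and link is the signature of a templated campaign, and a mail gateway can cluster on exactly that. The script below is an added example (not part of the original post) that runs over a constructed five-message mailbox modelled on the lure quoted above; the sender address is the spoofed one shown in the e-mail, the URLs are placeholders, and the 0.9 similarity threshold and three-copy minimum are assumptions.

```python
import difflib
import hashlib
import re

# Constructed sample mailbox (not real mail): four copies of the lure quoted
# above with rotated subjects, sign-off names and URLs, plus one unrelated
# message. The spoofed sender is the one shown in the post; URLs are placeholders.
LURE = (
    "HSBC Hong Kong:\n\n"
    "New user interface features and a new user interface for the HSBC Hong\n"
    "Kong Users, were designed in order to reduce the high cognitive and\n"
    "physical load that users experience when controlling the HSBC Hong Kong.\n\n"
    "Proceed to view details:\n\n{url}\n\n"
    "Sincerely, {name}. Customer Service Department.\n"
    "Copyright hsbc.com, inc. All rights reserved.\n"
)
SAMPLE_MESSAGES = [
    {"subject": "HSBC Hong Kong All advanced forum features are available;",
     "sender": "manager@hsbc.com.hk",
     "body": LURE.format(url="http://phish.invalid/a/", name="Freida Porter")},
    {"subject": "HSBC Hong Kong: new interface evaluated",
     "sender": "manager@hsbc.com.hk",
     "body": LURE.format(url="http://phish.invalid/b/", name="Alan Burke")},
    {"subject": "Your HSBC Hong Kong user interface",
     "sender": "manager@hsbc.com.hk",
     "body": LURE.format(url="http://phish.invalid/c/", name="Gloria Meyer")},
    {"subject": "HSBC Hong Kong interface features available",
     "sender": "manager@hsbc.com.hk",
     # same template with one phrase reworded, to exercise the near-duplicate path
     "body": LURE.format(url="http://phish.invalid/d/", name="Tom Reyes")
                 .replace("in order to reduce", "to reduce")},
    {"subject": "Lunch on Friday?",
     "sender": "colleague@example.com",
     "body": "Are you free for lunch on Friday? The usual place, 12:30.\n\nCheers,\nSam\n"},
]

URL_RE = re.compile(r"https?://\S+")
SIGNOFF_RE = re.compile(r"sincerely,\s+[a-z]+(?:\s+[a-z]+)*\.")
WS_RE = re.compile(r"\s+")


def normalise(body: str) -> str:
    """Strip the parts the spammer rotates per copy: case, URLs, the sign-off name, whitespace."""
    text = URL_RE.sub("<url>", body.lower())
    text = SIGNOFF_RE.sub("sincerely, <name>.", text)
    return WS_RE.sub(" ", text).strip()


def fingerprint(body: str) -> str:
    """Short stable hash of the normalised body; identical templates collide on purpose."""
    return hashlib.sha256(normalise(body).encode()).hexdigest()[:16]


def cluster(messages, similarity: float = 0.9):
    """Group messages whose normalised bodies are identical or near-identical.
    Returns a list of clusters, each a list of message indices in arrival order."""
    clusters = []  # each entry: {"text": representative normalised body, "members": [...]}
    for idx, msg in enumerate(messages):
        text = normalise(msg["body"])
        for c in clusters:
            # autojunk=False: the default heuristic discards common characters in
            # strings over 200 chars and makes ratios on prose meaningless.
            if c["text"] == text or difflib.SequenceMatcher(
                    None, c["text"], text, autojunk=False).ratio() >= similarity:
                c["members"].append(idx)
                break
        else:
            clusters.append({"text": text, "members": [idx]})
    return [c["members"] for c in clusters]


def flag_campaigns(messages, min_copies: int = 3):
    """Report clusters large enough to be a templated blast, with the distinct
    subject lines seen: many subjects on one body is the tell described above."""
    report = []
    for members in cluster(messages):
        if len(members) >= min_copies:
            subjects = sorted({messages[i]["subject"] for i in members})
            report.append({"copies": len(members), "subjects": subjects, "members": members})
    return report


if __name__ == "__main__":
    for hit in flag_campaigns(SAMPLE_MESSAGES):
        print(f"{hit['copies']} copies of one template, {len(hit['subjects'])} subjects:")
        for s in hit["subjects"]:
            print("   ", s)
```

In production you would key the clusters by recipient and a time window rather than the whole mailbox, and feed the fingerprint into the gateway so the next copy of the template is dropped before it reaches anyone.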

Interestingly, the phishing web site linked from the e-mail was very well done, looked convincing, and had a trojanised “You need the latest Adobe Flash Player” download. It’s odd that the criminals should put so much effort into their web site and then waste it with a half-arsed e-mail campaign. (Strictly, this means it’s not phishing, which is an attempt to get a user name and password. HSBC’s synchronous authentication defeats keylogging, so the trojan is probably a man-in-the-middle attack that waits for the user to authenticate with HSBC and then patches the criminals into the session. I didn’t get time to download it to a virtual machine and try it out.)

It goes without saying that they’re only after a tiny number of victims, that they expect 99.9% of their e-mails to be ignored. And of course, their incompetence and laziness is a boon to those grey-area types out there who just might fall for a well-constructed phishing scam. But still, it pains me to see shoddy work, even when it’s crime!

I should take my own advice

I’ve lost count of the number of times I’ve declaimed (to clients, to journalists, to conferences, even on this blog) that the majority of security incidents occur because someone fails to take a simple, straightforward action that would have prevented the incident; it’s rarely anything complicated, and it’s often overlooked because “it’s never been a problem before, so it should be alright this time too”.

Today I have been hoist by my own petard. I have had a significant quantity of money taken from my wallet while it was unattended in my hotel room. Of course there was a safe, but I’d become complacent. I reported the theft to the hotel so they could investigate it, but I refused (to the bemusement of some friends) to request compensation or reimbursement. This attitude that we must be somehow protected from our errors and bad luck baffles me. You can buy protection, of course, from the insurance industry, but several friends were unable to understand why I didn’t storm the hotel manager’s office, demanding my money back. As I explained: whoever took it is a criminal, I’m a dumbass, so the responsibility is shared. The hotel’s an innocent third party. Why should they pay anything?

This appears to be a minority view.

I’m in a very windy Miami now, exhausted from jetlag and travel. Time for some kip.

Not fare!

In the light of yet another resurgence of newspaper articles about the weakness in the London Oyster card system, nearly all of which claim that our own beloved Octopus is also vulnerable, let me set the record straight.

It bloody isn’t.

Oyster uses the Dutch MiFare Classic chip. The designers committed the cardinal sin of security when they put that together: they invented their own encryption technique. Moreover, they relied on the uniqueness and obscurity of that encryption technique to protect the card and prevent the thousand natural hacks that currency-cards are heir to, and they were so confident that this would work that they made the encryption key a fixed value. Of course, it didn’t take very long for a bunch of bright young things to reverse-engineer the encryption (which wasn’t very good, really), after which the card was fatally holed.

Of course, Octopus would be just as badly affected if it used MiFare. Only it doesn’t. It uses the Sony FeliCa chip. The FeliCa does not rely on a half-arsed but vaguely obscure encryption algorithm; it uses standard and widely trusted encryption, and to preserve the confidentiality and integrity of the transactions, it changes the encryption key every single time it is used. In other words, it doesn’t matter that you know how the data is encrypted: by the time you’ve cracked it, the key’s already changed.
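The difference between the two designs is easy to show in a toy model. What follows is an added example, not MiFare’s or FeliCa’s actual protocol: it stands in HMAC-SHA256 for whatever cipher each chip uses, and the keys are constructed for the demonstration. Scheme A authenticates every transaction on every card under one fixed key; scheme B derives a fresh key per transaction from an issuer master key, the card id and a transaction counter, so a key recovered from one transaction is useless for the next.

```python
import hashlib
import hmac

# Constructed keys for the demonstration. In a real issuer the master key sits
# in a secure module and is never on the card or the wire.
SHARED_FIXED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ISSUER_MASTER_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def txn_message(card_id: bytes, counter: int, amount_cents: int) -> bytes:
    """Canonical encoding of one debit: card id, monotonic counter, amount."""
    return card_id + counter.to_bytes(4, "big") + amount_cents.to_bytes(4, "big")


def authenticate(key: bytes, card_id: bytes, counter: int, amount_cents: int) -> bytes:
    """Tag a transaction under whatever key the scheme supplies (HMAC-SHA256 as stand-in)."""
    return hmac.new(key, txn_message(card_id, counter, amount_cents), hashlib.sha256).digest()


# Scheme A: the "fixed value" design. One key, shared by every card and every transaction.
def fixed_key_verify(card_id: bytes, counter: int, amount_cents: int, tag: bytes) -> bool:
    expected = authenticate(SHARED_FIXED_KEY, card_id, counter, amount_cents)
    return hmac.compare_digest(expected, tag)


# Scheme B: a per-transaction key, derived one-way from the master key, the card
# id and the counter. Key n reveals nothing about key n+1 because the master key
# is the only input that is secret, and it never leaves the issuer side.
def session_key(card_id: bytes, counter: int) -> bytes:
    label = b"txn-key" + card_id + counter.to_bytes(4, "big")
    return hmac.new(ISSUER_MASTER_KEY, label, hashlib.sha256).digest()


def session_key_verify(card_id: bytes, counter: int, amount_cents: int, tag: bytes) -> bool:
    expected = authenticate(session_key(card_id, counter), card_id, counter, amount_cents)
    return hmac.compare_digest(expected, tag)


def compare_schemes(card_id: bytes = b"\x00" * 7 + b"\x2a") -> dict:
    """Model the failure mode the post describes: a key recovered from
    transaction n is reused to tag transaction n+1. Returns what each verifier accepts."""
    n, amount = 17, 5000
    # Scheme A: the key seen in any one transaction is the only key there is.
    reused_a = authenticate(SHARED_FIXED_KEY, card_id, n + 1, amount)
    # Scheme B: transaction n's key, applied to transaction n+1.
    reused_b = authenticate(session_key(card_id, n), card_id, n + 1, amount)
    genuine_b = authenticate(session_key(card_id, n + 1), card_id, n + 1, amount)
    return {
        "fixed_key_accepts_reused_key": fixed_key_verify(card_id, n + 1, amount, reused_a),
        "session_key_accepts_reused_key": session_key_verify(card_id, n + 1, amount, reused_b),
        "session_key_accepts_genuine": session_key_verify(card_id, n + 1, amount, genuine_b),
    }


if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name}: {accepted}")
```

The design choice that matters is which secret is exposed per transaction. In scheme A that secret is the whole system; in scheme B it is a single-use value, and the derivation is one-way, so a ratchet that computed key n+1 from key n would not do: the master key, not the previous session key, must be the root.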

So, no need to be concerned about your Octo. It’s just the Oyster that’s shucked.

Big Brother is watching you surf

Most mornings my commute begins with an E11 bus that has to orbit Tung Chung twice in order to achieve escape velocity and set course for the vertical wilds of Hong Kong island; and since the bus isn’t heavily used (nor accurately scheduled) it’s fairly normal for me to end up loitering at the bus stop, marvelling quietly at the genius of JCDecaux, for anything up to 20 minutes. These last few mornings, I’ve been particularly enjoying a bus stop advertisement for Hong Kong’s new Wifi.gov service, bringing you, the citizen, free wireless Internet in selected government locations!

(“Selected”, incidentally, is insidious marketing-speak. Cathay Pacific’s in-flight magazine claims that the full range of in-flight movies is available on all 747 and 777 aircraft and selected A330s. Did somebody actually select them? Why can’t they just use the perfectly adequate and considerably more honest word, “some”?)

Anyway, I have digressed. The Government Wifi’s advertisement claims three security measures to be in place on their public networks. I quote:

  • Encrypted channel
  • Content filtering
  • Peer-to-peer blocking

Did you recognise the handwriting of the Ministry of Truth? Only one-and-one-third of these is a security measure. To wit:

Encrypted channel: I guess they mean WEP or WPA, i.e. encrypted wireless traffic. This is a bona fide security control which will protect the confidentiality and integrity of the users’ wireless traffic. This guy is off the hook.

So what of the other two? Peer-to-peer blocking is almost a security measure. Peer-to-peer traffic can consume a lot of bandwidth, thereby having an impact on the availability of the system. But how on earth is content filtering a security measure? Say I want to surf http://www.midgetsanddonkeys.com. Using my laptop at home, I can do so; using my laptop in HK Central library, I can’t. In what way does that make me more secure? Of course, it doesn’t.

I’m being disingenuous, of course. The government’s intention is clear and in fairness I support their technical constraints. People in public libraries shouldn’t Torrent movies, nor should they surf the kinds of web sites that might frighten the horses (especially if the horses are taking part).

All I’m objecting to is the rebranding of “censorship” as “security”. We have enough of this to deal with in airports, and in the other avenues of our daily life. Inconvenience is not the same thing as security; restrictions are not the same thing as security; surveillance is not the same thing as security; and censorship certainly isn’t.

It’s perfectly simple…

Since I’m a security professional and occasional commentator, I’ve been hassled a fair bit over the last couple of days for comment on the British Inland Revenue’s astonishingly careless loss of squillions of records of personal information belonging to child-benefit recipients.

In all cases, my comment has been very straightforward. It’s procedures. Every time I see a major security incident like this, it’s caused by someone failing to follow existing procedures (which are usually both reasonable and undemanding). And that’s the only lesson that I’ve advised journalists and clients to take away from this fiasco. Do not deviate from your procedures, because that’s when bad things happen.

As an aside, I would be interested to find out what they mean by the disks being “password-protected”. That could range from a ZIP file with the password of “password” right up to 448-bit blowfish with a long and complex passphrase. It makes a big difference!
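How big a difference can be put in numbers: the strength of a password-protected file is the cheaper of the two things an attacker can guess, the cipher key or the passphrase, so a 448-bit key unlocked by “password” is worth a few bits. The snippet below is an added example, not anything to do with the disks in question: it uses a deliberately crude character-class model (an upper bound; real cracking tools do far better against dictionary-derived phrases), a tiny constructed wordlist standing in for a real one, and an assumed guess rate.

```python
import math

# Constructed stand-in for a real cracking wordlist (8 entries so the maths is round).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "abc123", "monkey", "iloveyou",
}


def character_space(pw: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes present."""
    space = 0
    if any(c.islower() for c in pw):
        space += 26
    if any(c.isupper() for c in pw):
        space += 26
    if any(c.isdigit() for c in pw):
        space += 10
    if any(not c.isalnum() for c in pw):
        space += 33  # printable ASCII punctuation and space
    return space


def guess_entropy_bits(pw: str) -> float:
    """Optimistic guessing entropy: the wordlist position if it is a common
    password, otherwise length * log2(alphabet). Treat the result as a ceiling."""
    if pw.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    return len(pw) * math.log2(character_space(pw))


def effective_strength_bits(pw: str, cipher_key_bits: int) -> float:
    """The attacker takes whichever path is cheaper: brute-force the key or guess the passphrase."""
    return min(cipher_key_bits, guess_entropy_bits(pw))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every candidate at an assumed rate (1e10/s is a constructed figure)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple", "Tr0ub4dor&3" * 8):
        bits = effective_strength_bits(pw, 448)
        print(f"{pw[:30]!r:34} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
```

The point to notice is that the 448-bit key only earns its keep once the passphrase carries at least 448 bits of guessing entropy; below that, the cipher is irrelevant and the passphrase is the whole of the security.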