Alastair Revell - Blog

LinkedIn Security Breach: 6M Hashed Passwords Potentially Leaked

Alastair Revell — Wed, 06 Jun 2012 17:38:54 GMT

There are claims circulating on the Web today, which have been reported by the BBC, stating that some six million passwords from LinkedIn have been leaked on a Russian Internet site in encrypted form.

LinkedIn, which has around 150 million users, has responded via a tweet that they are investigating these claims.

Graham Cluley, from Sophos, is reported by the BBC as saying: "We've confirmed there are LinkedIn passwords in the data. We did this by searching through the data for (hashed) passwords that we at Sophos use only on LinkedIn. We found those passwords in the data. We also saw that hundreds of the passwords contain the word 'Linkedin'."

This strongly suggests that LinkedIn may only be hashing and not salting their passwords properly (if at all). Hashing is a method that encrypts a password in such a way that it cannot be decrypted. The original password is not stored, only the encrypted version, making it near impossible to work out what the original was from just what was stored. Each time someone claims to be entering the password, that entry is hashed using exactly the same algorithm and compared with what was stored. If they match then the current entry is to all intents and purposes the same as the original password, which is a secret only known to the user.

The problem with just plain hashing is that the same algorithms are widely used by developers (simply because there aren't that many available), so all a hacker has to do is run possible passwords through the same hash algorithm to generate a simple (if not large) look up table that essentially marries hashes with passwords. If they have a hash with a corresponding password then they have struck the jackpot!

If the hacker has considerable computing power at their disposal for long periods of time then they can clearly build pretty comprehensive tables that cover (say) all eight letter passwords possible. Obviously, the longer or more complex a password is, the larger the effort needed to compromise it. The beauty from the hacker’s perspective is that once they have generated or otherwise acquired a table then it can be used to attack many different systems that use the same plain hashing algorithm.

Salting improves the security by amending the original password before it is hashed, usually by adding random characters to it in someway. This means that even if the hacker knows the hashing algorithm and the salts in use as well as how it was used to change the original password, their lookup tables will be useless because they now need a lookup table for each salt in use, which could be as many as one per password. Salting makes the hashes used by the system under attack almost unique to that system, greatly increasing the amount of effort needed to compromise it. Prospective hackers would essentially need to build a lookup table for each salt used. This approach frequently puts encrypted passwords beyond the economic reach of even the most determined hackers (although they could theoretically obtain them with a huge amount of resources). However, salting can be done badly by using the same salt for each password, which means once that is guessed or otherwise ascertained, then the problem is no more difficult than working on unsalted hashes.

The fact that Sophos has been able to ascertain that some of their LinkedIn passwords are amongst the stolen hashes strongly suggests that the passwords were only hashed and not salted particularly well (if at all). Consequently, it is going to be much easier for hackers to work out what the original passwords were by simply using a brute force approach until they strike gold.

Obviously, the longer the password and the wider the range of characters used in constructing it (upper and lower case letters, numbers, punctuation marks, etc) the more effort will be needed by the hackers. It’s also likely that those with short passwords based on real words will be cracked first.

I would join Graham Cluley in strongly urging people to change their password on LinkedIn and anywhere else that they have used the same password. (You would be wise to use a complex password.) Once a hacker has established your password and linked it to your identity then they are highly likely to try it elsewhere so that the fruits of their labour may be better rewarded, possibly with your hard earned cash!

This weblog is produced by Revell Research Systems.

Would You Risk the Wrath of the Information Commissioner?

Alastair Revell — Tue, 10 May 2011 16:00:10 GMT

The Information Commissioner's fining of solicitor Andrew Jonathan Crossley is interesting in several respects and contains an important message for many small businesses.

The £1,000 fine was announced by the Information Commissioner's Office (ICO) today in a press release.

Mr Crossley was the owner of the law firm ACS Law, which has recently ceased trading. The firm gained widespread exposure for its aggressive pursuit of those alleged to have infringed copyright through peer-to-peer file sharing activities in recent years. It seems that many of those pursued by the firm were probably innocent and I understand that the only successful prosecutions in this matter were won by default when the defendants failed to appear in court.

In September 2010, ACS Law's web site was seriously attacked, causing it to crash. In the subsequent aftermath, a backup file containing emails between ACS Law's employees and other parties appeared on the web site, which allowed anyone to access around 6,000 people’s sensitive personal information. These emails included credit card details as well as references to people’s sex life, health and financial circumstances.

The Information Commissioner, Christopher Graham, has made it very clear that had ACS Law still been trading then the fine could have been as much as £200,000: "Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach".

I feel this fine is important because it shows that the ICO is prepared to fine SME organisations large amounts and is also prepared to pursue their owners in cases of serious breach where the owner is a sole trader.

The Information Commissioner stated that: "The security measures ACS Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details". I am often shocked about how poor security is at SME organisations. Many SME business leaders do not listen to advice about security matters. I am also afraid to say that many IT suppliers also do not care about security, preferring to close a sale at any cost. They often fail to make their customers aware of the risks they face, taking a view that it is the customer’s problem if they don't recognise or understand the issues at stake.

Worse still, many SME firms run their IT systems on a shoestring, avoiding professional advice wherever possible, and only bring in competent support when things really become dire.

It is clear that Mr Graham takes a rather dim view of this approach to managing a company's IT infrastructure. He makes it clear that "Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law's web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure." The Information Commissioner clearly believes that if you are going to use IT systems then you should do it properly and not on a shoestring.

If anything, this fine also highlights the importance of taking proper advice and may presage a greater use of Chartered IT Professionals.

The message must be that if you use IT in your business (whatever your firm's size), you must take proper advice, you must not try to cut corners and you must not treat IT security in a cavalier fashion.

This weblog is produced by Revell Research Systems.

US Diplomatic ‘WikiLeaks’ Inevitable

Alastair Revell — Fri, 03 Dec 2010 10:42:12 GMT

I was interested in what Sir Christopher Meyer (HM Ambassador to the United States between 1997 and 2003) had to say about WikiLeaks on BBC Question Time last night.

I understand from what he was saying that the United States created a massive ‘intranet’ to share intelligence from around the world between their agencies as part of their response to 11th September 2001 attacks. They wanted a clearer picture of the emerging threats to the United States.

He suggests that over two and half million people have access to this ‘intranet’ and implies that leaks were inevitable.

I feel that there is an important lesson here for any government or commercial enterprise that tries to build massive databases. The more people who have access, the more likely there is to be a leak.

This weblog is produced by Revell Research Systems.

NHS: Can we trust them with the Patient Summary Care Record Data?

Alastair Revell — Wed, 02 Jun 2010 15:56:23 GMT

I find it worrying that the Information Commissioner’s Office (ICO) reports that the NHS is the United Kingdom’s worst offender in terms of keeping personal data, especially in light of the Patient Summary Care Record scheme, which will eventually hold details from most people’s medical records.

The question for me is simple: Can they be trusted to look after computerised medical records?

According to a spreadsheet accompanying the ICO’s press release of 28th May 2010, the NHS has reported more breaches than any other body to date. The data shows that these losses have largely been through either lost or stolen data/hardware rather than insecure disposal or accidental disclosure.

I agree absolutely with David Smith, the Deputy Commissioner, who said: “The ICO maintains it is essential that the protection of people’s personal information is part of organisations’ culture and DNA.”

However, the issue of data protection is clearly wider in scope than our trust in the NHS’ ability to keep our data secure.

The press release actually marks the 1,000th breach reported to the ICO, with the actual number now standing at 1,007. A rough calculation suggests that between one-in-two and one-in-three people in the United Kingdom have had their personal data compromised.

The ICO have said that although more personal data has been lost by the NHS, the largest ever breach reported was the loss of 25M people’s personal data by HMRC on two CDs in November 2007.

However, the data shows that the second largest offender collectively is the private sector, which doesn’t surprise me. Worse still, I suspect that most private sector breaches probably go unreported, so this figure might be the tip of the iceberg.

The ICO is keen to remind organisations that it can now levy fines of up to £500,000 per breach.

If you would like to know more about the new powers the Information Commissioner acquired in April 2010 and what the outcome might be should you be reckless with personal data then you might like to read my recent blog on data protection!

This weblog is produced by Revell Research Systems.

Thoughts on The Queen's Speech

Alastair Revell — Fri, 28 May 2010 20:46:40 GMT

I welcome the two IT related bills in the Queen’s Speech.

The Freedom (Great Repeal) Bill will limit the amount of time that the DNA profiles of innocent people in England and Wales can be held on the national database and will adopt the Scottish model. This seems to be much more proportionate than holding a blanket database of everyone’s DNA, which was where we seemed to be heading at one point. I believe that this would have led to all sorts of problems in the future. I think that this bill now strikes the right balance between bring criminals to justice and ensuring the privacy and freedom of innocent people.

The bill will also tighten the regulations on the use of CCTV cameras, which seem to be springing up everywhere. The United Kingdom already has more surveillance than any other society in the world and we need to be careful about how we are using this technology. In fact, we must become much more wary about using technology in general just because we can without first giving proper and due consideration to the longer-term consequences.

For almost as long as I can remember, I have been concerned about the introduction of a centralised identity database. Government has not had a good track record in keeping people’s personal data secure and I could see all sorts of abuses developing around the proposed National Identity Register.

I was alarmed by just how many people initially welcomed the proposals introduced by the Labour Government in the wake of the recent terrorism atrocities. Many people were saying that they had “nothing to hide” and that it was a “small price to pay” for safety and security. However, it is clear that the British People have woken up to the fact that their personal data is extremely valuable and that such a database would have proved to have been highly intrusive. I think it has also become increasingly clear just how little protection these measures would actually offer against terrorism in any event.

Consequently, I welcome the Identity Documents Bill which will cancel identity cards, the National Identity Register and the next generation of biometric passports. These were always going to be expensive projects which, in the current economic climate, we can ill-afford. It was also clear to many IT professionals that the whole programme was likely to cost far more than the politicians were hoping.

While it might be unpopular with IT practitioners, I also welcome the new administration’s jaded view of using information technology as a silver bullet and I am glad that the government is looking to shelve a good number of other expensive and ill-conceived projects. It is not that I think government should avoid IT altogether. It is just that I am mindful that most government projects do not really deliver the intended benefits to the public who pay for them.

The simple truth is that government does not have a good track record in implementing IT projects on time and inside budget. This is partly due to a propensity amongst politicians to view IT as some sort of “magic wand” that they can wave over complex issues with the hope that everything will be magically sorted. However, it is also, I am afraid, partly due to a lack of ethical practice by many so called professionals within IT that lead government (and no doubt a good number of private sector organisations too) into the belief that IT can solve almost everything. As Michael Cross said on the Guardian web site some time ago (23rd September 2009): “the IT industry is not shy about talking up its abilities.”

The latter point is why I am an ardent advocate of Chartered IT Professionals (CITP) because central to the ideas that underpin this registration is the need to work in the public interest and to always take an ethical stance when providing advice. As I said in my article “IT Professionals must be Assertive!”, professionalism is about telling the truth whether the client likes the message, or not. The problem with government (and others) is that they infinitely prefer to be told something is possible and even better, that it is cheap. The complexities involved in modern IT means that most politicians and civil servants must rely on the advice they receive from their IT advisors. For an unscrupulous consultant, it is easy to promise the earth and forget to mention until much later that it will also cost the earth.

This weblog is produced by Revell Research Systems.

McAfee Update Causes Windows XP SP3 Machines to Fail Worldwide

Alastair Revell — Wed, 21 Apr 2010 20:34:45 GMT

I imagine that 21st April 2010 will be a day that McAfee will remember for sometime to come and probably one they would much prefer to forget!

The antivirus vendor issued its daily security update DAT5958 at 06:00 PDT (GMT-7), but by 13:00 BST (GMT+1) the update was wreaking havoc on many corporate networks in the United Kingdom, let alone the rest of the world!

The update affected Windows XP machines with Service Pack 3 applied, falsely detecting the svchost.exe file as Win32/wecorl.a. The vendor’s VirusScan product essentially prevented the svchost.exe file from running, causing Windows to endlessly reboot in many cases.

McAfee acted fairly quickly by pulling the affected virus definition file (DAT5958) from their download servers, preventing more customers from becoming involved in what must be one of the worst update issues to impact corporate networks for some time.

They released DAT5959 to replace the affected virus definition file at around 10:15 PDT (GMT-7).

This incident comes on the back of reports that many modern anti-virus products are failing to detect malware. I’ve just been reviewing Cyveillance’s February 2010 Cyber Intelligence Report, which suggests McAfee detects around 37% of emerging threats on a daily basis (based on data from the last half of 2009). Kaspersky came out on top with a daily detection rate of 38%, but many were much poorer - such as Symantec on 25%.

The time for relying on straight-forward anti-virus products seems to be coming to an end…

This weblog is produced by Revell Research Systems.

Data Protection Act 1998

Alastair Revell — Wed, 27 Jan 2010 16:21:41 GMT

I suspect many businesses and probably most members of the general public are unaware that the fees for notification under the Data Protection Act 1998 were changed with effect from 1st October 2009. The change was made through The Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 Statutory Instrument 2009/1677 laid before Parliament by Michael Willis, Minister of State in the Ministry of Justice, on 6th July 2009.

The annual notification fee has been £35 for all data controllers, regardless of their size, since 2000. However, from 1st October 2009, two-tiers of fees have been in force.

Essentially, small and medium sized-organisations with fewer than 250 employees or less than £25.9M turnover continue to pay £35 annually and are now defined as “Tier 1” organisations. All other bodies (including any public authorities defined in the 1998 act) will now fall into “Tier 2” and must pay £500 annually.

I think the general public have come to realise over the last couple of years just how important their data is and how easily it can be lost by cavalier organisations (including government departments!)

I welcome the change in the fee structure provided the extra funds taken are used to increase the Information Commissioner’s capability to ensure all of our private data is kept more securely by those with whom it is entrusted and that those who flagrantly breach the rules are brought to task.

Many businesses see the current fee as a stealth tax and I suspect a good number of the general public too. However, I hope with the increased funding that the Information Commissioner will be seen to be doing more to actively protect the public from cavalier data controllers by everybody.

These fee increases have been introduced ahead of new powers that will come into effect in April 2010 that will allow the Information Commissioner to fine people and organisations that recklessly breach any of the eight principles that underpin the act.

These new powers were introduced as part of the Criminal Justice and Immigration Act 2008, but will only come into force in April 2010. The Information Commissioner will only be able to fine data controllers when one or more of the eight principles have been seriously breached in cases where the breach was deliberate, or where the controller knew (or ought to have known) that the risk of such a breach was likely to cause substantial damage or distress; and the controller failed to take action to stop it.

Hopefully, these new teeth will work in tandem with the new funding to ensure all of our personal data is kept much more safely.

This weblog is produced by Revell Research Systems.

More on the Exeter University Virus

Alastair Revell — Wed, 20 Jan 2010 21:11:14 GMT

Just a quick update to my earlier blog regarding the problems currently being faced by the University of Exeter. It seems the virus is exploiting known flaws in the Microsoft Vista and Microsoft Server 2008 platforms.

Zack Whittacker, who blogs for ZDNet, has a source inside the university here in Exeter. Apparently, the virus is mainly targeting Vista SP2 machines and the IT staff at the university are trying to use patch MS09-050 to reduce the attack surface.

It is understood that this virus has not been seen outside of the Exeter campus, but clearly demonstrates the disruption that a carefully crafted attack can cause.

There is a suggestion in Whittacker's blog that some critical patches had not been applied (using the Microsoft System Update Service).

We strongly believe that machines should regularly be checked to ensure that patches that should have been applied, actually have been applied. If the loop is not closed in this manner then these sorts of problems are eventually inevitable.

We are concerned that many SMEs, who often do not patch properly, may be at considerable risk if this virus escapes the Exeter campus.

In addition, I remain concerned about the zero-day virus threat. A virus that spreads quickly and easily such as this one, that exploits a flaw such as the one in Internet Explorer that saw Google hacked in China, with a drive-by infection capability on a site such as any of the international versions of Google would lead to huge economic disruption across the globe.

For starters, many people set Google as their home page, so in this apocalyptic scenario, they would be infected and spreading such a virus internally inside the organisational firewall without detection or defence the moment they went online...

This weblog is produced by Revell Research Systems.

Exeter University Shutdown!

Alastair Revell — Wed, 20 Jan 2010 17:02:17 GMT

It seems that the University of Exeter is currently in the middle of a major virus outbreak, which has led to their IT team shutting down the entire campus network, including their telephone system in an attempt to contain the problem.

The attack appears to have started on Monday. The campus network was shutdown at around 2:00pm as a direct response to the threat. However, the problems seem to be continuing today (Wednesday).

The university’s home page suggests that staff and students are only able to access email externally using home computers and the like.

The communications advice issued by the university says that it “is currently experiencing a severe IT incident, and as a precautionary measure we’ve taken much of our network offline. Parts of the University are being brought back online today as soon as it is safe to do so. The University switchboard is online and can accept calls, but we are unable to transfer them to some affected areas of the University.”

Sources in Exeter suggest that the virus has not been identified, but it is thought that the university was deliberately targeted. Stuart Franklin, a spokesman for the university, speaking to the local evening paper, the Express & Echo, said: “We were attacked by a virus. It was a malicious attack. It is the first time I have known such an attack to succeed.”

It seems clear that this virus is extremely virulent and has managed to spread quickly and easily. This strongly suggests that it managed to circumvent the university’s antivirus systems and may have been akin to a zero-day virus.

Although a difficult decision, I believe that closing down the infrastructure in such circumstances is the right thing to do.

This incident should provide food for thought for many organisations. The cost of closing down a network is extremely expensive in terms of lost revenue and opportunities, even before the sheer amount of professional time spent checking systems and returning them to service is taken into consideration.

In fact, this sort of attack can cause immense damage to an organisation and is relatively easy to perpetrate, which has not escaped the notice of Lloyd’s of London Emerging Risks Team in their October 2009 report: ‘Digital Risks: Views of a Changing Risk Landscape’. The report states that “The value of data can vary enormously, but for some organisations it could mean bankruptcy.”

The interesting aspect to this attack is that the university believes it was “hit by the virus deliberately”.

I think we may see an increase in this sort of attack in the future. The recession has been very deep and many people with criminal intent and technical capability across the world may turn to cyber-crime.

In the first two weeks of January, we’ve seen the national governments of France and Germany warn their citizens about security flaws in Internet Explorer after an attack on Google’s site in China (along with some 20 other organisations), which Microsoft admitted late last week were part of the attack mechanism. The code that exploits these particular flaws were published on Monday, 18th January 2010 and there are already some reports of it being used maliciously.

Although the problems at the University of Exeter and the issues with Internet Explorer are probably not connected, the trend for increased, malicious attacks is clear.

This weblog is produced by Revell Research Systems.

IT Professionals must be Assertive!

Alastair Revell — Wed, 02 Dec 2009 17:46:49 GMT

I’ve been mulling over Michael Cross’ article of 23rd September 2009 for the Guardian web site for a while now, which was written in response to The British Computer Society rebranding itself as BCS The Chartered Institute for IT and announcing that it was revising its process for Chartered IT Professional (CITP) registration.

The article sported the contentious title: “IT can have its professionals, if they don’t get stroppy” with a subtitle of “Government and employers will not recognise IT ‘professionals’ if they are demanding as doctors and lawyers.”

Mr Cross’ article highlights the tight rope that the Chartered Institute for IT walks as it tries to raise the level of professionalism in IT. The government is currently very supportive of the Institute’s moves to raise the bar in the IT profession, but Mr Cross rightly points out that “the trend could swiftly go into reverse if a new government finds IT professionals to be as stroppy and independent-minded as they find doctors and lawyers today.”

He continues: “Governments like taking expert advice – but only if it’s ‘Yes, minister’”, which certainly seems to be true with the recent resignations from various expert advisory panels because they apparently didn’t say what the current government wanted to hear.

The problem, of course, is that so called “stroppiness” is an important aspect of professionalism. A professional has a duty to their client to advise them when their actions are contrary to their professional advice and to point out the probable consequences.

It is precisely this lack of professional ethics that causes much of the damage to the public purse and, no doubt, many private purses too. As Cross chides in his article, “the IT industry isn’t shy about talking up its abilities” and he rams the point home with the anecdote that he has a corporate t-shirt that boasts a company slogan of “Mission impossible achieved”.

A major problem with the IT industry is that it is too heavily driven by sales hype that plays on the naivety of easily persuaded customers. Professionalism, on the other hand, is about telling the truth, whether the client likes the message, or not.

This weblog is produced by Revell Research Systems.

Rural Payments Agency: More Government Data Loss

Alastair Revell — Sat, 31 Oct 2009 15:01:56 GMT

Farmers Weekly has reported that the Rural Payments Agency (RPA) has lost the payment details of every farmer in the United Kingdom that has ever claimed a farm payment. The details include names and addresses, bank details, passwords and security questions and apparently were not encrypted. The number of farmers affected is believed to be around 100,000.

The details were leaked to Farmers Weekly by frustrated civil servants working on the single payments system and an external consultant who was advising on the system.

The whistle-blowers allege that 39 backup tapes went missing last year when they were transferred from offices in Reading to Newcastle. Thirty-seven tapes have been recovered, but two are still unaccounted for.

The whistle-blowers were concerned that the RPA and DEFRA would remain tight-lipped over the incident. According to Farmers Weekly, DEFRA has admitted that tapes went missing, but has told them that the data was not lost in transit and was instead misplaced within the data centre.

DEFRA has also admitted that the data on the tapes was not encrypted, but insists information could not be accessed without specialised technical equipment and knowledge. The government department has also insisted that the risks posed to farmers are very low.

Apparently, the tapes were last seen in June 2008, but were discovered as missing by the contractor, IBM, in May 2009. There loss has only just become public knowledge in late October 2009.

Obviously, this will do little to bolster the general public’s justifiable lack of confidence in the government’s ability to safe-guard their data. The question is soon going to be what data has the government not lost!

However, as I have said before, I do not believe that the government is actually anymore cavalier with data than the private sector. It is just that the government is an easier target to expose. I believe the data handling procedures of many commercial organisations are equally poor.

This most recent loss has barely hit the headlines, probably because it is no longer newsworthy to say that the government leaks like a colander. The next organisation to be vilified by the press for data loss may well come from the private sector…

This weblog is produced by Revell Research Systems.