Alastair Revell - Blog - Security

LinkedIn Security Breach: 6M Hashed Passwords Potentially Leaked

Alastair Revell — Wed, 06 Jun 2012 17:38:54 GMT

There are claims circulating on the Web today, which have been reported by the BBC, stating that some six million passwords from LinkedIn have been leaked on a Russian Internet site in encrypted form.

LinkedIn, which has around 150 million users, has responded via a tweet that they are investigating these claims.

Graham Cluley, from Sophos, is reported by the BBC as saying: "We've confirmed there are LinkedIn passwords in the data. We did this by searching through the data for (hashed) passwords that we at Sophos use only on LinkedIn. We found those passwords in the data. We also saw that hundreds of the passwords contain the word 'Linkedin'."

This strongly suggests that LinkedIn may only be hashing and not salting their passwords properly (if at all). Hashing is a method that encrypts a password in such a way that it cannot be decrypted. The original password is not stored, only the encrypted version, making it near impossible to work out what the original was from just what was stored. Each time someone claims to be entering the password, that entry is hashed using exactly the same algorithm and compared with what was stored. If they match then the current entry is to all intents and purposes the same as the original password, which is a secret only known to the user.

The problem with just plain hashing is that the same algorithms are widely used by developers (simply because there aren't that many available), so all a hacker has to do is run possible passwords through the same hash algorithm to generate a simple (if not large) look up table that essentially marries hashes with passwords. If they have a hash with a corresponding password then they have struck the jackpot!

If the hacker has considerable computing power at their disposal for long periods of time then they can clearly build pretty comprehensive tables that cover (say) all eight letter passwords possible. Obviously, the longer or more complex a password is, the larger the effort needed to compromise it. The beauty from the hacker’s perspective is that once they have generated or otherwise acquired a table then it can be used to attack many different systems that use the same plain hashing algorithm.

Salting improves the security by amending the original password before it is hashed, usually by adding random characters to it in someway. This means that even if the hacker knows the hashing algorithm and the salts in use as well as how it was used to change the original password, their lookup tables will be useless because they now need a lookup table for each salt in use, which could be as many as one per password. Salting makes the hashes used by the system under attack almost unique to that system, greatly increasing the amount of effort needed to compromise it. Prospective hackers would essentially need to build a lookup table for each salt used. This approach frequently puts encrypted passwords beyond the economic reach of even the most determined hackers (although they could theoretically obtain them with a huge amount of resources). However, salting can be done badly by using the same salt for each password, which means once that is guessed or otherwise ascertained, then the problem is no more difficult than working on unsalted hashes.

The fact that Sophos has been able to ascertain that some of their LinkedIn passwords are amongst the stolen hashes strongly suggests that the passwords were only hashed and not salted particularly well (if at all). Consequently, it is going to be much easier for hackers to work out what the original passwords were by simply using a brute force approach until they strike gold.

Obviously, the longer the password and the wider the range of characters used in constructing it (upper and lower case letters, numbers, punctuation marks, etc) the more effort will be needed by the hackers. It’s also likely that those with short passwords based on real words will be cracked first.

I would join Graham Cluley in strongly urging people to change their password on LinkedIn and anywhere else that they have used the same password. (You would be wise to use a complex password.) Once a hacker has established your password and linked it to your identity then they are highly likely to try it elsewhere so that the fruits of their labour may be better rewarded, possibly with your hard earned cash!

This weblog is produced by Revell Research Systems.

Would You Risk the Wrath of the Information Commissioner?

Alastair Revell — Tue, 10 May 2011 16:00:10 GMT

The Information Commissioner's fining of solicitor Andrew Jonathan Crossley is interesting in several respects and contains an important message for many small businesses.

The £1,000 fine was announced by the Information Commissioner's Office (ICO) today in a press release.

Mr Crossley was the owner of the law firm ACS Law, which has recently ceased trading. The firm gained widespread exposure for its aggressive pursuit of those alleged to have infringed copyright through peer-to-peer file sharing activities in recent years. It seems that many of those pursued by the firm were probably innocent and I understand that the only successful prosecutions in this matter were won by default when the defendants failed to appear in court.

In September 2010, ACS Law's web site was seriously attacked, causing it to crash. In the subsequent aftermath, a backup file containing emails between ACS Law's employees and other parties appeared on the web site, which allowed anyone to access around 6,000 people’s sensitive personal information. These emails included credit card details as well as references to people’s sex life, health and financial circumstances.

The Information Commissioner, Christopher Graham, has made it very clear that had ACS Law still been trading then the fine could have been as much as £200,000: "Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach".

I feel this fine is important because it shows that the ICO is prepared to fine SME organisations large amounts and is also prepared to pursue their owners in cases of serious breach where the owner is a sole trader.

The Information Commissioner stated that: "The security measures ACS Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details". I am often shocked about how poor security is at SME organisations. Many SME business leaders do not listen to advice about security matters. I am also afraid to say that many IT suppliers also do not care about security, preferring to close a sale at any cost. They often fail to make their customers aware of the risks they face, taking a view that it is the customer’s problem if they don't recognise or understand the issues at stake.

Worse still, many SME firms run their IT systems on a shoestring, avoiding professional advice wherever possible, and only bring in competent support when things really become dire.

It is clear that Mr Graham takes a rather dim view of this approach to managing a company's IT infrastructure. He makes it clear that "Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law's web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure." The Information Commissioner clearly believes that if you are going to use IT systems then you should do it properly and not on a shoestring.

If anything, this fine also highlights the importance of taking proper advice and may presage a greater use of Chartered IT Professionals.

The message must be that if you use IT in your business (whatever your firm's size), you must take proper advice, you must not try to cut corners and you must not treat IT security in a cavalier fashion.

This weblog is produced by Revell Research Systems.

NHS: Can we trust them with the Patient Summary Care Record Data?

Alastair Revell — Wed, 02 Jun 2010 15:56:23 GMT

I find it worrying that the Information Commissioner’s Office (ICO) reports that the NHS is the United Kingdom’s worst offender in terms of keeping personal data, especially in light of the Patient Summary Care Record scheme, which will eventually hold details from most people’s medical records.

The question for me is simple: Can they be trusted to look after computerised medical records?

According to a spreadsheet accompanying the ICO’s press release of 28th May 2010, the NHS has reported more breaches than any other body to date. The data shows that these losses have largely been through either lost or stolen data/hardware rather than insecure disposal or accidental disclosure.

I agree absolutely with David Smith, the Deputy Commissioner, who said: “The ICO maintains it is essential that the protection of people’s personal information is part of organisations’ culture and DNA.”

However, the issue of data protection is clearly wider in scope than our trust in the NHS’ ability to keep our data secure.

The press release actually marks the 1,000th breach reported to the ICO, with the actual number now standing at 1,007. A rough calculation suggests that between one-in-two and one-in-three people in the United Kingdom have had their personal data compromised.

The ICO have said that although more personal data has been lost by the NHS, the largest ever breach reported was the loss of 25M people’s personal data by HMRC on two CDs in November 2007.

However, the data shows that the second largest offender collectively is the private sector, which doesn’t surprise me. Worse still, I suspect that most private sector breaches probably go unreported, so this figure might be the tip of the iceberg.

The ICO is keen to remind organisations that it can now levy fines of up to £500,000 per breach.

If you would like to know more about the new powers the Information Commissioner acquired in April 2010 and what the outcome might be should you be reckless with personal data then you might like to read my recent blog on data protection!

This weblog is produced by Revell Research Systems.

McAfee Update Causes Windows XP SP3 Machines to Fail Worldwide

Alastair Revell — Wed, 21 Apr 2010 20:34:45 GMT

I imagine that 21st April 2010 will be a day that McAfee will remember for sometime to come and probably one they would much prefer to forget!

The antivirus vendor issued its daily security update DAT5958 at 06:00 PDT (GMT-7), but by 13:00 BST (GMT+1) the update was wreaking havoc on many corporate networks in the United Kingdom, let alone the rest of the world!

The update affected Windows XP machines with Service Pack 3 applied, falsely detecting the svchost.exe file as Win32/wecorl.a. The vendor’s VirusScan product essentially prevented the svchost.exe file from running, causing Windows to endlessly reboot in many cases.

McAfee acted fairly quickly by pulling the affected virus definition file (DAT5958) from their download servers, preventing more customers from becoming involved in what must be one of the worst update issues to impact corporate networks for some time.

They released DAT5959 to replace the affected virus definition file at around 10:15 PDT (GMT-7).

This incident comes on the back of reports that many modern anti-virus products are failing to detect malware. I’ve just been reviewing Cyveillance’s February 2010 Cyber Intelligence Report, which suggests McAfee detects around 37% of emerging threats on a daily basis (based on data from the last half of 2009). Kaspersky came out on top with a daily detection rate of 38%, but many were much poorer - such as Symantec on 25%.

The time for relying on straight-forward anti-virus products seems to be coming to an end…

This weblog is produced by Revell Research Systems.

More on the Exeter University Virus

Alastair Revell — Wed, 20 Jan 2010 21:11:14 GMT

Just a quick update to my earlier blog regarding the problems currently being faced by the University of Exeter. It seems the virus is exploiting known flaws in the Microsoft Vista and Microsoft Server 2008 platforms.

Zack Whittacker, who blogs for ZDNet, has a source inside the university here in Exeter. Apparently, the virus is mainly targeting Vista SP2 machines and the IT staff at the university are trying to use patch MS09-050 to reduce the attack surface.

It is understood that this virus has not been seen outside of the Exeter campus, but clearly demonstrates the disruption that a carefully crafted attack can cause.

There is a suggestion in Whittacker's blog that some critical patches had not been applied (using the Microsoft System Update Service).

We strongly believe that machines should regularly be checked to ensure that patches that should have been applied, actually have been applied. If the loop is not closed in this manner then these sorts of problems are eventually inevitable.

We are concerned that many SMEs, who often do not patch properly, may be at considerable risk if this virus escapes the Exeter campus.

In addition, I remain concerned about the zero-day virus threat. A virus that spreads quickly and easily such as this one, that exploits a flaw such as the one in Internet Explorer that saw Google hacked in China, with a drive-by infection capability on a site such as any of the international versions of Google would lead to huge economic disruption across the globe.

For starters, many people set Google as their home page, so in this apocalyptic scenario, they would be infected and spreading such a virus internally inside the organisational firewall without detection or defence the moment they went online...

This weblog is produced by Revell Research Systems.

Exeter University Shutdown!

Alastair Revell — Wed, 20 Jan 2010 17:02:17 GMT

It seems that the University of Exeter is currently in the middle of a major virus outbreak, which has led to their IT team shutting down the entire campus network, including their telephone system in an attempt to contain the problem.

The attack appears to have started on Monday. The campus network was shutdown at around 2:00pm as a direct response to the threat. However, the problems seem to be continuing today (Wednesday).

The university’s home page suggests that staff and students are only able to access email externally using home computers and the like.

The communications advice issued by the university says that it “is currently experiencing a severe IT incident, and as a precautionary measure we’ve taken much of our network offline. Parts of the University are being brought back online today as soon as it is safe to do so. The University switchboard is online and can accept calls, but we are unable to transfer them to some affected areas of the University.”

Sources in Exeter suggest that the virus has not been identified, but it is thought that the university was deliberately targeted. Stuart Franklin, a spokesman for the university, speaking to the local evening paper, the Express & Echo, said: “We were attacked by a virus. It was a malicious attack. It is the first time I have known such an attack to succeed.”

It seems clear that this virus is extremely virulent and has managed to spread quickly and easily. This strongly suggests that it managed to circumvent the university’s antivirus systems and may have been akin to a zero-day virus.

Although a difficult decision, I believe that closing down the infrastructure in such circumstances is the right thing to do.

This incident should provide food for thought for many organisations. The cost of closing down a network is extremely expensive in terms of lost revenue and opportunities, even before the sheer amount of professional time spent checking systems and returning them to service is taken into consideration.

In fact, this sort of attack can cause immense damage to an organisation and is relatively easy to perpetrate, which has not escaped the notice of Lloyd’s of London Emerging Risks Team in their October 2009 report: ‘Digital Risks: Views of a Changing Risk Landscape’. The report states that “The value of data can vary enormously, but for some organisations it could mean bankruptcy.”

The interesting aspect to this attack is that the university believes it was “hit by the virus deliberately”.

I think we may see an increase in this sort of attack in the future. The recession has been very deep and many people with criminal intent and technical capability across the world may turn to cyber-crime.

In the first two weeks of January, we’ve seen the national governments of France and Germany warn their citizens about security flaws in Internet Explorer after an attack on Google’s site in China (along with some 20 other organisations), which Microsoft admitted late last week were part of the attack mechanism. The code that exploits these particular flaws were published on Monday, 18th January 2010 and there are already some reports of it being used maliciously.

Although the problems at the University of Exeter and the issues with Internet Explorer are probably not connected, the trend for increased, malicious attacks is clear.

This weblog is produced by Revell Research Systems.

Rural Payments Agency: More Government Data Loss

Alastair Revell — Sat, 31 Oct 2009 15:01:56 GMT

Farmers Weekly has reported that the Rural Payments Agency (RPA) has lost the payment details of every farmer in the United Kingdom that has ever claimed a farm payment. The details include names and addresses, bank details, passwords and security questions and apparently were not encrypted. The number of farmers affected is believed to be around 100,000.

The details were leaked to Farmers Weekly by frustrated civil servants working on the single payments system and an external consultant who was advising on the system.

The whistle-blowers allege that 39 backup tapes went missing last year when they were transferred from offices in Reading to Newcastle. Thirty-seven tapes have been recovered, but two are still unaccounted for.

The whistle-blowers were concerned that the RPA and DEFRA would remain tight-lipped over the incident. According to Farmers Weekly, DEFRA has admitted that tapes went missing, but has told them that the data was not lost in transit and was instead misplaced within the data centre.

DEFRA has also admitted that the data on the tapes was not encrypted, but insists information could not be accessed without specialised technical equipment and knowledge. The government department has also insisted that the risks posed to farmers are very low.

Apparently, the tapes were last seen in June 2008, but were discovered as missing by the contractor, IBM, in May 2009. There loss has only just become public knowledge in late October 2009.

Obviously, this will do little to bolster the general public’s justifiable lack of confidence in the government’s ability to safe-guard their data. The question is soon going to be what data has the government not lost!

However, as I have said before, I do not believe that the government is actually anymore cavalier with data than the private sector. It is just that the government is an easier target to expose. I believe the data handling procedures of many commercial organisations are equally poor.

This most recent loss has barely hit the headlines, probably because it is no longer newsworthy to say that the government leaks like a colander. The next organisation to be vilified by the press for data loss may well come from the private sector…

This weblog is produced by Revell Research Systems.

IT Security: No Symptoms? No Problems?

Alastair Revell — Tue, 19 May 2009 18:37:15 GMT

I periodically battle with SME clients who argue that no one really would want to “hack” their organisation – they are simply too small or too insignificant to warrant the effort. I suspect I am not alone and that many other advisers on IT have the same trouble persuading their clients of the very real risks they face.

The argument that is often recited is that when the partner or director was employed elsewhere, their previous firm was much slacker with their IT security and had no problems whatsoever. The issue, of course, is that the goal in hacking has changed from destruction to utilisation. The aim is to take unseen control of the computing resources of an organisation and to use those resources for crime. It simply doesn’t surprise me that there never are any signs of compromise!

The BBC recently reported that security firm Finjan had tracked down a botnet with over two million machines under its control to a group of criminals working in the Ukraine. This particular botnet had even ensnared computing resources inside both the UK and US governments, which in itself raises concerns.

I suspect that firms that take few steps to lock down their workstations will have background malware undertaking all sorts of malicious activities. These infections will probably have managed to enter their sites via the web or email, which is increasingly carrying malicious content.

The so-called drive-by attacks using infected third party web sites is particularly worrying. Few organisations seem to scan inbound data over the web for vulnerabilities, partly because of the impact on browsing speeds that this would have. Those organisations that then don’t lock down their desktops so users cannot install software run very real risks of users innocently and unknowingly installing something they really don’t want. Once such software is on the inside of the firewall, most SME organisations simply have little or no defence, especially if the software is not strictly considered a “virus” and ignored by their anti-virus product.

A technical colleague in another firm drew my attention recently to Sophos’ Security Threat Report 2009, which provides examples of firms that have suffered attacks on their web sites. Some of these web sites would have posed risks to casual browsers of those sites as well as to those who had previously provided them with confidential information.

The list included such well-known names as ITV, a site selling Euro 2008 football championship tickets, the anti-virus firm Trend Micro, Cambridge University Press, Sony’s US Playstation site, the Association of Tennis Professionals’ web site as Wimbledon opened in the UK in June 2008 and the Business Week web site.

Unfortunately, I doubt few SME business leaders that have small (if any) indigenous IT staff will actually ever get to read it.

However, the difficulty simply persists that many SME organisations believe that no symptoms means no underlying problems. I can see their dilemma – a bunch of (often external) IT professionals becoming excited about dangerous threats and advocating the spending of money in a recession is far from appealing, especially when the risks from a naïve perspective seems minimal.

I was recently a guest at The Institution of Analysts and Programmers Spring Seminar in the London Docklands at which Microsoft’s Chief Security Advisor in the United Kingdom, Ed Gibson, spoke. He is an engaging speaker, an attorney in the United States and a practising solicitor in England and Wales, as well as a former FBI agent. He has for sometime been trying to raise awareness of these issues in the United Kingdom.

While listening to him and while mulling over his thoughts at the (excellent) lunch that followed, I believe that we really do need some form of reliable reporting mechanism for attacks of the sort documented by Sophos and these need to become highly publicised, even if in an anonymous form.

SME business leaders need to have independently verified facts about the IT security risks they face that are both readily available and easily digested; and in a form that brings the message home.

This weblog is produced by Revell Research Systems.

Bletchley Park

Alastair Revell — Tue, 23 Sep 2008 10:29:01 GMT

I was pleased to hear recently that both IBM and PGP have between them made a grant of £57,000 towards the upkeep of Bletchley Park. The BBC has reported that the “donation will help curate and restore exhibits at the National Museum of Computing in Bletchley Park, Bucks”.

However, I suspect a good deal more is needed to keep the museum going.

A group of 100 eminent scientists, lead by Dr Sue Black, head of the computer science department at the University of Westminster wrote to The Times in July 2008 to condemn the neglect of the museum. She visited Bletchley earlier in the summer and was so moved by its sorry state that she wrote to her fellow heads of department at universities around the United Kingdom. She was surprised by the level of support she received, which led directly to the letter being written.

I agree with her comments that it is a “national disgrace” that such an historic site is being allowed to fall into decay because of a lack of finance. Dr Black has proposed that the museum should receive funding from the government, which is certainly something that I would endorse.

Bletchley Park is an incredibly important part of our computing heritage. It was at Bletchley that the German Enigma Code was broken, which hastened the end of World War II.

It was also at Bletchley Park that arguably the first working modern computer was built, the so-called Colossus.

Nigel Stanley, who is a fellow-blogger at IT Director and the IT Security Practice Leader for Bloor Research, has visited the museum and blogged a few weeks ago that: “Touring the various huts and getting the story of Bletchley Park brought to life by a guide was awe inspiring as was the demonstration of the early electro mechanical computers that helped bring forward the end of the war by 2 years.”

Computing is certainly still a modern discipline, but I do not think future generations will thank us if we manage to let some of its most pioneering early work simply fade from memory because we were immature enough as an industry to realise its significance to history.

The Bletchley Park web site has a facility for UK tax payers to make credit card gift-aid donations.

This weblog is produced by Revell Research Systems.

Internet Attacks: It Won’t Happen to Us…

Alastair Revell — Mon, 11 Feb 2008 21:35:25 GMT

The lack of understanding of IT-related security issues in many small-to-medium sized businesses that I encounter as a management and technology consultant often worries me.

There seems to be a mindset amongst senior managers (often at partner and director level) that security breaches are only perpetrated by external human hackers and that their firms are not sufficiently important enough to attract attention.

These senior managers miss the fact that almost all initial external attacks are automated and that although many of these attacks may be unsuccessful in compromising their organisation’s data security, they may nonetheless seriously damage their internal infrastructure, resulting in significant costs in order to rectify the damage.

It would be a lucky organisation indeed that did not have its Internet defences probed at least once every couple of minutes. The most recent log I inspected for a small organisation was receiving an attack per minute in what appeared to be an attempt to swamp instant messaging clients with spam. The log also revealed port scans and other nefarious activity once every 10 minutes. These more serious attacks are often scanning for weaknesses through which to inject malware.

We have conducted occasional exercises in assessing just how bad this type of wanton vandalism is by simply connecting an unprotected set of newly built PCs to the Internet. Our somewhat primitive research shows that it takes around 15 minutes before machines in this condition are crippled with malware. Much of the malware also seems to be aimed at stealing credit card details and the like; and could cause enormous damage to an organisation’s reputation.

I’m often confronted by SME senior managers that argue that they have nothing of value on their networks, but my immediate retort is that neither did the machines mentioned above, but the cost of putting them back together again was expensive. It is clear from the subsequent discussions with these managers just how valuable having an operating computer system actually is to their organisations.

The irony is, of course, that the sort of dubious activity I see time and time again in firewall logs is the equivalent of a criminal gang casually walking down the road trying the doors and windows of each building they encounter for weaknesses, with a view to coming back later to investigate the weaker buildings further. I have little doubt if our streets were full of such marauding gangs then there would be huge public concern. The problem for IT is that this kind of behaviour is literally “out of sight, out of mind”.

I believe, like many other observers in the profession, that there is a discernible shift away from writing viruses for the sheer devilment of it to one of seriously making money out of it.

Indeed, Joe Telafici, vice president of operations for McAfee’s Avert Labs, recently said in a BBC interview that he felt 2007 had effectively seen the extinction of young hackers who wrote viruses and other malicious programs for fun and that writing Windows malware was now all about money.

This weblog is produced by Revell Research Systems.

Personal Details of 25M People Compromised by UK Government

Alastair Revell — Tue, 20 Nov 2007 21:28:24 GMT

I suspect the loss of 25 million child benefit records by HM Government in the United Kingdom will have considerable, long-term ramifications.

I understand that the compromised data represents the details of all the recipients of Child Benefit in the United Kingdom and includes names, addresses, dates of birth, national insurance numbers and, in many cases, the banking details of the parents or guardians involved.

According to a BBC news report, HM Revenue & Customs (HMRC) sent a couple of CDs with this highly sensitive data to the National Audit Office on 18th October 2007, but didn’t discover the information was missing until 24th October 2007. Apparently, the CDs were sent by internal mail without being registered or recorded in any way. It was clearly an accident waiting to happen.

Worse still, when they didn’t turn up, it seems from the statement made to the House of Commons by the Chancellor of the Exchequer, Alistair Darling MP, that a further copy was sent by recorded delivery, which apparently he believes should not have happened either!

It needs a moment or two just to reflect on the enormity of what was done here, not once, but twice. Sensitive details of just under half the UK population were sent by internal post between two offices with little consideration for its security. It seems the first reaction of those who discovered that the data hadn't arrived was to resend it, not to ask what had happened to it!

Furthermore, it seems that Mr Darling knew of the security breach on 10th November 2007, but did not instruct HMRC to inform the police for four days. Exhaustive searches have not found the missing CDs, although by their very nature, no comfort can be drawn from their recovery. They could easily have been copied at any time in transit, let alone after they had been lost. The data has been compromised!

The astounding reality is that just under half the nation’s personal and banking details have been compromised by employees of the government.

The BBC’s summary of Mr Darling’s statement suggests: "The missing information contains details of 25m individuals, 7.25m families - including children’s names, addresses, dates of birth, NI numbers and where relevant bank and building society account details.”

I believe that this amounts to the biggest loss of personal data in the United Kingdom to date and by far the most serious.

The Treasury seems to be blaming junior staff at HM Revenue & Customs, but I am extremely surprised to learn that junior staff have access to the banking details of pretty much every parent with a child under the age of sixteen in the United Kingdom. It seems that there are some exceptionally lax mechanisms for handling sensitive data at HMRC, who are still reeling from two earlier security breaches, including the loss of a laptop holding sensitive data.

The Information Commissioner, Richard Thomas, has apparently remarked that: “This is an extremely serious and disturbing security breach.”

Mr Darling suggests in his statement that the junior employees had breached internal rules for data security, but what I find incredible is that this seems to be routine. For instance, Paul Lewis of the BBC Radio 4 Programme Money Box reported on 3rd November 2007 that 15,000 Standard Life customers' details had been lost in very similar circumstances. Mr Lewis' article states:-

"A month ago a CD containing the names, national insurance numbers, dates of birth and pension plan numbers of nearly 15,000 Standard Life customers was lost by a courier taking it from the Revenue national insurance contributions office in Newcastle to the insurer's headquarters in Edinburgh."

According to Alistair Darling’s statement (as reported by the BBC) on the most recent data loss: “Two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.”

The simple phrase “password protected” really worries me. I would have been much happier had he said “securely encrypted”. The difference is immense.

My immediate reaction is, given the manner in which the data was sent in the first place, just how secure were those passwords? I have horrible images of Microsoft Excel spreadsheet files being locked with a flimsy password known to at least the sender and the recipient. Tools to unlock Excel files proliferate on the Internet and are readily available to anyone who cares to look for them using Google. (It is important to note that the exact file format and security mechanism used in this case does not appear to be public at present.)

The current media focus seems to be on the “banking details”, but I am worried about how this data could be used both now and in the future to compromise all sorts of information. For instance, a large number of people use their date of birth as the basis for their passwords and many organisations use date of birth questions as part of their online security.

If this data becomes widely available on the black market, then 25 million people (statistically more or less every other British reader of this article) may find their data being used fraudulently, possibly to compromise the likes of their ebay account, their email account, their online utility bill facilities, even their MySpace account.

My advice to anyone that uses any of the compromised data as the basis for their passwords is to change them immediately. If it has fallen into the wrong hands, they have probably had it for more than a month...

I certainly agree with Avivah Litan of the Gartner Group who is quoted by the BBC as saying: “The data lost - bank account numbers, names and addresses - represents a gold mine for the thieves and is much more valuable to them than credit card numbers or taxpayer id numbers.” She went on to suggest that “In fact, in the black market, bank account numbers sell for the highest price, or between $30 and $400 (£15 to £200), which is significantly more than the fifty cents to five dollars that criminals pay for credit cards.”

These disks, which are still missing, are clearly worth a fortune. If Avivah Litan is right then they have a black market value of at least £108M. If these disks fall into the wrong hands then it seems reasonable to expect considerable identity theft and fraud to follow for a long time to come. Certainly, there is sufficient detail in these files to seriously compromise the identity of many children in the United Kingdom for a very long time to come.

I can’t imagine that the UK population will feel too enamoured about identity cards and the national identity database when HM Government is currently sending their identity backwards and forwards en-masse on poorly protected CDs. There must be questions raised about how secure people’s personal data is throughout government.

The BBC has already reported that Douglas Thomson and his wife believe that £2,800 was removed from their Alliance & Leicester account using this data on 5th November 2007. According to Mr Thomson: “At the time, our bank was at a loss to explain how such detailed info was somehow available to someone else. At least we now know how.” It must be said that the Alliance & Leicester maintains that this incident is completely unrelated to the HMRC data loss.

The problem is that we all seem to have a problem assessing the importance of data. How many people have important data stored on their computers at home, which isn't backed up? How many students have lost their dissertations and essays to disk corruption, but had no backup? How many people lose mobile phones with the personal details of their friends in their address book? How many people send sensitive material by (intrinsically insecure) Internet email?

As I reflect on this issue, I realise I am not unduly surprised about this latest revelation. Many organisations, let alone people, are extremely cavalier with data. I think the problem is that data really doesn’t look very impressive when it is stored on a couple of CDs. The sheer magnitude of 25 million records doesn’t really hit home until its lost, stolen or printed out.

The Information Commissioner, Richard Thomas has said: "The alarm bells must now ring in every organisation about the risks of not protecting people's personal information properly."

Perhaps this incident is just the wake up call we all need.

This weblog is produced by Revell Research Systems.

WiFi Theft

Alastair Revell — Wed, 18 Apr 2007 13:29:51 GMT

The recent caution of a man in Redditch by West Mercia Police for "dishonestly obtaining electronic communications services with intent to avoid payment" raises some interesting questions.

According to the BBC News Web Site: "He attracted attention from neighbours in the early morning, as he had put up cardboard around his car windows but the light from his computer could be seen through the back window." This was clearly suspicious behaviour, but there are plenty of open wireless access points where their owners are quite happy for people to "borrow" their bandwidth since (I assume) they would hope to do likewise elsewhere themselves.

Indeed, this very notion of "scratch my back and I'll scratch yours" is one of the key underpinning elements of the early and non-commercial Internet, where connected organisations and individuals utilised each others equipment on a quid quo pro basis.

What concerns me and which raises an important issue is how do you know that a particular wireless hotspot is open for free access? In a residential area, it is not plausible to put up signs everywhere stating that Number 16's is free, but Number 17 will sue you...!!

Furthermore, a lot of existing Wifi-enabled equipment will enumerate and try to connect to any access point. Does that constitute an offence?

Commercial hotspots simply redirect all web accesses to a login screen until payment has been accepted. Other hotspots that are intended for private use only and that are properly configured will make it very difficult for anyone else to use (and certainly trying to would clearly be abusive behaviour).

The problem is poorly configured wireless access points. You cannot be sure whether you have the owner's permission to use their service.

One interesting idea is whether future wireless access points should have a simple web server that displays a "usage notice" and runs a "well-known" web service stating whether or not the access point is free for use. If this was enshrined in a standard then Wifi devices could assess whether they were connecting to a hotspot that they could freely use. This would probably also invoke a greater degree of protection from the Computer Misuse Act in the United Kingdom and similar acts in other jurisdictions.

Indeed, perhaps the web-service concept could be extended to other Internet services such as email. If Internet standards were established so that the "usage policy" service became well-known, then connecting devices could query whether their access or use of a particular service was acceptable or not. Failure to comply would then leave the owner of the device wide open to prosecution (although catching them might be difficult!)

At least the honest would know whether they were abusing a free resource or not...

This weblog is produced by Revell Research Systems.

Wireless Hacking

Alastair Revell — Wed, 28 Mar 2007 18:56:07 GMT

I read recently that laptops are becoming more popular than ever and, based on sales, are likely to overtake the humble desktop in the nearing future in terms of units shipped.

Other than the fact the laptops tend to be much more expensive to run, I am increasingly concerned about how they really are often the "security backdoor" into the corporate network.

I've read several reports of concerns about classic middleman attacks in open wifi hotspots, such as those in most cafes, motorway service stations and airports. Are you really sure you've connected to the hotspot or a rogue unit being used to probe your PC?

Most desktop PCs are well protected in the corporate world behind sophisticated firewalls and advanced antivirus scanners that check pretty much everything that passes in and out of the organisation.

The laptop, in comparison, is unlikely to have such a sophisticated firewall and is unlikely to have had its antivirus system updated since leaving the office, which could well be weeks.

The idea of running a bogus hotspot near one that sees frequent use is probably an attractive proposition to a hacker. A machine that doesn't have a particularly sophisticated firewall and which has some of its critical defences lower than it should be is clearly an easier target.

It is probably even more desirable as a means of attacking the corporate network it belongs to. If the machine is compromised while out of the office, it will literally be a Trojan horse when it next docks back inside the corporate environment.

Alarmingly, experience suggests that many businesses do not take laptop security seriously, particularly when they only have the odd one or two for senior executives - precisely the people who are likely to carry important and confidential data on them.

Revell Research Systems most definitely recommends treating all corporate laptops with considerably more suspicion than your average PC!

This weblog is produced by Revell Research Systems.

Beware: HM Revenue and Customs Phishing Scam

Alastair Revell — Tue, 20 Feb 2007 16:53:22 GMT

I would just like to warn business people in the United Kingdom who might have recently completed a Self-Assessment Tax Return of a particularly ingenious (if not nasty) phishing scam.

Technically, it is not much as far as phishing scams go, but its timing and content might just lull some people into acting on it.

The email advises the recipient that HM Revenue and Customs have just completed their calculation of the recipient's tax return and notifies them that they have actually overpaid some tax.

The deadline for the submission of self-assessment tax returns is the 31st January, so such an email is at least plausible in February - and who would not be pleased to receive a tax rebate?

The email lures the victim to a repayment page, which asks for their account details, and I suspect that this is where their nightmares would really start if they did provide their details...

The actual email contains absolutely no information relating to the recipient, which should ring the alarm bells of those receiving them.

My comments on another (technically much nastier) phishing scam earlier this month about looking out for and including "shared interactions" in your emails apply here, so if you think you might have been lured, then you should read that blog entry too.

You have been warned!!

This weblog is produced by Revell Research Systems.

Another Phishing Scam

Alastair Revell — Wed, 07 Feb 2007 15:34:53 GMT

There is a particularly nasty phishing scam in circulation, which has been reported on by Tom Young of Computing (6th February 2007).

Apparently, the scam involves an email with a (fraudulent) link to an "as yet" un-named British bank. Most such links in this sort of scam email actually point to an address that is different to that of the bank's real web site. It may be very similar to the real thing, but nonetheless, it is different.

Although such links are often in text and frequently look like the real thing, most email clients will reveal the true target address of the link when the mouse is hovered over it.

This new scam manages to appear to be targeting the correct web site, even under close scrutiny, but actually redirects the user to a fraudulent site.

I would strongly advise people to always manually type in the address of web links received in unexpected emails that cannot be verified to have been sent by the sender, rather than just to glibly click on them.

I would also encourage email users who need to send unexpected emails (especially those with links or attachments) to colleagues to mention some form of "shared interaction" in the opening preamble of their emails.

The sort of thing I mean by "shared interaction" is a reference to an earlier email or meeting or some other event that both parties know about and would be difficult for someone else to forge.

Most scam emails are automated, so it would be nigh on impossible to include this sort of detail. In some respects, the traditional "Further to my letter of ..." type of opening to standard written correspondence is particularly useful in this context. It is natural and unobtrusive, but reassures the reader that the writer is who they say they are!

This weblog is produced by Revell Research Systems.

Laptop and PDA Security

Alastair Revell — Sat, 18 Nov 2006 11:59:15 GMT

This morning's article on the BBC News website that 11 million customers of the Nationwide Building Society in the UK have had their identities put at risk is a reminder to businesses that laptop and PDA security should be high on their agendas.

A considerable amount of similar data is held on many organisations' laptops and PDAs across the country. Indeed, most laptops are only secured with a password and anyone familiar with the various cracking tools readily available on the Internet will know just how easy it is to gain access to such machines.

Very few firms actually consider encrypting data on their laptops to defend against exactly this sort of scenario, but doing so would mitigate the risk considerably.

Many firms are allowing and even encouraging their staff to carry PDAs (which I do believe is more than appropriate, being something of an advocate for them). However, I am often alarmed at just how few insist that they should even be minimally secured with a simple password and even more alarmed at the poor grasp of the security issues that those that carry them actually have. As a matter of course, PDAs carry names and addresses of individual contacts, which obviously is a data protection issue.

The problem is that it doesn't become an issue until a laptop or PDA is lost or stolen. It is then that the reality dawns about just how bad the situation could be, but by then the damage has already been done.

Although I doubt that the laptop's data was looked at in this case, with the laptop probably being reformatted and sold on by the thief as quickly as possible, it won't be long before criminals start considering the potential value of the data on stolen devices. I suspect we will start to see cases where companies are blackmailed and an accelerating trade in illegally obtained data. Indeed, I am prepared to predict that we will see laptops and PDAs stolen to order because the potential value of the personal banking details of 11 million people is considerably greater and apparently easier to obtain than other items that might traditionally be stolen in a domestic burglary (which according to the BBC was how the Nationwide's laptop was stolen).

It also occurs to me while writing this article that this builds on a theme that seems to be unintentionally developing in this blog concerning the general cavalier attitude that financial institutions seem to have towards their customer's security. (For instance, my article on Bank Fraud in July.) I note from the BBC's article that the Nationwide have taken three months getting around to telling their customers about the incident.

Another alarming factor about the Nationwide case is the sheer number of people that must be affected. 11 million people represents almost one in five of the UK population, which is very close to every household in the country being affected statistically speaking.

Furthermore, I find it staggering that the Nationwide actually allowed an employee to leave their offices with so much data. It would have been considerably more alarming if the data had contained authentication details such as PIN numbers and passwords...

The problem with data like this is that its just another file on the disk - something pretty insignificant to look at in Windows Explorer and easily forgotten about. My experience is that most people have considerable difficulty in remembering what files they do have on their disks, so I am a bit alarmed that this data might not have been the only important things stored on the Nationwide laptop.

One would imagine that banks and building societies take considerable care in securing their customers' data. Indeed, the same level of care that the government might take storing the details on each and everyone of us in the proposed national identity card database.

The casual ease with which this data fell into the wrong hands has important ramifications for us all...

This weblog is produced by Revell Research Systems.

MS06-055 Released

Alastair Revell — Wed, 27 Sep 2006 11:33:18 GMT

Further to my blog yesterday about the VML Exploit in Internet Explorer, Microsoft have released overnight (UK time) an out-of-band patch. Early news of the release was reported by Microsoft's Craig Gehre on the Microsoft Security Response Center Blog.

Microsoft clearly consider this vulnerability to be serious, since they rarely issue patches outside the normal monthly cycle.

Microsoft are taking advantage of the need to release MS06-055 by re-releasing MS06-049, which apparently needs some alterations.

This weblog is produced by Revell Research Systems.

Flaw in Internet Explorer (VML Exploit)

Alastair Revell — Tue, 26 Sep 2006 14:54:16 GMT

Sunbelt Software have recently (21st September 2006) discovered a serious flaw in Internet Explorer that potentially allows vulnerable machines to be completely compromised.

According to yesterday's BBC report, Microsoft are still considering whether the flaw is sufficiently serious to release a patch to remedy the flaw sooner than the next scheduled tranche of patches, due on Tuesday, 10th October 2006.

Worryingly, the flaw has already been exploited according to researchers at Sunbelt Software. They have visited web sites which implement the so-called VML Exploit that have downloaded large amounts of spyware and other malware to otherwise fully protected and patched machines.

Alex Eckleberry of Sunbelt Software mentions in his blog of 25th September 2006 that the firm has started to see spam emails (in the guise of Yahoo greetings cards) that lure victims to web sites with the exploit code. The Sunbelt Blog currently has a lot of information on this vulnerability. (The SecuriTeam Blog has a FAQ for those interested in some of the more technical aspects of the exploit.)

Thankfully, this doesn't get that close to our "zero-day scenario" in which a mass-mailed virus is automatically triggered on arrival in end-user's inboxs, exploiting unpatched flaws, but it is another timely reminder that known flaws are being actively exploited before official patches are made available.

We currently do not generally advise applying third party patches that are fast becoming the rage, simply because they could cause as much trouble as they are meant to prevent.

We would advise people to be particularly vigilant when handling email. We strongly advocate ensuring that end-users remain alert. It has often been human vigilance that has saved the day rather than automated protection.

If you would like further advice, please contact us.

This weblog is produced by Revell Research Systems.

Ransomware

Alastair Revell — Thu, 14 Sep 2006 15:46:33 GMT

There seems to be a growing interest in the media of ransomware. Ransomware is malware (viruses and the like) that encrypts the victim's data so that they can't access it. The perpetrator then offers a ransom to recover it for them.

My first thought was that this would not be a long-lived problem since the perpetrator will have to reveal sufficient detail about themselves to collect payment and I initially thought that this would clearly lead to their apprehension.

However, it did occur to me that if they did this from a country whose laws do not recognise the crime or where there was no extradition treaty, they might get away with it...

This weblog is produced by Revell Research Systems.

Cardiff University Researchers Claim HSBC's Online Security Flawed

Alastair Revell — Fri, 11 Aug 2006 17:07:06 GMT

I was interested to read the BBC article highlighting the concerns of Professor Antonia Jones and her team at Cardiff University regarding the security of the HSBC Online Banking Web Site, particularly in light of my earlier blog entry.

It seems that Professor Jones believes that there are serious flaws in the way that HSBC's online customers access the bank's web facilities. These seem to centre around key logging (the recording of key strokes by either hardware or software tools). The problem with key logging is that the keystrokes are captured before they are encrypted as part of the secure connection between the user's web browser and the bank's web site. This means that user names and passwords are easily captured and can be relayed to the perpetrator.

Personally, I no longer use third party computers (except those where we are responsible for their security) to conduct any confidential transactions. The risks are simply too great and I would certainly not recommend anyone else doing so either.

According to the BBC, the bank says that the "problem does not pose a serious threat to its customers", although the Cardiff researchers suggest that anyone exploiting the flaw would gain access to an account within nine attempts.

This weblog is produced by Revell Research Systems.

Bank Fraud

Alastair Revell — Tue, 18 Jul 2006 10:05:29 GMT

I have been very concerned for sometime about the rather blasé attitude that banks sometimes take towards security when dealing with their customers.

They are correctly insistent in verifying who they are speaking to on the phone and now maintain that they never ask for PIN number details in full, although I have been asked for these details in the past.

However, what they fail to do is provide a mechanism to verify who they are. I have had several occasions where banks and credit card companies have rung up asking to verify who I am before continuing their conversation. However, when asked to prove who they are, they often have become very defensive.

Indeed, calling out of the blue and asking people to verify their details could easily form the basis of a phishing scam that aims to furnish the perpetrator with someone's credentials.

Apparently, it is obvious who they are, which suggests to me a basic inability to assess risk from any other perspective than their own, which is worrying.

On some occasions, I have been asked to call back using an 0800-like number if I am anxious about an inbound call. I remember one occasion in particular (at least 18 months ago) where I had the gall to suggest this might be insecure, pointing out that anyone can easily set up such a number and implement a simple computer system that asks you to enter your account and PIN details before being put through to an operator.

I remember the call, in particular, because it was a sales call. Why they insisted on verifying who I was so they could try to sell me a financial product I did not want I do not know. I ended up being told the details were needed for Data Protection purposes, which is of course rubbish. The credit card company concerned apologised, but it worries me that such organisations don't think these things through first.

I recently complained to one bank that asked me to provide personal details in the name of account verification using a letter that was so badly produced that I did initially think it was a scam. Ironically, this had been issued by their compliance unit, which one would have thought would have had such matters under careful scrutiny. Furthermore, there was a London number to call if I felt that anything was untoward. I have no idea if the number belonged to the bank in question and worse still, when I called the branch, they reached the same conclusion.

I think it is time for banks to think through some mechanism that can be easily used to identify them to their customers as well as the other way round. Mutually authenticating each other must be more secure than one-way authentication. It could be as easy as providing the bank with a secret word that they could be challenged for parts of when they call.

It seems from a BBC article today that the hacking community have already started to exploit this lack of basic security. The alarming fact is that telephone calls made using the Internet are free and this largely removes the financial barrier for this type of telephone fraud.

This weblog is produced by Revell Research Systems.

Proxying User Authentication for Administrative Purposes

Alastair Revell — Thu, 13 Jul 2006 22:50:30 GMT

I believe that a really useful administrative facility that should be built into Microsoft Windows is the ability to login as a user by using an administrator's credentials.

System Administrators would often benefit from being able to log into a user's account to test the user's environment. Currently, this would either be done by either knowing the user's credentials or by resetting the password on the user's account to gain access. The former method works well for small business, but does have obvious security implications. The latter is a pain for the end-user when "strict" password procedures are in place governing their use of previous passwords and the like.

I envisage that an administrator faced with the CTRL-ALT-DEL dialogue should be able to press a button to extend the dialogue with an extra "Login As" textbox. They should then be able to provide their own username and password as well as the account name they are intending to login to. I would expect that this would require the administrator concerned to have been granted a "proxy right" and that its use would be written into the system's security event log.

This would then allow an administrator to use the account without any elevated privileges. It would also be useful if the administrator had the ability to login and opt out of group policies or to login to the account with their own administrative rights.

This weblog is produced by Revell Research Systems.

EMail Based Denial of Service

Alastair Revell — Mon, 05 Jun 2006 02:07:51 GMT

I remain concerned about the possibility of "taking out" a Microsoft Exchange server, especially one installed as part of Small Business Server.

I've just finished checking over a (small) client's server that had taken on board something like 27,000 emails over the weekend. These emails were sent to spurious addresses at the domain concerned. The server naturally responded by sending out a Non-Delivery Receipt (NDR) to the apparent sender. The problem is that the sender's email was forged. It seems apparent that these emails were sent with the specific intention of causing problems for the person whose email was forged. They (presumably) will also receive 27,000 emails via my client alone. Why do it? Because the attacker's identity is carefully masked from the perpetrator by the middleman (my client).

This is extremely dangerous to both the middleman and the victim if their respective servers run low on disk space, potentially causing their email systems to fail. This might be worse on a Small Business Server (where appropriate precautions have not been taken) because it is, by its very nature, the domain controller (DC) as well, potentially bringing down the internal network too.

This is the second such attack we have seen in the last seven days.

The spurious NDR problem seemed to be limited to virus replication mechanisms in the past, but now there seems to be a new and more dangerous trend emerging towards using the NDR process for denial of service (DoS) attacks.

A recent judgement in the United Kingdom (that I mention recently in an earlier blog entry) makes it clear that such attacks are not currently illegal under English Law. One of my current undergraduates, Sara Sheridan, touches on these issues in her recent blog entry.

There are some mechanisms that can be put in place to prevent systems being exploited like this. The most obvious is to switch the NDR response off on servers, but this seems to be an important part of the Internet email system (albeit most NDR receipts are difficult for end-users to interpret).

What we need is for major systems such as Microsoft Exchange to start shipping with logic that is able to identify such attacks and to suspend NDR responses to the purported sender while the emails are being received. One is surely enough for most human senders to get the message...!

This weblog is produced by Revell Research Systems.

Hackers Hit Swedish Police

Alastair Revell — Fri, 02 Jun 2006 17:08:46 GMT

According to a news article being carried by the BBC (http://news.bbc.co.uk/1/hi/technology/5041848.stm), a group of hacker have hit a web site operated by the Swedish police.

It seems that this was simply a denial of service attack, which swamped the machine with requests.

Unfortunately, denial of service (DoS) attacks seem to be becoming more prominent and I suspect we will soon need to be helping smaller clients ensure that their boundary devices are capable of withstanding such attacks.

I suspect it will also come as something of a shock to people when they learn how expensive some of these security devices are in comparison to "bog standard" equipment.

This weblog is produced by Revell Research Systems.