Archive for December, 2010

Economists – wherein the most important syllable is CON

December 22, 2010

I received one of those reports by serious economists commissioned by serious security firms for serious money. You’ll know the sort I mean. They state that if only we adopt this technology, or stop those bad practices, or prevent these bad people, then we’ll create this huge amount of wealth: probably enough to pay off European and North American national debts in just a few years.

Well, with all due deference and respect: baloney. You cannot create wealth. You can print or mint money – but that’s not wealth. Money is nothing more than a promise that is continually broken through inflation and devaluation.

I want you to consider the nature of wealth, and where it comes from. It is represented by money, but it is not money. It comes from trade. But where does trade come from? It comes from surplus food production.

Think about this. If you couldn’t go to the shops to buy food, you’d have to spend your time farming, hunting or gathering. It’s only because our farmers produce more food than they need for themselves that the rest of us have time and capacity to engage in manufacturing and trade. The better we are at the trade that is allowed by surplus food, the wealthier we become. There is, therefore, a direct relationship between wealth and food surplus: in fact, wealth equals food surplus. That is, there is a finite amount of wealth in existence at any time; and it is proportionate to the food surplus produced by the farmers.

If you think I’m wrong, try this thought experiment. Think of any industry you like, and imagine it ceases to exist for a year. Will the human race survive? Now cease all food production for a year. Will the human race survive? Quite simply, nothing whatsoever can increase wealth unless it increases or improves food production, upon which all else is built.

So what are the economists on about? ‘Economy’ as a science is simply the explanation for, and sometimes the facilitation of, the redistribution of the food surplus. Adopting this new technology will not increase wealth, it will redistribute what already exists. The difficulty with this approach is that if everybody adopts the new technology, then it will redistribute nothing – everything remains the same. That doesn’t mean you shouldn’t bother with the new technology; because if you don’t and your competitors do, then they gain advantage and the redistribution of wealth is from you to them. You lose.

So this is the contradiction in economic predictions. Adopting a new technology will not create wealth for you. It might redistribute the wealth of your competitors to you if you adopt and they do not; or it might redistribute your wealth from you to them if they adopt and you do not. It’s just a carousel of fallacious wealth – and the only group virtually guaranteed to accrue other people’s wealth are the eCONomists themselves.

Categories: All, General Rants

Cybernet-curtain-twitching: Europe’s latest pastime courtesy of Europol

December 17, 2010

Rob Wainwright, director of Europol and once a leading figure in SOCA, has “briefed a Lords EU sub-committee on plans for a European cyber crime centre.”

It could operate along similar lines to America’s Internet Crime Complaint Center (IC3), a joint venture between the FBI and the National White Collar Crime Centre, which for the past 10 years has allowed victims of cyber crime to make a complaint online.
BBC: EU could turn to ‘crowd sourcing’ in cyber crime fight

But it is likely to go much further:

Europol strategic analyst Victoria Baines later explained to BBC News that the organisation was interested in eventually using a form of “crowd sourcing” to gather examples of suspected cyber crime so it could build up a fuller picture of illegal activity.

This would involve concerned net users scouring the net for possible examples of crime and reporting it, possibly through a dedicated website.


This is not my beautiful home

This scares me more than I can say. The idea that a million anoraks with a computer but no life will take up the new pastime of cybernet-curtain-twitching is more than a little scary. Reporting a crime perpetrated against you is one thing; reporting an acquaintance who appears to be sending you pornographic material is something else. If security experts have difficulty tracking down the genuine criminals on the internet, how on earth will Joe Bloggs succeed? And what will Europol’s software – you know, the stuff that seeks to find links and connections – make of a couple of false accusations, a subscription to Freeview’s adult channels, and a phone call to a friend who is the friend of someone under different surveillance?

We’ve had crowd sourcing before. The crowd was the FBI – and look what a mess the UK police made of Operation Ore:

New evidence I have gathered for my work as an expert witness in defence cases shows that thousands of cases under Operation Ore have been built on the shakiest of foundations – the use of credit card details to sign up for pornography websites. In many cases, the card details were stolen; the sites contained nothing or legal material only; and the people who allegedly signed up to visit the sites never went there.
Duncan Campbell, Guardian: Operation Ore flawed by fraud

I really hope that Mr Wainwright does not get his way in this. Crowd sourcing is no replacement for old-fashioned policing and genuine evidence. And, frankly, I don’t want to live in this Stasi-inspired shop-your-neighbour Orwellian society SOCA and Europol seem to want for us.

Categories: All, General Rants

Bank of America shows the need for effective provisioning

December 15, 2010

When I was younger, with one foot on the corporate career ladder (before I subsequently fell off, permanently) we had what I thought was an American joke: if you came into the office in the morning and your desk was bare – no phone, no computer, no nothing – you’d been sacked. But it wasn’t a joke. It was the physical effect of material de-provisioning; and a necessary part, along with the security guard escorting you off the premises, of letting people go.

Somewhere, with the evolution of the cyber office, we have forgotten the importance of de-provisioning – of cancelling online accounts, removing passwords and restricting access immediately on termination. There is a second line of defence. It’s the courts; and Bank of America has won a court injunction temporarily blocking use of its data by four ex-employees.

Bank of America Corp. won a court order temporarily blocking four former employees from using and sharing the bank’s client records at their new employer, New York-based Dynasty Financial Partners.
Bank of America Wins Order, Ex-Workers Can’t Take Data

Kurt Johnson, vice president of strategy & corporate development, Courion

The problem is that this smacks rather of stable doors and horses, or genies and bottles. The courts are no alternative to adequate staff provisioning and de-provisioning. Kurt Johnson, vice president of strategy & corporate development at Courion, whose AccountCourier product does just this, comments:

This is not just another “employee gone bad” story; it’s a reminder to companies that if the proper access controls and monitoring tools are not put in place to protect sensitive data, they could suffer significant financial and operational losses.

Companies need to be one step ahead of a departing employee. In letting these staff members go, all administrative controls should have been shut off and changed immediately so that there was no opportunity to gain access to these sensitive files. Leaving even a short time gap between notice of termination and closing accounts creates vulnerabilities. For example, the Ponemon Institute has reported that 59 percent of terminated employees admitted to stealing confidential company information so the Bank of America is not alone. Implementing an automatic de-provisioning process is the only way to confidently avoid glaring lapses in security when your company’s data stores are vulnerable to attack.

Courion’s AccountCourier

Categories: All, Security Issues

Cameron, protesters, police and democracy

December 14, 2010

Cameron, Clegg and the Coalition have been a huge disappointment to me. They came into power, with the help of my vote and a majority of the UK population, on a mandate for rolling back the authoritarian era of New Labour. It was a period of great hope. Now is a time of severe disillusion.

“Of course there is a right to protest peacefully, there always should be,” he [prime minister David Cameron] said.

“There is not a right to go on the streets of London, wanting to pursue violence…”
David Cameron in Police Oracle

He is correct. Everybody has a right to demonstrate peacefully. Nobody has a right to engage in violence other than in self-defence. So any protesters who were physically violent or damaged property need to justify their actions to the courts.

I trust (a misuse of language, because I have little faith) that these policemen will also have to face the courts. If you haven’t seen the footage of the cerebral palsy sufferer being pulled from his wheelchair by the police, please watch it now.

And then, if you haven’t seen the most shameful piece of journalism I have come across in a long time, watch this interview with the wheelchair occupant.

This is not about students or even student fees. This is about freedom, liberty, the kind of Britain I want to live in, and democracy. I say to Cameron and Clegg, do not become Chaucer’s smiler. Stand up for freedom; do not complete the process started by New Labour: do not allow the UK to become a police state.

Categories: All, General Rants

Incapsula: using security from the Cloud to protect data in the Cloud

December 10, 2010

The Cloud will dominate. It’s simple economics. The Cloud offers greater efficiency at lower cost; so if your competitor is in and you are out, he wins and you lose. But concern over security is currently delaying deployment: if you don’t know where your data is, how can you secure it?

Marc Gaffan, VP Marketing, Incapsula

“One of the challenges of the Cloud,” said Marc Gaffan, VP Marketing with Incapsula, “is that you have to rely on the infrastructure that your Cloud provider offers.” And this is counter-intuitive, particularly since “most web application firewalls to date,” he continued, “have come in the form of an appliance. Typically, when you use a web application firewall, you take a physical server and attach the appliance to it, routing traffic through your physical appliance to your physical server. But when you move into the Cloud and use a Cloud provider, there is no physical rack for your physical appliance to connect to your physical server.” And it is this lack of physicality that worries us about the Cloud.

But in reality that’s because we misunderstand the nature of the internet itself. We think of the internet as some huge collection of interlinked separate computers to which we are connected, but do not belong. That misunderstands the nature of the beast. We should revisit Sun’s old motto: the network is the computer. Only now we should say: “The internet is the computer.” It is only when we start to look at the internet as just one huge multi-user amorphous computer that we will be able to harness its full potential. When we look at it like this, for example, it doesn’t really matter where the data is located.

Consider the computer on your desktop. We are accustomed to not knowing where our data is stored on this computer, because we don’t need to know. The filesystem knows. Access to our data is via the filesystem – and because of the filesystem we can still protect the data without knowing where it is situated and even though the operating system keeps moving it to different locations on the disk in our computer on the desk.

Now consider the internet. If the internet is the new computer, then DNS will be the filesystem and the service providers are the operating system (OK, loosely – don’t get too literal on me). And if the basic analogy holds, then we don’t need to know where our data is held (and will simply go mad if we try to find it and follow it), but we can still secure it via the DNS.

That’s what Marc Gaffan’s new Incapsula service does. It provides a virtual web application firewall that doesn’t care where your web is located. “In order to get the protection of Incapsula,” Gaffan explains, “all you need is control of your domain name server and five minutes. You change your DNS to route all incoming and outgoing traffic through Incapsula. From that point on, all your website visitors will first go through Incapsula, through our globally distributed network of servers, and we will proxy the traffic to you. We essentially front-end your website regardless of where it is hosted or who is hosting it, or whether you have control over that web server or not.”

This is using the Cloud and Cloud concepts to protect the Cloud. “A primary principle,” says Gaffan, “is pay as you grow. If you are a new company you can start small; you don’t have to pay for excess capacity or provision for future growth, you just pay for what you need when you need it.”

But a second principle is collective or community strength. “By correlating information across our hundreds of customers and worldwide network of servers we create a community learning. If Incapsula sees someone doing something bad at one website; and minutes later that person goes to another website, Incapsula knows that nothing good is intended; and will instantly block access – and that correlation of experience across different Incapsula customers makes it a better service.”
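The two mechanisms Gaffan describes above, fronting a site by changing its DNS and sharing what one customer’s traffic teaches across all the others, together with the check a practitioner would want on the origin side, as an added example. This is not Incapsula’s code or rule set: the proxy address range, the three attack patterns and the request shapes are assumptions made for the illustration, and both the traffic and the origin servers are simulated in memory so the script runs offline.

```python
"""Added illustration of a DNS-fronted web application firewall with a
reputation list shared across all the sites behind it, plus the origin-side
check.  Not Incapsula's code: PROXY_NETWORKS, ATTACK_PATTERNS and the request
shapes are assumptions for the example; traffic and origins are simulated."""
import ipaddress
import re
import time

# Assumed address block of the proxy fleet (hypothetical, not a real range).
PROXY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Deliberately tiny rule set standing in for a real WAF signature library.
ATTACK_PATTERNS = [
    re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1)"),  # SQL injection
    re.compile(r"(\.\./){2,}"),                                     # path traversal
    re.compile(r"(?i)<script\b"),                                   # XSS probe
]


def looks_malicious(request_line):
    return any(p.search(request_line) for p in ATTACK_PATTERNS)


class Reputation:
    """Bad-actor list shared by every customer site: an IP flagged at one
    site is blocked at all of them until the entry expires."""

    def __init__(self, ttl=600.0):
        self.ttl = ttl
        self.flagged = {}             # ip -> (expiry, site that flagged it)

    def flag(self, ip, site, now):
        self.flagged[ip] = (now + self.ttl, site)

    def flagged_at(self, ip, now):
        """Site that flagged this IP, or None if it is not (or no longer) listed."""
        entry = self.flagged.get(ip)
        if entry is None or entry[0] < now:
            self.flagged.pop(ip, None)
            return None
        return entry[1]


class EdgeProxy:
    """One node of the fronting network.  handle() returns (decision, detail)."""

    def __init__(self, reputation, origins):
        self.rep = reputation
        self.origins = origins        # site -> callable(remote_addr, request_line, headers)
        self.node_ip = str(PROXY_NETWORKS[0][10])   # this node's own address

    def handle(self, site, client_ip, request_line, now=None):
        now = time.time() if now is None else now
        earlier = self.rep.flagged_at(client_ip, now)
        if earlier is not None:
            return ("blocked", "flagged earlier at " + earlier)
        if looks_malicious(request_line):
            self.rep.flag(client_ip, site, now)
            return ("blocked", "matched attack pattern")
        headers = {"Host": site, "X-Forwarded-For": client_ip}
        return ("forwarded", self.origins[site](self.node_ip, request_line, headers))


def origin_handler(remote_addr, request_line, headers):
    """Origin side.  If the origin answers anyone, an attacker who knows its
    real address simply bypasses the proxy; so accept only the proxy fleet,
    and only then trust X-Forwarded-For for logging and rate limiting."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in PROXY_NETWORKS):
        return "403 direct-to-origin connection refused"
    client = headers.get("X-Forwarded-For", remote_addr)
    return "200 served %s for %s" % (request_line, client)


def demo():
    """Constructed traffic: one client misbehaves at shop.example, then turns
    up at blog.example; a second client is innocent; a third goes direct."""
    origins = {"shop.example": origin_handler, "blog.example": origin_handler}
    proxy = EdgeProxy(Reputation(ttl=600), origins)
    t0 = 1_000_000.0
    return [
        proxy.handle("shop.example", "198.51.100.7", "GET /?q=shoes", t0),
        proxy.handle("shop.example", "198.51.100.7", "GET /?id=1' OR 1=1--", t0 + 1),
        proxy.handle("blog.example", "198.51.100.7", "GET /", t0 + 120),
        proxy.handle("blog.example", "198.51.100.8", "GET /about", t0 + 121),
        ("direct", origin_handler("198.51.100.9", "GET /admin", {})),
    ]


if __name__ == "__main__":
    for decision, detail in demo():
        print(decision, detail)
```

The origin-side check is the caveat that matters most in practice: changing DNS moves the traffic that honours DNS, not the traffic of an attacker who already knows the origin’s real address. Unless the origin accepts connections only from the proxy network, the web application firewall can be bypassed entirely, and X-Forwarded-For should be trusted only on connections that pass that check.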

This process of moving our security into the Cloud in order to protect our data in the Cloud has already started. First came spam-blocking services; then, inevitably, anti-virus products began to leverage the Cloud. Now Incapsula demonstrates the next step. “Once you get onto the Cloud, you must not be dependent on just the services that the Cloud provider offers you – you need the freedom to shop around and leverage services from other Clouds; like Incapsula. This process allows Cloud customers to take security back into their own hands, and not be forced to rely on or be constrained by the Cloud provider’s own offerings.”

Remember, the internet is the computer. You can indeed protect your data even if you don’t know where it is.


Categories: All, Security News

Do not let the bullies scare us into giving up democracy

December 7, 2010

“And because sunlight is the best disinfectant, we will bring the operation of government out into the open so that everyone can see whether we are delivering good value for money.”
GovMonitor: David Cameron Lays Out Open Government And Transparency Plan

It gets better, because this is not an original comment from Cameron: it is a quite deliberate quote from US Supreme Court Justice Louis Brandeis, who said “Sunlight is the best disinfectant” when referring to openness and transparency in public policy as a condition of democracy.

So here we have both the USA and the UK (and the UK most recently, of course) stressing the value of openness in government. But what it really means is that government should be open about what it wants us to know, and secretive and dishonest about the rest.

At the moment, both the UK and USA would like us to believe that Wikileaks is endangering national security and threatening lives. Note that it is not the respective but hardly respectable governments that endanger lives by engaging in illegal wars, by furtively trying to play one country off against another, by lying to and deceiving its own electorate. No, it is not governments but Wikileaks – which, remember, has done nothing, absolutely nothing, other than tell us the truth – that is the criminal.

And on the same day that MasterCard and Visa refuse to process donations to Wikileaks; after Amazon and eBay sever ties with WikiLeaks; following the closure of Assange’s Swiss bank account; and on the day that Assange is arrested on charges that have already been abandoned by one Swedish judge; so the US state department announces: “The United States is pleased to announce that it will host Unesco’s World Press Freedom Day event in 2011, from 1-3 May in Washington, DC.”

This is absolutely blatant bullying, probably orchestrated by the Obama Administration but with cowardice aforethought support from other toadying governments throughout the world, including I am ashamed to add, that of the United Kingdom. And we must not allow it to succeed, because it is not just Wikileaks that is at stake, it is not just Julian Assange – it is democracy that is on trial.

Wikileaks rocks

Categories: All, General Rants

Anti-virus and anti-spam: a technology update

December 7, 2010

Anti-virus software is possibly the archetypal security product. It was the first, is the most ubiquitous and certainly the best known defence against the bad guys. But with so many high-profile malware successes (such as Stuxnet and Zeus and other botnets that comprise millions of infected computers) we need to ask ourselves if it is still up to the job. Are the bad guys winning the arms race? What are the latest developments in malware, and what is the AV industry doing to combat them? These are the questions we need to examine before answering the ultimate question: is anti-virus software still relevant?

This article was written for, first published by, and reprinted here with the kind permission of Infosecurity Magazine.


In this article we are going to use ‘virus’ and ‘malware’ interchangeably. There is a technical difference between a virus and a worm and a trojan. But for the user, there is no meaningful difference: they are all malware and all bad for you. “The key thing to recognise,” says James Lyne, senior technologist at Sophos, “is that these things are now so inextricably linked together that this aged distinction between things like viruses, worms, trojans and spam actually doesn’t make a lot of sense at all – it’s all really just ‘bad stuff’”. For example, he explained, bots on compromised PCs are used to deliver spam that contains social engineering scams designed to trick users into visiting malicious websites that will infect the user with a trojan that opens a back door to allow in a rootkit containing a keylogger and spyware. Anti-virus software doesn’t just seek to protect you from viruses – it seeks to protect you from all of this bad stuff. We’ll just call it all ‘malware’.

Current developments in malware: what are the attackers doing?

Modern malware has evolved from a demonstration of personal prowess into a serious, organised, criminal business; and is driven by the same motives as any legitimate business – a desire to maximise ROI. This explains the two primary characteristics of today’s malware: it follows the market; and is increasingly sophisticated.

Follows the market

Wherever there are large concentrations of users, there will also be malware. This explains the malware campaigns on Facebook and Twitter. But it also tells us what is likely to happen next, which will start with increasing malware for the Mac (a new Mac version of Koobface was discovered by Intego, a Mac security specialist, as I was writing this article). The criminals will follow the numbers, and as the Mac and other Apple products increase in popularity, so will the criminals start to attack them. One of the biggest computing movements today is ‘mobilization’ – the growth of mobile computing using smartphones and tablets. As these markets grow, so will they attract malware. Similarly, market growth in virtual machines will lead to attacks on the hypervisor. The AV industry is aware that there are proof-of-concept attacks on virtual machines, but nothing has yet been found in the wild. But it will happen; and it is an area where all AV companies are watching – and waiting.

James Lyne, senior technologist at Sophos

It is only with a degree of tongue in cheek that Luis Corrons, technical director of PandaLabs, comments, “We’re becoming evermore interconnected. Everything is connected to everything else – and it’s all connected to the internet. I don’t know that we’re going to install anti-virus for the fridge – but who knows.” Basically, when there are enough fridges connected to the internet, there will be fridge malware.

Technical sophistication

James Lyne described one example of the increasing sophistication in malware. “Polymorphism,” he said, “has been around for about 20 years. It’s where the malware continually changes itself to avoid detection – but it has been easy for the AV vendors to defeat it. We’d get hold of a copy, extract and analyse the engine that creates the new copies and work out all the possible future versions. That would give us generic detection for that whole polymorphic family. But today the bad guys are using server-side polymorphism where the engine is not in the malware but on legitimate business websites. Every time it is refreshed, what is downloaded is different in content to the previous download – and after a couple of hundred downloads, they kill that site and move on to another. That way none of us vendors can get hold of the engine to write any form of generic protection.”
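The point Lyne makes above, that a generic detection is written from the mutation engine rather than from any one sample, as an added example. This is not Sophos’s code and involves no real malware: the ‘malware’ is an inert byte string and the engine is a toy XOR packer invented for the illustration, with a stub prefix, key and junk layout that are assumptions of the example.

```python
"""Added example (not Sophos code): why a per-sample hash signature fails
against polymorphic malware, and what a generic detection derived from the
engine looks like.  PAYLOAD is an inert stand-in and mutate() is a toy
packer built for this illustration; real engines and detections are richer."""
import hashlib
import random

# Stand-in for the malicious body; every variant decodes back to this.
PAYLOAD = b"beacon:http://c2.example.invalid/?id=%ID%"
STUB = b"\x90\x90\xeb"   # bytes the toy decoder stub always begins with


def mutate(rng):
    """Toy polymorphic engine: fresh single-byte XOR key and a random-length
    junk region per copy.  Layout: STUB | key | junk_len | junk | xor(body)."""
    key = rng.randrange(1, 256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 40)))
    body = bytes(b ^ key for b in PAYLOAD)
    return STUB + bytes([key, len(junk)]) + junk + body


def sha256(sample):
    return hashlib.sha256(sample).hexdigest()


def detect_by_hash(sample, known_hashes):
    """Classic one-hash-per-sample signature."""
    return sha256(sample) in known_hashes


def detect_generic(sample):
    """Family detection written after analysing the engine: recognise the
    stub, recover the key and junk length it encodes, undo the XOR and
    match the decoded body.  Covers every output mutate() can produce."""
    if not sample.startswith(STUB) or len(sample) < len(STUB) + 2:
        return False
    key, junk_len = sample[3], sample[4]
    decoded = bytes(b ^ key for b in sample[5 + junk_len:])
    return decoded == PAYLOAD


def campaign(n, seed=1):
    """Simulate n downloads of the same malware, each freshly mutated, and
    report how many a hash signature and the generic detection catch.  The
    vendor is assumed to have obtained exactly one copy (the first)."""
    rng = random.Random(seed)
    samples = [mutate(rng) for _ in range(n)]
    known = {sha256(samples[0])}
    return {
        "downloads": n,
        "distinct_hashes": len({sha256(s) for s in samples}),
        "caught_by_hash": sum(detect_by_hash(s, known) for s in samples),
        "caught_generic": sum(detect_generic(s) for s in samples),
    }


if __name__ == "__main__":
    print(campaign(200))
```

Running `campaign(200)` gives 200 distinct hashes, one download caught by the hash signature and all 200 by the generic routine. The generic routine exists only because `mutate` is in hand to be analysed; with server-side polymorphism the equivalent of `mutate` never leaves the attacker’s server, which is exactly the gap Lyne describes.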

Current developments in anti-malware: what are the defenders doing?

There doesn’t appear to be a major advance in AV technology on the near horizon. “Right now,” says David Harley, ESET research fellow and director of malware intelligence, “it’s more a case of multiple/hybrid technologies (found in nearly any modern AV) advancing by improving individual components. Obviously, some products stress certain components more than others.”

Has the AV industry shot itself in the foot?

We’ve all seen the adverts and claims: “Our product detects 99% (or even 100%) of viruses.” And yet we still get infected. And we still hear of new viruses being missed by almost all of the AV products when tested against VirusTotal. Something is clearly wrong.

When you look at the small print, you see that what appears to be “100% of viruses in the wild” is actually “100% of viruses that are included in the WildList”: and “in the wild” and “in the WildList” are two completely different things. I don’t believe it was designed to be misleading; but it is misleading, and I believe that AV companies know that it is misleading.

This might have worked ten years ago, when users were more technically naive. But today’s user can see the anomaly: and the result is a loss of trust in the AV companies that will only increase unless and until they start to be more honest in their claims. The AV marketing bods need to be more like the AV technical bods, who are far more likely to tell you how it really is.

Christopher Boyd, GFI senior threat researcher, suggests “virtual sandboxing, which allows threats to be intercepted and executed inside a virtual machine running a Windows-like pseudo environment, allowing for more accurate detection and safer quarantine and disposal.”

Reputation-based classification

But probably the biggest single development has been the evolution of product-based reputation feedback (not to be confused with community-based reputation systems such as the Web of Trust). Rik Ferguson, Trend Micro’s senior security advisor, explains his own company’s reputation system. It is born out of the marriage, in the cloud, of three separate databases: bad emails, bad URLs and bad files. “Let’s take a hypothetical worst-case scenario,” he said. “You get an email from a bot that has only just been infected – and the email is well-crafted so that it looks OK. We can’t see anything wrong with it, so we allow it. In this case, email reputation has failed. The email contains a link to a malicious website that has only just been registered. Again, we don’t yet know it’s bad – so we allow you to click the link, and again the reputation system has failed. You click the link and visit the website which uses a zero-day exploit to infect you with a new trojan that the bad guys have already tested against all the AV products. We haven’t seen this trojan, so we allow you to download it – and you’re infected. Email, URL and file reputation systems have all failed. But,” he stresses, “the first thing that the trojan will seek to do is phone home, either to tell its owner that it has landed, or to download additional components. At this point we will almost certainly recognise this as suspicious behaviour and block it. We will also relay the URL source of the suspect file to TrendLabs who will download the page content and analyse it.” Instantly, the URL database and file database are updated with the new reputations. And, “if a new email comes in pointing to that URL that we now know to be suspicious, we can recognise the email as also suspicious and can add details to our email reputation system. And all of this is based on the behaviour of a file that we had previously thought was OK; and all of these new reputations are, thanks to the cloud, instantly available to all of our other customers.”
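Ferguson’s worst-case chain, as an added example that is not Trend Micro’s code: three in-memory reputation stores, a crude ‘phone home’ rule, and the backfill from the file that misbehaved to the URL it came from and the senders whose mail linked to it. The event shapes, the KNOWN_GOOD list and the 30-second beacon threshold are assumptions made so the scenario runs offline on constructed events.

```python
"""Added example of cross-channel reputation backfill.  Not Trend Micro's
code: the stores, the beacon rule and the event shapes are assumptions."""
from collections import defaultdict

# Assumed allow-list.  A freshly executed binary that connects anywhere else
# within its first 30 seconds is treated as beaconing (a crude stand-in for
# the behavioural analysis a real product performs).
KNOWN_GOOD = {"update.example", "crl.example"}
BEACON_WINDOW_SECONDS = 30


class ReputationCloud:
    def __init__(self):
        self.bad_emails, self.bad_urls, self.bad_files = set(), set(), set()
        # Lineage recorded on the way in, so a late verdict can be propagated back.
        self.url_by_file = {}                   # file sha256 -> URL it was fetched from
        self.senders_by_url = defaultdict(set)  # URL -> senders whose mail linked to it
        self.audit = []

    # Front-line checks.  Each returns True when the artefact is allowed.
    def check_email(self, sender, urls):
        for u in urls:
            self.senders_by_url[u].add(sender)
        return sender not in self.bad_emails and not any(u in self.bad_urls for u in urls)

    def check_url(self, url):
        return url not in self.bad_urls

    def check_file(self, sha256, fetched_from):
        self.url_by_file[sha256] = fetched_from
        return sha256 not in self.bad_files

    # Behavioural stage: fires even when all three checks above let things through.
    def observe_connection(self, sha256, dest_host, seconds_since_exec):
        if dest_host in KNOWN_GOOD or seconds_since_exec > BEACON_WINDOW_SECONDS:
            return False
        self._backfill(sha256, dest_host)
        return True

    def _backfill(self, sha256, c2_host):
        """Convert one behavioural verdict into file, URL and email reputations."""
        self.bad_files.add(sha256)
        self.bad_urls.add("http://%s/" % c2_host)
        source = self.url_by_file.get(sha256)
        if source is not None:
            self.bad_urls.add(source)
            self.bad_emails.update(self.senders_by_url.get(source, ()))
        self.audit.append((sha256, c2_host, source))


def worst_case_scenario():
    """Constructed replay of the scenario in the text; returns each check's outcome."""
    cloud = ReputationCloud()
    lure = "http://fresh-domain.invalid/invoice"
    sha = "3a7b" * 16                                   # constructed file hash
    out = {}
    out["email_1"] = cloud.check_email("bot-a@198.51.100.23", [lure])  # looks fine
    out["url_1"] = cloud.check_url(lure)                                # unknown, allowed
    out["file_1"] = cloud.check_file(sha, lure)                         # unknown, allowed
    out["beacon"] = cloud.observe_connection(sha, "c2.fresh-domain.invalid", 2)
    # Minutes later a second bot sends the same lure to another customer.
    out["email_2"] = cloud.check_email("bot-b@198.51.100.77", [lure])
    out["url_2"] = cloud.check_url(lure)
    out["file_2"] = cloud.check_file(sha, lure)
    out["audit"] = cloud.audit
    return out


if __name__ == "__main__":
    for k, v in worst_case_scenario().items():
        print(k, v)
```

The design point is that the lineage (`url_by_file`, `senders_by_url`) has to be recorded at the moment each artefact is allowed through, not when it is later judged bad; without it the behavioural verdict on the file cannot be turned into URL and email reputations at all.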

Future solutions for the malware problem

We have a choice. We can carry on as we are, trying to improve our anti-malware defences in a perpetual leapfrogging process with the bad guys – or we can think out of the box and be radical. One approach could be Trusteer’s Rapport product. Its purpose is not primarily to find and eliminate viruses, but specifically to protect online bank transactions from malware (such as Zeus). Rapport is anti-malware; but not as we know it. Its primary purpose is to protect the browser. It doesn’t go looking for malware on your PC. Rather it defines a browser behavioural policy – and if the browser tries to behave differently, it knows that there is malware involved. “It’s like behavioural detection,” explains Amit Klein, Trusteer’s chief technology officer, “but it’s not behavioural in the sense that we monitor all the behaviour of a suspicious binary – rather we wait for the malware to come to us – for it to ‘attack’ the browser; and that’s where we stop it cold.”

Scott Charney’s Internet Health Certificate

A more radical approach could be the Internet Health Certificate proposal put forward by Microsoft’s Scott Charney (Collective Defense – Applying Global Health Models to the Internet). Charney’s idea is that we should take a lead from the World Health Organization: you may need to prove your health before you can do certain things or go to certain places. In other words, users may need a health certificate for their computers before they are allowed access to the internet. The AV industry is not generally impressed. Who says a computer is healthy? Who defines computer health? “I’d be pretty unhappy if it turned out that the health of my systems was being certified by someone whose knowledge of security wasn’t much higher than the average,” comments ESET’s David Harley. “Or even the sysadmin responsible for the Microsoft servers that are used to relay spam…”

Nor is the technical problem trivial. “The technical issue is the volume of edge cases,” continues Harley. “I don’t think a ‘just about good enough’ heuristic approach combines well with a utilitarian ‘greatest good for the greatest number’ approach, in this case.”

Rik Ferguson, senior security advisor, Trend Micro

Trend Micro’s Rik Ferguson raises a practical issue. “What happens,” he asks, “in the case of false positives? If users are incorrectly quarantined, will they be able to claim something back in lost productivity, lost purchases on eBay, or whatever it may be?”

“It’s an interesting idea,” concedes Trusteer’s Klein. “But with the current infection rates where your machine can be clean one day and infected the next, I’m worried about the implications for an ISP handling millions of customers, some of whom keep getting re-infected. In practice, I’m not sure how we can really adopt this – I’m not sure how the ISP, where the rubber meets the road, will be able to handle this under current pricing structures.”

With apparently so little going for this idea, you have to wonder how it got air time. The answer might be in Scott Charney’s title: vice president of trustworthy computing. Microsoft, of course, is a leading member of the Trusted Computing Group (TCG). The TCG has developed specifications for measuring what runs on a computer and attesting to it, which is the foundation for controlling what can and cannot run; and TCG members such as Intel already ship the supporting hardware in a large proportion of the world’s PCs. So if a third party (your company? Microsoft? Intel? Your ISP? The government?) defines what can run on your PC as the condition of internet access, you automatically have a health certificate, because nothing else – neither malware, nor pirated software, nor illegal music, nor porn, nor any new software not sanctioned by the controlling organization – is capable of running. The problem is solved. Some might say at the cost of personal freedom.


Some of the marketing hype around anti-virus products seems to imply that AV software is all you need to be safe. It is not. You need layers of different security. In fairness to them, none of the anti-virus technologists will suggest that AV is enough. You need to complement it with data loss prevention technologies, ID theft prevention, firewalls, URL filters and more. How will the market develop? “Slowly and painfully,” says Harley. “Customers who expect 100% success will continue to be disappointed. Pure AV will become rarer: the technology will continue to be further integrated with other defensive technologies.”

New technologies such as Rapport can help in niche areas; ideas such as trusted computing could solve the problem but at the cost of personal liberty. Now I am not the biggest fan of the way in which the anti-virus industry markets itself. But of this I am certain: we cannot, and must not try to, do without it. The anti-virus industry is not merely relevant; it is still essential.


Developments in consumer anti-virus

The biggest single development in consumer anti-virus products is the growth of the free product. Many companies now provide free online scanners – Trend Micro’s HouseCall and Symantec’s Security Check are good examples. There is also a growing number of free products you download and install on your computer: AVG and Avira are the best known. More recently Panda has launched a new free version.

Petter Lautin, Panda Security’s MD for UK and Ireland, explains the rationale: “A Morgan Stanley survey in America has shown that 46% of consumers rely on free security software, and that’s expected to increase to nearer 60%. I’d be surprised if things in Europe are very different; so that’s a fact of life we can’t ignore. Secondly, believe it or not, there are many people out there who are still not using any anti-virus product at all. For them, this is a perfect way to start because it gives you the basic anti-malware protection that everyone needs to have. From there we can start to talk about what you should have rather than must have: a firewall, ID theft protection and all sorts of things on top of that.”

ESET’s David Harley has a pragmatic view. “The economics of the marketplace, though, are that the consumer market isn’t really profitable. It costs more than some companies can afford to support those customers, measured against the profit margin. That’s why some companies make single-user licences so expensive compared to their corporate deals. So for years, the deal with free AV has been a trade-off: fewer bells and whistles and often less detection/disinfection, and restricted support (forums, but not telephone support).”

There is a rider to this – there is still a dearth of free AV software for the Mac. “There is a limited number of free antivirus tools for Mac,” explains Laurent Marteau, CEO of Intego, one of the relatively few Mac AV vendors, “but they have not had a major effect on the market. With Mac antivirus software, none of the companies offering free tools have the infrastructure to find Mac malware and update their software in a timely manner.”

But expect this to change. Panda has now entered the Mac market – and I suspect it will offer a free Mac version in the future. [And since this was written, see: Sophos launches free Mac anti-virus for home users].


Categories: All, Security Issues

Selling Biometrics to the masses

December 5, 2010 1 comment

In August 2010 the Ponemon Institute published the results of a survey commissioned by Vodafone and F-Secure: Return on Prevention Study Measuring the value of security technologies, controls and governance practices[1]. In reality it was a survey on attitudes towards cost-effective security for mobile devices; and its relevance here is that biometrics just don’t figure. Not, notice, that biometrics provide a poor return on investment for security, but that biometrics are not considered for security at all. And although the survey was for mobile devices, this attitude is indicative of the public’s general perception of biometrics.

Why is this? Let’s look at what’s right, what’s wrong, and what needs to be done to sell biometrics to the masses.

This article was written for, first published by, and reprinted here with the kind permission of
Infosecurity Magazine.


What’s right with biometrics?
The use of biometrics for user authentication is a seductive argument, and is often described as the third factor in user identification. The first is something you know (like a password or PIN). The second is something you have (like a smart card or other token). And the third is something you are – a unique metric from a universal characteristic, such as your fingerprint, or your iris pattern, or your voice characteristics. CESG defines biometrics in authentication as “the automated means of recognising a living person through the measurement of distinguishing physiological or behavioural traits”[2].


The biometric argument is that if we have a secure record of the user’s biometric feature (called the template) and can verify the current user against that template, then we can be 100% certain that this user is the authorised user. At first glance, this argument is irrefutable and almost irresistible; and there are many examples of biometrics already in use. International travellers are becoming increasingly aware of the value of biometric verification for rapid transit through the airport; and biometrics are more and more mandated for national passports.

There is also much research going on to find cheaper and more effective approaches to biometric authentication. An example of current research is Manchester University’s work on facial recognition. This is specifically for mobile devices. “A video of your face contains useful information such as who you are, where you are looking and how you are feeling. If we can extract this information from the video, it potentially paves the way for automatic face verification (i.e. determining whether you are who you claim to be)…” claims Dr. Philip A. Tresadern at Manchester University.

Andrew Cardwell, security consultant

Security consultant Andrew Cardwell believes that such research could lead to a wider adoption of biometrics: “Biometrics will succeed providing they offer continuing, transparent and positive identification in a non-intrusive manner.  One such system perhaps is a camera on your PC that is programmed to check the operator identity every 30 seconds.  It opens a 5 second window to acquire a good picture and if it can’t acquire the data or doesn’t authorize the individual the screen can be locked.  This is ideal if someone else sits down at a PC or an individual gets up for a coffee because as soon as the individual comes back the system authenticates a valid user once more and provides access.”
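The lock/unlock policy Cardwell sketches (a check every 30 seconds, a 5-second window to get a usable frame, lock on failure, unlock when the enrolled user is seen again) as a small simulation. This is an added example, not Cardwell’s or any vendor’s code; the camera and face matcher are hypothetical stand-ins that simply return the identity seen in a frame, and the timeline is constructed.

```python
"""Continuous camera-based authentication policy, simulated.

Added example. `Camera` stands in for a hypothetical camera + face matcher:
given a time (seconds) it returns the identity recognised in the frame, or
None when no usable frame is available (empty chair, bad lighting).
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

CHECK_INTERVAL = 30  # seconds between identity checks
CAPTURE_WINDOW = 5   # seconds allowed to acquire a good frame

Frame = Optional[str]
Camera = Callable[[int], Frame]


@dataclass
class SessionState:
    enrolled_user: str
    locked: bool = False
    events: List[Tuple[int, str]] = field(default_factory=list)


def acquire(camera: Camera, start: int) -> Frame:
    """Poll once per second for up to CAPTURE_WINDOW seconds; return the
    first usable frame, or None if the window expires without one."""
    for offset in range(CAPTURE_WINDOW):
        frame = camera(start + offset)
        if frame is not None:
            return frame
    return None


def run_session(camera: Camera, enrolled_user: str, duration: int) -> SessionState:
    """Run the policy from t=0 to `duration`. Fails closed: an unusable
    frame locks the screen just as an unknown face does."""
    state = SessionState(enrolled_user)
    for t in range(0, duration, CHECK_INTERVAL):
        identity = acquire(camera, t)
        authorised = identity == enrolled_user
        if authorised and state.locked:
            state.locked = False
            state.events.append((t, "unlock"))
        elif not authorised and not state.locked:
            state.locked = True
            reason = "no-frame" if identity is None else f"unknown:{identity}"
            state.events.append((t, f"lock:{reason}"))
    return state


def scripted_camera(timeline) -> Camera:
    """Build a camera from constructed (start, end, frame) intervals;
    any time not covered by an interval yields None."""
    def camera(t: int) -> Frame:
        for start, end, frame in timeline:
            if start <= t < end:
                return frame
        return None
    return camera


# Constructed timeline for the demo (seconds since logon).
DEMO_TIMELINE = [
    (0, 30, "alice"),
    (30, 32, None),       # alice briefly turns away; absorbed by the 5 s window
    (32, 70, "alice"),
    (70, 110, "bob"),     # someone else sits down at the PC -> lock at t=90
    (110, 170, None),     # nobody in view
    (170, 200, "alice"),  # alice returns -> unlock at t=180
    (200, 260, None),     # alice goes for coffee -> lock at t=210
    (260, 300, "alice"),  # alice returns -> unlock at t=270
]

if __name__ == "__main__":
    for when, event in run_session(scripted_camera(DEMO_TIMELINE), "alice", 300).events:
        print(f"t={when:3d}s {event}")
```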

What’s wrong with biometrics?
But there are also problems with the adoption of biometrics. Andrew Cardwell, again: “Biometrics are often seen as costly and overkill for most applications.” Remember the Nationwide ATM iris-scanning trials in Swindon? More than a decade ago (1998) trials of biometric access to building society ATMs were started and soon abandoned: too expensive, with too little business benefit.

“People also tend to distrust individuals or corporations holding biometric details on them and I think these two arguments are the main reasons for lack of take up,” he adds. Most people’s practical knowledge of biometrics is limited to police fingerprint databases and national identity registers – neither of which offers a very reassuring view on the use of the technology.

Phil Booth, the national co-ordinator for No2ID

Phil Booth, the national co-ordinator for No2ID (the organization that has led the fight against the National (biometric) Identity Register) thinks there is another problem: over-hyping by the industry. “‘Overclaiming’ or allowing others, say the Home Office, to overclaim for you is something I’ve been warning the industry about at the Biometrics conferences for several years now.” And right on cue comes an example: “In the future, whether it’s entering your home, opening your car, entering your workspace, getting a pharmacy prescription refilled, or having your medical records pulled up, everything will come off that unique key that is your iris,” said Jeff Carter, CDO of Global Rainmakers (August 2010). “Every person, place, and thing on this planet will be connected [to the iris biometric database system] within the next 10 years,” he said. Such claims, and similar claims that biometrics are infallible, are patently absurd; and do nothing to increase confidence in the technology.

Finally, we should mention another problem: the security of biometrics itself. With voice biometrics, could someone record your voice and use that? With facial biometrics could you fool the system with a mask – or your doppelgänger? With fingerprints, could an imprint fool the system? But even where ‘fooling’ the system isn’t an option, biometrics remains as susceptible to hacking as anything else. The template of the biometric used still has to be digitized and stored electronically; and it then becomes as open to alteration or misappropriation as any other stored data.

The future for biometrics
In essence, the arguments against the use of biometrics for the majority of current applications tend to outweigh the arguments in favour; and that, quite simply, is why biometrics are only used in specific niche areas (airports), or where mandated by a higher authority (passports). Is this, then, the future for biometrics: a nearly technology that remains a solution looking for the right problem?


Chuck Buffum, VP, Authentication Solutions, Nuance Communications

Possibly; but there are those who think not. Chuck Buffum, VP, Authentication Solutions, Mobile & Enterprise Division of Nuance Communications explains that “there is a new angle that is motivating biometrics in the enterprise, and making security people take a fresh look at it: banking.” Nuance has the platform that lies behind much of the world’s speech recognition technology that is increasingly used for voice-based user authentication. The demand is clear: mobile banking has exploded. “Over the last three or four years we have a new growth in the number of people doing telephone transactions. In the largest banking institutions it’s hundreds of millions of phone calls per year, and in many institutions it is tens of millions of phone calls per year. The risk exposure has shifted from the internet channel to the voice channel; and this has been the motivation for the banks to say we’ve got to find some way to make our telephone banking more secure.”

Nick Ogden was the original founder of WorldPay. He’s moved on, and now runs The Voice Commerce Group. “It’s very much what it says on the tin,” he explains, “looking at how the voice and the use of mobile phones and various other devices are going to change the way that we interact with a range of different services.”

VCG’s first product was VoicePay, which allows you to use your mobile phone to make a purchase. VoicePay “guarantees all payments made on an account against fraud or personal information loss and offers a simple and secure way to issue transactions.” The problem, explained Ogden, “is how do we know that it is Nick Ogden on the end of this phone and that Nick Ogden is authorizing us to make a payment on his behalf?”

Nick Ogden, Chairman and CEO of Voice Commerce Group

He started to look at voice biometrics. “Initially I was one of the biggest cynics of this technology – but we went and looked at a range of different suppliers and ended up partnering with a company called Nuance, who had developed a voice biometric platform. Interestingly, we found that not only did it work, it had never been hacked, even though Rory Bremner had tried to hack it – so I grew from being a cynic to a passionate adopter of this technology.

“One of the real benefits that voice biometrics has in identity and verification,” he continues, “is that it will work today on the 4.7 billion handsets that are in circulation because we don’t need to install any software – all we need is the ability for people to talk.” (In fact, mobile technology specialist Goode Intelligence believes that “by the end of 2010 there will be over 6.9 billion mobile phone subscribers in the world…”[3], and all of these will be able to use voice biometrics without any further hardware costs.) In most cases, of course, the same argument will apply to Manchester University’s facial biometric approach.

So what do we need to do to sell biometrics to the masses? Probably nothing. Probably it’s going to happen anyway, courtesy of mobile devices. Consider the comments of Ric Merrifield, sometimes known as the ‘Business Scientist’ at Microsoft: “Our mobile devices will be the ‘credit card’ of the future. You would ‘beam’ some information to the merchant about yourself (it could even be your PayPal account – which, at a restaurant you could include in your OpenTable reservation and skip the ‘beam’ step) they then transmit to you the amount you owe, you click some sort of ‘agree to pay’ button and that’s it. It would also ask you if you want to pay a gratuity, which you could also have pre-programmed to calculate percentages so you don’t have to do that math in your head after a glass of wine.”[4]

Nick Ogden is already working on this. “What we’re doing is designing systems whereby the consumer decides how much money, effectively cash, they’re going to put onto their mobile phone – let’s say £20 because I’m going into town and will want some coffee at Starbucks. With RFID ‘pay and wave’ capability – which might not meet the security rigours that some professionals might demand, but remember that this is just £20 and has to be as safe as the £20 note in my wallet – I can spend it straight off my phone.”

The banks will demand at least three-factor authentication for this process – and that means biometrics. Voice, and possibly facial biometrics in the future, are a particularly easy and inexpensive way of introducing the third factor to mobile devices. This will make biometrics finally acceptable: mobile banking will change biometrics from a cost without benefit to a positive enabler without cost.

Categories: All, Security Issues

Ransomware: Kaspersky’s David Emm explains the threat to small business and home users

December 5, 2010 Leave a comment

Rogueware, which is malware that pretends to be legitimate anti-virus software, is one of the biggest threats we currently face. Inherent in all rogueware is a hidden warning: if you don’t buy our software, you will continue to suffer from viruses and trojans. It’s a short step from the ‘buy our product for your security’ warning, to a ‘buy our product or else’ extortion.

But now the ‘threat as a by-product’ is morphing into pure blackmail: ransomware. It’s been around for a few years, but a recent Kaspersky blog highlights the return of GpCode-like ransomware, which makes no pretence to being legitimate: it encrypts your files and won’t let you have them back unless you pay a ransom.

We have received several reports from people around the world asking for help with infections very similar to the GpCode trojan that we detected in 2008…

As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive.
Blog entry

David Emm, senior security researcher, Kaspersky Lab

With the earlier versions Kaspersky managed, in some cases, to recover the data as well as remove the trojan. This time it’s more difficult. David Emm, senior security researcher at Kaspersky Lab, explained the basis of ransomware, and the difference between the earlier version and this new ransomware; and in particular why this new version is more dangerous.

“The GpCode trojan is one of the main examples of ransomware. It is code used to extort money from people. The way it works is to encrypt files on the computer: documents, presentations, spreadsheets, anything really. It encrypts them and then either pops up a message on the screen, or maybe just writes a text file to the disk, so that when the user notices he cannot access something, then he gets the message. It says something like ‘I’ve encrypted your data, and if you want to get it back, you’ll need to decrypt it; and that means sending me an email message.’ So you send the email message to the address given, and then whoever it is replies, ‘Right, well I can soon fix that and decrypt everything, but it will cost you…’

“The Trojan encrypts your files with 1024-bit RSA and AES 256 cryptography,” he said, both of which are pretty well uncrackable. “In the older versions, the code encrypted the files, and then deleted the originals. We didn’t crack the cryptography, we managed to recover the deleted files. So we could remove the trojan and recover the files. But this new version doesn’t work like that; and we haven’t yet found a way to recover any lost data.”

His advice is unchanged. “Their MO is that they prey on someone who is vulnerable – extortion, online or offline, always works like this – and the vulnerability in this case is that you don’t have a back-up of your data. So if you haven’t got back-up, and you find you cannot access your files, or you get a pop-up message or email telling you that payment of £10, €20, $50 or whatever will get you a decryption method, turn off your computer immediately and contact a reputable anti-virus company.” The more you use your system, the less likely it is that any deleted files can be recovered. The old method of recovery doesn’t work with this new ransomware; but the AV and data recovery companies might yet find an alternative solution.

Cure, of course, is never as good as prevention. “It’s the small businesses and home users that are going to suffer,” David explained. “In a medium-sized business or larger, anyone who gets infected can just go to the IT guys, and they’ll rebuild the system and data from the company back-ups. But small businesses and home users often don’t have any backup. And restoring from backup is the only way you can guarantee to get encrypted files back.”

Don’t wait to get caught by ransomware. If you do, it may be too late and your only choice will be to pay the criminals or lose your data. You need to:

  • behave securely in cyberspace to avoid infection;
  • use mainstream anti-virus to minimize infection;
  • keep adequate backups to recover from infection;
  • failing all of these, contact a mainstream anti-virus company in the event of infection.

Do not just rely on the last of these.


BLOG: The Golden Hour of Phishing Attacks

December 2, 2010 Leave a comment

Amit Klein, CTO at Trusteer, has an interesting blog on the incidence of successful phishing:

We recently conducted research into the attack potency and time-to-infection of email phishing attacks. One of our findings was eye-popping, namely, that 50 per cent of phishing victims’ credentials are harvested by cyber criminals within the first 60 minutes of phishing emails being received. Given that a typical phishing campaign takes at least one hour to be identified by IT security vendors, which doesn’t include the time required to take down the phishing Web site, we have dubbed the first 60 minutes of a phishing site’s existence [as] the critical ‘golden hour’.

Trusteer phishing graph

Trusteer’s solution is for the security industry to recognise and react to phishing campaigns with greater speed:

As an industry, our goal should be to reduce the time it takes for institutions to detect they are being targeted by a phishing attack from hours to within minutes of the first customer attempting to access a rogue phishing page. We also need to establish really quick feeds into browsers and other security tools, so that phishing filters can be updated much more quickly than they are today. This is the only way to swiftly takedown phishing websites, protect customers, and eliminate the golden hour.
Blog entry

But as users, we cannot simply rely on the industry to protect us. That is a dereliction of responsibility when we need to accept more, not less, personal responsibility for our behaviour online. Amit Klein is right – the industry needs to be as effective as possible. But just as the industry needs to block phishers, we as users need to ignore phishers.

There are two primary actions we can take. The first is increased security awareness; and that means continuous staff training. The second is to make it more difficult to be phished, by preventing the automatic running of scripts by our browsers. For example, Firefox users can install the NoScript add-on (see here for an interview with its developer, Giorgio Maone). Non-Firefox users should become Firefox users.


Categories: All, Blogs
