Archive for March, 2011

I think I probably got that wrong – an apology to Samsung

March 31, 2011

Oops. I might need to offer Samsung an apology…

It sort of struck me that it’s a bit silly trying to install a known keylogger and expect to get away with it. So I started to ask a few AV companies if their software would detect the ‘Samsung keylogger’. First to reply was Kaspersky:

Yes, it detects it. But there’s no certainty at this stage that it has been pre-installed by Samsung.

Kaspersky referred me to the Samsung statement:

The statements that Samsung installs keylogger on R525 and R540 laptop computers are false.

Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft’s Live Application for a key logging software, during a virus scan.

The confusion arose because VIPRE mistook Microsoft’s Live Application multi-language support folder, “SL” folder, as StarLogger.
http://www.samsungtomorrow.com/1071

That actually makes sense. A genuine false positive is a far more likely culprit than an incompetent conspiracy.

Just to demonstrate:

Firstly, the false positive from VIPRE:

VIPRE recognising Windows/SL as StarLogger

And now AVG2011 correctly recognising the StarLogger keylogger:

The confusion is between WINDOWS/SL and WINDOWS/SL/WINSL.EXE

AVG
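To make the folder-versus-file confusion concrete, here is an added example (my own illustration, not code from the original post and not the detection logic of VIPRE, AVG or Kaspersky). It contrasts a rule that fires on any directory called SL with one that only fires on a WINSL.EXE inside that directory whose hash matches. The file listings, file contents and the signature hash are all constructed for this example; the hash is of the constructed stand-in, not of any real sample.

```python
# Added example, not code from the original post nor from VIPRE, AVG or
# Kaspersky: it contrasts a detection rule that fires on a folder name with
# one that checks for the actual executable and its hash. All paths, file
# contents and the hash are constructed for this illustration.
import hashlib
from pathlib import PurePosixPath

# Constructed listing of a clean machine: the Windows Live multi-language
# folder "SL" exists but contains only language-pack files (invented names).
BENIGN_FS = {
    "C:/WINDOWS/SL/en-US/winlive.msi": b"constructed: Windows Live language pack",
    "C:/WINDOWS/system32/kernel32.dll": b"constructed: system file",
}

# Constructed listing of a machine where a stand-in for the keylogger binary
# sits at the path the post names (WINDOWS/SL/WINSL.EXE), next to the same
# benign language-pack file.
INFECTED_FS = {
    "C:/WINDOWS/SL/WINSL.EXE": b"constructed: stand-in for the StarLogger binary",
    "C:/WINDOWS/SL/en-US/winlive.msi": b"constructed: Windows Live language pack",
    "C:/WINDOWS/system32/kernel32.dll": b"constructed: system file",
}

# Hash of the constructed stand-in only; a real signature would carry the
# hash of the real sample, which this example does not have.
STARLOGGER_SHA256 = hashlib.sha256(INFECTED_FS["C:/WINDOWS/SL/WINSL.EXE"]).hexdigest()


def _parts(path: str) -> tuple:
    # Normalise Windows separators so PurePosixPath splits the path cleanly.
    return PurePosixPath(path.replace("\\", "/")).parts


def folder_name_rule(fs: dict) -> list:
    """Flag every file under a directory named SL (any case).

    This mimics the over-broad behaviour described in the post: the mere
    presence of a folder called SL is treated as evidence of StarLogger."""
    hits = []
    for path in fs:
        dirs = [p.upper() for p in _parts(path)[:-1]]
        if "SL" in dirs:
            hits.append(path)
    return sorted(hits)


def file_hash_rule(fs: dict) -> list:
    """Flag a file only if it is WINSL.EXE inside an SL folder *and* its
    SHA-256 matches the signature hash. The folder name alone never fires."""
    hits = []
    for path, content in fs.items():
        parts = _parts(path)
        in_sl_dir = "SL" in [p.upper() for p in parts[:-1]]
        is_winsl = parts[-1].upper() == "WINSL.EXE"
        if in_sl_dir and is_winsl and hashlib.sha256(content).hexdigest() == STARLOGGER_SHA256:
            hits.append(path)
    return sorted(hits)


def verdict(fs: dict) -> dict:
    """Run both rules over one listing and report what each would flag."""
    return {
        "folder_name_rule": folder_name_rule(fs),
        "file_hash_rule": file_hash_rule(fs),
    }


if __name__ == "__main__":
    for label, fs in (("clean machine", BENIGN_FS), ("infected machine", INFECTED_FS)):
        print(label, verdict(fs))
```

On the clean listing the folder-name rule flags the language-pack file (the false positive), while the file-and-hash rule flags nothing; on the infected listing the folder-name rule flags both the stand-in binary and the innocent language-pack file beside it, whereas the file-and-hash rule flags only WINSL.EXE.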

Categories: All, Security News

Factory farming our kids – or the EU and education

March 30, 2011

Laugh or cry? If you’re not sure, just ask the EU. I’m sure it will tell you which way you should be thinking.

Education Ministers discussed active citizenship education, and related educational policy objectives… Minister of State Rózsa Hoffmann pointed out, “We must answer the question of whether our educational systems prepare the youth appropriately, to become active and responsible citizens.”

Whatever happened to education as a way of preparing youngsters for a fulfilling life? Now apparently education is designed to make good little European Citizens. Midwich Cuckoos?

The Minister of State for Education of the Ministry of National Resources stressed: the purpose of citizenship education is to teach students to think, and responsibly participate in economic, political, social and cultural life.

There was me thinking that the purpose of education was to teach us about Kafka; not to emulate his Castle. Now, all line up neatly and repeat after me: Credo in unum EU, EC omnipoténtem, factorem cæli et terræ, visibílium ómnium et invisibílium.

Still, we shouldn’t really have too much sympathy for our youth; after all, the current world economic crisis is entirely their fault:

The Minister of State did not conceal her opinion that “Perhaps the global economic crisis could have been less severe, if the youths had adopted a more conscious attitude to decision-making.”

We haven’t bequeathed our kids years of debt, because it was them as did it to us! Honestly, I’m not making up any of this. Please stop the world: I want to get off…

Youths need active citizenship education

Categories: All, General Rants, Politics

Buy a Samsung, get a free keylogger

March 30, 2011 2 comments

There is a short report of Samsung pre-installing spyware on its own laptops before sale:

In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.
Samsung responds to installation of keylogger on its laptop computers

The report adds:

Samsung’s conduct may be illegal; even if it is eventually ruled legal by the courts, the issue has legal, ethical, and privacy implications for both the businesses and individuals who may purchase and use Samsung laptops. Samsung could also be liable should the vast amount of information collected through StarLogger fall into the wrong hands.

Frankly, I cannot see how this could possibly be anything but illegal in the EU. The report, however, doesn’t say whether this is worldwide or just North American – so clearly we need to know more. Frankly, I hope that the FTC in the States and the EDPS in the EU stamp very hard on Samsung. This is simply unacceptable.

What I can say for certain, however, is that the Samsung R540 I was looking at is now not going to happen. Ever.

Categories: All, Security News

EU-US Negotiations on an agreement to protect personal information exchanged in the context of fighting crime and terrorism…

March 30, 2011

Yesterday, Viviane Reding, Vice-President of the European Commission, announced:

Today the European Union and the United States opened negotiations on an agreement to protect personal information exchanged in the context of fighting crime and terrorism. The negotiations will build on our longstanding, robust cooperation and agreements in this area. The United States and the European Union are committed to ensuring a high level of protection of personal information, while fighting crime and terrorism. The United States and the European Union are strongly determined to reach without delay an agreement that will advance our mutual goals.
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/203

This needs to be watched very closely – especially since just a day earlier Peter Hustinx (the European Data Protection Supervisor) had announced his dissatisfaction over Passenger Name Record (PNR) information being disclosed between EU members.

55. …He is however obliged to observe that the essential prerequisite to any development of a PNR scheme – i.e. compliance with necessity and proportionality principles – is not met in the Proposal. The EDPS recalls that in his view, PNR data could certainly be necessary for law enforcement purposes in specific cases and meet data protection requirements. It is their use in a systematic and indiscriminate way, with regard to all passengers, which raises specific concerns.

56. The Impact Assessment gives elements aiming at justifying the need for PNR data to fight against crime, but the nature of this information is too general, and it fails to support the large scale processing of PNR data for intelligence purposes. In the view of the EDPS, the only measure compliant with data protection requirements would be the use of PNR-data on a case-by-case basis, when there is a serious threat established by concrete indicators.
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-03-25_PNR_EN.pdf

If we can’t protect personal data amongst ourselves, how on earth are we going to stop the USA demanding and getting far more? “Air passengers’ personal data could certainly be necessary for law enforcement purposes in targeted cases, when there is a serious threat supported by concrete indicators. It is their use in a systematic and indiscriminate way, with regard to all passengers, which raises specific concerns,” said Hustinx. And we all know that the US authorities are renowned for declining to use their personal databases in a systematic and indiscriminate manner.

My bet is that there will be a lot of huffing and puffing, and pretending to get what we (the European citizen) wants; but America will eventually get all that it seeks simply because it is America and is supported (through national interest) by most of the individual national governments in Europe. We will be told by the Vice-President of the European Commission that our personal data is protected – but it won’t be.

Categories: All, Politics

The Judiciary and the Media – by the Lord Chief Justice of England & Wales

March 29, 2011

The Lord Chief Justice of England and Wales, Lord Judge, has been talking about The Judiciary and the Media. He says:

My overwhelming belief is that the most emphatic feature of the relationship between the judiciary and the media is that the independence of the judiciary and the independence of the media are both fundamental to the continued exercise, and indeed the survival of the liberties which we sometimes take for granted.

Oh, how right he is!

As far as I can discover, there never has been, and there is no community in the world in which an independent press flourishes while the judiciary is subservient to the executive or government, or where an independent judiciary is allowed to perform its true constitutional function while, at the same time, the press is fettered by the executive.

Oh, how misleading this is!

To a large extent this speech is about how new technology is affecting the media, and how that is affecting justice through the courts. It’s interesting but misleading: misleading because it is entirely predicated on two false assumptions. Firstly, that we have an independent judiciary. And secondly, that we have an independent press.

It’s true that neither are hamstrung by excessive legal restrictions. In that sense they are both independent. But legal restriction is not the traditional (traditional in the conservative – with both a big and little ‘c’) way we do things in Britain. The socialist way is to impose laws against everything. The conservative way – and Britain is a conservative country by nature – is to manipulate.

Both the media and the judiciary are under the control of the executive in the good old-fashioned British way: patronage, favour and bullying.

The future of freedom is no longer dependent upon the independence and freedom of the judiciary and the press – those are both long gone. The future of freedom is dependent upon the independence and freedom of the internet; the home of the individual blogger, tweeter and rebel not yet swayed by patronage and bullying.

That is why governments around the world seek to control the internet. Not because of terrorism and pedophiles and organised crime; but because it weakens executive control over the people. And that is why we must fight for net neutrality and keep it out of the hands of the executive and government lackeys.

The Judiciary and the Media
Speech by Lord Judge, Lord Chief Justice of England and Wales

VigilancePro – a new approach to cloud security

March 29, 2011

A conversation with Ed Macnair, chief executive officer of Overtis

Ed Macnair, CEO, Overtis

“The challenge for companies moving into the cloud,” says Ed Macnair, CEO of Overtis, “is that the traditional IT model gets turned upside down and inside out. We’re outsourcing data; but we’re also outsourcing responsibility.” That gives us two problems: we lose control of our data; and we lose control of who can access it.

The first is because we no longer know where that data resides. “Most of the big SaaS players are American – so if we use them we’ve got the whole EU Data Protection thing to worry about.” The problem with the cloud is that the more we use it and the more we maximise the value we get from it, the more we abdicate control. And without that control we can be neither secure nor compliant.

The second problem is exacerbated by the new wave of consumerisation within computing. “The security officers I speak to,” says Ed, “are having kittens because employees are demanding, not asking but demanding, to be able to use their own devices. And it’s being allowed – which makes good business sense in a lot of areas. But we now have this plethora of different devices – iPhones and iPads, Androids, netbooks, Mobile 7 and more – all accessing our corporate data from we don’t know where. And how do we control that? And how do we know who’s holding those different devices?”

The traditional silo model for security, says Ed, has failed. “The silo model is all about point products. We can have email security products and web security products, and a firewall and our intrusion detection and prevention systems; and they can all only look at their own specific area. But they don’t understand the user. SIM and SEM try to paper over the cracks but still don’t provide end-to-end visibility of what the user is doing.” If silo doesn’t work in traditional computing, how on earth will it work in cloud computing?

Ed’s new product (VigilancePro Web Application Manager) takes a fresh approach. To get security in this new world, he says, “we have to invest security into the browser.” It’s the only common point across all the different access devices and all the different data locations. “And that’s what we’re doing,” he says. “VigilancePro is a secure browser plug-in currently available for Internet Explorer and Firefox (with Safari to follow soon).”

The basic premise of this new product is that the user doesn’t know and doesn’t need to know his or her own secure log-in credentials – it’s all managed by the plug-in. “A new user coming into the organisation gets sent a link to a site from where he or she downloads and installs the browser plug-in. That browser plug-in has the user credentials and the user permissions that control which applications can be used and what can be done with them.” Complete security provisioning in a single step. “By logging into the browser plug-in, the plug-in automatically logs the user into all the web applications he or she is entitled to use. It doesn’t bypass any strong two factor authentication, it simply acts as a secure single sign-on to all the web applications that the user is entitled to use. And the plug-in has to be present before the user can access those applications.”

Needless to say, de-provisioning is just as easy. “Revocation is done centrally,” says Ed. “If someone leaves the company, a link to Active Directory decommissions the plug-in; and the user loses all access to the restricted areas.”

But useful as this is, it would be very wrong to think of VigilancePro as just a single sign-on system. Since it lies at the heart of the browser, it can provide tight control over what can be done via that browser; and detailed reporting on what has been done. “By implementing this as a browser plug-in, we not only get web single sign-on, but we get really granular management of all interactivity between the user and the web application – a full audit trail as to which page the user went to, and what he or she did on that page. But we also have the ability to block and actually prevent certain actions. We can control access to any tab, any URL or any view on a web page; and we can control the use of any HTML component. We can control any of the browser menu options – such as export, print, copy, cut, save as, and so on; and we have the ability to mask any regulated or sensitive data. We think this is a complete game-changer. So far we’ve been trying to manage identity in the cloud – but now we can manage user activity in the cloud.”

VigilancePro in action - masking data and hiding tabs

The problem with the cloud is that you cannot secure your data because you don’t know where it is. Nor can you secure the users because you don’t know who they are. But you can secure the channel used by the users to get to the data. That channel invariably goes through the browser. Control the browser and you can control the user. Control the user, and it doesn’t matter where the data resides. In short, by controlling the browser you can get both security and compliance (this is not legal advice!) in the cloud. Almost all public cloud computing is done via the browser. Add security to the browser and you secure almost all public cloud computing.

Overtis

Categories: All, Security News

All in all just another brick in the wall

March 27, 2011 2 comments

I am ashamed to say that it took a Trades Union objection to alert me to this: the Education Bill. According to the BBC, NASUWT (National Association of Schoolmasters/Union of Women Teachers) general secretary Chris Keates said:

“The extra powers in the bill to search and confiscate and dispose of electronic equipment and data are disproportionate powers that teachers don’t really want, and actually could cause more conflict and more problems for schools rather than actually tackling discipline.

“In many respects they are reckless and they are putting teachers into confrontation with parents and with children and young people.”
NASUWT teaching union attacks school phone powers

So what’s this about? Well, according to the Bill itself:

(6E)   The person [eg, a teacher] who seized the item [eg, 'an electronic device' belonging to a pupil] may examine any data or files on the device, if the person thinks there is a good reason to do so.

(6F)   Following an examination under subsection (6E), if the person has decided to return the item to its owner, retain it or dispose of it, the person may erase any data or files from the device if the person thinks there is a good reason to do so.
Education Bill

What this means is that if a teacher finds a mobile phone (or an iPod or a tablet) on a pupil, that teacher can confiscate the device and examine any personal files it contains. Said teacher can then either delete the files or even destroy the device. That’s what it says. And it is a long time since I heard such a ridiculous, authoritarian, draconian, illiberal, high-handed and utterly absurd suggestion.

If a pupil is misusing an electronic device at school – confiscate it. Give it back at the school gates at the end of the day. But for God’s sake, Gove, you cannot really think you have the right to spy on young people’s personal data, to delete that data and even destroy the device? Next time you look at the Education Bill, have half a mind on the Freedom Bill.

And in the meantime, kids, you better look into two factor authentication to control access to your phones; and encryption to protect what you’ve got on them.

Categories: All, Politics, Security Issues

The police love affair with the DNA database

March 23, 2011

Police warning: Rapists ‘to go free’ under DNA reform. Police chief warns 1,000 crimes a year, including murders and rapes, could go unsolved…

That’s the headline from The Times online. I couldn’t read any more because I’m neither a subscriber nor stupid. (Memo to Murdoch: why would I pay money to read police propaganda?) GeneWatch (biased, I know – but with the same bias I already have) comments on this report:

Today’s Times report was based on a statement by Chief Constable Sims about the number of matches with crime scene DNA that would be lost if innocent people’s DNA records are taken off the database. The figures are exaggerated because they are based on a false assumption that innocent people are as likely to commit future offences as people convicted of serious or multiple offences: in fact about eight out of ten offences are committed by a small number of repeat offenders. They are also estimates of database matches not convictions: only about a quarter of matches lead to convictions. Less than one per cent of crimes involving a DNA match are rapes and most rapes involve disputes about consent that cannot be resolved using DNA.

Sims was giving evidence to the committee of MPs considering the Protection of Freedoms Bill. GeneWatch subsequently also gave evidence, and comments:

The Bill will remove an estimated one million innocent people’s DNA and fingerprint records from police databases, including about 100,000 innocent children’s records. People accused but not convicted of minor offences will have their records removed at the end of an investigation, but the police will be allowed to keep the DNA and fingerprint records of some people accused but not convicted of serious offences for up to five years after their arrest. The proposals are similar to the current law in Scotland which is supported by the Scottish police. Everyone who is added to the database will have their DNA profile compared with all past crime scene DNA profiles and only be removed if they have not committed any of these offences.

Furthermore, GeneWatch believes that “perhaps as few as a dozen crimes a year are likely to have delayed or lost convictions as a result of the new law. These are not murders and rapes but volume crimes such as thefts and burglaries.” Most independent analyses suggest that very few crimes are ever solved by DNA, and very few criminals are convicted because of it. So why are we including DNA records of a 12-year-old schoolboy arrested for allegedly stealing a pack of Pokemon cards; a grandmother arrested for failing to return a football kicked into her garden; a ten-year-old victim of bullying who had a false accusation made against her; a 14-year-old girl arrested for allegedly pinging another girl’s bra; a 13-year-old who hit a police car with a snowball, and on and on?

Frankly I’m not sure which worries me most: that such a database ever came into existence, or that our police force wishes to cling on to it.

Categories: All, Politics

Defence Cyber Operations Group and the Ministry of Attack

March 18, 2011 2 comments

In the world of Doublespeak, Government is always the greatest linguistic operative; and the defence of the realm a happy hunting ground. First and foremost is the Ministry of Defence, which should really be called the Ministry of Attack. Just look at recent history.

But now we have a new title for a new organization: Head of the Defence Cyber Security Group. The Minister of State for the Armed Forces, Nick Harvey, has announced that the post will be given to a high ranking military figure. This makes little sense to me. Our military tends to occupy foreign streets; it is the police who defend our own streets.

Perhaps we need to consider the speech Harvey gave last November. The new Group would “also be responsible for developing, testing and validating cyber techniques as a complement to traditional military capabilities.” In other words, with typical Doublespeak, this new Defence Cyber Operations Group is actually an Attack Group.

I’m not saying that the UK should not have offensive cyber capabilities; but I am saying it should not be so closely allied to the Ministry of Attack. That’s a bit worrying.

If, for example, we were able to switch off the lights for a window of opportunity, then this would provide decision makers with greater options.

Those lights could just as easily be our own. I would be far happier if the head of this new Defence Cyber Security Group were to be a leading security academic with a genuine understanding of cyber defence, than a high ranking military figure with offensive training – and I would like some guarantee that any offensive cyber capabilities will not be used against UK citizens without at least some form of judicial oversight.

Categories: All, Politics, Security Issues

The inexorable and execrable march of government intrusion into our privacy

March 12, 2011

On 11 March, according to the EFF

A federal magistrate judge in Virginia ruled today that the government can collect the private records of three Twitter users as part of its investigation related to WikiLeaks, and that those users and the public can be prevented from seeing some of the documents that the government submitted to the court to justify obtaining their records.

Firstly I find it deeply worrying that the government of the Land of the Free is able to conduct so much personal intrusion in secret. And secondly, I find it intensely arrogant that one country can demand the private information of a legally elected representative of the people of another nation (one of the three, Birgitta Jonsdottir, is an Icelandic parliamentarian).

“This ruling gives the government the ability to secretly amass private information related to individuals’ Internet communications. Except in extraordinary circumstances, the government should not be able to obtain this information in secret. That’s not how our system works,” said Aden Fine, staff attorney with the ACLU Speech, Privacy, and Technology Project. “If this ruling stands, our client may be prevented from challenging the government’s requests to other companies because she might never know if and how many other companies have been ordered to turn over information about her.”

Even more worrying, we might never have known about this had not Twitter specifically warned its users about what was happening. Had it been just Facebook, the government would more than likely have got its way in secret.

Bit by bit, democratic governments are reasserting the control over us that the internet briefly, all too briefly, loosened.

EFF: Court Rules Against Privacy in Battle Over Twitter Record

Categories: All, Security Issues