Archive for November, 2012

PRWeb gets it wrong twice; TechCrunch gets it wrong once – and right once

November 27, 2012

PRWeb distributed a press release stating that Google had acquired ICOA. TechCrunch ran a story on it. ICOA’s share price went through the roof. But the release was false, and both were wrong to run with it.

We all make mistakes. Years ago when I was running ITsecurity.com I ran a news story on 1 April – I’d lost track of the date and fell for a cleverly phrased hoax. It happens. It’s what you do next that matters.

PRWeb issued a statement:

PRWeb transmitted a press release for ICOA that we have since learned was fraudulent. The release was not issued or authorized by ICOA. Vocus reviews all press releases and follows an internal process designed to maintain the integrity of the releases we send out every day. Even with reasonable safeguards identity theft occurs, on occasion, across all of the major wire services. We have removed the fraudulent release and turned the matter over to the proper authorities for further investigation.

That little word ‘sorry’ is soooooo hard to say. Instead, PRWeb removed the evidence, blamed the criminal, and spread the problem ‘across all of the major wire services’: it wasn’t really their fault. Bad show.

TechCrunch, however, left its original story intact, with an update saying:

We were wrong on this post, for not following up with Google and the other company involved but posting rather than… waiting on a solid confirmation beforehand from either source. We apologize to our readers, to the companies involved, and we’ll be sure to act in a more responsible manner for future stories…

but couldn’t quite resist adding a short stab at PRWeb:

rather than trusting the word of a website that doesn’t necessarily hold itself up to any journalistic standards.

Good show – well, 99% good show diminished only slightly by the quick stab at PRWeb.

So, all in all, kudos to TechCrunch for owning up to the mistake, apologising, and not trying to hide it. Shame on PRWeb for trying to avoid its responsibility – and especially for removing the offending fraudulent release. It happened. No true journalist would try to change history.

Which just leaves one small point. Who did it, and why? Was it a simple hoax or an elaborate share fraud? I guess the financial authorities will be poring over the details of who sold shares in ICOA when the price was high…

Categories: All

GCHQ and Southampton University – a partnership made in hell

November 26, 2012

ZDNet has a brief story about GCHQ which only goes to show how little GCHQ understands about business and security. The UK’s primary electronic spy agency is partnering with Southampton University to develop better biometric security. “GCHQ,” says the report, “will be working closely with the University of Southampton’s new research hub on issues facing UK security, such as human identification and data privacy in a bid to help protect the country from cyberattacks.”

That’s good. Biometric access control at the door will stop people getting into secure facilities; biometric access at the keyboard will stop bad actors accessing the networks. So what are they working on? Fingerprints? Iris? Facial or vocal recognition? Hand scans? Finger vein prints? Any of those might work.

No. According to the report, “The new thing we’re looking at is soft biometrics,” said Professor Mark Nixon, an academic at the university, working in the new cybersecurity centre. “You can describe someone as tall, thin, or fat and then use that information to retrieve people from a video.”

“The two main themes we are looking at are data privacy and identity management,” added Professor Vladimiro Sassone.

This is where I think I need to explain some basic security facts to GCHQ: the second statement simply does not follow from the first. Unless you are videoing everybody in the country at all times (to catch the mobile cyberterrorist on his tablet in the street), and also hold a video record of everybody in the country, along with details of who they are, to compare him or her against, then this is not going to work.

Unless… you don’t think… oh shit.

Categories: All, Politics, Security Issues

The evolution of a hack – South Carolina hack analysed by Mandiant

November 21, 2012

In late October the South Carolina Department of Revenue disclosed that it had been hacked, and that 3.6 million social security numbers together with 387,000 bank card details (many unencrypted) had been stolen. (My report on Infosecurity Magazine is here.) A law enforcement agency, thought to be the Secret Service, notified the Department and recommended that Mandiant be brought in to clear things up.

Mandiant has now published a Public Incident Response Report, including a step-by-step history of the hack itself. The whole report (it’s really quite short) is worth reading; but the history of the hack should be required reading for all students of security:

  • August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.
  • August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials. The credentials used belonged to one of the users who had received and opened the malicious email on August 13, 2012. The attacker used the Citrix portal to log into the user’s workstation and then leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials.
  • August 29, 2012: The attacker executed utilities designed to obtain user account passwords on six servers.
  • September 1, 2012: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed malicious software (“backdoor”) on one server.
  • September 2, 2012: The attacker interacted with twenty one servers using a compromised account and performed reconnaissance activities. The attacker also authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
  • September 3, 2012: The attacker interacted with eight servers using a compromised account and performed reconnaissance activities. The attacker again authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
  • September 4, 2012: The attacker interacted with six systems using a compromised account and performed reconnaissance activities.
  • September 5 – 10, 2012: No evidence of attacker activity was identified.
  • September 11, 2012: The attacker interacted with three systems using a compromised account and performed reconnaissance activities.
  • September 12, 2012: The attacker copied database backup files to a staging directory.
  • September 13 and 14, 2012: The attacker compressed the database backup files into fourteen (of the fifteen total) encrypted 7-zip archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.
  • September 15, 2012: The attacker interacted with ten systems using a compromised account and performed reconnaissance activities.
  • September 16, 2012 – October 16, 2012: No evidence of attacker activity was identified.
  • October 17, 2012: The attacker checked connectivity to a server using the backdoor previously installed on September 1, 2012. No evidence of additional activity was discovered.
  • October 19 and 20, 2012: The Department of Revenue executed remediation activities based on short term recommendations provided by Mandiant. The intent of the remediation activities was to remove the attacker’s access to the environment and detect a recompromise.
  • October 21, 2012 – Present: No evidence of related malicious activity post-remediation has been discovered.
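What strikes a defender about that timeline is how ordinary each step looks in isolation: a real account logging in through the real remote-access portal, that account touching a handful of servers, a backup being copied and zipped. What would have given the game away is the combination. Below is an added example, written for this post and not taken from the Mandiant report or from any Department of Revenue system, that correlates a constructed event log shaped after the timeline. The host names, account names, IP addresses and event categories (“cred_dump”, “archive_create” and so on) are all assumptions; you would map your own telemetry (Windows security logs, EDR, proxy and firewall logs) onto those categories.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the Mandiant report), shaped after the
# timeline above: a phished account, a remote-access login with that account,
# password dumping on several servers, a second account fanning out across
# many servers in one day, and backups staged, archived, sent out and deleted.
# Fields: timestamp, host, user, category, detail. Every name is an assumption.
SAMPLE_EVENTS = [
    ("2012-08-13 10:02", "ws-jdoe",   "jdoe",    "phish_click",       "link in email"),
    ("2012-08-27 09:12", "citrix-gw", "jdoe",    "remote_login",      "src=203.0.113.7"),
    ("2012-08-27 09:20", "ws-jdoe",   "jdoe",    "logon",             "via citrix"),
    ("2012-08-27 09:41", "db-01",     "jdoe",    "logon",             "sql client"),
    ("2012-08-29 22:05", "srv-01",    "jdoe",    "cred_dump",         "lsass memory read"),
    ("2012-08-29 22:06", "srv-02",    "jdoe",    "cred_dump",         "lsass memory read"),
    ("2012-08-29 22:07", "srv-03",    "jdoe",    "cred_dump",         "lsass memory read"),
    ("2012-09-01 23:30", "dc-01",     "svc-bak", "cred_dump",         "all domain accounts"),
    ("2012-09-01 23:45", "srv-07",    "svc-bak", "service_install",   "backdoor"),
    ("2012-09-12 02:10", "db-01",     "svc-bak", "file_copy",         "*.bak -> C:\\staging"),
    ("2012-09-13 02:30", "db-01",     "svc-bak", "archive_create",    "14 encrypted 7z files"),
    ("2012-09-13 03:10", "srv-07",    "svc-bak", "outbound_transfer", "dst=198.51.100.9"),
    ("2012-09-14 03:40", "db-01",     "svc-bak", "file_delete",       "staging dir + archives"),
    ("2012-10-17 11:00", "srv-07",    "svc-bak", "beacon",            "backdoor check-in"),
]
# Reconnaissance fan-out on 2 September: nine servers in nine hours.
SAMPLE_EVENTS += [
    (f"2012-09-02 {h:02d}:00", f"srv-{h + 10}", "svc-bak", "logon", "recon")
    for h in range(1, 10)
]

def parse(events):
    """Sort raw tuples by time and turn the timestamp into a datetime."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), host, user, cat, detail)
        for ts, host, user, cat, detail in events
    )

def cred_dump_spread(events, min_hosts=2):
    """Accounts that ran a password-dumping utility on at least min_hosts hosts."""
    hosts = defaultdict(set)
    for _, host, user, cat, _ in events:
        if cat == "cred_dump":
            hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

def lateral_fanout(events, max_hosts=5, window=timedelta(hours=24)):
    """Accounts that logged on to more than max_hosts distinct hosts in one window."""
    logons = defaultdict(list)
    for ts, host, user, cat, _ in events:
        if cat in ("logon", "remote_login"):
            logons[user].append((ts, host))
    alerts = []
    for user, seq in logons.items():          # seq is time-ordered (parse sorted it)
        for i, (start, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts.append((user, start.date().isoformat(), len(hosts)))
                break                          # one alert per account is enough
    return alerts

# The exfiltration pattern of 12-14 September: stage, compress, send, clean up.
CHAIN = ("file_copy", "archive_create", "outbound_transfer", "file_delete")

def staging_to_exfil(events, window=timedelta(days=3)):
    """Accounts whose events contain CHAIN in order, all within `window`."""
    by_user = defaultdict(list)
    for ts, _, user, cat, _ in events:
        by_user[user].append((ts, cat))
    hits = []
    for user, seq in by_user.items():
        idx, first = 0, None
        for ts, cat in seq:
            if first is not None and ts - first > window:
                idx, first = 0, None           # chain too slow; start again
            if cat == CHAIN[idx]:
                first = ts if first is None else first
                idx += 1
                if idx == len(CHAIN):
                    hits.append((user, first.date().isoformat()))
                    break
    return hits

def dwell_and_gaps(events, min_gap=timedelta(days=5)):
    """Days from first to last attacker event, and quiet stretches of min_gap or more."""
    times = [e[0] for e in events]
    gaps = [(a.date().isoformat(), b.date().isoformat())
            for a, b in zip(times, times[1:]) if b - a >= min_gap]
    return (times[-1] - times[0]).days, gaps

if __name__ == "__main__":
    ev = parse(SAMPLE_EVENTS)
    print("password dumping spread :", cred_dump_spread(ev))
    print("lateral fan-out         :", lateral_fanout(ev))
    print("stage/compress/send/del :", staging_to_exfil(ev))
    print("dwell days, quiet gaps  :", dwell_and_gaps(ev))
```

Run as a script it reports the three patterns and a dwell time of 65 days with three quiet gaps, which is the other lesson of the timeline: the attacker went silent for six days and then for a month, so any detection that only looks at the last week of logs, or any retention policy shorter than a few months, would have missed the chain entirely.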

Bugger democracy

November 19, 2012

Speaking to the CBI today, Big Dave let slip two things: that despite his Oxford education he lacks an Oxford education; and that he’s an authoritarian at heart.

Let’s get rid of the education bit first. Suggesting that his government had been both tough and radical, he added, “But there’s something else you desperately need from us, and that’s speed because in this global race you are quick or you’re dead.” Boris, several notches up on the IQ ladder, would never make this mistake: you can never, ever be anything but either quick or dead – and I suggest Big Dave revisits Oxford (sans Bullingdon) to understand the true meaning of ‘quick’.

Real live hint from Merriam-Webster:

[Image: Merriam-Webster entry showing the root meaning of ‘quick’]

The second issue is just as worrying. Big Dave wants to limit the use of judicial reviews in order to make business more streamlined.

The Minister stands on a platform like this and announces a plan; then that plan goes through a three-month consultation period; there are impact assessments along the way, and probably some judicial reviews to clog things up further.

So one of the things he’s going to do is cut back on judicial reviews to make business more lively. That, my dear, is a non sequitur (in my day, but not I think in Dave’s, you had to have Latin to get into Oxford – dumbing down started a lot earlier and spread a lot further than they like to pretend). Since two-thirds of judicial reviews relate to asylum and immigration, and they all tend to concern the fairness of procedures rather than the implementation of proposals, it will do little to streamline The Minister’s plans. What it will do, of course, is limit the embarrassment of the courts ruling against the government when The Minister does more than, or something different from, what he planned.

Now, just in case it’s not clear where he’s going on this, the next thing he is going to do is reduce government consultations. So, firstly he’s going to ask our opinion less frequently whenever The Minister wants to build a high-speed rail link through our living room; and then, when he builds a four lane motorway through the kitchen as well, we are going to find it much harder to get a judicial review into the misuse of planning agreements by The Minister.

All of this is in the name of streamlined business – or in the immortal words of the Bard when King Lear explained his actions, “Bugger democracy”.

Categories: All, Politics

Google bashing in Europe: politics or business?

November 18, 2012

Later this week Jeff Gould, the president of SafeGov.org, will publish an article titled ‘European privacy ruling has far-reaching implications for Google Apps in Europe’. It discusses the recent findings of the Article 29 Working Party (the EU’s data protection working party), led by the French CNIL (the equivalent of the UK’s ICO), on Google’s new privacy policy, and argues,

If fully applied, the ruling could effectively shut down deployments of Google Apps by European governments, schools and enterprises, at least until Google makes the changes the EU regulators are seeking.

This raises a number of other questions – for example, is the European Commission’s love affair with the cloud heading for an impasse with its own regulators? Back in September the EC issued a ‘communication’, Unleashing the Potential of Cloud Computing in Europe. It concluded with a call

upon Member States to embrace the potential of cloud computing. Member States should develop public sector cloud use based on common approaches that raise performance and trust, while driving down costs. Active participation in the European Cloud Partnership and deployment of its results will be crucial.

Last week, ENISA published an excellent overview, ‘Privacy considerations of online behavioural tracking’, which I thoroughly recommend. It tries to draw a distinction between behavioural tracking and behavioural advertising; but in reality this is probably a technical rather than a practical separation. This is likely to become the crux of Europe’s problem: it wants to maximise the cloud, accepts that it must allow commercialisation, but politically needs to ensure privacy – and the two things might simply be incompatible. As Peter Hustinx, the European Data Protection Supervisor, said in his Opinion on Friday,

the use of cloud computing services cannot justify a lowering of data protection standards as compared to those applicable to conventional data processing operations.

In other words, as of right now, the EC’s desire to unleash the potential of cloud computing is incompatible with the need to maintain existing data protection standards. But we needn’t worry too much: it will all, as King John might have said, come out in the wash. Big business will give a little, the regulators will give a little, and the EC will twist and squirm a lot – and we’ll all be able to use the cloud happily.

The question is, will it be with Google? That’s the second issue coming from the Article 29 working party: has Europe got it in for Google? In October, Ars Technica commented:

The French seem to have an appetite for regulating the Internet, and for going after Google in particular. A new proposed law would force Google to make payments when French media show up in news searches; but Google has responded, in a letter to French ministers, that it “cannot accept” such a solution and would simply remove French media sites from its searches.

Two weeks later, Le Canard Enchaîné reported that France had made a €1 billion tax claim against Google and was using this as a bargaining chip in the newspaper content dispute. France, of course, with its current socialist government, likes to tax everything that moves – but as one of the key movers and shakers within the EU, you have to wonder if it is merely spearheading a wider European antipathy; and if so, where does this come from?

Well, again back in October, Henrik Alexandersson [a ‘Swedish libertarian, working for the Pirate Party in the European Parliament’] attended a luncheon seminar organized by ICOMP, the Initiative for a Competitive Online Marketplace (funded, it would seem, by Microsoft).

However, already when we received the seminar documents at the entrance – we realized that this really was something else: A Microsoft-funded Google Bashing lunch.

Google Bashing is a very popular sport in the EU, these days.

Alexandersson was so annoyed by the initial talk by “one of Microsoft’s lawyers, Pamela Jones Harbour… speaking about everything that Google does wrong,” that he and his party got up and left. But privacy, he says,

is not what Google Bashing in Brussels is about. Here it is rather a question of a number of Google’s competitors trying to whip up political criticism, for business reasons. They simply don’t like that Google more or less own the search market.

So here’s a thought. Is the anti-Google sentiment in Europe ‘politics exploited by business’, or ‘business exploited by politics’? It’s a moot point. Either way, Google should be in no doubt that it has powerful adversaries in Europe.

Categories: All, Politics

FUD marketing: a stick generated by the industry and wielded by governments

November 15, 2012

One of the things that worries me is the steady stream of inflated or unprovable statistics showing how dire the cyber threat has become. I am not alone in this concern. Ross Anderson and his team at the Cambridge University Computer Lab famously objected to statistics prepared by Detica for the Cabinet Office. On being invited by the Ministry of Defence to come up with their own defensible statistics, they produced a report showing that, statistically, government would achieve much better security by catching the crooks than by buying ever more expensive and sophisticated security systems.

But government doesn’t want to do that. As far as government is concerned, security is achieved by control. Having control of the internet and control over the internet’s users will provide the security they want (and the megalomaniac satisfaction they crave).

It is made worse by a huge security industry that can only survive if we buy its products. And the more afraid we are, the more money we will spend and the richer they will get.

So the poor bloody user is caught in an inescapable pincer: both government and industry want us to be afraid – and horrific statistics and hyped-up warnings, created by industry and spread by government, will do just that.

Here’s an announcement that came out the other day from NCC. Headline: “Hacking attempts to exceed one billion in the final quarter of 2012”. That’s pretty scary.

Rob Cotton, CEO of NCC Group, comments later in the announcement,

We’ve had copious initiatives and plans announced in the last quarter from bodies and governments aimed at addressing this issue, but the urgency just doesn’t seem to correlate with the growing threat… but these initiatives alone are not going to solve the problem. Public and private sector must work together, strategically and tactically, if we are going to be able to realistically defend against a billion hacks a quarter.

Notice two things: first, that government initiatives (including, I assume, the Communications Bill and GCHQ’s Incident Response Scheme and the Digital Economy Act and RIPA and Baroness Howe’s internet censorship – and that’s just in the UK) are apparently not yet enough; and second, that the hacking has suddenly morphed from ‘attempts’ in the headline to “a billion [actual] hacks a quarter” in the quote.

A hack is, generally speaking, unauthorised access to a computer. According to Mr Cotton, we are currently suffering more than 333,000,000 of them every month (more than 10,000,000 every day). Clearly the government must pass more laws and we must spend more money with the security industry so that we don’t suffer another 10 million hacks tomorrow.

It is only at the very end of the announcement that we find the rider, “Stats do not necessarily indicate successful access, just unauthorised attempts.” On this basis, the quoted figure will include automated port scans. (I remember watching such scans click up on my PC at one every few seconds and being stopped by a very early version of ZoneAlarm – say, 5 per minute, or 300 per hour, or 7,200 per day, or around 216,000 per month, or around 648,000 per quarter – just for little me, and all stopped by my little free firewall.) Add to this every spam email that carries a link to an exploit kit – which can be described as a hacking attempt – and suddenly the one billion figure seems rather conservative, but not particularly frightening.

But this is what government, and those parts of the security industry close to government, do. It’s called FUD marketing: they get what they want by disseminating fear, uncertainty and doubt; and they do that with huge, poorly defined and rarely defended scary figures and statistics. If you think we’re being manipulated, it’s because we are.

Categories: All, Politics, Security Issues

Is Vupen black hat or white hat?

November 14, 2012

I was talking to GFI Software about the new patch management module added to their VIPRE Business product – but as so often happens in interesting conversations we got side-tracked. Since patches are often forced by researchers’ vulnerability disclosures, I asked GFI for its position on full vs responsible disclosure. This led to the difference between black hat and white hat researchers: basically, Jong (Jong Purisima, antivirus lab manager) told me, “black hat researchers sell their vulnerabilities for money, while white hat researchers report the vulnerability to help the user be more secure and gain the kudos for the discovery.”

Incidentally, as a vendor, GFI would like a couple of days’ prior warning before a white hat researcher goes public, but believes that a fortnight is more than reasonable – a refreshing attitude compared to the ‘don’t ever disclose’ hysteria promoted by some vendors.

Anyway, a black hat researcher sells his discoveries to make money. So where does that put Vupen? Vupen is a sort of zero-day broker. It buys or develops zero-day exploits and sells them to governments. We are told it doesn’t sell them to anyone else; but that is pretty difficult to prove or disprove. (Even there, given the US ‘Olympic Games’ project and the Stuxnet and Flame episodes, there seems little difference between governments and criminal gangs anyway.)

So that’s the question. Is Vupen black hat or white hat? Jong said, “technically, they’re black hat.” Mark (Mark Patton, general manager of the Security Business Unit) suggested, “Grey hat? Perhaps dark grey hat?” To me, Vupen is simply a black-as-night hat. Any takers?

Categories: All, Security Issues

Apple shows a lack of integrity

November 12, 2012

Back on 29 October, I commented that Apple obeys the letter but not the spirit of the law in fulfilling its court order to say that Samsung had not breached its design patent. I was wrong. In a new ruling announced on Friday, Judges Longmore, Kitchin and Jacob announced a damning verdict on Apple’s behaviour. Samsung had complained to the court that Apple’s compliance with the court order was lacking – and the court agreed. Apple had not even obeyed the letter, never mind the spirit, of the ruling.

Firstly, the court decided that Apple had not complied with the instruction to place adverts in newspapers and magazines (specifically, in the “Financial Times, the Daily Mail, The Guardian, Mobile Magazine and T3 Magazine” “within seven days of the date of this Order”).

The new ruling notes that “there was self-evident non-compliance with the newspaper/magazine aspect of the publicity order.”

But the court is more concerned with the page Apple published on its website (now long since altered to fit the original ruling). In his new ruling, Sir Robin Jacob takes the trouble to work through Apple’s ‘apology’ line by line. It’s worth reading the judgement in full, which you can do here. Firstly he objects to Apple adding new material within the statement ordered by the court. “I do not consider it was open to Apple to add matter in the middle of the notice we ordered to be published,” he ruled on Friday. “A notice with such matter is simply not the notice ordered.”

His most damning comments are, however, reserved for the final paragraph added by Apple. “Here what Apple added was false and misleading.” Of the first sentence he rules, “That is false…” Of the second sentence he rules, “That is misleading by omission.” Of the third sentence he concludes, “This is calculated to produce huge confusion.”

The court, to put it mildly, is not amused. The announcement of the court ruling had to be just the ruling, without embellishment. This Apple has now done: Samsung / Apple UK judgment. But in what can only be viewed as punishment for turning an adverse court ruling into a pro-Apple advert, the court also demanded that a new statement be added to Apple’s home page:

Given our finding that the Contested Notice did not comply with our order and did not achieve what was intended there was no dispute but that we should order it be removed. There was dispute as to what should go up in its place. Apple contended that no more was needed on its home page. We thought otherwise. The Contested Notice had had over a million hits. It was necessary that the fact it was misleading be brought home. Only a notice on Apple’s homepage could be sure to do that. We were of course conscious that a notice on the homepage was highly undesirable from Apple’s point of view, but its own actions had made it necessary. We also thought that a rather longer period was needed than the one month period of the original order. We ordered that the notice and link should stay up until 15th December. The notice on the homepage had to make it clear that the Contested Notice was inaccurate and did not comply with the first order.

Apple has now complied:

[Image: Apple’s new additional statement on its home page]

Adding salt to the wound, the court also awarded costs (for this particular round of the struggle) to Samsung on an indemnity basis. “Such a basis,” wrote Sir Robin Jacob, “(which is higher than the normal, ‘standard’ basis) can be awarded as a mark of the court’s disapproval of a party’s conduct, particularly in relation to its respect for an order of the court. Apple’s conduct warranted such an order.”

And finally, the last sentence of Sir Robin’s judgement says, “I hope that the lack of integrity involved in this incident is entirely atypical of Apple.” The damning nature of this judgement suggests that I may have got a second posting wrong: Yes, Microsoft is still more evil than Apple. I may need to revise my opinion now.

Categories: All

Pfizer loses its Canadian patent on Viagra

November 11, 2012

Pfizer is a US company with corporate headquarters in New York and research headquarters in Connecticut. It is not a Canadian company.

Pfizer’s US patent on Viagra was due to expire this year.

But when generic companies moved to enter the market, Pfizer piled on a ‘method-of-use’ patent over the same drug, set to expire in 2019. A federal judge upheld that patent after a bench trial last year, so Pfizer will be the only company allowed to sell [Viagra] in the US for at least seven more years, and prices will remain high.
Pfizer caught “gaming the system,” loses Viagra patent in Canada

One could call that ‘gaming the system’. The US courts did not.

In Canada, Israeli generic drug company Teva Pharmaceuticals challenged Pfizer’s Canadian patent. The Canadian court found that Pfizer’s patent did not include required information on the central compound, sildenafil citrate.

The disclosure failed to state in clear terms what the invention was. Pfizer gained a benefit from the Act — exclusive monopoly rights — while withholding disclosure in spite of its disclosure obligations under the Act. As a matter of policy and sound statutory interpretation, patentees cannot be allowed to “game” the system in this way. This, in my view, is the key issue in this appeal. It must be resolved against Pfizer.
Teva Canada Ltd. v. Pfizer Canada Inc.

“I would therefore allow the appeal with costs and hold that Patent 2,163,446 is void,” said the judge.

One is forced to ask if there is a pattern here. The US courts found in favour of Apple (US company) and fined Samsung (non-US company) $1 billion. The London courts found in favour of Samsung. The US courts allow Pfizer (US company) to game the system against non-US generic manufacturers; the Canadian courts do not allow Pfizer to game the system.

Categories: All, Politics

The problem with GCHQ’s Cyber Incident Response scheme

November 9, 2012

Earlier this week the UK’s primary electronic spy agency, GCHQ, announced the launch of its pilot Cyber Incident Response scheme. This worries me.

[Image: GCHQ – more of a crashed alien flying saucer really]

Firstly, I have doubts about a spy agency taking the lead on a criminal issue. Spies spy; that’s what GCHQ does, and it is good at it. If it wants to increase its cyber stance, all it can do is increase its spying capabilities. That means more spying on more of us – which is what the Communications Bill is all about: spying on all innocent UK citizens in the hope of catching a few criminals.

Surely criminal issues should be dealt with by some arm of the police? Perhaps focused on the Met’s Police Central eCrime Unit (PCEU)? But a comment from Ross Anderson of the Cambridge university computer lab puts government priorities into perspective. “In the UK,” he told me, “the extra £640m promised for cyber-security mostly went to GCHQ, and most of the rest to the MoD. Yet GCHQ admits that they can’t hire anybody useful. Only £5m a year went to the police, where it might actually do some good in terms of catching crooks.”

The next problem is that I just don’t get it. What is this scheme all about? “‘Cyber Incident Response’ services provide access to organizations certified by CESG/CPNI to respond effectively to cyber incidents,” explained Chloë Smith, the minister for cyber security. Does this mean that all of the companies not certified are not capable of responding ‘effectively to cyber incidents’? That is clearly rubbish. But other security companies cannot complain, because GCHQ controls one of the largest procurement budgets in the world, never mind the UK – so they will fear being excluded in the future.

[Image: BAE hardware]

There are four ‘certified’ companies so far. You can guarantee that GCHQ did not evaluate all of the available companies and conclude only these four are able ‘to respond effectively to cyber incidents’. Instead it invited applications for certification. So we come down to a few select companies large enough to afford the GCHQ certification process, and preferably with an existing relationship with spy agencies. What we get is government endorsing a few companies – and I am absolutely certain that government should not be endorsing its favourite vendors above the others. That just reeks of a cosy relationship that will promote corruption.

[Image: More BAE hardware]

Finally, who are these four companies? Well, for a start, only two are basically British: Detica and Context. Of the others, Mandiant is out-and-out American, and Cassidian is European. Detica belongs to the UK’s primary military hardware company, BAE. Cassidian is part of Europe’s primary military hardware company, EADS. Mandiant is already in bed with the US Secret Service (it is the company called in by the Secret Service to take over the forensic response to South Carolina’s Department of Revenue breach). I know less about Context, but it has offices in Cheltenham; enough said. Put bluntly, these four companies seem more likely to provide services to GCHQ than to companies suffering a security incident.

The UK’s Cyber Incident Response scheme isn’t just wrong; it is very, very wrong.

Categories: Politics, Security News