PRWeb issued a press release stating that Google had taken over ICOA. TechCrunch ran a story on it. ICOA’s share price went through the roof on it. But it was all false and both were wrong about it.
We all make mistakes. Years ago when I was running ITsecurity.com I ran a news story on 1 April – I’d lost track of the date and fell for a cleverly phrased hoax. It happens. It’s what you do next that matters.
PRWeb issued a statement:
PRWeb transmitted a press release for ICOA that we have since learned was fraudulent. The release was not issued or authorized by ICOA. Vocus reviews all press releases and follows an internal process designed to maintain the integrity of the releases we send out every day. Even with reasonable safeguards identity theft occurs, on occasion, across all of the major wire services. We have removed the fraudulent release and turned the matter over to the proper authorities for further investigation.
That little word ‘sorry’ is soooooo hard to say. Instead, PRWeb removed the evidence, blamed the criminal, and spread the problem ‘across all of the major wire services’: it wasn’t really their fault. Bad show.
TechCrunch, however, left its original story intact, with an update saying:
We were wrong on this post, for not following up with Google and the other company involved but posting rather than… waiting on a solid confirmation beforehand from either source. We apologize to our readers, to the companies involved, and we’ll be sure to act in a more responsible manner for future stories…
but couldn’t quite resist adding a short stab at PRWeb:
rather than trusting the word of a website that doesn’t necessarily hold itself up to any journalistic standards.
Good show – well, 99% good show diminished only slightly by the quick stab at PRWeb.
So, all in all, kudos to TechCrunch for owning up to the mistake, apologising, and not trying to hide it. Shame on PRWeb for trying to avoid its responsibility – and especially for removing the offending fraudulent release. It happened. No true journalist would try to change history.
Which just leaves one small point. Who did it and why? Was it a simple hoax or an elaborate share fraud? I guess the financial authorities will be pouring over the details of who sold shares in ICOA when the price was high…
ZDNet has a brief story about GCHQ, which only goes to show how little GCHQ understands about business and security. The UK’s primary electronic spy agency is partnering with Southampton University to develop better biometric security. “GCHQ,” says the report, “will be working closely with the University of Southampton‘s new research hub on issues facing UK security, such as human identification and data privacy in a bid to help protect the country from cyberattacks.”
That’s good. Biometric access control at the door will stop people getting into secure facilities; biometric access at the keyboard will stop bad actors accessing the networks. So what are they working on? Fingerprints? Iris? Facial or vocal recognition? Hand scans? Finger vein prints? Any of those might work.
No. According to the report, “The new thing we’re looking at is soft biometrics,” said Professor Mark Nixon, an academic at the university, working in the new cybersecurity centre. “You can describe someone as tall, thin, or fat and then use that information to retrieve people from a video.”
“The two main themes we are looking at are data privacy and identity management,” added Professor Vladimiro Sassone.
This is where I think I need to explain some basic security facts to GCHQ: statement two is simply non sequitur to statement one. Unless you are videoing everybody in the country at all times (to catch the mobile cyberterrorist on his tablet in the street) and also have a video record of everybody in the country along with details of who they are to compare him/her with, then this is not going to work.
Unless… you don’t think… oh shit.
In late October the South Carolina Department of Revenue disclosed that it had been hacked, and 3.6 million social security numbers together with 387,000 bank card details (many unencrypted) were stolen. (My report on Infosecurity Magazine is here.) A law enforcement agency, thought to be the Secret Service, notified the Department and recommended that Mandiant be brought in to clear things up.
Mandiant has now published a Public Incident Response Report, including a step-by-step history of the hack itself. The whole report (it’s really quite short) is worth reading; but the history of the hack should be required reading for all students of security:
- August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.
- August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials. The credentials used belonged to one of the users who had received and opened the malicious email on August 13, 2012. The attacker used the Citrix portal to log into the user’s workstation and then leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials.
- August 29, 2012: The attacker executed utilities designed to obtain user account passwords on six servers.
- September 1, 2012: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed malicious software (“backdoor”) on one server.
- September 2, 2012: The attacker interacted with twenty one servers using a compromised account and performed reconnaissance activities. The attacker also authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
- September 3, 2012: The attacker interacted with eight servers using a compromised account and performed reconnaissance activities. The attacker again authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
- September 4, 2012: The attacker interacted with six systems using a compromised account and performed reconnaissance activities.
- September 5 – 10, 2012: No evidence of attacker activity was identified.
- September 11, 2012: The attacker interacted with three systems using a compromised account and performed reconnaissance activities.
- September 12, 2012: The attacker copied database backup files to a staging directory.
- September 13 and 14, 2012: The attacker compressed the database backup files into fourteen (of the fifteen total) encrypted 7-zip archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.
- September 15, 2012: The attacker interacted with ten systems using a compromised account and performed reconnaissance activities.
- September 16, 2012 – October 16, 2012: No evidence of attacker activity was identified.
- October 17, 2012: The attacker checked connectivity to a server using the backdoor previously installed on September 1, 2012. No evidence of additional activity was discovered.
- October 19 and 20, 2012: The Department of Revenue executed remediation activities based on short term recommendations provided by Mandiant. The intent of the remediation activities was to remove the attacker’s access to the environment and detect a recompromise.
- October 21, 2012 – Present: No evidence of related malicious activity post-remediation has been discovered.
If fully applied, the ruling could effectively shut down deployments of Google Apps by European governments, schools and enterprises, at least until Google makes the changes the EU regulators are seeking.
This raises a number of other questions – for example, is the European Commission’s love affair with the cloud heading for an impasse with its own regulators? Back in September the EC issued a ‘communication’, Unleashing the Potential of Cloud Computing in Europe. It concluded with a call
upon Member States to embrace the potential of cloud computing. Member States should develop public sector cloud use based on common approaches that raise performance and trust, while driving down costs. Active participation in the European Cloud Partnership and deployment of its results will be crucial.
Last week, ENISA published an excellent overview of the Privacy considerations of online behavioural tracking, which I thoroughly recommend. It tries to draw a distinction between behavioural tracking and behavioural advertising; but the reality is that this is probably a technical rather than practical separation. This is likely to become the crux of Europe’s problem: it wants to maximise the cloud, accepts that it must allow commercialisation, but politically needs to ensure privacy – and the two things might simply be incompatible. As Peter Hustinx, the European Data Protection Supervisor said in his Opinion on Friday,
the use of cloud computing services cannot justify a lowering of data protection standards as compared to those applicable to conventional data processing operations.
In other words, as of right now, the EC’s desire to unleash the potential of cloud computing is incompatible with the need to maintain existing data protection standards. But we needn’t worry too much: it will all, as King John might have said, come out in the wash. Big business will give a little, the regulators will give a little, and the EC will twist and squirm a lot – and we’ll all be able to use the cloud happily.
The question is, will it be with Google? That’s the second issue coming from the Article 29 working party: has Europe got it in for Google? In October, Ars Technica commented:
The French seem to have an appetite for regulating the Internet, and for going after Google in particular. A new proposed law would force Google to make payments when French media show up in news searches; but Google has responded, in a letter to French ministers, that it “cannot accept” such a solution and would simply remove French media sites from its searches.
Two weeks later, Le Canard Enchaîné reported that France had made a €1 billion tax claim against Google and was using this as a bargaining chip in the newspaper content dispute. France, of course, with its current socialist government, likes to tax everything that moves – but as one of the key movers and shakers within the EU, you have to wonder if it is merely spearheading a wider European antipathy; and if so, where does this come from?
Well, again back in October, Henrik Alexandersson [a ‘Swedish libertarian, working for the Pirate Party in the European Parliament’] attended a luncheon seminar organized by ICOMP, the Initiative for a Competitive Online Marketplace (funded, it would seem, by Microsoft).
However, already when we received the seminar documents at the entrance – we realized that this really was something else: A Microsoft-funded Google Bashing lunch.
Google Bashing is a very popular sport in the EU, these days.
Alexandersson was so annoyed by the initial talk by “one of Microsoft’s lawyers, Pamela Jones Harbour… speaking about everything that Google does wrong,” that he and his party got up and left. But privacy, he says,
is not what Google Bashing in Brussels is about. Here it is rather a question of a number of Google’s competitors trying to whip up political criticism, for business reasons. They simply don’t like that Google more or less own the search market.
So here’s a thought. Is that anti-Google sentiment in Europe ‘political exploited by business’, or ‘business exploited by politics’? It’s a moot point. Either way, Google should be in no doubt that it has powerful adversaries in Europe.
One of the things that worries me is the steady stream of inflated or unprovable statistics showing how dire the cyber threat has become. I am not alone in this concern. Ross Anderson and his team at the Cambridge University Computer Lab famously objected to statistics prepared by Detica for the Cabinet Office. On being invited by the Ministry of Defence to come up with their own defensible statistics, they produced a report showing that, statistically, government would achieve much better security by catching the crooks than by applying increasingly more expensive and sophisticated security systems.
But government doesn’t want to do that. As far as government is concerned, security is achieved by control. Having control of the internet and control over the internet’s users will provide the security they want (and the megalomaniac satisfaction they crave).
It is made worse by a huge security industry that can only survive if we buy its products. And the more afraid we are, the more money we will spend and the richer they will get.
So the poor bloody user is caught in an inescapable pincer: both the government and industry want us to be afraid – and horrific statistics and hyped up warnings created by industry and spread by government will do just that.
Here’s an announcement that came out the other day from NCC. Headline: “Hacking attempts to exceed one billion in the final quarter of 2012”. That’s pretty scary.
Rob Cotton, CEO of NCC Group, comments later in the announcement,
We’ve had copious initiatives and plans announced in the last quarter from bodies and governments aimed at addressing this issue, but the urgency just doesn’t seem to correlate with the growing threat… but these initiatives alone are not going to solve the problem. Public and private sector must work together, strategically and tactically, if we are going to be able to realistically defend against a billion hacks a quarter.”
Notice two things: government initiatives (including, I assume, the Communications Bill and GCHQ’s Incident Response Scheme and the Digital Economy Act and RIPA and Baroness Howe’s internet censorship – and that’s just in the UK) are not yet enough to tackle the hacking that has suddenly morphed from ‘attempts’ to “a billion [actual] hacks a quarter”.
A hack is generally speaking the unauthorised access of a computer. According to Mr Cotton, we are currently suffering from more than 333,000,000 every month (or more than 10,000,000 every day). Clearly the government must pass more laws and we must spend more money with the security industry so that we don’t suffer another 10 million hacks tomorrow.
It is only at the very end of the announcement we find the rider, “Stats do not necessarily indicate successful access, just unauthorised attempts.” On this basis, the quoted figure will include automated port scans. (I remember watching such scans click up on my PC at one every few seconds and being stopped by a very early version of ZoneAlarm – say, 5 per minute or 300 per hour or 7200 per day or around or 216,000 per month or around 648,000 per quarter – just for little me and all stopped by my little free firewall.) Add to this every spam email that carries a link to an exploit kit – which can be described as a hacking attempt – and suddenly the one billion figure seems rather conservative but not particularly frightening.
But this is what government and those parts of the security industry close to government do. Its called FUD marketing – they get what they want by disseminating fear, uncertainty and doubt; and they do that by huge, poorly defined and not often defended, scary figures and statistics. If you think we’re being manipulated, it’s because we are.
I was talking to GFI Software about the new patch management module added to their VIPRE Business product – but as so often happens in interesting conversations we got side-tracked. Since patches are often forced by researchers’ vulnerability disclosures, I asked GFI for its position on full vs responsible disclosure. This led to the difference between black hat and white hat researchers: basically, Jong (Jong Purisima, antivirus lab manager) told me, “black hat researchers sell their vulnerabilities for money, while white hat researchers report the vulnerability to help the user be more secure and gain the kudos for the discovery.”
Incidentally, as a vendor, GFI would like a couple of days prior warning before a white hat researcher goes public, but believes that a fortnight is more than reasonable – a refreshing attitude compared to the ‘don’t ever disclose’ hysteria promoted by some vendors.
Anyway, a black hat researcher sells his discoveries to make money. So where does that put Vupen? Vupen is a sort of zero-day broker. It buys or develops zero-day exploits and sells them to governments. We are told it doesn’t sell them to anyone else; but that is pretty difficult to prove or disprove. (Even there, given the US Olympic Games project, and the Stuxnet and Flame episodes, there seems little difference between governments and criminal gangs anyway.)
So that’s the question. Is Vupen black hat or white hat? John said, “technically, they’re black hat.” Mark (Mark Patton, general manager of the Security Business Unit) suggested, “Grey hat? Perhaps dark grey hat?” To me, Vupen is simply a black-as-night hat. Any takers?