I was pretty damning of the ICO in my post outlining Alex Owens’ witness statement to the Leveson Inquiry (looking into the phone hacking scandal). You can read that here: Something rotten in the state of the Information Commissioner’s Office – will Leveson act?
Well, surprise, surprise. Richard Thomas doesn’t remember it.
> The informal meeting to which Mr Owens refers took place in this instance because (understandably) the team wished to share the nature and scale of their success with me. I recall that meeting as the occasion when I was informed about the volume and nature of the materials – the “treasure trove” – which had been discovered. I recall congratulating Mr Owens and the team for a job well done. I do not, however, recall any course of action being formally or informally recommended by Mr Owens or anyone else, let alone being “bemused”. Specifically, I do not recall any proposal, on that or any other occasion, that any journalists – nor indeed any other customers of Steve Whittamore and his associates – should be investigated. I do not recall even any suggestion that any further investigations were under consideration. One of my central memories of that meeting is a recognition of the challenge presented for a very small team by the sheer bulk of the evidence, without any suggestion that even more should be obtained. I do not recall whether Francis Aldhouse was at that meeting, but I do not ever recall hearing the words attributed to him.
>
> …I do not have any recollection or awareness whatsoever of preventing any Investigating Officer…
>
> …Nor do I have any recollection of making any later “decision” or issuing any sort of instruction…
>
> …Nor was I aware at any time of any grievance…
>
> …Although I cannot recall any discussion…

Fourth Witness Statement of Richard Thomas CBE
That’s the defence. And now the attack:
> Mr Owens has made a number of allegations about me and the ICO. It is therefore necessary for me to alert the Inquiry to the fact that there were a number of performance, disciplinary and grievance issues between Mr Owens and the ICO…
It’s all so predictable that any media relations person could have written it for him without ever needing to speak to him. The difference is that Owens states things happened, while Thomas doesn’t deny them, just can’t remember them.
When a security site is backed by several government departments (including the Home Office), by law enforcement (the Serious Organised Crime Agency) and by the intelligence services (the Centre for the Protection of the National Infrastructure, which holds hands with MI5 and CESG), then it should be taken seriously. So, when such a site (Get Safe Online) releases a grandiose report with a grandiose title (UK Internet Security: State of the Nation – The Get Safe Online Report, November 2011), we should expect something serious. This is, we are promised, the state of the nation.
But it is poor. It is trivial. Most secondary school magazines could do better simply by writing to the security industry and asking different companies to provide a brief comment on a particular security aspect. Because that’s all that this is – a series of separate contributed articles from some of the companies and agencies that sponsor Get Safe Online.
> Coupled with the widespread use of advanced anti-spyware software provided by banks, as well as the excellent advice from Get Safe Online, HSBC believes our online customers are now safer than ever.
SOCA gives us this gem:
> It would be good to think that we could arrest and prosecute every cyber criminal… [but] this will never happen. [So] an equally important activity is prevention and awareness.
Which just goes to show that law enforcement has forgotten its role: viz, we should prevent crime first, and arrest the remaining criminals. The modern version believes that we should arrest all the criminals we can, and then try to stop the ones we miss.
> At VeriSign we’re constantly trying to educate people about online threats and raise awareness about the dangers of social engineering, which is the main trick used by cybercriminals.
Which is simultaneously horribly naive (all cybercriminality depends upon social engineering somewhere), and self-aggrandizing. Trend’s Rik Ferguson makes a serious attempt at saying something meaningful without blowing his company trumpet:
> The volume of mobile malware has not yet reached the epidemic proportions of computer-based malware, but criminal interest is clearly there and growing. We are seeing multi-platform attacks distributed by the same criminal groups that traditionally have focused on conventional systems. Smartphone security, such as encryption and anti-malware, is available but not widely deployed. The need is already there for it to be commonplace.
But here’s the problem with a government-backed site taking sponsorship money from private companies. That company endorses the site – but there is a clear indication that the reverse is also true: the government sponsors that company. Since Trend Micro is the only anti-virus company mentioned in the State of the Nation report, it comes across that Trend Micro is the anti-virus company preferred and recommended by government. The same argument can apply to most of the other ‘contributors’.
So not only is this ‘state of the nation’ report both trivial and a possible contender for being prosecuted under the Trades Description Act, it is also an insult to the 99% of the security industry that has declined to spend its money on buying dubious government advertising. You may have gathered that I am not merely unimpressed by this report, I am frankly appalled.
ENISA, the European Network and Information Security Agency, has produced a new report: Appstore security – 5 lines of defence against malware. Its purpose is to help the burgeoning app store market protect against infiltration by malapps (not a widely used word yet, but watch it grow): smartphone apps pretending to be genuine apps but really just plain malware.
The five lines of defence range from the bleeding-obvious through good-idea-but-don’t-hold-your-breath to illustrations of the-conflict-between-security-and-liberty. They are:

- App review – bleeding obvious but not foolproof
- Reputation – not foolproof
- Kill switch – hang on a bit
- Sandboxed apps – bleeding obvious
- Jailing – hang on a bit more
App reviews should obviously be done. But they’re not foolproof and are time-consuming and costly. New app stores will minimise them in order to reduce their own costs and speed the population of the store. Even where they are performed, with or without the help of automated testing, there is no guarantee against false negatives.
Reputations can be manipulated. Cyber criminals have shown that they are willing to play the long game. With enough time and resources it would be easy enough to release a few genuine and good apps before slipping in, backed by a good reputation, the bad one.
Kill switch. I don’t want one. And they don’t necessarily work. If I buy something, it is mine (I’m sick of the industry selling me something and then revealing later or in the small print that I only rented it). If I buy it, it’s mine. Therefore only I should be able to remove it. Not the software developer, not the app store, not the device manufacturer, not law enforcement and not the government. And anyway, they don’t work. DroidDream foiled the Android kill switch by simply operating outside of the sandbox. Here’s a good security principle: if something can be set up by software, it can be taken down by software. And another thing:
> in a military setting, apps may be mission-critical and the app revocation mechanism may need to be turned off.
I’m not sure that I like being told that only the military has mission critical apps. My apps are critical to me.
Sandboxing. Now that is a good idea. It probably has more to do with the OS developer than the app store provider, but it’s still a good idea. It may not work nor be possible in all cases; but it’s still a good idea.
Jailing. Again, this has more to do with the OS developer and the hardware manufacturer than the app store itself. And again, if something is mine, I don’t want a third party telling me what I can do with it. It may be good security but it infringes my rights as a human being.
You may think I’m being overly critical and a bit frivolous, but I’m not. This report will make not one iota of difference to the app market. I wish ENISA and all the myriad other European agencies would spend the time and money we spend on them on something more worthwhile. Especially when the solution to malapps is easy: make the app stores liable. Make them liable for any losses incurred through malapps bought or downloaded from them. And where there is no measurable loss, simply fine the pants off them. That will stop malapps from app stores in their tracks.
As if we didn’t already know it, where security is concerned, the user is the flaw. Guido has published the perfect example:
> Everyone has to carry around not only their government communications network issued Blackberry phone, but a Blackberry Smart Card Reader too, with another SIM card in it. If the two are separated by more than ten metres or so the Blackberry stops working. So if a pickpocket stole the Blackberry, it would stop working. Carrying two units is a little cumbersome and inconvenient. Unfortunately from a security point of view, the wonks and spinners have taken to just sello-taping the two of them back to back…

Downing Street’s iSpAd Blackberry Security Flaw
That’s our problem, folks.
Two separate bits of news that caught my eye are Google’s purchase of PittPatt (a face recognition company as reported by the WSJ), and Entrust’s release of a digital certificate system for smartphones.
> Google has acquired a seven-year-old company that develops facial-recognition technology for images and video, though the Web-search giant didn’t say what it plans to do with it.

Google Acquires Facial Recognition Technology Company
What will it do with it? Is it going to add it to Google+ in the same way Facebook introduced face recognition last year? Or will it be built into Android? (Could be both, of course, just like it could equally hive off into a new profit centre offering facial biometrics and recognition to law enforcement and border agencies…).
Moving on, Entrust yesterday announced and claimed that ‘Entrust IdentityGuard strengthens mobile security with device authentication, network access (VPN), SMIME and application security — all with self-service capabilities’.
You have to look at the detail here. This is a self-service digital certificate for smartphones: “Authorised employees, staff or contractors simply log in to the Entrust IdentityGuard Self Service Module to enroll their mobile device — compatible platforms include the Apple iPhone, Apple iPad, Android, BlackBerry, BlackBerry PlayBook and more — and are issued a digital certificate.”
The problem is that a digital certificate authenticates the identity of the device, not the person using it. I asked Bill Connor, President and CEO of Entrust, to elaborate on the security of the digital certificates themselves.
> The Entrust IdentityGuard Self-Service Module offers end users a simple and consistent way to enrol for and install certificates and keys for network access and secure email on their mobile devices. The certificates and keys are stored within the devices’ native certificate stores and can therefore be leveraged by native device applications such as VPN clients and email clients. Private keys are thus protected according to the mechanisms employed by the mobile device OS.
But what if the device is lost, stolen or cloned? Could it be used as an authenticated device by an unauthenticated user?
> As the private keys are stored natively by the mobile device, they are protected against device cloning and theft according to the mechanisms employed by the mobile device vendor, including device PIN protection, password protection and hardware-derived keys for the certificate store. Certificates issued to mobile devices may be easily and immediately revoked by both administrators, through IdentityGuard WebAdmin, and users, via the IdentityGuard Self-Service Module, if/when users become aware of device theft or compromise.
Notice those two key phrases: ‘according to the mechanisms employed by the mobile device OS’ and ‘according to the mechanisms employed by the mobile device vendor’.
So what we have here is an excellent product from Entrust that will authenticate the device and is perfect for business use; but is reliant on other systems for authenticating the user to the device. But the only way you can really authenticate the user is with biometrics – so we’re back to PittPatt.
It is coincidence rather than conspiracy that I learnt of these two developments on the same day – but what a coincidence. Put the two together: facial recognition built into the operating system for user authentication, and Entrust’s easy-to-use and established certificate system for device authentication, and the result would be genuine security for mobile devices.
Two developments to watch, I think!