I was pretty damning of the ICO in my post outlining Alex Owens’ witness statement to the Leveson Inquiry (looking into the phone hacking scandal). You can read that here: Something rotten in the state of the Information Commissioner’s Office – will Leveson act?
Well, surprise, surprise. Richard Thomas doesn’t remember it.
The informal meeting to which Mr Owens refers took place in this instance because (understandably) the team wished to share the nature and scale of their success with me. I recall that meeting as the occasion when I was informed about the volume and nature of the materials – the “treasure trove” – which had been discovered. I recall congratulating Mr Owens and the team for a job well done. I do not, however, recall any course of action being formally or informally recommended by Mr Owens or anyone else, let alone being “bemused”. Specifically, I do not recall any proposal, on that or any other occasion, that any journalists – nor indeed any other customers of Steve Whittamore and his associates – should be investigated. I do not recall even any suggestion that any further investigations were under consideration. One of my central memories of that meeting is a recognition of the challenge presented for a very small team by the sheer bulk of the evidence, without any suggestion that even more should be obtained. I do not recall whether Francis Aldhouse was at that meeting, but I do not ever recall hearing the words attributed to him.
…I do not have any recollection or awareness whatsoever of preventing any Investigating Officer…
…Nor do I have any recollection of making any later “decision” or issuing any sort of instruction…
…Nor was I aware at any time of any grievance…
…Although I cannot recall any discussion…
Fourth Witness Statement of Richard Thomas CBE
That’s the defence. And now the attack:
Mr Owens has made a number of allegations about me and the ICO. It is therefore necessary for me to alert the Inquiry to the fact that there were a number of performance, disciplinary and grievance issues between Mr Owens and the ICO…
It’s all so predictable that any media relations person could have written it for him without ever needing to speak to him. The difference is that Owens states things happened, while Thomas doesn’t deny them, just can’t remember them.
When a security site is backed by several government departments (including the Home Office), by law enforcement (the Serious Organised Crime Agency) and the intelligence services (Centre for the Protection of the National Infrastructure, which holds hands with MI5 and CESG), then it should be taken seriously. So, when such a site (Get Safe Online) releases a grandiose report with a grandiose title (UK Internet Security: State of the Nation – The Get Safe Online Report, November 2011), we should expect something serious. This is, we are promised, the state of the nation.
But it is poor. It is trivial. Most secondary school magazines could do better simply by writing to the security industry and asking different companies to provide a brief comment on a particular security aspect. Because that’s all that this is – a series of separate contributed articles from some of the companies and agencies that sponsor Get Safe Online.
Coupled with the widespread use of advanced anti-spyware software provided by banks, as well as the excellent advice from Get Safe Online, HSBC believes our online customers are now safer than ever.
SOCA gives us this gem:
It would be good to think that we could arrest and prosecute every cyber criminal… [but] this will never happen. [So] an equally important activity is prevention and awareness.
Which just goes to show that law enforcement has forgotten its role: viz, we should prevent crime first, and arrest the remaining criminals. The modern version believes that we should arrest all the criminals we can, and then try to stop the ones we miss.
At VeriSign we’re constantly trying to educate people about online threats and raise awareness about the dangers of social engineering, which is the main trick used by cybercriminals.
Which is simultaneously horribly naive (all cybercriminality depends upon social engineering somewhere), and self-aggrandizing. Trend’s Rik Ferguson makes a serious attempt at saying something meaningful without blowing his company trumpet:
The volume of mobile malware has not yet reached the epidemic proportions of computer-based malware, but criminal interest is clearly there and growing. We are seeing multi-platform attacks distributed by the same criminal groups that traditionally have focused on conventional systems. Smartphone security, such as encryption and anti-malware, is available but not widely deployed. The need is already there for it to be commonplace.
But here’s the problem with a government-backed site taking sponsorship money from private companies. That company endorses the site – but there is a clear indication that the reverse is also true: the government sponsors that company. Since Trend Micro is the only anti-virus company mentioned in the State of the Nation report, it comes across that Trend Micro is the anti-virus company preferred and recommended by government. The same argument can apply to most of the other ‘contributors’.
So not only is this ‘state of the nation’ report both trivial and a possible contender for being prosecuted under the Trade Descriptions Act, it is also an insult to the 99% of the security industry that has declined to spend its money on buying dubious government advertising. You may have gathered that I am not merely unimpressed by this report, I am frankly appalled.
ENISA, the European Network and Information Security Agency, has produced a new report: Appstore security – 5 lines of defence against malware. Its purpose is to help the burgeoning app store market protect against infiltration from malapps (not a widely used word yet, but watch it grow): smartphone apps pretending to be apps but really just plain malware.
The five lines of defence range from the bleeding-obvious through good-idea-but-don’t-hold-your-breath to illustrations of the-conflict-between-security-and-liberty. They are:
- App review – bleeding obvious but not foolproof
- Reputation – not foolproof
- Kill switch – hang on a bit
- Sandboxed apps – bleeding obvious
- Jailing – hang on a bit more
App reviews should obviously be done. But they’re not foolproof and are time-consuming and costly. New app stores will minimise them in order to reduce their own costs and speed the population of the store. Even where they are performed, with or without the help of automated testing, there is no guarantee against false negatives.
Reputations can be manipulated. Cyber criminals have shown that they are willing to play the long game. With enough time and resources it would be easy enough to release a few genuine and good apps before slipping in, backed by a good reputation, the bad one.
Kill switch. I don’t want one. And they don’t necessarily work. If I buy something, it is mine (I’m sick of the industry selling me something and then revealing later or in the small print that I only rented it). If I buy it, it’s mine. Therefore only I should be able to remove it. Not the software developer, not the app store, not the device manufacturer, not law enforcement and not the government. And anyway, they don’t work. DroidDream foiled the Android kill switch by simply operating outside of the sandbox. Here’s a good security principle: if something can be set up by software, it can be taken down by software. And another thing:
in a military setting, apps may be mission-critical and the app revocation mechanism may need to be turned off.
I’m not sure that I like being told that only the military has mission critical apps. My apps are critical to me.
Sandboxing. Now that is a good idea. It probably has more to do with the OS developer than the app store provider, but it’s still a good idea. It may not work, or be possible, in all cases; but it’s still a good idea.
Jailing. Again, this has more to do with the OS developer and the hardware manufacturer than the app store itself. And again, if something is mine, I don’t want a third party telling me what I can do with it. It may be good security but it infringes my rights as a human being.
You may think I’m being overly critical and a bit frivolous, but I’m not. This report will make not one iota of difference to the app market. I wish ENISA and all the myriad other European agencies would spend the time and money we spend on them on something more worthwhile. Especially when the solution to malapps is easy: make the app stores liable. Make them liable for any losses incurred through malapps bought or downloaded from them. And where there is no measurable loss, simply fine the pants off them. That will stop malapps from app stores in their tracks.
As if we didn’t already know it, where security is concerned, the user is the flaw. Guido has published the perfect example:
Everyone has to carry around not only their government communications network issued Blackberry phone, but a Blackberry Smart Card Reader too, with another SIM card in it. If the two are separated by more than ten metres or so the Blackberry stops working. So if a pickpocket stole the Blackberry, it would stop working. Carrying two units is a little cumbersome and inconvenient. Unfortunately from a security point of view, the wonks and spinners have taken to just sello-taping the two of them back to back…
Downing Street’s iSpAd Blackberry Security Flaw
That’s our problem, folks.
Two separate bits of news that caught my eye are Google’s purchase of PittPatt (a face recognition company as reported by the WSJ), and Entrust’s release of a digital certificate system for smartphones.
Google has acquired a seven-year-old company that develops facial-recognition technology for images and video, though the Web-search giant didn’t say what it plans to do with it.
Google Acquires Facial Recognition Technology Company
What will it do with it? Is it going to add it to Google+ in the same way Facebook introduced face recognition last year? Or will it be built into Android? (Could be both, of course, just like it could equally hive off into a new profit centre offering facial biometrics and recognition to law enforcement and border agencies…).
Moving on, Entrust yesterday announced and claimed that ‘Entrust IdentityGuard strengthens mobile security with device authentication, network access (VPN), SMIME and application security — all with self-service capabilities’.
You have to look at the detail here. This is a self-service digital certificate for smartphones: “Authorised employees, staff or contractors simply log in to the Entrust IdentityGuard Self Service Module to enroll their mobile device — compatible platforms include the Apple iPhone, Apple iPad, Android, BlackBerry, BlackBerry PlayBook and more — and are issued a digital certificate.”
The problem is that a digital certificate authenticates the identity of the device, not the person using it. I asked Bill Connor, President and CEO of Entrust, to elaborate on the security of the digital certificates themselves.
The Entrust IdentityGuard Self-Service Module offers end users a simple and consistent way to enrol for and install certificates and keys for network access and secure email on their mobile devices. The certificates and keys are stored within the devices’ native certificate stores and can therefore be leveraged by native device applications such as VPN clients and email clients. Private keys are thus protected according to the mechanisms employed by the mobile device OS.
But what if the device is lost, stolen or cloned? Could it be used as an authenticated device by an unauthenticated user?
As the private keys are stored natively by the mobile device, they are protected against device cloning and theft according to the mechanisms employed by the mobile device vendor, including device PIN protection, password protection and hardware-derived keys for the certificate store. Certificates issued to mobile devices may be easily and immediately revoked by both administrators, through IdentityGuard WebAdmin, and users, via the IdentityGuard Self-Service Module, if/when users become aware of device theft or compromise.
Notice those two key phrases: ‘according to the mechanisms employed by the mobile device OS’ and ‘according to the mechanisms employed by the mobile device vendor’.
So what we have here is an excellent product from Entrust that will authenticate the device and is perfect for business use; but is reliant on other systems for authenticating the user to the device. But the only way you can really authenticate the user is with biometrics – so we’re back to PittPatt.
It is coincidence rather than conspiracy that I learnt of these two developments on the same day – but what a coincidence. Put the two together: facial recognition built into the operating system for user authentication and Entrust’s easy-to-use and established certificate system for device authentication and the result would be genuine security for mobile devices.
Two developments to watch, I think!
We in the self-righteous and self-congratulatory West tend to think little of personal freedom and privacy rights in the Far East (with obvious exceptions here and there, of course). So it comes as a bit of a shock that a lawyer in South Korea has successfully sued Apple for breaching privacy on his iPhone.
Apple Korea said it had paid one million won ($950) to iPhone user Kim Hyung-Suk, complying with a compensation order from a court in the southern city of Changwon.
Kim, a 36-year old lawyer, filed suit against Apple on April 26. He said the smartphone’s location recording infringed on his constitutional rights to privacy and freedom and caused psychological stress.
Apple makes first S. Korea payout over tracking
It’s going to be worth watching this to see whether the issue quietly goes away or balloons. If Kim Hyung-Suk’s privacy was illegally violated, did the same happen to every other South Korean iPhone user? And what about us here in Europe, with our much-vaunted privacy protections?
Mobile phone usage depends on the user telling the supplier where he is so that the conversation/data can be routed via the nearest mast. So some invasion of privacy is a requirement. And we know from German Green politician Malte Spitz’s FOI demand, that can be a staggering amount:
Cellphone companies do not typically divulge how much information they collect, so Mr. Spitz went to court to find out exactly what his cellphone company, Deutsche Telekom, knew about his whereabouts. The results were astounding. In a six-month period — from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times.
Slashdot: German Politician Demonstrates Extent of Cellphone Location Tracking (T-Mobile Realizes Hitler’s Wet Dream)
But is this collection implicit (or even explicit in the small print) of any agreement with the service provider, and how long can they keep it? I don’t know. It would take the courts and our EC masters to proclaim on this. But it’s certainly something that needs to be sorted. Although Apple may not be the service provider in this case, it and other phone vendors must surely be reined back in what data they collect from us. Alternatively, let’s hope that every iPhone user in the world manages to get $1000 from them. That would make them sit up and think.
Commenting on an article in Computerworld, Phil Lieberman, President and CEO of Lieberman Software, agrees that Android’s upcoming m-wallet (mobile phone wallet) is ‘a disaster waiting to happen’. The original article by Ira Winkler comments:
A smartphone’s operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment.
Mobile payment systems: A disaster waiting to happen
Phil adds to this:
Ira’s comments are bang on the money. Whilst it’s great to hear that m-wallet solutions will be Visa PayWave or MasterCard PayPass-compatible – meaning that the wireless data transmissions are encrypted – the problem comes if the smartphone itself is less than secure.
But are the doom-mongers correct? Well, yes they are – but any use of any computer for any purpose is a disaster waiting to happen. Since m-wallets will happen (they’re cool and useful, the two primary drivers for any commodity), the real question is whether the m-wallet is significantly less secure than any other method of payment. And I’m not at all sure this is true. Like everything else in security, it is user-behaviour that makes something more or less secure.
Phil comments that
…with large numbers of Apple iPhone users jailbreaking their handsets to escape network locks, it looks like that most flavours of smartphones will be susceptible to security faux pas for some time to come.
That’s what I mean about user behaviour. Using a jailbroken iPhone as an m-wallet is like walking through a crowded mall with an open bag and a visible purse/wallet: it is the user rather than the wallet that is at fault. So what are the alternatives to the m-wallet, especially since cheques are being phased out by the banks (and we can expect them to do the same with cash over the next couple of decades)?
For now we have cash in a purse. Well, that’s less secure than a smartphone. Most people realise that they have lost their phone within minutes, and can switch it off remotely in an instant. The cash in the m-wallet cannot be used.
Bank cards? Well, they’re hardly secure are they? They can be stolen/lost and cloned. Cambridge University has demonstrated a device able to trick the system into accepting any PIN number on any valid card. And contactless cards really are a disaster waiting to happen.
Mobile banking on a laptop? Just as easily lost or stolen; and just as easily hacked. Zeus/SpyEye anyone?
Personally I can see our entire lives migrating to smartphones. Our front door key, car key, kicking the house into action before we get home, e-government and proof of identity. Trying to stop this happening will be like standing in front of a bulldozer. The requirement is not to prevent it, but for the security industry to improve security, and for users to improve behaviour.
Which will leave me with a problem: I don’t have a smartphone; and won’t have one until they invent one that won’t fry my brains – or worse if it’s in my pocket.
Just to prove the point of my previous post suggesting that government “keeps us in constant fear of terrorists, pedophiles, drug runners, gun runners…” is a report in the New American. In an article discussing the alleged practice of the Michigan State Police to illegally extract personal data from mobile phones during ‘routine stops’, it mentions Senator Ron Wyden’s draft Geolocational Privacy and Surveillance Act. This act would require the police to obtain search warrants before using GPS geolocation data to track Americans.
Not surprisingly, the Obama Justice Department has argued in court that warrantless tracking should be permitted because Americans have no “reasonable expectation of privacy” in the cell phones they carry or the data stored therein or transmitted wirelessly thereby.
Law enforcement agents testified that requiring a search warrant before tracking criminals “will have a significant slowing effect on the processing of child exploitation leads.”
Michigan State Police Reportedly Extracting Personal Info From Cellphones
Oh, look, what a surprise! Pedophiles are being used to scare us into accepting the loss of liberty.