[SecurityRatty] tag: oliver

The Future of Ephemeral Conversation

Mon, 24 Nov 2008 11:06:41 +0000

When he becomes president, Barack Obama will have to give up his BlackBerry. Aides are concerned that his unofficial conversations would become part of the presidential record, subject to subpoena and eventually made public as part of the country's historical record.

This reality of the information age might be particularly stark for the president, but it's no less true for all of us. Conversation used to be ephemeral. Whether face-to-face or by phone, we could be reasonably sure that what we said disappeared as soon as we said it. Organized crime bosses worried about phone taps and room bugs, but that was the exception. Privacy was just assumed.

This has changed. We chat in e-mail, over SMS and IM, and on social networking websites like Facebook, MySpace, and LiveJournal. We blog and we Twitter. These conversations -- with friends, lovers, colleagues, members of our cabinet -- are not ephemeral; they leave their own electronic trails.

We know this intellectually, but we haven't truly internalized it. We type on, engrossed in conversation, forgetting we're being recorded and those recordings might come back to haunt us later.

Oliver North learned this, way back in 1987, when messages he thought he had deleted were saved by the White House PROFS system, and then subpoenaed in the Iran-Contra affair. Bill Gates learned this in 1998 when his conversational e-mails were provided to opposing counsel as part of the antitrust litigation discovery process. Mark Foley learned this in 2006 when his instant messages were saved and made public by the underage men he talked to. Paris Hilton learned this in 2005 when her cell phone account was hacked, and Sarah Palin learned it earlier this year when her Yahoo e-mail account was hacked. Someone in George W. Bush's administration learned this, and millions of e-mails went mysteriously and conveniently missing.

Ephemeral conversation is dying.

Cardinal Richelieu famously said, :If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." When all our ephemeral conversations can be saved for later examination, different rules have to apply. Conversation is not the same thing as correspondence. Words uttered in haste over morning coffee, whether spoken in a coffee shop or thumbed on a Blackberry, are not official pronouncements. Discussions in a meeting, whether held in a boardroom or a chat room, are not the same as answers at a press conference. And privacy isn't just about having something to hide; it has enormous value to democracy, liberty, and our basic humanity.

We can't turn back technology; electronic communications are here to stay and even our voice conversations are threatened. But as technology makes our conversations less ephemeral, we need laws to step in and safeguard ephemeral conversation. We need a comprehensive data privacy law, protecting our data and communications regardless of where it is stored or how it is processed. We need laws forcing companies to keep it private and delete it as soon as it is no longer needed. Laws requiring ISPs to store e-mails and other personal communications are exactly what we don't need.

Rules pertaining to government need to be different, because of the power differential. Subjecting the president's communications to eventual public review increases liberty because it reduces the government's power with respect to the people. Subjecting our communications to government review decreases liberty because it reduces our power with respect to the government. The president, as well as other members of government, need some ability to converse ephemerally -- just as they're allowed to have unrecorded meetings and phone calls -- but more of their actions need to be subject to public scrutiny.

But laws can only go so far. Law or no law, when something is made public it's too late. And many of us like having complete records of all our e-mail at our fingertips; it's like our offline brains.

In the end, this is cultural.

The Internet is the greatest generation gap since rock and roll. We're now witnessing one aspect of that generation gap: the younger generation chats digitally, and the older generation treats those chats as written correspondence. Until our CEOs blog, our Congressmen Twitter, and our world leaders send each other LOLcats – until we have a Presidential election where both candidates have a complete history on social networking sites from before they were teenagers– we aren't fully an information age society.

When everyone leaves a public digital trail of their personal thoughts since birth, no one will think twice about it being there. Obama might be on the younger side of the generation gap, but the rules he's operating under were written by the older side. It will take another generation before society's tolerance for digital ephemera changes.

This essay previously appeared on The Wall Street Journal website (not the print newspaper), and is an update of something I wrote previously.

Malware? We don't need no stinking malware!

Fri, 24 Oct 2008 10:25:00 +0000

Written by Oliver Fisher

"This site may harm your computer"
You may have seen those words in Google search results — but what do they mean? If you click the search result link you get another warning page instead of the website you were expecting. But if the web page was your grandmother's baking blog, you're still confused. Surely your grandmother hasn't been secretly honing her l33t computer hacking skills at night school. Google must have made a mistake and your grandmother's web page is just fine...

I work with the team that helps put the warning in Google's search results, so let me try to explain. The good news is that your grandmother is still kind and loves turtles. She isn't trying to start a botnet or steal credit card numbers. The bad news is that her website or the server that it runs on probably has a security vulnerability, most likely from some out-of-date software. That vulnerability has been exploited and malicious code has been added to your grandmother's website. It's most likely an invisible script or iframe that pulls content from another website that tries to attack any computer that views the page. If the attack succeeds, then viruses, spyware, key loggers, botnets, and other nasty stuff will get installed.

If you see the warning on a site in Google's search results, it's a good idea to pay attention to it. Google has automatic scanners that are constantly looking for these sorts of web pages. I help build the scanners and continue to be surprised by how accurate they are. There is almost certainly something wrong with the website even if it is run by someone you trust. The automatic scanners make unbiased decisions based on the malicious content of the pages, not the reputation of the webmaster.

Servers are just like your home computer and need constant updating. There are lots of tools that make building a website easy, but each one adds some risk of being exploited. Even if you're diligent and keep all your website components updated, your web host may not be. They control your website's server and may not have installed the most recent OS patches. And it's not just innocent grandmothers that this happens to. There have been warnings on the websites of banks, sports teams, and corporate and government websites.

Uh-oh... I need help!
Now that we understand what the malware label means in search results, what do you do if you're a webmaster and Google's scanners have found malware on your site?

There are some resources to help clean things up. The Google Webmaster Central blog has some tips and a quick security checklist for webmasters. Stopbadware.org has great information, and their forums have a number of helpful and knowledgeable volunteers who may be able to help (sometimes I'm one of them). You can also use the Google SafeBrowsing diagnostics page for your site (http://www.google.com/safebrowsing/diagnostic?site=) to see specific information about what Google's automatic scanners have found. If your site has been flagged, Google's Webmaster Tools lists some of the URLs that were scanned and found to be infected.

Once you've cleaned up your website, use Google's Webmaster Tools to request a malware review. The automatic systems will rescan your website and the warning will be removed if the malware is gone.

Advance warning
I often hear webmasters asking Google for advance warning before a malware label is put on their website. When the label is applied, Google usually emails the website owners and then posts a warning in Google's Webmaster Tools. But no warning is given ahead of time - before the label is applied - so a webmaster can't quickly clean up the site before a warning is applied.

But, look at the situation from the user's point of view. As a user, I'd be pretty annoyed if Google sent me to a site it knew was dangerous. Even a short delay would expose some users to that risk, and it doesn't seem justified. I know it's frustrating for a webmaster to see a malware label on their website. But, ultimately, protecting users against malware makes the internet a safer place and everyone benefits, both webmasters and users.

Google's Webmaster Tools has started a test to provide warnings to webmasters that their server software may be vulnerable. Responding to that warning and updating server software can prevent your website from being compromised with malware. The best way to avoid a malware label is to never have any malware on the site!

Reviews
You can request a review via Google's Webmaster Tools and you can see the status of the review there. If you think the review is taking too long, make sure to check the status. Finding all the malware on a site is difficult and the automated scanners are far more accurate than humans. The scanners may have found something you've missed and the review may have failed. If your site has a malware label, Google's Webmaster Tools will also list some sample URLs that have problems. This is not a full list of all of the problem URLs (because that's often very, very long), but it should get you started.

Finally, don't confuse a malware review with a request for reconsideration. If Google's automated scanners find malware on your website, the site will usually not be removed from search results. There is also a different process that removes spammy websites from Google search results. If that's happened and you disagree with Google, you should submit a reconsideration request. But if your site has a malware label, a reconsideration request won't do any good — for malware you need to file a malware review from the Overview page.

How long will a review take?
Webmasters are eager to have a Google malware label removed from their site and often ask how long a review of the site will take. Both the original scanning and the review process are fully automated. The systems analyze large portions of the internet, which is big place, so the review may not happen immediately. Ideally, the label will be removed within a few hours. At its longest, the process should take a day or so.

Malware? We don't need no stinking malware!

Fri, 24 Oct 2008 10:25:00 +0000

BlackHat Picks, Day 2

Mon, 04 Aug 2008 13:48:24 +0000

Here’s the rest of my list:

10:00-11:00 FX, Developments in Cisco IOS Forensics.

11:15-12:30 Oliver Friedrichs, Threats to the 2008 Presidential Election (and more).

13:45-15:00 Option 1: Scott Stender, Concurrency Attacks in Web Applications. Option 2: Travis Goodspeed, Side-channel Timing Attacks on MSP430 Microcontroller Firmware.

15:15-16:30 Option 1: Alexander Sotirov and Mark Dowd, How To Impress Girls With Browser Memory Protection Bypasses. Option 2: Karsten Nohl, Mifare - Little Security, Despite Obscurity. This is one of the toughest time slots as you also have McFeters/Carter/Heasman and Grossman/Evans in the lineup. Choices, choices.

16:45-18:00 Option 1: Bruce Dang, Methods for Understanding Targeted Attacks with Office Documents. Option 2: Christopher Tarnovsky, Inducing Momentary Faults Within Secure Smartcards/Microcontrollers.

Lots of intriguing hardware talks on Day 2. A lot of it is probably over my head and my first options are more applicable to my day job. There might have to be some room hopping.

I fly out to Vegas tonight — see you all there!

BlackHat Picks, Day 2

Mon, 04 Aug 2008 13:48:24 +0000

Here’s the rest of my list:

10:00-11:00 FX, Developments in Cisco IOS Forensics.

11:15-12:30 Oliver Friedrichs, Threats to the 2008 Presidential Election (and more).

13:45-15:00 Option 1: Scott Stender, Concurrency Attacks in Web Applications. Option 2: Travis Goodspeed, Side-channel Timing Attacks on MSP430 Microcontroller Firmware.

Lots of intriguing hardware talks on Day 2. A lot of it is probably over my head and my first options are more applicable to my day job. There might have to be some room hopping.

I fly out to Vegas tonight — see you all there!

Phila. Gives Up on EarthLink

Wed, 14 May 2008 16:55:06 +0000

IDG News Service reports that Philadelphia won't pursue further efforts to keep the EarthLink network up and running: The last paragraph is quite classic:

Without going into details, city spokesman [Douglas] Oliver said there clearly were maintenance and upgrading challenges that came with the free infrastructure. "How many times has someone not taken $17 million worth of something without there being a pretty good reason?" he said.

PCI Co and ASVs

Fri, 21 Mar 2008 20:53:00 +0000

Talking of PCI SSC - We all know VISA has been the biggest contributer to the cause so far and has donated loads of time and IP towards PCI - which has been adopted by PCI Co - but what neither VISA nor PCI Co have been able to successfully do so far - is to monitor the ASVs / QSAs to do their jobs correctly. Meaning QSAs should not be allowed to recommend vendor products or have relationships with vendors. That is so completely unethical. And ASVs should understand security. Seriously. I was completely aghast when I noticed Anurag's and Jermiah Grossman's blog entries about ScanAlert saying YOU DON'T HAVE TO FIX XSS ISSUES TO BE PCI COMPLIANT. Symantec and ScanAlert really need Security 101.

"XSS vulnerabilities do present a serious risk. However, to date their real-world use has been limited," said Oliver Friedrichs, director of Symantec Security Response in an e-mail. "XSS vulnerabilities can result in the theft of session cookies, Web site login credentials, and exploitation of trust. XSS vulnerabilities are site-specific, and therefore their life cycle is limited; they become extinct once they're discovered and repaired by the Web site owners."

Joseph Pierini, director of enterprise services for the ScanAlert "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server. He maintains that XSS vulnerabilities aren't material to a site's certification. "Cross-site scripting can't be used to hack a server," he said. "You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly."

Pierini dismisses the suggestion that certifying a site as "Hacker Safe" when it remains vulnerable to XSS attacks could be confusing to consumers. He insists that the meaning of the certification is clear and notes that his company's scanning service reports the XSS flaws it finds to its clients.

"We definitely identify this [XSS] and we definitely bring this to our customers' attention," he said." And we provide our customers with the information. Our customers are allowed to make the decision where to put their resources. I personally want them to put their resources where they're needed most, in things that can affect the confidentiality, the integrity, or the availability of that system that we're certifying. Cross-site scripting can be used to do a variety of things, but it's all on the client side. And that's an area that we don't have control over."

Top 10: Spitzer falls, Bebo goes to AOL, Gates to DC

Thu, 13 Mar 2008 21:00:00 +0000

1. Eliot Spitzer: High-tech felt his impact and Oliver North ridicules Spitzer, calls on IT to hire war vets: It might not have seemed at first that the saga of almost-former New York Governor Eliot Spitzer had any connection to IT, but when he was attorney general of that state, he targeted the high-tech and networking industries in various investigations, including participating in the RAM price-fixing probe.

Oliver North ridicules Spitzer, calls on IT to hire war vets

Mon, 10 Mar 2008 21:00:00 +0000

ORLANDO -- At a security conference in Orlando Tuesday, Col. Oliver North mocked the plight of New York Gov. Eliot Spitzer, caught up in a prostitution-ring scandal that may end his political career.

Five-year-old wanders into bank branch after-hours

Wed, 06 Feb 2008 07:24:03 +0000

Technorati Tag: Security Breach

Date Reported:
2/6/08

Organization:
HSBC Group (UK)

Contractor/Consultant/Branch:
Market Place, Easingwold

Victims:
Potentially customers, but no confirmed loss or theft occurred

Number Affected:
Unknown

Types of Data:
Potentially customer banking records

Breach Description:
The HSBC branch in Easingwold was found unlocked during non-business hours on Saturday, February 2nd. A five-year-old boy wandered into the bank while his father was using the cash machine. The bank was closed and unattended since 4:30 the previous day and no alarms were sounded.

Reference URL:
The Northern Echo online story
The Press online story

Report Credit:
The Northern Echo

Response:
From the online sources cited above:

Little Oliver was at the HSBC with mum, Alison, and dad Daniel, when the family visited the cash machine at Easingwold, North Yorkshire, on Saturday afternoon.

Mrs Pettigrew said: "We usually go into the bank and so Oliver just pushed the door and wandered in.

"I was at the cash machine and it was Oliver's dad who started saying, 'where's Oliver? where's Oliver?' "Then Oliver appeared again. He and his dad ended up wandering around the place, which was totally deserted. There were computers everywhere and there was no alarms sounding.

The HSBC tried to downplay the breach saying the emergency services would have been summoned automatically if someone stepped inside.
[Evan] This did not appear to have happened. According to the news story, emergency services were not even aware of this physical breach until notified by the Pettigrews.

However North Yorkshire Police have confirmed that the only call received was from Daniel Pettigrew.

The bank had been closed for business at 4.30pm on Friday and Oliver opened the door at lunchtime on Saturday.

A spokeswoman for the bank said there had been a malfunction with the catch on the door.
[Evan] A malfunction is not an acceptable reason for a breach. System malfunctions need to be taken into account when designing secure systems (physical and technical), especially at a bank.

"When I realised the bank was empty and the service times said Monday to Friday I phoned 999."

He and Oliver also walked right up to the door of the vault where money is kept.
[Evan] It is important to note that they walked up to the door, not THROUGH the door. This would be a more sensational story if the vault were open too.

There were computers and walkie talkies lying around in there. Anyone could have stolen them.

"The hard drives were in there too. In the current climate it makes you wonder if anyone could have got the database with bank customers' details on it.
[Evan] There is chatter that HSBC employs centralized and secure data storage, meaning that there should be no sensitive information on the client computers. This may be true, but often there is much more information on these computers than people realize. I would guess that there is also a substantial amount of sensitive paperwork in the branch.

The Pettigrews stood guard at the bank until police officers arrived.

A spokesman for HSBC, which made profits of about £11bn in 2006, said there was no danger to bank customers.
[Evan] Not so. There WAS a danger to bank customers. It may not exist in this instance anymore, but the danger was there.

She said: "Basically, what happened was there was a malfunction with the door catch. Once the door was pushed open it would have alerted the police anyway.
[Evan] This was obviously not so. Malfunctions must be detected at the time of the occurrence.

She said: "There would have been no danger to customers in terms of cash or information being stolen. Obviously we don't want security issues but sometimes these things happen."
[Evan] Again, I disagree.

From Simon Davies, director of Privacy International:

"extraordinary state of affairs" which could have exposed thousands of customers to a "grave risk"

"I cannot believe that a bank would not have procedures in place to make sure all exits are sealed at close of business."

"This is a situation I have never encountered before. It is a failure on multiple levels, on the human level and on the technical level and what it does is expose thousands of customers to a grave risk."

"It could be that the computers are part of a central control system and are password protected and contain no information locally, in which case you don't have the same level of threat."

"But if they are just password protected then someone could have gained access to the whole central resource of data."

Commentary:
I added this breach to The Breach Blog because the potential for lost data confidentiality and intergrity was real and present. There appear to have been no customer-related victims, which is a very good thing. HSBC and/or their security team should have detected the door malfunction well before a five-year-old did.

How many times have we used a cash machine at the bank after-hours? Most of us just assume that the bank doors would be locked. Even if the door were unlocked, most of us would assume that alarms would go off as soon as I opened it.

I don't suggest that you drive from bank to bank looking for unlocked doors because this might get you in a lot of trouble.

Past Breaches:
Unknown