<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: rigorous]]></title>
    <link>http://securityratty.com/tag/rigorous</link>
    <description></description>
    <pubDate>Sat, 05 Apr 2008 10:13:01 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Red Light Cameras Don't Work]]></title>
      <link>http://securityratty.com/article/8352bdbeaa301a76267200c64791415d</link>
      <guid>http://securityratty.com/article/8352bdbeaa301a76267200c64791415d</guid>
      <description><![CDATA[Interesting: the solution to one problem causes another. &quot;The rigorous studies clearly show red-light cameras don't work,&quot; said lead author Barbara Langland-Orban, professor and chair of health...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.ridelust.com/red-light-cameras-just-dont-work/">Interesting</a>: the solution to one problem causes another.</p>

<blockquote><p>"The rigorous studies clearly show red-light cameras don't work," said lead author Barbara Langland-Orban, professor and chair of health policy and management at the USF College of Public Health. "Instead, they increase crashes and injuries as drivers attempt to abruptly stop at camera intersections."</p>

<p>Comprehensive studies from North Carolina, Virginia, and Ontario have all reported cameras are associated with increases in crashes. The study by the Virginia Transportation Research Council also found that cameras were linked to increased crash costs. The only studies that conclude cameras reduced crashes or injuries contained "major research design flaws," such as incomplete data or inadequate analyses, and were always conducted by researchers with links to the Insurance Institute for Highway Safety. The IIHS, funded by automobile insurance companies, is the leading advocate for red-light cameras since insurance companies can profit from red-light cameras by way of higher premiums due to increased crashes and citations.</p></blockquote>

<p>And, of course, the agenda of the government is to increase revenue due to fines:</p>

<blockquote><p>A 2001 paper by the Office of the Majority Leader of the U.S. House of Representatives reported that red-light cameras are "a hidden tax levied on motorists." The report came to the same conclusions that all of the other valid studies have, that red-light cameras are associated with increased crashes and that the timings at yellow lights are often set too short to increase tickets for red-light running. That's right, the state actually tampers with the yellow light settings to make them shorter, and more likely to turn red as you're driving through them.</p>

<p>In fact, six U.S. cities have been found guilty of shortening the yellow light cycles below what is allowed by law on intersections equipped with cameras meant to catch red-light runners. Those local governments have completely ignored the safety benefit of increasing the yellow light time and decided to install red-light cameras, shorten the yellow light duration, and collect the profits instead.</p>

<p>The cities in question include Union City, CA, Dallas and Lubbock, TX, Nashville and Chattanooga, TN, and Springfield, MO, according to Motorists.org, which collected information from reports from around the country.</p></blockquote>]]></content:encoded>
      <pubDate>Mon, 25 Aug 2008 08:19:23 +0000</pubDate>
      <category domain="http://securityratty.com/tag/red">red</category>
      <category domain="http://securityratty.com/tag/red-light">red-light</category>
      <category domain="http://securityratty.com/tag/red-light runners">red-light runners</category>
      <category domain="http://securityratty.com/tag/install red-light cameras">install red-light cameras</category>
      <category domain="http://securityratty.com/tag/cameras">cameras</category>
      <category domain="http://securityratty.com/tag/red-light cameras">red-light cameras</category>
      <category domain="http://securityratty.com/tag/conclude cameras">conclude cameras</category>
      <category domain="http://securityratty.com/tag/studies">studies</category>
      <category domain="http://securityratty.com/tag/rigorous studies">rigorous studies</category>
      <source url="http://www.schneier.com/blog/archives/2008/08/red_light_camer.html">Red Light Cameras Don't Work</source>
    </item>
    <item>
      <title><![CDATA[Interview with Paul Cannon, Mozy Software Engineer]]></title>
      <link>http://securityratty.com/article/0cc76ea91cbf8ad59a01671da9da1295</link>
      <guid>http://securityratty.com/article/0cc76ea91cbf8ad59a01671da9da1295</guid>
      <description><![CDATA[Mozy Awesome Process
Sometimes people come up to me and say, Paul, how is it that Mozy has created such an unrelenting output of Awesome
Today I have been authorized to share with you some of the...]]></description>
      <content:encoded><![CDATA[<p><span style="font-size: small;"><span style="font-weight: bold;">Mozy Awesome Process</span></span><br />
Sometimes people come up to me and say, &#8220;Paul, how is it that Mozy has created such an unrelenting output of Awesome?&#8221;</p>
<p>Today I have been authorized to share with you some of the unique facets of the Mozy Awesome Process that until now have been tightly controlled trade secrets of Mozy, Inc. It all starts with giant robots (virtually perpetual sources of raw Awesome). We attach them to special Awesome Siphons of our own design and pipe the yield directly into our engineers&#8217; development workstations. Further, peripheral Awesome needs are farmed from old He-Man reruns, a roomful of ninjas wailing on electric guitars, and our captive Happy Fun Ball.</p>
<p>The crude Awesome is skillfully transformed by Mozy engineers into powerful software and hardware configurations, then carefully inspected and regulated according to a host of eldritch acronyms: SWAGs, PMQs, PRDs, and the ever-inspiring CFRRCs. Once a successful creation is stamped with the Seal of Acronymic Approval for Mozy (SAAM), it is subjected to final endorsement by the mystical, revered Mozy Leprecorn*. Finally, a highly trained team of Box Monks put the new Awesomery into place in the Mozy systems, where it becomes available to you, the user.</p>
<p>Our rigorous Awesome Enforcement Policies and Magical Oversight have brought us to what we believe is the most Awesome-efficient development process in the world of backup software.</p>
<p>Be safe,<br />
Paul Cannon<br />
Mozy Software Engineer</p>
<p>*Leprecorn (noun): a rare but phenomenal creature; half Unicorn, half Leprechaun, and all magical.</p>
<p><a title="Mozy" href="http://www.mozy.com/?ref=3f9a896b&amp;kbid=38419&amp;m=4&amp;i=77" target="_blank">Visit Mozy now for a great reliable online backup service, I use it myself.</a></p>
<p><span style="font-size: small;"><span style="font-weight: bold;">Vote for Mozy</span></span><br />
Lifehacker is currently holding an online backup showdown. Show your love for Mozy. <a title="Vote for Mozy on Lifehacker.com" href="http://click.news.mozy.com/?ju=fe3415747265057c761075&amp;ls=fdf011757767027476137173&amp;m=fef012747c6103&amp;l=fe881576736c01787d&amp;s=fe601679776d007d7014&amp;jb=ffcf14&amp;t=">Vote now</a>.</p>
]]></content:encoded>
      <pubDate>Wed, 16 Jul 2008 11:00:49 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mozy">mozy</category>
      <category domain="http://securityratty.com/tag/mozy systems">mozy systems</category>
      <category domain="http://securityratty.com/tag/visit mozy">visit mozy</category>
      <category domain="http://securityratty.com/tag/mozy awesome process">mozy awesome process</category>
      <category domain="http://securityratty.com/tag/mozy software engineer">mozy software engineer</category>
      <category domain="http://securityratty.com/tag/awesome">awesome</category>
      <category domain="http://securityratty.com/tag/special awesome siphons">special awesome siphons</category>
      <category domain="http://securityratty.com/tag/mozy leprecorn">mozy leprecorn</category>
      <category domain="http://securityratty.com/tag/raw awesome">raw awesome</category>
      <source url="http://spywarebiz.com/spywarebizblog/?p=504">Interview with Paul Cannon, Mozy Software Engineer</source>
    </item>
    <item>
      <title><![CDATA[Daniel Solove on the New FISA Law]]></title>
      <link>http://securityratty.com/article/d22a0af73b41ad2a7e688547d4f91208</link>
      <guid>http://securityratty.com/article/d22a0af73b41ad2a7e688547d4f91208</guid>
      <description><![CDATA[From his blog : Future presidents can learn a lot from all this -- do exactly what the Bush Administration did! If the law holds you back, don't first go to Congress and try to work something out....]]></description>
      <content:encoded><![CDATA[From <a href="http://www.concurringopinions.com/archives/2008/07/the_new_foreign.html">his blog</a>:

<blockquote>Future presidents can learn a lot from all this -- do exactly what the Bush Administration did! If the law holds you back, don't first go to Congress and try to work something out. Secretly violate that law, and then when you get caught, staunchly demand that Congress change the law to your liking and then immunize any company that might have illegally cooperated with you. That's the lesson. You spit in Congress's face, and they'll give you what you want. 

The past eight years have witnessed a dramatic expansion of Executive Branch power, with a rather anemic push-back from the Legislative and Judicial Branches. We have extensive surveillance on a mass scale by agencies with hardly any public scrutiny, operating mostly in secret, with very limited judicial oversight, and also with very minimal legislative oversight. Most citizens know little about what is going on, and it will be difficult for them to find out, since everything is kept so secret. Secrecy and accountability rarely go well together. The telecomm lawsuits were at least one way that citizens could demand some information and accountability, but now that avenue appears to be shut down significantly with the retroactive immunity grant. There appear to be fewer ways for the individual citizen or citizen advocacy groups to ensure accountability of the government in the context of national security. 

That's the direction we're heading in -- more surveillance, more systemic government monitoring and data mining, and minimal oversight and accountability -- with most of the oversight being very general, not particularly rigorous, and nearly always secret -- and with the public being almost completely shut out of the process. But don't worry, you shouldn't get too upset about all this. You probably won't know much about it. They'll keep the dirty details from you, because what you don't know can't hurt you.</blockquote>]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 08:08:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/minimal legislative oversight">minimal legislative oversight</category>
      <category domain="http://securityratty.com/tag/oversight">oversight</category>
      <category domain="http://securityratty.com/tag/law">law</category>
      <category domain="http://securityratty.com/tag/ensure accountability">ensure accountability</category>
      <category domain="http://securityratty.com/tag/accountability">accountability</category>
      <category domain="http://securityratty.com/tag/minimal oversight">minimal oversight</category>
      <category domain="http://securityratty.com/tag/congress">congress</category>
      <category domain="http://securityratty.com/tag/accountability rarely">accountability rarely</category>
      <category domain="http://securityratty.com/tag/legislative">legislative</category>
      <source url="http://www.schneier.com/blog/archives/2008/07/daniel_solove_o.html">Daniel Solove on the New FISA Law</source>
    </item>
    <item>
      <title><![CDATA[Laptop stolen from the home of a BearingPoint employee]]></title>
      <link>http://securityratty.com/article/cdacc39a32caa98a264d6e52be4b661f</link>
      <guid>http://securityratty.com/article/cdacc39a32caa98a264d6e52be4b661f</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/5/08

Organization
BearingPoint, Inc

Contractor/Consultant/Branch
None

Victims
Independent BearingPoint contractors

Number Affected
Unknown

Types...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/bearingpoint.jpg" width="166" align="right" height="81"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/5/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.bearingpoint.com/portal/site/bearingpoint">BearingPoint, Inc.</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Independent BearingPoint contractors<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>"first and last name and Social Security Number"<br><br><span style="font-weight: bold;">Breach Description:</span><br>On May 14, 2008 a BearingPoint company-issued laptop was stolen from the residence of an employee.&nbsp; The laptop contained sensitive personal information belonging to a number of BearingPoint independent contractors.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-153117.pdf">The Maryland State Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Maryland State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>BearingPoint recognizes the importance of safeguarding the personal information it handles in the course of conducting business.<br><span style="font-style: italic;">[Evan] As demonstrated on their web site.&nbsp; The number "8" followed by "The number of years in a row that identity theft has been the #1 internet crime"</span><br><br><img src="http://images.quickblogcast.com/95781-88451/8.jpg" width="576" border="0"><br><br><br><img src="http://images.quickblogcast.com/95781-88451/8y.jpg" width="576" border="0"><br><br>To that end, we have implemented safeguards for the 
information.<br><span style="font-style: italic;">[Evan] OK, I am following so far.</span><br><br>Even the most rigorous safeguards, however, can not guarantee protection against criminal conduct.<br><span style="font-style: italic;">[Evan] Well, I think "rigorous safeguards" needs to be quantified somewhat.&nbsp; What are "rigorous safeguards" and how do they apply to this breach?</span><br><br>The Company was recently victimized by such conduct and we are writing to inform you that this criminal conduct might have a direct impact on you.<br><span style="font-style: italic;">[Evan] Uh oh, here it comes.&nbsp; Not only was "The Company" recently victimized, but just as importantly, the owners of the personal information were victimized as well.</span><br><br>On May 14, 2008, the residence of one of our employees was burglarized and the company-issued laptop computer was taken amongst other personal property.<br><br>The employee promptly reported the theft to the Atlanta Police Department, which is investigating the break in.<br><br>The investigation into the burglary is on-going and BearingPoint is cooperating fully.<br><br>BearingPoint worked diligently to reconstruct the information stored on the stolen laptop.<br><br>BearingPoint has been able to determine that the computer contains the name and social security number of independent contractors.<br><span style="font-style: italic;">[Evan] Recognizing the importance of safeguarding personal information, is storing personal information on a laptop (presumably without encryption due to the fact that there is no mention of it) a prudent practice?</span><br><br>The stolen laptop did not contain credit or debit card numbers, or financial account numbers.<br><span style="font-style: italic;">[Evan] So a criminal would have to open his/her own accounts using the other information that WAS on the laptop.</span><br><br>We have no reason to believe that the information stored on the stolen laptop was the target of the 
burglary or that the information has been misused.<br><br>The personal information on the laptop can be accessed only with two passwords and two forms of authentication.<br><span style="font-style: italic;">[Evan] The "passwords" are the authentication.&nbsp; I am guessing that BearingPoint meant two forms of identification (probably usernames).&nbsp; Again, I am guessing that one of the username/passwords is for the operating system itself which takes less than 10 minutes to bypass in most instances and I am guessing that the other username/password combination is file access for which there are known workarounds in many common applications (Word, Excel, PowerPoint, etc.).&nbsp; Either way, I think that this excerpt is meant to minimize the situation with a strong bias towards saving face.</span><br><br>In addition, the personal information was not stored in a single file or spreadsheet but dispersed among numerous files.<br><span style="font-style: italic;">[Evan] Information security personnel know better than to argue the security through obscurity defense.</span><br><br>To date, we have received no report indicating that the information stored on the laptops has been accessed or misused.<br><span style="font-style: italic;">[Evan] I think "laptops" in the breach notification is a typo</span><br><br>BearingPoint recognizes this development, and any related inconvenience, might be upsetting.<br><br>We regret this incident has occurred and we apologize for any inconvenience it may cause you.<br><br>As a result of this incident, we have taken immediate steps to review our current policies and procedures to further enhance security for personal data we handle and to reduce the risk of recurrence.<br><span style="font-style: italic;">[Evan] Restrict ability to store confidential information on mobile devices?&nbsp; Encryption?&nbsp; Two-factor authentication?</span><br><br>To lessen the potential inconvenience to you and reduce the risk that you might be subjected 
to attempts to steal your identity, we have engaged ConsumerInfo.com Inc., an Experian company, to provide you with one year of credit monitoring, at no cost to you.<br><br>Please contact BPt-FMGOICPrivacy@bearingpoint.com should you have additional questions regarding the circumstances of the incident.<br><br>BearingPoint currently anticipates notifying affected individuals on or before June 6, 2008, of this incident.<br><br><span style="font-weight: bold;">Commentary:</span><br>Marketing on the BearingPoint web site boasts "BearingPoint has demonstrated some of the biggest advancements in risk consulting services among the large number of providers in this market" - Forrester Wave: Risk Consulting Services, Q2, June 2007 Report.&nbsp; <br><br>It is disappointing to read about a well-respected company losing control of confidential information, but what makes this worse is the fact that it happened through the actions of a leading information security and risk consulting company.&nbsp; It is important to point out that one incident <span style="font-weight: bold;">DOES NOT</span> define a company. <br><br>No encryption or mention of it as a matter of policy, and the attempts to minimize the possible impact by mentioning ineffective controls (passwords and obscurity) are troubling. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Thu, 19 Jun 2008 11:38:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/bearingpoint">bearingpoint</category>
      <category domain="http://securityratty.com/tag/store confidential information">store confidential information</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/laptop">laptop</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/independent contractors">independent contractors</category>
      <source url="http://breachblog.com/2008/06/19/bearingpoint.aspx">Laptop stolen from the home of a BearingPoint employee</source>
    </item>
    <item>
      <title><![CDATA[European Backup Services Vulnerable to Attack]]></title>
      <link>http://securityratty.com/article/fbd0a66def0a973b208c50779278f2a9</link>
      <guid>http://securityratty.com/article/fbd0a66def0a973b208c50779278f2a9</guid>
      <description><![CDATA[Online backup is seen as a good strategy for preventing data loss, in case of a disaster at a local datacenter or on a local machine. But apparently the software used by over 100 services is...]]></description>
      <content:encoded><![CDATA[<p>Online backup is seen as a good strategy for preventing data loss, in case of a disaster at a local datacenter or on a local machine. But apparently the software used by over <a rel="nofollow" target="_blank" href="http://belsec.skynetblogs.be/post/5959336/100-online-backup-services-of-which-combell-a">100 services </a>is <a rel="nofollow" target="_blank" href="http://www.heise-online.co.uk/security/Some-online-backup-services-insecure--/news/110771">vulnerable </a>to a man in the middle attack, even though it uses SSL to secure the connection:</p>
<blockquote><p>Tests by heise Security show that four of the six services tested were vulnerable to attack. </p>
<div class="cadv"> </div>
<p>While all of the tested systems encrypt communication with the backup server using SSL, external attackers can sniff the access code as plain text by acting as a man-in-the-middle (MITM) if the locally installed backup software does not perform sufficiently rigorous checks on the authenticity of the server&#8217;s certificates. In the vulnerable systems, we were able to hijack the connection from the client software to the backup servers.</p></blockquote>
<p>Four of six may not be a large test sample, but it does raise concerns about trust between customers and their service providers. If you&#8217;re providing or purchasing this kind of service, you might want to look into it closely to make sure your data is secure.</p>]]></content:encoded>
      <pubDate>Wed, 11 Jun 2008 07:49:32 +0000</pubDate>
      <category domain="http://securityratty.com/tag/vulnerable">vulnerable</category>
      <category domain="http://securityratty.com/tag/attack">attack</category>
      <category domain="http://securityratty.com/tag/client software">client software</category>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <category domain="http://securityratty.com/tag/vulnerable systems">vulnerable systems</category>
      <category domain="http://securityratty.com/tag/data loss">data loss</category>
      <category domain="http://securityratty.com/tag/backup servers">backup servers</category>
      <category domain="http://securityratty.com/tag/middle attack">middle attack</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/309846261/">European Backup Services Vulnerable to Attack</source>
    </item>
    <item>
      <title><![CDATA[Stolen laptop affects thousands of current and former Stanford employees]]></title>
      <link>http://securityratty.com/article/6ccc71f840f261739703c07112ae5cb2</link>
      <guid>http://securityratty.com/article/6ccc71f840f261739703c07112ae5cb2</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/6/08

Organization
Stanford University

Contractor/Consultant/Branch
None

Victims
current and former employees hired before September 28, 2007

Number...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/stanford.jpg" align="right" height="150" width="98"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/6/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.stanford.edu/">Stanford University</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>current and former employees hired before September 28, 2007<br><br><span style="font-weight: bold;">Number Affected:</span><br>as many as 72,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>Some or all of the following: first and last name, gender, birthdate, Social Security Number, business title and office location, work and home phone numbers, home address, salary, Stanford email address, Stanford ID card number and Stanford employee number<br><br><span style="font-weight: bold;">Breach Description:</span><br>"Stanford University determined yesterday that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://news-service.stanford.edu/news/2008/june11/laprelease-061108.html">Stanford News Service</a> <br><a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/06/08/BAR9115907.DTL">San Francisco Chronicle</a> <br><a href="http://cbs5.com/local/stanford.stolen.laptop.2.742945.html">KPIX Channel 5 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Stanford News Service<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>STANFORD (BCN) -- 
The personal information of as many as 72,000 people working for, or formerly employed by, Stanford University could be at risk after officials determined a recently stolen laptop contained confidential personnel data.<br><span style="font-style: italic;">[Evan] Even a prestigious school like Stanford University is not immune.&nbsp; 72,000 confidential personal records on a laptop that appears to have not been encrypted is not representative of good information security practice.</span><br><br>The computer contained personal records of Stanford employees hired before Sept. 28, 2007<br><br>data on the laptop included some or all of the following: employees' names, birth dates, Social Security numbers, business titles, work and home phone numbers, home addresses, salaries, and Stanford e-mail addresses and employee identification numbers.<br><br>While the university does not believe the thief was aware of the records' existence on the machine, it is taking steps to assist anyone whose information might be misused.<br><span style="font-style: italic;">[Evan] How many times have we read this in a breach notification?&nbsp; It is almost like a breach notification isn't a breach notification without it.</span><br><br>"We believe that the perpetrator of the crime was not seeking the records on the computer or even aware of them,"<br><br>"Often, such thefts are property crimes in which the laptop's hard drive is erased before the laptop is resold."<br><span style="font-style: italic;">[Evan]&nbsp; Robert Richardson, director of the San Francisco-based Computer Security Institute responds "In the past, if a laptop was stolen from a cafe, it was reasonable to think it would be reformatted and sold as a new machine," "Now I wouldn't make that assumption. 
Even the dumbest criminals out there are on to the fact that the data is where the money is."&nbsp; I have stated this numerous times on The Breach Blog.&nbsp; Now you don't have to take my word for it.&nbsp; Check out the </span><a style="font-style: italic;" href="http://www.gocsiblog.com/">CSI blog</a><span style="font-style: italic;">.</span><br><br>While there is no evidence that any of the information on the stolen laptop has been accessed, the University is committed to taking steps to assist individuals whose personal data may be misused.<br><br>The university is not disclosing the details of the crime, as an investigation is still under way.<br><br>This matter has been reported to law enforcement.<br><br>Stanford sent out an e-mail message Friday to all the current and former employees it could reach, advising them of the theft.<br><br>The university is sending e-mails and letters to current and former employees whose personal information may be at risk, as well as posting information on the Stanford homepage at: <a href="http://www.stanford.edu">www.stanford.edu</a>, and notifying the media.<br><br>The university said it will provide additional credit monitoring to help employees respond to the possible data breach and protect their identities from fraud.<br><br>"We will have services in place next week and Stanford is committed to assuming this cost,"<br><br>It is also looking at how to protect employee data better in the future.<br><span style="font-style: italic;">[Evan] I hope that mobile device encryption is in the mix.</span><br><br>While the university has rigorous policies and guidelines designed to protect confidential information, events such as this demonstrate the need for heightened vigilance in this area.<br><span style="font-style: italic;">[Evan] Information security always requires a "heightened vigilance".&nbsp; It is a continuous effort.</span><br><br>Vice President for Business Affairs and Chief Financial Officer Randy Livingston will 
lead a task force to review policies and practices regarding the safety and security of sensitive data.<br><br>Livingston said: "The university has guidelines that prohibit keeping sensitive information on unsecured computers. This effort will be redoubled after this incident."<br><br>We sincerely apologize for this incident.<br><br>You can call (650) 736-0099 and leave your contact information for a return call. You can also go to the Stanford home page for updates or email privacyquestions@stanford.edu with your full name and date of birth.<br><br><span style="font-weight: bold;">Commentary:</span><br>If an organization employs laptops and other mobile devices, it is only a matter of time that one (or more) will be lost or stolen.&nbsp; It is a fact of life, and it really doesn't matter how aware the users are.&nbsp; We either need to make sure that confidential information does not get stored on mobile devices, encrypt them (with secure key management) or preferably both.&nbsp; This is a simplistic view, but you get the point.<br><br>Breaches like this get old, but they still tick me off. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Sun, 08 Jun 2008 19:12:08 +0000</pubDate>
      <category domain="http://securityratty.com/tag/stanford">stanford</category>
      <category domain="http://securityratty.com/tag/university laptop">university laptop</category>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/stanford university">stanford university</category>
      <category domain="http://securityratty.com/tag/stanford email address">stanford email address</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security practice">information security practice</category>
      <category domain="http://securityratty.com/tag/stanford employee">stanford employee</category>
      <source url="http://breachblog.com/2008/06/08/stanford.aspx">Stolen laptop affects thousands of current and former Stanford employees</source>
    </item>
    <item>
      <title><![CDATA[SDL Training]]></title>
      <link>http://securityratty.com/article/36095f95c3adf54cf7cabefc378acfcb</link>
      <guid>http://securityratty.com/article/36095f95c3adf54cf7cabefc378acfcb</guid>
      <description><![CDATA[Hi everyone, Shawn Hernan here. Being a security guy is incredibly rewarding because you get to look at virtually any part of a product, from kernel drivers to web services to user education to sales...]]></description>
      <content:encoded><![CDATA[<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>Hi everyone, Shawn Hernan here. Being a security guy is incredibly rewarding because you get to look at virtually any part of a product, from kernel drivers to web services to user education to sales and servicing. You have to do that because a failure in one of those areas can endanger the security of our customers. Microsoft’s SDL process reflects that reality. The process is structured so that you really do have to look at each piece before you can sign off. But sometimes when others want to emulate the success of the SDL, they want to skip steps. They try to boil the SDL down into its component parts, like training, or tooling, or security response. Maybe the most common form of that mistake is training, but you see that same thinking applied to code scanning, security response, and just about every phase of the SDL. “<I style="mso-bidi-font-style: normal">Let’s just train everyone, and all our security problems will go away</I>.” If only it were so easy. I’d like to take a few minutes to try to explain why it’s not really that easy from my own experience. </FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>Have you ever sat in a corporate training? Some are good, some are bad, but did you ever say, “man I can’t <I>wait</I> for training today.” What about mandatory training? What about mandatory training in a subject that you really don’t think is your area? What if you had to do it every year, and got harassed if you didn’t do it? What if you were, say, an audio engineer and were dragged into a security class?</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT size=3><FONT face=Calibri>I ran the SDL training program at Microsoft for a long time, and developed and taught a big chunk of the training. I spent hundreds of hours in front of thousands of developers, testers, and program managers. <SPAN style="mso-bidi-font-style: italic">I got some really good reviews (and a few bad ones) on the classes I offered. And I tried to do a lot of things to try to make the trainings interesting. I handed out dozens of fresh peaches in an early class on fuzz testing, for example.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>The room smelled really nice after that, and there are probably still a few people around Microsoft who think of fuzz testing when they see a peach. </SPAN></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><SPAN style="mso-bidi-font-style: italic"><FONT size=3><FONT face=Calibri>But even on my best day, I was under no illusion that the majority of the audience was excited to be there, and I was certain that they weren’t going to go back to their offices and spend weeks applying the lessons from the class, setting aside <I>other </I>things that are causing present and immediate problems in favor of something that is far off into the future. <o:p></o:p></FONT></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>You have to work at getting people’s attention – especially as it relates to security and privacy. From time to time, I would see people reading their mail in class, and I would point to them and ask them a question. That did not endear me to the audience as much as the peaches, but embarrassment is always fresh and in season.</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><SPAN style="mso-bidi-font-style: italic"><FONT size=3><FONT face=Calibri>One student wrote of one of my classes, “<I>the basics for secure design - could be replaced by non-anonymous site-wide exam with open material.” </I><SPAN style="mso-spacerun: yes">&nbsp;</SPAN>He was not alone, I assure you. <o:p></o:p></FONT></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>Is that an indication that our training, or any training, is pointless? Hardly, but training alone is not a change agent.</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><SPAN style="mso-bidi-font-style: italic"><FONT face=Calibri size=3>Richard Derwent Cooke </FONT></SPAN><A href="http://www.changingminds.org/articles/articles08/you_get_the_results_you_reward.htm"><SPAN style="mso-bidi-font-style: italic"><FONT face=Calibri color=#0000ff size=3>wrote</FONT></SPAN></A><SPAN style="mso-bidi-font-style: italic"><FONT size=3><FONT face=Calibri>,<SPAN style="mso-spacerun: yes">&nbsp; </SPAN><I><SPAN style="mso-spacerun: yes">&nbsp;</SPAN>“It is a first principle of Change Management that people will act in what they perceive as being their best interests.”<o:p></o:p></I></FONT></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><SPAN style="mso-bidi-font-style: italic"><FONT size=3><FONT face=Calibri>At best, training can provide people with insight into what they need to do to solve a security problem <I>if they believe that solving that security problem is in their best interests. <o:p></o:p></I></FONT></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><SPAN style="mso-bidi-font-style: italic"><FONT size=3><FONT face=Calibri>To be effective, training needs to happen in an environment:<o:p></o:p></FONT></FONT></SPAN></P>
<UL>
<LI><FONT face=Calibri size=3>Where expectations are clearly set (the SDL sets specific minimum requirements).</FONT></LI>
<LI><FONT face=Calibri size=3>Where people have appropriate incentives and consequences (security is a great career path at Microsoft, and nobody wants to be the one holding up a ship schedule for failure to meet a security requirement).</FONT></LI>
<LI><FONT face=Calibri size=3>Where tools and resources to accomplish the goals are available (we build a whole variety of tools that map to the SDL requirements).</FONT></LI>
<LI><FONT face=Calibri size=3>Where management models the behavior (recall the original BillG TWC memo).</FONT></LI>
<LI><FONT face=Calibri size=3>Where the environment reflects and supports the values presented in the training (apparent in everything Microsoft does).</FONT></LI>
</UL>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>Don’t make the mistake of thinking that a bunch of training, even really high quality training done periodically, will result in actual behavior change. It won’t. You have to build an environment where people perceive solving security problems as being in their best interests. You have to make security <I style="mso-bidi-font-style: normal">their</I> problem – not in the sense of passing the buck, but in the sense of changing their behavior so they will bring security problems to you.</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>To illustrate further, I’ll cite two examples. First, fuzz testing. Fuzz testing has been a success story here at Microsoft. Tools arise spontaneously to solve new fuzzing challenges, written by people who believe the challenges are their challenges. There are people who feel ownership for our fuzzing strategy and on-going research and science, there are specific goals and requirements, we have training (remember the peaches?), and internally developed fuzzers have won prestigious awards within the company, handed out by members of the executive staff, and all of this gets revisited periodically as part of the SDL. </FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>By contrast, I’ll choose a less successful area – defect estimation. Of my own volition, I created (based mostly on some excellent material from Microsoft Research) and taught a class called “Defect Estimation and Management” and added it to the SDL curriculum. Microsoft is a great place to work in that regard. It was pretty close to the best-reviewed class I taught. But, we have not yet been able to establish a set of tools to estimate security defect density effectively, and establish a fair set of expectations, incentives, and consequences, or even decide what we should do if we had the data. We discovered some things, though. For example, based on what I observed (which should not be construed as rigorous research), it does not appear as if the density of general defects correlates closely with the density of security defects. And Microsoft Research found higher code coverage in testing correlates with <I>higher</I> bug rates in the field.</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>And so even though people like the idea of defect estimation, and we’ve got some interesting and surprising data, we’ve not yet been successful in changing people’s behavior. Generally speaking, an individual test manager does not feel that establishing a high quality estimate of their defect density is in his or her best interests, as compared to, say, improving the time in which an established series of tests can be performed.</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>We need to build an environment that has the tools, training, rewards and incentives, and expectations and consequences to change people’s behavior. Not that we’re not trying. But training won’t solve it alone, nor would tools, trophies, rants, testing, code review, or some edict from on high. The SDL is as much about changing the culture and influencing the behavior of individual engineers as it is anything else. </FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>I’m convinced that Microsoft’s SDL process works because it addresses the end-to-end problem - from training through servicing, and provides a complete environment where people feel ownership of their part of the security problem and have the resources to solve it. </FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>So the next time you find yourself sitting in some mandatory training, remember the lessons of the SDL (and most of the research on human performance management): training alone won’t cut it. If you want real behavior change, there have to be things outside the lecture room to influence people to change their behavior.</FONT></P>]]></content:encoded>
      <pubDate>Thu, 29 May 2008 11:22:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/real behavior change">real behavior change</category>
      <category domain="http://securityratty.com/tag/behavior">behavior</category>
      <category domain="http://securityratty.com/tag/sdl">sdl</category>
      <category domain="http://securityratty.com/tag/change peoples behavior">change peoples behavior</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security guy">security guy</category>
      <category domain="http://securityratty.com/tag/security defects">security defects</category>
      <category domain="http://securityratty.com/tag/defects">defects</category>
      <category domain="http://securityratty.com/tag/security class">security class</category>
      <source url="http://blogs.msdn.com/sdl/archive/2008/05/29/sdl-training.aspx">SDL Training</source>
    </item>
    <item>
      <title><![CDATA[Sandown Health Centre backup tape is missing]]></title>
      <link>http://securityratty.com/article/930fdb89c35f1b9172d20874c9f9d1a1</link>
      <guid>http://securityratty.com/article/930fdb89c35f1b9172d20874c9f9d1a1</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/19/08

Organization
NHS Trust

Contractor/Consultant/Branch
Isle of Wight NHS Primary Care Trust
Sandown Health Centre
City Link (the courier

Victims...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/sandown.jpg" align="right" height="29" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/19/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.nhs.uk/Pages/homepage.aspx">NHS Trust</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.iow.nhs.uk/asp/homepage/index.asp">Isle of Wight NHS Primary Care Trust</a> <br><a href="http://www.nhs.uk/ServiceDirectories/Pages/GP.aspx?pid=D77FB639-8C33-4021-9A2E-ABF2604323B8">Sandown Health Centre</a> <br>City Link (the courier)<br><br><span style="font-weight: bold;">Victims:</span><br>Patients<br><br><span style="font-weight: bold;">Number Affected:</span><br>38,650<br><br><span style="font-weight: bold;">Types of Data:</span><br>Medical records<br><br><span style="font-weight: bold;">Breach Description:</span><br>"The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.iow.nhs.uk/asp/news/index.asp?record=612&amp;articleID=346">Isle of Wight NHS Primary Care Trust News</a> <br><a href="http://ukpress.google.com/article/ALeqM5hLCDEeZ9Si_WA79rk9gW-sEXK0cw">The Press Association</a> <br><a href="http://news.bbc.co.uk/2/hi/uk_news/england/hampshire/7410119.stm">BBC News</a> <br><a href="http://www.ehiprimarycare.com/news/3780/records_of_38000_isle_of_wight_patients_lost">eHealth Insider</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Press Association<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went 
missing.<br><br>The tape was sent in March to a London-based specialist GP software company who are responsible for maintaining their clinical software.<br><br>They carry out checks on computer back-up tapes to make sure they could be used effectively to restore information to the practice computer system in the event of a system failure or other emergency such as a fire.<br><br>Unfortunately, the tape has not been received back at the Health Centre, having been despatched by the company through a courier service in March.<br><br>Sent on 11 March, it took two months before the tape’s disappearance was discovered by INPS and the PCT.<br><span style="font-style: italic;">[Evan] The amount of time that it took to notice that the tape was missing is cause for concern.</span><br><br>The tape was meant to be tracked at every stage by City Link to ensure it reached its destination - the courier firm admitted this had not happened and it is now investigating the loss.<br><br>A spokesperson said: "We are naturally very concerned by the loss of our customer’s consignment and a rigorous search for the parcel continues. 
We are doing everything in our power to resolve the matter and return the package as quickly as possible."<br><br>It is presumed that the tape has been lost, possibly permanently, although all possible efforts are being made to try and find it.<br><br>The tape contains medical records of 38,650 current and past patients of the Health Centre from July 1996 onwards.<br><br>It includes all current patients and large numbers of patients who registered on a temporary basis whilst visiting or working on the Island and patients who have since transferred to practices elsewhere.<br><br>It is standard practice for GPs to hold patient details for at least ten years after they are no longer registered with them.<br><span style="font-style: italic;">[Evan] Some of the information on the tape dates back 12 years, but that is still in accordance with "at least ten years".</span><br><br>the risk of the tape being misused is extremely small<br><br>The tape requires specialist computer equipment to run it and the data is password protected.<br><br>In addition, highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape.<br><span style="font-style: italic;">[Evan] According to the <a href="http://www.ehiprimarycare.com/news/3780/records_of_38000_isle_of_wight_patients_lost">eHealth Insider</a> story the tape was encrypted.&nbsp; Is the "specialist programme"?&nbsp; If this is the case, and presuming that good password management practices were followed, then I agree with the assessment that the risk of disclosure is probably small.</span><br><br>The PCT is working with the practice to contact as many patients as possible and is in the process of writing to those who are currently still registered with the practice.<br><br>a dedicated telephone helpline has been set up and can be contacted on 0845 602 6834 between 8am and 8pm from Monday to 
Friday<br><br>The Interim Chief Executive of the PCT, Margaret Pratt, said:&nbsp; "Although there is very little chance of anyone being able to do anything untoward with this tape, should they find it, it is potentially a very serious loss of confidential information.<br><br>"It is important that everyone concerned continues to do everything possible to try and locate the tape and that is happening.&nbsp; It is equally important that we provide reassurance to patients over the level of risk that their personal information could be misused and I am confident that risk is extremely small."<br><br>"I should stress that neither the Health Centre nor the NHS more widely on the Island are in any way responsible for this tape going missing.&nbsp; However, we will, of course, be reviewing the procedures used for data verification by practices to see if there are lessons to learn."<br><br>Dr Peter Randall, Senior Partner at the Sandown Health Centre, added:&nbsp; "We have another copy of the back-up tape and our main computer records system is not affected by this. So we still have access to all the information we need and patient care is not compromised in any way."<br><br>"My own view is also that the risk of any harm resulting is minimal.&nbsp; My own family are registered as patients at this practice which means their details are amongst those on the tape.&nbsp; I have no worries about the information falling into the wrong hands and being used improperly."<br><br>The incident comes five months after NHS chief executive David Nicholson wrote to all NHS trust chief executives telling them to review and tighten their information governance and data transfer arrangements.<br><span style="font-style: italic;">[Evan] Unfortunately, it took a number of breaches before Mr. 
Nicholson issued his directive.&nbsp; Better late than never.&nbsp; He should be commended in regards to the directive.&nbsp; My hope is that the NHS follows good information security governance practices and continually strives to improve their information security program(s).</span><br><br><span style="font-weight: bold;">Commentary:</span><br>There was no mention (unless I missed it) of encryption in the official Isle of Wight NHS news announcement.&nbsp; The encryption mention comes in the <a href="http://www.ehiprimarycare.com/news/3780/records_of_38000_isle_of_wight_patients_lost">eHealth Insider</a> report.&nbsp; It is also not clear what "medical records" entails exactly. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>NHS Trust:<br>March, 2008 - <a href="http://breachblog.com/2008/03/06/telford.aspx">Stolen NHS flash drive contained adolescent information</a> <br>February, 2008 - <a href="http://breachblog.com/2008/02/15/dudley.aspx">Laptop missing from Russells Hall Hospital (UK)</a> <br>January, 2008 - <a href="http://breachblog.com/2008/02/04/boltonfeb.aspx">Stolen Bolton Hospitals Laptop affects cancer patients </a><br>January, 2008 - <a href="http://breachblog.com/2008/01/22/sidcup.aspx">Queen Mary's Sidcup Hospital microfiche film goes missing </a><br>January, 2008 - <a href="http://breachblog.com/2008/01/21/stockport.aspx">Stockport Primary Care Trust flash drive goes missing </a><br>January, 2008 - <a href="http://breachblog.com/2008/01/11/oldham.aspx">Oldham Primary Care Trust NHS loses two data sticks </a><br>January, 2008 - <a href="http://breachblog.com/2008/01/10/kingstonnhs.aspx">Highly sensitive medical information found in the road </a><br>December, 2007 - <a href="http://breachblog.com/2007/12/19/bolton.aspx">Laptop stolen in Royal Bolton Hospital break-in </a><br>September, 2007 - <a href="http://breachblog.com/2007/09/16/nhs.aspx">Dudley Group of Hospitals NHS Patient Data For Sale on eBay </a></font><br><br>
]]></content:encoded>
      <pubDate>Tue, 27 May 2008 09:14:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tape">tape</category>
      <category domain="http://securityratty.com/tag/health centre">health centre</category>
      <category domain="http://securityratty.com/tag/sandown health centre">sandown health centre</category>
      <category domain="http://securityratty.com/tag/data verification">data verification</category>
      <category domain="http://securityratty.com/tag/data verification company">data verification company</category>
      <category domain="http://securityratty.com/tag/back-up tape">back-up tape</category>
      <category domain="http://securityratty.com/tag/computer tape">computer tape</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <source url="http://breachblog.com/2008/05/27/sandown.aspx">Sandown Health Centre backup tape is missing</source>
    </item>
    <item>
      <title><![CDATA[Planning a company social network? Don't forget privacy issues]]></title>
      <link>http://securityratty.com/article/8ab9c36f719e36d4f47a803be246e1a4</link>
      <guid>http://securityratty.com/article/8ab9c36f719e36d4f47a803be246e1a4</guid>
      <description><![CDATA[Jay Cline believes corporations need to undergo a rigorous privacy risk assessment before jumping onto the Web 2.0...]]></description>
      <content:encoded><![CDATA[Jay Cline believes corporations need to undergo a rigorous privacy risk assessment before jumping onto the Web 2.0 bandwagon.
]]></content:encoded>
      <pubDate>Thu, 10 Apr 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/jay cline">jay cline</category>
      <category domain="http://securityratty.com/tag/web">web</category>
      <category domain="http://securityratty.com/tag/undergo">undergo</category>
      <category domain="http://securityratty.com/tag/corporations">corporations</category>
      <category domain="http://securityratty.com/tag/bandwagon">bandwagon</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/267898470/article.do">Planning a company social network? Don't forget privacy issues</source>
    </item>
    <item>
      <title><![CDATA[Adding webwise.net into the CNI]]></title>
      <link>http://securityratty.com/article/734438b0e8cd30dd719fca4bc57e17bd</link>
      <guid>http://securityratty.com/article/734438b0e8cd30dd719fca4bc57e17bd</guid>
      <description><![CDATA[The way in which the Phorm system works (see yesterdays blog post ) creates an interesting, and possibly unexpected, risk for the ISPs that decide to go ahead and deploy the system
Quite clearly , web...]]></description>
      <content:encoded><![CDATA[<p>The way in which the Phorm system works (see <a href="http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/">yesterday&#8217;s blog post</a>) creates an interesting, and possibly unexpected, risk for the ISPs that decide to go ahead and deploy the system.</p>
<p><a href="http://www.cl.cam.ac.uk/~rnc1/080404phorm.pdf">Quite clearly</a>, web browsing from within these ISPs now depends on the correct functioning of the &#8220;Layer 7 switch&#8221; and Phorm&#8217;s &#8220;Anonymiser&#8221; machine. This should not be too much of a concern. Network engineers are used to designing out &#8220;<a href="http://craighuggart.typepad.com/tech_yourself_to_rest/2007/06/never-rely-on-a.html">single points of failure</a>&#8221;. Thus, for example, the <a href="http://www.theregister.co.uk/2008/02/29/phorm_documents/">BT schematics</a> obtained by The Register show parallel systems and cross-coupling of components, so that a single failure will not take out the system. Add in the fact that what are apparently single machines will almost certainly be clusters fronted by intelligent load-balancing devices, and the system is expensive, but extremely resilient.</p>
<p>However, there&#8217;s another rather less obvious issue that needs to be addressed.</p>
<p>The bouncing of all web requests back and forth with HTTP 307 redirections means that the system is critically dependent upon the correct resolving of the <a href="http://www.whois.ws/whois-net/ip-address/webwise.net/">webwise.net</a> domain. If, for whatever reason, the domain name system (DNS) didn&#8217;t return the correct answer when asked for the IP address of webwise.net, then everyone at that ISP would find that their browsing was seriously affected.</p>
<p>If the incorrect address came back as <a href="http://tools.ietf.org/rfc/rfc3330.txt">127.0.0.1</a> then the customers wouldn&#8217;t be able to reach any websites at all &#8212; if it came back as the IP address of a machine in downtown St Petersburg, then that site could redirect their web sessions at will &#8212; and there&#8217;s likely <a href="http://www.sptimes.ru/index.php?action_id=2&#038;story_id=23314">some criminals in that city</a> with some innovative ideas of what could happen next.</p>
<p>So the webwise.net domain has suddenly been promoted to become part of the <a href="http://www.cpni.gov.uk/">Critical National Infrastructure</a> (CNI).</p>
<p>The domain is currently hosted at <a href="http://www.godaddy.com/">GoDaddy</a>, an American registrar. Last summer the rock-phish gang spent a week running phishing attacks not just against banks, as they usually do, but <a href="http://www.castlecops.com/Citizens_Bank_GoDaddy_Rock_Phish_Royal_Bank_of_Scotland_phish522534.html">also against GoDaddy</a>. The immediate reaction was that the criminals wanted to use captured credentials to purchase domain names for free &#8212; but wiser heads pointed out that with the login details for a GoDaddy account you were in <a href="http://blog.internetidentity.com/blog/_archives/2007/8/3/3142735.html">full control of any domain names that had already been bought</a>: the security of the websites of thousands of major companies (and a great many banks) was resting on the security of eight-character registrar login passwords.</p>
<p>However, firms that have considered the risk don&#8217;t buy $10 domain names, but spend rather more, and their registrar will insist on rigorous security checks before altering any details. We must obviously assume that webwise.net is not at risk from registrar phishing in this simplistic way.</p>
<p>The more likely way of subverting what webwise.net resolves to is called &#8220;DNS cache poisoning&#8221;. There are several ways of doing this (this <a href="http://en.wikipedia.org/wiki/DNS_cache_poisoning">Wikipedia article</a> provides a helpful summary), most of which shouldn&#8217;t work if the ISP has configured their DNS server correctly.</p>
<p>However, fundamental weaknesses in the DNS protocol (which relies on matching 16-bit values to establish authenticity) mean that DNS forgery attacks can only be made harder, not prevented altogether. Making it harder may currently be sufficient to push phishing attackers towards simpler methods &#8212; but if the prize is the disruption of web browsing for millions of people&#8230;?</p>
<p>There are things that the ISPs can do to improve security &#8212; such as each of them making themselves authoritative for webwise.net, which should address the DNS forgery issue. Let&#8217;s hope that they haven&#8217;t overlooked this.</p>
<p>[[with acknowledgments to Matt Johnson and others involved in understanding this particular design risk]]</p>
]]></content:encoded>
      <pubDate>Sat, 05 Apr 2008 10:13:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/domain names">domain names</category>
      <category domain="http://securityratty.com/tag/purchase domain names">purchase domain names</category>
      <category domain="http://securityratty.com/tag/net">net</category>
      <category domain="http://securityratty.com/tag/dns">dns</category>
      <category domain="http://securityratty.com/tag/dns forgery issue">dns forgery issue</category>
      <category domain="http://securityratty.com/tag/domain">domain</category>
      <category domain="http://securityratty.com/tag/dns forgery attacks">dns forgery attacks</category>
      <category domain="http://securityratty.com/tag/webwise">webwise</category>
      <category domain="http://securityratty.com/tag/net domain">net domain</category>
      <source url="http://www.lightbluetouchpaper.org/2008/04/05/adding-webwisenet-into-the-cni/">Adding webwise.net into the CNI</source>
    </item>
  </channel>
</rss>
