Bluesnarfing From Across Town?

Some guys in California, Mike Outmesguine, John Hering and James Burgess, have managed to connect to an ordinary Bluetooth cellphone from 1 kilometer away, using off-the-shelf stuff, including a high-gain antenna connected to a Class 1 Bluetooth adapter kit. Their conclusion: “A typical unmodified cell phone can be reached at a distance of one kilometer by using slightly modified equipment on only one side of the link. Imagine the possibilities with modifications on both ends of the link!”

Some folk on Slashdot agree. Someone called Carbolic (who may or may not be related to the actual testers), points out the implication: “now it’s easy to Bluesnarf without even being near the target phone”. (Bluesnarfing is the trick whereby someone else can grab the contents of someone else’s phone — even make calls with it — using Bluetooth. Some more posts on that here.) I’m no techie, but it does seem to undermine those arguments that we keep hearing that somehow Bluetooth will never be a security issue because it only works within a few metres.

Blogging Bloggers Just Want To Blog Blogs

A fair summary of blogs?

Peter Hartlaub, Pop Culture Critic at The San Francisco Chronicle, writes today of the blogging phenomenon at the Democratic convention and, surprisingly, concludes that “for several moments in four days of sleepless and often stream-of-consciousness coverage, the collection of mostly young writers ably explained their existence — while raising questions about the established media’s ability to stay in touch with readers, viewers and listeners”.

Quite positive, but I’m not crazy about the other things he says. He seems to think the only valuable blogs are political: “Every Web log hosted by a good writer who can type an interesting account of their day (such as Wilwheaton.net) is matched by 100 that constantly hit up readers for money, link any article that predicts a bright future for Web logs and name-drop other sites that do the same thing. Yes, most bloggers blog about blogs. But the political bloggers, as a breed, are a more focused group.”

Hmmm. Are the rest of us interested only in perpetuating our species? I doubt it somehow. It’s the typical perspective of mainstream media, I suspect (of which I’m still a member, I guess). Turn it around: Judging blogging by the most inane, self-absorbed blogs you come across is a bit like judging the mainstream media from a selective reading of family newsletters, parish fliers, smalltown rags and Fox. Blogging covers every conceivable topic, and unlike academia and localized publications, breaks out of any geographical or generic boundary. Political bloggers may be more focused, but where’s the serendipity in that? OK, so not all bloggers are Renaissance figures but I can think of quite a few who are. Blogging breaks more molds than we give it credit for.

OK, I’m waxing again. I’ll stop.

Closing The Door After The Phish Has Bolted

MasterCard, one of several banks discovered to have flaws on their websites that would have allowed a phisher to capture passwords, says it has fixed the problem.

American Banker Online reported (subscription required) last week that MasterCard International “has confirmed finding and fixing a flaw on its web site’s ‘Find A Card’ tool that could have facilitated a phishing scam”. The flaw had been discovered by British programmer Sam Greenhalgh and published on his web site on June 28. Greenhalgh lists in a sidebar those web sites that have been fixed or the flawed code removed. It’s not yet over: He says that PayPal and several sub-domains of Microsoft.com “remain susceptible”.

Besides the failure of some web sites to tackle the problem, a few other things worry me. 

  • Why did it take MasterCard three weeks to remove the flawed code? American Banker reports that the tool was removed on July 20. As Greenhalgh writes, it’s probably a case of closing the door after the horse has bolted. (American Banker quotes MasterCard as saying that “It does not believe that any scams were attempted”.)
  • Why is no mention made of the flaw or the fix in MasterCard’s own ‘newsroom’? There are two releases trumpeting MasterCard’s own ‘fight on phishers’ but nothing of its own vulnerabilities.
  • How many more vulnerabilities are out there? Did Greenhalgh’s discovery trigger a serious audit of all code on such websites, or did they just plug the holes he had found?

Anyway, plaudits should be offered to Greenhalgh (so far I’ve not seen any from the banking fraternity, but I could be wrong) for his work and others encouraged to hunt for more leaks. Such folk are not troublemakers looking for nits to pick. They perform a very useful service. Phishing has shown that all this is no longer just theory, if it ever was. Every one of these vulnerabilities will be found and exploited if the good guys don’t get there first.

Phear Of Phishing Doesn’t Just Hit The Bankers

Beware The Fear. The blizzard of coverage about phishing (usually involving some awful pun) has done a lot to raise awareness about the problem, but is it enough?

A survey by Insight Express for Symantec of 300 people (no URL available yet, sorry) shows that while three quarters of folk are aware of spyware, only a quarter of them have heard of phishing. This cloud of ignorance creates confusion and fear: 44.2 percent of respondents thought they had visited a fraudulent Web site but were not sure. 19.3 percent said they had definitely visited a fraudulent Web site. A little over half are somewhat concerned about online fraud, while 42 percent are ‘very concerned’. In other words, nearly everyone is worried.

This fear is already having an impact. Three quarters of folk will now only purchase products through secure sites. That’s encouraging — and not bad for business — but the following figures are bad for business: nearly half will not now provide confidential data over the Internet, while nearly a third won’t use the Internet for online banking. About 15% said they don’t trust the Internet.

This fear and distrust is not going to go away. More than half of respondents felt they knew how to protect themselves from online fraud and/or online identity theft, while a bit under half didn’t think they knew how to protect themselves. Taken with my own unscientific dabbling and MailFrontier’s recent survey which found that 28% of American adults “inaccurately identify phishing emails”, I’d say we have a problem. Or in fact several.

First off, many of those people who think they know how to protect themselves are easy prey. They are going to continue to be duped as phishing attacks grow more sophisticated. That’s going to keep the problem going, in part because of weak or misleading ‘solutions’ such as browser tools and software that supposedly ‘identifies’ fraudulent emails or links. These tools only raise people’s comfort levels and lower their guard.

The broader problem is this: As the number of victims rises, the number of people not giving confidential data over the Internet, not using Internet banking, and ‘not trusting the Internet’, is going to rise. This is already hurting retailers who have found major cost savings by shifting business over to the Internet. A piece yesterday by The Register’s John Leyden quotes a recent survey by LogicaCMG as saying that one in five British users would “hesitate about booking trips online because of mistrust of the ability of travel companies to keep their financial and personal details secure”. Given it costs a travel agent 40 times more to take a booking by phone than online, this is hitting their bottom line hard. This will only get worse as more victims succumb, and phishing attacks are no longer one of the bad things that happen to other people.

Then there’s the banks. It’s been suggested to me that banks don’t really care about whether people use Internet banking, since if people start going back to their branches to do their business banks will make their money anyway. But, while appealing, that conspiracy theory fails to take into account the link between online commerce and online banking. If people don’t trust the Internet to do banking, it’s very unlikely they’ll buy something online. That will hit credit card business hard, a mainstay of retail banks. Like it or not, the fate of banks is inextricably tied to the fate of online retailing. So banks don’t have much choice.

Bottom line: The future of online commerce is not just about whether it’s viable for retailers to do some of their business online. For many retailers it is their business, or at least it’s the difference between being profitable or not. Phishing is not just an attack on banking and financial sites. It’s an attack on the future of online commerce, which, believe it or not, is still vulnerable because it relies on trust. And trust is not just about reassuring customers, or launching vague ‘education campaigns’ to give people a vague idea about whether they’re safe, and what to do to make themselves safer. It’s about making transactions secure, policing website registries for fraudulent domains, working together for a better way to communicate between retailer/bank and customer. All of these things, a year after phishing took off, haven’t been done. Hence The Fear.

This week’s column – OneNote Wonder

This week’s Loose Wire column is about the new release of OneNote:

THE FOLK AT MICROSOFT aren’t renowned for innovation, but it’s time we took our hats off to them for OneNote. OneNote (www.microsoft.com/onenote) is a note-taking and organizing program that came out last year, and is about to be revamped with a new release due soon. OneNote is a step up for Microsoft in several ways and we, who tend to be somewhat rude about the Redmond crowd, should be big enough to acknowledge it. 

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required; usually doesn’t appear until Monday. Sorry). Old columns at feer.com here.

(Since the column went to press Microsoft has announced they’re halving the price.)

RFIDs And Shoplifters

Could RFID tags be used by shoplifters?

Robert Lemos of CNET’s News.com writes from Las Vegas that a German technology consultant believes the Radio Frequency Identification tags “could be abused by hackers and tech-savvy shoplifters”. He quotes Lukas Grunwald, a senior consultant with DN-Systems Enterprise Internet Solutions GmbH, as telling a discussion at the Black Hat Security Briefings that thieves could fool merchants by changing the identity of goods. In time-honored fashion, Grunwald had the tools to prove it, unveiling during the session “a new software tool that he helped create that can be used to read and reprogram radio tags”.

The basic idea, it seems, is that such software — called RFDump, or sometimes RF-Dump — could be used on a PDA or laptop to mark expensive goods as cheaper items, allow underage folk to bypass age restrictions on alcoholic drinks and adult movies or create confusion in shops by randomly swapping tags.

How much of a threat is this to RFID? On first flush it sounds major. But I suspect that if it is going to be an issue it’s going to be more closely related to security than shoplifting. How many doors are already being opened by RFID? How many security passes are RFID? Luggage tags in airports? Of course these are probably encrypted but could these be reprogrammed?

OneNote’s Price Drop

I’m a fan of Microsoft’s OneNote, but a critical one, and one of my gripes has been the price. Now that’s all changed, according to Microsoft’s Asian PR:

Effective August, Microsoft has announced a price adjustment world wide for OneNote 2003 from US$199 to $99. The price adjustment will begin rolling out today with various retailers offering the new price at different points throughout the month. Volume license customers will also see a discount based on their licensing agreement with Microsoft. Academic pricing thru college bookstores ($49 ERP) and volume license programs will remain the same.

Microsoft is committed to providing the best software for the price. In response to positive customer feedback to the product being offered at $99 in Japan and $99 after $100 mail-in rebate in North America, Microsoft wanted to extend customers worldwide with the opportunity to take advantage of the lower price point.

Too late for my column on OneNote, but good news nonetheless. I felt $200 was just a bit too much for what was effectively a note-taking application.

What Are Plogs, And Should We Care?

What is a plog? Seems the term is currently being claimed by at least five groups:

It could get nasty agreeing on what a plog is. And I notice that Amazon are trademarking the term, so they’re not going to be too happy with other people stealing their name, even if they might not have been the first one there. I personally think they should win, since ‘plog’ sounds very similar to ‘plug’ which is clearly what Amazon is trying to do with their products.

Heinz Meanz Blogz

Here’s how not to use the blog as a promotional tool:

New Media Age reports that Heinz is launching its first ad campaign for baked beans in ten years this week. The campaign, aiming to “reinvigorate the brand with a newer, healthier image” revolves around an “energy-packed ‘Superbean’ character who will have his own blog on a specially created microsite”, heinzbeanz.com. Apart from promoting the, er, nutritional value of baked beans, Heinz is also, gasp, “swapping the plural ‘s’ in the Heinz Baked Beans brand for a ‘z’, integrating the famous ‘Beanz Meanz Heinz’ slogan into its first can redesign in Heinz’s 135-year history.” So now you know.

Sadly, though, the blog itself is a travesty of the genre. It’s viewable only in pop-up mode, which I suspect will not work with many browsers. There’s some Flash in there (a bean bouncing around a can), and frames to make the material itself virtually unreadable. The blog entries all carry the same date (today) as far as I can see, and are along these lines:

OK, listen, there’s something I’ve gotta share. I’m worried about your salt intake. Hey, the government’s worried about your salt intake, you’re worried about your salt intake! So what do we do? We cut back on the salt baby. I mean, we ain’t gonna tamper with the taste, don’t get me wrong. But since 2001 I’ve reduced my salt content by 30%.

Oh gawd. Isn’t there some law against this kind of thing being a blog? Or is the whole blogging thing going to be usurped by overpaid ad execs who think this is how to ride the blogging wave?

Exploring The Phaeton Site Map

I’m sure this isn’t new, but I just saw it and thought it was worth noting: The VW Phaeton’s UK site has an interesting 3D Flash sitemap where the pages are viewed in slices, with different coloured dots representing different kinds of content (in this case factory or car):

Phaeton

Clicking on a particular page will highlight it; moving the mouse over a blob will bring up a particular item which you can then access by double clicking on it.

Strictly speaking this layout is too fancy, and the content too specific, for general use, but it’s intuitive enough to be a great way to show navigational information in three dimensional form. It might be a nice way to navigate back through old blog material, for example, with different colours for different categories?

Or does this go against the idea of trying to improve content and reduce complexity in design and layout?