Tag Archives: Electronic commerce

DigiNotar Breach Notes

Some folk have asked me for more details about the DigiNotar breach after my brief appearance on Al Jazeera this morning. So here are the notes I prepared for the segment. Links at the bottom.

Background

Web security certificates are digital IDs issued by companies entrusted with making sure they are given to the right company or organisation. They allow a user to set up a secure connection between their computer and the organisation’s website. Browsers show a little lock or some other icon to signify that the certificate has been found and is trusted.

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe called certificate authorities that issue these authentication certificates. Browsers contain a list of which CAs they can trust.

These hackers would have been able to steal existing certificates or generate their own, meaning they could now, with the help of an Internet Service Provider, launch what are called Man in the Middle Attacks–meaning they could intercept traffic, a bit like tapping a telephone.
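To make the trust-list point concrete, here is an added Go example (not code from the original post or from any of the parties involved). It builds a constructed CA with a placeholder name, has it issue a leaf certificate for a made-up hostname, and then checks that certificate against two browser trust lists: one that still contains the CA and one from which the CA has been removed, which is what the browser updates did to DigiNotar’s root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs a certificate for template with the given parent. When parent
// is nil the certificate is self-signed, i.e. it is a root CA.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain creates a constructed CA ("Example Compromised CA" is a
// placeholder, not DigiNotar's real root) and a leaf it issued for host.
func BuildChain(host string) (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Compromised CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = newCert(leafTmpl, ca, caKey)
	return ca, leaf, err
}

// Trusted reports whether a browser whose trust list is roots would accept
// leaf as proof that it is talking to host. An empty roots list models a
// browser that has dropped the compromised CA.
func Trusted(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	// mail.example.com is a constructed hostname for the demonstration.
	ca, leaf, err := BuildChain("mail.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("CA still trusted:", Trusted(leaf, []*x509.Certificate{ca}, "mail.example.com"))
	fmt.Println("CA removed:     ", Trusted(leaf, nil, "mail.example.com"))
	fmt.Println("wrong hostname: ", Trusted(leaf, []*x509.Certificate{ca}, "other.example.com"))
}
```

The third check shows why the dozen certificates for big-name domains mattered: a certificate only passes if the CA is trusted and the name matches the site the user typed.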

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531) fake certificates had been issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen issued for domains like Google, Facebook and Skype.

Why do we think this was about Iran?

Studies of the validation requests–browsers pinging DigiNotar to confirm the certificate’s authenticity–showed that during August the bulk–maybe 99%–of the traffic was coming from Iran. When the certificates were eventually revoked, Iranian activity dropped.

Moreover the attackers left some quite obvious clues. They left calling cards: transcribed Farsi which translates into slogans such as “I will sacrifice my life for my leader” and “unknown soldier”.

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection. This means that the government is basically snooping on web traffic. But when that traffic passes through these secure connections, it’s much harder. So the holy grail of any internet surveillance is to get hold of those certificates, or work around them. This is a brazen attempt to do this.

All Internet traffic in Iran has to go through a government proxy, making this kind of attack much simpler. The government ISP just uses the certificate to pretend to be Google, or whatever, and then passes the traffic on.

Is it the government?

This is harder to confirm. The Dutch government is investigating this. A similar attack took place against an Italian CA in March, and it shows similar fingerprints.

But the fact that the certificates were stolen and then used seems to suggest some official connection.

What could they have discovered?

Quite a lot. All the traffic that was intercepted could be deciphered, meaning all browsing and emails. But it also may have captured cookies, and with them passwords, which would have made it easy to hack into target accounts and sniff around old emails, dig out other passwords, or hack into associated accounts, such as Google Docs.

Moreover, some of the certificates compromised something called The Onion Router, a service which anonymizes web traffic. Though TOR itself wasn’t compromised, the certificates could convince your browser you were talking to TOR, whereas in fact you’d be talking to the attacker.

Should other people be worried?

Yes. Some browser developers have been more forthcoming than others; Google Chrome and Firefox have been quick to respond. Others less so. If you’re in Iran or think you may be targeted, it’s a good idea to change your password, and to check that no one has altered your forwarding details in your email account. You should also upgrade your browser to the latest version, whatever browser you use.

DigiNotar made some horrible mistakes: one Windows domain for all certificate servers, no antivirus, a simple administrator password. There were defaced pages on the website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

News:

BBC News – Fake DigiNotar web certificate risk to Iranians

DigiNotar – Wikipedia, the free encyclopedia

Fake DigiNotar certificates targeting Iranians?

Expert reports/analysis:

DigiNotar Hacked by Black.Spook and Iranian Hackers – F-Secure Weblog : News from the Lab

Operation Black Tulip: Fox-IT’s report on the DigiNotar breach | Naked Security (Sophos)

Fox-IT report, operation Black Tulip (PDF)

VASCO:

Acquisition DigiNotar

VASCO DigiNotar Statement

Comodogate:

Comodo Group – Wikipedia, the free encyclopedia

My War On ATM Spam and Other Annoyances

By Jeremy Wagstaff

(This is a copy of my weekly syndicated column)

You really don’t need to thank me, but I think you should know that for the past 10 years I’ve been fighting a lonely battle on your behalf. I’ve been taking on mighty corporations to rid the world of spam.

Not the spam you’re familiar with. Email spam is still around, it’s just not in your inbox, for the most part. Filters do a great job of keeping it out.

I’m talking about more serious things, like eye spam, cabin spam, hand spam, counter spam and now, my most recent campaign, ATM spam.

Now there’s a possibility you might not have heard of these terms. Mainly because I made most of them up. But you’ll surely have experienced their nefarious effects.

Eye spam is when something is put in front of your face and you can’t escape from it. Like ads for other movies on DVDs or in cinemas that you can’t skip. Cabin spam is when flight attendants wake you from your post-prandial or takeoff slumber to remind you that you’re flying their airline, they hope you have a pleasant flight and there’s lots of duty free rubbish you wouldn’t otherwise consider buying wending its way down the aisle right now.

Then there’s hand-spam: handouts on sidewalks that you have to swerve into oncoming pedestrian traffic to avoid. Counter spam is when you buy something and the assistant tries to sell you something else as well. “Would you like a limited edition pickled Easter Bunny with radioactive ears with that?”

My rearguard action against this is to say “if it’s free. If it’s not, then you have given me pause for thought. Is my purchase really necessary, if you feel it necessary to offer me more? Is it a good deal for me? No, I think I’ll cancel the whole transaction, so you and your bosses may consider the time you’re costing me by trying to offload stuff on me I didn’t expressly ask for.” And then I walk out of the shop, shoeless, shirtless, or hungry, depending on what I was trying to buy, but with that warm feeling that comes from feeling that I stuck it to the man. Or one of his minions, anyway.

And now, ATM spam. In recent months I’ve noticed my bank will fire a message at me when I’m conducting my automated cash machine business offering some sort of credit card, or car, or complex derivative, I’m not sure what. I’ve noticed that this happens after I’ve ordered my cash, but that the cash won’t start churning inside the machine until I’ve responded to this spam message.

Only when I hit the “no” button does the machine start doing its thing. This drives me nuts because once I’ve entered the details of my ATM transaction I am usually reaching for my wallet ready to catch the notes before they fly around the vestibule or that suspicious looking granny at the next machine makes a grab for them. So to look back at the machine and see this dumb spam message sitting there and no cash irks me no end.

My short-term solution to this is to look deep into the CCTV lens and utter obscenities, but I have of late realized this may not improve my creditworthiness. Neither has it stopped the spam messages.

So I took it to the next person up the chain, a bank staff member standing nearby called Keith. “Not only is this deeply irritating,” I told him, “but it’s a security risk.” He nodded sagely. I suspect my reputation may have preceded me. I won a small victory against this particular bank a few years back when I confided in them that the message that appeared on the screen after customers log out of their Internet banking service—“You’ve logged out but you haven’t logged off”, accompanied by a picture of some palm trees and an ad for some holiday service—may confuse and alarm users rather than help them. Eventually the bank agreed to pull the ad.

So I was hoping a discreet word with Keith would do the trick. Is there no way, I said, for users to opt out of these messages? And I told him about my security fears, pointing discreetly to the elderly lady who was now wielding her Zimmer frame menacingly at the door. Keith, whose title, it turns out, is First Impression Officer, said he’d look into it.

So I’m hopeful I will have won another small battle on behalf of us consumers. Yes I know I may sound somewhat eccentric, but that’s what they want us to think. My rule of thumb is this: If you want to take up my time trying to sell me something because you know I can’t escape, then you should pay for it—the product or my time, take your pick.

Now, while I’ve got your attention, can I interest you in some of those Easter bunny things? They’re actually very good.

Podcast: HP, Palm, Spam and Social Media Cold Turkey

This podcast is from my weekly slot on Radio Australia Today with Phil Kafcaloudes and Adelaine Ng, wherein we discuss HP buying Palm, students going cold turkey on social media, and China no longer being the spam capital of the world.

To listen to the podcast, click on the button below. To subscribe, click here.

Loose Wireless 100430

I appear on Radio Australia Today every Friday at about 9.15 am Singapore time (that’s 0.15 GMT/UTC.) There’s a live stream of the broadcast here, or find out your local frequencies here.

Beware the SMS Premium Number Scam

An Indian phone company is warning users against a variation on the premium rate phone scam, whereby users are contacted by email or mail and asked to call a number to confirm winning a prize. The number is a premium number—either local or international—and the user has to sit through several expensive minutes of canned music before finding they haven’t won anything.

The Indian variation is that victims are sent an SMS containing the phone number they should call. They’re then charged Rs500 ($10) a minute as they navigate their way through an automated phone tree.

Control Enter » Blog Archive » Beware of false lottery winning claims via SMS

SMS, Toilets, Bike Theft and Cars


I remember an instructive conversation with a guy who developed services for the mobile phone. I was suggesting some fancy service or other that involved a small app sitting on the phone. He said it wouldn’t fly with users. “No downloads, no registration, keep it simple,” he said. “Or it won’t stick.”

Maybe that’s why SMS is so powerful and why, still, it’s the method of choice for services on the cellphone. Emily over at textually.org has found some more, illustrating how SMS is not just about simplicity, but flexibility.

Tackling a more urgent problem there is SMS toiletting, where text messages help you relieve yourself. In London, Shanghai, and, via MizPee, anywhere in the U.S., those caught short can SMS for the address of the nearest loo. To guarantee you have a pleasant experience, some toilets in Finland are locked. Of course, then you can open the door of a locked loo by SMS.

Then there’s what I’d call, for want of a better term, conditional SMS: You’ll only get your SMS depending on certain factors:

  • An SMS service that delivers text messages based on the recipient’s location. JotYou lets you specify a location so your friends get your message only when they arrive at school or the mall. Yeah, I can’t quite figure out the use for this yet either, but I’m sure there are some.
  • Or a service, yet to be launched, that will ensure the sender knows when his message has been read. More on this anon.

When you marry the SMS with other tools, you can dream up some great services. Like this one from the UK:

  • A system that combines a motion detector and SMS is being used to deter and catch bicycle thieves in Portsmouth, England (picture above). When the bicycle owner locks up their bicycle they send a text to a security office to trigger the system to guard it. Then if someone moves, or tries to move, the bicycle, a sensor in the lock emits a silent alarm which triggers a CCTV camera to zoom in and take a picture. Result: bike theft down by 90%.

Bottom line. SMS still has a lot of leg left to it. Why? Because it’s simple. Because every phone can do it. Because it’s cheap. Because it’s tied to the most versatile device we’ve yet come up with: The mobile phone.

Your Phone as Stalker

Phone spam feels like it’s getting worse.

My wife and I have been receiving numerous calls from the local arm of ANZ Bank — a bank I am happy to identify by name because I’ve sought comment from them without reply for nearly a week now. Our mobile phone numbers were probably sold by another bank or possibly by the cellphone company.

Nokia researcher Jan Chipchase starts picking up SMS and phone spam on Hutch in India within a day of activating his SIM card, and finds that the company is three times as slow at removing his number from their spam lists:

Locals in the know send a text message to opt out, a process that, according to Hutch’s automated response, takes at least three days to activate: “We respect your privacy. Please give us 72 hours to include your number on our Do Not Disturb list. Thank you” and an unspecified amount of time for this to filter through to the companies that already have you on their disturb list.

I’m quite aggressive at fighting SMS and phone spam, but not always successful. One nightclub spammed me regularly until I got upset. Now they don’t. (Embarrassingly, it turned out to be owned by a friend of mine.) Now a lot of people here don’t answer their phone unless they recognize the number on the display.

Still, nothing is quite as bad as this case of cellphone stalking in the U.S., where one family claim to feel harassed to the point of paralysis through their cellphone. A good clear-eyed view of the mess here.

Protect Your Privacy With Twiglets


I really hate being asked for lots of private details just to download a product. In short: People shouldn’t have to register to try something out. An email address, yes, if absolutely necessary.

But better not: just let the person decide whether they like it. It’s the online equivalent of a salesperson shadowing you around the shop so closely that if you stop or turn around quickly they bump into you. (One assistant in Marks & Spencer the other day tailed me so closely I could smell his breath, which wasn’t pleasant, and then had the gall to signal to the cashier it was his commission when I did, without his help, choose something to buy.) I nearly put some Marks & Spencer Twiglets up his nose but that branch doesn’t sell them.

Anyway, the latest offender in this regard is Laplink, who ask for way too much personal information just to download trial versions of their products, including email address, full name, address, post code, company name. Then they do that annoying thing at the end of trying to trick you into letting them send you spam with the old Three Tick Boxes Only One of Which You Should Tick if You Don’t Want To End In Every Spammers List From Here To Kudus Trick:

[screenshot of the Laplink tick boxes]

Rule of thumb there is to tick the third one in the row because it’s always the opposite of the other ones. As if we’re that stupid.

The other rule of thumb is never to put anything accurate in the fields they do require you to fill out. Not even your gender. Childish? Yes, maybe, but not half as childish as their not trusting you enough to decide whether you like the product on your own terms and not fill their spamming lists.

Of course the better rule of thumb is not to have anything to do with companies that employ such intrusiveness and trickery, but we’d never do anything then.


Sponsoring Theft

Are companies like eBay knowingly peddling stolen goods? Surely not, but I wonder about their advertising strategy.

I get confused about how sponsored results work. You know, those textual ads that appear alongside search results or on a webpage. I mean, I thought I knew how they worked: someone buys a word and when that word appears they get their ad next to it. But when I look for “laptop stolen” on Yahoo! Answers, I get this:

So what keyword are eBay, DealTime and Shopping.com sponsoring here? Or do they really have good stolen laptops for sale? And if so, why wasn’t I told? Or these poor folks, whose tales of woe appear right next to these ads:

Interestingly, trying the same search but for “laptop vomit” throws up no sponsored ads at all. So “stolen” must be a sponsored word? (It does throw up, so to speak, cases of people feeling unwell over their keyboard. I guess that’s the Yahoo! Answers type of crowd.)


Measured vs Spewed: The New Reviewers

(A podcast of this can be downloaded here.)

The walls of elite reviewers come tumbling down, and it’s not pretty. But is it what we want?

I belatedly stumbled upon this piece in The Observer by Rachel Cooke on a new spat between editors, reviewers and blogger reviewers, and not much of it is new. There’s the usual stuff about how bloggers are anonymous (or at least pseudonymous) and the usual tale of how one writer got her spouse to write an anonymous positive review on Amazon (why hasn’t mine done one yet!) to balance against all the negative stuff.

As Tony Hung points out, the piece gets rather elitist by the end, although I have to like her description of Nick Hornby, a great writer and careful reviewer: “[H]is words are measured, rather than spewed, out; because he is a good critic, and an experienced one; and because he can write.” Measured vs spewed is a good way of putting it. It’s also a good way of thinking about the two very different beasts we’re talking about here.

There are two different kinds of reviews, serving two different purposes. The point here is that there are two different kinds of purposes here. If Nick Hornby likes a book, I may well buy it because I like Nick Hornby’s work. Of course, I’ll also enjoy his review as a piece of writing in its own right; chances are he’s put a huge amount of effort into it. It’s all about who writes the review. (And we need to always keep in the back of our mind the tendency, noted down the years in Private Eye, that reviewers in big name newspapers often seem to end up reviewing books by people they know, often rather well. It’s a small world, the literary one.)

If I’m reading about a book on Amazon I’m less picky about who and more about how many, and what. If 233 out of 300 people like a book on Amazon I am going to be more impressed than if 233 out of 300 people hated it. I’ll scan the reviews to see whether there are any common themes among the readers’ bouquets or brickbats. Take Bill Bryson’s latest, for example: Most reviewers loved it, and quite a few fell out of their chair reading it. Take Graeme Hunter, who writes: “Bill has managed yet another work of ‘laugh-out-loud’ ramblings, but this is his first to make me cry at the end.” That tells me that regular readers of Bryson are probably going to like it. But not everyone. One reviewer, J. Lancaster, wrote that while he was a big fan, he found the book “slow and ponderous and lacks the wit, insight and observation of, well, all his other books.” That tells me something too: Don’t expect to be dazzled all the way through.

Now note that these reviewers have attached their real names. They’re not anonymous, pseudonymous or fabrications of someone’s imagination or close family. Their writings may not be that literary, but that’s not what I’m looking for in an Amazon review. With Amazon, I’m looking to mine the wisdom of the crowd — the aggregate opinion of a group of people all with the same interest as myself in mind: not wasting our money on a dud book.

Compare what they write to the two snippets of blurb from big name publications on the same Amazon page:

New York Times
‘Outlandishly and improbably entertaining…inevitably [I] would
be reduced to body-racking, tear-inducing, de-couching laughter.’

Literary Review
‘Always witty and sometimes hilarious…wonderfully funny and
touching.’

Useful, but not much more useful than the Amazon reviews.

The bottom line is that reading a review on Amazon is like polling a cross section of other people who’ve read the same book. It’s like being able to walk around a bookshop tapping strangers on the shoulder and asking what they think of the book you have in your hand. Their responses are likely to be as spewed as an Amazon or blog review. But it doesn’t lessen their value. If all you want to know is whether the book is worth reading, you may be better served than some ‘measured’, self-conscious professional review.

This is the difference that the Internet brings us. It’s not either/or, it’s about consumers having more information about what they’re buying, and having a chance to give feedback on what they have bought. That all this is a little unnerving to those writers used to being far removed from the book-buying mob, and the pally/bitchy relationship they have with reviewers should come as no surprise. My advice: get used to it.

PS I spewed this piece out in 27 minutes. (You can tell – Ed)