A Lesson From the Underground

Security is as much about giving people information as it is about building security systems. That’s the message from the managing director of the London Underground, Tim O’Toole, but it could as easily apply to personal computer security. Don Phillips’ piece in today’s International Herald Tribune could offer useful lessons to software developers and anyone trying to keep trojans, viruses and spyware at bay:

Tim O’Toole, the managing director of the London Underground, who said a terrorist attack last summer was the greatest Underground crisis since the Nazi blitz of World War II, was telling U.S. transit and rail officials they should avoid the temptation to spend lavishly on new security systems just to reassure the riding public.

Instead, he said, spend first on human resources, including constant training and a system to lavish fresh information continually on every employee in the system during a crisis, even if there is a chance some information could fall into the wrong hands.

O’Toole’s message may not have gone down very well since, “outside the hall where he spoke were many exhibits of expensive new equipment to battle terrorism on transit and rail systems.” One could imagine the same thing happening at a computer security conference. But here, I think, a difference emerges. What I think firewall and antivirus vendors need to think about is this: giving timely, useful and intelligible information to users so they can make good decisions. It’s not about locking everything out, because that’s clearly impossible.

Neither is it about ‘educating the user’. Vendors usually complain that they try to do this but fail, so go the other way — software that does everything silently, behind the scenes, and automatically, with an interface that gives only the barest information or choice to the user. Neither option — education or invisibility — works. Instead, the secret is like the Underground lesson: let people know what’s happening in the context of the situation and threat.

Back to Don’s piece:

O’Toole said the greatest mistake the London Underground had made after the bomb attacks of July 7 was its “poor performance” in keeping employees fully informed of everything that was happening even if that information is sensitive and could not be released to the public right away. In an information vacuum, employees may grow suspicious of authorities just at the time they need to be full members of a crisis team, he said. Management did a “poor job” of information flow during last summer’s attacks, he said. In the future, “We will be pumping everything we know out internally. Some of it may get out, but that’s O.K.”

There’s a clear parallel, in my mind, to Internet threats. Don’t hide knowledge about newly discovered vulnerabilities — newly found holes in existing software that might let bad guys in, if they knew about it — until a fix is found. It’s clear that attacks happen too quickly for antivirus vendors and software developers to be able to cover all contingencies, so better to inform customers and let them assess the risk. The trick is, how to do this?

I would suggest the following guidelines:

  • Most people now have firewalls installed on their desktop computers. These programs — or anti-virus programs, or antispyware programs, or combinations thereof — could become a sort of signalling service giving timely information to the user. For example, the current Kama Sutra worm, Nyxem.E or Grew.A, could be flagged with a small pop-up message informing the user of the danger and offering suggestions.
  • Make the information relevant to the situation. How do I know whether the new updates to my firewall keep me safe from the WinAmp bug identified by Secunia? If something big is happening, letting people know quickly might be more worthwhile than feverishly working on an update which doesn’t reach the user in time. Worst case scenario, the user can just unplug their computer for the rest of the day. Let them make that decision, but give them the information first.
  • The text of such alerts or advisories has got to be useful and clear. ZoneAlarm and other vendors often leave their messages too vague to be meaningful for us ordinary folk, scaring us out of our wits the first few times and then, gradually, just like the boy who cried wolf, we get blasé.

Sadly we’ve become accustomed to ignoring messages we don’t understand. This needs to change. Just like in the ordinary world, we’ve become both numb and constantly terrorized at the same time because of poor or insufficient information. We need to learn lessons about security from other fields. I don’t recommend bombarding users with alerts, but if they are used sparingly, judiciously and with good solid guidance contained inside, I think they are the best way to keep the user in the loop.

Phishing Victim Fights Back

It had to happen some time. Phishing victims are fighting back — against their banks. A Miami businessman is suing Bank of America, according to AccountingWEB.com and other sources:

Joe Lopez, a Miami businessman who regularly conducts business over the Internet, is suing Bank of America for negligence and failure to provide protection for online banking risks of which he claims the bank was aware. Last April, Mr. Lopez’s computer system was hacked into and $90,348.65 was wired from his account at Bank of America to a bank in Riga, Latvia without his approval.

Ralph Patino, Mr. Lopez’s lawyer, claims Bank of America had knowledge of a virus called coreflood, a Trojan horse virus known for infiltrating and compromising security systems and enabling unauthorized access to infected computers, and therefore the bank had a responsibility to inform its customers of the virus.

Coreflood, according to The Register, is primarily designed to conduct Denial of Service (DoS) attacks, but the theory is that the backdoor access it enabled allowed criminals to extract banking passwords and account details entered into Lopez’s PC. This remains unproven.

This makes the case a bit more complicated than if Lopez had been hoodwinked by a phishing email designed to look like something from Bank of America. Still, the AccountingWeb piece quotes Avivah Litan, vice president and research director for research firm Gartner Inc. and an online fraud expert, as saying

banking cybercrime cases such as this one may result in banks adopting stricter security measures in the future. “Banks can’t reasonably expect consumers to protect themselves from cybercriminals,” said Ms. Litan. She believes that consumers need banks to offer greater security if they want online banking to increase. Gartner Inc. predicts that within two years, “50 percent of today’s stronger methods for customer authentication will no longer be strong enough to be a safeguard against phishing and malware.”

In other words, banks have got to find a better way to keep their customers secure, and arguing that cases like Lopez’s are nothing to do with them may not impress customers already increasingly nervous about doing business and banking online.

Could Plaxo Be Phished?

(For more discussion, and expansion of some points in this posting, go here.)

For those folk already concerned about privacy with Plaxo’s contact updating service, this is not good news.

ZDNet reports that Plaxo has “plugged a serious security hole in its Web site on Monday that left its members’ contact lists vulnerable to be stolen, modified or deleted.” The security flaw, which was discovered by British-based Web application security company Lodoga, was reported to Plaxo on Monday evening. Lodoga’s security test engineer Jeremy Wood told ZDNet it took him less than an hour after discovering the weakness to build an attack script that could exploit the vulnerability. The attack uses a form of phishing — spoofing the website’s sign-on page to extract passwords — which could then be used to access their account.

Plaxo told ZDNet UK that the Web site was fixed a few hours after the problem was highlighted and was “fairly certain” that the vulnerability had not been exploited by anyone. There was no information about this on Plaxo’s website at the time of writing this, a few days after the event. (I think there should be. Their last piece of ‘news’ was on December 17 2003, about reaching the 1,000,000 user mark. Plaxo should, in my view, do a better job of informing its users of security issues, as much as about how many users it has signed up.) This is, needless to say, a bit scary. As ZDNet points out, Plaxo are almost certainly not alone in this vulnerability, but it’s absolutely crucial that they, and other companies that store user data, are ahead of the curve on security. Since a lot of phishing attacks are based on targeted social engineering — figuring out enough about you so their lure is persuasive — the detailed kind of information about individuals stored on Plaxo’s servers would be gold to a phisher.

Which echoes the question raised by someone who posted a comment to one of my earlier Plaxo posts: What do you do if you don’t want one of your contacts to store all your contact details at a place like Plaxo? Well, the short answer is you contact the person who is storing your details there, and ask them not to. Alternatively, Plaxo says, “we would be happy to make this request directly to a specific user on your behalf.” (Here’s the relevant page on Plaxo’s website.) Plaxo says it cannot delete anything itself, because, among other things, this information remains private to the user. “In no event will we delete information from our users’ address books, regardless of whether that information is stored on a user’s home computer or contained in their Plaxo address book stored on our servers.”

This is fine — or more or less fine — if the data is secure. But that clearly wasn’t the case until Monday night. As Plaxo says: “This information is protected with best practice security systems and is not accessible by anyone other than the owner of the information and anyone to whom that owner gives access.” So what does someone concerned about the security of their personal data do to stay out of Plaxo?

What some folk have done, and we’ve mentioned this before, is fill in a Plaxo auto-reply, which means you won’t get any future update request emails from Plaxo every time someone with you in their address book starts using Plaxo. Others will actually create a profile for themselves with only their name and their email address in it (I’ve noticed a few Microsoft employees do this). This means they won’t be bugged to fill in all their other details.

But, and it’s an important but, it won’t prevent their personal data from being stored: If I store all Oliver’s personal details in Plaxo (and if I use Plaxo, I don’t have any choice about this, whether or not I decide to email Oliver and ask him to update his data) that information will be stored in Oliver’s contact details on Plaxo’s servers in addition to whatever data he adds. If he only gives me his email address, there’s still all his other contact details I’ve stored there, potentially up for grabs by a phisher. Remember, Plaxo automatically stores your whole Outlook address book on its servers, whether or not you decide to ping someone to update their details.

And there are other problems. There’s no way for a non-user to tell whether your data is being stored at Plaxo unless you email all your contacts — anyone, basically, who may have your email address in their Outlook address book — and ask them. As that is tantamount to spamming, you probably are going to think hard before doing that. And just because one person removes your data doesn’t mean you’re clean. There are still all the other folk storing your data there, since none of these contacts is linked to another. As Plaxo itself points out, “Plaxo service does NOT create a public accessible directory — each user’s address book is unique, each user may have entered different information about individuals in their address book. We do not share information from one user’s address book with other users, and we do not attempt to cross-check the accuracy of the data in our users’ address books (e.g., there might be thousands of entries for “John Smith”, but no way to determine whether these entries refer to the same person, etc.).” Bottom line: Unless you’re actually a Plaxo member, Plaxo may have duplicated your contact details a dozen times over.

I’m going to invite Plaxo to comment on this post, and will post their thoughts. But in this age of phishing, data security has got to be top of the list of Plaxo’s concerns. It’d be good to hear that from them.