Phone Hacking

BBC News – Phone hacking probe by Met faces scrutiny

What’s interesting to me about this ongoing story (how many years is this now?!) is the lack of detail and information from a security perspective and even the basics about what has been alleged.

From following the story I’m still not entirely sure what is meant by “phone”; does it refer to a handset itself, or a telecoms network? I’m also not sure what is meant by “hacking” in this case although I’m assuming it’s not someone jailbreaking an iPhone…

Either way this is less of an individual privacy story and more one related to criminal misuse of computer systems. Where are the network operators involved in all this? Shouldn’t they be the ones calling for an investigation, or at the very least demonstrating that the networks they run are not so easy to “hack”?

The media coverage of this whole “event” is pathetic. A sample line from the BBC Q&A (linked to from the above story) is –

Who do we know was hacked?

I’d go so far as to say that, with regards to this, nobody has been hacked, unless there are some related battery and ABA charges related to this.

What’s missing is clear and concise information about what has happened. This affects all of us – individuals and businesses – who use commercial telecoms networks, not just celebrities and politicians (although I’d include them in the former category nowadays). At the very least there’s a fantastic upsell opportunity for someone…

In these days when Google and Facebook are slammed for not providing satisfactory privacy controls (even though users willingly share information on those services) I find it disgusting to see the people responsible for controlling these systems are not being questioned.

Update (27 Jan 2010 @18:47): Some more information from The Register. The comments on this story indicate that there’s not really “hacking” in any true sense, but taking advantage of the ability to access voicemail from other ‘phones, along with easily guessable PINs. Perhaps there’s an easy lesson to be learnt here.

Kilt Wearing

The Big Bear in Your Mind: “The TSA: fondling fat men’s balls since 2010,” or “I got felt up by a guy with a community college security degree, and all I got was this lousy blog topic”

Bravo!

SubliminalPanda gives a great account of his experience as a “kilted fat man” going through airport security in the states and makes a few good points about the stupidity of the checks and the fact that he was put through a traditional scanner instead. As I pointed out here this “security” system cannot easily cope with these scenarios.

Things, thankfully, are still a little more sane in most European airports. Let’s hope it stays that way.

 

Airport Security

New aviation risk: pleats – Boing Boing

If this is true (and I have no reason to suspect that it isn’t) it would be typical of the process used for “securing” our shared transport infrastructure. Recent comments by Martin Broughton about the state of this hinted towards the ad-hoc nature of the rules (is an ipad a laptop?)(although as a side note, this is an accusation I would level at legislative bodies more generally), which of course are applied differently in different airports (do I take my shoes off? what about my belt?) and lead to confusion on all travellers, including those of us who fly a lot.

Whilst taking off over-clothes (jackets, &c) is natural and expected there will be incidents with clothing of multiple layers and pleats (or maybe just thick material) where this will lead to difficulties. I can also imagine a number of cultural implications of this – within English law, during a stop and search, for instance there are items of clothing that can be removed in public and others that must be removed in private (as you’d expect). I have never seen (in any airport) facilities for me to remove clothing in private, then pass through the scanners (and maintaining my modesty from other passengers). The reality is that this isn’t an issue for me, but I can easily imagine persons of certain culture where this would be inconvenient or offensive – without picking out the obvious situations where someone may be fully covered, what about a Scotsman in traditional dress (kilt and nothing underneath).

As I write there’s a comment on the boing boing page linked to about restrictions on clothing in future which is interesting. For regular travellers I wonder already how much clothing choice is dictated by the demands of airport security – slip on shoes, non metallic items (never mind the liquids – not that the security people ever notice) etc. How much inconvenience are people willing to put with?

Ultimately there will need to be changes – this relentless march towards “security” can’t last forever.

Facebook Security

There’s been a lot said about privacy on Facebook recently, that I won’t go over or comment on at the moment.

Given Google’s recent move to supporting HTTPS on the search page I was starting to check other sites for the same. I was slightly surprised to find that Facebook does indeed allow HTTPS connections and then even more surprised to find that chat doesn’t work (“disabled on this page”) – possibly an area this would be most warranted.

I can’t think of a good reason why this would be the case – perhaps more investigation is required!

Vehicle Identity

There have been a couple of identity related stories in the media over the past couple of days that grabbed my attention. First was the (long awaited, on my part) “identity” connection with John Darwin, in which it’s finally been revealed that he used a “Day of the Jackal” style identity switch to get a new passport.

For those that don’t know, this method is simply one of getting a replacement birth certificate for someone born roughly the same time as yourself (so your physical age appears right for your new identity), preferably one who doesn’t have too many other formal records attached to them (Darwin managed to get a certificate for someone who died at a few months of age). All one needs to apply for a passport is, essentially, a birth certificate (which are public record). What I find amusing is that this sort of “attack” was supposed to have been stopped – the BBC has a story on it from over four years ago… (although I confess that I’ve not checked exactly when Darwin got his new passport).

Darwin’s exploits were only secondary in my thoughts in comparison to the latest scandal involving UK Government departments and data leakage. This time round it’s the DVLA (Driver and Vehicle Licensing Agency) in Northern Ireland who sent unencrypted disks, via public courier to the agency’s head office (Swansea), which have gone missing.

Whilst there was a huge outcry over the recent events involving child benefit data this seems to have attracted less attention, but still may result in some major problems. I concede that events involving people directly, especially bank account details and even more when it involves children’s details are more emotive, but much of the data leaked there was public record anyway (for anyone who thinks handing your bank details to a stranger is a bad idea I suggest you look at your chequebook sometime).

This case of data leakage contains car information – makes, models, colours, registration plates, chassis numbers &c – all of which is incredibly useful to someone wishing to clone a vehicle. Vehicle cloning is, apparently, on the increase, and the way that our systems handle this needs to be looked at. With the right information it wouldn’t be too difficult to make any of the same model car look like another – a quick respray and plate change should do it. The victim wouldn’t know until the fines start rolling in (or worse – the cloned vehicle is used for a more serious crime and the police come knocking at the door). Aside from the stupidity of sending unencrypted, critical, data through public networks (whatever the channel), there are two things that come to mind about this situation.

Firstly, this highlights the problems caused by having an automated justice system with a reliance on cameras, IT systems and “business logic”. It’s something I’ve commented on before, but we’ve lost the human touch in security and law enforcement – a well trained, experienced (and well paid) policeman with the ability to make decisions and trust their own judgement is far better than a computer – when something is “wrong” they can tell and take action, when someone innocent is “bending” the law they can take action without over-penalising them. If a vehicle is being used illegally there may be other ways to tell it’s cloned – most likely by cross-referencing the driver and car. This would require a stop and search, but with appropriately targetted action I don’t see the issue – and we take a far more scattergun approach to drink driving…

The second point is related to a comment I made previously about biometric identifiers in humans. Once an identifier has been cloned these are very difficult to correct for the victim – unenrollment is simply not possible. If someone uses my fingerprints for regular nefarious activity I can’t just change mine to avoid being arrested every few days – likewise, if my car is cloned I can’t (easily) change the major identifiers for it.

Essentially, in almost all areas of life, it is the reliance on automated systems, computers and oversight that creates the environment where identity fraud, car cloning (and worse crimes like human trafficking) can thrive. The presence of a human touch is the best deterrent to these crimes. I realise that modern life means a return to the days of seeing your bank manager to get a loan is unlikely – we have to deal with processes that scale well, but there has to be some element of humanity in every system – preferably close to where it interfaces with the people that really matter. Like everything else in security, it’s a trade-off.

Fingerprinting Children

Over the past week the use of biometrics in schools (in particular) has received a lot of media attention – one of the key uses being to “pay” for school meals. Such a system has some big advantages – the reduction in bullying and the loss of stigma for those children who receive subsidised meals are two key benefits (the social inclusion element was a matter actually mentioned at this event).

The usual arguments for both sides were bandied around the media. My own initial thought on the matter was that it probably isn’t such a bad thing – after all, the full fingerprint isn’t stored in the system and as long as data isn’t shared with other systems (the criminal justice IDENT1 programme, for instance) and is deleted at the appropriate time, then the privacy of the child can be maintained and the benefits realised (not that I have any faith at all in our Government to not actively encourage should data leakage).

It seems I wasn’t alone in this belief – Kim Cameron has written a series of posts on the topic (starting here in which some of the myths about convention biometrics are dealt with. This post in particular is instructive and shows how current biometric systems work – producing a template of the biometric with a known algorithm – against which a result is matched. For some reason I’d assumed that these systems worked more in the way of what I now know to be Biometric Encryption (link to PDF by Ann Cavoukian and Alex Stoianov), but this is obviously not the case!

Kim follows this up with a further explanation from Cavoukian and Stoianov which describes how easily standard biometric templates can be matched across discrete databases – even when there is no explicit link between them!

“The linking of the databases can be done offline using template-to-template matching, in a very efficient one-to-many mode.”

Kim concludes with the statement

I had not understood that you can so easily correlate conventional biometric templates across databases. I had thought the �fuzziness� of the problem would make it harder than it apparently is. This raises even more red flags about the use of conventional biometrics.

This is where my provisos on when this is acceptable come in – identity data and biometrics in particular need to handled with sensitivity (even more so when it concerns children), but even with the right political and economic safeguards the technology has to be correct. As things stand we have a scenario where inadequate technology is being used for unsuitable purposes under the umbrella of a “higher goal” that is ill advised at best.

Open or Siloed Identity?

Kim Cameron’s Identity Weblog » GOOGLE’S AUTHENTICATION VERSUS MICROSOFT’S LIVE ID

I was fortunate enough to hear Kim talk at the MS Security Summit I attended today. Whilst I thought I had a pretty good understanding of Infocards/”Cardspace” and the Identity Metasystem, hearing it explained in this way was very useful and I’ve left with an even greater understanding. Whilst the demo’s were obviously using the Microsoft implementation of the ideas the open-ness of the system was evident and the effect that this will have on our industry in the future. I’ve a couple of technical questions that have come up, but I’ll get back to those later (and unfortunately I’d been booked to be elsewhere this afternoon so was unable to hang around for questions in person!)

Having seen this post tonight (one of the best things about RSS feeds is that I can miss a few days and have everything sat waiting for me to catch up!), it’s a striking comparison between the two giants’ approaches to the problem. I’ve previously written about how the trust in the two companies is different and it’s been noted again that, perhaps at least part of the reason for the new Microsoft open approach is the failure of Passport (as an Internet-wide universal Identity, at least) whereas Google thinks it can avoid those same mistakes with its siloed identity systems (Google seems to be increasingly arrogant in all areas of its business).

One thing that does worry me is that one of the reasons, IMHO, that Passport failed was that by that time, Microsoft’s reputation was already low – security was always a problem in Windows. In contrast, Google has an almost unhealthy positive reputation amongst most web users. They are quite capable of churning out substandard products and services that somehow get rave reviews in the media and from a certain group of people – whilst there is another group becoming more suspicious (and critical) of Google and everything it does. Unfortunately I get the feeling that this second group is suffering from the echo-chamber effect of the blogosphere and not much is getting out to the wider world. Given this, it’s entirely possible that the Google way could gain some traction, despite the activities of all those involved in the work so far – maybe some more publicity is required to prevent this from happening..?

Rohan Pinto also points to Kim’s post.

Addendum: Paul has already asked the questions I wanted to.