What's worrying the spooks?

Internet censorship, Legal issues, News coverage, Politics

As I mentioned a few days ago, the security services have some concerns about the Digital Economy Bill:

If evading blocking systems becomes a mainstream activity (and there’s said to be 6-7 million illegal file sharers in the UK) then it will be used, almost automatically, by subversive groups — preventing the spooks from examining the traffic patterns and comprehending the threat.

There seems to be some confusion about quite what is worrying the security services. Last October, The Times reported that “both the security services and police are concerned about the plans, believing that threatening to cut off pirates will increase the likelihood that they will escape detection by turning to encryption”, and this meme that the concern is encryption has been repeated ever since.

However, I think that Patrick Foster, the Times media correspondent, got hold of the wrong end of the stick. The issue isn’t encryption but traffic analysis.

Continue reading What's worrying the spooks?

Cambridge Science Festival: Science research now!

Banking security, Seminars

The annual Cambridge Science Festival is running during 8–21 March, where there are over 150 talks, demonstrations and other events, open to the public.

On Saturday 13th March (16:00–16:45), I will be talking about my recent work on Chip and PIN security. In the same session, there will also be presentations from Leila Luheshi on Alzheimer’s Disease, and Adrian Owen discussing his research on the awareness of brain-damage victims. The session will be hosted by The Naked Scientists.

For more details, see the event page — science research now!. The talk is free and no booking is required. It will be held in the Cockcroft Lecture Theatre.

A wrecking amendment ?

Internet censorship, Legal issues, News coverage, Politics

For the past few months the Digital Economy Bill (DEB) has been quietly making its way through the House of Lords. As is the way of these things, large numbers of amendments have been proposed, their lordships have had a series of mini-debates on each set of issues, and the Government have been busily amending the Bill in an attempt to fix all the things that they didn’t think through properly.

The main thrust of the DEB’s approach to dealing with unlawful file sharing of copyright material has been a “three strikes” policy. That is, should you be detected to be sharing some popular beat combo’s music without permission, then on the first two occasions you’d receive an admonishing letter, and on the third time then you would be subject to “technical measures” (ie: very slow Internet speeds) or disconnection, the latter doubtless annoying the rest of your family as they would be unable to visit DirectGov / keep up their social life / catch-up TV shows / do their homework / avoid being sacked from their work-from-home job!

However, the Government are concerned that this won’t be enough, and that unlawful sharing of copyright material might occur in new ways in future. So in clause 17 of the DEB they set out a scheme for amendment (in ways that would be decided as future circumstances required) of the Copyright, Designs and Patents Act 1988 through secondary legislation.

It is unusual to grant such open ended powers to amend primary legislation, because Parliament would be presented with an unamendable statutory instrument and invited to vote for it — no such SI has been defeated in the House of Lords since 2000, and the time before that was in 1968.

There was an outcry over the breadth of clause 17, and so the Government set out amendments to restrict it — but last week peers voted for an opposition amendment (120A) to have an alternative arrangement altogether, a regime of High Court injunctions that would force ISPs to block websites.

This is such a dumb (and dangerous) idea that it has all the characteristics of a wrecking amendment, added to the Bill just to eat up parliamentary time so that the whole Bill will fall at the dissolution for the upcoming election.

Continue reading A wrecking amendment ?

More on the SCR

Legal issues, News coverage, Politics

Two weeks ago I posted about the Summary Care Record, a project to centralise medical records in England and Wales under the pretext that central records might be useful in emergency care. At the time, I wrote to the Cabinet Secretary asking whether it was appropriate to use taxpayers’ funds to leaflet millions of homes on a politically sensitive topic during an election campaign; I haven’t yet got a reply.

Doctors’ leaders are now alarmed. Patients are being misinformed, and opt-out is being made difficult.

The information being given to patients is false and misleading. The SCR promotional leaflet says anyone who has access to your records … must be directly involved in caring for you. However, large numbers of officials will have access. And as I already noted, the SCR isn’t as helpful in emergencies as it’s spun. Its purpose is actually different: to provide the basis for a centralised electronic patient record for everyone.

Doctors have noted that in the pilot areas, seven out of ten patients are unaware that an SCR was created for them. The patient information packs don’t contain an opt-out form; you’re supposed to phone the call centre for one. Over two hundred thousand people have downloaded an opt-out letter from www.thebigoptout.org; now the NHS says it wants doctors to ignore this and get everyone who wants to opt out to use this form instead (which GPs can’t order in bulk).The roll-out is rushed and displays typical incompetence: for example, some patients have been sent other patients’ letters. I am sure this story will run and run.

Evaluating statistical attacks on personal knowledge questions

Academic papers, Authentication, Security engineering

What is your mother’s maiden name? How about your pet’s name? Questions like these were a dark corner of security systems for quite some time. Most security researchers instinctively think they aren’t very secure. But they still have gained widespread deployment as a backup to password-based authentication when email-based identification isn’t available. Free webmail providers, for example, may have no other choice. Unfortunately, because most websites rely on email when passwords fail, and email providers rely on personal knowledge questions, most web authentication is no more secure than personal knowledge questions. This risk has gotten more attention recently, with high profile compromises of Paris Hilton’s phone, Sarah Palin’s email, and Twitter’s corporate Google Documents occurring due to guessed personal knowledge questions.

There’s finally been a surge of academic research into the area in the last five years. It’s been shown, for example, that these questions are easy to look up online, often found in public records, and easy for friends and acquaintances to guess. In a joint work with Mike Just and Greg Matthews from the University of Edinburgh published this week in the proceedings of Financial Cryptography 2010, we’ve examined the more basic question of how secure the underlying answer distributions are to statistical guessing. Put another way, if an attacker wants to do no target-specific work, but just guess common answers for a large number of accounts using population-wide statistics, how well can she do?

Continue reading Evaluating statistical attacks on personal knowledge questions

Reliability of Chip & PIN evidence in banking disputes

Academic papers, Banking security, Legal issues

It has now been two weeks since we published our paper “Chip and PIN is broken”. Here, we presented the no-PIN attack, which allows criminals to use a stolen Chip and PIN card, without having to know its PIN. The paper has triggered a considerable amount of discussion, on Light Blue Touchpaper, Finextra, and elsewhere.

One of the topics which has come up is the effect of the no-PIN vulnerability on the consideration of evidence in disputed card transactions. Importantly, we showed that a merchant till-receipt which shows “PIN verified” cannot be relied upon, because this message will appear should the attack we presented be executed, even though the wrong PIN was entered.

On this point, the spokesperson for the banking trade body, the UK Cards Association (formerly known as APACS) stated:

“Finally the issuer would not review a suspected fraud involving a PIN and make a decision based on the customer’s paper receipt stating that the transaction was “PIN verified”, as suggested by Cambridge.”

Unfortunately card issuers do precisely this, as shown in a recent dispute over £9,500 worth of point-of-sale transactions, between American Express and a customer. In their letter to the Financial Ombudsman Service, American Express presented the till receipt as the sole evidence that the PIN was correctly entered:

“We also requested at the time of this claim, supporting documents from [the merchant] and were provided a copy of the till receipts confirming these charges were verified with the PIN.”

Requests to American Express for the audit logs that include the CVR (card verification results), which would have shown whether or not the no-PIN attack had been used, were denied. The ombudsman nevertheless decided against the customer.

The issue of evidence in disputed transaction cases is complex, and wider than questions raised by just the no-PIN attack. To help bring some clarity, I wrote an article, “Reliability of Chip & PIN evidence in banking disputes”, for the 2009 issue of the Digital Evidence and Electronic Signature Law Review, a law journal. This article was written for a legal audience, but would also be suitable for other non-technical readers. It is now available online (PDF 221 kB).

In this article, I give an introduction to payment card security, both Chip & PIN and its predecessors. Then, it includes a high-level description of the EMV protocol which underlies Chip & PIN, with an emphasis on the evidence it generates. A summary of various payment card security vulnerabilities is given, and how their exploitation might be detected. Finally, I discuss methods for collecting and analyzing evidence, along with difficulties currently faced by customers disputing transactions.

Opting out of health data collection

Legal issues, News coverage, Politics

The Government is rolling out a system – the Summary Care Record or SCR – which will make summaries of medical records available to hundreds of thousands of NHS staff in England. Ministers say it will facilitate emergency and unscheduled care, but the evidence in favour of such systems is slight. It won’t be available abroad (or even in Scotland) so if you are allergic to penicillin you’d better keep on wearing your dogtag. But the privacy risk is clear; a similar system in Scotland was quickly abused. Colleagues and I criticised the SCR in Database State, a report we wrote on how government systems infringe human rights.

Doctors have acted at last. The SCR is being rolled out across London, and the Local Medical Committees there have produced a poster and an opt-out leaflet for doctors to use in their waiting rooms. The SCR is also political: while Labour backs it, the Conservatives and the Lib Dems oppose it. Its roll-out means that millions of leaflets will be distributed to voters, pardon me, patients in London extolling its virtues. A cynic might ask whether this is a suitable use of public funds during an election campaign.

Measuring Typosquatting Perpetrators and Funders

Academic papers, Legal issues, Security economics

For more than a decade, aggressive website registrants have been engaged in ‘typosquatting’ — the intentional registration of misspellings of popular website addresses. Uses for the diverted traffic have evolved over time, ranging from hosting sexually-explicit content to phishing. Several countermeasures have been implemented, including outlawing the practice and developing policies for resolving disputes. Despite these efforts, typosquatting remains rife.

But just how prevalent is typosquatting today, and why is it so pervasive? Ben Edelman and I set out to answer these very questions. In Measuring the Perpetrators and Funders of Typosquatting (appearing at the Financial Cryptography conference), we estimate that at least 938,000 typosquatting domains target the top 3,264 .com sites, and we crawl more than 285,000 of these domains to analyze their revenue sources.
Continue reading Measuring Typosquatting Perpetrators and Funders

Call for papers: WEIS 2010 — Submissions due next week

Call for papers, Security economics

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. Prior workshops have explored the role of incentives between attackers and defenders, identified market failures dogging Internet security, and assessed investments in cyber-defense.

The ninth installment of WEIS will take place June 7–8 at Harvard. Submissions are due in one week, February 22, 2010. For more information, see the complete call for papers.

WEIS 2010 will build on past efforts using empirical and analytic tools to not only understand threats, but also strengthen security through novel evaluations of available solutions. How should information risk be modeled given the constraints of rare incidence and high interdependence? How do individuals’ and organizations’ perceptions of privacy and security color their decision making? How can we move towards a more secure information infrastructure and code base while accounting for the incentives of stakeholders?

If you have been working to answer questions such as these, then I encourage you to submit a paper.

What's the Buzz about? Studying user reactions

Privacy technology, Social networks

Google Buzz has been rolled out to 150M Gmail users around the world. In their own words, it’s a service to start conversations and share things with friends. Cynics have said it’s a megalomaniacal attempt to leverage the existing user base to compete with Facebook/Twitter as a social hub. Privacy advocates have rallied sharply around a particular flaw: the path of least-resistance to signing up for Buzz includes automatically following people based on Buzz’s recommendations from email and chat frequency, and this “follower” list is completely public unless you find the well-hidden privacy setting. As a business decision, this makes sense, the only chance for Buzz to make it is if users can get started very quickly. But this is a privacy misstep that a mandatory internal review would have certainly objected to. Email is still a private, personal medium. People email their mistresses, workers email about job opportunities, reporters email anonymous sources all with the same emails they use for everything else. Besides the few embarrassing incidents this will surely cause, it’s fundamentally playing with people’s perceptions of public and private online spaces and actively changing social norms, as my colleague Arvind Narayanan spelled out nicely.

Perhaps more interesting than the pundit’s responses though is the ability to view thousands of user’s reactions to Buzz as they happen. Google’s design philosophy of “give minimal instructions and just let users type things into text boxes and see what happens” preserved a virtual Pompeii of confused users trying to figure out what the new thing was and accidentally broadcasting their thoughts to the entire Internet. If you search Buzz for words like “stupid,” “sucks,” and “hate” the majority of the conversation so far is about Buzz itself. Thoughts are all over the board: confusion, stress, excitement, malaise, anger, pleading. Thousands of users are badly confused by Google’s “follow” and “profile” metaphors. Others are wondering how this service compares to the competition. Many just want the whole thing to go away (leading a few how-to guides) or are blasting Google or blasting others for complaining.

It’s a major data mining and natural language processing challenge to analyze the entire body of reactions to the new service, but the general reaction is widespread disorientation and confusion. In the emerging field of security psychology, the first 48 hours of Buzz posts could provide be a wealth of data about about how people react when their privacy expectations are suddenly shifted by the machinations of Silicon Valley.