A flaw that allows an unauthorised backup to be made? Shurely shome mishtake...

Bernd Marienfeldt has discovered that by booting a PIN protected iPhone, while it is connected to the USB port of an Ubuntu system, he could access

“music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker.”

 
This access was through the Ubuntu interface and did not require any PIN at all, furthermore the access was not simply read-only, but read/write.
 

Even on a standard Windows Vista, it's PIN not required

Photo from Julien Lozelli's photostream on Flicker - Creative Commons

“The mailbox was for the use of the Dragon TV’s internal employees only so it had simple passwords for easy communication.”

So, an internet-facing, shared mailbox containing highly confidential information with simple passwords? Normally at this point in a blog article I suppose I would begin to point out things that could have been done to limit the possibilities of such an event. It seems almost too incredible that the aforementioned combination of circumstances should even occur, but here you go…
 
If information is sensitive, do not allow access to it from the internet.
 
If information is sensitive do not store it in a shared mailbox, it is impossible to audit effectively
 
Never use simple passwords, for any reason, ever.
 
If you have a document worth almost half a million dollars… Encrypt it.

ELENA knows where you live.

From the beginning of 2010 every German employer must now submit detailed information on a monthly basis to the so-called ELENA database, ELENA is an acronym for Eleketronischer Entgeltnachweis which loosely translates to Electronic Payslip. This sounds innocent enough until you consider exactly what information employers are obliged to provide.

The information will cover every worker’s salary, all absenteeism and their participation in strike action whether legal or illegal. This data is to be submitted to a central hub and from 2012 it will be used to determine whether to pay out or refuse social benefits. Plans are in place to relieve employers of the necessity of printing paper-based pay statements for their employees and instead issuing each worker with a plastic “jobcard” again by 2012. This card would then need to be produced should the holder ever need to apply for benefits allowing for data retrieval to determine eligibility.

Peter Schaar, the German Information Commissioner is reported as saying

“I’ve got a big problem with this. Until now, such information on salary declarations has not appeared, and their general storage in a central file is not legally nor constitutionally allowed.”

My own (German) wife’s reaction to this news was more succinct “I thought these people had agreed that the Stasi was a bad thing?”. The German blogs I could find seemed to be equally opposed to the idea.

For now though, the legislation has entered into force and the reporting has begun. We can only hope that appropriate measures have been taken to store the data in a secure location, using appropriate encryption, that the data entry and retrieval mechanisms are protected with strong encryption and multi-factor authentication and that the appropriate organisational policies and procedures have been put in place to protect this highly sensitive data.

It is an absolute certainty that a centralised data repository of this size and significance will attract the hacking and cracking attentions of criminals, script-kiddies and “hobbyists” alike.

Deutsche Bahn HQ by Honza Soukup

 

  

The Berlin Data Protection Commissioner revealed that Deutsche Bahn were to be fined exactly 1,123,503.50 million Euros to cover a number of serious breaches of data protection legislation that date back over the past 10 years. According to the official press release from the Berlin Data Protection agency this is “highest penalty that a German Data Protection Inspectorate has established“.

The activity for which Deutsche Bahn is being fined relates to the mass screening of employee data including names, addresses, telephone numbers and bank details against those of suppliers. This screening was carried out on at least three separate occasions in 1998, 2002/3 and 2005/6, supposedly to detect fraudulent activity and employee fronted Scheinfirmen or shell companies. Deutsche Bahn also enlisted the services of a detective agency to assist in this screening activity and the Information Commissioner’s press release states that personal and banking information was illegally retained for “years” even after suspicions had been allayed. Particular weighting was given in the release to the monitoring of all external email communications of all employees in the years 2006 and 2007, ostensibly to discover who was leaking information to journalists and members of the German Bundestag or parliament. All of this was done without the knowledge or consent of the employees concerned.

The official press release does not mention further activity included in the Süddeutsche Zeitung article, snooping on management level employees in two separate incidents and also the collection of employee medical records. The newspaper report certainly appears to hint that this may not be the end of the financial penalties.

As a result of the incident, the CEO and several top execs were forced to resign. The new board has created a C-level position responsible for “Compliance, Data Protection & Justice” and promised to work on the development of new HR guidelines on data protection alongside the Works Council.

Deutsche Bahn’s heavy-handed tactics and the size of the resultant fine amply illustrate the need for enterprises to involve employees, works councils and unions from the outset, both when defining data protection policies and also when conducting sensitive investigations.

Effective training programs should inform the employees, but also check their understanding and gain their acceptance of the rights and obligations of the company and the employee. Effective security policies and technologies should include employee representatives in the design process and notify them when subsequent privileged searches are taking place. At the same time care must be taken not to expose the results of those searches to the employee representatives as this could in itself constitute a breach.

Businesses across Europe have a real motivation to get this right as data protection authorites across the continent are rapidly increasing in power and scope.

This is often thorny question for parents to consider. How intrusive should my monitoring of my children’s internet activity be? How can I be sure that I am helping them to stay safe online and still maintain their sense of independence and, perhaps more importantly, the privacy which is so important to kids as they are growing up? Would you consider the sale of their private conversations a fair price?

There are several different levels that we as parents can consider in attempting to protect our children online; URL filtering by category can stop your children from visiting unwanted content either accidentally or deliberately, data protection functionality can stop them from giving away sensitive or inappropriate information online (I’m thinking of things like addresses, telephone numbers, or even their parents credit card numbers).

It seems also that some parents are willing to install software that allows them to do everything from logging the full content of all instant messaging conversations to remotely viewing their child’s computer activity with real time video.

The software that I am referring to in this instance is called Sentry Parental Controls from a company that was until recently called SearchHelp Inc. It gives parents the ability to closely monitor how their children are using their computers, who they are interacting with and how. There is of course a much wider ethical debate around whether or not it is acceptable to do the online equivalent of reading your own children’s diaries, or tapping into their telephone calls, but that is perhaps for another day.

Sentry Parental Controls has been in the news over the last couple of days for the way in which it uses data collected by the monitoring software to partly fuel a second service offered under the new company name, ECHOMETRIX, strapline – “When kids talk, we listen”

In a story first published on ZDNet in German, Larry Magid reports that the data collected by Sentry Parental Controls is in part sold on to subcribers through a new service called Pulse.

Pulse was launched by the rebranded ECHOMETRIX at the end of June this year and promises to offer “a real-time digital content platform that reveals the truth driving the $190 Billion teen market.” They even go on to boast “The unmatched ability to get inside privileged IM chats positions PULSE as a far more accurate predictor of the teen mindset.”

Isn’t that exactly the point though, that the content of these chats is *privileged*? Doesn’t it follow that privileged information is not to be exploited for commercial gain? 

In the German language article Mr Greene, the CEO of ECHOMETRIX explains that the data that is collected and mined by Pulse is anonymised and that no individual user’s identity is at risk of being exposed. In the same article, Trend Micro’s own David Perry is quoted as saying “This is a serious case of what we would call spyware” and I would have to agree with him. It is also relevant to consider, even if chat data is anonymised is it also sanitised? Could the chat itself contain personally identifiable information? A phrase that is used repeatedly on the ECHOMETRIX site is “unfiltered user generated content” they explain that their product ”delivers the unsolicited raw conversations in real time”

So I ask you, what price the online safety of your child? If you as a parent are prepared to make the moral leap necessary to monitor your children’s communications word for word, are you also prepared to knowingly share those communications with a stranger? Are you prepared for them to be used to turn a profit?

According to Jeffrey Greene, CEO, “The name change to ECHOMETRIX better reflects what the company does — we echo what kids are saying and we measure it.”

I would suggest that if you want to protect your family online, you contact a reputable security software vendor. If you need “opinion mining and sentiment analysis applications for user-generated digital social media content” then ECHOMETRIX might be better suited to help you out…

If you do have concerns about the safety of your children while online you will find a lot of helpful information and free tools, in Trend Micro’s Internet Safety Centre (just try not to click on the video of me!).

The results of an investigation carried out by Sky News should be enough to worry anyone who is put in the unfortunate position of having to entrust their computer to a stranger.

Researchers from Sky News set up a laptop with a keylogger and webcam enabled surveillance software. They gave the laptop a very common, easy to diagnose and remedy fault, by slightly unseating a memory chip. The laptop was then taken to various computer repair shops around London and the results monitored.

Almost unsurprisingly some of the shops gave misleading diagnoses and overcharged for the repairs. I say unsurprisingly because this immediately puts me in mind of all the well-known horror stories about car repairs rip-offs.

Knowledge = Power = Money and it is certain, and now proven, that some people will abuse their position of power to maximise their financial return. 

More worrying though was the subsequent data theft from this rigged laptop that followed once it had been repaired. The laptop was also honeytrapped with a collection of lady-in-a-bikini photos and personal data including bank logins and passwords for online services. This data was reportedly copied onto a USB stick by staff at one of the shops and the banking logon details were also used to try and access the online banking service.

This is far from being a localised issue as the Edison Chen sex photo scandal over in Hong Kong proved earlier this year, where as ABC News put it:

“Say Britney Spears, Lindsay Lohan, and Paris Hilton took it all off for Justin Timberlake and his camera, who promised the tabloid queens that no eyes but his own baby blues would ever see evidence of their tryst. Say J.T. kept some of those photos on his laptop. Say that laptop fell into the wrong hands.

You might have a sex scandal on the level of what’s rocking Hong Kong right now.“

An important lesson to take from all this (other than the “never trust a tradesman” one I mean) is the need for a secure place for people to store their personal data.

More and more enterprises are making investments in various types of device encryption technologies, but these kinds of stories demonstrate the need for this technology to filter into consumer and small business products as well.

As information becomes more digitised, like the photos and the logins;  and computers ever more portable (think netbooks and PDAs) the potential for mischief grows. The odds of a mobile device being handed over to a third-party for service or repair are increasing. If that device contains personal or corporate sensitive information then we need to provide people with technologies that enable them to keep their own data secure while still allowing the repair shop access to the machine to diagnose faults.

Importantly, if the problem is a software related one, then this security cannot be achieved through full disk encryption which is an all or nothing encryption methodology.

Consumer security suites need to offer people the ability to keep their most sensitive data in a secure location on the hard drive, while still allowing  the engineers to get their heads under the digital bonnet to fix software related issues.

Perhaps more crucially, we as consumers need to start actually using the features we pay for.

Both Jakob and Bruce agreed that there was a net lowering of security caused by masking passwords. Jakob argues that masking passwords runs counter to basic usability principles on the one hand, and on the other:

“Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)

The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.”

 

On his blog, Bruce Schneier added a short post to say that he agreed with Nielsen’s point of view, adding

“Shoulder surfing isn’t very common, and cleartext passwords greatly reduces errors. It has long annoyed me when I can’t see what I type: in Windows logins, in PGP, and so on.”

 

I have a couple of issues with this, firstly “Shoulder surfing isn’t very common”? I really want to know what empirical evidence Bruce is basing that sweeping statement on. Nielsen added “More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office”.

The vast majority of the global office population are definitely not fortunate enough to be sitting secure in their own private office. If I think back through the many office environments I have worked in, and how many screens were directly in my line of site and readable without even moving from my seat, the opportunities for (even accidentally) reading unmasked passwords seem clear. Even if it were true that shoulder-surfing is not common, isn’t that partly because it serves little purpose when passwords are masked? Chicken or egg Mr. Schneier, Mr Nielsen?

Password masking has always been the default because, given the choice between masked and unmasked, it is the most secure, and “secure by default” is a long established goal of system and infrastructure design. I fact in a blog post earlier this year Schneier himself said

“The solution is to better design security systems that assume uneducated users: to prevent them from changing security settings that would leave them exposed to undue risk, or—even better—to take security out of their hands entirely.”

It’s difficult to reconcile that point of view with allowing users to disable password masking…

Secondly, password masking is also an effective method of defeating malware which is designed to take snapshots of the users screen, which has long been a way that banking Trojans have overcome virtual or on-screen keyboards. Should we make it even easier by just letting the password sit there in plain text.

If it is simply because masking passwords makes a system less “usable”; then maybe I should remove the lock from the front door of my house? After all it is awfully inconvenient to have to fish my door-key out of my pocket when I have my hands full of shopping.

Maybe I could replace it with a PIN entry system, that reads the numbers back to me as I punch them in, because “Providing feedback and visualizing the system’s status have always been among the most basic usability principles” according to Nielsen.

After all, no-one’s listening, right?

UPDATE:

Bruce Schneier posted a second blog on this topic in response to the large amount of feedback he received, he has reconcsidered his initial “snap reaction” and written a much lengthier and more considered view on the subject. here: http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html

 ”I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, np sql injection <…> one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.”

He supported the claim with several screen shots such as the one below, showing that he had accessed the accounts of celebrity Twitterers such as Barack Obama, Lily Allen, Ashton Kutcher and Britney Spears. The interface gives the administrator (or the hacker) access to a large amount of personal information stored in the Twitter accounts database, for example Lily Allen’s mobile phone number…

So question number one for Twitter has to be, why is this kind of information available to account administrators? Surely it’s enough to be able to reset this type of data, without being able to view it? Shouldn’t it be stored in a secure format so that curious employees and malicious intruders both cannot get access to it?

But the real concern, over and above that for me, is the function visible in the next shot where the hacker was inspecting Barack Obama’s account.

What reason is there for a Twitter employee having a function labelled “Become“, and how happy will Twitter users be knowing that at any time someone can assume their identity at the click of a button?

Despite Twitter’s assurances that “no account information was altered or removed in any way“, I am fairly certain that several high profile users will be having to modify their email addresses and mobile phone numbers as a result.