Category Archives: data protection

FUD Marketing*: How not to sell Burglar Alarms

For the Register, Alexander J Martin describes a nasty example of marketing through fear strangely reminiscent of support scams, though it was burglar alarms that were being marketed here, not security software.

Telemarketers hit with £70,000 fine for cold-calling pensioners

The Information Commissioner’s Office reported that Direct Security Marketing Ltd, a company based in Dudley, ‘made nearly 40,000 automated calls, with 9,775 being made between 1am and 6am.’

While the title of Martin’s article suggests that pensioners were specifically targeted, the article quotes ICO Group Enforcement Officer Andy Curry as saying that ‘Elderly people were among those who were left distressed after being woken up in the night by the automated calls’, so there’s no indication in the article that the calls were targeted (or, if they were, how).

On YouTube, Andy Curry talks about ‘the action the ICO took against automated calls by Direct Security Marketing and what action can be taken by people to block similar calls.’ Even if you weren’t bothered by this particular nuisance (happily, it seems the company is quietly sinking into the West…) you might find the step through some of the minutiae of the Data Protection Act useful.

* FUD: Fear, Uncertainty, Doubt. FUD Marketing: a sales pitch characterized by disinformation and the exploitation of insecurity and negative emotions.

David Harley

Sins of Omission

It’s not really related to malware, but this is an interesting article that brings up a few issues that should be highligthed.

http://www.bankinfosecurity.com/articles.php?art_id=2846

Firstly, the cheque images in question are used as a security feature, you can view them online to see when and where they were cashed, and they are attached to a specific transaction. Those who don’t have a US bank account might not be familiar with such a system – however, the fact that the cheque now exists online should be a red-flag for security, and you would expect it to be protected as part of the bank account (your cheques, after all, have your signature on them, along with your bank details and a sample of your handwriting). The key to the success of this breach was that the images were all stored in a single online database. This in itself is a huge vulnerability.

Secondly, just because something is not a regulatory requirement, doesn’t mean that it shouldn’t be done as a matter of course. Holding such a database, and knowing that it contains data that would be very useful in fraud, then it makes sense to use encryption to protect it - so in this case fact that they were not encrypted simply makes it worse. It’s like saying that we were only required to put locks on the doors, but the regulations didn’t state we needed to close the windows.

Many European banks are moving away from paper driven cheques, and that would of course reduce or eliminate this specific attack, but what doesn’t seem to be happening is any assumption by the banks of attack. For instance, my bank has implemented some rudimentary anti-phishing protections, but it still uses a very weak password based account entry, which any key-logger could get around (unless of course I’m using a secure browser like K7SecureWeb or SafeCentral), and that combined with  a screen-scraper could easily compromise the anti-phishing measures.

Probably, as things get more serious (in terms of fraud) for the banks, there will be much more concentration on securing things. For now, the sad fact is that the consumers are not driving this, because they don’t care – the losses are to the banks, because of consumer protection (at least in the EU and USA). The reason my bank (along with most other British and US banks) have such poor security is that at the moment, the customers aren’t demanding higher security. That, coupled with silly things like only implementing the letter, rather than the spirit of regulation, is not going to bode well for the online banking in the near future.

Meanwhile, the Anti-malware industry gets a harder and harder rap for not being able to clean up all the mess, while what really needs to happen is for everyone to take a bit more responsibility for their actions, and understand that there are real threats out there, that cannot just be addressed by anti-malware alone, nor indeed any purely technology based solution.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Virus Bulletin Seminar Announced

Virus Bulletin have announced the first in a new series of Seminars. Aimed towards the corporate IT Admins and security practitioners, the day long seminar will look at protecting organisations in the modern age of Internet enabled crime.

Speakers include

  • Bryan Littlefair, Vodafone Group
  • Bob Burls, Police Central e-Crime Unit
  • Graham Cluley, Sophos
  • Alex Shipp
  • David Evans, Information Commissioner’s Office
  • Andrew Lee, K7 Computing
  • Martin Overton, IBM
  • Richard Martin, UK Payments Administration

http://www.virusbtn.com/seminar/index.xml

There’s an early bird price available, and seats are likely to fill up fast, so get in early!

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

The great wall of Google

So, we hear the news that Google ‘really has’ ceased censorship in China. At least, that is the meme currently working its way around the internet. Actually, this is rather disingenuous, and shows a particularly unsavoury side of how the Google PR machine really works.

If you’ve been living on Mars or want some background, here are a couple of links on the story.

http://news.bbc.co.uk/1/hi/world/asia-pacific/8582233.stm

http://www.guardian.co.uk/technology/2010/mar/22/google-china-shut-down-censorships

Of course, a careful read of these articles shows that Google have done nothing more than redirect their front page to their existing Hong Kong search page, and that the censorship (which operates automatically between the mainland of China and…well…everywhere else) is still very much in place.

Users inside China have no greater freedom now, and this is a very different situation than if Google had really put its money where its (big) mouth is and uncensored its .cn site search results. Clearly they wouldn’t do that though, as not only would it be illegal in China, it very likely would have caused them to have to pull out of the lucrative market they so badly want a piece of – instead of getting a bit of bluster from the Chinese government and maybe a slap on the wrist.

Do a search for, say, ‘Tiananmen Square’ from inside China, and as the Guardian article points out, the internet connection will reset. Lest we forget, this is part of what Google is complicit in covering up. The Chinese government have been almost entirely successful in expunging this monstrous event from the consciousness of those living in their country, and Google (and others) have not only not done anything to stop this, they have actively aided them in their attempts at revisionist history.

This is a security blog, so I’ll get to the point that everyone seems to be missing. This whole story erupted because, allegedly, Google suffered attacks on its Gmail network from inside of China. Let’s leave aside for the moment, the whole “buzz” fiasco which probably did Google far more harm, but this is the rather grubby truth that Google is managing to cover up so well with its big talk about not “being evil” and opening up the freedom of the internet (which they so eagerly avoided doing for so long in order to get their hands on those lovely Chinese RMB).

The point is, that rather than look at what they were doing that was wrong and securing their network; or finding out what led to the compromises against their network, Google instead simply threw their toys out of the crib and made up a new story about solidarity and freedom and so on. Do you trust Gmail more now that they’ve engaged the NSA to help them secure it? I didn’t think so.

It’s a shame that so many tech bloggers have focused on the smokescreen political issues and ignored slamming Google for the real issues, that its approach to the privacy and security of its users is time and time again a huge disaster. The real problem is that they’ve got the money and the PR machine to cover it up with a different story, and swamp all those dissenting voices to avoid having to have that brief moment of introspection that might acutally change things for the better…rather like a certain government, don’t you think?

Andrew Lee
AVIEN CEO

With all the Buzz, some education is in order

So, the not very surprising news that Google has once again attempted to launch a social networking site – following its spectacularly unsuccessful 2004 launch of Orkut (no, unless you live in Brazil or India, you won’t have heard much about it either).

The new network, called “Buzz” integrates directly into the Gmail email client. To me this just opens up lots of new ways to exploit the users – although if you are using Gmail to do anything private or confidential, you already do need to have a brain check (more-so now the NSA will be ‘helping’ to secure it). It looks like Google want some of the big dollars that Facebook and Twitter make – and of course everything will be searchable and exploitable for ad companies to target.

All the fuss around social networking has  really highlighted to me the need for good security education – we’ve moved into a new world, one where children are growing up with social networking and mobile phones etc as an integral part of life. I can’t imagine how my parents ever managed without being able to contact me by phone, or being able to look up my status on Facebook, but somehow they did. Parents have a different problem today, one of how to preserve the privacy of their families and children while taking advantage of what these new technologies offer. The sad fact is that in many cases, the kids know much more about the technology than the parents, but neither the parents or the children understand the threats. I’m often called paranoid, but it’s my belief that in some ways you can’t be too careful; our privacy and therefore our rights to a private life for ourselves and our progeny are daily being eroded by the whim of government and the campaigning of large corporations. It’s therefore refreshing that the British government has got behind a new campaign to highlight the dangers of the online world; targeting children as young as five. While the campaign understandably does focus on protection from paedophiles, the advice has wider use, though sadly it doesn’t seem to stretch to take in malware issues.

While I’m encouraged that the government is finally doing something, I’d be much happier to see a comprehensive plan in place that focuses on education in schools where security is taught as a discipline along side all IT classes. We’re a long way from that, but I (and several others who blog here) will keep tilting at that particular windmill.

Andrew Lee
CEO, AVIEN & CTO K7 Computing

Who owns you?

David recently blogged here (http://avien.net/blog/?p=253) on his concerns over the ways that our personal data is increasingly online and available to everyone who might want it.

On a similar theme, a site called “Web 2.0 Suicide Machine” has recently been sent a cease and desist order by Facebook on the grounds that by “collecting login credentials, the site violates its Statement of Rights and Responsibilities”. This sort of controversy raises the question of who owns an account on a site – not just a social networking site – what about a webmail account? But, more on that shortly. It’s a tricky question, and I suspect that the answer is that the information is jointly owned once you give the information, you enter a contract to allow the recipient to use your info according to their terms and conditions (which could be to publish it all over the place, or just to change your password and never let you back into the account).

It’s only recently that Facebook provided its members with a facility to fully delete (rather than deactivate) their accounts. As someone who spends a lot of time on social networking sites, I’ve often felt the urge to be able to ‘get away from it all’. The idea of being able to commit ‘Web 2.0 suicide’ is in some ways quite appealing, and it does remove the awful problem of trying to delete all that data yourself – and avoids the thorny problem of always being able to get back in and start again. I did actually do this at one point, I entirely deleted my accounts on MySpace and Bebo, removed as much as I could from Orkut (more on Google below) and deactivated (the only option available at the time) my Facebook account. However, after some time after constant messages still arriving from Facebook I succumbed and reactivated my account (although I’m much less obsessive about it, and used the privacy controls to lock it down far more than had been the case before). I’ve never revived the other accounts, basically because I’m to lazy to set them up again. I’m pretty sure that I’d not have come back to Facebook had my account been actually deleted – but Web 2.0 Suicide Machine (and similar services) are in some ways even better, they leave you no option but to start again, because they change your password, and your profile will still exist, only you can’t get to it.

Of course, giving a third party (whether an SN site like Facebook or a service like W2.0SM) your account information is a risk, because you don’t really know what they’re going to do with it, maybe W2.0SM are going to sign you up to all sorts of groups or services on FB, or use your account to click through on site advertising to raise revenue, maybe they’ll harvest  your email addresses and send them to spammers, maybe they’re going to use your phone number and address to do all manner of things. I doubt it, but it’s possible were less ethical people in charge of it. At least, if you’re going to use such a service, remove your most critical private information first.

You can read more on this story here: http://news.bbc.co.uk/1/hi/technology/8441080.stm

Sometime last year, I got an invitation to Google Wave (http://wave.google.com) and had a play around with it. It’s interesting in many ways – not all of them obvious. There has been plenty of comment in other places about what Google Wave does, or what it doesn’t do, but I’m not really interested in that. As far as I’m concerned it was pretty much a failure because nobody could really think of a problem that it solved in a better way than existing technologies. But, what does interest me is what that sort of platform offers to Google. In a collaboration system you have multiple people working on topics. They will discuss the topic, and the group will be focused on a single issue (or set of issues). This is a goldmine for a company like Google which makes money from selling advertising. Nearly everything that Google does is ‘free’ to the user, and the cost is that everything you do is tracked and monetized somehow for Google’s advertising clients. The more services Google provides, and the more you sign up to use, the more exposed you are (and therefore the more useful to Google). I have Gmail (and therefore Gmail Chat), Picasa, Google Wave, Google Apps, a Google Books library, a Google Calendar and so on (as mentioned above I also have a Google Orkut account, though relatively denuded of information). Now, all of those things provide information about me and my interests to Google, allowing targeted advertising to be delivered, and useful demographic information to be collected.

Google wave is a whole different beast, because it doesn’t just connect a few random parts of my life that may or may not be current (for instance, me posting photographs of me with funny hair as a teenager isn’t really that interesting to Google – nor anyone else I should think), it connects people who are discussing a topic of mutual interest, in real time. Planning a trip to India? Great, in real time, to your group specifically, Google can target advertising from firms offering travel services in India. Working on a conference in Sydney? Google can target advertising from firms in the area. Even better, your conference is at the Four Points Sheraton? Great, Google can advertise a room discount, the restaurants withing walking distance, a limo service, the theaters, cinemas etc. About to go for a coffee break? Google can pop up the location of the nearest StarCostaPacket coffee store and offer a 50c discount good for the next two hours.

It’s clear that corporations are interested in getting the most relevant information to consumers, and what better way than exploiting real time data on topics currently under discussion. It’s a goldmine, or would be, if only there was a problem that only Google Wave could fix.

Andrew Lee CISSP
AVIEN CEO, CTO K7 Computing Pvt Ltd.

The Internet Book of the Dead (pointer)

I’ve just put up an article at ESET’s blog page that you might find interesting. In fact, if I wasn’t desperately trying to clear a backlog of stuff so that I can take a couple of days off, I’d have posted more on the topic here, but I am desperate, so here’s a simple pointer instead.

http://www.eset.com/threat-center/blog/2009/12/12/the-internet-book-of-the-dead

It’s basically a mock-up of an interview for the BBC that unfortunately didn’t take place, concerning the way your data outlive you.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/