Last year when I wrote a paper about mitigating malware I needed some figures on the percent of machines infected with malware. There are a range of figures, mainly below 10%, but one of the highest was 25%.

I looked into why this occurred and wrote it up in footnote #9 (yes, it’s a paper with a lot of footnotes!). My explanation was:

The 2008 OECD report on Malware [14] contained the sentence “Furthermore, it is estimated that 59 million users in the US have spyware or other types of malware on their computers.” News outlets picked up on this, e.g. The Sydney Morning Herald [20] who divided the 59 million figure into the US population, and then concluded that around a quarter of US computers were infected (assuming that each person owned one computer). The OECD published a correction in the online copy of the report a few days later. They were actually quoting PEW Internet research on adware/spyware (which is a subtly different threat) from 2005 (which was a while earlier than 2008). The sentence should have read “After hearing descriptions of ’spyware’ and ‘adware’, 43% of internet users, or about 59 million American adults, say they have had one of these programs on their home computer.” Of such errors in understanding the meaning of data is misinformation made.

We may be about to have a similar thing happen with Facebook account compromises.

On Jan 4, ZoneAlarm published a blog article along with this graphic (I’ve provided a local copy because I hope that all other copies will get destroyed!). One of its key findings was:

• 4 million Facebook users experience spam on a daily basis.
• More than 20% of newsfeed links currently open viruses.
• 600,000 logins are compromised every day. That’s 7 logins every second.

The graphic now says:

• 4 million Facebook users experience spam on a daily basis.
• 20% of Facebook users have been exposed to a virus.
• Facebook sees 600,000 attempts to hijack logins a day and pre-emptively protects against them.

which, you have to agree is really rather different.

This blog article is sceptical, but not (entirely) corrected — I quote it because it mentions the PR reasons behind Zonealarm’s statistics (they sell a product which purportedly protects you), and because it mentions that other people had been confused about the 600,000 figure in the past.

So I looked into where the 600,000 figure originated, and found that it’s original source was Facebook!

This post by Graham Cluley at Sophos draws attention to Facebook’s graphic (original copy here) accompanying an Oct 27 2011 article about their security mechanisms which said:

• Less than 4% of content shared on Facebook is spam.
• Only .06% of over 1 billion logins per day are compromised.
• Less than .5% of Facebook users experience spam on any given day.

Graham did the simple multiplication required to produce the 600,000 compromise figure, which is the same sum as Zonealarm’s PR people have done. Similarly the “less than .5%” translates to the 4 million figure they use.

However, if you look at the official Facebook copy of the infographic accompanying their blog post today (copy here) then you can see they have revised it. It now just has the data points:

• Less than 4% of content shared on Facebook is spam.
• Less than .5% of Facebook users experience spam on any given day.

In fact they revised their report pretty much immediately after they first posted it, when journalists started ringing! In this article on the topic Facebook is quoted as saying that the 600,000 is a count of logins that are blocked because Facebook is not convinced it is the account owner who is doing the login — so if some criminal tries a brute force guessing attack on 850 accounts, getting around to each one every 2 minutes, they alone would create the 600,000/day figure!

Time will tell whether the original meme survives, but perhaps people searching for a source to cite will encounter this blog post (or indeed this one which looks at the spam data) and avoid promulgating misleading data the way that Zonealarm has done.

PS: So far I cannot source the Zonealarm “20% of newsfeeds figure” to see how that came about, but I’m keeping looking.

Every Christmas we give our friends in the banking industry a wee present. Sometimes it’s the responsible disclosure of a vulnerability, which we publish the following February: 2007’s was PED certification, 2008’s was CAP while in 2009 we told the banking industry of the No-PIN attack. This year too we have some goodies in the hamper: watch our papers at Financial Crypto 2012.

In other years, we’ve had arguments with the bankers’ PR wallahs. In 2010, for example, their trade association tried to censor one of our students’ thesis. That saga also continues; Britain’s bankers tried once more to threaten us so we told them once more to go away. We have other conversations in progress with bankers, most of them thankfully a bit more constructive.

This year’s Christmas present is different: it’s a tale with a happy ending. Eve Russell was a fraud victim whom Barclays initially blamed for her misfortune, as so often happens, and the Financial Ombudsman Service initially found for the bank as it routinely does. Yet this was clearly not right; after many lawyers’ letters, two hearings at the ombudsman, two articles in The Times and a TV appearance on Rip-off Britain, Eve won. This is the first complete case file since the ombudsman came under the Freedom of Information Act; by showing how the system works, it may be useful to fraud victims in the future.

For your Christmas entertainment, we offer the bank statement which told Eve of the fraud; the initial exchange of letters between Eve’s lawyers and the bank; the ombudsman’s routine initial ruling against Eve, and her protest; the correspondence between the ombudsman and Barclays; Eve’s appeal and expert opinion; the verdict; and the offer of settlement. And let’s not forget the Thunder. A Merry Christmas to all!

I will be talking in London on Wednesday at a workshop on Anonymity, Privacy, and Open Data about the difficulty of anonymising medical records properly. I’ll be on a panel with Kieron O’Hara who wrote a report on open data for the Cabinet Office earlier this year, and a spokesman from the ICO.

This will be the first public event on the technology and policy issues surrounding anonymisation since yesterday’s announcement that the government will give wide access to anonymous versions of our medical records. I’ve written extensively on the subject: for an overview, see my book chapter which explores the security of medical systems in general from p 282 and the particular problems of using “anonymous” records in research from p 298. For the full Monty, start here.

Anonymity is hard enough if the data controller is capable, and motivated to try hard. In the case of the NHS, anonymity has always been perfunctory; the default is to remove patient names and addresses but leave their postcodes and dates of birth. This makes it easy to re-identify about 99% of patients (the exceptions are mostly twins, soldiers, students and prisoners). And since I wrote that book chapter, the predicted problems have come to pass; for example the NHS lost a laptop containing over eight million patients’ records.

The Sunday media have been trailing a speech by David Cameron tomorrow about giving us online access to our medical records and our kids’ school records, and making anonymised versions of them widely available to researchers, companies and others. Here is coverage in the BBC, the Mail and the Telegraph; there’s also a Cabinet Office paper. The measures are supported by the CEO of Glaxo and opposed by many NGOs.

If the Government is going to “ensure all NHS patients can access their personal GP records online by the end of this Parliament”, they’ll have to compel the thousands of GPs who still keep patient records on their own machines to transfer them to centrally-hosted facilities. The systems are maintained by people who have to please the Secretary of State rather than GPs, and thus become progressively less useful. This won’t just waste doctors’ time but will have real consequences for patient safety and the quality of care.

We’ve seen this repeatedly over the lifetime of NPfIT and its predecessor the NHS IM&T strategy. Officials who can’t develop working systems become envious of systems created by doctors; they wrest control, and the deterioration starts.

It’s astounding that a Conservative prime minister could get the idea that nationalising something is the best way to make it work better. It’s also astonishing that a Government containing Liberals who believe in human rights, the rule of law and privacy should support the centralisation of medical records a mere two years after the Joseph Rowntree Reform Trust, a Liberal charity, produced the Database State report which explained how the centralisation of medical records (and for that matter children’s records) destroys privacy and contravenes human-rights law. The coming debate will no doubt be vigorous and will draw on many aspects of information security, from the dreadful security usability (and safety usability) of centrally-purchased NHS systems, through the real hazards of coerced access by vulnerable patients, to the fact that anonymisation doesn’t really work. There’s much more here. Of course the new centralisation effort will probably fail, just like the last two; health informatics is a hard problem, and even Google gave up. But our privacy should not depend on the government being incompetent at wrongdoing. It should refrain from wrongdoing in the first place.

News travels fast. Blogs and other websites pick up a news story only about 2.5 hours on average after it has been reported by traditional media. This leads to an almost continuous supply of new “trending” topics, which are then amplified across the Internet, before fading away relatively quickly. Many web companies track these terms, on search engines and in social media.

However narrow, these first moments after a story breaks present a window of opportunity for miscreants to infiltrate web and social network search results in response. The motivation for doing so is primarily financial. Websites that rank high in response to a search for a trending term are likely to receive considerable amounts of traffic, regardless of their quality.

In particular, the sole goal of many sites designed in response to trending terms is to produce revenue through the advertisements that they display in their pages, without providing any original content or services. Such sites are often referred to as “Made for AdSense” (MFA) after the name of the Google advertising platform they are often targeting. Whether such activity is deemed to be criminal or merely a nuisance remains an open question, and largely depends on the tactics used to prop the sites up in the search-engine rankings. Some other sites devised to respond to trending terms have more overtly sinister motives. For instance, a number of malicious sites serve malware in hopes of infecting visitors’ machines, or peddle fake anti-virus software.

Together with Nektarios Leontiadis and Nicolas Christin, I have carried out a large-scale measurement and analysis of trending-term exploitation on the web, and the results are being presented at the ACM Conference on Computer and Communications Security (CCS) in Chicago this week. Based on a collection of over 60 million search results and tweets gathered over nine months, we characterize how trending terms are used to perform web search-engine manipulation and social-network spam. The full details can be found in the paper and presentation.

We found that 18% of the trending terms included at least one search result flagged as malware within 72 hours of the term appearing in the Google’s list of trending terms. At any point in time, around 4% of the currently “hot” terms include results pointing to malware that has already been detected by Google. A further 2% of “hot” terms link to malware that has not yet been detected, on average. For consistently popular terms, the figures are considerably lower — 2% of such terms include links to detected malware and only 0.2% have links to malware not yet appearing in Google’s blacklist.

We also encountered many low-quality MFA sites such as eworldpost.com (screenshot here), which appeared high in Google’s search results for 549 distinct trending terms between July 2010 and March 2011. In all, around 40% of trending terms included MFA sites such as eworldpost.com in their results.

Looking at the terms themselves, we found that the less popular terms attract more malware and ads. One third of terms whose peak popularity was under 1,000 searches per month included malware in their results, compared to under 10% of terms attracting more than 100,000 monthly searches. We observed a similar effect for MFA sites. This suggests that search engines can choose from more legitimate options for the more lucrative terms, as compared to “long-tail” search terms.

We then estimated the number of visitors who are exposed to malware and MFA via trending search terms by linking our results to Google’s own estimates of visits per search term. We estimate that over 4 million users are exposed to low-quality MFA sites when searching for trending terms each month, compared to around 50,000 visits pointing to malware. We further estimate that these visits translate to monthly revenues of around $100,000 for MFA sites and $60,000 for malware-distributing sites. This is certainly a lower-bound on the revenues available to miscreants by poisoning search, given that there are many additional search terms to target in addition to those currently trending. Nonetheless, I do think these calculations provide additional empirical support to the argument that many estimates of cyber-criminal revenues are overblown.

Furthermore, when combined with our earlier finding that malware and MFA sites both target the search results of less popular terms, these revenue estimates suggest that MFA and malware could be viewed as economic substitutes by the purely profit-motivated adversary. Consequently, any crackdown on one monetization vector could make the other more attractive. This is important, because Google initiated a crackdown on low-quality ad-sites in February 2011, during the middle of our data collection. This fortunate timing allowed us to measure the impact of Google’s intervention. We found that traffic to MFA sites from trending terms fell by around half after the algorithm change, likely reducing the profitability of MFA sites.

What might this mean for the future? Perhaps malware distribution will be seen as more financially attractive to miscreants, in which case we could see more malware-distribution targeting trending terms. Such a shift in strategy is not without precedence. Several years ago, typosquatting was used to direct customers to pornographic websites and carry out phishing attacks. Following a crack-down on such practices, domain squatters settled on a more lucrative model — syndicating pay-per-click ads. Now, at least a million typo websites are in use, and the vast majority simply host ads, drawing in hundreds of millions of dollars of revenue annually.

The open question is whether a significant crackdown on low-quality ad sites might simply shift the economics in favor of distributing malware. However, search engines have already demonstrated a willingness to fight malware distribution, in addition to combating MFA sites. Consequently, we remain optimistic that search engines might be willing to crack down on all abuses of trending terms.

There seems to be an attempt to revive the “Trusted Computing” agenda. The vehicle this time is UEFI which sets the standards for the PC BIOS. Proposed changes to the UEFI firmware spec would enable (in fact require) next-generation PC firmware to only boot an image signed by a keychain rooted in keys built into the PC. I hear that Microsoft (and others) are pushing for this to be mandatory, so that it cannot be disabled by the user, and it would be required for OS badging. There are some technical details here and here, and comment here.

These issues last arose in 2003, when we fought back with the Trusted Computing FAQ and economic analysis. That initiative petered out after widespread opposition. This time round the effects could be even worse, as “unauthorised” operating systems like Linux and FreeBSD just won’t run at all. (On an old-fashioned Trusted Computing platform you could at least run Linux – it just couldn’t get at the keys for Windows Media Player.)

The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate. It is clearly unlawful and must not succeed.

Unauthorized online pharmacies that sell prescription drugs without requiring a prescription have been a fixture of the web for many years. Given the questionable legality of the shops’ business models, it is not surprising that most pharmacies resort to illegal methods for promoting their wares. Most prominently, email spam has relentlessly advertised illicit pharmacies. Researchers have measured the conversion rate of such spam, finding it to be surprisingly low. Upon reflection, this makes sense, given the spam’s unsolicited and untargeted nature. A more successful approach for the pharmacies would be to target users who have expressed an interest in purchasing drugs, such as those searching the web for online pharmacies. The trouble is that dodgy pharmacy websites don’t always garner the highest PageRanks on their own merits, and so some form of black-hat search-engine optimization may be required in order to appear near the top of web search results.

Indeed, by gathering daily the top search web results for 218 drug-related queries over nine months in 2010-2011, Nektarios Leontiadis, Nicolas Christin and I have found evidence of substantial manipulation of web search results to promote unauthorized pharmacies. In particular, we find that around one-third of the collected search results were one of 7,000 infected hosts triggered to redirect to a few hundred pharmacy websites. In the pervasive search-redirection attacks, miscreants compromise high-ranking websites and dynamically redirect traffic different pharmacies based on the particular search terms issued by the consumer. The full details of the study can be found in a paper appearing this week at the 20th USENIX Security Symposium in San Francisco.

Search-redirection attacks combine several well-worn tactics from black-hat SEO and web security. First, an attacker identifies high-visibility websites (e.g., at universities) that are vulnerable to code-injection attacks. The attacker injects code onto the server that intercepts all incoming HTTP requests to the compromised page and responds differently based on the type of request:

Requests from search-engine crawlers return a mix of the original content, along with links to websites promoted by the attacker and text that makes the website appealing to drug-related queries.

Requests from users arriving from search engines are checked for drug terms in the original search query. If a drug name is found in the search term, then the compromised server redirects the user to a pharmacy or another intermediary, which then redirects the user to a pharmacy.

All other requests, including typing the link directly into a browser, return the infected website’s original content.

The net effect is that web users are seamlessly delivered to illicit pharmacies via infected web servers, and the compromise is kept hidden from view of the affected host’s webmaster in nearly all circumstances.

Upon inspecting search results, we identified 7,000 websites that had been compromised in this manner between April 2010 and February 2011. One quarter of the top ten search results were observed to actively redirect to pharmacies, and another 15% of the top results were for sites that no longer redirected but had previously been compromised. We also found that legitimate health resources, including authorized pharmacies, were largely crowded out of the top results by search-redirection attacks and blog and forum spam promoting fake pharmacies.

We observed the median lifetime of infected websites to be 47 days, but that 16% of the websites remained infected at the end of our study. Furthermore, we found that websites on the .edu and .org TLDs are infected disproportionately more often and the infections persist for far longer than websites in other domains. The median lifetime of .edu infections was 113 days, for example.

Using estimates of the popularity of drug-related search terms and the payment-processing websites used by the pharmacies, we are able to derive a ballpark figure for the conversion rate of between 0.3% and 3.2%. Consequently, while email spam promoting pharmacies has attracted more attention, we conclude that the bulk of pharmaceutical sales are likely dominated by referrals from web search. This is not surprising, given that most people find it more natural to turn to their search engine of choice than to their spam folder when shopping online.

To those who aim to reduce unauthorized pharmaceutical sales, the implication is clear: more emphasis on combating transactions facilitated by web search is warranted. The existing public-private partnership initiated by the White House has so far focused on areas other than search-redirection attacks. Domain name registrars (led by GoDaddy) can shut down maliciously registered domains, while Google has focused on blocking advertisements (but not necessarily search results) from unauthorized pharmacies. Unfortunately, no single entity speaks for the many webmasters whose sites have unknowingly been recruited to drive traffic to illicit pharmacies.

We think that search engines can take a more active role, and indeed Google has begun issuing notices of suspected compromised websites in search results. However, this does not go nearly as far as the interstitial warnings that actively block visiting web servers that distribute malware. Furthermore, by examining the redirection chains from infected hosts to pharmacies, we have found that taking down a few key redirectors could disrupt the affiliate network promoting pharmacies.

In sum, we think that it is essential for any future countermeasures to involve important intermediaries such as web search engines, and to target malicious activity in the search results, not just their ads.

Britain’s phone hacking scandal touches many issues of interest to security engineers. Murdoch’s gumshoes listened to celebs’ voicemail messages using default PINs. They used false-pretext phone calls – blagging – to get banking and medical records.

We’ve known for years that private eyes blag vast amounts of information (2001 book, from page 167; 2006 ICO Report). Centralisation and the ‘Cloud’ are making things worse. Twenty years ago, your bank records were available only in your branch; now any teller at any branch can look them up. The dozen people who work at your doctor’s surgery used to be able to keep a secret, but the 840,000 staff with a logon to our national health databases?

Attempts to fix the problem using the criminal justice system have failed. When blagging was made illegal in 1995, the street price of medical records actually fell from £200 to £150! Parliament increased the penalty from fines to jail in 2006 but media pressure scared ministers off implementing this law.

Our Database State report argued that the wholesale centralisation of medical and other records was unsafe and illegal; and the NHS Population Demographics Service database appears to be the main one used to find celebs’ ex-directory numbers. Celebs can opt out, but most of them are unaware of PDS abuse, so they don’t. Second, you can become a celeb instantly if you are a victim of crime, war or terror. Third, even if you do opt out, the gumshoes can just bribe policemen, who have access to just about everything.

In future, security engineers must pay much more attention to compartmentation (even the Pentagon is now starting to get it), and we must be much more wary about the risk that law-enforcement access to information will be abused.

I’m planning to liveblog WEIS 2011, as I did in 2010 and 2009. This is the tenth WEIS with over 100 people, 20 refereed talks, 2 invited talks and one panel. I’ll blog each session in a follow-up to this post.

Sometime last week, Sony discovered that up to 77 M accounts on its PlayStation Network were compromised. Sony’s network was down for a week before they finally disclosed details yesterday. Unusually, there haven’t yet been any credible claims of responsibility for the hack, so we can only go on Sony’s official statements. The breach included names and addresses, passwords, and answers to personal knowledge questions, and possibly payment details. The risks of leaking payment card numbers are well-known, including fraudulent payment transactions and identity theft. Sony has responded by offering to provide free credit checks for affected customers and notifying major credit ratings bureaus with a list of affected customers. This hasn’t been enough for many critics, including a US Senator.

Still, this is far more than Sony has done regarding the leaked passwords. The risks here are very real—hackers can attempt to re-use the compromised passwords (possibly after inverting hashes using brute-force) at many other websites, including financial ones. There are no disclosure laws here though, and Sony has done nothing, not even disclosing the key technical details of how passwords were stored. The implications are very different if the passwords were stored in cleartext, hashed in a constant manner, or properly hashed and salted. Sony customers ought to know what really happened. Instead, towards the bottom of Sony’s FAQ they trail off mid sentence when discussing the leaked passwords:

Additionally, if you use the same user name or password for your PlayStation Network or Qriocity service account for other [no further text]

As we explored last summer, this is a serious market failure. Sony’s security breach has potentially compromised passwords at hundreds of other sites where its users re-use the same password and email address as credentials. This is a significant externality, but Sony bears no legal responsibility, and it shows. The options are never great once a breach has occurred, but Sony should at a minimum have promptly provided full details about their password storage, gave clear instructions to users to change their password at other sites, and notified at least the email providers of each account holder to instruct a forced password reset. The legal framework surrounding password breaches must catch up to that for financial breaches.