Last year when I wrote a paper about mitigating malware I needed some figures on the percent of machines infected with malware. There are a range of figures, mainly below 10%, but one of the highest was 25%.

I looked into why this occurred and wrote it up in footnote #9 (yes, it’s a paper with a lot of footnotes!). My explanation was:

The 2008 OECD report on Malware [14] contained the sentence “Furthermore, it is estimated that 59 million users in the US have spyware or other types of malware on their computers.” News outlets picked up on this, e.g. The Sydney Morning Herald [20] who divided the 59 million figure into the US population, and then concluded that around a quarter of US computers were infected (assuming that each person owned one computer). The OECD published a correction in the online copy of the report a few days later. They were actually quoting PEW Internet research on adware/spyware (which is a subtly different threat) from 2005 (which was a while earlier than 2008). The sentence should have read “After hearing descriptions of ’spyware’ and ‘adware’, 43% of internet users, or about 59 million American adults, say they have had one of these programs on their home computer.” Of such errors in understanding the meaning of data is misinformation made.

We may be about to have a similar thing happen with Facebook account compromises.

On Jan 4, ZoneAlarm published a blog article along with this graphic (I’ve provided a local copy because I hope that all other copies will get destroyed!). One of its key findings was:

• 4 million Facebook users experience spam on a daily basis.
• More than 20% of newsfeed links currently open viruses.
• 600,000 logins are compromised every day. That’s 7 logins every second.

The graphic now says:

• 4 million Facebook users experience spam on a daily basis.
• 20% of Facebook users have been exposed to a virus.
• Facebook sees 600,000 attempts to hijack logins a day and pre-emptively protects against them.

which, you have to agree is really rather different.

This blog article is sceptical, but not (entirely) corrected — I quote it because it mentions the PR reasons behind Zonealarm’s statistics (they sell a product which purportedly protects you), and because it mentions that other people had been confused about the 600,000 figure in the past.

So I looked into where the 600,000 figure originated, and found that it’s original source was Facebook!

This post by Graham Cluley at Sophos draws attention to Facebook’s graphic (original copy here) accompanying an Oct 27 2011 article about their security mechanisms which said:

• Less than 4% of content shared on Facebook is spam.
• Only .06% of over 1 billion logins per day are compromised.
• Less than .5% of Facebook users experience spam on any given day.

Graham did the simple multiplication required to produce the 600,000 compromise figure, which is the same sum as Zonealarm’s PR people have done. Similarly the “less than .5%” translates to the 4 million figure they use.

However, if you look at the official Facebook copy of the infographic accompanying their blog post today (copy here) then you can see they have revised it. It now just has the data points:

• Less than 4% of content shared on Facebook is spam.
• Less than .5% of Facebook users experience spam on any given day.

In fact they revised their report pretty much immediately after they first posted it, when journalists started ringing! In this article on the topic Facebook is quoted as saying that the 600,000 is a count of logins that are blocked because Facebook is not convinced it is the account owner who is doing the login — so if some criminal tries a brute force guessing attack on 850 accounts, getting around to each one every 2 minutes, they alone would create the 600,000/day figure!

Time will tell whether the original meme survives, but perhaps people searching for a source to cite will encounter this blog post (or indeed this one which looks at the spam data) and avoid promulgating misleading data the way that Zonealarm has done.

PS: So far I cannot source the Zonealarm “20% of newsfeeds figure” to see how that came about, but I’m keeping looking.

Every Christmas we give our friends in the banking industry a wee present. Sometimes it’s the responsible disclosure of a vulnerability, which we publish the following February: 2007’s was PED certification, 2008’s was CAP while in 2009 we told the banking industry of the No-PIN attack. This year too we have some goodies in the hamper: watch our papers at Financial Crypto 2012.

In other years, we’ve had arguments with the bankers’ PR wallahs. In 2010, for example, their trade association tried to censor one of our students’ thesis. That saga also continues; Britain’s bankers tried once more to threaten us so we told them once more to go away. We have other conversations in progress with bankers, most of them thankfully a bit more constructive.

This year’s Christmas present is different: it’s a tale with a happy ending. Eve Russell was a fraud victim whom Barclays initially blamed for her misfortune, as so often happens, and the Financial Ombudsman Service initially found for the bank as it routinely does. Yet this was clearly not right; after many lawyers’ letters, two hearings at the ombudsman, two articles in The Times and a TV appearance on Rip-off Britain, Eve won. This is the first complete case file since the ombudsman came under the Freedom of Information Act; by showing how the system works, it may be useful to fraud victims in the future.

For your Christmas entertainment, we offer the bank statement which told Eve of the fraud; the initial exchange of letters between Eve’s lawyers and the bank; the ombudsman’s routine initial ruling against Eve, and her protest; the correspondence between the ombudsman and Barclays; Eve’s appeal and expert opinion; the verdict; and the offer of settlement. And let’s not forget the Thunder. A Merry Christmas to all!

I will be talking in London on Wednesday at a workshop on Anonymity, Privacy, and Open Data about the difficulty of anonymising medical records properly. I’ll be on a panel with Kieron O’Hara who wrote a report on open data for the Cabinet Office earlier this year, and a spokesman from the ICO.

This will be the first public event on the technology and policy issues surrounding anonymisation since yesterday’s announcement that the government will give wide access to anonymous versions of our medical records. I’ve written extensively on the subject: for an overview, see my book chapter which explores the security of medical systems in general from p 282 and the particular problems of using “anonymous” records in research from p 298. For the full Monty, start here.

Anonymity is hard enough if the data controller is capable, and motivated to try hard. In the case of the NHS, anonymity has always been perfunctory; the default is to remove patient names and addresses but leave their postcodes and dates of birth. This makes it easy to re-identify about 99% of patients (the exceptions are mostly twins, soldiers, students and prisoners). And since I wrote that book chapter, the predicted problems have come to pass; for example the NHS lost a laptop containing over eight million patients’ records.

The Sunday media have been trailing a speech by David Cameron tomorrow about giving us online access to our medical records and our kids’ school records, and making anonymised versions of them widely available to researchers, companies and others. Here is coverage in the BBC, the Mail and the Telegraph; there’s also a Cabinet Office paper. The measures are supported by the CEO of Glaxo and opposed by many NGOs.

If the Government is going to “ensure all NHS patients can access their personal GP records online by the end of this Parliament”, they’ll have to compel the thousands of GPs who still keep patient records on their own machines to transfer them to centrally-hosted facilities. The systems are maintained by people who have to please the Secretary of State rather than GPs, and thus become progressively less useful. This won’t just waste doctors’ time but will have real consequences for patient safety and the quality of care.

We’ve seen this repeatedly over the lifetime of NPfIT and its predecessor the NHS IM&T strategy. Officials who can’t develop working systems become envious of systems created by doctors; they wrest control, and the deterioration starts.

It’s astounding that a Conservative prime minister could get the idea that nationalising something is the best way to make it work better. It’s also astonishing that a Government containing Liberals who believe in human rights, the rule of law and privacy should support the centralisation of medical records a mere two years after the Joseph Rowntree Reform Trust, a Liberal charity, produced the Database State report which explained how the centralisation of medical records (and for that matter children’s records) destroys privacy and contravenes human-rights law. The coming debate will no doubt be vigorous and will draw on many aspects of information security, from the dreadful security usability (and safety usability) of centrally-purchased NHS systems, through the real hazards of coerced access by vulnerable patients, to the fact that anonymisation doesn’t really work. There’s much more here. Of course the new centralisation effort will probably fail, just like the last two; health informatics is a hard problem, and even Google gave up. But our privacy should not depend on the government being incompetent at wrongdoing. It should refrain from wrongdoing in the first place.

In early November, a sophisticated fraud was shut down and a number of people arrested. Malware from a family called “DNSChanger” had been placed on around four million machines (Macs as well as Windows machines) over several years.

The compromised users had their DNS traffic redirected to criminally operated servers. The main aim of the criminals seems to have been to redirect search queries and thereby to make money from displaying adverts.

Part of the mitigation of DNSChanger involves ISC running DNS servers for a while (so that 4 million people whose DNS servers suddenly disappear don’t simultaneously ring their ISP helpdesks complaining that the Internet is broken).

To prevent bad people running the DNS servers instead, the address blocks containing the IPs of the rogue DNS servers which used to belong to the criminals (but are now pointed at ISC) have been “locked”.

This is easy for ARIN (the organisation who looks after North American address space) to acquiesce to, because they have US legal paperwork compelling their assistance. However, the Dutch police have generated some rather less compelling paperwork and served that on RIPE; so RIPE is now asking the Dutch court to clarify the position.

Further details of the issues with the legal paperwork can be found on (or linked from) the Internet Governance Project blog. The IGP is a group of mainly but not entirely US academics working on global Internet policy issues.

As the IGP rightly point out, this is going to be an important case because it is going to draw attention to the role of the RIRs — just at the time when that role is set to become even more important.

As we move to crypto-secured BGP routing, the RIRs (ARIN, RIPE etc) will be providing cryptographic assurance of the validity of address block ownership. Which means, in effect, that we are building a system where the courts in one country (five countries in all, for five RIRs) could remove ISPs and hosting providers from the Internet… and some ISPs [and their governments] (who are beginning to think ahead) are not entirely keen on this prospect.

If, as one might expect, the Dutch courts eventually uphold the DNSChanger compulsion on RIPE (even if the Dutch police have to have a second go at making the paperwork valid) then maybe this will prove the impetus to abandon a pyramid structure for BGP security and move to a “sea of certificates” model (where one independently chooses from several overlapping roots of authority) — which more closely approximates the reality of a global system which touches a myriad set of local jurisdictions.

The House of Commons Science and Technology Select Committee is currently holding an inquiry into malware.

I submitted written evidence in September and today I was one of three experts giving oral evidence to the MPs. The session was televised and so conceivably it may turn up on the TV in some strange timeslot — but if you’re interested then there’s a web version for viewing at your convenience. Shortly there will be a written transcript as well.

The Committee’s original set of questions included one about whether malware infection might usefully be treated as a public health issue — of particular interest to me because I have a published paper which considers the role that Governments might play in countering malware for the public good!

In the event, this wasn’t asked about at all. The questions were much more basic, covering the security of hardware and software, the role of the police (and at one point, bizarrely, considering the merits of the Amstrad PCW; a product I was jointly involved in designing and building, some 25 years ago).

In fact it was all rather more about dealing with crime than dealing with malware — which is fine (and obviously closely connected) but it wasn’t the topic on which everyone submitted evidence. This may mean that the Committee has a shortage of material if their report aims to address the questions that they raised today.

I spent the early part of this week at the London Conference on Cyberspace, organised by the UK Foreign Office.

Besides feel-good sessions on how wonderful the Internet can be for social engagement and economic growth, the two themes that had really drawn the participants were cybercrime and cyberwar (the latter being rebranded as ‘cyber security’ to avoid frightening the horses).

There was predictably little progress on the latter topic to be seen in public — Russia wants to strengthen national borders in cyberspace (and Evgeny Kaspersky spoke approvingly of strong online identity) and China’s position is similar (albeit their main intervention from the floor was an offer to investigate hacking attacks that came from their country).

Cybercrime was more straightforwardly condemned (which would not have surprised Calvin Coolidge) but the same fault-lines showed up in this topic as well.

In particular the 2001 Convention on Cybercrime (now often called the Budapest Convention) is endorsed by Europe and the US, but is unacceptable to others (notably Russia and China). Competing legal regimes are the Commonweath Cybercrime Initiative with its Model Law and the ITU (and now UN) Global Cybersecurity Agenda (they address Cybercrime, not Cyberwar) with its toolkit for legislation.

An important sticking point for many countries with the Budapest regime, is Article 32B, which says:

A Party may, without the authorisation of another Party [..] access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.

The problem for cybercrime investigators is that the data they need to progress their investigation is often held in another country. Accessing the data via a Mutual Legal Assistance Treaty (MLAT) can take months (at the London Conference, Scott Charney said that he’d once got the data five years after it was asked for), but having foreign law enforcement officers tramp around “your territory” is generally seen as an infringement of sovereignty.

For the last decade or so, the practical fix for email records has been a two stage process. The service provider (usually in the US) is asked for the relevant data (for example the IP addresses used to operate the account) and this is provided within a few hours on an “intelligence” basis. If the data will be needed for a trial then a formal application is made under the MLAT process and with a following wind (and the usual delay of most of a year before the case is listed) the data will arrive in time to be disclosed to the defence and used as “evidence” in the courtroom. This all falls under the voluntary consent scheme envisaged in 32B.

It gets a bit more complex with a search warrant. Imagine an investigation where a company in Cambridge has been served and a sysadmin is accessing centrally stored files to an officer up from the Met who is investigating a complex fraud. If the sysadmin stays silent then there is no problem. If she volunteers the information that the downloading of the files is slow because the server is miles away in Manchester then all is fine because the London issued warrant is good throughout England. If the sysadmin explains that this is Manchester, New Hampshire then the Met officer must immediately call a halt to the download (to avoid a diplomatic incident) and use MLAT to ask the US authorities to obtain the data for her.

If the data was stored “in the cloud” it would be even more complicated. It might take some time to establish which country (or countries) that the data was stored in, so an MLAT approach might not even be possible.

In the “cloud” session on Wednesday morning, Baroness Neville-Jones (recently the Security Minister), suggested that the Government might consider how they could regulate to discourage the use of clouds where data was stored in countries without MLAT arrangements with the UK!

My own view is that we need to completely rework the MLAT arrangements and extend 32B to permit compelled access across borders (ie not just voluntary regimes) provided that the data was lawfully available before the compulsion occurred — ie: the sysadmin can be compelled to download the files from the cloud, but the regime would not permit law enforcement to ‘hack’ into systems on foreign territory.

Now of course those countries that already reject 32B are not going to sign up for this extended version, but it does not seem that much of a stretch for this limited extension to the existing voluntary regime. Unfortunately, the Baroness told me, the UK is one of the countries which is ultra-sensitive — hence we have the European Investigation Order (whereby UK police act on behalf of foreign forces) rather than allowing foreign officers to operate on our soil. However, if we’re serious about tackling cybercrime then we’re going to have to be rather less sensitive — the criminals don’t stop at borders and so any small steps we can take to remove barriers for the police will be well worth tackling.

Back in July I wrote a blog article “Will Newzbin be blocked?” which discussed the granting of an injunction to a group of movie companies to force BT to block access to “Newzbin2“.

The parties were back in court this last week to hammer out the exact details of the injunction.

The final wording of the injunction requires BT to block customer access to Newzbin2 by #1(1) rerouting traffic to relevant IPs and #1(2) applying “DPI based” URL blocking. The movie companies have to tell BT which IPs and which URLs are relevant.

#2 of the injunction says that BT can use its existing “Cleanfeed” system (which I wrote about here and at greater length in my PhD thesis here) to meet the requirements of #1, even though Cleanfeed isn’t believed to use DPI at all !

#3 and #4 of the injunction allows the parties to agree to suspend blocking and to come back to court in the future, and #5 relates to the costs of the court action.

One of the (few) upsides of this injunction will be to permit lawful experimentation as to the effectiveness of the Cleanfeed system, assuming that it is used — if the studios ask for all URLs on a website to be blocked, I expect that null routing the website entirely will be simpler for BT than redirecting traffic to the Cleanfeed proxy.

Up until now, discovering a flaw in the technical implementation of Cleanfeed would result in successful access to a child sexual abuse image website. Anyone monitoring the remote end of the connection might then draw the conclusion that images had been viewed and a criminal offence committed. Although careful experimental design could avoid law-breaking, it might be some time into the investigation process before this was properly understood by the criminal justice system, and the intervening period would be somewhat stressful for the investigator.

There is no law that prevents viewing of the contents of Newsbin2, and so the block circumvention techniques proposed over the past few years (starting of course with just using “https”) can now start to be evaluated as to their actual effectiveness.

However, there is more to #1 of the injunction, in that it applies to:

[...] www.newzbin.com, its domains and sub-domains and including payments.newzbin.com and any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 website.

I don’t expect that publishing circumvention experience here on LBT could be seen as the predominant purpose of this blog… so I don’t really expect these pages to suddenly become invisible to BT customers. But, since the whole process has an Alice in Wonderland feel to it (someone who believes that blocking websites is possible clearly had little else to do before breakfast), it cannot be entirely ruled out.

We’re steadily learning more about the latest Trusted Computing proposals. People have started to grok that building signed boot into UEFI will extend Microsoft’s power over the markets for AV software and other security tools that install around boot time; while ‘Metro’ style apps (i.e. web/tablet/html5 style stuff) could be limited to distribution via the MS app store. Even if users can opt out, most of them won’t. That’s a lot of firms suddenly finding Steve Ballmer’s boot on their jugular.

We’ve also been starting to think about the issues of law enforcement access that arose during the crypto wars and that came to light again with CAs. These issues are even more wicked with trusted boot. If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs’ gmail, then I expect they’ll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware. Hey, I removed the Tubitak key from my browser, but how do I identify and block all foreign governments’ UEFI keys?

Our Greek colleagues are already a bit cheesed off with Wall Street. How happy will they be if in future they won’t be able to install the security software of their choice on their PCs, but the Turkish secret police will?

This morning the Department for Culture Media and Sport (DCMS) have published a series of documents relating to the implementation of the Digital Economy Act 2010.

One of those documents, from OFCOM, describes how “Site Blocking” might be used to prevent access to websites that are involved in copyright infringement (ie: torrent sites, Newzbin, “cyberlockers” etc.).

The report appears, at a quick glance, to cover the ground pretty well, describing the various options available to ISPs to block access to websites (and sometimes to block access altogether — since much infringement is not “web” based).

The site also explains how each of the systems can be circumvented (and how easily) and makes it clear (in big bold type) “All techniques can be circumvented to some degree by users and site owners who are willing to make the additional effort.”

I entirely agree — and seem to recall a story from my childhood about the Emperor’s New Blocking System — and note that continuing to pursue this chimera will just mean that time and money will be pointlessly wasted.

However OFCOM duly trot out the standard line one hears so often from the rights holders: “Site blocking is likely to deter casual and unintentional infringers and by requiring some degree of active circumvention raise the threshold even for determined infringers.”

The problem for the believers in blocking is that this just isn’t true — pretty much all access to copyright infringing material involves the use of tools (to access the torrents, to process NZB files, or just to browse [one tends not to look at web pages in Notepad any more]). Although these tools need to be created by competent people, they are intended for mass use (point and click) and so copyright infringement by the masses will always be easy. They will not even know that the hurdles were there, because the tools will jump over them.

Fortuitously, the DCMS have provided an illustration of this in their publishing of the OFCOM report…

The start of the report says “The Department for Culture, Media and Sport has redacted some parts of this document where it refers to techniques that could be used to circumvent website blocks. There is a low risk of this information being useful to people wanting to bypass or undermine the Internet Watch Foundation‟s blocks on child sexual abuse images. The text in these sections has been blocked out.”

What the DCMS have done (following in the footsteps of many other incompetents) is to black out the text they consider to be sensitive. Removing this blacking out is simple but tedious … you can get out a copy of Acrobat and change the text colour to white — or you can just cut and paste the black bits into Notepad and see the text.

So I confidently expect that within a few hours, non-redacted (non-blocked!) versions of the PDF will be circulating (they may even become more popular than the original — everyone loves to see things that someone thought they should not). The people who look at these non-blocked versions will not be technically competent, they won’t know how to use Acrobat, but they will see the material.

So the DCMS have kindly made the point in the simplest of ways… the argument that small hurdles make any difference is just wishful thinking; sadly for Internet consumers in many countries (who will end up paying for complex blocking systems that make no practical difference) these wishes will cost them money.

PS: the DCMS do actually understand that blocking doesn’t work, or at least not at the moment. Their main document says “Following advice from Ofcom – which we are publishing today – we will not bring forward site blocking regulations under the DEA at this time.” Sadly however, this recognition of reality is too late for the High Court.