Monthly Archives: May 2006

ATMs and Disclosure Laws

My local freesheet had an article entitled ‘Skimming device found at Tesco’ (‘Bedfordshire on Sunday’, May 21, p 30). This managed barely 6 column inches, so common is the offence these days. What caught my eye was an appeal by the police for anyone who used the machine at Flitwick between 1030 and 1130 AM on Tuesday last week to check their accounts and report any unauthorised transactions.

Now hang on. What can’t the bank that operates the machine help them? They have the definitive list of potential victims. Come to think of it, when a skimmer is found on Barclays’ machine, and they see that customer X from Lloyds just used it, why don’t they write to Lloyds suggesting they invite her to check her account? Well, you can imagine what Barclays’ lawyers would think of that, but where does the public interest lie?

The Americans do this sort of thing much better. California has a law mandating prompt notification of individuals potentially affected by information compromises, and many other states are trying to follow. According to survey reported by SANS, 71% of Americans want this to become a federal law, and 46% said that they would have serious doubts about political candidates who did not support improving the law.

I initially had my doubts about the Californian initiative, but Tescos in Flitwick are helping convince me.

What's a security problem?

On Wednesday I was driving back from Oxford and dropped off at Tesco to buy some food. They had an offer ‘5 for 4’ — buy any 5 items of packaged fruit or vegetables and get the cheapest of them for free. I bought seven items. I would have expected to get the fifth cheapest item free, but their computer instead gave me the seventh cheapest item. Here is the evidence.

A few years ago, it was common for website designers to make errors in logic that enabled customers to get unanticipated discounts. These were seen as ‘security failures’. Nowadays it seems that programmers err on the other side. Thankfully, this has stopped the security problems.

Or has it? Here’s how to attack Tesco if you don’t like them. Go and buy six packs of fruit and veg, then take the receipt to your local Trading Standards and make a formal complaint. If a hundred people do that, it’ll cost them plenty.

The Internet allows the rapid dissemination, and anonymous exploitation, of vulnerability information, as Microsoft has learned over the last five years. Maybe there are variants of this lesson that will be even more widely learned.

Watching them watching me

On and off for the past two years, I have been investigating anti-counterfeiting measures in banknotes, in particular the Counterfeit Detection Systems (CDS). At the request of the Central Banks Counterfeit Deterrence Group (CBCDG), this software was added to scanner and printer drivers, as well as to image manipulation packages, in order to detect images of currency and prevent them from being processed.

I wrote a webpage on some experiments I ran on the CDS and gave a talk presenting the results of reverse engineering. Unsurprisingly this drew the attention of the involved parties, and while none of them contacted me directly, I was able to see them in my web logs. In September 2005, I first noticed Digimarc, who developed the CDS, followed a few hours later by the European Central Bank and the US Treasury (both CBCDG members), suggesting Digimarc tipped them off.

However none of these paid as much attention as the Bank of England (also a CBCDG member) who were looking at my pages several times a week. I didn’t notice them for a while due to their lack of reverse DNS, but in December I started paying attention. Not only was their persistence intriguing, but based on referrer logs their search queries indicated a particular interest in me, e.g. Project Dendros Steven Murdoch (Dendros is one of my research projects).

Perhaps they just found my work of interest, but in case they had concerns about my research (or me), I wanted to find out more. I didn’t know how to get in contact with the right person there, so instead I rigged my webpage to show visitors from either of the Bank of England’s two IP ranges a personalised message. On 9 February they found it, and here is what happened…

Continue reading Watching them watching me

WEIS 2006

The Fifth Annual Workshop on the Economics of Information Security (WEIS) is coming to Cambridge on June 26-28. WEIS topics include the interaction of networks with crime and conflict; the economics of bugs; the dependability of open source and free software; liability and insurance; reputation; privacy; risk perception; the economics of DRM and trusted computing; the economics of trust; the return on security investment; and economic perspectives on spam. A preliminary program and accepted papers are available online.

Immediately following the conclusion of WEIS is the co-located Sixth Workshop on Privacy Enhancing Technologies, June 28-30. The last week of June is sure to be an exciting one in Cambridge.

Participation is open to all interested researchers, practitioners and policy-makers. Register by the end of the week for an early registration discount.

Cambridge Security Seminars

The Security Group organizes a series of seminars. They are open to anyone interested in security research, not just to staff and students of the Computer Laboratory. Travel directions are available for anyone wishing to attend, and an outline of the programme for this term is below.

If you would like to receive email announcements of forthcoming seminars, please contact me.

Workshop on Privacy in the Electronic Society (WPES 2006)

I am on the program committee for the Workshop on Privacy in the Electronic Society (WPES), held in Alexandria, VA, USA on October 30, 2006. It is co-located with ACM Computer and Communication Security (CCS).

WPES discusses the problems of privacy in the global interconnected societies and possible solutions. We are looking for submissions from academia and industry presenting novel research on all theoretical and practical aspects of electronic privacy, as well as experimental studies of fielded systems.

We encourage submissions from other communities such as law and business that present these communities’ perspectives on technological issues.

The deadline for submissions is June 2, 2006.

Further details can be found in the call for participation [PDF].

The mythical tamper-proof PIN pad?

As reported in many places (BBC News and The Register amongst others), Shell have stopped accepting Chip and PIN transactions at all 600 of their directly owned petrol stations in the UK. It is reported that eight arrests have been made, but only a few details about the modus operandi of the fraudsters have reached the media.

Most reports contain a quote from Sandra Quinn, of APACS:

They have used an old style skimming device. They are skimming thecard, copying the magnetic details – there is no new fraud here. Theyhave managed to tamper with the PIN pads. These pads are supposed tobe tamper resistant, they are supposed to shut down, and so that has obviously failed.

It is not clear from the information that has been released so far whether the “magnetic details” were obtained by the attackers through reading the magnetic stripe, or by intercepting the communication between the card and the terminal. Shell-owned petrol stations seem to use the Smart 5000 PIN pad, produced by Trintech. These devices are hybrid readers: it is impossible to insert a card (for a Chip and PIN transaction) without the magnetic stripe also passing through a reader. With this design, there seem to be two possible methods of attack.

  1. A hardware attack. Given the statement that “[the attackers] have managed to tamper with the PIN pads”, perhaps the only technical element of the fraud was the dismantling of the pads in such a way that the output of the magnetic card reader (or the chip reader) could be relayed to the bad guys by some added internal hardware. Defeating the tamper-resistance in this way might also have allowed the output from the keypad to be read, providing the fraudsters with both the magnetic stripe details and a corresponding PIN. It seems fairly unlikely that any “skimming” device could have been attached externally without arousing the suspicion of consumers; the curved design of the card receptacle, although looking ‘suspicious’ in itself, does not lend itself to the easy attachment of another device.
  2. A software-only attack. The PIN pads used by Shell run the Linux kernel, and so maybe an attacker with a little technical savvy could have replaced the firmware with a version the relays the output of the magstripe reader and PIN pad to the bad guys. The terminals can be remotely managed — a successful attack on the remote management might have allowed all the terminals to be subverted in one go.

The reaction to the fraud (the suspension of Chip and PIN transactions in all 600 stations) is interesting; it suggests that either Shell cannot tell remotely which terminals have been compromised, or perhaps that every terminal was compromised. The former case suggests a “hardware attack”; the latter a (perhaps remote) “software attack”.

Even if the only defeat of the tamper resistance was the addition of some hardware to “skim” the magstripe of all inserted cards, corresponding PINs could have been obtained from, for example, CCTV footage.

Attacks like this look set to continue, given the difficulty of enabling consumers to check the authenticity of the terminals into which they insert their cards (and type their PINs). Even the mythical tamper-proof terminal could be replaced with an exact replica, and card details elicited through a relay attack. Members of the Security Group have been commenting on these risks for some time, but the comments have sometimes fallen on deaf ears.

Persec 2006 and Naccache on tapping mobile phones

Over the past couple of months I attended about half a dozen events around the world (Brussels, Pisa (x3), Tokyo, Cambridge, York, Milan), often as invited speaker, but failed to mention them here. While I won’t promise that I will ever catch up with the reporting, let me at least start.

I was, with Ari Juels of RSA Labs, program chair of IEEE PerSec 2006, the security workshop of the larger PerCom conference, held in March 2006 in Pisa, Italy. I previously mentioned the rfid virus paper by Rieback et al when it got the (second) best paper award: that was the paper I found most enjoyable of the ones in the main track.

Ari and I invited David Naccache as the keynote speaker of our workshop. This was, if I may say so myself, an excellent move: for me, his talk was by far the most interesting part of the whole workshop and conference. Now a professor at the École Normale SupĂ©rieure in Paris, David was until recently a security expert at leading smartcard manufacturer Gemplus. Among other things, his talents allow him to help law enforcement agencies tap the bad guys’s cellphones, read the numbers in their phone books and find out where they have been.

His talk was very informative and entertaining, full of fascinating war stories such as the tricks used to steal covertly an expired session key from the phone of a suspect to decrypt a recorded phone call that had been intercepted earlier as cyphertext. The target was asleep in a hotel room, with his phone under recharge on his bed table, and the author and his agents were in the next room, doing their electronic warfare from across the wall. What do you do in a case like this? pretend to be the base station, reissue the old challenge so that the SIM generates the same session key, and then listen to the electromagnetic radiation from the pads of the SIM while the key is being transmitted to the handset via the SIM’s electric contacts. Brilliant. And just one in a rapid-fire sequence of other equally interesting real life stories.

David, like many of the other speakers at the workshop, has kindly allowed me to put up his paper and presentation slides on the workshop’s web site. It won’t be as good as his outstanding live talk, but you may still find it quite interesting.

On the same page you will also find two more papers by members of the Cambridge security group: one on multi-channel protocols by Ford-Long Wong and yours truly, and one attacking key distribution schemes in sensor networks by Tyler Moore.

Why so many CCTVs in UK? (again)

I previously blogged about Prof. Martin Gill’s brilliant talk on CCTV at the Institute of Criminology.

I invited him to give it again as a Computer Laboratory seminar. He will do so on Wed 2006-05-17, 14:15. If you are around, do come along—highly recommended, and open to all. Title and abstract follow.

CCTV in the UK: A failure of theory or a failure of practice?

Although CCTV was heralded as something of a silver bullet in the fight against crime (and by two Governments) scholarly research has questioned the extent to which it ‘works’. Martin Gill led the Home Office national evaluation on CCTV and has subsequently conducted more research with CCTV schemes across the country. In this talk he will outline the findings from the national evalaution and assess the views of the public, scheme workers and offenders’ perspectives (including showing film clips of offenders talking at crime scenes) to show just why CCTV has not worked out as many considered. Martin will relate these findings to the current development of a national strategy.

The Internet and Elections: the 2006 Presidential Election in Belarus

On Thursday, the OpenNet Initiative released their report, to which I contributed, studying Internet Censorship in Belarus during the 2006 Presidential Election there. It even has managed a brief mention in the New York Times.

In summary, we did find suspicious behaviour, particularly in the domain name system (DNS), the area I mainly explored, but no proof of outright filtering. It is rarely advisable to attribute to malice what can just as easily be explained by incompetence, so it is difficult to draw conclusions about what actually happened solely from the technical evidence. However, regardless of whether this was the first instance the ONI has seen of a concerted effort to hide state censorship, or simply an unfortunate coincidence of network problems, it is clear that existing tools for Internet monitoring are not adequate for distinguishing between these cases.

Simply observing that a site is inaccessible from within the country being studied is not enough evidence to demonstrate censorship, because it is also possible that the server or its network connection is down. For this reason, the ONI simultaneously checks from an unrestricted Internet connection. If the site is inaccessible from both connections, it is treated as being down. Censorship is only attributed if the site can be reliably accessed from the unrestricted connection, but not by the in-country testers. This approach has been very successful at analysing previously studied censorship regimes but could not positively identify censorship in Belarus. Here sites were inaccessible (often intermittently) from all Internet connections tried.

Ordinarily this result would be assumed to simply be from network or configuration errors; however the operators of these sites claimed the faults were caused by denial of service (DoS) attacks, hacking attempts or other government orchestrated efforts. Because many of the sites or their domain names were hosted in Belarus, and given the state strangle-hold on communication infrastructure, these claims were plausible, but generating evidence is difficult. On the client side, the coarse results available from the current ONI testing software are insufficient to combat the subtlety of the alleged attacks.

What is needed is more intelligent software, which tries to establish, at the packet level, exactly why a particular connection fails. Network debugging tools exist, but are typically designed for experts, whereas in the anti-censorship scenario the volunteers in the country being studied should not need to care about these details. Instead the software should perform basic analysis before securely sending the low-level diagnostic information back to a central location for further study.

There is also a place for improved software at the server side. In response to reports of DoS and hacking attacks we requested logs from the administrators of the sites in question to substantiate the allegations, but none were forthcoming. A likely and understandable reason is that the operators did not want to risk the privacy of their visitors by releasing such sensitive information. Network diagnostic applications on the server could be adapted to generate evidence of attacks, while protecting the identity of users. Ideally the software would also resist fabrication of evidence, but this might be infeasible to do robustly.

As the relevance of the Internet to politics grows, election monitoring will need to adapt accordingly. This brings new challenges so both the procedures and tools used must change. Whether Belarus was the first example of indirect state censorship seen by the ONI is unclear, but in either case I suspect it will not be the last.