Category Archives: Security economics

Social-science angles of security

Health IT Report

Late last year I wrote a report for the National Audit Office on the health IT expenditure, strategies and goals of the UK and a number of other developed countries. This showed that our National Program for IT is in many ways an outlier, and high-risk. Now that the NAO has published its own report, we’re allowed to make public our contribution to it.

Readers may recall that I was one of 23 computing professors who wrote to Parliament’s Health Select Committee asking for a technical review of this NHS computing project, which seems set to become the biggest computer project disaster ever. My concerns were informed by the NAO work.

Powers, Powers, and yet more Powers …

Our beloved government is once again Taking Powers in the fight against computer crime. The Home Office proposes to create cyber-asbos that would enable the police to ban suspects from using such dangerous tools as computers and bank accounts. This would be done in a civil court against a low evidence standard; there are squeals from the usual suspects such as zdnet.

The Home Office proposals will also undermine existing data protection law; for example by allowing the banks to process sensitive data obtained from the public sector (medical record privacy, anyone?) and ‘dispelling misconceptions about consent’. I suppose some might welcome the proposed extension of ASBOs to companies. Thus, a company with repeated convictions for antitrust violations might be saddled with a list of harm-prevention conditions, for example against designing proprietary server-side protocols or destroying emails. I wonder what sort of responses the computer industry will make to this consultation 🙂

A cynic might point out that the ‘new powers’ seem in inverse proportion to the ability, or will, to use the existing ones. Ever since the South Sea Bubble in the 18th century, Britain has been notoriously lax in prosecuting bent bankers; city folk are now outraged when a Texas court dares to move from talk to action. Or take spam; although it’s now illegal to send unsolicited commercial emails to individuals in the UK, complaints don’t seem to result in action. Now trade and industry minister ‘Enver’ Hodge explains this is because there’s a loophole – it’s not illegal to spam businesses. So rather than prosecuting a spammer for spamming individuals, our beloved government will grab a headline or two by blocking this loophole. I don’t suppose Enver ever stopped to wonder how many spam runs are so well managed as to not send a single item to a single private email address – cheap headlines are more attractive than expensive, messy implementation.

This pattern of behaviour – taking new powers rather than using the existing ones – is getting too well entrenched. In cyberspace we don’t have law enforcement any more – we have the illusion of law enforcement.

The Rising Tide: DDoS by Defective Designs and Defaults

Dedicated readers will recall my article about how I tracked down the “DDoS” attack on stratum 1 time servers by various D-Link devices. I’ve now had a paper accepted at the 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI’06) which runs in California in early July.

The paper (PDF version available here and HTML here) gives rather more details about the problems with the D-Link firmware. More significantly, it puts this incident into context as one of a number of problems suffered by stratum 1 time servers over the past few years AND shows that these time server problems are just one example of a number of incidents involving different types of system that have been “attacked” by defective designs or poorly chosen defaults.

My paper is fairly gloomy about the prospects for improvement going forward. ISPs are unlikely to be interested in terminating customers who are running “reputable” systems which just happen to contribute to a DDoS on some remote system. There’s no evidence that system designers are learning from past mistakes — and the deskilling of program development means that ever more clueless people are involved. Economic and legal approaches don’t seem especially promising — it may have cost D-Link (and Netgear before them) real dollars, but I doubt that the cost has been high enough yet to scare other companies into auditing their systems before they too cause a similar problem.

As to the title… I suggest that if a classic, zombie-originated, DDoS attack is like directing a firehose onto a system; and if a “flash crowd” (or “slashdotting”) is like a flash flood; then the sort of “attack” that I describe is like a steadily rising tide, initially easy to ignore and not very significant, but it can still drown you just the same.

Hence it’s important to make sure that your security approach — be it dams and dikes, swimming costumes and life-jackets, or wetsuits and scuba gear (or of course their Internet anti-DDoS equivalents) — is suitable for dealing with all of these threats.
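The three shapes of unwanted traffic sketched above (firehose, flash flood, rising tide) look quite different in a time server’s request log, and telling them apart is the first step in choosing the right defence. The following Python script is an added illustration, not code from the paper or from any of the vendors mentioned: it buckets a log of (timestamp, source address) pairs into one-minute windows and labels the trace by the number of distinct sources, the per-source request rate, and whether the source population is bursting or steadily growing. The four traffic traces and all thresholds are constructed assumptions chosen to make the patterns visible; the constants would need tuning against real server logs.

```python
"""Label three shapes of unwanted NTP traffic from a request log.

Constructed example: traces, thresholds and addresses are assumptions
chosen for illustration, not measurements from a real stratum 1 server.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

WINDOW = 60          # seconds per bucket
FEW_SOURCES = 10     # at most this many sources => possible firehose
HIGH_RATE = 1.0      # requests/second per source that marks a firehose
LOW_RATE = 0.1       # requests/second per source typical of polite clients
BURST_FACTOR = 5     # peak/median source count that marks a flash crowd

# Documentation address range used to label constructed clients.
BASE = int(ipaddress.IPv4Address("198.51.100.0"))


def ip(n: int) -> str:
    """Deterministic constructed client address for client number n."""
    return str(ipaddress.IPv4Address(BASE + n))


@dataclass
class WindowStats:
    start: int       # window start, seconds
    requests: int    # requests seen in the window
    sources: int     # distinct source addresses in the window

    @property
    def per_source_rate(self) -> float:
        """Average requests per second sent by each active source."""
        return self.requests / self.sources / WINDOW if self.sources else 0.0


def bucket(log: Iterable[Tuple[int, str]]) -> List[WindowStats]:
    """Group (timestamp, source) records into fixed-size windows."""
    reqs: Dict[int, int] = defaultdict(int)
    srcs: Dict[int, set] = defaultdict(set)
    for ts, src in log:
        w = ts // WINDOW * WINDOW
        reqs[w] += 1
        srcs[w].add(src)
    return [WindowStats(w, reqs[w], len(srcs[w])) for w in sorted(reqs)]


def classify(stats: List[WindowStats]) -> str:
    """Return 'firehose', 'rising tide', 'flash crowd' or 'steady'."""
    if not stats:
        return "idle"
    peak = max(stats, key=lambda s: s.requests)
    # Firehose: a handful of sources, each hammering the server.
    if peak.sources <= FEW_SOURCES and peak.per_source_rate >= HIGH_RATE:
        return "firehose"
    counts = [s.sources for s in stats]
    growing = all(a <= b for a, b in zip(counts, counts[1:]))
    polite = max(s.per_source_rate for s in stats) < LOW_RATE
    # Rising tide: each client behaves, but the population keeps growing.
    if growing and polite and counts[-1] >= 2 * counts[0]:
        return "rising tide"
    median = sorted(counts)[len(counts) // 2]
    # Flash crowd: the population spikes briefly, then goes away again.
    if max(counts) >= BURST_FACTOR * median:
        return "flash crowd"
    return "steady"


# --- constructed traces: one record per request -----------------------------

def trace(sources_per_window: List[int], per_source: int = 1) -> List[Tuple[int, str]]:
    """Window k has sources_per_window[k] clients, each sending per_source requests."""
    log = []
    for k, n in enumerate(sources_per_window):
        for s in range(n):
            for i in range(per_source):
                log.append((k * WINDOW + (s + i) % WINDOW, ip(s)))
    return log


def synth_firehose() -> List[Tuple[int, str]]:
    return trace([3] * 10, per_source=200)          # 3 clients, 3.3 req/s each


def synth_flash_crowd() -> List[Tuple[int, str]]:
    return trace([5, 5, 5, 500, 500, 5, 5, 5, 5, 5])  # two-minute burst


def synth_rising_tide() -> List[Tuple[int, str]]:
    return trace([100 * (k + 1) for k in range(10)])  # 100 new clients a minute


def synth_steady() -> List[Tuple[int, str]]:
    return trace([20] * 10)                           # unchanging population


if __name__ == "__main__":
    for name, gen in [("firehose", synth_firehose), ("flash crowd", synth_flash_crowd),
                      ("rising tide", synth_rising_tide), ("steady", synth_steady)]:
        print(f"{name:12s} -> {classify(bucket(gen()))}")
```

The rising tide is the hard case operationally: no single window and no single client looks abusive, so per-source rate limiting never fires, and only the trend in the source population gives it away. That is why the script keeps the whole series of windows rather than judging the latest one in isolation.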

ATMs and Disclosure Laws

My local freesheet had an article entitled ‘Skimming device found at Tesco’ (‘Bedfordshire on Sunday’, May 21, p 30). This managed barely 6 column inches, so common is the offence these days. What caught my eye was an appeal by the police for anyone who used the machine at Flitwick between 10:30 and 11:30 AM on Tuesday last week to check their accounts and report any unauthorised transactions.

Now hang on. Why can’t the bank that operates the machine help them? They have the definitive list of potential victims. Come to think of it, when a skimmer is found on Barclays’ machine, and they see that customer X from Lloyds just used it, why don’t they write to Lloyds suggesting they invite her to check her account? Well, you can imagine what Barclays’ lawyers would think of that, but where does the public interest lie?

The Americans do this sort of thing much better. California has a law mandating prompt notification of individuals potentially affected by information compromises, and many other states are trying to follow. According to a survey reported by SANS, 71% of Americans want this to become a federal law, and 46% said that they would have serious doubts about political candidates who did not support improving the law.

I initially had my doubts about the Californian initiative, but Tesco in Flitwick is helping convince me.

What's a security problem?

On Wednesday I was driving back from Oxford and dropped off at Tesco to buy some food. They had an offer ‘5 for 4’ — buy any 5 items of packaged fruit or vegetables and get the cheapest of them for free. I bought seven items. I would have expected to get the fifth cheapest item free, but their computer instead gave me the seventh cheapest item. Here is the evidence.

A few years ago, it was common for website designers to make errors in logic that enabled customers to get unanticipated discounts. These were seen as ‘security failures’. Nowadays it seems that programmers err on the other side. Thankfully, this has stopped the security problems.

Or has it? Here’s how to attack Tesco if you don’t like them. Go and buy six packs of fruit and veg, then take the receipt to your local Trading Standards and make a formal complaint. If a hundred people do that, it’ll cost them plenty.

The Internet allows the rapid dissemination, and anonymous exploitation, of vulnerability information, as Microsoft has learned over the last five years. Maybe there are variants of this lesson that will be even more widely learned.

WEIS 2006

The Fifth Annual Workshop on the Economics of Information Security (WEIS) is coming to Cambridge on June 26-28. WEIS topics include the interaction of networks with crime and conflict; the economics of bugs; the dependability of open source and free software; liability and insurance; reputation; privacy; risk perception; the economics of DRM and trusted computing; the economics of trust; the return on security investment; and economic perspectives on spam. A preliminary program and accepted papers are available online.

Immediately following the conclusion of WEIS is the co-located Sixth Workshop on Privacy Enhancing Technologies, June 28-30. The last week of June is sure to be an exciting one in Cambridge.

Participation is open to all interested researchers, practitioners and policy-makers. Register by the end of the week for an early registration discount.

Why so many CCTVs in UK? (again)

I previously blogged about Prof. Martin Gill’s brilliant talk on CCTV at the Institute of Criminology.

I invited him to give it again as a Computer Laboratory seminar. He will do so on Wed 2006-05-17, 14:15. If you are around, do come along—highly recommended, and open to all. Title and abstract follow.

CCTV in the UK: A failure of theory or a failure of practice?

Although CCTV was heralded as something of a silver bullet in the fight against crime (and by two Governments) scholarly research has questioned the extent to which it ‘works’. Martin Gill led the Home Office national evaluation on CCTV and has subsequently conducted more research with CCTV schemes across the country. In this talk he will outline the findings from the national evaluation and assess the views of the public, scheme workers and offenders’ perspectives (including showing film clips of offenders talking at crime scenes) to show just why CCTV has not worked out as many considered. Martin will relate these findings to the current development of a national strategy.

Covert conflict in social networks

Last summer Ross Anderson and I published a technical report titled “The topology of covert conflict” with preliminary results on attacks and defences in complex networks. We explored various tactical and strategic options available to combatants involved in conflict. The paper has now been accepted for publication at WEIS 2006.

This work has also been under discussion at various blogs and websites:

D-Link settles!

All the fuss about D-Link’s usage of the Danish-based stratum 1 time server seems to have had one good result. Poul-Henning Kamp’s web page has the following announcement this morning:

“D-Link and Poul-Henning Kamp announced today that they have amicably resolved their dispute regarding access to Mr. Kamp’s GPS.Dix.dk NTP Time Server site. D-Link’s existing products will have authorized access to Mr. Kamp’s server, but all new D-Link products will not use the GPS.Dix.dk NTP time server. D-Link is dedicated to remaining a good corporate and network citizen.”

which was nice.

Time will tell if D-Link has arranged their firmware to avoid sending undesirable traffic to other stratum 1 time servers as well, but at least the future well-being of Poul-Henning’s machine is assured.