Think of the children

News coverage, Social networks

Last week, the Times ran an article about a new website promising to be “Facebook for Kids”: School Together Now. According to the article, an ordinary mother of 3 got the idea for the site to allow parents to be more involved with their kids, and to give children aged 7-12 the benefits of social networking (Facebook, for example, limits membership to those older than 13). School Together Now is set to officially launch on the first of the year, but is already open for public registration and has been written up several times by the press.

We’ll leave the question of whether young children need a social network for sociologists and psychologists; there are difficult enough questions on how to design security for this vulnerable age group. Jonathan Anderson and I reviewed School Together Now and were disturbed with its lack of answers. The first thing we noticed was that logging in without entering any username or password provided full access via the account of the user “Amber Munt” (this works from the log-in box displayed after clicking “Children->Register/Login”). The next thing we noticed was the site’s About Us page, which states the goal of allowing advertisers to “Get themselves in front of their favourite customers (i.e. parents with deep pockets!)” Further investigation revealed a pattern of poor security choices driven by the desire for rapid commercialisation, which is inexcusable for a site specifically marketed at young children. Continue reading Think of the children

Forensic genomics

Academic papers, Legal issues, Politics, Privacy technology

I recently presented a paper on Forensic genomics: kin privacy, driftnets and other open questions (co-authored with Lucia Bianchi, Pietro Liò and Douwe Korff) at WPES 2008, the Workshop for Privacy in the Electronic Society of ACM CCS, the ACM Computer and Communication Security conference. Pietro and I also gave a related talk here at the Computer Laboratory in Cambridge.

While genetics is concerned with the observation of specific sections of DNA, genomics is about studying the entire genome of an organism, something that has only become practically possible in recent years. In forensic genetics, which is the technology behind the large national DNA databases being built in several countries including notably UK and USA (Wallace’s outstanding article lucidly exposes many significant issues), investigators compare scene-of-crime samples with database samples by checking if they match, but only on a very small number of specific locations in the genome (e.g. 13 locations according to the CODIS rules). In our paper we explore what might change when forensic analysis moves from genetics to genomics over the next few decades. This is a problem that can only be meaningfully approached from a multi-disciplinary viewpoint and indeed our combined backgrounds cover computer security, bioinformatics and law.

CODIS markers
(Image from Wikimedia commons, in turn from NIST.)

Sequencing the first human genome (2003) cost 2.7 billion dollars and took 13 years. The US’s National Human Genome Research Institute has offered over 20 M$ worth of grants towards the goal of driving the cost of whole-genome sequencing down to a thousand dollars. This will enable personalized genomic medicine (e.g. predicting genetic risk of contracting specific diseases) but will also open up a number of ethical and privacy-related problems. Eugenetic abortions, genomic pre-screening as precondition for healthcare (or even just dating…), (mis)use of genomic data for purposes other than that for which it was collected and so forth. In various jurisdictions there exists legislation (such as the recent GINA in the US) that attempts to protect citizens from some of the possible abuses; but how strongly is it enforced? And is it enough? In the forensic context, is the DNA analysis procedure as infallible as we are led to believe? There are many subtleties associated with the interpretation of statistical results; when even professional statisticians disagree, how are the poor jurors expected to reach a fair verdict? Another subtle issue is kin privacy: if the scene-of-crime sample, compared with everyone in the database, partially matches Alice, this may be used as a hint to investigate all her relatives, who aren’t even in the database; indeed, some 1980s murders were recently solved in this way. “This raises compelling policy questions about the balance between collective security and individual privacy” [Bieber, Brenner, Lazer, 2006]. Should a democracy allow such a “driftnet” approach of suspecting and investigating all the innocents in order to catch the guilty?

This is a paper of questions rather than one of solutions. We believe an informed public debate is needed before the expected transition from genetics to genomics takes place. We want to stimulate discussion and therefore we invite you to read the paper, make up your mind and support what you believe are the right answers.

Another link spammer

Security economics

Yet another link spammer is cluttering up my in-box. You’d think that after exposing this one, and this one, and this one, they’d know better.

The latest set of miscreants operates under the brand “goodeyeforlinks.com” and claim to “use white hat SEO techniques in order to get high quality, do-follow links to your website”. They also claim to be “professional” which in this case must mean you pay for their services, since sending out bulk unsolicited email is anything but professional.

Nevertheless, although their long term aim may indeed be to make money from legitimate, albeit foolish, businesses seeking a higher profile, the sites they have been promoting so far are anything but legitimate. In fact they’ve been fake sites covered with Google adverts (so-called “Made for AdSense” (MFA) sites).

They started by asking me to link to “entovation.net” which they claim is “page rank 3”. In fact it is page rank 3 (!) and a blatant copy of http://www.acentesolutions.com which appears entirely genuine (albeit only page rank 1). They have also been promoting “poland-translation-services.com“, which claims to be a site offering “A large team of 2,500 translators specializing in each sector, located in over 30 countries” …

However, this site is clearly fake as well. I haven’t tracked down where it all comes from, but much of this page comes from this Argentinian page, the text of which has been pushed through Google’s Spanish to English translation tools… which sadly (for example) renders

Comentarios: Se considera foja al equivalente a 500 palabras. Si el documento a traducir es menor a una foja, se lo considerará como una foja.

into

Comments: foja is considered the equivalent of 500 words. If the document is translated to a lesser foja, we will consider as a foja.

which makes the 2500 translators look more than a little bit foolish!

The fake websites are hosted by EuroAccess Enterprises Ltd. in The Netherlands (which is also where the email spam has been sent from). I’m not alone in receiving this type of email, further examples can be found here, and here, and here, and here, and here, and here, and even here (in Spanish).

EuroAccess have a fine ticketing system for abuse complaints… so I’m able to keep track of what they’re doing about my emails drawing their attention to the fraudsters they are hosting. I am therefore fully aware that they’ve so far marked my missives as “Priority: Low”, and nothing else is recorded to have been done… However, the tickets are still “Status: Open”, so perhaps a little publicity will encourage them to reassess their prioritisation.

How can we co-operate to tackle phishing?

Academic papers, Banking security, Security economics

Richard Clayton and I recently presented evidence of the adverse impact of take-down companies not sharing phishing feeds. Many phishing websites are missed by the take-down company which has the contract for removal; unsurprisingly, these websites are not removed very fast. Consequently, more consumers’ identities are stolen.

In the paper, we propose a simple solution: take-down companies should share their raw, unverified feeds of phishing URLs with their competitors. Each company can examine the raw feed, pick out the websites impersonating their clients, and focus on removing these sites.

Since we presented our findings to the Anti-Phishing Working Group eCrime Researchers Summit, we have received considerable feedback from take-down companies. Take-down companies attending the APWG meeting understood that sharing would help speed up response times, but expressed reservations at sharing their feeds unless they were duly compensated. Eric Olsen of Cyveillance (another company offering take-down services) has written a comprehensive rebuttal of our recommendations. He argues that competition between take-down companies drives investment in efforts to detect more websites. Mandated sharing of phishing URL feeds, in his view, would undermine these detection efforts and cause take-down companies such as Cyveillance to exit the business.

I do have some sympathy for the objections raised by the take-down companies. As we state in the paper, free-riding (where one company relies on another to invest in detection so they don’t have to) is a concern for any sharing regime. Academic research studying other areas of information security (e.g., here and here), however, has shown that free-riding is unlikely to be so rampant as to drive all the best take-down companies out of offering service, as Mr. Olsen suggests.

While we can quibble over the extent of the threat from free free-riding, it should not detract from the conclusions we draw over the need for greater sharing. In our view, it would be unwise and irresponsible to accept the current status quo of keeping phishing URL feeds completely private. After all, competition without sharing has approximately doubled the lifetimes of phishing websites! The solution, then, is to devise a sharing mechanism that gives take-down companies the incentive to keep detecting more phishing URLs.
Continue reading How can we co-operate to tackle phishing?

Liberal Democrat leader visits our lab

Banking security, News coverage, Politics, Privacy technology

This week, Nick Clegg, leader of the UK Liberal Democrat Party, and David Howarth, MP for Cambridgeshire, visited our hardware security lab for a demonstration of Chip & PIN fraud techniques.

They used this visit to announce their new party policy on protections against identity fraud. At present, credit rating companies are exempt from aspects of the Data Protection Act and can forward personal information about an individual’s financial history to companies without the subject’s consent. Clegg proposes to give individuals the rights to “freeze” their credit records, making it more difficult for fraudsters to impersonate others.

See also the Cambridge Evening News article and video interview.

Non-cooperation in the fight against phishing

Academic papers, Banking security, Security economics

Tyler Moore and I are presenting another one of our academic phishing papers today at the Anti-Phishing Working Group’s Third eCrime Researchers Summit here in Atlanta, Georgia. The paper “The consequence of non-cooperation in the fight against phishing” (pre-proceedings version here) goes some way to explaining anomalies we found in our previous analysis of phishing website lifetimes. The “take-down” companies reckon to get phishing websites removed within a few hours, whereas our measurements show that the average lifetimes are a few days.

These “take-down” companies are generally specialist offshoots of more general “brand protection” companies, and are hired by banks to handle removal of fake phishing websites.

When we examined our data more carefully we found that we were receiving “feeds” of phishing website URLs from several different sources — and the “take-down” companies that were passing the data to us were not passing the data to each other.

So it often occurs that take-down company A knows about a phishing website targeting a particular bank, but take-down company B is ignorant of its existence. If it is company B that has the contract for removing sites for that bank then, since they don’t know the website exists, they take no action and the site stays up.

Since we were receiving data feeds from both company A and company B, we knew the site existed and we measured its lifetime — which is much extended. In fact, it’s somewhat of a mystery why it is removed at all! Our best guess is that reports made directly to ISPs trigger removal.

The paper contains all the details, and gives all the figures to show that website lifetimes are extended by about 5 days when the take-down company is completely unaware of the site. On other occasions the company learns about the site some time after it is first detected by someone else; and this extends the lifetimes by an average of 2 days.

Since extended lifetimes equate to more unsuspecting visitors handing over their credentials and having their bank accounts cleaned out, these delays can also be expressed in monetary terms. Using the rough and ready model we developed last year, we estimate that an extra $326 million per annum is currently being put at risk by the lack of data sharing. This figure is from our analysis of just two companies’ feeds, and there are several more such companies in this business.

Not surprisingly, our paper suggests that the take-down companies should be sharing their data, so that when they learn about websites attacking banks they don’t have contracts with, they pass the details on to another company who can start to get the site removed.

We analyse the incentives to make this change (and the incentives the companies have not to do so) and contrast the current arrangements with the anti-virus/malware industry — where sample suspect code has been shared since the early 1990s.

In particular, we note that it is the banks who would benefit most from data sharing — and since they are paying the bills, we think that they may well be in a position to force through changes in policy. To best protect the public, we must hope that this happens soon.

Making bank reimbursement statutory

Banking security, Legal issues, Politics, Security economics

Many of the recommendations of the House of Lords Science and Technology Committee report on Personal Internet Security have been recycled into Conservative Party policy [*] — as announced back in March. So, if you believe the polls, we might see some changes after the next election or, if you’re cynical, even before then as the Government implements opposition policy!

However, one of the Committee recommendations that the Conservatives did not take up was that the law should be changed so that banks become liable for all eBanking and ATM losses — just as they have been liable since 1882 if they honour a forged cheque. Of course, if the banks can prove fraud (for cheques or for the e-equivalents) then the end-user is liable (and should be locked up).

At present the banks will cover end-users under the voluntary Banking Code… so they say that there would be no difference with a statutory regime. This is a little weak as an objection, since if you believe their position it would make no difference either way to them. But, in practice it will make a difference because the voluntary code doesn’t work too well for a minority of people.

Anyway, at present the banks don’t have a lot of political capital and so their views are carrying far less weight. This was particularly clear in last week’s House of Lords debate on “Personal Internet Security”, where Viscount Bridgeman speaking for the Conservatives said:

“I entirely agree with the noble Lord, Lord Broers, that statutory control of the banks in this respect is required and that we cannot rely on the voluntary code.”

which either means he forgot his brief! or that this really is a new party policy. If so then, in my view, it’s very welcome.

[*] the policy document has inexplicably disappeared from the Conservative website, but a Word version is available from Microsoft here.

Lords debate "Personal Internet Security"

News coverage, Politics, Security economics

Last Friday the House of Lords debated their Science and Technology Committee’s report on Personal Internet Security (from Summer 2007) and — because the Government’s response was so weak — the additional follow-up report that was published in Spring 2008. Since I had acted as the specialist adviser to the Committee, I went down to Westminster to sit “below the bar“, in one of the best seats in the House, and observe.

Lord Broers, the Committee Chairman during the first inquiry, kicked things off, followed by various Lords who had sat on the Committee (and two others who hadn’t) then the opposition lead, Viscount Bridgeman, who put his party’s point of view (of which more in another article). Lord Brett (recently elevated to a Lord in Waiting — ie a whip), then replied to the debate and finally Lord Broers summarised and formally moved the “take note” motion which, as is custom and practice, the Lords then consented to nem con.

The Government speech in such a debate is partially pre-written, and should then consist of a series of responses to the various issues raised and answers to the questions put in the previous speeches. The Minister himself doesn’t write any of this, that’s done by civil servants from his department, sitting in a special “box” at the end of the chamber behind him.

However, since the previous speeches were so strongly critical of the Government’s position, and so many questions were put as to what was to be done next, I was able to see from my excellent vantage point (as TV viewers would never be able to) the almost constant flow of hastily scribbled notes from the box to the Minister — including one note that went to Lord Broers, due to an addressing error by the scribblers!

The result of this barrage of material was that Lord Brett ended up with so many bits of paper that he completely gave up trying to juggle them, read out just one, and promised to write to everyone concerned with the rest of the ripostes.

Of course it didn’t help that he’d only been in the job for five days and this was his first day at the dispatch box. But the number of issues he had to address would almost certainly have flummoxed a five-year veteran as well.

Amusing though this might be to watch, this does not bode well for the Government getting to grips with the issues raised in the reports. In technical areas such as “Personal Internet Security”, policy is almost entirely driven by the civil servants and not by the politicians.

So it is particularly disappointing that the pre-written parts of the Minister’s speech — the issues that the civil servants expected to come up and which they felt positive about addressing — were only a small proportion of the issues that were actually addressed in the debate.

It still seems as if the penny hasn’t dropped in Whitehall 🙁

Privacy Enhancing Technologies Symposium (PETS 2009)

Academic papers, Call for papers, Privacy technology

I am on the program committee for the 9th Privacy Enhancing Technologies Symposium (PETS 2009), to be held in Seattle, WA, USA, 5–7 August 2009. PETS is the leading venue for research on privacy and anonymity, offering an enjoyable environment and stimulating discussion. If you are working in this field, I can strongly recommend submitting a paper.

This year, we are particularly looking for submissions from topics other than anonymous communications, so if work from your field may be applied, or is otherwise related, to the topic of privacy, I’d encourage you to consider PETS as a potential venue.

The submission deadline for the main session is 2 March 2009. As with last year, we will also have a “HotPETS” event, for new and exciting work in the field which is still in a formative state. Submissions for HotPETS should be received by 8 May 2009.

Further information can be found in the call for papers.