Protocol design is hard — Flaws in ScatterChat

At the recent HOPE conference, the “secure instant messaging (IM) client”, ScatterChat, was released in a blaze of publicity. It was designed by J. Salvatore Testa II to allow human rights and democracy activists to securely communicate while under surveillance. It uses cryptography to protect confidentiality and authenticity, and integrates Tor to provide anonymity and is bundled with an easy to use user interface. Sadly not everything is as good as it sounds.

When I first started supervising undergraduates at Cambridge, Richard Clayton explained that the real purpose of the security course was to teach students not to invent the following (in increasing order of importance): protocols, hash functions, block ciphers and modes of operation. Academic literature is scattered with the bones of flawed proposals for all of these, despite being designed by very capable and experienced cryptographers. Instead, wherever possible, implementors should use peer-reviewed building blocks, as normally there is already a solution which can do the job, but has withstood more analysis and so is more likely to be secure.

Unfortunately, ScatterChat uses both a custom protocol and mode of operation, neither of which is as secure as hoped. While looking at the developer documentation I found a few problems and reported them to the author. As always, there is the question of whether such vulnerabilities should be disclosed. It is likely that these problems would be discovered eventually, so it is better for them to be caught early and users allowed to take precautions, rather than attackers who independently find the weaknesses being able to exploit them with impunity. Also, I hope this will serve as a cautionary tale, reminding software designers that cryptography and protocol design is fraught with difficulties so is better managed through open peer-review.

The most serious of the three vulnerabilities was published today in an advisory (technical version), assigned CVE-2006-4021, from the ScatterChat author, but I also found two lesser ones. The three vulnerabilities are as follows (in increasing order of severity):

Anonymous data that isn't

AOL has recently been embarrassed after it released data on the searches performed by 658,000 subscribers. Their names had been replaced by numbers, but this was not enough to stop personal information leaking. The AOL folks just didn’t understand that protecting data using de-identification is hard.

They are not alone. An NHS document obtained under the Freedom of Information Act describes how officials are building a “Secondary Uses Service” which will contain large amounts of personal health information harvested from hospital and other records. It’s proposed that ever-larger numbers of people will have access to this information as it is progressively de-identified. It seems that officials are just beginning to realise how difficult it will be to protect patient privacy — especially as your deidentified medical record will generally have your postcode. There are only a few houses at each postcode; knowing that, plus a patient’s age, usually tells you whose record it is. The NHS proposes to set up an “Information Governance Board” to think about the problem. Meanwhile, system development steams ahead.

Clearly, the uses and limitations of anonymisation ought to be more widely understood. There’s more on the subject at the American Statistical Association website, on my web page and in chapter 8 of my book.

"Identity fraud" again

The National Consumer Council has published a report on “identity fraud” which is rather regrettable.

Identity fraud is not fraud, from the consumer’s viewpoint. If someone pretends to be me, borrows 10K from the Derbyshire Building Society and vanishes, it’s the building society that’s the victim, not me. If Experian then says I’m a loan defaulter when I’m not, that’s libel. Suing for libel may be expensive, but the Information Commissioner has announced his willingness to issue enforcement notices against the credit agencies in such circumstances. The NCC should have advertised this fact and encouraged people to go to him.

“Identity fraud” is an objectionable concept, an attempt by the banks to dump some liability. The Home Office egg them on because they think that rebadging credit-card fraud as “identity fraud” will help sell identity cards. But it’s a bad show when consumer organisations collude with an attempt to make consumers the victims of bankers’ and credit reference agencies’ negligence.

Security Theater at the Grand Coulee Dam

“Security theater” is the term that Bruce Schneier uses to describe systems that look very exciting and dramatic (and make people feel better) but entirely miss the point in delivering any actual real world security. The world is full of systems like this and since 9/11 they’ve been multiplying.

Bruce also recently ran a competition for a “movie plot” security threat — the winner described an operation to fly planes laden with explosives into Grand Coulee Dam.

As it happens, I was recently actually at Grand Coulee Dam as a tourist — one of the many places I visited as I filled in the time between the SRUTI and CEAS academic conferences. Because this is a Federal site, provision was made from the beginning for visitors to see how their tax dollars were spent, and you can go on tours of the “3rd Power House” (an extra part of the dam, added between 1966 and 1974, and housing six of the largest hydroelectric generators ever made).

Until 9/11 you could park on top of the dam itself and wander around on a self-guided tour. Now, since the site is of such immense economic significance, you have to park outside the site and go on guided tours, of limited capacity. You walk in for about 800 yards (a big deal for Americans I understand) and must then go through an airport-style metal detector. You are not allowed to take in backpacks or pointy things — you can however keep your shoes on. The tour is very interesting and I recommend it. You get to appreciate the huge scale of the place (the tiny-looking blue generators are 33 feet across!), and you go up close to one of the generators as it spins in front of you, powering most of the Northwest and a fair bit of California as well.

The security measures make some sense; although doubtless the place the bad guys would really like to damage is the control center and that isn’t on the tour. However….

… on the other side of the valley, a quarter of a mile from the dam itself, is a “visitor arrival center”. This contains a number of displays about the history of the dam and its construction, and if you have the time, there are films to watch as well. On summer nights they project a massive laser light show from there (a little tacky in places, but they run white water over the dam to project onto, which is deeply impressive). You don’t have to go through any security screening to get into the center. However — and that’s the security theater I promised — you cannot take in any camera bags, backpacks etc!

No purses, backpacks, bags, fannypacks, camera cases or packages of any kind allowed in the visitor center.

What’s the threat here? I went to a dozen other visitor centers (in National Parks such as Yellowstone, Grand Teton, Glacier, Mt. Rainier and Crater Lake) that were generally far more busy than this one. Terrorists don’t usually blow up museums, and if, deity forbid, they blew up this one, it’s only the laser lights that would go out.

Stolen mobiles story

I was just on Sky TV to debunk today’s initiative from the Home Office. The Home Secretary claimed that more rapid notification of stolen phone IMEIs between UK operators would have a significant effect on street crime.

I’m not so sure. Most mobiles stolen in the UK go abroad – the cheap ones to the third world and the flash ones to developed countries whose operators don’t subsidise handsets. As for the UK secondhand market, most mobiles can be reprogrammed (even though this is illegal). Lowering their street price is, I expect, a hard problem – like raising the street price of drugs.

What the Home Office might usefully do is to crack down on mobile operators who continue to bill customers after they have reported their phones stolen and cancelled their accounts. That is a scandal. Government’s role in problems like this is to straighten out the incentives and to stop the big boys from dumping risk on their customers.

Health IT Report

Late last year I wrote a report for the National Audit Office on the health IT expenditure, strategies and goals of the UK and a number of other developed countries. This showed that our National Program for IT is in many ways an outlier, and high-risk. Now that the NAO has published its own report, we’re allowed to make public our contribution to it.

Readers may recall that I was one of 23 computing professors who wrote to Parliament’s Health Select Committee asking for a technical review of this NHS computing project, which seems set to become the biggest computer project disaster ever. My concerns were informed by the NAO work.

Growing epidemic of card cloning

Markus points us to a story on card fraud by German TV reporter Sabine Wolf, who reported some of our recent work on how cards get cloned. She reports a number of cases in which German holidaymakers had cards cloned in Italy. In one case, a sniffer in a chip and PIN terminal at a skilift in Livigno sent holidaymakers’ card and PIN details by SMS to Romania. These devices, which apparently first appeared in Hungary in 2003, are now becoming widespread in Europe; one model sits between a card reader and the retail terminal. (I have always refused to use my chip card at stores such as Tesco and B&Q where they want to swipe your card at the checkout terminal and have you enter your PIN at a separate PIN pad – this is particularly vulnerable to such sniffing attacks.)

According to Hungarian police, the crooks bribe the terminal maintenance technicians, or send people round stores pretending to be technicians; the Bavarian police currently have a case in which 150 German cardholders lost 600,000 Euro; the Guardia di Finanza in Genoa have a case in which they’ve recovered thousands of SMSs from phone company computers containing card data; a prosecutor in Bolzano believes that crooks hide in supermarkets overnight and wire up the terminals; and there are also cases from Sweden, France, and Britain. Customers tend to get blamed unless there’s such a large batch of similar frauds that the bank can’t fail to observe the pattern. (This liability algorithm gives the bankers every incentive not to look too hard.)

In Hungary, banks now routinely confirm all card transactions to their customers by SMS. Maybe that’s what banks here will be doing in a year or two (Barclays will already SMS you if you make an online payment to a new payee). It’s not ideal though as it keeps pushing liability to the customer. I suspect it might take an EU directive to push the liability firmly back on the banks, along the lines of the US Federal Reserve’s Regulation E.

Powers, Powers, and yet more Powers …

Our beloved government is once again Taking Powers in the fight against computer crime. The Home Office proposes to create cyber-asbos that would enable the police to ban suspects from using such dangerous tools as computers and bank accounts. This would be done in a civil court against a low evidence standard; there are squeals from the usual suspects such as zdnet.

The Home Office proposals will also undermine existing data protection law; for example by allowing the banks to process sensitive data obtained from the public sector (medical record privacy, anyone?) and ‘dispelling misconceptions about consent’. I suppose some might welcome the proposed extension of ASBOs to companies. Thus, a company with repeated convictions for antitrust violations might be saddled with a list of harm-prevention conditions, for example against designing proprietary server-side protocols or destroying emails. I wonder what sort of responses the computer industry will make to this consultation 🙂

A cynic might point out that the ‘new powers’ seem in inverse proportion to the ability, or will, to use the existing ones. Ever since the South Sea Bubble in the 18th century, Britain has been notoriously lax in prosecuting bent bankers; city folk are now outraged when a Texas court dares to move from talk to action. Or take spam; although it’s now illegal to send unsolicited commercial emails to individuals in the UK, complaints don’t seem to result in action. Now trade and industry minister ‘Enver’ Hodge explains this is because there’s a loophole – it’s not illegal to spam businesses. So rather than prosecuting a spammer for spamming individuals, our beloved government will grab a headline or two by blocking this loophole. I don’t suppose Enver ever stopped to wonder how many spam runs are so well managed as to not send a single item to a single private email address – cheap headlines are more attractive than expensive, messy implementation.

This pattern of behaviour – taking new powers rather than using the existing ones – is getting too well entrenched. In cyberspace we don’t have law enforcement any more – we have the illusion of law enforcement.

New card security problem?

Yesterday my wife received through the post a pre-approved unsolicited gold mastercard with a credit limit of over a thousand pounds. The issuer was Debenhams and the rationale was that she has a store card anyway – if she doesn’t want to use the credit card she is invited to cut the credit card in half and throw it away. (Although US banks do this all the time and UK banks aren’t supposed to, I’ll leave to the lawyers whether their marketing tactics test the limits of banking regulation.)

My point is this: the average customer has no idea how to ‘cut up’ a card now that it’s got a chip in it. Bisecting the plastic using scissors leaves the chip functional, so someone who fishes it out of the trash might use a yescard to clone it, even if they don’t know the PIN. (Of course the PIN mailer might be in the same bin.)

Here at the Lab we do have access to the means to destroy chips (HNO3, HF) but you really don’t want that stuff at home. Putting 240V through it will stop it working – but as this melts the bonding wires, an able attacker might depackage and rebond the chip.

My own suggestion would be to bisect the whole chip package using a pair of tin snips. If you don’t have those in your toolbox a hacksaw should do. This isn’t foolproof as there exist labs that can retrieve data from chip fragments, but it’s probably good enough to keep out the hackers.

It does seem a bit off, though, that card issuers now put people to the trouble of devising a means of the secure disposal of electronic waste, when consumers mostly have neither the knowledge nor the tools to do so properly.

Downtime

Light Blue Touchpaper will be inaccessible for around 19 hours due to building maintenance. The server will be powered off at 22:00 UTC, Saturday 15 July and should be restarted at 17:00 UTC, Sunday 16 July. However, potential problems with the server or networking equipment on restoration of power may prevent access to the site until Monday.

Update: 17:30 UTC, Sunday 16 July
The power is on, the electronic locks let me in, network connectivity, DHCP and DNS work and the coffee machine is up and running. So that is the Computer Lab critical infrastructure in operation and LBT is back online.

Update: Tuesday 25 July
There will be another downtime for the Light Blue Touchpaper server on Wednesday 26 July, 7:00–10:00 UTC, due to work on our electricity supply.