
July 23, 2008

San Francisco locked out of its servers

A rogue system administrator for the city of San Francisco locked the city's computer systems and held the access key to ransom.


Fortunately the admin changed his mind after a conversation with his lawyers in the city cells, but he still refused to give the code to anyone other than the mayor, forcing Mayor Newsom to visit the prison in person to retrieve the keys.


The scale is unusual but the crime is not. Any business can have a disgruntled employee, no matter how well run the business is or how fair the management. They don't even need to be upset with their employer; they may take revenge on it in place of their real target. Planting a logic bomb can be a tempting means of doing so.


Many businesses that are involved in these events never recover. For many small businesses the data stored on their computer systems is their business. The attack need not be very sophisticated either: taking the disks out of the RAID array and tossing them off a bridge will work as well as a sophisticated hack. It's only if the attacker wants the attack to be reversible that sophistication is needed.


What can a business do to protect itself? Keeping offsite backups, for a start. Backing up the server is the job of the system administrator, but making sure that the system is backed up is the responsibility of the CISO, and of those above them.


In the San Francisco case it is clear, if the reports are accurate, that the city gave too much control to a single individual. It should not be possible for one person to have that level of access, no matter how senior they are.
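One concrete way to make "no single person holds the key" true rather than a policy statement is to split the recovery credential so that several custodians must cooperate to reconstruct it. The following is an added example, not from the original post and not how San Francisco's systems were (or should have been) configured: a textbook Shamir secret-sharing scheme over a prime field, with a constructed passphrase as the shared secret. Any three of five officers can recover it; two learn nothing about it.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// All arithmetic is over GF(p) with p = 2^521 - 1, a prime large enough
// to hold any secret of up to 64 bytes as a single field element.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's fragment: the polynomial evaluated at X.
type Share struct {
	X *big.Int
	Y *big.Int
}

// Split encodes secret as the constant term of a random polynomial of
// degree threshold-1 and hands out n evaluations of it. Any threshold
// shares reconstruct the secret; fewer reveal nothing about it.
// The secret must not begin with a zero byte, since big.Int drops it.
func Split(secret []byte, n, threshold int) ([]Share, error) {
	if threshold < 2 || n < threshold {
		return nil, errors.New("need 2 <= threshold <= n")
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, errors.New("secret too large for the field")
	}
	// coeffs[0] is the secret; the rest are uniformly random field elements.
	coeffs := make([]*big.Int, threshold)
	coeffs[0] = s
	for i := 1; i < threshold; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := 0; i < n; i++ {
		x := big.NewInt(int64(i + 1)) // x = 0 would hand out the secret itself
		shares[i] = Share{X: x, Y: evalPoly(coeffs, x)}
	}
	return shares, nil
}

// evalPoly computes coeffs[0] + coeffs[1]*x + ... mod p by Horner's rule.
func evalPoly(coeffs []*big.Int, x *big.Int) *big.Int {
	y := new(big.Int)
	for i := len(coeffs) - 1; i >= 0; i-- {
		y.Mul(y, x)
		y.Add(y, coeffs[i])
		y.Mod(y, prime)
	}
	return y
}

// Combine recovers the constant term by Lagrange interpolation at x = 0.
// Given fewer than threshold shares it returns a uniformly random field
// element, not a partial secret.
func Combine(shares []Share) []byte {
	secret := new(big.Int)
	for i, si := range shares {
		num := big.NewInt(1)
		den := big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			// Lagrange basis at 0: prod_{j != i} (0 - x_j) / (x_i - x_j)
			num.Mul(num, new(big.Int).Neg(sj.X))
			num.Mod(num, prime)
			den.Mul(den, new(big.Int).Sub(si.X, sj.X))
			den.Mod(den, prime)
		}
		term := new(big.Int).Mul(num, new(big.Int).ModInverse(den, prime))
		term.Mul(term, si.Y)
		secret.Add(secret, term)
		secret.Mod(secret, prime)
	}
	return secret.Bytes()
}

func main() {
	secret := []byte("core-router-recovery-passphrase") // constructed sample
	shares, err := Split(secret, 5, 3)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with 3 of 5 shares: %q\n", Combine(shares[1:4]))
}
```

The shares would be issued to different officers (and the CISO would verify, not merely assume, that the issued shares recombine) so that a single administrator's departure, or detention, cannot lock the organization out.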


So why are businesses run the insecure way? I believe that a large part of the reason has to do with usability, which is one reason I am off to SOUPS at CMU today.

July 17, 2008

Cybercapos

Interesting.


But as I point out in the dotCrime Manifesto, the mafia is old school. It uses the state of the art in business management as it was being developed in the 1920s. The mafia was organized using line management before most US businesses had got there.


The organization of the cyber-gangs is fashioned after today's state of the art. They use online markets for outsourcing. The gangs are global and operate 24 hours a day. If a criminal in Russia finds some commercial information that is relevant in Brazil, they can quickly connect to a local criminal who can make use of it.


In many ways the Internet crime rings are replacing the old-style mafia. And just as online commerce eventually merged with traditional retail, the same effect will occur in Internet crime. The same facilities, for example money laundering, can be used for any criminal purpose. A drug ring can launder proceeds through the same network the Internet criminals developed for extracting stolen money.

July 16, 2008

Drowning in disinformation

[image: iran1be3.jpg]


Millions of people around the world woke up to see this image from the Iranian news agency on the front page of the morning newspaper.


Although the image is now known to be fake, or, to be strictly accurate, manipulated, the damage done by the exposure may be worse than the damage done by the original fakery.


The facts of the situation are now clear: only three of the missiles were launched successfully, as another photograph taken earlier demonstrated. What appears to be the launch of the second missile from the right is actually a combination of the vapor trails from the other two rockets.


The fakers were caught, so what is the problem? Well, the problem is that although the fakers were caught this time, we don't know how many times a fake photograph has been used without detection. During the 2004 US Presidential campaign, a photograph purporting to show John Kerry speaking with Jane Fonda was circulated. As with the Iranian forgery, far more people saw the original photograph than the subsequent rebuttal.


But the problem is not just that the fakers may achieve their objective; it's that genuine evidence may be dismissed as fake. One does not need to be unduly Machiavellian to see how creating distrust in photographic evidence might suit a government whose grasp on power depends on control of information.


So what is the solution? Cryptography of course.


Adobe itself has been concerned about the need to authenticate digital documents for many years. Adobe Acrobat has a built-in document authentication feature that uses secure digital signatures.


The Adobe system is great; the only problem is that it authenticates the document only after editing. This is exactly what we want in the case of a contract, but not if the question is the authenticity of a photograph. What we need is a publicly verifiable means of authenticating the original photograph at the moment it is taken by the camera.


While it is highly unlikely that the images taken by the original photographer will be the ones that end up on the Web site, the ability to authenticate the input to a process is essential if there is to be any possibility of authenticating the process as a whole. For image authentication to be effective it must be integrated into the newsroom workflow, so that an editor knows which images coming in from a stringer are unmodified and which may have been altered, and the reader knows which images came from the paper or wire service unmodified. Alteration may be necessary in some cases: a photograph taken in the field may be too light, too dark or have the wrong color balance because of the lighting used. But when an altered photograph is uploaded there should also be a source image available for verification.


As it happens, Nikon does implement a system of this type in its D3 and D300 cameras. Unfortunately, the details of the authentication scheme are not public, and image verification requires an additional software package that in turn requires a hardware key.
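The two-stage scheme the post asks for, a camera signature over the original and a newsroom record tying each altered image back to that signed original, is small enough to sketch in working code. The following is an added example, not code from the post, from Adobe or from Nikon (whose scheme, as noted, is not public). The record formats, the string prefixes used as signature context and the sample image bytes are all constructed for illustration; Ed25519 is used for the publicly verifiable signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// CaptureRecord is what a signing camera would attach to an image: the
// digest of the unmodified image and the camera's signature over that
// digest. Constructed format, not any vendor's.
type CaptureRecord struct {
	ImageHash string // hex SHA-256 of the original image bytes
	Signature []byte // camera signature over "capture:" + ImageHash
}

// EditRecord links a published, altered image to the signed source it was
// derived from, so a reader can see who altered what.
type EditRecord struct {
	SourceHash  string // hash of the camera original
	DerivedHash string // hash of the published image
	Operation   string // e.g. "exposure +1.0"
	Signature   []byte // editor signature over the three fields above
}

func digest(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

func editMsg(r EditRecord) []byte {
	return []byte("edit:" + r.SourceHash + ":" + r.DerivedHash + ":" + r.Operation)
}

// SignCapture is the camera-side step: sign the digest, not the image, so
// the record stays small and the image itself can be inspected freely.
func SignCapture(cameraPriv ed25519.PrivateKey, img []byte) CaptureRecord {
	h := digest(img)
	return CaptureRecord{ImageHash: h, Signature: ed25519.Sign(cameraPriv, []byte("capture:"+h))}
}

// SignEdit is the newsroom step performed whenever an editor alters a source image.
func SignEdit(editorPriv ed25519.PrivateKey, source, derived []byte, op string) EditRecord {
	r := EditRecord{SourceHash: digest(source), DerivedHash: digest(derived), Operation: op}
	r.Signature = ed25519.Sign(editorPriv, editMsg(r))
	return r
}

// VerifyOriginal answers: is this exactly what the camera captured?
func VerifyOriginal(cameraPub ed25519.PublicKey, img []byte, rec CaptureRecord) bool {
	return digest(img) == rec.ImageHash &&
		ed25519.Verify(cameraPub, []byte("capture:"+rec.ImageHash), rec.Signature)
}

// VerifyEdited answers: was this altered image produced by a known editor
// from a camera-signed original? It needs the source image as well, which
// is why the post argues the source should be published alongside.
func VerifyEdited(cameraPub, editorPub ed25519.PublicKey, source, published []byte,
	capRec CaptureRecord, edit EditRecord) error {
	if !VerifyOriginal(cameraPub, source, capRec) {
		return errors.New("source image does not match the camera signature")
	}
	if edit.SourceHash != capRec.ImageHash {
		return errors.New("edit record does not refer to the signed original")
	}
	if digest(published) != edit.DerivedHash {
		return errors.New("published image is not the one the editor signed")
	}
	if !ed25519.Verify(editorPub, editMsg(edit), edit.Signature) {
		return errors.New("editor signature invalid")
	}
	return nil
}

func main() {
	// Constructed sample: short byte strings stand in for the raw file and
	// the color-corrected file an editor would actually produce.
	camPub, camPriv, _ := ed25519.GenerateKey(rand.Reader)
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader)
	raw := []byte("RAW sensor data, underexposed")
	corrected := []byte("JPEG, exposure +1.0")
	capRec := SignCapture(camPriv, raw)
	edit := SignEdit(edPriv, raw, corrected, "exposure +1.0")
	fmt.Println("original verified:", VerifyOriginal(camPub, raw, capRec))
	fmt.Println("edited chain:", VerifyEdited(camPub, edPub, raw, corrected, capRec, edit))
	// An image altered outside the recorded workflow fails the chain.
	fmt.Println("unrecorded alteration:", VerifyEdited(camPub, edPub, raw, []byte("JPEG, other"), capRec, edit))
}
```

In a real deployment the camera and editor public keys would be published by the manufacturer and the news organization respectively, which is what makes the check publicly verifiable; with the Nikon scheme as described above, the verifier instead depends on a proprietary package and a hardware key.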

July 10, 2008

The DNS patch

In the past 24 hours I have received a lot of queries about the reports of the major DNS security patch. Since this is not my area of responsibility I asked Matt Larson, our DNS specialist, to comment. Here is his reply:

I'm aware of the vulnerability and know the details. It is not broader than DNS cache poisoning and only recursive name servers are vulnerable. These are the servers run by enterprises and ISPs to resolve DNS lookups on behalf of their employees' and customers' computers. Recursive name servers do the "heavy lifting" of DNS resolution by tracking down answers in authoritative name servers.
Because recursive name servers cache responses they receive to speed up subsequent lookups, they are potentially vulnerable to bad information getting into their caches, via an attack called "cache poisoning".
The important message is: for customer-facing services, VeriSign runs only authoritative name servers, not recursive name servers, and we are therefore completely unaffected by this vulnerability.

In short, core DNS (the root and the major TLD servers) is not affected. But Matt did also point out that the issue does affect enterprises and ISPs that run local recursive DNS servers, and that it is important that these are appropriately patched or upgraded.
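To make concrete why only caching recursive servers are exposed, here is an added example (not from Matt Larson, VeriSign or any real resolver) of the acceptance checks a recursive resolver applies before it lets an upstream reply into its cache. The structures and the sample lookup (RFC 5737 test addresses, a query for www.example.com sent to a server delegated for example.com) are constructed for illustration; an authoritative-only server never performs this step because it never caches other servers' answers.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RR is a minimal resource record as a toy recursive resolver would cache it.
type RR struct {
	Name, Type, Value string
	TTL               int
}

// PendingQuery is what the resolver remembers about an outstanding upstream
// lookup: the transaction ID and source port it picked, the server it asked,
// the question, and the zone that server was delegated for.
type PendingQuery struct {
	ID        uint16
	SrcPort   uint16
	Server    string
	Name      string
	Type      string
	Bailiwick string // e.g. "example.com."; records outside it are not trusted
}

// Response is an inbound reply as the resolver sees it.
type Response struct {
	ID         uint16
	DstPort    uint16
	From       string
	QName      string
	QType      string
	Answers    []RR
	Additional []RR
}

func inBailiwick(name, zone string) bool {
	name, zone = strings.ToLower(name), strings.ToLower(zone)
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// Accept decides whether a reply may update the cache and returns the records
// allowed in. A reply must match the 16-bit transaction ID and the randomized
// source port (the July 2008 patches added port randomization, so a guess has
// roughly 32 bits to get right instead of 16), arrive from the server that was
// asked, answer the question that was asked, and may only supply records that
// lie inside that server's zone. Anything else is discarded, never cached.
func Accept(q PendingQuery, r Response) ([]RR, error) {
	if r.ID != q.ID {
		return nil, errors.New("transaction ID mismatch")
	}
	if r.DstPort != q.SrcPort {
		return nil, errors.New("destination port does not match the query's source port")
	}
	if r.From != q.Server {
		return nil, errors.New("reply from a server that was not asked")
	}
	if !strings.EqualFold(r.QName, q.Name) || r.QType != q.Type {
		return nil, errors.New("question section does not match")
	}
	all := make([]RR, 0, len(r.Answers)+len(r.Additional))
	all = append(all, r.Answers...)
	all = append(all, r.Additional...)
	var kept []RR
	for _, rr := range all {
		// A record for a name in some other zone, slipped into the additional
		// section, is exactly the "bad information" a cache must not absorb.
		if inBailiwick(rr.Name, q.Bailiwick) {
			kept = append(kept, rr)
		}
	}
	return kept, nil
}

// sampleQuery and sampleResponse are constructed test data.
func sampleQuery() PendingQuery {
	return PendingQuery{ID: 0x1a2b, SrcPort: 40123, Server: "192.0.2.53",
		Name: "www.example.com.", Type: "A", Bailiwick: "example.com."}
}

func sampleResponse() Response {
	return Response{ID: 0x1a2b, DstPort: 40123, From: "192.0.2.53",
		QName: "www.example.com.", QType: "A",
		Answers:    []RR{{Name: "www.example.com.", Type: "A", Value: "192.0.2.10", TTL: 300}},
		Additional: []RR{{Name: "ns.other.test.", Type: "A", Value: "198.51.100.1", TTL: 86400}}}
}

func main() {
	q := sampleQuery()
	cache := map[string]RR{}
	kept, err := Accept(q, sampleResponse())
	for _, rr := range kept {
		cache[rr.Name+"/"+rr.Type] = rr
	}
	fmt.Println("genuine reply: cached", len(cache), "record(s), error:", err)
	// A reply with the right transaction ID but the wrong port is rejected.
	forged := sampleResponse()
	forged.DstPort = 53
	_, err = Accept(q, forged)
	fmt.Println("mismatched reply:", err)
}
```

The patch Matt refers to does not change the protocol; it makes the port check meaningful by having the resolver pick its source port at random, which is why the fix is deployed on the recursive servers that enterprises and ISPs run and not on the authoritative servers that answer them.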

Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
