
September 29, 2008

Credit Limits for Security

The Consumerist has become part of my daily security reading. Frauds are often apparent to the consumer before they are apparent to the business that was compromised.


A common consumer complaint is the enormous bill for services. The $50,000 cell phone bill, or the $6500 bill for Internet services.


Attempting to collect on such accounts is not likely to succeed for very long. Even if the business succeeds in the courts the consumers will ultimately prevail in Congress. And in the process large numbers of customers will refuse to open an account at all because they are worried that they might be subjected to a similar punitive bill.


Assuming that allowing consumers to run up such bills is not intentional on the part of the business, shouldn't per-account credit limits be a standard business practice? In addition to avoiding unpleasant public relations disasters, companies might find that they uncover frauds more quickly than they might otherwise.


And it would certainly help make consumers more confident when they open an account.
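As an added illustration of the per-account limit suggested above (this is example code, not anything from the original post or from any billing vendor), the following applies a credit limit to a stream of service charges, warns before the limit is reached and refuses further charges once it would be exceeded. The account ids, limits and charge amounts are constructed sample data.

```python
"""
Added example, not code from the original post: a per-account credit limit
enforced on a stream of service charges, as the post proposes for phone and
Internet billing. Account ids, limits and charge amounts below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    credit_limit: float         # maximum unbilled charges allowed per billing cycle
    warn_fraction: float = 0.8  # raise an early alert at 80% of the limit
    balance: float = 0.0
    warned: bool = False
    blocked: bool = False


class CreditLimiter:
    """Accumulates charges per account and refuses further service once the
    credit limit would be exceeded, recording alerts for the fraud desk."""

    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}
        self.alerts = []        # (account_id, kind, amount) audit trail

    def charge(self, account_id, amount):
        """Returns "accept", "warn" or "block" for one charge."""
        acct = self.accounts[account_id]
        if acct.blocked:
            return "block"
        if acct.balance + amount > acct.credit_limit:
            # Refuse before the charge is incurred instead of billing it later.
            acct.blocked = True
            self.alerts.append((account_id, "limit_exceeded", acct.balance + amount))
            return "block"
        acct.balance += amount
        if not acct.warned and acct.balance >= acct.warn_fraction * acct.credit_limit:
            # Early warning: a sudden jump toward the limit is where a
            # compromised account or a billing fault first becomes visible.
            acct.warned = True
            self.alerts.append((account_id, "approaching_limit", acct.balance))
            return "warn"
        return "accept"

    def close_cycle(self):
        """Start a new billing cycle: balances reset, but blocks must be
        reviewed and lifted explicitly rather than expiring on their own."""
        for acct in self.accounts.values():
            acct.balance = 0.0
            acct.warned = False


# Constructed charge stream: acct-1001 shows normal usage, acct-2002 a burst of
# identical high-value charges of the kind a compromised account produces.
SAMPLE_CHARGES = [
    ("acct-1001", 12.50),
    ("acct-1001", 30.00),
    ("acct-2002", 45.00),
    ("acct-2002", 45.00),
    ("acct-2002", 45.00),
    ("acct-2002", 45.00),
    ("acct-2002", 10.00),
]


def run_sample():
    limiter = CreditLimiter([Account("acct-1001", 100.0), Account("acct-2002", 150.0)])
    actions = [limiter.charge(acct, amt) for acct, amt in SAMPLE_CHARGES]
    return actions, limiter.alerts
```

The point of enforcing the limit at charge time rather than at the end of the cycle is the one the post makes: the burst on the second account is refused and flagged while it is happening, instead of surfacing as a punitive bill weeks later.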

September 22, 2008

Behind the jargon

A strange thing happened over the weekend. Suddenly the blogosphere was awash with pundits speculating on the relative merits of equity stakes, warrants or senior debt as alternatives to the Paulson bailout plan. Then this morning much of the same discussion has made it to the mainstream press.


What is strange here is not what is being debated but that a debate is taking place at all. Subject matter that a week ago was considered so obscure that even the anchors on CNBC would have to feign ignorance so that the 'experts' could explain it to them is now the talk of every water cooler and coffee shop.


So what would it take to make people consider computer security with the same degree of care and attention? Perhaps it's best we don't find out.

September 19, 2008

Following the herd

Perhaps the most important skill a security specialist needs is the ability to ask what might appear to be a stupid question.

  • This new firewall you spent $100,000 on, is it actually configured to reject any traffic?

The reason this comes to mind is the current financial crisis, which commentators appear to agree was due to a widespread failure to correctly quantify risk. In particular it appears that at least some of the frighteningly clever derivative instruments involved were so frighteningly clever that nobody could quite explain them.


How did things get like this?


Well, someone has a bright idea selling futures in diesel powered nuns. They mention it to a friend who thinks it might be a good idea to buy. Others follow suit and a market is born. In practice this means that a twenty-something chap or chapess with a second class degree in PPE or classics from Oxford and a smart suit makes money for their employer by being slightly quicker to spot market trends and lay ten million dollar bets on diesel powered nunnery than the twenty something from Cambridge in the bank next door.


People who ask what a diesel powered nun is will receive a condescending lecture on the difficulty of understanding high finance instead of an explanation. But most people will not ask and many will take a perverse pride in their ignorance.


Nobody will ask that is, right up to the point where the whole artifice collapses and the flaws become obvious.

September 18, 2008

Zero Overhead Security

Perhaps the biggest challenge in Information Security today is usability. However good the cryptography is, it does no good unless the user is prepared to actually use it.


Everyone agrees that usability is good, but very few people agree on what usability is. And no, the answer is not 'get a Mac'. I do have a MacBook Air, I like the hardware, but I don't see a tremendous difference in usability between OS X and Vista. And neither system allows me to send secure email with the same ease of use as insecure email.


Usability testing is a great way to determine user acceptance. Usability testing delivers an impressive return on investment for vendors because the lab testing conditions almost precisely match the conditions in the salesroom and to a lesser extent the type of testing a reviewer performs. But laboratory tests are not very effective in determining how users will behave six months later after using a system every single day.


Folk tell me that if you take 60 confused users, split them into three groups of 20 and show them different security interfaces they are all still confused. Well what did they expect?


And so for the past few months I have been thinking about ways to avoid the need to perform testing by raising the bar for security designers. We don't need to rely on security usability testing if we can add security to a system without impacting the user experience at all.


SSL is the most successful security protocol today, precisely because it is so easy to use. Visiting a secure site takes no more user effort than visiting an insecure site.


At first I was thinking of calling this approach 'zero impact'. But that does not capture the full set of requirements, as there are situations in which we want a security system to cause a modification of the user's behavior. 'Zero impact' implies that the user will never notice anything. This is one of the chief drawbacks of SSL today: the user may not notice anything at all. Hence the move to Extended Validation certificates and the 'green bar' experience.


So instead I am thinking that 'Zero Overhead' is a better description of what I think we need to achieve:

  • Configuration of the security system should be entirely automatic.
  • A security control is 'zero overhead' with respect to a particular task if and only if the number and complexity of user interactions required to perform the task under the security control are no greater than they were previously, without the security control.
  • The user should be provided with all necessary and available required information to make a decision with security consequences.

In other words, security should work in the application 'out of the box'. It should not be necessary for the user to register for a client certificate, much less renew it every year. Nor should the user be tasked with configuring Webs of trust or choosing their roots of trust. If a protocol requires these features they MUST be performed transparently without user intervention.


I believe that the last criterion is also essential, but have not quite decided if it is a separate criterion or a subordinate one. Too often the user is not given the information they need to do a job securely and 'usability' is given as the excuse. Should this be a part of the 'zero overhead' criterion or is 'inform the user' a separate criterion?

September 10, 2008

First Beam

Congratulations to CERN for achieving first beam on the LHC.


I was present at first beam for HERA and LEP. It takes a great deal to make these things work.


Update: Contrary to the claims being made in the popular press, no, this is not an atom smasher, it is a proton-proton smasher. No atoms are harmed during this experiment (unless you count ionizing hydrogen atoms in the proton beam generator). No, this is not recreating the big bang. Nor was there the slightest chance that this test would have created a mini-black hole that would eat up the earth; the beams never collided. That comes later in the year.


Folk need not worry, however, as equally energetic collisions are taking place in the upper atmosphere all the time. If 80 GeV electron-proton collisions were sufficient to create a stable black hole we would have been eaten up years ago.


Update II: Yes, LEP was an electron-proton smasher, the Large Hadron Collider is just protons. It is actually the same tunnel. My point was that you can accelerate leptons or hadrons with a synchrotron like the ones at DESY or CERN. An atom has no charge, so it is going to be difficult to accelerate. There are still a few atom smashers around, but most of the physics of atoms is known. The LHC is designed to study particles at much smaller scale.

September 8, 2008

Untrustworthy information

United Airlines shares plummeted to 1 cent this morning after news that the company was in bankruptcy.


Only problem was, the report was untrue.


We don't yet know the source of this misinformation, whether it was a mistake or a deliberate plot to manipulate the share price. But as any policeman investigating fraud knows, what happened once by accident can be made to occur repeatedly on purpose.


When the New York Times was published on paper, distribution of a fake edition would be next to impossible. Today the New York Times is published on the Web and if there is a difference between the online and print editions, most people will assume that the online edition is the most up to date, and therefore the most trustworthy.


We have cryptography for bank transactions but almost none of the information channels that people receive financial information from are protected. Certainly not the New York Times, or Bloomberg or Income Securities Investor, the site cited as the source of the mistaken UAL report.


Shouldn't we start insisting on security here as well?


A final thought: in the past it has always been assumed that the threat of cyber-terrorism would come in the form of a denial of service attack or the like against the financial markets. The old anarchist strategy of 'destroy the bourse and you destroy the system'. But what if the attackers are smarter than that and instead of trying to take the NASDAQ and NYSE offline they attack it by feeding it bogus information?


Update: It appears that the stock's rapid decline was driven by stop-loss orders. The original source of the article appears to be a Chicago Sun/Sentinel story on the original UAL bankruptcy six years ago. How the story got out is still unclear. But with 27 million shares traded, lawsuits are sure to follow.

September 4, 2008

Failure of the imagination

Jim Macdonald writes on why 1,600 people died in the Titanic disaster: failure of the imagination


Before radio, lifeboats were more or less useless as rescue craft. Unless the ship was sinking in sight of another ship the choice was to go down with the ship or die of dehydration in the lifeboat. Being picked up by another vessel was highly improbable.


After radio, you could call for help. Provided there were enough lifeboats for the passengers, and rescuers were on the way, the chances of survival were good.


Similar questions are raised every time there is a natural disaster: how can the Internet help? Today a major limitation on the help possible is the fact that it takes a considerable amount of time for the Internet social structures to turn a crowd into a community. Most Internet users are looking to do the best they can to help but there is always a small number looking to game the system or to profit from a scam.


The Internet provides relief workers with plenty of information but much less actionable knowledge. A report that food and water are urgently needed in location X may be legitimate or may be the work of a hoaxer looking to make a profit by diverting scarce supplies and selling them on at extortionate prices.


If we could inject some accountability and authentication infrastructure into the Internet ahead of a disaster it would become much easier to turn information into actionable knowledge. Instead of directing an aid worker to go out on the ground and verify the claim, the request can be directed to a local co-ordinator already on the ground.
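The accountability infrastructure this post asks for, and the protected information channels the "Untrustworthy information" post above asks for, come down to the same consumer-side check: was this report produced by a source accredited ahead of time, has it been altered since, and is it current? The following is an added example of that check, not code from either post or from any relief organisation or news service. To stay within the Python standard library it uses pre-shared HMAC keys held in a registry; the source names, keys, dates and report texts are all constructed.

```python
"""
Added example, not code from the original posts: consumer-side checks that a
report comes from a source registered ahead of time, arrived unaltered, and is
not stale. The registry, keys, dates and report texts are all constructed.
"""
import hmac
import hashlib
import json
from datetime import date, timedelta

# Constructed registry of accredited sources, provisioned before any report
# is received (the "ahead of a disaster" step). Pre-shared HMAC keys keep the
# example in the standard library; a real deployment would hold public keys
# so that verifiers cannot themselves produce valid tags.
REGISTRY = {
    "coordinator-north": b"constructed-key-0001",
    "wire-service-a": b"constructed-key-0002",
}


def canonical(body):
    # Deterministic serialization so publisher and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(source, key, text, published):
    """Publisher side: build the report body and attach a tag over it."""
    body = {"source": source, "text": text, "published": published}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(envelope, today, max_age_days=7):
    """Consumer side. Returns (ok, reason). Authenticity is checked before
    freshness: a date is only meaningful once we know who asserted it."""
    body = envelope.get("body", {})
    key = REGISTRY.get(body.get("source"))
    if key is None:
        return False, "unregistered source"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("tag", "")):
        return False, "bad tag"
    published = date.fromisoformat(body.get("published", "1970-01-01"))
    if today - published > timedelta(days=max_age_days):
        return False, "stale"
    return True, "ok"


def triage(envelopes, today):
    """Split reports into actionable (authenticated and fresh) and unverified,
    which still go to a human but are not acted on directly."""
    actionable, unverified = [], []
    for env in envelopes:
        ok, reason = verify(env, today)
        (actionable if ok else unverified).append((env["body"]["text"], reason))
    return actionable, unverified


def run_sample():
    today = date(2008, 9, 8)
    good = sign("coordinator-north", REGISTRY["coordinator-north"],
                "water needed at shelter 3", "2008-09-07")
    # Altered in transit: text changed after signing, tag left as it was.
    tampered = json.loads(json.dumps(good))
    tampered["body"]["text"] = "water needed at warehouse 9"
    # Claims a registered source but was tagged with a key the registry never issued.
    wrong_key = sign("coordinator-north", b"not-the-registered-key",
                     "send all fuel to depot 7", "2008-09-08")
    # Authentic but years old: the resurfaced-story case from the UAL update.
    stale = sign("wire-service-a", REGISTRY["wire-service-a"],
                 "airline files for bankruptcy", "2002-01-01")
    # No registry entry at all.
    anon = sign("unknown-blog", b"any-key", "airline files for bankruptcy", "2008-09-08")
    return triage([good, tampered, wrong_key, stale, anon], today)
```

Only the first report is actionable; the tampered, wrongly keyed and anonymous reports fail authentication, and the old wire story, genuine as it is, fails the freshness check, which is exactly the failure that moved the UAL share price. A production version would use a signature scheme rather than HMAC so that a verifier compromised or careless with its registry cannot forge reports, and would bind the registry to whatever accreditation process the relief organisation or exchange already runs.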

September 3, 2008

Gadget crazy

For some people the complexity of a gadget is half the pleasure of it.


[Image: Ordinary_bicycle01.jpg]


In Victorian times, the ordinary bicycle (Penny Farthing) was the epitome of chic. When John Dunlop invented the pneumatic tire that made the utility 'safety' bicycle practical, the 'wheelmen' were unimpressed, but the result was bought and used by the masses.


Too many computer systems and computer-controlled systems today are gadgets rather than tools. That they work at all is the miracle. I can turn on a light switch without understanding how the generator at the power station works. Why do people imagine that a knowledge of how the Internet works should be necessary to use it?

September 2, 2008

Obsessed with power

Some politicians are becoming obsessed with power.


Electrical power that is. And in particular the fragility of much of the US electricity distribution infrastructure.


Take out the Internet for a week and there would be complaints. Take out electricity for a week and the police will start worrying about the possibility of riots. And it goes without saying that without electricity there is no Internet. Even if the major Internet hubs have backup power, the local loop distribution does not. Cable companies have never needed to worry about being able to deliver their service when the power is out.


The reverse is not necessarily true. A failure of the Internet would not necessarily result in power outages. But a failure of Internet security might. The control systems of many power stations are hooked up to the Internet. And even when the systems are supposedly air-gapped, penetration testing has tended to result in the discovery that they are not.