Moving Home

Right, after months of inactivity and struggle with Blogger, I have moved myself to Wordpress:
http://stephanfreeman.wordpress.com

I've had all sorts of problems here and have decided that I'll be more able to update my blog from there.

Hope to see you soon!

Webamil insecurity

There are reports today that Google is considering quitting China after many Gmail accounts were hacked, belonging to human rights activists, both inside and outside China, apparently by the Chinese government. This poses an interesting question: how many people using Gmail or any other free, web-based mail system, are sending and receiving information that they consider confidential, with little or no idea about whether their accounts are secure.

You get what you pay for
It’s true: if you don’t pay for a service, why should you have any expectation that the provider is under any obligation to you? If you look at Microsoft’s “Terms of Service” for Hotmail, it clearly states that it provides no warranties for the service. In addition, the content may be stored pretty much anywhere in the world. So, how can people assess the risk of storing confidential information in these systems?

Auto forwarding mail
I have also come across people who automatically forward all of their work emails to an external Gmail or Hotmail account as they find it easier to use than the company-provided mail system. It might have more features; have a prettier user interface; whatever... However, this could potentially create a serious headache for the company or organisation concerned. Authentication to web-based mail systems is usually weaker, employing simple password-reset routines, where people can set their own questions (I saw one who had written, as his secret question “What is Captain Kirk’s middle name”. Not exactly the hardest thing to find out).
People routinely using webmail for very sensitive information, where the implications of disclosure include risks to people’s lives, should really reconsider whether using something like Gmail, Yahoo mail or Hotmail is a good idea in the first place.

There are a few solutions. Stick to your company’s mail system and consider using encryption, or try to use encrypted mail with webmail accounts. Encryption brings a whole new raft of issues I won’t go into here, but some companies already provide an integrated, but paid for, service to do this, like Hushmail.

But never forward email out of a company automatically to an external source without checking with your IT department first – there may be many more serious implications than you might realise.

Why patching is so important (even for Mac users)

All software has bugs. Some are never found. Some aren’t important. A few are dangerous. It is estimated that Windows XP had 40 million lines of code and Mac OS X 10.4 had about 80 million. It is sadly inevitable that some of these bugs will be exploitable by people who want to hijack your machine for their own reasons.

You might ask yourself “why?”. It’s a perfectly reasonable question. Most of us have far better things to do with their time than to try to get into other people’s computers. You might also suggest that you haven’t got anything worth stealing on your PC anyway, so even if someone did take the time to create an exploit, why bother?

There are a number of reasons for all of this, but it all boils down to one thing: money. The criminal economy on the Internet is huge. And increasing. These criminals don’t care who they target as they operate, mainly, on scale. They ensnare vast numbers of machines, unknown to their owners, to do their bidding through the use of bot nets. Essentially, they use these huge networks of computers to attack company websites and to extort protection money from them. They are also used to send spam, break encryption codes and hide child pornography. As a sideline, they also harvest personal information from the machines they infect and often steal passwords to bank accounts.

So, what can you do about it?

Patch! In Windows, make sure automatic updates are enabled. In Mac OS X, check the Software Update link from the Apple menu (more information).But not just the operating system... If you’re using a PC, download the Secunia Personal Software Inspector. It’s free and shows you all of the programs installed on your PC and whether it’s insecure.

Macs are vulnerable. Even Apple themselves recommend using anti-virus products on OS X. I personally have seen a number of Macs infected with bot nets and Apple have been slow, in the past, to update software that has known bugs in it.

Patching is no substitute for running an anti-virus scanner, but is equally as important. AV scanners will often stop an exploit from working, so it’s best to remove the vulnerable code. It’s worth bearing in mind that AV scanners will also stop things from being installed intentionally by a user of a machine if it’s infected with something.

LSE provides free anti-virus for home use to students and staff here. Other free and paid-for anti-virus products exist.

I’d be interested to know your experiences. Do you patch? Have you had problems in the past with malicious software? Send in your comments...

Web Passwords

Passwords can be a pain. There are thousands of websites across the Internet that require passwords. Traditional advice has been to use different passwords for different applications. This is plainly impossible. A typical user of the Internet probably has passwords for their MSN, Gmail, YahooMail, Flickr, Picassa, Facebook, MySpace, Bebo accounts, as well as for their bank, mobile phone company, energy company, and innumerable other sites, some of which they've probably forgotten that they signed up for.

So, instead of saying each account should have a different password, I'd suggest that the best thing to do is to have a few passwords, but to have some rules around the ones that you use regularly.

1. Always pick a good password. There's a guide here that offers some ideas.
   
2. Don't use the same password for a mail account that you used to set up a social networking account with. For example, if you use the same password for Hotmail as you do Facebook, and one or the other gets "broken in to", it's likely the other will, too. And then it's incredibly difficult to regain control of either.
   
3. Do change them occasionally.
   
4. Consider what you're protecting. Don't use the same password for all your important accounts (e.g. bank, email) and use a separate password for account for sites you're not overly bothered about (e.g. that Fraggle Rock appreciation site you signed up to)
   
5. Don't share them! I know this sounds obvious but don't let anyone else have your password – think about what you're giving the access to. This is especially true for passwords at university or in the workplace – the risk is much greater than simply to your data as it could impact the whole organisation.
   

These aren't simply theoretical risks. In the last few months, I have dealt with situations including the hijacking of a Facebook and related Hotmail account – believe me when I say that this is not easy to resolve – and several instances where people have sent their usernames and passwords to scammers.

The reason scammers want your username and password in a place like a university is because they want to send spam through the universities mail system. Unfortunately, this can lead to the whole university being blacklisted as a spammer and no-one will be able to send or receive email.

Please take care of your passwords.

Webmail Passwords

It was bound to happen. Large lists of account details have been leaked that were compromised through phishing, where the owners of the accounts replied to emails requesting their passwords and, in some cases, the login details to alternative accounts. We put out a message at LSE fairly frequently that people should never hand out their usernames and passwords to anyone – hopefully a fairly unambiguous statement. And yet, we still get people doing it.

I have tried to do a little research into why people continually reply to these messages, and the answer I usually get is that the email making the request "looked official".

If you have any ideas on how to get the message across, I'd be very interested.

Hacking Facebook

I just got pointed towards an article that shows that your Facebook account password is worth $100. It's impossible to tell whether this is genuine or not without sending $100 via Western Union to the Ukraine (and what is it about Western Union and scams??) but it does raise some interesting questions about how much people would be willing to pay to hack into someone else's account. I have had people come to me with this same issue and it's really difficult to regain control - it is a free service, after all.

More on this soon...

Digital Certificates

Lots of people have been discussing digital certificates with me lately, with several certificates having to be re-issued due to certificate chain problems. I thought I'd take the time to explain how these things work in simple terms.

Most people come into contact with certificates when either setting up a web server that uses SSL (Secure Sockets Layer) to encrypt data in transit or encrypted e-mail. The two main functions of a certificate are to provide encryption using the keys contained with them and provide assurance that the owner of the certificate is who they say they are. Certificates issued inside an organisation for solely internal use, the second point might not be so important as assurance can be gained through talking to the person who issued the certificate. However, under most circumstances, people need independent assurance that the owner is who they say they are.

Certificate Authorities

A request can be made to have a certificate digitally signed by an independent organisation (certificate authority) which people already trust, making the process of accepting a certificate as valid seamless. However, how does an end user trust the certificate authority? Surely, we still have the same problem in providing identity assurance with these organisations, otherwise we wouldn't be able trust their digital signatures? This has, in the most part, been solved by pre-installing the certificates of these organisations into applications like e-mail clients and web browsers that are likely to come across these signatures. If you want to take a look to see who you trust by default, try going into Tools -> Internet Options -> Content and click on the "Certificates…" button. One of the tabs across the top will be labelled "Trusted Root Certification Authorities". In Firefox in Windows, simply go to Tools -> Options -> Advanced -> Encryption (on a Mac, just go to Preferences -> Advanced -> Encryption) and click on the "View Certificates" button. One of the tabs will be entitled "Authorities". Different browsers and e-mail clients will have similar options.

The reason that these authorities are trusted is because they have stringent verification methods to ensure that certificates are only issued to the correct people or organisations.

However, there is a problem with this model, one which manifested itself at LSE, where a root Certification Authority changes its signing key and certificate pair to one that is not already present in all browsers or clients. The only way to automatically trust certificates signed with the Certificate Authority's new key is to manually install it, which is not recommended. Apart from the obvious danger that the person doing the installing has to do equivalent checks on the identity of the certificate to provide the same level of assurance as the other certificates in the root Certificate Authority list, having to get every client that may connect to that device is a nightmare.

It is by far safer to have certificates signed by a key that is already in the client. This is why most Certificate Authority's certificates have very long lifetimes, equivalent to the expected lifetime of the equipment of the client, to prevent manual updates.

The point of all this is that the client doesn't need to refer back to the root Certificate Authority every time it comes across a certificate signed by that particular CA. Nor do they even, necessarily, require a route back to the CA at any point, as long as the CA's credentials are held locally.

Expiry and revocation

Certificates all have an expiry date. It is assumed that the "private key" (that which is used to decrypt information or digitally sign other messages/certificates) will get compromised at some point. The more protection given to a certificate, the less likely it will be compromised and, therefore, the safer those certificates dependent on it will be. This paper describes the ways in which an organisation might protect its own certificate signing key.

If a private key does get compromised, it is possible (albeit hard) to revoke that certificate and any child certificates using a certificate revocation list (CRL) that is incorporated into the certificate itself. This process is, however, a bit flakey, as it defeats the purpose of being able to do offline verification of certificates based on locally-held, trusted credentials of CAs.