Digital Certificates

Lots of people have been discussing digital certificates with me lately, with several certificates having to be re-issued due to certificate chain problems. I thought I'd take the time to explain how these things work in simple terms.

Most people come into contact with certificates when either setting up a web server that uses SSL (Secure Sockets Layer) to encrypt data in transit or encrypted e-mail. The two main functions of a certificate are to provide encryption using the keys contained with them and provide assurance that the owner of the certificate is who they say they are. Certificates issued inside an organisation for solely internal use, the second point might not be so important as assurance can be gained through talking to the person who issued the certificate. However, under most circumstances, people need independent assurance that the owner is who they say they are.

Certificate Authorities

A request can be made to have a certificate digitally signed by an independent organisation (certificate authority) which people already trust, making the process of accepting a certificate as valid seamless. However, how does an end user trust the certificate authority? Surely, we still have the same problem in providing identity assurance with these organisations, otherwise we wouldn't be able trust their digital signatures? This has, in the most part, been solved by pre-installing the certificates of these organisations into applications like e-mail clients and web browsers that are likely to come across these signatures. If you want to take a look to see who you trust by default, try going into Tools -> Internet Options -> Content and click on the "Certificates…" button. One of the tabs across the top will be labelled "Trusted Root Certification Authorities". In Firefox in Windows, simply go to Tools -> Options -> Advanced -> Encryption (on a Mac, just go to Preferences -> Advanced -> Encryption) and click on the "View Certificates" button. One of the tabs will be entitled "Authorities". Different browsers and e-mail clients will have similar options.

The reason that these authorities are trusted is because they have stringent verification methods to ensure that certificates are only issued to the correct people or organisations.

However, there is a problem with this model, one which manifested itself at LSE, where a root Certification Authority changes its signing key and certificate pair to one that is not already present in all browsers or clients. The only way to automatically trust certificates signed with the Certificate Authority's new key is to manually install it, which is not recommended. Apart from the obvious danger that the person doing the installing has to do equivalent checks on the identity of the certificate to provide the same level of assurance as the other certificates in the root Certificate Authority list, having to get every client that may connect to that device is a nightmare.

It is by far safer to have certificates signed by a key that is already in the client. This is why most Certificate Authority's certificates have very long lifetimes, equivalent to the expected lifetime of the equipment of the client, to prevent manual updates.

The point of all this is that the client doesn't need to refer back to the root Certificate Authority every time it comes across a certificate signed by that particular CA. Nor do they even, necessarily, require a route back to the CA at any point, as long as the CA's credentials are held locally.

Expiry and revocation

Certificates all have an expiry date. It is assumed that the "private key" (that which is used to decrypt information or digitally sign other messages/certificates) will get compromised at some point. The more protection given to a certificate, the less likely it will be compromised and, therefore, the safer those certificates dependent on it will be. This paper describes the ways in which an organisation might protect its own certificate signing key.

If a private key does get compromised, it is possible (albeit hard) to revoke that certificate and any child certificates using a certificate revocation list (CRL) that is incorporated into the certificate itself. This process is, however, a bit flakey, as it defeats the purpose of being able to do offline verification of certificates based on locally-held, trusted credentials of CAs.

Trouble with unsolicited email

Many organisations have policies that state that it is unacceptable to send emails to large numbers of users either inside or outside the organisations if you don't have the recipients' consent. Mass emails present their own problems, especially with attachments. Here's a quick run down as to why.

Spam

The general term for mass unsolicited emails is "spam". The sorts of emails typically associated with spam are those for dodgy investments ("pump and dump" schemes), growth pills, religious messages, phishing attempts, viruses and everything in between. Many organisations have invested in anti-spam filtering technologies to reduce the amount of junk that they receive (see my previous posting relating to scam/phishing emails for some statistics). The technologies to identify spam is always a "best guess", using a variety of techniques, which means that some spam gets through and some legitimate emails get blocked.

At a very basic level, there are two main methods for preventing spam. Firstly, there are blacklists where servers who are known to send spam are prevented from sending any emails whatsoever to the organisation protected by anti-spam filtering. Secondly, emails that are received from "clean" servers have their content assessed to see if it matches the profile of known spam. If the score from this assessment is higher than the threshold decided upon by the protected organisation, it won't get through and, in many cases, the sender's servers are automatically added to the blacklist (or "greylist"). Rules vary for different products, but may include:

• Sending to a large number of people
  
• BCC'ing instead of sending to explicit addresses
  
• Not including a standard greeting ("Dear Sue," for example)
  
• Having a reply-to set differently to the sender's address
  

Organisation impact

A key point is that black-and greylists are shared and so if an organisation gets blacklisted it won't be able to communicate with any organisation using that black- or greylist. Members of an organisation can, quite unwittingly, get their organisation blacklisted, thereby causing a lot of inconvenience to their colleagues.

Which is why organisations take it seriously.

Data Protection

All of the discussion above is quite apart from whether the email addresses should have been collected in the first place and then used for the purpose of sending emails. If in doubt, talk to your data protection manager.

Disk Space

I also have to put a short note in here about disk space. While most modern email systems will store a single copy of an email destined for multiple recipients on an email server, as soon as the email is copied off, forwarded or archived, a copy is made and the amount of space it takes up doubles. So, mass emails that have 1MB attachments can take up significant amounts of space if sent to a large number of people. And disk space is not free.

LSE resources

If you're at the LSE and do want to send emails to large numbers of people, please see the LSE's policy on internal email communications and the Conditions of Use for IT Facilities.

Internet Explorer vulnerability

UPDATED: A lot of people have been asking me about this in the last two days and I thought I'd summarise my observations here. Please leave a comment if you think I've got something wrong or I haven't answered a particular question.

The Issue

It seems that Microsoft have had a bug in Internet Explorer 5.01 (released in November 1999) that exists right up to the latest beta of IE 8. Essentially, someone can write a web page that references a non-existent page element causing an error within IE that allows code to be run on the local machine as if it were the current user of the machine. Usually this would manifest itself by using IE to download a piece of code from a 3^rd website and silently install it, compromising the PC. (Before anyone comments that I've over simplified the problem, I have no intention to get into invalid pointer dereferencing in DHTML arrays in this blog.)

This only affects Internet Explorer – not Firefox, Safari, Opera or Chrome (although I'm still a bit sceptical about the patching regime for Chrome at the moment and am hesitant to recommend it).

Impact

Because the vulnerability essentially means that an attacker can install anything they like on your machine, anything could have been happened. I don't mean to panic people, but I honestly don't have any idea how much information or how many machines have been compromised in this way since the vulnerability was discovered.

Let's get the issue into perspective. We know that at least 10,000 websites have been compromised and, if visited with a vulnerable web browser, will infect your PC. However, given that there are approximately 110.1 million websites being operated, with a total of 550 billion web pages on the Internet, the proportion of the total affected is small.

It's also fairly safe to say that most of the "big" sites like the BBC, Microsoft, Yahoo, Google, Blogspot and other sites that have big operations behind them will very quickly find compromises in their sites and fix them – they can't afford the publicity. Those sites being compromised are the smaller sites, being hosted in a chicken shed at the end of the garden.

I'm definitely not saying this isn't an issue – it is a huge problem. However, equally, I'm not saying we should all run for the hills.

What is happening and what can I do?

Microsoft have stated that they've brought forward a patch for this problem to 1pm EST. This will hopefully solve the problem. There are a few things that you can do, in addition to patching your machine by visiting the Microsoft Update Centre. IMPORTANT: if you're using a PC supported by LSE, or any other organisation, and it's on the corporate/work network, patching should be done automatically, as it is at LSE. There is a big difference between running a personal computer and having a reliable network with several thousand on at the same time on a corporate network. Please don't change the configuration of a work PC. If in doubt, contact your support team (at LSE, these can be found here).

If using your own PC, consider the following:

• Ensure your anti-virus product is up-to-date
  
• Make sure you have a properly configured firewall on your PC
  
• Consider using a different web browser
  
• Patch regularly
  
• Only visit web sites you trust
  
• Change your passwords regularly
  
• Don't use the same password for every website
  

It's also important to note that this whole sorry episode could well be repeated next week, with another vulnerability, or in a different browser. Please be sensible when surfing the web.

I'd welcome any feedback.

UPDATED (18.55, 17/12/2008): Microsoft have released an update page. See: http://support.microsoft.com/?kbid=960714

The Twelve Scams of Christmas

I know I'm a bit late getting to this topic (Philip Virgo got there first) but I think it's worth blogging about this, too. Here is the only (?) Christmas carol to be adapted for information security:

The Twelve Scams of Christmas

Twelve Phishers phishing
Eleven Spammers spamming
Ten Bots a' herding
Nine Virus writers coding
Eight Snoopers snooping
Seven Worms a' spreading
Six Crackers cracking
Five Tro-jan Horses
Four Logic bombs
Three Software patches
Two Denials of Service
And a hacker at your back door!

Credits go to Philip Virgo, Margaret Smith (plus the other ISAF members) and the countless members of IT Services at LSE who had to endure this being actually sung to the music of "Twelve Days of Christmas".

The links go to GetSafeOnline. For more information, see the links on the right. I'll blog on each topic over the next few days.

The Anatomy of a Phishing Scam

We've been suffering from a plethora of phishing scams over the last few weeks at LSE. To put this into context, Messagelabs stop in excess of 250,000 spam e-mails from arriving at our mailboxes every week, which represents 25% of the total (1,108,000). So, when one does get through, it is a bit unusual. In the main, these don't cause a lot of disruption as most people are conditioned to ignore them. However, there's always someone who does reply and the IT department spends quite a bit of time clearing up the aftermath.

So, here is my one top tip to not getting caught:

Never, ever send your password to anyone by e-mail.

It's quite simple. No-one should ever ask you to disclose your password by e-mail and you should never, under any circumstances, give it to anyone.

What happens if you do

Here at LSE, we have a set of Conditions of Use for IT Facilities which clearly state that you shouldn't do this. Most organisations with an information security policy say the same thing. Generally, you can expect your account to be suspended as a minimum.

However, that's not all. Scammers will use the details that they have gained to abuse the account they have access to steal information and, most likely, send spam out from the account. This means that the account gets blacklisted. Which is a pain.

Phishing for Bank Details

This is obviously a subset of a much wider attempt to con people into handing out personal detail, either directly or trying to convince them that they are on a legitimate site. Many people have received e-mails, purportedly from their bank, asking them to log in by clicking a link in the e-mail and filling in all of their authentication information.

There is a simple way to avoid being duped by one of these e-mails. Never click on the links in the e-mail: always go directly to your bank by manually typing their website address in the address box of your browser.

Browser defences

On top of this, many web browsers now (or will soon) incorporate anti-phishing tools. For example, Mozilla Firefox has a feature that, if turned on, automatically blocks access to known phishing site.

If in doubt, don't click. And another tip: don't reply to these scam e-mails with some sarcastic comment: it only confirms your address and you'll end up getting more spam.

Encryption issues

Many people ask me about the issues surrounding encrypted devices and whether they can (or should) encrypt data. So, to clear up any confusion, here's my take on this issue.

First point: Encrypting data, especially on removable devices, is a good idea

Given recent events relating to the loss of sensitive data (like, the loss of nursery data on a USB stick, Government user IDs stolen from a parked car, the banks losing customer data, Number 10 staff losing their Blackberry's in China… This list is endless), it is blindingly obvious that some form of protection for data while not stored in a physically secure environment is needed. The losses actually reported are dwarfed by those that companies elect not to report. There is a great debate going on about whether companies should be compelled to report these sort of breaches under Data Protection legislation, as currently most organisations don't have to.

In addition, individuals should ensure that their own data is adequately secured. It's not just companies that have this problem. How many people store their passwords to their online banking on their laptops and then carry them around with them all over the place? And, given that most operating systems have built in encryption capabilities these days (Microsoft Windows XP and Vista do, as does Mac OS X), people should really consider turning these on.

Second point: There are lots of different applications for encryption

There's device encryption, full disk encryption, e-mail encryption, SSL encryption for websites and other types of traffic, VPNs… Plenty of different applications for very different purposes. And managing this becomes a bit of headache…

Third point: In an organisation, it's not that simple…

Having said all of the above, it would easy (but wrong) to assume that it's very simple to implement encryption in an organisation. It isn't. There are three choices: 1. Implement stand alone encryption for everyone who needs it, using a variety of different standards and without the capability to access these in the event of a disclosure requirement; 2. Implement an integrated encryption service, managing people's keys centrally (or at least having an administrative key for access in the event of a disclosure requirement), or; 3. Take the risk and don't do anything.

The trouble with option 1 is that the organisation is liable for everything that gets sent or stored from or on its systems. In the event that a request to disclose some information stored in an encrypted file or e-mail is made by the authorities, it is essential that, given the right safeguards, an organisation can access that data. If everything is set up in a standalone fashion, this becomes difficult.

Option 2, therefore, looks much more attractive, but it does come at a cost, both in terms of infrastructure and management. Many organisations opt for option 1, but ensure that each user of encryption software sign a disclosure agreement that warrants their co-operation in the event the organisation is requested for data held in a system that they, themselves, control.

Finally, option 3. I would not recommend going down this route. The Information Commissioner seems to be blowing hot and cold over the absolute requirement for device encryption, but it looks likely that principle 7 of the Data Protection Act 1998 will be breached if laptops and other personal data aren't encrypted.

Fourth point: Travelling with encrypted files

This may come as a bit of a surprise, but different countries have wildly different laws about encryption, so it is essential that people check out what the legislation is in the country that they are travelling to, in case they are accused of espionage activities (I'm not kidding!). For a comprehensive overview, the University of Tilburg, in the Netherlands, is hosting a page on the Wassenaar Arrangement. This details how different countries license the export and import of different levels of military materials. To quote:

"The Wassenaar Arrangement controls the export of weapons and of dual-use goods, that is, goods that can be used both for a military and for a civil purpose; cryptography is such a dual-use good."

As an example, I've picked Russia. It states: "A license is required for the importation of encryption facilities manufactured abroad. The export of cryptography is subjected to a tightened state control. Importers and exporters need licenses by the Ministry of Trade."

I am not a lawyer, and I suggest getting legal advice rather than ever relying on something you've read in a blog.

More information:

Surfing Safer: Advice on choosing encryption products

Laptop encryption in Russia, China

20 Years of Worms, Viruses, Trojans…..

It may come as a bit of a surprise that the first piece of malware to use the Internet to spread was released into the wild in 1988. The "Morris Worm" was written by Robert Tappan Morris, then a student at Cornell University in the US and who, embarrassingly, was the son of Robert Morris, the former Chief Scientist at the US's National Security Agency (NSA). His worm infected roughly 10% of all systems connected to the Internet at that time (bearing in mind that in 1988, the Internet had a grand total of 60,000 connections; today, this figure lies somewhere around 1.1 billion) and still holds the record for the largest percentage infection of the Internet.

Why is this relevant?

The explosion in the numbers of devices connected to the Internet has resulted in an explosion in the number of programs designed to compromise the devices connected to it. Ever since people started using the Internet, others have been trying to subvert them. It's an ongoing battle and anti-virus companies have been making large sums of money by trying to protect people from them. Sophos recently reported that they are receiving 20,000 new samples of malware every single day. And it's not the traditional e-mail attachment, promising titillating pictures of the latest B-list celeb, either; in the same report, Sophos say that they see over 16,000 new website infections every day. This means that simply by looking at a website, often from a genuine and reputable company, a machine can be infected without any interaction from the user.

It's not about fame anymore

In the good old days of virus writing, authors would write something that would throw up messages, immediately telling the user of the machine that they were infected. Some examples can be found on F-Secure's virus screenshot archive. These days, however, the whole malware space has become much darker. Viruses, worms and Trojans no longer advertise their presence but rather attempt to lurk on a users PC without their knowledge, quietly subverting the machine.

Why the shift in MO? Simple: Money.

These days, most malware is written to infect machines in order to take control of them. These "zombie" machines are then part of a "botnet", controlled by a "bot herder", who sells time on his/her botnet to the highest bidder. Essentially, these zombie machines can be used to do anything. The faster the machine and faster the Internet connection, the better. They can be used to launch "Distributed Denial of Service" attacks, where vast amounts of junk data are thrown at a particular company or website, with the intention of taking them off the net as part of an extortion exercise, or for the storage of porn. Far worse is the ability for paedophiles to store their collections on the infected PCs of unsuspecting users, allowing them to keep distance between themselves and their images.

Storm

The largest of these botnets that has been found to date is known as "Storm". According to some sources, up to 50,000,000 devices are zombies were part of Storm in September 2007. It has been reported that the bot herders running Storm were making profits of $9,600 daily, with spam being the main revenue generator.

What can I do?

Really, it comes down to ensuring your anti-virus is up to date (and this includes Mac and Linux users! I'll come on to why in another posting), ensuring your firewall is enabled and patch, patch, patch! I have been made aware of a free tool to tell you which programs installed on your PC need patching, and not just those written by Microsoft. Potentially any vulnerable component could be used to crack open the machine and zombiefy it. I really recommend downloading this application and updating those things it finds.