In this issue
The newsletter is a little short this month because of pressure of work. However the affair of the CD with 25 million bank details going missing prompted me to think some more about security.
Featured article
This month - Internet Radio
News from the web
This month in the internet world.
Security
This month's topic selected itself when 25 million names and bank details went walkabout because a lowly clerk allegedly took it into his/her head to dump names, addresses and bank details onto a CD and put it in the mail. No, I don't believe that either - more later.
Computer security is a very interesting topic because it involves both technology and social engineering. Unfortunately not many security experts are good at both of these, so we get nonsense like my bank requiring that I
- use a long password containing letters and numbers
- change it monthly
- do not write it on a post-it note and stick it on my screen.
Actually the last one is mine, but it is where the social engineering bit comes in. As I am not some sort of savant I can't do numbers 1 and 2 without writing the latest password down, thus blowing a hole in the security setup.
The difficulty with security on the Internet is that, classically, access to data should require two things:
- something I know (like a password)
- something I hold (like a keycard)
So you can find out a password or you can steal a keycard, but to gain access you have to do both, which is much more difficult. High security commercial systems have a variety of ways of dealing with both of these: card readers attached to computers in banks, USB 'dongles' and who knows what else. The classic is the bank cash machine, where the 'what I know' is a very simple four digit PIN. On its own this is a very weak password (only 10,000 possibilities), but it is acceptable because you have to have the card as well, and if you try more than a few wrong PINs the card is blocked, so guessing gets you nowhere. This is pretty much foolproof unless you are daft enough to write the PIN on the card.
Strong passwords
The problem with implementing this classic security strategy on the Internet is that there is no obvious 'what I hold' gadget that you can use. So the next best thing is the high strength password.
What do I mean by high strength? Well, your birthday or your mother's name is not high strength; these things are easy to guess and are the first things any password-cracking tool tries. A password like A4fS?*56Z is high strength because it contains no common words and draws on the full range of symbols, not just letters and numbers, so there is nothing for a cracker to do but try every combination. The problem is that unless you use it every day I defy you to remember it. You have to write it down. The social engineering bit again.
One way round this is to think of a phrase and use the first letter of every word, in upper case if the word has an odd number of letters and in lower case if it has an even number. So "There can be no white wash in the white house" becomes TCbnWwiTWH, which is not bad but contains no numbers, so maybe the rule becomes: for every third word, use the number of letters in the word instead, giving TC2nW4iT5H. The rule is not too hard to remember; you can even write the rule down somewhere, as long as you don't write down the phrase. Ideally you want a few special symbols as well but I will leave you to figure that out.
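To make the rule precise, here is an added example (not from the newsletter) that applies it mechanically in Python: first letter of each word, upper case for odd-length words, lower case for even, and the word's length in place of every third word. The phrase and the two outputs are the newsletter's own example; the brute_force_bits helper is my assumption of how to score the result, and it treats the password as a random string, which is an upper bound since anyone who knows the phrase and the rule knows the password.

```python
import math
import string


def phrase_password(phrase, digit_every=3):
    """Turn a memorable phrase into a password using the rule above.

    - keep only the letters of each word (punctuation is ignored)
    - take the first letter: upper case if the word has an odd number of
      letters, lower case if even
    - for every digit_every-th word (3rd, 6th, ...) use the word's length
      instead of a letter; digit_every=0 switches this step off
    """
    words = [''.join(ch for ch in w if ch.isalpha()) for w in phrase.split()]
    words = [w for w in words if w]
    out = []
    for i, word in enumerate(words, start=1):
        if digit_every and i % digit_every == 0:
            out.append(str(len(word)))
        elif len(word) % 2 == 1:
            out.append(word[0].upper())
        else:
            out.append(word[0].lower())
    return ''.join(out)


def brute_force_bits(password):
    """Bits of work for an attacker who knows only which character classes
    are used and tries every combination. Assumption: this is an upper
    bound; the real strength is how unguessable the phrase and rule are."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    phrase = "There can be no white wash in the white house"
    print(phrase_password(phrase, digit_every=0))   # letters only
    print(phrase_password(phrase))                  # with digits every third word
    print(round(brute_force_bits(phrase_password(phrase)), 1))
```

Note that the digit step is worth having: without it the bank's "letters and numbers" rule would reject the result, and a 10-character mixed-case string with digits is beyond what a birthday-and-pet-name dictionary will ever find.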
Beyond passwords
This would all become simpler if only there were some way of cracking the 'what I hold' piece.
There are gadgets that generate one-time passwords that are good only for a short time (typically tens of seconds to a minute). You read the password off a screen on the device and type it into the computer; since only the bank and the device can compute that code, this proves that you hold the device. These are however expensive and bulky. Apparently some banks are distributing these for access to their e-banking.
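What such a device computes is, in today's standardised form, an HMAC-based one-time password (RFC 4226 HOTP, and its time-based variant RFC 6238 TOTP): the bank and the token share a secret at enrolment, and each 30-second step yields a fresh 6 to 8 digit code. The following is an added example of both sides of that exchange in Python, not code from the newsletter or from any bank; the secret and times are the RFC test vectors, and the drift window and replay guard in verify_totp are the design choices a server-side implementer has to make.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# A real token holds a random secret shared with the bank at enrolment.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits and reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: the token side. The counter is the number of whole time
    steps since the epoch, so the code changes every `step` seconds."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, candidate, unix_time, last_accepted=-1,
                step=30, digits=6, window=1):
    """The bank side. Accept the code for the current step and `window`
    steps either side (token clocks drift). Returns the counter that
    matched so the caller can store it and refuse a replay of the same
    code, or None if nothing matched. compare_digest is constant-time, so
    the server does not leak how many digits were right."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_accepted:
            continue  # replay guard: a step that already logged in is used up
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)                 # what the token's screen shows
    print("token shows", code)
    print("bank accepts step", verify_totp(SECRET, code, now))
    print("second use", verify_totp(SECRET, code, now, last_accepted=now // 30))
```

A practitioner's caveat: the code proves possession of the device to whoever receives it, so a phishing site that relays the code to the real bank within the same step still gets in; the one-time password defeats password theft, not a live man-in-the-middle.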
In the early days of the Internet the banks decided to standardise on a smart card and a cheap card reader that would go into every PC. This was the SET project (Secure Electronic Transaction). The problem was that at that time the banks were not issuing smart cards (except in France), so the banks would have to re-issue every card and also mail out millions of card readers to every customer (most of whom at that time didn't own a PC or have an Internet connection). Oh - and every e-commerce site had to be SET-enabled.
It was pretty obvious that this is a non-starter. I have always been amazed at the millions that were squandered on this project.
Of course everyone does have a smart card now, but the card reader is a bit of an issue. Personally I would put a contactless radio chip (like the one in an Oyster card) on every credit card, then distribute small USB readers to bank customers and get the manufacturers to include them in new PCs. The project would take quite a few years, but with no card slot to get bunged up with dust and no moving parts, it would be very robust. The basic SET technology was pretty sound and could be resurrected.
Verified by Visa
Instead of this, however, the credit card networks have come up with Verified by Visa (VBV). You may have come across this when shopping online. In VBV you have a password (actually quite a weak one), which is assumed to be more secure because you don't enter it on the merchant's web site but on some third-party highly secure system. The e-commerce industry is avoiding it like the plague because the user interface is so bad that sites are losing large volumes of sales if they implement it. I have heard reports of 30% loss of sales. It has died in the US, but some UK banks are putting major pressure on their customers to use it, for example threatening fines. This is crazy.
This doesn't even solve the problem, because a very common way of stealing passwords is phishing. You must have had many mails purporting to be from various banks asking you to log in to their web site and verify your information. Of course the web sites you go to are fakes, and the information you type in is going to be used for fraudulent transactions. While they are asking you for your password and mother's maiden name they might as well ask for your VBV password while they are about it.
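The practical defence against a phishing mail is to look at where a link really goes rather than what it says. As an added example (not from the newsletter), the Python below extracts the host a browser would actually connect to and flags the usual tricks: a lookalike domain, the bank's name hidden in the userinfo part before an '@', a bare IP address, a non-ASCII homoglyph in the host, or link text that differs from the target. The trusted host www.mybank.example and the sample links are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the bank's genuine login host.
TRUSTED_HOSTS = {"www.mybank.example"}

# Constructed sample links of the kind that turn up in phishing mail:
# (href, visible link text or None).
SAMPLE_LINKS = [
    ("https://www.mybank.example/login", None),                      # genuine
    ("http://www.mybank.example@203.0.113.5/login", None),           # '@' trick
    ("https://www.mybank.example.account-verify.net/login", None),   # lookalike domain
    ("http://203.0.113.5/mybank/", "https://www.mybank.example/"),   # text differs from target
    ("https://www.myb\u0430nk.example/login", None),                 # Cyrillic 'а' homoglyph
]


def check_link(href, link_text=None, trusted=TRUSTED_HOSTS):
    """Return (ok, reason) for a link. Only the host the browser will
    connect to counts: urlsplit().hostname drops any 'user:pass@' prefix
    and the port and lower-cases the name, which is exactly the parsing the
    tricks rely on a human not doing."""
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme %r" % parts.scheme
    if not host:
        return False, "no host in link"
    if "@" in parts.netloc:
        return False, "bank name hidden before '@'; browser connects to %s" % host
    if link_text:
        shown = urlsplit(link_text.strip()).hostname
        if shown and shown != host:
            return False, "link text shows %s but target is %s" % (shown, host)
    if host.replace(".", "").isdigit():
        return False, "bare IP address %s" % host
    if not host.isascii():
        return False, "non-ASCII characters in host %r (possible homoglyph)" % host
    if host not in trusted:
        return False, "host %s is not a trusted bank host" % host
    if parts.scheme != "https":
        return False, "bank login link is not https"
    return True, "ok"


if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        ok, reason = check_link(href, text)
        print("OK  " if ok else "PHISH", href, "-", reason)
```

The same check applies to the VBV step: a genuine VBV page is loaded from the card scheme's or issuer's own host, so a VBV-looking form on any other host is the phish the paragraph above describes.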
Long-term protection
The best password control in the world is of course pointless if the data can be stolen from the merchant by some hacker. There are a large number of security controls that can and should be set up, and there is a standard which the card networks require all merchants to adhere to. This goes by the name of PCI DSS (the Payment Card Industry Data Security Standard).
However if some manager decides to download all the data onto a laptop and leave it in a taxi (much more common, by the way, than putting a CD in the post) all that security goes out of the window. The Revenue have been losing somewhere close to a laptop every 1-2 weeks, and who knows what data was on them. The disk in the mail was, according to Computer Weekly, zipped and encrypted, but anything on a laptop probably isn't.
Those CDs
OK, back to those CDs. I don't believe for one minute that a single low-level individual carried out discussions with the National Audit Office and single-handedly downloaded the data onto CDs. Lowly administrative officers just don't do this off their own bat. Lowly administrative officers are, however, often not so good at covering their own backside as more experienced bureaucrats, and so they are the ones to get hung out to dry.
If you want to read the whole correspondence plus a commentary on it, check out http://www.ministryoftruth.me.uk/tag/child-benefit/ . The conclusions, with which I totally concur, are:
- The CDs probably contained a zipped comma separated values file
- Even using some pretty basic tools, extracting the sensitive information shouldn't take more than a day or two
- EDS quoted £5,000 to do this work (according to The Telegraph)
HOW MUCH!!
£5,000 - I would say somewhere between a 500% to 1000% overcharge.
So a second cause for concern here, largely ignored, is that EDS are routinely overcharging us, the taxpayers, to an incredible degree.
The whole thing leads me to believe that the civil service has totally lost control of Information Technology. If you really believe that this same organisation should be trusted with the information required for the ID scheme then frankly you will believe anything.
Don't trust them, they are incompetent.
If you are as scared as I am of getting my data onto any more large government databases check out
News
Google announced an open standard for writing applications that run on social networking sites. Partners include Linkedin and Plaxo and MySpace but not Facebook.
Google is also developing mobile phone software, and its shares broke $700 on news that it is in talks with US networks. It has introduced the Android open-source platform for mobile devices, which is Linux-based.
In another Google story, petrol pumps throughout the USA will be connected to the internet and show Google maps to help drivers find their destination.
Microsoft is releasing a new set of web services that seem to be a sort of hybrid of software as a service: software running on your PC works with their web services to provide applications such as email and a photo library. They call it "Software plus Services".
Jerry Yang, founder of Yahoo, used to be a sort of hero of mine, but not any more. Yahoo was 'verbally lashed' by the US House Foreign Affairs Committee over its release of information to the Chinese authorities that led to a dissident being identified and arrested. "While technologically and financially you are giants, morally you are Pygmies."
Microsoft is to release Silverlight 2.0 early next year. Silverlight is the new video player plug-in. Apparently version 2.0 is a big leap forward from version 1, which is a leap forward from Windows Media Player.
A new virus appears in the form of a popup with a scantily-dressed blonde who vows to remove some clothing if you enter the sequence of letters and numbers shown as a wavy graphic. The wavy graphic is a CAPTCHA fetched from a web site somewhere, and the code you type in is relayed back so that the malware can pass a check that is supposed to prove a human is present. Social engineering taken to new heights.