Archive for the 'cracking stuff' Category


Also see the cracking stuff category on the Blindside Wiki

Qui Custodet Ipsos Custodiet?

Posted by Tom Fuller in Blindside project, IT failures, Malware, Murphy's Law, cracking stuff, threats at November 26th, 2007

Well, hope I got the Latin right. This is a bit unnerving (not this part–no application is perfect): “Antivirus software must open and inspect data in hundreds, if not thousands, of file formats. One bug in the software that does this can lead to a serious security breach. Zoller and his colleague Sergio Alvarez have been looking into this issue for the past two years and they’ve found more than 80 parser bugs in antivirus software, most of which have not yet been patched.”

“The flaws they’ve found affect every major antivirus vendor, and many of them could allow attackers to run unauthorized code on a victim’s system, Zoller said.”

It’s this part that is scary–the type of denial that has been the prelude to IT disasters for 20 years:

“Zoller says he has been criticized by his peers in the security industry for ‘questioning the very glue that holds IT security all together,’ but he believes that by bringing this issue to the forefront, the industry will be forced to address a very real security problem. Between 2002 and 2005, nearly half of the vulnerabilities that were discovered in antivirus software were remotely exploitable, meaning that attackers could launch their attacks from anywhere on the Internet. Nowadays, that percentage is close to 80 percent, he said.”

Russ Cooper, a senior scientist with Verizon Business, had some criticism for the work of n.runs. “The research almost appears to be goading criminals into ‘getting better’ at attacking vulnerabilities… hardly helpful,” he said via instant message. “There’s no doubt that the list of vulnerabilities they have already published in security products looks daunting. However, historically, we have not seen this type of vulnerability exploited.”

And if I read this right, I do not want to do business with this company at all–he seems to be saying that there’s no need to fix it until it gets hacked: “Though Cooper agrees that antivirus file parsing vulnerabilities do pose a risk, he said there are several reasons they have not yet been the focus of widespread criminal attacks. For one, criminals are already being effective enough with their current tactics, such as sending malicious e-mail attachments. A second reason is that security software tends to get more scrutiny, meaning that any vulnerability that was being exploited would be quickly patched, and that any criminal involved in an exploit would be more likely to be caught.”

Coda

Security vendors have long known about vulnerabilities in their software, said Marc Maiffret, chief technology officer with eEye digital security. “Security software is just as vulnerable as any other software,” he said via instant message. “We all hire the same developers that went to the same colleges as Microsoft and learned the same bad habits.”

Hitting the limits in the security arms race

Posted by wendyg in cracking stuff, threats at September 20th, 2007

I have a piece in today’s Guardian (“Does antivirus software have a future?”) that was suggested to me by some comments Alan Cox made on one of the ORG lists. I think there are a couple of interesting points that emerged in researching the piece:

- the difficulty of finding an approximation of the truth between the natural tendency of vendors to deny (at least in public) that there is a problem and the natural tendency of researchers and journalists to want to find one

- the genuine escalation of threats

- new technology designs (virtualization, flashable firmware, software-controlled hardware) that create new opportunities (hardware you have to physically change is inherently secure from software threats)

- confusion because names stay the same while the technologies they represent change and the press does not alter its reviewing language or habits (antivirus software doesn’t work the way it did 10 years ago, but the press still tests AV software the same way and reports on it as though signatures were the key - several people complained about this)

The next stage seems to be leveraging the same connectedness that is bringing us botnets and infected Web pages to create collaborative intelligence that can identify the ever-stealthier, ever-more-targeted threats. (I discovered only afterwards that Google has started labelling pages it thinks are infected with a warning - while I can see the logic of their doing this, it’s a little worrying about the impact on a site or its business if Google gets it wrong - I see lawsuits of green…What a wonderful world…)

wg

Monster Ball

Via the BBC: “US job website Monster.com has suffered an online attack with the personal data of hundreds of thousands of users stolen, says a security firm.
A computer program was used to access the employers’ section of the website using stolen log-in credentials. Symantec said the log-ins were used to harvest user names, e-mail addresses, home addresses and phone numbers, which were uploaded to a remote web server.”

Oops. Is anybody keeping score on these things? It’d be great to be a journalist covering this subject. Write the story once, use search and replace on the company name, hit submit.

If this is happening to companies that live or die based on their security, what do we expect to happen in situations (such as some government applications) where security is a ‘tick the box’ annoyance? Don’t get me wrong, a lot of people in government are passionate about information security–but by no means is it universal.

What are the possible consequences? Well, the story continues: “The program used to access Monster.com user data was a Trojan, which are commonly used to gain access to bank details, usernames and passwords. More than 8,000 new variants of Trojans are found each month, according to internet security specialists Sophos.

Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails. They threatened to reveal personal details unless she paid them.”

Black Hat/Defcon reports

Posted by wendyg in cracking stuff at August 19th, 2007

Meant, ages ago, to put up links to these. Some interesting work that actually deserves more detail, but… For me, the best presentations of both events were:

- the guys that hacked the RDS-TMC feeds to car GPS systems, showing these systems can be used to reroute traffic at will

- the building access control hack by Zac Franken, which showed that no matter how fancy your new biometric system is, if it relies on an aging clear-text protocol it’s no more secure than the old one

- the car hacking that makes it possible to falsify emissions reports

All seem to me to revolve around the same Blindside issue: how to ensure that the output of a computer system can be trusted. In a physical system, you have to trust the inspector. There are many more failure points in a computer system.

The links:

- Black Hat day 1

- Black Hat day 2

- Defcon day 1

- Defcon days 2-3

wg

Hacking satellite navigation…

Posted by wendyg in cracking stuff, threats at August 2nd, 2007

Tom raised the possibility of satellite failures a couple of days ago; turns out that as usual the worries were too modest. This Black Hat session features Andrea Barisani and Daniele Bianco explaining their project to hack satellite navigation systems via RDS-TMC to make them give the “victim” false information using off-the-shelf components and cheap electronics. Their presentation is beyond my technical ability to follow - a lot of detailed explanations and coding - but the point is clear enough: drivers trust the information they get from their in-car satellite navigation systems including the real-time traffic information RDS sends. Capture an hour of traffic messages, plot on Google Maps…(“Getting laid drives our research,” they say. “Your experience may differ.”)…sniff the RDS packets. Using a commercially available RDS encoder…FM transmitter…TX antenna (which got them a TSA tag for inspection on their way into the US)…AFAICT you find a channel that provides RDS-TMC and obscure it, then fake a broadcast (either on an existing channel or find an unused frequency and use that). It’s pretty involved and complicated, but you know the way these things go: it’s hard today and involves a lot of custom stuff, but the next generation just needs to download a software pack and buy a few pieces of electronics.

The overall message from Black Hat is pretty clear: over and over again people build things with little thought to security (in the case of satnav, it probably never occurred to them anyone could hijack it DESPITE Captain Midnight and HBO way back in 1980)…yet we go right on basing massive corporate/government/commerce systems on top of these things. The Web being the most notorious example, of course.

In this case, they can create accidents, weather, traffic jams…

wg

SCADA–And Why It’s Important

This is why we need you. This has jumped up in conversation with the CPNI (the Centre for Protection of the National Infrastructure), and we are confident that many hands will make light work of this:

Premise: Almost all critical industrial infrastructures and processes are managed remotely from central control rooms, using computers and communications networks. The flow of gas and oil through pipes; the processing and distribution of water; the management of the electricity grid; the operation of chemical plants; and the signalling network for railways. These all use various forms of process control or “supervisory control and data acquisition” - SCADA technology. Until recently the term SCADA was unknown outside its niche area in industry. Today it is one of the key issues for infrastructure protection.

Question: Of the 63 subject areas we explore on our wiki and here, which are directly relevant to SCADA (it might be easier to list the ones that are not)? How would emerging ICT help SCADA work better? Which emerging technologies are likely to pose a threat to SCADA systems, and how will that threat manifest itself?

If you would like to learn more about this, go here. Here is our chance to provide practical assistance to someone who wants it.

The emerging issues and their impact - a preliminary assessment

Here’s our preliminary assessment of the main categories of emerging technology issues, along with an impact rating. Each is discussed in more preliminary detail on the Blindside Wiki. We will be reporting to the Cabinet Office in mid-July on those assessed as having an impact level of 3, and need full expert descriptions by that date.

This is your chance to tell us we’re on the wrong track: to add stuff; to argue that something’s missing, over-rated or under-rated. Don’t miss it!

Category Impact (from 3/high to 1/low)
————————
CCTV 3
Convergence 3
Location-based services 3
Mobile and Pervasive Computing 3
Open Standards 3
Anonymity 3
Data breaches 3
E-Voting 3
Human rights (intersection with emerging technology) 3
Identity management 3
NHS IT 3
Non-bank payment service providers 3
People and IT 3
Mission Critical Legacy Systems 3
Rampancy: AI gone wrong 3
Surveillance society effects 3
Semantic Web 3
Self-reproducing technologies: the “GRINs” 3
- Geno- 3
- Robo- 3
- Info- 3
- Nano- 3
Social media 3
APIs 2
Bandwidth - massive wireless and cable bandwidth to the home 2
Shared Service Management 2
Ultraportable devices 2
Automated number-plate recognition (ANPR) 2
Bad sysadmin procedures 2
Bad procedures - other 2
Changes to daylight saving time in the US 2
Public sector databases on children 2
Keyloggers 2
Phishing 2
Phones as bugs 2
Technologies for Non-Repudiation 2
Underground economy servers 2
Unencrypted email 2
Biometrics - unencrypted 2
Windows Vista and other operating systems 2
Government IT projects 2
DNA terrorism 2
On demand computing (ODC) 2
Grid Computing 2
Quantum Computing 2
plus in the lower impact categories (please use the search box if you want to add to these):
Aeronautical cabin services 1
OpenDocument 1
Service-oriented architecture 1
APIs that change without warning 1
Cybercrime 1
Electronic banking 1
Fraud Websites 1
Search Engine Logs 1
Spam 1
Computing Monoculture 1
DRM and its side-effects 1
Environmental side-effects 1
Exploding Batteries 1
Optical Computing 1
User-generated content 1
Virtualisation 1
Generation C - the knowledge nomads 0

Thank you for any help, comments, suggestions.

This royal throne of kings, this sceptred isle, this… Heathrow

The chaotic present and hopeful future of information systems exists in a microcosm about 30 minutes by tube from my flat, and I daily watch a stately procession of airliners descending to Heathrow Airport, a beautiful, if not quite silent, parade. It is at Heathrow airport that the current need for better performance on every topic covered in this blog is demonstrated. It is a non-sterile testing environment and the ultimate pilot project to test the ability of information systems and information assurance to integrate modern technology to meet the needs of a mass public. You may have noticed that I ticked every category we use in assigning this blog post its proper place in our own information hierarchy. It’s not a coincidence.

Let’s walk through the daily issues faced at Heathrow from an information standpoint:

1. About half of all tickets to fly are booked via the Internet, and that information must be completely available to several very different systems immediately and be perfectly accurate.
2. Parking systems must provide availability, administrative and financial information.
3. Public transportation systems must send and receive useful information about current operations and schedule changes, and receive and use similar information from several different airport systems.
4. The logistics of welcoming, feeding, watering and moving 67.7 million people per year (and taking care of 70,000 employees) are an interesting challenge, as is maintaining 48,000 square metres of retail space. Private security, first aid, tourist information, all of these have information issues attached.
5. Oh yes–core business–mustn’t forget–90 airlines, 186 destinations, 469,000 ‘air transport movements’ (er, would that translate to flights in English?) annually. Information requirements include weather at each destination, status of all airports and traffic, passenger information (but more on that below…)
6. On-time status of flights relating to connecting flights.
7. Correlating information from HMRC (well, more the C part than the R) with the Home Office (now with both parts of the newly divorced members of what was once one) and probably discreet communications with agencies using numbers as well as initials.
8. Communicating with the Civil Aviation Authority, National Air Transport System, HM Immigration–of course I’m sure they all use the same electronic forms that grab data smoothly from Heathrow systems… right?
9. Communicating with the media–and having the capability of communicating with international media
10. Having co-ordinated disaster preparedness programmes that are up to date as well as up to snuff.

Probably missed half a dozen supremely vital information systems there… but it’s Sunday morning, so it’s okay. (Did somebody say baggage?)

Lots of things to go wrong there. Amazingly, not much does. (Did somebody say baggage–again?) That’s why when things do go wrong it’s news.

Notice they don’t have an uber-contractor trying to integrate all systems and dictate technology standards and usage. Strange, that. And I’ll bet they often use trainer-net (where some employee puts on trainers and walks information to diverse destinations). But that’s how functional communities develop–and despite grumbling and glitches, Heathrow functions as an information community: People get to destinations, planes don’t fall out of the sky. Successful information communities do seem to develop from the ground up, not the top down.

I guess the point I’m trying to make is that information systems and information assurance issues develop in an ecosystem not a vacuum. Complexity in information management is probably a geometric rather than arithmetic function relating to the number of actors involved. And yet don’t we often see government requirements for information systems that are internally oriented and indeed self-referential? The box must be this big with holes here and here, and those holes must be guarded in this way. I think more than anything else, government’s inability to get value for money from IT investment is based on this issue.

Please feel free to contribute complaints about Heathrow in the comments–I’ve suffered there myself. My praise is directed at a higher level, at finding a community that functions. Your nominations?

Point Counterpoint

Posted by wendyg in cracking stuff, unexpected consequences at March 28th, 2007

Every technology breeds its opposite. In response to a comment by Katherine Albrecht that she didn’t want anyone reading RFID tags to find out what kind of bra she is wearing, a group is working on RFID Guardian, which allows RFID tags to be selectively jammed.

Two things:

1) Ubiquitous (CA) / Pervasive (IBM) / Ambient (EU) computing creates vast, new, poorly understood and anticipated security risks

2) Any technology created and deployed will - not may - be cracked and countered in unexpected ways.

wg

RFID, passports and library books

Posted by William Heath in Murphy's Law, cracking stuff at March 15th, 2007

Further to recent conversation about RFID, we don’t like to quote the Daily Mail as a source but its 5 March story on passport cracking is worth bearing in mind:

‘Safest ever’ passport is not fit for purpose

In just four hours, the Mail hacked into a new biometric passport and stole the details a people trafficker or illegal migrant would need to set up a life in Britain. Without even opening the envelope containing the passport.

There are less fishy uses to which RFID chips can be put, like library books - even the Vatican uses them.