"Aid to the Church in Need", 2000 donors to charity, "personal details"

Not sure if the personal details obtained by hackers include CC#s, but names and addresses are certainly involved in this breach at a UK charity. A couple of interesting twists to this one, as reported at Silicon.com. First, the thieves weren’t content with just stealing the info — they used it to extort victims directly:

the hackers have used these details to contact the benefactors directly to try and extract more money

Second, the National Director of the charity makes a trenchant observation:

Apart from the obvious distress to benefactors, we’re concerned that our charity identity has been stolen. However it’s the beneficiaries, those who need the money the most, who will ultimately suffer.

In other words, get breached and your brand gets damaged. Get breached, and your revenue drops. Less money coming in means less aid to the needy going out.

Web Certificate Economics


In a comment on “Build Irony In,” Frank Hecker writes:

First, note that the “invalid certificate” message when connecting to buildsecurityin.uscert.gov using Safari is *not* because the certificate is from an unknown CA (or no CA at all); it’s because the certificate is issued to the server/domain buildsecurityin.us-cert.gov (note the dash) and thus doesn’t match the hostname you specified. So IMO at least this particular problem has less to do with the presumption that “identity needs to be ‘rooted’ at a certificate authority”; it’s more analogous to the SSH error you get when you connect to a host and the public key presented is different from what is cached at your end for that site.

Second, regarding this notion that it’s “expensive to deploy cryptographic keys, which should be cheap”: Usable SSL/TLS server certificates are now available for as low as $15 to $30 per year, comparable to the cost of the corresponding domain name; see for example LiteSSL.com and the TurboSSL offering from GoDaddy.com. I think there are still significant barriers to SSL/TLS adoption, most notably the problem with supporting the use of virtual hosts sharing a single IP address, but I think cost per se is rapidly becoming a non-issue.

Frank is absolutely correct on the first point, that the issue is a missing dash. I’ll note that, four days later, it’s not fixed, and I’d like to take a swing at why that might be. I don’t think it’s an issue of how many dollars it costs, but it is an economic issue, driven by the policies embedded in web browsers.
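To make Frank’s point concrete, here is the hostname check a browser performs after the CA chain has already validated. This is an added example, not code from the post or from Frank; the certificate names are constructed, and the matching rules follow the usual RFC 6125 style (case-insensitive, a single leading `*` wildcard covering exactly one label, never the TLD).

```python
"""Added example: why Safari rejected buildsecurityin.uscert.gov.
The browser compares the hostname it was asked for against the names in
the server certificate; a one-character difference (the missing dash) is
a mismatch no matter how trusted the issuing CA is."""
from typing import Iterable


def _label_matches(pattern: str, label: str) -> bool:
    # A wildcard may only stand in for one whole label ('*.example.com').
    return pattern == "*" or pattern == label


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or DNS SAN) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans several labels
    if "*" in p_labels[1:] or (p_labels[0] == "*" and len(p_labels) < 3):
        return False  # '*' only in the leftmost label, and never '*.com'
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches_host(cert_names: Iterable[str], hostname: str) -> bool:
    """Accept if any DNS name on the certificate matches the requested host."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed data: names a certificate for the real host would carry.
CERT_NAMES = ["buildsecurityin.us-cert.gov", "www.buildsecurityin.us-cert.gov"]


def explain(hostname: str) -> str:
    """The one-line verdict a browser's error dialog is summarising."""
    if cert_matches_host(CERT_NAMES, hostname):
        return f"{hostname}: certificate name matches"
    return (f"{hostname}: certificate issued to {', '.join(CERT_NAMES)}; "
            "hostname mismatch (not a CA or trust problem)")


if __name__ == "__main__":
    print(explain("buildsecurityin.us-cert.gov"))  # matches
    print(explain("buildsecurityin.uscert.gov"))   # mismatch: the missing dash
```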

[That issue is explained in detail after the break.]

[Update: News.com has an article on the same subject, “Browsers to get sturdier padlocks.”]


Tracking Graz (Austria)

Speaking of tracking and databases:

Mobile Landscape Graz in Real Time harnesses the potential of mobile phones as an affordable, ready-made and ubiquitous medium that allows the city to be sensed and displayed in real-time as a complex, pulsating entity. Because it is possible to simultaneously ‘ping’ the cell phones of thousands of users – thereby establishing their precise location in space at a given moment in time – these devices can be used as a highly dynamic tracking tool that describes how the city is used and transformed by its citizens. The polis is thus interpreted as a shifting entity formed by webs of human interactions in space-time, rather than simply as a fixed, physical environment. Mobile Landscape provides a platform upon which the contemporary city can register the flux and traces its self-constructing and open-ended nature.

Planespotters vs. the CIA

Ever-increasing requirements that every item be uniquely identifiable are combining with the power of the internet to invade everyone’s privacy. The Guardian (UK) has a story about how ‘planespotters’ are gathering data that allows the after-the-fact tracking of CIA torture planes. (“How planespotters turned into the scourge of the CIA.”)

Paul last saw the Gulfstream V about 18 months ago. He comes down to Glasgow airport’s planespotters’ club most days. He had not seen the plane before so he marked the serial number down in his book. At the time, he did not think there was anything unusual about the Gulfstream being ushered to a stand away from public view, one that could not be seen from the airport terminal or the club’s prime view.

The picture is an executive jet, owned by an owner of the Boston Red Sox, and used for moving people to be tortured. (“Red Sox Owner’s Jet Used for CIA Extraordinary Rendition.”) More on the story at Farber’s IP List. I’ve also covered the story in the past in “Choicepoint vs CIA.”

Just remember, when you give up privacy for a little security, it’s the CIA who suffers.

Passwords: Lessons for Japan Airlines from Harry Potter


This is weak authentication in all its glory. The password is shared by every member of a House. It is a static password, changed annually. Moreover, the fat lady’s password challenge never asks students for identity. I cannot recall any incident where a house ghost barred entrance to a student because he was a member of a different house and thus had no business entering, which could imply that facial recognition (biometric) is used. But if the house ghosts use a biometric, what’s the purpose of the password?

So writes Dave Piscitello in “Harry Potter and the Group Password.” Maybe Japan Airlines should pay attention, before someone reports “Airport Passcodes Leaked from Virus-Infected PC:”

Passcodes needed to enter secure areas at 16 Japanese airports and one in Guam have appeared on the Internet after a virus infected a computer belonging to a Japan Airlines Corp. co-pilot, the airline said Friday.

JAL has regulations regarding the downloading of sensitive corporate information to personal computers. However, the airport codes didn’t fall within this category because they are so widely known among aircrews, ground staff, maintenance workers, cleaners and other airport staff.

Oops! Too late. PS to Dave: “I feel a series coming on!”

Star Wars and Separation of Privilege

As we continue the series, illustrating Saltzer and Schroeder’s classic paper, “The Protection of Information in Computer Systems,” we come to the principle of separation of privilege.

Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key. The relevance of this observation to computer systems was pointed out by R. Needham in 1973. The reason is that, once the mechanism is locked, the two keys can be physically separated and distinct programs, organizations, or individuals made responsible for them. From then on, no single accident, deception, or breach of trust is sufficient to compromise the protected information. This principle is often used in bank safe-deposit boxes. It is also at work in the defense system that fires a nuclear weapon only if two different people both give the correct command. In a computer system, separated keys apply to any situation in which two or more conditions must be met before access should be permitted. For example, systems providing user-extendible protected data types usually depend on separation of privilege for their implementation.

Examples of this principle are hard to find in the three Star Wars movies. There are lots of illustrations of delegation of powers, but few of requiring multiple independent actions. Perhaps the epic nature of the movies and the need for heroism is at odds with separation of privileges. I think there’s a strong case to be made that heroic efforts in computer security are usually the result of important failures, and the need to clean up. Nevertheless, I committed to a series, and I’m pleased to be able to illustrate all eight principles.

This week, we turn our attention to the Ewoks capturing our heroes. When C-3PO first tries to get them freed, despite being a god, he has to negotiate with the tribal chief. This is good security. C-3PO is insufficiently powerful to cancel dinner on his own, and the spit-roasting plan proceeds. From a feeding-the-tribe perspective, the separation of privileges is working great. Gods are tending to spiritual matters and holidays, and the chief is making sure everyone is fed.


It is only with the addition of Luke’s use of the Force that it becomes clear that C-3PO is all-powerful, and must be obeyed. While convenient for our heroes, a great many Ewoks die as a result. It’s a poor security choice for the tribe.

Last week, Nikita Borisov, in a comment, called “Least Common Mechanism” the ‘Least Intuitive Principle.’ I think he’s probably right, and I’ll nominate Separation of Privilege as most ignored. Over thirty years after its publication, every major operating system still contains a “root,” “administrator” or “DBA” account which is all-powerful, and nearly always targeted by attackers. It’s very hard to design computer systems in accordance with this principle, and have them be usable.
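The two-key mechanism Saltzer and Schroeder describe above, worked through in code. This is an added example, not from the post or the paper: a secret is split between two custodians so that one key alone is uniformly random and reveals nothing, and release also insists the two keys come from distinct individuals in distinct organisations. The names and roles are constructed for the illustration.

```python
"""Added example of separation of privilege: a protection mechanism that
needs two keys, held by different people in different organisations, so
that no single accident, deception, or breach of trust is enough."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Share:
    """One of the two keys: who holds it, and which organisation they act for."""
    holder: str
    role: str
    value: bytes


def split_secret(secret: bytes, custodian_a: tuple[str, str],
                 custodian_b: tuple[str, str]) -> tuple[Share, Share]:
    """XOR-split a secret: one share is random, the other is secret XOR random.
    Each share alone is uniformly distributed, so a single lost or stolen key
    (or a single dishonest custodian) tells nothing about the secret."""
    pad = secrets.token_bytes(len(secret))
    other = bytes(s ^ p for s, p in zip(secret, pad))
    return Share(*custodian_a, pad), Share(*custodian_b, other)


def unlock(a: Share, b: Share) -> bytes:
    """Recombine only when two independent principals each present a key.
    The same person, or two people from the same organisation, cannot
    act alone; the keys are 'physically separated' in the paper's words."""
    if a.holder == b.holder:
        raise PermissionError("same individual presented both keys")
    if a.role == b.role:
        raise PermissionError("both keys held by the same organisation")
    if len(a.value) != len(b.value):
        raise ValueError("shares do not belong together")
    return bytes(x ^ y for x, y in zip(a.value, b.value))


def release_allowed(a: Share, b: Share) -> bool:
    """Policy-only check: does this pair of presenters satisfy the two-key rule?"""
    try:
        unlock(a, b)
        return True
    except PermissionError:
        return False


def demo() -> bytes:
    # Constructed data: a 'launch code' split between operations and audit.
    code = b"constructed secret"
    ops, audit = split_secret(code, ("alice", "operations"), ("bob", "audit"))
    return unlock(ops, audit)
```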

Next week, we’ll discuss the principle of open design, and then close on that question of psychological acceptability.

Estimating breach size by fraud volume

Much is being made of a press release from ID Analytics. Based on results from that firm’s fraud detection products, a conservative estimate is that one of every 1000 pieces of PII lost in a data breach results in an actual fraud. An additional finding is that the likelihood of a fraud being committed using a given piece of revealed PII is inversely proportional to the size of the breach.

These results are being spun as suggesting that large breaches are not so bad, and that the “real risk” of ID theft is low.

Well, I won’t comment on that, but the credence afforded the ID Analytics numbers cuts both ways. For example, if they are right, then the Sam’s Club breach exposed the information of about 600,000 people.

Is the Database Half-Wrong, or Half-Right?

More than 8,000 people have been mistakenly tagged for immigration violations as a result of the Bush administration’s strategy of entering the names of thousands of immigrants in a national crime database meant to help apprehend terrorism suspects, according to a study released on Thursday.

The study, conducted by the Migration Policy Institute, a research group in Washington, relied on statistics released by the Department of Homeland Security that covered 2002 to 2004. The study found that the national crime database was wrong in 42 percent of the cases in which it identified immigrants stopped by the local police as being wanted by domestic security officials.

From “Crime Database Often Wrong on Immigration, Study Finds.” (The 42%-full glass picture is from Lemonlight, who has a gorgeous photo blog.)

Friday Star Wars security blogging will be late today, and will cover separation of privilege.

0Day on Ebay

“Brand new Microsoft Excel Vulnerability:”

The lot: One 0-day Microsoft Excel Vulnerability

Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).

If that makes any sense, read the auction while you can. It’s not Gobbles, but it’s pretty funny. [Update: Gone, but not forgotten. See “Selling Vulnerabilities: Going once..” for the text.]