Tag Archives: web security

A double family hack

Hacked Mac
Credit: Willy López on Flickr

In a rather odd coincidence, both my mum and mother-in-law’s computers have been hacked in the last couple of weeks.

My mum has a Mac and once the hacker got in (we think it was through an email attachment in Hotmail), they changed the computer system settings and the language – which was quite clever because my mum just left the computer on, clicking around trying to get the language back to English. I suspect the longer the computer was left on, the longer the hacker had to make more changes on the system.

Once the hacker had control of her Hotmail account, they sent out emails saying my parents were abroad and in distress, and required some cash to get them out of trouble. The email looked 80% genuine – good enough for some of my parents’ friends to call me and ask if they were OK.

Unfortunately for my mum, I don’t know very much about Macs, let alone being able to look at an Arabic version of Mac OS and get it back to English. She had to call a computer trainer to come over and help return her computer back to normal, including installing some security software.

Hackers managed to get into my mother-in-law’s Gmail account. We still don’t know how they did this. The first we knew of it was when hackers sent an email to my wife (they didn’t email everyone in the contacts – for instance I didn’t get the email). The email didn’t look like computer generated spam, so my wife phoned her mum and recommended she change the password straight away. The password was already complex – I had set it up originally, including a capital letter, numbers and letters, punctuation and a decent length.

My mother-in-law then called a few days later to say she hadn’t received any emails since the incident. I looked at her laptop and the hackers had set up a Gmail rule redirecting all email into the Bin straight away. This was clever because it meant that for all the emails sent from her account, if someone replied to ask whether it was genuine, the reply would have gone straight to the Bin without my mother-in-law seeing it.

I guess the key takeaways are to keep changing the password regularly, and keep it complex. Never ever open attachments in emails unless you really are expecting something and it looks genuine.

The operating system vendors, Apple and Microsoft, and now mobile operating system vendors too, have a tough balancing act. They have to provide a marketplace for third parties to produce security software, but they also have a duty of care to make their systems secure for users. The argument is that if say, Microsoft, bundled anti-virus software with Windows, the third parties would be out of business within days.

However the email providers don’t have such a balancing act, and really should be prohibiting certain attachments to emails, or checking their contents properly.

Five Key Internet Megatrends: 5. Trust

Credit: http://www.flickr.com/photos/brenda-starr/3509344100/
The quest for identity management continues
Credit: http://www.flickr.com/photos/brenda-starr/3509344100/

Key points:

  • We need a Single Sign On across the web, from a truly trusted brand
  • Sellers need to know who customers are, just as much as we need to identify real retailers
  • Web sites that build a reputation score will need to transfer their data

To give you an idea of how ridiculous passwords have become, let’s look at my bank. My bank is one of the most technically advanced banks, and has created some great innovations.

I use their website banking, which uses a log in process that has been designed to deter users from using the service. It takes two screens, a physical device to generate a random number, and various other forms of identity.

And then take their mobile app. With a simple 5 digit numerical passcode, I can do almost anything I can do via the website equivalent. Either the security department went on holiday when the mobile app was released, or they came to their senses to make it easier for customers to access their account. I hope it was the latter but it was probably the former.

Passwords are one of the biggest nuisances of the Internet. Another nuisance is multiple accounts. The number of accounts we have, and continue to keep creating, has got out of control. Not only is it out of control, but we then have security experts telling us not to use the same password on multiple sites. And personally I won’t use a password manager because I fear they are all run by some spotty (but clever) teenager from his bedroom, and one day he’ll have access to lots of people’s accounts and go on a spending spree at Amazon.

If I see a website offering to use my Facebook or Twitter credentials to register or login to a website, I’ll always take the offer. It’s so much easier.

The problem with websites offering Facebook or LinkedIn or Twitter is that the social network gets to keep the customer data, not the website we’re registering with. And also, whilst I’m happy to use a social network to log me on to various websites, I’m not sure I would use Facebook connect for my healthcare or pension site.

We need a Single Sign On system across the internet from a trusted party. It needs to be trusted by both users and website owners – from my bank to the Inland Revenue (whose authentication system is extremely rigid).

Once we have the Single Sign On system, it needs to keep a track of our various reputation scores. I have an eBay account with 100% positive feedback amassed over a few years and over 500 ratings, both buying and selling. So when I join a site such as TripAdvisor, or AirBandB, that eBay should count for something.

As the Internet continues to become more complex, retailers need to know their customers are who they say they are, and can be trusted. We’ve been using SSL security certificates on the Internet for a long time now, and as a means of ensuring we are buying from a company who is who they say they are. It’s now time for the other way round – for customers to prove who they are.

This type of system is called VRM (Vendor Relationship Management). It’s all about making the Internet a level playing ground, establishing trust that we take for granted in the real world, and migrate it to the virtual one. All with the aim of being treated as a real human being rather than an IP address and cookie jar.

The Internet trust revolution – part 2

Internet_trust

Yesterday I started a two part post on trust. The UK has just experienced an abuse of trust in the food chain, and I’ll now discuss how trust works on the Internet.

The next few years will see the trusted relationship become two way. Individuals will have personal certificates to prove we are who we say we are.

Banks use a variety of physical devices to check we have our bank details and a PIN number. However If I want to vote online, I have to prove I am Bradley Howard to the government. Other companies will need to know I am definitely Bradley Howard before they’ll let me use their service or buy their products.

I went to an event this week discussing the new ‘Sharing Economy’. One of the speakers described the Sharing Economy as the third revolution of the Internet. The first revolution was e-commerce, the second was social networks and now there are marketplaces to share anything from homes (Air B&B), cars (Lyft) to tasks (Amazon Turk).

A sharing economy requires both people in the transaction to trust each other. If you book a room on Air B&B you don’t want to stay at a mass murderer’s house, and the house owner doesn’t want a mass murderer staying with them either. Both need to have a level of trust on the network – usually achieved by previous transactions being validated.

eBay did this successfully with feedback, percentage feedback, stars, Powerseller status and so on.

 

There is an opportunity here to use the trust earned on one network, such as eBay, to another site, such as Air B&B.

Otherwise you need to keep starting from scratch (i.e. untrusted) on each new site. And this may drive better behaviour across all sites because users won’t want a reputation earned over several years, eroded by silly behaviour on another sharing site.

 

How the Olympics team delivered London2012.com

Click to watch the London 2012 highlights video

The Olympics is like London buses – you don’t see anything about it for a while, and suddenly you get several opportunities at the same time.

On Monday I was very fortunate to meet with Alex Balfour, who was the Head of New Media at London 2012. If you haven’t seen Alex’s summary of London 2012 on slideshare yet, stop reading this and take a read straight away.

So I saw Alex on Monday, who for a man who has had one of the most stressful jobs in Digital Media for the last three years, didn’t look any worse for it (no grey hair or hair loss!); and this evening I was invited to an event hosted by Simon La Fosse where the guest speaker was Gerry Pennell, the CIO of London 2012.

Gerry spoke for around thirty minutes, which flew by quickly, and then there were literally dozens, dozens of questions from the audience. The thing that struck me was how each member of the audience was so polite and started off by congratulating Gerry and his team on such a successful event. This was refreshing because the IT community doesn’t congratulate one another – IT has such a high expectation that if it works, well, it’s expected to, and anything less is something to complain about.

Gerry described how important digital was such a key component of delivering the Games. Actually, he wanted to stick to ‘just’ the huge undertaking of delivering a live events service, but his presentation kept coming back to digital consumers. All wonderfully consumer focussed.

Some of the other key points he covered:

  • Just under a quarter of LOCOG’s budget went to IT
  • It was easy to motivate his team to get things done – everyone knew about the deadline, rather than many other IT organisations who have a degree of lethargy and motivation issues
  • Gerry’s teams had to create their own requirements four years ago, because the rest of the organisation didn’t know what it would want back then
  • Preparation was key. The team prepared via a large number of test events, scenario planning, disaster recovery planning, and so on
  • LOCOG knew that they were going to have a rough time with the press. He told a story about the day that the BlackBerry Messaging service went down, and a journalist in his office blamed Gerry for the outage!
  • The threat of cyber-attacks was taken extremely seriously, and some politicians were involved on this subject. There were six actual significant attacks during the Games which were dealt with, and Gerry was paid his compliments to their Content Delivery Network
  • To resolve IT issues immediately, rather than the usual IT call-fix resolution timescales, they had to ‘saturate’ the stadia with support staff and equipment – they would replace desktops and equipment rather than problem solve
  • Despite all the IT infrastructure, there is still a huge reliance on paper in the stadia – referees and other games staff wanted/ needed to have a sheet of paper. The last two Olympics have printed 50 million sheets of paper, and in London they produced 16 million. A full box of office printer paper has 2,500 sheets, so that’s still almost 6,500 boxes of paper!
  • LOCOG were shocked at the amount of mobile traffic. And this traffic wanted live results. For the first time, London was able to provide point by point score updates (as opposed to game or match results) – and the peak traffic period was the Murray final, where mobile users wanted point by point updates about the match
  • There were 40 university sandwich placements who worked for the LOCOG IT organisation. I had a sandwich placement in my third year at university, and I can only begin to imagine what an experience the Olympics must have been for these once-in-a-lifetime lucky students

Someone in the audience asked about the huge amount of data that LOCOG had collected during the summer, and whether there was a Big Data opportunity. Gerry answered that the team was disbanded straight after the Paralympics, so there wasn’t much of an opportunity or business desire (because the business was dismantled as well!)

We are seeing a world where the value of content is continually diminishing – there are so many sources of content that it’s easy to move to someone who’s giving it away for free as soon as one source starts charging. Technology also makes it easy to bypass traditional content funding models – such as the ability to fast forward during adverts on pre-recorded TV programmes.

Sport will continually increasing in value though. By its nature, it’s time sensitive, so it’s usually watched live. This makes the advertising much more valuable – for instance, think about the infamous Super Bowl ads.

This in turn makes the content more valuable – and one of the key reasons why the English Premiership’s rights rose 71% this year to over a billion pounds per season.

Sport – it’s only a game. Really???

Akamai’s latest State of the Internet report

I can’t believe it’s been two and a half years since I last wrote about the Akamai State of the Internet Report.

The latest Akamai State of the Internet report has been released and as usual it’s interesting reading. The Internet continues to grow at a fast rate, both in terms of the sheer number of users and connectivity speeds. Unfortunately the side effects of security also continue to increase.

Akamai is a huge cache network of servers that make it faster for end users to access websites, and usually cheaper for the website company.

This means that Akamai stores the pages that we visit on a server closer to our computer. So when you visit say, www.domain.com, you might go to an Akamai server to see the content rather than domain.com’s server.

Akamai serves approximately two trillion requests for Web content every day. In the second quarter of 2012, over 665 million devices with an IP address, from 242 countries/regions, connected to Akamai.

Bearing in mind that in some cases multiple individuals may be represented by a single IPv4 address (for instance everyone in your home will probably share a single IP address, and most companies work on this model too), so this is likely to equal around a billion users.

Some highlights from this quarter’s report are below.

Security

The top 3 countries with originating security attacks are (in order) China, USA and Turkey. These 3 account for 36% of the Internet’s security attacks.

Speed

The global average connection speed grew 13% to 3.0 Mbps, and the global average peak connection speed grew 19% to 16.1 Mbps

In the second quarter of 2012, average connection speeds on known mobile network providers ranged from a high of 7.5 Mbps down to 340 kbps. Average peak connection speeds for the quarter ranged from 44.4 Mbps down to 2.5 Mbps.

Mobile

For users of  mobile devices across all networks (Wifi and the various cellular data networks), Apple’s Mobile Safari accounts for approximately 60% of requests, indicating that significantly more users of iOS devices use these devices on Wi-Fi networks — heavily driven by iPad and iTouch usage.

Mobile_browsers_across_all_networks

If you look at pure cellular data, the most common web browser is Android Webkit, which indicates a significant number of iOS users only use Wifi.

Mobile_browsers

Amount of users (IP addresses)

  1. USA (142m IP addresses)
  2. China (93m)
  3. Japan (39m)
    UK is in 6th place with 26.5m
    Brazil grew the fastest – an extra 12% to 21.5m IPs

 

The full Akamai State of the Internet report can be found here.

 

Updating the voting system

Media_http26mediatumb_mdjbj
via borisjohnsonftw.tumblr.com

The low voter turnout throughout the UK for the local elections last week is a sad statistic, especially when the news is also reporting Middle Eastern states where citizens are attempting to topple dictators and replace them with democratically elected leaders.

One of the main causes of low voting turnout is that people can’t be bothered to vote, and that the vote feels too far removed from their lives.

I think the whole voting system is woefully outdated. For the last couple of centuries it was perfectly fine, and probably very efficient, to ask citizens to go to a local meeting place and vote in a private booth. However it’s now one of the only things in modern life where we have to go to a specific place, at a specific time, to do something.

We should replace the now-inefficient voting process with an electronic system.

If it’s good enough for me to file a tax return (I’m letting myself calm down before writing a blog post on that topic after the ordeal I’ve recently been through!); fill in medical advice for my local doctor; and do all of my insurance, mortgage and banking online, why can’t I vote online?

For a while, security has been the main issue, however my bank feels the web is safe enough for me to lend me a mortgage, and I’ve even leased a car online from a company which I never met.

One of the dangers for politicians is that as soon as voting becomes electronic, it could become almost too quick and easy, and the public will then want to vote for smaller issues. For instance, imagine in say, 50 years’ time, there’s a debate in Parliament which then asks MPs to vote. The MP could then ask their constituents for their opinion using the public voting infrastructure on that debate.

5 child safety online tips

Capture

I remember that when I started studying Computer Science at University (in those days it was a Polytechnic), in the first lecture we were told that at any social gathering we shouldn’t tell anyone we were studying Computer Science because the conversation would either stop immediately, or follow the route of “ah, that’s interesting, do you know how I can fix my [insert electrical item here]?

One of the questions I get asked a lot is how I help my kids stay safe online.

I’ll start these tips with the viewpoint that the Internet is 99.9% a good thing for kids. I think it’s better than television, which is a passive, brain-switch-off experience. It’s a type of entertainment as much as educational experience for children (and adults) which should be embraced.

My kids range between five and nine years old although I think this advice is useful for any children up to about twelve. Here are my top tips:

  1. Keep the family computer in a visible place. I don’t agree with kids (under twelve) having a PC in their bedroom, or for that matter, a laptop which can move around the house. We have a family computer on the corner of our living room and kitchen, so we can always glance across and see what the kids are doing.
  2. Enable fast escalation. Our kids can approach my wife or I at any time and say “Why is this happening?” on the computer and we’ll always try to help. Like anything with children, if they feel they might be told off, they won’t talk to an adult, so whatever happens online we’ll always make them aware it’s not their fault.
  3. We use free Family filtering software – the Windows Live Family Safety filter. Each of the kids has their own user accounts and we have another one for guests. Family Safety provides time limits (which we enable for weekday mornings) as well as stopping some sites. For our five year old, it’s on maximum control setting and for the nine year old it’s set to block anything adult and allow most other sites. At the moment none of the kids are allowed Facebook, although we do allow YouTube because they like listening to music and you’d be surprised how young kids don’t realise that YouTube contains videos that aren’t music related. 
  4. Using the family filtering software we regularly check their accounts (it takes seconds) and make it very clear that we check what they’ve been doing online.
  5. Stay aware of latest scams, websites and general web trends and behaviour. This is easier for our household because of my job, but my wife is still aware of most online ‘problem areas’.

Even with all these tips, my wife phoned me at work last week to say one of the girls had asked her to look at a website she’d been using. On the site, which is a Flash games-based website aimed at young girls, there is a chat functionality, and someone on the site had been chatting to our daughter and been totally vulgar.

My wife took a number of screenshots, of which part of the chat window is shown above. I contacted the website to make them aware of the incident and haven’t heard anything back from them.

I started off with these tips saying how the Internet is 99.9% a good thing for kids. Our experience highlighted that you need to be extremely vigilant of that 0.1% element.

Voice mail hacking vs website security

Thankyou1

Whilst I think the actions of the journalists at News of the World (and perhaps other ‘press’ organisations) have been totally guilty of their conduct, I find it interesting how the phone companies have managed to get away relatively unscathed.

When a website user database is hacked, the press consider the lack of security of the website to be the guilty party. In the voicemail scenario, I’ve hardly seen any commentary around the mobile phone operators.

There are two main ways of hacking voicemails:

  1. The first method is to use the remote dial in number to access voicemails, enter the phone number of the person you’re trying to gain access to, and guess the PIN code. The PIN is usually 4 digits, and companies simply ‘brute force’ their way into mailboxes. Brute force is simply a case of guessing 0000, then 0001 and so on.
  2. The second method is to clone a user’s phone number using a proxy-style service. It’s very simple – you dial a phone number (the proxy) and you’ll hear a message asking what number you want your phone number to appear to be to the person you’re about to call. You stay on the call and then enter the phone number you want to call, and the recipient sees the ‘new’ phone number you entered earlier. A number of offshoring cold call sales companies use this type of service to make it look like they are calling you from the UK. Voicemail hackers phone a proxy, enter the phone number of the person they are trying to hack, and the mobile phone voicemail thinks the incoming call is from that victim’s number (and there’s no need to enter a PIN number).

Neither of these methods are particularly elaborate. A simple Google search provides a long list of companies who offer the proxy service (although to be fair all the ones I went to said they didn’t allow the service to be run for UK phone numbers).

In my opinion, the phone companies should do the following:

  1. Every time the remote voicemail is accessed a text message should be sent to the phone number. At the very least, each unsuccessful PIN number attempt should send a text message to the mobile warning of the attempt.
  2. If the wrong PIN number is entered more than say, four times, the voicemail should be “locked”.
  3. Phone companies should be able to work out if a phone number has been cloaked (run through the proxy) more accurately.

Census completed

Logo-census-landing1

Last night I completed the census form online. If you haven’t filled in the census yet, I recommend completing it online because it will be a much quicker experience. No worrying about conditional questions such as ‘Now skip to question 7’.

The website is fast, and although I didn’t need them, there are helpful ‘bubbles’ on each questions.

Despite having many children, and the census needs to be completed for each one, the entire process took less than 10 minutes.

Well done to the Information Architect(s) and whoever implemented the website.

The next stage is voting. Why can’t we vote online? The census felt very secure (long PIN number to enter the site and SSL throughout the site). It’s 2011 – half the country should be voting online and via mobiles by now.

The next step after online voting is micro-voting. Richard Watson described this in his book, where citizens constantly vote on detailed topics. E.g. should the UK be involved in Libya? 

The step after that is where citizens of one country are able to vote on international issues – such as an English person voting on whether the US should be involved in Libya.

The technology is already here – as the census proves. Politics needs to catch up with the technology.

 

Data security: unsexy now yet soon vital

3460993750_7b81638f6d_z1

To most people the phrase ‘Data security’ is boring and irrelevant to them.

Expect over the next few years to see this being pushed higher up the marketing agendas of web sites that users register their details with.

You can already buy login details to 50,000 iTunes accounts to buy music, videos or book on these users’ accounts:

 

For merely 200 yuan ($30) a pop, an Internet user in China can purchase up to $200 worth of digital products at Apple Inc’s vast music, movie and applications vault.

Far from being a benevolent offer by the fruit-favoring giant, this offer is the result of the theft of iTunes user account details stollen by hackers who then auctioned them online.

The Global Times discovered Wednesday that about 50,000 illegal accounts are being sold at taobao.com, China’s largest online store, at prices ranging from 1 yuan to 200 yuan.

Source: http://china.globaltimes.cn/society/2011-01/609351.html

 

I predict that within the next 2 years similar lists will be available for the major social networking sites as well. These credentials don’t enable users to do a great deal at the moment, however as soon as a currency is available within the networks, these account details will become highly valuable.

The social networks need to start planning security measures quickly. Security teams need to review processes and procedures quickly.

As users, if the website ‘loses’ login data, there’s nothing that can be done. If users set long, complicated passwords it won’t work. Regularly changing a password will only help if you change your password quicker than a list has been resold.

As a developer it’s one thing being agile in a garage environment, it’s another thing when you are responsible for millions of user accounts. 

Photo courtesy of keummi