Wednesday, July 11, 2007

Insecure Bureaucracy in Germany

First it was data mining 22 million credit cards to see who had purchased access to a set of child porn sites, only to establish the obvious: the accounts had been bought with stolen credit cards. Now, declaring hacking tools illegal is nothing more than creating a bureaucratic safe haven on the local scene. And while pen-testers in Germany will be doing password cracking with paper and pen to verify that their password best practices are indeed enforced and taken seriously, script kiddies who have just compiled yet another 5GB rainbow table will have a competitive advantage by default:

"The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are not properly covered in the legislation, critics argue. Taken as read, the law might even make use of data recovery software to bypass file access permissions and gain access to deleted data potentially illegal."

The idea rests on the hope that Germany's Internet is an isolated intranet, where if no one can get access to hacking tools then no one will be able to find vulnerable hosts and actually exploit them. But the reality is that it's all a matter of perspective. By not wanting to conduct a security audit of your assets, and with the lack of any (detected) breaches, you're enjoying a nice false sense of security. This story is a great example of bureaucrats evangelizing security through obscurity on a wide scale, where every single script kiddie on the other side of the world will have access to a commodity set of pen-testing tools to showcase age-old vulnerabilities in Germany's infrastructure. Of course, you're secure in your own twisted reality, but limiting access to pen-testing tools for a security consultant, and to evil hacking programs for others, in order to improve security is not just unpragmatic, but naive as well. Here's an interview with Marco Gercke, a local expert on the topic.

This is not just an isolated case in Germany; it looks like a growing trend, following a previous discussion on whether or not German law enforcement should code and use malware on a suspect's PC, something the FBI is, by the way, already doing in the form of keyloggers to obtain passphrases that are impossible to crack, at least by brute-forcing, for PGP and Hushmail accounts. So what could be next? A law that would open up cooperation with anti-virus vendors doing business in the country, in the form of either not detecting or delaying signatures for law-enforcement-coded malware? Or law enforcement starting to bid for zero-day vulnerabilities right next to an intelligence agency, without either of them knowing who the competing bidder is?

Another bureaucratic development from the past is related to the U.K.'s perspective on how to obtain access to encrypted material without coding malware and keyloggers: by requiring that everyone provide their private encryption keys. It gets even more interesting with Australia joining the trend by using spyware on suspects.

Never let a bureaucrat do an ethical pen-tester's job.

E-commerce and Privacy

Privacy should be a main concern for everyone, not because you have something to hide, but because you deserve it; it's your right. On the other hand, the thin line between a sales department preserving your purchasing history to contact you later on, or, vice versa, to serve you better, is where the dilemma starts. Should you always have an opt-out capability, thus ruining someone's marketing data aggregation model, or should you be willing to share it in order to receive a better customer experience?

In a recently conducted study, researchers at Carnegie Mellon University came to the conclusion that people are in fact willing to pay more when their privacy is ensured, but mind you, ensured in a merchant's privacy policy only. Is this a feasible protective measure or just a compliance-centered, automatically generated text you come across on every merchant's web site? Or how harsh is reality in this case?

"The study, led by Lorrie Cranor, director of the Carnegie Mellon Usable Privacy and Security (CUPS) Lab, found that people were more likely to buy from online merchants with good privacy policies, as identified by Privacy Finder and were also willing to pay about 60 cents extra on a $15 purchase when buying from a site with a privacy policy they liked."

One of the most famous breaches of a personal data aggregator, one that really made it all over the world, was ChoicePoint, a U.S.-based personal data aggregator. Famous mainly because of the huge number of affected individuals, which doesn't mean a bigger breach hasn't already happened somewhere around the world; the thing is, across the world it is still not very popular to report a security breach, even where that is regulated by law. And perhaps even if you were willing to, you wouldn't be able to report something you're not aware of in the first place, would you? Looking at a merchant's or data aggregator's privacy policy, given you have enough experience to tell the authentic policy from the automatically generated one, you often see something like this line from ChoicePoint's privacy policy, for instance:

"Once we receive personally-identifiable information, we take steps to protect its security on our systems. In the event we request or transmit sensitive information, such as credit card information or Social Security Numbers, we use industry standard, secure socket layer ("SSL") encryption. We limit access to personally-identifiable information to those employees who need access in order to carry out their job responsibilities."

The same is the case with Amazon, eBay and the rest of the e-commerce icons. In 2007, even phishers use SSL certificates to make their spoofs look more legitimate, and, again in 2007, the majority of reported data breaches are due to laptop losses rather than network or even insider-related vulnerabilities. Therefore, even if the law requires a privacy policy, having one doesn't mean your purchasing history and personal data won't get exposed.

Common privacy assurance criteria on major merchants' sites remain:

- TRUSTe certificate
- Hackersafe check
- Compliance with industry standard security best practices

Best practices are a necessary evil, evil because what they're missing is exactly what attackers are exploiting: the pragmatic vulnerabilities to obtain the data in question, as opposed to entering the target through the main door. Back in the times of the dotcom boom, when Web 2.0's mature business models were a VC's dream come true, the overall perspective on Internet crime had to do with the concept of directly transferring funds from a bank hacked through network vulnerabilities, while in reality, from an attacker's point of view, it's far more effective to target its customers directly. It's exactly the same with e-commerce and privacy: either the merchant will store your business relationship with them and expose it, or you will somehow leak it yourself.

Whatever the case, a privacy policy is just words, and common sense obviously remains a special mode of thinking for the majority of web shoppers.

Related posts:
Afterlife Data Privacy
The Future of Privacy = Don't Over-empower the Watchers
Anonymity or Privacy on the Internet?
U.K's Telecoms Lack of Web Site Privacy
Big Brother Awards 2007
A Comparison of U.S and European Privacy Practices