Tag Archive: security


Boeing 787


Way back in 2008 there were a number of stories floating around that the new Boeing 787, the first production airframe of which was delivered this week, had a serious security weakness. It turns out that Boeing, in their infinite wisdom, had decided to not segregate the flight control systems from the seat-back entertainment systems and would, instead, firewall them from each other.

I’ve been searching online but can’t find any up-to-date information whether this architecture was changed. Some good articles on this came from Wired and Bruce Schneier’s blog. Wikipedia’s 787 entry includes the following:

The airplane’s control, navigation, and communication systems are networked with the passenger cabin’s in-flight internet systems.In January 2008, Boeing responded to reports about FAA concerns regarding the protection of the 787’s computer networks from possible intentional or unintentional passenger access by stating that various hardware and software solutions are employed to protect the airplane systems. These included air gaps for the physical separation of the networks, and firewalls for their software separation. These measures prevent data transfer from the passenger internet system to the maintenance or navigation systems.

The reference to firewalls and air gaps leads me to suspect that these systems are not fully segregated. If this is the case, I really hope that they’ve had some seriously good information security advice.Process control systems, and this is a process control system of sorts, aren’t always as well implemented as they could be. Where there is a safety-critical element, air gaps or data diodes are the only ways to go.

Designing out the vulnerabilities has to be better than retrofitting security afterwards.

I’d welcome comments from anyone, especially those who know more about the actual implementation.

Update: I’ve added another post about this here.

Advertisements

Private Emails


Michael Gove is reported to have been using his private email account and won’t reply to emails sent to his official address. There are so many reasons why this is a bad idea. Here is my (almost certainly incomplete) list just in case the Rt. Hon. Michael Gove happens to pass by:

  1. It’s not based in the UK. In fact, Google pride themselves in not telling you were the data is held (just try finding out);
  2. Google is a US-headquartered company. As per Microsoft’s announcement, the US PATRIOT Act seemingly trumps EU and UK data protection law, even if the data was in the EU;
  3. You can’t encrypt the emails at rest;
  4. There’s no guarantee that the data will be there tomorrow, as this example from Yahoo amply demonstrates;
  5. While Gmail allows you to turn on HTTPS and a form of two-factor authentication, these are optional and probably turned off;
  6. The foreign governments are alleged to have already hacked into Gmail;
  7. On occasion, email accounts have been mixed up, where one person reads someone else’s mail;
  8. These emails may not be retrievable under the Freedom of Information Act.

You only risk what you don’t value. If Mr. Gove believes the emails he receives and send to be of such low importance to put them at this sort of risk, is he the best person to be a cabinet minister?

New Airport Security Scanners


The security systems at airports are an interesting example of security “theatre”, where much of what goes on is about re-assurance rather than being particularly effective. I’ve blogged before about this and had some interesting responses, especially around the intrusiveness of current processes versus their effectiveness and where vulnerabilities lie. For obvious reasons, I won’t go in to this.

However, the TSA in the United States is rolling out a new version of their full-body scanner, apparently in response to the criticism that the old-versions were a step too far: the TSA initially denied, for example, that pictures of people’s naked bodies could be stored until several incidents emerged of security staff doing exactly that. Apparently this will be available as a software upgrade. The question is, will the UK do the same?

The new scanner overlays identified potential threats from scans over a generic diagram representing the human form and so masking who the subject is. This has to be a good thing, but like I said in my earlier post, a reliance on technology rather than using intelligence-led investigations will always lead to vulnerabilities while inconveniencing that majority of people.

I’d rather the people who would do me harm never made it to the airport.

Targeted Trojans


A very particular problem that we face is around customised malware, aka targeted Trojans. These malicious programs are written specifically to avoid detection by our current anti-virus systems and are sent to carefully selected people within the institution. The purpose of these programs can only be inferred by the recipients.

LSE uses MessageLabs to protect our inbound email, primarily to reduce  the flood of spam to as small a trickle as possible. One of the systems that MessageLabs use is something called skeptic, that tries to identify previously unseen malicious software and to block it.

We think that this has been quite successful, although it is impossible to know how many attacks have managed to get through. Using the information we get from this system, we can discuss the implications of being on the list with the people being targeted.

The uncomfortable facts are that:

  1. LSE is a major target
  2. academia is being systemically attacked by a number of groups
  3. the threat is growing all of the time

There is no foolproof way of blocking every attack, but the intelligence gained from knowing the areas of interest of the attackers allows us to focus our efforts of the people at highest risk.

If you want more information on this or are at LSE and want specific advice, please contact me.

UPDATE: Martin Lee and I are proposing doing a talk about this at the RSA Conference 2012 in San Francisco. See the teaser trailer here.


This week, LSE received a couple of calls from “Microsoft”, stating that they had detected a virus on the PC that the user was using and could they install an update. Luckily, the person they called is in our support team and she managed to string them along for a bit. We have managed to get the originating telephone number, apparently a Croatian number, and have passed it on to the Police.

It’s worth following up on these calls, which are blatant social engineering attempts and informing staff. We have had reports that Skype users are also being targeted.

Sony’s Woes


Sony continue to get attacked. Over, and over again. In different countries with different impacts. Searching Google News for “sony hack” comes up with 1880+ articles (6th of June 2011).

It seems to me that Sony don’t have an effective, consistent strategy for dealing with the security of their global online presence. These attacks have gone beyond what the attackers can achieve in terms of compromising systems and are now almost simply providing Sony’s brand and reputation a beating. Even if a script-kiddie were to deface a small-scale, country specific website, the mere fact that it happens to be a Sony site guarantees headlines.

As I have said in previous posts, the biggest change the Internet brings is that distance is no longer a factor when dealing with crime: a hack can look like it’s coming from the other side of the world when, in fact, it’s actually being performed in a coffee shop down the road.

Companies facing these types of issues really have to do some serious work in limiting the impact of future attacks. The first issue is identifying all of the targets, however tenuous a link they may have with the parent brand, and prioritise them in terms of their connectivity to back-end systems or sensitive data. Classify them and review existing controls then implement consistent controls making best use of limited security resources.

I’ve heard senior executives at various organisations state that they don’t see the point of implementing good security because they don’t believe they are a target. It’s impossible to say what motivates every hack, but it’s definitely true to say that it costs organisations less in the long run if they do things properly from the start rather than trying to bolt on security processes after a major incident.

Just look at Sony.

Student Loan Scam


There is news today of another scam, targeting students. From the article, it seems that several students fell victim to this and are several thousand pounds out of pocket. In essence, this is just another phishing scam but specifically aimed at students, offering them the possibility of a bursary if they fill in a form with their personal details.

The Student Loan’s Company have been the bait for a number of scams over the last few years.

Unfortunately, this has happened before and will happen again. The Government have put some advice up here about what to look out for and some general advice on staying safe online here.

IPv6 Challenges


There’s been a lot of discussion about the advantages of IPv6 in the press in recent months, focusing mainly on the huge increase in address space that a migration will give. But there are other features of IPv6 that are both a boon for the individual user and a headache for an IT department. Like many things, it’s a bit of a double-edged sword, one that cannot be ignored indefinitely.

The wonders of IPv4

IPv4 is one version of the “Internet Protocol“, an integral part of TCP/IP which was developed in the mid-1970s as a set of scalable communications protocols. The intention was to keep it as simple as possible, allowing any type of equipment with the right protocol stack installed to communicate with any other device, regardless of what those devices were. In those days, four billion addresses seemed like “enough”.

One of the consequences of this design strategy was to include no provision for security in general, with unencrypted networks, no authentication and any number of potential ways of attacking a victim. To be fair, in those days, people had a very different attitude to these networks; it was never envisaged that anyone would want to attack someone else. It just wasn’t “the done thing”.

Fast forward 30 years and a number of things have happened: an explosion in the number of devices connecting to the Internet, malicious software, Denial of Service attacks holding on-line companies hostage and the fear of being snooped on by anyone who has access to your data connection (anyone from the Government to Phorm).

The issue of a fast-reducing available address space was identified, and to some extent mitigated by using Network Address Translation, to allow organisations to use reserved IPv4 address ranges, (192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8) and only use a limited number of properly routable addresses on the Internet, effectively hiding the machines they have on their internal networks; all consumer equipment these days is configured to use NAT.

IPv6 – a new era

In 1998, the IETF published RFC2460 that outlined IPv6 which had a number of features not included in IPv4, including:

  • a vastly increased address space – IPv4 had a total of 4,294,967,296 addresses. IPv6 has 2128 (approximately 340 undecillion or 3.4×1038) this amounts to approximately 5×1028
    addresses for each of the 6.8 billion people alive in 2010 (taken from Wikipedia)
  • integration of IPSec, including packet authentication and encryption
  • stateless address autoconfiguration

These are real advances over IPv4. However, there are some things that companies do routinely that may become a whole lot more complicated:

Penetration testing: LSE, for example, has been allocated an IPv6 address space which has more available addresses than are available in IPv4 in total. The length of time to scan a space of this size is enormous.

Firewalling: subnetting works differently in IPv6 to IPv4 and there is provision for frequent address changes. In addition, having every outbound connection effectively opening up a VPN into an organisation’s network means that banned traffic can be transparently tunnelled through a firewall which would otherwise block it.

Deep packet inspection: this becomes very difficult if all packets are encrypted

Web filtering: again, with packet-layer encryption, how can traffic be inspected before it hits the end device?

SSL has always been difficult to monitor on IPv4 networks, with companies needing to inspect this traffic having to simulate a man-in-the-middle attack to terminate a connection from a user on a device and re-establish a secured connection to the requested resource, e.g. a bank, to create a break in the session to inspect the traffic. It’s a messy solution and doesn’t go down well with users. In a full IPv6 world, this type of challenge will be with us every day.

There’s a really great paper on some of these issues here.


I had an interesting conversation yesterday about the concept of eliminating risk completely. It seems that the population at large have been conditioned into thinking everything is safe, that nothing can befall them and, if it does, they should sue.

One great example of this is the anti-vaccine movement in the US. There’s a really interesting article in Wired about this. Essentially, a group of people including several well-known, high-profile people are trying to convince parents not to vaccinate their children against particular diseases, citing statistics that show that there is a (very low) risk of their children developing complications as a result. What they fail to understand is that the alternative represents a much higher risk of the same children having complications or dying from the disease they would otherwise be vaccinated against.

The conversation yesterday revolved around airports: as stated in previous posts, I believe that much of the security around airports is misplaced. An awful lot of money is spent on technology to detect very specific threats rather than taking a more holistic approach. The problem with having specific controls for specific threats are those threats you don’t have controls for. That’s not to say that threat-focused controls don’t have a place: of course they do.

However, where there is money that can be spent on lowering the risk, spending it on devices like the 3D body scanner may not be the most useful (which, incidentally, apparently could raise the risk of you getting cancer more than it lowers the risk of you dying in a terrorist incident) but drawing a line and saving the money isn’t the solution either.

I truly believe that we have a responsibility for lowering the likelihood of incidents happening where we can, effectively and not intrusively. And this is the perennial security problem: where do you draw the line?


Interesting news about Gawker and passwords. For those that don’t know, Gawker is a news aggregation site and seems to have been subject to some sort of attack recently whereby its entire password database seems to have been compromised. The impact of this is that lots of Twitter accounts have been hacked.

Two things are of interest here:

1. The types of user on the site are quite technically savvy, and yet still have very poor passwords

2. People are still using the same password on different sites

If you take anything away from this, please seriously consider using different passwords on different sites as if one gets hacked another becomes vulnerable. Password vaults are potential solutions to this problem, like LastPass or 1Password (recommendations from Graham Cluley of Sophos).

%d bloggers like this: