STE WILLIAMS

Are IP addresses personal data?

Let’s revisit that old chestnut: “Is an IP address you use in an internet session personal data about you?” The reason: I have just come across two legal references which relate to copyright infringement where the argument that an IP address is personal data was accepted.

The first reference I found was the Monetary Penalty Notice that ACS Law obtained (and the £200K fine that later became a £1k fine…). The company used to send ISPs a list of IP addresses suspected of being involved in breaches of copyright on a regular basis. (The company went out of business because of its poor security, which is why the eventual penalty was reduced to £1K).

In the ACS Law Monetary Penalty Notice, the Information Commissioner’s Office (ICO) clearly states:

The Commissioner understands that the data requests sent to each ISP by the data controller (in this case) were for information populating a spreadsheet containing hundreds and sometimes thousands of IP addresses. … ISPs responded to the data controller by returning the spreadsheet with all the existing data, together with the name and address of the registered account holder that they had input alongside each entry.

So the ISPs mentioned above, presumably because they have blocks of IP addresses specifically allocated to them, were able to provide a link between a requested IP address and a specific individual account-holder. In this way, the IP address formed part of the personal data each ISP had in its possession.

This point was reinforced with a judicial review concerning the Digital Economy Act 2010, where it was claimed by many organisations that some regulations enacted by Government were incompatible with a number of provisions of EU law. One part of this argument related to the Data Protection Directive (DPD) 95/46/EC.

The judgement states that, as common ground between the parties, an IP address is personal data. In detail, it states that:

It is common ground that… (various provisions in the Digital Economy Act)… are likely to require ISPs to process “personal data” within the meaning of Articles 2(a) and (b) of the DPD. The ISP must link the IP address provided by the copyright owner with an individual subscriber’s name and address, and write to them and compile lists… [that can be supplied to Third Parties – paragraph 152].

So suppose an ISP allows other organisations to capture or monitor a user’s IP address, eg, for the purpose of behavioral marketing. As the ISP is processing personal data (see above), isn’t it allowing part of the personal data under its control (eg, the IP address it has been allocated, and possibly owns, which also relates to the browsing habits of a known individual) to be used for third party marketing?

As all Tribunal determinations on third party marketing have stated that this needs the prior consent of each data subject (ie, each and every account-holder), shouldn’t the ISP be doing something to alert or protect its customers from the use of their IP addresses for third party marketing? Like getting their consent, perhaps?

Now look at the issue from the standpoint of those behavioral marketeers that arrange for a pop-up box to appear after monitoring IP addresses; for convenience, I show examples of these boxes posted on Wiki. What is the purpose of the pop-up box? Answer, of course, “marketing”.

Note that many pop-up boxes shown provide links to enable direct contact with the customer. So where organisations are using/monitoring the IP address to identify potential leads, they know that identifying information about an individual is likely to come into their possession.

If this is the case, then this too falls within the UK Act’s definition of personal data. It follows that personal data is being processed for a marketing purpose, without the data subject having been given the advance choice to opt out of the marketing purpose (eg, in a fair processing notice).

Is the release of IP addresses like the release of anonymous statistics?

There are those who would argue that an IP address, by itself, does not identify the individual. In support, they might quote recent judgements about “anonymous statistics”, which appear to suggest that the disclosure of anonymised information, extracted from personal data, is not a release of personal data.

I argue that the position on the release of these “anonymous statistics” and the position on IP addresses are not the same, and can be distinguished very easily as follows.

Consider the ProLife Alliance Freedom of Information request to the Department of Health (DoH) for the release of abortion statistics concerning the number of late-term abortions. The DoH refused the request and claimed that the requested information was personal data, the Information Commissioner said the statistics were not personal data, the Tribunal said they were personal data, and Cranston J, in his judgement published in June, agreed with the Commissioner (but on different grounds).

Cranston J argued that to consider the requested data as personal data would establish a principle, which would prevent any publication of medical statistics, however broad. To justify his position, he then went on to examine whether identifiability was likely (a) in the hands of the data controller and (b) in the hands of recipients who get the statistics.

He was satisfied that if identification in the hands of the recipient was “extremely remote”, then the information was not personal data.

Now we come to the difference that distinguishes the disclosure of statistics and the disclosure of IP addresses. With the former, the data controller might be able to identify an individual from the statistics in conjunction with other information in its possession. By contrast, the recipient of the statistical data, following the logic of Cranston J, is remote from making such an identification.

This starkly contrasts with the disclosure or capture of IP addresses. Although an individual cannot be identified from just the IP address, the user or recipient of that IP address has every intent to identify a potential customer as part of his marketing purpose.

Additionally, the holder of the IP address knows that in the hands of the ISP, the IP address definitely forms part of a collection of personal data. With statistics, this point might not be so clear-cut: for instance the public authority might create a set of statistics for release under FOI where it cannot perform the back-identification.

That is why I am increasingly drawn to the conclusion that IP addresses have to be treated as personal data by behavioral marketers, as there is a prior intent to identify the individual behind the IP address.

I am also coming to the conclusion that ISPs can do more to protect their customers from unwanted marketing, especially if they own a block of IP addresses.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/20/are_ip_addresses_personal_data/

War boffin: Killer cyber attacks won’t happen

People worried about a cyber-war should calm down and stop worrying because it will never happen, a war studies academic has said. In the paper Cyber War Will Not Take Place, Dr Thomas Rid confidently argues that hacking and computer viruses never actually kill people.

An act of war must have the potential to be lethal, says Dr Rid, of King’s College London, writing in The Journal of Strategic Studies, but hacking and cyber-attacks have much more in common with spying than, say, nuclear bombs.

He believes that although a “cyber war” conforms to the traditional definition of a two-sided conflict, a lethal one will never take place.

“The threat intuitively makes sense,” Dr Rid says. “Almost everybody has an iPhone, an email address and a Facebook account. We feel vulnerable to cyber-attack every day. Cyber-war seems the logical next step.”

But worriers are misguided: Dr Rid states that to constitute cyber-warfare an action must be a “potentially lethal, instrumental and political act of force, conducted through the use of software”. Yet, he says, no single cyber attack has ever been classed as such and no single digital onslaught has ever constituted an act of war.

He concludes: “Politically motivated cyber-attacks are simply a more sophisticated version of activities that have always occurred within warfare: sabotage, espionage and subversion.”

Wait for those deadly country-wide digital infrastructure attacks, Dr Rid, just you wait.

The paper was published in The Journal of Strategic Studies ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/20/cyber_war_wont_be_real/

Euro fraud cops crush garlic tax evaders

The European Anti-Fraud Office (OLAF) says its new whistleblowing website has helped it extinguish a cigarette-smuggling ring and sniff out falsely labelled garlic.

Since OLAF launched the internet-based Fraud Notification System last year, the number of fraud tip-offs has increased: previously, whistleblowers could leave a message on a freephone tip-line, but that system didn’t allow for any dialogue with the tipster, which made it tough to follow up clues and launch probes, OLAF said in its annual report.

With the success of the online system, the office is closing its phone line:

This [online] system has the advantage of helping OLAF better to assess the credibility of anonymous reports of corruption and fraud. It also makes abuse of the system more difficult.

In 2010, with the help of web fraud notifications, the phone line and other sources, as well as official reports from EU bodies and member states, OLAF received 983 different scraps of information on fraud, and 225 new investigative and operational cases were opened.

Particular cases that OLAF highlighted in its report included consultants selling inside information to clients so that they could bid for contracts for the delivery of goods, and irregular use of European Regional Development Funds (ERDF) in Italy.

The office also aided Spanish Customs in “dismantling the largest ever counterfeit cigarette network uncovered in the EU”, and the slightly strange case of helping Austrian Customs to “identify misdeclared garlic”.

Falsely declared garlic may be somewhat peculiar to the average reader, but it’s nothing to turn your nose up at. OLAF explained:

Importers of fresh garlic of the species Allium sativum must pay 9.4 per cent in ad valorem customs duty plus a specific duty of €1,200 per tonne. Allium sativum is the species that the general public commonly considers ‘garlic’.

The fresh version of other garlic-like species, for instance Allium ampeloprasum, only attracts a 10.4 per cent ad valorem customs duty, with no specific duty in addition. Subsequently, by misdescribing fresh garlic, the importer can avoid paying nearly €1,200 per tonne or €30,000 per container.

Now you know.

After being alerted by Austrian Customs that there was something dodgy going on with garlic imports, OLAF naturally sent two specimens of the offensive material to independent DNA labs in Italy and Germany to be tested. They were both found to have been misclassified.

At this time, OLAF realised that these labs were among only three in the whole of Europe “able to undertake the DNA testing necessary to determine the species of the garlic”, so the office shouted out to all member states to gather up their garlic and send it in so the office could arrange for testing.

While all this sounds like an extremely odd detective melodrama, the testing actually found that all the samples had been misnamed to avoid customs, which, incredibly, cost the EU around €1.6m.

It is also not the first time someone has tried to slip Allium sativum past the European authorities; earlier this year OLAF seized 144 tonnes of Chinese garlic in Poland, which had been labelled as onions to pull the same switcheroo on Customs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/20/eu_whistleblowing_system/

Google adds default end-to-end encryption to search

Google is rolling out default end-to-end encryption to people who use the site to search for images, news and general webpages, a change that will better protect search queries and results from eavesdroppers.

The SSL, or secure sockets layer, service will be offered by default to users who are signed into their Google accounts, beginning in the next few weeks, Google Product Manager Evelyn Kao wrote in a blog post published on Tuesday. The change, which will convert the default Google address to https://www.google.com (note the “s”), will encrypt search queries sent from a user’s computer to Google and the resulting links, which travel the other way. People eavesdropping on the connection won’t be able to easily read the traffic.

“This is especially important when you’re using an unsecured internet connection, such as a Wi-Fi hotspot in an internet cafe,” Kao wrote. “You can navigate to https://www.google.com directly if you’re signed out or if you don’t have a Google Account.”

The change comes 21 months after Google made SSL the default mode for Gmail and 17 months after the search behemoth introduced an SSL option for its primary search engine. A variety of other sites, namely Twitter and Facebook, quickly followed suit.

Google has also been at the forefront of the industry’s SSL conversion with research that can significantly reduce the cost of offering SSL connections, although cryptographer Nate Lawson of Root Labs has questioned whether the method, known as SSL False Start, comes with unintended security tradeoffs. The company has made SSL a priority following several sophisticated attacks on Gmail users that attempted to monitor their communications.

Noticeably absent from the default SSL party are Microsoft and Yahoo. While the companies offer some end-to-end encryption, Hotmail’s always-on SSL broke Microsoft’s own applications, the last time we checked. It’s not clear from Yahoo search results if the site’s webmail service offers always-on SSL. Neither Bing nor Yahoo offer SSL for general search.

The move to encrypt Google search queries and results by default is good news for users who want to keep such data private, but the change will have a big effect on millions of websites that count on Google to attract visitors to their pages.

Clicking on a result returned from Google’s SSL service won’t include the search terms used in the query, so webmasters will know the person arrived from Google but won’t know what terms she used to arrive at the result. This is true only when a user clicks on search results. Clicking on an ad will continue to reveal search terms, Kao said.

The change will also have no effect on the reams of personal information Google collects about its users. Google logs storing the time and queries for each search work the same under SSL as they do for unencrypted search. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/19/google_default_ssl/

Fund manager withdraws legal threat over security vuln

First State Super, the company that called the police and fired off legal threats when a security researcher notified it of vulnerabilities in its online funds management application, is reportedly softening its stance.

According to Australia’s Financial Standard, the company has decided against further legal action, and instead is setting up a meeting with Patrick Webster, who notified the company that its use of direct object references in the URL bar meant any logged-in user could view other users’ information merely by changing the ID number.

After originally welcoming the notification, the company then called police and sent legal letters threatening Webster.

The ensuing media storm, which began when Webster told his story to security podcaster Patrick Gray and was broken on his Risky Business site, has apparently helped bring about the change of heart. While the fund still needs to ensure that Webster has not retained any of the records he downloaded when crafting his proof-of-concept, FSS has now arranged a meeting with him.

However, FSS is still subject to criticism for other aspects of its response to the security breach. Its decision to notify only those users whose data was downloaded by Webster has come under fire from acting NSW Privacy Commissioner John McAteer, who believes that all of its customers should have been notified.
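The flaw described above, an insecure direct object reference where the id in the URL is trusted, is shown below as an added example that is not First State Super’s code or Webster’s proof-of-concept: a vulnerable lookup beside its hardened form, plus a scan over constructed access-log lines that flags a session walking through other members’ ids, which is the kind of check needed to know which records were actually downloaded. All names, ids and log lines are invented.

```python
"""Insecure direct object reference (IDOR) on a member-statement endpoint.

Constructed example: a toy record store, a lookup that trusts the id in the
URL, a lookup that checks ownership, and a log scan that flags sessions which
requested several ids other than their own. Names and data are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Member:
    member_id: int
    name: str
    balance: float


# Constructed sample records; not real fund data.
MEMBERS: Dict[int, Member] = {
    1001: Member(1001, "Member A", 12_500.00),
    1002: Member(1002, "Member B", 48_000.00),
    1003: Member(1003, "Member C", 3_200.00),
}


def statement_vulnerable(session_member_id: int, requested_id: int) -> Optional[Member]:
    """The flaw in the story: the logged-in user is never compared to the owner.

    session_member_id is ignored; the only check is that the record exists,
    so changing the id in the URL returns someone else's statement.
    """
    return MEMBERS.get(requested_id)


def statement_hardened(session_member_id: int, requested_id: int) -> Optional[Member]:
    """Object-level authorisation: the record must belong to the session user.

    Returning None for both 'missing' and 'not yours' avoids turning the
    endpoint into an oracle for which ids exist.
    """
    record = MEMBERS.get(requested_id)
    if record is None or record.member_id != session_member_id:
        return None
    return record


def flag_id_walking(log_lines: List[str], threshold: int = 3) -> Dict[str, List[int]]:
    """Flag sessions that requested at least `threshold` ids other than their own.

    Each line has the constructed form 'session=<member_id> GET <path>'; ids are
    read from the ?id= query parameter. Requests for ids that do not exist still
    count, since probing non-existent ids is itself a signal of enumeration.
    Returns {session: sorted foreign ids} for every session at or above threshold.
    """
    foreign: Dict[str, Set[int]] = defaultdict(set)
    for line in log_lines:
        session_part, _, path = line.partition(" GET ")
        if not session_part.startswith("session=") or not path:
            continue  # unparseable line: skip rather than guess
        session_id = session_part[len("session="):].strip()
        query = parse_qs(urlsplit(path.strip()).query)
        for raw in query.get("id", []):
            if raw.isdigit() and raw != session_id:
                foreign[session_id].add(int(raw))
    return {s: sorted(ids) for s, ids in foreign.items() if len(ids) >= threshold}


# Constructed log: member 1001 views its own statement, then walks ids 1002-1004.
SAMPLE_LOG = [
    "session=1001 GET /statement?id=1001",
    "session=1001 GET /statement?id=1002",
    "session=1001 GET /statement?id=1003",
    "session=1001 GET /statement?id=1004",
    "session=1002 GET /statement?id=1002",
    "malformed line that should be skipped",
]


if __name__ == "__main__":
    print("vulnerable:", statement_vulnerable(1001, 1002))  # leaks Member B
    print("hardened:  ", statement_hardened(1001, 1002))    # None
    print("flagged:   ", flag_id_walking(SAMPLE_LOG))       # {'1001': [1002, 1003, 1004]}
```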

The Australian Privacy Commissioner, Tim Pilgrim, has also launched an investigation into the matter. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/19/first_state_super_tones_it_down/

Trusteer scraps with analysts over ‘bank security bypass’

Trusteer continues to spar with researchers at Digit Security over claims that it might be possible to bypass Trusteer’s online banking security technology Rapport.

Digit Security said Trusteer has responded to concerns over the effectiveness of its technology with marketing claims, rather than meaningful dialogue. This is after the infosec firm presented research at the 44Con conference last month arguing that Rapport’s anti-logging technology could be ‘switched off’ using functionality built into the software.

In the presentation, and a follow-up piece in The Times, Digit Security said that shortcomings in the anti-keylogging system are the result of design weaknesses rather than security bugs as such.

Trusteer told El Reg last week that it had addressed the flaws discovered by Digit Security. It disputed whether the flaws could have ever led to practical attacks (not least because secondary protection mechanisms built into Rapport would have blocked it) and criticised Digit Security for failing to follow “responsible disclosure” guidelines by going public about a vulnerability without giving software developers adequate time to fix it.

Digit Security strongly disputes that it acted irresponsibly, saying that it provided Trusteer with complete information on its presentation at 44Con days after the event and two weeks before it released a proof-of-concept demo on 21 September. The demo used Trusteer code to decrypt keys.

“The information disclosed at 44Con related to the implementation of the anti-keylogging protections in Trusteer Rapport,” Neil Kettle of Digit Security told El Reg. “I reverse-engineered the functionality and thus demonstrated that the ability to decrypt keys was present and available to any program running on the system on both Windows and OS X.”

Kettle claimed that Trusteer had been ineffective in dealing with the threat his company had discovered. Kettle explained: “With respect to the ‘fix’ for OS X, there have been two so far that I have been able to obtain. The first of those was trivially subverted, with only minor changes to the code. The second was subverted within 30 minutes. I have not been able to verify the many Windows versions, but the last one didn’t fix anything, for instance the ‘SetWindowHookEx’ protections.”

Kettle added that Trusteer has yet to even address other aspects of Digit Security’s research, including allegations that the firm uses a rudimentary substitution cipher for “keyboard encryption”. A blog post by Digit Security explaining its continuing reservations about the effectiveness of Trusteer’s technology can be found here.

In a statement, Oren Kedem, director of product marketing at Trusteer, said it had already responded to the Digit Security original research. He said Trusteer would review further representations, providing they are shared responsibly:

Trusteer has already provided our response to Mr Kettle’s claims. If Mr Kettle believes he has additional comments on our recent fix, he is welcome to share them with us in a responsible manner and we will review and take the appropriate steps to address them.

Trusteer Rapport is a transaction security technology, a component of Trusteer’s fraud prevention system used by more than 150 financial institutions around the world to detect and block fraudulent transactions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/19/trusteer_rapport_follow_up/

Mystery over bogus Facebook login data dump

The publication on Pastebin of the supposed login details of more than 10,000 Facebook users fails to pose any security risks, at least on the social network, because the data is bogus, according to Facebook.

Newly established Nepalese hacking crew Team Swastika caused a stir when they dumped the supposed Facebook login data on Wednesday, a development picked up by security researcher Rik Ferguson of Trend Micro. However, Facebook said that no hack had taken place and that the information posted is garbage.

Facebook said in a statement:

This does not represent a hack of Facebook or anyone’s Facebook profiles. Our security experts have reviewed this data and found it to be a set of email and password combinations that are not associated with any live Facebook accounts.

In reality these emails/passwords are the result of standard phishing activities where people were tricked into giving away their credentials.

It’s unclear whether the data released is actually phishing data from an unidentified third-party site or complete garbage. Facebook’s statement would appear to preclude the possibility that the data is the fruit of a phishing scam, even a spectacularly unsuccessful and widely gamed one, against the dominant social network itself.

Team Swastika has only been around for a week but has already caused a stir by publishing database tables and user credentials that were supposedly stolen from the websites of the Indian Embassy in Nepal and the government of Bhutan using an SQL injection attack. It is unclear whether or not this data is genuine.

More commentary on the “Facebook hack” that never was, and on the appearance of yet another hacking crew can be found in a blog post by Trend Micro here. The advice on the perils of password re-use by Ferguson is worth reading despite the fact that in this particular case, the security breach advertised never took place. ®

Bootnote

Swastikas are a sacred symbol of luck in Hindu culture with their use going back centuries before the Third Reich appropriated the symbol. So the use of the term Team Swastika does not necessarily imply neo-Nazi sympathies.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/19/bogus_facebok_login_dump/

Trojan targets Mac’s built-in security defences

Malware coders have created a Mac-specific Trojan that is designed to attack anti-malware defences built into Apple’s Mac OS X operating system.

The Flashback.C trojan disables the automatic update component of XProtect, OS X’s anti-malware application, net security firm F-Secure reports. By wiping out files, the malware prevents future updates, making it more likely that the devilish code will be able to stick around for longer.

The approach mimics a tactic long seen in the world of Windows malware, where attempts to disable security software have been commonplace for years, and illustrates the growing sophistication of crooks targeting Macs with malware.

“Attempting to disable system defences is a very common tactic for malware — and built-in defences are naturally going to be the first target on any computing platform,” F-Secure notes.

The Flashback.C Trojan poses as a Flash Player installer. In reality, the malware sets up a backdoor connection to a remote host. Although currently inactive, the remote host linked to the malware might be used to push any manner of crud onto infected machines.

Previous versions of the Flashback Trojan shunned virtual machines, a technique designed specifically to frustrate anti-virus analysis. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/19/mac_trojan_attacks_apple_defences/

Report: Hacking forum is a cybercrime academy

Certain underground hacking forums are acting as training academies and tech-support networks for cybercriminals as well as creating a marketplace for a vast array of cybercrime tools, say researchers.

Database security firm Imperva has been keeping close tabs on an unnamed hacking message board with nearly 220,000 registered members since 2007. It discovered that the forum is used by hackers of varying abilities for “training, communications, collaboration, recruitment, commerce and even social interaction”. Chat rooms are filled with discussions on everything from attack planning to requests for help with specific campaigns. Newbies can use the forums to find “how-to-hack” tutorials.

Meanwhile the forum’s marketplace acts as an underground bazaar for the sale of either stolen data or attack tools. Other studies by the likes of Symantec have focused on the price of stolen credit card numbers or licensing prices for ZeuS banking Trojan toolkits, for example. Imperva by contrast has paid closer attention to the content of conversations, picking up clues about evolving hacking tactics and approaches in the process.

The forum’s discussions of electronic onslaughts increased during the four-year period of analysis, growing an average of 157 per cent year-on-year between 2007 and 2010. The most chatted-about topics in the forum between June 2010 and June 2011 were DoS and DDoS attacks, which featured in 22 per cent of discussions, followed by SQL injections (a very common technique for hacking websites), which made up 19 per cent of all chatter. A quarter of discussions over the year up to June 2011 focused on “beginners’ hacking”, with experienced members sharing how-to tutorials and discussing basic methodologies with newbies. Mobile hacking, particularly focused on the iPhone, also figured heavily in discussions.

“Studying hacker forums is important to providing insights into hacker psychology and technical strategies,” explained Imperva CTO Amichai Shulman. “Hacker forums are still not well understood by many in the security community, and we believe that studying and quantifying what happens in these online communities can lead to the development of strategies to combat cybercrime.”

Imperva’s latest Hacker Intelligence Initiative report, which was published on Monday and billed as its most comprehensive to date, can be found here.

The security outfit is careful to say that while the forum it probed is not itself typical, it does provide valuable clues about what’s happening in other less accessible and more hardcore underground forums.

Though there are many forums that are small and solely focused on committing cybercrime, we don’t have access to these. The site we examined is not a hardcore crime site, but it’s not entirely softcore either. New hackers come to this site to learn and on the other hand more experienced hackers teach to gain “street cred” and recognition. In the past, this forum has helped security researchers identify illicit cyber activity. Typically, once hackers have gained enough of a reputation they go to a more hardcore, by-invite-only forum.

Hacking forums continue to be popular hangouts even after incidents where one or two forums have been revealed as being run by hacker turncoats acting as FBI moles or even by undercover FBI agents posing as “carders”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/19/hacking_forums_exposed/

Oracle updates Java to stop SSL-chewing BEAST

Firefox developers said Tuesday that they have no plans to keep the browser from working with the Java software framework now that Oracle has released a patch that prevents it from being used to decrypt sensitive web traffic.

In a blog post published in late September and updated on Tuesday, Mozilla recommends that Firefox users update their Java plug-in to lower their chances of falling victim to attacks that silently decrypt data protected by the SSL, or secure sockets layer, protocol used by millions of websites. Firefox developers had said previously that they were seriously considering disabling the Java plug-in as a way of preventing the exploit.

Short for Browser Exploit Against SSL/TLS, BEAST was first demonstrated late last month at a security conference in Argentina, where researchers Juliano Rizzo and Thai Duong used the attack to recover an encrypted authentication cookie used to access a PayPal user account in less than two minutes. Oracle has more about the Java update here.

Their attack exploits a vulnerability in version 3.1 of SSL and version 1.0 of the SSL successor known as TLS, or Transport Layer Security. To make their code work, they needed a means to breach what’s known as the same-origin policy, a mechanism built into browsers that prevents websites set by one domain from accessing or modifying data set by another site. Rizzo and Duong ultimately employed a Java applet that exploited a same-origin policy flaw in Oracle’s software framework.

The possibility of real-world attacks that silently recovered authentication cookies, social security numbers, and other sensitive data encrypted by SSL was troubling enough to Firefox developers that they considered blocking Java plug-ins in the open-source browser. The move could have caused a variety of serious problems for users, because it would have prevented their browsers from working with virtual private networks, intranet tools, and web-conferencing applications such as Cisco Systems’ WebEx.

“We will not be blocking vulnerable versions of Java at this time, though we will continue to monitor for incidents of this vulnerability being exploited in the wild,” Mozilla said in Tuesday’s update.

But Java isn’t the only way to bypass the same-origin policy, so the patch doesn’t foreclose the possibility that Rizzo and Duong’s exploit will be carried out using other means.

“There will be other methods for doing this, so it doesn’t fix the BEAST attack itself,” Nate Lawson, a cryptographer and principal of Root Labs, told The Register. “You need a TLS/SSL fix for that.”

Firefox developers, often working with developers of Google’s Chrome browser, have experimented with other ways to stop BEAST attacks. Beta versions of Chrome, for instance, split messages into fragments to reduce an attacker’s control over the plaintext about to be encrypted.

As Lawson pointed out, a more effective fix would be for all websites and browsers to update to TLS 1.1 or SSL 3.2 or higher. Making the transition has proved extremely problematic because huge numbers of websites and browsers will fail to work as expected unless everyone upgrades all at once. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/19/oracle_patches_java/