Massive US bank breaches, and Europe

Security: Adam Shostack has been tracking the immense volume of recent bank disclosures of compromised customer data. Bruce Schneier has also commented, and an interesting question arose in his posting’s comments — why are there seemingly no similar problems with European banks?

One responder points to a WSJ article which broadly misses the point. It discusses the additional layers of security imposed by European banks above the usual username/password combo. This is true — Eurobanks generally have higher security at the ‘front gate’; for example, I recall Bank of Ireland even issued SecurID-type tokens in its earliest online banking system. However, that does nothing against the ‘insider’ attack, as in the most recent case of these 676,000 accounts, which is why I think the article misses the point.

Bruce Schneier’s take:

Personal data is 1) not collected as widely, and 2) much less valuable as a tool to commit fraud. The second reason is far more important.

I think he’s partially right. Access to new and existing accounts in the US often requires little more than an SSN or similar trivial, easily discoverable data that is shared across multiple institutions, and can be done online; whereas in Europe one needs documentary proof of address and ID, and the act must be performed in person at a bank branch. (This is often exceedingly annoying, of course. ;) In general, identity theft seems to be at a greater level in the US, and this is one reason why, I’d guess.

Adam Shostack has another take: these disclosures have all arrived on the heels of California’s SB 1386. It’s very unlikely that these kinds of breaches never occurred before this, and suddenly began recently — it’s more likely that they’ve always gone on, but are unreported in Europe (and of course were unreported in the US, pre-SB 1386).

I’d add another point — the US has a large population of targets, with banks sharing financial systems across the entire country. Europe, by contrast, has many individual countries which each have their own set of banks and banking systems, and less interoperability and cross-state data flow. The potential return from ID theft fraud is increased by the larger pool of candidate victims in the US, compared to what an attacker could achieve in each individual European country. This means both that (a) an attack will affect a smaller number of victims in Europe than the US, and (b) widening the scale of an attack becomes significantly harder when the attacker must deal with new systems. It’s the ‘security monoculture’ issue again, applied to banking instead of operating systems.


More ways malware damages internet infrastructure: DNS servers

Malware: spotted on NANOG — Six PCs caused BigPond problems:

Disconnecting six compromised personal computers on Tuesday evening eased the difficulties caused by bogus requests which clogged BigPond’s domain name servers (DNS), slowing customer e-mail and Web site access, Telstra said.

A Telstra spokesperson said the carrier had narrowed the list of malware that could have infected the computers to three, adding the problem could have been caused by a combination of those viruses or Trojans. He declined to name the suspects.

He said the PCs generated 95 percent of the bogus requests which caused the problems that evening.

The ‘problems’ in question are described here:

One forum participant (on Aussie forum Whirlpool), who claimed to be a BigPond customer, said on Monday: ‘I’m in Canberra and it’s been almost unusable all afternoon. I’m snowed under at the moment and it is really driving me crazy. Three out of four links fail to load first time and sometimes take eight or nine tries before it does.’

Another said: ‘I am having problems loading Web pages, I get the 404 error. I have to retry five to 10 times to get some places.’

Petri Helenius, in a post to NANOG, notes:

Consumer ISPs who don’t proactively take care of security/abuse usually end up with harvesting-bots which consume a significant amount of DNS resources, typically doing anything from a few dozen to a thousand queries a second. A few hundred of these will seriously hamper a usually provisioned recursive server.

Interesting. It’s been a long time since I’ve relied on an ISP’s recursive DNS servers; in my recent experience (Comcast, Cox.net) they’ve always been overloaded, and take aaaages to give me answers. Maybe this is why.

It makes sense; most Windows machines will indeed use the ISP’s NSes, because that’s what DHCP tells you to do; and setting up a BIND or djbdns instance locally to query the roots directly is still a UNIX-only trick, as far as I know.

The upshot?

1. Yet another good reason why ISPs should proactively disconnect infected customers, as they deny service to other users of the ISP.
2. A good demonstration of yet another way the techie community’s experience of web surfing and internet use differs from that of the unwashed masses in the hinternet — that ‘shanty-town of pop-ups and porn adware’, as Danny O’Brien puts it.
3. Sometime soon, if it hasn’t happened already, someone’s going to bundle up an ‘Internet Accelerator’ lump of shareware that sets up a local recursive NS on Windows which queries the roots, and it’ll become the latest popular Windows download. Then the load on the root servers will really start rising.
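Petri Helenius’s observation and the Telstra figure (six PCs generating 95 percent of the bogus requests) point at the check an ISP would run over its recursive servers’ query logs. As an added example, not code from the original post or from anyone quoted in it, the following Python parses constructed BIND-style query-log lines, finds the smallest set of clients carrying a given share of all queries, and flags clients above an average per-second rate; the client addresses, query names and the 10-second log window are all assumptions.

```python
import re
from collections import Counter

# Matches BIND-style query-log records: "client A.B.C.D#port: query: name IN TYPE ..."
QUERY_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def build_sample_log():
    """Constructed sample log (not real traffic): two hypothetical infected hosts
    doing bulk MX lookups, plus five ordinary subscribers browsing the web."""
    lines = []
    for i in range(400):
        lines.append(f"client 10.0.0.5#{40000 + i}: query: host{i}.example.net IN MX + (192.0.2.1)")
    for i in range(200):
        lines.append(f"client 10.0.0.9#{40000 + i}: query: srv{i}.example.org IN MX + (192.0.2.1)")
    for n, ip in enumerate(["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14"]):
        for i in range(5):
            lines.append(f"client {ip}#{50000 + i}: query: www.site{n}{i}.example IN A + (192.0.2.1)")
    return "\n".join(lines)


def parse_query_counts(log_text):
    """Count queries per client IP; lines that are not query records are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def clients_carrying_share(counts, share=0.95):
    """Smallest set of heaviest clients whose cumulative share of all queries
    reaches `share`; returns [(ip, count, fraction), ...], heaviest first."""
    total = sum(counts.values())
    if total == 0:
        return []
    result, cumulative = [], 0
    for ip, n in counts.most_common():
        result.append((ip, n, n / total))
        cumulative += n
        if cumulative / total >= share:
            break
    return result


def clients_over_rate(counts, window_seconds, qps_threshold):
    """Clients whose average query rate over the log window exceeds qps_threshold."""
    return sorted(ip for ip, n in counts.items() if n / window_seconds > qps_threshold)


if __name__ == "__main__":
    counts = parse_query_counts(build_sample_log())
    for ip, n, frac in clients_carrying_share(counts):
        print(f"{ip}: {n} queries ({frac:.0%} of all queries)")
    # Assumed: the constructed sample log spans a 10-second window.
    print("clients over 10 qps:", clients_over_rate(counts, window_seconds=10, qps_threshold=10))
```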

(PS: top tip — ever wanted a publicly-queriable recursive nameserver, or a good IP address for pinging, that’s easy to remember? 4.2.2.1 is what you’re after.)


Nominative Determinism

Names: Popbitch sez ‘Microsoft are just about to launch their new Windows Server 2003. The project manager who oversaw its development? Todd Wanke.’

Sure enough, it’s true. But that’s not all he did — he was also involved with the Windows 2000 Customer Love Team. No smutty jokes please, I’m being perfectly serious here…


Blackout caused by W32.Blaster?

Frank Bergmann forwards some bits on FoRK that are quite interesting:

The failed Niagara power station belongs to National Grid USA. This power supplier is listed as a reference customer of Northern Dynamics — who refer to themselves as the ‘home of the OPC experts’. … OPC stands for OLE for Process Control.

(I cleaned up some of the translation from this Heise.de article.)


The Cluetrain List

Chuq van Rospach has a great idea — instead of a do not spam list, an I am your customer, not your asset, and quit treating me like one list:

Where do-not-spam lists are useful (and ought to be mandatory) are third party sales and rentals. Any time someone buys or rents a list, that list has to be filtered against the do-not-spam list. If you’re on it, you fall out of the transfer. That would include any time that information moves from one company to another; the do-not-spam restrictions apply. (Ditto, IMHO, for phone and other personal information.) I’ll go further, actually. I think there ought to be a generic ‘do not sell me as an asset’ list, preventing transfer of personal information of any kind without permission. Or more correctly, an I am your customer, not your asset, and quit treating me like one list.

Great idea. Really, the resale of contact information for marketing purposes sounds fantastic to marketers — but as The Story of Nadine demonstrates, it only takes two years for the contact information to be sold (via a chain of increasingly dodgy operators) from DeliverE, a subsidiary of Excite, to horse bestiality porn spam.


DSL can’t be rolled out because of… the weather?

A bit of black humour for you, from the IrelandOffline forums. This is a true story.

“This chap explained to my Dad that one of the main reasons for the slowness of technologies like ADSL getting rolled out in Ireland was because of (hindrances) like the weather … My dad went on to tell him about Canada. …”

“Yer man of course had no answer to this and eventually he gave in and admitted that Eircom are failing in so many areas that he’s actively seeking employment elsewhere. He’s had his fill of being managed by so many different managers and being told different things from different people every day and (every) time he’s tried to be helpful to a customer by bringing the matter up with someone senior he gets fobbed off to some other manager and so on and so forth until in the end he has no option but to give up and just tell the customer there is nothing he can do even though he can do it but not without permission and this permission is impossible to get.”

There’s plenty more like this. “The bad weather in Ireland prevents Eircom from rolling out DSL”. You can only laugh. The best bit is, of course, that DSL is basically a modem and a few DSLAMs installed in the exchange.

Maybe that’s why it’s a problem? Could be Eircom forgot to install a roof on their exchanges — and telco equipment typically is not at its best when fully exposed to the elements. Sounds likely enough to me…
