April 19, 2009
The search of Damian Green MP's computer: he was given a list of which words were searched for
The police recently, very controversially, arrested opposition MP Damian Green, and searched his home, office etc. and his computer: with the stated purpose of looking for evidence re leaks he had received. They also, rather troublingly, searched for documents relating to the civil liberties campaigner Shami Chakrabarti. In addition to this controversy, I had a surprise yesterday morning - when I read Spy Blog making very troubling arguments re the competence of the Metropolitan Police:
Doing anything [other than create forensically copied disk images of the seized] computer or mobile phone etc. amounts to tampering with the evidence, which will make it useless in Court, and requires disciplinary action or criminal prosecution of the police or others who were involved.
A "search" for "Shami" on the original computer, could just as easily have been an attempt to plant forged incriminating evidence or to destroy or tamper with something that might establish the alibi of the accused.
If the police had carried out a search for 'Shami' or similar on Green's computer - rather than creating a disk image to search - this would have raised serious questions about their competence. This is very basic good practice - and failure to stick to it would have been extremely worrying.
However, I contacted Green to query this - and he very helpfully made clear that
they told me which words they were searching before they searched
I have contacted Spy Blog to clarify, but it sounds like - while there are a number of very legitimate concerns about Metropolitan Police actions here - the police at least did not make the very basic procedural mistake of turning on Green's computer in order to search it.
April 15, 2009
Poor security trade-off from Alliance and Leicester bank: accounts so secure that customers can't access them
UPDATE: Following a discussion with Alliance and Leicester, it looks like this is an issue affecting Firefox but not Internet Explorer. Alliance & Leicester have also informed me that dates do not need to be entered in long format (despite what their staff initially stated)
I find security - in the broad sense - fascinating, and have noticed a striking issue with the web security of Alliance and Leicester (part of the huge Santander banking group). Clearly, online banking is a very useful service, but also carries certain risks: everything from high-tech problems like keyloggers, to much more mundane issues like people writing down their log-in details and sticking them to their computer. As Bruce Schneier argues
Security is a trade-off...There's no such thing as absolute security, and any gain in security always involves some sort of trade-off...It makes no sense to just look at security in terms of effectiveness. "Is this effective against the threat?" is the wrong question to ask. You need to ask: "Is it a good trade-off?"
Alliance and Leicester have tried to enhance the security of their online banking through an interesting technique: if a user tries logging in from what their system views as "a different computer" (they seem to be working on the basis of cookies, rather than IP address) they ask them to enter "Memorable details". These 'details' comprise of four pieces of information users gave the bank when signing up: mother's maiden name, that type of thing. This system might, in itself, be a sensible enough security trade-off.
However, the implementation is problematic. The bank's system needs a specific one of these four pieces of memorable information to be entered before the account can be accessed, and users are not told which one: they have to guess. After three incorrect attempts, online access to the account will be blocked. This means that, even if a user knows exactly how the system works (the website does not tell them) and does not make any typos, they stand a 1/4 chance of being locked out of their account on any given access attempt. There are also additional issues: for example, dates must be entered in a specific long format (e.g. '6 September 1994') rather than a standard UK format like dd/mm/yy. When enhancing security means that legitimate users will likely be locked out on more than 1/4 occasions, this is not a good trade-off.
The poor implementation also, in itself, raises additional security risks. For example, if a keylogger has been surreptitiously installed, this will give hackers access to additional personal data. Also, if users get used to entering multiple different pieces of their memorable information on any given access attempt, they may be more ready to do this if they are tricked into going to a phishing site. This is therefore a poor security trade-off for numerous reasons.
I have mentioned this issue to Alliance and Leicester on the phone, and will e-mail them a link to this post to make sure that things are clear to them and to give them the opportunity to comment. It will be interesting to see whether they act to fix this problem.
April 09, 2009
New UK regulations re foreign students and workers
New regulations "requiring academics to monitor international students and report absences to immigration authorities" have proved controversial. Universities have tried to implement them in various ways, but I was surprised to hear one academic reporting that they were told that "Staff should not give immigration advice to students. To do so represents a high risk and is a criminal offence."
It seems that complex regulations which are implemented (or which people attempt to implement) in diverse ways can bring some rather striking results.