Are BT really asking us to switch off Trusteer Rapport protection for some websites?

The filters introduced by UK ISPs in response to Cameron’s request for porn filters have the internet buzzing with speculation and problems identified. Although experts had identified the problem already in the last century, this week even BBC’s Newsnight found out about overblocking (including, but not limited to false positives).

The BT service’s help pages are very useful in trying to find out what is really going on. Last night I stumbled upon a very interesting one indeed, called “I can’t access a number of websites that I’ve protected with the Trusteer application“. Relevant for me as my internet banking provider has provided me with Trusteer Rapport for protection. [I have considered the risks of disclosing that I use internet banking – yes I’m now a slightly more likely target, and security experts will possibly find me foolish for using it at all. So be it.]

The help page mentions as a symptom “You may receive a ‘You have tried to access a non-BT DNS server’ message when blocking with the Trusteer application.” I read this as: Trusteer redirects protected DNS requests [i.e. translating the wordy URL like blogs.kent.ac.uk into the numerical IP address of the server it represents] to its own DNS server instead of BT’s one. This is presumably done as a part of the protection package in order to prevent one particular kind of attack called “DNS hijacking”. However, this doesn’t work with BT filters because they operate at the level of the DNS server (likely given the main business of the third party provider, Nominum, that BT use for filtering, is indeed DNS servers, according to their webpage).

So what’s the solution? The help page says “You’ll need to remove or disable these manually added sites from the protected list within the Trusteer console.” That sounds a bit dubious, so we decided to protect these sites (for our internet banking or some other reason), and BT now tells us to remove this protection?

I’ve copied a helpful screen shot from this help page below. This is where you need to go in Trusteer Rapport to fix the problem. Note that there is a list of 345 “Trusted Partner Websites” which have a closer link with Trusteer (not with BT).

So my current best guess is that my bank is one of those 345 trusted organisations. The BT filters presumably load this list from Trusteer, and if they see a DNS request for one of these web pages redirected they’ll accept it – but not if it is a redirected DNS request for a site that you’ve manually added to Trusteer for protection.

Thus, it is likely that nobody’s internet banking has lost any protection yet, because banks would likely get themselves on the trusted organisations list before rolling out Trusteer Rapport to their customers. Relying on the customers configuring Trusteer Rapport themselves by manually adding the bank’s website adds another possible failure point. This is in a context where banks are drawing back from covering all losses incurred through internet banking crime. (Only the other day my colleage David Chadwick was on regional TV commenting on a case where NatWest had refused to cover a 20k internet banking crime loss because the recommended software hadn’t been installed by the customer.) Trusteer Rapport suggests to add this kind of protection to any web connection that carries sensitive data, but broad use of that functionality thus appears incompatible with the BT’s filters.

When I first spotted this I raised it through Twitter @btcare immediately. No reply yet.

Disclaimer: I have only basic rather than expert knowledge of DNS and hijacking, spoofing, etc. Maybe there’s a simple answer somewhere still.

Update: Duh. Is this a crude fix for an obvious way of circumventing the filter (install Trusteer Rapport and protect the website you want to visit)? Sounds like with the error message and with the help page BT have given away too much information.

Related posts: You can read my speculation about what will happen next in terms of internet censorship in “Anonymity will be the next victim of internet censorship“.
Earlier comments on using internet censorship to combat extremism are in
Blocking extremist sites is not the same as fighting child porn.

(17/12/2013) For Snowden-watchers, it has been an interesting few days.

CBS broadcast a “60 Minutes” program about the NSA (full transcript), with lots of little gems: some unnamed country has a BIOS attack that could brick all US computers; Snowden might well have 1.7 million documents; he might be offered amnesty in exchange for the rest; Gen. Alexander doesn’t think it’s a great idea and compares releasing documents to shooting hostages. The program’s tone, not very challenging of the NSA, was widely ridiculed across the net, and it didn’t help that the presenter looks to be taking on a job at the FBI any day now. Some of the character assassination attempted in the program was contradicted by an interview with a co-worker in Forbes. Did Snowden really wear the emblem below on his hoodie?

The biggest news was probably that a US judge ruled against the NSA’s surveillance (their hoovering up of all US phone metadata, more specifically). As this is based on the rights of US citizens, it doesn’t help us directly, but at least it’s a start and Glenn Greenwald was right to be gloating on Twitter yesterday.

Also, Snowden has written a letter to Brazil which I read as suggesting he’s offering to help them defend against surveillance which would work even better if he was given amnesty there.

With actions by Brazil, the EU, and the UN ongoing, you might be forgiven for thinking that the tide is turning in favour of Snowden and the people appalled by the practices he revealed.

Not so in the UK though, it seems. I wrote earlier about the Home Affairs Select Committee grilling of Rusbridger of the Guardian, and about the Cyber Security Strategy update. Yesterday, Theresa May attended the Home Affairs Select Committee (summary). Her explanation for refusing that committee’s access to intelligence chiefs appeared to be that the ISC already supervises them, and does so adequately because it does so adequately and behind closed doors. (Circularity intended on my part.) Despite repeated questioning, she failed to provide or even confirm the existence of evidence that “enemies of Britain are rubbing their hands with glee” after the Snowden revelations. It’s not just the Tories who are stuck in a groove there, though. Labour MP Ian Austin also remained worried that “information containing the names of agents had been sent around the world by the Guardian”. Can we move on, please?

Update (18/12/2013): MEPs asked interesting questions of Glenn Greenwald appearing at the EU enquiry into mass surveillance; only one of them threw accusations and inquired into the sources and security of documents. No prize for guessing that it was a UK MEP (Kirkhope, CON). Sigh. It then got worse, with Tory internet trolls misinterpreting the answers, ending with this statement from Greenwald.

PS do tell me if some links on this page die – some are copied from the @CyberSecKent twitter feed and were subjected to Twitter’s link abbreviation, not sure if they will survive forever.

Never start with an apology, but I’ll have to: no, I haven’t discovered a spectacular new type of cybercrime that catches many out at once, but given this news story somebody had to come up with this particular headline …

Unlike me, my colleagues did get seriously into banks and cybercrime this week. David Chadwick featured in a solid BBC South East news story (iplayer version now expired) on an internet banking theft. Banks are moving away fast from covering all losses incurred through internet banking related cyber crime. Watch this space as David and Julio Hernandez-Castro have not just been talking to this one journalist.

My comment piece this week is once again scarily close to politics. When the Cabinet Office published its update on the Cyber Security Strategy this week, I noticed that it didn’t refer to the effects of the Snowden revelations at all. In my piece at The Conversation I explain why that is silly. Some of my sneers at the Tories concentrating on irrelevancies like FedEx Terms and Conditions and outing gay GCHQ members (and attacking the Guardian in general) didn’t make it into the final edit. (The magical 1000 words!) There are also more petitions calling for less surveillance than I had space to list – the writers and big tech companies are mentioned, but there’s also an Academics Against Surveillance petition ongoing (no website yet – email Frederik Zuiderveen Borgesius), one by Index on Censorship addressed to the EU, and I particularly support the one by privacy and human rights organisations.

I watched the grilling of Alan Rusbridger by the Home Affairs Select Committee on Tuesday with fascination. I hadn’t expected FedEx, Disneyland, gay GCHQ members, or Black & Decker to feature in that! I looked at it with “security” glasses on, so I was fascinated by the MPs’ attempts to establish that the transmission and storage of the files had been insecure. Rusbridger declined to answer in detail except to say everyone had been aware of the uniquely sensitive nature of the materials, and that they had used “military-grade” encryption. None of the questions asked did anything to establish security or not – they might have probed about algorithms, key storage, etc. In any case I haven’t seen any evidence they would have had the competence to draw sensible conclusions. Still afterwards the Cabinet Office presented the non-secure storage and transport as a fact. Based on what? Some thoughts and speculations on that in my latest piece at TheConversation (same story also on Kent comments site). Comments on TheConversation are getting interesting.

My piece doesn’t touch on press freedom – on purpose, enough being said elsewhere and not my expertise. It seems most of the world, like me, finds many aspects of this entire thing rather shocking. It looks like the government is unwilling to prosecute the Guardian for posting 26 embarassing stories based on secret documents that they “shouldn’t have”, but instead they might be going for what feels to me a technicality: the copy of Snowden files sent to New York Times was unredacted (i.e. had names in it, unlike any of the published stories) and was sent to a foreign country (the US, where most of the files originated!) in an allegedly insecure way. It is unclear to me after watching the session whether this might also apply to the files seized off David Miranda: Greenwald c.s. were acting as free-lance journalists in this, so that copy of the files may not have been “under control of the Guardian”. Discussion about “only Greenwald having all the files” suggests as much. Legality of that seizure is still being determined, but nothing suggests that that has stopped police and/or GCHQ from trying to decrypt for the last nearly 4 months. How can Rusbridger be so sure they have not succeeded? Interesting questions in all of this.

Finally … Rusbridger’s throwaway comment about Afghanistan and Iraq may have been an implicit threat to the government, but it also predictably got Wikileaks wound up.