The cyber security issue that has fascinated me most over the last few days has been the NHS data sharing story, not least because the “data privacy” and “sense about science” camps (both of which I normally strongly support) disagree about it. (I don’t think they are being played off against each other though.) Apparently all our medical data as currently held and controlled by GPs will be shared, in different ways for different forms (see an official NHS explanation), “red”, “amber”, and “green”, and we are asked to opt out if we don’t want this to happen.

First, opting out is clearly the wrong way around. Compare this to organ donation: “opting out” is still not a socially acceptable solution to this, despite it being more unequivocally medically essential and much less open to potential abuse than this data sharing. Not an appropriate comparison to make for everyone maybe – I’m probably too much of a “digital citizen”, caring more about my medical data when I’m alive than about my organs when I’ll be dead …

“Green” data looks relatively safe: it will be published publicly, and will consist of summarised medical info, excluding information (e.g. on rare diseases) that will come close to identifying people.

“Amber data” is pseudonymised, replacing non-medical identity data by meaningless pseudonyms. This is much more reason for worry. What is left is essentially behavioural data, some of which is similar to location data. If I can be uniquely identified from (typically) four locations visited during one day, I can also be uniquely identified from a small number of medical appointments (at given locations…!) Certainly anyone who can get hold of my mobile location data would be able to de-anonymise this. Given I have an Android phone, that list likely includes Google, the NSA, and GCHQ already.

So where will the amber data go? The NHS chief data officer says “many of the most innovative uses of amber hospital data have come from outside organisations, including universities, think tanks and data analytics companies“. Universities – fine, I have to and do believe in them generally.
Think tanks, though? I buy Monbiot’s line that many of these are disguised corporate lobbies, and thus don’t have my best interests at heart. Data analytic companies I have no reason to trust whatsoever.

Any data, including the “red” data (which retains all personal information) will be shared within the NHS, plus in what looks like limited and tightly controlled situations with others, such as researchers. A case against opting out is made by the director of the Wellcome Trust here, but it concentrates on that limited and less controversial scenario of red data for research. If I knew that the NHS would not get privatised in any way during my lifetime, I would be reasonably comfortable with this. The old argument is that you want any A&E to be able to get all your relevant data out immediately if you’re brought in unconscious. I’d still worry about adequate protection, what the NHS do with their laptops and USB sticks, and the spooks tapping in somewhere along the way, of course. Unfortunately, with backdoor privatisation going on and likely to get worse, with dubious oversight and accountability, I’m not sure I can even trust the NHS in the medium term.

The case for opting out is made clearly by Ross Anderson (read the comments too, and see also an earlier story).

Finally, there seems to be an odd gap in data governance going on. I don’t understand the law well enough to see whether this is a real problem or a technicality, but apparently the GPs remain the data controller for your data even after it has been uploaded to the NHS. See this description of a recent Information Commissioner verdict. In terms of exercising your data subject’s rights under the DPA, this would surely be problematic?

Update (29-1-2013) The data controller issue has been resolved by an Information Commisioner Office’s blog post: it’s the GP until the data has been uploaded, and after that HSCIC will be the data controller.
Meanwhile, my worries about this have been written up in a piece at The Conversation.

Are BT really asking us to switch off Trusteer Rapport protection for some websites?

The filters introduced by UK ISPs in response to Cameron’s request for porn filters have the internet buzzing with speculation and problems identified. Although experts had identified the problem already in the last century, this week even BBC’s Newsnight found out about overblocking (including, but not limited to false positives).

The BT service’s help pages are very useful in trying to find out what is really going on. Last night I stumbled upon a very interesting one indeed, called “I can’t access a number of websites that I’ve protected with the Trusteer application“. Relevant for me as my internet banking provider has provided me with Trusteer Rapport for protection. [I have considered the risks of disclosing that I use internet banking – yes I’m now a slightly more likely target, and security experts will possibly find me foolish for using it at all. So be it.]

The help page mentions as a symptom “You may receive a ‘You have tried to access a non-BT DNS server’ message when blocking with the Trusteer application.” I read this as: Trusteer redirects protected DNS requests [i.e. translating the wordy URL like blogs.kent.ac.uk into the numerical IP address of the server it represents] to its own DNS server instead of BT’s one. This is presumably done as a part of the protection package in order to prevent one particular kind of attack called “DNS hijacking”. However, this doesn’t work with BT filters because they operate at the level of the DNS server (likely given the main business of the third party provider, Nominum, that BT use for filtering, is indeed DNS servers, according to their webpage).

So what’s the solution? The help page says “You’ll need to remove or disable these manually added sites from the protected list within the Trusteer console.” That sounds a bit dubious, so we decided to protect these sites (for our internet banking or some other reason), and BT now tells us to remove this protection?

I’ve copied a helpful screen shot from this help page below. This is where you need to go in Trusteer Rapport to fix the problem. Note that there is a list of 345 “Trusted Partner Websites” which have a closer link with Trusteer (not with BT).

So my current best guess is that my bank is one of those 345 trusted organisations. The BT filters presumably load this list from Trusteer, and if they see a DNS request for one of these web pages redirected they’ll accept it – but not if it is a redirected DNS request for a site that you’ve manually added to Trusteer for protection.

Thus, it is likely that nobody’s internet banking has lost any protection yet, because banks would likely get themselves on the trusted organisations list before rolling out Trusteer Rapport to their customers. Relying on the customers configuring Trusteer Rapport themselves by manually adding the bank’s website adds another possible failure point. This is in a context where banks are drawing back from covering all losses incurred through internet banking crime. (Only the other day my colleage David Chadwick was on regional TV commenting on a case where NatWest had refused to cover a 20k internet banking crime loss because the recommended software hadn’t been installed by the customer.) Trusteer Rapport suggests to add this kind of protection to any web connection that carries sensitive data, but broad use of that functionality thus appears incompatible with the BT’s filters.

When I first spotted this I raised it through Twitter @btcare immediately. No reply yet.

Disclaimer: I have only basic rather than expert knowledge of DNS and hijacking, spoofing, etc. Maybe there’s a simple answer somewhere still.

Update: Duh. Is this a crude fix for an obvious way of circumventing the filter (install Trusteer Rapport and protect the website you want to visit)? Sounds like with the error message and with the help page BT have given away too much information.

Related posts: You can read my speculation about what will happen next in terms of internet censorship in “Anonymity will be the next victim of internet censorship“.
Earlier comments on using internet censorship to combat extremism are in
Blocking extremist sites is not the same as fighting child porn.

(17/12/2013) For Snowden-watchers, it has been an interesting few days.

CBS broadcast a “60 Minutes” program about the NSA (full transcript), with lots of little gems: some unnamed country has a BIOS attack that could brick all US computers; Snowden might well have 1.7 million documents; he might be offered amnesty in exchange for the rest; Gen. Alexander doesn’t think it’s a great idea and compares releasing documents to shooting hostages. The program’s tone, not very challenging of the NSA, was widely ridiculed across the net, and it didn’t help that the presenter looks to be taking on a job at the FBI any day now. Some of the character assassination attempted in the program was contradicted by an interview with a co-worker in Forbes. Did Snowden really wear the emblem below on his hoodie?

The biggest news was probably that a US judge ruled against the NSA’s surveillance (their hoovering up of all US phone metadata, more specifically). As this is based on the rights of US citizens, it doesn’t help us directly, but at least it’s a start and Glenn Greenwald was right to be gloating on Twitter yesterday.

Also, Snowden has written a letter to Brazil which I read as suggesting he’s offering to help them defend against surveillance which would work even better if he was given amnesty there.

With actions by Brazil, the EU, and the UN ongoing, you might be forgiven for thinking that the tide is turning in favour of Snowden and the people appalled by the practices he revealed.

Not so in the UK though, it seems. I wrote earlier about the Home Affairs Select Committee grilling of Rusbridger of the Guardian, and about the Cyber Security Strategy update. Yesterday, Theresa May attended the Home Affairs Select Committee (summary). Her explanation for refusing that committee’s access to intelligence chiefs appeared to be that the ISC already supervises them, and does so adequately because it does so adequately and behind closed doors. (Circularity intended on my part.) Despite repeated questioning, she failed to provide or even confirm the existence of evidence that “enemies of Britain are rubbing their hands with glee” after the Snowden revelations. It’s not just the Tories who are stuck in a groove there, though. Labour MP Ian Austin also remained worried that “information containing the names of agents had been sent around the world by the Guardian”. Can we move on, please?

Update (18/12/2013): MEPs asked interesting questions of Glenn Greenwald appearing at the EU enquiry into mass surveillance; only one of them threw accusations and inquired into the sources and security of documents. No prize for guessing that it was a UK MEP (Kirkhope, CON). Sigh. It then got worse, with Tory internet trolls misinterpreting the answers, ending with this statement from Greenwald.

PS do tell me if some links on this page die – some are copied from the @CyberSecKent twitter feed and were subjected to Twitter’s link abbreviation, not sure if they will survive forever.

Never start with an apology, but I’ll have to: no, I haven’t discovered a spectacular new type of cybercrime that catches many out at once, but given this news story somebody had to come up with this particular headline …

Unlike me, my colleagues did get seriously into banks and cybercrime this week. David Chadwick featured in a solid BBC South East news story (iplayer version now expired) on an internet banking theft. Banks are moving away fast from covering all losses incurred through internet banking related cyber crime. Watch this space as David and Julio Hernandez-Castro have not just been talking to this one journalist.

My comment piece this week is once again scarily close to politics. When the Cabinet Office published its update on the Cyber Security Strategy this week, I noticed that it didn’t refer to the effects of the Snowden revelations at all. In my piece at The Conversation I explain why that is silly. Some of my sneers at the Tories concentrating on irrelevancies like FedEx Terms and Conditions and outing gay GCHQ members (and attacking the Guardian in general) didn’t make it into the final edit. (The magical 1000 words!) There are also more petitions calling for less surveillance than I had space to list – the writers and big tech companies are mentioned, but there’s also an Academics Against Surveillance petition ongoing (no website yet – email Frederik Zuiderveen Borgesius), one by Index on Censorship addressed to the EU, and I particularly support the one by privacy and human rights organisations.

I watched the grilling of Alan Rusbridger by the Home Affairs Select Committee on Tuesday with fascination. I hadn’t expected FedEx, Disneyland, gay GCHQ members, or Black & Decker to feature in that! I looked at it with “security” glasses on, so I was fascinated by the MPs’ attempts to establish that the transmission and storage of the files had been insecure. Rusbridger declined to answer in detail except to say everyone had been aware of the uniquely sensitive nature of the materials, and that they had used “military-grade” encryption. None of the questions asked did anything to establish security or not – they might have probed about algorithms, key storage, etc. In any case I haven’t seen any evidence they would have had the competence to draw sensible conclusions. Still afterwards the Cabinet Office presented the non-secure storage and transport as a fact. Based on what? Some thoughts and speculations on that in my latest piece at TheConversation (same story also on Kent comments site). Comments on TheConversation are getting interesting.

My piece doesn’t touch on press freedom – on purpose, enough being said elsewhere and not my expertise. It seems most of the world, like me, finds many aspects of this entire thing rather shocking. It looks like the government is unwilling to prosecute the Guardian for posting 26 embarassing stories based on secret documents that they “shouldn’t have”, but instead they might be going for what feels to me a technicality: the copy of Snowden files sent to New York Times was unredacted (i.e. had names in it, unlike any of the published stories) and was sent to a foreign country (the US, where most of the files originated!) in an allegedly insecure way. It is unclear to me after watching the session whether this might also apply to the files seized off David Miranda: Greenwald c.s. were acting as free-lance journalists in this, so that copy of the files may not have been “under control of the Guardian”. Discussion about “only Greenwald having all the files” suggests as much. Legality of that seizure is still being determined, but nothing suggests that that has stopped police and/or GCHQ from trying to decrypt for the last nearly 4 months. How can Rusbridger be so sure they have not succeeded? Interesting questions in all of this.

Finally … Rusbridger’s throwaway comment about Afghanistan and Iraq may have been an implicit threat to the government, but it also predictably got Wikileaks wound up.

Last week had the blocks on internet searches in Google and Bing, and my piece on that ended on the question of whether this wasn’t getting a bit close to censorship already. Also, it seemed like a simplistic media-attention grabbing solution that didn’t address the real problem.

Move on a week, and guess what. Now the government is going to counter extremist thought by blocking extremist websites. Of course I had to write a follow-up piece on this, which appeared yesterday at The Conversation: Blocking extremist sites is not the same as fighting child porn. This time there is no question in my mind about whether the internet censorship goes too far. And once again it won’t bother the savvy baddies much. I don’t tend to go for “it drives them underground” arguments, but in this case you might even wonder whether hiding basic communications using VPNs, ToR, and crypto is a first learning step for the development of future cyber terrorists. (That’s a blog post rather than comment piece type of idea.)

I find it very useful to run the initial ideas for these pieces past colleagues in the Cyber Security Centre. This time, Robin Mackenzie of the Kent Law School provided encouragement, and Magali Barnoux of the Forensic Psychology Group gave some useful feedback – thanks!

In each comment piece I have written recently I found myself mentioning Edward Snowden’s revelations one way or another. In one sense it’s no surprise whatsoever: it’s just a big thing for the security world. Ross Anderson talked about the revelations about backdoors being a “9/11 moment for the [crypto] community“. No wonder we talk about it if it’s on all our minds a lot of the time.

There is another aspect to this, though. As I said in a post to our local cyber security enthusiasts’ facebook group: “I feel we need to make sure these stories keep getting shared online – as beyond the Guardian, UK media have been successfully intimidated into keeping quiet through a DA-notice.” A useful description of the story around that is here. As such notices are voluntary to start with, and they didn’t send the University of Kent one as far as I know, I don’t feel in the least bit naughty for mentioning that DA-notice when it’s usually kept quiet about.

I think to show our appreciation of the way in which Edward Snowden, Glenn Greenwald, and friends have opened our eyes – to (respectively) huge and significant detriment in their personal lives (David Miranda!) – we have to keep hammering on about this. Of the “formal” media, The Guardian have been standing mostly alone in this in the UK, not even getting much defence from others when their press freedom is under attack from Cameron and his cronies. When our network of UK cryptographers made a fuss about NSA backdoors, the Times declined our letter, only the Guardian reported on it. Least I can do is return the favour.

Another reason to keep at it in the informal media is that some stories do not even make it into the UK press. I don’t think the Belgacom revelations (GCHQ/NSA snooping on the EU’s ISP) have made it fully into the UK press yet. I’ve refered to a Spiegel piece on NSA smartphone attacks that I haven’t seen elsewhere. It was a pleasure to see the Dutch newspaper NRC join in with Snowden stories last weekend, with their recent story about 50,000 dormant NSA-infected networks also a novelty. (And, like with the Spiegel story, conveniently published in English.) Funny they were being apologetic on Twitter already today for not coming out faster with more stories.

There has been a welcome change in the UK in the last week or so though. The BBC, usually appearing painstakingly conformant, appear to have changed policy. They covered the NRC story, and now also report a story from Huffington Post on the NSA using porn internet histories for blackmail. Who knows the Daily Mail may eventually end up standing alone defending Cameron’s attack on Snowden and the Guardian.

Published yesterday on The Conversation (and likely to spread from there on previous experience): “Blocks just move child porn under the counter“. Cheeky comment self-censored out: if they’re so good at deciding which search queries relate to child porn, why don’t GCHQ apply these techniques to their stash of mass surveillance metadata?

This note profited from useful comments from David Chadwick (who suggested “under the counter” instead of my original “on the top shelf”) and Robin Mackenzie.

A week of firsts it is then. This blog was created a few months ago, today finally a first real post. The reason to create the blog was to have a space for short comment pieces which didn’t make it into external sites, I’ll add posts later pointing at the pieces that did get published elsewhere, of which there have been a fair few recently,

The other “first” was that I was advised to open a Twitter account for the Kent Cyber Security Research Centre to publicize our activities. I’d searched Twitter occasionally in the past, but now I’ve also opened an account @KentCyberSec. This needed a “profile picture” which couldn’t be me, couldn’t be the non-existent logo of the centre (suggestions welcome!), and I didn’t want it to be one of the standard images such as this. Instead I used the image below. No one has asked yet why, but this blog post is dedicated to answering anyway!

On my recent visit to Hyderabad (Andhra Pradesh, India), I visited the ancient and well-known Golconda Fort, a Unesco world heritage site. It was started in the 13th century, and heavily fortified from the 16th century onwards. The picture above shows a water pipe from that era, part of the extensive system to ensure that in case of a siege the fort’s inhabitants would not run out of water. Several reservoirs like the one pictured below would be pumped full by camels driving pumps at the ground level.

In 1687, the Muslim king Abul Hasan Qutb Shah ruled the Golconda fort, and the Mughal emperor Aurangzeb besieged the fort. The fort held out for 8 months, thanks to its food supplies, water supply infrastructure, and extensive fortifications. The fall of the fort after 8 months was because the officer Sarandaz Khan in the Qutb Shahi’s army was bribed and opened a secret door.

The security lesson from 1687 is thus a very familiar one, about weakest links and insider attacks …