Measuring Overall Effectiveness of Data Security

Root Certificate update and software design

Recently, a member of PISA (also called Anthony) noticed that when using HK Post office website, FireFox displayed security warning saying the digital certificate used bu HK Post is invalid.


A detailed study by other PISA members showed that the reason HK Post (once is the root CA for HK) used their own root certificate. Root certificates are usually shipped with the browser installation and HK Post digital certificate was not included in their default software package. Hong Kong Post setup a page to teach users on how to add the root certificate to most used browsers . However, how many users know this link, willing to follow or could follow the instructions !!


It is quite clear that currently most browsers develop and distributed by US company or US-based community. The interest of adding other root certificates is likely lower than adding new functions. Having said that, FireFox developers have a process to add Root Certificates to their software package, for example this link shows the process for adding root certificate. In their pending lsit, China PRC "China Internet Network Information Center (CNNIC)", Hongkong Post and Taiwan Chunghwa Telecom (CHT) are listed.
Entry for HongKong post was added on 2008-10-08. However, it is interesting to see that Mozilla used their bug tracking system in their handling for Root Certificate Request from CA around the world. Look at the email trails from e-Mice ( Hong Kong PKI operator)

The first request was submitted by HK Post Staff back in 2007 Dec and 20 months passed, it was not yet included in the latest FireFox update !! Obviously, FireFox needs to handle request from many different parties but it was a long time.

Maybe, we could look at the how Adobe do it. Within their design, "Adobe products that support the AATL will automatically download this file every 90 days.⁽¹⁾ Before the contents are deposited into the client's Trusted Identity list, the AATL is verified to ensure it came from Adobe. " The approval process may still take a lot of administration time, roots certificate updates will be 90 days. It is a lot better than waiting for a bug-fix or software release!!

My comment is all comes down to good design and bad design!

Mutual recognition of electronic signature certificates issued by Guangdong and Hong Kong

http://www.cw.com.hk/content/hk-guangdong-sign-framework-suggestions-e-signature

New models on generating revenue from losing newspapers

I read an article about how a group of US newspapers plan to respond to failing revenue.

1st : considered a “presentation on technology/service to track content on the Web and to extract payments from third-parties and ad networks that have appropriated newspaper content.” If other online formats are stealing your copyrighted content, make them pay for it.

2nd Collecting enhanced online newspaper user data across newspaper properties and mining that data to aggressively sell target content to specific audience segments across the network.”

The core tech are tracking content (1st model) or user behavior (2nd model). But it is not technology that matters. It is the law that gives the newspaper to charge or sell these data that affect its success. The copyright law enforcement is tooooo expensive compare to maybe HKD 10 for a single reference. Privacy law is too restrictive for newpapers to sell their DB.

My personal opinion is that the current legal infrastructure prohibit QUALITY newpapers to profit. Internet enables instant, multi-media and around the clock FACTs reporting. But QUALITY news report need more than FACTs.

Bloomberg and Reuters are the only successful company as I see it.

Open Source has another dimension --J.P. Morgan's CDS Analytical Engine Available as Open Source

SDA Announces Agreement to Make J.P. Morgan's CDS Analytical Engine
Available as Open Source; Increases Transparency in CDS Pricing

At the centre of our current financial crisis is the CDS (credit default swap). ISDA is the trade association which draft standard contract for CDS.

The market was unable to give a reasonable and authority price for CDS in recent months. The open source decision is to make the price of CDS more stable and being open source, each one could validate the price components (market risk, liquidity risk, credit risk, FX risk and
others)

Open source when taking a transparent perspective could help to stable a market in crisis.

http://www.isda.org/press/press012909.html

Antony

Circumvention of Technological Protection Measures

Recently, I re-organised my research article on legislation on circumvention of TPM and published in PISA Journal. In this issue, there was an article on iSCSI Resilience and Security which is a very precise introduction for security professionals.

Thanks for SC Leung's editions.

Website as an economic indicators

A study was conducted to study the correlation between website usages and economy!! We now have all sorts of monitoring devices and data points that enable us to track human behavior.

It is conveninet to believe some activities (like visiting a particular type of website) will affected by economy. But would this correlation substanitable ? giving the fact that the web content changes constantly and new websites are created daily?

http://news.bbc.co.uk/2/hi/technology/7459055.stm

Top-level domain name and anthropology

I read two news articles today. One on SCMP which reported that Intel hired anthropologist to study user behavior and shape their strategy. One on BBC Technology, which said ICANN plan to open up top-level domain names. The result would be that everyone could register their website name with ending ranging from .bank to .worm.

They seemed unrelated but I wonder how people respond to an explosive growth top-level domain names. Top level domain names, like .com or .hk are limited and users accumulated a sense of trust after years usages. Will user trust citibank.bank more over citibank.bank ? or will user buy items from toyshop.com or toyshop.shop ?

What is missing in the current Internet infrastructure, after 10 years of development, is trust? How ICANN's proposal to open up top-level domain is helping to built trust in cyberspace ? The current status of DNS is far from satisfactory and phishing attacks are launched daily exploiting this weakness. Opening up top-level domain name for private registrations will create a new zone of chaos.

Cost of Identity Theft

There is a blog about Effects of ID theft.
It is quite a good reference but the whole process of cleaning up ID theft only after you know your identity was comprised.

Building cultural walls in Cyberspace

An article from Bloomberg News discussed how Google adjusted their web services with national cultures. In Thailand, they banned YouTue to show videos which offended King Bhumibol Adulyadej. In China, Google stopped offering Gmail to Chinese Citizen to avoid government demands for messages. To be able to stop user from using a specific web services, Google must rely on the programming codes. Now these codes with geo-sensitive information are used to build walls within Cyberspace, either due to political reason or to respect the natioanl cultures. The multinational enterprise is now taking the duty to fund the building of these walls using their codes. Cultural walls is not an entirely bad concept since a neigbhood enjoy more harmony when there are walls between them.

Contrast this to Lawrence Lessig's "Code wants to be free" concept, we could see that multinational enterprises were using codes to control information flow. The force to from multinational enterprises is gaining strengthen because these companies expand their influence by acquiring companies (like Google acquired YouTube and the planning integration of Yahoo & Microsft)

ISP guideline on Cybercrime investigation released

I wrote about US Senate's approval of Council of Europe Cybercrime Convention . Recently, the Cybercrime Committee of Council of Europe released a guideline on how ISP and law enforcement agencies should cooperate in cybercrime investigations.

Guidelines for law enforcement - service provider cooperation (adopted on 2 April 2008)

From this document, it could be see that there is a large gap between law enforcement and ISP on obtaining evidences. Both sides need to formalise their procedures (either request or giving evidences). If there is no force from the government or other external factor, I could see no reason for them to incur additional resource in this process.

Coming PISA events

I have been busy with my LLM study at The Hong Kong University in the past year. All goes well, I will graduate this year. The course I took covers Telecommunication, Cybercrime and IP. Will share about all these topic in the coming posts.

First, PISA will has several events in pipeline.
Today, we just finished an Oracle Security Seminar
On 31 May, there will be Data Protection Public Forum. Speakers from ISACA, ISOC and Privacy Commissioner will share their view on recent incidence on data breaches.

Then on 5 June, PISA invited Aloysius Cheang (Head of Security Services for Cable&Wireless Asia-Pacific) to share his experience on malware detections and preventions.

homophily part II - Social Capital

Below are some extracts from NY Times Blog
http://freakonomics.blogs.nytimes.com/2008/02/15/is-myspace-good-for-society-a-freakonomics-quorum/

"social capital", a concept that describes the benefits individuals receive from their relationships with others.

Bridging social capital reflects the benefits we receive from our "weak ties" — people we don't know very well but who provide us with useful information and ideas.

As our social networks are becoming increasingly more geographically fragmented, social network sites are a useful way for us to keep in touch and seek social contact with our friends.

When many students begin university, they find themselves with a group of ready-made acquaintances. Given people’s preferences for people who are like them, it could be that friendship networks become increasingly homogeneous. Is this a bad thing? It might be if, by choosing potential friends via their Facebook profiles, it means that folk cut themselves off from serendipitous encounters with those who are superficially different from them.

Social networking sites are affecting the labor market as well, because recruiters evaluating young professionals applying for jobs are now hacking into applicants’ profiles, and making hiring decisions based on profile photos in which applicants are drunk or inappropriately dressed.


they devalue the meaning of “friend.” Our traditional notion of friendship embraces trust, support, compatible values, etc. On social network sites, a “friend” may simply be someone on whose link you have clicked.

Anonymous network will be popular

There is a sad but true story that corporate-PR "corrected" wikipedia pages in order to downplay the mistakes done by company and government organizations. Some of the "corrections" may be a true account of history but there are deliberate censorship.

Most people think the network address (IP address) are useless and could not reveal the location or identity of individuals. However, most IP address is similar to telephone number and could be traced to specific organizations. This traceability enabled Wikiscanner (mentioned in the article) to find the editor of wiki.

There are some anonymous networks like Tor for people to conceal their identity. I believe the PR will continue their censorship on wikipedia with these anonymous networks.

It is sad that when truth is the battlefield between individual and large organisations.

"science may be the main determinant of how a case is resolved"

The gap between law and science is ever widening. In the past, the court is a place for justice but now justice is bury among scientific experiments and mathematical calculations.


Judges trained to filter fake science from USA Today

Stealing credit card numbers via home Wifi network

The Hong Kong district court heard a computer crime case on 18th June 2007. An African visitor had rented a flat and stole credit card numbers from his neighbor using wireless sniffing, then he used the credit card information to do online shopping. The charge was brought under HK Crime Ordinance Chapter 200 s116 . More detailed information will be available when the judgment is posted online.

The 23-year old defendant was caught since he had used his home address for online shopping and the police were able to trace the delivery records. His ignorance of fraud detection systems and traceability of online shopping transactions seems to suggest that he is not a professional criminal. There are lots of ways to use stolen credit card numbers, buying cash coupons and delivering to an unoccupied house's mail box are common.

According to statistics , credit card fraudis increasing and costs 3 billion USD in 2006, up from 2.7 billion in 2005. Different measures (like adding chips or using an online password) are introduced to protect credit card transactions. However, these new measures are not effective if the network layer is circumvented.

When a malicious user has installed hacker tools on a network, the protection mechanism on the online application layer may not work at all. Man-in-the-middle attacks using fake servers to intercept Internet traffic were the most dangerous.Traditionally, to set up a man-in-the-middle attack or eavesdropping network traffic, the hacker needs to have access to the victim's physical network. However, with the availability of a wireless network, this physical constraint is no longer an obstacle. If the victim uses a non-encrypted wireless network (According to 2006 PISA wireless survey, 45% of wireless networks were not encrypted ), it is relatively easy to obtain his Internet traffic and the personal information transmitted (credit card information being included).

If the wireless network is not encrypted and users uses it to carry out online transactions or send credit card number via email, there is a high risk of stolen credit card information just like the criminal cases described above. If 45% of individually established access points in Hong Kong are not encrypted, what are the percentages of users having wireless security knowledge or awareness?

DDOS attacks are getting more frequent

On 7 June, there was a reported case of a successful botnet Distributed Denial of Services DDOS attack. This type of attack was difficult to prevent since current technology could only divert the traffic after the attack has been launched. Due to the fact that the sources of attack are highly distributed, we could never monitor nor stop the DDOS attack. Once the attack is launched, the affected system will be unable to response to normal users.

DDOS attacks are real and there were even reported cases on DDOS against a national body Estonia.

The scary thing about DDOS is the growing number of botnet . With the higher penetration of broadband internet, more computers will be connecting to the Internet 24x7. If the management of these computers is not done securely, they will be a breading ground for botnets and viruses. One area to pay special notice to is the growing trend of networked devices. Vetting machines, CD juke boxes and other everyday electronic devices are likely to be connecting to the Internet within the next 3 to 5 years. These devices will have a slim OS, but able to carry-out basic network activities, like ping and HTTP GET command. The sheer amount of these network devices will be a problem if the OS is not hardened.

Catch up with the Web

I saw an article on Yahoo news about "25 Web Sites to Watch " and the web advanced so rapidly that one could never be able to catch up. I grouped some of the web sites according to their features.

One thing I noticed is that the web is getting specialised and each website is good doing one particular domain. This fragmented development is the result of a distributed web but in history every development will eventually reverse its course.

" speculated that the Internet will become, in essence, a vast operating system"

1. Popfly
2. Yahoo Pipes
3. Goowy

Data/Opinion Site

1. BuzzDash
2. Swivel

Multimedia Web creation tools

1. SplashCast
2. Squidoo
3. Yodio

WAP Volumn in China

China Internet Network Information Centre released a survey result on the current usage of WAP in China. As of March 2007, there were 39M WAP (Wireless Acccess Protocol) users, about 28% of fixed Internet population in China.

Not too surprising, Guangdong Province has the large WAP population.

The report summary could be find here.

Transfer files on P2P is an offence in Hong Kong

The legal battle on BitTorrent cases reached an end on 18 May 2007 and the full judgement released on Hong Kong Legal Information Institute

On 12 Jan 2005, officers from HKSAR Custom Department raided thedefendant's (Mr. Chan) home after tracking his address from an online forum. Mr. Chan he had uploaded 3 .torrent files on 10 Jan 2005 and 11 Jan 2005 to the forum and these enabled BT users to download copies ofmovies. In first instance, Mr. Chan was charged by virtue of section118(1)(f) of the Copyright Ordinance, Cap 528 and of obtaining access to a computer with dishonest intent, contrary to section 161(1) (c) ofthe Crimes Ordinance, Cap 200. But in the final judgement in the Court of Final Appeal, the 5 judges unanimously dismissed Mr Chan appeal andhe was convicted of 118(1)(f) of the Copyright Ordinance only.

This was a high profiled case and the HKSAR government launched propaganda on their determination on combating the copyright battle. Since charges was brought to the court in 2005, the number of BT seeds decreased in Hong Kong. It was a success and a few points must clarify.

First, back in 2005 the prosecution charged Mr. Chan with "obtaining access to a computer with dishonest intent". This charge was totally wrong and stimulated many critics on the legal ground ofthis copyright case. Mr Chan was using his own computer to store andupload BT files. There was no hacking or illegal access on thecomputer he owned. By bring this charges, the prosecution misused the law and most ridiculously was that the judge agreed this charges. In the Court of Final Appeal, both the prosecution and judges corrected this mistake.

Second, the criminal offence from section 118(1)(f) of the CopyrightOrdinance was enacted before peer-to-peer ever existed and yet this section was able to catch distributing infringed copies via BTnetwork. The major argument by the defendant was that the detail mechanism of P2P does not constitute "distributing" since Mr. Chan was passively waiting owner to locate the media files and there were nophysical medium exchanged, only electronic currents. The judgesdisagreed and said if (1) the infringing copies were created by thedefendant and (2) his action enabled others to obtain the infringingcopies (in any way technologies allows and with full knowledge), then the defendant's action falls into the definition of "distribution"under Copyright Ordinance.

Control points missed in Symantec

This morning I heard astounding news about Symantec. It released a faulty virus definition that deleted (or quarantined) two essential files on Windows XP (Simplified Chinese Version). The result was that around 3 millions computers were unable to start and must restore the deleted files from the original Microsoft installation CD. SANS and Sina confirmed this news. They claimed that only people who downloaded the updates from the Symantec China webpage between 01:00 a.m. and 02:30 p.m. on May 18th AND have MS06-070 installed on their computer were affected.

This incident has many implications. The one that worries me the most is that people will try to download these files on the web in order to repair their computers. The integrity of these files is in question (if they do not come from an authenticated source). A malicious hacker may plant a virus or backdoor in these system files and offer them in discussion groups. As an auditor, I always think of process control. There are actually two control points within the release process of a virus definition. The first one is the approval and verification process for adding a system file to their blacklist. System files are high- risk files since they impact the whole system, instead of a single application. The second control point is the testing of the definition before publishing to the public. Does Symantec test all their definitions with all versions of OS? It is an extremely challenging and costly task to release timely virus definitions and, at the same time, to have all OS versions tested (different languages, times, services packs). Although it is a costly testing process, the risk is too great to ignore.

There is always a lesson to be learned from mistakes. Hopefully, the whole anti-virus industry will benefit from Symantec's mistakes.

The root of China SMS-based Payment

McKinsey recently released an article on the prospect of a SMS-basedpayment system in China rural area. The arguments were that China has a low level of non-cash payments when compared to other countries and the Chinese government is keen to develop non-cash payments in order to simulaterural spending. There are both economical and political reasons to have an efficient rural payment system.

I agree with the article's contention that ATM and POS are not the right products for Chinese farmers. The main reason is cost. While the annual income of the averagefarmer in China is below USD 2000, it is relatively costly to acquire and maintain an ATM or POS, which usually costs more than USD 20000. Apart from cost, there is also a trend in other countries of declining rates of ATM adoption. According to the BIS statistics, the number of automated banking machines per million inhabitants decreased by 1123 in the year 2000to 1069 in 2005.

However, the picture portrayed by McKinsey seems to be of the distant future. The China Union Pay website reports that there are 86000 ATM and 608000POS installed. In 2005 alone, the transaction volume was more than five billion RMB (USD 670 M). However, there are only 14 cities in China enabled with mobile payment and with only 2.7 million users.

One major type of money flow in rural China areas is the money transfer from workers in urban cities. Urban city like ShangHai and ShenZhen attract millions of farmer who go to work there and their wages are usually"carried or transferred" back to the villages. This type of transaction is the root of many rural payments. So, the critical success factor may not be in the branches of payments in rural areas, but inthe root of most payments, which is in the cities.

CFCA -- the China next payment infrastruture

There was a news about 16 China Banks released a press release about a coordination framewrok between banks against online fraud (網上銀行反欺詐聯動機制)

The banks will share their fraud information with China Financial Certification Authority CFCA, which was found by the banks in year 2000. CFCA is a certificate authority (i.e. a PKI service provider) and from ChinaTechNew.com 25 banks uses their certificates in 2005.

If this alliance is successful and continues its development, I think CFCA has the potential to be the center of China payment network. A secure PKI is important, especially for using client-side authentications. When the banks establish a cross-banks PKI process and agreements, the payment network may function a bit like VISA in plastic card business. For China, the development and innovations are unlimited.

Internet Law -- A US testmonial

When we talk about Cyberspace, we usually think of US. Partly due to there technology innovations and partly due to their obsession about Internet. Then it is not surprise to know US has many legislations on regulating the Internet and citizens' cyber-activities.

Below is an snapshot of the status of Internet regulations in US and quite interesting.
http://www.imanet.org/technotes/stnewsb.asp

When there is no choice .. ...

I joined a discussion forum oragnised by Legislator CK SIn on 26 Apr at HKPC where a group of industry leaders are invited to express their view on Hong Kong Government consultation paper on new copyright legislations.

The speakers concentrated on two major themes:
1 Criminalisation of infringing downloading
2 Requiring ISP to keep IP-to-Physical Address records

One important discussion item was that almost everyone acknowledged the fact that a viable business model is needed for substantial development of online contents. But when there is no widely adopted business model, legislations are considered necessary.


PISA is monitoring these developments and will submit our views to the government.

IEEE 1667

The IEEE is working on a standard for USB and other flash authentications. The new protocol is a standardization on how a USB disk could authenticate against a computer. That is how you could limit which portable disk to be able to store your data. It is a long-waited protocol and is vital for protection against data-theft.

Authentication in Transient Storage Device Attachments

The standard will be published in June 2007

RFID ticket in China

I saw some puzzling situations when I traveled to GuangZhou (southern China) this weekend. GuangShen Railway installed a RFID ticketing system and all tickets are embedded with a electronic circuit (photo 1). RFID application on train ticket is quite advance. In last winter,I traveled to UK and Sweden but did not see any RFID application in transportation system (even airlines).


What puzzling me is the ticket-checking in Photo 2. You could see there are two railway staff standing behind a gate to check passengers ticket. The narrow opening is to prevent people from passing the gate. Except the tickets embedded with a electronic circuit, very little has changed. The railway staff still need to validate passenger's ticket one by one. When a few hundred passengers passing through the small gate, one can image the chaos it created!

China being late in infrastructure investment projects are applying advance technologies but this example shows that the benefit of technology may not be realized.



Another puzzling issue is why do they need a RFID ticket for a one hour journey where 99% of passengers do not check-in their luggages !!

PCI Industry standard audit checklist

IT Compliance Institute just released PCI Industry standard audit checklist. It also include a self-assessment questionniare.

Poorly regulated DNS services

For most of the telecom service (from dial-up, broadband, network TV), the services are regulated by country government. Consumers depend on the government to ensure proper operation of telecom services since these services affect a large scope of the society and the services are very technical.

However, domain-name registrars are poorly regulated according Business-Week. Not that government-regulation must be good; it could be self-regulated (like the industry-associations). The current state of DNS is worrying.

This phenomena is not unique in US. In HK, Hong Kong Internet Registration Corporation Limited is also a commercial organisation but the government sent one senior official to sit on its broad.

User education is missing !

The reports on China as a centre of Cybercrime and SPAM is appearing. In this Western media article, cybercrime problem is associated with use counterfeit software ! I think more importantly is that the user educations is weak.
The OGCIO has radio drama to teach HK people to protect against phising and other online risk. But do we have similar radio broadcast or media attentions in China! Is there a government division work on user educations!!


http://www.businessweek.com/globalbiz/content/feb2007/gb20070221_774722.htm?link_position=link2

Anti-Online Game Addiction System implemeted in China (country-wide)

I am not in the online game industry and not sure about the statistics about online game addiction. But China government is serious about stopping online game to become a social problem.

According the Chinese article below, a country-wide anti online game addiction system will go live in Jan 2007. The system will monitor user activity in RPG games. When a user spend more than 3 hours per day playing games, their gaming-scores will reduced to 50%. All online game company will need to modify their system to enable the monitoring.

China is not leak of innovation when it comes to online monitoring and controls.

http://www.ce.cn/cysc/tech/yw/200701/18/t20070118_10130593.shtml

Internet Blackout Seminar @ PISA

2 weeks after the earthquake strike Taiwan, Hong Kong is still suffering slow internet surfing, although 70% of website is not accessible.

To understand the impact of this event to our society, PISA organized a seminar and invite industry experts.

Panel Discussion: Internet Blackout - Lesson Learned from Large Scale Network Disruption

Date 20-Jan-2007 (Sat)
Time 2:00pm - 5:00pm