Tech Risk & Security

Measuring Overall Effectiveness of Data Security

2010-05-04T17:50:00.000+08:00

Root Certificate update and software design

2009-08-30T10:20:00.009+08:00

Recently, a member of PISA (also called Anthony) noticed that when using HK Post office website, FireFox displayed security warning saying the digital certificate used bu HK Post is invalid.

A detailed study by other PISA members showed that the reason HK Post (once is the root CA for HK) used their own root certificate. Root certificates are usually shipped with the browser installation and HK Post digital certificate was not included in their default software package. Hong Kong Post setup a page to teach users on how to add the root certificate to most used browsers . However, how many users know this link, willing to follow or could follow the instructions !!

It is quite clear that currently most browsers develop and distributed by US company or US-based community. The interest of adding other root certificates is likely lower than adding new functions. Having said that, FireFox developers have a process to add Root Certificates to their software package, for example this link shows the process for adding root certificate. In their pending lsit, China PRC "China Internet Network Information Center (CNNIC)", Hongkong Post and Taiwan Chunghwa Telecom (CHT) are listed.
Entry for HongKong post was added on 2008-10-08. However, it is interesting to see that Mozilla used their bug tracking system in their handling for Root Certificate Request from CA around the world. Look at the email trails from e-Mice ( Hong Kong PKI operator)

The first request was submitted by HK Post Staff back in 2007 Dec and 20 months passed, it was not yet included in the latest FireFox update !! Obviously, FireFox needs to handle request from many different parties but it was a long time.

Maybe, we could look at the how Adobe do it. Within their design, "Adobe products that support the AATL will automatically download this file every 90 days.⁽¹⁾ Before the contents are deposited into the client's Trusted Identity list, the AATL is verified to ensure it came from Adobe. " The approval process may still take a lot of administration time, roots certificate updates will be 90 days. It is a lot better than waiting for a bug-fix or software release!!

My comment is all comes down to good design and bad design!

Mutual recognition of electronic signature certificates issued by Guangdong and Hong Kong

2009-06-10T09:21:00.000+08:00

http://www.cw.com.hk/content/hk-guangdong-sign-framework-suggestions-e-signature

New models on generating revenue from losing newspapers

2009-06-02T11:13:00.002+08:00

I read an article about how a group of US newspapers plan to respond to failing revenue.

1st : considered a “presentation on technology/service to track content on the Web and to extract payments from third-parties and ad networks that have appropriated newspaper content.” If other online formats are stealing your copyrighted content, make them pay for it.

2nd Collecting enhanced online newspaper user data across newspaper properties and mining that data to aggressively sell target content to specific audience segments across the network.”

The core tech are tracking content (1st model) or user behavior (2nd model). But it is not technology that matters. It is the law that gives the newspaper to charge or sell these data that affect its success. The copyright law enforcement is tooooo expensive compare to maybe HKD 10 for a single reference. Privacy law is too restrictive for newpapers to sell their DB.

My personal opinion is that the current legal infrastructure prohibit QUALITY newpapers to profit. Internet enables instant, multi-media and around the clock FACTs reporting. But QUALITY news report need more than FACTs.

Bloomberg and Reuters are the only successful company as I see it.

Open Source has another dimension --J.P. Morgan's CDS Analytical Engine Available as Open Source

2009-01-30T22:01:00.001+08:00

SDA Announces Agreement to Make J.P. Morgan's CDS Analytical Engine
Available as Open Source; Increases Transparency in CDS Pricing

At the centre of our current financial crisis is the CDS (credit default swap). ISDA is the trade association which draft standard contract for CDS.

The market was unable to give a reasonable and authority price for CDS in recent months. The open source decision is to make the price of CDS more stable and being open source, each one could validate the price components (market risk, liquidity risk, credit risk, FX risk and
others)

Open source when taking a transparent perspective could help to stable a market in crisis.

http://www.isda.org/press/press012909.html

Antony

Circumvention of Technological Protection Measures

2009-01-18T15:26:00.005+08:00

Recently, I re-organised my research article on legislation on circumvention of TPM and published in PISA Journal. In this issue, there was an article on iSCSI Resilience and Security which is a very precise introduction for security professionals.

Thanks for SC Leung's editions.

Website as an economic indicators

2008-06-23T22:28:00.002+08:00

A study was conducted to study the correlation between website usages and economy!! We now have all sorts of monitoring devices and data points that enable us to track human behavior.

It is conveninet to believe some activities (like visiting a particular type of website) will affected by economy. But would this correlation substanitable ? giving the fact that the web content changes constantly and new websites are created daily?

http://news.bbc.co.uk/2/hi/technology/7459055.stm

Top-level domain name and anthropology

2008-06-23T21:01:00.005+08:00

I read two news articles today. One on SCMP which reported that Intel hired anthropologist to study user behavior and shape their strategy. One on BBC Technology, which said ICANN plan to open up top-level domain names. The result would be that everyone could register their website name with ending ranging from .bank to .worm.

They seemed unrelated but I wonder how people respond to an explosive growth top-level domain names. Top level domain names, like .com or .hk are limited and users accumulated a sense of trust after years usages. Will user trust citibank.bank more over citibank.bank ? or will user buy items from toyshop.com or toyshop.shop ?

What is missing in the current Internet infrastructure, after 10 years of development, is trust? How ICANN's proposal to open up top-level domain is helping to built trust in cyberspace ? The current status of DNS is far from satisfactory and phishing attacks are launched daily exploiting this weakness. Opening up top-level domain name for private registrations will create a new zone of chaos.

Cost of Identity Theft

2008-06-17T23:35:00.001+08:00

There is a blog about Effects of ID theft.
It is quite a good reference but the whole process of cleaning up ID theft only after you know your identity was comprised.

Building cultural walls in Cyberspace

2008-06-03T22:24:00.005+08:00

An article from Bloomberg News discussed how Google adjusted their web services with national cultures. In Thailand, they banned YouTue to show videos which offended King Bhumibol Adulyadej. In China, Google stopped offering Gmail to Chinese Citizen to avoid government demands for messages. To be able to stop user from using a specific web services, Google must rely on the programming codes. Now these codes with geo-sensitive information are used to build walls within Cyberspace, either due to political reason or to respect the natioanl cultures. The multinational enterprise is now taking the duty to fund the building of these walls using their codes. Cultural walls is not an entirely bad concept since a neigbhood enjoy more harmony when there are walls between them.

Contrast this to Lawrence Lessig's "Code wants to be free" concept, we could see that multinational enterprises were using codes to control information flow. The force to from multinational enterprises is gaining strengthen because these companies expand their influence by acquiring companies (like Google acquired YouTube and the planning integration of Yahoo & Microsft)

ISP guideline on Cybercrime investigation released

2008-05-28T13:27:00.004+08:00

I wrote about US Senate's approval of Council of Europe Cybercrime Convention . Recently, the Cybercrime Committee of Council of Europe released a guideline on how ISP and law enforcement agencies should cooperate in cybercrime investigations.

Guidelines for law enforcement - service provider cooperation (adopted on 2 April 2008)

From this document, it could be see that there is a large gap between law enforcement and ISP on obtaining evidences. Both sides need to formalise their procedures (either request or giving evidences). If there is no force from the government or other external factor, I could see no reason for them to incur additional resource in this process.

Coming PISA events

2008-05-27T23:42:00.004+08:00

I have been busy with my LLM study at The Hong Kong University in the past year. All goes well, I will graduate this year. The course I took covers Telecommunication, Cybercrime and IP. Will share about all these topic in the coming posts.

First, PISA will has several events in pipeline.
Today, we just finished an Oracle Security Seminar
On 31 May, there will be Data Protection Public Forum. Speakers from ISACA, ISOC and Privacy Commissioner will share their view on recent incidence on data breaches.

Then on 5 June, PISA invited Aloysius Cheang (Head of Security Services for Cable&Wireless Asia-Pacific) to share his experience on malware detections and preventions.

homophily part II - Social Capital

2008-02-21T09:36:00.004+08:00

Below are some extracts from NY Times Blog
http://freakonomics.blogs.nytimes.com/2008/02/15/is-myspace-good-for-society-a-freakonomics-quorum/

"social capital", a concept that describes the benefits individuals receive from their relationships with others.

Bridging social capital reflects the benefits we receive from our "weak ties" — people we don't know very well but who provide us with useful information and ideas.

As our social networks are becoming increasingly more geographically fragmented, social network sites are a useful way for us to keep in touch and seek social contact with our friends.

When many students begin university, they find themselves with a group of ready-made acquaintances. Given people’s preferences for people who are like them, it could be that friendship networks become increasingly homogeneous. Is this a bad thing? It might be if, by choosing potential friends via their Facebook profiles, it means that folk cut themselves off from serendipitous encounters with those who are superficially different from them.

Social networking sites are affecting the labor market as well, because recruiters evaluating young professionals applying for jobs are now hacking into applicants’ profiles, and making hiring decisions based on profile photos in which applicants are drunk or inappropriately dressed.

they devalue the meaning of “friend.” Our traditional notion of friendship embraces trust, support, compatible values, etc. On social network sites, a “friend” may simply be someone on whose link you have clicked.

Anonymous network will be popular

2007-08-19T16:51:00.000+08:00

There is a sad but true story that corporate-PR "corrected" wikipedia pages in order to downplay the mistakes done by company and government organizations. Some of the "corrections" may be a true account of history but there are deliberate censorship.

Most people think the network address (IP address) are useless and could not reveal the location or identity of individuals. However, most IP address is similar to telephone number and could be traced to specific organizations. This traceability enabled Wikiscanner (mentioned in the article) to find the editor of wiki.

There are some anonymous networks like Tor for people to conceal their identity. I believe the PR will continue their censorship on wikipedia with these anonymous networks.

It is sad that when truth is the battlefield between individual and large organisations.

"science may be the main determinant of how a case is resolved"

2007-07-03T21:59:00.000+08:00

The gap between law and science is ever widening. In the past, the court is a place for justice but now justice is bury among scientific experiments and mathematical calculations.

Judges trained to filter fake science from USA Today

Stealing credit card numbers via home Wifi network

2007-07-01T10:52:00.000+08:00

The Hong Kong district court heard a computer crime case on 18th June 2007. An African visitor had rented a flat and stole credit card numbers from his neighbor using wireless sniffing, then he used the credit card information to do online shopping. The charge was brought under HK Crime Ordinance Chapter 200 s116 . More detailed information will be available when the judgment is posted online.

The 23-year old defendant was caught since he had used his home address for online shopping and the police were able to trace the delivery records. His ignorance of fraud detection systems and traceability of online shopping transactions seems to suggest that he is not a professional criminal. There are lots of ways to use stolen credit card numbers, buying cash coupons and delivering to an unoccupied house's mail box are common.

According to statistics , credit card fraudis increasing and costs 3 billion USD in 2006, up from 2.7 billion in 2005. Different measures (like adding chips or using an online password) are introduced to protect credit card transactions. However, these new measures are not effective if the network layer is circumvented.

When a malicious user has installed hacker tools on a network, the protection mechanism on the online application layer may not work at all. Man-in-the-middle attacks using fake servers to intercept Internet traffic were the most dangerous.Traditionally, to set up a man-in-the-middle attack or eavesdropping network traffic, the hacker needs to have access to the victim's physical network. However, with the availability of a wireless network, this physical constraint is no longer an obstacle. If the victim uses a non-encrypted wireless network (According to 2006 PISA wireless survey, 45% of wireless networks were not encrypted ), it is relatively easy to obtain his Internet traffic and the personal information transmitted (credit card information being included).

If the wireless network is not encrypted and users uses it to carry out online transactions or send credit card number via email, there is a high risk of stolen credit card information just like the criminal cases described above. If 45% of individually established access points in Hong Kong are not encrypted, what are the percentages of users having wireless security knowledge or awareness?

DDOS attacks are getting more frequent

2007-06-19T20:22:00.000+08:00

On 7 June, there was a reported case of a successful botnet Distributed Denial of Services DDOS attack. This type of attack was difficult to prevent since current technology could only divert the traffic after the attack has been launched. Due to the fact that the sources of attack are highly distributed, we could never monitor nor stop the DDOS attack. Once the attack is launched, the affected system will be unable to response to normal users.

DDOS attacks are real and there were even reported cases on DDOS against a national body Estonia.

The scary thing about DDOS is the growing number of botnet . With the higher penetration of broadband internet, more computers will be connecting to the Internet 24x7. If the management of these computers is not done securely, they will be a breading ground for botnets and viruses. One area to pay special notice to is the growing trend of networked devices. Vetting machines, CD juke boxes and other everyday electronic devices are likely to be connecting to the Internet within the next 3 to 5 years. These devices will have a slim OS, but able to carry-out basic network activities, like ping and HTTP GET command. The sheer amount of these network devices will be a problem if the OS is not hardened.

Catch up with the Web

2007-06-19T11:02:00.000+08:00

I saw an article on Yahoo news about "25 Web Sites to Watch " and the web advanced so rapidly that one could never be able to catch up. I grouped some of the web sites according to their features.

One thing I noticed is that the web is getting specialised and each website is good doing one particular domain. This fragmented development is the result of a distributed web but in history every development will eventually reverse its course.

" speculated that the Internet will become, in essence, a vast operating system"

Data/Opinion Site

Multimedia Web creation tools

WAP Volumn in China

2007-05-29T09:01:00.000+08:00

China Internet Network Information Centre released a survey result on the current usage of WAP in China. As of March 2007, there were 39M WAP (Wireless Acccess Protocol) users, about 28% of fixed Internet population in China.

Not too surprising, Guangdong Province has the large WAP population.

The report summary could be find here.

Transfer files on P2P is an offence in Hong Kong

2007-05-28T14:57:00.000+08:00

The legal battle on BitTorrent cases reached an end on 18 May 2007 and the full judgement released on Hong Kong Legal Information Institute

On 12 Jan 2005, officers from HKSAR Custom Department raided thedefendant's (Mr. Chan) home after tracking his address from an online forum. Mr. Chan he had uploaded 3 .torrent files on 10 Jan 2005 and 11 Jan 2005 to the forum and these enabled BT users to download copies ofmovies. In first instance, Mr. Chan was charged by virtue of section118(1)(f) of the Copyright Ordinance, Cap 528 and of obtaining access to a computer with dishonest intent, contrary to section 161(1) (c) ofthe Crimes Ordinance, Cap 200. But in the final judgement in the Court of Final Appeal, the 5 judges unanimously dismissed Mr Chan appeal andhe was convicted of 118(1)(f) of the Copyright Ordinance only.

This was a high profiled case and the HKSAR government launched propaganda on their determination on combating the copyright battle. Since charges was brought to the court in 2005, the number of BT seeds decreased in Hong Kong. It was a success and a few points must clarify.

First, back in 2005 the prosecution charged Mr. Chan with "obtaining access to a computer with dishonest intent". This charge was totally wrong and stimulated many critics on the legal ground ofthis copyright case. Mr Chan was using his own computer to store andupload BT files. There was no hacking or illegal access on thecomputer he owned. By bring this charges, the prosecution misused the law and most ridiculously was that the judge agreed this charges. In the Court of Final Appeal, both the prosecution and judges corrected this mistake.

Second, the criminal offence from section 118(1)(f) of the CopyrightOrdinance was enacted before peer-to-peer ever existed and yet this section was able to catch distributing infringed copies via BTnetwork. The major argument by the defendant was that the detail mechanism of P2P does not constitute "distributing" since Mr. Chan was passively waiting owner to locate the media files and there were nophysical medium exchanged, only electronic currents. The judgesdisagreed and said if (1) the infringing copies were created by thedefendant and (2) his action enabled others to obtain the infringingcopies (in any way technologies allows and with full knowledge), then the defendant's action falls into the definition of "distribution"under Copyright Ordinance.

Control points missed in Symantec

2007-05-21T08:51:00.000+08:00

This morning I heard astounding news about Symantec. It released a faulty virus definition that deleted (or quarantined) two essential files on Windows XP (Simplified Chinese Version). The result was that around 3 millions computers were unable to start and must restore the deleted files from the original Microsoft installation CD. SANS and Sina confirmed this news. They claimed that only people who downloaded the updates from the Symantec China webpage between 01:00 a.m. and 02:30 p.m. on May 18th AND have MS06-070 installed on their computer were affected.

This incident has many implications. The one that worries me the most is that people will try to download these files on the web in order to repair their computers. The integrity of these files is in question (if they do not come from an authenticated source). A malicious hacker may plant a virus or backdoor in these system files and offer them in discussion groups. As an auditor, I always think of process control. There are actually two control points within the release process of a virus definition. The first one is the approval and verification process for adding a system file to their blacklist. System files are high- risk files since they impact the whole system, instead of a single application. The second control point is the testing of the definition before publishing to the public. Does Symantec test all their definitions with all versions of OS? It is an extremely challenging and costly task to release timely virus definitions and, at the same time, to have all OS versions tested (different languages, times, services packs). Although it is a costly testing process, the risk is too great to ignore.

There is always a lesson to be learned from mistakes. Hopefully, the whole anti-virus industry will benefit from Symantec's mistakes.

The root of China SMS-based Payment

2007-05-03T13:16:00.000+08:00

McKinsey recently released an article on the prospect of a SMS-basedpayment system in China rural area. The arguments were that China has a low level of non-cash payments when compared to other countries and the Chinese government is keen to develop non-cash payments in order to simulaterural spending. There are both economical and political reasons to have an efficient rural payment system.

I agree with the article's contention that ATM and POS are not the right products for Chinese farmers. The main reason is cost. While the annual income of the averagefarmer in China is below USD 2000, it is relatively costly to acquire and maintain an ATM or POS, which usually costs more than USD 20000. Apart from cost, there is also a trend in other countries of declining rates of ATM adoption. According to the BIS statistics, the number of automated banking machines per million inhabitants decreased by 1123 in the year 2000to 1069 in 2005.

However, the picture portrayed by McKinsey seems to be of the distant future. The China Union Pay website reports that there are 86000 ATM and 608000POS installed. In 2005 alone, the transaction volume was more than five billion RMB (USD 670 M). However, there are only 14 cities in China enabled with mobile payment and with only 2.7 million users.

One major type of money flow in rural China areas is the money transfer from workers in urban cities. Urban city like ShangHai and ShenZhen attract millions of farmer who go to work there and their wages are usually"carried or transferred" back to the villages. This type of transaction is the root of many rural payments. So, the critical success factor may not be in the branches of payments in rural areas, but inthe root of most payments, which is in the cities.

CFCA -- the China next payment infrastruture

2007-05-02T20:08:00.000+08:00

There was a news about 16 China Banks released a press release about a coordination framewrok between banks against online fraud (網上銀行反欺詐聯動機制)

The banks will share their fraud information with China Financial Certification Authority CFCA, which was found by the banks in year 2000. CFCA is a certificate authority (i.e. a PKI service provider) and from ChinaTechNew.com 25 banks uses their certificates in 2005.

If this alliance is successful and continues its development, I think CFCA has the potential to be the center of China payment network. A secure PKI is important, especially for using client-side authentications. When the banks establish a cross-banks PKI process and agreements, the payment network may function a bit like VISA in plastic card business. For China, the development and innovations are unlimited.

Internet Law -- A US testmonial

2007-05-01T22:08:00.000+08:00

When we talk about Cyberspace, we usually think of US. Partly due to there technology innovations and partly due to their obsession about Internet. Then it is not surprise to know US has many legislations on regulating the Internet and citizens' cyber-activities.

Below is an snapshot of the status of Internet regulations in US and quite interesting.
http://www.imanet.org/technotes/stnewsb.asp

When there is no choice .. ...

2007-04-29T21:48:00.000+08:00

I joined a discussion forum oragnised by Legislator CK SIn on 26 Apr at HKPC where a group of industry leaders are invited to express their view on Hong Kong Government consultation paper on new copyright legislations.

The speakers concentrated on two major themes:
1 Criminalisation of infringing downloading
2 Requiring ISP to keep IP-to-Physical Address records

One important discussion item was that almost everyone acknowledged the fact that a viable business model is needed for substantial development of online contents. But when there is no widely adopted business model, legislations are considered necessary.

PISA is monitoring these developments and will submit our views to the government.

IEEE 1667

2007-04-21T15:14:00.000+08:00

The IEEE is working on a standard for USB and other flash authentications. The new protocol is a standardization on how a USB disk could authenticate against a computer. That is how you could limit which portable disk to be able to store your data. It is a long-waited protocol and is vital for protection against data-theft.

Authentication in Transient Storage Device Attachments

The standard will be published in June 2007

RFID ticket in China

2007-04-15T23:22:00.000+08:00

I saw some puzzling situations when I traveled to GuangZhou (southern China) this weekend. GuangShen Railway installed a RFID ticketing system and all tickets are embedded with a electronic circuit (photo 1). RFID application on train ticket is quite advance. In last winter,I traveled to UK and Sweden but did not see any RFID application in transportation system (even airlines).

What puzzling me is the ticket-checking in Photo 2. You could see there are two railway staff standing behind a gate to check passengers ticket. The narrow opening is to prevent people from passing the gate. Except the tickets embedded with a electronic circuit, very little has changed. The railway staff still need to validate passenger's ticket one by one. When a few hundred passengers passing through the small gate, one can image the chaos it created!

China being late in infrastructure investment projects are applying advance technologies but this example shows that the benefit of technology may not be realized.

Another puzzling issue is why do they need a RFID ticket for a one hour journey where 99% of passengers do not check-in their luggages !!

PCI Industry standard audit checklist

2007-04-13T14:10:00.000+08:00

IT Compliance Institute just released PCI Industry standard audit checklist. It also include a self-assessment questionniare.

Poorly regulated DNS services

2007-03-18T20:03:00.000+08:00

For most of the telecom service (from dial-up, broadband, network TV), the services are regulated by country government. Consumers depend on the government to ensure proper operation of telecom services since these services affect a large scope of the society and the services are very technical.

However, domain-name registrars are poorly regulated according Business-Week. Not that government-regulation must be good; it could be self-regulated (like the industry-associations). The current state of DNS is worrying.

This phenomena is not unique in US. In HK, Hong Kong Internet Registration Corporation Limited is also a commercial organisation but the government sent one senior official to sit on its broad.

User education is missing !

2007-02-24T18:47:00.000+08:00

The reports on China as a centre of Cybercrime and SPAM is appearing. In this Western media article, cybercrime problem is associated with use counterfeit software ! I think more importantly is that the user educations is weak.
The OGCIO has radio drama to teach HK people to protect against phising and other online risk. But do we have similar radio broadcast or media attentions in China! Is there a government division work on user educations!!

http://www.businessweek.com/globalbiz/content/feb2007/gb20070221_774722.htm?link_position=link2

Anti-Online Game Addiction System implemeted in China (country-wide)

2007-01-18T20:36:00.000+08:00

I am not in the online game industry and not sure about the statistics about online game addiction. But China government is serious about stopping online game to become a social problem.

According the Chinese article below, a country-wide anti online game addiction system will go live in Jan 2007. The system will monitor user activity in RPG games. When a user spend more than 3 hours per day playing games, their gaming-scores will reduced to 50%. All online game company will need to modify their system to enable the monitoring.

China is not leak of innovation when it comes to online monitoring and controls.

http://www.ce.cn/cysc/tech/yw/200701/18/t20070118_10130593.shtml

Internet Blackout Seminar @ PISA

2007-01-08T08:58:00.000+08:00

2 weeks after the earthquake strike Taiwan, Hong Kong is still suffering slow internet surfing, although 70% of website is not accessible.

To understand the impact of this event to our society, PISA organized a seminar and invite industry experts.

Panel Discussion: Internet Blackout - Lesson Learned from Large Scale Network Disruption

Date 20-Jan-2007 (Sat)
Time 2:00pm - 5:00pm

Undersea cable damage bring an issue of operantion risk in Basel

2006-12-28T09:01:00.000+08:00

The earthquake stoke southern Taiwan on 26 Dec caused a major disruption of network communication in Hong Kong. It is believed that several cable connecting Taiwan, Japan and US were damaged and the restoration will take days.

As banks and stocker brokers rely heavily on electronic settlement and straight though system, their operation are affected. Especially cross country trading, i.e. accepting oversea order to be executed in Hong Kong Exchange and at the same time, placing order to the US market. One of my broker in HK informed me that they will not be able to accept buy order until the network is restored (sell order is possible since they will execute instruction with telephone).

The real issue is with STP system, there is a timeout value for each data transmissions and the timeout value is usually set to a reasonable time under normal network connections. The system may retry after timeout but the number of retry will only create more traffic on an already congested network.

There are many issues with this kind of disruptions but I like concentrate on the operation risk of Basel. Banks intended to use the Advanced Measurement Approach (AMA) will need to calculate their regulatory requirement as the sum of expected loss (EL) and unexpected loss (UL). In order to do accurately calculate, the bank must track relevant event linked to their operations, technology process and settlements are one of them.

Network disruption due to services provider unable to meet SLA may be classified as one loss. But it is not the biggest one. I am thinking of the sudden increase of manual settlements and the inability of pricing provider to provide accurate pricing.

It will be a lesson for regulators and banks to learn how AMA of operation risk will work under extraordinary conditions. The lesson is not finished yet as the network connections will not restore to normal for a few days .

Latest developments in digital media distribution

2006-12-21T00:14:00.000+08:00

These two days a bunch of news related to the digital media distribution appears across the globe. These news seems unrelated and did not go to the frontpage but their total effect will shape our future and the economy.

Companies are committed to protect and capitalize their intellectual properties. An regulations is one of the way.

Sony BMG settles suit over CDs

BBC moves to file-sharing sites

The HKSAR Government CITB announced yesterday the following consultation paper which discussed a lot of Internet related copyright issues.

UK banned DOS

2006-12-04T10:45:00.000+08:00

I wrote an article in PISA Journal about UK proposed legislation in banning Denial of Services (DOS). Last week UK enacted a law of similarnature, you can read the comments and full legislation below.

UK enacted Police And Justice Act 2006

The definition of a criminal offence is broad and includes "hinder access" !
"(a) to impair the operation of any computer,
(b) to prevent or hinder access to any program or data held in any computer, or
(c) to impair the operation of any such program or the reliability ofany such data,"

US Release guidance data discovery in civil litigation.

2006-11-17T09:18:00.000+08:00

There are many discussions/articles on the web about the US Federal Rules of Civil Procedure (FRCP) Rule 26, 33, or 34.

Below is a good summary. The rule set a 90 days period for lawyers of both parties to agree what needs to be prepared for the court. After this 90-days period, any data discovery request will likely be rejected by US court.

New E-discovery Rules

Cybersecurity Workshop at Singapore

2006-11-13T22:18:00.000+08:00

I attended a Cybersecurity on 31 Oct and 1 Nov and the presentations are available online now.

http://www.itsc.org.sg/downloads/presentations.html.

The presentation from Koji on Monitoring Cyber Attacks showed many 3D visualization of attack patterns.

A New Blog

2006-11-11T12:59:00.000+08:00

I have been quiet in the Blogsphere since I was busy with ISO SC27 activities and also PISA.

PISA has a new blog created for discussion of local IT security matters.
Take a look at http://pisa-security.blogspot.com/

Spammers manipulate stock markets

2006-08-27T12:20:00.000+08:00

A news appear in BBC technology section and it is another trend that changed the unguarded world. Some people still believe email is an authenticated way of communication and trust the message it carries. But most email we received today are sent by machines!

E-mails typically promote penny shares in the hope of convincing people to buy into a company to raise its price. People who respond to the "pump and dump" scam can lose 8% of their investment in two days.

US Senate approval of Council of Europe Cybercrime

2006-08-14T13:09:00.000+08:00

I have been following the news about US Senate approval of Council of Europe Cybercrime Treaty. It is a milestone in both Internet law enforcement and Internet Governance. The most comprehensive article about this development was by ZDnet Asia

There are a lot of Bloggers discussing how Americans is affected by this Cybercrime Treaty. From this blogs, I found most negative comments are worries out of ignorance. Their comments do not quote or make reference to the Treaty, most of the time are just suspicions.

Treaty Article 19 – Search and seizure of stored computer data, US government may establish new provisions to seize individual data. But there are already lots of other American laws giving US government the right to do so. The Treaty only specifies the principles and each country is required to implement their own procedures.

Below are some comments from the Blogsphere :

Unsolicited Electronic Messages Bill

2006-07-09T17:13:00.000+08:00

Hong Kong after months of public consultations is proposing an Unsolicited Electronic Messages Bill. This proposed bill has the following major features:
1. Enforce Opt-out (One needs to check before sending)
2. Technology Neutral (cover SMS, FAX and Email)
3. Prohibit address harvesting

Generally, HK Government's effort is appreciated and the bill is comprehensive. There is not loophole the drafted bill does not quite get it.
Under this bill, government propose to empower the Telecommunications Authority (TA) to set up "do-not-call registers", "which would be to facilitate recipients to opt out from receiving further commercial electronic messages from all electronic marketers and for senders of commercial electronic messages to ascertain the electronic addresses to which they should not send further commercial electronic messages unless they have specific consents. "This kind of register is very likely to be abused by malicious person to validate email addresses. To address this potential abuse, "We propose to make it an offence for an electronic marketer using those information from the TA for any purpose other than for ascertaining whether a registered user of an electronic address does not wish to receive unsolicited commercial electronic messages"

Criminalizing this act seems to be effective at first glance. But if you consider 90% of spam are not HK-originated, the new offence is meaningless, at least 90% of the time.

I think the Telecommunications Authority should have strict rules on how the public access "do-not-call registers". At least the person accessing this "do-not-call registers" should have a valid business registration number or ID card number.

More information on how Australia is doing can be found here.

National firewall weakness

2006-07-03T13:12:00.000+08:00

A member from PISA posted an article on how the China Firewall works and how to circumvent it. Basically, there is one weakness of China national firewall that the web hosting company could exploit.

This is another example of "Technology wants to be free".

================================================

Abstract. The so-called "Great Firewall of China" operates, in part,by inspecting TCP packets for keywords that are to be blocked. If thekeyword is present, TCP reset packets (viz: with the RST ag set) aresent to both endpoints of the connection, which then close. However,because the original packets are passed through the rewall unscathed,if the endpoints completely ignore the rewall's resets, then theconnection will proceed unhindered.http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf

Another War in the technology standard

2006-06-13T22:40:00.000+08:00

IEEE was and is affecting everyone by defining how bit and bytes transmit. Without a standard, no two machines could talk to each other.

In the past, US company were pioneer of technology standard and they were the only voice in standard setting committees. Now China wants to play the game and proposed WAPI standard. However, “In March, delegates representing standard bodies from 25 countries voted in favor of the IEEE's version over WAPI.China appealed the ISO decision and demanded an apology from the IEEE which it accused of "dirty tricks" in lobbying for its standard, Xinhua said.”

I am glad to see China government is actively protecting national manufacturers (although most of them are still state-owned) by going to international forum like IEEE. If IEEE does not adopt China-backed WAPI, I believe China will not step down. There will be two standards for wireless transmission. Just like Japan has their PHS mobile phone system.

A blackhole in Cyber Law Enforcement

2006-06-06T11:57:00.000+08:00

Local Police is not investigating the reported ransomware case as it MAY fall in the remit of the National High Tech Crime Unit (NHTCU), which was amalgamated into the Serious and Organised Crime Agency (Soca) in April.

After reading this news article, I have no clue when or who will investigate this case. It seems in UK the law enforcement have not keep up with cyber crime. The local police said it is international crime and they do not have resources to investigate. The Soca seems only investigate large and organized crimes.

So when a crime involves international transactions and not organized, citizen in UK does not have any protection from their government even they report it to police. I believe what happens in UK is similar to elsewhere in the world. Police forces are not ready or willing to surf the wave of cybercrime.

The resource to investigate is huge. There may be some wrongly reported cases. The legislation and prosecution is difficult. All are the reasons that police feel powerless.

The issue revealed by the article is alarming as this un-patrolled area of cybercrime is definitely growing.

Anti-Ransomware

2006-06-05T07:02:00.000+08:00

A counter-action of last blog :
The password for unlocking hijacked-files by Ransomware are widely available online now.

One nature of encryption is that there is a one-to-one match of general used encryption softwares/tools. When a hacker distribute his ransomware to the victim, there is one key for encrypting files. There is also one key to unlock these files.

Each release of ransomware will share the same unlocking key and this is the weakness of ransomware. When the password is publicly available, the ransomware is useless.

However, there maybe multiple releases with different keys. In such case, the hacker will need to keep track of which key corresponding which release. The logistics maybe overwhleming.

One direction of development is there is a pattern of generating keys (like using a master key and the username, ip address or computer service patch number). Then the variant of keys of each releases will be multiplied.

Another case of computer crime

2006-06-01T07:30:00.000+08:00

From BBC
A woman from Greater Manchester has become a victim of an internet scam in which hackers hijack computer files and blackmail owners to get them back.

Do anyone have a glue on how to translate ransomware in Chinese ?

US data retention law (to be)

2006-05-29T20:17:00.000+08:00

U.S. Attorney General said Internet service providers should retain subscriber information and network data for two years.

Previously, I blogged about China's legislation on keeping user Internet-activity by ISP. Now US is going the same direction. When I was skeptical about Chinese government uses of IP address log, US government is doing it in the name of child pornography .
I am more concern about the possible uses of these IP address. In HK and Japan, cases has been brought by music companies to request ISPs to disclose IP address logs and their correspondents. These information was used for copyright infringements.

Once the detail user activity is kept. The uses of it will be unlimited and it is scary. There is nothing wrong for music company to sue for infringements. But if music company could use these logs, what will stop someone to bring civil cases against you and request ISP to disclose your internet activity. Recently, the Hong Kong Examination Authority used web server logs to investigate reported cheating cases.(PDF)

When log are kept for good reason, the use of it must also be good reason.

One source of poverty

2006-05-18T09:37:00.000+08:00

A study focused on the effects of Wal-Mart stores on poverty rates found that an estimated 20,000 families nationwide have fallen below the official poverty line as a result of the chain's expansion.

Although I have not read the whole report nor the article confirmed the research method is scientific, I agree with the author that "found that one of the greatest effects of a Wal-Mart opening is the closing of mom-and-pop-type operations."

Promoting Chinese using Internet

2006-05-07T12:31:00.000+08:00

BBC posted a new on China government is promoting Chinese using the Internet. Chinese is getting more attentions now.

This brings me to think the process I learn English. Reading storybooks was the major part of it. Animal Farm , The Tale of Two Cities and Sophia were those I read. Those books were written not for learning English as a second language but they are interesting even after centuries.

Chinese has some great storybooks too and I hope these books will enable people to understand Chinese culture. I am interested in knowing which books or stories will China government uses to educate Chinese to the world.

IP address logging has many faces

2006-05-03T20:27:00.000+08:00

A council question on whether IP should be treated as Personal Data as defined in Section 2 of Personal Data (Privacy) Ordiance was asked by CK Sin. This issue was raised because Yahoo Hong Kong gave Internet usage information to China official and resulted in some arrestments in China.

In reading the reply from government, I notice that government official referred to EU Directives but not China’s Law despite the fact that both EU and China adopt civil law legal system and HK is common law. I believe it is the intuitive reaction for HK government official to look for guidance from EU on privacy matters and it is this intuitive distinguish HK from other China cities. How will HK change to more like China cities or China cities changes to more like HK? I am not totally sure.

Back to the real issue. I always think absolute anonymity is a fake concept in the Internet since each and every bytes transferred can be recorded with little incremental cost. ISPs have both the ability and capacity to record every IP address used by their customer. Logging may be for good reasons like troubleshooting or security or for surveillance. No one knows how the log will be used after it is stored. Regulation on this area is needed, not only in Hong Kong.

Apart from Human Right and censorship, I recently finished Cyber Regulation course at HKU Law Faculty and our lecturer Maurushat Alana discussed another aspect of IP surveillance. Due to the emerging of Digital Right Managements (DRM) in the entertainment industry, many software is developed to control and monitor user usage of music or movie. Monitoring devices will sometimes log the IP addresses, data/time and OS platform information. There is a danger for DRM software recording and sending information silently to the entertainment companies. One day, some government officials may request Sony Music or Warner Brothers to provide Internet activity report for criminal or activists.

The issue of IP address logging and privacy is just a start of how Internet governance that will affect everyone life.

Ransom, the 21th centrury story

2006-05-01T12:06:00.000+08:00

Two ransomware cases were reported recently, both involved a Trojan control access to computer. The trend of cybersecurity is going from phishing to ransomware and it is alarming as these ransomware will cause real damages.

16 March PCworld
27 April Yahoo News

As I am working in a bank, I notice that both cases relied on money transfer company(Western Uinion & e-Gold) for their operations. The convenient e-payment infrastructure is one of the factors for this type security incidence. The Torjan instructed victims to deposit money via this money transfer company and their computer/file will be unlocked. If the criminals are able to open a large amount of money transfer account for large scale operation, it will be a real danger to the Internet.

China Internet Security Law and WTO!?

2006-03-26T20:47:00.000+08:00

There is a new Law effective in China being 1 March 2006.
A brief outline is here http://news.xinhuanet.com/it/2005-12/29/content_3986087.htm
The full legislation is here 互联网安全保护技术措施规定 .

There are some interesting observations from an IT security perspective:

1. This regulation is under the regime of China Police Force.

2. Article 7.1.2 requires ISPs to have disaster recovery ability for vital database and system equipments.

3. Most of the regulation requires ISP or who operate internet services (loosely defined at Article 18) to record and store users login time, IP address, user account information and system logs.

4. ISP has to maintain records if they find any illegal materials being distributed to the public. (“What means by illegal in the China?” is a mystery).

5. China Police could punish entity if they fail to perform Article 7 to 14. But there is no indication of what kinds of punishment should be.

First, as a security professional, I appreciate China government is working on legal protection of their Internet Infrastructures. But it seems stress on monitoring measures more than preventive measures. And the amount/details of information to be recorded by ISP have little to do with Internet security. The fact that it is under the regime of Police force made me think that it is more a surveillance measure for China government.

If this regulation is enforced strictly, China ISP will be the biggest buyer of storage devices. Imagine the sheer amount of data generated every second. But this regulation does not specify how long the data should be kept!

Just by reading this regulation, I believe even China open telecommunication industry to foreign companies, no sensible company will enter the ISP market!

A war ! and who wins

2006-03-24T21:31:00.000+08:00

I read story(case study) about Britannica transforming from books to CD and their need to change business model in Internet Age.

Now the same company face another challenge : Wikipedia, which has been a phenomena now.
BBC reported a study comparing their accuracy :
Wikipedia study 'fatally flawed'

It seems Britannica always face challenges from "new media" and this time they choose to begin a war!

Web 2.0 & Democratization of Media

2006-03-19T12:23:00.000+08:00

When I go to class at HKU, two separate seminars bring a thinking threads
to the current Web2.0 discussion.

Professor Bebo White spoke of user empowerments at
Web 2.0 and the Future of Social Networking and Online Communities. And this empowerment results in Democratization of Media.

Web 2.0 is still in a developingstage but the decentralized publishing is really changing how the society works.

My view is once the media is effectively decentralized and people being to information from the democratized media (like blog, wiki and off-line chat) for decision making, the result will be a collaborated decision making.

The other think thread is the influence of each individual to the world will be greater since the voice will be heard (either collectively or individually).

However, all this has to be based on a trustworthy web.

P.S. take a look at www.yackpack.com a offline chat services

2006 Spring (open source and collaborations)

2006-02-22T17:18:00.000+08:00

On cyber space, I was hibernated for last winter. In real world, lots of new ideas and works.
During this time, I extend my horizon from IT security to a larger world ; open source and web 2.0. And now I am sure I can't handle all these new concepts coming in.

Mostly the time were spent on understanding the open source world. It has been evolving at a pace, no one alone can understand the impact of it. In Chinese, bamboo after spring rain.

Will have more thinking threads along these new lines.

MS 05-51 buggy patch

2005-10-17T13:24:00.000+08:00

My computer did not show any network connection after I installed my computer with all 9 security patches. After some search, MS also noticed this problem and the update is below.
http://support.microsoft.com/?kbid=909444

This experience prompt me for 2 issues (one technical , one management)

1. MS recommend one setting "Everyone group should have Bypass Traverse Checking permission".
But this violated the default server built standard at some companies. The servers before put into production was hardened and this permission was changed to Domain User or Authenticated User.
Should we ask ourselves "Are we doing too much security hardening?" or "Why Everyone is need this permission?"

2. While it took 5 days for malicious hacker to publish exploit code, MS took 4 days to resolve their buggy patch. How IT admin is going to manage their internet facing server if running MS IIS ?
Patch too soon, we are at risk of MS bug.
Patch too late, we are at risk of exploit code.

Message from the court

2005-10-08T21:25:00.000+08:00

BBC news reported two twenty-something were convinced for 3 and 6 months. What alter me is that the judge by putting them behind bars was sending message to other young people.

“Young men, like you, have to be deterred from committing this kind of offence.” By Judge Beatrice Bolton

http://news.bbc.co.uk/1/hi/england/4319942.stm

Behavior becomes mainstream

2005-08-29T23:28:00.000+08:00

Reading of this weeks Economist on mandatory pension (page 63), quote below
" Given the choice between $1000 in now and $1100 next year, an individual may well take the money at once ... ... Behavioral finance also shows the surprising extent to which people are swayed by the way that choices are framed. "

Behavior economy is going mainstream.
As a security professional, I usually encountered people (even myself) taking risks just because it is convenient! And security professional should make use of behavior to control IT related risks.

Windows Online Crash Analsysis (OCA) Security

2005-08-23T23:38:00.000+08:00

Today when I was using MS word to edit a document, I encountered an error which hangs my application. By forcing it to quit, Windows XP started Microsoft Online Crash Analsysis (OCA) and asked me to send an error report to Microsoft. OCA has been with us for sometimes and I usually clicked on “OK” with an urge to start working as soon as possible. However, today I looked into what was happening behind the simple click and found something unexpected.

Opening 5MB file generated by OCA with a notepad, I was stunned to find my entire document appear in plain text (see the figure below). The error-reporting module actually transfers the document I am editing to Microsoft. Immediately, I checkout their privacy website to find out if is declared and it is (see the red circle).

At this moment, a lot of questions pop up
1. Most importantly, are the document content necessary for the error investigations?
2. I believe with million of error reporting, Microsoft and their staff will not have the resources to look at the content. But what is their retention policy?
3. Should Microsoft display a more clear warning message? Instead of in a privacy statement with small fonts.

I believe companies should disable OCA or use firewall to block this type of traffic. More studies need to be done on FireFox quality feedback program.

Below is Microsoft Privacy Statement
http://oca.microsoft.com/en/dcp20.asp

Growing game indsutry ... ...

2005-08-20T15:34:00.000+08:00

A highly contaminated network
"About 6000 machines connected to the network... of these 1100 were infected...no less than 400 000 different species of your least favorite malware were identified! "

A read of this Blog shows how immediate pleasure overshadowed the risk of virus infections. While firewall and patches will keep the computer safe, PC gamers who are afraid of speed deterioration let themselves open for real world attacks.

The figure shows 18.3% of gaming PCs are vulnerable. With the ever-growing PC game industry, the family of Zombie machines is also growing. Again, IT security is more on human behavior than technology.

My advice is to have the machine dual-boot, one for productive work and one for adventures. (A side question is do we need 2 OS licenses for a dual boot machine?)

How the Security Breach Occurred

2005-07-24T23:03:00.000+08:00

Below is the testimony from CEO of Cardsystem, which can be found at here

It seems an insider job (knowing which file to look for and can bypass FW setups). It is very difficult to uncover a script on a server if it is plant by an insider. BUT having this script running for 8 months is another thing. Security Audits, periodic port scanning and health check should uncover this abnormality of the systems.

If one look into the root cause of this problem, it is the credit card data is stored for incomplete transactions. I believe lots of other card processing companies also store these type of data for manual settlements.

How the Security Breach Occurred
In September 2004, an unauthorized party placed a script (a sequence of instructions interpreted or carried out by another program) on the CardSystems platform (an underlying computer system on which application programs run) through an internet-facing application that is used by our customers to access data. In contrast to scripts, viruses and worms are programs or programming code that replicate indiscriminately and may result in file destruction. This script ran on our system and caused records to be extracted, zipped into a file, and exported to an FTP site (similar to a web address). It was a sophisticated script that targeted a particular file type, and was scheduled to run every four days. Based on all of
the forensic investigaions conducted externally, by independent scans and investigations and by the payment card providers, we know of only one confirmed instance in which any data was exported, and that is the May 22 incident that has brought us here today.

Why the data is stored
The data stored in the files that were confirmed to have been exported by the script consisted of transactions which were not completed for a variety of reasons. This data was stored for research purposes in order to determine why these transactions did not successfully complete. As we have repeatedly acknowledged, our error was that the data was kept in readable form in violation of Visa and MasterCard security standards. As of May 27, 2005, track data is no longer stored by CardSystems.

Security for phy impaired

2005-07-17T23:01:00.000+08:00

In HK, one of the largest banks enchanced their eBanking security by giving each online banking customer with a security token, about the size of a battery with smal 6-digit LCD display.

The device fits for carrying around. BUT after its release, some people with poor vision is complaining their access to online banking is made more difficult if not impossible. The one-time password display is just too small for them.

When we talk about security, it is usually for the "normal" man working on the street. As security is becoming a commonplace, we will face the challenge of meeting the demand of everyman on the street.

Softside of security

2005-06-30T23:12:00.000+08:00

Yesterday, PISA invited security experts to have a discussion forum and share the challenges in management IT security. 3 keynotes speakers are coming from banking, telecom and public organization respectively.

Below are the key points of the 2 hours discussions:

Both banking and telecom are highly regulated industries. IT security planning and management are driven by regulators. And both security managers in these industries believe more regulation will come!! Be prepared. But WHY the regulator wants more regulations? (An interesting question although knowing the answer will not stop them)

IT security managers sometimes need to educate business manager about risk and sometimes need to control them. It is a delicate relationship. In other word, IT security manager need to control our customer. The following were shared:

One organization has a security steering committee and it is a collective decision on whether to implement a control. Security manager’s role is to advice and advocate about risk. The decision to venture a risky operation or system does not rest on IT security manager or business manager.
The key point in IT risk management is to deliver the message to the Top Management. In cost conscious economy like now, management attentions are the key. If IT security manager direct report to CEO, meaning by passing CIO, things will be very different.
IT Auditor sometimes is friends to IT security manager as they helps delivery message to the board level and balance the risk control culture.

Blackhole for network security

2005-06-28T20:23:00.000+08:00

There is a few paper on the net discuss how to divert and mitigate the damages caused by network attacks, in particular DDOS. Both papers describe a means to create a “black hole” on the network.

One is on the network layer and one is on the web server layer
Cisco Black Hole Filtering
Cisco's paper explain a specifically built infrastructure can help ISP to route malicious packets to a null interface(blackhole filtering).

Microsoft Beat Hackers At Their Own Game With A Hackerbasher Site
Utilizing the principle that all vistors must know my name. This method divert incoming traffic using IP address not hostname.

These papers give a good illustration that security can be achieved by thoughtful design. All the tools and technology is available to everyone or what they call built-in. By good designing, we increase the effectiveness of our security investment.

Risk on Radio

2005-06-23T22:04:00.000+08:00

This morning I joined a talk show on RTHK and discussed risk of usnig credit cards. Media attendtion is high after the recent security breach at Cardsystems. The story was uncovered on 17 June 2005, but after 6 days it is still lingering on. WHY?

First, I believe this incident is huge in terms of people affected. 40 million card numbers were lost. Secondly, it was uncovered on SAT. I am not joking. One of my lectures in a Crisis Management class told his student in class that when reporters are hungry for news, even lost of a penny can be headline news. On Saturday, when reporters unable to find new story, a incident like this one will be reported by every newspaper.

Back to the talk show, there were few people called in. And one mentioned that when he visited a Indian online shop and was diverted to a HSBC credit card website. This website asked him to enter his personal information like birthday and passport number. He worried this may be fraudulent website and asked for advice.

As a banking guy, I know the credit card website is part of the process called "Verified by VISA" and definitely not fraudulent. This “Verified by VISA” process enables the card issuing bank to authenticate the online transactions. Banks invested a lot to enable this technology. However, the general public is scared about things tooooooo new.

If you think positively, this person is risk aversive and phishng is not going to catch him.
If you think negative, it is a lost/lost/lost situation. The credit card holder cannot buy his goods. The online cannot sell. The bank’s investment on new technology is gone.

I am on the negative side.

Click here to Hong Kong Backchat talk show.