15m UK bank details lost – but what’s the risk?

The UK is in a panic right now because data containing 15m recipients of child benefit has been lost. It’s a serious incident and the chairman of HM Revenue and Customs has resigned.

Even so, I’m a little confused. I watched TV news over lunch and several identity theft experts came on and warned us to scrutinize our bank statements with extra care because of what has happened.

So what is in these records? We don’t know, yet, though the BBC says:

names, addresses, date of birth and bank accounts

Now, none of these experts has explained to me how Mr Fraudster takes these details and translates them into cash extracted from my bank account. Perhaps he approaches my bank, posing as myself, and asks to withdraw money? He would have to produce some kind of additional fake identity to do so. Perhaps he embarks on a more complex fraud involving, say, a change of address and a replacement debit card? Fair enough, but it is non-trivial.

Further, how difficult is it to obtain such details anyway? Names and addresses are easy enough to find; so are dates of birth. Nor are bank account details normally regarded as highly confidential. They are on every cheque you sign. Some companies include bank details on their invoices or on their web site for all to see.

I’d have thought that credit card details were far more valuable to criminals, especially when they include things like expiry dates. But they won’t be part of these records, surely, and nor will passwords or PIN numbers, unless there is a lot that we have not yet been told.

I don’t mean to diminish the seriousness of the incident. This is a huge amount of confidential information to lose. But I’d like a bit more explanation about why these details are so dangerous in the wrong hands, before I rush out and close all my accounts.

Security expert Bruce Schneier would I think call these details “semi-secret”. His consistent message is that you should authenticate the transaction, not the person. See his (old) post on Identity Theft in the UK.

Update

Here’s the official advice:

What can an ID fraudster do with this data?
No password, security details or card details have been compromised, so a fraudster cannot access your bank, building society or card account. However, HMRC is advising customers that if they use any personal data, like child’s name or date of birth in their password, they may wish to consider changing their password.

If this data were in the hands of a fraudster – and at present there is no evidence that it is – this type of information might help them to commit account takeover fraud, although additional information would be needed. There is also a risk of a fraudster using those details to set up other credit or financial agreements, e.g. mobile phone accounts.
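
A minimal check for the situation the advice describes, a password built from a child's name or date of birth. This is an added example, not part of the official advice or the original post; the function names and the sample record are constructed for illustration.

```python
import re
from datetime import date

# Undo common character substitutions so "0l1v1a" is compared as "olivia".
LEET = str.maketrans("013457@$!", "oieastasi")


def date_tokens(d):
    """Common ways a date of birth is typed into a password."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {dd + mm + yyyy, dd + mm + yy, mm + dd + yyyy,
            mm + dd + yy, yyyy + mm + dd, yyyy}


def name_tokens(full_name, min_len=3):
    """Split a name into parts; very short parts cause false positives."""
    parts = re.split(r"[^a-z]+", full_name.lower())
    return {p for p in parts if len(p) >= min_len}


def personal_data_in_password(password, names, dates):
    """Return the personal-data tokens found inside the password."""
    raw = password.lower()
    # Dates are matched on the raw digits, with separators removed,
    # because the substitution table would rewrite the digits.
    digits_joined = re.sub(r"[\s./\-_]", "", raw)
    deleet = raw.translate(LEET)
    hits = set()
    for name in names:
        for tok in name_tokens(name):
            if tok in raw or tok in deleet:
                hits.add(tok)
    for d in dates:
        for tok in date_tokens(d):
            if tok in digits_joined:
                hits.add(tok)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample record, not real data.
    names, dates = ["Olivia Example"], [date(2001, 3, 14)]
    for pw in ["Olivia2001!", "0l1v1a-14/03/01", "correct horse battery"]:
        found = personal_data_in_password(pw, names, dates)
        print(pw, "->", found or "no personal data found")
```
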

Further postscript

As it happens, I was at a meeting this evening and spoke to someone who works for a bank. He says there are several risks. A smooth-talking fraudster might persuade a cashier to release funds, though it would be a failure of policy. We also discussed direct debits. These are vulnerable, because the bank might not be involved in checking the authenticity of the instruction at all. In both cases though, these are existing weaknesses in the system. It’s possible that heightened risk of fraud could result in better procedures, so some good may come out of it.

Another thought: surely a smart thief would have copied the data and returned the CDs to the envelope. That way, nobody would know. Put another way, how much data theft occurred without it ever coming to light? It just happens that this one is very large and very public.


Is CodeRage the future of tech conferences?

CodeRage 2007 starts next week. It’s a technical conference covering CodeGear’s products, including Delphi, JBuilder, C++ Builder and 3rdRail, the new Ruby on Rails IDE.

The conference is both free and virtual.

A virtual conference is no substitute for human contact. I’ve learnt this paradox over many years: even if the same content is freely available on the Web, there is substantial benefit in physical attendance. You are more focused, you learn more, you can easily ask questions, and you pick up all those indefinable signals from others who are attending.

Equally, the global fuel crisis and concern about the environmental cost of travel surely means that virtual conferencing is an idea whose time has come. Another benefit is that it includes an array of people for whom a typical tech conference is just not feasible, for financial or other reasons.

I’d like to see more of these.


How to write secure (and less buggy) code

Thought-provoking paper [PDF] from Daniel J Bernstein, the author of qmail, covering software security and addressing topics such as premature optimization and bug reduction along the way.

In March 1997, I took the unusual step of publicly offering $500 to the first person to publish a verifiable security hole in the latest version of qmail: for example, a way for a user to exploit qmail to take over another account. My offer still stands. Nobody has found any security holes in qmail. I hereby increase the offer to $1000.

He attributes his success to minimizing the amount of trusted code, in contrast to running code with least privilege which he says is ineffective.

(from Schneier on Security).

How Akamai Download Manager hides your downloads (VS 2008 downloaders take note)

Yesterday I downloaded the hot new release in the Microsoft development community: Visual Studio 2008.

At least I thought I did. I used the MSDN “Top Downloads” feature, which promises:

… a more direct way to initiate a download of a limited set of selected products

The service uses a plug-in called the Akamai Download Manager. This guy is annoying, especially if you use Windows Vista. First, it doesn’t seem to work at all. Then you realize that you have to disable the IE pop-up blocker. Next, you try to select a download location but it will not let you. It respects some setting in IE that restricts downloads to “safe” locations. You had better have lots of space in your user directory, otherwise this is not going to work.

Fortunately, I do have lots of space, so even the 6GB or so I was downloading should have been OK. I gave in and let it choose the location it wanted. The next thing you see is curious – see here for a screenshot. A message appears telling you the file has been saved (note past tense, though the download is just starting) to the Temporary Internet Files folder, and invites you to open it. I knew the file could not be downloaded yet, but opened it anyway. You get an Explorer window onto a weird location that claims to be in the Windows folder (it isn’t) and shows a single folder labeled C. If you are like me, you shrug, and close it. Don’t do that.

Why not? Well, after several hours or perhaps overnight, the download completes and you look for your files. Where are they?

I looked in Documents, the supposed location. Not there.

I looked in IE’s Temporary Internet Files folder. Not there.

I looked in my Virtual Store, a feature of Vista that supports legacy software which tries to write to locations like the Windows folder. Not there.

I performed a search of my entire User folder, set to show hidden files and folders. Not there.

Before giving up, I opened an administrative command prompt, navigated to the root folder, and typed:

dir *.iso /s

Ah! There they are, in (wait for it):

C:\Users\Username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Username\Documents

where “Username” is the current user.

Why didn’t the Explorer search find it? The problem is, you have to have the option:

Hide protected operating system files (Recommended)

set to unchecked in folder options, passing the dire warning that tells you not to do it.

Why do I normally have this checked? The dire warning doesn’t bother me, but I do mind that having this unchecked shows files like desktop.ini on the Vista desktop. Ugly. So I normally have this checked.

Hey, wouldn’t it be good if Microsoft had a single checkbox in its “Advanced” search: to just search everywhere?

What is this nonsense?

So I found the downloads. But honestly, what is this nonsense? The truth is, Akamai Download Manager is not really Vista-compatible; why is Microsoft using it on its premier developer site, for its premier developer product? Ironically, this is the community most likely to be running Microsoft’s latest and [possibly] greatest.

Further, what is the message here? That Vista adoption is so modest that Akamai can’t be bothered to fix its utility? Or that Microsoft’s own in-house developers can’t build a decent download manager? Or offer to fix the Akamai one?

Excuse my temper. It is no fun to complete a long download and then lose the files.

Update: I also sent a comment and query to the email address given for feedback. It was msdnreply(at)eu.subservices.com. Guess what? Bounced with “User unknown”.