Protection…in a flash

My professional interest in IT security overlaps rather neatly with my geeky personal interest in gadgetry, so when I recently gave a keynote speech to a select group of high-level security directors, my theme was the way hackers are using gadgets to further their social-engineering traps. They infect a cheap USB flash drive with a remote access trojan or similar malware, then drop it outside a target office, in the reception area or even at a bar or café known to be frequented by target staff. The trick is called, for obvious reasons, USB seeding. Hackers can afford to seed multiple drives because they’ve become dirt-cheap, and they can be reasonably confident that one will be picked up and plugged in thanks to human greed and curiosity. One security consultancy assessed a client company by dropping 20 infected thumb drives – 15 of them were picked up by staff and plugged into the network and the trojan activated.

Protection…in a flash

Properly patched PCs and a policy to prevent unauthorised device connection could combat this threat, but such savvy firms are still few and far between. That’s why I’m always pleased to hear about a USB flash drive that turns the tables by making security better rather than worse. The only thing I wear around my neck is a Netac OnlyDisk U220, a minuscule slice of black-and-silver loveliness measuring just 53 x 13.5 x 5.5mm and weighing only 13g (it’s no thicker than the USB connector itself).

As well as providing 1GB of storage, the Netac keeps my data safe from prying eyes thanks to hardwired 128-bit AES encryption – not just some third-party software solution stuffed onto the drive as an afterthought. If I forget my password my data is gone, at least if I forget it enough times: the default password attempt lockout is set at 255, but I reduce this to a more practical 12 attempts. If the lockout ever did get activated, the entire drive would become unusable, and I’d have to send it back to the Netac R&D team in China to have it reset and reformatted – my data would be lost forever, as it can’t be restored during this process. As far as I’m concerned, this is the only way if you really don’t want anyone else accessing your data, although for corporate use it might pose the risk of a rogue employee changing the password.
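The lockout behaviour described above (a failed-attempt counter that, once exhausted, renders the drive unusable rather than merely locked) is easy to model. The following is an added example, not Netac's firmware or any vendor's code: it wraps a random data key under a password-derived key, counts wrong passwords, and zeroises the wrapped key when the limit is reached. Class and function names, the PBKDF2 parameters and the XOR key-wrap are all assumptions made for illustration; the bulk AES encryption of files that the real device performs is out of scope.

```python
"""Constructed model of an encrypted flash drive whose retry counter destroys
the key material once the limit is reached. Illustrative code only; it is not
the firmware of the Netac OnlyDisk or of any other product."""

import hashlib
import hmac
import os
import secrets

KEY_LEN = 32
PBKDF2_ITERATIONS = 50_000  # assumption: real devices use their own KDF parameters


class LockedOutError(Exception):
    """The retry limit was hit: the wrapped key has been zeroised."""


class EncryptedDrive:
    def __init__(self, password: str, max_attempts: int = 255):
        # 255 mirrors the default quoted in the column; the owner can lower it.
        self.max_attempts = max_attempts
        # In hardware this counter lives in non-volatile storage, so unplugging
        # the stick does not reset it.
        self.failed_attempts = 0
        self.wiped = False
        self.salt = os.urandom(16)
        # A random data-encryption key; only a password-wrapped copy is kept.
        data_key = secrets.token_bytes(KEY_LEN)
        self.key_check = self._check_value(data_key)
        self.wrapped_key = self._xor(data_key, self._kek(password))

    def _kek(self, password: str) -> bytes:
        """Derive a key-encryption key from the password (assumed KDF)."""
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self.salt, PBKDF2_ITERATIONS, KEY_LEN
        )

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    @staticmethod
    def _check_value(data_key: bytes) -> bytes:
        """Value used to verify that an unwrap produced the genuine key."""
        return hmac.new(data_key, b"key-check", hashlib.sha256).digest()

    def attempts_remaining(self) -> int:
        return 0 if self.wiped else self.max_attempts - self.failed_attempts

    def unlock(self, password: str):
        """Return the data key on success or None on a wrong password.
        Raises LockedOutError when the limit is reached, and on every call after."""
        if self.wiped:
            raise LockedOutError("key material destroyed; the drive must be factory reset")
        candidate = self._xor(self.wrapped_key, self._kek(password))  # XOR undoes the wrap
        if hmac.compare_digest(self._check_value(candidate), self.key_check):
            self.failed_attempts = 0  # a correct password resets the counter
            return candidate
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            self._wipe()
            raise LockedOutError("retry limit reached; key material destroyed")
        return None

    def _wipe(self) -> None:
        """Zeroise the wrapped key: the data stays encrypted forever."""
        self.wrapped_key = bytes(KEY_LEN)
        self.key_check = bytes(32)
        self.wiped = True

    def change_password(self, current: str, new: str) -> bool:
        """Re-wrap the same data key under a new password; needs the current one."""
        data_key = self.unlock(current)
        if data_key is None:
            return False
        self.salt = os.urandom(16)
        self.wrapped_key = self._xor(data_key, self._kek(new))
        return True


def simulate_wrong_guesses(drive: EncryptedDrive, guesses: int) -> dict:
    """Feed up to `guesses` wrong passwords and report when the drive locked out."""
    used = 0
    try:
        for _ in range(guesses):
            drive.unlock("not-the-password-" + os.urandom(4).hex())
            used += 1
    except LockedOutError:
        used += 1
    return {"attempts_used": used, "wiped": drive.wiped}


if __name__ == "__main__":
    drive = EncryptedDrive("correct horse battery", max_attempts=12)
    print(simulate_wrong_guesses(drive, 100))
```

Two design points matter here. First, the counter only protects the data if it is enforced by the same hardware that holds the wrapped key: a counter kept in software on the host, or a wrapped key that can be read out of the flash chip, would let wrong guesses be tried offline without ever touching the counter, which is why the column's point about hardware-based encryption is not cosmetic. Second, `change_password` re-wraps the same data key rather than generating a new one, so changing the password needs only the current password, which is exactly the corporate risk the column raises: anyone who legitimately knows the password can lock everyone else out.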

That’s why the Stealth MXP USB flash drive I saw at the recent Infosecurity Europe show grabbed my attention. It is, I’m told, the first RSA SecurID Ready portable three-factor authentication device. Yes, that’s “three-factor” as in biometric access control, fingerprint and authenticated ownership of the physical device itself. With up to 4GB of 256-bit AES encrypted storage it’s pretty impregnable, although unlike my Netac it’s huge as a consequence of the amount of hardware packed into it. There’s an onboard CPU to do the hardware encryption, which means it has a zero memory and processor footprint when plugged into a remote host PC. Access software provides full control over security policy, deployment and field usage for admins, while the end user gets straightforward “plug in and it’s secure” encryption – remove it from the USB connector or reboot the host PC and the stick automatically locks itself down. Each device is bound to its individual user by hardware-based biometric and password authentication, in addition to the RSA SecurID Ready software authenticator, so the business can rest easy if it’s lost or stolen.

I’m also intrigued by the imminent release of another flash drive, the Yoggie Pico, which is designed to be a self-contained and portable internet protection device. With 13 security applications pre-installed, it claims to provide full 360-degree security for the consumer market in a rather revolutionary hands-off manner. The Yoggie itself manages the 13 security applications, including handling updates, and is activated simply by plugging into a spare USB port. I’ll be sure to report back once I’ve put this anti-virus, anti-spam, anti-hacker, URL-filtering wonder-stick through its paces.

Content creators needed

Although I’m no lover of Web 2.0 hype – which looks to be heading the same way as the last dotcom boom – I’ve no reservations about the technology itself. Social networking and information sharing is the natural direction in which the internet has to evolve if we’re to take its potential to the next level. That’s why I was slightly depressed by reading the latest study from Hitwise (a company that specialises in measuring web audiences), which suggests that there’s a fly in the Web 2.0 ointment, and it looks an awful lot like you and me.

Let me pose a simple question: when was the last time you uploaded some unique content to YouTube, Flickr or Wikipedia? Your deathly silence is reflected in the results of that Hitwise survey, which discovered that only a tiny percentage of people participate actively, as opposed to lurking and leeching. Take the Google-owned YouTube, which you might be forgiven for thinking has thriving user participation given the media hype and undoubted success of the service – Hitwise suggests that only 0.16% of the people who visit the site upload any video clips themselves, to provide the content that forms YouTube’s lifeblood. For Flickr, owned by Google’s archrival Yahoo, things are pretty similar, with just 0.2% of visitors uploading new photographs. Wikipedia fares somewhat better with 4.6% of visitors contributing to site content, but it still all makes disturbing reading in the context of a Web 2.0 “revolution” supposedly fuelled by the social urge to share information.

At this point, you may well exclaim “so what?” and draw my attention to television, whose content-creator-to-consumer ratio is far, far smaller, but which still works. Surely true, but it misses the point that television wasn’t built on the premise of user participation. It’s for this reason that I dismiss “there have always been lurkers online” arguments too, although they’re slightly more relevant. Forums and discussion boards continue to thrive despite their poor signal-to-noise ratio, with a large core of users who’ll read but not write, absorb but not post. Once again, though, I have to return to the point; namely, that Web 2.0 sites sell themselves on the social-networking promise, the desire to create and share, and it’s this promise that draws big money and is creating another dotcom boom just waiting to bust.

Nobody would suggest that Web 2.0 sites are in decline, nor showing signs of declining soon – Hitwise suggests that during the last 24 months their audience has grown by somewhere in the region of 668%. I’m just not convinced that this growth has much to do with Web 2.0-style participation, but rather more to do with media hype and the availability of fresh content delivered in an accessible manner. This is why a lack of content creators should be of great concern. Without growth, not only in the number of content creators but also in their demographic distribution, I can’t see Web 2.0 becoming a force for continuing change. My fear is encapsulated in the fact that a majority of Web 2.0 content consumers appear to be from the much sought-after 18- to 34-year-old age range, but the majority of content creators are actually 35 to 55. Such a dichotomy can’t persist without people eventually spotting the cultural gap that’s emerging, and soon after that the whole house of virtual cards could come tumbling down.

Sex and the internet

It hardly seems possible that it’s been 11 years since the publication of my book Sex and the Internet, a rather risqué venture that was sadly a little ahead of its time. Despite the fact it covered everyone’s favourite subject, its sales were disappointing. I’m hoping my latest book, Being Virtual: Who you really are online, an exploration of virtual identity for the Science Museum, will fare a bit better when it’s published next year.

Book plugs aside, the final chapter of my sex book was called “What does the future hold?” It’s always dangerous to crystal-ball gaze in print, but considering it was over a decade ago I don’t think I did too badly, predicting that avatars and “networked 3D environments” would change the way we form online relationships. Just look how people meet and mate within Second Life for proof positive on this one. I was equally certain, and equally correct, that webcam sex would take off in a big way, although at that time it was just basic CU-SeeMe video-conferencing technology. Where I was totally wrong was in believing that the “media hysteria we’re currently experiencing about sex and the internet” would soon disappear thanks to “news-hounds finding something new to vent their spleens on”. Nothing could have been further from the truth, as the same hype and hysteria still prevail.

So it isn’t surprising that China has now officially declared war on internet sex and vowed to purge the web of all sexually explicit images, stories and video clips within six months, although it does make the hair on the back of my neck bristle slightly. The vice minister of the Ministry of Public Security, Zhang Xinfeng, has gone on record saying that “the boom of pornographic content on the internet has contaminated cyberspace and perverted China’s young minds. The inflow of pornographic materials from abroad and lack of domestic control are to blame for the existing problems in China’s cyberspace.” Leaving aside some real moral and legal arguments regarding the whole issue of pornography, to blame all of China’s online problems on sexually explicit content is a step too far, especially when those “problems” consist of people posting to anti-government blogs and joining a debate about democracy: Xinfeng has also stated that “content that spreads rumours and is of a slanderous nature” will also be removed as part of the same content-purging crusade.

China is hardly a safe haven for porn purveyors even now, as Chen Hui discovered when he was given a life sentence for running the largest such site last year. But the point is that porn is already illegal in China, online or off, and the punishments are harsh for those caught breaking the law. What’s more, the infamous “Great Firewall of China” already blocks most adult content from external sources, which suggests that the problem is one of homegrown content that’s able to bypass that filtering.

I bring all this up, in case you’re wondering, because an opportunity to make the filtering of adult material so much easier was dismissed once and for all by ICANN (Internet Corporation for Assigned Names and Numbers) when it overturned proposals for the creation of an .xxx top-level domain. This was the third time the proposal had been voted down, and so it’s now effectively dead, which is a shame because there had been tens of thousands of pre-registration requests for such domains and many organisations, both pro- and anti-adult content, supported the notion of a separate and easily identifiable domain. And that, it would appear, was the problem in the end, because ICANN felt that marking off adult content in this way would provide a tool for those who would censor the internet.

Well, er, yes, but isn’t that the point? Shouldn’t it be getting easier to censor content at a personal or corporate level rather than harder? It would be foolish to expect everyone who posts porn to do so only via a .xxx registered domain, but even if 50% of adult sites followed this route that would be one heck of a start. The adult entertainment industry itself, or at least some parts of it, lobbied against the .xxx domain idea, and none harder than the porn trade organisation known as the Free Speech Coalition, which used the censorship stick to poke a big hole in the debate. The fear that governments around the world – China being a good example – would be given an easy way to prevent access to such profitable content proved too much to bear. Let’s not forget that the adult entertainment industry hasn’t only helped to drive technological development forward, but remains to this day one of the very few constantly profitable online market sectors. It’s a shame that an option to help safely segregate adult material from those who don’t want to see it, or are too young to legally do so, should be dismissed so readily.

Not that an .xxx domain would have solved all sex-related internet troubles. It would have had no effect on the strange tale of Sandra, her stiletto shoes and Skype, for example, which was brought to my attention by Sophos, which warned me that a message containing a link to said young lady wearing nothing but her high heels was circulating via Skype IM. Being a security specialist and having a little common sense, I grasped at once that this wasn’t just a case of a bored extrovert showing off her new shoes (along with much else) to total strangers. Click on this link and in addition to Sandra’s shoes, which were very fetching as I discovered in the cause of scientific research, you were also presented with a downloader trojan and a worm for good measure.

“Once it’s up and running, the Pykse worm attempts to connect to a number of remote websites, presumably in an attempt to generate advertising revenue for them by increasing their number of hits,” Graham Cluley, senior technology consultant with Sophos, told me. “It’s another example of the methods that malware authors can use to make money,” he said. Quite. It’s also another example of how easily the average end user can be tricked into infection – one mention of a naked lady in pointy shoes and common sense flies out of the window. The fact that Skype was the initial distribution vehicle just makes matters worse by highlighting the danger of uncontrolled VoIP usage, which is now rife in businesses across the country. A Sophos poll of sysadmins last year revealed that 86.1% wanted the power to control use of VoIP in their workplace, and 62.8% said blocking it was an essential move. Add IM into this mix, as Skype does, and there’s also the potential for data leakage as well as malware exploitation to consider. So before the next naked lady comes along baring gifts, perhaps you ought to make sure there’s a policy in place to determine not only which IM clients are acceptable within your workplace, but also whether they should be allowed to communicate with the outside world.

Email Britain

At first glance, the Email Britain project from the British Library looks like a good idea: to create an archive of email correspondence in the UK. After all, this is the same British Library that receives copies of pretty much every book published in the UK, as well as all the foreign books distributed here for good measure. And the measure is a big one, some 13 million books and another million periodicals, journals and so on. There’s a kind of virtual library out there already for web pages, known as the Internet Archive (www.archive.org) and searchable through the Wayback Machine interface. Founded in 1996 as a modern-day equivalent to the ancient Library of Alexandria (which supposedly contained a copy of every book in the world), it currently provides access to an archive of 85 billion web pages dating back to 1996, as well as 195,000 electronic texts, 65,000 movies, 137,000 audio items and 33,000 pieces of software. But no email, which is where the British Library comes in with its desire to create what it claims will be the first municipal email archive in the world. But asking people to submit examples of email from their mailboxes covering a variety of categories such as complaints, love and romance, humour and even spam, is a far cry from a Shakespeare first folio or the Magna Carta in terms of important documents. Indeed, the whole “electronic time capsule” approach to the project smacks more of a marketing exercise than the genuine “vast snapshot of present-day email communications” that will “be of great value for future researchers” that a Library spokesperson has claimed. No surprise then that the project is a tie-in with the launch of Windows Live Hotmail in the UK, will only actually be running during the month of May (so will be over by the time you read this) and is ridiculously being referred to as a 21st century Domesday book.

I’m not sure that either Microsoft or the British Library has thought this through, particularly from the privacy and legal perspectives. Sure, the submission guidelines state “get permission from third parties included in the email and copy them on the email which you submit” and “remove commercially sensitive and personal information from your email, including all surnames” – can you imagine this will happen? Hopefully, there’ll be a search facility where we can all go and look for mentions of ourselves, our companies and our business interests.
