Friday, April 11, 2014

What do you need to know about the Heartbleed security vulnerability?

Simon Budgen at OpenLearn asked yesterday if I could offer some ordinary-mortal-interpretable thoughts on the Heartbleed OpenSSL security earthquake.

I offered Simon the rambling stream of consciousness below, which he kindly edited into a more ordered Q&A here.
There is a lot of panic, misreporting and bad advice going round about Heartbleed, as you say. There are, though, a few key things worth making sure get included in any article.

Include the Heartbleed link http://heartbleed.com/ which outlines the problem. (For the technically inclined: the bug, CVE-2014-0160, is a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension. It affects OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g.)

" The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

That's about as bad as it gets security wise. Security expert Bruce Schneier has described it as “catastrophic” and I wouldn’t disagree with that.
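To make the "read the memory" part concrete, here is a cut-down C model of the bug class, written for this post. It is not code from the original article and not the OpenSSL source; it only mirrors the shape of the bug and of the fix. The message layout follows RFC 6520 (a one-byte type, a two-byte peer-supplied payload length, the payload, then at least 16 bytes of padding). The function names `handle_heartbeat` and `demo_leaks`, the `ARENA` stand-in for server memory and the "PRIVATE KEY" placeholder inside it are all assumptions made up for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of random padding */

/* Builds a heartbeat response into `out`. `rec` points at the received
 * heartbeat message and `rec_len` is the number of bytes that actually
 * arrived on the wire. With bounds_check == 0 the function trusts the
 * peer-supplied payload_length field (the Heartbleed behaviour); with
 * bounds_check == 1 it applies the kind of check the 1.0.1g fix added.
 * Returns the response length, or -1 when the message is discarded. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap, int bounds_check)
{
    const uint8_t *p = rec;
    uint8_t hbtype;
    size_t payload_len;

    if (bounds_check && rec_len < 1 + 2 + HB_PADDING)
        return -1;                  /* too short even for an empty payload */

    hbtype = *p++;
    payload_len = ((size_t)p[0] << 8) | p[1];   /* peer-controlled length */
    p += 2;

    /* The fix: claimed payload plus mandatory padding must fit inside the
     * bytes that were really received. RFC 6520 says discard silently. */
    if (bounds_check && 1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;

    if (hbtype != HB_REQUEST)
        return -1;

    if (1 + 2 + payload_len + HB_PADDING > out_cap)
        return -1;                  /* keeps this demo itself memory-safe */

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    /* Without the check above this copies payload_len bytes starting at the
     * payload, i.e. past the end of the received message and into whatever
     * happens to sit next in process memory. */
    memcpy(out + 3, p, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(1 + 2 + payload_len + HB_PADDING);
}

/* Constructed stand-in for the server's heap: a 5-byte heartbeat request
 * (type REQUEST, claimed length 64, real payload "hi") followed by data the
 * peer should never see. The "key" is a placeholder string, not a real key. */
static const uint8_t ARENA[128] =
    "\x01" "\x00\x40" "hi"
    "-----BEGIN PRIVATE KEY-----(placeholder)-----END PRIVATE KEY-----";
#define REC_LEN 5

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Runs the request in ARENA through the handler. Returns 1 if the response
 * carried bytes from beyond the 2-byte real payload; *resp_len gets the
 * handler's return value (-1 when the request was discarded). */
int demo_leaks(int bounds_check, uint8_t *resp, size_t resp_cap, int *resp_len)
{
    *resp_len = handle_heartbeat(ARENA, REC_LEN, resp, resp_cap, bounds_check);
    if (*resp_len < 0) return 0;
    return contains(resp + 3, (size_t)*resp_len - 3, "PRIVATE KEY");
}

int main(void)
{
    uint8_t resp[256];
    int n, leaked;
    leaked = demo_leaks(0, resp, sizeof resp, &n);
    printf("vulnerable handler: leaked secret=%s, %d bytes returned\n",
           leaked ? "yes" : "no", n);
    leaked = demo_leaks(1, resp, sizeof resp, &n);
    printf("fixed handler:      leaked secret=%s, %d bytes returned\n",
           leaked ? "yes" : "no", n);
    return 0;
}
```

The demo keeps the over-read inside its own 128-byte arena so it is well defined to run; on a real server the same copy walks into whichever heap neighbours the TLS record buffer happens to have, which is why keys, session cookies and passwords all turned up in responses. Note that the fix is a length comparison against what was received, not a change to the copy itself, and that nothing about the exchange is logged, so a patched server cannot tell you after the fact whether it was ever probed.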

From what we're able to tell, the OpenSSL bug has left half a million plus sites vulnerable.

Ordinary internet users should change their passwords on affected sites, but generally only after the companies running those websites have done a security audit to check whether they are affected; patched their systems if they are; generated a new public/private key pair, obtained a new SSL certificate and revoked the old one (a patched server that keeps a key which may already have been copied can still be impersonated); tested the patched systems; determined the system to be secure; and informed users that they have done all this (preferably also proactively resetting passwords that might have been affected). Now that news of the bug is out, credible commercial entities are keen to do this in double quick time and many have already done so.

It is not the best advice to change your password before a website has been patched, as that exposes your new credentials to exactly the same risk as the old ones. Some mainstream news media are telling people to change all their passwords immediately. That is not great advice if it leads you to assume your new credentials are safe when in fact they won't be, if the site has not been patched yet. People should check with, or have confirmation from, the company or an independent trustworthy source that the systems have been fixed first. (Though if someone already holding compromised credentials chooses to use them for nefarious ends in the window between now and the site being patched, there may be a slight case for changing passwords temporarily and then changing them again once the fix is done. None of this is really straightforward, unfortunately.)

All the usual advice about choosing strong passwords applies: change them regularly, don't use the same one on different sites, don't use dictionary words or names, make them long, and include upper and lower case letters, numbers and symbols.

If a service offers several layers of authentication, use them for stronger security, e.g. PINs, passwords, hardware tokens, etc.

It may be the time, now that people are beginning to realise how many passwords they actually use, to consider investing in a password manager like LastPass, SplashID or Password Genie: software which does the heavy lifting of choosing long, difficult passwords and managing and "remembering" them for you.

Also note that, since the bug has been around for a couple of years and exploiting it leaves no trace of anything abnormal in a server's logs, it is almost certain that organised crime gangs will have gathered the encryption keys of many affected sites, as will intelligence and security services like the NSA and GCHQ. Just to be clear on this: the usernames and passwords used on these sites will likely already be in the hands of organised criminal gangs and intelligence services.

The other big issue for ordinary users is to find out exactly which sites were vulnerable and where and when they need to change passwords. Various news sites are providing lists of affected sites and those that have been patched, but you need to choose your sources of information carefully; mainstream news sites are not always the best guide. We do know the big guys like Google, Facebook and Yahoo! were vulnerable and appear to be patched. Apple and eBay we're not sure, Tumblr yes, big banks apparently not (but don't quote me on that), LinkedIn apparently not, Amazon no, though Amazon cloud services yes. It's basically taking quite some sorting out.

There are sites that enable you to test whether a service you use is vulnerable to Heartbleed, e.g. http://filippo.io/Heartbleed/ or https://www.ssllabs.com/ssltest/. Just enter the URL you are concerned about and click the Go!/Submit button. These are not 100% reliable and will generate false positives (alerts on sites that are patched) and occasionally false negatives (giving the all clear to insecure sites). Bear in mind too that such a test only tells you whether the site is vulnerable right now, not whether it was exploited before it was patched, nor whether it has since replaced the certificate and keys that may have been taken. And do be a little careful with these, as there will be fake test sites which attempt to mislead people about the security of sites which remain vulnerable.

If people have not heard from the sites they use, they should actively contact them to ask whether they have done the requisite Heartbleed-related security audit, whether they were vulnerable and whether they have patched any vulnerabilities; and not stop asking until a definitive answer is forthcoming. Then, if necessary, change their passwords once the fix is implemented.

Hope that gives you something to start with.
Comments welcome here or over at OpenLearn.

Thursday, April 10, 2014

European Court of Justice annuls 2006 data retention directive

On Tuesday, 8 April 2014, the Court of Justice of the European Union (also known as the European Court of Justice), in a scathing indictment of widespread mass surveillance practices, declared the 2006 EU data retention directive invalid. The Court said the directive was a serious and unjustified interference with the fundamental rights to privacy and to the protection of personal data enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights.

The directive constituted such a serious interference with the fundamental right to privacy that it had to be annulled - it was an affront to liberty that should never have existed.

TJ McIntyre of Digital Rights Ireland (DRI), the heroic litigants in chief, has made a copy of the full decision available at scribd and it will appear on the Court website in due course. Credit also to the 11,130 Austrian citizens whose case was joined to that of DRI since they had challenged the directive on similar grounds.

For the uninitiated, the data retention directive was the instrument through which the EU required communications service providers, both fixed line and mobile, to store details of everything everyone does on the telephone or internet for a period of between six months and two years. The details of what should be collected are laid out in Article 5 of the directive, and the only thing not permitted was retention of the content of calls or messages.

It's actually worth spending 5 or 10 minutes looking at that list of things in Article 5 that have been gathered by communications service providers throughout the EU. At first pass it seems a bit legalistic, but if you cut through that and think about it: names, addresses, who spoke to whom, where, when, for how long, on what device, how often, which IP address was in use, etc. This all paints a very detailed picture, and most people don't know it is going on. The who, where, why, how, what and when of individual lives is all there in this metadata.

With what may be interpreted as half an eye on the Edward Snowden revelations, the Grand Chamber of the Court effectively condemned pre-emptive, suspicionless, warrantless mass surveillance and the consequent "interference with the fundamental rights of practically the entire European population". The case is the first major court decision on mass surveillance since the Snowden stories started to break in June 2013, though high courts in Romania (2009), Germany (2010), Bulgaria (2010), the Czech Republic (2011) and Cyprus (2011) had all previously declared their national implementations of the data retention directive unconstitutional and/or a disproportionate, unjustified interference with the fundamental rights to privacy, free speech and confidentiality of communications. As recently as 2011, following those national courts' striking down of regulations implementing data retention, the European Commission was hounding Germany and Romania to re-implement the directive. The Commission subsequently sued Romania, which went on to pass a widely criticised version of data retention law in 2012, nicknamed "Big Brother". The Commission had also previously sued Greece, the Netherlands, Austria and Sweden for failing to implement the directive by the due date of 15 September 2007.

The previous UK Labour government was one of the key driving forces behind the original adoption of the data retention directive. The current UK government is one of the biggest cheerleaders for, and operators of, mass surveillance standards and practices. Though the UK government was not directly involved in the case (and is scrambling madly to find a way to circumvent the decision, as, sadly, is the Commission), both the current and the previous administrations' behaviour in the data retention context has now been found so heinous in law that it should never have happened, and the laws facilitating that behaviour should never have existed.

Some commentators have also suggested the Court was firing a message not just to the UK but across the pond (2 min 40sec audio) to the effect that US mass surveillance standards are totally unacceptable in an EU context.

I have now managed to read the decision in full (in fits and starts) and will endeavour to post an analysis here at the earliest opportunity. (Aka when grown up admin duties allow and I can construct a sufficiently robust buffer between me and the zombiecrats to take a sustained run at it).

Appelbaum on mass surveillance

Take 5 minutes 33 seconds to listen to Jacob Appelbaum on mass surveillance and the WePromiseEU 10-point charter for digital rights.


Tuesday, April 08, 2014

Daniel Solove: Nothing to Hide, Nothing to Fear?

Nice interview with Daniel Solove (24 minutes) on the "nothing to hide" meme.



Kafka better captures the modern privacy issues we face: decisions about our lives are being made on the basis of secret uses of our personal data. Look at airline screening, for example.

Categories of data which were required to be retained under the data retention directive

The data retention directive, Directive 2006/24/EC, has today been declared invalid by the European Court of Justice, thanks to the efforts of a small number of digital rights activists in Ireland and a slightly larger group from Austria. The Court found it to be a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights.

I'm hoping to blog about the decision soon, but it is worth pointing out the categories of data that this directive required service providers to retain and to make accessible to crime-fighting authorities. They are specified exhaustively in Article 5 of the directive:
Article 5
Categories of data to be retained
1. Member States shall ensure that the following categories of data are retained under this Directive:
(a) data necessary to trace and identify the source of a communication:
  (1) concerning fixed network telephony and mobile telephony:
    (i) the calling telephone number;
    (ii) the name and address of the subscriber or registered user;
  (2) concerning Internet access, Internet e-mail and Internet telephony:
    (i) the user ID(s) allocated;
    (ii) the user ID and telephone number allocated to any communication entering the public telephone network;
    (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
(b) data necessary to identify the destination of a communication:
  (1) concerning fixed network telephony and mobile telephony:
    (i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;
    (ii) the name(s) and address(es) of the subscriber(s) or registered user(s);
  (2) concerning Internet e-mail and Internet telephony:
    (i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;
    (ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;
(c) data necessary to identify the date, time and duration of a communication:
  (1) concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication;
  (2) concerning Internet access, Internet e-mail and Internet telephony:
    (i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
    (ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;
(d) data necessary to identify the type of communication:
  (1) concerning fixed network telephony and mobile telephony: the telephone service used;
  (2) concerning Internet e-mail and Internet telephony: the Internet service used;
(e) data necessary to identify users' communication equipment or what purports to be their equipment:
  (1) concerning fixed network telephony, the calling and called telephone numbers;
  (2) concerning mobile telephony:
    (i) the calling and called telephone numbers;
    (ii) the International Mobile Subscriber Identity (IMSI) of the calling party;
    (iii) the International Mobile Equipment Identity (IMEI) of the calling party;
    (iv) the IMSI of the called party;
    (v) the IMEI of the called party;
    (vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;
  (3) concerning Internet access, Internet e-mail and Internet telephony:
    (i) the calling telephone number for dial-up access;
    (ii) the digital subscriber line (DSL) or other end point of the originator of the communication;
(f) data necessary to identify the location of mobile communication equipment:
  (1) the location label (Cell ID) at the start of the communication;
  (2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.
2. No data revealing the content of the communication may be retained pursuant to this Directive.
Blanket retention of this data is now, in theory at least, unlawful in the EU, but it remains astonishing that it was ever lawful in the first place. Seriously. Take a look at that list of metadata and think about what it can tell you about an individual.