Saturday, 31 December 2011

The Internet In 60 Seconds

Being the last day of 2011, like everyone else, I've been reading about the events that shaped the year.  Then it struck me that technology moves so quickly that what shaped the year in January was probably quite outdated by December.  Then I came across a visual way of describing what happens in 60 seconds on both the Internet and in the business of selling technology (produced by  They were so good I just had to share them:

Of all the sciences, Computer Science is moving the fastest.  And, of course, 2012 will see it accelerate!

Sunday, 18 December 2011

Is Anonymous Cyber Cash Good Or Bad?

Online currencies are not new.  Since the dotcom boom there have been those who have sought to provide a service that enables non-traditional means of payment online.  However, most of the mechanisms that survived have a formal linkage to some real-world form of payment.  For example, PayPal is linked to credit cards or bank accounts.  It provides a level of abstraction when entering details of payment online, thereby isolating the risks of your bank details being captured to the one place.

But, there has been a rise in another form of online payment which seeks to provide complete anonymity.  Whereas, if they wished, law enforcement agencies could trace back some transaction via, say, PayPal to a real person via their bank, the new forms of exchanging funds aim to isolate the user completely from any investigation.  There are a few of these new services:

  1. eCache: an anonymous bank operating over the Tor network.
  2. Bitcoin: a decentralised, peer-to-peer digital currency.
  3. Pecunix: an anonymous digital gold currency.
Anyone who knows anything about the Tor network will be aware of how it is used to maintain anonymity in what a user does online.  However, the service that has been worrying people involved in cyber security for some time is Bitcoin.  Why?  Well, it appears to have become the currency of choice for cyber criminals.  There are sites, including some on Twitter, that advertise stolen (or at least valid) credit card details in exchange for a transfer via Bitcoin.

In a previous Blog I talked about how cyber criminals were selling information in a growing "market", that enabled other cyber criminals to mount very powerful attacks.  Whilst the obvious information, such as credit card and identity details, are "for sale", the really high stakes involve the selling of zero day exploits.  If one hacker finds a previously unknown vulnerability s/he can sell it online; sometimes for hundreds of thousands of dollars.

There is a proper exchange rate between real-world currencies and Bitcoin. Hence, we can tell by looking at some of the transactions online just how much these zero day exploits are worth to the cyber criminals.  And, it's not necessarily just "criminals" that are operating in this new market.  The Stuxnet attack of 2010 used 20 zero day exploits.  If that attack was mounted by a nation state then you can't help but conclude that they must have bought the knowledge of at least some of the zero day exploits used.

The systems of anonymous banking rely upon public key encryption, but the key to their power is "blind signatures". It is worth noting that this is a peer-to-peer process, and that it relies upon a web of trust developing.  One of the simplest forms of blind signature is the RSA blind signature. But as you might expect this has already been attacked, and so further, more robust algorithms have been (and continue to be) developed.  But why?  Why develop algorithms that can so easily be used to enable anonymity in online transactions?  Well, not all online transactions requiring anonymity are criminal.  For example, e-voting.  In a secret online ballot I do not want the person running the systems to necessarily know who I voted for.
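To make the "blind signature" idea concrete, here is the RSA blind signature protocol written out as an added example (it is not code from the original post, and the key is a constructed toy key, far too small for real use). The user blinds a hash of the message with a random factor r, the bank signs the blinded value without seeing the message, and the user strips r off to obtain an ordinary RSA signature that anyone can verify with the public key. The bank cannot later link the signature it sees in circulation to the blinded value it signed, which is exactly the anonymity property the post describes. The signer works on a hash of the message rather than the raw message because RSA is multiplicative: signing raw values lets two valid signatures be combined into a third, which is one of the weaknesses of the plain scheme.

```python
import hashlib
import math
import secrets

# Toy RSA key, constructed for this example. Real keys use moduli of 2048 bits or more.
P = 104729
Q = 1299709
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent; three-argument pow with -1 needs Python 3.8+


def hash_to_int(message: bytes) -> int:
    """Map the message to an integer below N. The bank signs this digest, never the raw message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def random_blinding_factor() -> int:
    """User side: pick r with gcd(r, N) == 1 so that it has an inverse modulo N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blind(message: bytes, r: int) -> int:
    """User side: multiply the digest by r^E so the bank sees only a random-looking value."""
    return (hash_to_int(message) * pow(r, E, N)) % N


def sign_blinded(blinded: int) -> int:
    """Bank side: an ordinary RSA signature over whatever value it was handed."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """User side: (h * r^E)^D = h^D * r, so dividing by r leaves the signature on h."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(message: bytes, signature: int) -> bool:
    """Anyone: standard RSA verification using only the public key (E, N)."""
    return pow(signature, E, N) == hash_to_int(message)


def issue_anonymous_token(message: bytes):
    """Run the whole exchange and return what each party observed."""
    r = random_blinding_factor()
    blinded = blind(message, r)          # sent to the bank
    blinded_sig = sign_blinded(blinded)  # returned by the bank
    signature = unblind(blinded_sig, r)  # kept by the user
    return {"bank_saw": blinded, "signature": signature, "valid": verify(message, signature)}


if __name__ == "__main__":
    result = issue_anonymous_token(b"serial-0001 value-10")
    print("bank saw:", result["bank_saw"])
    print("signature valid:", result["valid"])
```

The bank's record contains only `bank_saw`, and because r was random that value carries no information about the digest, so presenting `signature` later cannot be matched to the withdrawal. What the scheme does not do is prevent the same token being spent twice; that is the part the e-cash systems have to solve separately.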

It's also worth noting that the physical banking system also has several methods for unregistered transfer of money, so this is not a unique feature of the online world.  Bearer bonds are perhaps the best known.  And, of course, cash is untraceable for most of the transactions in which it is involved.  Having said that, most jurisdictions have a variety of means to discourage mechanisms like bearer bonds or transportation of large amounts of cash.

Of course, the virtual currency has to be converted at some point into currencies that can be used in real-world transactions.  And there's the rub.  These new online currencies have an exchange rate just like any other and that rate is influenced very strongly by the faith that the markets have in it.  Whilst Bitcoin started strongly, there is evidence that it may be tailing off (see conversion rate below).

So, the big questions for debate are:
  1. Should such virtual, anonymous currencies exist at all?
  2. Will they ultimately be undermined by a lack of confidence?
I suspect that the increasing levels of cybercrime are going to raise these questions, and will probably change the answers you might give, over the coming year.

Wednesday, 14 December 2011

When Does A "Tool" Become A "Weapon"?

As with so many tools, security vulnerability detectors can be misused to exploit rather than defend.  The Metasploit Project is an extremely valuable tool and many of us in cyber security use it to research and probe for potential problems. However, a recent development which was revealed by Security Labs in India demonstrates just how easily the Metasploit Framework can be used to develop malicious payloads that avoid detection by the usual Anti-Virus and Firewall software.

By installing a few extras with BackTrack 5 (another tool-set that penetration testers know well) it is possible to run a script based upon Metasploit that generates a "reverse TCP payload".  In essence, all of your Internet data is carried using a protocol called TCP/IP, where the IP part gives the "addresses" of the sender and receiver, and the TCP part ensures that the entirety of the data is reconstructed correctly once received, as it is chopped up into small "packets" for transmission across the Internet.  This "reverse payload" method means that you receive the unwanted data without realising it.  Hence, it will bypass detection by the types of traps that are usually employed to capture unwanted code.
What could you do with this?  Well, imagine you could use the technique to deliver a "backdoor" to a machine. Actually, you don't need to imagine, as that is exactly what was done.  All of a sudden you have the means to take over a machine remotely without the user knowing, and in such a way that most users would stand very little chance of detecting the attack: certainly not using routine Anti-Virus and Firewall software.
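The reason a "reverse" connection slips past a typical home firewall is that the compromised machine opens the connection outwards to the attacker, so rules that only inspect unsolicited inbound traffic never see it. The defence is to police outbound (egress) traffic as well. The script below is an added example, not part of the original post or of any product; it applies a constructed egress allowlist (which processes may talk to the Internet, and on which ports) to a handful of constructed connection records of the kind a host firewall or endpoint agent logs, and reports the connections such a policy would block or alert on.

```python
import ipaddress

# Address ranges treated as "internal" for this example: the RFC 1918 private
# networks. A real policy would use the organisation's own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed egress allowlist: process name -> destination ports it may use
# when talking to hosts outside the internal networks.
EGRESS_ALLOWLIST = {
    "firefox.exe": {80, 443},
    "outlook.exe": {443, 993},
    "svchost.exe": {80, 443},  # operating system updates and similar
}

# Constructed connection records: (process, destination IP, destination port).
# 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges, used
# here to stand in for arbitrary Internet hosts.
SAMPLE_CONNECTIONS = [
    ("firefox.exe", "198.51.100.20", 443),
    ("svchost.exe", "10.0.0.5", 445),
    ("outlook.exe", "203.0.113.9", 993),
    ("winword.exe", "203.0.113.44", 5555),
    ("firefox.exe", "198.51.100.21", 8080),
    ("powershell.exe", "203.0.113.45", 443),
]


def is_internal(ip: str) -> bool:
    """True if the destination lies inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_violations(connections, allowlist=EGRESS_ALLOWLIST):
    """Return the outbound connections an egress policy would block or alert on,
    each with the reason. Internal destinations are left to a separate policy."""
    flagged = []
    for process, dst_ip, dst_port in connections:
        if is_internal(dst_ip):
            continue
        allowed_ports = allowlist.get(process)
        if allowed_ports is None:
            flagged.append((process, dst_ip, dst_port, "process not permitted to reach the Internet"))
        elif dst_port not in allowed_ports:
            flagged.append((process, dst_ip, dst_port, "port not permitted for this process"))
    return flagged


if __name__ == "__main__":
    for process, ip, port, reason in egress_violations(SAMPLE_CONNECTIONS):
        print(f"ALERT {process} -> {ip}:{port} ({reason})")
```

Note that the last record is a connection on port 443 from a process that is not on the allowlist at all: an outbound rule that only looks at port numbers would have passed it, which is why the policy is keyed on the originating process as well as the port.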

It's such a shame that these tools are used in this way. Or is it? Perhaps that's the very reason they exist.  After all this has shown a vulnerability and a form of attack vector that may not have been thought about by the AV and Firewall vendors.

Monday, 12 December 2011

Hackers Serve Notice Of An Interesting Year To Come

To paraphrase Douglas Adams' mega computer, "Deep Thought", I speak not of the attacks that have happened in 2011 but of those that are to come.  2011 has been dubbed by many in the press as "the year of the hacker".  I think they may be mistaking the calm before the storm.  One has only to read the various Tweets and Blogs by those involved in the hacking to realise that, if anything, they feel emboldened.  I don't mean those involved in cybercrime or cyber warfare, but the hacktivists.

The hacktivists such as TeamPoison, Anonymous and LulzSec have found that hacking can be a very effective means of making a political statement.  In times of increasing economic peril, widening gaps between rich and poor, and behaviours by some that appear to be worse than Gordon Gekko, it's not surprising that those identified as the cause of the problem are subject to attack.

Whilst many involved in cyber security are seeking to secure systems that could lead to financial loss or interruption of critical infrastructure, I can't help but wonder if those in the sights of the hacktivists have taken the necessary precautions.  I suspect their focus may be elsewhere.  But, when it comes they can't say they weren't warned. And I don't mean by folk like me. The hacktivists themselves have quite blatantly set out their intentions - see below - ignore it at your peril (DO NOT WATCH THIS IF YOU ARE EASILY OFFENDED):

Friday, 9 December 2011

Supercomputers Enable Immersive Experiences

As someone who is an unusual mixture of physicist, engineer, statistician and computer scientist, I have long known the value of being able to visualise your data.  As computing power and data storage capacities have increased there has been a tendency to suffer from data overload.  Consequently, being able to dynamically manipulate large data sets and use that data to create visual representations can lead to insights that would simply not result from poring over the raw data.

Florence Nightingale (yes, that Florence Nightingale) was one of the first to use graphical representations to demonstrate publicly the poor conditions being suffered in the Crimea by British soldiers.  And, we've all seen bar charts, spider diagrams and so on.  But such simple tools have long since ceased to enable us to visualise the volumes and types of data that modern science needs to analyse.  Enter the Allosphere.

The Allosphere was created back in 2008.  However, increasing experience of how to use it, and advances in the supercomputers that do the hard work, have meant that the Allosphere is now enabling analysis of physical phenomena that are truly remarkable, and rather beautiful to watch.

So, what is the Allosphere?  The most obvious feature is the huge sphere within which images can be projected.  Not surprisingly it can be in 3D, but most importantly you can immerse yourself within your data, your equations or the images you have taken.

It looks like something out of a science fiction movie, and can accommodate upwards of 30 researchers who can stand together, deep within representations of their data, manipulate it using wireless joysticks, and together consider what the data is telling them:

Of course, none of this would be possible without the computing power that lies, unseen, in its air-conditioned hall.  The processing power that has been assembled is really impressive.  More impressive still is the way in which that has been combined to produce a "supercomputer".  The key is the algorithms and the software to implement them, without which the supercomputer would be a very expensive heating system.  Those at the Allosphere have been developing some, frankly, inspired pieces of software.  And, they don't keep it all to themselves.  They regularly contribute to Open Source projects, which I would encourage you to go visit.  These include:
  • Gamma - Genetics Synthesis Library
  • Cosm - extensions to Max/MSP/Jitter for building immersive environments
  • LuaAV - extension to Lua for tight coupling of computation and display of data and sound
  • CSL - the Create Signal Library for sound generation
  • Device Server - for linking remote devices like wiimotes, joysticks and a lot more
  • Stereo - for rendering stereo imagery
  • GLV- a GUI based toolset for developing interfaces to real-time systems

So, what does all of that add up to?  Well, it has now reached the point where you can walk through the nano-scale world and view data representing the multimodal quantum mechanics at work:

I strongly encourage anyone to listen to Professor JoAnn Kuchera-Morin (Director of the Allosphere) in the TED talk she gave two years ago.  I, for one, hope she does another very soon.

Thursday, 8 December 2011

Capturing The Imagination

Sometimes there are things that you run across, completely outside your field of expertise, that simply capture your imagination.  Recently I became interested in computer generated animation that helps visualise music.  We have all seen the nice graphics that you can display when playing music in, for example, Microsoft's Media Player.  But, I wondered, was there something more synchronised with the music; a bit more connected.
My hopes were raised when I came across the folks at The Music Animation Machine.  Some of their animations were really entertaining and they certainly fulfilled my criterion for synchronisation with the music:

The animation is quite beautiful, even allowing for the fact that Beethoven contributed a little to the whole experience.  There are many videos already produced, and you can even download tools to make your own.  The slight drawback is that the music has to be in MIDI format.

However, what I next stumbled upon was the work of the people at Animusic.  If anyone tells you that computers are boring, or that they prevent the youngsters of today from being creative, then just watch a few of their videos.  Their work is just superb.  My personal favourite is one of their earlier works: Pipe Dream. 

I never cease to be amazed at what you can do with computer technology.........and a bit of imagination.

Wednesday, 7 December 2011

How Do They Do IT: Spam Filters

The current mechanisms for blocking junk email fall into one of the following categories:
  1. User defined
  2. Black lists
  3. White lists
  4. Bayesian filtering
User Defined
We are all probably aware that our email client has the ability to help block junk email depending on what we tell it.  When email appears in your inbox, if you think it is junk, you can typically block that particular sender.  This assumes that all email from that sender will be junk and so it is a rather blunt instrument. 

The corollary of blocking a sender is to tag a sender as being "safe".  All email from this sender will be classed as appropriate and will not be classed as junk email by one of the other methods, if they are operating.  This matters because, in trying to apply the other methods, false positives can result, meaning that you can miss legitimate emails as they have been automatically diverted to a junk email folder.  Many people would rather not have this happen and so make use of the "safe sender" functionality rather than blocking emails.

In Microsoft's Exchange-based email systems, users can monitor the Spam Confidence Level (SCL) score being assigned by the email server.  If the threshold for the SCL is too low or too high you can then ask your administrator to adjust the level.  This is always a tricky balance between receiving too many junk emails and missing legitimate emails.  It is also not usually something for a general user, as setting up your email client to monitor SCL scores is not a trivial task.

Black Lists
This is what you might imagine: a centralised list of those who are known spammers.  Your email server (or potentially your email client) can refer to this list and block accordingly.  One of the most popular forms is the Domain Name System Blacklist, also known as a DNSBL or DNS Blacklist.

An issue here is the proliferation of DNSBL's: it is difficult to decide which to use. Rather like anti-virus checkers, people tend to migrate to the better known names whom they feel they can trust. A considerable benefit of most DNSBL's is that they tend to include "zombie" machines which are used to avoid the simple user defined email blockers.

Recent developments have included listing email addresses that have sent to "honeypots" and ISPs that knowingly host spammers.  However, there has been some concern expressed about blacklists from organisations such as the Electronic Frontier Foundation (EFF).  These concerns are not so much about the technologies but about the specific policies implemented by those compiling the lists.

White Lists
Still the most common form is the user defined white list as described above.  However, increasingly ISPs are supplying their customers with white lists, usually through an email client that is provided by the ISP.  The ISP supplied white lists typically comprise email addresses of companies who apply to the ISP to be included as safe senders.

White lists can operate in one of two ways.  They can let through only those on the list or, alternatively, the list prevents other junk email methods from deleting the message.

The concern about allowing commercial organisations to pay for inclusion on a white list is that they can effectively pay to avoid spam filters.  The business models used to determine payment try to militate against this.  For example, the ISP will charge depending on the number of complaints received.  The ISPs argue that charging this way means that the funds can be used to invest in further spam filtering.  It's not clear if this actually happens.

There are some non-commercial white list providers.  Inclusion on these lists is allowed only if the sender passes certain tests.  For example, they must not allow unchecked relay of SMTP messages, which is a classic attack vector for spammers.  Personally, I would recommend using one of these white lists.

Bayesian Filtering
This is a statistically-based technique using, you guessed it, Bayesian probability.  This approach determines how likely a given proposition is, i.e. is this email spam?  The probability is determined using "evidence", i.e. it is learned from experience.

One particular form used in spam filtering is known as a "naive Bayesian classifier", which simply means that every feature you look for evidence of in the spam emails is considered independent of every other feature.  This would appear to restrict the ability of the system to learn about combinations of content that increase the likelihood of a message being spam.  However, it is fast and has surprisingly high accuracy.

Other forms use combinations of content as well as typical traffic patterns.  For example, you may receive many emails with the word Viagra but you rarely send them.  Hence, if you see a high proportion of email with a particular word passing across your network the likelihood of it being spam is raised.

One cannot rely totally on Bayesian Filtering as it is susceptible to "poisoning", where  spammers send email using large amounts of text that is unlikely to be classed as spam.  Hence, whilst individual words might raise an alert, when looked at as a whole, the message receives a lower spam score than would otherwise be the case.
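The naive Bayesian classifier and the "poisoning" weakness just described can both be shown in a few dozen lines. The following is an added example written for this page, not code from the original post or from any mail product; the training corpus is a handful of constructed spam and legitimate ("ham") messages, so the numbers are illustrative only. Each word is treated as independent evidence, the per-class word probabilities use add-one (Laplace) smoothing so an unseen word does not zero out the whole product, and the score is the log-odds of spam versus ham. The poisoned message at the end is an obvious spam line padded with ordinary business vocabulary, and the filter duly scores it as ham.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes: every word is independent evidence for spam or ham."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.word_counts[label].update(tokenize(text))
        self.doc_counts[label] += 1

    def log_odds(self, text):
        """log P(spam | words) - log P(ham | words), with add-one smoothing."""
        vocab_size = len(set(self.word_counts["spam"]) | set(self.word_counts["ham"]))
        total = {c: sum(self.word_counts[c].values()) for c in ("spam", "ham")}
        score = math.log(self.doc_counts["spam"] / self.doc_counts["ham"])  # prior odds
        for word in tokenize(text):
            p_spam = (self.word_counts["spam"][word] + 1) / (total["spam"] + vocab_size)
            p_ham = (self.word_counts["ham"][word] + 1) / (total["ham"] + vocab_size)
            score += math.log(p_spam / p_ham)
        return score

    def spam_probability(self, text):
        """Logistic transform of the log-odds back to a probability."""
        return 1.0 / (1.0 + math.exp(-self.log_odds(text)))

    def classify(self, text):
        return "spam" if self.log_odds(text) > 0 else "ham"


# Constructed training corpus (four spam, four ham messages).
SPAM_TRAINING = [
    "cheap viagra online now",
    "free loans apply now",
    "win free prize click now",
    "cheap pills online",
]
HAM_TRAINING = [
    "meeting agenda for monday",
    "please review the attached report",
    "lunch on friday with the team",
    "project report due monday",
]

# Constructed "poisoned" message: spam content padded with legitimate-looking words.
POISONED = (
    "free viagra now "
    "please review the attached report for monday meeting agenda "
    "project due friday lunch team"
)


def build_filter():
    f = NaiveBayesSpamFilter()
    for text in SPAM_TRAINING:
        f.train(text, "spam")
    for text in HAM_TRAINING:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("free viagra now", "meeting agenda monday", POISONED):
        print(f"{f.classify(msg):4s} p(spam)={f.spam_probability(msg):.3f}  {msg[:40]}")
```

Because the naive model simply adds up per-word evidence, every innocuous word the spammer appends subtracts from the score; that is the poisoning effect, and it is why production filters combine Bayesian scoring with the other methods in this post rather than relying on it alone.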

The volumes of spam email are extraordinary.  Between 70% and 80% of all email sent is spam.  As none of the current methods described here are completely effective, there is still scope for much further research in this area.

Tuesday, 6 December 2011

Another UN Site Is Hacked

My blog entry for yesterday now appears almost prophetic as reports emerge today that another UN site has been hacked using, guess what, a SQL Injection vulnerability. 

The site belongs to the UN refugee organisation (ACNUR) based in Spain.  Not much point in attacking them, you might think.  This organisation does only good works helping refugees from beleaguered countries in Africa.  However, the data that their servers hold is far from valueless.  Think of the high profile people who have dealings with the UN; their contact details are an obvious target.

Sure enough the hackers were able to obtain email and phone details for people such as Barack Obama. 
Luckily the password to the President's email was encrypted within the data store so it wasn't totally compromised - at least whilst the hackers try to decrypt the password Mr Obama has time to change his password.  Email addresses and phone numbers take a little more doing.

I would not be at all surprised to find that this vulnerability was exposed using the techniques described in the blog below.  Having had a high profile intrusion only a few days ago you would have thought that the UN would be taking particular care of their systems, especially when they obviously do contain very sensitive information that none of us, never mind the US President, would wish to be compromised.  Or maybe their claim that the group "Team Poison" had compromised only an old system with no data of value is not quite the full story.  Is this a continuation of the first attack?

This latest attack appears to again be a collaborative effort.  This time a group called "Sector 404" has said that they have come together with the well known group "Anonymous" to mount the attack.  Which group found the vulnerability and which mounted the attack is unclear, but as I've said before such sharing of information to break into systems is becoming increasingly common.

Hopefully the UN will now call in some help and audit their systems.

Monday, 5 December 2011

It's Not Junk Email That Is The Worry But What Lies Behind Them

It’s quite scary how many home computers are unwittingly aiding and abetting cyber criminals: 6% according to the latest study reported by the BBC. And it’s not just spam email that is the problem.

One of the issues that those tackling the problem have is that spammers are becoming ever more cunning in their use of email content.  Whilst spam filters look for obvious content, often through key word monitoring, the spammers subtly change the content so that it might appear readable to a recipient but not to an automated process.  The classic is replacing a letter (say “l”) with a number (say “1”).
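A keyword filter that only looks for the literal string will miss exactly the substitutions described above. One common counter, shown here as an added example rather than code from the original post, is to compile each keyword into a pattern that accepts look-alike characters for each letter and tolerates a little punctuation between letters ("v.i.a.g.r.a"). The substitution table and the sample subject lines are constructed for the example; a real filter would use a much larger table and would still expect some false positives, which is the trade-off of loosening the match.

```python
import re

# Constructed table of look-alike substitutions: letter -> characters that may stand in for it.
LOOKALIKES = {
    "a": "a4@", "e": "e3", "g": "g9", "i": "i1!|", "l": "l1|",
    "o": "o0", "s": "s5$", "t": "t7+",
}
# Up to two non-alphanumeric characters may be wedged between consecutive letters.
SEPARATOR = r"[^a-z0-9]{0,2}"


def keyword_pattern(keyword):
    """Compile a regex matching `keyword` despite look-alike characters and inserted punctuation."""
    parts = ["[" + re.escape(LOOKALIKES.get(ch, ch)) + "]" for ch in keyword.lower()]
    body = SEPARATOR.join(parts)
    # The match must stand alone: no letters or digits glued to either side,
    # so "via grand" is not reported as "viagra".
    return re.compile(r"(?<![a-z0-9])" + body + r"(?![a-z0-9])", re.IGNORECASE)


KEYWORDS = ["viagra", "loan", "casino"]

# Constructed sample subject lines.
SAMPLE_SUBJECTS = [
    "Cheap V1AGRA today",
    "Buy v.i.a.g.r.a online",
    "Your l0an is approved",
    "Quarterly report attached",
    "Travel via grand central",
]


def scan(subjects, keywords=KEYWORDS):
    """Return (subject, matched keywords) for every subject that trips a keyword pattern."""
    patterns = {k: keyword_pattern(k) for k in keywords}
    hits = []
    for subject in subjects:
        matched = [k for k, pattern in patterns.items() if pattern.search(subject)]
        if matched:
            hits.append((subject, matched))
    return hits


if __name__ == "__main__":
    for subject, matched in scan(SAMPLE_SUBJECTS):
        print(f"{subject!r} -> {matched}")
```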

With the latest estimates saying that spam, and malware laden emails, account for over 70% of all email traffic, this is undoubtedly a significant problem. Although, attempts over the last year have seen some inroads into reducing the volumes.  Microsoft report in their latest Security Intelligence Report that machines running their software (and despite the wishes of the Apple lobby the vast majority of PCs run Microsoft operating systems) have seen a significant decrease in spam emails.

Having said that, there is a valid debate as to who should be trying to stop the email.  With landmark cases such as that in the European Court of Justice two weeks ago, which relieved ISPs of responsibility for ensuring traffic does not contravene copyright laws, who is to say that the ISPs should stop spam?  After all, the Post Office does not stop junk mail by default.  There is a view that we should all take more responsibility for our own machines and have email clients that can stop junk email and catch malware before it jumps from our email to our PCs.

This volume of spam does not mean great economic loss through reading adverts for illegal Viagra, cheap loans or free legal advice.  Rather, the criminal activity comes from so called "phishing" emails.  You might think it rather daft to respond to, for example, someone calling themselves the ex-President of Nigeria who, if only you would deposit £1000 in his account, could release millions and would reward you tenfold.  We've all had them.  But if you send enough of them, then someone will fall for the scam.

There is a classic hacker trick where you obtain a phone book for a company. Then you ring around each number in the book saying you are "technical support" and that you have called to help them with their problem.  Eventually you will reach someone who has a problem and has lodged a call for help.  You then ask for the username and password, which of course they are happy to provide as you have proven you are technical support by responding to their call.  How else would you have known to call them? The current equivalent are the emails. We all receive emails from banks saying that they are responding to our call for assistance and would you just click this link and enter your details in the very authentic looking website.  The medium is different but the con is the same.  With billions of spam emails each day, the spammers can collect a frightening number of credentials.

However, in my opinion, the fact that such a large proportion of home machines host unknown malware hides a bigger threat than simply spreading large volumes of annoying and phishing emails.  By hijacking so many PCs it is possible to mount a massive probing operation that can seek out high value targets that are susceptible to classic hacking attacks.  A good example is what is known as "SQL Injection" attacks.  If an attacker had to manually probe every system using SQL to see if it was vulnerable his/her arms would fall off before they found a victim.  But, automate the process across many thousands of "bots", each of which is reporting success or failure back to some master criminal machine, and you'll have an embarrassment of victims from which to choose.  In fact, this is so effective that an industry is growing up in which one set of criminals will find the vulnerable machines and then sell the list to other criminals.

So, am I worried about junk email?  No.  Am I worried about those same hijacked PCs supporting criminal hacking?  Yes.  The graphs show that the junk email is beginning to be tackled, but what is less clear is if the hidden activity of these botnets is being tackled.  My guess is not.