thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Wednesday, May 28, 2008

German Students Break CardSpace Security

Three students from the Ruhr-University Bochum in Germany were able to intercept the security token and, based on that, read the plain text of the card's content (e.g. name, credit card number and other attributes) and impersonate the legitimate user for as long as the security token remained valid. They did this by means of an extended man-in-the-middle attack through DNS manipulation:
We study the security of CardSpace and show that the browser-based protocol is susceptible to attacks, where the adversary steals the security token. Consequently, we prove evidence that users are impersonatable and the ones who potentially suffer from identity theft. We confirm the practicability of the attack by presenting a proof of concept implementation. Finally, we discuss countermeasures, addressing both the CardSpace identity metasystem and the protocol.
See the short description and the full report (pdf).

Heise Security tried to reproduce the attack, but without success. Microsoft is already working on a solution.
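The replay window that the attack exploits, as an added example that is not part of the original post, of the Bochum paper or of CardSpace itself: a toy signed token carrying an audience, a validity period and a token ID, and a relying party that checks all three and optionally keeps a one-time-use cache. The token format, the HMAC key, the names and the timestamps are assumptions made for the illustration; a real relying party verifies the identity provider's signature rather than a shared-key MAC.

```python
"""Added illustration (not from the Bochum paper or from CardSpace) of why a
stolen security token is useful "during the lifetime of the security token",
and of two checks that shrink that window: a short validity period and
one-time use of each token ID.

The token is a made-up stand-in for a signed SAML-style token: a JSON body
(subject, audience, issue/expiry time, token ID) plus an HMAC over it.
Key, names and timestamps are constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed key shared by the identity provider and the relying party.
# A real system uses an asymmetric signature; HMAC keeps the example offline.
ISSUER_KEY = b"example-issuer-key-not-a-real-secret"


def issue_token(subject, audience, lifetime_s, now, token_id):
    """Identity-provider side: sign a token valid for `lifetime_s` seconds."""
    body = {"sub": subject, "aud": audience, "iat": now,
            "exp": now + lifetime_s, "jti": token_id}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return payload, tag


class RelyingParty:
    """Token consumer. `seen_ids` is the replay cache of accepted token IDs."""

    def __init__(self, audience, enforce_one_time_use=True):
        self.audience = audience
        self.enforce_one_time_use = enforce_one_time_use
        self.seen_ids = set()

    def accept(self, payload, tag, now):
        """Return (accepted, reason) for a token presented at time `now`."""
        expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        body = json.loads(payload)
        if body["aud"] != self.audience:
            return False, "wrong audience"      # token was issued for another site
        if not body["iat"] <= now < body["exp"]:
            return False, "expired"             # outside the validity window
        if self.enforce_one_time_use:
            if body["jti"] in self.seen_ids:
                return False, "replayed"        # same token presented a second time
            self.seen_ids.add(body["jti"])
        return True, "ok"


def simulate_replay(enforce_one_time_use, delay_s, lifetime_s=300):
    """Victim logs in at t=1000; an attacker who copied the token off the wire
    presents the same token to the same relying party `delay_s` later.
    Returns the attacker's (accepted, reason)."""
    rp = RelyingParty("https://shop.example", enforce_one_time_use)
    payload, tag = issue_token("alice", "https://shop.example",
                               lifetime_s, now=1000, token_id="tok-1")
    ok, _ = rp.accept(payload, tag, now=1000)   # the legitimate presentation
    assert ok
    return rp.accept(payload, tag, now=1000 + delay_s)


if __name__ == "__main__":
    # Without one-time use the copied token works until it expires.
    print(simulate_replay(False, delay_s=60))   # (True, 'ok')
    print(simulate_replay(False, delay_s=600))  # (False, 'expired')
    # With a replay cache the second presentation is rejected inside the window.
    print(simulate_replay(True, delay_s=60))    # (False, 'replayed')
```

Lifetime and replay detection only narrow the window: a copied token that is still valid and whose legitimate presentation never reached the relying party (the situation in a full man-in-the-middle, where the attacker is the only party talking to the relying party) passes all three checks.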

Tuesday, May 13, 2008

Deep Packet Inspection: Technology vs Lawyers?

Lots of interesting things have been happening in the last few weeks in the field of real-time Internet traffic "inspection" a.k.a. monitoring or surveillance. This is just a small summary of the most important developments:

On the technology front, the DPI equipment available on the market is getting more and more sophisticated, as Ars Technica reported yesterday:
Procera Networks will announce today a new standard in deep packet inspection (DPI) gear: an 80Gbps monster called the PacketLogic PL10000 that is targeted at tier-1 network operators. At up to $800,000 a unit, these aren't cheap, but when you want to throttle, inspect, and shape traffic in real-time on a major network, this is now the fastest thing on the market (and by a large margin).
Procera's own press release phrases this in more business-oriented language, actually quite tellingly:
[S]ervice providers now have a platform that will support millions of subscribers while giving them the business intelligence, service creation, network visibility and control required to successfully roll out new revenue-generating services and optimize network performance. Generally available now, the PacketLogic PL10000 already has four service provider customers from around the world and is currently operating in production networks.
They are nice enough to also quote one ISP who uses their gear:
"As a Procera customer since 2004, we are extremely pleased with our experience with PacketLogic, and as our business has grown to the point where we needed larger PacketLogic systems, it was an easy decision to start upgrading to PL10000," said Jens Persson, vice president of R&D at Com Hem, Scandinavia's largest cable operator.
Com Hem might not be so happy in the near future if Sweden's internet lawyers come anywhere close to their Canadian and British colleagues in terms of action:

In Canada, privacy lawyers have filed an official complaint with the federal privacy commissioner's office against Bell Canada because of its DPI usage for traffic shaping:
The Canadian Internet Policy and Public Interest Clinic, a University of Ottawa legal clinic specializing in internet- and other technology-related law, has joined the assault on Bell Canada Inc. and its traffic-shaping practices, urging an investigation by the country's privacy commissioner. The group says Bell has failed to obtain the consent of its retail and wholesale internet customers in applying its deep-packet inspection technology, which tells the company what subscribers are using their connections for. Bell is using DPI to find and limit the use of peer-to-peer applications such as BitTorrent, which it says are congesting its network.
Here is the full complaint. From the introduction:
[W]e understand that Bell is engaging in internet “traffic management” practices that involve the inspection of internet traffic headers and content, both of which contain information that can be linked to internet subscribers, purportedly to classify traffic for purposes of network optimization. Such practices – i.e., those involving the collection and use of personal information – are not necessary to ensure network integrity and quality of service. Moreover, subscribers whose traffic is being inspected have not consented to the inspection and use of their data for this purpose. Finally, Bell does not make readily available to individuals specific information about these practices.

We submit that Bell is violating Principles 4.3, 4.4, and 4.8 of PIPEDA, Schedule 1 by failing to:
  • a. Obtain informed consent from affected individuals to the collection and use of their personal information for the purpose of traffic management (Principle 4.3);
  • b. Limit the collection of personal information to that which is necessary for its stated purposes (Principle 4.4); and
  • c. Make readily available to the public specific information about its traffic management policies and practices insofar as they involve the collection and analysis of personal information (Principle 4.8).
In the UK, the Foundation for Information Policy Research (FIPR) has done a tremendous job in analyzing the technical and legal issues around Phorm's "Webwise" system for inserting adverts into ISPs' customers' traffic. Richard Clayton comprehensively describes how the system, which was already tested at BT (formerly British Telecom), works. The summary sounds rather dry:
The basic concept behind the Phorm architecture is that they wish to take a copy of the traffic that passes between an end-user and a website. This enables their systems to inspect what requests were made to the website and to determine what content came back from that website. An understanding of the types of websites visited is used to target adverts at particular users.
Read the full paper! This is scary stuff, including deep packet inspection, forged cookies, multiple re-routing and other techniques.
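What "inspection of headers and content" gives a traffic shaper beyond the IP header alone, as an added example that is not Bell's, Procera's or Phorm's code: a small classifier over a TCP payload that recognises the BitTorrent peer handshake (the traffic Bell says it throttles) and an HTTP request (the request and host name Phorm's system copies), and reports the subscriber-linkable fields each exposes. The sample payloads, host names and function names are constructed for the illustration.

```python
"""Added illustration (not Bell's, Procera's or Phorm's code) of what a
deep-packet-inspection box sees when it classifies a TCP payload by content
rather than by the IP/TCP header alone. Two protocols named in the text are
handled: HTTP and the BitTorrent peer handshake. Sample payloads below are
constructed for the example.
"""

BT_PSTR = b"BitTorrent protocol"


def classify_payload(payload: bytes) -> dict:
    """Return the recognised protocol and the subscriber-linkable fields
    visible in the payload. Anything unrecognised is reported as 'opaque'
    (e.g. an encrypted stream), for which a DPI box can only fall back to
    flow statistics such as packet sizes and timing."""
    # BitTorrent handshake:
    # <19><"BitTorrent protocol"><8 reserved bytes><20-byte info_hash><20-byte peer_id>
    if len(payload) >= 68 and payload[0] == 19 and payload[1:20] == BT_PSTR:
        return {
            "protocol": "bittorrent",
            "info_hash": payload[28:48].hex(),  # identifies the torrent being shared
            "peer_id": payload[48:68],
        }
    # HTTP request: request line, then CRLF-separated headers, then a blank line.
    head, _sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/") and parts[0].isalpha():
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        return {
            "protocol": "http",
            "method": parts[0].decode("ascii"),
            "host": headers.get("host"),           # which site was visited
            "path": parts[1].decode("latin-1"),    # what was requested there
            "cookie": headers.get("cookie"),       # session identifiers tie it to a person
        }
    return {"protocol": "opaque", "bytes": len(payload)}


def shaping_decision(payload: bytes, throttle=frozenset({"bittorrent"})) -> str:
    """The policy step a traffic shaper applies on top of the classification."""
    return "throttle" if classify_payload(payload)["protocol"] in throttle else "pass"


# Constructed sample payloads (not captured traffic).
HTTP_SAMPLE = (b"GET /account/statement?id=4411 HTTP/1.1\r\n"
               b"Host: bank.example\r\n"
               b"Cookie: session=abc123\r\n"
               b"User-Agent: Example/1.0\r\n\r\n")

BT_SAMPLE = (bytes([19]) + BT_PSTR + bytes(8)
             + bytes(range(20))            # constructed info_hash
             + b"-EX0001-000000000000")    # constructed 20-byte peer_id

# A TLS application-data record header followed by constructed ciphertext bytes.
TLS_SAMPLE = b"\x17\x03\x01\x00\x2a" + bytes(42)


if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, BT_SAMPLE, TLS_SAMPLE):
        print(classify_payload(sample), shaping_decision(sample))
```

A payload matching neither pattern, such as the encrypted record above, is reported as opaque; that is the "circumvent" side of the closing remark that technology cuts both ways, with the caveat that the TLS handshake preceding such records still carries the server name in the clear, so encryption narrows rather than eliminates what a DPI box can classify.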

Nicholas Bohm from FIPR then added a legal analysis based on Clayton's work. His judgement:
This paper concludes that deployment by an ISP of the Phorm architecture will involve the following illegalities (for which ISPs will be primarily liable and for which Phorm Inc will be liable as an inciter):
  • interception of communications, an offence contrary to section 1 of the Regulation of Investigatory Powers Act 2000
  • fraud, an offence contrary to section 1 of the Fraud Act 2006
  • unlawful processing of sensitive personal data, contrary to the Data Protection Act 1998
  • risks of committing civil wrongs actionable at the suit of website owners such as the Bank of England.

Of course, this is not "Technology vs. Lawyers", as the headline suggests (just teasing). Technology can be used to enhance as well as circumvent these DPI surveillance tools, and law can be used to allow or prohibit their deployment. More on this in a later posting.