Gary McKinnon has been in the news this week. Unless you have just surfaced for internet air you will remember that he is the guy with Aspergers who hacked into the Pentagon computer and who the
marshalls Feds in US of A wanted to extradite so that they could extract revenge.
This post is not about Gary McKinnon or the rights and wrongs of his case. It is about the fact that he was able to hack into what must surely be one of the most secure computer systems in the world (wide web).
Next up is the breach of Google’s webmail service in December 2009. I did have a link to a blog post on this courtesy of the Tor Project submission (the next 4 paras are from that submission) to the Draft Comms Data Bill but the link sees to be broken/article has been removed.
This attack was specifically targeted against Chinese human rights activists. The breach of Google was part of a co‐ordinated and sophisticated attack that also included Adobe and other companies that chose not to be publicly disclosed. The attack made use of custom‐made malware that was specifically designed to, and succeeded at, avoiding detection by anti‐virus software. It also exploited a vulnerability in Microsoft Internet Explorer which was, at the time of the attack, not known publicly. The identity of the attackers remains unknown and was disguised by bouncing their communications through hijacked computers in the US and Taiwan.
Another notable incident is the compromise of the Vodafone telephone exchange in Greece, allowing attackers to bug the mobile telephone of over 100 high‐ranking dignitaries, including the prime minister. In a highly sophisticated attack, custom‐designed software activated the lawful‐intercept functionality of the telephone exchange even though Vodafone had not purchased it. The attackers also successfully circumvented the audit logging, to hide the unauthorised access. Eventually the tampering was discovered but only after almost a year of being active (the exact date the attack was perpetrated remains unknown).
As a final example, a hacker supportive of the Iranian government but who stated that he was not affiliated to the government, compromised the certification authorities DigitNotar and Comodo (and claims to have compromised others), and managed to obtain digital certificates which were successfully used to impersonate Google’s website, potentially collecting sensitive information such as passwords, communications data, and content. The same attacker also targeted The Tor Project website, so it is reasonable to suspect that human rights activists were also among the targets.
So what am I saying here? No data is secure enough for us to be able to say it will not be compromised and used for purposed that were not intended. The only way to safely stop people from gathering personal info about you is to not have that information collected in the first place.
The Tor Project submission has some other interesting stuff to say:
“The draft bill and submissions of the Home Office make clear that only communications data, not content, may be collected and disclosed. The Home Office argue that communications data is less sensitive than content, and thus does not deserve the same safeguards, restrictions on collection, or level of authorisation to access. However, in many cases communications data can be as sensitive as content, and in some cases may be more sensitive than content.
For example, “use data” (following the terminology used in the annex to the draft bill) revealing that someone accessed a website which is collecting evidence on human rights violations could put that person or their family in severe danger. Even disclosing that someone was using the Internet at a particular time can be sensitive when it is correlated with, for example, the posting of videos of human rights abuses on YouTube. While the timing of a single instance of a video is unlikely to uniquely identify a person, repeating this exercise, combined with knowledge of the “usual suspects” for such activity, could single out an individual for repercussions.
Experiments have shown that 23.3% of Wikipedia users could be uniquely identified from “use data” alone, had they been using Tor to protect their privacy. This proportion goes to 95.7% when only Wikipedia users who have posted 50 or more items on Wikipedia are considered.
As another example, “traffic data” showing that a phone call made by a journalist was from a particular location could put that journalist at risk. It has been reported that the Syrian government were using traffic data analysis to target journalists, and this technique has been implicated in the death of Sunday Times war correspondent Marie Colvin.
Even “subscriber data”, while typically less sensitive than use data or traffic data, can be of critical importance. The disclosure of the identity of a person pseudonymously blogging about sexuality, political or religious beliefs could put someone’s employment at risk, even within liberal democracies.
The reason that communications data can be more sensitive than content is that it is more amenable to automated analysis, particularly when collected in bulk (as proposed by the draft bill). Content is designed for humans to read, and it is a challenging problem for computers to accurately interpret content. In contrast, communications data is designed for computers to interpret and so is far easier for computers to analyse and allowing a more accurate and detailed profile of individuals to be built than is possible with current technology to interpret content.”
Those paragraphs were again lifted verbatim from the Tor Project submission but it they make sufficiently strong points for me to simply repeat them – I doubt in any case that many of you will have read the 448 page PDF of all the written submissions (download whole report here).
The Tor Project is particularly interested in supporting human rights activists around the world. However their points are highly relevant to the privacy of you and I, private individuals in the UK. The “use” data when lost or stolen, as will inevitably happen, will not be something we want others to see.
Some may well argue that it takes specialist knowledge to be able to hack into “secure” systems. I doubt that Gary McKinnon would be deemed a specialist and in any case it doesn’t matter who does the hacking. Such persons are unlikely to be concerned at keeping their stolen data to themselves and often, as was the case of the published LinkedIn passwords, like to brag about it by making the information public.
In the meantime the header image is the google blogspot landing page for the link to the blog post on the attack on their mail. I suspect Google just took it down because they didn’t want to talk about it…