Andrew Cormack | 2 Nov 2009 21:04

RE: Wifi hot spots - 'not secure'

Hi Chris
I've just raised the same question on another list, having not seen the
programme. But I note from the write-up
(http://www.bbc.co.uk/blogs/watchdog/2009/10/wifi_hot_spots_not_secure.html)
that they seem to regard "VPNs" as a user solution to whatever the
problem is. That seems to support your feeling that it might be lack of
SSL that's a problem, but then it seems a bit mean to beat up the wifi
provider when it's actually the webmail provider that's at fault...

Andrew

--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399

JANET, the UK's education and research network

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

> -----Original Message-----
> From: ukcrypto-bounces@... [mailto:ukcrypto-
> bounces@...] On Behalf Of Chris Edwards
> Sent: 30 October 2009 09:19
> To: ukcrypto@...

pgut001 reflector | 5 Nov 2009 11:12

RE: Wifi hot spots - 'not secure'

>What attack do we reckon is performed here ?

It could have been a transparent SSL downgrade attack, which involves using a
rogue AP to MITM an SSL'd web site to turn it into a non-SSL'd web site.
Here's an extract of a writeup on how easy (and effective) this is to do:

  This attack is particularly easy to carry out on wireless networks, in which
  you can force a disconnect via a deauthenticate/dissociate message so that
  the targeted device will look for alternative access points to connect to on
  the assumption that the original is no longer available [182].
  Alternatively, any number of denial-of-service attacks can be used to force
  a client to disconnect, even ones that take advantage of security measures
  designed to protect against security breaches such as disconnecting clients
  that send packets with invalid authentication codes [183].  Support for
  these sorts of attacks is a standard feature of many 802.11 hacking tools.

  Fig.X: SSL downgrade attack on a bank site

  A screenshot of an SSL downgrade attack of this kind carried out using a US
  $29 open-source wireless networking appliance roughly the size of a packet
  of cigarettes is shown in Fig.X.  Note how practically all of the visible
  security indicators show that the page is "secure".  As Fig.Y shows, even
  the Verisign site seal, if clicked on, promises that this attacker-
  controlled page is safe to use.

  Fig.Y: Verisign site seal for the attacker-controlled site shown above

  When this attack was demonstrated live on several occasions to a roomful of
  hardcore geeks it took multiple iterations of considerable amounts of
  explanation to convey to them how it worked, and that using HTTPS on the
  server wasn’t going to help.  Even then, several of them were still
  convinced afterwards that, because their server used SSL, this attack
  wouldn’t work against them.  If it’s this hard to explain to geeks, imagine
  getting it across to average users.

Peter.
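
An added example, not part of the original post or the writeup it quotes: a defender's check for the exposure described above, showing that a site with a correct redirect and working HTTPS is still reported as downgradable. It assumes the later HSTS mechanism (RFC 6797, which postdates this 2009 thread) as the mitigation; bank.example, the sample responses and the finding names are constructed.

```python
import re

def parse_response(raw):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None when no usable policy is sent."""
    value = headers.get("strict-transport-security", "")
    m = re.search(r'(?i)(?:^|;)\s*max-age\s*=\s*"?(\d+)', value)
    return int(m.group(1)) if m else None

def downgrade_findings(http_raw, https_raw, min_age=15552000):
    """List the reasons a client of this site can be silently kept on plain HTTP."""
    findings = []
    status, headers, _ = parse_response(http_raw)
    redirects = status in (301, 302, 307, 308)
    if not (redirects and headers.get("location", "").lower().startswith("https://")):
        findings.append("http-serves-content")
    _, s_headers, s_body = parse_response(https_raw)
    age = hsts_max_age(s_headers)
    if age is None:
        # HTTPS works, but nothing tells the browser to refuse plain HTTP next time.
        findings.append("no-hsts")
    elif age < min_age:
        findings.append("hsts-too-short")
    if re.search(r'(?i)<form[^>]*\baction\s*=\s*["\']http://', s_body):
        findings.append("form-posts-to-http")
    return findings

# Constructed sample responses for a hypothetical site, bank.example.
HTTP_REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://bank.example/login\r\n\r\n")
PAGE = '<form action="https://bank.example/login" method="post"></form>'
HTTPS_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + PAGE
HTTPS_HSTS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Content-Type: text/html\r\n\r\n" + PAGE)

if __name__ == "__main__":
    print(downgrade_findings(HTTP_REDIRECT, HTTPS_PLAIN))
    print(downgrade_findings(HTTP_REDIRECT, HTTPS_HSTS))
```

Even with the policy in place, a browser that has never visited the site over HTTPS (and has no preloaded entry for it) makes its first request unprotected.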

Tom Thomson | 5 Nov 2009 17:14

RE: Wifi hot spots - 'not secure'

pgut001 reflector wrote:
> If it’s this hard to explain to geeks, imagine
> getting it across to average users.

It might be a lot easier – average users have a lot less to unlearn than geeks.

I will always remember one geek who had learnt, when attending an 
information theory course, the Nyquist-Shannon sampling theorem.  He 
was utterly convinced as a result that it was impossible to get 
more than 2B bits per second out of a channel with bandwidth B.  I 
tried to explain that the Nyquist rate was a signalling rate, not a 
data transmission rate, that the signalling limit was 2B baud, not 2B 
bits per second, and that 1 baud is not 1 bit per second;  but this 
had not the slightest effect, no amount of explanation could convince 
him he was wrong – Claude Shannon was an eminent authority and 
therefore his interpretation must be right (it always amuses me how 
often a geek will have completely misunderstood the eminent authority 
to whom he appeals to support his nonsense; they are almost as bad as 
politicians in this respect). Even pointing out that this same eminent 
authority, Claude Shannon, was responsible for the Shannon-Hartley 
theorem which clearly contradicted his conclusion had no effect 
(presumably his information theory course hadn’t got that far).  Nor, 
some time (?years?) later, did pointing out that the post office had 
just announced a shiny new 9.6kb/s modem to operate over its 4kHz 
bandwidth phone lines, and 9.6/4 is a little larger than 2 - he 
claimed that that must all be being done by clever compression. I 
imagine he still believes that the Nyquist-Shannon sampling theorem 
provides a limit on data transmission rates.  

I can’t imagine ever having that sort of problem with a non-geek.

M.

Richard Clayton | 6 Nov 2009 15:50

RIP authorisations consultation response


The consultation response on changing authorisations in RIP is now out.

http://www.homeoffice.gov.uk/documents/cons-2009-ripa/

-=-=-=-=-

From the press release:

   The level of authorisation required by local authorities to sign off
   investigatory techniques will be raised to prevent them being used
   for trivial matters under new plans announced by the Policing
   Minister David Hanson MP today. 

   Following a public consultation of the Regulation of Investigatory
   Powers Act (RIPA), a senior executive now has to approve how and when
   the techniques are used to protect the public and fight crime.

   Under the new measures, elected councillors in each local authority
   are also required to oversee the use of RIPA. In addition, training
   for local authority authorising officers and bespoke written guidance
   on how local authorities should use RIPA will be issued.

   New codes of practice make it clear to all public authorities who can
   make authorisations under RIPA that they cannot be used for minor
   matters.

   The Home Office received 222 responses to the consultation
   launched in April and will now bring forward legislation to
   implement the changes. The orders and the related codes of practice
   will include measures to:

   *    clarify the test of necessity and proportionality so techniques
        will not be used to investigate dog fouling or people putting
        bins out a day early
   *    raise the rank of authorising officer for RIPA techniques in
        local authorities to senior executive at a minimum of 'director'
        level
   *    give elected councillors a role in overseeing the way local
        authorities use covert investigatory techniques
   *    require constituents' communications with MPs on constituency
        business to be treated as confidential information, and
        therefore subject to authorisation by a higher rank of officer
   *    treat covert surveillance of legal consultations as 'intrusive'
        rather than 'directed' surveillance, meaning it can only be
        carried out by a very limited number of public authorities.

   Many of the investigations that rely on the techniques regulated by
   RIPA are vital to protecting public safety - not just for serious
   crime and terrorism - and they can also make a real difference to
   people's everyday lives. For example, by stopping rogue traders or
   trapping fly tippers who dump tonnes of rubbish on an industrial
   scale.

-=-=-=-=-

Presumably only industrial scales measure tonnes; and presumably because
it is industrial, that means that it has to be metrically measured.

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Peter Tomlinson | 6 Nov 2009 16:28

Re: RIP authorisations consultation response

A farmer who has half a ton[ne] of asbestos contaminated waste dumped is 
not going to be pleased when told the activity is not on an industrial 
scale.

And this Policing Minister is only one alpha character away from our 
very own David H.

Peter

Richard Clayton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> The consultation response on changing authorisations in RIP is now out.
>
> http://www.homeoffice.gov.uk/documents/cons-2009-ripa/
>
> - -=-=-=-=-
>
> - From the press release:
>
>    The level of authorisation required by local authorities to sign off
>    investigatory techniques will be raised to prevent them being used
>    for trivial matters under new plans announced by the Policing
>    Minister David Hanson MP today. 
>
>    <snip>
>
>    Many of the investigations that rely on the techniques regulated by
>    RIPA are vital to protecting public safety - not just for serious
>    crime and terrorism - and they can also make a real difference to
>    people's everyday lives. For example, by stopping rogue traders or
>    trapping fly tippers who dump tonnes of rubbish on an industrial
>    scale.
>
> - -=-=-=-=-
>
> Presumably only industrial scales measure tonnes; and presumably because
> it is industrial, that means that it has to be metrically measured.
>
>
>   

Roger Hird | 6 Nov 2009 16:41

Metric - was RIP authorisations consultation response

In article <B1WjbKCBfD9KFAZN@...>,
   Richard Clayton <richard@...> wrote:
> Presumably only industrial scales measure tonnes; and
> presumably because it is industrial, that means that it has to
> be metrically measured.

An aside from my past: to all intents and purposes all legal
metrology in the UK has been "metric" (SI to its aficionados)
for decades (together with most teaching). The exceptions
represent a relatively small set of "familiar" things - and those
exceptions appear to be being phased out.

-- 
Roger Hird
rl.hird@...
Website: http://roger.hird.orpheusweb.co.uk

Ian Batten | 6 Nov 2009 17:13

Re: Metric - was RIP authorisations consultation response


On 06 Nov 09, at 1541, Roger Hird wrote:

> In article <B1WjbKCBfD9KFAZN@...>,
>   Richard Clayton <richard@...> wrote:
>> Presumably only industrial scales measure tonnes; and
>> presumably because it is industrial, that means that it has to
>> be metrically measured.
>
> An aside from my past: to all intents and purposes all legal
> metrology in the UK has been "metric" (SI to its aficionados)
> for decades (together with most teaching). The exceptions
> represent a relatively small set of "familiar" things - and those
> exceptions appear to be being phased out.

On a vaguely related topic, one of the pieces of legislation that fell  
at the end of the Major government was a proposal to make UK legal  
time UTC, rather than `GMT' (UT0).  I had a correspondence with Lord  
Sainsbury which boiled down to `those that care know the difference  
and it doesn't matter to anyone else'.

ian

Roger Hird | 6 Nov 2009 17:45

Re: Metric - was RIP authorisations consultation response

In article <2CB255A8-9183-4A42-AD79-D2B1D2B4CCBB@...>,
   Ian Batten <igb@...> wrote:
> On a vaguely related topic, one of the pieces of legislation
> that fell at the end of the Major government was a proposal
> to make UK legal time UTC, rather than `GMT' (UT0).  I had a
> correspondence with Lord Sainsbury which boiled down to
> `those that care know the difference and it doesn't matter to
> anyone else'.

Indeed - I was managing NPL's budget at the time in DTI - and of
course NPL maintains our time standards. There was a Tory back
bench peer - Lord Tanlaw? - who was much exercised about it.  It was
a fair point - GMT, as such, is/was no longer maintained and it
really is a nonsense to have as the legal basis of time
measurement something that is only a secondary - and artificial -
standard.  

Actually, my memory may be failing me but I thought the actual
name for what we use as a GMT equivalent was not UTC but UTC
(NPL)?

-- 
Roger Hird
rl.hird@...
Website: http://roger.hird.orpheusweb.co.uk

Watching Them, Watching Us | 7 Nov 2009 16:53

re: RIP authorisations consultation response - no use of encryption ?


>Richard Clayton richard at highwayman.com
>Fri Nov 6 14:50:41 GMT 2009

>The consultation response on changing authorisations in RIP is now
>out.

>http://www.homeoffice.gov.uk/documents/cons-2009-ripa/

http://www.homeoffice.gov.uk/documents/cons-2009-ripa/ripa-cons-response?view=Binary
(292Kb .pdf)

---------------

page 13

6.  Are the Government’s other proposed changes in the
Consolidating Orders appropriate?

[...]

  there should be a mandatory requirement for all RIPA
applications, authorisations and material obtained to be encrypted;

[...]

GOVERNMENT’S POSITION

[...]

It would be impractical to require all material obtained through
the use of RIPA to be encrypted. However, it is perfectly
reasonable for members of the public to want reassurance that all
appropriate steps are taken to protect material obtained through
the use of techniques under RIPA. All relevant public authorities
have in place a variety of security measures, including physical
security measures, security procedures, staff vetting and training,
to ensure that material is protected from improper disclosure.

----------------

Given the Government data security and privacy disasters of recent
years, is anyone reassured by this "Government Position" ?

The list of security measures "in place" by "all relevant public
authorities" does *not* include "encryption".

This rather implies that they *never* use encryption to protect the
RIPA documentation or end products, in transit or in storage, even
where this is obviously cheap and practical to do.

Why are the Home Office so dead set against normal, professional IT
security procedures ?

regards

Mark

----
http://SpyBlog.org.uk -  Spy Blog
blog@...

PGP Public Encryption Key for blog@...:
http://SpyBlog.org.uk/Spy_Blog_PGP_Public_Encryption_Key.pl
PGP Public Encryption Key ID: 0xEB3CF9A8
Fingerprint: 8DBB D4C8 AB0B 3F2A 3548  D252 A736 3503 EB3C F9A8

If you are researching, or writing, or protesting about anything to
do with National Security, or Government spin and secrecy, you
should take some basic precautions:

Hints and Tips for Whistleblowers
http://ht4w.co.uk

Dave Howe | 7 Nov 2009 23:50

Re: Wifi hot spots - 'not secure'

Andrew Cormack wrote:
> Hi Chris
> I've just raised the same question on another list, having not seen the
> programme. But I note from the write-up
> (http://www.bbc.co.uk/blogs/watchdog/2009/10/wifi_hot_spots_not_secure.html)
> that they seem to regard "VPNs" as a user solution to whatever the
> problem is. That seems to support your feeling that it might be lack of
> SSL that's a problem, but then it seems a bit mean to beat up the wifi
> provider when it's actually the webmail provider that's at fault...

I have noticed that quite a few wifi hotspots are NATted to the internet
and do not support ipsec; an SSL vpn may well work, but classic ipsec
clients (like the cisco one) fail, even in nat-t (udp encapsulation) mode.

Most free ones seem ok, and the "cloud" ones that are common in pubs
seem ok, but a lot of hotel ones seem to fail (which is odd, you would
think that customers wanting to vpn back to their home base would be a
large segment of their user base).

