Social Network Risks

Yesterday’s Washington Post has a report on the concerns raised by parents and child advocates about the use of social networks by pre-teenagers.  The story focuses on the photo sharing service, Instagram, but the general issues are relevant to other sites as well: is the site collecting the personal information of susceptible children, and does it do enough to protect them from miscellaneous predators.

The Instagram service is an offshoot of Facebook, the social networking giant, which has about 1 billion users.  The company’s policy requires users to be at least 13 in order to open an account, but the Instagram site does not even ask the user’s age when (s)he signs up.  (The main Facebook site does require a bit of verification, requiring the user’s real name and age; however, the effectiveness of this is questionable, since there is no way to check the user’s answers.)  The result is that many children under 13 have set up Instagram accounts.

There is some reason for concern about this; looking at the site (or at Facebook, for that matter, where I have an account) shows that many users post a great deal of what might be regarded as fairly personal information.  Most readers are probably familiar with news stories of people whose employment or other prospects have been damaged by indiscreet posting and photos on Facebook and other social sites.  Even if one grants that adults have a right to behave like complete idiots if they wish to, it seems reasonable that children, who lack both mature judgment (such as it is) and experience, deserve some protection.

However, people need to realize that, outside the realm of science fiction, this is not a problem that has a technological solution.  Even if it were possible to develop a peripheral device that would automagically detect a persons age, it really wouldn’t solve the problem; all the server on the other end of the transaction can do is to verify that the bit pattern it receives indicates the user is 13 (or 18, or 21).   Were such a device to be developed, I would not expect it to be long before some enterprising teenage hacker produced a “spoofing” device.

Facebook and other social-media sites have said that authenticating age is difficult, even with technology. A Consumer Reports survey in 2011 estimated that 7 million preteens are on Facebook.

It’s not difficult; it’s effectively impossible.

The other thing that all of us, kids and adults, need to remember is how businesses like Facebook work.  It may seem, as you sit perusing your friends’ postings, that you are a customer of the service.  But the customers are actually the advertisers who buy “space” on the service, which has every incentive to provide the customer with as much personal information as possible, in order to make ad targeting more effective, thereby supporting higher ad rates.  When you use Facebook, or other similar “free” services, you are not the customer — you are the product.

OUCH on Passwords

One of the “Useful Links” in the sidebar here is to the SANS Internet Storm Center [ISC].  The site, staffed by volunteer “handlers”, a group of highly skilled and experienced security professionals and systems/network administrators,  is a very valuable source of the latest security news.  It is, however, a site aimed at IT professionals, and tends, understandably, to be fairly technical, and to assume a fair amount of basic IT knowledge for starters.

However, to their credit, the folks at ISC have not neglected the ordinary user.  It has had, for a couple of years now, an initiative called Securing the Human, which attempts to address security policy issues considering the users’ perspective.  (In the interests of honesty, from personal experience, I am bound to say that this is probably not entirely from altruistic motives — better educated users are, on the whole, less likely to make terminally stupid mistakes.)    The Securing the Human initiative has also involved publishing a newsletter called OUCH!, which is oriented toward end users.

The latest issue of OUCH! has a short (three-page) article on good password practice [PDF].  It has some good, common sense advice that will help you use passwords securely.  If you are a systems admin person, you might want to consider giving copies to your users.

I’d just make one final suggestion: using a password manager, such as Bruce Schneier’s PasswordSafe, can be a big help in managing your passwords, and using them well.

Dotty Security Arguments

Bruce Schneier has an excellent opinion piece over at CNN, in which he discusses the criticism directed at security and intelligence agencies for not discovering and stopping the Boston Marathon bombing.  The litany of complaint is familiar enough:

The FBI and the CIA are being criticized for not keeping better track of Tamerlan Tsarnaev in the months before the Boston Marathon bombings. How could they have ignored such a dangerous person? How do we reform the intelligence community to ensure this kind of failure doesn’t happen again?

Just as after the atrocities of 9/11, the agencies are being criticized for failing to “connect the dots” and uncover the plot.

Now, there have been specific incidents in connection with terrorism that one might think would raise some suspicions (for example, the 9/11 hijackers who took flying lessons but didn’t want to learn how land the plane).  But for the most part, as Schneier points out, “connecting the dots” is a bad and misleading metaphor.

Connecting the dots in a coloring book is easy and fun. They’re right there on the page, and they’re all numbered. … It’s so simple that 5-year-olds can do it.

After an incident has occurred, we can look back through the history of the people and things involved, and attempt to piece together a pattern.  But that is possible only because we know what happened.  Before the fact, real life does not number the dots or even necessarily make them visible.  The problem, generally, is not that we have insufficient information.  It’s that we don’t now which tiny fraction of the information that we do have is relevant, and not just noise.

In hindsight, we know who the bad guys are. Before the fact, there are an enormous number of potential bad guys.

I heard a news report a few days ago saying that Tamerlan Tsarnaev, the elder of the two brothers, had taken part in a monitored telephone call in which the term ‘jihad’ was mentioned.  Lumping together telephone calls (including those by reporters, of course), radio and TV broadcasts, and other forms of electronic communication, how many times per day would you guess that word might be mentioned?

As Schneier goes on to point out, this is an example of a psychological trait called hindsight bias, first explained by Daniel Kahneman and Amos Tversky,

Since what actually happened is so obvious once it happens, we overestimate how obvious it was before it happened.

We actually misremember what we once thought, believing that we knew all along that what happened would happen.

Telling stories is one of the primary ways that people attempt to make sense of the world around them.  The stories we construct tend to be a good deal tidier and more logical than the real world.  There is a strong tendency to adjust the “facts” to fit the story, rather than the other way around.  (This is one reason that science is hard.)

You can observe this tendency regularly in reporting on financial markets.  For example, whatever the stock market did yesterday — go up or down, a little or a lot — you can be sure that some pundits will have an eminently plausible explanation for why that happened.  You are very unlikely to hear anything like, “Well, the S&P 500 went down 500 points, and we don’t have a clue why it happened.”  (I have been saying for years that I will start paying attention to these stories when they are published before the fact.)

It is certainly sensible, after any incident, to look back to see if clues were missed, and to attempt to learn from any mistakes.  But it is neither sensible nor realistic to expect prevention of any and all criminal or terrorist activity.

Update Tuesday, May 7, 17:05 EDT

Schneier’s essay has now also been posted at his Schneier on Security blog.

Anti-Virus Updating

The folks over at the SANS Internet Storm Center have a recent diary entry on keeping anti-virus (AV) software up to date.  This kind of anti-malware protection typically tries to recognize “evil code” on the basis of a set of heuristics, or by recognizing bit patterns in the code itself (these are sometimes called “signatures”).  These elements, especially the signatures, need to be updated as new varieties of malware are created and discovered “in the wild”.   (The defender is always, in a sense, trying to catch up, since a new type of malware has to be found and identified as such before a signature can be developed.)

The contributors to the article are all very capable systems administrators, and I think it’s well worth a read, especially if you are responsible for a bunch of PCs.  (There are also some comments following the article itself; they are, as usual, sort of a mixed bag.)  I’d take away these suggestions from the discussion:

• You may need to schedule AV updates more frequently than your initial instincts (one participant suggests hourly), to account for the fact that the updates will not all run every time they are scheduled.  (Machines may be rebooting, or turned off, for example.)
• Because updates are not guaranteed to occur on the advertised schedule, it’s important to measure how up to date your machines actually are — if there are big discrepancies, try to find out why and fix the problem.
• AV software is one layer of defense, but is certainly not a total solution.

Probably the most important advice is this: if a machine has been compromised by malware, it is highly improbable that AV software, or anything else, will be able to clean or repair it.  Modern systems, and the malware that attacks them, are so complex that figuring out exactly what has been affected, compromised, or corrupted is effectively impossible.  The only reliable recovery method is “nuking from orbit”: wiping the machines hard drive(s), and reloading the OS, applications, and data from known clean backup copies.  Yes, it is a bloody nuisance, but it’s really the only way to make sure that you have a clean system.

A Safer Form of Fertilizer?

A tragic accident, perhaps compounded by carelessness, led to a fire and explosion in a fertilizer plant in West TX on April 17.   (Just to clarify a point which was slightly confusing in the initial reports, ‘West’ is the actual name of the town.)  The news was somewhat overshadowed by the bombings at the Boston Marathon on April 15, but the disaster killed 14 people, injured many more,  and devastated the small town.  The plant apparently had stores of anhydrous ammonia (NH₃), a gas, and ammonium nitrate (NH₄NO₃), a solid.  Both are very commonly used as components of fertilizers.  Ammonia is a strong irritant, and a health hazard, but doesn’t burn in air except in very high concentrations (roughly 15-25%).  Ammonium nitrate is also an irritant; however, it is also a powerful oxidizing agent, and can form explosive mixtures with many organic compounds.

In fact, ammonium nitrate has been used, mixed with fuel oil, to make bulk industrial explosives for routine use, because of its low cost.  It has also been a popular ingredient for improvised explosive devices (IEDs) and vehicle bombs, such as the one set off at the Murrah Federal Building in Oklahoma City in 1995.  Because of its potential for misuse, there are regulations concerning its storage and use, but these are apparently not always followed.  (It appears that the plant in West did not report its February inventory of 270 tons to the Department of Homeland Security, as the law requires.)

An article at the Gizmag site reports that Kevin Fleming, an engineer from Sandia National Laboratory, has developed a technique for compounding ammonium nitrate so that it can’t be used to make fuel-based explosives.

Knowing that in ammonium nitrate the ammonium ion is weakly attracted to the nitrate ion, and that the right chemical reaction can pull them apart, Fleming decided to look for a compound they would rather cling to that could be added to the ammonium nitrate. He tried several materials, including iron sulfate, a readily available compound discarded by the ton from steel foundries.

If someone attempts to mix fuel into the ammonium nitrate / iron sulfate mixture, they will end up with ammonium sulfate and iron nitrate, neither of which will form an explosive mixture.

The addition of iron sulfate does not degrade the usefulness of the fertilizer; in fact, it probably makes it slightly better for environments with alkaline soils.  Adding iron to the soil may also incrementally improve the iron content of vegetable crops.

Since iron sulfate is cheap — it’s a waste product from steel production — this technique might be an economical way to reduce the risk of explosions, accidental or otherwise.

Update Monday, 29 April, 22:16 EDT

Here is the original Sandia Labs information release.  Their server appears to have been down last  night.

Microsoft, Verizon Release Security Reports

Two new reports have just been released dealing with the state of Internet security; one is from Microsoft, and the other from Verizon.  If you are interested in security, I recommend both reports as interesting, if sometimes rather depressing, reading.

Since 2008, Verizon’s RISK Team has published an annual report summarizing security and data breach incidents, and categorizing them on various criteria (e.g., who did it?  how was it done?).  The 2013 Data Breach Investigations Report [PDF] analyzes data from more than 47,000 security incidents, and 621 confirmed data breaches.  This year, the report attempts to assess the prevalence and origins of “espionage” attacks: those whose primary motivation was not mischief, or financial gain, but theft of trade secrets and other intellectual property.  There is also an Executive Summary [PDF] available.

Microsoft’s Security Intelligence Report (Vol. 14) [PDF], which covers the period July through December, 2012, is (as you might expect) more focused on software security issues.  The report looks at the software security vulnerabilities that have been disclosed, and the exploits that have been detected, and attempts to identify particular problem areas and trends.  As has been true for some time, the most common type of exploit is one involving HTML and JavaScript; document-based and Java-based exploits, two other hardy perennials, showed a significant increase in the second half of 2012.   There is also a Key Findings [PDF] summary of this report.

I have not had a chance to read these reports yet, but will post further comments here when I have.   An essential part of any sensible security analysis is an evaluation of the threats one is guarding against.  These reports should provide some information useful in that exercise.