Posts Tagged ‘hacker’

Student Hackers on School Laptops

February 23, 2010

According to the Sydney Morning Herald ‘thousands of school students on Facebook and other websites are exchanging tips on how to hack into free government-issued laptops’.

More than 66,000 laptops have been handed out as part of Australia’s ‘digital education revolution’.  The laptops employ filtering, theft protection and system identification to help protect both the laptops and the users themselves from harm.

In my previous role I worked with schools educating teachers about security and appropriate use of the technologies they were given.  I did some consultation work with Australian education authorities who were looking at implementing a computer security curriculum for high school students. It was all pretty sound until I realised there was no mention anywhere of the actual consequences of misusing technology i.e. malicious hacking, spying, or otherwise circumventing security.

It’s no surprise then that this story has appeared. As a teenager with a C64 I too might have been involved in making dodgy ‘back-ups’, cyberbullying with the green screen TRS-80s in the local LAN, and had the internet been around I might have even taken a peek through the fence at the seedier side of the net. As the spokesman for the NSW Department of Education put it, most breaches were “a result of the curiosity of tech-savvy 15-year-olds testing their skills against the security features of the laptop or downloading copyright material”.

Having a lesson on ‘the consequences’ of bad online behaviour would never be enough to deter some of these students from poking around where they shouldn’t. But learning that there are consequences, and that there are security mechanisms such as forensic audits which can catch you out might be enough to make some think again.

A while ago I spoke with a few people in the security industry about putting together a programme where security experts went into schools and demonstrated forensics, password cracking, and so on to try and excite those tech-savvy 15-year-olds into thinking about using their talents for good. The sessions would close with the warning that if they were ever convicted of hacking crimes they could probably kiss a career in the security industry goodbye.

Maybe it’s time to put something into place.

2008 IT Security Blunders

December 10, 2008

I love these lists. At this time of year we start hearing about the top ten whatevers of this year and the predictions for top ten whatevers for next year. The lists are often thought provoking and provide a nice refresher on the last 12 months.

On security island the pundits release their views of the year’s biggest breaches and then predict next year’s top ten threats. This is of course a promotional exercise and often ends with “To protect against many of these threats companies should invest in our product X”.

I was expecting NCC Group’s list of Top Ten IT Security Blunders of 2008 to follow a similar vein. But as I read through the list I realised why this one was titled blunders rather than hacks, breaches or compromises. Blunder is a term used to describe a human behaviour. At least half of the items in NCC Group’s list are direct results of a human doing something stupid, no malicious intent involved. Here is the list described in simple terms:

  1. MoD lost 200 devices (including 4 desktop computers. How do you lose a desktop computer? A memory stick is understandable, but a desktop you have to unplug everything, physically lug it somewhere, then forget about it entirely with no memory of where you put it)
  2. Hackers infiltrate presidential candidates’ email
  3. Hackers infiltrate hockey mom’s email (albeit due to poor use of security questions)
  4. A laptop containing data on millions of individuals to be auctioned online (the owner was an archiving firm, for goodness sake!)
  5. AOL hands over information on the searches of 650,000 customers
  6. Home Office loses a memory stick containing data on 127,000 criminals
  7. Booking system hacked – 8 million customer details lost
  8. Facebook hands over dates of birth of 80 million users
  9. 38,000 credit card details stolen from retailer
  10. Data stick containing security information of government IT systems left in the car park of a pub.

For some time now the IT security industry has been warning about the high proportion of breaches which occur simply through human error, stupidity, forgetfulness or just general lack of awareness. While technologies such as encryption can help protect data on memory sticks (which seems like an ironic name), this list highlights the growing need for awareness-raising measures, be they training, posters and other reminders, or regular reviewing of IT policies by both staff and managers.

Unfortunately there are still many (probably the majority, in fact) IT managers who value technical solutions over and above trying to educate the ‘ignorant’ masses. After all, computers have been these managers’ friends. They behave predictably, can easily be fixed or replaced, and have never stood in the way of scoring top jobs. Unlike their human colleagues. Typically, IT managers have far too much influence over general company direction. Their specialised technical knowledge of mission critical company resources allows them to baffle and bulls__t at strategic meetings, placing disproportionate emphasis on their own narrow field of expertise, i.e. technical solutions.

So my prediction for the foreseeable future is that until we see as much time, effort and money go into securing the meatware as the hardware and the software, we will continue to see Top Ten IT Security Blunder lists, with ever increasing losses.

Androids Don’t Need Anti-virus?

November 10, 2008

Computerworld has this story about a security analyst who, even after finding the ‘first’ vulnerability in Google’s new Android mobile phone operating system, seems to think that the OS is secure enough not to need AV software.

Computerworld NZ - Android story

Miller is quoted as saying “If you want to do anything dangerous like access personal contacts, you have to specifically say to the virtual machine ‘these are things I’m going to have to do,’ and the virtual machine will ask the user if that’s OK.”

The problem with this is that it relies on the user being able (or being bothered) to give a satisfactory answer. Peter Gutmann says that relying on users to always make a sensible decision is ultimately flawed because it relies on the user being omniscient – knowing exactly what they want and how to achieve it.

The story then goes on to say that hackers have found a way to install software on the phone bypassing the virtual machine! So even if the user is expert enough to understand whether an application should be allowed access to the Android OS, a hacker can bypass this security feature anyway.

Although this type of attack is not unique to Android, the article claims people don’t generally use their phones for accessing the same kind of important data they do on their PCs, making phones less of a target.

Nevertheless there are several antivirus software offerings for mobile phones. This is a good thing. Having worked in a polling booth this weekend and seen how many adults couldn’t even work out how to place two ticks on the ballot paper, I’m not hopeful that they’d competently answer a question thrown at them from an android.
