Category Archives: Security

The Cookie Monster is here


The UK’s implementation of the EU cookie regulations comes into force this Saturday and the web design world is frantically trying to work out what to do! First, a bit of background on cookies and how we got here.

Cookies make the web go round – they’re how a website remembers who you are so you don’t have to remind it every time you load a page; they allow websites to personalise what you see; they make online shopping possible by remembering what’s in your shopping basket; and they allow website owners to track the performance of sites to determine what’s working and what isn’t. Suffice it to say, without cookies the web would be a sorry place.

But they also have the potential to be abused. They can reduce your privacy by tracking what you do online. By linking information together it could be possible for sites to build up a detailed profile of your online behaviour, and the EU decided to act to better protect users’ privacy.

The UK’s implementation of the EU regulations is being enforced by the ICO, who have issued guidance, but things are never that simple! There isn’t – so far – an accepted “right” solution to compliance. The ICO themselves have taken quite a hardline approach – a bar across the top of every page asking for permission to set cookies. When this launched it had a devastating effect on their ability to analyse site usage, which is vital if you’re going to build good websites.

BT and the BBC take a bit more of an opt-out approach by telling site visitors they will receive cookies unless they say otherwise.

These notices show the first time a visitor comes to the site and, in BT’s case, disappear after 10 seconds – much less off-putting and probably clearer than a simple “Do you want cookies?” prompt, but is it enough to satisfy the ICO? Only time will tell!

While it is still unknown whether implied consent is acceptable, one thing that is generally agreed is that providing the user with more information in a form that they can understand is a Good Thing™, so that’s where we’ve started.

[I should note much of what we’ve implemented so far is based on a very pragmatic post by James Cridland of Media UK]

  1. We’ve added notices to key login pages like GO to say that you’re going to have to accept cookies if you want to log in. We’ll expand this to other services like the online shop and Rose Theatre ticket office in due course.
  2. We’ve added a Cookies page to the site listing how we use cookies and what for. I’m sure this isn’t 100% complete so if anyone would like to let me know about gaps then please shout!
  3. We make a distinction between cookies which link to personal information and those that don’t.
  4. We link to instructions on how to manage cookie settings and mention “private browsing” modes in modern browsers as an easy alternative.

As James says in his post, #3 is the most contentious:

ICO is primarily concerned with personal information and personal data – and I’m registered under the Data Protection Act and take personal data very seriously. However, Google Analytics and AdSense cookies, etc, are anonymous, and will only ever contain personal information if you deliberately log in to Google services (and even then Google claims not to link Analytics or AdSense with your Google account anyway). The same goes for Twitter and Facebook too. And the ICO go out of their way to say, in their advice: Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.

What does this look like? The cookie page is linked to from the header and footer of every page:

The Learning Edge landing page is a bit more explicit about how it makes use of cookies:

Depending on feedback from our users and others in the sector we may roll out some form of non-interrupting information box along the same lines as the BBC’s approach. We have also done some work on a cookie level chooser like BT have but the technical implementation across multiple in-house and third party systems is non-trivial.

If you have any feedback or questions about Edge Hill’s approach to cookie legislation compliance please leave a comment or get in touch and I’m sure there will be more changes to come!

How to choose a password

Password security is very important to protect users and computer systems from malicious activity. Often complexity is encouraged by suggesting the use of numbers and punctuation in an attempt to make passwords harder to break. This logic is to a large degree flawed: such passwords are not harder to crack, and they are less memorable, leading people to write them down (which, as I hope you know, is very bad practice).

But it is possible to have easy-to-remember and secure passwords by choosing a short phrase. Although it might look easy to crack, it’s not, and the brain is very good at memorising phrases.
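To put a number on that claim, here is an added example (not from the original post) that estimates the guessing effort for the two styles. The attacker model (a dictionary word with predictable decorations versus randomly chosen words), the 64k-word dictionary, the 7,776-word list and the guess rate are all assumptions.

```python
import math

# Added example: estimate the guessing effort for two password styles.
# The guess rate and the attacker model are assumptions, not figures from the post.
GUESSES_PER_SECOND = 1_000  # assumed rate for an online attack against a login form


def bits_from_choices(choice_counts):
    """Entropy in bits of a secret built from independent uniform choices.

    Each entry is the number of equally likely options for one part of the secret.
    """
    return sum(math.log2(n) for n in choice_counts)


def complex_password_bits():
    """A 'word with numbers and punctuation' password as an attacker models it:
    a common dictionary word plus a few predictable decorations, not random characters."""
    return bits_from_choices([
        65_536,  # base word drawn from a ~64k-word dictionary (assumption)
        2,       # first letter capitalised or not
        4,       # one of a few common letter-to-digit substitution patterns
        10,      # trailing digit
        10,      # trailing punctuation mark from a small popular set
    ])


def passphrase_bits(words=4, wordlist_size=7_776):
    """Short phrase of words picked at random from a Diceware-sized list (assumption)."""
    return bits_from_choices([wordlist_size] * words)


def average_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit the secret: on average half the space is searched."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for label, bits in (("complex password", complex_password_bits()),
                        ("four-word phrase", passphrase_bits())):
        days = average_crack_seconds(bits) / 86_400
        print(f"{label}: {bits:.1f} bits, ~{days:,.0f} days at {GUESSES_PER_SECOND} guesses/s")
```

Under these assumptions the decorated word comes out at roughly 26 bits (hours of guessing) while the four-word phrase is roughly 52 bits (tens of thousands of years), which is the point the comic makes.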

Of course xkcd has a comic to demonstrate this perfectly:

Facebook Privacy

There’s been quite a lot in the news lately about a backlash against Facebook’s privacy settings with many people believing their attitude to personal information security is too lax. This isn’t a new issue – nearly three years ago I blogged about it – but now that Facebook is so huge across the board and not just amongst university and college students the debate has started to reach further.

Facebook have responded by trying to be more open about what configuration options are available and explaining how to control what you share. They provide shortcuts to restrict the level of information shared to “everyone”, “friends of friends” or just “friends”, along with a comforting-sounding set of “recommended” settings. I imagine most people will choose this, which is pretty scary. Take a look at what that means you will be publishing:

Recommended Sharing Settings

Choosing the recommended settings means everyone – not just Facebook members but the general public – will be able to see status updates like the ones you post when you’re mad with your boss, photos you took at the end of a night out, or biographical details like where you work. Information available to “friends of friends” opens the door to the 1200 “friends” your 17-year-old cousin has, and do you really want them all seeing photos of you?

We shouldn’t be too critical of Facebook – they have a business to run and shareholders who expect them to maximise profit from advertising, which means persuading you to be as open as possible with the information you share. The onus is on individuals to carefully consider the information they share and the implications it might have on their life. More importantly, this isn’t a one-off job – you should be reviewing privacy settings on a regular basis.

What do I do? I have a set of custom settings which generally means only friends can see what I publish except the groups “Limited Profile” and “Colleagues”:

Sharing on Facebook

On the other hand I use Twitter, Flickr, foursquare, delicious and many other services where information I publish is completely public but I understand the risks involved and am constantly aware that everything I write online could come back to bite me.

JANET CSIRT

Today I was at the JANET CSIRT Conference, held at the International Coffee Organisation facility in London (I booked on before I knew where it was being held… honest!).

The conference covered a variety of security-related issues and I’ll give a brief summary below.

A shared approach to Information Security – Matthew Cook, Loughborough University

The EMMAN Shared Information Security Service (ESISS) can provide a complete portfolio of services to your organisation. These services are designed to reduce the risk of significant information security breaches and reduce the associated costs of prevention, management, remediation and audit activities.

Matthew Cook gave an overview of some of the services offered by a new shared service from EMMAN. Much of it was what you’d expect – consultancy, penetration testing, network health checks and so on but I was surprised by one of their new services.

Currently in development/testing and due to launch in the new year, they’ll be offering reputation management to monitor the interwebs and send a weekly report to technical and PR/marketing teams alerting them to any problems with your site. It will check social networks like Twitter and blogs, as well as more technical problems like spam comments on blogs linking to dodgy websites.

There are a number of companies that offer this type of service already and it will be interesting to see how they differentiate themselves. I’ve not looked at many other services but ESISS’ pricing doesn’t seem outlandish… as long as it’s of benefit!

The issue I have with it is the weekly nature of the email reporting. A week is a long time on Twitter. Recent examples like #janmoir and #carterruck have exploded in a matter of hours, so waiting seven days before detecting and responding to criticism online isn’t an option.

I do hope ESISS are successful with this service – there are far too many snake oil merchants in the reputation monitoring game and so an organisation without the commercial pressures would be welcome but whether they’re able to keep pace with the fast changing social media landscape – as well as provide their more traditional consultancy services – remains to be seen.

The Value of Security Testing – Rory McCune, NCC Group

A great Security Testing 101 session which really helped bring me up to speed with some of the terminology involved. It showed the different levels of testing that can be undertaken.

The big thing I took away from this session is not to trust third party vendors. They usually have no interest in security, so either test software yourself or as part of a consortium. Get security written into contracts to ensure that it’s the vendor’s responsibility to fix any problems.

Traffic monitoring and basic anomaly detection with Netflow – Nick Reynolds, ULCC

Using the NetFlow protocol built into Cisco and some other network kit, Nick showed how they are monitoring traffic at student residences and FE colleges in London. Building on basic MRTG charts, they provide more advanced reporting for staff within colleges who may not have the time or skills to undertake regular monitoring. From there they have built pattern analysis software which looks for unusual traffic patterns passing through routers as a sign of breaches of security or usage policies. It is still a little rough looking, but it shows what’s possible using a few open source tools and a little development time.

SQL Injectors – Simon Baker, SEC-1

How to scare a web manager in 35 minutes…! Using Microsoft SQL Server and ASPX as examples – not tools we develop in directly, but we do have third party SQL Server/IIS systems – Simon demonstrated a few SQL injection attack vectors which seem alarmingly easy. Different attacks accomplish different things, but with certain versions of SQL Server it’s even possible to execute commands!

If ever there was an argument for using an ORM to ensure all database interaction is correctly escaped, then a session like this will prove it! Prize goes to this session for best use of an xkcd comic strip in a presentation:
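To make the contrast concrete, here is an added example (not from Simon’s talk) showing the same user lookup written by string concatenation and with a bound parameter, which is what an ORM does for you underneath. SQLite stands in for SQL Server, and the table and users are constructed sample data.

```python
import sqlite3

# Added example, not from the talk: the same lookup written the injectable way
# and the parameterised way. SQLite stands in for SQL Server; the table and
# users are constructed sample data.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement by string concatenation, so the input becomes part of the SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Passes the input as a bound parameter; the driver never interprets it as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed probe: closes the quoted literal and appends an always-true condition.
    probe = "' OR '1'='1"
    print(find_user_vulnerable(conn, "alice"))  # ['alice']
    print(find_user_vulnerable(conn, probe))    # ['alice', 'bob']  every row leaks
    print(find_user_safe(conn, probe))          # []  treated as a literal username
```

The same distinction applies to any driver: the fix is binding parameters (or an ORM that does so), not hand-rolled escaping.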

Web Application Security, OWASP – Dinis Cruz, OWASP

Somehow Dinis managed to get through three presentations, each with dozens of slides, in his 40 minute slot! I must admit it was a little bit too much to take in, but the general gist was that OWASP (Open Web Application Security Project) is great and that we should all get involved. It certainly seems to have a lot to offer. Their best known project is their Top Ten website vulnerabilities:

  1. Cross Site Scripting
  2. Injection Flaws
  3. Malicious File Execution
  4. Insecure Direct Object Reference
  5. Cross Site Request Forgery
  6. Information Leakage and Improper Error Handling
  7. Broken Authentication and Session Management
  8. Insecure Cryptographic Storage
  9. Insecure Communications
  10. Failure to Restrict URL Access

The use of a mature web framework helps avoid many of these problems but it’s probably time for us to do a full audit.

OWASP also offer a huge amount of other material, from books to approval processes and tools. One of their project strands concentrates on Education, to get students trained up with the correct skills. Dinis said something along the lines of:

The majority of IT Security professionals are screwed because they don’t know how to code.

Computing students and developers alike are well placed to get the skills required to create intrinsically secure websites – so-called “security experts” will struggle to match them on the details.

P2P File-Sharing and Copyright Infringement – Morgan Doyle, NetFort Technologies

The final session of the day was an interesting review of some research undertaken at NetFort into the use of peer-to-peer file sharing – specifically BitTorrent – in a university environment and how it can be detected, tracked and reported on. The reasons for wanting to do this were twofold: to be able to account for excessive bandwidth usage and to respond to DMCA notices.

I must stress that I Am Not A Lawyer, but I thought that DMCA was an American law so I’m not sure how it applies to UK file sharers, and that in most cases illegal filesharing was a civil offence. I’m not condoning breaking the law, but I do question whether it’s the job of universities to do the dirty work of rights holders.

Wrap Up

ICO translation booths

So on the whole a very interesting day. Not necessarily what I expected but very useful and it’s given me lots to think about. The International Coffee Organization is a great venue – where else can you find translation booths and flags on the wall?! I must admit I was slightly disappointed in the quality of the coffee. It was okay filter coffee but I would have expected something a bit more… gourmet?

Finally, it was interesting to note how little backchannel activity there was on The Twitter. A single post from someone saying they were at the conference with the rest posted by me with a few comments from my followers. What – if anything – does this say about networking or security professionals in Higher Education? 😉

Internet Explorer Security Alert

So the BBC have finally picked up the news and jumped on the bandwagon. Mass media are now telling you to switch to a more secure web browser (you know, the thing you’re using to view this web page with).

From the BBC:

The flaw in Microsoft’s Internet Explorer could allow criminals to take control of people’s computers and steal their passwords, internet experts say.

As many as 10,000 websites have been compromised since last week to take advantage of the security flaw, said antivirus software maker Trend Micro.

Are you ready to make the switch? I certainly don’t want my passwords or bank account details stolen and my bank account emptied, do you?

For your home computers and laptops: Get Firefox now!

Steve Daniels

Browser security

My web browser of choice is Firefox. One of the appeals is the pile of add-ons that you can use to personalise the way you view the web. If I were recommending a browser, that’s the one I’d go for.

Opera Stay Secure

As a web developer, I also need to test how pages look in other browsers, so I tend to have the most up-to-date versions of the common ones: IE, Safari, Chrome and Opera.

Yesterday I was looking at Opera’s widgets and noticed “Stay Secure”. It’s useful for very quickly displaying the current vulnerabilities of Internet Explorer, Firefox, Opera, Safari and Konqueror in an unobtrusive graphic on your desktop.

The information is provided by Secunia, and by clicking on any of the browser icons on the graphic the detailed report from Secunia is accessed.

So now, if you were to ask me to recommend a browser, I’d say Firefox, but use Opera (and the Stay Secure widget) for your secure transactions (if the site works in Opera).