The British government is trying to push through legislation called the "Communications Bill" that will force Internet Service Providers (ISPs) to record and store all the point-to-point information for all their users. For example, the dates and times of all the emails a user sent or received and who they were delivered to or from. They are not at this stage asking for the content of the communication to be stored, just the when and who parts.
It's not just emails either, it's all Internet communication, e.g. social networking sites like Facebook and Twitter, voice calls over the Internet like Skype and MSN, webmail services like GMail and Hotmail, Gaming services, etc. It will cost industry billions of pounds to implement.
Advocates of the bill insist the information would only be used by appropriately vetted agencies (e.g. the police or security services) and even then, only after a court order. But I'm not so sure. If a publicly listed company like LinkedIn cannot keep its own customers' passwords secure, and this from a company whose very existence depends on the trust of its users, then what chance is there that communications data held by all ISPs will remain hidden from prying eyes?
LinkedIn's security failed because it didn't follow industry best practices and became susceptible to a dictionary attack. This type of attack has been known about for decades and works because, although the passwords are encrypted, there's nothing stopping an attacker who has access to them from encrypting all known, or at least common, passwords and comparing this to the ones in the database.
An easy way to make this type of attack harder is to use a method called salting. This stores a random value along with the encrypted password. When the user needs to authenticate with the system both the password and the salt are encrypted together and only if this value matches the stored value is the user permitted access. 
An attacker now has to encrypt every possible password for every user, as each user will have a different salt. In most circumstances this makes a dictionary attack infeasible.
LinkedIn's security breach is by no means a one off. There have been thousands of other similar failings in security in companies of all sizes. Sony's PlayStation network faced similar problems in 2011 when the personal information for 77 million users was stolen. The Wired Equivalent Privacy (WEP) standard used in 802.11b WiFi technology to secure communications has been broken and the key for any network using this outdated standard can now be recovered in just a few minutes. The Content Scramble System (CSS) used to encrypt DVDs only uses a 40-bit encryption key and has been comprehensively broken. Even the Advanced Encryption Standard (AES) which went through rigorous peer review, offered 256-bit key sizes and is a worldwide standard has been broken (admittedly only theoretically).
These are examples of just a few high-profile services and standards that are used the world over. There are a huge number of other broken standards that I could have mentioned here. The point is, if these systems were broken so soon after they came into widespread use, what hope do private small to medium, or even publicly large, enterprises have of keeping their users' communication history secret just in case a government agency wants to invade our civil liberties and see who we have been communicating with? If this bill comes into law, attackers will know all ISPs must keep this data, so will develop ever more sophisticated techniques to seize this information.
No comments:
Post a Comment