Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

Information Wants to be Free

A lawsuit that has recently been reported on highlights just how much information trends towards being free over time. The Internet Archive project, and a law firm that was using the Wayback Machine for research purposes, is being sued by HealthCare Advocates. The concern is that the Internet Archive was illegally storing unauthorised copies of web pages in their archives.

While any number of Internet search engines store cached copies of web pages, the issue in this case is that the Internet Archive did not respect the robots.txt file present on the HealthCare Advocates site. A robots.txt file is a short text file placed in the top level directory of a website with instructions for web spiders and Internet search bots about which area of the site can be indexed, and those areas which should not be looked at. Some spiders do not respect this voluntary instruction file, and investigating the robots.txt file is an elementary part of web based hacking, as it provides the attacker with an easy indication of possibly sensitive areas of the site. Apparently the Internet Archive was not respecting the robots.txt file in place on the HealthCare Advocates site, although the evidence suggests that the robots.txt file blocking the Internet Archive was placed on the site following the start of the lawsuit and after the Internet Archive had already archived the pages.

Even with the robots.txt file and other systems in place, it is important to recognise that information will always move towards being free. Internet search engines will cache information long after it may have been removed from the active Internet, and specialist sites will cache / locally copy information that they feel is interesting. Placing information on a website on the Internet is a decision to distribute it, allowing infinite copies to be made of the information. In essence, it provides a tacit approval for localised copying of the information, even if instructions are given not to copy the information, such as through No-Cache headers in HTTP. No matter how well information is supposedly protected, nothing can effectively be done about the 'analogue gap' (or 'analogue hole'), where the information is rendered or otherwise presented for human consumption. If you can see it, it can be copied. Likewise, the best digital rights management solutions will always fail, due to this gap:

A part of the problem comes from people who do not understand how the Internet actually works. There are people who still think that once they download something from the net, that it will not be available for anybody else, and that web pages are only sent out to the browser when a request is made, not available all the time - even if no one is looking at them, and when you close your browser the documents disappear. The difficulty comes in applying existing knowledge of data management and information replication to computerised and networked operations, almost all of the analogies used just do not work well. The problem with that approach, however, is that without the use of weak analogies, people with lower levels of technical understanding will never understand the technology, and this includes lawmakers, law enforcement, and the general populace. This approach leads to the legal decisions and lawmaking which appears counter intuitive to technically minded people, and misunderstanding of the application of such laws - such as the recent US Supreme Court ruling on P2P applications, which is still being reported as having made P2P applications illegal (which is incorrect).

Now that it is understood that information wants to be free, the idea of a national ID card system in Australia will, at one stroke, introduce the most desirable database for identity theft. With such an enticing database to criminals, it will only be a matter of time before it gets compromised, and the total database will be in criminal hands. It will be the greatest gift to identity theft. There will be naysayers who will deny that this is going to happen, but that stance is ignorant of reality. Last week's column provided an example where almost any personal information on Russian residents was available on the street, at public markets. The hacker arrested for breaking in to NASA and US Military systems claimed this last week that the systems were woefully protected, with one particular group of machines being installed with a blank administrator's password, allowing him to gain full control without actually needing any effort.

Although obscured in the PDF version of his indictment, the addresses of the attacked sites are fully visible when the information is copied across to another editor. This is merely the latest in a string of faux pas by companies and Government agencies that have failed to adequately obscure information before release. Another highly public example was the US report on the shooting of the Italian hostage following her rescue in Iraq. The full report was readable after copying it across to a text document, including the blocked out sensitive text.

Sticking with Australian news, an Australian man has been successfully found guilty for linking to sites which held illegal content (illegally shared music files). In addition, the ISP providing space and network connectivity for the site has been found to be a guilty party, as well. The case in question was actually mentioned a number of weeks ago in this column, and the ruling has now been handed down. In this case, the guilty party was knowingly linking to illegal content, and the ruling is in line with what the Dutch legal system seems to have taken in their approach, in that knowingly linking to illegal content constitutes an offence, but unknowingly linking to it does not.

This ruling actually has some pretty far reaching effects, if they are thought through. Search engines such as Google, Yahoo, MSN Search, Altavista, Sensis, and others, could be held liable for the sites that they archive in their indexes, as they must be aware that they are linking to illegal content as a part of their indexes. Already some foreign service providers are blocking Australian IP addresses from their services, though this is not widespread at this stage. This sort of decision is not actually without precedent. Major search engines have to prevent certain content from being presented to certain national IP blocks. For example, content relating to Nazis can not be presented to German web users, and the Great Firewall of China is designed to block content deemed unsuitable for Chinese web users, such as news articles critical of Chinese Government policy and actions. The adage that 'The Internet treats censorship as damage, and routes around it' is true, and this case will only result in a minor hiccup for the information flow dealing with illegal content. The multi-nation raids by law enforcement recently that shut down a number of warez servers (8 in total), will only result in a minor disruption of supply to the multitude of warez downloaders, as they adjust to alternate sources, and continue unabated. In the same way, shutting down sites hosting BitTorrent files which point to illegal content, will not work, as users adjust to sites located out of reach of the legal agencies chasing after them. A more practical example is spam email. Even with the US CAN-SPAM anti-spam legislation, the USA is still the source of more than half of global spam content. Relays in China are a popular choice for people who choose to operate out of reach of local law enforcement branches.

Related back to the original content on information wanting to be free is the idea of banning information. With the freedom of information that the Internet, and associated file sharing networks, provides, it becomes essentially impossible to filter all network traffic to proactively block content that has been banned, or is illegal. Actions taken by national classification bodies, such as the Australian Office of Film and Literature Classification, in banning movies or books automatically creates a demand for the banned content, as people seek to discover for themselves exactly what it was that got it banned. Likewise, attempts to ban or restrict access to information will eventually see it being set free by people who desire to handle the information, and who do not wish to see it suppressed. This can go too far, and descend into paranoia and conspiracy theory, and it only takes a cursory glance at major recent global events such as the September 11 events, and the invasion of Iraq, to see people who are endeavouring to free information, and those who have gone too far into conspiracy to claim that September 11 was co-ordinated by the US Government, although some of their other claims do appear to warrant further investigation. If it wasn't for people endeavouring to uncover information which others have tried to hide, the Iraq dossier would have gone unquestioned, the Downing Street memos would never have surfaced, and, going back in history, the Watergate affair would never have been made public.

With the above mentioned court case, the ruling has created an ironic situation, in that the published court documents have done more to draw attention to the illegal content, and advertised it wider than any of the efforts by the convicted parties. Some observers have suggested that the court be held to their own standards, and charged with the same offences for this action. Other observers have drawn parallels to the "Index Librorum Prohibitorum", the list of banned books by the Roman Catholic Church, which, itself, apparently is banned / suppressed, and by its very existence has created demand for the titles contained within.

In more positive news from the week, a 27 year old Chinese student has been arrested in Japan for hacking into a Tokyo travel agency's website and stealing personal data of about 90,000 customers. The breach happened back in March and was part of a wider spree which involved hacking into 14 business sites, and stealing half a million data entries. Apparently some of the data was on sold to unidentified parties, but it does not appear that any of the information has been used inappropriately ince its theft. The attacks were made possible through SQL injection attacks, a common form of Internet based attack against websites and web applications.

At the end of last week, the SpreadFirefox website, which is used to increase awareness of the alternative web browser, was subject to an attack via a published vulnerability in the Drupal Content Management System. Spread Firefox does not believe that any personally identifying information was compromised during the attack, and they believe that the purpose of the attack was to use the system for spreading spam messages.

In some fun news for digital rights supporters (not digital rights management supporters), an executive who believes the implementation of DRM solutions for his company's products is essential, has been caught out violating the DRM of another company in order to fix problems he encountered with their DRM and his ability to use their software. Although the position he was arguing from was that DRM that gets in the way is not the best form of DRM (so his stance on DRM hasn't really changed), the very fact that he took steps to violate existing DRM, and publicised the fact means that he appears to be wearing quite a bit of egg on his face. If he had stopped at the point of saying that poor DRM solutions are actually stumbling blocks to usefulness of a product, then nothing would have been out of line. The problem came when he took the next step and actually cracked the DRM implementation. The executive decided that HE was the one to decide that that particular implementation of DRM was not 'good', and because it didn't meet HIS requirements that it was okay to crack it for HIS needs. The problem with this approach is that he has placed his personal beliefs and convictions over what the law has set down, and it places him on the same level as every other 'pirate' who sidesteps DRM processes to get what they are after (such as music and movie downloaders).

More people are picking up on the adjustment by Microsoft's Anti-Spyware product with respect to the detection of Claria spyware. The default recommendation has now changed to Ignore, not Remove, which is causing rumours amongst various groups that Microsoft is losing the good faith that their Spyware removal product had established (prior to this it was one of the better spyware removal tools).

The Card Systems 40 million credit card breach that was reported on recently has moved into the news again, with a number of different groups claiming that they were the ones who were responsible for the fraud being detected and announced. This includes CardSystems, who claim that they delayed the announcement due to FBI request (the FBI deny this), MasterCard, who made the first major Press Release, and various Australian credit card providers, who claim that they alerted this breach back at the start of the year. Finger pointing and blame shifting is only going to get worse, as a couple of retailers are launching a class action suit against the major credit card providers and processors in an attempt to get them to accept liability for their actions, and provision of cards and services.

Keeping track and accountability of IT assets is an ongoing concern for a wide range of organisations and companies. The United Kingdom Ministry of Defence, in particular, has had a number of high profile losses in the past, and figures have recently been released that indicate that the various branches of the UK government have lost 150 computers so far in 2005. The Home Office is the greatest culprit, with 95 machines lost, and the MoD has lost 23 machines so far. Proper data management policies will mitigate the exposure of critical information through system losses, and companies should be able to identify what information is being stored on their systems. Unfortunately, history has shown that most companies are not aware of the information being stored on their various systems, and are unknowingly exposing themselves to potential exposure of this information (much like security of wireless access points).

An article on The Register discusses the significant issues caused by domain hijacking. A recent significant hijacking included anonymous webmail provider, while the hijacking is a famous case which took a lot of resources and time to resolve. The concern with domain hijacking is that seemingly legitimate domain transfer requests are sent to registrars seeking to move domains to new addresses. If successful, this then directs all website traffic to the new address, where the hijacker could be serving up malware, capturing visitor information, and denying service to the legitimate site. Domain owners should ensure that domain locking is applied to their registration, and that their registrar is to contact them via telephone any time that a change request is submitted. These efforts will not stop upstream transfers, but will stop most hijackings. Even if a site has been hijacked, the legitimate site will still appear at the original IP address, and can still be found via http://123.456.312/ , for example.

18 July 2005

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.