Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 660 - 679)

WEDNESDAY 28 FEBRUARY 2007

PROFESSOR ROSS ANDERSON AND PROFESSOR MARK HANDLEY

  Q660  Earl of Erroll: The other thing that FIPR thought about was having a "best-before" date on the machines when they are sold because if they have been sitting in the shop for a while the software will be out of date. Do you think this is a practical thing?

  Professor Anderson: I think it would be a very useful incentive for the shops to see to it that the machines are updated when they are sold. It need not be particularly onerous; it could come down to the shop supplying a DVD to the customers, these DVDs contain the relevant updates and could be distributed once a month through the shop's supply chain. That would at least see that when the device came out of the box and was initially powered up, it would not be instantly vulnerable.

  Q661  Lord Mitchell: Why do they not do that?

  Professor Anderson: Because they do not have to and it would cost money.

  Q662  Earl of Erroll: Some of the packages now do try to connect to the Internet. The first thing they do is to check to see if there is an update, but it assumes that your Broadband connection is working which is unusual sometimes.

  Professor Anderson: We would expect over time that something like this would become a standard industry best practice.

  Q663  Baroness Hilton of Eggardon: It is said that the Internet was not designed to be secure. Do you think we are going to go on doing a constant sort of patching or repairing of the current system or do you think it is likely that a whole new, more secure system will be developed?

  Professor Handley: I do not think we are going to have a new Internet any time soon. The network effects of having a large number of people connected to one network are really large. The idea of coming up with something different without getting there incrementally from where we are here is simply not going to happen. The only two cases I can think of where it might happen would be if the current Internet fell in a large heap for some reason and we had to rebuild it from scratch but that is a very unlikely scenario. Or if something came along which was radically better in terms of cheaper or could do things that the current Internet cannot do, but neither of those seem at all likely at the moment. I think that what we are going to have is basically a variation on the current Internet for the foreseeable future. That is not to say that we are not doing research into network architectures which are radically different, we are. Groups like mine are putting in a lot of work in that area but the intent is really not to come along and say, "Okay, here is a new Internet, please use our one", it is to try to guide where we might want to go in the future, try to see where we might want to be a long way out, and then things will have to be incrementally changed from where we are now in such a way that you do not destroy the value that is already there. I do not think we are going to have a substantially different Internet but I cannot say that I particularly blame the Internet itself for the security problems. Most of the problems we see are primarily problems with systems connected to the Internet and not with the Internet itself. Of course the two may appear to be the same thing but systems connected to the Internet change pretty quickly but the Internet design itself has not changed greatly in the last 30 years.

  Professor Anderson: Perhaps a useful parallel might be to consider what is the security property that you require of the M1 motorway, given that that exists in order to take anyone who wishes to go from London to Leeds and back. You do not expect that the M1 itself will filter the traffic; you do not flag down the cars and ask to see people's passports. There are one or two security properties—we do not want terrorists to blow up the bridges—but many of the bad things that happen as a result of the M1's existence are dealt with using other mechanisms. If a burglar from Leeds comes down and burgles a house in London, then there are police mechanisms for dealing with that, and so in the medium term I expect we will have better police mechanisms for police in Leeds to collaborate with police in London if a bad man in Leeds has written a program that has affected a machine in London.

  Q664  Baroness Hilton of Eggardon: There are a number of mechanisms which potentially protect the security but they are not much used. I have a whole list of acronyms here: secure BGP, secure DNS, SMTP and so on but are not much used. Is that because they do not work or because it is an area where there should be greater regulation of the security systems?

  Professor Handley: They are areas where there are significant deployment costs. I believe that these areas you have just talked about which are mostly to do with the infrastructure itself are areas which desperately do need addressing and I think that the industry is moving in the right direction to address them. They have limited impact on security so far as the average Internet user is concerned; they are more to do with the integrity of the network as network. It is not quite the whole story though; some of it is how you actually look up an address in a network to go to and that would prevent some certain types of hijacking attacks. I think that these mechanisms or similar ones will eventually find their way out there because the requirement really is there, but they are probably not the largest part of the problem, at least from the point of view of the end user. From the point of view of those, there is a worry about keeping the network itself functioning. We worry about these things but your average Internet customer probably should not worry about those things, they are not their main problem.

  Professor Anderson: Back in the mid to late 1990s when we were busy designing all this stuff, we tended to take the view that Internet security was a function of the Internet not having enough features but we began to realise about six or seven years ago that this was not what was wrong with it. It was that typically one company would be guarding a system but another company or a group of people would be the people who suffered when it failed. It became clear to us that at least those security problems that were outstanding tended to be those that had both a social part and a technical part, because the stuff that could be solved easily by purely technical means has been solved.

  Q665  Lord Harris: Following on this question of the architecture, I read an article quite recently—which I am afraid I do not have in front of me—which suggested that Google was investing very substantially in the architecture and capacity of the Internet. Do you think that is likely to make security better or worse, that sort of investment, that sort of ownership of capacity? Or is it irrelevant?

  Professor Anderson: I think it is hard to say. There is a debate going on about this and there is a debate going on particularly in the USA about network neutrality, about whether it would be possible for your phone company to offer better service to preferred providers. I think that these issues are largely orthogonal to the main security issues.

  Professor Handley: In terms of their investment in network capacity, the issues are orthogonal. There is a trend which probably is good from the point of view of the end customer—although there is a balance here of course—which is that, for example, Google Mail (which is basically a web mail programme where your e-mail is dealt with on the Google server, it is stored there, they do all the antivirus checking and so forth) probably protects the end customer from those sorts of compromises much better than running that on your end system because Google have a large amount of resources to pour into that particular problem and they see an awful lot of different things go past and they can spot viruses more effectively than your average antivirus software can. The downside of course is that to get that you give up a degree of privacy and you have to balance these two off against each other. From the point of view of the main concerns of most end system users the move towards network service based applications such as Google Mail probably is a good thing for the security of the end user but, as I said, there are privacy concerns there which you would want to bear in mind.

  Professor Anderson: I would agree that if you have a web mail service like Gmail, for example, then you can expect it to be better at finding viruses simply because it is so big. If somebody does a virus run or a spam run then Google should be able to detect it almost before anybody else. There are, of course, other policy concerns about having large numbers of people running all their applications on a small number of application service providers but perhaps that is not the topic for today.

  Q666  Lord Mitchell: I am interested to find out what proportion of machines on the Internet have been compromised and what are they being used for?

  Professor Handley: I received this question before the meeting and I attempted to find the answer but I have failed to find the answer. I can provide a few data points from various surveys that people have done. There was a survey done a little over two years ago by AOL which showed that about 20 per cent of the machines that they surveyed had viruses and about 80 per cent had some form of spyware or adware or stuff which was benignly malicious, not as bad as a virus but not good. There was also a study done by the University of Washington about a year ago which was trying to look at web servers out there and what fraction of those actually had malicious software on them that they would serve up to the users and the answer was about four per cent which is a worryingly high fraction. They surveyed hundreds of thousands and four per cent actually had malicious software on them which would try to compromise the end users' machines. I cannot tell you what fraction of machines are compromised but I can say that the problem is obviously significant. There was a network of compromised machines which were being used as one network primarily for spamming that was discovered last year and shut down which was about 1.5 million machines under the control of one bad guy (for lack of a better word). What these compromised machines are being used for, I think by far the biggest would be spamming. Probably second on the list in terms of concerns would be things like identity theft, key logging, stealing passwords or stealing credit card information and so forth. A third major concern would be what is called distributed denial of service attack where you take a lot of compromised end systems and you flood a server with the intent of making so many requests or delivering so much traffic to it that it falls off the network. There is quite a high background rate of distributed denial of service attacks happening at this point. I would say by far the biggest is spamming.

  Professor Anderson: I would say that quite possibly most Windows PCs out there on the Internet have spyware on. I have certainly found it when I have cleaned up machines at home. A much smaller proportion have actively malicious stuff, things like botnet software; it might be a few per cent. There was an interesting and indeed shocking piece of research recently about the websites which serve up evil software. We had a paper from Ben Edelman at the Workshop on Economics and Information Security this summer where he showed a very strong adverse selection in effect here. For example, although perhaps a couple of per cent of websites might be malicious, double that number of websites having a certain TRUSTe[3] stamp of approval were malicious, and similarly, although you might have a two per cent probability of the top website you find in a Google search is malicious, you might have a four per cent probability that the top ranked ad on Google is malicious. Why? Because people who are running bad operations buy ads and buy seals of approval from careless organisations that sell them. This could have some fascinating economic effects. If everybody realised this then of course they would stop clicking on Google Ads and the thing would go bankrupt. So there are some very interesting things going on there I think.


  Q667  Lord Mitchell: How much of a problem are denial of service attacks in principle?

  Professor Handley: The motivation for denial of service attacks always used to be some teenager trying to knock some web server or some chat server off for kicks. The last few years they have been primarily economically motivated so there have been a large number of cases of denial of service attacks aimed at a company with the purpose of trying to extort that company into paying up to stop the attack. The gambling industry in Britain was hit fairly badly about two years ago by this until the industry as a whole realised that they should all stop paying and then they would stop being hit. Certainly most of those attacks seemed to have some financial motive, whether direct extortion or some other secondary financial motive. Those attacks are significant; they cause quite a lot of the traffic on the Internet (not as much as spam but still a significant fraction of the traffic) and a lot of effort to stop. We do not yet have any mechanisms deployed in the network to automatically stop such attacks. They are a big problem and they are very difficult for network operators to shut down effectively. The big concern, though, is that we may end up with attacks which are not just for financial reasons but for terrorism reasons or politically motivated attacks and so forth which are on a significantly larger scale.

  Q668  Lord Mitchell: We do see some of these already, do we not?

  Professor Handley: There was one just recently against the Internet root name servers which are a critical part of the Internet infrastructure. When they do not work, nothing else works after a certain amount of time. This was not successful but it caused a certain amount of down time for some of those servers for a while. I do not think we have yet seen a large denial of service attack aimed at what I would call critical infrastructure. Most of them have been comparatively small but the potential is certainly there. The botnet that was taken down last year of 1.5 million bots was primarily used for spamming. That is the only one that I know of that is that large. If it was aimed at pretty much any service on the Internet it would probably be able to take it down. That volume of compromised machines working together can probably take almost anything off the Internet. Anybody who has sufficient financial backing could probably get that situation so you would be very concerned in the long run that that is a serious possibility. We have not seen it yet on that kind of scale.

  Professor Anderson: One of the problems is that we have not had much critical infrastructure on the Internet in the past, but this is now changing in ways that nobody is really measuring. For example, when we were worried about the millennium bug ten years ago we asked ourselves whether the Internet would go down and we concluded that if the Internet does go down for a week then so what; we would actually get some work done with no e-mails. But the world is not like that nowadays. We are seeing in the NHS, for example, that systems have been rolled out where hospitals no longer have their medical records on the premises, they have server farms at remote locations. So if you were to lose Internet services then you might find that a hospital would be reduced to operating under World War II field hospital conditions and you might not be able to get x-rays from radiology to theatre. We just do not know the extent of this.

  Professor Handley: We do not really understand the interconnection of the systems that use the Internet so if they went down for a week how much of the food supply system is critically dependent on the Internet? How about the electricity in the street? We simply do not know the interconnections there. The concerns are real and these denial of service attacks whilst at the moment are probably not going to cause the structure of the nation to fall apart, you would worry about that in ten years' time.

  Q669  Lord Mitchell: Many of the attacks seem to come from insecure machines. Should we be forcing ISPs to do more to fix the machines and, if so, should that be through incentives or legislation?

  Professor Handley: We should absolutely be doing more to make sure that ISPs are looking for compromised machines and also shutting them down as soon as possible. I think that it is probably best done through incentives rather than legislation; legislation is a pretty blunt tool for this sort of thing. I think we really do need to make sure that the expectation is that they are looking for these kinds of attacks, and not everybody is. It does not necessarily cause them a problem if these machines are going out and attacking somebody else but it certainly causes the victim a problem. They should shut them down fairly quickly. Their customer service costs are quite significant in doing this so they are going to bear costs from doing it and they have to take that into account so there has to be some incentive to make up for that.

  Q670  Earl of Erroll: Would you just tell the ISP to disconnect someone's machine arbitrarily from the Internet or would you tell the ISP to do something about the botnet or whatever is sitting on it?

  Professor Anderson: What current systems do, as I understand it, is that if someone's machine is detected to be infected and sending out spam then the ISP will wall it off and allow it only access to a website from which it can download some antivirus software. This is something that is already done and for which incentives already exist. An ISP whose customers send out too much spam risks getting cut off by other ISPs and thereby having its costs pushed up.

  Q671  Earl of Erroll: Is there a danger of a knock-on effect on small businesses if they are suddenly taken off without warning?

  Professor Anderson: That is undeniable.

  Q672  Lord O'Neill of Clackmannan: We have heard evidence that suggests that the ISPs are best placed to block bad traffic before it reaches individuals. How practical is this?

  Professor Handley: I do not believe the ISPs are best placed to defend the individuals. I believe they are well placed to detect when a machine has been compromised and is being used to launch an attack or being used for spamming, but I do not think they are very well placed to actually stop bad traffic. The problem is that any bots you put in the middle of the network watching the traffic going past has incomplete information about how the end system will work. It has very incomplete information about what that end system is trying to do if it is not run by the same organisation as that end system. So one side is that they will block legitimate traffic and the other side is that bad traffic can get past them without being detected simply because the bots in the middle simply does not know exactly how the end system will deal with various traffic. I do not believe that it is feasible for the Internet providers to be the main source of defence for their customers. They might be able to do something but I think at best it is a small part of the story and at worst they could cause significant damage. They may also significantly harm the process of innovation in the network by trying to embed into the network the concept of today's applications whereas if you actually look at how the Internet has evolved we have never been able to foresee more than five years on what the killer application will be coming up and if you embed in the Internet providers the concept of "this stuff that looks exactly like today's good traffic is good and everything else is bad" then you harm the future and we would really prefer that not to happen.

  Professor Anderson: I think that is all fair enough when it comes to filtering in-coming stuff and indeed in America network neutrality is about whether ISPs are allowed to delay certain types of traffic to their customers. ISPs who also happen to be phone companies, for example, may disrupt incoming Voice over IP traffic so that their customers cannot cut their phone bills by making their long distance calls by VoIP. However, I think that there is a role for ISPs in blocking outgoing traffic. A number of ISPs already block outgoing spam. They are well placed to do this technically because the ISP, if it is of any size, may get some proportion of the spam that its own customers' infected machines are sending out. It is possible that if distributed denial of service becomes a real problem that there might be some kind of egress filtering device that helps with that as well. Ingress filtering, I agree, has got a number of problems and is tied up with policy and commercial issues.

  Q673  Lord O'Neill of Clackmannan: We have also been told of the end-to-end principle. What happens if you block the traffic in the middle of the net? Can this be seen as casting in stone the system so that future improvements could be made more difficult?

  Professor Handley: Yes, absolutely. We are already seeing this to some extent. Most commercial sites and universities and so forth have some form of firewall which is a boundary at their site which filters some of the traffic. Those sites have the advantage that they at least have some clue what their systems are trying to access. There is an arrangement basically between the person who runs the firewall and the person who runs the end system and they use the same organisation so in principle they are not battling each other. If you tried to do the same thing between an Internet provider and their customers they are not the same organisation so it is much harder to tell exactly what the end customer is actually trying to do. There is a significant risk of harming innovation by embedding a concept in the core of the network in any way which is: "these are what today's applications look like". We are seeing innovation problems already with commercial sites but it would be much, much worse if you did it in the middle of the network where it is not the same organisation as the end systems.

  Q674  Lord Patel: My questions concern the security breach notification laws. The view that Bruce Schneier took was that the California breach notification laws, whilst initially effective, were not so once the media lost interest in it. The question I have for you is, do you agree with that view? Secondly, do you think we should have such laws in the United Kingdom and if so how could we make them more effective? It is also the position that the banks suggested that any loss of personal data should not be reported because it would generate more anxiety and that the companies themselves should be left to decide whether it should be reported or not. Do you agree with that?

  Professor Anderson: I have some experience of dealing with banking type systems as I worked in banking 20 odd years ago and I have been an expert witness in a number of disputed cases over the last 15 years. One of the problems in the UK is that if you end up with a disputed banking transaction the onus may be put on you to explain what happened without you being given access to the information that you need to discharge that. Let me give you an example. A few months ago our local Tesco cash machine had a skimmer put on it. Had that been in California then Tesco would have been obliged to write to the 200-odd people who used the cash machine that day saying, "Dear Sir, please check your bank statements and send us the bill". Of course company lawyers do not like sending letters like that unless they have to.

  Q675  Lord Patel: Why did Tesco put skimmers on?

  Professor Anderson: The skimmer had been put on Tesco's cash machine by a bad man who eventually was arrested. If Tesco themselves had been putting skimmers on that would be cause for even greater concern! As it happens, the Bedfordshire Constabulary had to put an article in Bedfordshire on Sunday saying that anybody who used this cash machine on the Tuesday could they check their bank statements and call them. If you had not been lucky enough to read that issue of our free paper you would not have known what had happened. If you then saw thousands of pounds vanishing from your account through cash machines in London and had complained to your bank and the bank had said, "Our systems are secure, go away", then you would have been stuck. The breach notification law that is now law in more and more American States, basically fixes that problem, and there is an independent fix for it in Regulation E. I think that breach notification would be enormously effective in the UK because we start off from a much lower level of consumer rights on-line and it would mean that when bad things happen they could not be covered up with the facility that they can be covered up with at the moment. Another problem has arisen since January which is that if you go to the police and report a bank fraud they will now tell you to go and take the matter up with your bank. This is convenient to the banks and it is also convenient to the Home Office in terms of the crime statistics. However, it does actually make things hard for people who are trying to get a handle on what is going on. In one recent case it has been making it difficult for the police themselves because the police were not aware that there was one gang going round the UK putting skimmers on chip and pin terminals until some bad men were caught in Phuket in Thailand with a suitcase containing 5000 forged cards, most of them British, simply because we did not have the police reports and the dots were not being joined up. So for all sorts of reasons to do with consumer rights and policing effectiveness, security breach reporting is something that we need.

  Professor Handley: I would agree completely. I think that the goal obviously is to attempt to make all of the systems that we interact with as secure as is reasonably cost effective and this seems to be a very cheap and cost effective way to make it in the bank's interests to strive to be the best. Obviously I think that Bruce Schneier's point is that it created a vast amount of bad publicity for the people who had security breaches early on and relatively minor after that. Even the relatively minor is still a significant improvement from where we are at the moment where nobody has any clue what is going on with any of these systems that we depend on all the time. It provides all the right incentives. It makes security an issue which is visible at the PR level which is necessary to actually get the financial resources within the bank applied to these kinds of problems. It also provides information for the customers to be able to choose between the different possible competing financial institutions. If there is a bank which is repeatedly issuing security alerts and the other ones are not, it is not that hard to choose to go to a different bank. Right now I have no clue whether my bank is good or bad. I have tried to pay attention to these things but I just do not know because the information is not there. I think it is entirely a good thing.

  Q676  Lord Patel: What about this comment that the companies should decide themselves and not report loss of personal data?

  Professor Handley: I do not see that that helps anybody other than the company itself. It certainly does not help their customers and again it does not really put the incentive on the institutions to actually take security seriously.

  Professor Anderson: I think it must be borne in mind that consumers in America already start from a very much higher level of protection. If you dispute an electronic banking transaction in America the bank basically has to prove that you did it using direct evidence rather than simply assertions about the wisdom of their systems or else give you your money back. The relative improvement that you got from breach notification laws in America was less than we would expect to get here. I know that the European Union plans to bring in a directive but it is going to be a relatively narrow one to do only with the telecom systems, and I think there is a real opportunity here for Parliament to enact a much broader based breach notification law which will cover all the various relevant sectors.

  Q677  Lord Broers: Do you have any idea as to how often holes in the wall are skimmed?

  Professor Anderson: It is an industrial process. There are gangs who do it with equipment which is made, we believe, in Eastern Europe. The figures are of course not made known. The biggest scandal recently has been that the gangs have moved from cash machines to chip and pin terminals and there appear to be skimmers out there that put in the cable from the chip and pin terminal to the branch server which records all the information from the card except the PIN, and the operator gets the PIN by eyeball. That is what this particular Sri Lankan gang was using against a whole number of petrol stations in the UK. If you look at APACS figures card fraud is in nine figures. They hoped it would go down with chip and pin but it has not. We are talking in total hundreds of millions of card fraud, with certainly tens of millions of debit card fraud.

  Q678  Lord Broers: Banks are not obliged to report that when they learn about it. Presumably the banks always do learn about it.

  Professor Anderson: It is unclear to what extent there are good reporting mechanisms. If front line bank staff are told to simply deny that phantom withdrawals are possible when customers complain, then some customers will go away and perhaps the claims will never end up being reported. This is why it is a bad deal that you can no longer report such things to the police. If you try and report to the bank you may not succeed in reporting it. The bank may report some of the fraud that gets reported to it to APACS; what APACS reports in public is another thing. We just do not know how effective any of this chain is; we have no decent figures. Of course APACS has an institutional incentive to downplay the amount of fraud because they promised us that fraud would go down when they got the banks to introduce chip and pin.

  Q679  Lord Broers: Can you see any downside from that fraud being made public?

  Professor Anderson: Not at all. I think the modus operandi are known already to the bad guys and in this case, as in many others, security breach reporting is going to incentivise the defenders. There is significant literature on this in general among security economists because people started to question about whether vulnerabilities of an operating system should be reported through CERT or wherever, so that patches can be fixed. There were a number of models that were produced of the introduction and elimination of vulnerabilities and these were tested against experimental data. As far as we are aware from the operating systems front it is a good thing to report vulnerabilities although it is prudent, of course, to allow a certain window for patches to be shipped. On the basis of that model I would say there was an even stronger incentive to report bad things that go wrong in the financial system.


3   See www.truste.org.

© Parliamentary copyright 2007