Examination of Witnesses (Questions 660
WEDNESDAY 28 FEBRUARY 2007
Q660 Earl of Erroll:
The other thing that FIPR thought about was having a "best-before"
date on the machines when they are sold because if they have been
sitting in the shop for a while the software will be out of date.
Do you think this is a practical thing?
Professor Anderson: I think it would be a very
useful incentive for the shops to see to it that the machines
are updated when they are sold. It need not be particularly onerous;
it could come down to the shop supplying a DVD to the customers,
these DVDs contain the relevant updates and could be distributed
once a month through the shop's supply chain. That would at least
see that when the device came out of the box and was initially
powered up, it would not be instantly vulnerable.
Q661 Lord Mitchell:
Why do they not do that?
Professor Anderson: Because they do not have
to and it would cost money.
Q662 Earl of Erroll:
Some of the packages now do try to connect to the Internet. The
first thing they do is to check to see if there is an update,
but it assumes that your Broadband connection is working which
is unusual sometimes.
Professor Anderson: We would expect over time
that something like this would become a standard industry best
Q663 Baroness Hilton of Eggardon:
It is said that the Internet was not designed to be secure. Do
you think we are going to go on doing a constant sort of patching
or repairing of the current system or do you think it is likely
that a whole new, more secure system will be developed?
Professor Handley: I do not think we are going
to have a new Internet any time soon. The network effects of having
a large number of people connected to one network are really large.
The idea of coming up with something different without getting
there incrementally from where we are here is simply not going
to happen. The only two cases I can think of where it might happen
would be if the current Internet fell in a large heap for some
reason and we had to rebuild it from scratch but that is a very
unlikely scenario. Or if something came along which was radically
better in terms of cheaper or could do things that the current
Internet cannot do, but neither of those seem at all likely at
the moment. I think that what we are going to have is basically
a variation on the current Internet for the foreseeable future.
That is not to say that we are not doing research into network
architectures which are radically different, we are. Groups like
mine are putting in a lot of work in that area but the intent
is really not to come along and say, "Okay, here is a new
Internet, please use our one", it is to try to guide where
we might want to go in the future, try to see where we might want
to be a long way out, and then things will have to be incrementally
changed from where we are now in such a way that you do not destroy
the value that is already there. I do not think we are going to
have a substantially different Internet but I cannot say that
I particularly blame the Internet itself for the security problems.
Most of the problems we see are primarily problems with systems
connected to the Internet and not with the Internet itself. Of
course the two may appear to be the same thing but systems connected
to the Internet change pretty quickly but the Internet design
itself has not changed greatly in the last 30 years.
Professor Anderson: Perhaps a useful parallel
might be to consider what is the security property that you require
of the M1 motorway, given that that exists in order to take anyone
who wishes to go from London to Leeds and back. You do not expect
that the M1 itself will filter the traffic; you do not flag down
the cars and ask to see people's passports. There are one or two
security properties (we do not want terrorists to blow up
the bridges) but many of the bad things that happen as a
result of the M1's existence are dealt with using other mechanisms.
If a burglar from Leeds comes down and burgles a house in London,
then there are police mechanisms for dealing with that, and so
in the medium term I expect we will have better police mechanisms
for police in Leeds to collaborate with police in London if a
bad man in Leeds has written a program that has affected a machine
Q664 Baroness Hilton of Eggardon:
There are a number of mechanisms which potentially protect the
security but they are not much used. I have a whole list of acronyms
here: secure BGP, secure DNS, SMTP and so on but are not much
used. Is that because they do not work or because it is an area
where there should be greater regulation of the security systems?
Professor Handley: They are areas where there
are significant deployment costs. I believe that these areas you
have just talked about which are mostly to do with the infrastructure
itself are areas which desperately do need addressing and I think
that the industry is moving in the right direction to address
them. They have limited impact on security so far as the average
Internet user is concerned; they are more to do with the integrity
of the network as network. It is not quite the whole story though;
some of it is how you actually look up an address in a network
to go to and that would prevent certain types of hijacking
attacks. I think that these mechanisms or similar ones will eventually
find their way out there because the requirement really is there,
but they are probably not the largest part of the problem, at
least from the point of view of the end user. From the point of
view of those, there is a worry about keeping the network itself
functioning. We worry about these things but your average Internet
customer probably should not worry about those things, they are
not their main problem.
Professor Anderson: Back in the mid to late
1990s when we were busy designing all this stuff, we tended to
take the view that Internet security was a function of the Internet
not having enough features but we began to realise about six or
seven years ago that this was not what was wrong with it. It was
that typically one company would be guarding a system but another
company or a group of people would be the people who suffered
when it failed. It became clear to us that at least those security
problems that were outstanding tended to be those that had both
a social part and a technical part, because the stuff that could
be solved easily by purely technical means has been solved.
Q665 Lord Harris:
Following on this question of the architecture, I read an article
quite recently (which I am afraid I do not have in front
of me) which suggested that Google was investing very substantially
in the architecture and capacity of the Internet. Do you think
that is likely to make security better or worse, that sort of
investment, that sort of ownership of capacity? Or is it irrelevant?
Professor Anderson: I think it is hard to say.
There is a debate going on about this and there is a debate going
on particularly in the USA about network neutrality, about whether
it would be possible for your phone company to offer better service
to preferred providers. I think that these issues are largely
orthogonal to the main security issues.
Professor Handley: In terms of their investment
in network capacity, the issues are orthogonal. There is a trend
which probably is good from the point of view of the end customer (although
there is a balance here of course) which is that, for example,
Google Mail (which is basically a web mail programme where your
e-mail is dealt with on the Google server, it is stored there,
they do all the antivirus checking and so forth) probably protects
the end customer from those sorts of compromises much better than
running that on your end system because Google have a large amount
of resources to pour into that particular problem and they see
an awful lot of different things go past and they can spot viruses
more effectively than your average antivirus software can. The
downside of course is that to get that you give up a degree of privacy
and you have to balance these two off against each other. From
the point of view of the main concerns of most end system users
the move towards network service based applications such as Google
Mail probably is a good thing for the security of the end user
but, as I said, there are privacy concerns there which you would
want to bear in mind.
Professor Anderson: I would agree that if you
have a web mail service like Gmail, for example, then you can
expect it to be better at finding viruses simply because it is
so big. If somebody does a virus run or a spam run then Google
should be able to detect it almost before anybody else. There
are, of course, other policy concerns about having large numbers
of people running all their applications on a small number of
application service providers but perhaps that is not the topic
Q666 Lord Mitchell:
I am interested to find out what proportion of machines on the
Internet have been compromised and what are they being used for?
Professor Handley: I received this question
before the meeting and I attempted to find the answer but I have
failed to find the answer. I can provide a few data points from
various surveys that people have done. There was a survey done
a little over two years ago by AOL which showed that about 20
per cent of the machines that they surveyed had viruses and about
80 per cent had some form of spyware or adware or stuff which
was benignly malicious, not as bad as a virus but not good. There
was also a study done by the University of Washington about a
year ago which was trying to look at web servers out there and
what fraction of those actually had malicious software on them
that they would serve up to the users and the answer was about
four per cent which is a worryingly high fraction. They surveyed
hundreds of thousands and four per cent actually had malicious
software on them which would try to compromise the end users'
machines. I cannot tell you what fraction of machines are compromised
but I can say that the problem is obviously significant. There
was a network of compromised machines which were being used as
one network primarily for spamming that was discovered last year
and shut down which was about 1.5 million machines under the control
of one bad guy (for lack of a better word). What these compromised
machines are being used for, I think by far the biggest would
be spamming. Probably second on the list in terms of concerns
would be things like identity theft, key logging, stealing passwords
or stealing credit card information and so forth. A third major
concern would be what is called distributed denial of service
attack where you take a lot of compromised end systems and you
flood a server with the intent of making so many requests or delivering
so much traffic to it that it falls off the network. There is
quite a high background rate of distributed denial of service
attacks happening at this point. I would say by far the biggest
Professor Anderson: I would say that quite possibly
most Windows PCs out there on the Internet have spyware on. I
have certainly found it when I have cleaned up machines at home.
A much smaller proportion have actively malicious stuff, things
like botnet software; it might be a few per cent. There was an
interesting and indeed shocking piece of research recently about
the websites which serve up evil software. We had a paper from
Ben Edelman at the Workshop on Economics and Information Security
this summer where he showed a very strong adverse selection in
effect here. For example, although perhaps a couple of per cent
of websites might be malicious, double that number of websites
having a certain TRUSTe
stamp of approval were malicious, and similarly, although you
might have a two per cent probability of the top website you find
in a Google search is malicious, you might have a four per cent
probability that the top ranked ad on Google is malicious. Why?
Because people who are running bad operations buy ads and buy
seals of approval from careless organisations that sell them.
This could have some fascinating economic effects. If everybody
realised this then of course they would stop clicking on Google
Ads and the thing would go bankrupt. So there are some very interesting
things going on there I think.
How much of a problem are denial of service attacks in principle?
Professor Handley: The motivation for denial
of service attacks always used to be some teenager trying to knock
some web server or some chat server off for kicks. The last few
years they have been primarily economically motivated so there
have been a large number of cases of denial of service attacks
aimed at a company with the purpose of trying to extort that company
into paying up to stop the attack. The gambling industry in Britain
was hit fairly badly about two years ago by this until the industry
as a whole realised that they should all stop paying and then
they would stop being hit. Certainly most of those attacks seemed
to have some financial motive, whether direct extortion or some
other secondary financial motive. Those attacks are significant;
they cause quite a lot of the traffic on the Internet (not as
much as spam but still a significant fraction of the traffic)
and a lot of effort to stop. We do not yet have any mechanisms
deployed in the network to automatically stop such attacks. They
are a big problem and they are very difficult for network operators
to shut down effectively. The big concern, though, is that we
may end up with attacks which are not just for financial reasons
but for terrorism reasons or politically motivated attacks and
so forth which are on a significantly larger scale.
Q668 Lord Mitchell:
We do see some of these already, do we not?
Professor Handley: There was one just recently
against the Internet root name servers which are a critical part
of the Internet infrastructure. When they do not work, nothing
else works after a certain amount of time. This was not successful
but it caused a certain amount of down time for some of those
servers for a while. I do not think we have yet seen a large denial
of service attack aimed at what I would call critical infrastructure.
Most of them have been comparatively small but the potential is
certainly there. The botnet that was taken down last year of 1.5
million bots was primarily used for spamming. That is the only
one that I know of that is that large. If it was aimed at pretty
much any service on the Internet it would probably be able to
take it down. That volume of compromised machines working together
can probably take almost anything off the Internet. Anybody who
has sufficient financial backing could probably get that situation
so you would be very concerned in the long run that that is a
serious possibility. We have not seen it yet on that kind of scale.
Professor Anderson: One of the problems is that
we have not had much critical infrastructure on the Internet in
the past, but this is now changing in ways that nobody is really
measuring. For example, when we were worried about the millennium
bug ten years ago we asked ourselves whether the Internet would
go down and we concluded that if the Internet does go down for
a week then so what; we would actually get some work done with
no e-mails. But the world is not like that nowadays. We are seeing
in the NHS, for example, that systems have been rolled out where
hospitals no longer have their medical records on the premises,
they have server farms at remote locations. So if you were to
lose Internet services then you might find that a hospital would
be reduced to operating under World War II field hospital conditions
and you might not be able to get x-rays from radiology to theatre.
We just do not know the extent of this.
Professor Handley: We do not really understand
the interconnection of the systems that use the Internet so if
they went down for a week how much of the food supply system is
critically dependent on the Internet? How about the electricity
in the street? We simply do not know the interconnections there.
The concerns are real and these denial of service attacks, whilst
at the moment they are probably not going to cause the structure of
the nation to fall apart, you would worry about that in ten years'
Q669 Lord Mitchell:
Many of the attacks seem to come from insecure machines. Should
we be forcing ISPs to do more to fix the machines and, if so,
should that be through incentives or legislation?
Professor Handley: We should absolutely be doing
more to make sure that ISPs are looking for compromised machines
and also shutting them down as soon as possible. I think that
it is probably best done through incentives rather than legislation;
legislation is a pretty blunt tool for this sort of thing. I think
we really do need to make sure that the expectation is that they
are looking for these kinds of attacks, and not everybody is.
It does not necessarily cause them a problem if these machines
are going out and attacking somebody else but it certainly causes
the victim a problem. They should shut them down fairly quickly.
Their customer service costs are quite significant in doing this
so they are going to bear costs from doing it and they have to
take that into account so there has to be some incentive to make
up for that.
Q670 Earl of Erroll:
Would you just tell the ISP to disconnect someone's machine arbitrarily
from the Internet or would you tell the ISP to do something about
the botnet or whatever is sitting on it?
Professor Anderson: What current systems do,
as I understand it, is that if someone's machine is detected to
be infected and sending out spam then the ISP will wall it off
and allow it only access to a website from which it can download
some antivirus software. This is something that is already done
and for which incentives already exist. An ISP whose customers
send out too much spam risks getting cut off by other ISPs and
thereby having its costs pushed up.
Q671 Earl of Erroll:
Is there a danger of a knock-on effect on small businesses if
they are suddenly taken off without warning?
Professor Anderson: That is undeniable.
Q672 Lord O'Neill of Clackmannan:
We have heard evidence that suggests that the ISPs are best placed
to block bad traffic before it reaches individuals. How practical
Professor Handley: I do not believe the ISPs
are best placed to defend the individuals. I believe they are
well placed to detect when a machine has been compromised and
is being used to launch an attack or being used for spamming,
but I do not think they are very well placed to actually stop
bad traffic. The problem is that any box you put in the middle
of the network watching the traffic going past has incomplete
information about how the end system will work. It has very incomplete
information about what that end system is trying to do if it is
not run by the same organisation as that end system. So one side
is that they will block legitimate traffic and the other side
is that bad traffic can get past them without being detected
simply because the box in the middle simply does not know exactly
how the end system will deal with various traffic. I do not believe
that it is feasible for the Internet providers to be the main
source of defence for their customers. They might be able to do
something but I think at best it is a small part of the story
and at worst they could cause significant damage. They may also
significantly harm the process of innovation in the network by
trying to embed into the network the concept of today's applications
whereas if you actually look at how the Internet has evolved we
have never been able to foresee more than five years on what the
killer application will be coming up and if you embed in the Internet
providers the concept of "this stuff that looks exactly like
today's good traffic is good and everything else is bad"
then you harm the future and we would really prefer that not to
Professor Anderson: I think that is all fair
enough when it comes to filtering incoming stuff and indeed in
America network neutrality is about whether ISPs are allowed to
delay certain types of traffic to their customers. ISPs who also
happen to be phone companies, for example, may disrupt incoming
Voice over IP traffic so that their customers cannot cut their
phone bills by making their long distance calls by VoIP. However,
I think that there is a role for ISPs in blocking outgoing traffic.
A number of ISPs already block outgoing spam. They are well placed
to do this technically because the ISP, if it is of any size,
may get some proportion of the spam that its own customers' infected
machines are sending out. It is possible that if distributed denial
of service becomes a real problem that there might be some kind
of egress filtering device that helps with that as well. Ingress
filtering, I agree, has got a number of problems and is tied up
with policy and commercial issues.
Q673 Lord O'Neill of Clackmannan:
We have also been told of the end-to-end principle. What happens
if you block the traffic in the middle of the net? Can this be
seen as casting in stone the system so that future improvements
could be made more difficult?
Professor Handley: Yes, absolutely. We are already
seeing this to some extent. Most commercial sites and universities
and so forth have some form of firewall which is a boundary at
their site which filters some of the traffic. Those sites have
the advantage that they at least have some clue what their systems
are trying to access. There is an arrangement basically between
the person who runs the firewall and the person who runs the end
system and they use the same organisation so in principle they
are not battling each other. If you tried to do the same thing
between an Internet provider and their customers they are not
the same organisation so it is much harder to tell exactly what
the end customer is actually trying to do. There is a significant
risk of harming innovation by embedding a concept in the core
of the network in any way which is: "these are what today's
applications look like". We are seeing innovation problems
already with commercial sites but it would be much, much worse
if you did it in the middle of the network where it is not the
same organisation as the end systems.
Q674 Lord Patel:
My questions concern the security breach notification laws. The
view that Bruce Schneier took was that the California breach notification
laws, whilst initially effective, were not so once the media lost
interest in it. The question I have for you is, do you agree with
that view? Secondly, do you think we should have such laws in
the United Kingdom and if so how could we make them more effective?
It is also the position that the banks suggested that any loss
of personal data should not be reported because it would generate
more anxiety and that the companies themselves should be left
to decide whether it should be reported or not. Do you agree with
Professor Anderson: I have some experience of
dealing with banking type systems as I worked in banking 20-odd
years ago and I have been an expert witness in a number of disputed
cases over the last 15 years. One of the problems in the UK is
that if you end up with a disputed banking transaction the onus
may be put on you to explain what happened without you being given
access to the information that you need to discharge that. Let
me give you an example. A few months ago our local Tesco cash
machine had a skimmer put on it. Had that been in California then
Tesco would have been obliged to write to the 200-odd people who
used the cash machine that day saying, "Dear Sir, please
check your bank statements and send us the bill". Of course
company lawyers do not like sending letters like that unless they
Q675 Lord Patel:
Why did Tesco put skimmers on?
Professor Anderson: The skimmer had been put
on Tesco's cash machine by a bad man who eventually was arrested.
If Tesco themselves had been putting skimmers on that would be
cause for even greater concern! As it happens, the Bedfordshire
Constabulary had to put an article in Bedfordshire on Sunday
saying that anybody who used this cash machine on the Tuesday
could they check their bank statements and call them. If you had
not been lucky enough to read that issue of our free paper you
would not have known what had happened. If you then saw thousands
of pounds vanishing from your account through cash machines in
London and had complained to your bank and the bank had said,
"Our systems are secure, go away", then you would have
been stuck. The breach notification law that is now law in more
and more American States basically fixes that problem, and there
is an independent fix for it in Regulation E. I think that breach
notification would be enormously effective in the UK because we
start off from a much lower level of consumer rights on-line and
it would mean that when bad things happen they could not be covered
up with the facility that they can be covered up with at the moment.
Another problem has arisen since January which is that if you
go to the police and report a bank fraud they will now tell you
to go and take the matter up with your bank. This is convenient
to the banks and it is also convenient to the Home Office in terms
of the crime statistics. However, it does actually make things
hard for people who are trying to get a handle on what is going
on. In one recent case it has been making it difficult for the
police themselves because the police were not aware that there
was one gang going round the UK putting skimmers on chip and pin
terminals until some bad men were caught in Phuket in Thailand
with a suitcase containing 5000 forged cards, most of them British,
simply because we did not have the police reports and the dots
were not being joined up. So for all sorts of reasons to do with
consumer rights and policing effectiveness, security breach reporting
is something that we need.
Professor Handley: I would agree completely.
I think that the goal obviously is to attempt to make all of the
systems that we interact with as secure as is reasonably cost
effective and this seems to be a very cheap and cost effective
way to make it in the bank's interests to strive to be the best.
Obviously I think that Bruce Schneier's point is that it created
a vast amount of bad publicity for the people who had security
breaches early on and relatively minor after that. Even the relatively
minor is still a significant improvement from where we are at
the moment where nobody has any clue what is going on with any
of these systems that we depend on all the time. It provides all
the right incentives. It makes security an issue which is visible
at the PR level which is necessary to actually get the financial
resources within the bank applied to these kinds of problems.
It also provides information for the customers to be able to choose
between the different possible competing financial institutions.
If there is a bank which is repeatedly issuing security alerts
and the other ones are not, it is not that hard to choose to go
to a different bank. Right now I have no clue whether my bank
is good or bad. I have tried to pay attention to these things
but I just do not know because the information is not there. I
think it is entirely a good thing.
Q676 Lord Patel:
What about this comment that the companies should decide themselves
and not report loss of personal data?
Professor Handley: I do not see that that helps
anybody other than the company itself. It certainly does not help
their customers and again it does not really put the incentive
on the institutions to actually take security seriously.
Professor Anderson: I think it must be borne
in mind that consumers in America already start from a very much
higher level of protection. If you dispute an electronic banking
transaction in America the bank basically has to prove that you
did it using direct evidence rather than simply assertions about
the wisdom of their systems or else give you your money back.
The relative improvement that you got from breach notification
laws in America was less than we would expect to get here. I know
that the European Union plans to bring in a directive but it is
going to be a relatively narrow one to do only with the telecom
systems, and I think there is a real opportunity here for Parliament
to enact a much broader based breach notification law which will
cover all the various relevant sectors.
Q677 Lord Broers:
Do you have any idea as to how often holes in the wall are skimmed?
Professor Anderson: It is an industrial process.
There are gangs who do it with equipment which is made, we believe,
in Eastern Europe. The figures are of course not made known. The
biggest scandal recently has been that the gangs have moved from
cash machines to chip and pin terminals and there appear to be
skimmers out there that put in the cable from the chip and pin
terminal to the branch server which records all the information
from the card except the PIN, and the operator gets the PIN by
eyeball. That is what this particular Sri Lankan gang was using
against a whole number of petrol stations in the UK. If you look
at APACS figures card fraud is in nine figures. They hoped it
would go down with chip and pin but it has not. We are talking
in total hundreds of millions of card fraud, with certainly tens
of millions of debit card fraud.
Q678 Lord Broers:
Banks are not obliged to report that when they learn about it.
Presumably the banks always do learn about it.
Professor Anderson: It is unclear to what extent
there are good reporting mechanisms. If front line bank staff
are told to simply deny that phantom withdrawals are possible
when customers complain, then some customers will go away and
perhaps the claims will never end up being reported. This is why
it is a bad deal that you can no longer report such things to
the police. If you try and report to the bank you may not succeed
in reporting it. The bank may report some of the fraud that gets
reported to it to APACS; what APACS reports in public is another
thing. We just do not know how effective any of this chain is;
we have no decent figures. Of course APACS has an institutional
incentive to downplay the amount of fraud because they promised
us that fraud would go down when they got the banks to introduce
chip and pin.
Q679 Lord Broers:
Can you see any downside from that fraud being made public?
Professor Anderson: Not at all. I think the
modus operandi are known already to the bad guys and in
this case, as in many others, security breach reporting is going
to incentivise the defenders. There is significant literature
on this in general among security economists because people started
to question about whether vulnerabilities of an operating system
should be reported through CERT or wherever, so that patches can
be fixed. There were a number of models that were produced of
the introduction and elimination of vulnerabilities and these
were tested against experimental data. As far as we are aware
from the operating systems front it is a good thing to report
vulnerabilities although it is prudent, of course, to allow a certain
window for patches to be shipped. On the basis of that model I
would say there was an even stronger incentive to report bad things
that go wrong in the financial system.
3 See www.truste.org.