Posted on October 14th, 2010 No comments
No real surprises today with a report that nearly a quarter of home wireless networks investigated had no password set to secure the network. Home networks have always been something of an Achilles' heel, with far too few users understanding the need to take steps to secure their systems.
The Crusher has long held the view that wireless equipment (broadband routers, access points etc.) should be sold with security enabled. With security in place from the start it would require some knowledge to disable the security rather than needing some knowledge to enable it when setting up the system. To be fair, some providers do take steps to secure systems, but many users purchase equipment off the shelf in a wide range of outlets and fail to heed the advice in the set-up instructions.
Some while ago, The Crusher took wireless enabled equipment for a walk along a street in a Hampshire market town. In just 200 yards, walking along a main shopping street with flats above, the system detected some 10 wireless networks, at least half of which were unsecured meaning that anyone could connect and gain access.
But it gets worse. More than half of the wireless networks still used the router manufacturer's original SSID. If you can see the SSID and it identifies a particular manufacturer then there is a pretty good chance that the default administrator password is still in use - most likely a username of ‘admin’ and a password of (yes!) ‘password’. It really is not too difficult to get in, and if you can gain access to the router's administration page then you can enable remote administration, change the password and lock the original owner out of their own configuration. Of course, if you can physically access the router then you can reset it to factory defaults and start again, but …..
The problem is that an insecure wireless network is like leaving the front door of the house open. Anyone can come in and take a look around. Chances are that there are other machines connected to the network; once in, you can sniff traffic and read the data. On an open (unencrypted) network you do not even need to join: every frame goes over the air in the clear, so anyone within radio range can read it. That could include usernames, passwords, financial data - the list goes on.
If you can access a wireless network from outside then you can connect and use the bandwidth, and that might include accessing illegal or unlawful content. That poses a problem for the owner of the network - if a rights agency detects unlawful download of copyright material then it can apply to a court for an order requiring the ISP to divulge details of the circuit and its owner. The rights owner may then seek damages and will pursue the owner of the circuit, whether or not that person had any knowledge of the infringing traffic. Having the police knock on the door at 6.00am to investigate child pornography might seriously upset your day - and that of the neighbours, and your relations with them.
So what should you do if you are using a wireless network? The Crusher believes that there are a series of relatively simple steps that can be taken to substantially improve the security of a home wireless network. When setting up the system, take actions to:
1. Change the default administrator password. This is the login for the router's configuration pages, and it is separate from the wireless key in step 3. Make it something that you can remember but not something that is easily guessed (like a phone number, car registration or user name).
2. Change the SSID, the wireless network name. By default this will typically be the name of the equipment manufacturer, Netgear, Dlink etc., which tells a passer-by which default login to try. Don’t use your name or the address either, as these immediately tie the network to a particular property.
3. Secure the connection with an encryption key, so that anyone connecting must supply it. Routers will offer WEP, WPA or WPA2. Choose WPA2 (AES/CCMP) where the equipment supports it, WPA where it does not, and never WEP: a WEP key can be recovered from a few minutes of captured traffic using freely available tools, after which the encryption is no protection at all.
4. To enhance the access control, restrict connections to known MAC addresses. Each wireless connection (network card) has a unique MAC address. Your router will be able to show the connections - identify those belonging to known equipment and grant access only to the ones you know and approve. Once this is set up any other equipment attempting to connect will be refused. Treat this as a speed bump rather than a lock: MAC addresses are sent in the clear in every frame, so anyone sniffing the network can copy an approved address and set it on their own card. It does not replace a strong WPA2 key.
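The findings from the walk along the street (open networks, WEP and factory SSIDs) are all visible in an ordinary scan listing, so the checks behind steps 2 and 3 can be automated. The script below is an added example and not code from the original post. It parses text in the layout of `iw dev wlan0 scan` on Linux, labels each network open, WEP, WPA or WPA2 from the beacon's Privacy capability bit and its WPA/RSN elements, and flags SSIDs that still begin with a vendor name. The scan text, the SSIDs and the vendor prefix list are constructed for the example and are assumptions, not a real capture.

```python
"""Classify networks from `iw dev <iface> scan` output: open, WEP, WPA, WPA2,
and factory-default SSIDs.  Added example; the sample input is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in `iw dev wlan0 scan` layout (most fields trimmed).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    capability: ESS (0x0401)
    SSID: NETGEAR
BSS 00:11:22:33:44:02(on wlan0)
    capability: ESS Privacy (0x0411)
    SSID: dlink
BSS 00:11:22:33:44:03(on wlan0)
    capability: ESS Privacy (0x0411)
    SSID: flat3-above-shop
    WPA:     * Version: 1
         * Pairwise ciphers: TKIP
BSS 00:11:22:33:44:04(on wlan0)
    capability: ESS Privacy (0x0411)
    SSID: teapot42
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
"""

# Illustrative list (an assumption): the post names Netgear and D-Link;
# extend it with the vendor defaults common in your area.
DEFAULT_SSID_PREFIXES = ("NETGEAR", "DLINK", "LINKSYS")


@dataclass
class Network:
    bssid: str
    ssid: str = ""
    privacy: bool = False   # "Privacy" capability bit: some encryption in use
    has_wpa: bool = False   # vendor WPA information element seen
    has_rsn: bool = False   # RSN (WPA2) information element seen

    @property
    def security(self) -> str:
        """Map the capability bit and information elements to a label."""
        if not self.privacy:
            return "OPEN"
        if self.has_rsn:
            return "WPA2"
        if self.has_wpa:
            return "WPA"
        return "WEP"  # Privacy set but no WPA/RSN element: only WEP is left


def parse_scan(text: str) -> list[Network]:
    """One Network per 'BSS <mac>' block in the scan text."""
    nets: list[Network] = []
    cur: Network | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line, re.I)
        if m:
            cur = Network(bssid=m.group(1).lower())
            nets.append(cur)
        elif cur is None:
            continue
        elif line.startswith("SSID:"):
            cur.ssid = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            cur.privacy = "Privacy" in line
        elif line.startswith("WPA:"):
            cur.has_wpa = True
        elif line.startswith("RSN:"):
            cur.has_rsn = True
    return nets


def is_default_ssid(ssid: str) -> bool:
    """Factory SSIDs are usually the vendor name, sometimes with a suffix."""
    return ssid.upper().startswith(DEFAULT_SSID_PREFIXES)


def findings(net: Network) -> list[str]:
    """Problems for one network; an empty list means nothing to report."""
    out: list[str] = []
    sec = net.security
    if sec == "OPEN":
        out.append("open: anyone in range can join and read the traffic")
    elif sec == "WEP":
        out.append("WEP: key recoverable from captured traffic; use WPA2")
    elif sec == "WPA":
        out.append("WPA/TKIP only: prefer WPA2 with CCMP (AES)")
    if is_default_ssid(net.ssid):
        out.append("factory-default SSID: admin password probably unchanged")
    return out


def audit(text: str) -> dict[str, list[str]]:
    """BSSID -> findings for every network in the scan text."""
    return {n.bssid: findings(n) for n in parse_scan(text)}


if __name__ == "__main__":
    for bssid, notes in audit(SAMPLE_SCAN).items():
        print(bssid, "; ".join(notes) or "ok")
```

Run it against real output with `iw dev wlan0 scan > scan.txt` and feed the file to `audit()`. Only the scan text is consulted, so the script never associates to anyone's network; an open network and a vendor-name SSID on the same BSSID is the combination the post describes, and it is reported as two separate findings.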
Let’s just go back to the first item. If you can connect to the router with a wired connection (plug in an RJ45 lead) then all the wireless protection is irrelevant: if the administrator password has not been changed, you are in.
The Crusher had occasion to stay in a small hotel. The WiFi system was not working at all well and the router was on a table in the main lounge. Plug a wired connection in, enter ‘admin’ and ‘password’, and there was immediate root access to the router and a quick indication of where the problems were. Now, access was with the permission of the owner and the problems were sorted out, but an unscrupulous person could have made changes that would have gone unnoticed yet allowed access from remote. Of course, the password was changed and the system secured before leaving.
The old adage ‘caveat emptor’ is as relevant here as anywhere else. Far too many purchase equipment, take it out of the box, plug it in and play. Unfortunately, in most circumstances, that is all that is needed for it to work - to work safely and securely takes a bit more knowledge.
Posted on December 3rd, 2009 No comments
We know that a General Election is coming in the UK. The current government is now in the last Parliamentary session before they must prorogue Parliament and send members back to their constituencies to seek re-election. The last date that the election can be held is June 2010 - that is the time when the 5 year maximum period runs out.
So, the Government must go to the country. The likelihood is that the election will be before the absolute last date, possibly on Thursday 6th May. This is the date already set-aside for district council elections in England so it would make sense for the General Election to be held on the same day.
Of course, the election may come sooner and The Crusher hears whispers that a date in March may already be in consideration.
The recent State Opening of Parliament (18th November) saw one of the shortest Queen’s Speeches ever, as plans for future legislation were cut back and cut back to the absolute minimum. Many expected measures were dropped in the rush to cut back to what the Govt. thought they might just be able to squeeze through before the election. Perhaps the headline piece was the Digital Economy Bill, which has now received its Second Reading in the House of Lords. This rather contentious piece now passes to the committee stage, which will not now take place until January. That is beginning to look mighty close to the election. The Crusher is minded to think that there may be very little of the contents of the Queen’s Speech that will actually make it all the way to the Statute Book.
But - as we now run up to the election, and the State Opening was perhaps the first and opening element of the election campaign, a look at something elsewhere in Europe. A General Election was held in Portugal on Sunday 26th September. Posters across the country exhorted the population to cast their vote. But one poster caught the eye of The Crusher - a large billboard alongside the main road leading to the airport just outside central Lisbon.
Now, clearly child protection is an issue in Portugal as it is here in the UK. Perhaps we are less likely to see campaigning here on this particular front. Translated, the poster reads:
“If you want to provide paedophiles with freedom, continue to vote as you would normally. For chemical castration of these criminals and to change Portugal, vote MMS.”
This particular party did not win the majority mandate - the election returned the previous centre-left government but with a reduced majority.
Somehow it seems unlikely that we will see this poster reproduced here in the run up to the General Election.
Posted on October 17th, 2009 1 comment
The Parliamentary Internet Conference held at Portcullis House, House of Commons, on 15th October was an interesting day - not just an opportunity to hear Ed. Richards (CEO Ofcom), Martha Lane Fox, Stephen Timms and others but also the opportunity for the All Party Communications Group (apComms) to release its report into its inquiry, ‘Can we keep our hands off the net?’
apComms called for evidence and submissions over the summer (during the Parliamentary recess - a period that most people link with lack of work and extra long foreign holidays for our elected servants) and has now put together a report and a series of key recommendations. There are 11 recommendations on a wide range of topics, from Privacy to dealing with illegal (or ‘unlawful’ as the noble Lord, the Earl of Erroll corrected) file sharing, from behavioural advertising to eSafety tuition in schools.
But, The Crusher was rather taken with two recommendations that appear to be at opposite ends of an argument.
There has been much discussion about the likelihood of Government mandating the filtering of child sexual abuse imagery at the network level by ISPs. In 2007, Ministers set a target of 100% of consumer broadband circuits to be filtered - so far that target has not been reached, although there are suggestions that the proportion of consumer circuits now subject to filtering is in the mid to high 90s% range.
Recommendation 7 is that the Government does not legislate to enforce the deployment of blocking systems based on the IWF lists. This has the potential to damage future attempts to fix problems through self-regulation and will thus, in the long term be counterproductive.
The thinking here is that all major ISPs already block access to child abuse images and that any action to force others to take action will be counterproductive as it militates against attempts to find self-regulatory solutions to other problems.
OK, that is fairly clear although there may be some issue with the perception of the extent of current filtering practice. Whilst the number of consumer circuits with filtering in place may be in the mid to high 90% range, these may well be as a result of the actions of fewer than 10 large ISPs. The Crusher understands that the number of ISPs currently implementing child abuse filtering may well only be in the order of 20 to 30 - with some 270 plus mainly medium to small ISPs not currently implementing any form of network level filtering.
The report then goes on to consider the problem of malware infected machines. Machines infected with malware are likely to become part of a large scale ‘botnet’ and potential distributed sources of junk email and denial of service attacks. The problem is that the infected machines are not ISP equipment; they are machines owned and used by end users who may have greater or lesser understanding of the security implications of always-on broadband Internet connectivity.
Recommendation 10 is that there should be a voluntary code for ISPs relating to the detection of, and effective dealing with, malware infected machines in the UK. If this voluntary approach fails to yield results in a timely manner, then Ofcom should unilaterally create and impose such a code on the UK ISP industry.
The report notes that ISPs have systems in place to proactively filter incoming junk mail but do not take actions to filter outgoing junk. The report continues, ‘a reduction in compromised end user machines is essential to make the Internet a safer place, so the ISPs need to act voluntarily as a group to improve the situation ….. if the ISPs cannot voluntarily agree to act, the report sees Ofcom as the appropriate regulator to impose a compulsory regime.’
Interesting stuff. Filtering out material from infected machines will not be easy and will not be cheap - so additional development and application costs for the ISP (and, ultimately the end user). But, note the sting in the tail here - if self-regulation does not work then a compulsory regime should be imposed.
The Crusher sees some lack of joined up thinking here. On the one hand the report suggests that mandatory child sexual abuse imagery filtering should not be applied as it militates against self-regulation in other areas - and then recommends a compulsory regime for filtering the output of malware infected machines, albeit in the event of a failure of self-regulatory approaches.
The Crusher is intrigued: a self-regulatory approach has seen pretty well all ISPs implement filtering to identify and remove incoming junk mail and virus infected items. For most that has been a commercial decision, but there is undoubtedly a cost for the ISP. Self-regulation is now being proposed to require ISPs to filter and remove outgoing junk and infected items. There may also be actions in relation to unlawful (thank you Merlin!) file sharing. But the one thing that is illegal is to view child sexual abuse imagery (possession of indecent images of children is a criminal offence) - there is self-regulation but mandatory filtering is not recommended. Yet it is for dealing with malware - and as far as I am aware it is not yet a criminal offence to leave one’s Internet connected computer unsecured, without anti-virus or firewall protection.
The apComms group seems to have worked on elements individually and with application of specific evidence - but the linkage of items from one part to another seems to have failed. Joined up thinking in the final output would have been helpful.
The full copy of the apComms report can be found here
Posted on June 19th, 2009 No comments
It has been a week of digital reports. On Tuesday the Digital Britain report was launched - introduced in the House of Commons at 15.30 and then a little later in the Lords. Lord Carter’s report has been much reported and commented on elsewhere, so the major points will be well known - particularly the proposal for a 50p per month levy (or tax!) on all landline telephone circuits to help fund next generation networks and high speed broadband (fibre to the cabinet etc.) by 2017, and proposals for industry action against file sharers.
But, as ever, the interesting bits are always in the details. Stephen Carter’s ‘Digital Britain’ report (you can download a copy here) contains proposals for legislation to take action against persistent file sharers. Here again is the three strikes route, but there is recognition of the need for judicial review before termination - and there is also some recognition of the potential for problems for the smaller ISPs.
But, in the media frenzy that accompanied Lord Carter’s report, there seemed to be little attention paid to another digital report published this week, the ‘Digital Manifesto’ published by the Children’s Charities Coalition on Internet Safety (CHIS). You can download a copy of the Digital Manifesto here. The Digital Manifesto, written by John Carr, Secretary of CHIS, and Zoe Hilton of the NSPCC, is a new version of a document originally issued in 2004. Since that time there have been substantial changes in the provision of high speed services and the availability of new types of content and service. It is apposite that the new Manifesto is now available, particularly in the run-up to the next General Election.
Of particular interest to those with an eye on the regulation of the Internet industry are the recommendations for action in the area of content blocking and filtering of access to child abuse content. Typically the sites containing abuse content are identified by the Internet Watch Foundation who are able to provide subscribing ISPs with a CSV blocklist.
The report suggests: “The Government should prepare a Bill that will compel all internet service providers based in the UK to adopt the Internet Watch Foundation list, or some other technical solution that blocks access to all known child abuse websites and newsgroups. The Bill should also detail or make provisions for a method by which compliance with this policy can be tested and publicly confirmed. If it becomes clear that some ISPs will refuse to implement a blocking solution unless compelled by law to do so, the Government should immediately put the Bill before Parliament.
In the meantime the Government should issue an instruction to all departments forbidding them from purchasing internet services from any ISP that does not deploy a solution that blocks access to all known child abuse websites. The Government should also encourage the remainder of the public sector to follow its lead. The Government should consider the use of tax or other incentives to encourage ISPs and other technology companies to develop and deploy new or speedier ways of tracking, blocking or destroying online child abuse images.”
Some background is worth entering here. In 2006, the then Minister of State at the Home Office, Vernon Coaker, announced a Ministerial target for ISPs to introduce content filtering to block access to child abuse sites for all (ie 100%) of consumer broadband accounts by the end of 2007. This followed the trials conducted by BT with their ‘Cleanfeed’ system. It is estimated that now, in 2009, the implementation of content filtering is about 95% with predominantly consumer circuits filtered by the big 6 ISPs. There is now considerable pressure for action to be completed to close the remaining 5% gap - suggested as representing some 700,000 households.
There now appear to be some distinct groupings amongst ISPs. There is a group that have implemented filtering, there is a group that have fundamental philosophical objections to the process; there is a group that claim that they cannot afford the cost and there is a final group that will not take any action unless they are forced by legal mandate.
OK, the last group are clearly targeted by the Manifesto recommendations. The cost issue is a little more of a problem. The initial costs for large scale providers such as BT were not inconsiderable. Although costs have come down they remain potentially high for the smallest providers, particularly those who only have a few hundred, perhaps a thousand end user customers. For these the unit costs can be substantial and potentially more than the margin on circuits in the tight UK market. It is interesting to note a comment amongst the detail (the devil is always in the detail!) in the Manifesto (footnote 60 to be exact) with a suggestion that there should be central Government support for the smaller providers, perhaps included within the provisions of the upcoming Communications Data Bill. ‘The Crusher’ thinks that any such support would help those for whom the costs of filtering represent a disproportionately large element of overall provision and might be targeted at those with fewer than 1000 consumer connections.
‘The Crusher’ is aware of the pressure to close the gap. At the end of April ‘The Crusher’ had a meeting with a Home Office Minister who emphasised the Government’s commitment to the 100% target and the need to see self-regulation deliver filtering across all consumer circuits within the next few months. If the self-regulatory model were to fail then there was a clear indication that the Government would look to introduce mandatory legislation later in the year, perhaps in October. This would be likely to be seen as a non-contentious Bill that would attract cross-Party and media support.
The CHIS Digital Manifesto is a pointer for action by the ISP community. It is clear that the issue will not go away and that ISPs will need to take action. There is now a European dimension to the issue, with a proposal for a Framework Decision which includes, as Article 18, a clause requiring member states to introduce mandatory blocking of child abuse images.
The Manifesto recommendation that Govt. should include filtering as a requirement in public sector contracts is interesting - and would follow the inclusion of quality management and environmental management credentials. The forthcoming ISPA Awards will be interesting - and there may well be pressure on winners, particularly in consumer delivery categories to state and, if necessary, to justify their position in relation to the Govt. target and the Digital Manifesto recommendations.
In a week when we saw two digital reports, it may well be that the recommendations of the CHIS Digital Manifesto have the greater chance of becoming law.