RE: [secdir] [New-work] Proposed W3C Charter: eGovernment InterestGroup (until 2008-05-19)

• From: Hallam-Baker, Phillip <pbaker@verisign.com>
• Date: Thu, 17 Apr 2008 10:29:03 -0700
• To: "Ian B. Jacobs" <ij@w3.org>, <public-new-work@w3.org>
• Message-ID: <2788466ED3E31C418E9ACC5C3166155734CB41@mou1wnexmb09.vcorp.ad.vrsn.com>

While the subject matter of data integration is important, I am concerned that the charter makes no mention of security issues. In particular the integrity and authenticity risks.

One example of this type of risk is seen in the story in yesterday's New York Times. A phishing attack targetting company executives was disguised as a government subpoena:

http://www.nytimes.com/2008/04/16/technology/16whale.html?_r=2&oref=slogin&oref=slogin



The principle risk in human/machine interaction is that the human will assume that a data source is authentic when it is not. This is actually a far greater real-world risk than confidentiality issues.

The risk here is that the machine/machine interactions will not be authenticated at all or authenticated only weakly. 

Without putting to fine a point on the issue, I predicted the current issues we are experiencing with Internet crime back in 1994. I now regret not having pressed the issue harder at that time. This time I do not intend to repeat that mistake. 

In 2004 I published one of the first articles to bring attention to the fact that Internet crime was no longer mere vandalism but is now professional. Last year our iDefense group developed a report that demonstrates that at least some of the Internet crime rings are working with the active support of the states from which they opperate. While this has been true of third world countries for some time there are now world powers doing the same. The situation very much resembles the 'privateer' phase of piracy in the mid 1600s when the likes of Drake stole the gold that the Spanish had stolen from the natives of South America. I expect this particular phase to be short lived but we should remember that even after they lost their national sponsors the Barbary pirates were still causing issues for Jefferson 150 years later.


As an example consider the plan to publish the London Gazette in semantic web RDF tripples:
http://2008.xtech.org/public/schedule/detail/528


I have been looking at this data because as you might imagine it is very interesting for a provider of digital certificates. But only if it is trustworthy.


Publishing the information does not constitute a confidentiality risk, but there is a serious integrity risk once British companies start to make use of the information.

For example the Gazette carries bankruptcy proceedings. We can imagine therefore that an early application of the semantic Web feed will be for credit agencies to note these announcements. Let us imagine that a company that uses this data is Acme credit.

At present the Gazette is published via HTTP, there is no SSL certificate and even if the transport were secured via SSL the security provided would only be transport level and not message level which is what you would want for archival purposes.

Let us imagine that Bolls-Boyce is bidding for a contract to supply aircraft engines and that the contract value is $100 million. Bids are solicited via anonymous tender through a purchase portal. But in order to eliminate frivolous bids the portal uses the credit rating feed from Acme. Since this is only intended to weed out frivolous bids only the most basic checks are performed: this is expressed as a package: does the company exist, is it solvent?

Now let us imagine that an unscrupulous competitor wants to win the contract but have no intention of risking being underbid by Bolls-Boyce. They hire a hacker group to perform either a DNS pharming attack against the gazette or possibly a BGP subversion that affects Acme. On the hacker underground these services should not cost more than $500.

The group redirects the site through their proxy. They then insert a bankruptcy notice for Bolls-Boyce. Then they request a credit report from Acme causing it to request the gazette record. Once Acme has the bankruptcy notice in the cache any bid from Bolls-Boyce is discarded. The competitor wins the bid. The confidentiality of the process ensures that their tracks are completely covered once the attackers insert a correction into the data stream.

Note that this same attack is possible today using the human readable copy of the Gazette. 

Note also that attacks of this type are not unknown in the aircraft industry. In fact there are several instances of this type of behavior. The sales commissions on an aircraft are going to be more than enough incentive for a less than scrupulous salesperson to engage in this type of tactic regardless of the honesty of their employer.


The professional gangs are moving up the value chain. Pretty soon they will have got bored of bank fraud and the returns will decline in any case as robust strategic countermeasures are deployed. 

It would be a mistake of catastrophic proportions to fail to consider security in this work. Even though the data concerned is not confidential it is trusted. And trusted data that is not trustworthy is a security issue waiting to happen.


> -----Original Message-----
> From: secdir-bounces@mit.edu [mailto:secdir-bounces@mit.edu] 
> On Behalf Of Ian B. Jacobs
> Sent: Thursday, April 10, 2008 1:52 PM
> To: public-new-work@w3.org
> Subject: [secdir] [New-work] Proposed W3C Charter: 
> eGovernment InterestGroup (until 2008-05-19)
> 
> 
> Hello,
> 
> Today W3C Advisory Committee Representatives received a 
> Proposal to create a new eGovernment Activity (see the W3C 
> Process Document description of Activity Proposals [1]). This 
> proposal includes a draft charter for the eGovernment Interest Group:
>   http://www.w3.org/2008/02/eGov/ig-charter

> 
> As part of ensuring that the community is aware of proposed 
> work at W3C, this draft charter is public during the Advisory 
> Committee review period.
> 
> W3C invites public comments through 2008-05-19 on the 
> proposed charter. Please send comments to 
> public-new-work-comments@w3.org, which has a public archive:
>   http://lists.w3.org/Archives/Public/public-new-work-comments/

> 
> Other than comments sent in formal responses by W3C Advisory 
> Committee Representatives, W3C cannot guarantee a response to 
> comments. If you work for a W3C Member [2], please coordinate 
> your comments with your Advisory Committee Representative. 
> For example, you may wish to make public comments via this 
> list and have your Advisory Committee Representative refer to 
> it from his or her formal review comments.
> 
> If you should have any questions or need further information, 
> please contact José M. Alonso, eGovernment Lead 
> <josema@w3.org>. See also information about W3C's current 
> work in eGovernment:
>   http://www.w3.org/2007/eGov/

> 
> Thank you,
> 
> Ian Jacobs, Head of W3C Communications
> 
> [1]
> http://www.w3.org/2005/10/Process-20051014/activities#ActivityCreation

> [2] http://www.w3.org/Consortium/Member/List

> 
> -- 
> Ian Jacobs (ij@w3.org)   http://www.w3.org/People/Jacobs/

> Tel:                     +1 718 260-9447
> 
> 
> _______________________________________________
> New-work mailing list
> New-work@ietf.org
> https://www.ietf.org/mailman/listinfo/new-work

> 
> _______________________________________________
> secdir mailing list
> secdir@mit.edu
> https://mailman.mit.edu/mailman/listinfo/secdir

> 

Received on Thursday, 17 April 2008 17:29:30 UTC