Friday, May 30, 2014

A Forensic Hole In Ontario

I have a habit of noticing things, and then questioning what I just saw.  This then generally leads me on a series of questions as I dig deeper into “why” something happened, and why that thing happened, and the cause of the thing that made the thing happen that caused the thing I noticed.

One such area where this happens is electricity.  

As a kid, I used to notice the lights dim briefly every evening on weekdays at about the same time each day.  This turned out to be a result of grid switching some 40 miles away from me.  The reason for the switching was to bring on extra power to cope with the evening demand as people came home and cooked and switched on the television for the night.  As an adult, I still notice things like this - though these days, it’s a little more complicated as to what’s going on because now I live in Toronto, where we have many more factors to consider, but I still notice when the electricity supply changes.  What many people don’t know is that in addition to these big changes that are easily perceptible by dimming lights, or a drop in the tone of the noise from your furnace fan or hairdryer, there’s smaller changes happening.  

Without going into the specifics of generation and transmission mechanics, the grid has small changes happening all the time and it affects everything from the brightness of your lights, to the hum of your air conditioning.  This changing hum is known as the Electric Network Frequency.  

The amazing thing about it is it’s a unique pattern - if you record the frequency at regular intervals on the power grid, you can then match it to the hum found on audio tracks in a video or the brightness of lighting and determine what time that video was filmed.  This is called Electrical Network Frequency (ENF) analysis.  In some countries, it is now being regularly used to determine the time that crimes happened.  

A while ago, the question that crossed my mind was “who in Ontario records this frequency to help criminal investigations in here?”.   I asked everyone from the generator to the distributor to the regulator, and nobody claims to keep a record of the frequency.

If that’s true, then that’s a shame.  From a forensic standpoint, this is a really good tool that have, and Ontario at least doesn’t have access to it.

Wednesday, May 28, 2014

We've got the wrong weather... again.

Regular readers know I follow the weather, and I do a little more than the average person, and I even have a copy of the bulk of the country's weather history, so I can pull out answers to questions.

Today however, I just had a thought:  The usual "W" pattern for the air pressure in Toronto at 10pm might be different for this month as we just had a bank holiday.  I quickly ran the numbers off manually from Environment Canada and highlighted the bank holiday in green.    

Sure enough, the value for Monday was similar to the Sunday and Saturday, lending more weight to my thoughts that this is a manmade problem.  I checked the week before's data and that looked approximately how I'd expect it to look, though a bit week...  So, I just went back another week - and it appears that three weeks ago, the Tuesday appears out of whack...

This isn't a very scientific set of data, but it appears that the month of May this year has the wrong weather.

As a refresher, this is what the right weather should look like:

I think that what I need to do in the coming days is update my personal copy of the weather history and recrunch the more recent numbers on a bigger data set, to see if we can determine if this is part of a bigger trend, or just an anomaly for the month as I have seen this before.  The question is "when did I see this?"...

The Internet Of Things is Driven By Insurance

The basic business model of the Internet so far has centred around advertising.  You give up some of your privacy and your demographic information is sold to fund the service you use for free.  

The Internet of Things (IoT) is a new emerging part of the Internet that we’ve seen coming for a long time, but it’ now starting to really take off.  Have you wondered what it’s business model is?


  • The self driving car or car with an internet tracking system is less likely to have accidents or be driven erratically, so your car insurance company is happy to listen to data of what it’s doing.
  • The internet enabled fridge will make your health insurance company happy to hear that you keep running out of vegetables, and less happy about that full-fat mayo that you keep getting through.  
  • The same health insurance company will likely reward you soon for fuelband/fitbit data.  Participation in exercise and healthy lifestyles is tough to monitor but easy with a fitness band or similar equipment. 
  • The home alarm system, yep, that will tie your coming and going habits to the home insurance, too.

The next big battle is going to be over those who compete for discounts in insurance, and those who get penalized with higher premiums because they fail to conform to what the insurance companies want you to do.  Just think about that for a moment…  This isn’t about loss compensation, this is about loss control.  If you manipulate people into doing safer things, you control your potential losses.

Now, before you think it’s all doom and gloom here, there is a flip side to this coin:  
With automation and monitoring comes the elimination of some risks.  

The point of sensors in things is to detect the condition of things.  If you can now reliably eliminate bad things before they happen, there’s no point in insuring for the bad thing happening.  This means insurance companies are going to have to look for new risks to charge you for and profit from.

This is going to be very interesting to see how it plays out.  I have a feeling, though, that it’s not going to be a smooth ride.

Monday, May 26, 2014

Humans are the weak link in security

It may have escaped your notice, but Chinese hackers have been pilfering secrets from the USA and this has been in the news a lot.  The underlying story for the non-technical minded is that the “weak link” in the security chain wasn’t technology, but humans.  That’s where the exploits happened - they were asking people to give up information using some fairly standard means.

I was explaining last week how I discovered something online that also fell into this area of vulnerabilities with banks and ISPs in Canada.  I raised the alarm and I’m still waiting for confirmation that everyone has closed off the hole before I say publicly what it was…  However, I discovered something this morning that continues along the line of “It’s all secure until someone has a lapse of security caused by policy, oversight, or human error”…

This time it’s with Toronto Hydro.

First, I’m going to take a step back and explain something about certain websites where a security design becomes a flaw.  Then you’ll hopefully see the logic of what’s wrong here.  

Many websites have a security feature that locks an account for anything from a minute to a permanent lock, if you get the login credentials wrong several times in quick succession.  This security feature means the site has also given others a simple tool that can be turned upside down and used in a malicious manner.  Lets imagine the website is an online auction site; if I’m bidding against you and you keep upping the bid on an item I really want, I could just wait until we’re a few minutes away from the auction ending, and then I log out of the website and enter your username and any made-up password several times to suspend your account.  Now, I go back in as myself, increase the bid by a penny and you can’t log in to outbid me as you’re on the phone with technical support trying to get your account unlocked, so I win.

This is a classic case of oversight in the pursuit of security.

Today, I walked into the lobby of a building that I was visiting.  I came across this:
(Click for enlargement)

Toronto Hydro put the account number and address on a public piece of card, and then left it for all and sundry to see.  Their way of making sure you're secure by requiring an account number is now the one thing you can reverse for malicious means. This could go wrong in so many ways, especially if you’re in a similar position to me where you know the name of the account holder.  For instance a person that wanted to be malicious could:  

  • Remove the card, so the effectiveness of posting the notice is diminished and the building gets disconnected.
  • Send bad payment information to that account so it incurs fees on that account.
  • Phone up Toronto Hydro, give the name of the account holder and address of the building and claim you’re not going to pay - when they ask to confirm the account number, you’ve got that too, as well as the balance.
  • Send around this information publicly to tarnish the person’s reputation.
  • Hire some people to turn up on the day before the disconnection with official looking paperwork with the correct account number and other information, and say that if you get payment now, you’ll not disconnect.  You’ve now collected the money instead of Toronto Hydro, and they still get disconnected.

These are just the simple things you can do with the information that they’re giving out.   From a technical standpoint, you can wire this up in all manner of ways and do way worse things.

It’s clear that Toronto Hydro doesn’t intend to deliberately post public information to compromise customer security, but it’s equally clear that they’re operating on the same security footing as most banks, ISPs, telco’s and other large institutions where the weak link is now not inside they’re systems, but the things humans do outside them.  No amount of firewalls or other encryption technology is going to catch this kind of policy error.

Hopefully, someone will review this oversight in time.

Friday, May 23, 2014

What I learned last night.

Last night I was doing one of my regular sweeps of the Internet to see if the institutions and companies I frequently deal with have breached and leaked information pertaining to me.  In the past, this has proven to be productive for me, though it does make for a thorny relationship with some organisations.

People often ask why I go to such lengths, and my answer has usually been that I just don’t trust the suppliers who I deal with to do an adequate job.  Naturally, every supplier I deal with, whether it be a bank, retailer or telco, will vehemently fire facts and figures at me then try to throw legalese at me as if instead of me saying “I believe they do a crap job at security”, they act like I’ve stated “they’ve done nothing”.  

Yes, it is true that some of these institutions have security teams, and it’s also true that some have spent millions of dollars on security, but no amount of hardware and firewalls is going to counter the effects of complacency, or blind-sightedness to certain security risks by their own internal teams (or worse the management in charge of these teams). 

That is why I do these sweeps a few times a year.

It was during one of these manual sweeps last night, that I stumbled into something that left many Canadians open to the possibility of fraud and theft, though only a small number of people had so far been affected - under 100 as a rough estimate.  

In this example, no amount of hardware at a bank or ISP would have caught the security issue, because this was a technical blind-spot caused by human activity outside their systems, not within them. Having confirmed a number of national organizations were blind to the problem, I documented it as I found it, and then left it where it was.  

At this point I raised the alarm…  (there's a reason I'm not publicly saying what the issue was, so as to give time for the other organisations to do what they need to to)  

The important lesson I learned from last night’s discovery was that there was only one organisation that I could prove had the foresight to act on the same type of issue I was looking for.  They'd found the problem before I did and had closed themselves off from it. 

That organisation was Scotia Bank.  

If I invert this logic, I think it's safe to assert that I now know which Canadian organisations have a security blind-spot where humans are concerned.

I think I’ll keep doing my sweeps.

Tuesday, May 20, 2014

What the BK were they thinking?

I think I live in another world to many other people…  

I consider myself very open-minded and tolerant to the fact that the world is a complex place.  I also consider myself modern-minded, and I recognise that many things I have been taught by people who act in a position of authority is often completely wrong.  For example, at one point or another in my life, I’ve been told by teachers and other “authorities on the matter” that a) Pluto is a planet. And b) Diamonds are made of compressed coal and they’re so hard that only another diamond can break a diamond.  But, I now know Pluto is just a planetoid (a failed planet) and a two year old with a normal hammer can turn a diamond to dust.  

Even recently, I’ve heard people who still believe there is no gravity in space and that the great wall of China can be seen from space, despite the evidence that gravity has us circling around the sun, the astronauts couldn’t jump off the moon, and I’ve heard Cmdr Chris Hadfield first hand say that you can’t see the great wall of China from space - but you can see the Highway 407 north of Toronto.

So, armed with this open-minded attitude, I came across a slew of news articles about Burger King’s new slogan “Be your way”, instead of the old slogan “Have it your way”.  Every one of the articles went one of two ways.  Either:
Burger King are trying to out-cool McDonalds and this is great.
- or - 
Burger King are trying too hard.

Traditionally, I personally see Burger King as a condescending corporation with irritating advertising.  In Canada, their TV adverts didn’t just say “Have it your way” and be done with it… No, they add this “smarmy neighbour gloating over the garden fence” style of advert narrative where you’d suddenly hear “”Hey Canada! Have a look at our blah blah”…  They then finish off the adverts with “Have it your way, Canada!” in a tone that sounded like being in Canada was an affliction.  If you can imagine a late-teen male bully addressing a victim with something along the lines of “”Great hair, fatbo-o-o-y!”, this is precisely how that tagline comes across.  Every time.

For me, this news sounded like they were going after the LGBT crowd.  As I do on many occasions, I went back to the original release that Burger King put out just to get it from the horses mouth.

In the first paragraph of the news release (check the original and you’ll see I’ve not edited this), I saw that the new slogan “reminds people that no matter who they are, they can order how they want to in BURGER KING® restaurants and that they can and should live how they want anytime. It’s ok to not be perfect.

What the BK were they thinking when they approved that wording?  It's worse than their usual adverts!

Tuesday, May 13, 2014

Weather Map Thoughts

This post whilst public, is actually a response to the Weather Network Roundtable discussion on map products this week, and previously I didn't have an example of what irks me and now that I have, it was too large to put in a simple tweet.

Above is a map that went out on Social Media on the morning of May 13 2014.  I'll quickly run through the three things that leap out at me:

The first problem with any time sensitive image on Social Media is you need to be specific about dates and times.  A map titled "Today" may mean May 13th right now, but if I'm scanning my twitter feed at 12:30am before bed, "today" might mean tomorrow. 

Additionally, is "today" inclusive of "tonight" or will a second map replace this one this evening? Again, this isn't clear and so for all I know, this map could be talking only about events that commence after 5pm.

The second problem is according to the legend, we have possible states:  Severe, and Non Severe.  Given the map is coloured with only the "non severe" colour, you'd think at a glance that this means there's not going to be any severe event because nothing is coloured in as severe... Except the non-severe area is negated by text saying that an isolated severe event might happen.  So really, this map should have one colour that says "thunderstorms, with some isolated severe" rather than say "it's non-severe, except where it's not".

The third and final problem is the ambiguity of using the "isolated severe" text.  Is that written where it is because of space issues? Is the severe event only over Michigan, western Ontario and the Bruce Peninsula? Or does the isolated severe event apply to everywhere in the non-severe coloured area?  Again, this is largely open to ambiguity.