must be the final nail in the coffin for the government’s national ID card programme. If council staff are able to snoop at our records so easily and undetected for so long, then how can an even larger and more complex database be safe?” Indeed - who guards the guards?
“It has been reported that ‘routine checks’ unearthed these cases,” Hall continued, “but, if there are breaches dating back to 2006, then they are not proving very effective. Such negligence reinforces the need for custodial sentences for breaches of the Data Protection Act.”
Microsoft working on secure web browser

Steve Gold

Microsoft’s research operation has published a paper detailing a security-enabled web browser application code-named Gazelle. The most interesting aspect of the Gazelle web browser is that it devolves many of the security features of the operating system into the browser code, which effectively takes a kernel programming approach to the browser client, Infosecurity notes.

The paper - The Multi-Principal OS Construction of the Gazelle Web Browser - describes a browser client acting as a “multi-principal” operating system, with a ‘principal’ defined as a single, unique connection to a website. This appears to be a new approach to website interactions, Infosecurity notes, as conventional web browser clients are really designed for sequential browsing of static pages, even if those sites are then ‘tabbed’ into a series of page views, as seen on Internet Explorer 8 and Mozilla Firefox 3.

According to Microsoft, by defining each website interaction as a principal, each ‘page view’ can be discretely handled within the memory of the computer. This appears to take a ‘memory sandbox’ approach to web browsing, similar to that seen in Google’s Chrome but taking security to new levels.

“Gazelle’s Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals,” says the paper. “This construction exposes intricate design issues that no previous work has identified, such as legacy protection of cross-origin script source, and cross-principal, cross-process display and events protection,” it adds.

It comes as no surprise that the paper’s authors say they have developed a prototype Gazelle web browser based on Internet Explorer, with each principal placed into a separate protection domain so they are protected from each other. “Just as in desktop applications where instances of an application are run in separate processes for failure containment, we run instances of principals in separate protection domains for the same purpose,” says the paper.

“For example, when the user browses the same URL from different tabs, it corresponds to two instances of the same principal; when a.com embeds two b.com iframes, the b.com iframes correspond to two instances of b.com; however, multiple same-origin frames in a page are in the same principal instance as the page,” it adds.

Gazelle’s developers also claim their browser can beat the current competition in its handling of other common security flaws. There is no indication when - and if - Gazelle will be released, but the technology could eventually find its way into the real world via Windows 7, which currently borrows most of its TCP/IP interaction features from the Vista operating system.
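The instance rules quoted from the paper can be modelled in a few lines. The sketch below is an added illustration, not code from the Gazelle paper or from Microsoft; it assumes a principal is identified by a URL's origin (scheme, host and port), and the names createKernel, openTab and the frame-tree shape are hypothetical.

```javascript
// Added illustration: models the principal-instance rules quoted above.
// Assumption: a principal is the URL origin (scheme + host + port).
// createKernel, openTab and the frame-tree shape are hypothetical names.

function principalOf(url) {
  return new URL(url).origin;
}

function createKernel() {
  let nextId = 0; // one counter per kernel, so instance labels are unique

  // Walk a frame tree in pre-order. A frame shares its parent's instance
  // only when both have the same origin; otherwise it gets a fresh
  // instance, i.e. its own protection domain. A top-level page (no parent)
  // always starts a fresh instance, so two tabs never share one.
  function place(frame, parent, out) {
    const principal = principalOf(frame.url);
    const instance =
      parent && parent.principal === principal
        ? parent.instance
        : `${principal}#${++nextId}`;
    const placed = { url: frame.url, principal, instance };
    out.push(placed);
    for (const child of frame.frames || []) place(child, placed, out);
    return out;
  }

  return { openTab: (page) => place(page, null, []) };
}

function countInstances(placements) {
  return new Set(placements.map((p) => p.instance)).size;
}

// Constructed sample: the same a.com page opened in two tabs; the page
// embeds two b.com iframes and one same-origin a.com frame.
function demo() {
  const kernel = createKernel();
  const page = {
    url: "http://a.com/index.html",
    frames: [
      { url: "http://b.com/ad1.html" },
      { url: "http://b.com/ad2.html" },
      { url: "http://a.com/sidebar.html" },
    ],
  };
  return { tab1: kernel.openTab(page), tab2: kernel.openTab(page) };
}
```

Each tab ends up with three protection domains: one for a.com (shared by the page and its same-origin frame) and one for each b.com iframe.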
European Union to investigate internet telephony eavesdropping

Steve Gold

Against a backdrop of the increasing use of internet telephony (aka voice over IP) by criminals as a way of avoiding wiretaps, the European Union has thrown its weight behind research into how to monitor internet telephony calls on a cost-effective basis.

The European Union’s Judicial co-operation unit, also known as Eurojust, has announced it is working on a Europe-wide feasibility study into how legal VoIP telephony monitoring would be possible. Eurojust is a European Union body established back in 2002 to enhance the effectiveness of legal authorities when dealing with the investigation and prosecution of serious cross-border and organised crime.

According to the Italian government, which is spearheading the Eurojust initiative, there are now real concerns that organised criminals and arms and drug traffickers are using services such as Skype to avoid traditional - and tappable - phone networks.

“The possibility of intercepting internet telephony will be an essential tool in the fight against international organised crime within Europe and beyond,” said Carmen Manfredda, Eurojust’s acting national member for Italy, in a press statement.
“Our aim is not to stop users from taking advantage of internet telephony, but to prevent criminals from using Skype and other systems to plan and organise their unlawful actions. Eurojust will make all possible efforts to co-ordinate and assist in the co-operation between Member States,” she said.

Manfredda and Eurojust’s Italian operation are now working on a VoIP eavesdropping initiative, which was requested by Italy’s national anti-Mafia directorate. The gameplan calls on Eurojust to try and overcome “the technical and judicial obstacles to the interception of internet telephony systems, taking into account the various data protection rules and civil rights.”

The problem facing Eurojust is immense, Infosecurity notes, as around half of internet telephony calls are now processed entirely across the internet, not touching the regular phone network at all.

It is not all doom and gloom, however, as Skype, one of the major VoIP service providers on the internet, has confirmed it is working with the relevant authorities on developing a monitoring technology for legal eavesdropping. This goes against previous reports that Skype was unwilling to cooperate with international agencies on the legal eavesdropping front.