Tuesday, February 17, 2009

Snakeoil and you

Security guru Bruce Schneier hit the nail on the head in describing why security is so maddeningly difficult:
The problem with bad security is that it looks just like good security. You can't tell the difference by looking at the finished product. Both make the same security claims; both have the same functionality.
Companies spend a lot of money checking out security claims by their vendors. Entire industries - for example, analyst organizations like Gartner Group - do a good business verifying vendor claims.

This keeps guys like me in pizza money, so I'm not complaining. It's a lot harder for folks who don't want to be a computer security geek. How can you tell the difference between good security and snake oil?

Unfortunately, mostly you can't. There, I said it.

It's bad enough on your home computer, where things are (relatively) simpler: personal firewall, antivirus, good choice of browser, patch regularly (that's Windows Update for most of you) - that's about all you can expect.

What about people you give information to? How's their security?

You can't tell. I know this, because I can't tell, either. This is bad, because in a sense, it's my job to be able to tell, and I can't. Don't tell Big Tech Company, because I like having pizza money.

And so, you see things like this:
A UK childcare voucher scheme has admitted that confidential customer data was briefly left exposed to other users during an upgrade last week, but denied suggestions that any sensitive information leaked as a result. ...

Nick Gibbins, a Busy Bees user who discovered the breach and notified the firm, states he found email addresses of Busy Bees customers, National Insurance numbers, bank account details, payment logs and service logs on the site. In a blog posting, now restricted but still available through Google cache, Gibbins claimed that personal data for over one hundred thousand users was exposed by lax web security at Busy Bees.
John Leyden describes the system architecture that this organization used; what's surprising is not that it leaked sensitive data like a sieve, but that it took so long for anyone to notice. Basically, it's built on ten-year-old software, which means "save a boatload of money by not upgrading the system, and anyway what could possibly go wrong?"

Unfortunately, it's not something that you can expect to find out - there's no way to look at a web site and say "Ooo - lousy security! I'll go somewhere else." Well, no easy way.

So what can you do? The only thing I can suggest is what I do - don't give out personal information to anyone at all, if you can avoid it. I'm quite comfortable with email for communicating with my kid's school - it's relatively simple to secure, so there's a halfway decent chance that the school will get it right.

A web site? Not a chance.

So choose a limited number of places you'll do business with over the web - Amazon, maybe. Your bank (grumble grumble). Limiting your exposure - at least until industry gets its hands around the web security problem - is your best defense. Anyone who insists that you use their "secure" web site to handle your sensitive information almost certainly has no idea how secure their web server is.

3 comments:

alan said...

I assume anything I put on the Internet is public. Even if it isn't now, there's a good chance it will be in the future.

The Internet is forever, and it never forgets.

It is most definitely not secure, nor will it ever be.

AnarchAngel said...

When we do our job well, no-one ever knows.

When no-one knows, they do not see the value.

When they do not see the value, they do not pay the cost.

When they do not pay the cost, they always pay the price.

Borepatch said...

Alan, you bet. I like the phrase "Google sees all, forgets nothing."

Chris, Amen. I think this is why security is so expensive.