Monday, 18 April 2016

Article: Using open WiFi securely


An Open Question

(Or How I Learned To Stop Worrying And Love Public Wi-Fi)

I recently wrote about some of the risks of using public WiFi, and some of the measures you can take to protect yourself. 

The article was first published in C Vu Vol 28 #1, March 2016 - the ACCU members' magazine.

Disclaimer alert: I am the editor of said magazine!

Friday, 15 April 2016

Privacy vs Security in Business

One Person's Security is Another's Privacy

There's been much in the news of late regarding the tension between (national) security and (personal) privacy. Apple vs. FBI, UK Gov's Investigatory Powers Bill, various anti-encryption proposals in the US and elsewhere, all putting security and privacy at odds with each other. There is another side to the story, however.

If you are a custodian of data about your customers - a Data Controller in the dry jargon of UK Data Protection Law - then you have a responsibility to take adequate measures to prevent that data from being accessed by unauthorized people, or being stolen. In effect, you are accountable to your customers regarding their right to privacy. It's not really your data, it's theirs.

A recent report by KPMG (Small Business Reputation & Cyber Risk) suggests that over half of small-business customers would be discouraged from using a company that had suffered a data breach, and that 90% of them are concerned about the safety of the data that businesses hold about them. In short, consumers - your customers - take their data privacy seriously.

It's not just about privacy, either. The issue of identity fraud is extremely serious, and growing, and at least some of the data used by cyber-criminals to impersonate people is gathered from personal information leaked by security breaches.

The KPMG report also claims that 86% of procurement managers would consider removing a business from their supplier roster after a breach. This is also a grave statistic for small businesses who fail to take their information security responsibilities seriously enough.

Which brings me neatly to my final point, also highlighted in that KPMG report. Over half of the small businesses surveyed think it unlikely - or even highly unlikely - that they would be the target of an attack. And yet another recent survey, by PricewaterhouseCoopers (commissioned and sponsored by the UK government - Information security breaches survey 2015), reports that 74% of small businesses had suffered some form of data breach in 2015.

Your customers value their privacy, and trust you to safeguard their data. It's your security that protects their privacy. If you don't take your own cyber-security seriously enough, you risk losing that trust.

Tuesday, 5 April 2016

The Old Ones are the Best Ones


The Low Hanging Fruit

Whilst vulnerabilities such as Shellshock, Heartbleed and DROWN are undoubtedly nasty, they aren't very easy to exploit, at least until they are identified. The thing with zero-day vulnerabilities like these is that it's generally quite difficult to identify them in the first place. It usually requires crafting malicious packets, probing for buffer over-runs, attempting large-scale denial of service attacks, or seeing if protocol flaws can be exploited. Or some combination of the above. All of these take skill and patience.

If you are the developer of a widely used encryption library, or a ubiquitous runtime library, then you do indeed need to care about these things. "Widely used" in this sense means having millions of users. And that's what makes such things attractive to attackers, and makes it worthwhile for them to concentrate their effort on finding those vulnerabilities.

However, it's not always the zero-day exploits that catch people out.

If your software is sending customer passwords in plaintext back to the MotherShip, or fails to correctly validate user input from a form, then attackers aren't going to bother looking for more subtle exploits. They've already found the low hanging fruit.

And this can happen to software that is widely used:

This isn't even low hanging fruit, it's fruit that's already fallen off the tree and is just lying there, waiting to be picked up. In this instance, the "attacker" had the best of intentions: to highlight a flaw in Valve's process. When they were notified, Valve immediately engaged with the perpetrator to get the problem fixed.

Not everyone takes their security so seriously, even after they've been exploited. The moral is this: it's better to find out if you have vulnerable systems before you're attacked by someone who almost certainly will not tell you they've done it!