Want to improve your security? Just turn off SSL!

I’ve had cause to work with some of the more common Vulnerability Assessment scanners recently, and I couldn’t help but notice that a lot of the findings related to incorrect configuration of, or bugs with, SSL implementations.

Changing Times - End of SMS Auth?

So like most things in security, decisions are made based on a set of assumptions, and it’s when these assumptions prove to be faulty that security can go quite badly wrong.

I was thinking about a fairly common assumption recently in light of Apple’s new Continuity feature. Over the last couple of years, as the weaknesses in password-based authentication models have become ever more apparent, there’s obviously been a drive to improve authentication, and one method of doing this is to use a different channel to send authentication tokens “out of band”.

One of the more common methods of doing this is to send authentication tokens over SMS messages. The theory is that this is a separate channel from the PC or tablet that is the primary device being used, so it should be harder for an attacker to compromise both channels, thereby improving security.

For example, if an attacker has access to a user’s PC (say by having placed malware on it which steals passwords and other data entered there), the idea goes that by adding SMS we make it harder for the attacker to compromise the whole authentication mechanism.

You can probably see, based on the starting paragraph, where this assumption is starting to fall down… With features like Continuity, SMS-to-email applications, or phone carriers who provide websites which allow for viewing and sending SMS messages, the barrier between these two channels is effectively pierced and SMS becomes much less useful as a second factor for authentication.

Now if an attacker can compromise the PC, it’s quite likely that they’ll get access to the user’s SMS messages at the same time, with all that entails.

Hopefully this line of thinking will get through to service operators, and they’ll realise that if two-factor or two-channel authentication is needed for their service, they’ll need to offer something more robustly separate.

The other thing I thought this was an interesting illustration of is differing incentives in the security world. Online service providers have an incentive for SMS messaging to be a good second channel for authentication data, as it’s something that almost all their subscribers already have access to, and it’s very cheap to use.

On the other hand, mobile operators and mobile ecosystem providers have no such incentive. Instead they’re working to make it easier for users to access all their information in a single place…

Finding security

So how do we know that the sites we use are secure? It’s an obvious question with no brilliant answer, but here’s an example of how we don’t.

Setting up a lab with VMWare workstation

This took me a little while to track down all the pieces, so it’s possibly worth a blog post (if for no other reason than so that I can find it again).

Changing Times - The end of Autocomplete='off'

For a long time the subject of browser password storage has been a relatively contentious topic in the Information Security world.

Open Source Responsibility

Unless you’ve been living under a rock for the last couple of days you will have noticed a bit of a kerfuffle about a vulnerability in OpenSSL. One of the more notable parts of this story has been the wide variety of large companies who have been seriously affected by the problem.

House of Cards

I was reading this post and I was thinking that this is another good example of the general theme in a lot of modern business and security.

People often neglect some of the “plumbing” of their website and don’t realise quite how important it is to their site’s security. In the linked example it was DNS: an attacker was able to get control of the site’s domain name and then essentially controlled the site. That’s one way of pulling it off, but there are others.

Good examples of services which are often overlooked but are critical:

  • Hosting services. If you use a VPS or the like and the hosting service is compromised, then the attackers can likely get access to your servers too. A good example of this was the Linode hack in 2013. There the attackers didn’t even have Linode as a primary target; they were after one specific customer.
  • DNS providers. If the attacker can control your DNS, they can redirect mail, carry out MITM attacks on web sites, and basically make a right mess of your system. Hacks on DNS providers (either social engineering or direct) are a common theme in stories of compromise.
  • E-Mail providers. Might not seem as critical, but how are most password resets done? By e-mail. If the attacker owns your e-mail service they can usually trigger password resets for other things like DNS or hosting.

So what makes me say these things are “neglected”? Well, look at the market and it’s pretty obvious. In a lot of cases the successful providers in these areas are the cheapest or easiest to use, not the most secure. Of course there’s the usual security problem of a “market for lemons”, in that all providers will say that they’re secure. I’d still recommend that if you have a system that’s important to you (and that’s true for an increasing number of companies who do business primarily on-line), then spending some time trying to find high quality “plumbing” will pay off in the long run.

Why security is getting worse

I was doing a talk for the OWASP meeting in Glasgow the other day, which covered the OWASP Top 10. I had made the point that the Top 10 is largely the same now (in its 2013 iteration) as it was in its original iteration in 2003. Someone asked me a question based on that which (roughly) was “Why isn’t security getting better?”

A Rambling Introduction

So herein is a new post on a new system that I may or may not keep up to date, like so many other venues.

Of Human Stupidity

For a number of years, I have felt that tech companies must be seriously lacking in acumen to take the policies they do with regard to their customers. Yesterday I noticed however that it is not restricted to tech companies, and it makes an interesting study in human stupidity to see this in operation.

So for example, a search for property management companies in the UK came up with this:

http://www.reviewcentre.com/reviews117367.html

I have no personal knowledge of the company involved, or whether the reviews in question are in fact accurate, but I find it inconceivable that any commercial entity would allow their customer service (or their marketing department) to be so egregiously bad as to have that kind of review show up in search engines. I mean surely they must realize that in the modern world, potential customers are going to look for reviews – and that it is not going to be a positive thing if you have a consistent 1 star rating.

But then I got to comparing it to the behaviour of tech companies – and I am afraid that three immediately jump to mind. I used to administer Lotus (heard of them?) technologies. At one point they had a massive chunk of the Office Suite, email, collaborative website and instant messaging market. Then they were bought by IBM and everything went downhill from there. There is no doubt in my mind that Domino was a superior product to early versions of Exchange. Equally QuickPlace was there before SharePoint was really more than a twinkle in Microsoft’s eye. I see that support was recently finally dropped for Lotus SmartSuite – but in its day it was way ahead of MS Office.

The same can be said of Novell NetWare. I loved that product back when, and I would defend NDS as a better directory service than AD until about ten years ago. Today who under the age of 30 has even heard of Novell? And AD runs most of the world’s internal networks.

One final example… Sadly I think Blackberry is going the same way. Considering that they have been relegated to fourth place in the mobile market, I think it unlikely that they will still be in the race (as an independent company) in a year’s time. And yet not so long ago they had the vast majority of the smartphone market.

And the common factor in all of this… Intellectual arrogance and the complete inability or unwillingness to listen to their customer base, or in any way to acknowledge that their product was not automatically superior just because it was the current market leader.

So two things I would take from this… Firstly, if I were a property management company I would seriously do something about my customer service before I allowed a simple Internet search to make me look that bad. Secondly, I would bet a lot of money against the tech press who are writing Microsoft off as a major force compared to Apple and Google. Consistently over the last 20 years they appear to have been the only company who genuinely care about customer service, and also one of the few who try to adapt to changing times. They have never made any claims about ‘doing no evil’ – but it consistently appears that caring for your customers on a day to day basis, and being seen to do so, makes good commercial sense.