Dataleaks - who is to blame?

Starting from November 2011 Finland has seen a few dataleaks, which have inspired many newspaper articles, radio & TV interviews, blogs and tweets. Read for example this and this to get a crasp of what's going on. Best way to dig further is to search twitterverse with #tietovuoto (#dataleak in Finnish) hashtag.

That's enough about what's been happening - there's a good chance that the saga continues. What I want to bring in to the discussion is that are we pointing fingers to right direction?

I've got the impression that the following parties are blamed and in this order:

1. Users who didn't have the skills and wisdom to pick strong password.
2. Hacked site business owners who didn't have the insight to require secure implementation from their service providers.
3. Service providers who have either failed to manage the site properly or left security holes in to the code.
4. Criminals or indiscriminate hackers who either made the breach or agitated clueless wannabes to do the dirty work.

I have few problems with this priority. 

Many users fail to pick good password, true, but having separate, strong, memorable password for different web-sites is mission impossible. Although there are lots of good advice around how to pick a good password, how to create rules to memorize different passwords and how to use password management tools. We've seen many analysis made out of leaked passwords and lots of comments about bad password choices. We seem to forget that most of the leaked passwords are considered to be pretty good and what good that did to those users? Password were leaked anyway. The fact is that passwords are obsolete. We need to have better authentication mechanisms, which don't rely so heavily on human behaviour and memory. 

Business owners of hacked sites has been found guilty to not understand security and not requiring secure services. Hacked sites are mostly owned by small companies run by tight budget or discussion forums run by volunteers without budget. I agree that owners should think more about security and demand secure services from their providers. I feel the pain, though. Security is complicated. Site owners should be able to trust their service providers to have security skills and responsibility.

Service providers have in some cases proved to be clueless about security. Ignoring security patching? Storing clear-text passwords? You must be kidding me. I understand that competition is killing small providers and prizing the services is an issue. I've heard about software companies who admit having pricing model, where thorough testing and extra security work is plain impossibility. However, service providers should be the trusted ones. They should have skills and understanding to create and run secure services. They should understand and advice customers about security risks. 

How about criminals then? Well, they are guilty as hell and we should not forget that. Even when user picks a poor password, site owner doesn't understand security risks, coders don't know SQL-injection and service provider sell you insecure service, breaking the site and publishing innocent users personal data is a crime. Saddest cases are the young hacker wannabes, who want to get peer acceptance and fame. They want to be a part of something and may end up ruining their life. 

So, in my mind we need to reverse the focus of the blame.

1. Criminals. Hacking is illegal. Leaking users data is illegal. Our focus should be in catching the criminals and make sure not to spread the damage. This should also show to young, skilled wannabes, that it's better to use one's skills for good. Breaking something is usually easy - you need to find just one weak spot. Securing services is what real men do - you need to cover everything.
2. Service providers should take more responsibility. Be an advisor. Help customers to build better services. Advice about risks and countermeasures. Play your cards right and you should be able to get more business. Aim to secure enough quality, not to cheap price. Educate your administrators and programmers. Security haven't been an option for a long time, it must be part of your skill set. There are no security supermen, who could come and fix your service afterwards. You are the responsible.
3. Business owners need to learn to ask for secure services. You guys must think what you can loose and how that would affect your business. Think about scenario where you would be on the front page because of a dataleak. Are there any business for you after that? Make contracts that force service providers to take responsibility.
4. Users - poor users. The Internet is a complicated environment. Simple user interfaces and useful services hide lots of complicated, technical issues. Applications and services tend to delegate risk and decision making to the user. Terms of use agreements are long, confusing documents, which basically takes all the risk off and gives the ownership of all data to the business owner. Users need to understand password quality, cryptic questions about certificates and make decisions if they want to continue to site even though their got some weird message. User awareness efforts are good and necessary, but they are not the final solution. User is not the weakest link. Weakest link is he, who doesn't design and create services for humans.

There's work to do on every level, but lets keep our priorities straight.

Change is a security opportunity

In my previous blog, security threats no-brainers 2011, I kind of promised continuation. I said that it would be more interesting to think what security opportunities mentioned changes would bring than falling straight into risk management mode. Yes - I know that some people say risk may be a positive thing. I don't buy that. In my thinking risk is always negative. You may achieve positive things when accepting risk, but that's different.

Five most common trends/changes typically mentioned as causing security risks I covered in my previous writing were smartphones/tablets, Stuxnet-like advanced attacks, social media, mobile applications and cloud. Let's see, if these can help us with security. I haven't done any thorough analysis or such, but write down things that comes to my mind right now.

Smartphones and tablets

These are new devices what users desire. It's a good opportunity to introduce some security guidelines and practices which may have forgotten earlier. Users are ready to do anything in order to be able to use latest and greatest gadgets. Just be careful not to overdo it - don't kill the usability.

Stuxnet-like advanced attacks

Hmm. Tough one. Lets say that at least it's been a wakeup call for many companies who thought they were safe. Awareness building opportunity.

Social media

Easy. Your users are using social media, so you want to be there too. Good opportunity to build awareness, educate users and bring security down from the ivory tower. Finally there's a channel to get some feedback, if you play your cards right. I don't mean log reports, but actual concerns and suggestions of your users. See this great picture, how information security people think differently from regular people.

Mobile applications

How about offering security awareness apps? In form of games, videos, guidelines, FAQ, etc. Maybe offer a quick way to ask questions and send feedback.

Cloud

Excellent. Someone is doing all security work for you, if you just know to ask. Sometimes getting in-house IT into speed is hard work - there's always production-related issues and more important tasks to do. Vendor rarely says no and if the price tag is too high, at least management knows what security they decided not to buy.

There - quick-and-dirty list of how new trends can enhance security. I'm sure there's lot more.

Security threats no-brainers 2011

As usual, there's been a flood of security predictions to start a new year. I found most of the predictions to be no-brainers, uninteresting and too much technology driven. Almost like security "fashion" we are expected to discuss this year. Worst predictions seem to be made for marketing purposes. To be fair, I've also seen some great insights of security trends/threats, but those are usually not labelled under ongoing year.

It would be great to see some proper analysis done about these different threat predictions. While waiting, I browsed through several predictions to see what's a consensus.

I checked predictions from Symantec, Sophos, McAfee, Panda, WebSense, F-Secure, zscaler, Bankinfo Security, SANS, CIO Insight, Stonesoft , Hakin9, Help Net Security, Imperva and IBM. There's probably lot more, but this was enough to see the common ground.

Five most mentioned security problem areas were (not in any specific order):

• Smartphones and tablets
• Stuxnet-like advanced attacks against critical infrastructure
• Social media
• Mobile applications
• Cloud

Let's see...

Smartphones and tablets

Number of smartphones is growing fast and it's expected to exceed the number of computers in few years. Smartphones are going to be the most common device to access Internet and applications. It's safe bet to assume that they will be attacked. Because of Apple's popularity, many predictions expected attackers to focus more on Apple devices and applications.

Interestingly, number of other devices connected to Internet is growing even faster and it's expected that in few years smartphones and computers will be only a fraction of all IP-connected devices. Think about security problems of smart-meters, vehicles and fridges.

Stuxnet-like advanced attacks against critical infrastructure

Stuxnet was one of the biggest security topics last year. It shook some beliefs what malware could do and who do malware. It's clear, that different nations are thinking how to use malware as a weapon. Weapons need to be tested, weapons want to be used.

Social media

Everyone is rushing to join different social media and geotagging services. Criminals don't need to be brainiacs to follow the potential victims. This is just a case where all-so-familiar spamming, phishing, social engineering and malware attacks move from email and web-sites to social media sites.

Mobile applications

Rise of the smartphones means more amateur-made, easy-downloadable, cheap/free applications. Businesses and individuals want to act fast and test waters with different applications. Security won't be priority. At the same time users are taught to download and install a lot of apps. Checking security features, privacy options or terms of usage is just too freakin' difficult.

Cloud

Nice, warm, fluffy cloud. We used to have eggshell security model - tough shell outside, all soft inside. Cloud services should reverse that tough/soft model. Let's hope we don't get scrambled eggs security model instead. Anyway, cloud is new, unknown and uncontrollable, hence scary.

Those were top 5 security problem areas I found from different predictions. Pretty easy guesses based on what's new, what has happened and what's obvious. Quite many threat-lists excpected also more data loss cases, more hactivism and ever-popular insider attacks. Combining all threats mentioned in predictions we would get +30 different threats.

If I would need to pick one of those predictions papers, I would recommend Hakin9 article Cybercrime and Cyberwar Predictions for 2011.

If you insist reading even more of predictions and trends, I would recommend some good longer-term analysis, like Europol Threat Assessment of Internet Facilitated Organized Crime, ISSA-UK's Information Security The Next Decade or ISF Threat Horizon 2012.

I think my last years security predictions are still pretty much valid also :-)

Smartphones, mobile apps, cloud services and social media are not a threat per se, but they are going to be popular, useful and must have trends/tools/services. Sure it's good to analyse risks and design controls to manage them. We need to be aware and enhance security measures accordingly. However, I think that instead of looking changes from threat perspective, it would be more interesting to think what security opportunities these changes would bring. More about that later.