Sunday, July 03, 2011

No-one cares about computers and security.

No-one cares about computers and security.

I care. I am quite interested in computer security from a technical point of view. I also want to keep my data and credentials safe from prying eyes and corruption/deletion, accidental or otherwise and misuse.

However, I now believe that among computer users I am on my own. The only other people that seem to be interested are security consultants. But then they have something to sell. I find this annoying because computer security is important for a number of reasons that really do have the potential to adversely affect me when not done right.

  • My money. Is it safe? Do the retail banks take responsibility for making sure that it is not easily stolen and that the account is resistant to fraud? No, they don't. Everyone's bank account is at risk. So are their credit cards and debit cards.
  • My personal details. Will they end up in the hands of spammers and junk mailers. Yes, they will. The people that had these details for perfectly legitimate reasons cannot be trusted to look after them responsibly or even with basic competency. This is why everyone is taking to shredding everything these days.
  • Impersonation. Will someone be able to log to my online-account, pretend to me, and do all sorts of horrible things in my name? Yes, they can. Newspapers are full of these stories happening more and more often. Do you think your Facebook account is secure? How about your Twitter account? Your PayPal account? Your Amazon account?
  • Computer breakins. I want my computer to remain mine and no-one else is allowed in. Thankfully I don't use Microsoft Windows so this greatly increases my chances. However, security holes are discovered in commonly used software every day, including the software that runs on Linux. My own machines are regular attacked using port scanning and password guessing.
  • Privacy. I want the stuff that I do on my computers to be private. AFAIK only the UK government have passed a special law that grants them the right to force your decryption keys from you. Also, when using encryption there is the problem that most other people don't know anything about it. It is hard to communicate securely with people that are not interested in keeping the communication secure.

Although I say I care, I have stopped caring in certain areas. This is because I have just got fed up of security not being done right so that it hinders work, even hinders real security and certainly does not provide it. My boss put it so well when he said "security is that which impedes the developer whilst at the same time not offering security".

These areas are listed below.

  • o Passwords. I write them down. I keep the number small by reusing them across systems. They are drawn from a small list of passwords that I use over and over. I often don't make them a complex mixture of numbers, letters and special symbols as is recommended. They are often based on words that make them vunerable to a dictionary attack. I keep them all in a notebook in my desk drawer.
  • Usernames. I tend to use the same one every time. Yes, it is based on my name.
  • I tell people my username and password. Well, at least I do at work. Well at least I would if anyone was interested or asked. The workplace is where security is just a joke so this doesn't matter as far as I am concerned.
  • I lend people my security pass. No-one looks at the pass anyway, it is just used to open the door locks. I never wear my pass, I keep it in my pocket.
  • I don't lock my terminal when leaving it unattended. The corporate environment tends to force a lock after a very brief period of inactivity so I find myself subconsciously rebelling.
  • When I briefly leave my desk I leave the drawer unlocked with the notebook inside containing all my passwords.
  • I share my main working directory with everyone indiscrimanently using Windoze Shares and lax permissions. Windoze is not secure anyway, FTP, telnet and CIFS protocols sends usernames and passwords over the wire in plaintext anyway, so what's the problem?
  • I don't use two-factor authentication. Well actually I would like to but it would be really useful, like looking after the money in my bank account for example, it is not even offered.
  • I don't use public key encryption for sensitive communication. Actually I refuse to use email for sensitive communication. I would like to use public key encryption but usually the person at the other end of the communication does not understand the need and is incapable of using public key encryption so I try to find another way, e.g a face to face meeting or using the telephone (which is not secure either).
  • I don't digitally sign anything. After all, no-one uses or understands public key encryption anyway.
  • I don't use an Intrusion Detection System (IDS). Actually I did try out an IDS once which is how I know my machines do get attacked. But I never use an IDS at my clients site. They don't use one either. Tough luck. And those systems are typically Windoze-based where a breakin will happen sooner or later.
  • I don't use a virus scanner. Well, I use Linux at home, which is a much smaller target for crackers and malware. My clients, being typically Windoze-based, will use whatever the corporate standard is for a virus checker. It is typically configured to not update each day but rather at the behest of the 'security' department. It is often either partially or completely disabled since the continual disk scanning slowers the machine down for developers (word processing users don't notice).
  • Whenever I receive a Word or Excel document containing macros I enable them without any consideration of the potential consequences. Such is life in the corporate world. Of course at home I don't use Microsoft Office so it's not a problem there.
  • I use Internet Exploiter as my web browser. At home I use Firefox of course. But Firefox has yet to be discovered by the corporate world. IE is still the standard on the desktop and provides a rich source of attack vectors, drive-by-shootings etc.
  • I use software that sends usernames and passwords over the wire in plaintext. The most commonly used is FTP. I would like to use secure protocols/commands such as sftp, ssh etc but these have yet to be discovered by the corporate world.

No comments: