June 19, 2011

On Hacking (or Why We Need Security Ratings)

Another website has been hacked. It seems almost routine now, with site after site getting demolished by hackers. The overwhelming public response to the catastrophe has been to ask, "can anything be made secure?" Security experts, naturally, are constantly attacking the companies in question for their dismal security practices, but what of the general public? They don't know what a hash is. They don't know what an SQL injection is. They have no reason to know these things and will never understand them. All they understand is that their company assured them they had good security, and then they were hacked, and somehow the good security wasn't actually good. So then they'll move to another company, and this time, they're told, this company really does have good security. But nope, it got hacked too, guess that good security wasn't actually good.

Can any security be good? A security expert knows why the companies were hacked and can answer that question - the average Joe probably won't be able to. This is the crux of the problem - What is good security? How can an average person figure out what good security is? Good security used to be MD5 hashing. Then it was MD5 hashing with a seed. Now MD5 is cryptographically insecure, so we're trying to move to SHA1, but even that might be crackable in the near future, so someone invented bcrypt, but now the bcrypt implementation has demonstrated some unnerving behavior, making its implementation unverified. Then there is SQL injection vulnerabilities and the long list of XSS attacks, along with cookiejacking made possible by unencrypted networks and Firesheep. Even now we are seeing weaknesses at the highest echelons of security - hacked RSA databases and even HTTPS certificates.

Answering our question of what good security is clearly isn't easy. Of course, what if we assume that all security is broken? We would have to outlaw all hacking and seriously punish the offenders because there is nothing that can be done to lock up the system. This approach, however, is inherently flawed. For one, it is closely related to the drug war waged by the U.S. authorities, which has been astoundingly ineffective at stopping the drug trade. Not because it can't shut down drug-rings (it's very good at doing that), but simply because the business is so profitable that for every player you kill in the game, another one crops up to take their place. Lulzsec serves as a harbinger of that scenario, where hacking is cheap, and even if you throw everyone involved in jail, someone else will replace them.

However, even this scenario is being optimistic. If security is near impossible, computers become useless. The real world would turn into Hollywood, where electronics are easily bypassed. The problem is that if computer security is easily bypassed, people will stop using it. Online transactions die. The paper trail comes back. People refuse to put their personal details in anything that could be digitized. Everything that has enabled the technological explosion of today would get stuck in a tug-of-war between security and convenience. If history is anything to go by, the public would rather give up the last bits of their privacy just so they could use all the conveniences of electronics without having to worry about hackers. Suddenly we live in 1964.

This scenario may seem implausible to you because it is. Computer security can be effective, it simply needs to be done properly, which is not impossible. It may be difficult, but so is starting a successful company, and that doesn't seem to stop any of the entrepreneurs. The problem we face is that the average customer has no way of discerning good security from bad security. If they could, market pressures would force companies to adapt the best security possible, or customers would take their data elsewhere. Security is crap because no one knows what security is other then the security experts.

We have building inspectors and elevator certifications and health inspectors... why not security inspectors? It doesn't need to be government mandated, considering the government's track record, it might be a lot better if a private company or group provided the service, but somehow, there needs to be a way to measure security in a verifiable manner. There are two ways I know of to do this (there may be others) - from the inside, and from the outside. An inside inspection is more reliable when done properly, but more likely to be corrupted and gamed. An outside inspection, however, doesn't rely on the consent of a company to plaster a security rating on them. The downside is that an outside inspection requires pummeling the company's product blindly, which will only catch the really stupid mistakes, and not the dangerous middle-ground between really bad security and really good security.

I'm not pretending I know how to solve this problem. I don't, but I do know that someone needs to figure this out. If we are going to make any headway with security, the general public needs a friendly, easy, intuitive way to check the security rating of a company, instead of relying on the company's insistence that it uses a "very sophisticated security system". Only then will market pressures push for the resurgence of proper security.

4 comments:

  1. There actually is such a thing as a security inspection. It's called a penetration test. You can hire security consultants to perform digital and physical attacks on your corporate systems and report the results. It's not a 100% catch-all and there are many caveats, but the result is a report that explains all the holes.

    ReplyDelete
    Replies
    1. Yes, but as I pointed out, its not a security rating, like a rating the FDA gives to a restaurant based on its health inspection. The security inspection doesn't slap a rating on the company, it just tells the company things that it may or may not do anything about.

      Delete
    2. The problem with such a rating is that there's no way to quantify security. You can use SSL everywhere, enforce strong passwords, install a firewall, an IDS, an IPS and an AV and keep all your software up to date, then fall foul to an SQL injection attack. Whilst your security rating would be high due to all of the measures you took, your customer information still got stolen.

      Delete
    3. Whether or not your customer information gets stolen is not the point. The point is the sophistication of the attack required to steal the passwords. If you have a high security rating, it means an attacker would have to carry out a sophisticated attack (probably involving social engineering) to grab your customer data. If you do not have a high security rating it means you could fall prey to well known vulnerabilities. Most of the websites being hacked today are not being hacked by a super-sophisticated attacker, they just have absolutely terrible security.

      Delete